Compare commits

...

2 Commits

Author SHA1 Message Date
Will Toozs 0abc8c2895
ARSN-375: update tests 2023-11-27 19:12:20 +01:00
Will Toozs b98f4dbd30
ARSN-375: add impDeny logic to ChainBackend 2023-11-27 19:11:42 +01:00
2 changed files with 66 additions and 38 deletions

View File

@ -151,7 +151,15 @@ export default class ChainBackend extends BaseBackend {
}); });
return Object.keys(policyMap).map(key => { return Object.keys(policyMap).map(key => {
const policyRes: any = { isAllowed: policyMap[key].isAllowed }; const policyRes: any = {
isAllowed: policyMap[key].isAllowed,
};
if (policyMap[key].action) {
policyRes.action = policyMap[key].action;
}
if (typeof policyMap[key].isImplicit === 'boolean') {
policyRes.isImplicit = policyMap[key].isImplicit;
}
if (policyMap[key].arn !== '') { if (policyMap[key].arn !== '') {
policyRes.arn = policyMap[key].arn; policyRes.arn = policyMap[key].arn;
} }

View File

@ -192,11 +192,11 @@ describe('Auth Backend: Chain Backend', () => {
it('should return an error if any of the clients fails', done => { it('should return an error if any of the clients fails', done => {
const backend = new ChainBackend('chain', [ const backend = new ChainBackend('chain', [
new TestBackend('test1', null, { new TestBackend('test1', null, {
message: { body: [{ isAllowed: false, arn: 'arn:aws:s3:::policybucket/obj1' }] }, message: { body: [{ action: "PutObject", isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/obj1' }] },
}), }),
new TestBackend('test2', testError, null), new TestBackend('test2', testError, null),
new TestBackend('test3', null, { new TestBackend('test3', null, {
message: { body: [{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/obj1' }] }, message: { body: [{ action: "PutObject", isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/obj1' }] },
}), }),
]); ]);
@ -209,23 +209,25 @@ describe('Auth Backend: Chain Backend', () => {
it('should merge results from clients into a single response object', done => { it('should merge results from clients into a single response object', done => {
const backend = new ChainBackend('chain', [ const backend = new ChainBackend('chain', [
new TestBackend('test1', null, { new TestBackend('test1', null, {
message: { body: [{ isAllowed: false, arn: 'arn:aws:s3:::policybucket/obj1' }] }, message: { body: [{ action: "PutObject", isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/obj1' }] },
}), }),
new TestBackend('test2', null, { new TestBackend('test2', null, {
message: { body: [{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/obj2' }] }, message: { body: [{ action: "PutObject", isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/obj2' }] },
}), }),
new TestBackend('test3', null, { new TestBackend('test3', null, {
message: { body: [{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/obj1' }] }, message: { body: [{ action: "PutObject", isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/obj1' }] },
}), }),
]); ]);
backend.checkPolicies(null, null, null, (err, res) => { backend.checkPolicies(null, null, null, (err, res) => {
assert.ifError(err); assert.ifError(err);
assert.deepStrictEqual(res, { assert.deepStrictEqual(res, {
message: { body: [ message: {
{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/obj1' }, body: [
{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/obj2' }, { action: "PutObject", isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/obj1' },
] }, { action: "PutObject", isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/obj2' },
]
},
}); });
done(); done();
}); });
@ -264,45 +266,63 @@ describe('Auth Backend: Chain Backend', () => {
describe('::_mergePolicies', () => { describe('::_mergePolicies', () => {
it('should correctly merge policies', () => { it('should correctly merge policies', () => {
const policyResps = [ const policyResps = [
{ message: { body: [ {
{ isAllowed: false, arn: 'arn:aws:s3:::policybucket/true1' }, message: {
{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/true2' }, body: [
{ isAllowed: false, arn: 'arn:aws:s3:::policybucket/false1' }, { action: 'GetObject', isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true1' },
] } }, { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true2' },
{ message: { body: [ { action: 'GetObject', isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/false1' },
{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/true1' }, { action: 'GetObject', isAllowed: false, isImplicit: true, arn: 'arn:aws:s3:::policybucket/false2' },
{ isAllowed: false, arn: 'arn:aws:s3:::policybucket/true2' }, ]
{ isAllowed: false, arn: 'arn:aws:s3:::policybucket/false2' }, }
] } }, },
{
message: {
body: [
{ action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true1' },
{ action: 'GetObject', isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true2' },
{ action: 'GetObject', isAllowed: false, isImplicit: true, arn: 'arn:aws:s3:::policybucket/false1' },
{ action: 'GetObject', isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/false2' },
]
}
},
]; ];
assert.deepStrictEqual( assert.deepStrictEqual(
ChainBackend._mergePolicies(policyResps), ChainBackend._mergePolicies(policyResps),
[ [
{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/true1' }, { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true1' },
{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/true2' }, { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true2' },
{ isAllowed: false, arn: 'arn:aws:s3:::policybucket/false1' }, { action: 'GetObject', isAllowed: false, isImplicit: true, arn: 'arn:aws:s3:::policybucket/false1' },
{ isAllowed: false, arn: 'arn:aws:s3:::policybucket/false2' }, { action: 'GetObject', isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/false2' },
], ],
); );
const policyRespsNested = [ const policyRespsNested = [
{ message: { body: [ {
[ message: {
{ isAllowed: false, arn: 'arn:aws:s3:::policybucket/true1' }, body: [
{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/true2' }, [
], { action: 'GetObject', isAllowed: false, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true1' },
] } }, { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true2' },
{ message: { body: [ ],
[ ]
{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/true1' }, }
{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/true2' }, },
], {
] } }, message: {
body: [
[
{ action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true1' },
{ action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true2' },
],
]
}
},
]; ];
assert.deepStrictEqual( assert.deepStrictEqual(
ChainBackend._mergePolicies(policyRespsNested), ChainBackend._mergePolicies(policyRespsNested),
[ [
{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/true1' }, { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true1' },
{ isAllowed: true, arn: 'arn:aws:s3:::policybucket/true2' }, { action: 'GetObject', isAllowed: true, isImplicit: false, arn: 'arn:aws:s3:::policybucket/true2' },
], ],
); );
}); });