Compare commits

..

No commits in common. "f4894a6d6ebb36ba1a559de4811180cb942d55a7" and "cb01346d07db7a874d3b5dcb38cde94099a030e5" have entirely different histories.

6 changed files with 24 additions and 122 deletions

View File

@ -36,7 +36,6 @@ export type ParsedRetention =
export default class ObjectLockConfiguration {
_parsedXml: any;
_config: Config;
_days: number | null;
/**
* Create an Object Lock Configuration instance
@ -46,7 +45,6 @@ export default class ObjectLockConfiguration {
constructor(xml: any) {
this._parsedXml = xml;
this._config = {};
this._days = null;
}
/**
@ -185,8 +183,6 @@ export default class ObjectLockConfiguration {
this._config.rule = {};
this._config.rule.mode = validMode.mode;
this._config.rule[validTime.timeType!] = validTime.timeValue;
// Store the number of days
this._days = validTime.timeType === 'years' ? 365 * validTime.timeValue : validTime.timeValue;
}
return validConfig;
}

View File

@ -171,7 +171,6 @@ export default class RequestContext {
_needTagEval: boolean;
_foundAction?: string;
_foundResource?: string;
_objectLockRetentionDays?: number | null;
constructor(
headers: { [key: string]: string | string[] },
@ -193,7 +192,6 @@ export default class RequestContext {
requestObjTags?: string,
existingObjTag?: string,
needTagEval?: false,
objectLockRetentionDays?: number,
) {
this._headers = headers;
this._query = query;
@ -226,7 +224,6 @@ export default class RequestContext {
this._requestObjTags = requestObjTags || null;
this._existingObjTag = existingObjTag || null;
this._needTagEval = needTagEval || false;
this._objectLockRetentionDays = objectLockRetentionDays || null;
return this;
}
@ -258,7 +255,6 @@ export default class RequestContext {
requestObjTags: this._requestObjTags,
existingObjTag: this._existingObjTag,
needTagEval: this._needTagEval,
objectLockRetentionDays: this._objectLockRetentionDays,
};
return JSON.stringify(requestInfo);
}
@ -299,7 +295,6 @@ export default class RequestContext {
obj.requestObjTags,
obj.existingObjTag,
obj.needTagEval,
obj.objectLockRetentionDays,
);
}
@ -703,24 +698,4 @@ export default class RequestContext {
getNeedTagEval() {
return this._needTagEval;
}
/**
* Get object lock retention days
*
* @returns objectLockRetentionDays - object lock retention days
*/
getObjectLockRetentionDays() {
return this._objectLockRetentionDays;
}
/**
* Set object lock retention days
*
* @param objectLockRetentionDays - object lock retention days
* @returns itself
*/
setObjectLockRetentionDays(objectLockRetentionDays: number) {
this._objectLockRetentionDays = objectLockRetentionDays;
return this;
}
}

View File

@ -324,10 +324,7 @@ export function evaluateAllPolicies(
requestContext: RequestContext,
allPolicies: any[],
log: Logger,
): {
verdict: string;
isImplicit: boolean;
} {
): string {
log.trace('evaluating all policies');
let allow = false;
let allowWithTagCondition = false;
@ -336,10 +333,7 @@ export function evaluateAllPolicies(
const singlePolicyVerdict = evaluatePolicy(requestContext, allPolicies[i], log);
// If there is any Deny, just return Deny
if (singlePolicyVerdict === 'Deny') {
return {
verdict: 'Deny',
isImplicit: false,
};
return 'Deny';
}
if (singlePolicyVerdict === 'Allow') {
allow = true;
@ -350,7 +344,6 @@ export function evaluateAllPolicies(
} // else 'Neutral'
}
let verdict;
let isImplicit = false;
if (allow) {
if (denyWithTagCondition) {
verdict = 'NeedTagConditionEval';
@ -362,9 +355,8 @@ export function evaluateAllPolicies(
verdict = 'NeedTagConditionEval';
} else {
verdict = 'Deny';
isImplicit = true;
}
}
log.trace('result of evaluating all policies', { verdict, isImplicit });
return { verdict, isImplicit };
log.trace('result of evaluating all policies', { verdict });
return verdict;
}

View File

@ -166,9 +166,6 @@ export function findConditionKey(
return requestContext.getNeedTagEval() && requestContext.getRequestObjTags()
? getTagKeys(requestContext.getRequestObjTags()!)
: undefined;
// The maximum retention period is 100 years.
case 's3:object-lock-remaining-retention-days':
return requestContext.getObjectLockRetentionDays() || undefined;
default:
return undefined;
}

View File

@ -1425,10 +1425,7 @@ describe('policyEvaluator', () => {
const result = evaluateAllPolicies(requestContext,
[samples['arn:aws:iam::aws:policy/AmazonS3FullAccess'],
samples['Deny Bucket Policy']], log);
assert.deepStrictEqual(result, {
verdict: 'Deny',
isImplicit: false,
});
assert.strictEqual(result, 'Deny');
});
it('should deny access if request action is not in any policy', () => {
@ -1439,10 +1436,7 @@ describe('policyEvaluator', () => {
const result = evaluateAllPolicies(requestContext,
[samples['Multi-Statement Policy'],
samples['Variable Bucket Policy']], log);
assert.deepStrictEqual(result, {
verdict: 'Deny',
isImplicit: true,
});
assert.strictEqual(result, 'Deny');
});
it('should deny access if request resource is not in any policy', () => {
@ -1454,10 +1448,7 @@ describe('policyEvaluator', () => {
samples['Multi-Statement Policy'],
samples['Variable Bucket Policy'],
], log);
assert.deepStrictEqual(result, {
verdict: 'Deny',
isImplicit: true,
});
assert.strictEqual(result, 'Deny');
});
const TestMatrixPolicies = {
@ -1516,115 +1507,67 @@ describe('policyEvaluator', () => {
const TestMatrix = [
{
policiesToEvaluate: [],
expectedPolicyEvaluation: {
verdict: 'Deny',
isImplicit: true,
},
expectedPolicyEvaluation: 'Deny',
},
{
policiesToEvaluate: ['Allow'],
expectedPolicyEvaluation: {
verdict: 'Allow',
isImplicit: false,
},
expectedPolicyEvaluation: 'Allow',
},
{
policiesToEvaluate: ['Neutral'],
expectedPolicyEvaluation: {
verdict: 'Deny',
isImplicit: true,
},
expectedPolicyEvaluation: 'Deny',
},
{
policiesToEvaluate: ['Deny'],
expectedPolicyEvaluation: {
verdict: 'Deny',
isImplicit: false,
},
expectedPolicyEvaluation: 'Deny',
},
{
policiesToEvaluate: ['Allow', 'Allow'],
expectedPolicyEvaluation: {
verdict: 'Allow',
isImplicit: false,
},
expectedPolicyEvaluation: 'Allow',
},
{
policiesToEvaluate: ['Allow', 'Neutral'],
expectedPolicyEvaluation: {
verdict: 'Allow',
isImplicit: false,
},
expectedPolicyEvaluation: 'Allow',
},
{
policiesToEvaluate: ['Neutral', 'Allow'],
expectedPolicyEvaluation: {
verdict: 'Allow',
isImplicit: false,
},
expectedPolicyEvaluation: 'Allow',
},
{
policiesToEvaluate: ['Neutral', 'Neutral'],
expectedPolicyEvaluation: {
verdict: 'Deny',
isImplicit: true,
},
expectedPolicyEvaluation: 'Deny',
},
{
policiesToEvaluate: ['Allow', 'Deny'],
expectedPolicyEvaluation: {
verdict: 'Deny',
isImplicit: false,
},
expectedPolicyEvaluation: 'Deny',
},
{
policiesToEvaluate: ['AllowWithTagCondition'],
expectedPolicyEvaluation: {
verdict: 'NeedTagConditionEval',
isImplicit: false,
},
expectedPolicyEvaluation: 'NeedTagConditionEval',
},
{
policiesToEvaluate: ['Allow', 'AllowWithTagCondition'],
expectedPolicyEvaluation: {
verdict: 'Allow',
isImplicit: false,
},
expectedPolicyEvaluation: 'Allow',
},
{
policiesToEvaluate: ['DenyWithTagCondition'],
expectedPolicyEvaluation: {
verdict: 'Deny',
isImplicit: true,
},
expectedPolicyEvaluation: 'Deny',
},
{
policiesToEvaluate: ['Allow', 'DenyWithTagCondition'],
expectedPolicyEvaluation: {
verdict: 'NeedTagConditionEval',
isImplicit: false,
},
expectedPolicyEvaluation: 'NeedTagConditionEval',
},
{
policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition'],
expectedPolicyEvaluation: {
verdict: 'NeedTagConditionEval',
isImplicit: false,
},
expectedPolicyEvaluation: 'NeedTagConditionEval',
},
{
policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition', 'Deny'],
expectedPolicyEvaluation: {
verdict: 'Deny',
isImplicit: false,
},
expectedPolicyEvaluation: 'Deny',
},
{
policiesToEvaluate: ['DenyWithTagCondition', 'AllowWithTagCondition', 'Allow'],
expectedPolicyEvaluation: {
verdict: 'NeedTagConditionEval',
isImplicit: false,
},
expectedPolicyEvaluation: 'NeedTagConditionEval',
},
];
@ -1639,7 +1582,7 @@ describe('policyEvaluator', () => {
requestContext,
testCase.policiesToEvaluate.map(policyName => TestMatrixPolicies[policyName]),
log);
assert.deepStrictEqual(result, testCase.expectedPolicyEvaluation);
assert.strictEqual(result, testCase.expectedPolicyEvaluation);
});
});
});

View File

@ -111,7 +111,6 @@ describe('RequestContext', () => {
specificResource: 'specific-resource',
sslEnabled: true,
tokenIssueTime: null,
objectLockRetentionDays: null,
};
it('serialize()', () => {
assert.deepStrictEqual(JSON.parse(rc.serialize()), SerializedFields);