Inicio Explorar Axuda
Iniciar sesión
github-mirrors
/
mirror-seaweedfs
2
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Rama: main
Ramas Etiquetas
mirror-seaweedf...
/
weed
/
iam
/
policy
/
policy_variable_matching_test.go

policy_variable_matching_test.go 6.0 KB
Permalink Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191 
  1. package policy
    2. 

  2. 

  3. import (
    4. 

  4. 	"context"
    5. 

  5. 	"testing"
    6. 

  6. 

  7. 	"github.com/stretchr/testify/assert"
    8. 

  8. 	"github.com/stretchr/testify/require"
    9. 

  9. )
    10. 

  10. 

  11. // TestPolicyVariableMatchingInActionsAndResources tests that Actions and Resources
    12. 

  12. // now support policy variables like ${aws:username} just like string conditions do
    13. 

  13. func TestPolicyVariableMatchingInActionsAndResources(t *testing.T) {
    14. 

  14. 	engine := NewPolicyEngine()
    15. 

  15. 	config := &PolicyEngineConfig{
    16. 

  16. 		DefaultEffect: "Deny",
    17. 

  17. 		StoreType:     "memory",
    18. 

  18. 	}
    19. 

  19. 

  20. 	err := engine.Initialize(config)
    21. 

  21. 	require.NoError(t, err)
    22. 

  22. 

  23. 	ctx := context.Background()
    24. 

  24. 	filerAddress := ""
    25. 

  25. 

  26. 	// Create a policy that uses policy variables in Action and Resource fields
    27. 

  27. 	policyDoc := &PolicyDocument{
    28. 

  28. 		Version: "2012-10-17",
    29. 

  29. 		Statement: []Statement{
    30. 

  30. 			{
    31. 

  31. 				Sid:    "AllowUserSpecificActions",
    32. 

  32. 				Effect: "Allow",
    33. 

  33. 				Action: []string{
    34. 

  34. 					"s3:Get*",                  // Regular wildcard
    35. 

  35. 					"s3:${aws:principaltype}*", // Policy variable in action
    36. 

  36. 				},
    37. 

  37. 				Resource: []string{
    38. 

  38. 					"arn:aws:s3:::user-${aws:username}/*",    // Policy variable in resource
    39. 

  39. 					"arn:aws:s3:::shared/${saml:username}/*", // Different policy variable
    40. 

  40. 				},
    41. 

  41. 			},
    42. 

  42. 		},
    43. 

  43. 	}
    44. 

  44. 

  45. 	err = engine.AddPolicy(filerAddress, "user-specific-policy", policyDoc)
    46. 

  46. 	require.NoError(t, err)
    47. 

  47. 

  48. 	tests := []struct {
    49. 

  49. 		name           string
    50. 

  50. 		principal      string
    51. 

  51. 		action         string
    52. 

  52. 		resource       string
    53. 

  53. 		requestContext map[string]interface{}
    54. 

  54. 		expectedEffect Effect
    55. 

  55. 		description    string
    56. 

  56. 	}{
    57. 

  57. 		{
    58. 

  58. 			name:      "policy_variable_in_action_matches",
    59. 

  59. 			principal: "test-user",
    60. 

  60. 			action:    "s3:AssumedRole", // Should match s3:${aws:principaltype}* when principaltype=AssumedRole
    61. 

  61. 			resource:  "arn:aws:s3:::user-testuser/file.txt",
    62. 

  62. 			requestContext: map[string]interface{}{
    63. 

  63. 				"aws:username":      "testuser",
    64. 

  64. 				"aws:principaltype": "AssumedRole",
    65. 

  65. 			},
    66. 

  66. 			expectedEffect: EffectAllow,
    67. 

  67. 			description:    "Action with policy variable should match when variable is expanded",
    68. 

  68. 		},
    69. 

  69. 		{
    70. 

  70. 			name:      "policy_variable_in_resource_matches",
    71. 

  71. 			principal: "alice",
    72. 

  72. 			action:    "s3:GetObject",
    73. 

  73. 			resource:  "arn:aws:s3:::user-alice/document.pdf", // Should match user-${aws:username}/*
    74. 

  74. 			requestContext: map[string]interface{}{
    75. 

  75. 				"aws:username": "alice",
    76. 

  76. 			},
    77. 

  77. 			expectedEffect: EffectAllow,
    78. 

  78. 			description:    "Resource with policy variable should match when variable is expanded",
    79. 

  79. 		},
    80. 

  80. 		{
    81. 

  81. 			name:      "saml_username_variable_in_resource",
    82. 

  82. 			principal: "bob",
    83. 

  83. 			action:    "s3:GetObject",
    84. 

  84. 			resource:  "arn:aws:s3:::shared/bob/data.json", // Should match shared/${saml:username}/*
    85. 

  85. 			requestContext: map[string]interface{}{
    86. 

  86. 				"saml:username": "bob",
    87. 

  87. 			},
    88. 

  88. 			expectedEffect: EffectAllow,
    89. 

  89. 			description:    "SAML username variable should be expanded in resource patterns",
    90. 

  90. 		},
    91. 

  91. 		{
    92. 

  92. 			name:      "policy_variable_no_match_wrong_user",
    93. 

  93. 			principal: "charlie",
    94. 

  94. 			action:    "s3:GetObject",
    95. 

  95. 			resource:  "arn:aws:s3:::user-alice/file.txt", // charlie trying to access alice's files
    96. 

  96. 			requestContext: map[string]interface{}{
    97. 

  97. 				"aws:username": "charlie",
    98. 

  98. 			},
    99. 

  99. 			expectedEffect: EffectDeny,
    100. 

  100. 			description:    "Policy variable should prevent access when username doesn't match",
    101. 

  101. 		},
    102. 

  102. 		{
    103. 

  103. 			name:           "missing_policy_variable_context",
    104. 

  104. 			principal:      "dave",
    105. 

  105. 			action:         "s3:GetObject",
    106. 

  106. 			resource:       "arn:aws:s3:::user-dave/file.txt",
    107. 

  107. 			requestContext: map[string]interface{}{
    108. 

  108. 				// Missing aws:username context
    109. 

  109. 			},
    110. 

  110. 			expectedEffect: EffectDeny,
    111. 

  111. 			description:    "Missing policy variable context should result in no match",
    112. 

  112. 		},
    113. 

  113. 	}
    114. 

  114. 

  115. 	for _, tt := range tests {
    116. 

  116. 		t.Run(tt.name, func(t *testing.T) {
    117. 

  117. 			evalCtx := &EvaluationContext{
    118. 

  118. 				Principal:      tt.principal,
    119. 

  119. 				Action:         tt.action,
    120. 

  120. 				Resource:       tt.resource,
    121. 

  121. 				RequestContext: tt.requestContext,
    122. 

  122. 			}
    123. 

  123. 

  124. 			result, err := engine.Evaluate(ctx, filerAddress, evalCtx, []string{"user-specific-policy"})
    125. 

  125. 			require.NoError(t, err, "Policy evaluation should not error")
    126. 

  126. 

  127. 			assert.Equal(t, tt.expectedEffect, result.Effect,
    128. 

  128. 				"Test %s: %s. Expected %s but got %s",
    129. 

  129. 				tt.name, tt.description, tt.expectedEffect, result.Effect)
    130. 

  130. 		})
    131. 

  131. 	}
    132. 

  132. }
    133. 

  133. 

  134. // TestActionResourceConsistencyWithStringConditions verifies that Actions, Resources,
    135. 

  135. // and string conditions all use the same AWS IAM-compliant matching logic
    136. 

  136. func TestActionResourceConsistencyWithStringConditions(t *testing.T) {
    137. 

  137. 	engine := NewPolicyEngine()
    138. 

  138. 	config := &PolicyEngineConfig{
    139. 

  139. 		DefaultEffect: "Deny",
    140. 

  140. 		StoreType:     "memory",
    141. 

  141. 	}
    142. 

  142. 

  143. 	err := engine.Initialize(config)
    144. 

  144. 	require.NoError(t, err)
    145. 

  145. 

  146. 	ctx := context.Background()
    147. 

  147. 	filerAddress := ""
    148. 

  148. 

  149. 	// Policy that uses case-insensitive matching in all three areas
    150. 

  150. 	policyDoc := &PolicyDocument{
    151. 

  151. 		Version: "2012-10-17",
    152. 

  152. 		Statement: []Statement{
    153. 

  153. 			{
    154. 

  154. 				Sid:      "CaseInsensitiveMatching",
    155. 

  155. 				Effect:   "Allow",
    156. 

  156. 				Action:   []string{"S3:GET*"},                    // Uppercase action pattern
    157. 

  157. 				Resource: []string{"arn:aws:s3:::TEST-BUCKET/*"}, // Uppercase resource pattern
    158. 

  158. 				Condition: map[string]map[string]interface{}{
    159. 

  159. 					"StringLike": {
    160. 

  160. 						"s3:RequestedRegion": "US-*", // Uppercase condition pattern
    161. 

  161. 					},
    162. 

  162. 				},
    163. 

  163. 			},
    164. 

  164. 		},
    165. 

  165. 	}
    166. 

  166. 

  167. 	err = engine.AddPolicy(filerAddress, "case-insensitive-policy", policyDoc)
    168. 

  168. 	require.NoError(t, err)
    169. 

  169. 

  170. 	evalCtx := &EvaluationContext{
    171. 

  171. 		Principal: "test-user",
    172. 

  172. 		Action:    "s3:getobject",                      // lowercase action
    173. 

  173. 		Resource:  "arn:aws:s3:::test-bucket/file.txt", // lowercase resource
    174. 

  174. 		RequestContext: map[string]interface{}{
    175. 

  175. 			"s3:RequestedRegion": "us-east-1", // lowercase condition value
    176. 

  176. 		},
    177. 

  177. 	}
    178. 

  178. 

  179. 	result, err := engine.Evaluate(ctx, filerAddress, evalCtx, []string{"case-insensitive-policy"})
    180. 

  180. 	require.NoError(t, err)
    181. 

  181. 

  182. 	// All should match due to case-insensitive AWS IAM-compliant matching
    183. 

  183. 	assert.Equal(t, EffectAllow, result.Effect,
    184. 

  184. 		"Actions, Resources, and Conditions should all use case-insensitive AWS IAM matching")
    185. 

  185. 

  186. 	// Verify that matching statements were found
    187. 

  187. 	assert.Len(t, result.MatchingStatements, 1,
    188. 

  188. 		"Should have exactly one matching statement")
    189. 

  189. 	assert.Equal(t, "Allow", string(result.MatchingStatements[0].Effect),
    190. 

  190. 		"Matching statement should have Allow effect")
    191. 

  191. }
    192.