add more test cases (deny all principals on getObject)
Signed-off-by: shirady <[email protected]>
shirady committed Jan 15, 2025
1 parent 861520f commit fbd99a4
Showing 1 changed file with 111 additions and 4 deletions.
115 changes: 111 additions & 4 deletions src/test/unit_tests/test_s3_bucket_policy.js
Expand Up @@ -344,6 +344,7 @@ mocha.describe('s3_bucket_policy', function() {
Bucket: BKT_D,
});
});

const allow_all_principals_all_s3_actions_statement = {
Sid: `Allow all s3 actions on bucket ${BKT_D} to all principals`,
Effect: 'Allow',
Expand All @@ -352,17 +353,26 @@ mocha.describe('s3_bucket_policy', function() {
Resource: [`arn:aws:s3:::${BKT_D}`, `arn:aws:s3:::${BKT_D}/*`]
};

const deny_all_principals_get_object_action_statement = {
Sid: `Deny all GetObject on bucket ${BKT_D} to all principals`,
Effect: 'Deny',
Principal: { AWS: "*" },
Action: 's3:GetObject',
Resource: [`arn:aws:s3:::${BKT_D}/*`]
};

function get_deny_account_by_id_all_s3_actions_statement(_id) {
return {
Sid: `Do not allow user ${_id} get any object`,
Sid: `Do not allow user ${_id} any s3 action`,
Effect: 'Deny',
Principal: { AWS: [_id] },
Action: ['s3:*'],
Resource: [`arn:aws:s3:::${BKT_D}/*`]
};
}

const deny_account_by_name_all_s3_actions_statement = {
Sid: `Do not allow user ${user_a} get any object`,
Sid: `Do not allow user ${user_a} any s3 action`,
Effect: 'Deny',
Principal: { AWS: [user_a] },
Action: ['s3:*'],
Expand Down Expand Up @@ -451,7 +461,7 @@ mocha.describe('s3_bucket_policy', function() {
get_deny_account_by_id_all_s3_actions_statement(user_a_account_details._id);
const allow_account_by_name_all_s3_actions_statement = _.cloneDeep(deny_account_by_name_all_s3_actions_statement);
allow_account_by_name_all_s3_actions_statement.Effect = 'Allow';
allow_account_by_name_all_s3_actions_statement.Sid = `Allow user ${user_a} get any object`;
allow_account_by_name_all_s3_actions_statement.Sid = `Allow user ${user_a} any s3 action`;
const policy = {
Statement: [
deny_account_by_id_all_s3_actions_statement,
Expand Down Expand Up @@ -486,7 +496,7 @@ mocha.describe('s3_bucket_policy', function() {
get_deny_account_by_id_all_s3_actions_statement(user_a_account_details._id);
const allow_account_by_id_all_s3_actions_statement = _.cloneDeep(deny_account_by_id_all_s3_actions_statement);
allow_account_by_id_all_s3_actions_statement.Effect = 'Allow';
allow_account_by_id_all_s3_actions_statement.Sid = `Allow user ${user_a_account_details._id} get any object`;
allow_account_by_id_all_s3_actions_statement.Sid = `Allow user ${user_a_account_details._id} any s3 action`;
const policy = {
Statement: [
deny_account_by_name_all_s3_actions_statement,
Expand All @@ -512,6 +522,103 @@ mocha.describe('s3_bucket_policy', function() {
Key: key5
}));
});

mocha.it('should not allow principal get object bucket policy with 2 statements: ' +
'(1) ALLOW principal by account name (2) DENY all principals as * (specific action only)', async function() {
const allow_account_by_name_all_s3_actions_statement = _.cloneDeep(deny_account_by_name_all_s3_actions_statement);
allow_account_by_name_all_s3_actions_statement.Effect = 'Allow';
allow_account_by_name_all_s3_actions_statement.Sid = `Allow user ${user_a} any s3 action`;
const policy = {
Statement: [
allow_account_by_name_all_s3_actions_statement,
deny_all_principals_get_object_action_statement
]
};
await s3_owner.putBucketPolicy({
Bucket: BKT_D,
Policy: JSON.stringify(policy)
});
// prepare - put the object to get
const key6 = 'file6.txt';
const res_put_object = await s3_owner.putObject({
Body: BODY,
Bucket: BKT_D,
Key: key6
});
assert.equal(res_put_object.$metadata.httpStatusCode, 200);
// should fail - user a has a DENY statement
await assert_throws_async(s3_a.getObject({
Body: BODY,
Bucket: BKT_D,
Key: key6
}));
});

mocha.it('should not allow principal get object bucket policy with 2 statements: ' +
'(1) ALLOW principal by account name (2) DENY all principals as * (specific action only)', async function() {
// in NC we allow principal to be also IDs
if (!is_nc_coretest) this.skip(); // eslint-disable-line no-invalid-this
const deny_account_by_id_all_s3_actions_statement =
get_deny_account_by_id_all_s3_actions_statement(user_a_account_details._id);
const allow_account_by_id_all_s3_actions_statement = _.cloneDeep(deny_account_by_id_all_s3_actions_statement);
allow_account_by_id_all_s3_actions_statement.Effect = 'Allow';
allow_account_by_id_all_s3_actions_statement.Sid = `Allow user ${user_a_account_details._id} any s3 action`;
const policy = {
Statement: [
allow_account_by_id_all_s3_actions_statement,
deny_all_principals_get_object_action_statement
]
};
await s3_owner.putBucketPolicy({
Bucket: BKT_D,
Policy: JSON.stringify(policy)
});
// prepare - put the object to get
const key7 = 'file7.txt';
const res_put_object = await s3_owner.putObject({
Body: BODY,
Bucket: BKT_D,
Key: key7
});
assert.equal(res_put_object.$metadata.httpStatusCode, 200);
// should fail - user a has a DENY statement
await assert_throws_async(s3_a.getObject({
Body: BODY,
Bucket: BKT_D,
Key: key7
}));
});

mocha.it('should not allow principal get object bucket policy with 2 statements: ' +
'(1) ALLOW principal by account ID (2) DENY all principals as * (specific action only)', async function() {
const allow_account_by_name_all_s3_actions_statement = _.cloneDeep(deny_account_by_name_all_s3_actions_statement);
allow_account_by_name_all_s3_actions_statement.Effect = 'Allow';
allow_account_by_name_all_s3_actions_statement.Sid = `Allow user ${user_a} any s3 action`;
const policy = {
Statement: [
allow_account_by_name_all_s3_actions_statement,
deny_all_principals_get_object_action_statement
]
};
await s3_owner.putBucketPolicy({
Bucket: BKT_D,
Policy: JSON.stringify(policy)
});
// prepare - put the object to get
const key6 = 'file6.txt';
const res_put_object = await s3_owner.putObject({
Body: BODY,
Bucket: BKT_D,
Key: key6
});
assert.equal(res_put_object.$metadata.httpStatusCode, 200);
// should fail - user a has a DENY statement
await assert_throws_async(s3_a.getObject({
Body: BODY,
Bucket: BKT_D,
Key: key6
}));
});
});

mocha.it('should be able to set bucket policy when none set', async function() {
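Review bot: The three new `mocha.it` cases have their titles and bodies mismatched: the second case (the `is_nc_coretest`-only one, which builds its ALLOW statement from `user_a_account_details._id`) is titled "(1) ALLOW principal by account name", while the third case is titled "(1) ALLOW principal by account ID" but its body is a verbatim copy of the first case (account-name ALLOW, same `key6`), so the two by-name tests are duplicates and the by-ID scenario is only covered under the wrong name. Swapping the two title fragments fixes it: on the second case use `'(1) ALLOW principal by account ID (2) DENY all principals as * (specific action only)'` and on the third case use `'(1) ALLOW principal by account name (2) DENY all principals as * (specific action only)'`, or drop the third case if it was not meant to add a distinct scenario. The `Body: BODY` key passed to `s3_a.getObject` in each case is not a GetObject parameter and reads as a leftover from the preceding `putObject`; removing it avoids suggesting the request carries a body. Each assertion only checks that `getObject` rejects, so a rejection for an unrelated reason (e.g. a missing key) would also pass; if `assert_throws_async` accepts an expected error code or message, pinning `AccessDenied` would make the deny-statement check meaningful. The enclosing `mocha.describe` block starts and ends outside this hunk.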
