1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
4 * Ceph - scalable distributed file system
6 * Copyright (C) 2015 Red Hat
8 * This is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License version 2.1, as published by the Free Software
11 * Foundation. See file COPYING.
17 #include <boost/intrusive_ptr.hpp>
18 #include <boost/optional.hpp>
20 #include <gtest/gtest.h>
22 #include "include/stringify.h"
23 #include "common/code_environment.h"
24 #include "common/ceph_context.h"
25 #include "global/global_init.h"
26 #include "rgw/rgw_auth.h"
27 #include "rgw/rgw_iam_policy.h"
28 #include "rgw/rgw_op.h"
34 using boost::container::flat_set
;
35 using boost::intrusive_ptr
;
36 using boost::make_optional
;
39 using rgw::auth::Identity
;
40 using rgw::auth::Principal
;
43 using rgw::IAM::Effect
;
44 using rgw::IAM::Environment
;
46 using rgw::IAM::Policy
;
47 using rgw::IAM::s3All
;
48 using rgw::IAM::s3Count
;
49 using rgw::IAM::s3GetAccelerateConfiguration
;
50 using rgw::IAM::s3GetBucketAcl
;
51 using rgw::IAM::s3GetBucketCORS
;
52 using rgw::IAM::s3GetBucketLocation
;
53 using rgw::IAM::s3GetBucketLogging
;
54 using rgw::IAM::s3GetBucketNotification
;
55 using rgw::IAM::s3GetBucketPolicy
;
56 using rgw::IAM::s3GetBucketRequestPayment
;
57 using rgw::IAM::s3GetBucketTagging
;
58 using rgw::IAM::s3GetBucketVersioning
;
59 using rgw::IAM::s3GetBucketWebsite
;
60 using rgw::IAM::s3GetLifecycleConfiguration
;
61 using rgw::IAM::s3GetObject
;
62 using rgw::IAM::s3GetObjectAcl
;
63 using rgw::IAM::s3GetObjectVersionAcl
;
64 using rgw::IAM::s3GetObjectTorrent
;
65 using rgw::IAM::s3GetObjectTagging
;
66 using rgw::IAM::s3GetObjectVersion
;
67 using rgw::IAM::s3GetObjectVersionTagging
;
68 using rgw::IAM::s3GetObjectVersionTorrent
;
69 using rgw::IAM::s3GetReplicationConfiguration
;
70 using rgw::IAM::s3ListAllMyBuckets
;
71 using rgw::IAM::s3ListBucket
;
72 using rgw::IAM::s3ListBucket
;
73 using rgw::IAM::s3ListBucketMultipartUploads
;
74 using rgw::IAM::s3ListBucketVersions
;
75 using rgw::IAM::s3ListMultipartUploadParts
;
77 using rgw::IAM::s3PutBucketAcl
;
78 using rgw::IAM::s3PutBucketPolicy
;
80 using rgw::IAM::s3GetBucketObjectLockConfiguration
;
81 using rgw::IAM::s3GetObjectRetention
;
82 using rgw::IAM::s3GetObjectLegalHold
;
83 using rgw::IAM::TokenID
;
84 using rgw::IAM::Version
;
85 using rgw::IAM::Action_t
;
86 using rgw::IAM::NotAction_t
;
87 using rgw::IAM::iamCreateRole
;
88 using rgw::IAM::iamDeleteRole
;
89 using rgw::IAM::iamAll
;
90 using rgw::IAM::stsAll
;
92 class FakeIdentity
: public Identity
{
96 explicit FakeIdentity(Principal
&& id
) : id(std::move(id
)) {}
97 uint32_t get_perms_from_aclspec(const DoutPrefixProvider
* dpp
, const aclspec_t
& aclspec
) const override
{
102 bool is_admin_of(const rgw_user
& uid
) const override
{
107 bool is_owner_of(const rgw_user
& uid
) const override
{
112 virtual uint32_t get_perm_mask() const override
{
117 uint32_t get_identity_type() const override
{
122 string
get_acct_name() const override
{
127 void to_str(std::ostream
& out
) const override
{
131 bool is_identity(const flat_set
<Principal
>& ids
) const override
{
132 if (id
.is_wildcard() && (!ids
.empty())) {
135 return ids
.find(id
) != ids
.end() || ids
.find(Principal::wildcard()) != ids
.end();
139 class PolicyTest
: public ::testing::Test
{
141 intrusive_ptr
<CephContext
> cct
;
142 static const string arbitrary_tenant
;
143 static string example1
;
144 static string example2
;
145 static string example3
;
146 static string example4
;
147 static string example5
;
148 static string example6
;
151 cct
= new CephContext(CEPH_ENTITY_TYPE_CLIENT
);
155 TEST_F(PolicyTest
, Parse1
) {
156 boost::optional
<Policy
> p
;
158 ASSERT_NO_THROW(p
= Policy(cct
.get(), arbitrary_tenant
,
159 bufferlist::static_from_string(example1
)));
162 EXPECT_EQ(p
->text
, example1
);
163 EXPECT_EQ(p
->version
, Version::v2012_10_17
);
165 EXPECT_FALSE(p
->statements
[0].sid
);
166 EXPECT_FALSE(p
->statements
.empty());
167 EXPECT_EQ(p
->statements
.size(), 1U);
168 EXPECT_TRUE(p
->statements
[0].princ
.empty());
169 EXPECT_TRUE(p
->statements
[0].noprinc
.empty());
170 EXPECT_EQ(p
->statements
[0].effect
, Effect::Allow
);
172 act
[s3ListBucket
] = 1;
173 EXPECT_EQ(p
->statements
[0].action
, act
);
174 EXPECT_EQ(p
->statements
[0].notaction
, None
);
175 ASSERT_FALSE(p
->statements
[0].resource
.empty());
176 ASSERT_EQ(p
->statements
[0].resource
.size(), 1U);
177 EXPECT_EQ(p
->statements
[0].resource
.begin()->partition
, Partition::aws
);
178 EXPECT_EQ(p
->statements
[0].resource
.begin()->service
, Service::s3
);
179 EXPECT_TRUE(p
->statements
[0].resource
.begin()->region
.empty());
180 EXPECT_EQ(p
->statements
[0].resource
.begin()->account
, arbitrary_tenant
);
181 EXPECT_EQ(p
->statements
[0].resource
.begin()->resource
, "example_bucket");
182 EXPECT_TRUE(p
->statements
[0].notresource
.empty());
183 EXPECT_TRUE(p
->statements
[0].conditions
.empty());
186 TEST_F(PolicyTest
, Eval1
) {
187 auto p
= Policy(cct
.get(), arbitrary_tenant
,
188 bufferlist::static_from_string(example1
));
191 EXPECT_EQ(p
.eval(e
, none
, s3ListBucket
,
192 ARN(Partition::aws
, Service::s3
,
193 "", arbitrary_tenant
, "example_bucket")),
196 EXPECT_EQ(p
.eval(e
, none
, s3PutBucketAcl
,
197 ARN(Partition::aws
, Service::s3
,
198 "", arbitrary_tenant
, "example_bucket")),
201 EXPECT_EQ(p
.eval(e
, none
, s3ListBucket
,
202 ARN(Partition::aws
, Service::s3
,
203 "", arbitrary_tenant
, "erroneous_bucket")),
208 TEST_F(PolicyTest
, Parse2
) {
209 boost::optional
<Policy
> p
;
211 ASSERT_NO_THROW(p
= Policy(cct
.get(), arbitrary_tenant
,
212 bufferlist::static_from_string(example2
)));
215 EXPECT_EQ(p
->text
, example2
);
216 EXPECT_EQ(p
->version
, Version::v2012_10_17
);
217 EXPECT_EQ(*p
->id
, "S3-Account-Permissions");
218 ASSERT_FALSE(p
->statements
.empty());
219 EXPECT_EQ(p
->statements
.size(), 1U);
220 EXPECT_EQ(*p
->statements
[0].sid
, "1");
221 EXPECT_FALSE(p
->statements
[0].princ
.empty());
222 EXPECT_EQ(p
->statements
[0].princ
.size(), 1U);
223 EXPECT_EQ(*p
->statements
[0].princ
.begin(),
224 Principal::tenant("ACCOUNT-ID-WITHOUT-HYPHENS"));
225 EXPECT_TRUE(p
->statements
[0].noprinc
.empty());
226 EXPECT_EQ(p
->statements
[0].effect
, Effect::Allow
);
228 for (auto i
= 0ULL; i
< s3Count
; i
++)
231 EXPECT_EQ(p
->statements
[0].action
, act
);
232 EXPECT_EQ(p
->statements
[0].notaction
, None
);
233 ASSERT_FALSE(p
->statements
[0].resource
.empty());
234 ASSERT_EQ(p
->statements
[0].resource
.size(), 2U);
235 EXPECT_EQ(p
->statements
[0].resource
.begin()->partition
, Partition::aws
);
236 EXPECT_EQ(p
->statements
[0].resource
.begin()->service
, Service::s3
);
237 EXPECT_TRUE(p
->statements
[0].resource
.begin()->region
.empty());
238 EXPECT_EQ(p
->statements
[0].resource
.begin()->account
, arbitrary_tenant
);
239 EXPECT_EQ(p
->statements
[0].resource
.begin()->resource
, "mybucket");
240 EXPECT_EQ((p
->statements
[0].resource
.begin() + 1)->partition
,
242 EXPECT_EQ((p
->statements
[0].resource
.begin() + 1)->service
,
244 EXPECT_TRUE((p
->statements
[0].resource
.begin() + 1)->region
.empty());
245 EXPECT_EQ((p
->statements
[0].resource
.begin() + 1)->account
,
247 EXPECT_EQ((p
->statements
[0].resource
.begin() + 1)->resource
, "mybucket/*");
248 EXPECT_TRUE(p
->statements
[0].notresource
.empty());
249 EXPECT_TRUE(p
->statements
[0].conditions
.empty());
252 TEST_F(PolicyTest
, Eval2
) {
253 auto p
= Policy(cct
.get(), arbitrary_tenant
,
254 bufferlist::static_from_string(example2
));
257 auto trueacct
= FakeIdentity(
258 Principal::tenant("ACCOUNT-ID-WITHOUT-HYPHENS"));
260 auto notacct
= FakeIdentity(
261 Principal::tenant("some-other-account"));
262 for (auto i
= 0ULL; i
< s3Count
; ++i
) {
263 EXPECT_EQ(p
.eval(e
, trueacct
, i
,
264 ARN(Partition::aws
, Service::s3
,
265 "", arbitrary_tenant
, "mybucket")),
267 EXPECT_EQ(p
.eval(e
, trueacct
, i
,
268 ARN(Partition::aws
, Service::s3
,
269 "", arbitrary_tenant
, "mybucket/myobject")),
272 EXPECT_EQ(p
.eval(e
, notacct
, i
,
273 ARN(Partition::aws
, Service::s3
,
274 "", arbitrary_tenant
, "mybucket")),
276 EXPECT_EQ(p
.eval(e
, notacct
, i
,
277 ARN(Partition::aws
, Service::s3
,
278 "", arbitrary_tenant
, "mybucket/myobject")),
281 EXPECT_EQ(p
.eval(e
, trueacct
, i
,
282 ARN(Partition::aws
, Service::s3
,
283 "", arbitrary_tenant
, "notyourbucket")),
285 EXPECT_EQ(p
.eval(e
, trueacct
, i
,
286 ARN(Partition::aws
, Service::s3
,
287 "", arbitrary_tenant
, "notyourbucket/notyourobject")),
293 TEST_F(PolicyTest
, Parse3
) {
294 boost::optional
<Policy
> p
;
296 ASSERT_NO_THROW(p
= Policy(cct
.get(), arbitrary_tenant
,
297 bufferlist::static_from_string(example3
)));
300 EXPECT_EQ(p
->text
, example3
);
301 EXPECT_EQ(p
->version
, Version::v2012_10_17
);
303 ASSERT_FALSE(p
->statements
.empty());
304 EXPECT_EQ(p
->statements
.size(), 3U);
306 EXPECT_EQ(*p
->statements
[0].sid
, "FirstStatement");
307 EXPECT_TRUE(p
->statements
[0].princ
.empty());
308 EXPECT_TRUE(p
->statements
[0].noprinc
.empty());
309 EXPECT_EQ(p
->statements
[0].effect
, Effect::Allow
);
311 act
[s3PutBucketPolicy
] = 1;
312 EXPECT_EQ(p
->statements
[0].action
, act
);
313 EXPECT_EQ(p
->statements
[0].notaction
, None
);
314 ASSERT_FALSE(p
->statements
[0].resource
.empty());
315 ASSERT_EQ(p
->statements
[0].resource
.size(), 1U);
316 EXPECT_EQ(p
->statements
[0].resource
.begin()->partition
, Partition::wildcard
);
317 EXPECT_EQ(p
->statements
[0].resource
.begin()->service
, Service::wildcard
);
318 EXPECT_EQ(p
->statements
[0].resource
.begin()->region
, "*");
319 EXPECT_EQ(p
->statements
[0].resource
.begin()->account
, arbitrary_tenant
);
320 EXPECT_EQ(p
->statements
[0].resource
.begin()->resource
, "*");
321 EXPECT_TRUE(p
->statements
[0].notresource
.empty());
322 EXPECT_TRUE(p
->statements
[0].conditions
.empty());
324 EXPECT_EQ(*p
->statements
[1].sid
, "SecondStatement");
325 EXPECT_TRUE(p
->statements
[1].princ
.empty());
326 EXPECT_TRUE(p
->statements
[1].noprinc
.empty());
327 EXPECT_EQ(p
->statements
[1].effect
, Effect::Allow
);
329 act1
[s3ListAllMyBuckets
] = 1;
330 EXPECT_EQ(p
->statements
[1].action
, act1
);
331 EXPECT_EQ(p
->statements
[1].notaction
, None
);
332 ASSERT_FALSE(p
->statements
[1].resource
.empty());
333 ASSERT_EQ(p
->statements
[1].resource
.size(), 1U);
334 EXPECT_EQ(p
->statements
[1].resource
.begin()->partition
, Partition::wildcard
);
335 EXPECT_EQ(p
->statements
[1].resource
.begin()->service
, Service::wildcard
);
336 EXPECT_EQ(p
->statements
[1].resource
.begin()->region
, "*");
337 EXPECT_EQ(p
->statements
[1].resource
.begin()->account
, arbitrary_tenant
);
338 EXPECT_EQ(p
->statements
[1].resource
.begin()->resource
, "*");
339 EXPECT_TRUE(p
->statements
[1].notresource
.empty());
340 EXPECT_TRUE(p
->statements
[1].conditions
.empty());
342 EXPECT_EQ(*p
->statements
[2].sid
, "ThirdStatement");
343 EXPECT_TRUE(p
->statements
[2].princ
.empty());
344 EXPECT_TRUE(p
->statements
[2].noprinc
.empty());
345 EXPECT_EQ(p
->statements
[2].effect
, Effect::Allow
);
347 act2
[s3ListMultipartUploadParts
] = 1;
348 act2
[s3ListBucket
] = 1;
349 act2
[s3ListBucketVersions
] = 1;
350 act2
[s3ListAllMyBuckets
] = 1;
351 act2
[s3ListBucketMultipartUploads
] = 1;
352 act2
[s3GetObject
] = 1;
353 act2
[s3GetObjectVersion
] = 1;
354 act2
[s3GetObjectAcl
] = 1;
355 act2
[s3GetObjectVersionAcl
] = 1;
356 act2
[s3GetObjectTorrent
] = 1;
357 act2
[s3GetObjectVersionTorrent
] = 1;
358 act2
[s3GetAccelerateConfiguration
] = 1;
359 act2
[s3GetBucketAcl
] = 1;
360 act2
[s3GetBucketCORS
] = 1;
361 act2
[s3GetBucketVersioning
] = 1;
362 act2
[s3GetBucketRequestPayment
] = 1;
363 act2
[s3GetBucketLocation
] = 1;
364 act2
[s3GetBucketPolicy
] = 1;
365 act2
[s3GetBucketNotification
] = 1;
366 act2
[s3GetBucketLogging
] = 1;
367 act2
[s3GetBucketTagging
] = 1;
368 act2
[s3GetBucketWebsite
] = 1;
369 act2
[s3GetLifecycleConfiguration
] = 1;
370 act2
[s3GetReplicationConfiguration
] = 1;
371 act2
[s3GetObjectTagging
] = 1;
372 act2
[s3GetObjectVersionTagging
] = 1;
373 act2
[s3GetBucketObjectLockConfiguration
] = 1;
374 act2
[s3GetObjectRetention
] = 1;
375 act2
[s3GetObjectLegalHold
] = 1;
377 EXPECT_EQ(p
->statements
[2].action
, act2
);
378 EXPECT_EQ(p
->statements
[2].notaction
, None
);
379 ASSERT_FALSE(p
->statements
[2].resource
.empty());
380 ASSERT_EQ(p
->statements
[2].resource
.size(), 2U);
381 EXPECT_EQ(p
->statements
[2].resource
.begin()->partition
, Partition::aws
);
382 EXPECT_EQ(p
->statements
[2].resource
.begin()->service
, Service::s3
);
383 EXPECT_TRUE(p
->statements
[2].resource
.begin()->region
.empty());
384 EXPECT_EQ(p
->statements
[2].resource
.begin()->account
, arbitrary_tenant
);
385 EXPECT_EQ(p
->statements
[2].resource
.begin()->resource
, "confidential-data");
386 EXPECT_EQ((p
->statements
[2].resource
.begin() + 1)->partition
,
388 EXPECT_EQ((p
->statements
[2].resource
.begin() + 1)->service
, Service::s3
);
389 EXPECT_TRUE((p
->statements
[2].resource
.begin() + 1)->region
.empty());
390 EXPECT_EQ((p
->statements
[2].resource
.begin() + 1)->account
,
392 EXPECT_EQ((p
->statements
[2].resource
.begin() + 1)->resource
,
393 "confidential-data/*");
394 EXPECT_TRUE(p
->statements
[2].notresource
.empty());
395 ASSERT_FALSE(p
->statements
[2].conditions
.empty());
396 ASSERT_EQ(p
->statements
[2].conditions
.size(), 1U);
397 EXPECT_EQ(p
->statements
[2].conditions
[0].op
, TokenID::Bool
);
398 EXPECT_EQ(p
->statements
[2].conditions
[0].key
, "aws:MultiFactorAuthPresent");
399 EXPECT_FALSE(p
->statements
[2].conditions
[0].ifexists
);
400 ASSERT_FALSE(p
->statements
[2].conditions
[0].vals
.empty());
401 EXPECT_EQ(p
->statements
[2].conditions
[0].vals
.size(), 1U);
402 EXPECT_EQ(p
->statements
[2].conditions
[0].vals
[0], "true");
405 TEST_F(PolicyTest
, Eval3
) {
406 auto p
= Policy(cct
.get(), arbitrary_tenant
,
407 bufferlist::static_from_string(example3
));
409 Environment tr
= { { "aws:MultiFactorAuthPresent", "true" } };
410 Environment fa
= { { "aws:MultiFactorAuthPresent", "false" } };
413 s3allow
[s3ListMultipartUploadParts
] = 1;
414 s3allow
[s3ListBucket
] = 1;
415 s3allow
[s3ListBucketVersions
] = 1;
416 s3allow
[s3ListAllMyBuckets
] = 1;
417 s3allow
[s3ListBucketMultipartUploads
] = 1;
418 s3allow
[s3GetObject
] = 1;
419 s3allow
[s3GetObjectVersion
] = 1;
420 s3allow
[s3GetObjectAcl
] = 1;
421 s3allow
[s3GetObjectVersionAcl
] = 1;
422 s3allow
[s3GetObjectTorrent
] = 1;
423 s3allow
[s3GetObjectVersionTorrent
] = 1;
424 s3allow
[s3GetAccelerateConfiguration
] = 1;
425 s3allow
[s3GetBucketAcl
] = 1;
426 s3allow
[s3GetBucketCORS
] = 1;
427 s3allow
[s3GetBucketVersioning
] = 1;
428 s3allow
[s3GetBucketRequestPayment
] = 1;
429 s3allow
[s3GetBucketLocation
] = 1;
430 s3allow
[s3GetBucketPolicy
] = 1;
431 s3allow
[s3GetBucketNotification
] = 1;
432 s3allow
[s3GetBucketLogging
] = 1;
433 s3allow
[s3GetBucketTagging
] = 1;
434 s3allow
[s3GetBucketWebsite
] = 1;
435 s3allow
[s3GetLifecycleConfiguration
] = 1;
436 s3allow
[s3GetReplicationConfiguration
] = 1;
437 s3allow
[s3GetObjectTagging
] = 1;
438 s3allow
[s3GetObjectVersionTagging
] = 1;
439 s3allow
[s3GetBucketObjectLockConfiguration
] = 1;
440 s3allow
[s3GetObjectRetention
] = 1;
441 s3allow
[s3GetObjectLegalHold
] = 1;
443 EXPECT_EQ(p
.eval(em
, none
, s3PutBucketPolicy
,
444 ARN(Partition::aws
, Service::s3
,
445 "", arbitrary_tenant
, "mybucket")),
448 EXPECT_EQ(p
.eval(em
, none
, s3PutBucketPolicy
,
449 ARN(Partition::aws
, Service::s3
,
450 "", arbitrary_tenant
, "mybucket")),
454 for (auto op
= 0ULL; op
< s3Count
; ++op
) {
455 if ((op
== s3ListAllMyBuckets
) || (op
== s3PutBucketPolicy
)) {
458 EXPECT_EQ(p
.eval(em
, none
, op
,
459 ARN(Partition::aws
, Service::s3
,
460 "", arbitrary_tenant
, "confidential-data")),
462 EXPECT_EQ(p
.eval(tr
, none
, op
,
463 ARN(Partition::aws
, Service::s3
,
464 "", arbitrary_tenant
, "confidential-data")),
465 s3allow
[op
] ? Effect::Allow
: Effect::Pass
);
466 EXPECT_EQ(p
.eval(fa
, none
, op
,
467 ARN(Partition::aws
, Service::s3
,
468 "", arbitrary_tenant
, "confidential-data")),
471 EXPECT_EQ(p
.eval(em
, none
, op
,
472 ARN(Partition::aws
, Service::s3
,
473 "", arbitrary_tenant
, "confidential-data/moo")),
475 EXPECT_EQ(p
.eval(tr
, none
, op
,
476 ARN(Partition::aws
, Service::s3
,
477 "", arbitrary_tenant
, "confidential-data/moo")),
478 s3allow
[op
] ? Effect::Allow
: Effect::Pass
);
479 EXPECT_EQ(p
.eval(fa
, none
, op
,
480 ARN(Partition::aws
, Service::s3
,
481 "", arbitrary_tenant
, "confidential-data/moo")),
484 EXPECT_EQ(p
.eval(em
, none
, op
,
485 ARN(Partition::aws
, Service::s3
,
486 "", arbitrary_tenant
, "really-confidential-data")),
488 EXPECT_EQ(p
.eval(tr
, none
, op
,
489 ARN(Partition::aws
, Service::s3
,
490 "", arbitrary_tenant
, "really-confidential-data")),
492 EXPECT_EQ(p
.eval(fa
, none
, op
,
493 ARN(Partition::aws
, Service::s3
,
494 "", arbitrary_tenant
, "really-confidential-data")),
497 EXPECT_EQ(p
.eval(em
, none
, op
,
498 ARN(Partition::aws
, Service::s3
,
499 "", arbitrary_tenant
,
500 "really-confidential-data/moo")), Effect::Pass
);
501 EXPECT_EQ(p
.eval(tr
, none
, op
,
502 ARN(Partition::aws
, Service::s3
,
503 "", arbitrary_tenant
,
504 "really-confidential-data/moo")), Effect::Pass
);
505 EXPECT_EQ(p
.eval(fa
, none
, op
,
506 ARN(Partition::aws
, Service::s3
,
507 "", arbitrary_tenant
,
508 "really-confidential-data/moo")), Effect::Pass
);
513 TEST_F(PolicyTest
, Parse4
) {
514 boost::optional
<Policy
> p
;
516 ASSERT_NO_THROW(p
= Policy(cct
.get(), arbitrary_tenant
,
517 bufferlist::static_from_string(example4
)));
520 EXPECT_EQ(p
->text
, example4
);
521 EXPECT_EQ(p
->version
, Version::v2012_10_17
);
523 EXPECT_FALSE(p
->statements
[0].sid
);
524 EXPECT_FALSE(p
->statements
.empty());
525 EXPECT_EQ(p
->statements
.size(), 1U);
526 EXPECT_TRUE(p
->statements
[0].princ
.empty());
527 EXPECT_TRUE(p
->statements
[0].noprinc
.empty());
528 EXPECT_EQ(p
->statements
[0].effect
, Effect::Allow
);
530 act
[iamCreateRole
] = 1;
531 EXPECT_EQ(p
->statements
[0].action
, act
);
532 EXPECT_EQ(p
->statements
[0].notaction
, None
);
533 ASSERT_FALSE(p
->statements
[0].resource
.empty());
534 ASSERT_EQ(p
->statements
[0].resource
.size(), 1U);
535 EXPECT_EQ(p
->statements
[0].resource
.begin()->partition
, Partition::wildcard
);
536 EXPECT_EQ(p
->statements
[0].resource
.begin()->service
, Service::wildcard
);
537 EXPECT_EQ(p
->statements
[0].resource
.begin()->region
, "*");
538 EXPECT_EQ(p
->statements
[0].resource
.begin()->account
, arbitrary_tenant
);
539 EXPECT_EQ(p
->statements
[0].resource
.begin()->resource
, "*");
540 EXPECT_TRUE(p
->statements
[0].notresource
.empty());
541 EXPECT_TRUE(p
->statements
[0].conditions
.empty());
544 TEST_F(PolicyTest
, Eval4
) {
545 auto p
= Policy(cct
.get(), arbitrary_tenant
,
546 bufferlist::static_from_string(example4
));
549 EXPECT_EQ(p
.eval(e
, none
, iamCreateRole
,
550 ARN(Partition::aws
, Service::iam
,
551 "", arbitrary_tenant
, "role/example_role")),
554 EXPECT_EQ(p
.eval(e
, none
, iamDeleteRole
,
555 ARN(Partition::aws
, Service::iam
,
556 "", arbitrary_tenant
, "role/example_role")),
560 TEST_F(PolicyTest
, Parse5
) {
561 boost::optional
<Policy
> p
;
563 ASSERT_NO_THROW(p
= Policy(cct
.get(), arbitrary_tenant
,
564 bufferlist::static_from_string(example5
)));
566 EXPECT_EQ(p
->text
, example5
);
567 EXPECT_EQ(p
->version
, Version::v2012_10_17
);
569 EXPECT_FALSE(p
->statements
[0].sid
);
570 EXPECT_FALSE(p
->statements
.empty());
571 EXPECT_EQ(p
->statements
.size(), 1U);
572 EXPECT_TRUE(p
->statements
[0].princ
.empty());
573 EXPECT_TRUE(p
->statements
[0].noprinc
.empty());
574 EXPECT_EQ(p
->statements
[0].effect
, Effect::Allow
);
576 for (auto i
= s3All
+1; i
<= iamAll
; i
++)
578 EXPECT_EQ(p
->statements
[0].action
, act
);
579 EXPECT_EQ(p
->statements
[0].notaction
, None
);
580 ASSERT_FALSE(p
->statements
[0].resource
.empty());
581 ASSERT_EQ(p
->statements
[0].resource
.size(), 1U);
582 EXPECT_EQ(p
->statements
[0].resource
.begin()->partition
, Partition::aws
);
583 EXPECT_EQ(p
->statements
[0].resource
.begin()->service
, Service::iam
);
584 EXPECT_EQ(p
->statements
[0].resource
.begin()->region
, "");
585 EXPECT_EQ(p
->statements
[0].resource
.begin()->account
, arbitrary_tenant
);
586 EXPECT_EQ(p
->statements
[0].resource
.begin()->resource
, "role/example_role");
587 EXPECT_TRUE(p
->statements
[0].notresource
.empty());
588 EXPECT_TRUE(p
->statements
[0].conditions
.empty());
591 TEST_F(PolicyTest
, Eval5
) {
592 auto p
= Policy(cct
.get(), arbitrary_tenant
,
593 bufferlist::static_from_string(example5
));
596 EXPECT_EQ(p
.eval(e
, none
, iamCreateRole
,
597 ARN(Partition::aws
, Service::iam
,
598 "", arbitrary_tenant
, "role/example_role")),
601 EXPECT_EQ(p
.eval(e
, none
, s3ListBucket
,
602 ARN(Partition::aws
, Service::iam
,
603 "", arbitrary_tenant
, "role/example_role")),
606 EXPECT_EQ(p
.eval(e
, none
, iamCreateRole
,
607 ARN(Partition::aws
, Service::iam
,
608 "", "", "role/example_role")),
612 TEST_F(PolicyTest
, Parse6
) {
613 boost::optional
<Policy
> p
;
615 ASSERT_NO_THROW(p
= Policy(cct
.get(), arbitrary_tenant
,
616 bufferlist::static_from_string(example6
)));
618 EXPECT_EQ(p
->text
, example6
);
619 EXPECT_EQ(p
->version
, Version::v2012_10_17
);
621 EXPECT_FALSE(p
->statements
[0].sid
);
622 EXPECT_FALSE(p
->statements
.empty());
623 EXPECT_EQ(p
->statements
.size(), 1U);
624 EXPECT_TRUE(p
->statements
[0].princ
.empty());
625 EXPECT_TRUE(p
->statements
[0].noprinc
.empty());
626 EXPECT_EQ(p
->statements
[0].effect
, Effect::Allow
);
628 for (auto i
= 0U; i
<= stsAll
; i
++)
630 EXPECT_EQ(p
->statements
[0].action
, act
);
631 EXPECT_EQ(p
->statements
[0].notaction
, None
);
632 ASSERT_FALSE(p
->statements
[0].resource
.empty());
633 ASSERT_EQ(p
->statements
[0].resource
.size(), 1U);
634 EXPECT_EQ(p
->statements
[0].resource
.begin()->partition
, Partition::aws
);
635 EXPECT_EQ(p
->statements
[0].resource
.begin()->service
, Service::iam
);
636 EXPECT_EQ(p
->statements
[0].resource
.begin()->region
, "");
637 EXPECT_EQ(p
->statements
[0].resource
.begin()->account
, arbitrary_tenant
);
638 EXPECT_EQ(p
->statements
[0].resource
.begin()->resource
, "user/A");
639 EXPECT_TRUE(p
->statements
[0].notresource
.empty());
640 EXPECT_TRUE(p
->statements
[0].conditions
.empty());
643 TEST_F(PolicyTest
, Eval6
) {
644 auto p
= Policy(cct
.get(), arbitrary_tenant
,
645 bufferlist::static_from_string(example6
));
648 EXPECT_EQ(p
.eval(e
, none
, iamCreateRole
,
649 ARN(Partition::aws
, Service::iam
,
650 "", arbitrary_tenant
, "user/A")),
653 EXPECT_EQ(p
.eval(e
, none
, s3ListBucket
,
654 ARN(Partition::aws
, Service::iam
,
655 "", arbitrary_tenant
, "user/A")),
659 const string
PolicyTest::arbitrary_tenant
= "arbitrary_tenant";
660 string
PolicyTest::example1
= R
"(
662 "Version
": "2012-10-17",
665 "Action
": "s3
:ListBucket
",
666 "Resource
": "arn
:aws
:s3:::example_bucket
"
671 string
PolicyTest::example2
= R
"(
673 "Version
": "2012-10-17",
674 "Id
": "S3
-Account
-Permissions
",
678 "Principal
": {"AWS
": ["arn
:aws
:iam::ACCOUNT
-ID
-WITHOUT
-HYPHENS
:root
"]},
681 "arn
:aws
:s3:::mybucket
",
682 "arn
:aws
:s3:::mybucket
/*"
688 string PolicyTest::example3 = R"(
690 "Version": "2012-10-17",
693 "Sid": "FirstStatement",
695 "Action": ["s3:PutBucketPolicy"],
699 "Sid": "SecondStatement",
701 "Action": "s3:ListAllMyBuckets",
705 "Sid": "ThirdStatement",
712 "arn:aws:s3:::confidential-data",
713 "arn:aws:s3:::confidential-data/*"
715 "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
721 string PolicyTest::example4 = R"(
723 "Version": "2012-10-17",
726 "Action": "iam:CreateRole",
732 string PolicyTest::example5 = R"(
734 "Version": "2012-10-17",
738 "Resource": "arn:aws:iam:::role/example_role"
743 string PolicyTest::example6 = R"(
745 "Version": "2012-10-17",
749 "Resource": "arn:aws:iam:::user/A"
753 class IPPolicyTest : public ::testing::Test {
755 intrusive_ptr<CephContext> cct;
756 static const string arbitrary_tenant;
757 static string ip_address_allow_example;
758 static string ip_address_deny_example;
759 static string ip_address_full_example;
761 const rgw::IAM::MaskedIP allowedIPv4Range = { false, rgw::IAM::Address("11000000101010000000000100000000"), 24 };
763 const rgw::IAM::MaskedIP blacklistedIPv4 = { false, rgw::IAM::Address("11000000101010000000000100000001"), 32 };
764 // 2001:db8:85a3:0:0:8a2e:370:7334/128
765 const rgw::IAM::MaskedIP allowedIPv6 = { true, rgw::IAM::Address("00100000000000010000110110111000100001011010001100000000000000000000000000000000100010100010111000000011011100000111001100110100"), 128 };
767 const rgw::IAM::MaskedIP blacklistedIPv6 = { true, rgw::IAM::Address(1), 128 };
768 // 2001:db8:85a3:0:0:8a2e:370:7330/124
769 const rgw::IAM::MaskedIP allowedIPv6Range = { true, rgw::IAM::Address("00100000000000010000110110111000100001011010001100000000000000000000000000000000100010100010111000000011011100000111001100110000"), 124 };
772 cct = new CephContext(CEPH_ENTITY_TYPE_CLIENT);
775 const string IPPolicyTest::arbitrary_tenant = "arbitrary_tenant";
777 TEST_F(IPPolicyTest, MaskedIPOperations) {
778 EXPECT_EQ(stringify(allowedIPv4Range), "192.168.1.0/24");
779 EXPECT_EQ(stringify(blacklistedIPv4), "192.168.1.1/32");
780 EXPECT_EQ(stringify(allowedIPv6), "2001:db8:85a3:0:0:8a2e:370:7334/128");
781 EXPECT_EQ(stringify(allowedIPv6Range), "2001:db8:85a3:0:0:8a2e:370:7330/124");
782 EXPECT_EQ(stringify(blacklistedIPv6), "0:0:0:0:0:0:0:1/128");
783 EXPECT_EQ(allowedIPv4Range, blacklistedIPv4);
784 EXPECT_EQ(allowedIPv6Range, allowedIPv6);
787 TEST_F(IPPolicyTest, asNetworkIPv4Range) {
788 auto actualIPv4Range = rgw::IAM::Condition::as_network("192.168.1.0/24");
789 ASSERT_TRUE(actualIPv4Range.is_initialized());
790 EXPECT_EQ(*actualIPv4Range, allowedIPv4Range);
793 TEST_F(IPPolicyTest, asNetworkIPv4) {
794 auto actualIPv4 = rgw::IAM::Condition::as_network("192.168.1.1");
795 ASSERT_TRUE(actualIPv4.is_initialized());
796 EXPECT_EQ(*actualIPv4, blacklistedIPv4);
799 TEST_F(IPPolicyTest, asNetworkIPv6Range) {
800 auto actualIPv6Range = rgw::IAM::Condition::as_network("2001:db8:85a3:0:0:8a2e:370:7330/124");
801 ASSERT_TRUE(actualIPv6Range.is_initialized());
802 EXPECT_EQ(*actualIPv6Range, allowedIPv6Range);
805 TEST_F(IPPolicyTest, asNetworkIPv6) {
806 auto actualIPv6 = rgw::IAM::Condition::as_network("2001:db8:85a3:0:0:8a2e:370:7334");
807 ASSERT_TRUE(actualIPv6.is_initialized());
808 EXPECT_EQ(*actualIPv6, allowedIPv6);
811 TEST_F(IPPolicyTest, asNetworkInvalid) {
812 EXPECT_FALSE(rgw::IAM::Condition::as_network(""));
813 EXPECT_FALSE(rgw::IAM::Condition::as_network("192.168.1.1/33"));
814 EXPECT_FALSE(rgw::IAM::Condition::as_network("2001:db8:85a3:0:0:8a2e:370:7334/129"));
815 EXPECT_FALSE(rgw::IAM::Condition::as_network("192.168.1.1:"));
816 EXPECT_FALSE(rgw::IAM::Condition::as_network("1.2.3.10000"));
819 TEST_F(IPPolicyTest, IPEnvironment) {
820 // Unfortunately RGWCivetWeb is too tightly tied to civetweb to test RGWCivetWeb::init_env.
824 rgw_env.set("REMOTE_ADDR", "192.168.1.1");
825 rgw_env.set("HTTP_HOST", "1.2.3.4");
826 req_state rgw_req_state(cct.get(), &rgw_env, &user, 0);
827 rgw_build_iam_environment(&rgw_rados, &rgw_req_state);
828 auto ip = rgw_req_state.env.find("aws:SourceIp");
829 ASSERT_NE(ip, rgw_req_state.env.end());
830 EXPECT_EQ(ip->second, "192.168.1.1");
832 ASSERT_EQ(cct.get()->_conf.set_val("rgw_remote_addr_param", "SOME_VAR"), 0);
833 EXPECT_EQ(cct.get()->_conf->rgw_remote_addr_param, "SOME_VAR");
834 rgw_req_state.env.clear();
835 rgw_build_iam_environment(&rgw_rados, &rgw_req_state);
836 ip = rgw_req_state.env.find("aws:SourceIp");
837 EXPECT_EQ(ip, rgw_req_state.env.end());
839 rgw_env.set("SOME_VAR", "192.168.1.2");
840 rgw_req_state.env.clear();
841 rgw_build_iam_environment(&rgw_rados, &rgw_req_state);
842 ip = rgw_req_state.env.find("aws:SourceIp");
843 ASSERT_NE(ip, rgw_req_state.env.end());
844 EXPECT_EQ(ip->second, "192.168.1.2");
846 ASSERT_EQ(cct.get()->_conf.set_val("rgw_remote_addr_param", "HTTP_X_FORWARDED_FOR"), 0);
847 rgw_env.set("HTTP_X_FORWARDED_FOR", "192.168.1.3");
848 rgw_req_state.env.clear();
849 rgw_build_iam_environment(&rgw_rados, &rgw_req_state);
850 ip = rgw_req_state.env.find("aws:SourceIp");
851 ASSERT_NE(ip, rgw_req_state.env.end());
852 EXPECT_EQ(ip->second, "192.168.1.3");
854 rgw_env.set("HTTP_X_FORWARDED_FOR", "192.168.1.4, 4.3.2.1, 2001:db8:85a3:8d3:1319:8a2e:370:7348");
855 rgw_req_state.env.clear();
856 rgw_build_iam_environment(&rgw_rados, &rgw_req_state);
857 ip = rgw_req_state.env.find("aws:SourceIp");
858 ASSERT_NE(ip, rgw_req_state.env.end());
859 EXPECT_EQ(ip->second, "192.168.1.4");
862 TEST_F(IPPolicyTest, ParseIPAddress) {
863 boost::optional<Policy> p;
865 ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
866 bufferlist::static_from_string(ip_address_full_example)));
869 EXPECT_EQ(p->text, ip_address_full_example);
870 EXPECT_EQ(p->version, Version::v2012_10_17);
871 EXPECT_EQ(*p->id, "S3IPPolicyTest");
872 EXPECT_FALSE(p->statements.empty());
873 EXPECT_EQ(p->statements.size(), 1U);
874 EXPECT_EQ(*p->statements[0].sid, "IPAllow");
875 EXPECT_FALSE(p->statements[0].princ.empty());
876 EXPECT_EQ(p->statements[0].princ.size(), 1U);
877 EXPECT_EQ(*p->statements[0].princ.begin(),
878 Principal::wildcard());
879 EXPECT_TRUE(p->statements[0].noprinc.empty());
880 EXPECT_EQ(p->statements[0].effect, Effect::Allow);
882 act[s3ListBucket] = 1;
883 EXPECT_EQ(p->statements[0].action, act);
884 EXPECT_EQ(p->statements[0].notaction, None);
885 ASSERT_FALSE(p->statements[0].resource.empty());
886 ASSERT_EQ(p->statements[0].resource.size(), 2U);
887 EXPECT_EQ(p->statements[0].resource.begin()->partition, Partition::aws);
888 EXPECT_EQ(p->statements[0].resource.begin()->service, Service::s3);
889 EXPECT_TRUE(p->statements[0].resource.begin()->region.empty());
890 EXPECT_EQ(p->statements[0].resource.begin()->account, arbitrary_tenant);
891 EXPECT_EQ(p->statements[0].resource.begin()->resource, "example_bucket");
892 EXPECT_EQ((p->statements[0].resource.begin() + 1)->resource, "example_bucket/*");
893 EXPECT_TRUE(p->statements[0].notresource.empty());
894 ASSERT_FALSE(p->statements[0].conditions.empty());
895 ASSERT_EQ(p->statements[0].conditions.size(), 2U);
896 EXPECT_EQ(p->statements[0].conditions[0].op, TokenID::IpAddress);
897 EXPECT_EQ(p->statements[0].conditions[0].key, "aws:SourceIp");
898 ASSERT_FALSE(p->statements[0].conditions[0].vals.empty());
899 EXPECT_EQ(p->statements[0].conditions[0].vals.size(), 2U);
900 EXPECT_EQ(p->statements[0].conditions[0].vals[0], "192.168.1.0/24");
901 EXPECT_EQ(p->statements[0].conditions[0].vals[1], "::1");
902 boost::optional<rgw::IAM::MaskedIP> convertedIPv4 = rgw::IAM::Condition::as_network(p->statements[0].conditions[0].vals[0]);
903 EXPECT_TRUE(convertedIPv4.is_initialized());
904 if (convertedIPv4.is_initialized()) {
905 EXPECT_EQ(*convertedIPv4, allowedIPv4Range);
908 EXPECT_EQ(p->statements[0].conditions[1].op, TokenID::NotIpAddress);
909 EXPECT_EQ(p->statements[0].conditions[1].key, "aws:SourceIp");
910 ASSERT_FALSE(p->statements[0].conditions[1].vals.empty());
911 EXPECT_EQ(p->statements[0].conditions[1].vals.size(), 2U);
912 EXPECT_EQ(p->statements[0].conditions[1].vals[0], "192.168.1.1/32");
913 EXPECT_EQ(p->statements[0].conditions[1].vals[1], "2001:0db8:85a3:0000:0000:8a2e:0370:7334");
914 boost::optional<rgw::IAM::MaskedIP> convertedIPv6 = rgw::IAM::Condition::as_network(p->statements[0].conditions[1].vals[1]);
915 EXPECT_TRUE(convertedIPv6.is_initialized());
916 if (convertedIPv6.is_initialized()) {
917 EXPECT_EQ(*convertedIPv6, allowedIPv6);
921 TEST_F(IPPolicyTest, EvalIPAddress) {
922 auto allowp = Policy(cct.get(), arbitrary_tenant,
923 bufferlist::static_from_string(ip_address_allow_example));
924 auto denyp = Policy(cct.get(), arbitrary_tenant,
925 bufferlist::static_from_string(ip_address_deny_example));
926 auto fullp = Policy(cct.get(), arbitrary_tenant,
927 bufferlist::static_from_string(ip_address_full_example));
929 Environment allowedIP, blacklistedIP, allowedIPv6, blacklistedIPv6;
930 allowedIP["aws:SourceIp"] = "192.168.1.2";
931 allowedIPv6["aws:SourceIp"] = "::1";
932 blacklistedIP["aws:SourceIp"] = "192.168.1.1";
933 blacklistedIPv6["aws:SourceIp"] = "2001:0db8:85a3:0000:0000:8a2e:0370:7334";
935 auto trueacct = FakeIdentity(
936 Principal::tenant("ACCOUNT-ID-WITHOUT-HYPHENS"));
937 // Without an IP address in the environment then evaluation will always pass
938 EXPECT_EQ(allowp.eval(e, trueacct, s3ListBucket,
939 ARN(Partition::aws, Service::s3,
940 "", arbitrary_tenant, "example_bucket")),
942 EXPECT_EQ(fullp.eval(e, trueacct, s3ListBucket,
943 ARN(Partition::aws, Service::s3,
944 "", arbitrary_tenant, "example_bucket/myobject")),
947 EXPECT_EQ(allowp.eval(allowedIP, trueacct, s3ListBucket,
948 ARN(Partition::aws, Service::s3,
949 "", arbitrary_tenant, "example_bucket")),
951 EXPECT_EQ(allowp.eval(blacklistedIPv6, trueacct, s3ListBucket,
952 ARN(Partition::aws, Service::s3,
953 "", arbitrary_tenant, "example_bucket")),
957 EXPECT_EQ(denyp.eval(allowedIP, trueacct, s3ListBucket,
958 ARN(Partition::aws, Service::s3,
959 "", arbitrary_tenant, "example_bucket")),
961 EXPECT_EQ(denyp.eval(allowedIP, trueacct, s3ListBucket,
962 ARN(Partition::aws, Service::s3,
963 "", arbitrary_tenant, "example_bucket/myobject")),
966 EXPECT_EQ(denyp.eval(blacklistedIP, trueacct, s3ListBucket,
967 ARN(Partition::aws, Service::s3,
968 "", arbitrary_tenant, "example_bucket")),
970 EXPECT_EQ(denyp.eval(blacklistedIP, trueacct, s3ListBucket,
971 ARN(Partition::aws, Service::s3,
972 "", arbitrary_tenant, "example_bucket/myobject")),
975 EXPECT_EQ(denyp.eval(blacklistedIPv6, trueacct, s3ListBucket,
976 ARN(Partition::aws, Service::s3,
977 "", arbitrary_tenant, "example_bucket")),
979 EXPECT_EQ(denyp.eval(blacklistedIPv6, trueacct, s3ListBucket,
980 ARN(Partition::aws, Service::s3,
981 "", arbitrary_tenant, "example_bucket/myobject")),
983 EXPECT_EQ(denyp.eval(allowedIPv6, trueacct, s3ListBucket,
984 ARN(Partition::aws, Service::s3,
985 "", arbitrary_tenant, "example_bucket")),
987 EXPECT_EQ(denyp.eval(allowedIPv6, trueacct, s3ListBucket,
988 ARN(Partition::aws, Service::s3,
989 "", arbitrary_tenant, "example_bucket/myobject")),
992 EXPECT_EQ(fullp.eval(allowedIP, trueacct, s3ListBucket,
993 ARN(Partition::aws, Service::s3,
994 "", arbitrary_tenant, "example_bucket")),
996 EXPECT_EQ(fullp.eval(allowedIP, trueacct, s3ListBucket,
997 ARN(Partition::aws, Service::s3,
998 "", arbitrary_tenant, "example_bucket/myobject")),
1001 EXPECT_EQ(fullp.eval(blacklistedIP, trueacct, s3ListBucket,
1002 ARN(Partition::aws, Service::s3,
1003 "", arbitrary_tenant, "example_bucket")),
1005 EXPECT_EQ(fullp.eval(blacklistedIP, trueacct, s3ListBucket,
1006 ARN(Partition::aws, Service::s3,
1007 "", arbitrary_tenant, "example_bucket/myobject")),
1010 EXPECT_EQ(fullp.eval(allowedIPv6, trueacct, s3ListBucket,
1011 ARN(Partition::aws, Service::s3,
1012 "", arbitrary_tenant, "example_bucket")),
1014 EXPECT_EQ(fullp.eval(allowedIPv6, trueacct, s3ListBucket,
1015 ARN(Partition::aws, Service::s3,
1016 "", arbitrary_tenant, "example_bucket/myobject")),
1019 EXPECT_EQ(fullp.eval(blacklistedIPv6, trueacct, s3ListBucket,
1020 ARN(Partition::aws, Service::s3,
1021 "", arbitrary_tenant, "example_bucket")),
1023 EXPECT_EQ(fullp.eval(blacklistedIPv6, trueacct, s3ListBucket,
1024 ARN(Partition::aws, Service::s3,
1025 "", arbitrary_tenant, "example_bucket/myobject")),
1029 string IPPolicyTest::ip_address_allow_example = R"(
1031 "Version": "2012-10-17",
1032 "Id": "S3SimpleIPPolicyTest",
1036 "Principal": {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]},
1037 "Action": "s3:ListBucket",
1039 "arn:aws:s3:::example_bucket"
1042 "IpAddress": {"aws:SourceIp": "192.168.1.0/24"}
1048 string IPPolicyTest::ip_address_deny_example = R"(
1050 "Version": "2012-10-17",
1051 "Id": "S3IPPolicyTest",
1055 "Action": "s3:ListBucket",
1056 "Principal": {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]},
1058 "arn:aws:s3:::example_bucket",
1059 "arn:aws:s3:::example_bucket/*"
1062 "NotIpAddress": {"aws:SourceIp": ["192.168.1.1/32", "2001:0db8:85a3:0000:0000:8a2e:0370:7334"]}
1068 string IPPolicyTest::ip_address_full_example = R"(
1070 "Version": "2012-10-17",
1071 "Id": "S3IPPolicyTest",
1075 "Action": "s3:ListBucket",
1078 "arn:aws:s3:::example_bucket",
1079 "arn:aws:s3:::example_bucket/*"
1082 "IpAddress": {"aws:SourceIp": ["192.168.1.0/24", "::1"]},
1083 "NotIpAddress": {"aws:SourceIp": ["192.168.1.1/32", "2001:0db8:85a3:0000:0000:8a2e:0370:7334"]}
1089 TEST(MatchWildcards, Simple)
1091 EXPECT_TRUE(match_wildcards("", ""));
1092 EXPECT_TRUE(match_wildcards("", "", MATCH_CASE_INSENSITIVE));
1093 EXPECT_FALSE(match_wildcards("", "abc"));
1094 EXPECT_FALSE(match_wildcards("", "abc", MATCH_CASE_INSENSITIVE));
1095 EXPECT_FALSE(match_wildcards("abc", ""));
1096 EXPECT_FALSE(match_wildcards("abc", "", MATCH_CASE_INSENSITIVE));
1097 EXPECT_TRUE(match_wildcards("abc", "abc"));
1098 EXPECT_TRUE(match_wildcards("abc", "abc", MATCH_CASE_INSENSITIVE));
1099 EXPECT_FALSE(match_wildcards("abc", "abC"));
1100 EXPECT_TRUE(match_wildcards("abc", "abC", MATCH_CASE_INSENSITIVE));
1101 EXPECT_FALSE(match_wildcards("abC", "abc"));
1102 EXPECT_TRUE(match_wildcards("abC", "abc", MATCH_CASE_INSENSITIVE));
1103 EXPECT_FALSE(match_wildcards("abc", "abcd"));
1104 EXPECT_FALSE(match_wildcards("abc", "abcd", MATCH_CASE_INSENSITIVE));
1105 EXPECT_FALSE(match_wildcards("abcd", "abc"));
1106 EXPECT_FALSE(match_wildcards("abcd", "abc", MATCH_CASE_INSENSITIVE));
1109 TEST(MatchWildcards, QuestionMark)
1111 EXPECT_FALSE(match_wildcards("?", ""));
1112 EXPECT_FALSE(match_wildcards("?", "", MATCH_CASE_INSENSITIVE));
1113 EXPECT_TRUE(match_wildcards("?", "a"));
1114 EXPECT_TRUE(match_wildcards("?", "a", MATCH_CASE_INSENSITIVE));
1115 EXPECT_TRUE(match_wildcards("?bc", "abc"));
1116 EXPECT_TRUE(match_wildcards("?bc", "abc", MATCH_CASE_INSENSITIVE));
1117 EXPECT_TRUE(match_wildcards("a?c", "abc"));
1118 EXPECT_TRUE(match_wildcards("a?c", "abc", MATCH_CASE_INSENSITIVE));
1119 EXPECT_FALSE(match_wildcards("abc", "a?c"));
1120 EXPECT_FALSE(match_wildcards("abc", "a?c", MATCH_CASE_INSENSITIVE));
1121 EXPECT_FALSE(match_wildcards("a?c", "abC"));
1122 EXPECT_TRUE(match_wildcards("a?c", "abC", MATCH_CASE_INSENSITIVE));
1123 EXPECT_TRUE(match_wildcards("ab?", "abc"));
1124 EXPECT_TRUE(match_wildcards("ab?", "abc", MATCH_CASE_INSENSITIVE));
1125 EXPECT_TRUE(match_wildcards("a?c?e", "abcde"));
1126 EXPECT_TRUE(match_wildcards("a?c?e", "abcde", MATCH_CASE_INSENSITIVE));
1127 EXPECT_TRUE(match_wildcards("???", "abc"));
1128 EXPECT_TRUE(match_wildcards("???", "abc", MATCH_CASE_INSENSITIVE));
1129 EXPECT_FALSE(match_wildcards("???", "abcd"));
1130 EXPECT_FALSE(match_wildcards("???", "abcd", MATCH_CASE_INSENSITIVE));
1133 TEST(MatchWildcards, Asterisk)
1135 EXPECT_TRUE(match_wildcards("*", ""));
1136 EXPECT_TRUE(match_wildcards("*", "", MATCH_CASE_INSENSITIVE));
1137 EXPECT_FALSE(match_wildcards("", "*"));
1138 EXPECT_FALSE(match_wildcards("", "*", MATCH_CASE_INSENSITIVE));
1139 EXPECT_FALSE(match_wildcards("*a", ""));
1140 EXPECT_FALSE(match_wildcards("*a", "", MATCH_CASE_INSENSITIVE));
1141 EXPECT_TRUE(match_wildcards("*a", "a"));
1142 EXPECT_TRUE(match_wildcards("*a", "a", MATCH_CASE_INSENSITIVE));
1143 EXPECT_TRUE(match_wildcards("a*", "a"));
1144 EXPECT_TRUE(match_wildcards("a*", "a", MATCH_CASE_INSENSITIVE));
1145 EXPECT_TRUE(match_wildcards("a*c", "ac"));
1146 EXPECT_TRUE(match_wildcards("a*c", "ac", MATCH_CASE_INSENSITIVE));
1147 EXPECT_TRUE(match_wildcards("a*c", "abbc"));
1148 EXPECT_TRUE(match_wildcards("a*c", "abbc", MATCH_CASE_INSENSITIVE));
1149 EXPECT_FALSE(match_wildcards("a*c", "abbC"));
1150 EXPECT_TRUE(match_wildcards("a*c", "abbC", MATCH_CASE_INSENSITIVE));
1151 EXPECT_TRUE(match_wildcards("a*c*e", "abBce"));
1152 EXPECT_TRUE(match_wildcards("a*c*e", "abBce", MATCH_CASE_INSENSITIVE));
1153 EXPECT_TRUE(match_wildcards("http://*.example.com",
1154 "http://www.example.com"));
1155 EXPECT_TRUE(match_wildcards("http://*.example.com",
1156 "http://www.example.com", MATCH_CASE_INSENSITIVE));
1157 EXPECT_FALSE(match_wildcards("http://*.example.com",
1158 "http://www.Example.com"));
1159 EXPECT_TRUE(match_wildcards("http://*.example.com",
1160 "http://www.Example.com", MATCH_CASE_INSENSITIVE));
1161 EXPECT_TRUE(match_wildcards("http://example.com/*",
1162 "http://example.com/index.html"));
1163 EXPECT_TRUE(match_wildcards("http://example.com/*/*.jpg",
1164 "http://example.com/fun/smiley.jpg"));
1165 // note: parsing of * is not greedy, so * does not match 'bc' here
1166 EXPECT_FALSE(match_wildcards("a*c", "abcc"));
1167 EXPECT_FALSE(match_wildcards("a*c", "abcc", MATCH_CASE_INSENSITIVE));
1170 TEST(MatchPolicy, Action)
1172 constexpr auto flag = MATCH_POLICY_ACTION;
1173 EXPECT_TRUE(match_policy("a:b:c", "a:b:c", flag));
1174 EXPECT_TRUE(match_policy("a:b:c", "A:B:C", flag)); // case insensitive
1175 EXPECT_TRUE(match_policy("a:*:e", "a:bcd:e", flag));
1176 EXPECT_FALSE(match_policy("a:*", "a:b:c", flag)); // cannot span segments
1179 TEST(MatchPolicy, Resource)
1181 constexpr auto flag = MATCH_POLICY_RESOURCE;
1182 EXPECT_TRUE(match_policy("a:b:c", "a:b:c", flag));
1183 EXPECT_FALSE(match_policy("a:b:c", "A:B:C", flag)); // case sensitive
1184 EXPECT_TRUE(match_policy("a:*:e", "a:bcd:e", flag));
1185 EXPECT_TRUE(match_policy("a:*", "a:b:c", flag)); // can span segments
1188 TEST(MatchPolicy, ARN)
1190 constexpr auto flag = MATCH_POLICY_ARN;
1191 EXPECT_TRUE(match_policy("a:b:c", "a:b:c", flag));
1192 EXPECT_TRUE(match_policy("a:b:c", "A:B:C", flag)); // case insensitive
1193 EXPECT_TRUE(match_policy("a:*:e", "a:bcd:e", flag));
1194 EXPECT_FALSE(match_policy("a:*", "a:b:c", flag)); // cannot span segments
1197 TEST(MatchPolicy, String)
1199 constexpr auto flag = MATCH_POLICY_STRING;
1200 EXPECT_TRUE(match_policy("a:b:c", "a:b:c", flag));
1201 EXPECT_FALSE(match_policy("a:b:c", "A:B:C", flag)); // case sensitive
1202 EXPECT_TRUE(match_policy("a:*:e", "a:bcd:e", flag));
1203 EXPECT_TRUE(match_policy("a:*", "a:b:c", flag)); // can span segments