
Commit 1157074

fix: getBucketPolicy to match pattern for prefix used in setBucketPolicy (#2156)
1 parent 9b927a4 commit 1157074


2 files changed

+94
-0
lines changed


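--- a/pkg/policy/bucket-policy.go
+++ b/pkg/policy/bucket-policy.go
@@ -521,6 +521,18 @@ func getBucketPolicy(statement Statement, prefix string) (commonFound, readOnly,
 readOnly = true
 }
 }
+} else if stringLikeValue, ok := statement.Conditions["StringLike"]; ok {
+if s3PrefixValues, ok := stringLikeValue["s3:prefix"]; ok {
+if s3PrefixValues.Contains(prefix + "*") {
+readOnly = true
+}
+}
+} else if stringNotLikeValue, ok := statement.Conditions["StringNotLike"]; ok {
+if s3PrefixValues, ok := stringNotLikeValue["s3:prefix"]; ok {
+if !s3PrefixValues.Contains(prefix + "*") {
+readOnly = true
+}
+}
 }
 } else if prefix == "" && statement.Conditions == nil {
 readOnly = true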
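Review bot: The new StringLike and StringNotLike branches decide by exact set membership of `prefix + "*"`, so they only recognise the one pattern shape this library's own setBucketPolicy writes; a policy authored elsewhere with a broader wildcard is missed by the StringLike branch, and in the StringNotLike branch `!s3PrefixValues.Contains(prefix + "*")` then reports readOnly for a prefix that the pattern actually excludes. That second case over-reports effective access, so the assumption should at least be stated next to the branches, e.g. `// Only the exact "<prefix>*" form emitted by setBucketPolicy is recognised; other wildcard shapes are not pattern-matched.`, or replaced with a real pattern match. The branches are also appended to an existing else-if chain that begins above the hunk, so a statement carrying both a StringEquals and a StringLike key is presumably evaluated only for whichever key the chain reaches first. getBucketPolicy begins and ends outside the hunk.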

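--- a/pkg/policy/bucket-policy_test.go
+++ b/pkg/policy/bucket-policy_test.go
@@ -1371,6 +1371,30 @@ func TestGetBucketPolicy(t *testing.T) {
 notHelloCondMap := make(ConditionMap)
 notHelloCondMap.Add("StringNotEquals", worldCondKeyMap)
 
+// StringLike condition map for "hello*"
+stringLikeHelloCondMap := make(ConditionMap)
+stringLikeHelloCondKeyMap := make(ConditionKeyMap)
+stringLikeHelloCondKeyMap.Add("s3:prefix", set.CreateStringSet("hello*"))
+stringLikeHelloCondMap.Add("StringLike", stringLikeHelloCondKeyMap)
+
+// StringLike condition map for "world*"
+stringLikeWorldCondMap := make(ConditionMap)
+stringLikeWorldCondKeyMap := make(ConditionKeyMap)
+stringLikeWorldCondKeyMap.Add("s3:prefix", set.CreateStringSet("world*"))
+stringLikeWorldCondMap.Add("StringLike", stringLikeWorldCondKeyMap)
+
+// StringNotLike condition map for "hello*"
+stringNotLikeHelloCondMap := make(ConditionMap)
+stringNotLikeHelloCondKeyMap := make(ConditionKeyMap)
+stringNotLikeHelloCondKeyMap.Add("s3:prefix", set.CreateStringSet("hello*"))
+stringNotLikeHelloCondMap.Add("StringNotLike", stringNotLikeHelloCondKeyMap)
+
+// StringNotLike condition map for "world*"
+stringNotLikeWorldCondMap := make(ConditionMap)
+stringNotLikeWorldCondKeyMap := make(ConditionKeyMap)
+stringNotLikeWorldCondKeyMap.Add("s3:prefix", set.CreateStringSet("world*"))
+stringNotLikeWorldCondMap.Add("StringNotLike", stringNotLikeWorldCondKeyMap)
+
 testCases := []struct {
 statement Statement
 prefix string
@@ -1548,6 +1572,64 @@ func TestGetBucketPolicy(t *testing.T) {
 Conditions: notHelloCondMap,
 Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
 }, "hello", false, true, false},
+
+// Statement with StringLike condition for "hello*" pattern with empty prefix - should not grant readOnly access.
+{Statement{
+Actions: readOnlyBucketActions,
+Effect: "Allow",
+Principal: User{AWS: set.CreateStringSet("*")},
+Conditions: stringLikeHelloCondMap,
+Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+}, "", false, false, false},
+// Statement with StringLike condition for "hello*" pattern with "hello" prefix - should grant readOnly access.
+{Statement{
+Actions: readOnlyBucketActions,
+Effect: "Allow",
+Principal: User{AWS: set.CreateStringSet("*")},
+Conditions: stringLikeHelloCondMap,
+Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+}, "hello", false, true, false},
+// Statement with StringLike condition for "world*" pattern with "hello" prefix - should not grant readOnly access.
+{Statement{
+Actions: readOnlyBucketActions,
+Effect: "Allow",
+Principal: User{AWS: set.CreateStringSet("*")},
+Conditions: stringLikeWorldCondMap,
+Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+}, "hello", false, false, false},
+
+// Statement with StringNotLike condition for "hello*" pattern with empty prefix - should not grant readOnly access.
+{Statement{
+Actions: readOnlyBucketActions,
+Effect: "Allow",
+Principal: User{AWS: set.CreateStringSet("*")},
+Conditions: stringNotLikeHelloCondMap,
+Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+}, "", false, false, false},
+// Statement with StringNotLike condition for "hello*" pattern with "hello" prefix - prefix matches pattern so should not grant readOnly access.
+{Statement{
+Actions: readOnlyBucketActions,
+Effect: "Allow",
+Principal: User{AWS: set.CreateStringSet("*")},
+Conditions: stringNotLikeHelloCondMap,
+Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+}, "hello", false, false, false},
+// Statement with StringNotLike condition for "world*" pattern with "hello" prefix - prefix doesn't match pattern so should grant readOnly access.
+{Statement{
+Actions: readOnlyBucketActions,
+Effect: "Allow",
+Principal: User{AWS: set.CreateStringSet("*")},
+Conditions: stringNotLikeWorldCondMap,
+Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+}, "hello", false, true, false},
+// Statement with StringNotLike condition for "world*" pattern with "world" prefix - prefix matches pattern so should not grant readOnly access.
+{Statement{
+Actions: readOnlyBucketActions,
+Effect: "Allow",
+Principal: User{AWS: set.CreateStringSet("*")},
+Conditions: stringNotLikeWorldCondMap,
+Resources: set.CreateStringSet("arn:aws:s3:::mybucket"),
+}, "world", false, false, false},
 }
 
 for _, testCase := range testCases {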
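Review bot: Every new case in the second hunk uses a pattern of the exact `<prefix>*` form, so the suite never pins what getBucketPolicy reports when a StringNotLike value is a broader wildcard than the queried prefix (for instance a `hel*` pattern with prefix `hello`), which is precisely the input where exact set membership and S3 pattern semantics diverge. One such case, and one with a `s3:prefix` set holding more than one pattern, would document the intended result either way and guard the over-reporting direction. TestGetBucketPolicy begins and ends outside the hunk.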
