From df5ff0f4006ee0a21269e139567fd5c425a4225f Mon Sep 17 00:00:00 2001
From: Maha Benzekri
Date: Mon, 30 Oct 2023 09:38:45 +0100
Subject: [PATCH] ARSN-362:fixups on impl deny policy tests

As the evaluateAllPolicies function is using the result of the standardEvaluateAllPolicies , the redundant tests are removed. The test that was kept is only to show that we use the result.verdict in old flow evaluation.
---
 tests/unit/policyEvaluator.spec.js | 113 +++-------------------------
 1 file changed, 10 insertions(+), 103 deletions(-)

diff --git a/tests/unit/policyEvaluator.spec.js b/tests/unit/policyEvaluator.spec.js
index 33477c886..91fa9ab2d 100644
--- a/tests/unit/policyEvaluator.spec.js
+++ b/tests/unit/policyEvaluator.spec.js
@@ -1418,40 +1418,6 @@ describe('policyEvaluator', () => { }); describe('evaluate multiple policies', () => { - it('should deny access if any policy results in a Deny', () => { - requestContext = new RequestContext({}, {}, - 'my_favorite_bucket', undefined, - undefined, undefined, 'bucketDelete', 's3'); - requestContext.setRequesterInfo({}); - const result = evaluateAllPolicies(requestContext, - [samples['arn:aws:iam::aws:policy/AmazonS3FullAccess'], - samples['Deny Bucket Policy']], log); - assert.strictEqual(result, 'Deny'); - }); - - it('should deny access if request action is not in any policy', () => { - requestContext = new RequestContext({}, {}, - 'notVeryPrivate', undefined, - undefined, undefined, 'bucketDelete', 's3'); - requestContext.setRequesterInfo({}); - const result = evaluateAllPolicies(requestContext, - [samples['Multi-Statement Policy'], - samples['Variable Bucket Policy']], log); - assert.strictEqual(result, 'Deny'); - }); - - it('should deny access if request resource is not in any policy', () => { - requestContext = new RequestContext({}, {}, - 'notbucket', undefined, - undefined, undefined, 'objectGet', 's3'); - requestContext.setRequesterInfo({}); - const result = evaluateAllPolicies(requestContext, [ - samples['Multi-Statement Policy'], - samples['Variable Bucket Policy'], - ], log); - assert.strictEqual(result, 'Deny'); - }); - it('should deny access if any policy results in a Deny', () => { requestContext = new RequestContext({}, {}, 'my_favorite_bucket', undefined, @@ -1548,7 +1514,7 @@ describe('policyEvaluator', () => { }, }; - const TestMatrixV2 = [ + const TestMatrix = [ { policiesToEvaluate: [], expectedPolicyEvaluation: { @@ -1605,6 +1571,13 @@ describe('policyEvaluator', () => { isImplicit: true, }, }, + { + policiesToEvaluate: ['Neutral', 'Deny'], + expectedPolicyEvaluation: { + verdict: 'Deny', + isImplicit: false, + }, + }, { policiesToEvaluate: ['Allow', 'Deny'], expectedPolicyEvaluation: { 
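Review bot: The new `['Neutral', 'Deny']` entry in the third hunk (@@ -1605) pins the explicit-deny outcome for that policy order only; the slice of the matrix visible here and the string matrix removed at @@ -1678 contain no case where the Deny policy is evaluated first, so unless the rest of the matrix already has them, add `{ policiesToEvaluate: ['Deny', 'Neutral'], ... }` and `{ policiesToEvaluate: ['Deny', 'Allow'], ... }` with `expectedPolicyEvaluation: { verdict: 'Deny', isImplicit: false }`. That is what shows that an explicit Deny is not overridden by a later Allow or Neutral, which is the property the policy evaluator has to hold regardless of the order policies are supplied in. The matrix literal starts and ends outside the hunk, so I cannot confirm from here whether those orderings are covered.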
@@ -1663,7 +1636,7 @@ describe('policyEvaluator', () => { }, ]; - TestMatrixV2.forEach(testCase => { + TestMatrix.forEach(testCase => { it(`policies evaluating individually to [${testCase.policiesToEvaluate.join(', ')}] ` + `should return ${testCase.expectedPolicyEvaluation}`, () => { requestContext = new RequestContext({}, {}, 
@@ -1678,72 +1651,6 @@ describe('policyEvaluator', () => { }); }); - const TestMatrix = [ - { - policiesToEvaluate: [], - expectedPolicyEvaluation: 'Deny', - }, - { - policiesToEvaluate: ['Allow'], - expectedPolicyEvaluation: 'Allow', - }, - { - policiesToEvaluate: ['Neutral'], - expectedPolicyEvaluation: 'Deny', - }, - { - policiesToEvaluate: ['Deny'], - expectedPolicyEvaluation: 'Deny', - }, - { - policiesToEvaluate: ['Allow', 'Allow'], - expectedPolicyEvaluation: 'Allow', - }, - { - policiesToEvaluate: ['Allow', 'Neutral'], - expectedPolicyEvaluation: 'Allow', - }, - { - policiesToEvaluate: ['Neutral', 'Allow'], - expectedPolicyEvaluation: 'Allow', - }, - { - policiesToEvaluate: ['Neutral', 'Neutral'], - expectedPolicyEvaluation: 'Deny', - }, - { - policiesToEvaluate: ['Allow', 'Deny'], - expectedPolicyEvaluation: 'Deny', - }, - { - policiesToEvaluate: ['AllowWithTagCondition'], - expectedPolicyEvaluation: 'NeedTagConditionEval', - }, - { - policiesToEvaluate: ['Allow', 'AllowWithTagCondition'], - expectedPolicyEvaluation: 'Allow', - }, - { - policiesToEvaluate: ['DenyWithTagCondition'], - expectedPolicyEvaluation: 'Deny', - }, - { - policiesToEvaluate: ['Allow', 'DenyWithTagCondition'], - expectedPolicyEvaluation: 'NeedTagConditionEval', - }, - { - policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition'], - expectedPolicyEvaluation: 'NeedTagConditionEval', - }, - { - policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition', 'Deny'], - expectedPolicyEvaluation: 'Deny', - }, - { - policiesToEvaluate: ['DenyWithTagCondition', 'AllowWithTagCondition', 'Allow'], - expectedPolicyEvaluation: 'NeedTagConditionEval', - }, - ]; TestMatrix.forEach(testCase => { it(`policies evaluating individually to [${testCase.policiesToEvaluate.join(', ')}] ` 
@@ -1756,7 +1663,7 @@ describe('policyEvaluator', () => { requestContext, testCase.policiesToEvaluate.map(policyName => TestMatrixPolicies[policyName]), log); - assert.strictEqual(result, testCase.expectedPolicyEvaluation); + assert.strictEqual(result, testCase.expectedPolicyEvaluation.verdict); }); }); });
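Review bot: The assertion now compares against `testCase.expectedPolicyEvaluation.verdict`, but the `it()` title of this loop, which sits just above the hunk and — judging by the identical loop visible at @@ -1663 — interpolates `${testCase.expectedPolicyEvaluation}`, now receives an object and will render every case as `should return [object Object]`, so a failure in the legacy-flow run can no longer be told apart by name. Change the title to interpolate `${testCase.expectedPolicyEvaluation.verdict}` here; the loop at @@ -1663 has the same template and the same problem (there `JSON.stringify(testCase.expectedPolicyEvaluation)` would also surface `isImplicit`). The enclosing forEach callback starts outside the hunk.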