if (r == Effect::Deny)
return -EACCES;
if (policy) {
- r = policy->eval(s->env, *s->auth.identity, rgw::IAM::s3ListBucket, ARN(bucket->get_key()));
+ ARN b_arn(bucket->get_key());
+ r = policy->eval(s->env, *s->auth.identity, rgw::IAM::s3ListBucket, b_arn);
if (r == Effect::Allow)
return -ENOENT;
if (r == Effect::Deny)
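Review bot: The new local on line 5 is named `b_arn`, while the equivalent locals this commit introduces for a bucket ARN elsewhere are named `bucket_arn` (the governance-bypass check and the multi-delete check); renaming it `ARN bucket_arn(bucket->get_key());` keeps the new names uniform and greppable. The enclosing function starts and ends outside the hunk.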
if (has_s3_existing_tag || has_s3_resource_tag)
rgw_iam_add_objtags(this, s, cs_object.get(), has_s3_existing_tag, has_s3_resource_tag);
auto usr_policy_res = Effect::Pass;
+ rgw::ARN obj_arn(cs_object->get_obj());
for (auto& user_policy : s->iam_user_policies) {
if (usr_policy_res = user_policy.eval(s->env, *s->auth.identity,
cs_object->get_instance().empty() ?
rgw::IAM::s3GetObject :
rgw::IAM::s3GetObjectVersion,
- rgw::ARN(cs_object->get_obj())); usr_policy_res == Effect::Deny)
+ obj_arn); usr_policy_res == Effect::Deny)
return -EACCES;
else if (usr_policy_res == Effect::Allow)
break;
}
rgw::IAM::Effect e = Effect::Pass;
if (policy) {
+ rgw::ARN obj_arn(cs_object->get_obj());
e = policy->eval(s->env, *s->auth.identity,
cs_object->get_instance().empty() ?
rgw::IAM::s3GetObject :
rgw::IAM::s3GetObjectVersion,
- rgw::ARN(cs_object->get_obj()));
+ obj_arn);
}
if (e == Effect::Deny) {
return -EACCES;
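Review bot: The `rgw::ARN obj_arn(cs_object->get_obj());` added inside `if (policy) {` on line 27 shadows the `obj_arn` declared before the user-policy loop on line 13, which, as far as the flattened indentation lets one read the scopes, is still live at that point; both are built from the same `cs_object->get_obj()`. Dropping the inner declaration and passing the outer `obj_arn` to `policy->eval` removes a `-Wshadow` hit and one redundant ARN construction. If the line-13 declaration is in fact in a narrower scope than this reading suggests, the inner one is needed and this is moot. The enclosing function starts and ends outside the hunk.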
rgw::IAM::Effect e = Effect::Pass;
rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
if (s->iam_policy) {
+ ARN obj_arn(s->object->get_obj());
e = s->iam_policy->eval(s->env, *s->auth.identity,
rgw::IAM::s3PutObject,
- s->object->get_obj(),
+ obj_arn,
princ_type);
}
if (e == Effect::Deny) {
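Review bot: The placement and spelling of the new object-ARN locals is inconsistent across this commit: here and in the next hunk `ARN obj_arn(s->object->get_obj());` is declared inside `if (s->iam_policy) {`, whereas the three later s3PutObject/s3AbortMultipartUpload hunks (ending at lines 156, 167 and 177) declare it before the `if`, and one of those writes `rgw::ARN` while the rest write `ARN`. Unless the local is reused after the `if` (for a session-policy evaluation that follows in other handlers), declaring it inside the branch as done here avoids building an ARN when there is no bucket policy; whichever placement is chosen should be the same at all five sites, with one spelling. The enclosing functions start and end outside these hunks.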
rgw::IAM::Effect e = Effect::Pass;
rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
if (s->iam_policy) {
+ ARN obj_arn(s->object->get_obj());
e = s->iam_policy->eval(s->env, *s->auth.identity,
rgw::IAM::s3PutObject,
- s->object->get_obj(),
+ obj_arn,
princ_type);
}
if (e == Effect::Deny) {
if (r == Effect::Deny) {
bypass_perm = false;
} else if (r == Effect::Pass && s->iam_policy) {
- r = s->iam_policy->eval(s->env, *s->auth.identity, rgw::IAM::s3BypassGovernanceRetention,
- ARN(s->bucket->get_key(), s->object->get_name()));
+ ARN obj_arn(ARN(s->bucket->get_key(), s->object->get_name()));
+ r = s->iam_policy->eval(s->env, *s->auth.identity, rgw::IAM::s3BypassGovernanceRetention, obj_arn);
if (r == Effect::Deny) {
bypass_perm = false;
}
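Review bot: `ARN obj_arn(ARN(s->bucket->get_key(), s->object->get_name()));` on line 64 wraps the constructor call in a second, redundant `ARN(...)` temporary that is then copied or moved into the local; the same pattern appears on line 71 in the next hunk. `ARN obj_arn(s->bucket->get_key(), s->object->get_name());` expresses the same thing directly and matches how the other sites in this commit build their locals. The enclosing function starts and ends outside the hunk.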
rgw::IAM::Effect r = Effect::Pass;
rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
+ ARN obj_arn(ARN(s->bucket->get_key(), s->object->get_name()));
if (s->iam_policy) {
r = s->iam_policy->eval(s->env, *s->auth.identity,
s->object->get_instance().empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
- ARN(s->bucket->get_key(), s->object->get_name()),
+ obj_arn,
princ_type);
}
if (r == Effect::Deny)
s->object->get_instance().empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
- ARN(s->bucket->get_key(), s->object->get_name()));
+ obj_arn);
if (session_policy_res == Effect::Deny) {
return -EACCES;
}
if (has_s3_existing_tag || has_s3_resource_tag)
rgw_iam_add_objtags(this, s, s->src_object.get(), has_s3_existing_tag, has_s3_resource_tag);
+ ARN obj_arn(s->src_object->get_obj());
auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
boost::none,
s->src_object->get_instance().empty() ?
rgw::IAM::s3GetObject :
rgw::IAM::s3GetObjectVersion,
- ARN(s->src_object->get_obj()));
+ obj_arn);
if (identity_policy_res == Effect::Deny) {
return -EACCES;
}
s->src_object->get_instance().empty() ?
rgw::IAM::s3GetObject :
rgw::IAM::s3GetObjectVersion,
- ARN(s->src_object->get_obj()),
+ obj_arn,
princ_type);
}
if (e == Effect::Deny) {
s->src_object->get_instance().empty() ?
rgw::IAM::s3GetObject :
rgw::IAM::s3GetObjectVersion,
- ARN(s->src_object->get_obj()));
+ obj_arn);
if (session_policy_res == Effect::Deny) {
return -EACCES;
}
rgw_add_to_iam_environment(s->env, "s3:x-amz-metadata-directive",
*md_directive);
+ ARN obj_arn(dest_object->get_obj());
auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies,
s->env, boost::none,
rgw::IAM::s3PutObject,
- ARN(dest_object->get_obj()));
+ obj_arn);
if (identity_policy_res == Effect::Deny) {
return -EACCES;
}
if (dest_iam_policy) {
e = dest_iam_policy->eval(s->env, *s->auth.identity,
rgw::IAM::s3PutObject,
- ARN(dest_object->get_obj()),
+ obj_arn,
princ_type);
}
if (e == Effect::Deny) {
return -EACCES;
}
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env, boost::none, rgw::IAM::s3PutObject, ARN(dest_object->get_obj()));
+ auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env, boost::none, rgw::IAM::s3PutObject, obj_arn);
if (session_policy_res == Effect::Deny) {
return false;
}
rgw::IAM::Effect e = Effect::Pass;
rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
+ ARN obj_arn(s->object->get_obj());
if (s->iam_policy) {
e = s->iam_policy->eval(s->env, *s->auth.identity,
rgw::IAM::s3PutObject,
- s->object->get_obj(),
+ obj_arn,
princ_type);
}
if (e == Effect::Deny) {
rgw::IAM::Effect e = Effect::Pass;
rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
+ rgw::ARN obj_arn(s->object->get_obj());
if (s->iam_policy) {
e = s->iam_policy->eval(s->env, *s->auth.identity,
rgw::IAM::s3PutObject,
- s->object->get_obj(),
+ obj_arn,
princ_type);
}
if (e == Effect::Deny) {
rgw::IAM::Effect e = Effect::Pass;
rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
+ ARN obj_arn(s->object->get_obj());
if (s->iam_policy) {
e = s->iam_policy->eval(s->env, *s->auth.identity,
rgw::IAM::s3AbortMultipartUpload,
- s->object->get_obj(), princ_type);
+ obj_arn, princ_type);
}
if (e == Effect::Deny) {
if (s->iam_policy || ! s->iam_user_policies.empty() || ! s->session_policies.empty()) {
if (s->bucket->get_info().obj_lock_enabled() && bypass_governance_mode) {
+ ARN bucket_arn(s->bucket->get_key());
auto r = eval_identity_or_session_policies(s->iam_user_policies, s->env, boost::none,
rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key()));
if (r == Effect::Deny) {
bypass_perm = false;
} else if (r == Effect::Pass && s->iam_policy) {
r = s->iam_policy->eval(s->env, *s->auth.identity, rgw::IAM::s3BypassGovernanceRetention,
- ARN(s->bucket->get_key()));
+ bucket_arn);
if (r == Effect::Deny) {
bypass_perm = false;
}
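Review bot: The new `ARN bucket_arn(s->bucket->get_key());` on line 180 is only used in the `s->iam_policy->eval` call on line 188, while the `eval_identity_or_session_policies` call on lines 181-182 still passes the temporary `ARN(s->bucket->get_key())` that the rest of this commit replaces with named locals. If the motivation is that the ARN parameter should no longer bind to a temporary, as the other hunks suggest, this call was missed; if the change is purely stylistic, it is still the one site in the function left inconsistent. Change line 182 to `rgw::IAM::s3BypassGovernanceRetention, bucket_arn);`. The enclosing function starts and ends outside the hunk.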
rgw::IAM::Effect r = Effect::Pass;
rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
+ rgw::ARN bucket_arn(s->bucket->get_key());
if (s->iam_policy) {
r = s->iam_policy->eval(s->env, *s->auth.identity,
not_versioned ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
- ARN(s->bucket->get_key()),
+ bucket_arn,
princ_type);
}
if (r == Effect::Deny)
rgw::IAM::Effect e = Effect::Pass;
rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
if (s->iam_policy) {
+ ARN obj_arn(obj->get_obj());
e = s->iam_policy->eval(s->env,
*s->auth.identity,
iter->instance.empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
- ARN(obj->get_obj()),
+ obj_arn,
princ_type);
}
if (e == Effect::Deny) {
}
rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
+ ARN obj_arn(obj);
auto e = policy->eval(s->env, *s->auth.identity,
- rgw::IAM::s3PutObject, obj, princ_type);
+ rgw::IAM::s3PutObject, obj_arn, princ_type);
if (e == Effect::Deny) {
return false;
}
bufferlist::static_from_string(example1));
Environment e;
- EXPECT_EQ(p.eval(e, none, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
+ ARN arn1(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket");
+ EXPECT_EQ(p.eval(e, none, s3ListBucket, arn1),
Effect::Allow);
- EXPECT_EQ(p.eval(e, none, s3PutBucketAcl,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
+ ARN arn2(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket");
+ EXPECT_EQ(p.eval(e, none, s3PutBucketAcl, arn2),
Effect::Pass);
- EXPECT_EQ(p.eval(e, none, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "erroneous_bucket")),
+ ARN arn3(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "erroneous_bucket");
+ EXPECT_EQ(p.eval(e, none, s3ListBucket, arn3),
Effect::Pass);
}
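Review bot: The test rewrite introduces a numbered local for every call even when consecutive calls evaluate the same resource: `arn1` and `arn2` here are both the `example_bucket` ARN, and in the last hunk (ending at line 636) the twenty locals `arn1`..`arn20` stand for only two distinct resources, `example_bucket` and `example_bucket/myobject`. Declaring each distinct ARN once with a descriptive name, e.g. `ARN bucket_arn(Partition::aws, Service::s3, "", arbitrary_tenant, "example_bucket");` and reusing it in the `EXPECT_EQ` calls, keeps the assertions short and makes the resource under test visible at the call site. The same applies to the hunks ending at lines 299, 407, 424, 448, 465 and 491. The enclosing TEST bodies start outside the hunks.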
auto notacct = FakeIdentity(
Principal::tenant("some-other-account"));
for (auto i = 0ULL; i < s3Count; ++i) {
- EXPECT_EQ(p.eval(e, trueacct, i,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket")),
+ ARN arn1(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "mybucket");
+ EXPECT_EQ(p.eval(e, trueacct, i, arn1),
Effect::Allow);
- EXPECT_EQ(p.eval(e, trueacct, i,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket/myobject")),
+ ARN arn2(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "mybucket/myobject");
+ EXPECT_EQ(p.eval(e, trueacct, i, arn2),
Effect::Allow);
-
- EXPECT_EQ(p.eval(e, notacct, i,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket")),
+ ARN arn3(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "mybucket");
+ EXPECT_EQ(p.eval(e, notacct, i, arn3),
Effect::Pass);
- EXPECT_EQ(p.eval(e, notacct, i,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket/myobject")),
+ ARN arn4(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "mybucket/myobject");
+ EXPECT_EQ(p.eval(e, notacct, i, arn4),
Effect::Pass);
-
- EXPECT_EQ(p.eval(e, trueacct, i,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "notyourbucket")),
+ ARN arn5(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "notyourbucket");
+ EXPECT_EQ(p.eval(e, trueacct, i, arn5),
Effect::Pass);
- EXPECT_EQ(p.eval(e, trueacct, i,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "notyourbucket/notyourobject")),
+ ARN arn6(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "notyourbucket/notyourobject");
+ EXPECT_EQ(p.eval(e, trueacct, i, arn6),
Effect::Pass);
}
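Review bot: The six `ARN arnN(...)` locals added inside `for (auto i = 0ULL; i < s3Count; ++i)` do not depend on `i`, so every iteration rebuilds them; the same holds for `arn3`..`arn14` in the `op` loop of the next hunk (ending at line 407), which are rebuilt for each action and of which `arn3`, `arn4` and `arn5` are the identical `confidential-data` ARN. Moving the declarations above the loop leaves the per-iteration body as just the `EXPECT_EQ` calls and reads as the loop invariant it is; the cost in a test is negligible, so this is a readability point. The `op` loop of the next hunk starts outside that hunk.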
s3allow[s3GetPublicAccessBlock] = 1;
s3allow[s3GetBucketEncryption] = 1;
- EXPECT_EQ(p.eval(em, none, s3PutBucketPolicy,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket")),
+ ARN arn1(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "mybucket");
+ EXPECT_EQ(p.eval(em, none, s3PutBucketPolicy, arn1),
Effect::Allow);
- EXPECT_EQ(p.eval(em, none, s3PutBucketPolicy,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket")),
+ ARN arn2(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "mybucket");
+ EXPECT_EQ(p.eval(em, none, s3PutBucketPolicy, arn2),
Effect::Allow);
if ((op == s3ListAllMyBuckets) || (op == s3PutBucketPolicy)) {
continue;
}
- EXPECT_EQ(p.eval(em, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "confidential-data")),
+ ARN arn3(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "confidential-data");
+ EXPECT_EQ(p.eval(em, none, op, arn3),
Effect::Pass);
- EXPECT_EQ(p.eval(tr, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "confidential-data")),
+ ARN arn4(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "confidential-data");
+ EXPECT_EQ(p.eval(tr, none, op, arn4),
s3allow[op] ? Effect::Allow : Effect::Pass);
- EXPECT_EQ(p.eval(fa, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "confidential-data")),
+ ARN arn5(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "confidential-data");
+ EXPECT_EQ(p.eval(fa, none, op, arn5),
Effect::Pass);
-
- EXPECT_EQ(p.eval(em, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "confidential-data/moo")),
+ ARN arn6(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "confidential-data/moo");
+ EXPECT_EQ(p.eval(em, none, op, arn6),
Effect::Pass);
- EXPECT_EQ(p.eval(tr, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "confidential-data/moo")),
+ ARN arn7(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "confidential-data/moo");
+ EXPECT_EQ(p.eval(tr, none, op, arn7),
s3allow[op] ? Effect::Allow : Effect::Pass);
- EXPECT_EQ(p.eval(fa, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "confidential-data/moo")),
+ ARN arn8(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "confidential-data/moo");
+ EXPECT_EQ(p.eval(fa, none, op, arn8),
Effect::Pass);
-
- EXPECT_EQ(p.eval(em, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "really-confidential-data")),
+ ARN arn9(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "really-confidential-data");
+ EXPECT_EQ(p.eval(em, none, op, arn9),
Effect::Pass);
- EXPECT_EQ(p.eval(tr, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "really-confidential-data")),
+ ARN arn10(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "really-confidential-data");
+ EXPECT_EQ(p.eval(tr, none, op, arn10),
Effect::Pass);
- EXPECT_EQ(p.eval(fa, none, op,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "really-confidential-data")),
+ ARN arn11(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "really-confidential-data");
+ EXPECT_EQ(p.eval(fa, none, op, arn11),
Effect::Pass);
-
- EXPECT_EQ(p.eval(em, none, op,
- ARN(Partition::aws, Service::s3,
+ ARN arn12(Partition::aws, Service::s3,
"", arbitrary_tenant,
- "really-confidential-data/moo")), Effect::Pass);
- EXPECT_EQ(p.eval(tr, none, op,
- ARN(Partition::aws, Service::s3,
+ "really-confidential-data/moo");
+ EXPECT_EQ(p.eval(em, none, op, arn12), Effect::Pass);
+ ARN arn13(Partition::aws, Service::s3,
"", arbitrary_tenant,
- "really-confidential-data/moo")), Effect::Pass);
- EXPECT_EQ(p.eval(fa, none, op,
- ARN(Partition::aws, Service::s3,
+ "really-confidential-data/moo");
+ EXPECT_EQ(p.eval(tr, none, op, arn13), Effect::Pass);
+ ARN arn14(Partition::aws, Service::s3,
"", arbitrary_tenant,
- "really-confidential-data/moo")), Effect::Pass);
+ "really-confidential-data/moo");
+ EXPECT_EQ(p.eval(fa, none, op, arn14), Effect::Pass);
}
}
bufferlist::static_from_string(example4));
Environment e;
- EXPECT_EQ(p.eval(e, none, iamCreateRole,
- ARN(Partition::aws, Service::iam,
- "", arbitrary_tenant, "role/example_role")),
+ ARN arn1(Partition::aws, Service::iam,
+ "", arbitrary_tenant, "role/example_role");
+ EXPECT_EQ(p.eval(e, none, iamCreateRole, arn1),
Effect::Allow);
- EXPECT_EQ(p.eval(e, none, iamDeleteRole,
- ARN(Partition::aws, Service::iam,
- "", arbitrary_tenant, "role/example_role")),
+ ARN arn2(Partition::aws, Service::iam,
+ "", arbitrary_tenant, "role/example_role");
+ EXPECT_EQ(p.eval(e, none, iamDeleteRole, arn2),
Effect::Pass);
}
bufferlist::static_from_string(example5));
Environment e;
- EXPECT_EQ(p.eval(e, none, iamCreateRole,
- ARN(Partition::aws, Service::iam,
- "", arbitrary_tenant, "role/example_role")),
+ ARN arn1(Partition::aws, Service::iam,
+ "", arbitrary_tenant, "role/example_role");
+ EXPECT_EQ(p.eval(e, none, iamCreateRole, arn1),
Effect::Allow);
- EXPECT_EQ(p.eval(e, none, s3ListBucket,
- ARN(Partition::aws, Service::iam,
- "", arbitrary_tenant, "role/example_role")),
+ ARN arn2(Partition::aws, Service::iam,
+ "", arbitrary_tenant, "role/example_role");
+ EXPECT_EQ(p.eval(e, none, s3ListBucket, arn2),
Effect::Pass);
- EXPECT_EQ(p.eval(e, none, iamCreateRole,
- ARN(Partition::aws, Service::iam,
- "", "", "role/example_role")),
+ ARN arn3(Partition::aws, Service::iam,
+ "", "", "role/example_role");
+ EXPECT_EQ(p.eval(e, none, iamCreateRole, arn3),
Effect::Pass);
}
bufferlist::static_from_string(example6));
Environment e;
- EXPECT_EQ(p.eval(e, none, iamCreateRole,
- ARN(Partition::aws, Service::iam,
- "", arbitrary_tenant, "user/A")),
+ ARN arn1(Partition::aws, Service::iam,
+ "", arbitrary_tenant, "user/A");
+ EXPECT_EQ(p.eval(e, none, iamCreateRole, arn1),
Effect::Allow);
- EXPECT_EQ(p.eval(e, none, s3ListBucket,
- ARN(Partition::aws, Service::iam,
- "", arbitrary_tenant, "user/A")),
+ ARN arn2(Partition::aws, Service::iam,
+ "", arbitrary_tenant, "user/A");
+ EXPECT_EQ(p.eval(e, none, s3ListBucket, arn2),
Effect::Allow);
}
auto sub2acct = FakeIdentity(
Principal::user(std::move(""), "A:sub2A"));
- EXPECT_EQ(p.eval(e, subacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket/*")),
+ ARN arn1(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "mybucket/*");
+ EXPECT_EQ(p.eval(e, subacct, s3ListBucket, arn1),
Effect::Allow);
- EXPECT_EQ(p.eval(e, parentacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket/*")),
+ ARN arn2(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "mybucket/*");
+ EXPECT_EQ(p.eval(e, parentacct, s3ListBucket, arn2),
Effect::Pass);
-
- EXPECT_EQ(p.eval(e, sub2acct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "mybucket/*")),
+
+ ARN arn3(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "mybucket/*");
+ EXPECT_EQ(p.eval(e, sub2acct, s3ListBucket, arn3),
Effect::Pass);
}
auto trueacct = FakeIdentity(
Principal::tenant("ACCOUNT-ID-WITHOUT-HYPHENS"));
// Without an IP address in the environment then evaluation will always pass
- EXPECT_EQ(allowp.eval(e, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
+ ARN arn1(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket");
+ EXPECT_EQ(allowp.eval(e, trueacct, s3ListBucket, arn1),
Effect::Pass);
- EXPECT_EQ(fullp.eval(e, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket/myobject")),
+ ARN arn2(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket/myobject");
+ EXPECT_EQ(fullp.eval(e, trueacct, s3ListBucket, arn2),
Effect::Pass);
- EXPECT_EQ(allowp.eval(allowedIP, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
+ ARN arn3(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket");
+ EXPECT_EQ(allowp.eval(allowedIP, trueacct, s3ListBucket, arn3),
Effect::Allow);
- EXPECT_EQ(allowp.eval(blocklistedIPv6, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
+ ARN arn4(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket");
+ EXPECT_EQ(allowp.eval(blocklistedIPv6, trueacct, s3ListBucket, arn4),
Effect::Pass);
-
- EXPECT_EQ(denyp.eval(allowedIP, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
+ ARN arn5(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket");
+ EXPECT_EQ(denyp.eval(allowedIP, trueacct, s3ListBucket, arn5),
Effect::Deny);
- EXPECT_EQ(denyp.eval(allowedIP, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket/myobject")),
+ ARN arn6(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket/myobject");
+ EXPECT_EQ(denyp.eval(allowedIP, trueacct, s3ListBucket, arn6),
Effect::Deny);
- EXPECT_EQ(denyp.eval(blocklistedIP, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
+ ARN arn7(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket");
+ EXPECT_EQ(denyp.eval(blocklistedIP, trueacct, s3ListBucket, arn7),
Effect::Pass);
- EXPECT_EQ(denyp.eval(blocklistedIP, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket/myobject")),
+ ARN arn8(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket/myobject");
+ EXPECT_EQ(denyp.eval(blocklistedIP, trueacct, s3ListBucket, arn8),
Effect::Pass);
- EXPECT_EQ(denyp.eval(blocklistedIPv6, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
+ ARN arn9(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket");
+ EXPECT_EQ(denyp.eval(blocklistedIPv6, trueacct, s3ListBucket, arn9),
Effect::Pass);
- EXPECT_EQ(denyp.eval(blocklistedIPv6, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket/myobject")),
+ ARN arn10(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket/myobject");
+ EXPECT_EQ(denyp.eval(blocklistedIPv6, trueacct, s3ListBucket, arn10),
Effect::Pass);
- EXPECT_EQ(denyp.eval(allowedIPv6, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
+ ARN arn11(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket");
+ EXPECT_EQ(denyp.eval(allowedIPv6, trueacct, s3ListBucket, arn11),
Effect::Deny);
- EXPECT_EQ(denyp.eval(allowedIPv6, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket/myobject")),
+ ARN arn12(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket/myobject");
+ EXPECT_EQ(denyp.eval(allowedIPv6, trueacct, s3ListBucket, arn12),
Effect::Deny);
- EXPECT_EQ(fullp.eval(allowedIP, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
+ ARN arn13(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket");
+ EXPECT_EQ(fullp.eval(allowedIP, trueacct, s3ListBucket, arn13),
Effect::Allow);
- EXPECT_EQ(fullp.eval(allowedIP, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket/myobject")),
+ ARN arn14(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket/myobject");
+ EXPECT_EQ(fullp.eval(allowedIP, trueacct, s3ListBucket, arn14),
Effect::Allow);
- EXPECT_EQ(fullp.eval(blocklistedIP, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
+ ARN arn15(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket");
+ EXPECT_EQ(fullp.eval(blocklistedIP, trueacct, s3ListBucket, arn15),
Effect::Pass);
- EXPECT_EQ(fullp.eval(blocklistedIP, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket/myobject")),
+ ARN arn16(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket/myobject");
+ EXPECT_EQ(fullp.eval(blocklistedIP, trueacct, s3ListBucket, arn16),
Effect::Pass);
- EXPECT_EQ(fullp.eval(allowedIPv6, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
+ ARN arn17(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket");
+ EXPECT_EQ(fullp.eval(allowedIPv6, trueacct, s3ListBucket, arn17),
Effect::Allow);
- EXPECT_EQ(fullp.eval(allowedIPv6, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket/myobject")),
+ ARN arn18(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket/myobject");
+ EXPECT_EQ(fullp.eval(allowedIPv6, trueacct, s3ListBucket, arn18),
Effect::Allow);
- EXPECT_EQ(fullp.eval(blocklistedIPv6, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket")),
+ ARN arn19(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket");
+ EXPECT_EQ(fullp.eval(blocklistedIPv6, trueacct, s3ListBucket, arn19),
Effect::Pass);
- EXPECT_EQ(fullp.eval(blocklistedIPv6, trueacct, s3ListBucket,
- ARN(Partition::aws, Service::s3,
- "", arbitrary_tenant, "example_bucket/myobject")),
+ ARN arn20(Partition::aws, Service::s3,
+ "", arbitrary_tenant, "example_bucket/myobject");
+ EXPECT_EQ(fullp.eval(blocklistedIPv6, trueacct, s3ListBucket, arn20),
Effect::Pass);
}