From: Pritha Srivastava
Date: Thu, 24 May 2018 06:51:18 +0000 (+0530)
Subject: rgw: Adding unittests for User policies.
X-Git-Tag: v14.0.1~335^2~1
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=e118195da8f0cda37cfd215bc8e32e116897954f;p=ceph-ci.git

rgw: Adding unittests for User policies.

Signed-off-by: Pritha Srivastava
---

diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index ceb83104d62..ada2c1f969f 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -826,7 +826,7 @@ bool ParseState::do_string(CephContext* cct, const char* s, size_t l) {
 if (*s == '*') {
 is_validaction = true;
 (w->id == TokenID::Action ?
- t->action = iamAllValue : t->notaction = iamAllValue);
+ t->action = allValue : t->notaction = allValue);
 } else {
 for (auto& p : actpairs) {
 if (match_policy({s, l}, p.name, MATCH_POLICY_ACTION)) {
@@ -839,6 +839,12 @@ bool ParseState::do_string(CephContext* cct, const char* s, size_t l) {
 if ((t->notaction & s3AllValue) == s3AllValue) {
 t->notaction[s3All] = 1;
 }
+ if ((t->action & iamAllValue) == iamAllValue) {
+ t->action[iamAll] = 1;
+ }
+ if ((t->notaction & iamAllValue) == iamAllValue) {
+ t->notaction[iamAll] = 1;
+ }
 }
 }
 } else if (w->id == TokenID::Resource || w->id == TokenID::NotResource) {
diff --git a/src/rgw/rgw_iam_policy.h b/src/rgw/rgw_iam_policy.h
index 759b5f08402..38e2726a234 100644
--- a/src/rgw/rgw_iam_policy.h
+++ b/src/rgw/rgw_iam_policy.h
@@ -102,7 +102,6 @@ static constexpr std::uint64_t iamPutUserPolicy = 55;
 static constexpr std::uint64_t iamGetUserPolicy = 56;
 static constexpr std::uint64_t iamDeleteUserPolicy = 57;
 static constexpr std::uint64_t iamListUserPolicies = 58;
-
 static constexpr std::uint64_t iamCreateRole = 59;
 static constexpr std::uint64_t iamDeleteRole = 60;
 static constexpr std::uint64_t iamModifyRole = 61;
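Review bot: The two new iamAllValue checks, like the s3AllValue ones directly above them, sit inside the `if (match_policy(...))` branch of the `for (auto& p : actpairs)` loop, judging from the three closing braces that follow, so they are re-evaluated for every matching action pair even though the bits only ever accumulate; running them once after the loop would be equivalent and cheaper. The four stanzas are also the same three lines with different operands, and a small helper such as `auto promote = [](Action_t& a, const Action_t& all, std::uint64_t bit) { if ((a & all) == all) a[bit] = 1; };` called as `promote(t->action, iamAllValue, iamAll);` would keep the aggregate-bit rule in one place. do_string begins and continues outside the hunk.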
@@ -112,17 +111,19 @@ static constexpr std::uint64_t iamPutRolePolicy = 64;
 static constexpr std::uint64_t iamGetRolePolicy = 65;
 static constexpr std::uint64_t iamListRolePolicies = 66;
 static constexpr std::uint64_t iamDeleteRolePolicy = 67;
+static constexpr std::uint64_t iamAll = 68;
 static constexpr std::uint64_t s3Count = s3DeleteObjectVersionTagging + 1;
-static constexpr std::uint64_t allCount = iamDeleteRolePolicy + 1;
+static constexpr std::uint64_t allCount = iamAll + 1;
 using Action_t = bitset;
 using NotAction_t = Action_t;
 static const Action_t None(0);
 static const Action_t s3AllValue("111111111111111111111111111111111111111111111111111111");
-//Modify iamAllValue if more IAM actions are added
-static const Action_t iamAllValue("11111111111111111111111111111111111111111111111111111111111111111111");
+static const Action_t iamAllValue("11111111111110000000000000000000000000000000000000000000000000000000");
+//Modify allValue if more Actions are added
+static const Action_t allValue("111111111111111111111111111111111111111111111111111111111111111111111");
 namespace {
 inline int op_to_perm(std::uint64_t op) {
diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
index 9b553da4fbb..b5b1d5f8401 100644
--- a/src/test/rgw/test_rgw_iam_policy.cc
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -81,6 +81,9 @@ using rgw::IAM::TokenID;
 using rgw::IAM::Version;
 using rgw::IAM::Action_t;
 using rgw::IAM::NotAction_t;
+using rgw::IAM::iamCreateRole;
+using rgw::IAM::iamDeleteRole;
+using rgw::IAM::iamAll;
 class FakeIdentity : public Identity {
 const Principal id;
@@ -126,6 +129,9 @@ protected:
 static string example1;
 static string example2;
 static string example3;
+ static string example4;
+ static string example5;
+ static string example6;
 public:
 PolicyTest() {
 cct = new CephContext(CEPH_ENTITY_TYPE_CLIENT);
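Review bot: iamAllValue and allValue remain hand-counted bit-string literals (13 ones followed by 55 zeros, and 69 ones, if I count correctly) whose meaning depends on allCount and on iamPutUserPolicy..iamDeleteRolePolicy staying at indices 55..67; because these masks decide when the iamAll aggregate bit is set and what `"Action": "*"` grants, an off-by-one in the literal changes authorization silently rather than failing to compile. Deriving the masks from the index constants removes the counting and makes the `//Modify allValue if more Actions are added` comment unnecessary. The sketch below assumes s3DeleteObjectVersionTagging is the last S3 index and iamPutUserPolicy the first IAM index, which this hunk does not show, so adjust the bounds if another constant sits at either boundary.
```cpp
// … unchanged: action index constants through iamAll, s3Count, allCount, Action_t …
static const Action_t None(0);
// Mask with every action index in [lo, hi] set; built from the index
// constants so it cannot drift from them when an action is added.
inline Action_t action_range(std::uint64_t lo, std::uint64_t hi) {
  Action_t mask;
  for (auto i = lo; i <= hi; ++i) {
    mask[i] = 1;
  }
  return mask;
}
static const Action_t s3AllValue = action_range(0, s3DeleteObjectVersionTagging);
static const Action_t iamAllValue = action_range(iamPutUserPolicy, iamDeleteRolePolicy);
static const Action_t allValue = action_range(0, iamAll);
// … unchanged: namespace { inline int op_to_perm … …
```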
@@ -484,6 +490,152 @@ TEST_F(PolicyTest, Eval3) {
 }
 }
+TEST_F(PolicyTest, Parse4) {
+ boost::optional p;
+
+ ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
+ bufferlist::static_from_string(example4)));
+ ASSERT_TRUE(p);
+
+ EXPECT_EQ(p->text, example4);
+ EXPECT_EQ(p->version, Version::v2012_10_17);
+ EXPECT_FALSE(p->id);
+ EXPECT_FALSE(p->statements[0].sid);
+ EXPECT_FALSE(p->statements.empty());
+ EXPECT_EQ(p->statements.size(), 1U);
+ EXPECT_TRUE(p->statements[0].princ.empty());
+ EXPECT_TRUE(p->statements[0].noprinc.empty());
+ EXPECT_EQ(p->statements[0].effect, Effect::Allow);
+ Action_t act;
+ act[iamCreateRole] = 1;
+ EXPECT_EQ(p->statements[0].action, act);
+ EXPECT_EQ(p->statements[0].notaction, None);
+ ASSERT_FALSE(p->statements[0].resource.empty());
+ ASSERT_EQ(p->statements[0].resource.size(), 1U);
+ EXPECT_EQ(p->statements[0].resource.begin()->partition, Partition::wildcard);
+ EXPECT_EQ(p->statements[0].resource.begin()->service, Service::wildcard);
+ EXPECT_EQ(p->statements[0].resource.begin()->region, "*");
+ EXPECT_EQ(p->statements[0].resource.begin()->account, arbitrary_tenant);
+ EXPECT_EQ(p->statements[0].resource.begin()->resource, "*");
+ EXPECT_TRUE(p->statements[0].notresource.empty());
+ EXPECT_TRUE(p->statements[0].conditions.empty());
+}
+
+TEST_F(PolicyTest, Eval4) {
+ auto p = Policy(cct.get(), arbitrary_tenant,
+ bufferlist::static_from_string(example4));
+ Environment e;
+
+ EXPECT_EQ(p.eval(e, none, iamCreateRole,
+ ARN(Partition::aws, Service::iam,
+ "", arbitrary_tenant, "role/example_role")),
+ Effect::Allow);
+
+ EXPECT_EQ(p.eval(e, none, iamDeleteRole,
+ ARN(Partition::aws, Service::iam,
+ "", arbitrary_tenant, "role/example_role")),
+ Effect::Pass);
+}
+
+TEST_F(PolicyTest, Parse5) {
+ boost::optional p;
+
+ ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
+ bufferlist::static_from_string(example5)));
+ ASSERT_TRUE(p);
+ EXPECT_EQ(p->text, example5);
+ EXPECT_EQ(p->version, Version::v2012_10_17);
+ EXPECT_FALSE(p->id);
+ EXPECT_FALSE(p->statements[0].sid);
+ EXPECT_FALSE(p->statements.empty());
+ EXPECT_EQ(p->statements.size(), 1U);
+ EXPECT_TRUE(p->statements[0].princ.empty());
+ EXPECT_TRUE(p->statements[0].noprinc.empty());
+ EXPECT_EQ(p->statements[0].effect, Effect::Allow);
+ Action_t act;
+ for (auto i = s3All+1; i <= iamAll; i++)
+ act[i] = 1;
+ EXPECT_EQ(p->statements[0].action, act);
+ EXPECT_EQ(p->statements[0].notaction, None);
+ ASSERT_FALSE(p->statements[0].resource.empty());
+ ASSERT_EQ(p->statements[0].resource.size(), 1U);
+ EXPECT_EQ(p->statements[0].resource.begin()->partition, Partition::aws);
+ EXPECT_EQ(p->statements[0].resource.begin()->service, Service::iam);
+ EXPECT_EQ(p->statements[0].resource.begin()->region, "");
+ EXPECT_EQ(p->statements[0].resource.begin()->account, arbitrary_tenant);
+ EXPECT_EQ(p->statements[0].resource.begin()->resource, "role/example_role");
+ EXPECT_TRUE(p->statements[0].notresource.empty());
+ EXPECT_TRUE(p->statements[0].conditions.empty());
+}
+
+TEST_F(PolicyTest, Eval5) {
+ auto p = Policy(cct.get(), arbitrary_tenant,
+ bufferlist::static_from_string(example5));
+ Environment e;
+
+ EXPECT_EQ(p.eval(e, none, iamCreateRole,
+ ARN(Partition::aws, Service::iam,
+ "", arbitrary_tenant, "role/example_role")),
+ Effect::Allow);
+
+ EXPECT_EQ(p.eval(e, none, s3ListBucket,
+ ARN(Partition::aws, Service::iam,
+ "", arbitrary_tenant, "role/example_role")),
+ Effect::Pass);
+
+ EXPECT_EQ(p.eval(e, none, iamCreateRole,
+ ARN(Partition::aws, Service::iam,
+ "", "", "role/example_role")),
+ Effect::Pass);
+}
+
+TEST_F(PolicyTest, Parse6) {
+ boost::optional p;
+
+ ASSERT_NO_THROW(p = Policy(cct.get(), arbitrary_tenant,
+ bufferlist::static_from_string(example6)));
+ ASSERT_TRUE(p);
+ EXPECT_EQ(p->text, example6);
+ EXPECT_EQ(p->version, Version::v2012_10_17);
+ EXPECT_FALSE(p->id);
+ EXPECT_FALSE(p->statements[0].sid);
+ EXPECT_FALSE(p->statements.empty());
+ EXPECT_EQ(p->statements.size(), 1U);
+ EXPECT_TRUE(p->statements[0].princ.empty());
+ EXPECT_TRUE(p->statements[0].noprinc.empty());
+ EXPECT_EQ(p->statements[0].effect, Effect::Allow);
+ Action_t act;
+ for (auto i = 0U; i <= iamAll; i++)
+ act[i] = 1;
+ EXPECT_EQ(p->statements[0].action, act);
+ EXPECT_EQ(p->statements[0].notaction, None);
+ ASSERT_FALSE(p->statements[0].resource.empty());
+ ASSERT_EQ(p->statements[0].resource.size(), 1U);
+ EXPECT_EQ(p->statements[0].resource.begin()->partition, Partition::aws);
+ EXPECT_EQ(p->statements[0].resource.begin()->service, Service::iam);
+ EXPECT_EQ(p->statements[0].resource.begin()->region, "");
+ EXPECT_EQ(p->statements[0].resource.begin()->account, arbitrary_tenant);
+ EXPECT_EQ(p->statements[0].resource.begin()->resource, "user/A");
+ EXPECT_TRUE(p->statements[0].notresource.empty());
+ EXPECT_TRUE(p->statements[0].conditions.empty());
+}
+
+TEST_F(PolicyTest, Eval6) {
+ auto p = Policy(cct.get(), arbitrary_tenant,
+ bufferlist::static_from_string(example6));
+ Environment e;
+
+ EXPECT_EQ(p.eval(e, none, iamCreateRole,
+ ARN(Partition::aws, Service::iam,
+ "", arbitrary_tenant, "user/A")),
+ Effect::Allow);
+
+ EXPECT_EQ(p.eval(e, none, s3ListBucket,
+ ARN(Partition::aws, Service::iam,
+ "", arbitrary_tenant, "user/A")),
+ Effect::Allow);
+}
+
 const string PolicyTest::arbitrary_tenant = "arbitrary_tenant";
 string PolicyTest::example1 = R"(
 {
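Review bot: Parse4, Parse5 and Parse6 read `p->statements[0].sid` before `EXPECT_FALSE(p->statements.empty())` and `EXPECT_EQ(p->statements.size(), 1U)`, so a parse that yields no statements indexes an empty vector instead of failing the test cleanly; move the size checks ahead of the first `[0]` use and make them `ASSERT_FALSE(p->statements.empty());` / `ASSERT_EQ(p->statements.size(), 1U);` so the later expectations are skipped rather than executed on a missing element. Eval6 checks only two Allow outcomes for the `"Action": "*"` policy; a third eval against a resource the statement does not name, e.g. `ARN(Partition::aws, Service::iam, "", arbitrary_tenant, "user/B")` (constructed value) expecting `Effect::Pass`, would show that the wildcard action stays scoped to `user/A` the way Eval4 and Eval5 do for their negative cases. Parse5 and Eval5/Eval6 also use `s3All` and `s3ListBucket` without `using` declarations added in this commit, which presumably already exist above the hunk — worth confirming.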
@@ -546,6 +698,38 @@ string PolicyTest::example3 = R"(
 }
 )";
+string PolicyTest::example4 = R"(
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "iam:CreateRole",
+ "Resource": "*"
+ }
+}
+)";
+
+string PolicyTest::example5 = R"(
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "iam:*",
+ "Resource": "arn:aws:iam:::role/example_role"
+ }
+}
+)";
+
+string PolicyTest::example6 = R"(
+{
+ "Version": "2012-10-17",
+ "Statement": {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "arn:aws:iam:::user/A"
+ }
+}
+)";
 class IPPolicyTest : public ::testing::Test {
 protected:
 intrusive_ptr cct;