fix: fix issue where root ARN gets rejected by partition validation (#…
mayitbeegh authored Aug 13, 2020
1 parent b9132e2 commit 4a21e36
Showing 3 changed files with 39 additions and 5 deletions.
Expand Up @@ -174,8 +174,18 @@ public String stripOutDescription(final String principalArn) {
* @throws ApiException Throws an exception if the partition of the IAM principal isn't enabled
*/
public void iamPrincipalPartitionCheck(String iamPrincipalArn) {
getNamedGroupFromRegexPattern(
DomainConstants.IAM_PRINCIPAL_ARN_PATTERN_ALLOWED, "partition", iamPrincipalArn);
final Matcher iamRoleArnMatcher =
DomainConstants.IAM_PRINCIPAL_ARN_PATTERN_ALLOWED.matcher(iamPrincipalArn);

if (iamRoleArnMatcher.find()) {
partitionCheck(iamRoleArnMatcher.group("partition"));
} else {
final Matcher iamRootArnMatcher =
DomainConstants.AWS_ACCOUNT_ROOT_ARN_PATTERN.matcher(iamPrincipalArn);
if (iamRootArnMatcher.find()) {
partitionCheck(iamRootArnMatcher.group("partition"));
}
}
}

private String getNamedGroupFromRegexPattern(
Expand All @@ -194,11 +204,19 @@ private String getNamedGroupFromRegexPattern(
}

private void partitionCheck(String partition) {
if (DomainConstants.AWS_GLOBAL_PARTITION_NAME.equals(partition) && !awsGlobalEnabled) {
if (isAwsGlobalPartition((partition)) && !awsGlobalEnabled) {
throw ApiException.newBuilder().withApiErrors(DefaultApiError.AWS_GLOBAL_NOT_ALLOWED).build();
}
if (DomainConstants.AWS_CHINA_PARTITION_NAME.equals(partition) && !awsChinaEnabled) {
if (isAwsChinaPartition(partition) && !awsChinaEnabled) {
throw ApiException.newBuilder().withApiErrors(DefaultApiError.AWS_CHINA_NOT_ALLOWED).build();
}
}

private boolean isAwsChinaPartition(String partition) {
return DomainConstants.AWS_CHINA_PARTITION_NAME.equals(partition);
}

private boolean isAwsGlobalPartition(String partition) {
return DomainConstants.AWS_GLOBAL_PARTITION_NAME.equals(partition);
}
}
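Review bot: When an input matches neither `IAM_PRINCIPAL_ARN_PATTERN_ALLOWED` nor `AWS_ACCOUNT_ROOT_ARN_PATTERN`, the rewritten `iamPrincipalPartitionCheck` returns normally without ever calling `partitionCheck`, so the partition policy is only enforced for recognised ARN shapes; the removed `getNamedGroupFromRegexPattern` call (its body lies outside this hunk) may previously have rejected such input, so this is a behaviour change the commit message does not mention. If callers are expected to have validated the ARN form before reaching this method, the Javadoc at the top of the hunk should say so; otherwise the inner `if` needs an `else` that rejects the input, e.g. `} else { throw ApiException.newBuilder().withApiErrors(<DefaultApiError value used for malformed principal ARNs>).build(); }`. Both matchers use `find()` rather than `matches()`, which only checks the partition of the first substring match unless the patterns in `DomainConstants` are anchored — worth confirming. Minor style point in the second hunk: `isAwsGlobalPartition((partition))` carries a redundant pair of parentheses.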
Expand Up @@ -333,15 +333,31 @@ public void test_isAccountRootArn() {
"arn:aws:sts::0000000000:federated-user/foobaz"));
}

@Test
public void test_root_arn_passes_partition_check() {
awsGlobalIamRoleArnParser.iamPrincipalPartitionCheck("arn:aws:iam::0000000000:root");
awsChinaIamRoleArnParser.iamPrincipalPartitionCheck("arn:aws-cn:iam::0000000000:root");
}

@Test(expected = RuntimeException.class)
public void iamPrincipalPartitionCheck_fails_on_disabled_aws_china_partition() {
awsGlobalIamRoleArnParser.iamPrincipalPartitionCheck(
"arn:aws-cn:iam::1111111111:role/lamb_dev_health");
}

@Test(expected = RuntimeException.class)
public void iamPrincipalPartitionCheck_fails_on_root_arn_with_disabled_aws_china_partition() {
awsGlobalIamRoleArnParser.iamPrincipalPartitionCheck("arn:aws-cn:iam::1111111111:root");
}

@Test(expected = RuntimeException.class)
public void iamPrincipalPartitionCheck_fails_on_disabled_aws_global_partition() {
awsChinaIamRoleArnParser.iamPrincipalPartitionCheck(
"arn:aws:iam::1111111111:role/lamb_dev_health");
}

@Test(expected = RuntimeException.class)
public void iamPrincipalPartitionCheck_fails_on_root_arn_with_disabled_aws_global_partition() {
awsChinaIamRoleArnParser.iamPrincipalPartitionCheck("arn:aws:iam::1111111111:root");
}
}
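Review bot: The four negative tests expect `RuntimeException.class`, which any unchecked failure (a `NullPointerException` from an unset fixture field, for instance) would also satisfy; since `partitionCheck` throws `ApiException` from a method with no `throws` clause, the tests can pin the real contract with `@Test(expected = ApiException.class)`, or better, catch it and assert on the `DefaultApiError` it carries. There is also no test for an ARN that matches neither the IAM-principal pattern nor the root pattern, which is exactly the branch where the new `iamPrincipalPartitionCheck` returns without calling `partitionCheck`; a test that either expects rejection or documents the pass-through would make the intended behaviour explicit. The fixture fields `awsGlobalIamRoleArnParser` and `awsChinaIamRoleArnParser` are set up outside this hunk, so which partitions each is configured with is inferred from the test names only.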
2 changes: 1 addition & 1 deletion gradle.properties
Expand Up @@ -14,6 +14,6 @@
# limitations under the License.
#

version=4.7.0
version=4.7.1
group=com.nike.cerberus
springBootVersion=2.3.2.RELEASE
