diff --git a/cerberus-web/src/main/java/com/nike/cerberus/util/AwsIamRoleArnParser.java b/cerberus-web/src/main/java/com/nike/cerberus/util/AwsIamRoleArnParser.java
index 06dbfddcd..3dc5244c3 100644
--- a/cerberus-web/src/main/java/com/nike/cerberus/util/AwsIamRoleArnParser.java
+++ b/cerberus-web/src/main/java/com/nike/cerberus/util/AwsIamRoleArnParser.java
@@ -174,8 +174,18 @@ public String stripOutDescription(final String principalArn) {
 * @throws ApiException Throws an exception if the partition of the IAM principal isn't enabled
 */
 public void iamPrincipalPartitionCheck(String iamPrincipalArn) {
- getNamedGroupFromRegexPattern(
- DomainConstants.IAM_PRINCIPAL_ARN_PATTERN_ALLOWED, "partition", iamPrincipalArn);
+ final Matcher iamRoleArnMatcher =
+ DomainConstants.IAM_PRINCIPAL_ARN_PATTERN_ALLOWED.matcher(iamPrincipalArn);
+
+ if (iamRoleArnMatcher.find()) {
+ partitionCheck(iamRoleArnMatcher.group("partition"));
+ } else {
+ final Matcher iamRootArnMatcher =
+ DomainConstants.AWS_ACCOUNT_ROOT_ARN_PATTERN.matcher(iamPrincipalArn);
+ if (iamRootArnMatcher.find()) {
+ partitionCheck(iamRootArnMatcher.group("partition"));
+ }
+ }
 }
 
 private String getNamedGroupFromRegexPattern(
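Review bot: An ARN that matches neither `IAM_PRINCIPAL_ARN_PATTERN_ALLOWED` nor `AWS_ACCOUNT_ROOT_ARN_PATTERN` now falls out of `iamPrincipalPartitionCheck` without any exception, so the partition gate silently passes input it could not parse; the old path went through `getNamedGroupFromRegexPattern`, whose body is outside this hunk but which, given that the return value was discarded, looks like it rejected a non-matching ARN. Unless every caller has already validated the ARN shape, the inner `if` wants an `else` that raises the same `ApiException` the helper uses for an unparseable principal, e.g. `} else { throw ApiException.newBuilder().withApiErrors(DefaultApiError.<existing invalid-principal error>).build(); }`, and the Javadoc `@throws` line should say so. Both branches also rely on `AWS_ACCOUNT_ROOT_ARN_PATTERN` defining a named group `partition` (otherwise `group("partition")` throws `IllegalArgumentException`) and on the patterns being anchored, since `find()` accepts a match anywhere in the string; neither is visible here, so worth confirming. The tests in this commit cover matching root ARNs but not the no-match path.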
@@ -194,11 +204,19 @@ private String getNamedGroupFromRegexPattern(
 }
 
 private void partitionCheck(String partition) {
- if (DomainConstants.AWS_GLOBAL_PARTITION_NAME.equals(partition) && !awsGlobalEnabled) {
+ if (isAwsGlobalPartition((partition)) && !awsGlobalEnabled) {
 throw ApiException.newBuilder().withApiErrors(DefaultApiError.AWS_GLOBAL_NOT_ALLOWED).build();
 }
- if (DomainConstants.AWS_CHINA_PARTITION_NAME.equals(partition) && !awsChinaEnabled) {
+ if (isAwsChinaPartition(partition) && !awsChinaEnabled) {
 throw ApiException.newBuilder().withApiErrors(DefaultApiError.AWS_CHINA_NOT_ALLOWED).build();
 }
 }
+
+ private boolean isAwsChinaPartition(String partition) {
+ return DomainConstants.AWS_CHINA_PARTITION_NAME.equals(partition);
+ }
+
+ private boolean isAwsGlobalPartition(String partition) {
+ return DomainConstants.AWS_GLOBAL_PARTITION_NAME.equals(partition);
+ }
 }
diff --git a/cerberus-web/src/test/java/com/nike/cerberus/util/AwsIamRoleArnParserTest.java b/cerberus-web/src/test/java/com/nike/cerberus/util/AwsIamRoleArnParserTest.java
index f289c0991..2238be432 100644
--- a/cerberus-web/src/test/java/com/nike/cerberus/util/AwsIamRoleArnParserTest.java
+++ b/cerberus-web/src/test/java/com/nike/cerberus/util/AwsIamRoleArnParserTest.java
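Review bot: `isAwsGlobalPartition((partition))` carries a redundant pair of parentheses that the sibling call a few lines down does not; `if (isAwsGlobalPartition(partition) && !awsGlobalEnabled) {` keeps the two checks parallel. The two new helpers would read more naturally declared in the same order as the checks that use them (global, then china). Since both helpers are `CONSTANT.equals(partition)`, a `null` partition matches neither name and so passes both checks; a one-line Javadoc on `partitionCheck` stating that a `null` or unrecognised partition is accepted here would make that fall-through explicit for whoever adds the next partition.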
@@ -333,15 +333,31 @@ public void test_isAccountRootArn() {
 "arn:aws:sts::0000000000:federated-user/foobaz"));
 }
 
+ @Test
+ public void test_root_arn_passes_partition_check() {
+ awsGlobalIamRoleArnParser.iamPrincipalPartitionCheck("arn:aws:iam::0000000000:root");
+ awsChinaIamRoleArnParser.iamPrincipalPartitionCheck("arn:aws-cn:iam::0000000000:root");
+ }
+
 @Test(expected = RuntimeException.class)
 public void iamPrincipalPartitionCheck_fails_on_disabled_aws_china_partition() {
 awsGlobalIamRoleArnParser.iamPrincipalPartitionCheck(
 "arn:aws-cn:iam::1111111111:role/lamb_dev_health");
 }
 
+ @Test(expected = RuntimeException.class)
+ public void iamPrincipalPartitionCheck_fails_on_root_arn_with_disabled_aws_china_partition() {
+ awsGlobalIamRoleArnParser.iamPrincipalPartitionCheck("arn:aws-cn:iam::1111111111:root");
+ }
+
 @Test(expected = RuntimeException.class)
 public void iamPrincipalPartitionCheck_fails_on_disabled_aws_global_partition() {
 awsChinaIamRoleArnParser.iamPrincipalPartitionCheck(
 "arn:aws:iam::1111111111:role/lamb_dev_health");
 }
+
+ @Test(expected = RuntimeException.class)
+ public void iamPrincipalPartitionCheck_fails_on_root_arn_with_disabled_aws_global_partition() {
+ awsChinaIamRoleArnParser.iamPrincipalPartitionCheck("arn:aws:iam::1111111111:root");
+ }
 }
diff --git a/gradle.properties b/gradle.properties
index 5c1d957dd..8d6922ddc 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -14,6 +14,6 @@
 # limitations under the License.
 #
 
-version=4.7.0
+version=4.7.1
 group=com.nike.cerberus
 springBootVersion=2.3.2.RELEASE
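Review bot: The new tests exercise root ARNs that match a pattern, but nothing here pins the behaviour of `iamPrincipalPartitionCheck` for an ARN that matches neither the role nor the root pattern, which is the path this commit changes most; a case such as `awsGlobalIamRoleArnParser.iamPrincipalPartitionCheck("not-an-arn");` with an explicit expected outcome (rejected, or accepted) would lock that decision in. The negative tests also use `expected = RuntimeException.class`, which accepts an `IllegalArgumentException` from `Matcher.group("partition")` or a `NullPointerException` just as readily as the intended `ApiException`; narrowing to the type the production code throws, and checking its error code if the harness allows, keeps a wrong-exception regression from passing. The enclosing test class starts before this hunk.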