Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(s3s-policy): add SimpleEvaluator #181

Closed
wants to merge 1 commit into from
Closed

feat(s3s-policy): add SimpleEvaluator #181

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions crates/s3s-policy/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,5 +11,7 @@ license.workspace = true

[dependencies]
indexmap = { version = "2.5.0", features = ["serde"] }
s3s = { version = "0.11.0-dev", path = "../s3s" }
serde = { version = "1.0.210", features = ["derive"] }
serde_json = "1.0.128"
thiserror = "1.0.64"
206 changes: 206 additions & 0 deletions crates/s3s-policy/src/eval.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,206 @@
use crate::model::WildcardOneOrMore;
use crate::model::{ActionRule, ResourceRule};
use crate::model::{Effect, Policy, Statement};
use crate::pattern::{PatternError, PatternSet};

use s3s::auth::S3AuthContext;
use s3s::path::S3Path;

pub struct SimpleEvaluator {
rules: Vec<ParsedRule>,
}

#[derive(Debug, thiserror::Error)]
pub enum EvalError {
#[error("Not supported")]
NotSupported,

#[error("Invalid pattern")]
InvalidPattern,
}

struct ParsedRule {
effect: Effect,
action: Option<PatternSet>,
not_action: Option<PatternSet>,
resource: Option<PatternSet>,
not_resource: Option<PatternSet>,
}

impl SimpleEvaluator {
/// Create a new evaluator from a policy.
///
/// # Errors
/// Returns an error if the policy contains unsupported features.
pub fn new(policy: &Policy) -> Result<Self, EvalError> {
// TODO
for statement in policy.statement.as_slice() {
if statement.principal.is_some() {
return Err(EvalError::NotSupported);
}
if statement.condition.is_some() {
return Err(EvalError::NotSupported);
}
}

let rules = policy
.statement
.as_slice()
.iter()
.map(Self::parse_rule)
.collect::<Result<_, _>>()?;
Ok(SimpleEvaluator { rules })
}

fn parse_rule(stmt: &Statement) -> Result<ParsedRule, EvalError> {
let mut action = None;
let mut not_action = None;
let mut resource = None;
let mut not_resource = None;

let handle_error = |e: PatternError| match e {
PatternError::InvalidPattern => EvalError::InvalidPattern,
};

let build = |w: &WildcardOneOrMore<String>| match w.as_slice() {
Some(w) => PatternSet::new(w.iter().map(String::as_str)).map_err(handle_error),
None => PatternSet::new(["*"]).map_err(handle_error),
};

match &stmt.action {
ActionRule::Action(w) => action = Some(build(w)?),
ActionRule::NotAction(w) => not_action = Some(build(w)?),
}

match &stmt.resource {
ResourceRule::Resource(w) => resource = Some(build(w)?),
ResourceRule::NotResource(w) => not_resource = Some(build(w)?),
}

Ok(ParsedRule {
effect: stmt.effect.clone(),
action,
not_action,
resource,
not_resource,
})
}

fn s3_op_to_action(op_name: &str) -> String {
// FIXME: some op names are not exactly the same as the action names
// https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-policy-actions.html

// TODO: replace this with a static table
if op_name == "ListBuckets" {
return "s3:ListAllMyBuckets".to_owned();
}

format!("s3:{op_name}")
}

fn s3_path_to_resource(path: &S3Path) -> String {
match path {
S3Path::Root => "arn:aws:s3:::".to_owned(),
S3Path::Bucket { bucket } => format!("arn:aws:s3:::{bucket}"),
S3Path::Object { bucket, key } => format!("arn:aws:s3:::{bucket}/{key}"),
}
}

/// Check if the request is allowed by the policy.
///
/// # Errors
///
pub fn check_access(&self, cx: &mut S3AuthContext<'_>) -> Result<Effect, EvalError> {
Ok(self.check(cx.s3_op().name(), cx.s3_path()))
}

fn check(&self, op_name: &str, path: &S3Path) -> Effect {
let action = Self::s3_op_to_action(op_name);
let resource = Self::s3_path_to_resource(path);

let mut allow_count = 0;
for rule in &self.rules {
let mut action_matched = false;
if let Some(ps) = &rule.action {
if ps.is_match(&action) {
action_matched = true;
}
} else if let Some(ps) = &rule.not_action {
if !ps.is_match(&action) {
action_matched = true;
}
}

let mut resource_matched = false;
if let Some(ps) = &rule.resource {
if ps.is_match(&resource) {
resource_matched = true;
}
} else if let Some(ps) = &rule.not_resource {
if !ps.is_match(&resource) {
resource_matched = true;
}
}

let matched = action_matched && resource_matched;

if matched {
match rule.effect {
Effect::Allow => {
allow_count += 1;
}
Effect::Deny => {
return Effect::Deny;
}
}
}
}

if allow_count > 0 {
return Effect::Allow;
}

Effect::Deny
}
}

#[cfg(test)]
mod tests {
use super::*;

#[test]
fn example1() {
let json = crate::tests::example1_json();
let mut policy: Policy = serde_json::from_str(json).unwrap();

// TODO
for stmt in policy.statement.as_mut_slice() {
stmt.principal = None;
stmt.condition = None;
}

let evaluator = SimpleEvaluator::new(&policy).unwrap();

{
let ans = evaluator.check("ListBuckets", &S3Path::root());
assert_eq!(ans, Effect::Allow);
}
{
let ans = evaluator.check("ListObjectsV2", &S3Path::bucket("confidential-data"));
assert_eq!(ans, Effect::Allow);

let ans = evaluator.check("GetObject", &S3Path::object("confidential-data", "file.txt"));
assert_eq!(ans, Effect::Allow);

let ans = evaluator.check("PutObject", &S3Path::bucket("confidential-data"));
assert_eq!(ans, Effect::Deny);
}
{
let ans = evaluator.check("ListObjectsV2", &S3Path::bucket("another-bucket"));
assert_eq!(ans, Effect::Deny);

let ans = evaluator.check("GetObject", &S3Path::object("another-bucket", "file.txt"));
assert_eq!(ans, Effect::Deny);
}
}
}
9 changes: 9 additions & 0 deletions crates/s3s-policy/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,5 +8,14 @@
#![warn(
clippy::dbg_macro, //
)]
#![allow(
clippy::module_name_repetitions, //
)]

mod pattern;

pub mod eval;
pub mod model;

#[cfg(test)]
mod tests;
101 changes: 38 additions & 63 deletions crates/s3s-policy/src/model.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
//! <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html>

use std::marker::PhantomData;
use std::slice;

use indexmap::IndexMap;
use serde::{Deserialize, Serialize};
Expand Down Expand Up @@ -280,6 +281,40 @@ where
}
}

impl<T> OneOrMore<T> {
pub fn as_slice(&self) -> &[T] {
match self {
OneOrMore::One(t) => slice::from_ref(t),
OneOrMore::More(ts) => ts,
}
}

pub fn as_mut_slice(&mut self) -> &mut [T] {
match self {
OneOrMore::One(t) => slice::from_mut(t),
OneOrMore::More(ts) => ts,
}
}
}

impl<T> WildcardOneOrMore<T> {
pub fn as_slice(&self) -> Option<&[T]> {
match self {
WildcardOneOrMore::Wildcard => None,
WildcardOneOrMore::One(t) => Some(slice::from_ref(t)),
WildcardOneOrMore::More(ts) => Some(ts),
}
}

pub fn as_mut_slice(&mut self) -> Option<&mut [T]> {
match self {
WildcardOneOrMore::Wildcard => None,
WildcardOneOrMore::One(t) => Some(slice::from_mut(t)),
WildcardOneOrMore::More(ts) => Some(ts),
}
}
}

#[cfg(test)]
mod tests {
use super::*;
Expand Down Expand Up @@ -457,42 +492,9 @@ mod tests {
}
}

/// <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json>
#[test]
fn example1() {
let json = r#"
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FirstStatement",
"Effect": "Allow",
"Action": ["iam:ChangePassword"],
"Resource": "*"
},
{
"Sid": "SecondStatement",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "ThirdStatement",
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::confidential-data",
"arn:aws:s3:::confidential-data/*"
],
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
}
]
}
"#;

let json = crate::tests::example1_json();
let policy: Policy = serde_json::from_str(json).unwrap();

let expected = Policy {
Expand Down Expand Up @@ -541,20 +543,9 @@ mod tests {
}
}

/// <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json>
#[test]
fn example2() {
let json = r#"
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket"
}
}
"#;

let json = crate::tests::example2_json();
let policy: Policy = serde_json::from_str(json).unwrap();

let expected = Policy {
Expand All @@ -579,25 +570,9 @@ mod tests {
}
}

/// <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json>
#[test]
fn example3() {
let json = r#"
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "1",
"Effect": "Allow",
"Principal": {"AWS": ["arn:aws:iam::account-id:root"]},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
]
}]
}
"#;

let json = crate::tests::example3_json();
let policy: Policy = serde_json::from_str(json).unwrap();

let expected = Policy {
Expand Down
Loading
Loading