Add boolean function condition support (#7027)

master
Harshavardhana 6 years ago committed by GitHub
parent 1898961ce3
commit 2a0e4b6f58
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 167
      pkg/iam/policy/action.go
  2. 155
      pkg/policy/action.go
  3. 4
      pkg/policy/condition/binaryequalsfunc.go
  4. 5
      pkg/policy/condition/binaryequalsfunc_test.go
  5. 105
      pkg/policy/condition/boolfunc.go
  6. 152
      pkg/policy/condition/boolfunc_test.go
  7. 1
      pkg/policy/condition/func.go
  8. 14
      pkg/policy/condition/func_test.go
  9. 24
      pkg/policy/condition/key.go
  10. 2
      pkg/policy/condition/key_test.go
  11. 30
      pkg/policy/condition/name.go
  12. 4
      pkg/policy/condition/stringequalsfunc.go
  13. 10
      pkg/policy/condition/stringequalsfunc_test.go
  14. 10
      pkg/policy/condition/stringequalsignorecasefunc_test.go
  15. 12
      pkg/policy/condition/stringlikefunc_test.go
  16. 4
      pkg/policy/statement_test.go

@ -176,133 +176,54 @@ func parseAction(s string) (Action, error) {
var actionConditionKeyMap = map[Action]condition.KeySet{ var actionConditionKeyMap = map[Action]condition.KeySet{
AllActions: condition.NewKeySet(condition.AllSupportedKeys...), AllActions: condition.NewKeySet(condition.AllSupportedKeys...),
AbortMultipartUploadAction: condition.NewKeySet( AbortMultipartUploadAction: condition.NewKeySet(condition.CommonKeys...),
condition.AWSReferer,
condition.AWSSourceIP, CreateBucketAction: condition.NewKeySet(condition.CommonKeys...),
condition.AWSUserAgent,
condition.AWSSecureTransport, DeleteBucketPolicyAction: condition.NewKeySet(condition.CommonKeys...),
),
DeleteObjectAction: condition.NewKeySet(condition.CommonKeys...),
CreateBucketAction: condition.NewKeySet(
condition.AWSReferer, GetBucketLocationAction: condition.NewKeySet(condition.CommonKeys...),
condition.AWSSourceIP,
condition.AWSUserAgent, GetBucketNotificationAction: condition.NewKeySet(condition.CommonKeys...),
condition.AWSSecureTransport,
), GetBucketPolicyAction: condition.NewKeySet(condition.CommonKeys...),
DeleteBucketPolicyAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
DeleteObjectAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
GetBucketLocationAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
GetBucketNotificationAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
GetBucketPolicyAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
GetObjectAction: condition.NewKeySet( GetObjectAction: condition.NewKeySet(
condition.S3XAmzServerSideEncryption, append([]condition.Key{
condition.S3XAmzServerSideEncryptionAwsKMSKeyID, condition.S3XAmzServerSideEncryption,
condition.S3XAmzStorageClass, condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
condition.AWSReferer, condition.S3XAmzStorageClass,
condition.AWSSourceIP, }, condition.CommonKeys...)...),
condition.AWSUserAgent,
condition.AWSSecureTransport, HeadBucketAction: condition.NewKeySet(condition.CommonKeys...),
),
ListAllMyBucketsAction: condition.NewKeySet(condition.CommonKeys...),
HeadBucketAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
ListAllMyBucketsAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
ListBucketAction: condition.NewKeySet( ListBucketAction: condition.NewKeySet(
condition.S3Prefix, append([]condition.Key{
condition.S3Delimiter, condition.S3Prefix,
condition.S3MaxKeys, condition.S3Delimiter,
condition.AWSReferer, condition.S3MaxKeys,
condition.AWSSourceIP, }, condition.CommonKeys...)...),
condition.AWSUserAgent,
condition.AWSSecureTransport, ListBucketMultipartUploadsAction: condition.NewKeySet(condition.CommonKeys...),
),
ListenBucketNotificationAction: condition.NewKeySet(condition.CommonKeys...),
ListBucketMultipartUploadsAction: condition.NewKeySet(
condition.AWSReferer, ListMultipartUploadPartsAction: condition.NewKeySet(condition.CommonKeys...),
condition.AWSSourceIP,
condition.AWSUserAgent, PutBucketNotificationAction: condition.NewKeySet(condition.CommonKeys...),
condition.AWSSecureTransport,
), PutBucketPolicyAction: condition.NewKeySet(condition.CommonKeys...),
ListenBucketNotificationAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
ListMultipartUploadPartsAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
PutBucketNotificationAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
PutBucketPolicyAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
PutObjectAction: condition.NewKeySet( PutObjectAction: condition.NewKeySet(
condition.S3XAmzCopySource, append([]condition.Key{
condition.S3XAmzServerSideEncryption, condition.S3XAmzCopySource,
condition.S3XAmzServerSideEncryptionAwsKMSKeyID, condition.S3XAmzServerSideEncryption,
condition.S3XAmzMetadataDirective, condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
condition.S3XAmzStorageClass, condition.S3XAmzMetadataDirective,
condition.AWSReferer, condition.S3XAmzStorageClass,
condition.AWSSourceIP, }, condition.CommonKeys...)...),
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
} }

@ -158,133 +158,42 @@ func parseAction(s string) (Action, error) {
// actionConditionKeyMap - holds mapping of supported condition key for an action. // actionConditionKeyMap - holds mapping of supported condition key for an action.
var actionConditionKeyMap = map[Action]condition.KeySet{ var actionConditionKeyMap = map[Action]condition.KeySet{
AbortMultipartUploadAction: condition.NewKeySet( AbortMultipartUploadAction: condition.NewKeySet(condition.CommonKeys...),
condition.AWSReferer,
condition.AWSSourceIP, CreateBucketAction: condition.NewKeySet(condition.CommonKeys...),
condition.AWSUserAgent,
condition.AWSSecureTransport, DeleteObjectAction: condition.NewKeySet(condition.CommonKeys...),
),
GetBucketLocationAction: condition.NewKeySet(condition.CommonKeys...),
CreateBucketAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
DeleteBucketPolicyAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
DeleteObjectAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
GetBucketLocationAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
GetBucketNotificationAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
GetBucketPolicyAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
GetObjectAction: condition.NewKeySet( GetObjectAction: condition.NewKeySet(
condition.S3XAmzServerSideEncryption, append([]condition.Key{
condition.S3XAmzServerSideEncryptionAwsKMSKeyID, condition.S3XAmzServerSideEncryption,
condition.S3XAmzStorageClass, condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
condition.AWSReferer, condition.S3XAmzStorageClass,
condition.AWSSourceIP, }, condition.CommonKeys...)...),
condition.AWSUserAgent,
condition.AWSSecureTransport, HeadBucketAction: condition.NewKeySet(condition.CommonKeys...),
),
ListAllMyBucketsAction: condition.NewKeySet(condition.CommonKeys...),
HeadBucketAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
ListAllMyBucketsAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
ListBucketAction: condition.NewKeySet( ListBucketAction: condition.NewKeySet(
condition.S3Prefix, append([]condition.Key{
condition.S3Delimiter, condition.S3Prefix,
condition.S3MaxKeys, condition.S3Delimiter,
condition.AWSReferer, condition.S3MaxKeys,
condition.AWSSourceIP, }, condition.CommonKeys...)...),
condition.AWSUserAgent,
condition.AWSSecureTransport, ListBucketMultipartUploadsAction: condition.NewKeySet(condition.CommonKeys...),
),
ListMultipartUploadPartsAction: condition.NewKeySet(condition.CommonKeys...),
ListBucketMultipartUploadsAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
ListenBucketNotificationAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
ListMultipartUploadPartsAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
PutBucketNotificationAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
PutBucketPolicyAction: condition.NewKeySet(
condition.AWSReferer,
condition.AWSSourceIP,
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
PutObjectAction: condition.NewKeySet( PutObjectAction: condition.NewKeySet(
condition.S3XAmzCopySource, append([]condition.Key{
condition.S3XAmzServerSideEncryption, condition.S3XAmzCopySource,
condition.S3XAmzServerSideEncryptionAwsKMSKeyID, condition.S3XAmzServerSideEncryption,
condition.S3XAmzMetadataDirective, condition.S3XAmzServerSideEncryptionCustomerAlgorithm,
condition.S3XAmzStorageClass, condition.S3XAmzMetadataDirective,
condition.AWSReferer, condition.S3XAmzStorageClass,
condition.AWSSourceIP, }, condition.CommonKeys...)...),
condition.AWSUserAgent,
condition.AWSSecureTransport,
),
} }

@ -102,8 +102,8 @@ func validateBinaryEqualsValues(n name, key Key, values set.StringSet) error {
if err = s3utils.CheckValidBucketName(bucket); err != nil { if err = s3utils.CheckValidBucketName(bucket); err != nil {
return err return err
} }
case S3XAmzServerSideEncryption: case S3XAmzServerSideEncryption, S3XAmzServerSideEncryptionCustomerAlgorithm:
if s != "aws:kms" && s != "AES256" { if s != "AES256" {
return fmt.Errorf("invalid value '%v' for '%v' for %v condition", s, S3XAmzServerSideEncryption, n) return fmt.Errorf("invalid value '%v' for '%v' for %v condition", s, S3XAmzServerSideEncryption, n)
} }
case S3XAmzMetadataDirective: case S3XAmzMetadataDirective:

@ -58,7 +58,6 @@ func TestBinaryEqualsFuncEvaluate(t *testing.T) {
{case1Function, map[string][]string{"delimiter": {"/"}}, false}, {case1Function, map[string][]string{"delimiter": {"/"}}, false},
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true}, {case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, false},
{case2Function, map[string][]string{}, false}, {case2Function, map[string][]string{}, false},
{case2Function, map[string][]string{"delimiter": {"/"}}, false}, {case2Function, map[string][]string{"delimiter": {"/"}}, false},
@ -167,7 +166,6 @@ func TestBinaryEqualsFuncToMap(t *testing.T) {
case4Function, err := newBinaryEqualsFunc(S3XAmzServerSideEncryption, case4Function, err := newBinaryEqualsFunc(S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))), NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))),
NewStringValue(base64.StdEncoding.EncodeToString([]byte("aws:kms"))),
), ),
) )
if err != nil { if err != nil {
@ -177,7 +175,6 @@ func TestBinaryEqualsFuncToMap(t *testing.T) {
case4Result := map[Key]ValueSet{ case4Result := map[Key]ValueSet{
S3XAmzServerSideEncryption: NewValueSet( S3XAmzServerSideEncryption: NewValueSet(
NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))), NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))),
NewStringValue(base64.StdEncoding.EncodeToString([]byte("aws:kms"))),
), ),
} }
@ -285,7 +282,6 @@ func TestNewBinaryEqualsFunc(t *testing.T) {
case4Function, err := newBinaryEqualsFunc(S3XAmzServerSideEncryption, case4Function, err := newBinaryEqualsFunc(S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))), NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))),
NewStringValue(base64.StdEncoding.EncodeToString([]byte("aws:kms"))),
), ),
) )
if err != nil { if err != nil {
@ -341,7 +337,6 @@ func TestNewBinaryEqualsFunc(t *testing.T) {
{S3XAmzServerSideEncryption, {S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))), NewStringValue(base64.StdEncoding.EncodeToString([]byte("AES256"))),
NewStringValue(base64.StdEncoding.EncodeToString([]byte("aws:kms"))),
), case4Function, false}, ), case4Function, false},
{S3XAmzMetadataDirective, NewValueSet(NewStringValue(base64.StdEncoding.EncodeToString([]byte("REPLACE")))), case5Function, false}, {S3XAmzMetadataDirective, NewValueSet(NewStringValue(base64.StdEncoding.EncodeToString([]byte("REPLACE")))), case5Function, false},

@ -0,0 +1,105 @@
/*
* Minio Cloud Storage, (C) 2018 Minio, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package condition
import (
"fmt"
"net/http"
"reflect"
"strconv"
)
// booleanFunc - Bool condition function. It checks whether Key is true or false.
// https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Boolean
type booleanFunc struct {
k Key
value string
}
// evaluate() - evaluates to check whether Key is present in given values or not.
// Depending on condition boolean value, this function returns true or false.
func (f booleanFunc) evaluate(values map[string][]string) bool {
requestValue, ok := values[http.CanonicalHeaderKey(f.k.Name())]
if !ok {
requestValue = values[f.k.Name()]
}
return f.value == requestValue[0]
}
// key() - returns condition key which is used by this condition function.
func (f booleanFunc) key() Key {
return f.k
}
// name() - returns "Bool" condition name.
func (f booleanFunc) name() name {
return boolean
}
func (f booleanFunc) String() string {
return fmt.Sprintf("%v:%v:%v", boolean, f.k, f.value)
}
// toMap - returns map representation of this function.
func (f booleanFunc) toMap() map[Key]ValueSet {
if !f.k.IsValid() {
return nil
}
return map[Key]ValueSet{
f.k: NewValueSet(NewStringValue(f.value)),
}
}
func newBooleanFunc(key Key, values ValueSet) (Function, error) {
if key != AWSSecureTransport {
return nil, fmt.Errorf("only %v key is allowed for %v condition", AWSSecureTransport, boolean)
}
if len(values) != 1 {
return nil, fmt.Errorf("only one value is allowed for boolean condition")
}
var value Value
for v := range values {
value = v
switch v.GetType() {
case reflect.Bool:
if _, err := v.GetBool(); err != nil {
return nil, err
}
case reflect.String:
s, err := v.GetString()
if err != nil {
return nil, err
}
if _, err = strconv.ParseBool(s); err != nil {
return nil, fmt.Errorf("value must be a boolean string for boolean condition")
}
default:
return nil, fmt.Errorf("value must be a boolean for boolean condition")
}
}
return &booleanFunc{key, value.String()}, nil
}
// NewBoolFunc - returns new Bool function.
func NewBoolFunc(key Key, value string) (Function, error) {
return &booleanFunc{key, value}, nil
}

@ -0,0 +1,152 @@
/*
* Minio Cloud Storage, (C) 2018 Minio, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package condition
import (
"reflect"
"testing"
)
func TestBooleanFuncEvaluate(t *testing.T) {
case1Function, err := newBooleanFunc(AWSSecureTransport, NewValueSet(NewBoolValue(true)))
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
case2Function, err := newBooleanFunc(AWSSecureTransport, NewValueSet(NewBoolValue(false)))
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
testCases := []struct {
function Function
values map[string][]string
expectedResult bool
}{
{case1Function, map[string][]string{"SecureTransport": {"true"}}, true},
{case2Function, map[string][]string{"SecureTransport": {"false"}}, true},
}
for i, testCase := range testCases {
result := testCase.function.evaluate(testCase.values)
if result != testCase.expectedResult {
t.Errorf("case %v: expected: %v, got: %v\n", i+1, testCase.expectedResult, result)
}
}
}
func TestBooleanFuncKey(t *testing.T) {
case1Function, err := newBooleanFunc(AWSSecureTransport, NewValueSet(NewBoolValue(true)))
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
testCases := []struct {
function Function
expectedResult Key
}{
{case1Function, AWSSecureTransport},
}
for i, testCase := range testCases {
result := testCase.function.key()
if result != testCase.expectedResult {
t.Fatalf("case %v: expected: %v, got: %v\n", i+1, testCase.expectedResult, result)
}
}
}
func TestBooleanFuncToMap(t *testing.T) {
case1Function, err := newBooleanFunc(AWSSecureTransport, NewValueSet(NewBoolValue(true)))
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
case1Result := map[Key]ValueSet{
AWSSecureTransport: NewValueSet(NewStringValue("true")),
}
case2Function, err := newBooleanFunc(AWSSecureTransport, NewValueSet(NewBoolValue(false)))
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
case2Result := map[Key]ValueSet{
AWSSecureTransport: NewValueSet(NewStringValue("false")),
}
testCases := []struct {
f Function
expectedResult map[Key]ValueSet
}{
{case1Function, case1Result},
{case2Function, case2Result},
}
for i, testCase := range testCases {
result := testCase.f.toMap()
if !reflect.DeepEqual(result, testCase.expectedResult) {
t.Fatalf("case %v: result: expected: %v, got: %v\n", i+1, testCase.expectedResult, result)
}
}
}
func TestNewBooleanFunc(t *testing.T) {
case1Function, err := newBooleanFunc(AWSSecureTransport, NewValueSet(NewBoolValue(true)))
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
case2Function, err := newBooleanFunc(AWSSecureTransport, NewValueSet(NewBoolValue(false)))
if err != nil {
t.Fatalf("unexpected error. %v\n", err)
}
testCases := []struct {
key Key
values ValueSet
expectedResult Function
expectErr bool
}{
{AWSSecureTransport, NewValueSet(NewBoolValue(true)), case1Function, false},
{AWSSecureTransport, NewValueSet(NewStringValue("false")), case2Function, false},
// Multiple values error.
{AWSSecureTransport, NewValueSet(NewStringValue("true"), NewStringValue("false")), nil, true},
// Invalid boolean string error.
{AWSSecureTransport, NewValueSet(NewStringValue("foo")), nil, true},
// Invalid value error.
{AWSSecureTransport, NewValueSet(NewIntValue(7)), nil, true},
}
for i, testCase := range testCases {
result, err := newBooleanFunc(testCase.key, testCase.values)
expectErr := (err != nil)
if expectErr != testCase.expectErr {
t.Fatalf("case %v: error: expected: %v, got: %v\n", i+1, testCase.expectErr, expectErr)
}
if !testCase.expectErr {
if !reflect.DeepEqual(result, testCase.expectedResult) {
t.Fatalf("case %v: result: expected: %v, got: %v\n", i+1, testCase.expectedResult, result)
}
}
}
}

@ -99,6 +99,7 @@ var conditionFuncMap = map[name]func(Key, ValueSet) (Function, error){
ipAddress: newIPAddressFunc, ipAddress: newIPAddressFunc,
notIPAddress: newNotIPAddressFunc, notIPAddress: newNotIPAddressFunc,
null: newNullFunc, null: newNullFunc,
boolean: newBooleanFunc,
// Add new conditions here. // Add new conditions here.
} }

@ -148,7 +148,7 @@ func TestFunctionsMarshalJSON(t *testing.T) {
t.Fatalf("unexpected error. %v\n", err) t.Fatalf("unexpected error. %v\n", err)
} }
func6, err := newNullFunc(S3XAmzServerSideEncryptionAwsKMSKeyID, NewValueSet(NewBoolValue(true))) func6, err := newNullFunc(S3XAmzServerSideEncryptionCustomerAlgorithm, NewValueSet(NewBoolValue(true)))
if err != nil { if err != nil {
t.Fatalf("unexpected error. %v\n", err) t.Fatalf("unexpected error. %v\n", err)
} }
@ -159,9 +159,9 @@ func TestFunctionsMarshalJSON(t *testing.T) {
t.Fatalf("unexpected error. %v\n", err) t.Fatalf("unexpected error. %v\n", err)
} }
case1Result := []byte(`{"IpAddress":{"aws:SourceIp":["192.168.1.0/24"]},"NotIpAddress":{"aws:SourceIp":["10.1.10.0/24"]},"Null":{"s3:x-amz-server-side-encryption-aws-kms-key-id":[true]},"StringEquals":{"s3:x-amz-copy-source":["mybucket/myobject"]},"StringLike":{"s3:x-amz-metadata-directive":["REPL*"]},"StringNotEquals":{"s3:x-amz-server-side-encryption":["AES256"]},"StringNotLike":{"s3:x-amz-storage-class":["STANDARD"]}}`) case1Result := []byte(`{"IpAddress":{"aws:SourceIp":["192.168.1.0/24"]},"NotIpAddress":{"aws:SourceIp":["10.1.10.0/24"]},"Null":{"s3:x-amz-server-side-encryption-customer-algorithm":[true]},"StringEquals":{"s3:x-amz-copy-source":["mybucket/myobject"]},"StringLike":{"s3:x-amz-metadata-directive":["REPL*"]},"StringNotEquals":{"s3:x-amz-server-side-encryption":["AES256"]},"StringNotLike":{"s3:x-amz-storage-class":["STANDARD"]}}`)
case2Result := []byte(`{"Null":{"s3:x-amz-server-side-encryption-aws-kms-key-id":[true]}}`) case2Result := []byte(`{"Null":{"s3:x-amz-server-side-encryption-customer-algorithm":[true]}}`)
testCases := []struct { testCases := []struct {
functions Functions functions Functions
@ -211,7 +211,7 @@ func TestFunctionsUnmarshalJSON(t *testing.T) {
"s3:x-amz-storage-class": "STANDARD" "s3:x-amz-storage-class": "STANDARD"
}, },
"Null": { "Null": {
"s3:x-amz-server-side-encryption-aws-kms-key-id": true "s3:x-amz-server-side-encryption-customer-algorithm": true
}, },
"IpAddress": { "IpAddress": {
"aws:SourceIp": [ "aws:SourceIp": [
@ -246,7 +246,7 @@ func TestFunctionsUnmarshalJSON(t *testing.T) {
t.Fatalf("unexpected error. %v\n", err) t.Fatalf("unexpected error. %v\n", err)
} }
func6, err := newNullFunc(S3XAmzServerSideEncryptionAwsKMSKeyID, NewValueSet(NewBoolValue(true))) func6, err := newNullFunc(S3XAmzServerSideEncryptionCustomerAlgorithm, NewValueSet(NewBoolValue(true)))
if err != nil { if err != nil {
t.Fatalf("unexpected error. %v\n", err) t.Fatalf("unexpected error. %v\n", err)
} }
@ -259,10 +259,10 @@ func TestFunctionsUnmarshalJSON(t *testing.T) {
case2Data := []byte(`{ case2Data := []byte(`{
"Null": { "Null": {
"s3:x-amz-server-side-encryption-aws-kms-key-id": true "s3:x-amz-server-side-encryption-customer-algorithm": true
}, },
"Null": { "Null": {
"s3:x-amz-server-side-encryption-aws-kms-key-id": "true" "s3:x-amz-server-side-encryption-customer-algorithm": "true"
} }
}`) }`)

@ -35,10 +35,6 @@ const (
// to PutObject API only. // to PutObject API only.
S3XAmzServerSideEncryption = "s3:x-amz-server-side-encryption" S3XAmzServerSideEncryption = "s3:x-amz-server-side-encryption"
// S3XAmzServerSideEncryptionAwsKMSKeyID - key representing x-amz-server-side-encryption-aws-kms-key-id
// HTTP header applicable to PutObject API only.
S3XAmzServerSideEncryptionAwsKMSKeyID = "s3:x-amz-server-side-encryption-aws-kms-key-id"
// S3XAmzServerSideEncryptionCustomerAlgorithm - key representing // S3XAmzServerSideEncryptionCustomerAlgorithm - key representing
// x-amz-server-side-encryption-customer-algorithm HTTP header applicable to PutObject API only. // x-amz-server-side-encryption-customer-algorithm HTTP header applicable to PutObject API only.
S3XAmzServerSideEncryptionCustomerAlgorithm = "s3:x-amz-server-side-encryption-customer-algorithm" S3XAmzServerSideEncryptionCustomerAlgorithm = "s3:x-amz-server-side-encryption-customer-algorithm"
@ -74,13 +70,19 @@ const (
// AWSSecureTransport - key representing if the clients request is authenticated or not. // AWSSecureTransport - key representing if the clients request is authenticated or not.
AWSSecureTransport = "aws:SecureTransport" AWSSecureTransport = "aws:SecureTransport"
// AWSCurrentTime - key representing the current time.
AWSCurrentTime = "aws:CurrentTime"
// AWSEpochTime - key representing the current epoch time.
AWSEpochTime = "aws:EpochTime"
) )
// AllSupportedKeys - is list of all all supported keys. // AllSupportedKeys - is list of all all supported keys.
var AllSupportedKeys = []Key{ var AllSupportedKeys = []Key{
S3XAmzCopySource, S3XAmzCopySource,
S3XAmzServerSideEncryption, S3XAmzServerSideEncryption,
S3XAmzServerSideEncryptionAwsKMSKeyID, S3XAmzServerSideEncryptionCustomerAlgorithm,
S3XAmzMetadataDirective, S3XAmzMetadataDirective,
S3XAmzStorageClass, S3XAmzStorageClass,
S3LocationConstraint, S3LocationConstraint,
@ -91,9 +93,21 @@ var AllSupportedKeys = []Key{
AWSSourceIP, AWSSourceIP,
AWSUserAgent, AWSUserAgent,
AWSSecureTransport, AWSSecureTransport,
AWSCurrentTime,
AWSEpochTime,
// Add new supported condition keys. // Add new supported condition keys.
} }
// CommonKeys - is list of all common condition keys.
var CommonKeys = []Key{
AWSReferer,
AWSSourceIP,
AWSUserAgent,
AWSSecureTransport,
AWSCurrentTime,
AWSEpochTime,
}
// IsValid - checks if key is valid or not. // IsValid - checks if key is valid or not.
func (key Key) IsValid() bool { func (key Key) IsValid() bool {
for _, supKey := range AllSupportedKeys { for _, supKey := range AllSupportedKeys {

@ -29,7 +29,7 @@ func TestKeyIsValid(t *testing.T) {
}{ }{
{S3XAmzCopySource, true}, {S3XAmzCopySource, true},
{S3XAmzServerSideEncryption, true}, {S3XAmzServerSideEncryption, true},
{S3XAmzServerSideEncryptionAwsKMSKeyID, true}, {S3XAmzServerSideEncryptionCustomerAlgorithm, true},
{S3XAmzMetadataDirective, true}, {S3XAmzMetadataDirective, true},
{S3XAmzStorageClass, true}, {S3XAmzStorageClass, true},
{S3LocationConstraint, true}, {S3LocationConstraint, true},

@ -34,23 +34,27 @@ const (
ipAddress = "IpAddress" ipAddress = "IpAddress"
notIPAddress = "NotIpAddress" notIPAddress = "NotIpAddress"
null = "Null" null = "Null"
boolean = "Bool"
) )
var supportedConditions = []name{
stringEquals,
stringNotEquals,
stringEqualsIgnoreCase,
stringNotEqualsIgnoreCase,
binaryEquals,
stringLike,
stringNotLike,
ipAddress,
notIPAddress,
null,
boolean,
// Add new conditions here.
}
// IsValid - checks if name is valid or not. // IsValid - checks if name is valid or not.
func (n name) IsValid() bool { func (n name) IsValid() bool {
for _, supn := range []name{ for _, supn := range supportedConditions {
stringEquals,
stringNotEquals,
stringEqualsIgnoreCase,
stringNotEqualsIgnoreCase,
binaryEquals,
stringLike,
stringNotLike,
ipAddress,
notIPAddress,
null,
// Add new conditions here.
} {
if n == supn { if n == supn {
return true return true
} }

@ -134,8 +134,8 @@ func validateStringEqualsValues(n name, key Key, values set.StringSet) error {
if err := s3utils.CheckValidBucketName(bucket); err != nil { if err := s3utils.CheckValidBucketName(bucket); err != nil {
return err return err
} }
case S3XAmzServerSideEncryption: case S3XAmzServerSideEncryption, S3XAmzServerSideEncryptionCustomerAlgorithm:
if s != "aws:kms" && s != "AES256" { if s != "AES256" {
return fmt.Errorf("invalid value '%v' for '%v' for %v condition", s, S3XAmzServerSideEncryption, n) return fmt.Errorf("invalid value '%v' for '%v' for %v condition", s, S3XAmzServerSideEncryption, n)
} }
case S3XAmzMetadataDirective: case S3XAmzMetadataDirective:

@ -53,7 +53,6 @@ func TestStringEqualsFuncEvaluate(t *testing.T) {
{case1Function, map[string][]string{"delimiter": {"/"}}, false}, {case1Function, map[string][]string{"delimiter": {"/"}}, false},
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true}, {case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, false},
{case2Function, map[string][]string{}, false}, {case2Function, map[string][]string{}, false},
{case2Function, map[string][]string{"delimiter": {"/"}}, false}, {case2Function, map[string][]string{"delimiter": {"/"}}, false},
@ -156,7 +155,6 @@ func TestStringEqualsFuncToMap(t *testing.T) {
case4Function, err := newStringEqualsFunc(S3XAmzServerSideEncryption, case4Function, err := newStringEqualsFunc(S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), ),
) )
if err != nil { if err != nil {
@ -166,7 +164,6 @@ func TestStringEqualsFuncToMap(t *testing.T) {
case4Result := map[Key]ValueSet{ case4Result := map[Key]ValueSet{
S3XAmzServerSideEncryption: NewValueSet( S3XAmzServerSideEncryption: NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), ),
} }
@ -278,7 +275,6 @@ func TestStringNotEqualsFuncEvaluate(t *testing.T) {
{case1Function, map[string][]string{"delimiter": {"/"}}, true}, {case1Function, map[string][]string{"delimiter": {"/"}}, true},
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false}, {case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false},
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, true},
{case2Function, map[string][]string{}, true}, {case2Function, map[string][]string{}, true},
{case2Function, map[string][]string{"delimiter": {"/"}}, true}, {case2Function, map[string][]string{"delimiter": {"/"}}, true},
@ -381,7 +377,6 @@ func TestStringNotEqualsFuncToMap(t *testing.T) {
case4Function, err := newStringNotEqualsFunc(S3XAmzServerSideEncryption, case4Function, err := newStringNotEqualsFunc(S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), ),
) )
if err != nil { if err != nil {
@ -391,7 +386,6 @@ func TestStringNotEqualsFuncToMap(t *testing.T) {
case4Result := map[Key]ValueSet{ case4Result := map[Key]ValueSet{
S3XAmzServerSideEncryption: NewValueSet( S3XAmzServerSideEncryption: NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), ),
} }
@ -495,7 +489,6 @@ func TestNewStringEqualsFunc(t *testing.T) {
case4Function, err := newStringEqualsFunc(S3XAmzServerSideEncryption, case4Function, err := newStringEqualsFunc(S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), ),
) )
if err != nil { if err != nil {
@ -549,7 +542,6 @@ func TestNewStringEqualsFunc(t *testing.T) {
{S3XAmzServerSideEncryption, {S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), case4Function, false}, ), case4Function, false},
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false}, {S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false},
@ -618,7 +610,6 @@ func TestNewStringNotEqualsFunc(t *testing.T) {
case4Function, err := newStringNotEqualsFunc(S3XAmzServerSideEncryption, case4Function, err := newStringNotEqualsFunc(S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), ),
) )
if err != nil { if err != nil {
@ -672,7 +663,6 @@ func TestNewStringNotEqualsFunc(t *testing.T) {
{S3XAmzServerSideEncryption, {S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), case4Function, false}, ), case4Function, false},
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false}, {S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false},

@ -54,7 +54,6 @@ func TestStringEqualsIgnoreCaseFuncEvaluate(t *testing.T) {
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true}, {case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"aes256"}}, true}, {case2Function, map[string][]string{"x-amz-server-side-encryption": {"aes256"}}, true},
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, false},
{case2Function, map[string][]string{}, false}, {case2Function, map[string][]string{}, false},
{case2Function, map[string][]string{"delimiter": {"/"}}, false}, {case2Function, map[string][]string{"delimiter": {"/"}}, false},
@ -158,7 +157,6 @@ func TestStringEqualsIgnoreCaseFuncToMap(t *testing.T) {
case4Function, err := newStringEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption, case4Function, err := newStringEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), ),
) )
if err != nil { if err != nil {
@ -168,7 +166,6 @@ func TestStringEqualsIgnoreCaseFuncToMap(t *testing.T) {
case4Result := map[Key]ValueSet{ case4Result := map[Key]ValueSet{
S3XAmzServerSideEncryption: NewValueSet( S3XAmzServerSideEncryption: NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), ),
} }
@ -280,7 +277,6 @@ func TestStringNotEqualsIgnoreCaseFuncEvaluate(t *testing.T) {
{case1Function, map[string][]string{"delimiter": {"/"}}, true}, {case1Function, map[string][]string{"delimiter": {"/"}}, true},
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false}, {case2Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false},
{case2Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, true},
{case2Function, map[string][]string{}, true}, {case2Function, map[string][]string{}, true},
{case2Function, map[string][]string{"delimiter": {"/"}}, true}, {case2Function, map[string][]string{"delimiter": {"/"}}, true},
@ -383,7 +379,6 @@ func TestStringNotEqualsIgnoreCaseFuncToMap(t *testing.T) {
case4Function, err := newStringNotEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption, case4Function, err := newStringNotEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), ),
) )
if err != nil { if err != nil {
@ -393,7 +388,6 @@ func TestStringNotEqualsIgnoreCaseFuncToMap(t *testing.T) {
case4Result := map[Key]ValueSet{ case4Result := map[Key]ValueSet{
S3XAmzServerSideEncryption: NewValueSet( S3XAmzServerSideEncryption: NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), ),
} }
@ -497,7 +491,6 @@ func TestNewStringEqualsIgnoreCaseFunc(t *testing.T) {
case4Function, err := newStringEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption, case4Function, err := newStringEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), ),
) )
if err != nil { if err != nil {
@ -551,7 +544,6 @@ func TestNewStringEqualsIgnoreCaseFunc(t *testing.T) {
{S3XAmzServerSideEncryption, {S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), case4Function, false}, ), case4Function, false},
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false}, {S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false},
@ -620,7 +612,6 @@ func TestNewStringNotEqualsIgnoreCaseFunc(t *testing.T) {
case4Function, err := newStringNotEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption, case4Function, err := newStringNotEqualsIgnoreCaseFunc(S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), ),
) )
if err != nil { if err != nil {
@ -674,7 +665,6 @@ func TestNewStringNotEqualsIgnoreCaseFunc(t *testing.T) {
{S3XAmzServerSideEncryption, {S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES256"), NewStringValue("AES256"),
NewStringValue("aws:kms"),
), case4Function, false}, ), case4Function, false},
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false}, {S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPLACE")), case5Function, false},

@ -81,13 +81,11 @@ func TestStringLikeFuncEvaluate(t *testing.T) {
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true}, {case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, true}, {case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, true},
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, false},
{case3Function, map[string][]string{}, false}, {case3Function, map[string][]string{}, false},
{case3Function, map[string][]string{"delimiter": {"/"}}, false}, {case3Function, map[string][]string{"delimiter": {"/"}}, false},
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true}, {case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, true},
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, false}, {case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, false},
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, false},
{case4Function, map[string][]string{}, false}, {case4Function, map[string][]string{}, false},
{case4Function, map[string][]string{"delimiter": {"/"}}, false}, {case4Function, map[string][]string{"delimiter": {"/"}}, false},
@ -204,7 +202,6 @@ func TestStringLikeFuncToMap(t *testing.T) {
case4Function, err := newStringLikeFunc(S3XAmzServerSideEncryption, case4Function, err := newStringLikeFunc(S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES*"), NewStringValue("AES*"),
NewStringValue("aws:*"),
), ),
) )
if err != nil { if err != nil {
@ -214,7 +211,6 @@ func TestStringLikeFuncToMap(t *testing.T) {
case4Result := map[Key]ValueSet{ case4Result := map[Key]ValueSet{
S3XAmzServerSideEncryption: NewValueSet( S3XAmzServerSideEncryption: NewValueSet(
NewStringValue("AES*"), NewStringValue("AES*"),
NewStringValue("aws:*"),
), ),
} }
@ -354,13 +350,11 @@ func TestStringNotLikeFuncEvaluate(t *testing.T) {
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false}, {case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false},
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, false}, {case3Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, false},
{case3Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, true},
{case3Function, map[string][]string{}, true}, {case3Function, map[string][]string{}, true},
{case3Function, map[string][]string{"delimiter": {"/"}}, true}, {case3Function, map[string][]string{"delimiter": {"/"}}, true},
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false}, {case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES256"}}, false},
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, true}, {case4Function, map[string][]string{"x-amz-server-side-encryption": {"AES512"}}, true},
{case4Function, map[string][]string{"x-amz-server-side-encryption": {"aws:kms"}}, true},
{case4Function, map[string][]string{}, true}, {case4Function, map[string][]string{}, true},
{case4Function, map[string][]string{"delimiter": {"/"}}, true}, {case4Function, map[string][]string{"delimiter": {"/"}}, true},
@ -477,7 +471,6 @@ func TestStringNotLikeFuncToMap(t *testing.T) {
case4Function, err := newStringNotLikeFunc(S3XAmzServerSideEncryption, case4Function, err := newStringNotLikeFunc(S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES*"), NewStringValue("AES*"),
NewStringValue("aws:*"),
), ),
) )
if err != nil { if err != nil {
@ -487,7 +480,6 @@ func TestStringNotLikeFuncToMap(t *testing.T) {
case4Result := map[Key]ValueSet{ case4Result := map[Key]ValueSet{
S3XAmzServerSideEncryption: NewValueSet( S3XAmzServerSideEncryption: NewValueSet(
NewStringValue("AES*"), NewStringValue("AES*"),
NewStringValue("aws:*"),
), ),
} }
@ -591,7 +583,6 @@ func TestNewStringLikeFunc(t *testing.T) {
case4Function, err := newStringLikeFunc(S3XAmzServerSideEncryption, case4Function, err := newStringLikeFunc(S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES*"), NewStringValue("AES*"),
NewStringValue("aws:*"),
), ),
) )
if err != nil { if err != nil {
@ -645,7 +636,6 @@ func TestNewStringLikeFunc(t *testing.T) {
{S3XAmzServerSideEncryption, {S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES*"), NewStringValue("AES*"),
NewStringValue("aws:*"),
), case4Function, false}, ), case4Function, false},
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPL*")), case5Function, false}, {S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPL*")), case5Function, false},
@ -712,7 +702,6 @@ func TestNewStringNotLikeFunc(t *testing.T) {
case4Function, err := newStringNotLikeFunc(S3XAmzServerSideEncryption, case4Function, err := newStringNotLikeFunc(S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES*"), NewStringValue("AES*"),
NewStringValue("aws:*"),
), ),
) )
if err != nil { if err != nil {
@ -766,7 +755,6 @@ func TestNewStringNotLikeFunc(t *testing.T) {
{S3XAmzServerSideEncryption, {S3XAmzServerSideEncryption,
NewValueSet( NewValueSet(
NewStringValue("AES*"), NewStringValue("AES*"),
NewStringValue("aws:*"),
), case4Function, false}, ), case4Function, false},
{S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPL*")), case5Function, false}, {S3XAmzMetadataDirective, NewValueSet(NewStringValue("REPL*")), case5Function, false},

@ -305,11 +305,11 @@ func TestStatementMarshalJSON(t *testing.T) {
case3Statement := NewStatement( case3Statement := NewStatement(
Deny, Deny,
NewPrincipal("*"), NewPrincipal("*"),
NewActionSet(GetObjectAction), NewActionSet(PutObjectAction),
NewResourceSet(NewResource("mybucket", "/myobject*")), NewResourceSet(NewResource("mybucket", "/myobject*")),
condition.NewFunctions(func2), condition.NewFunctions(func2),
) )
case3Data := []byte(`{"Effect":"Deny","Principal":{"AWS":["*"]},"Action":["s3:GetObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"],"Condition":{"Null":{"s3:x-amz-server-side-encryption":[false]}}}`) case3Data := []byte(`{"Effect":"Deny","Principal":{"AWS":["*"]},"Action":["s3:PutObject"],"Resource":["arn:aws:s3:::mybucket/myobject*"],"Condition":{"Null":{"s3:x-amz-server-side-encryption":[false]}}}`)
case4Statement := NewStatement( case4Statement := NewStatement(
Allow, Allow,

Loading…
Cancel
Save