fix security policy to work without log group

mantil-io · Dec 20, 2021 · 7e80994 · 7e80994
1 parent 942c01f
commit 7e80994
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 20 deletions.
diff --git a/node/api/security/policy.go b/node/api/security/policy.go
@@ -3,19 +3,21 @@ package security
 const credentialsTemplate = `{
     "Version": "2012-10-17",
     "Statement": [
+        {{$first := true}}
         {{- range .Buckets}}
         {{- if ne . "" }}
+        {{if $first}}{{$first = false}}{{else}},{{end}}
         {
             "Action": [
                 "s3:PutObject"
             ],
             "Effect": "Allow",
             "Resource": "arn:aws:s3:::{{.}}/*"
-        },
+        }
         {{ end }}
         {{ end }}
         {{- if ne .LogGroupsPrefix "" }}
-        {
+        ,{
             "Action": [
                 "logs:DescribeLogStreams",
                 "logs:FilterLogEvents"

diff --git a/node/api/security/security_test.go b/node/api/security/security_test.go
@@ -35,7 +35,7 @@ func (a *awsMock) RoleCredentials(name, role, policy string, durationSeconds int
 	}, nil
 }
 
-func TestProjectCredentials(t *testing.T) {
+func TestProjectPolicyWithLogGroup(t *testing.T) {
 	s := &Security{
 		SecurityRequest: dto.SecurityRequest{
 			CliRole:         "cliRole",
@@ -53,14 +53,27 @@ func TestProjectCredentials(t *testing.T) {
 	policy, err := s.executeProjectPolicyTemplate(pptd)
 	require.NoError(t, err)
 
-	compare(t, "testdata/policy", policy)
+	compare(t, "testdata/policy-log-group", policy)
+}
 
-	creds, err := s.credentialsForPolicy(policy)
+func TestProjectPolicyWithoutLogGroup(t *testing.T) {
+	s := &Security{
+		SecurityRequest: dto.SecurityRequest{
+			CliRole: "cliRole",
+			Buckets: []string{"bucket1", "bucket2", ""},
+		},
+		awsClient: &awsMock{},
+	}
+	pptd := s.projectPolicyTemplateData()
+	assert.NotEmpty(t, pptd.Buckets)
+	assert.Empty(t, pptd.LogGroupsPrefix)
+	assert.NotEmpty(t, pptd.Region)
+	assert.NotEmpty(t, pptd.AccountID)
+
+	policy, err := s.executeProjectPolicyTemplate(pptd)
 	require.NoError(t, err)
-	assert.NotEmpty(t, creds.AccessKeyID)
-	assert.NotEmpty(t, creds.SecretAccessKey)
-	assert.NotEmpty(t, creds.SessionToken)
-	assert.NotNil(t, creds.Expiration)
+
+	compare(t, "testdata/policy", policy)
 }
 
 func compare(t *testing.T, expectedFilename, policy string) {

diff --git a/node/api/security/testdata/policy b/node/api/security/testdata/policy
@@ -1,33 +1,27 @@
 {
     "Version": "2012-10-17",
     "Statement": [
+
+
         {
             "Action": [
                 "s3:PutObject"
             ],
             "Effect": "Allow",
             "Resource": "arn:aws:s3:::bucket1/*"
-        },
+        }
 
 
+        ,
         {
             "Action": [
                 "s3:PutObject"
             ],
             "Effect": "Allow",
             "Resource": "arn:aws:s3:::bucket2/*"
-        },
-
+        }
 
 
-        {
-            "Action": [
-                "logs:DescribeLogStreams",
-                "logs:FilterLogEvents"
-            ],
-            "Effect": "Allow",
-            "Resource": "arn:aws:logs:region:123456789012:log-group:logGroupsPrefix*"
-        }
 
     ]
 }
diff --git a/node/api/security/testdata/policy-log-group b/node/api/security/testdata/policy-log-group
@@ -0,0 +1,36 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+
+
+        {
+            "Action": [
+                "s3:PutObject"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:s3:::bucket1/*"
+        }
+
+
+        ,
+        {
+            "Action": [
+                "s3:PutObject"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:s3:::bucket2/*"
+        }
+
+
+
+        ,{
+            "Action": [
+                "logs:DescribeLogStreams",
+                "logs:FilterLogEvents"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:logs:region:123456789012:log-group:logGroupsPrefix*"
+        }
+
+    ]
+}