feat(iam): avoid duplicate statements in policy documents #2254

merged 9 commits into from
Apr 16, 2019
Expand Up @@ -191,20 +191,6 @@
}
]
},
{
"Action": [
"codebuild:BatchGetBuilds",
"codebuild:StartBuild",
"codebuild:StopBuild"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyBuildProject30DB9D6E",
"Arn"
]
}
},
{
"Action": [
"codebuild:BatchGetBuilds",
Expand Down Expand Up @@ -531,39 +517,6 @@
}
]
},
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:Abort*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"MyBucketF68F3FF0",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"MyBucketF68F3FF0",
"Arn"
]
},
"/*"
]
]
}
]
},
{
"Action": [
"s3:GetObject*",
Expand Up @@ -278,20 +278,6 @@
]
}
},
{
"Action": [
"codebuild:BatchGetBuilds",
"codebuild:StartBuild",
"codebuild:StopBuild"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MyBuildProject30DB9D6E",
"Arn"
]
}
},
{
"Action": [
"codebuild:BatchGetBuilds",
29 changes: 23 additions & 6 deletions packages/@aws-cdk/aws-iam/lib/policy-document.ts
Expand Up @@ -5,13 +5,14 @@ import { mergePrincipal } from './util';

export class PolicyDocument extends cdk.Token {
private statements = new Array<PolicyStatement>();
private jsonStatements = new Array<string>();

/**
* Creates a new IAM policy document.
* @param defaultDocument An IAM policy document to use as an initial
* policy. All statements of this document will be copied in.
*/
constructor(private readonly baseDocument?: any) {
constructor(private readonly baseDocument: any = {}) {
super();
}

Expand All @@ -20,10 +21,12 @@ export class PolicyDocument extends cdk.Token {
return undefined;
}

const doc = this.baseDocument || { };
doc.Statement = doc.Statement || [ ];
doc.Version = doc.Version || '2012-10-17';
doc.Statement = doc.Statement.concat(this.statements);
const doc = {
...this.baseDocument,
Statement: (this.baseDocument.Statement || []).concat(this.statements),
This concatenation happens at construction time - when this.statements is guaranteed to be empty. You need to wrap this in a Token so it is done at synthesis time.

@jogold jogold Apr 15, 2019


Version: this.baseDocument.Version || '2012-10-17'
};

return doc;
}

Expand All @@ -39,8 +42,22 @@ export class PolicyDocument extends cdk.Token {
return this.statements.length;
}

/**
* Adds a statement to the policy document. Prevents adding duplicate
* statements.
*
* Removal of duplicate statements containing tokens resolving to the same
* values but represented by different strings is currently not supported.
* This is suboptimal but safe.
*
* @param statement the statement to add.
*/
public addStatement(statement: PolicyStatement): PolicyDocument {
this.statements.push(statement);
Instead of doing this, implement IResolvedValuePostProcessor and do it in the postProcess method.

This is guaranteed to receive the post-resolution Statement, and you can do safe pairwise comparisons based on JSON.stringify().

const jsonStatement = JSON.stringify(statement.toJson());
if (!this.jsonStatements.includes(jsonStatement)) {
this.statements.push(statement);
}
this.jsonStatements.push(jsonStatement);
return this;
}
}
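Review bot: The dedup key in addStatement is taken once from a mutable PolicyStatement, at the `const jsonStatement = JSON.stringify(statement.toJson());` line, so a statement that is modified after it was added (the builder methods appear to mutate in place, judging by the `.addAction(...)` chains in the tests) keeps a stale key in jsonStatements and can either be emitted twice or shadow a later, now-different statement; the doc comment should say that statements are compared as they are at the time of the call. The key is also pushed when the statement is rejected, so jsonStatements is a growing array scanned with `includes`; a `Set<string>` fits better: `private readonly jsonStatements = new Set<string>();` and `if (!this.jsonStatements.has(jsonStatement)) { this.statements.push(statement); this.jsonStatements.add(jsonStatement); }`. Statements supplied through baseDocument are concatenated in the resolve hunk (whose enclosing method starts outside the hunk) without going through this check, so duplicates between the base document and added statements are still emitted — worth a sentence in the constructor doc. Since JSON.stringify is key-order sensitive, the only miss is keeping an equivalent statement, which is the safe direction for a policy document.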
87 changes: 70 additions & 17 deletions packages/@aws-cdk/aws-iam/test/test.policy-document.ts
Expand Up @@ -212,30 +212,58 @@ export = {
'statementCount returns the number of statement in the policy document'(test: Test) {
const p = new PolicyDocument();
test.equal(p.statementCount, 0);
p.addStatement(new PolicyStatement());
p.addStatement(new PolicyStatement().addAction('action1'));
test.equal(p.statementCount, 1);
p.addStatement(new PolicyStatement());
p.addStatement(new PolicyStatement().addAction('action2'));
test.equal(p.statementCount, 2);
test.done();
},

'the { AWS: "*" } principal is represented as `Anyone` or `AnyPrincipal`'(test: Test) {
const stack = new Stack();
const p = new PolicyDocument();
'{ AWS: "*" } principal': {
'is represented as `Anyone`'(test: Test) {
const stack = new Stack();
const p = new PolicyDocument();

p.addStatement(new PolicyStatement().addPrincipal(new Anyone()));
p.addStatement(new PolicyStatement().addPrincipal(new AnyPrincipal()));
p.addStatement(new PolicyStatement().addAnyPrincipal());
p.addStatement(new PolicyStatement().addPrincipal(new Anyone()));

test.deepEqual(stack.node.resolve(p), {
Statement: [
{ Effect: 'Allow', Principal: '*' },
{ Effect: 'Allow', Principal: '*' },
{ Effect: 'Allow', Principal: '*' }
],
Version: '2012-10-17'
});
test.done();
test.deepEqual(stack.node.resolve(p), {
Statement: [
{ Effect: 'Allow', Principal: '*' }
],
Version: '2012-10-17'
});
test.done();
},

'is represented as `AnyPrincipal`'(test: Test) {
const stack = new Stack();
const p = new PolicyDocument();

p.addStatement(new PolicyStatement().addPrincipal(new AnyPrincipal()));

test.deepEqual(stack.node.resolve(p), {
Statement: [
{ Effect: 'Allow', Principal: '*' }
],
Version: '2012-10-17'
});
test.done();
},

'is represented as `addAnyPrincipal`'(test: Test) {
const stack = new Stack();
const p = new PolicyDocument();

p.addStatement(new PolicyStatement().addAnyPrincipal());

test.deepEqual(stack.node.resolve(p), {
Statement: [
{ Effect: 'Allow', Principal: '*' }
],
Version: '2012-10-17'
});
test.done();
}
},

'addAwsPrincipal/addArnPrincipal are the aliases'(test: Test) {
Expand Down Expand Up @@ -425,4 +453,29 @@ export = {
test.done();
}
},

'duplicate statements'(test: Test) {
const stack = new Stack();
const p = new PolicyDocument();

const statement = new PolicyStatement()
.addResources('resource1', 'resource2')
.addActions('action1', 'action2')
.addServicePrincipal('service')
.addConditions({
a: {
b: 'c'
},
d: {
e: 'f'
}
});

p.addStatement(statement);
p.addStatement(statement);
p.addStatement(statement);

test.equal(stack.node.resolve(p).Statement.length, 1);
test.done();
}
};
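Review bot: The 'duplicate statements' test adds the same PolicyStatement instance three times, so it would pass with a plain identity check and does not show that two separately constructed, equal statements are collapsed — which is what the log-retention.ts change in this PR appears to rely on. Add a second statement built with the same builder chain, `p.addStatement(new PolicyStatement().addResources('resource1', 'resource2').addActions('action1', 'action2').addServicePrincipal('service').addConditions({ a: { b: 'c' }, d: { e: 'f' } }));`, and keep the `Statement.length` assertion at 1. A companion assertion that a statement differing in a single condition value is still emitted would pin the safe direction of the comparison, since the restructured `statementCount` test only covers statements with different actions.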
18 changes: 8 additions & 10 deletions packages/@aws-cdk/aws-lambda/lib/log-retention.ts
Expand Up @@ -39,16 +39,14 @@ export class LogRetention extends cdk.Construct {
lambdaPurpose: 'LogRetention',
});

if (provider.role && !provider.role.node.tryFindChild('DefaultPolicy')) { // Avoid duplicate statements
provider.role.addToPolicy(
new iam.PolicyStatement()
.addActions('logs:PutRetentionPolicy', 'logs:DeleteRetentionPolicy')
// We need '*' here because we will also put a retention policy on
// the log group of the provider function. Referencing it's name
// creates a CF circular dependency.
.addAllResources()
);
}
provider.addToRolePolicy(
add a note here that duplicate statements will be deduplicated by PolicyDocument

new iam.PolicyStatement()
.addActions('logs:PutRetentionPolicy', 'logs:DeleteRetentionPolicy')
// We need '*' here because we will also put a retention policy on
// the log group of the provider function. Referencing it's name
// creates a CF circular dependency.
.addAllResources()
);

// Need to use a CfnResource here to prevent lerna dependency cycles
// @aws-cdk/aws-cloudformation -> @aws-cdk/aws-lambda -> @aws-cdk/aws-cloudformation
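Review bot: The retained comment above `.addAllResources()` explains the circular-dependency reason for the wildcard but not its scope, and it carries a typo (`Referencing it's name` should read `its`); now that the statement is added unconditionally through `provider.addToRolePolicy`, I would extend it with `// '*' also means this role may change or delete the retention policy of any log group in the account, not only the groups this construct manages.` The constructor this sits in starts and ends outside the hunk, so I cannot tell from here whether `provider.addToRolePolicy` guards a missing role the way the removed `provider.role &&` check did.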