feat(iam): policy document from json

packages/@aws-cdk/aws-iam/README.md

@@ -188,6 +188,46 @@ const role = new iam.Role(this, 'MyRole', {
 });
 ```
 
+### Parsing JSON Policy Documents
+
+The `PolicyDocument.fromJson` and `PolicyStatement.fromJson` static methods can be used to parse JSON objects. For example:
+
+```ts
+const policyDocument = {
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "FirstStatement",
+      "Effect": "Allow",
+      "Action": ["iam:ChangePassword"],
+      "Resource": "*"
+    },
+    {
+      "Sid": "SecondStatement",
+      "Effect": "Allow",
+      "Action": "s3:ListAllMyBuckets",
+      "Resource": "*"
+    },
+    {
+      "Sid": "ThirdStatement",
+      "Effect": "Allow",
+      "Action": [
+        "s3:List*",
+        "s3:Get*"
+      ],
+      "Resource": [
+        "arn:aws:s3:::confidential-data",
+        "arn:aws:s3:::confidential-data/*"
+      ],
+      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
+    }
+  ]
+};
+
+const newPolicyDocument = PolicyDocument.fromJson(policyDocument);
+
+```
+
 ### Features
 
  * Policy name uniqueness is enforced. If two policies by the same name are attached to the same

packages/@aws-cdk/aws-iam/lib/policy-document.ts

@@ -24,6 +24,22 @@ export interface PolicyDocumentProps {
  * A PolicyDocument is a collection of statements
  */
 export class PolicyDocument implements cdk.IResolvable {
+
+  /**
+   * Creates a new PolicyDocument based on the object provided.
+   * This will accept an object created from the `.toJSON()` call
+   * @param obj the PolicyDocument in object form.
+   */
+  public static fromJson(obj: any): PolicyDocument {
+    const newPolicyDocument = new PolicyDocument();
+    const statement = obj.Statement ?? [];
+    if (statement && !Array.isArray(statement)) {
+      throw new Error('Statement must be an array');
+    }
+    newPolicyDocument.addStatements(...obj.Statement.map((s: any) => PolicyStatement.fromJson(s)));
+    return newPolicyDocument;
+  }
+
   public readonly creationStack: string[];
   private readonly statements = new Array<PolicyStatement>();
   private readonly autoAssignSids: boolean;

packages/@aws-cdk/aws-iam/lib/policy-statement.ts

@@ -3,10 +3,56 @@ import { AccountPrincipal, AccountRootPrincipal, Anyone, ArnPrincipal, Canonical
   FederatedPrincipal, IPrincipal, ServicePrincipal, ServicePrincipalOpts } from './principals';
 import { mergePrincipal } from './util';
 
+const ensureArrayOrUndefined = (field: any) => {
+  if (field === undefined) {
+    return undefined;
+  }
+  if (typeof (field) !== "string" && !Array.isArray(field)) {
+    throw new Error("Fields must be either a string or an array of strings");
+  }
+  if (Array.isArray(field) && !!field.find((f: any) => typeof (f) !== "string")) {
+    throw new Error("Fields must be either a string or an array of strings");
+  }
+  return Array.isArray(field) ? field : [field];
+};
+
 /**
  * Represents a statement in an IAM policy document.
  */
 export class PolicyStatement {
+
+  /**
+   * Creates a new PolicyStatement based on the object provided.
+   * This will accept an object created from the `.toJSON()` call
+   * @param obj the PolicyStatement in object form.
+   */
+  public static fromJson(obj: any) {
+    const statement = new PolicyStatement({
+      actions: ensureArrayOrUndefined(obj.Action),
+      resources: ensureArrayOrUndefined(obj.Resource),
+      conditions: obj.Condition,
+      effect: obj.Effect,
+      notActions: ensureArrayOrUndefined(obj.NotAction),
+      notResources: ensureArrayOrUndefined(obj.NotResource)
+    });
+
+    statement.sid = obj.Sid;
+
+    // Since the principals are a more complex object, not just a string or an array of strings,
+    // then just passing them through on the constructor doesn't work.
+    if (obj.Principal) {
+      /* tslint:disable:no-unused-expression */
+      obj.Principal === "*" && statement.addAnyPrincipal();
+      obj.Principal.AWS && statement.addArnPrincipal(obj.Principal.AWS);
+      obj.Principal.CanonicalUser && statement.addCanonicalUserPrincipal(obj.Principal.CanonicalUser);
+      obj.Principal.Federated && statement.addFederatedPrincipal(obj.Principal.Federated, {});
+      obj.Principal.Service && statement.addServicePrincipal(obj.Principal.Service.replace(/.amazonaws.com/i, ''));
+      /* tslint:enable:no-unused-expression */
+    }
+
+    return statement;
+
+  }
   /**
    * Statement ID for this statement
    */

packages/@aws-cdk/aws-iam/test/policy-document.test.ts

@@ -572,4 +572,14 @@ describe('IAM polocy document', () => {
 
     expect(stack.resolve(doc1)).toEqual(stack.resolve(doc2));
   });
+
+  describe('fromJson', () => {
+    test("throws error when Statement isn't an array", () => {
+      expect(() => {
+        PolicyDocument.fromJson({
+          Statement: 'asdf'
+        });
+      }).toThrow(/Statement must be an array/);
+    });
+  });
 });

packages/@aws-cdk/aws-iam/test/policy-statement.test.ts

@@ -0,0 +1,257 @@
+import '@aws-cdk/assert/jest';
+import { Stack } from '@aws-cdk/core';
+import { PolicyDocument, PolicyStatement } from '../lib';
+
+describe('IAM policy statement', () => {
+
+  describe('from JSON', () => {
+    test('parses with no principal', () => {
+      // given
+      const stack = new Stack();
+
+      const s = new PolicyStatement();
+      s.addActions('service:action1', 'service:action2');
+      s.addAllResources();
+      s.addCondition('key', { equals: 'value' });
+
+      const doc1 = new PolicyDocument();
+      doc1.addStatements(s);
+
+      // when
+      const doc2 = PolicyDocument.fromJson(doc1.toJSON());
+
+      // then
+      expect(stack.resolve(doc2)).toEqual(stack.resolve(doc1));
+    });
+
+    test('parses a given arnPrincipal', () => {
+      const stack = new Stack();
+
+      const s = new PolicyStatement();
+      s.addActions('service:action1', 'service:action2');
+      s.addAllResources();
+      s.addArnPrincipal('somearn');
+      s.addCondition('key', { equals: 'value' });
+
+      const doc1 = new PolicyDocument();
+      doc1.addStatements(s);
+
+      const doc2 = PolicyDocument.fromJson(doc1.toJSON());
+
+      expect(stack.resolve(doc2)).toEqual(stack.resolve(doc1));
+
+    });
+
+    test('parses a given anyPrincipal', () => {
+      const stack = new Stack();
+
+      const s = new PolicyStatement();
+      s.addActions('service:action1', 'service:action2');
+      s.addAllResources();
+      s.addAnyPrincipal();
+      s.addCondition('key', { equals: 'value' });
+
+      const doc1 = new PolicyDocument();
+      doc1.addStatements(s);
+
+      const doc2 = PolicyDocument.fromJson(doc1.toJSON());
+
+      expect(stack.resolve(doc2)).toEqual(stack.resolve(doc1));
+
+    });
+
+    test('parses an awsAccountPrincipal', () => {
+      const stack = new Stack();
+
+      const s = new PolicyStatement();
+      s.addActions('service:action1', 'service:action2');
+      s.addAllResources();
+      s.addAwsAccountPrincipal('someaccountid');
+      s.addCondition('key', { equals: 'value' });
+
+      const doc1 = new PolicyDocument();
+      doc1.addStatements(s);
+
+      const doc2 = PolicyDocument.fromJson(doc1.toJSON());
+
+      expect(stack.resolve(doc2)).toEqual(stack.resolve(doc1));
+
+    });
+
+    test('parses a given canonicalUserPrincipal', () => {
+      const stack = new Stack();
+
+      const s = new PolicyStatement();
+      s.addActions('service:action1', 'service:action2');
+      s.addAllResources();
+      s.addCanonicalUserPrincipal('someconnonicaluser');
+      s.addCondition('key', { equals: 'value' });
+
+      const doc1 = new PolicyDocument();
+      doc1.addStatements(s);
+
+      const doc2 = PolicyDocument.fromJson(doc1.toJSON());
+
+      expect(stack.resolve(doc2)).toEqual(stack.resolve(doc1));
+
+    });
+
+    test('parses a given federatedPrincipal', () => {
+      const stack = new Stack();
+
+      const s = new PolicyStatement();
+      s.addActions('service:action1', 'service:action2');
+      s.addAllResources();
+      s.addFederatedPrincipal('federated', {});
+      s.addCondition('key', { equals: 'value' });
+
+      const doc1 = new PolicyDocument();
+      doc1.addStatements(s);
+
+      const doc2 = PolicyDocument.fromJson(doc1.toJSON());
+
+      expect(stack.resolve(doc2)).toEqual(stack.resolve(doc1));
+
+    });
+
+    test('parses a given servicePrincipal', () => {
+      const stack = new Stack();
+
+      const s = new PolicyStatement();
+      s.addActions('service:action1', 'service:action2');
+      s.addAllResources();
+      s.addServicePrincipal('serviceprincipal', { conditions: { one: "two" }, region: 'us-west-2' });
+      s.addCondition('key', { equals: 'value' });
+
+      const doc1 = new PolicyDocument();
+      doc1.addStatements(s);
+
+      const doc2 = PolicyDocument.fromJson(doc1.toJSON());
+
+      expect(stack.resolve(doc2)).toEqual(stack.resolve(doc1));
+
+    });
+
+    test('parses with notAction', () => {
+      const stack = new Stack();
+
+      const s = new PolicyStatement();
+      s.addNotActions('service:action3');
+      s.addAllResources();
+
+      const doc1 = new PolicyDocument();
+      doc1.addStatements(s);
+
+      const doc2 = PolicyDocument.fromJson(doc1.toJSON());
+
+      expect(stack.resolve(doc2)).toEqual(stack.resolve(doc1));
+
+    });
+
+    test('parses with notActions', () => {
+      const stack = new Stack();
+
+      const s = new PolicyStatement();
+      s.addNotActions('service:action3', 'service:action4');
+      s.addAllResources();
+
+      const doc1 = new PolicyDocument();
+      doc1.addStatements(s);
+
+      const doc2 = PolicyDocument.fromJson(doc1.toJSON());
+
+      expect(stack.resolve(doc2)).toEqual(stack.resolve(doc1));
+
+    });
+
+    test('parses with notResource', () => {
+      const stack = new Stack();
+
+      const s = new PolicyStatement();
+      s.addActions('service:action3', 'service:action4');
+      s.addNotResources('resource1');
+
+      const doc1 = new PolicyDocument();
+      doc1.addStatements(s);
+
+      const doc2 = PolicyDocument.fromJson(doc1.toJSON());
+
+      expect(stack.resolve(doc2)).toEqual(stack.resolve(doc1));
+
+    });
+
+    test('parses with notResources', () => {
+      const stack = new Stack();
+
+      const s = new PolicyStatement();
+      s.addActions('service:action3', 'service:action4');
+      s.addNotResources('resource1', 'resource2');
+
+      const doc1 = new PolicyDocument();
+      doc1.addStatements(s);
+
+      const doc2 = PolicyDocument.fromJson(doc1.toJSON());
+
+      expect(stack.resolve(doc2)).toEqual(stack.resolve(doc1));
+
+    });
+
+    test('the kitchen sink', () => {
+      const stack = new Stack();
+
+      /* tslint:disable */
+      const policyDocument = {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Sid": "FirstStatement",
+            "Effect": "Allow",
+            "Action": "iam:ChangePassword",
+            "Resource": "*"
+          },
+          {
+            "Sid": "SecondStatement",
+            "Effect": "Allow",
+            "Action": "s3:ListAllMyBuckets",
+            "Resource": "*"
+          },
+          {
+            "Sid": "ThirdStatement",
+            "Effect": "Allow",
+            "Action": [
+              "s3:List*",
+              "s3:Get*"
+            ],
+            "Resource": [
+              "arn:aws:s3:::confidential-data",
+              "arn:aws:s3:::confidential-data/*"
+            ],
+            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
+          }
+        ]
+      };
+      /* tslint:enable */
+
+      const doc = PolicyDocument.fromJson(policyDocument);
+
+      expect(stack.resolve(doc)).toEqual(policyDocument);
+    });
+
+    test('throws error with field data being object', () => {
+      expect(() => {
+        PolicyStatement.fromJson({
+          Action: {}
+        });
+      }).toThrow(/Fields must be either a string or an array of strings/);
+    });
+
+    test('throws error with field data being object', () => {
+      expect(() => {
+        PolicyStatement.fromJson({
+          Action: [{}]
+        });
+      }).toThrow(/Fields must be either a string or an array of strings/);
+    });
+  });
+
+});