

Improve naming of AWS service access generator objects and related pr…
…operty.

Migrate CloudFront OAC's allow statement id into the generator.
skuenzli committed Jun 24, 2024
1 parent d021343 commit ad35093
Showing 2 changed files with 11 additions and 8 deletions.
8 changes: 5 additions & 3 deletions src/s3.ts
Expand Up @@ -65,9 +65,11 @@ let SUPPORTED_CAPABILITIES = new Array<AccessCapability>(
export const SID_DENY_UNEXPECTED_ENCRYPTION_METHOD = 'DenyUnexpectedEncryptionMethod';
export const SID_DENY_UNENCRYPTED_STORAGE = 'DenyUnencryptedStorage';
export const SID_ALLOW_PUBLIC_READ_ACCESS = 'AllowPublicReadAccess';
export const SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS = 'AllowCloudFrontOACReadAccess';

export class CloudFrontOACReadAccess implements IAWSServiceAccessGenerator {
export class CloudFrontOACReadAccessGenerator implements IAWSServiceAccessGenerator {

static readonly SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS = 'AllowCloudFrontOACReadAccess';

readonly bucket: IBucket;
readonly distributionArn: string;

Expand All @@ -78,7 +80,7 @@ export class CloudFrontOACReadAccess implements IAWSServiceAccessGenerator {

makeAllowStatements(): Array<PolicyStatement> {
return [new PolicyStatement({
sid: SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS,
sid: CloudFrontOACReadAccessGenerator.SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS,
effect: Effect.ALLOW,
principals: [new ServicePrincipal('cloudfront.amazonaws.com')],
actions: ['s3:GetObject'],
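Review bot: The module-level `export const SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS` is deleted at the top of the first hunk and the class `CloudFrontOACReadAccess` is renamed, with no alias left behind, so any consumer that imports either name from `lib/s3` (as `test/k9.test.ts` itself did before this commit) fails to compile. If this package has users outside the repository, keep deprecated aliases below the class so the rename is non-breaking: `/** @deprecated use CloudFrontOACReadAccessGenerator.SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS */ export const SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS = CloudFrontOACReadAccessGenerator.SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS;` and `/** @deprecated use CloudFrontOACReadAccessGenerator */ export const CloudFrontOACReadAccess = CloudFrontOACReadAccessGenerator;`. The new `static readonly` field would also benefit from a one-line TSDoc stating that it is the `Sid` of the allow statement this generator emits, since callers match on it. Note that `makeAllowStatements` continues past the second hunk, so the statement's `resources` and `conditions` (the `aws:SourceArn` scoping the test checks) are not visible here.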
11 changes: 6 additions & 5 deletions test/k9.test.ts
Expand Up @@ -12,9 +12,9 @@ import { K9KeyPolicyProps, SID_ALLOW_ROOT_AND_IDENTITY_POLICIES, SID_DENY_EVERYO
import {
K9BucketPolicyProps,
SID_ALLOW_PUBLIC_READ_ACCESS,
SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS,
SID_DENY_UNENCRYPTED_STORAGE,
SID_DENY_UNEXPECTED_ENCRYPTION_METHOD, CloudFrontOACReadAccess,
SID_DENY_UNEXPECTED_ENCRYPTION_METHOD,
CloudFrontOACReadAccessGenerator,
} from '../lib/s3';
// @ts-ignore

Expand Down Expand Up @@ -266,7 +266,7 @@ test('K9BucketPolicy - allow CloudFront OAC', () => {
encryption: BucketEncryption.S3_MANAGED,

awsServiceAccessGenerators: new Array<IAWSServiceAccessGenerator>(
new CloudFrontOACReadAccess(bucket, expectDistributionArn),
new CloudFrontOACReadAccessGenerator(bucket, expectDistributionArn),
),
};

Expand All @@ -283,13 +283,14 @@ test('K9BucketPolicy - allow CloudFront OAC', () => {
let actualPolicyStatements = policyObj.Statement;
expect(actualPolicyStatements).toBeDefined();

assertContainsStatementWithId(SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS, actualPolicyStatements);
let expectAllowSid = CloudFrontOACReadAccessGenerator.SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS;
assertContainsStatementWithId(expectAllowSid, actualPolicyStatements);

for (let stmt of actualPolicyStatements) {
if (SID_DENY_EVERYONE_ELSE == stmt.Sid) {
expect(stmt.Condition.ArnNotEquals['aws:PrincipalArn']).toBeTruthy();
expect(stmt.Condition.StringNotEqualsIfExists['aws:PrincipalServiceName']).toEqual('cloudfront.amazonaws.com');
} else if (SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS == stmt.Sid) {
} else if (expectAllowSid == stmt.Sid) {
expect(stmt.Condition.StringEquals['aws:SourceArn']).toEqual(expectDistributionArn);
}
}
