From ad35093b6bec52f2a824e69ad9b52daef8fc4aef Mon Sep 17 00:00:00 2001
From: Stephen Kuenzli
Date: Mon, 24 Jun 2024 11:38:35 -0700
Subject: [PATCH] Improve naming of AWS service access generator objects and related property. Migrate CloudFront OAC's allow statement id into the generator.
---
 src/s3.ts | 8 +++++---
 test/k9.test.ts | 11 ++++++-----
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/s3.ts b/src/s3.ts
index 27318e4..3a42c04 100644
--- a/src/s3.ts
+++ b/src/s3.ts
@@ -65,9 +65,11 @@ let SUPPORTED_CAPABILITIES = new Array(
 export const SID_DENY_UNEXPECTED_ENCRYPTION_METHOD = 'DenyUnexpectedEncryptionMethod';
 export const SID_DENY_UNENCRYPTED_STORAGE = 'DenyUnencryptedStorage';
 export const SID_ALLOW_PUBLIC_READ_ACCESS = 'AllowPublicReadAccess';
-export const SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS = 'AllowCloudFrontOACReadAccess';
-export class CloudFrontOACReadAccess implements IAWSServiceAccessGenerator {
+export class CloudFrontOACReadAccessGenerator implements IAWSServiceAccessGenerator {
+
+ static readonly SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS = 'AllowCloudFrontOACReadAccess';
+
 readonly bucket: IBucket;
 readonly distributionArn: string;
@@ -78,7 +80,7 @@ export class CloudFrontOACReadAccess implements IAWSServiceAccessGenerator {
 makeAllowStatements(): Array {
 return [new PolicyStatement({
- sid: SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS,
+ sid: CloudFrontOACReadAccessGenerator.SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS,
 effect: Effect.ALLOW,
 principals: [new ServicePrincipal('cloudfront.amazonaws.com')],
 actions: ['s3:GetObject'],
diff --git a/test/k9.test.ts b/test/k9.test.ts
index e3e7fff..26b0f42 100644
--- a/test/k9.test.ts
+++ b/test/k9.test.ts
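Review bot: Dropping the exported `SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS` constant and the exported `CloudFrontOACReadAccess` class in the `@@ -65` hunk is a breaking change for any consumer importing them from this module, not only the in-repo test; if `src/s3.ts` is published (the test imports it through `../lib/s3`, which looks like a built package), a deprecated alias would keep existing callers compiling: `/** @deprecated Use CloudFrontOACReadAccessGenerator.SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS. */` `export const SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS = CloudFrontOACReadAccessGenerator.SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS;`. The new static member also has no doc comment; something like `/** Statement id of the Allow that grants the cloudfront.amazonaws.com service principal s3:GetObject (see makeAllowStatements). */` would tell a reader which statement the Sid identifies without opening the method. The class body continues beyond this hunk.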
@@ -12,9 +12,9 @@ import { K9KeyPolicyProps, SID_ALLOW_ROOT_AND_IDENTITY_POLICIES, SID_DENY_EVERYO
 import {
 K9BucketPolicyProps,
 SID_ALLOW_PUBLIC_READ_ACCESS,
- SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS,
 SID_DENY_UNENCRYPTED_STORAGE,
- SID_DENY_UNEXPECTED_ENCRYPTION_METHOD, CloudFrontOACReadAccess,
+ SID_DENY_UNEXPECTED_ENCRYPTION_METHOD,
+ CloudFrontOACReadAccessGenerator,
 } from '../lib/s3';
 // @ts-ignore
@@ -266,7 +266,7 @@ test('K9BucketPolicy - allow CloudFront OAC', () => {
 encryption: BucketEncryption.S3_MANAGED,
 awsServiceAccessGenerators: new Array(
- new CloudFrontOACReadAccess(bucket, expectDistributionArn),
+ new CloudFrontOACReadAccessGenerator(bucket, expectDistributionArn),
 ),
 };
@@ -283,13 +283,14 @@ test('K9BucketPolicy - allow CloudFront OAC', () => {
 let actualPolicyStatements = policyObj.Statement;
 expect(actualPolicyStatements).toBeDefined();
- assertContainsStatementWithId(SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS, actualPolicyStatements);
+ let expectAllowSid = CloudFrontOACReadAccessGenerator.SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS;
+ assertContainsStatementWithId(expectAllowSid, actualPolicyStatements);
 for (let stmt of actualPolicyStatements) {
 if (SID_DENY_EVERYONE_ELSE == stmt.Sid) {
 expect(stmt.Condition.ArnNotEquals['aws:PrincipalArn']).toBeTruthy();
 expect(stmt.Condition.StringNotEqualsIfExists['aws:PrincipalServiceName']).toEqual('cloudfront.amazonaws.com');
- } else if (SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS == stmt.Sid) {
+ } else if (expectAllowSid == stmt.Sid) {
 expect(stmt.Condition.StringEquals['aws:SourceArn']).toEqual(expectDistributionArn);
 }
 }
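Review bot: In the `@@ -283` hunk `let expectAllowSid = ...` is never reassigned and should be `const expectAllowSid = CloudFrontOACReadAccessGenerator.SID_ALLOW_CLOUDFRONT_OAC_READ_ACCESS;`, and the new comparison `expectAllowSid == stmt.Sid` carries over the loose equality of the surrounding `SID_DENY_EVERYONE_ELSE == stmt.Sid` where `===` is the idiom. The allow branch asserts only `aws:SourceArn`; since this statement is what bounds the cross-service grant (`s3:GetObject` to `cloudfront.amazonaws.com` in src/s3.ts), also asserting the statement's Action and Principal here would make a later widening of that grant fail this test — the rendered statement shape is not visible in the hunk, so the exact matcher has to be checked against `policyObj`. The enclosing test function starts and ends outside this hunk.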