fix: ensure resource policy matches the whole arn
G-Rath committed Jun 15, 2024
1 parent 5139c43 commit eaa394d
Showing 2 changed files with 33 additions and 1 deletion.
2 changes: 1 addition & 1 deletion src/events/authMatchPolicyResource.js
@@ -61,7 +61,7 @@ export default function authMatchPolicyResource(policyResource, resource) {
// for the requested resource and the resource defined in the policy
// Need to create a regex replacing ? with one character and * with any number of characters
const regExp = new RegExp(
parsedPolicyResource.path.replaceAll("*", ".*").replaceAll("?", "."),
`${parsedPolicyResource.path.replaceAll("*", ".*").replaceAll("?", ".")}$`,
)

return regExp.test(parsedResource.path)
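Review bot: The pattern on the new line is anchored only at its end, so `regExp.test(parsedResource.path)` still returns true when the requested path merely ends with the policy path; the template should open with `^` as well as close with `$`. The policy path is also interpolated unescaped, so characters such as `.` or `+` in it act as regex operators rather than literals; escaping first, e.g. `parsedPolicyResource.path.replace(/[.+^${}()|[\]\\]/g, "\\$&")` before the `*` and `?` substitutions, would keep the rest of the match literal. How `path` is parsed is not visible in this hunk, so whether a leading mismatch is reachable should be confirmed there; the new cases in tests/old-unit/authMatchPolicyResource.test.js only cover differences at the end of the path. The enclosing function starts and ends outside the hunk.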
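--- a/tests/old-unit/authMatchPolicyResource.test.js
+++ b/tests/old-unit/authMatchPolicyResource.test.js
@@ -155,6 +155,38 @@ describe("authMatchPolicyResource", () => {
 })
 })
 })
+
+describe("when the resource has segment wildcards", () => {
+const wildcardResource =
+"arn:aws:execute-api:*:*:random-api-id/local/GET/organizations"
+
+describe("and it matches", () => {
+it("returns true", () => {
+const resource =
+"arn:aws:execute-api:eu-west-1:random-account-id:random-api-id/local/GET/organizations"
+
+assert.strictEqual(
+authMatchPolicyResource(wildcardResource, resource),
+true,
+)
+})
+})
+
+describe("and it does not match", () => {
+it("returns false", () => {
+for (const resource of [
+"arn:aws:execute-api:eu-west-1:random-account-id:random-api-id/local/GET/me",
+"arn:aws:execute-api:eu-west-1:random-account-id:random-api-id/local/GET/organisations",
+"arn:aws:execute-api:eu-west-1:random-account-id:random-api-id/local/GET/organizations/1",
+]) {
+assert.strictEqual(
+authMatchPolicyResource(wildcardResource, resource),
+false,
+)
+}
+})
+})
+})
 })
 
 describe("when the resource has single character wildcards", () => {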
