From 5652eccaabee860852033b4327ae18f2a0a1cc20 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Wylega=C5=82a?=
Date: Tue, 10 Sep 2024 15:05:43 +0200
Subject: [PATCH 1/3] AP-5187 Ability to define many sqs prefixes.
---
 .../sns/lib/utils/snsAttributeUtils.spec.ts | 29 ++++++++++++-
 packages/sns/lib/utils/snsAttributeUtils.ts | 41 ++++++++++++++-----
 2 files changed, 58 insertions(+), 12 deletions(-)
diff --git a/packages/sns/lib/utils/snsAttributeUtils.spec.ts b/packages/sns/lib/utils/snsAttributeUtils.spec.ts
index 1244529c..96f78526 100644
--- a/packages/sns/lib/utils/snsAttributeUtils.spec.ts
+++ b/packages/sns/lib/utils/snsAttributeUtils.spec.ts
@@ -16,7 +16,32 @@ describe('snsAttributeUtils', () => {
 })
 expect(resolvedPolicy).toBe(
- `{"Version":"2012-10-17","Id":"__default_policy_ID","Statement":[{"Sid":"AllowSQSSubscription","Effect":"Allow","Principal":{"AWS":"*"},"Action":["sns:Subscribe"],"Resource":"arn:aws:sns:eu-central-1:632374391739:test-sns-some-service","Condition":{"StringEquals":{"AWS:SourceOwner": "111111111111"},"StringLike":{"sns:Endpoint":"arn:aws:sqs:eu-central-1:632374391739:test-sqs-*"}}}]}`,
+ `{"Version":"2012-10-17","Id":"__default_policy_ID","Statement":[{"Sid":"AllowSQSSubscription","Effect":"Allow","Principal":{"AWS":"*"},"Action":["sns:Subscribe"],"Resource":"arn:aws:sns:eu-central-1:632374391739:test-sns-some-service","Condition":{"StringEquals":{"AWS:SourceOwner":"111111111111"},"StringLike":{"sns:Endpoint":"arn:aws:sqs:eu-central-1:632374391739:test-sqs-*"}}}]}`,
+ )
+ })
+
+ it('resolves policy for array of sns:endpoints', () => {
+ const resolvedPolicy = generateTopicSubscriptionPolicy({
+ topicArn: 'arn:aws:sns:eu-central-1:632374391739:test-sns-some-service',
+ allowedSqsQueueUrlPrefix: [
+ 'arn:aws:sqs:eu-central-1:632374391739:test1-sqs-*',
+ 'arn:aws:sqs:eu-central-1:632374391739:test2-sqs-*',
+ ],
+ })
+
+ expect(resolvedPolicy).toBe(
+ `{"Version":"2012-10-17","Id":"__default_policy_ID","Statement":[{"Sid":"AllowSQSSubscription","Effect":"Allow","Principal":{"AWS":"*"},"Action":["sns:Subscribe"],"Resource":"arn:aws:sns:eu-central-1:632374391739:test-sns-some-service","Condition":{"StringLike":{"sns:Endpoint":["arn:aws:sqs:eu-central-1:632374391739:test1-sqs-*","arn:aws:sqs:eu-central-1:632374391739:test2-sqs-*"]}}}]}`,
+ )
+ })
+
+ it('resolves policy without condition for sns:endpoint if provided array is empty', () => {
+ const resolvedPolicy = generateTopicSubscriptionPolicy({
+ topicArn: 'arn:aws:sns:eu-central-1:632374391739:test-sns-some-service',
+ allowedSqsQueueUrlPrefix: [],
+ })
+
+ expect(resolvedPolicy).toBe(
+ `{"Version":"2012-10-17","Id":"__default_policy_ID","Statement":[{"Sid":"AllowSQSSubscription","Effect":"Allow","Principal":{"AWS":"*"},"Action":["sns:Subscribe"],"Resource":"arn:aws:sns:eu-central-1:632374391739:test-sns-some-service","Condition":{}}]}`,
 )
 })
@@ -27,7 +52,7 @@ describe('snsAttributeUtils', () => {
 })
 expect(resolvedPolicy).toBe(
- `{"Version":"2012-10-17","Id":"__default_policy_ID","Statement":[{"Sid":"AllowSQSSubscription","Effect":"Allow","Principal":{"AWS":"*"},"Action":["sns:Subscribe"],"Resource":"arn:aws:sns:eu-central-1:632374391739:test-sns-some-service","Condition":{"StringEquals":{"AWS:SourceOwner": "111111111111"}}}]}`,
+ `{"Version":"2012-10-17","Id":"__default_policy_ID","Statement":[{"Sid":"AllowSQSSubscription","Effect":"Allow","Principal":{"AWS":"*"},"Action":["sns:Subscribe"],"Resource":"arn:aws:sns:eu-central-1:632374391739:test-sns-some-service","Condition":{"StringEquals":{"AWS:SourceOwner":"111111111111"}}}]}`,
 )
 })
diff --git a/packages/sns/lib/utils/snsAttributeUtils.ts b/packages/sns/lib/utils/snsAttributeUtils.ts
index b02ae029..67ed81ca 100644
--- a/packages/sns/lib/utils/snsAttributeUtils.ts
+++ b/packages/sns/lib/utils/snsAttributeUtils.ts
@@ -5,21 +5,42 @@ const POLICY_VERSION = '2012-10-17'
 export type TopicSubscriptionPolicyParams = {
 topicArn: string
- allowedSqsQueueUrlPrefix?: string
+ allowedSqsQueueUrlPrefix?: string | string[]
 allowedSourceOwner?: string
 }
 export function generateTopicSubscriptionPolicy(params: TopicSubscriptionPolicyParams) {
- const sourceOwnerFragment = params.allowedSourceOwner
- ? `"StringEquals":{"AWS:SourceOwner": "${params.allowedSourceOwner}"}`
- : ''
- const supportedSqsQueueUrlPrefixFragment = params.allowedSqsQueueUrlPrefix
- ? `"StringLike":{"sns:Endpoint":"${params.allowedSqsQueueUrlPrefix}"}`
- : ''
- const commaFragment =
- sourceOwnerFragment.length > 0 && supportedSqsQueueUrlPrefixFragment.length > 0 ? ',' : ''
+ const policyObject = {
+ Version: POLICY_VERSION,
+ Id: '__default_policy_ID',
+ Statement: [
+ {
+ Sid: 'AllowSQSSubscription',
+ Effect: 'Allow',
+ Principal: {
+ AWS: '*',
+ },
+ Action: ['sns:Subscribe'],
+ Resource: params.topicArn,
+ Condition: {},
+ },
+ ],
+ }
+
+ if (params.allowedSourceOwner) {
+ // @ts-ignore
+ policyObject.Statement[0].Condition.StringEquals = {
+ 'AWS:SourceOwner': params.allowedSourceOwner,
+ }
+ }
+ if (params.allowedSqsQueueUrlPrefix?.length && params.allowedSqsQueueUrlPrefix.length > 0) {
+ // @ts-ignore
+ policyObject.Statement[0].Condition.StringLike = {
+ 'sns:Endpoint': params.allowedSqsQueueUrlPrefix,
+ }
+ }
- return `{"Version":"${POLICY_VERSION}","Id":"__default_policy_ID","Statement":[{"Sid":"AllowSQSSubscription","Effect":"Allow","Principal":{"AWS":"*"},"Action":["sns:Subscribe"],"Resource":"${params.topicArn}","Condition":{${sourceOwnerFragment}${commaFragment}${supportedSqsQueueUrlPrefixFragment}}}]}`
+ return JSON.stringify(policyObject)
 }
 export function generateFilterAttributes(
From ac7bf9d2d35139f97b97ee30181b1fd5d53f94ec Mon Sep 17 00:00:00 2001
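Review bot: The two `// @ts-ignore` directives in generateTopicSubscriptionPolicy only exist because `Condition: {}` is inferred as the empty object type; declaring the condition first with an explicit optional-field type removes both directives and lets the compiler check the `StringEquals`/`StringLike` key names, and the guard `params.allowedSqsQueueUrlPrefix?.length && params.allowedSqsQueueUrlPrefix.length > 0` collapses to `params.allowedSqsQueueUrlPrefix?.length` since `0` is already falsy. Separately, `allowedSqsQueueUrlPrefix: []` now takes the same path as omitting the parameter: no `sns:Endpoint` condition is emitted, so unless `allowedSourceOwner` is also set the policy allows `sns:Subscribe` for `Principal: {AWS: '*'}` with an empty `Condition`, which the spec in this commit pins as expected. If an empty list is not meant to read as "any endpoint", `if (Array.isArray(params.allowedSqsQueueUrlPrefix) && params.allowedSqsQueueUrlPrefix.length === 0) throw new Error('allowedSqsQueueUrlPrefix must not be empty')` fails closed; if it is intentional, a comment such as `// empty prefix list emits no sns:Endpoint condition; the policy is then restricted only by allowedSourceOwner` should record it. The two later patches in this series only widen the parameter types to `readonly string[]`, which the derived type in the sketch below already covers.
```typescript
type SubscriptionCondition = {
  StringEquals?: { 'AWS:SourceOwner': string }
  StringLike?: { 'sns:Endpoint': NonNullable<TopicSubscriptionPolicyParams['allowedSqsQueueUrlPrefix']> }
}

export function generateTopicSubscriptionPolicy(params: TopicSubscriptionPolicyParams) {
  const condition: SubscriptionCondition = {}
  if (params.allowedSourceOwner) {
    condition.StringEquals = { 'AWS:SourceOwner': params.allowedSourceOwner }
  }
  // `?.length` is already falsy for undefined, '' and [], so no separate `> 0` check
  if (params.allowedSqsQueueUrlPrefix?.length) {
    condition.StringLike = { 'sns:Endpoint': params.allowedSqsQueueUrlPrefix }
  }
  const policyObject = {
    // … unchanged: Version, Id …
    Statement: [
      {
        // … unchanged: Sid, Effect, Principal, Action, Resource …
        Condition: condition,
      },
    ],
  }
  return JSON.stringify(policyObject)
}
```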
From: =?UTF-8?q?Kamil=20Wylega=C5=82a?=
Date: Tue, 10 Sep 2024 15:08:00 +0200
Subject: [PATCH 2/3] AP-5187 Type change.
---
 packages/sns/lib/sns/AbstractSnsService.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/sns/lib/sns/AbstractSnsService.ts b/packages/sns/lib/sns/AbstractSnsService.ts
index b68a34b3..51118e20 100644
--- a/packages/sns/lib/sns/AbstractSnsService.ts
+++ b/packages/sns/lib/sns/AbstractSnsService.ts
@@ -29,7 +29,7 @@ export type SNSTopicConfig = {
 }
 export type ExtraSNSCreationParams = {
- queueUrlsWithSubscribePermissionsPrefix?: string
+ queueUrlsWithSubscribePermissionsPrefix?: string | string[]
 allowedSourceOwner?: string
 }
From 1492f79a67a14005c8aefdabd8e5c95abe531a9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Wylega=C5=82a?=
Date: Tue, 10 Sep 2024 15:09:42 +0200
Subject: [PATCH 3/3] AP-5187 Readonly.
---
 packages/sns/lib/sns/AbstractSnsService.ts | 2 +-
 packages/sns/lib/utils/snsAttributeUtils.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/sns/lib/sns/AbstractSnsService.ts b/packages/sns/lib/sns/AbstractSnsService.ts
index 51118e20..bae12046 100644
--- a/packages/sns/lib/sns/AbstractSnsService.ts
+++ b/packages/sns/lib/sns/AbstractSnsService.ts
@@ -29,7 +29,7 @@ export type SNSTopicConfig = {
 }
 export type ExtraSNSCreationParams = {
- queueUrlsWithSubscribePermissionsPrefix?: string | string[]
+ queueUrlsWithSubscribePermissionsPrefix?: string | readonly string[]
 allowedSourceOwner?: string
 }
diff --git a/packages/sns/lib/utils/snsAttributeUtils.ts b/packages/sns/lib/utils/snsAttributeUtils.ts
index 67ed81ca..98b8369d 100644
--- a/packages/sns/lib/utils/snsAttributeUtils.ts
+++ b/packages/sns/lib/utils/snsAttributeUtils.ts
@@ -5,7 +5,7 @@ const POLICY_VERSION = '2012-10-17'
 export type TopicSubscriptionPolicyParams = {
 topicArn: string
- allowedSqsQueueUrlPrefix?: string | string[]
+ allowedSqsQueueUrlPrefix?: string | readonly string[]
 allowedSourceOwner?: string
 }