Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IAM sample doesn't allow policies as expected #1282

Closed
kenfdev opened this issue Mar 24, 2019 · 3 comments
Closed

IAM sample doesn't allow policies as expected #1282

kenfdev opened this issue Mar 24, 2019 · 3 comments
Labels
bug docs

Comments

@kenfdev
Copy link
Contributor

kenfdev commented Mar 24, 2019

Expected Behavior

Looking at the Comparison to Other Systems, the IAM policies' wild card doesn't seem to be working.

# actions_match is true if input.action matches one in the list
actions_match {
    # iterate over the actions in the list
    actions = ["s3:List*","s3:Get*"]
    action = actions[_]
    # check if input.action matches an action
    regex.globs_match(input.action, action)
}

# resources_match is true if input.resource matches one in the list
resources_match {
    # iterate over the resources in the list
    resources = ["arn:aws:s3:::confidential-data","arn:aws:s3:::confidential-data/*"]
    resource = resources[_]
    # check if input.resource matches a resource
    regex.globs_match(input.resource, resource)
}

According to the rules above, the input below should be allowed.

{
    "user": "alice",
    "action": "s3:ListBucket",
    "resource": "arn:aws:s3:::confidential-data/12345678"
}

Actual Behavior

The Output turns out to be empty (not allowed).

Steps to Reproduce the Problem

  1. https://play.openpolicyagent.org/p/hCcU0gDmpX
  2. Set the Input as follows:
{
    "user": "alice",
    "action": "s3:ListBucket",
    "resource": "arn:aws:s3:::confidential-data/12345678"
}
  1. Check the Output
{
  "result": {}
}

Additional Info

I assume this is because regex.globs_match(glob1, glob2) receives regex and not wild cards.

actions = ["s3:List*","s3:Get*"]

This should be:

actions = ["s3:List.*","s3:Get.*"]

And the following

resources = ["arn:aws:s3:::confidential-data","arn:aws:s3:::confidential-data/*"]

should be:

resources = ["arn:aws:s3:::confidential-data","arn:aws:s3:::confidential-data/.*"]

Changing the above statements, the Output looks correct:

{
  "result": {
    "actions_match": true,
    "allow": true,
    "resources_match": true
  }
}

If my understanding is correct, I can create a quick PR for this. Thanks!
@tsandall
Copy link
Member

@kenfdev that's correct. I think there was misunderstanding about how the regex.globs_match built-in function was supposed to work (the author was assuming it was going to act like a wildcard/shell glob).

If you could submit a patch to the docs to make the actions and resources specify regexp patterns like you did in the "Additional Info" section of your issue, that would be great. Thanks! 👍

@kenfdev
Copy link
Contributor Author

kenfdev commented Mar 25, 2019

Thank you for the clarification @tsandall ! Will make a small PR for this.

kenfdev added a commit to kenfdev/opa that referenced this issue Mar 26, 2019
@kenfdev
Fix IAM sample regex
eb71779 
This fixes wildcard expressions to appropriate regex.

Fixes open-policy-agent#1282

Signed-off-by: Ken Fukuyama <[email protected]>
@kenfdev kenfdev mentioned this issue Mar 26, 2019
Merged
@tsandall
Copy link
Member

Thanks @kenfdev!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug docs
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tsandall @kenfdev