diff --git a/tests/unit/policyEvaluator.spec.js b/tests/unit/policyEvaluator.spec.js
index ef0f76d1e..f0a3066f8 100644
--- a/tests/unit/policyEvaluator.spec.js
+++ b/tests/unit/policyEvaluator.spec.js
@@ -6,7 +6,7 @@ const fakeTimers = require('@sinonjs/fake-timers');
 const evaluator = require('../../lib/policyEvaluator/evaluator');
 const evaluatePolicy = evaluator.evaluatePolicy;
 const evaluateAllPolicies = evaluator.evaluateAllPolicies;
-const evaluateAllPoliciesNew = evaluator.evaluateAllPoliciesNew;
+const StandardEvaluateAllPolicies = evaluator.StandardEvaluateAllPolicies;
 const handleWildcards = require('../../lib/policyEvaluator/utils/wildcards').handleWildcards;
 const substituteVariables =
@@ -1457,7 +1457,7 @@ describe('policyEvaluator', () => {
 'my_favorite_bucket', undefined, undefined, undefined, 'bucketDelete', 's3');
 requestContext.setRequesterInfo({});
- const result = evaluateAllPoliciesNew(requestContext,
+ const result = StandardEvaluateAllPolicies(requestContext,
 [samples['arn:aws:iam::aws:policy/AmazonS3FullAccess'], samples['Deny Bucket Policy']], log);
 assert.deepStrictEqual(result, {
@@ -1471,7 +1471,7 @@ describe('policyEvaluator', () => {
 'notVeryPrivate', undefined, undefined, undefined, 'bucketDelete', 's3');
 requestContext.setRequesterInfo({});
- const result = evaluateAllPoliciesNew(requestContext,
+ const result = StandardEvaluateAllPolicies(requestContext,
 [samples['Multi-Statement Policy'], samples['Variable Bucket Policy']], log);
 assert.deepStrictEqual(result, {
@@ -1485,7 +1485,7 @@ describe('policyEvaluator', () => {
 'notbucket', undefined, undefined, undefined, 'objectGet', 's3');
 requestContext.setRequesterInfo({});
- const result = evaluateAllPoliciesNew(requestContext, [
+ const result = StandardEvaluateAllPolicies(requestContext, [
 samples['Multi-Statement Policy'],
 samples['Variable Bucket Policy'],
 ], log);
@@ -1548,7 +1548,7 @@ describe('policyEvaluator', () => {
 },
 };
- const TestMatrixV2 = [
+ const TestMatrix = [
 {
 policiesToEvaluate: [],
 expectedPolicyEvaluation: {
@@ -1605,6 +1605,13 @@ describe('policyEvaluator', () => {
 isImplicit: true,
 },
 },
+ {
+ policiesToEvaluate: ['Neutral', 'Deny'],
+ expectedPolicyEvaluation: {
+ verdict: 'Deny',
+ isImplicit: false,
+ },
+ },
 {
 policiesToEvaluate: ['Allow', 'Deny'],
 expectedPolicyEvaluation: {
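Review bot: The added `['Neutral', 'Deny']` row pins the explicit-deny result for one ordering only, so a regression that makes the verdict depend on policy order would not be caught by it. A mirrored row such as `{ policiesToEvaluate: ['Deny', 'Neutral'], expectedPolicyEvaluation: { verdict: 'Deny', isImplicit: false } },` would cover the other order, and the same goes for `['Deny', 'Allow']` if the part of the matrix outside this hunk does not already have it. The `TestMatrix` array begins and ends outside the hunk, so existing rows could not be checked here.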
@@ -1663,88 +1670,21 @@ describe('policyEvaluator', () => {
 },
 ];
- TestMatrixV2.forEach(testCase => {
+ TestMatrix.forEach(testCase => {
 it(`policies evaluating individually to [${testCase.policiesToEvaluate.join(', ')}] ` + `should return ${testCase.expectedPolicyEvaluation}`, () => {
 requestContext = new RequestContext({}, {}, 'my_favorite_bucket', undefined, undefined, undefined, 'objectGet', 's3');
 requestContext.setRequesterInfo({});
- const result = evaluateAllPoliciesNew(
+ const result = EvaluateAllPolicies(
 requestContext, testCase.policiesToEvaluate.map(policyName => TestMatrixPolicies[policyName]), log);
- assert.deepStrictEqual(result, testCase.expectedPolicyEvaluation);
+ assert.StrictEqual(result, testCase.expectedPolicyEvaluation.verdict);
 });
 });
- const TestMatrix = [
- {
- policiesToEvaluate: [],
- expectedPolicyEvaluation: 'Deny',
- },
- {
- policiesToEvaluate: ['Allow'],
- expectedPolicyEvaluation: 'Allow',
- },
- {
- policiesToEvaluate: ['Neutral'],
- expectedPolicyEvaluation: 'Deny',
- },
- {
- policiesToEvaluate: ['Deny'],
- expectedPolicyEvaluation: 'Deny',
- },
- {
- policiesToEvaluate: ['Allow', 'Allow'],
- expectedPolicyEvaluation: 'Allow',
- },
- {
- policiesToEvaluate: ['Allow', 'Neutral'],
- expectedPolicyEvaluation: 'Allow',
- },
- {
- policiesToEvaluate: ['Neutral', 'Allow'],
- expectedPolicyEvaluation: 'Allow',
- },
- {
- policiesToEvaluate: ['Neutral', 'Neutral'],
- expectedPolicyEvaluation: 'Deny',
- },
- {
- policiesToEvaluate: ['Allow', 'Deny'],
- expectedPolicyEvaluation: 'Deny',
- },
- {
- policiesToEvaluate: ['AllowWithTagCondition'],
- expectedPolicyEvaluation: 'NeedTagConditionEval',
- },
- {
- policiesToEvaluate: ['Allow', 'AllowWithTagCondition'],
- expectedPolicyEvaluation: 'Allow',
- },
- {
- policiesToEvaluate: ['DenyWithTagCondition'],
- expectedPolicyEvaluation: 'Deny',
- },
- {
- policiesToEvaluate: ['Allow', 'DenyWithTagCondition'],
- expectedPolicyEvaluation: 'NeedTagConditionEval',
- },
- {
- policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition'],
- expectedPolicyEvaluation: 'NeedTagConditionEval',
- },
- {
- policiesToEvaluate: ['AllowWithTagCondition', 'DenyWithTagCondition', 'Deny'],
- expectedPolicyEvaluation: 'Deny',
- },
- {
- policiesToEvaluate: ['DenyWithTagCondition', 'AllowWithTagCondition', 'Allow'],
- expectedPolicyEvaluation: 'NeedTagConditionEval',
- },
- ];
-
 TestMatrix.forEach(testCase => {
 it(`policies evaluating individually to [${testCase.policiesToEvaluate.join(', ')}] ` + `should return ${testCase.expectedPolicyEvaluation}`, () => {
@@ -1752,13 +1692,14 @@ describe('policyEvaluator', () => {
 'my_favorite_bucket', undefined, undefined, undefined, 'objectGet', 's3');
 requestContext.setRequesterInfo({});
- const result = evaluateAllPolicies(
+ const result = StandardEvaluateAllPolicies(
 requestContext, testCase.policiesToEvaluate.map(policyName => TestMatrixPolicies[policyName]), log);
- assert.strictEqual(result, testCase.expectedPolicyEvaluation);
+ assert.deepStrictEqual(result, testCase.expectedPolicyEvaluation);
 });
 });
+ });
 });
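Review bot: The first matrix loop cannot pass as written, because it calls `EvaluateAllPolicies` while the only such binding visible at the top of the file is the lower-case `evaluateAllPolicies`, and it asserts with `assert.StrictEqual`, which Node's `assert` module does not provide (the method is `strictEqual`). Every generated case would throw before a verdict is compared, so the legacy evaluator loses its matrix coverage instead of having it migrated. The two lines should read `const result = evaluateAllPolicies(` and `assert.strictEqual(result, testCase.expectedPolicyEvaluation.verdict);`, assuming the legacy function still returns a bare verdict string as the removed matrix expected. The removed matrix expected `NeedTagConditionEval` from the legacy function for several tag-condition rows, so it is worth confirming that the shared matrix's `verdict` values (defined outside this hunk) match for those rows.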
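Review bot: The added `});` before the file's final `});` has no matching opener in any hunk of this diff, and the hunk line offsets are fully accounted for by the visible changes, so the spec file appears to end with one closer too many and would fail to parse. Either drop the line or add the `describe(...)` block it was meant to close. Separately, both loops now iterate the same `TestMatrix` and build the same `it` title (the title line sits just above this hunk), and `${testCase.expectedPolicyEvaluation}` interpolates an object, so each row is reported twice as `... should return [object Object]`. Prefixing the evaluator name and using `${JSON.stringify(testCase.expectedPolicyEvaluation)}` in the title would keep a failing authorization case attributable to the right function.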