alien-permissions 1.2.1

Alien Developer Platform
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145

mod common;

use alien_permissions::{generators::AwsRuntimePermissionsGenerator, BindingTarget};
use common::*;
use insta::assert_json_snapshot;
use rstest::rstest;

#[rstest]
#[case::stack_binding(BindingTarget::Stack)]
#[case::resource_binding(BindingTarget::Resource)]
fn test_aws_storage_data_read_policy_generation(#[case] binding_target: BindingTarget) {
    let generator = AwsRuntimePermissionsGenerator::new();
    let permission_set = create_aws_storage_data_read_permission_set();
    let context = create_test_context();

    let result = generator
        .generate_policy(&permission_set, binding_target, &context)
        .expect("Should generate AWS policy successfully");

    let snapshot_name = format!("aws_storage_data_read_{}_binding", binding_target);
    assert_json_snapshot!(snapshot_name, result);
}

#[test]
fn test_aws_policy_with_conditions() {
    let generator = AwsRuntimePermissionsGenerator::new();
    let permission_set = create_aws_storage_data_read_permission_set_with_condition();
    let context = create_test_context();

    let result = generator
        .generate_policy(&permission_set, BindingTarget::Stack, &context)
        .expect("Should generate AWS policy with conditions successfully");

    assert_json_snapshot!("aws_policy_with_conditions", result);
}

#[test]
fn test_aws_statement_id_generation() {
    let generator = AwsRuntimePermissionsGenerator::new();

    // Create a permission set with a complex ID
    let mut permission_set = create_aws_storage_data_read_permission_set();
    permission_set.id = "complex/permission-set/with-dashes".to_string();

    let context = create_test_context();

    let result = generator
        .generate_policy(&permission_set, BindingTarget::Stack, &context)
        .expect("Should generate AWS policy successfully");

    // Verify that the statement ID is properly formatted
    assert_eq!(result.statement[0].sid, "ComplexPermissionSetWithDashes");
    assert_eq!(result.version, "2012-10-17");
    assert_eq!(result.statement[0].effect, "Allow");
}

#[test]
fn test_aws_missing_actions_error() {
    let generator = AwsRuntimePermissionsGenerator::new();
    let permission_set = create_permission_set_missing_actions();
    let context = create_test_context();

    let result = generator.generate_policy(&permission_set, BindingTarget::Stack, &context);

    assert!(result.is_err());
    let error = result.unwrap_err();
    let error_string = error.to_string();
    assert!(error_string.contains("AWS permission grant must have 'actions' field"));
}

#[test]
fn test_aws_variable_interpolation() {
    let generator = AwsRuntimePermissionsGenerator::new();
    let permission_set = create_aws_storage_data_read_permission_set();
    let context = create_test_context();

    let result = generator
        .generate_policy(&permission_set, BindingTarget::Resource, &context)
        .expect("Should generate AWS policy successfully");

    // Verify that variables were interpolated correctly
    let expected_resources = vec![
        "arn:aws:s3:::my-stack-payments-data".to_string(),
        "arn:aws:s3:::my-stack-payments-data/*".to_string(),
    ];
    assert_eq!(result.statement[0].resource, expected_resources);
}

#[test]
fn test_aws_missing_variable_error() {
    let generator = AwsRuntimePermissionsGenerator::new();

    // Create a permission set with a variable that won't be found
    let mut permission_set = create_aws_storage_data_read_permission_set();
    if let Some(aws_permissions) = &mut permission_set.platforms.aws {
        if let Some(resource_binding) = &mut aws_permissions[0].binding.resource {
            resource_binding.resources = vec!["arn:aws:s3:::${missingVariable}".to_string()];
        }
    }

    let context = create_empty_context(); // Empty context

    let result = generator.generate_policy(&permission_set, BindingTarget::Resource, &context);

    assert!(result.is_err());
    let error = result.unwrap_err();
    let error_string = error.to_string();
    assert!(error_string.contains("Variable 'missingVariable' is not found"));
}

#[test]
fn test_aws_missing_platform_error() {
    let generator = AwsRuntimePermissionsGenerator::new();

    // Create a permission set without AWS platform
    let permission_set = create_gcp_storage_data_read_permission_set(); // This only has GCP
    let context = create_test_context();

    let result = generator.generate_policy(&permission_set, BindingTarget::Stack, &context);

    assert!(result.is_err());
    let error = result.unwrap_err();
    let error_string = error.to_string();
    assert!(error_string.contains("Platform 'aws' is not supported"));
}

#[test]
fn test_aws_missing_binding_target_error() {
    let generator = AwsRuntimePermissionsGenerator::new();

    // Create a permission set with only stack binding
    let mut permission_set = create_aws_storage_data_read_permission_set();
    if let Some(aws_permissions) = &mut permission_set.platforms.aws {
        aws_permissions[0].binding.resource = None; // Remove resource binding
    }

    let context = create_test_context();

    let result = generator.generate_policy(&permission_set, BindingTarget::Resource, &context);

    assert!(result.is_err());
    let error = result.unwrap_err();
    let error_string = error.to_string();
    assert!(error_string.contains("Binding target 'resource' is not supported"));
}