awsim-core 0.5.0

Core framework for AWSim — gateway, routing, protocol layer, state management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342

//! AWS ARN construction and parsing.
//!
//! AWS resource names follow the format
//! `arn:<partition>:<service>:<region>:<account>:<resource>` where the
//! partition is one of `aws`, `aws-cn`, `aws-us-gov`, or `aws-iso(-b)`.
//! Some services (IAM, Route 53, Organizations, CloudFront, STS at the
//! global endpoint) leave the region segment empty; some services (S3
//! bucket ARNs) also leave the account segment empty.
//!
//! This module provides a single helper that pulls partition, region,
//! and account from a [`RequestContext`] so individual services don't
//! have to remember to thread those fields through. A non-default
//! [`AWSIM_PARTITION`] / [`AWSIM_REGION`] / [`AWSIM_ACCOUNT_ID`] is
//! reflected in every emitted ARN.
//!
//! [`AWSIM_PARTITION`]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
//! [`AWSIM_REGION`]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
//! [`AWSIM_ACCOUNT_ID`]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

use crate::error::AwsError;
use crate::router::RequestContext;
use std::fmt;

/// Parsed AWS ARN with each segment held separately.
///
/// Use [`build`] / [`build_global`] to create one from a request
/// context, or [`parse`] to decompose an external string.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Arn {
    pub partition: String,
    pub service: String,
    pub region: String,
    pub account: String,
    pub resource: String,
}

impl fmt::Display for Arn {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(
            f,
            "arn:{}:{}:{}:{}:{}",
            self.partition, self.service, self.region, self.account, self.resource
        )
    }
}

/// Build a regional ARN for `service` and `resource` using the
/// request's partition, region, and account.
pub fn build(ctx: &RequestContext, service: &'static str, resource: impl AsRef<str>) -> String {
    format!(
        "arn:{}:{}:{}:{}:{}",
        ctx.partition,
        service,
        ctx.region,
        ctx.account_id,
        resource.as_ref()
    )
}

/// Build a global-service ARN (IAM, Route 53, CloudFront, ...): the
/// region segment is empty, the account is preserved.
pub fn build_global(
    ctx: &RequestContext,
    service: &'static str,
    resource: impl AsRef<str>,
) -> String {
    format!(
        "arn:{}:{}::{}:{}",
        ctx.partition,
        service,
        ctx.account_id,
        resource.as_ref()
    )
}

/// Build a partition-only ARN (S3 buckets: no region, no account).
pub fn build_partition(
    ctx: &RequestContext,
    service: &'static str,
    resource: impl AsRef<str>,
) -> String {
    format!("arn:{}:{}:::{}", ctx.partition, service, resource.as_ref())
}

/// Parse an external ARN string into its segments.
///
/// Rejects strings that don't have the required six colon-separated
/// fields with `InvalidParameterValue`. Per-service validation
/// (allowed services, resource shape) is the caller's responsibility.
pub fn parse(s: &str) -> Result<Arn, AwsError> {
    // ARNs are `arn:partition:service:region:account:resource`. The
    // `resource` segment itself may contain colons (e.g.,
    // `arn:aws:logs:us-east-1:111:log-group:/aws/lambda/foo:log-stream:bar`)
    // so split into the first 6 parts and keep the remainder verbatim.
    let mut it = s.splitn(6, ':');
    let scheme = it.next();
    let partition = it.next();
    let service = it.next();
    let region = it.next();
    let account = it.next();
    let resource = it.next();
    match (scheme, partition, service, region, account, resource) {
        (Some("arn"), Some(p), Some(s), Some(r), Some(a), Some(res))
            if !p.is_empty() && !s.is_empty() =>
        {
            Ok(Arn {
                partition: p.to_string(),
                service: s.to_string(),
                region: r.to_string(),
                account: a.to_string(),
                resource: res.to_string(),
            })
        }
        _ => Err(AwsError::bad_request(
            "InvalidParameterValue",
            format!("Malformed ARN: {s}"),
        )),
    }
}

/// Reject an ARN that belongs to a different account, region, or
/// partition than the caller's [`RequestContext`].
///
/// Use this on operations that take an ARN of an arbitrary resource
/// (TagResource, GetResourceShare, GrantPermissions) and need to
/// keep cross-tenant access from leaking. Pass `RegionScope::Global`
/// for services whose ARNs intentionally have an empty region
/// segment (IAM, Route 53, CloudFront).
///
/// Returns `Ok(arn)` parsed on success so the caller can use the
/// resource segment directly. Returns
/// `AccessDeniedException`-shaped error on a tenant mismatch and
/// `InvalidParameterValue` on a malformed ARN.
pub fn expect_owned_by(
    arn_str: &str,
    ctx: &RequestContext,
    region_scope: RegionScope,
) -> Result<Arn, AwsError> {
    let parsed = parse(arn_str)?;
    if parsed.partition != ctx.partition {
        return Err(AwsError::access_denied(format!(
            "ARN partition '{}' does not match request partition '{}'.",
            parsed.partition, ctx.partition
        )));
    }
    if !parsed.account.is_empty() && parsed.account != ctx.account_id {
        return Err(AwsError::access_denied(format!(
            "ARN account '{}' does not match request account '{}'.",
            parsed.account, ctx.account_id
        )));
    }
    match region_scope {
        RegionScope::Global => {
            if !parsed.region.is_empty() {
                return Err(AwsError::bad_request(
                    "InvalidParameterValue",
                    format!(
                        "ARN region must be empty for global service '{}'.",
                        parsed.service
                    ),
                ));
            }
        }
        RegionScope::Regional => {
            if !parsed.region.is_empty() && parsed.region != ctx.region {
                return Err(AwsError::access_denied(format!(
                    "ARN region '{}' does not match request region '{}'.",
                    parsed.region, ctx.region
                )));
            }
        }
    }
    Ok(parsed)
}

/// Whether a service's ARNs carry a region segment or live in the
/// global namespace. Passed to [`expect_owned_by`] so the same
/// helper works for IAM / Route 53 ARNs (global) and EC2 / DDB ARNs
/// (regional).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum RegionScope {
    Global,
    Regional,
}

#[cfg(test)]
mod tests {
    use super::*;

    fn ctx_with(partition: &str, region: &str, account: &str) -> RequestContext {
        let mut ctx = RequestContext::new_with_account("ec2", region, account);
        ctx.partition = partition.to_string();
        ctx
    }

    #[test]
    fn build_uses_request_context_segments() {
        let ctx = ctx_with("aws", "us-east-1", "111122223333");
        assert_eq!(
            build(&ctx, "ec2", "instance/i-abc"),
            "arn:aws:ec2:us-east-1:111122223333:instance/i-abc"
        );
    }

    #[test]
    fn build_honors_non_default_partition() {
        let ctx = ctx_with("aws-cn", "cn-north-1", "999988887777");
        assert_eq!(
            build(&ctx, "s3", "my-bucket"),
            "arn:aws-cn:s3:cn-north-1:999988887777:my-bucket"
        );
    }

    #[test]
    fn build_honors_govcloud_partition() {
        let ctx = ctx_with("aws-us-gov", "us-gov-west-1", "555566667777");
        assert_eq!(
            build(&ctx, "kms", "key/abc-123"),
            "arn:aws-us-gov:kms:us-gov-west-1:555566667777:key/abc-123"
        );
    }

    #[test]
    fn build_global_omits_region() {
        let ctx = ctx_with("aws", "us-east-1", "111122223333");
        assert_eq!(
            build_global(&ctx, "iam", "role/AdminRole"),
            "arn:aws:iam::111122223333:role/AdminRole"
        );
    }

    #[test]
    fn build_partition_omits_region_and_account() {
        let ctx = ctx_with("aws", "us-east-1", "111122223333");
        assert_eq!(
            build_partition(&ctx, "s3", "my-bucket"),
            "arn:aws:s3:::my-bucket"
        );
    }

    #[test]
    fn parse_round_trips_basic_arn() {
        let arn = parse("arn:aws:ec2:us-east-1:111122223333:instance/i-abc").unwrap();
        assert_eq!(arn.partition, "aws");
        assert_eq!(arn.service, "ec2");
        assert_eq!(arn.region, "us-east-1");
        assert_eq!(arn.account, "111122223333");
        assert_eq!(arn.resource, "instance/i-abc");
        assert_eq!(
            arn.to_string(),
            "arn:aws:ec2:us-east-1:111122223333:instance/i-abc"
        );
    }

    #[test]
    fn parse_preserves_colons_in_resource_segment() {
        let raw = "arn:aws:logs:us-east-1:111:log-group:/aws/lambda/foo:log-stream:bar";
        let arn = parse(raw).unwrap();
        assert_eq!(arn.resource, "log-group:/aws/lambda/foo:log-stream:bar");
        assert_eq!(arn.to_string(), raw);
    }

    #[test]
    fn parse_accepts_empty_region_and_account_segments() {
        let arn = parse("arn:aws:iam::111122223333:role/Admin").unwrap();
        assert_eq!(arn.region, "");
        assert_eq!(arn.account, "111122223333");

        let bucket = parse("arn:aws:s3:::my-bucket").unwrap();
        assert_eq!(bucket.region, "");
        assert_eq!(bucket.account, "");
        assert_eq!(bucket.resource, "my-bucket");
    }

    #[test]
    fn parse_rejects_non_arn_string() {
        let err = parse("not-an-arn").unwrap_err();
        assert_eq!(err.code, "InvalidParameterValue");
    }

    #[test]
    fn parse_rejects_too_few_segments() {
        let err = parse("arn:aws:s3").unwrap_err();
        assert_eq!(err.code, "InvalidParameterValue");
    }

    #[test]
    fn parse_rejects_empty_partition_or_service() {
        assert!(parse("arn::s3:us-east-1:111:bucket").is_err());
        assert!(parse("arn:aws::us-east-1:111:bucket").is_err());
    }

    #[test]
    fn expect_owned_by_accepts_matching_tenant() {
        let ctx = ctx_with("aws", "us-east-1", "111122223333");
        let arn = "arn:aws:dynamodb:us-east-1:111122223333:table/users";
        expect_owned_by(arn, &ctx, RegionScope::Regional).unwrap();
    }

    #[test]
    fn expect_owned_by_rejects_foreign_account() {
        let ctx = ctx_with("aws", "us-east-1", "111122223333");
        let arn = "arn:aws:dynamodb:us-east-1:999988887777:table/users";
        let err = expect_owned_by(arn, &ctx, RegionScope::Regional).unwrap_err();
        assert_eq!(err.code, "AccessDeniedException");
    }

    #[test]
    fn expect_owned_by_rejects_foreign_region() {
        let ctx = ctx_with("aws", "us-east-1", "111122223333");
        let arn = "arn:aws:dynamodb:eu-west-1:111122223333:table/users";
        let err = expect_owned_by(arn, &ctx, RegionScope::Regional).unwrap_err();
        assert_eq!(err.code, "AccessDeniedException");
    }

    #[test]
    fn expect_owned_by_rejects_foreign_partition() {
        let ctx = ctx_with("aws", "us-east-1", "111122223333");
        let arn = "arn:aws-cn:dynamodb:us-east-1:111122223333:table/users";
        let err = expect_owned_by(arn, &ctx, RegionScope::Regional).unwrap_err();
        assert_eq!(err.code, "AccessDeniedException");
    }

    #[test]
    fn expect_owned_by_allows_empty_account_segment() {
        let ctx = ctx_with("aws", "us-east-1", "111122223333");
        let arn = "arn:aws:s3:::my-bucket";
        let parsed = expect_owned_by(arn, &ctx, RegionScope::Regional).unwrap();
        assert_eq!(parsed.resource, "my-bucket");
    }

    #[test]
    fn expect_owned_by_global_requires_empty_region() {
        let ctx = ctx_with("aws", "us-east-1", "111122223333");
        let arn = "arn:aws:iam::111122223333:role/AdminRole";
        expect_owned_by(arn, &ctx, RegionScope::Global).unwrap();

        let bad = "arn:aws:iam:us-east-1:111122223333:role/AdminRole";
        let err = expect_owned_by(bad, &ctx, RegionScope::Global).unwrap_err();
        assert_eq!(err.code, "InvalidParameterValue");
    }
}