fakecloud_core/auth.rs
1//! Authentication and authorization primitives shared across services.
2//!
3//! This module defines the opt-in modes for SigV4 signature verification and
4//! IAM policy enforcement, plus the reserved "root bypass" identity that
5//! short-circuits both checks when enabled.
6//!
7//! Neither feature is enforced at this layer — the types are plumbed through
8//! [`crate::dispatch::DispatchConfig`] and consulted later by dispatch and
9//! service handlers once the corresponding batches land. See
10//! `/docs/reference/security` (added in a later batch) for the user-facing
11//! contract.
12
13use std::collections::{BTreeMap, HashMap};
14use std::fmt;
15use std::net::IpAddr;
16use std::str::FromStr;
17use std::sync::Arc;
18
19use chrono::{DateTime, Utc};
20
21/// Kind of principal a set of credentials resolves to.
22///
23/// Used to drive IAM policy evaluation (Phase 2) and the `GetCallerIdentity`
24/// response shape. Inferred from the credential's storage path in
25/// [`IamState`] and — for STS temporary credentials — from the ARN form
26/// `arn:aws:sts::<account>:assumed-role/...` or `federated-user/...`.
27#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
28pub enum PrincipalType {
29 /// An IAM user access key (AKID created via `CreateAccessKey`).
30 User,
31 /// An assumed role session issued by `AssumeRole` /
32 /// `AssumeRoleWithWebIdentity` / `AssumeRoleWithSAML`.
33 AssumedRole,
34 /// Credentials issued by `GetFederationToken` — i.e. a federated user.
35 FederatedUser,
36 /// The account root identity. Reserved for explicit `...:root` ARNs
37 /// only; do not return this from a generic fallback because root
38 /// principals bypass IAM enforcement (see `Principal::is_root`).
39 Root,
40 /// The ARN didn't match any known shape. Treated as a non-root,
41 /// non-bypassable principal so a malformed or unexpected ARN can never
42 /// silently grant elevated permissions during IAM evaluation.
43 Unknown,
44}
45
46impl PrincipalType {
47 pub fn as_str(self) -> &'static str {
48 match self {
49 PrincipalType::User => "user",
50 PrincipalType::AssumedRole => "assumed-role",
51 PrincipalType::FederatedUser => "federated-user",
52 PrincipalType::Root => "root",
53 PrincipalType::Unknown => "unknown",
54 }
55 }
56
57 /// Classify a principal from its ARN. Returns [`PrincipalType::Unknown`]
58 /// for ARNs that don't match any of the well-known principal shapes —
59 /// **never** [`PrincipalType::Root`] as a fallback, because root
60 /// bypasses IAM enforcement and silently treating malformed ARNs as
61 /// root would let unexpected inputs grant elevated permissions
62 /// (identified by cubic in PR #391 review).
63 pub fn from_arn(arn: &str) -> Self {
64 if arn.ends_with(":root") {
65 PrincipalType::Root
66 } else if arn.contains(":user/") {
67 PrincipalType::User
68 } else if arn.contains(":assumed-role/") {
69 PrincipalType::AssumedRole
70 } else if arn.contains(":federated-user/") {
71 PrincipalType::FederatedUser
72 } else {
73 PrincipalType::Unknown
74 }
75 }
76}
77
78/// Identity of the caller making a request, once its credentials have been
79/// resolved. Attached to [`crate::service::AwsRequest::principal`] so
80/// handlers can make identity-based decisions without re-parsing the
81/// Authorization header.
82///
83/// `account_id` is always sourced from the credential itself (via
84/// [`CredentialResolver`]), never from global config — #381 note.
85#[derive(Debug, Clone, PartialEq, Eq)]
86pub struct Principal {
87 pub arn: String,
88 pub user_id: String,
89 pub account_id: String,
90 pub principal_type: PrincipalType,
91 /// Optional source identity string, carried through from
92 /// `AssumeRole`'s `SourceIdentity` parameter. Reserved for later
93 /// batches that wire session policies and auditing.
94 pub source_identity: Option<String>,
95 /// Tags on the calling principal (IAM user or assumed role).
96 /// Populated at credential-resolution time from `IamState`.
97 /// Used for `aws:PrincipalTag/<key>` condition evaluation.
98 pub tags: Option<HashMap<String, String>>,
99}
100
101impl Principal {
102 /// Is this caller the account's root identity? Root bypasses IAM
103 /// evaluation, matching AWS.
104 pub fn is_root(&self) -> bool {
105 matches!(self.principal_type, PrincipalType::Root) || self.arn.ends_with(":root")
106 }
107}
108
109/// Credentials resolved from an access key ID.
110///
111/// Returned by [`CredentialResolver::resolve`]. Holds both the secret access
112/// key (needed for SigV4 verification) and the resolved [`Principal`]
113/// (needed for IAM enforcement and `GetCallerIdentity` consolidation).
114#[derive(Debug, Clone, PartialEq, Eq)]
115pub struct ResolvedCredential {
116 pub secret_access_key: String,
117 pub session_token: Option<String>,
118 pub principal: Principal,
119 /// Session policies passed to the STS call that minted this credential.
120 /// Empty for IAM user access keys.
121 pub session_policies: Vec<String>,
122 /// True iff the underlying STS credential was minted with MFA. Drives
123 /// `aws:MultiFactorAuthPresent` for downstream IAM evaluation. Always
124 /// false for raw IAM user access keys.
125 pub mfa_present: bool,
126 /// Wall-clock time at which the underlying STS credential was issued.
127 /// Drives `aws:TokenIssueTime` and `aws:MultiFactorAuthAge` (the latter
128 /// computed at evaluation time as `now - token_issued_at` when
129 /// [`Self::mfa_present`] is true). `None` for raw IAM user access keys
130 /// — AWS does not expose `aws:TokenIssueTime` for long-lived credentials.
131 pub token_issued_at: Option<DateTime<Utc>>,
132 /// `aws:FederatedProvider` — SAML provider ARN for AssumeRoleWithSAML,
133 /// OIDC provider ARN for AssumeRoleWithWebIdentity. `None` for raw IAM
134 /// user keys, plain AssumeRole, GetSessionToken, GetFederationToken.
135 pub federated_provider: Option<String>,
136}
137
138impl ResolvedCredential {
139 /// Convenience accessors for the flat fields batch 3 callers use. Kept
140 /// as methods rather than re-adding the fields to avoid making the
141 /// shape inconsistent with [`Principal`] itself.
142 pub fn principal_arn(&self) -> &str {
143 &self.principal.arn
144 }
145
146 pub fn user_id(&self) -> &str {
147 &self.principal.user_id
148 }
149
150 pub fn account_id(&self) -> &str {
151 &self.principal.account_id
152 }
153}
154
155/// Abstraction over "given an access key ID, return the secret and resolved
156/// principal." Implemented by the IAM crate against `IamState`; the core
157/// crate depends only on the trait so there's no circular dependency.
158///
159/// Implementations must be cheap to clone-share via `Arc` and must be
160/// thread-safe — dispatch calls them from an axum handler under a tokio
161/// worker.
162pub trait CredentialResolver: Send + Sync {
163 /// Resolve `access_key_id` to its secret access key and principal.
164 /// Returns `None` when the AKID is unknown or its underlying credential
165 /// has expired.
166 fn resolve(&self, access_key_id: &str) -> Option<ResolvedCredential>;
167}
168
169/// One IAM action that the dispatch layer should evaluate against the
170/// caller's effective policy set.
171///
172/// Produced by [`crate::service::AwsService::iam_action_for`] on services
173/// that opt into enforcement. The `resource` is a fully-qualified AWS ARN
174/// built from `request.principal.account_id` so multi-account isolation
175/// (#381) becomes a state-partitioning change rather than a cross-cutting
176/// rewrite.
177#[derive(Debug, Clone, PartialEq, Eq)]
178pub struct IamAction {
179 /// IAM service prefix, e.g. `"s3"`, `"sqs"`, `"iam"`.
180 pub service: &'static str,
181 /// AWS action name, e.g. `"GetObject"`, `"SendMessage"`.
182 pub action: &'static str,
183 /// Fully-qualified ARN of the target resource.
184 pub resource: String,
185}
186
187impl IamAction {
188 /// Compose the canonical `service:Action` string the evaluator
189 /// matches against.
190 pub fn action_string(&self) -> String {
191 format!("{}:{}", self.service, self.action)
192 }
193}
194
195/// Result of evaluating a request against an identity's effective policy
196/// set. Abstract over the concrete evaluator [`Decision`] in
197/// `fakecloud-iam::evaluator` so `fakecloud-core` can consume it without
198/// depending on `fakecloud-iam`.
199#[derive(Debug, Clone, Copy, PartialEq, Eq)]
200pub enum IamDecision {
201 Allow,
202 ImplicitDeny,
203 ExplicitDeny,
204}
205
206impl IamDecision {
207 pub fn is_allow(self) -> bool {
208 matches!(self, IamDecision::Allow)
209 }
210}
211
212/// Request-time values consulted when a policy statement carries a
213/// `Condition` block. Populated at dispatch time from the resolved
214/// [`Principal`] and the incoming HTTP request, then handed to
215/// [`IamPolicyEvaluator::evaluate`].
216///
217/// Lives in `fakecloud-core` (not `fakecloud-iam`) so the trait can
218/// reference it without creating a circular crate dependency. All
219/// fields are optional — a missing field means the key wasn't knowable
220/// at dispatch time, and any operator that references it safe-fails to
221/// `false` (unless the operator carries the `IfExists` suffix, in which
222/// case it evaluates to `true`, matching AWS).
223///
224/// The `service_keys` map is reserved for service-specific condition
225/// keys (`s3:prefix`, `sqs:MessageAttribute`, …) which Phase 2 ships
226/// empty; service-specific support lands in a follow-up batch without
227/// a signature change.
228#[derive(Debug, Clone, Default)]
229pub struct ConditionContext {
230 /// `aws:username` — username segment of an IAM user ARN, or `None`
231 /// for assumed roles / federated users where AWS does not set the key.
232 pub aws_username: Option<String>,
233 /// `aws:userid` — the unique `AIDA...`/`AROA...` identifier.
234 pub aws_userid: Option<String>,
235 /// `aws:PrincipalArn` — full principal ARN.
236 pub aws_principal_arn: Option<String>,
237 /// `aws:PrincipalAccount` — 12-digit account ID sourced from the
238 /// credential, not global config (#381 multi-account alignment).
239 pub aws_principal_account: Option<String>,
240 /// `aws:PrincipalType` — `"User"`, `"AssumedRole"`, etc.
241 pub aws_principal_type: Option<String>,
242 /// `aws:SourceIp` — remote address of the HTTP connection.
243 pub aws_source_ip: Option<IpAddr>,
244 /// `aws:CurrentTime` — evaluation timestamp (UTC).
245 pub aws_current_time: Option<DateTime<Utc>>,
246 /// `aws:EpochTime` — same moment as `aws_current_time` in seconds
247 /// since the Unix epoch.
248 pub aws_epoch_time: Option<i64>,
249 /// `aws:SecureTransport` — `true` iff the request came in over TLS.
250 pub aws_secure_transport: Option<bool>,
251 /// `aws:RequestedRegion` — region extracted from SigV4 / config.
252 pub aws_requested_region: Option<String>,
253 /// `aws:MultiFactorAuthPresent` — true iff the caller supplied an
254 /// MFA credential when minting the session (AssumeRole with
255 /// SerialNumber + TokenCode, or a long-lived user credential
256 /// re-asserted via STS GetSessionToken with MFA).
257 pub aws_mfa_present: Option<bool>,
258 /// `aws:MultiFactorAuthAge` — seconds since MFA was asserted on
259 /// the session.
260 pub aws_mfa_age_seconds: Option<i64>,
261 /// `aws:CalledVia` — the chain of service principals that have
262 /// re-invoked downstream services on the caller's behalf
263 /// (e.g. `["cloudformation.amazonaws.com"]`). Multi-value key.
264 pub aws_called_via: Vec<String>,
265 /// `aws:SourceVpce` — VPC endpoint id when the request transited
266 /// a VPC interface endpoint.
267 pub aws_source_vpce: Option<String>,
268 /// `aws:SourceVpc` — VPC id when the request originated inside a
269 /// VPC.
270 pub aws_source_vpc: Option<String>,
271 /// `aws:VpcSourceIp` — private source IP inside the VPC (distinct
272 /// from `aws:SourceIp` which is the public NAT/Edge IP).
273 pub aws_vpc_source_ip: Option<IpAddr>,
274 /// `aws:FederatedProvider` — `cognito-identity.amazonaws.com`,
275 /// `accounts.google.com`, or the SAML-provider ARN, depending on
276 /// how the credential was minted.
277 pub aws_federated_provider: Option<String>,
278 /// `aws:TokenIssueTime` — when the temporary credential
279 /// underlying this session was issued (UTC).
280 pub aws_token_issue_time: Option<DateTime<Utc>>,
281 /// Service-specific keys (`s3:prefix`, `sqs:MessageAttribute`, …).
282 pub service_keys: BTreeMap<String, Vec<String>>,
283 /// `aws:ResourceTag/<key>` — tags on the target resource.
284 /// Populated by [`crate::service::AwsService::resource_tags_for`].
285 /// `None` means the service doesn't expose resource tags for ABAC.
286 pub resource_tags: Option<HashMap<String, String>>,
287 /// `aws:RequestTag/<key>` — tags sent in the request body/headers.
288 /// Populated by [`crate::service::AwsService::request_tags_from`].
289 /// Also drives `aws:TagKeys` (the list of request tag keys).
290 pub request_tags: Option<HashMap<String, String>>,
291 /// `aws:PrincipalTag/<key>` — tags on the calling IAM user or role.
292 /// Populated from [`Principal::tags`] at dispatch time.
293 pub principal_tags: Option<HashMap<String, String>>,
294}
295
296impl ConditionContext {
297 /// Resolve a condition key (e.g. `"aws:username"`) to the list of
298 /// context values. Returns `None` if the key is not populated.
299 /// Key names are matched case-insensitively — AWS treats
300 /// `aws:username` and `AWS:UserName` as the same key.
301 pub fn lookup(&self, key: &str) -> Option<Vec<String>> {
302 let lower = key.to_ascii_lowercase();
303 let one = |s: &str| Some(vec![s.to_string()]);
304
305 // ABAC tag-based keys: case-insensitive prefix, case-sensitive
306 // tag key (the part after the slash). AWS treats "Environment"
307 // and "environment" as distinct tag keys.
308 //
309 // Prefix lengths: "aws:resourcetag/" = 16, "aws:requesttag/" = 15,
310 // "aws:principaltag/" = 17
311 if lower.starts_with("aws:resourcetag/") {
312 let tag_key = &key[16..]; // preserve original case
313 return self
314 .resource_tags
315 .as_ref()
316 .and_then(|tags| tags.get(tag_key))
317 .map(|v| vec![v.clone()]);
318 }
319 if lower.starts_with("aws:requesttag/") {
320 let tag_key = &key[15..];
321 return self
322 .request_tags
323 .as_ref()
324 .and_then(|tags| tags.get(tag_key))
325 .map(|v| vec![v.clone()]);
326 }
327 if lower.starts_with("aws:principaltag/") {
328 let tag_key = &key[17..];
329 return self
330 .principal_tags
331 .as_ref()
332 .and_then(|tags| tags.get(tag_key))
333 .map(|v| vec![v.clone()]);
334 }
335 if lower == "aws:tagkeys" {
336 return self
337 .request_tags
338 .as_ref()
339 .map(|tags| tags.keys().cloned().collect());
340 }
341
342 match lower.as_str() {
343 "aws:username" => self.aws_username.as_deref().and_then(one),
344 "aws:userid" => self.aws_userid.as_deref().and_then(one),
345 "aws:principalarn" => self.aws_principal_arn.as_deref().and_then(one),
346 "aws:principalaccount" => self.aws_principal_account.as_deref().and_then(one),
347 "aws:principaltype" => self.aws_principal_type.as_deref().and_then(one),
348 "aws:sourceip" => self.aws_source_ip.map(|ip| vec![ip.to_string()]),
349 "aws:currenttime" => self
350 .aws_current_time
351 .map(|t| vec![t.to_rfc3339_opts(chrono::SecondsFormat::Secs, true)]),
352 "aws:epochtime" => self.aws_epoch_time.map(|e| vec![e.to_string()]),
353 "aws:securetransport" => self.aws_secure_transport.map(|b| vec![b.to_string()]),
354 "aws:requestedregion" => self.aws_requested_region.as_deref().and_then(one),
355 "aws:multifactorauthpresent" => self.aws_mfa_present.map(|b| vec![b.to_string()]),
356 "aws:multifactorauthage" => self.aws_mfa_age_seconds.map(|s| vec![s.to_string()]),
357 "aws:calledvia" => {
358 if self.aws_called_via.is_empty() {
359 None
360 } else {
361 Some(self.aws_called_via.clone())
362 }
363 }
364 "aws:sourcevpce" => self.aws_source_vpce.as_deref().and_then(one),
365 "aws:sourcevpc" => self.aws_source_vpc.as_deref().and_then(one),
366 "aws:vpcsourceip" => self.aws_vpc_source_ip.map(|ip| vec![ip.to_string()]),
367 "aws:federatedprovider" => self.aws_federated_provider.as_deref().and_then(one),
368 "aws:tokenissuetime" => self
369 .aws_token_issue_time
370 .map(|t| vec![t.to_rfc3339_opts(chrono::SecondsFormat::Secs, true)]),
371 _ => {
372 if let Some(vs) = self.service_keys.get(&lower) {
373 if vs.is_empty() {
374 None
375 } else {
376 Some(vs.clone())
377 }
378 } else {
379 self.service_keys
380 .iter()
381 .find(|(k, _)| k.eq_ignore_ascii_case(key))
382 .map(|(_, vs)| vs.clone())
383 }
384 }
385 }
386 }
387}
388
389/// Abstraction over "given a principal, an action, and request-time
390/// condition keys, say Allow / Deny". Implemented by `fakecloud-iam`
391/// against `IamState` + the evaluator. Dispatch calls this for every
392/// request when `FAKECLOUD_IAM != off` and the target service opts in.
393pub trait IamPolicyEvaluator: Send + Sync {
394 /// Evaluate `action` against the identity policies attached to
395 /// `principal`, using `context` for `Condition` block resolution.
396 /// `session_policies` are the raw JSON session-policy documents
397 /// from the STS call that minted the caller's credential (empty
398 /// for IAM user access keys). `scps` are the inherited SCP
399 /// documents (root-OU first, account-direct last) that form the
400 /// top-of-chain allow-list ceiling; `None` means no org exists
401 /// for this principal or the principal is exempt (management,
402 /// service-linked role) and the layer is a pass-through.
403 fn evaluate(
404 &self,
405 principal: &Principal,
406 action: &IamAction,
407 context: &ConditionContext,
408 session_policies: &[String],
409 scps: Option<&[String]>,
410 ) -> IamDecision;
411
412 /// Evaluate with resource-policy + session-policy intersection.
413 /// `scps` follows the same semantics as in [`Self::evaluate`].
414 #[allow(clippy::too_many_arguments)]
415 fn evaluate_with_resource_policy(
416 &self,
417 principal: &Principal,
418 action: &IamAction,
419 context: &ConditionContext,
420 resource_policy_json: Option<&str>,
421 resource_account_id: &str,
422 session_policies: &[String],
423 scps: Option<&[String]>,
424 ) -> IamDecision;
425
426 /// Evaluate `action` for an **anonymous** (unsigned) caller against a
427 /// resource-based policy in isolation. Anonymous requests carry no
428 /// identity, so the resource policy is the sole authorization source:
429 /// the request is allowed only if the policy explicitly grants the
430 /// action to a wildcard principal (`Principal:"*"` / `{"AWS":"*"}`).
431 ///
432 /// `resource_policy_json` is the raw policy document (S3 bucket policy
433 /// today); `None` or a non-public policy yields [`IamDecision::ImplicitDeny`].
434 /// ACL-based public grants are evaluated separately by the dispatcher
435 /// via [`ResourcePolicyProvider::public_acl_allows`].
436 ///
437 /// The default implementation returns [`IamDecision::ImplicitDeny`] so
438 /// evaluators that don't support anonymous access never silently grant.
439 fn evaluate_anonymous(
440 &self,
441 _action: &IamAction,
442 _context: &ConditionContext,
443 _resource_policy_json: Option<&str>,
444 ) -> IamDecision {
445 IamDecision::ImplicitDeny
446 }
447}
448
449/// Abstraction over "given a principal, return the inherited SCP
450/// documents that form the top-of-chain allow-list ceiling for the
451/// principal's account". Implemented by `fakecloud-organizations`.
452///
453/// Returning `None` means SCPs do not apply (no org exists for this
454/// fakecloud process, or the principal is the management account, or
455/// the principal is a service-linked role, or the account is not
456/// enrolled in the organization). Dispatch plumbs the returned slice
457/// straight into [`IamPolicyEvaluator`].
458///
459/// The ordered list puts root-OU-attached policies first, then each
460/// descendant OU down to the account's parent, and account-direct
461/// attachments last — the evaluator treats each entry as a separate
462/// gate that must allow (intersection), matching AWS SCP semantics.
463pub trait ScpResolver: Send + Sync {
464 fn scps_for(&self, principal: &Principal) -> Option<Vec<String>>;
465}
466
467/// Abstraction over "given a service + a fully-qualified resource ARN,
468/// return the resource-based policy attached to that resource, if any."
469///
470/// Implemented by resource-owning services (S3 for bucket policies in
471/// the initial rollout; SNS topic policies, KMS key policies, and
472/// Lambda resource policies are separate future wirings) and plumbed
473/// through [`crate::dispatch::DispatchConfig`] alongside
474/// [`IamPolicyEvaluator`]. Dispatch fetches the policy for the target
475/// resource and hands it to the evaluator so cross-account Allow/Deny
476/// semantics can be computed.
477///
478/// Implementations must be cheap to clone-share via `Arc` and must be
479/// thread-safe — dispatch calls them on every enforced request.
480///
481/// Returning `None` means "no resource policy attached / resource
482/// doesn't exist / this provider doesn't handle that service." Returning
483/// `Some(json)` yields the raw JSON document as stored by the
484/// resource's CRUD handlers; parsing happens inside the evaluator so a
485/// malformed document logs a debug audit event and falls through to
486/// "no resource policy" rather than silently allowing.
487pub trait ResourcePolicyProvider: Send + Sync {
488 /// Fetch the resource-based policy document attached to
489 /// `resource_arn` on `service`. Both arguments are lowercase-ish
490 /// (`"s3"`, `"arn:aws:s3:::my-bucket"`); implementations should
491 /// match the service prefix they own and return `None` for
492 /// anything else so providers can be composed safely.
493 fn resource_policy(&self, service: &str, resource_arn: &str) -> Option<String>;
494
495 /// Resolve the 12-digit account that owns `resource_arn` on `service`,
496 /// when the ARN itself does not carry it. S3 ARNs have an empty account
497 /// field (`arn:aws:s3:::bucket`), so without this the dispatcher would
498 /// fall back to the caller's account and treat every S3 request as
499 /// same-account — letting account A reach account B's bucket without B's
500 /// bucket policy granting it (bug-audit 2026-05-28, 5.3). Providers whose
501 /// ARNs already carry the account (SQS/SNS/Lambda/…) return `None` and let
502 /// the dispatcher parse it from the ARN. Default `None`.
503 fn resource_owner_account(&self, _service: &str, _resource_arn: &str) -> Option<String> {
504 None
505 }
506
507 /// Whether a **public-read ACL** on `resource_arn` grants `action` to
508 /// an anonymous (unsigned) caller. Distinct from a bucket policy: S3
509 /// ACLs are a separate grant surface, so an object/bucket with an
510 /// `AllUsers` group grant is publicly readable even without a bucket
511 /// policy. `action` is the bare AWS action name (`"GetObject"`,
512 /// `"ListBucket"`, …).
513 ///
514 /// Implementations must honor `PublicAccessBlock` (a bucket with
515 /// `IgnorePublicAcls` set is not public via ACL). Default `false` so
516 /// providers that don't model ACLs never grant anonymous access.
517 fn public_acl_allows(&self, _service: &str, _resource_arn: &str, _action: &str) -> bool {
518 false
519 }
520}
521
522/// Failure mode for IAM PassRole trust-policy validation.
523///
524/// Exists in `fakecloud-core` so service crates (Lambda, ECS, …) can
525/// surface a wire-shaped error without taking a dependency on
526/// `fakecloud-iam`. The server crate wires the concrete validator that
527/// reads the IAM state.
528#[derive(Debug, Clone, PartialEq, Eq)]
529pub enum PassRoleError {
530 /// No role with this ARN exists in the IAM state.
531 RoleNotFound(String),
532 /// Role exists but its `AssumeRolePolicyDocument` does not allow the
533 /// service principal to call `sts:AssumeRole`. Real AWS returns
534 /// `InvalidParameterValueException` in this shape.
535 TrustPolicyDenies {
536 role_arn: String,
537 service_principal: String,
538 },
539 /// Role's `AssumeRolePolicyDocument` could not be parsed as JSON.
540 InvalidTrustPolicy(String),
541}
542
543impl std::fmt::Display for PassRoleError {
544 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
545 match self {
546 Self::RoleNotFound(arn) => write!(f, "role not found: {arn}"),
547 Self::TrustPolicyDenies {
548 role_arn,
549 service_principal,
550 } => write!(
551 f,
552 "Role's trust policy does not allow {service_principal} to assume the role: {role_arn}"
553 ),
554 Self::InvalidTrustPolicy(arn) => {
555 write!(f, "invalid trust policy on role {arn}")
556 }
557 }
558 }
559}
560
561impl std::error::Error for PassRoleError {}
562
563/// Validator that checks whether a role can be passed to a given
564/// service. Used by Lambda / ECS / EC2 etc. to reject `CreateFunction`,
565/// `RegisterTaskDefinition`, etc. when the supplied role's trust policy
566/// doesn't allow the service principal — matching the `iam:PassRole`
567/// trust-side behavior real AWS enforces unconditionally (separate from
568/// identity-policy `iam:PassRole`, which sits behind the IAM evaluator).
569pub trait RoleTrustValidator: Send + Sync {
570 fn validate(
571 &self,
572 account_id: &str,
573 role_arn: &str,
574 service_principal: &str,
575 ) -> Result<(), PassRoleError>;
576}
577
578/// Composite [`ResourcePolicyProvider`] that delegates to a list of
579/// sub-providers in order, returning the first `Some` hit.
580///
581/// Each concrete provider (`S3ResourcePolicyProvider`,
582/// `SnsResourcePolicyProvider`, `LambdaResourcePolicyProvider`, …)
583/// already gates on its own service prefix and returns `None` for
584/// anything it doesn't own, so composition is short-circuit and
585/// order-independent. Server bootstrap builds one of these holding
586/// every resource-owning service and passes it to
587/// [`crate::dispatch::DispatchConfig::resource_policy_provider`].
588///
589/// This is the extension point for future resource-owning services:
590/// adding KMS key policies (or anything else) is a one-line push at
591/// bootstrap, never a core-crate refactor.
592pub struct MultiResourcePolicyProvider {
593 providers: Vec<Arc<dyn ResourcePolicyProvider>>,
594}
595
596impl MultiResourcePolicyProvider {
597 /// Build a composite from a list of providers.
598 pub fn new(providers: Vec<Arc<dyn ResourcePolicyProvider>>) -> Self {
599 Self { providers }
600 }
601
602 /// Shared constructor returning the composite as an
603 /// `Arc<dyn ResourcePolicyProvider>`, matching the signature of
604 /// `DispatchConfig::resource_policy_provider`.
605 pub fn shared(
606 providers: Vec<Arc<dyn ResourcePolicyProvider>>,
607 ) -> Arc<dyn ResourcePolicyProvider> {
608 Arc::new(Self::new(providers))
609 }
610
611 /// Number of sub-providers held by this composite. Used by tests.
612 pub fn len(&self) -> usize {
613 self.providers.len()
614 }
615
616 /// True when no sub-providers are registered.
617 pub fn is_empty(&self) -> bool {
618 self.providers.is_empty()
619 }
620}
621
622impl ResourcePolicyProvider for MultiResourcePolicyProvider {
623 fn resource_policy(&self, service: &str, resource_arn: &str) -> Option<String> {
624 self.providers
625 .iter()
626 .find_map(|p| p.resource_policy(service, resource_arn))
627 }
628
629 fn resource_owner_account(&self, service: &str, resource_arn: &str) -> Option<String> {
630 self.providers
631 .iter()
632 .find_map(|p| p.resource_owner_account(service, resource_arn))
633 }
634
635 fn public_acl_allows(&self, service: &str, resource_arn: &str, action: &str) -> bool {
636 self.providers
637 .iter()
638 .any(|p| p.public_acl_allows(service, resource_arn, action))
639 }
640}
641
642/// How IAM identity policies are evaluated for incoming requests.
643///
644/// Default is [`IamMode::Off`] — existing behavior, policies are stored but
645/// never consulted. [`IamMode::Soft`] evaluates and logs denied decisions via
646/// the `fakecloud::iam::audit` tracing target without failing the request, and
647/// [`IamMode::Strict`] returns an `AccessDeniedException` in the protocol-
648/// correct shape.
649#[derive(Clone, Copy, Debug, Default, PartialEq, Eq, Hash)]
650pub enum IamMode {
651 /// Do not evaluate IAM policies.
652 #[default]
653 Off,
654 /// Evaluate policies and log audit events for denied requests, but allow
655 /// the request to proceed.
656 Soft,
657 /// Evaluate policies and reject denied requests with `AccessDeniedException`.
658 Strict,
659}
660
661impl IamMode {
662 /// Returns true when policy evaluation should occur at all.
663 pub fn is_enabled(self) -> bool {
664 !matches!(self, IamMode::Off)
665 }
666
667 /// Returns true when denied decisions should fail the request.
668 pub fn is_strict(self) -> bool {
669 matches!(self, IamMode::Strict)
670 }
671
672 pub fn as_str(self) -> &'static str {
673 match self {
674 IamMode::Off => "off",
675 IamMode::Soft => "soft",
676 IamMode::Strict => "strict",
677 }
678 }
679}
680
681impl fmt::Display for IamMode {
682 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
683 f.write_str(self.as_str())
684 }
685}
686
687/// Parse error for [`IamMode`] from string.
688#[derive(Debug)]
689pub struct ParseIamModeError(String);
690
691impl fmt::Display for ParseIamModeError {
692 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
693 write!(
694 f,
695 "invalid IAM mode `{}`; expected one of: off, soft, strict",
696 self.0
697 )
698 }
699}
700
701impl std::error::Error for ParseIamModeError {}
702
703impl FromStr for IamMode {
704 type Err = ParseIamModeError;
705
706 fn from_str(s: &str) -> Result<Self, Self::Err> {
707 match s.trim().to_ascii_lowercase().as_str() {
708 "off" | "none" | "disabled" => Ok(IamMode::Off),
709 "soft" | "audit" | "warn" => Ok(IamMode::Soft),
710 "strict" | "enforce" | "deny" => Ok(IamMode::Strict),
711 other => Err(ParseIamModeError(other.to_string())),
712 }
713 }
714}
715
716/// Reserved root-identity convention.
717///
718/// Any access key whose ID begins with `test` (case-insensitive) is treated as
719/// the de-facto root bypass. This matches the long-standing community
720/// convention used by LocalStack and Floci: `test`/`test` credentials should
721/// always "just work" for local development.
722///
723/// When SigV4 verification or IAM enforcement is enabled, callers using a
724/// bypass AKID skip both checks. We emit a one-time startup WARN whenever
725/// enforcement is turned on so users understand that unsigned `test` clients
726/// will silently receive positive results.
727pub fn is_root_bypass(access_key_id: &str) -> bool {
728 access_key_id
729 .trim()
730 .get(..4)
731 .is_some_and(|prefix| prefix.eq_ignore_ascii_case("test"))
732}
733
734#[cfg(test)]
735mod tests {
736 use super::*;
737
738 #[test]
739 fn iam_mode_default_is_off() {
740 assert_eq!(IamMode::default(), IamMode::Off);
741 assert!(!IamMode::default().is_enabled());
742 }
743
744 #[test]
745 fn iam_mode_from_str_accepts_primary_values() {
746 assert_eq!(IamMode::from_str("off").unwrap(), IamMode::Off);
747 assert_eq!(IamMode::from_str("soft").unwrap(), IamMode::Soft);
748 assert_eq!(IamMode::from_str("strict").unwrap(), IamMode::Strict);
749 }
750
751 #[test]
752 fn iam_mode_from_str_is_case_insensitive_and_trimmed() {
753 assert_eq!(IamMode::from_str(" OFF ").unwrap(), IamMode::Off);
754 assert_eq!(IamMode::from_str("Soft").unwrap(), IamMode::Soft);
755 assert_eq!(IamMode::from_str("STRICT").unwrap(), IamMode::Strict);
756 }
757
758 #[test]
759 fn iam_mode_from_str_accepts_aliases() {
760 assert_eq!(IamMode::from_str("disabled").unwrap(), IamMode::Off);
761 assert_eq!(IamMode::from_str("audit").unwrap(), IamMode::Soft);
762 assert_eq!(IamMode::from_str("enforce").unwrap(), IamMode::Strict);
763 }
764
765 #[test]
766 fn iam_mode_from_str_rejects_garbage() {
767 assert!(IamMode::from_str("").is_err());
768 assert!(IamMode::from_str("allow").is_err());
769 assert!(IamMode::from_str("yes").is_err());
770 }
771
772 #[test]
773 fn iam_mode_display_roundtrips() {
774 for mode in [IamMode::Off, IamMode::Soft, IamMode::Strict] {
775 assert_eq!(IamMode::from_str(&mode.to_string()).unwrap(), mode);
776 }
777 }
778
779 #[test]
780 fn iam_mode_flags() {
781 assert!(!IamMode::Off.is_enabled());
782 assert!(!IamMode::Off.is_strict());
783 assert!(IamMode::Soft.is_enabled());
784 assert!(!IamMode::Soft.is_strict());
785 assert!(IamMode::Strict.is_enabled());
786 assert!(IamMode::Strict.is_strict());
787 }
788
789 #[test]
790 fn root_bypass_matches_test_prefix() {
791 assert!(is_root_bypass("test"));
792 assert!(is_root_bypass("TEST"));
793 assert!(is_root_bypass("Test"));
794 assert!(is_root_bypass("testAccessKey"));
795 assert!(is_root_bypass("TESTAKIAIOSFODNN7EXAMPLE"));
796 }
797
798 #[test]
799 fn root_bypass_does_not_panic_on_multibyte_input() {
800 // Byte index 4 falls inside a multi-byte UTF-8 character; must not panic.
801 assert!(!is_root_bypass("té"));
802 assert!(!is_root_bypass("日本語キー"));
803 assert!(!is_root_bypass("🔑🔑"));
804 }
805
806 #[test]
807 fn principal_type_from_arn_classifies_known_shapes() {
808 assert_eq!(
809 PrincipalType::from_arn("arn:aws:iam::123456789012:user/alice"),
810 PrincipalType::User
811 );
812 assert_eq!(
813 PrincipalType::from_arn("arn:aws:sts::123456789012:assumed-role/R/s"),
814 PrincipalType::AssumedRole
815 );
816 assert_eq!(
817 PrincipalType::from_arn("arn:aws:sts::123456789012:federated-user/bob"),
818 PrincipalType::FederatedUser
819 );
820 assert_eq!(
821 PrincipalType::from_arn("arn:aws:iam::123456789012:root"),
822 PrincipalType::Root
823 );
824 }
825
826 #[test]
827 fn principal_type_unparseable_is_unknown_not_root() {
828 // Identified by cubic on PR #391: falling back to Root would let
829 // malformed or unexpected ARNs bypass IAM enforcement, since
830 // Principal::is_root short-circuits evaluation. The fallback must
831 // be the non-bypassable Unknown variant.
832 assert_eq!(
833 PrincipalType::from_arn("not-an-arn"),
834 PrincipalType::Unknown
835 );
836 assert_eq!(PrincipalType::from_arn(""), PrincipalType::Unknown);
837 assert_eq!(
838 PrincipalType::from_arn("arn:aws:iam::123456789012:something-weird"),
839 PrincipalType::Unknown
840 );
841
842 // And a Principal built from an Unknown ARN must not be treated
843 // as root for enforcement decisions.
844 let p = Principal {
845 arn: "garbage".to_string(),
846 user_id: "x".to_string(),
847 account_id: "123456789012".to_string(),
848 principal_type: PrincipalType::Unknown,
849 source_identity: None,
850 tags: None,
851 };
852 assert!(!p.is_root());
853 }
854
855 #[test]
856 fn principal_is_root_covers_root_type_and_arn_suffix() {
857 let p = Principal {
858 arn: "arn:aws:iam::123456789012:root".to_string(),
859 user_id: "AIDAROOT".to_string(),
860 account_id: "123456789012".to_string(),
861 principal_type: PrincipalType::Root,
862 source_identity: None,
863 tags: None,
864 };
865 assert!(p.is_root());
866
867 let user = Principal {
868 arn: "arn:aws:iam::123456789012:user/alice".to_string(),
869 user_id: "AIDAALICE".to_string(),
870 account_id: "123456789012".to_string(),
871 principal_type: PrincipalType::User,
872 source_identity: None,
873 tags: None,
874 };
875 assert!(!user.is_root());
876 }
877
878 #[test]
879 fn resolved_credential_accessors_forward_to_principal() {
880 let rc = ResolvedCredential {
881 secret_access_key: "s".into(),
882 session_token: None,
883 principal: Principal {
884 arn: "arn:aws:iam::123456789012:user/alice".into(),
885 user_id: "AIDAALICE".into(),
886 account_id: "123456789012".into(),
887 principal_type: PrincipalType::User,
888 source_identity: None,
889 tags: None,
890 },
891 session_policies: Vec::new(),
892 mfa_present: false,
893 token_issued_at: None,
894 federated_provider: None,
895 };
896 assert_eq!(rc.principal_arn(), "arn:aws:iam::123456789012:user/alice");
897 assert_eq!(rc.user_id(), "AIDAALICE");
898 assert_eq!(rc.account_id(), "123456789012");
899 }
900
901 #[test]
902 fn root_bypass_rejects_non_test_keys() {
903 assert!(!is_root_bypass(""));
904 assert!(!is_root_bypass(" "));
905 assert!(!is_root_bypass("AKIAIOSFODNN7EXAMPLE"));
906 assert!(!is_root_bypass("FKIA123456"));
907 assert!(!is_root_bypass("tes"));
908 assert!(!is_root_bypass("tst"));
909 }
910
911 // --- MultiResourcePolicyProvider composite -------------------------
912
913 /// Test provider that returns a canned document for one
914 /// (service, arn) pair and `None` for everything else.
915 struct FakeProvider {
916 service: &'static str,
917 arn: &'static str,
918 policy: &'static str,
919 }
920
921 impl ResourcePolicyProvider for FakeProvider {
922 fn resource_policy(&self, service: &str, resource_arn: &str) -> Option<String> {
923 if service.eq_ignore_ascii_case(self.service) && resource_arn == self.arn {
924 Some(self.policy.to_string())
925 } else {
926 None
927 }
928 }
929 }
930
931 fn fake(
932 service: &'static str,
933 arn: &'static str,
934 policy: &'static str,
935 ) -> Arc<dyn ResourcePolicyProvider> {
936 Arc::new(FakeProvider {
937 service,
938 arn,
939 policy,
940 })
941 }
942
943 #[test]
944 fn multi_provider_empty_always_returns_none() {
945 let m = MultiResourcePolicyProvider::new(vec![]);
946 assert!(m.is_empty());
947 assert_eq!(m.len(), 0);
948 assert_eq!(m.resource_policy("s3", "arn:aws:s3:::x"), None);
949 }
950
951 #[test]
952 fn multi_provider_delegates_to_single_child() {
953 let m = MultiResourcePolicyProvider::new(vec![fake("s3", "arn:aws:s3:::b", r#"{"v":1}"#)]);
954 assert_eq!(m.len(), 1);
955 assert_eq!(
956 m.resource_policy("s3", "arn:aws:s3:::b").as_deref(),
957 Some(r#"{"v":1}"#)
958 );
959 assert_eq!(m.resource_policy("s3", "arn:aws:s3:::missing"), None);
960 assert_eq!(m.resource_policy("sns", "arn:aws:s3:::b"), None);
961 }
962
963 #[test]
964 fn multi_provider_hits_first_matching_child() {
965 let m = MultiResourcePolicyProvider::new(vec![
966 fake("s3", "arn:aws:s3:::b", r#"{"v":"s3"}"#),
967 fake("sns", "arn:aws:sns:us-east-1:123:t", r#"{"v":"sns"}"#),
968 ]);
969 assert_eq!(
970 m.resource_policy("s3", "arn:aws:s3:::b").as_deref(),
971 Some(r#"{"v":"s3"}"#)
972 );
973 assert_eq!(
974 m.resource_policy("sns", "arn:aws:sns:us-east-1:123:t")
975 .as_deref(),
976 Some(r#"{"v":"sns"}"#)
977 );
978 }
979
980 #[test]
981 fn multi_provider_is_order_independent_when_services_differ() {
982 // Because each concrete provider gates on its own service
983 // prefix, swapping the order must never change the result.
984 let children: Vec<Arc<dyn ResourcePolicyProvider>> = vec![
985 fake("s3", "arn:aws:s3:::b", "s3-doc"),
986 fake("sns", "arn:aws:sns:us-east-1:123:t", "sns-doc"),
987 fake(
988 "lambda",
989 "arn:aws:lambda:us-east-1:123:function:f",
990 "lam-doc",
991 ),
992 ];
993 let forward = MultiResourcePolicyProvider::new(children.clone());
994 let reversed = MultiResourcePolicyProvider::new({
995 let mut v = children.clone();
996 v.reverse();
997 v
998 });
999 for (svc, arn) in [
1000 ("s3", "arn:aws:s3:::b"),
1001 ("sns", "arn:aws:sns:us-east-1:123:t"),
1002 ("lambda", "arn:aws:lambda:us-east-1:123:function:f"),
1003 ] {
1004 assert_eq!(
1005 forward.resource_policy(svc, arn),
1006 reversed.resource_policy(svc, arn),
1007 "service {svc}"
1008 );
1009 }
1010 }
1011
1012 #[test]
1013 fn multi_provider_returns_none_for_unhandled_service() {
1014 let m = MultiResourcePolicyProvider::new(vec![fake("s3", "arn:aws:s3:::b", "doc")]);
1015 assert_eq!(
1016 m.resource_policy("kms", "arn:aws:kms:us-east-1:123:key/k"),
1017 None
1018 );
1019 assert_eq!(m.resource_policy("iam", "arn:aws:iam::123:role/r"), None);
1020 }
1021
1022 #[test]
1023 fn multi_provider_shared_wraps_in_arc() {
1024 let arc = MultiResourcePolicyProvider::shared(vec![fake("s3", "arn:aws:s3:::b", "doc")]);
1025 assert_eq!(
1026 arc.resource_policy("s3", "arn:aws:s3:::b").as_deref(),
1027 Some("doc")
1028 );
1029 }
1030
1031 // --- ABAC tag condition key lookup ------------------------------------
1032
1033 #[test]
1034 fn lookup_mfa_present_emits_bool_string() {
1035 let ctx = ConditionContext {
1036 aws_mfa_present: Some(true),
1037 ..Default::default()
1038 };
1039 assert_eq!(
1040 ctx.lookup("aws:MultiFactorAuthPresent"),
1041 Some(vec!["true".to_string()])
1042 );
1043 let ctx = ConditionContext {
1044 aws_mfa_present: Some(false),
1045 ..Default::default()
1046 };
1047 assert_eq!(
1048 ctx.lookup("aws:multifactorauthpresent"),
1049 Some(vec!["false".to_string()])
1050 );
1051 }
1052
1053 #[test]
1054 fn lookup_mfa_age_emits_seconds() {
1055 let ctx = ConditionContext {
1056 aws_mfa_age_seconds: Some(900),
1057 ..Default::default()
1058 };
1059 assert_eq!(
1060 ctx.lookup("aws:MultiFactorAuthAge"),
1061 Some(vec!["900".to_string()])
1062 );
1063 }
1064
1065 #[test]
1066 fn lookup_called_via_returns_full_chain() {
1067 let ctx = ConditionContext {
1068 aws_called_via: vec![
1069 "cloudformation.amazonaws.com".to_string(),
1070 "lambda.amazonaws.com".to_string(),
1071 ],
1072 ..Default::default()
1073 };
1074 assert_eq!(
1075 ctx.lookup("aws:CalledVia"),
1076 Some(vec![
1077 "cloudformation.amazonaws.com".to_string(),
1078 "lambda.amazonaws.com".to_string(),
1079 ])
1080 );
1081 }
1082
1083 #[test]
1084 fn lookup_called_via_empty_returns_none() {
1085 let ctx = ConditionContext::default();
1086 assert_eq!(ctx.lookup("aws:CalledVia"), None);
1087 }
1088
1089 #[test]
1090 fn lookup_source_vpc_keys() {
1091 let ctx = ConditionContext {
1092 aws_source_vpc: Some("vpc-123".to_string()),
1093 aws_source_vpce: Some("vpce-456".to_string()),
1094 aws_vpc_source_ip: Some("10.0.1.5".parse::<IpAddr>().unwrap()),
1095 ..Default::default()
1096 };
1097 assert_eq!(
1098 ctx.lookup("aws:SourceVpc"),
1099 Some(vec!["vpc-123".to_string()])
1100 );
1101 assert_eq!(
1102 ctx.lookup("aws:SourceVpce"),
1103 Some(vec!["vpce-456".to_string()])
1104 );
1105 assert_eq!(
1106 ctx.lookup("aws:VpcSourceIp"),
1107 Some(vec!["10.0.1.5".to_string()])
1108 );
1109 }
1110
1111 #[test]
1112 fn lookup_federated_provider_and_token_issue_time() {
1113 use chrono::TimeZone;
1114 let ctx = ConditionContext {
1115 aws_federated_provider: Some("cognito-identity.amazonaws.com".to_string()),
1116 aws_token_issue_time: Some(
1117 chrono::Utc.with_ymd_and_hms(2026, 4, 30, 12, 0, 0).unwrap(),
1118 ),
1119 ..Default::default()
1120 };
1121 assert_eq!(
1122 ctx.lookup("aws:FederatedProvider"),
1123 Some(vec!["cognito-identity.amazonaws.com".to_string()])
1124 );
1125 assert_eq!(
1126 ctx.lookup("aws:TokenIssueTime"),
1127 Some(vec!["2026-04-30T12:00:00Z".to_string()])
1128 );
1129 }
1130
1131 fn abac_context() -> ConditionContext {
1132 ConditionContext {
1133 resource_tags: Some(
1134 [("Environment", "prod"), ("CostCenter", "42")]
1135 .iter()
1136 .map(|(k, v)| (k.to_string(), v.to_string()))
1137 .collect(),
1138 ),
1139 request_tags: Some(
1140 [("Project", "web"), ("Team", "platform")]
1141 .iter()
1142 .map(|(k, v)| (k.to_string(), v.to_string()))
1143 .collect(),
1144 ),
1145 principal_tags: Some(
1146 [("Department", "eng"), ("Role", "developer")]
1147 .iter()
1148 .map(|(k, v)| (k.to_string(), v.to_string()))
1149 .collect(),
1150 ),
1151 ..Default::default()
1152 }
1153 }
1154
1155 #[test]
1156 fn lookup_resource_tag_case_sensitive_key() {
1157 let ctx = abac_context();
1158 assert_eq!(
1159 ctx.lookup("aws:ResourceTag/Environment"),
1160 Some(vec!["prod".to_string()])
1161 );
1162 // Different case -> different tag key -> None
1163 assert_eq!(ctx.lookup("aws:ResourceTag/environment"), None);
1164 }
1165
1166 #[test]
1167 fn lookup_resource_tag_prefix_case_insensitive() {
1168 let ctx = abac_context();
1169 // Prefix is case-insensitive per AWS
1170 assert_eq!(
1171 ctx.lookup("AWS:resourcetag/Environment"),
1172 Some(vec!["prod".to_string()])
1173 );
1174 assert_eq!(
1175 ctx.lookup("Aws:RESOURCETAG/CostCenter"),
1176 Some(vec!["42".to_string()])
1177 );
1178 }
1179
1180 #[test]
1181 fn lookup_request_tag() {
1182 let ctx = abac_context();
1183 assert_eq!(
1184 ctx.lookup("aws:RequestTag/Project"),
1185 Some(vec!["web".to_string()])
1186 );
1187 assert_eq!(ctx.lookup("aws:RequestTag/project"), None);
1188 }
1189
1190 #[test]
1191 fn lookup_principal_tag() {
1192 let ctx = abac_context();
1193 assert_eq!(
1194 ctx.lookup("aws:PrincipalTag/Department"),
1195 Some(vec!["eng".to_string()])
1196 );
1197 assert_eq!(ctx.lookup("aws:PrincipalTag/department"), None);
1198 }
1199
1200 #[test]
1201 fn lookup_tag_keys_returns_all_request_tag_keys() {
1202 let ctx = abac_context();
1203 let mut keys = ctx.lookup("aws:TagKeys").unwrap();
1204 keys.sort();
1205 assert_eq!(keys, vec!["Project", "Team"]);
1206 }
1207
1208 #[test]
1209 fn lookup_tag_keys_case_insensitive() {
1210 let ctx = abac_context();
1211 assert!(ctx.lookup("AWS:TAGKEYS").is_some());
1212 assert!(ctx.lookup("aws:tagkeys").is_some());
1213 }
1214
1215 #[test]
1216 fn lookup_tag_none_when_field_not_set() {
1217 let ctx = ConditionContext::default();
1218 assert_eq!(ctx.lookup("aws:ResourceTag/Foo"), None);
1219 assert_eq!(ctx.lookup("aws:RequestTag/Foo"), None);
1220 assert_eq!(ctx.lookup("aws:PrincipalTag/Foo"), None);
1221 assert_eq!(ctx.lookup("aws:TagKeys"), None);
1222 }
1223
1224 #[test]
1225 fn lookup_tag_missing_key_returns_none() {
1226 let ctx = abac_context();
1227 assert_eq!(ctx.lookup("aws:ResourceTag/NonExistent"), None);
1228 assert_eq!(ctx.lookup("aws:RequestTag/NonExistent"), None);
1229 assert_eq!(ctx.lookup("aws:PrincipalTag/NonExistent"), None);
1230 }
1231}