
Module condition


IAM policy Condition block evaluation (Phase 2).

Phase 1 of the opt-in IAM enforcement skipped any statement carrying a Condition block. This module implements real evaluation of the 28 operators AWS defines, with IfExists suffix handling and ForAllValues / ForAnyValue qualifiers, against a ConditionContext populated at dispatch time.

§Scope

Implemented operators (authoritative list mirrored from crate::policy_validation):

  • String: StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike
  • Numeric: NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals
  • Date: DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals
  • Boolean: Bool
  • Binary: BinaryEquals
  • IP: IpAddress, NotIpAddress
  • ARN: ArnEquals, ArnNotEquals, ArnLike, ArnNotLike
  • Existence: Null

Plus the ...IfExists suffix and the ForAllValues: / ForAnyValue: qualifiers on every operator.

Implemented global keys:

  • aws:username — populated from the IAM user ARN at dispatch time; absent for assumed-role / federated-user / root principals, matching AWS.
  • aws:userid, set to <role-id>:<RoleSessionName> for assumed-role sessions and to the IAM user’s AIDA... id for IAM users.
  • aws:PrincipalArn, aws:PrincipalAccount, aws:PrincipalType
  • aws:SourceIp — remote-address of the HTTP connection.
  • aws:CurrentTime, aws:EpochTime
  • aws:SecureTransport, aws:RequestedRegion
  • aws:MultiFactorAuthPresent, true iff the underlying STS session was minted with SerialNumber + TokenCode.
  • aws:MultiFactorAuthAge — seconds since the MFA-asserted session was minted; only present when MFA was supplied at mint time.
  • aws:CalledVia — multi-value chain of service principals that re-invoked downstream services on the caller’s behalf.
  • aws:SourceVpc, aws:SourceVpce, aws:VpcSourceIp — populated when the request transited a VPC interface endpoint.
  • aws:FederatedProvider — SAML provider ARN for AssumeRoleWithSAML, OIDC provider ARN (or ProviderId host) for AssumeRoleWithWebIdentity. Absent for IAM user keys, plain AssumeRole, GetSessionToken, GetFederationToken.
  • aws:TokenIssueTime — wall-clock time at which the underlying STS credential was issued. Absent for IAM user access keys.

Service-specific keys (s3:prefix, sqs:MessageAttribute, …) are deferred to a follow-up batch; the ConditionContext::service_keys map is pre-wired so they can land without a signature change.

§Safe-fail semantics

Any unimplemented operator, unknown key, or parse error emits a tracing::debug! on the fakecloud::iam::audit target and causes the operator to evaluate to false — i.e. the statement is treated as not applicable. Silently returning true would let real policies grant access we can’t actually verify, which would defeat the whole opt-in enforcement story.
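The following is an added example, not code from the fakecloud crate. It sketches the three behaviours this module describes in a self-contained form: operator-name parsing (qualifier prefix, IfExists suffix), evaluation of a handful of String operators and Null with ForAllValues / ForAnyValue over a multi-valued key, AND-combination of a block's entries, and the safe-fail rule under which an operator the evaluator does not implement (here IpAddress, purely for illustration) logs and evaluates to false. The function names evaluate_entry and evaluate_condition_block echo the page's names, but their signatures, the Context type and the sample request values are assumptions constructed for this example.

```rust
// Added example, not fakecloud's own code. Assumed types and signatures.
use std::collections::HashMap;

/// Request-time context; multi-valued keys (e.g. aws:CalledVia) carry several values.
type Context = HashMap<String, Vec<String>>;

#[derive(Debug, Clone, Copy, PartialEq)]
enum Qualifier { None, ForAllValues, ForAnyValue }

struct ParsedOp { base: String, if_exists: bool, qualifier: Qualifier }

/// Split "ForAnyValue:StringLikeIfExists" into qualifier, base operator and IfExists flag.
fn parse_operator(name: &str) -> ParsedOp {
    let (qualifier, rest) = if let Some(r) = name.strip_prefix("ForAllValues:") {
        (Qualifier::ForAllValues, r)
    } else if let Some(r) = name.strip_prefix("ForAnyValue:") {
        (Qualifier::ForAnyValue, r)
    } else {
        (Qualifier::None, name)
    };
    let (base, if_exists) = match rest.strip_suffix("IfExists") {
        Some(b) => (b, true),
        None => (rest, false),
    };
    ParsedOp { base: base.to_string(), if_exists, qualifier }
}

/// StringLike-style glob: `*` matches any run of characters, `?` exactly one.
fn glob(pattern: &str, text: &str) -> bool {
    fn go(p: &[char], t: &[char]) -> bool {
        match (p.first(), t.first()) {
            (None, None) => true,
            (Some('*'), _) => go(&p[1..], t) || (!t.is_empty() && go(p, &t[1..])),
            (Some('?'), Some(_)) => go(&p[1..], &t[1..]),
            (Some(a), Some(b)) if a == b => go(&p[1..], &t[1..]),
            _ => false,
        }
    }
    let (p, t): (Vec<char>, Vec<char>) = (pattern.chars().collect(), text.chars().collect());
    go(&p, &t)
}

/// Compare one context value against one policy value. `None` means the operator is
/// not implemented in this example; the caller turns that into a non-match (safe-fail).
fn compare(base: &str, actual: &str, expected: &str) -> Option<bool> {
    Some(match base {
        "StringEquals" => actual == expected,
        "StringNotEquals" => actual != expected,
        "StringEqualsIgnoreCase" => actual.eq_ignore_ascii_case(expected),
        "StringLike" => glob(expected, actual),
        "StringNotLike" => !glob(expected, actual),
        "Bool" => actual.eq_ignore_ascii_case(expected),
        _ => return None,
    })
}

/// Evaluate one condition entry (operator name, key, policy-declared values).
fn evaluate_entry(op_name: &str, key: &str, policy_values: &[&str], ctx: &Context) -> bool {
    let op = parse_operator(op_name);
    // Null: policy value "true" means the key must be absent, "false" that it must be present.
    if op.base == "Null" {
        let want_absent = policy_values.first().map_or(false, |v| v.eq_ignore_ascii_case("true"));
        return ctx.contains_key(key) != want_absent;
    }
    let actual = match ctx.get(key) {
        Some(v) => v,
        // Absent key: IfExists passes, ForAllValues is vacuously true, anything else does not match.
        None => return op.if_exists || op.qualifier == Qualifier::ForAllValues,
    };
    let one = |a: &String| -> bool {
        policy_values.iter().any(|e| match compare(&op.base, a, e) {
            Some(r) => r,
            None => { eprintln!("unimplemented operator {}, treating as no match", op.base); false }
        })
    };
    match op.qualifier {
        Qualifier::ForAllValues => actual.iter().all(one),
        Qualifier::ForAnyValue => actual.iter().any(one),
        Qualifier::None => actual.first().map_or(false, one),
    }
}

/// A Condition block applies only when every entry matches (AND); an empty block always applies.
fn evaluate_condition_block(entries: &[(&str, &str, Vec<&str>)], ctx: &Context) -> bool {
    entries.iter().all(|(op, key, vals)| evaluate_entry(op, key, vals, ctx))
}

/// Constructed sample request context (not real data).
fn sample_context() -> Context {
    let mut ctx = Context::new();
    ctx.insert("aws:PrincipalArn".into(), vec!["arn:aws:iam::123456789012:user/alice".into()]);
    ctx.insert("aws:SecureTransport".into(), vec!["true".into()]);
    ctx.insert("aws:SourceIp".into(), vec!["10.1.2.3".into()]);
    ctx.insert("aws:CalledVia".into(),
        vec!["cloudformation.amazonaws.com".into(), "dynamodb.amazonaws.com".into()]);
    ctx
}

fn main() {
    let ctx = sample_context();
    let block = [("StringLike", "aws:PrincipalArn", vec!["arn:aws:iam::123456789012:user/*"]),
                 ("Bool", "aws:SecureTransport", vec!["true"])];
    println!("block applies: {}", evaluate_condition_block(&block, &ctx));
}
```

Note the asymmetry the example encodes for absent keys: plain operators do not match, IfExists turns the absent case into a match, and ForAllValues is vacuously true over an empty value set, which is why a policy that relies on ForAllValues alone should pair it with a Null check when the key must actually be present.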

Structs§

CompiledCondition
A statement’s fully-parsed Condition block. Multiple entries are combined with AND: every entry must evaluate to true for the statement to apply.
ConditionContext
Re-export of the data type defined in fakecloud-core::auth — see fakecloud_core::auth::ConditionContext for field documentation. The condition operator framework in this module is implemented against this type. Request-time values consulted when a policy statement carries a Condition block. Populated at dispatch time from the resolved Principal and the incoming HTTP request, then handed to IamPolicyEvaluator::evaluate.
ParsedCondition
One parsed entry from a statement’s condition block: the operator, a key, and the policy-declared value list.
ParsedOperatorName
Parsed operator name: the base ConditionOperator, the IfExists flag, and the ForAllValues / ForAnyValue qualifier.

Enums§

ConditionOperator
Base condition operator name (without IfExists suffix or ForAllValues: / ForAnyValue: qualifier).
Qualifier
ForAllValues: / ForAnyValue: qualifier applied to the operator.

Functions§

evaluate_condition_block
Top-level evaluation helper used by the evaluator integration in Batch 2. Returns true iff the block is empty or every entry matches.
evaluate_entry
Evaluate a single condition entry. Convenience entry point used by the evaluator integration in Batch 2 and by unit tests.