

fix(dynamodb): missing grantRead for ConditionCheckItem (#12313)
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
hoegertn committed Jan 8, 2021
1 parent 6d1d3c9 commit e157007
Showing 10 changed files with 26 additions and 6 deletions.
Expand Up @@ -675,6 +675,7 @@
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
Expand Up @@ -81,6 +81,7 @@
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
Expand Up @@ -64,6 +64,7 @@
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
Expand Up @@ -93,6 +93,7 @@
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
Expand Up @@ -63,6 +63,7 @@
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
Expand Up @@ -141,6 +141,7 @@
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
Expand Down Expand Up @@ -227,6 +228,7 @@
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
Expand Down Expand Up @@ -324,6 +326,7 @@
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
1 change: 1 addition & 0 deletions packages/@aws-cdk/aws-dynamodb/lib/perms.ts
Expand Up @@ -5,6 +5,7 @@ export const READ_DATA_ACTIONS = [
'dynamodb:Query',
'dynamodb:GetItem',
'dynamodb:Scan',
'dynamodb:ConditionCheckItem',
];
export const KEY_READ_ACTIONS = [
'kms:Decrypt',
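Review bot: The new `'dynamodb:ConditionCheckItem'` entry in READ_DATA_ACTIONS has no comment, so a reader auditing the grant set cannot tell why a read grant carries an action that is only exercised as the ConditionCheck element of a TransactWriteItems call. Suggest `// ConditionCheckItem only reads the item (TransactWriteItems ConditionCheck); it belongs with the read actions.` above the new line. Because READ_DATA_ACTIONS also feeds grantReadWriteData (the test expectations in this commit show both grants gaining the action), every existing caller's generated policy widens by one action; that is worth one sentence in the commit description so users who diff policies against permission boundaries or SCPs are not surprised. The array's opening line is outside the hunk.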
11 changes: 9 additions & 2 deletions packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts
Expand Up @@ -765,6 +765,7 @@ test('if an encryption key is included, encrypt/decrypt permissions are also add
'dynamodb:Query',
'dynamodb:GetItem',
'dynamodb:Scan',
'dynamodb:ConditionCheckItem',
'dynamodb:BatchWriteItem',
'dynamodb:PutItem',
'dynamodb:UpdateItem',
Expand Down Expand Up @@ -1837,7 +1838,7 @@ describe('grants', () => {

test('"grantReadData" allows the principal to read data from the table', () => {
testGrant(
['BatchGetItem', 'GetRecords', 'GetShardIterator', 'Query', 'GetItem', 'Scan'], (p, t) => t.grantReadData(p));
['BatchGetItem', 'GetRecords', 'GetShardIterator', 'Query', 'GetItem', 'Scan', 'ConditionCheckItem'], (p, t) => t.grantReadData(p));
});

test('"grantWriteData" allows the principal to write data to the table', () => {
Expand All @@ -1848,7 +1849,7 @@ describe('grants', () => {
test('"grantReadWriteData" allows the principal to read/write data', () => {
testGrant([
'BatchGetItem', 'GetRecords', 'GetShardIterator', 'Query', 'GetItem', 'Scan',
'BatchWriteItem', 'PutItem', 'UpdateItem', 'DeleteItem',
'ConditionCheckItem', 'BatchWriteItem', 'PutItem', 'UpdateItem', 'DeleteItem',
], (p, t) => t.grantReadWriteData(p));
});

Expand Down Expand Up @@ -2009,6 +2010,7 @@ describe('grants', () => {
'dynamodb:Query',
'dynamodb:GetItem',
'dynamodb:Scan',
'dynamodb:ConditionCheckItem',
],
'Effect': 'Allow',
'Resource': [
Expand Down Expand Up @@ -2160,6 +2162,7 @@ describe('import', () => {
'dynamodb:Query',
'dynamodb:GetItem',
'dynamodb:Scan',
'dynamodb:ConditionCheckItem',
],
'Effect': 'Allow',
'Resource': [
Expand Down Expand Up @@ -2201,6 +2204,7 @@ describe('import', () => {
'dynamodb:Query',
'dynamodb:GetItem',
'dynamodb:Scan',
'dynamodb:ConditionCheckItem',
'dynamodb:BatchWriteItem',
'dynamodb:PutItem',
'dynamodb:UpdateItem',
Expand Down Expand Up @@ -2346,6 +2350,7 @@ describe('import', () => {
'dynamodb:Query',
'dynamodb:GetItem',
'dynamodb:Scan',
'dynamodb:ConditionCheckItem',
],
Resource: [
{
Expand Down Expand Up @@ -2479,6 +2484,7 @@ describe('global', () => {
'dynamodb:Query',
'dynamodb:GetItem',
'dynamodb:Scan',
'dynamodb:ConditionCheckItem',
],
Effect: 'Allow',
Resource: [
Expand Down Expand Up @@ -2632,6 +2638,7 @@ describe('global', () => {
'dynamodb:Query',
'dynamodb:GetItem',
'dynamodb:Scan',
'dynamodb:ConditionCheckItem',
],
Effect: 'Allow',
Resource: [
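Review bot: In the grantReadWriteData test, `'ConditionCheckItem'` is placed at the start of the line that otherwise holds only the write actions (`'ConditionCheckItem', 'BatchWriteItem', 'PutItem', 'UpdateItem', 'DeleteItem',`), so it reads as a write permission even though the commit adds it to the read set; moving it to the end of the preceding read-actions line keeps the expected list grouped the same way perms.ts is. The updated grantReadData test keeps its whole expected array on one very long line, while the sibling test two cases below wraps the array across lines; wrapping it the same way would make future additions diff cleanly. Both assertions are expected-list checks whose helper testGrant is defined outside the hunk.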
Expand Up @@ -386,7 +386,8 @@
"dynamodb:GetShardIterator",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan"
"dynamodb:Scan",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
Expand All @@ -408,7 +409,8 @@
"dynamodb:GetShardIterator",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan"
"dynamodb:Scan",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
Expand Up @@ -544,7 +544,8 @@
"dynamodb:GetShardIterator",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan"
"dynamodb:Scan",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
Expand Down Expand Up @@ -579,7 +580,8 @@
"dynamodb:GetShardIterator",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan"
"dynamodb:Scan",
"dynamodb:ConditionCheckItem"
],
"Effect": "Allow",
"Resource": [
