From 6d34a80d3cfcb840dbd0f564b384a30aa3b5bb54 Mon Sep 17 00:00:00 2001 From: "Maximilian Blatt (external expert on behalf of DB Netz)" Date: Thu, 22 Jun 2023 16:06:24 +0200 Subject: [PATCH] fix(iam): Decode policy document before parsing Signed-off-by: Maximilian Blatt (external expert on behalf of DB Netz) (cherry picked from commit 58341a021e5c4e826819886abc2a31e3242d3169) --- pkg/clients/iam/policy.go | 7 +++- pkg/controller/iam/policy/controller_test.go | 37 +++++++++++++++++++- 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/pkg/clients/iam/policy.go b/pkg/clients/iam/policy.go index d0c41e7fec..c29a3fe86a 100644 --- a/pkg/clients/iam/policy.go +++ b/pkg/clients/iam/policy.go @@ -2,6 +2,7 @@ package iam import ( "context" + "net/url" "github.com/crossplane-contrib/provider-aws/apis/iam/v1beta1" @@ -49,7 +50,11 @@ func IsPolicyUpToDate(in v1beta1.PolicyParameters, policy iamtypes.PolicyVersion return false, "", nil } - externpolicy, err := policyutils.ParsePolicyString(externalPolicyRaw) + unescapedPolicy, err := url.QueryUnescape(aws.ToString(policy.Document)) + if err != nil { + return false, "", err + } + externpolicy, err := policyutils.ParsePolicyString(unescapedPolicy) if err != nil { return false, "", err } diff --git a/pkg/controller/iam/policy/controller_test.go b/pkg/controller/iam/policy/controller_test.go index 7b9415c979..09836914c1 100644 --- a/pkg/controller/iam/policy/controller_test.go +++ b/pkg/controller/iam/policy/controller_test.go @@ -18,6 +18,7 @@ package policy import ( "context" + "net/url" "testing" @@ -61,7 +62,8 @@ var ( } ] }` - boolFalse = false + documentURLEscaped = url.QueryEscape(document) + boolFalse = false errBoom = errors.New("boom") @@ -209,6 +211,39 @@ func TestObserve(t *testing.T) { }, }, }, + "SuccessfulURLEscapedPolicy": { + args: args{ + iam: &fake.MockPolicyClient{ + MockGetPolicy: func(ctx context.Context, input *awsiam.GetPolicyInput, opts []func(*awsiam.Options)) (*awsiam.GetPolicyOutput, error) { + return &awsiam.GetPolicyOutput{ + Policy: &awsiamtypes.Policy{}, + }, nil + }, + MockGetPolicyVersion: func(ctx context.Context, input *awsiam.GetPolicyVersionInput, opts []func(*awsiam.Options)) (*awsiam.GetPolicyVersionOutput, error) { + return &awsiam.GetPolicyVersionOutput{ + PolicyVersion: &awsiamtypes.PolicyVersion{ + Document: &documentURLEscaped, + }, + }, nil + }, + }, + cr: policy(withSpec(v1beta1.PolicyParameters{ + Document: document, + Name: name, + }), withExternalName(policyArn)), + }, + want: want{ + cr: policy(withSpec(v1beta1.PolicyParameters{ + Document: document, + Name: name, + }), withExternalName(policyArn), + withConditions(xpv1.Available())), + result: managed.ExternalObservation{ + ResourceExists: true, + ResourceUpToDate: true, + }, + }, + }, "InValidInput": { args: args{ cr: unexpectedItem,