This repository has been archived by the owner on Sep 3, 2024. It is now read-only.
[RM-5934] Remove buckets_with_valid_policies #186
Merged
`policy_document_ref_or_json_string` is meant to decide whether or not a policy document is valid. However, there was a bug in this function, resulting in all inputs being treated as valid if a single policy data document exists.

However, this is only used in `s3_library.buckets_with_valid_policies`, which is a bit of an antipattern: it first checks which buckets only have valid (valid as in well-formatted JSON) policies, and then uses these in whatever rule. It is much better to just iterate over all buckets and policy pairs, and discard only the invalid ones. That way a single invalid policy doesn't cause our system to skip the other policies.
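The contrast the description draws, as an added Python illustration that is not the project's code: `parse_policy` is a hypothetical stand-in for `policy_document_ref_or_json_string`, the bucket data and the public-read rule are constructed, and the two generators show why filtering whole buckets first makes a rule silently miss a bucket that has one malformed policy next to a valid one.

```python
import json

# Constructed sample input (not from the PR): bucket name -> policy documents,
# each either an already-parsed dict or a JSON string. "assets" carries one
# well-formed public-read policy and one malformed document.
BUCKETS = {
    "logs": ['{"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*"}]}'],
    "assets": [
        '{"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}',
        '{"Statement": [ this is not JSON',
    ],
    "backup": [{"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*"}]}],
}

def parse_policy(ref_or_json):
    """Hypothetical stand-in for policy_document_ref_or_json_string: the parsed
    document, or None when the value is neither a dict nor JSON for an object."""
    if isinstance(ref_or_json, dict):
        return ref_or_json
    try:
        doc = json.loads(ref_or_json)
    except (TypeError, ValueError):
        return None
    return doc if isinstance(doc, dict) else None

def pairs_from_buckets_with_valid_policies(buckets):
    """The removed pattern: keep only buckets whose policies are ALL valid, then
    yield their policies. One malformed document hides the whole bucket."""
    for name, docs in buckets.items():
        parsed = [parse_policy(d) for d in docs]
        if all(p is not None for p in parsed):
            for p in parsed:
                yield name, p

def all_valid_pairs(buckets):
    """The replacement: every (bucket, policy) pair, dropping only unparseable policies."""
    for name, docs in buckets.items():
        for d in docs:
            doc = parse_policy(d)
            if doc is not None:
                yield name, doc

def public_read_buckets(pairs):
    """Example rule: buckets with a statement that allows Principal '*'."""
    found = set()
    for name, doc in pairs:
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") == "Allow" and stmt.get("Principal") == "*":
                found.add(name)
    return sorted(found)
```

With the filtered-buckets approach the rule reports only `backup`; iterating over pairs also reports `assets`, whose valid public-read policy was previously masked by its malformed sibling.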