This repository has been archived by the owner on Sep 3, 2024. It is now read-only.

[RM-5934] Remove buckets_with_valid_policies #186

Merged: 1 commit, Sep 7, 2021

Conversation

jaspervdj-luminal (Member)

`policy_document_ref_or_json_string` is meant to decide whether or not a policy
document is valid. However, there was a bug in this function, resulting in all
inputs being treated as valid if a single policy data document exists.

However, this is only used in `s3_library.buckets_with_valid_policies`, which is
a bit of an antipattern: it first checks which buckets only have valid (valid
as in well-formatted JSON) policies, and then uses these in whatever rule.

It is much better to just iterate over all buckets and policy pairs, and discard
only the invalid ones. That way a single invalid policy doesn't cause our
system to skip the other policies.

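The two evaluation strategies contrasted in the description, as an added example that is not part of this pull request or of the library it modifies (the real library is written in Rego; this Python model only reproduces the behaviour the description attributes to it). The bucket inventory, the function names and the shape of a "policy document" (a dict carrying a `Ref` key, or a JSON string that must parse to an object) are all constructed assumptions:

```python
import json

# Constructed sample inventory (hypothetical shape, not the project's own data).
# Each bucket maps to its list of policy documents; a document is either a
# reference (dict with a "Ref" key) or a JSON string that should parse to an object.
BUCKETS = {
    "logs": [{"Ref": "LogsBucketPolicy"}],
    "data": ['{"Statement": [{"Effect": "Allow"}]}', "{not json"],
    "public": ['{"Statement": [{"Effect": "Allow", "Principal": "*"}]}'],
}


def policy_document_is_valid(doc):
    """Correct check: a reference, or a JSON string that decodes to an object."""
    if isinstance(doc, dict) and "Ref" in doc:
        return True
    if isinstance(doc, str):
        try:
            return isinstance(json.loads(doc), dict)
        except json.JSONDecodeError:
            return False
    return False


def all_documents(buckets):
    """Every policy document in the inventory, regardless of bucket."""
    return [doc for docs in buckets.values() for doc in docs]


def make_buggy_validator(buckets):
    """Models the defect described in the PR: the check never looks at the
    document it was given and succeeds as soon as any valid document exists."""
    docs = all_documents(buckets)

    def buggy_policy_document_is_valid(_doc):
        return any(policy_document_is_valid(d) for d in docs)

    return buggy_policy_document_is_valid


def buckets_with_valid_policies(buckets, is_valid):
    """Pre-filter antipattern: a bucket survives only if every one of its
    policies is valid, so one malformed policy hides the bucket's good ones."""
    return {
        name for name, docs in buckets.items() if all(is_valid(d) for d in docs)
    }


def valid_bucket_policy_pairs(buckets, is_valid):
    """Replacement strategy: walk every (bucket, policy) pair and drop only the
    pairs whose policy is invalid; the bucket's other policies are still seen."""
    return [
        (name, doc)
        for name, docs in buckets.items()
        for doc in docs
        if is_valid(doc)
    ]


if __name__ == "__main__":
    print("pre-filter, correct check:", buckets_with_valid_policies(BUCKETS, policy_document_is_valid))
    print("pre-filter, buggy check:  ", buckets_with_valid_policies(BUCKETS, make_buggy_validator(BUCKETS)))
    print("pairs, correct check:     ", [b for b, _ in valid_bucket_policy_pairs(BUCKETS, policy_document_is_valid)])
    print("pairs, buggy check:       ", len(valid_bucket_policy_pairs(BUCKETS, make_buggy_validator(BUCKETS))))
```

With the correct check, the pre-filter drops the `data` bucket entirely because of its one unparseable policy, so the rule never sees the well-formed policy that sits next to it; the pair-wise walk keeps that policy and discards only the broken one. With the buggy check, both strategies accept everything, and the malformed string reaches whatever rule consumes the pairs, which is why the check and its only caller were worth removing together.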
@jason-fugue jason-fugue merged commit 2f1381e into master Sep 7, 2021
@jason-fugue jason-fugue deleted the feature/RM-5934/buckets-with-valid-policies branch September 7, 2021 19:50
2 participants