fix(resourcebasedstatement): check principalType when is undefined

this affects matchPrincipals and matchNotPrincipals fix #42
roggervalf · Apr 9, 2021 · 34ce2f4 · 34ce2f4
1 parent 8bbc412
commit 34ce2f4
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 6 deletions.
diff --git a/src/ResourceBasedPolicy.test.ts b/src/ResourceBasedPolicy.test.ts
@@ -208,6 +208,33 @@ describe('ResourceBasedPolicy Class', () => {
         })
       ).toBe(false);
     });
+
+    describe('when there is not a matched principalType', () => {
+      it('returns false', () => {
+        const resourceBasedPolicy = new ResourceBasedPolicy({
+          statements: [
+            {
+              action: '*',
+              resource: '*',
+              principal: {
+                a: '*',
+                b: '*',
+                c: '*'
+              }
+            }
+          ]
+        });
+
+        expect(
+          resourceBasedPolicy.evaluate({
+            action: 'read',
+            resource: 'secrets:ultraSecret',
+            principal: 'secret',
+            principalType: 'd'
+          })
+        ).toBe(false);
+      });
+    });
   });
 
   describe('when match not principal', () => {
@@ -258,6 +285,34 @@ describe('ResourceBasedPolicy Class', () => {
         })
       ).toBe(true);
     });
+
+    describe('when there is not a matched principalType', () => {
+      it('returns false', () => {
+        const resourceBasedPolicy = new ResourceBasedPolicy({
+          statements: [
+            {
+              action: '*',
+              resource: '*',
+              notPrincipal: {
+                a: '*',
+                b: '*',
+                c: '*'
+              }
+            }
+          ],
+          context: {}
+        });
+
+        expect(
+          resourceBasedPolicy.evaluate({
+            action: 'read',
+            resource: 'secrets:ultraSecret',
+            principal: 'secret',
+            principalType: 'd'
+          })
+        ).toBe(true);
+      });
+    });
   });
 
   describe('when match actions', () => {

diff --git a/src/ResourceBasedStatement.ts b/src/ResourceBasedStatement.ts
@@ -182,10 +182,12 @@ class ResourceBased<T extends object> extends Statement<T> {
             return principalValues.some((a) =>
               new Matcher(applyContext(a, context)).match(principal)
             );
+          } else if (principalValues) {
+            return new Matcher(applyContext(principalValues, context)).match(
+              principal
+            );
           }
-          return new Matcher(applyContext(principalValues, context)).match(
-            principal
-          );
+          return false;
         }
         return false;
       }
@@ -212,10 +214,12 @@ class ResourceBased<T extends object> extends Statement<T> {
             return !principalValues.some((a) =>
               new Matcher(applyContext(a, context)).match(principal)
             );
+          } else if (principalValues) {
+            return !new Matcher(applyContext(principalValues, context)).match(
+              principal
+            );
           }
-          return !new Matcher(applyContext(principalValues, context)).match(
-            principal
-          );
+          return true;
         }
         return true;
       }