Merge pull request #15 from tilfin/feature/policy-v2

Policy definition V2
tilfin · Jul 13, 2019 · 0f4f1c5 · 0f4f1c5
2 parents 18c4b9d + 3fb924d
commit 0f4f1c5
Show file tree

Hide file tree

Showing 31 changed files with 421 additions and 162 deletions.
diff --git a/README.md b/README.md
@@ -61,23 +61,32 @@ A filename minus the extension (.json) decides the policy name.
 
 ```json
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "s3:PutObject",
-                "s3:GetObject",
-                "s3:DeleteObject"
-            ],
-            "Resource": "arn:aws:s3:::yourapp-storage-ENV/*"
-        }
-    ]
+    "Policy": {
+        "PolicyName": "yourapp-s3-storage-ENV",
+        "Path": "/"
+    },
+    "Documen": {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "s3:PutObject",
+                    "s3:GetObject",
+                    "s3:DeleteObject"
+                ],
+                "Resource": "arn:aws:s3:::yourapp-storage-ENV/*"
+            }
+        ]
+    }
 }
 ```
 
 See an [example](example) of *Role* and *Policy* definitions.
 
+If you encounter `[WARN] policy-file.json : This policy definition is old version.` message, upgrade your policy definition files to new version. 
+There is [example/upgrade_policy.js](example/upgrade_policy.js) for the conversion script.
+
 ## Install
 
 * Require Node.js 8.10 or later

diff --git a/example/policies/bar-logs-lambda-ENV.json b/example/policies/bar-logs-lambda-ENV.json
diff --git a/example/policies/bar-logs-lambda.json b/example/policies/bar-logs-lambda.json
@@ -0,0 +1,20 @@
+{
+    "Policy": {
+        "PolicyName": "bar-logs-lambda-ENV",
+        "Path": "/"
+    },
+    "Document": {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Action": [
+                    "logs:CreateLogGroup",
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents"
+                ],
+                "Effect": "Allow",
+                "Resource": "arn:aws:logs:*:*:*"
+            }
+        ]
+    }
+}
diff --git a/example/policies/baz-dynamodb-items-ENV.json b/example/policies/baz-dynamodb-items-ENV.json
diff --git a/example/policies/baz-dynamodb-items.json b/example/policies/baz-dynamodb-items.json
@@ -0,0 +1,24 @@
+{
+    "Policy": {
+        "PolicyName": "baz-dynamodb-items-ENV",
+        "Path": "/"
+    },
+    "Document": {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "dynamodb:BatchGetItem",
+                    "dynamodb:BatchWriteItem",
+                    "dynamodb:DescribeStream",
+                    "dynamodb:ListStreams",
+                    "dynamodb:PutItem",
+                    "dynamodb:Query",
+                    "dynamodb:UpdateItem"
+                ],
+                "Resource": "arn:aws:dynamodb:ap-northeast-1:ACCOUNT_ID:table/baz-items-ENV"
+            }
+        ]
+    }
+}
diff --git a/example/policies/foo-s3-logs-ENV.json b/example/policies/foo-s3-logs-ENV.json
diff --git a/example/policies/foo-s3-logs.json b/example/policies/foo-s3-logs.json
@@ -0,0 +1,20 @@
+{
+    "Policy": {
+        "PolicyName": "foo-s3-logs-ENV",
+        "Path": "/"
+    },
+    "Document": {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "s3:PutObject",
+                    "s3:GetObject",
+                    "s3:DeleteObject"
+                ],
+                "Resource": "arn:aws:s3:::foo-s3-logs-ENV-ACCOUNT_ID/*"
+            }
+        ]
+    }
+}
diff --git a/example/policies/foo-s3-storage-ENV.json b/example/policies/foo-s3-storage-ENV.json
diff --git a/example/policies/foo-s3-storage.json b/example/policies/foo-s3-storage.json
@@ -0,0 +1,20 @@
+{
+    "Policy": {
+        "PolicyName": "foo-s3-storage-ENV",
+        "Path": "/"
+    },
+    "Document": {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": [
+                    "s3:PutObject",
+                    "s3:GetObject",
+                    "s3:DeleteObject"
+                ],
+                "Resource": "arn:aws:s3:::foo-s3-storage-ENV-ACCOUNT_ID/*"
+            }
+        ]
+    }
+}
diff --git a/example/upgrade_policy.js b/example/upgrade_policy.js
@@ -0,0 +1,52 @@
+#!/usr/bin/env
+
+const fs = require('fs');
+const path = require('path');
+
+async function readJSONFile(filePath) {
+  return new Promise((resolve, reject) => {
+    fs.readFile(filePath, 'utf8', (err, text) => {
+      if (err) reject(err)
+      else resolve(JSON.parse(text))
+    })
+  })
+}
+
+async function writeJSONFile(filePath, content) {
+  const json = JSON.stringify(content, null, 4)
+  return new Promise((resolve, reject) => {
+    fs.writeFile(filePath, json, function(err) {
+      if (err) reject(err)
+      else resolve()
+    })
+  })
+}
+
+;(async () => {
+  const filePath = process.argv[2]
+  if (!filePath) {
+    console.log('Usage) node upgrade_policy.js <policy JSON file>')
+    process.exit(2)
+    return
+  }
+
+  const document = await readJSONFile(filePath)
+  if (document.Document) {
+    console.warn('[WARN] %s : This policy definition is already new version.', filePath)
+    process.exit(3)
+    return
+  }
+
+  const newDoc = {
+    Policy: {
+      PolicyName: path.basename(filePath, '.json'),
+      Path: '/'
+    },
+    Document: document
+  }
+  await writeJSONFile(filePath, newDoc)
+})()
+.catch(err => {
+  console.error(err)
+  process.exit(1)
+})
diff --git a/src/aws/file_reader.ts b/src/aws/file_reader.ts
@@ -1,7 +1,7 @@
 import path from 'path'
 import { readFile } from '../utils/file'
 import { substitute, parseJSON } from '../utils/varset'
-import { PolicyEntry } from './policy'
+import { PolicyEntry, PolicyDocumentNode, PolicyNode } from './policy'
 import { ArnType } from './operation'
 import { RoleEntry, RoleDocument } from './role'
 
@@ -28,11 +28,35 @@ export async function readPolicyFile(
   let name = ''
   try {
     name = path.basename(filePath, '.json')
+    name = substitute(name, varSet)
+
     const text = await readFile(filePath)
-    return new PolicyEntry(
-      arnPrefix + '/' + substitute(name, varSet),
-      parseJSON(text, varSet)
-    )
+    const rawJson: any = parseJSON(text, varSet)
+
+    let arn: ArnType
+    let policyInfo: PolicyNode
+    let docNode: PolicyDocumentNode
+    if (rawJson.Document) {
+      // V2
+      const { Policy: policy } = rawJson
+      arn = arnPrefix + policy.Path + policy.PolicyName
+      policyInfo = {
+        PolicyName: policy.PolicyName,
+        Path: policy.Path,
+      }
+      docNode = rawJson.Document
+    } else {
+      // V1
+      arn = arnPrefix + '/' + substitute(name, varSet)
+      policyInfo = {
+        PolicyName: substitute(name, varSet),
+        Path: '/',
+      }
+      docNode = rawJson
+      console.warn('[WARN] %s : This policy definition is old version.', path.basename(filePath))
+    }
+
+    return new PolicyEntry(arn, policyInfo, docNode)
   } catch (err) {
     console.error(`Failed to read ${name}`)
     throw err

diff --git a/src/aws/operation.ts b/src/aws/operation.ts
@@ -56,6 +56,12 @@ export async function listPolicyVersions(
   return data.Versions || []
 }
 
+export async function getPolicy(arn: string): Promise<IAM.Policy> {
+  const params = { PolicyArn: arn }
+  const data = await iam.getPolicy(params).promise()
+  return data.Policy!
+}
+
 export async function getPolicyVersion(
   arn: string,
   verionId: string