Update policy condition definitions (#3779)

* Update condition regex patterns
aws-cloudformation · Oct 21, 2024 · a017a95 · a017a95
1 parent de28d1e
commit a017a95
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 56 deletions.
diff --git a/src/cfnlint/data/schemas/other/iam/policy.json b/src/cfnlint/data/schemas/other/iam/policy.json
@@ -70,76 +70,37 @@
   "Condition": {
    "additionalProperties": false,
    "patternProperties": {
-    "ForAllValues:^(Not)?IpAddress$": {
-     "$ref": "#/definitions/ConditionSetValue"
-    },
-    "ForAllValues:^Arn(Not)?Equals$": {
-     "$ref": "#/definitions/ConditionSetValue"
-    },
-    "ForAllValues:^Arn(Not)?Like$": {
-     "$ref": "#/definitions/ConditionSetValue"
-    },
-    "ForAllValues:^Date(Not)?Equals$": {
-     "$ref": "#/definitions/ConditionSetValue"
-    },
-    "ForAllValues:^Number(Less|Greater)Than(Equals)?$": {
-     "$ref": "#/definitions/ConditionSetValue"
-    },
-    "ForAllValues:^Number(Not)?Equals$": {
-     "$ref": "#/definitions/ConditionSetValue"
-    },
-    "ForAllValues:^String(Not)?Equals(IgnoreCase)?$": {
-     "$ref": "#/definitions/ConditionSetValue"
-    },
-    "ForAllValues:^String(Not)?Like$": {
-     "$ref": "#/definitions/ConditionSetValue"
-    },
-    "ForAnyValues:^(Not)?IpAddress$": {
-     "$ref": "#/definitions/ConditionSetValue"
-    },
-    "ForAnyValues:^Arn(Not)?Equals$": {
-     "$ref": "#/definitions/ConditionSetValue"
-    },
-    "ForAnyValues:^Arn(Not)?Like$": {
-     "$ref": "#/definitions/ConditionSetValue"
-    },
-    "ForAnyValues:^Date(Not)?Equals$": {
-     "$ref": "#/definitions/ConditionSetValue"
-    },
-    "ForAnyValues:^Number(Less|Greater)Than(Equals)?$": {
-     "$ref": "#/definitions/ConditionSetValue"
-    },
-    "ForAnyValues:^Number(Not)?Equals$": {
-     "$ref": "#/definitions/ConditionSetValue"
+    "^(ForAnyValue:|ForAllValues:)?(Not)?IpAddress(Exists)?(IfExists)?$": {
+     "$ref": "#/definitions/ConditionValue"
     },
-    "ForAnyValues:^String(Not)?Equals(IgnoreCase)?$": {
-     "$ref": "#/definitions/ConditionSetValue"
+    "^(ForAnyValue:|ForAllValues:)?Arn(Not)?Equals(Exists)?(IfExists)?$": {
+     "$ref": "#/definitions/ConditionValue"
     },
-    "ForAnyValues:^String(Not)?Like?$": {
-     "$ref": "#/definitions/ConditionSetValue"
+    "^(ForAnyValue:|ForAllValues:)?Arn(Not)?Like(Exists)?(IfExists)?$": {
+     "$ref": "#/definitions/ConditionValue"
     },
-    "^(Not)?IpAddress(Exists)?$": {
+    "^(ForAnyValue:|ForAllValues:)?Bool(IfExists)?$": {
      "$ref": "#/definitions/ConditionValue"
     },
-    "^Arn(Not)?Equals(Exists)?$": {
+    "^(ForAnyValue:|ForAllValues:)?Date(Less|Greater)Than(Equals)?(IfExists)?$": {
      "$ref": "#/definitions/ConditionValue"
     },
-    "^Arn(Not)?Like(Exists)?$": {
+    "^(ForAnyValue:|ForAllValues:)?Date(Not)?Equals(IfExists)?$": {
      "$ref": "#/definitions/ConditionValue"
     },
-    "^Date(Not)?Equals(Exists)?$": {
+    "^(ForAnyValue:|ForAllValues:)?Null(IfExists)?$": {
      "$ref": "#/definitions/ConditionValue"
     },
-    "^Number(Less|Greater)Than(Equals)?(Exists)?$": {
+    "^(ForAnyValue:|ForAllValues:)?Numeric(Less|Greater)Than(Equals)?(Exists)?(IfExists)?$": {
      "$ref": "#/definitions/ConditionValue"
     },
-    "^Number(Not)?Equals(Exists)?$": {
+    "^(ForAnyValue:|ForAllValues:)?Numeric(Not)?Equals(Exists)?(IfExists)?$": {
      "$ref": "#/definitions/ConditionValue"
     },
-    "^String(Not)?Equals(IgnoreCase)?(Exists)?$": {
+    "^(ForAnyValue:|ForAllValues:)?String(Not)?Equals(IgnoreCase)?(Exists)?(IfExists)?$": {
      "$ref": "#/definitions/ConditionValue"
     },
-    "^String(Not)?Like(Exists)?$": {
+    "^(ForAnyValue:|ForAllValues:)?String(Not)?Like(Exists)?(IfExists)?$": {
      "$ref": "#/definitions/ConditionValue"
     }
    },

diff --git a/test/unit/rules/resources/iam/test_identity_policy.py b/test/unit/rules/resources/iam/test_identity_policy.py
@@ -175,7 +175,18 @@ def test_string_statements_with_condition(self):
                         "Action": "*",
                         "Resource": "*",
                         "Condition": {
-                            "iam:PassedToService": "cloudformation.amazonaws.com"
+                            "iam:PassedToService": "cloudformation.amazonaws.com",
+                            "StringEquals": {"aws:PrincipalTag/job-category": "iamuser-admin"},
+                            "StringLike": {"s3:prefix": ["", "home/", "home/${aws:username}/"]},
+                            "ArnLike": {"aws:SourceArn": "arn:aws:cloudtrail:*:111122223333:trail/*"},
+                            "NumericLessThanEquals": {"s3:max-keys": "10"},
+                            "DateGreaterThan": {"aws:TokenIssueTime": "2020-01-01T00:00:01Z"},
+                            "Bool": { "aws:SecureTransport": "false"},
+                            "BinaryEquals": { "key" : "QmluYXJ5VmFsdWVJbkJhc2U2NA=="},
+                            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
+                            "ArnEquals": {"aws:SourceArn": "arn:aws:sns:REGION:123456789012:TOPIC-ID"},
+                            "StringLikeIfExists": { "ec2:InstanceType": [ "t1.*", "t2.*" ]},
+                            "Null":{"aws:TokenIssueTime":"true"}
                         }
                     }
                 ]

diff --git a/test/unit/rules/resources/iam/test_resource_policy.py b/test/unit/rules/resources/iam/test_resource_policy.py
@@ -60,8 +60,8 @@ def test_object_multiple_effect(self):
                     },
                     "Condition": {
                         "Null": {
-                            "s3:x-amz-server-side-encryption": [False],
-                            "aws:TagKeys": False,
+                            "s3:x-amz-server-side-encryption": ["false"],
+                            "aws:TagKeys": "false",
                         }
                     },
                 }