From a0e4bde48138902070c49071ef23132944a6a537 Mon Sep 17 00:00:00 2001
From: Andy Driver
Date: Tue, 22 Oct 2019 17:22:24 +0100
Subject: [PATCH] Avoid overwriting existing resources in s3-access policy statements (#768)

Should have stuck to my original code - updating Statement dicts with empty Resource list removes all resources :man_facepalming:
---
 controlpanel/api/aws.py | 3 ---
 tests/api/test_aws.py   | 8 ++++++++
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/controlpanel/api/aws.py b/controlpanel/api/aws.py
index 204a993dd..f610ce94f 100644
--- a/controlpanel/api/aws.py
+++ b/controlpanel/api/aws.py
@@ -106,19 +106,16 @@ def iam_arn(resource, account=settings.AWS_ACCOUNT_ID):
             's3:ListBucket',
         ],
         'Effect': 'Allow',
-        'Resource': [],
     },
     'readonly': {
         'Sid': 'readonly',
         'Action': READ_ACTIONS,
         'Effect': 'Allow',
-        'Resource': [],
     },
     'readwrite': {
         'Sid': 'readwrite',
         'Action': READ_ACTIONS + WRITE_ACTIONS,
         'Effect': 'Allow',
-        'Resource': [],
     },
 }
 
diff --git a/tests/api/test_aws.py b/tests/api/test_aws.py
index 1efb46a13..61c005727 100644
--- a/tests/api/test_aws.py
+++ b/tests/api/test_aws.py
@@ -308,6 +308,14 @@ def test_grant_bucket_access(iam, users, resources):
     else:
         assert bucket_arn in statements['list']['Resource']
 
+    aws.grant_bucket_access(user.iam_role_name, f'{bucket_arn}-2', 'readonly')
+    policy.reload()
+    statements = get_statements_by_sid(policy.policy_document)
+    expected_num_resources = 2
+    if path_arns:
+        expected_num_resources = len(path_arns) + 1
+    assert len(statements['readonly']['Resource']) == expected_num_resources
+
 @pytest.mark.parametrize(
     'resources',
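Review bot: With `'Resource': []` removed from the `list`, `readonly` and `readwrite` templates, a statement built from one of them is no longer a complete IAM statement on its own (an identity-policy Statement needs a Resource or NotResource element), so the templates now silently depend on the grant code adding the ARN list before the policy is written; that contract deserves a comment on the dict, e.g. `# 'Resource' is deliberately absent: the grant code adds the ARN list, so merging a template into an existing statement never clears earlier grants`. The dict's assignment line and the code that merges these templates are outside the hunk, so I cannot confirm how a Sid that is not yet present in the policy gets its Resource list; if the template is inserted verbatim in that case, the resulting policy would be rejected by IAM. A guard in the merge path that refuses to write a statement whose Resource is missing or empty would turn a future edit like the one this commit reverts into a test failure rather than a policy that quietly loses access grants.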