updated repolicy logic

port-labs · Oct 26, 2024 · e8fea8f · e8fea8f
1 parent b337b21
commit e8fea8f
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 3 deletions.
diff --git a/integrations/aws/tests/utils/test_overrides.py b/integrations/aws/tests/utils/test_overrides.py
@@ -14,7 +14,7 @@ def test_is_region_allowed_deny_policy(self) -> None:
             query="test", regionPolicy=region_policy
         )
         self.assertFalse(selector.is_region_allowed("us-east-1"))
-        self.assertFalse(selector.is_region_allowed("us-west-2"))
+        self.assertTrue(selector.is_region_allowed("us-west-2"))
 
     def test_is_region_allowed_allow_policy(self) -> None:
         region_policy = RegionPolicy(allow=["us-west-2"])
@@ -32,3 +32,28 @@ def test_is_region_allowed_both_policies(self) -> None:
         self.assertFalse(selector.is_region_allowed("us-east-1"))
         self.assertTrue(selector.is_region_allowed("us-west-2"))
         self.assertFalse(selector.is_region_allowed("eu-central-1"))
+
+    def test_is_region_allowed_conflicting_policies(self) -> None:
+        region_policy = RegionPolicy(allow=["us-east-1"], deny=["us-east-1"])
+        selector = AWSDescribeResourcesSelector(
+            query="test", regionPolicy=region_policy
+        )
+        self.assertFalse(selector.is_region_allowed("us-east-1"))
+
+    def test_is_region_allowed_deny_only(self) -> None:
+        region_policy = RegionPolicy(deny=["us-east-1", "us-west-2"])
+        selector = AWSDescribeResourcesSelector(
+            query="test", regionPolicy=region_policy
+        )
+        self.assertFalse(selector.is_region_allowed("us-east-1"))
+        self.assertFalse(selector.is_region_allowed("us-west-2"))
+        self.assertTrue(selector.is_region_allowed("eu-central-1"))
+
+    def test_is_region_allowed_allow_only(self) -> None:
+        region_policy = RegionPolicy(allow=["us-east-1", "us-west-2"])
+        selector = AWSDescribeResourcesSelector(
+            query="test", regionPolicy=region_policy
+        )
+        self.assertTrue(selector.is_region_allowed("us-east-1"))
+        self.assertTrue(selector.is_region_allowed("us-west-2"))
+        self.assertFalse(selector.is_region_allowed("eu-central-1"))
diff --git a/integrations/aws/utils/overrides.py b/integrations/aws/utils/overrides.py
@@ -30,7 +30,9 @@ def is_region_allowed(self, region: str) -> bool:
         - If the region is listed in the "deny" list of `region_policy`, the method returns False.
         - If the region is listed in the "allow" list of `region_policy`, the method returns True.
         - If the region is not listed in either "allow" or "deny" lists, the method returns False.
-
+        - If the region is listed in both "allow" and "deny" lists, the method returns False.
+        - If the policy denies regions but does not explicitly allow any, and the specific region is not in the deny list, then the region is considered allowed.
+        - If the policy allows regions but does not explicitly deny any, and the specific region is not in the allow list, then the region is considered denied.
         Args:
             region (str): The region to be checked.
 
@@ -43,7 +45,10 @@ def is_region_allowed(self, region: str) -> bool:
             return False
         if region in self.region_policy.allow:
             return True
-
+        if self.region_policy.deny and not self.region_policy.allow:
+            return True
+        if self.region_policy.allow and not self.region_policy.deny:
+            return False
         return False