Merge pull request #9270 from shirady/iam-user-policy-implementations

shirady · web-flow · commit 2017b80e34ad · 2025-11-10T08:43:14.000+02:00
IAM | User Inline Policy Implementation
diff --git a/src/endpoint/iam/iam_constants.js b/src/endpoint/iam/iam_constants.js
@@ -22,6 +22,13 @@ const IAM_ACTIONS = Object.freeze({
     LIST_USER_POLICIES: 'list_user_policies',
 });
 
+const IAM_ACTIONS_USER_INLINE_POLICY = [
+    IAM_ACTIONS.PUT_USER_POLICY,
+    IAM_ACTIONS.GET_USER_POLICY,
+    IAM_ACTIONS.DELETE_USER_POLICY,
+    IAM_ACTIONS.LIST_USER_POLICIES
+];
+
 // key: action - the function name on accountspace_fs (snake case style)
 // value: AWS action name (camel case style)
 // we use it for error message to match AWS style 
@@ -62,6 +69,7 @@ const MAX_NUMBER_OF_ACCESS_KEYS = 2;
 const IAM_DEFAULT_PATH = '/';
 const AWS_NOT_USED = 'N/A'; // can be used in case the region or the service name were not used
 const IAM_SERVICE_SMALL_LETTERS = 'iam';
+const AWS_LIMIT_CHARS_USER_INlINE_POLICY = 2048;
 
 // parameter names in camel case style
 // we will use in the error messages
@@ -79,12 +87,14 @@ const IAM_SPLIT_CHARACTERS = ':';
 
 // EXPORTS
 exports.IAM_ACTIONS = IAM_ACTIONS;
+exports.IAM_ACTIONS_USER_INLINE_POLICY = IAM_ACTIONS_USER_INLINE_POLICY;
 exports.ACTION_MESSAGE_TITLE_MAP = ACTION_MESSAGE_TITLE_MAP;
 exports.ACCESS_KEY_STATUS_ENUM = ACCESS_KEY_STATUS_ENUM;
 exports.IDENTITY_ENUM = IDENTITY_ENUM;
 exports.DEFAULT_MAX_ITEMS = DEFAULT_MAX_ITEMS;
 exports.MAX_TAGS = MAX_TAGS;
 exports.MAX_NUMBER_OF_ACCESS_KEYS = MAX_NUMBER_OF_ACCESS_KEYS;
+exports.AWS_LIMIT_CHARS_USER_INlINE_POLICY = AWS_LIMIT_CHARS_USER_INlINE_POLICY;
 exports.IAM_DEFAULT_PATH = IAM_DEFAULT_PATH;
 exports.AWS_NOT_USED = AWS_NOT_USED;
 exports.IAM_SERVICE_SMALL_LETTERS = IAM_SERVICE_SMALL_LETTERS;
diff --git a/src/endpoint/iam/ops/iam_list_user_policies.js b/src/endpoint/iam/ops/iam_list_user_policies.js
@@ -25,7 +25,9 @@ async function list_user_policies(req, res) {
     return {
         ListUserPoliciesResponse: {
             ListUserPoliciesResult: {
-                PolicyNames: reply.members,
+                PolicyNames: reply.members.map(member => ({
+                    member: member,
+                })),
                 IsTruncated: reply.is_truncated,
             },
             ResponseMetadata: {
diff --git a/src/sdk/accountspace_fs.js b/src/sdk/accountspace_fs.js
@@ -866,8 +866,9 @@ class AccountSpaceFS {
 
     _check_if_user_does_not_have_access_keys_before_deletion(action, account_to_delete) {
         const resource_name = 'access keys';
-        const is_access_keys_removed = account_to_delete.access_keys.length === 0;
-        if (!is_access_keys_removed) {
+        const access_keys = account_to_delete.access_keys || [];
+        const is_access_keys_empty = access_keys.length === 0;
+        if (!is_access_keys_empty) {
             this._throw_error_delete_conflict(action, account_to_delete, resource_name);
         }
     }
diff --git a/src/sdk/accountspace_nb.js b/src/sdk/accountspace_nb.js
@@ -162,6 +162,7 @@ class AccountSpaceNB {
         const requested_account = system_store.get_account_by_email(username);
         account_util._check_if_requested_account_is_root_account_or_IAM_user(action, requesting_account, requested_account);
         account_util._check_if_requested_is_owned_by_root_account(action, requesting_account, requested_account);
+        account_util._check_if_user_does_not_have_resources_before_deletion(action, requested_account);
         // TODO: DELETE INLINE POLICY : Manually
         // TODO: DELETE ACCESS KEY : manually
         const req = {
@@ -440,27 +441,79 @@ class AccountSpaceNB {
     ////////////////////
 
     async put_user_policy(params, account_sdk) {
-        dbg.log0('AccountSpaceNB.put_user_policy:', params);
-        const { code, http_code, type } = IamError.NotImplemented;
-        throw new IamError({ code, message: 'NotImplemented', http_code, type });
+        const action = IAM_ACTIONS.PUT_USER_POLICY;
+        dbg.log1(`AccountSpaceNB.${action}`, params);
+        const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
+        const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
+        const iam_user_policies = requested_account.iam_user_policies || [];
+        const index_of_iam_user_policy = account_util._get_iam_user_policy_index(iam_user_policies, params.policy_name);
+        const iam_user_policy_to_add = {
+            policy_name: params.policy_name,
+            policy_document: params.policy_document,
+        };
+        if (index_of_iam_user_policy === -1) {
+            iam_user_policies.push(iam_user_policy_to_add);
+        } else {
+            iam_user_policies[index_of_iam_user_policy] = iam_user_policy_to_add;
+        }
+
+        account_util._check_total_policy_size(iam_user_policies, params.username);
+
+        await system_store.make_changes({
+            update: {
+                accounts: [{
+                    _id: requested_account._id,
+                    $set: { iam_user_policies },
+                }]
+            }
+        });
     }
 
     async get_user_policy(params, account_sdk) {
-        dbg.log0('AccountSpaceNB.get_user_policy:', params);
-        const { code, http_code, type } = IamError.NotImplemented;
-        throw new IamError({ code, message: 'NotImplemented', http_code, type });
+        const action = IAM_ACTIONS.GET_USER_POLICY;
+        dbg.log1(`AccountSpaceNB.${action}`, params);
+        const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
+        const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
+        const iam_user_policies = requested_account.iam_user_policies || [];
+        const iam_user_policy_index = account_util._check_user_policy_exists(action, iam_user_policies, params.policy_name);
+        return {
+            username: params.username,
+            policy_name: params.policy_name,
+            policy_document: JSON.stringify(iam_user_policies[iam_user_policy_index].policy_document),
+        };
     }
 
     async delete_user_policy(params, account_sdk) {
-        dbg.log0('AccountSpaceNB.delete_user_policy:', params);
-        const { code, http_code, type } = IamError.NotImplemented;
-        throw new IamError({ code, message: 'NotImplemented', http_code, type });
+        const action = IAM_ACTIONS.DELETE_USER_POLICY;
+        dbg.log1(`AccountSpaceNB.${action}`, params);
+        const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
+        const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
+        const iam_user_policies = requested_account.iam_user_policies || [];
+        const iam_user_policy_index = account_util._check_user_policy_exists(action, iam_user_policies, params.policy_name);
+        iam_user_policies.splice(iam_user_policy_index, 1);
+
+        await system_store.make_changes({
+            update: {
+                accounts: [{
+                    _id: requested_account._id,
+                    $set: { iam_user_policies },
+                }]
+            }
+        });
     }
 
     async list_user_policies(params, account_sdk) {
-        dbg.log0('AccountSpaceNB.list_user_policies:', params);
-        const { code, http_code, type } = IamError.NotImplemented;
-        throw new IamError({ code, message: 'NotImplemented', http_code, type });
+        const action = IAM_ACTIONS.LIST_USER_POLICIES;
+        dbg.log1(`AccountSpaceNB.${action}`, params);
+        const requesting_account = system_store.get_account_by_email(account_sdk.requesting_account.email);
+        const requested_account = validate_and_return_requested_account(params, action, requesting_account, account_sdk);
+        const is_truncated = false; // GAP - no pagination at this point
+        let members = _.map(requested_account.iam_user_policies || [], iam_user_policy => iam_user_policy.policy_name);
+        members = members.sort((a, b) => a.localeCompare(b));
+        return {
+            is_truncated,
+            members
+        };
     }
 }
 
@@ -473,10 +526,10 @@ function validate_and_return_requested_account(params, action, requesting_accoun
             // So in that case requesting account and requested account is same.
             requested_account = requesting_account;
         } else {
+            account_util._check_if_requesting_account_is_root_account(action, requesting_account, { username: params.username });
             const account_email = account_util.get_account_name_from_username(params.username, requesting_account.name.unwrap());
             account_util._check_if_account_exists(action, account_email);
             requested_account = system_store.get_account_by_email(account_email);
-            account_util._check_if_requesting_account_is_root_account(action, requesting_account, { username: params.username });
             account_util._check_if_requested_account_is_root_account_or_IAM_user(action, requesting_account, requested_account);
             account_util._check_if_requested_is_owned_by_root_account(action, requesting_account, requested_account);
         }
diff --git a/src/test/unit_tests/internal/test_accountspace_nb.test.js b/src/test/unit_tests/internal/test_accountspace_nb.test.js
diff --git a/src/util/account_util.js b/src/util/account_util.js
@@ -15,7 +15,8 @@ const { OP_NAME_TO_ACTION } = require('../endpoint/sts/sts_rest');
 const IamError = require('../endpoint/iam/iam_errors').IamError;
 const { create_arn_for_user, get_action_message_title } = require('../endpoint/iam/iam_utils');
 const { IAM_ACTIONS, MAX_NUMBER_OF_ACCESS_KEYS, IAM_DEFAULT_PATH,
-    ACCESS_KEY_STATUS_ENUM, IAM_SPLIT_CHARACTERS } = require('../endpoint/iam/iam_constants');
+    ACCESS_KEY_STATUS_ENUM, IAM_SPLIT_CHARACTERS, IAM_ACTIONS_USER_INLINE_POLICY,
+    AWS_LIMIT_CHARS_USER_INlINE_POLICY } = require('../endpoint/iam/iam_constants');
 
 const demo_access_keys = Object.freeze({
     access_key: new SensitiveString('123'),
@@ -360,8 +361,7 @@ function _check_if_requesting_account_is_root_account(action, requesting_account
     dbg.log1(`AccountSpaceNB.${action} requesting_account ID: ${requesting_account._id}` +
         `name: ${requesting_account.name.unwrap()}`, 'is_root_account', is_root_account);
     if (!is_root_account) {
-        dbg.error(`AccountSpaceNB.${action} requesting account is not a root account`,
-            requesting_account);
+        dbg.error(`AccountSpaceNB.${action} requesting account is not a root account`, requesting_account._id);
         _throw_access_denied_error(action, requesting_account, user_details, "USER");
     }
 }
@@ -449,6 +449,13 @@ function _throw_error_no_such_entity_access_key(action, access_key_id) {
     throw new IamError({ code, message: message_with_details, http_code, type });
 }
 
+function _throw_error_no_such_entity_policy(action, policy_name) {
+    dbg.error(`AccountSpaceNB.${action} The user policy with name does not exist`, policy_name);
+    const message_with_details = `The user policy with name ${policy_name} cannot be found`;
+    const { code, http_code, type } = IamError.NoSuchEntity;
+    throw new IamError({ code, message: message_with_details, http_code, type });
+}
+
 function _throw_access_denied_error(action, requesting_account, details, entity) {
     const full_action_name = get_action_message_title(action);
     const account_id_for_arn = _get_account_owner_id_for_arn(requesting_account);
@@ -459,7 +466,8 @@ function _throw_access_denied_error(action, requesting_account, details, entity)
     let message_with_details;
     if (entity === 'USER') {
         let user_message;
-        if (action === IAM_ACTIONS.LIST_ACCESS_KEYS) {
+        if (action === IAM_ACTIONS.LIST_ACCESS_KEYS ||
+            IAM_ACTIONS_USER_INLINE_POLICY.includes(action)) {
             user_message = `user ${details.username}`;
         } else {
             user_message = create_arn_for_user(account_id_for_arn, details.username, details.path);
@@ -473,6 +481,14 @@ function _throw_access_denied_error(action, requesting_account, details, entity)
     throw new IamError({ code, message: message_with_details, http_code, type });
 }
 
+function _throw_error_delete_conflict(action, account_to_delete, resource_name) {
+        dbg.error(`AccountSpaceNB.${action} requested account ` +
+            `${account_to_delete.name} ${account_to_delete._id} has ${resource_name}`);
+        const message_with_details = `Cannot delete entity, must delete ${resource_name} first.`;
+        const { code, http_code, type } = IamError.DeleteConflict;
+        throw new IamError({ code, message: message_with_details, http_code, type });
+    }
+
 // ACCESS KEY VALIDATIONS
 
 function _check_number_of_access_key_array(action, requested_account) {
@@ -569,6 +585,63 @@ function _list_access_keys_from_account(requesting_account, account, on_itself)
     return members;
 }
 
+function _check_user_policy_exists(action, iam_user_policies, policy_name) {
+    const iam_user_policy_index = _get_iam_user_policy_index(iam_user_policies, policy_name);
+    if (iam_user_policy_index === -1) {
+        _throw_error_no_such_entity_policy(action, policy_name);
+    }
+    return iam_user_policy_index;
+}
+
+function _get_iam_user_policy_index(iam_user_policies, policy_name) {
+    const iam_user_policy_index = iam_user_policies.findIndex(current_iam_user_policy =>
+    current_iam_user_policy.policy_name === policy_name);
+    return iam_user_policy_index;
+}
+
+function _check_total_policy_size(iam_user_policies, username) {
+    const total_chars_size = _get_total_size_of_policies(iam_user_policies);
+    if (total_chars_size > AWS_LIMIT_CHARS_USER_INlINE_POLICY) {
+        const message_with_details = `Maximum policy size of 2048 bytes exceeded for user ${username}`;
+        const { code, http_code, type } = IamError.LimitExceeded;
+        throw new IamError({ code, message: message_with_details, http_code, type });
+    }
+}
+
+// each char is  byte and not including whitespaces
+function _get_total_size_of_policies(iam_user_policies) {
+    let total_size = 0;
+    for (const iam_user_policy of iam_user_policies) {
+        const policy_as_string = JSON.stringify(iam_user_policy);
+        total_size += policy_as_string.length;
+    }
+    return total_size;
+}
+
+// only resources of IAM (without the case of root account)
+function _check_if_user_does_not_have_resources_before_deletion(action, account_to_delete) {
+    _check_if_user_does_not_have_access_keys_before_deletion(action, account_to_delete);
+    _check_if_user_does_not_have_user_policy_before_deletion(action, account_to_delete);
+}
+
+function _check_if_user_does_not_have_access_keys_before_deletion(action, account_to_delete) {
+    const resource_name = 'access keys';
+    const access_keys = account_to_delete.access_keys || [];
+    const is_access_keys_empty = access_keys.length === 0;
+    if (!is_access_keys_empty) {
+        _throw_error_delete_conflict(action, account_to_delete, resource_name);
+    }
+}
+
+function _check_if_user_does_not_have_user_policy_before_deletion(action, account_to_delete) {
+    const resource_name = 'policies';
+    const iam_user_policies = account_to_delete.iam_user_policies || [];
+    const is_policies_removed = iam_user_policies.length === 0;
+    if (!is_policies_removed) {
+        _throw_error_delete_conflict(action, account_to_delete, resource_name);
+    }
+}
+
 function validate_create_account_permissions(req) {
     const account = req.account;
     //For new system creation, nothing to be checked
@@ -665,3 +738,7 @@ exports._check_if_account_exists = _check_if_account_exists;
 exports._returned_username = _returned_username;
 exports._check_if_requested_is_owned_by_root_account = _check_if_requested_is_owned_by_root_account;
 exports._check_if_requested_account_is_root_account_or_IAM_user = _check_if_requested_account_is_root_account_or_IAM_user;
+exports._get_iam_user_policy_index = _get_iam_user_policy_index;
+exports._check_user_policy_exists = _check_user_policy_exists;
+exports._check_if_user_does_not_have_resources_before_deletion = _check_if_user_does_not_have_resources_before_deletion;
+exports._check_total_policy_size = _check_total_policy_size;

Original file line number	Diff line number	Diff line change
`@@ -866,8 +866,9 @@ class AccountSpaceFS {`
`866`	`866`
`867`	`867`	`_check_if_user_does_not_have_access_keys_before_deletion(action, account_to_delete) {`
`868`	`868`	`const resource_name = 'access keys';`
`869`		`- const is_access_keys_removed = account_to_delete.access_keys.length === 0;`
`870`		`- if (!is_access_keys_removed) {`
	`869`	`+ const access_keys = account_to_delete.access_keys \|\| [];`
	`870`	`+ const is_access_keys_empty = access_keys.length === 0;`
	`871`	`+ if (!is_access_keys_empty) {`
`871`	`872`	`this._throw_error_delete_conflict(action, account_to_delete, resource_name);`
`872`	`873`	`}`
`873`	`874`	`}`