fix(iam): missing validation for actions added post instantiation of a policy statement (#21906)

VarunWachaspati · web-flow · commit 10974d95693d · 2022-10-14T00:09:13.000Z
## Bug Description The validation for actions/nonActions currently only exists in the constructor of the PolicyStatement class as shown below - https://github.com/aws/aws-cdk/blob/56ba2ab2c2d9240b76ece17c3296488a63f0b232/packages/%40aws-cdk/aws-iam/lib/policy-statement.ts#L88-L95 The above validation is missing when we add an action/nonAction post instantiation of the IAM policy statement leading to discrepancy in the behaviour. The following snippet doesn't throw any error - ```typescript const statement = new iam.PolicyStatement({ resources: ['*'] }); statement.addActions('action'); statement.addNonActions('nonaction'); ``` ## Solution - Refactored the validation in the constructor into a separate private method called `validatePolicyActions()` - Executing this new validation method in the `addActions()` and `addNonActions()` - Fixed existing unit tests which assumed the above behaviour fixes #21821 ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-iam/lib/policy-statement.ts b/packages/@aws-cdk/aws-iam/lib/policy-statement.ts
@@ -86,14 +86,6 @@ export class PolicyStatement {
   private _frozen = false;
 
   constructor(props: PolicyStatementProps = {}) {
-    // Validate actions
-    for (const action of [...props.actions || [], ...props.notActions || []]) {
-
-      if (!/^(\*|[a-zA-Z0-9-]+:[a-zA-Z0-9*]+)$/.test(action) && !cdk.Token.isUnresolved(action)) {
-        throw new Error(`Action '${action}' is invalid. An action string consists of a service namespace, a colon, and the name of an action. Action names can include wildcards.`);
-      }
-    }
-
     this._sid = props.sid;
     this._effect = props.effect || Effect.ALLOW;
 
@@ -154,6 +146,7 @@ export class PolicyStatement {
     if (actions.length > 0 && this._notAction.length > 0) {
       throw new Error('Cannot add \'Actions\' to policy statement if \'NotActions\' have been added');
     }
+    this.validatePolicyActions(actions);
     this._action.push(...actions);
   }
 
@@ -170,6 +163,7 @@ export class PolicyStatement {
     if (notActions.length > 0 && this._action.length > 0) {
       throw new Error('Cannot add \'NotActions\' to policy statement if \'Actions\' have been added');
     }
+    this.validatePolicyActions(notActions);
     this._notAction.push(...notActions);
   }
 
@@ -233,6 +227,16 @@ export class PolicyStatement {
     }
   }
 
+  private validatePolicyActions(actions: string[]) {
+    // In case of an unresolved list of actions return early
+    if (cdk.Token.isUnresolved(actions)) return;
+    for (const action of actions || []) {
+      if (!cdk.Token.isUnresolved(action) && !/^(\*|[a-zA-Z0-9-]+:[a-zA-Z0-9*]+)$/.test(action)) {
+        throw new Error(`Action '${action}' is invalid. An action string consists of a service namespace, a colon, and the name of an action. Action names can include wildcards.`);
+      }
+    }
+  }
+
   private validatePolicyPrincipal(principal: IPrincipal) {
     if (principal instanceof Group) {
       throw new Error('Cannot use an IAM Group as the \'Principal\' or \'NotPrincipal\' in an IAM Policy');
diff --git a/packages/@aws-cdk/aws-iam/test/policy-document.test.ts b/packages/@aws-cdk/aws-iam/test/policy-document.test.ts
@@ -147,11 +147,11 @@ describe('IAM policy document', () => {
     const stack = new Stack();
     const perm = new PolicyStatement();
     perm.addResources('MyResource');
-    perm.addActions('Action1', 'Action2', 'Action3');
+    perm.addActions('service:Action1', 'service:Action2', 'service:Action3');
 
     expect(stack.resolve(perm.toStatementJson())).toEqual({
       Effect: 'Allow',
-      Action: ['Action1', 'Action2', 'Action3'],
+      Action: ['service:Action1', 'service:Action2', 'service:Action3'],
       Resource: 'MyResource',
     });
   });
@@ -325,12 +325,12 @@ describe('IAM policy document', () => {
     const stack = new Stack();
 
     const statement = new PolicyStatement();
-    statement.addActions(...Lazy.list({ produce: () => ['a', 'b', 'c'] }));
+    statement.addActions(...Lazy.list({ produce: () => ['service:a', 'service:b', 'service:c'] }));
     statement.addResources(...Lazy.list({ produce: () => ['x', 'y', 'z'] }));
 
     expect(stack.resolve(statement.toStatementJson())).toEqual({
       Effect: 'Allow',
-      Action: ['a', 'b', 'c'],
+      Action: ['service:a', 'service:b', 'service:c'],
       Resource: ['x', 'y', 'z'],
     });
   });
@@ -339,15 +339,15 @@ describe('IAM policy document', () => {
     const stack = new Stack();
 
     const statement = new PolicyStatement();
-    statement.addActions('a');
-    statement.addActions('a');
+    statement.addActions('service:a');
+    statement.addActions('service:a');
 
     statement.addResources('x');
     statement.addResources('x');
 
     expect(stack.resolve(statement.toStatementJson())).toEqual({
       Effect: 'Allow',
-      Action: 'a',
+      Action: 'service:a',
       Resource: 'x',
     });
   });
@@ -356,15 +356,15 @@ describe('IAM policy document', () => {
     const stack = new Stack();
 
     const statement = new PolicyStatement();
-    statement.addNotActions('a');
-    statement.addNotActions('a');
+    statement.addNotActions('service:a');
+    statement.addNotActions('service:a');
 
     statement.addNotResources('x');
     statement.addNotResources('x');
 
     expect(stack.resolve(statement.toStatementJson())).toEqual({
       Effect: 'Allow',
-      NotAction: 'a',
+      NotAction: 'service:a',
       NotResource: 'x',
     });
   });
@@ -421,10 +421,10 @@ describe('IAM policy document', () => {
     s.addArnPrincipal('349494949494');
     s.addServicePrincipal('test.service');
     s.addResources('resource');
-    s.addActions('action');
+    s.addActions('service:action');
 
     expect(stack.resolve(s.toStatementJson())).toEqual({
-      Action: 'action',
+      Action: 'service:action',
       Effect: 'Allow',
       Principal: { AWS: '349494949494', Service: 'test.service' },
       Resource: 'resource',
@@ -723,7 +723,7 @@ describe('IAM policy document', () => {
 
       const statement = new PolicyStatement();
       statement.addResources('resource1', 'resource2');
-      statement.addActions('action1', 'action2');
+      statement.addActions('service:action1', 'service:action2');
       statement.addServicePrincipal('service');
       statement.addConditions({
         a: {
@@ -750,11 +750,11 @@ describe('IAM policy document', () => {
 
       const statement1 = new PolicyStatement();
       statement1.addResources(Lazy.string({ produce: () => 'resource' }));
-      statement1.addActions(Lazy.string({ produce: () => 'action' }));
+      statement1.addActions(Lazy.string({ produce: () => 'service:action' }));
 
       const statement2 = new PolicyStatement();
       statement2.addResources(Lazy.string({ produce: () => 'resource' }));
-      statement2.addActions(Lazy.string({ produce: () => 'action' }));
+      statement2.addActions(Lazy.string({ produce: () => 'service:action' }));
 
       // WHEN
       p.addStatements(statement1);
diff --git a/packages/@aws-cdk/aws-iam/test/policy-statement.test.ts b/packages/@aws-cdk/aws-iam/test/policy-statement.test.ts
@@ -215,6 +215,15 @@ describe('IAM policy statement', () => {
       .toThrow(/Cannot use an IAM Group as the 'Principal' or 'NotPrincipal' in an IAM Policy/);
   });
 
+  test('throws error when an invalid \'Action\' or \'NotAction\' is added', () => {
+    const policyStatement = new PolicyStatement();
+    const invalidAction = 'xyz';
+    expect(() => policyStatement.addActions(invalidAction))
+      .toThrow(`Action '${invalidAction}' is invalid. An action string consists of a service namespace, a colon, and the name of an action. Action names can include wildcards.`);
+    expect(() => policyStatement.addNotActions(invalidAction))
+      .toThrow(`Action '${invalidAction}' is invalid. An action string consists of a service namespace, a colon, and the name of an action. Action names can include wildcards.`);
+  });
+
   test('multiple identical entries render to a scalar (instead of a singleton list)', () => {
     const stack = new Stack();
     const policyStatement = new PolicyStatement({
