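/**
 * Split an API Gateway execute-api ARN into its colon-delimited components.
 *
 * Expected shape: `arn:aws:execute-api:{region}:{accountId}:{restApiId}/{path}`,
 * where `path` carries the stage, HTTP method and resource path. Components are
 * captured verbatim, so a policy ARN may contain `*` / `?` in any of them.
 *
 * @param {string} resource - The ARN to parse.
 * @returns {{ accountId: string, path: string, region: string, restApiId: string } | null}
 *   The parsed components, or `null` when `resource` is not a string or does not
 *   have the expected shape (the destructuring used to throw a TypeError here).
 */
function parseResource(resource) {
  if (typeof resource !== 'string') {
    return null
  }

  // Anchored at the start so that text preceding the `arn:` prefix cannot be
  // accepted as an ARN; the lazy groups stop at the first `:` / `/` delimiter.
  const match = /^arn:aws:execute-api:(.*?):(.*?):(.*?)\/(.*)/.exec(resource)

  if (match === null) {
    return null
  }

  const [, region, accountId, restApiId, path] = match

  return { accountId, path, region, restApiId }
}

/**
 * Turn an IAM-style wildcard pattern into an anchored regular expression.
 *
 * `*` matches any run of characters (including `/`), `?` matches exactly one
 * character, and every other character is matched literally — regex
 * metacharacters such as `.`, `+` or `(` in the pattern are escaped.
 *
 * @param {string} pattern - Path pattern taken from a policy resource ARN.
 * @returns {RegExp} Regex that must match the whole input, not a substring of it.
 */
function wildcardToRegExp(pattern) {
  let source = ''

  for (const char of pattern) {
    if (char === '*') {
      source += '.*'
    } else if (char === '?') {
      source += '.'
    } else {
      source += char.replace(/[.+^${}()|[\]\\]/, '\\$&')
    }
  }

  // Anchored: without `^`/`$` a policy path such as `dev/*/users` would also
  // match `dev/GET/users/123` through a substring match, widening the grant.
  return new RegExp(`^${source}$`)
}

/**
 * Decide whether a policy statement's resource ARN covers the requested resource ARN.
 *
 * Exact equality and the global forms (`*`, `arn:aws:execute-api:**`,
 * `arn:aws:execute-api:*:*:*`) match unconditionally. Otherwise only a policy
 * resource containing `*` or `?` can match: its region, account id and REST API id
 * must each be a bare `*` or equal the request's, and its path is compared as an
 * anchored wildcard pattern. Input that cannot be parsed as an execute-api ARN
 * is denied rather than raising.
 *
 * @param {string} policyResource - Resource ARN from the authorizer's policy.
 * @param {string} resource - ARN of the resource being requested.
 * @returns {boolean} `true` when the policy resource covers the request.
 */
export default function authMatchPolicyResource(policyResource, resource) {
  // resource and policyResource are ARNs
  if (policyResource === resource) {
    return true
  }

  if (policyResource === '*') {
    return true
  }

  if (policyResource === 'arn:aws:execute-api:**') {
    // better fix for #523
    return true
  }

  if (policyResource === 'arn:aws:execute-api:*:*:*') {
    return true
  }

  if (!policyResource.includes('*') && !policyResource.includes('?')) {
    // No wildcard and not identical: the policy does not cover this resource.
    return false
  }

  // Policy contains a wildcard resource
  const parsedPolicyResource = parseResource(policyResource)
  const parsedResource = parseResource(resource)

  // A wildcard policy resource that is not a well-formed execute-api ARN must
  // not grant access, and a malformed request ARN cannot be matched either.
  if (parsedPolicyResource === null || parsedResource === null) {
    return false
  }

  // Only a bare `*` is honoured in these segments; a partial wildcard such as
  // `us-*` is compared literally, as before.
  for (const segment of ['region', 'accountId', 'restApiId']) {
    const allowed = parsedPolicyResource[segment]

    if (allowed !== '*' && allowed !== parsedResource[segment]) {
      return false
    }
  }

  // The path contains stage, method and the path for the requested resource
  // and the resource defined in the policy; `?` is one character, `*` any run.
  return wildcardToRegExp(parsedPolicyResource.path).test(parsedResource.path)
}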