fix(aws): check all conditions in IAM policy parser (#3006)

Co-authored-by: John Mastron <jmastron@jpl.nasa.gov> Co-authored-by: Sergio Garcia <sergargar1@gmail.com>
2026-02-10 14:55:00 +00:00 · 2023-11-07 01:40:34 -08:00
parent 12b45c6896
commit ec01b62a82
2 changed files with 77 additions and 2 deletions
--- a/tests/providers/aws/lib/policy_condition_parser/policy_condition_parser_test.py
+++ b/tests/providers/aws/lib/policy_condition_parser/policy_condition_parser_test.py
@@ -1282,3 +1282,75 @@ class Test_policy_condition_parser:
        assert not is_account_only_allowed_in_condition(
            condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
        )
+
+    def test_condition_parser_two_lists_unrestrictive(self):
+        condition_statement = {
+            "StringLike": {
+                "AWS:ResourceAccount": [
+                    TRUSTED_AWS_ACCOUNT_NUMBER,
+                    NON_TRUSTED_AWS_ACCOUNT_NUMBER,
+                ]
+            },
+            "ArnLike": {
+                "AWS:SourceArn": [
+                    f"arn:aws:cloudtrail:*:{TRUSTED_AWS_ACCOUNT_NUMBER}:trail/*",
+                    f"arn:aws:cloudtrail:*:{NON_TRUSTED_AWS_ACCOUNT_NUMBER}:trail/*",
+                ]
+            },
+        }
+        assert not is_account_only_allowed_in_condition(
+            condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
+        )
+
+    def test_condition_parser_two_lists_both_restrictive(self):
+        condition_statement = {
+            "StringLike": {
+                "AWS:ResourceAccount": [
+                    TRUSTED_AWS_ACCOUNT_NUMBER,
+                ]
+            },
+            "ArnLike": {
+                "AWS:SourceArn": [
+                    f"arn:aws:cloudtrail:*:{TRUSTED_AWS_ACCOUNT_NUMBER}:trail/*",
+                ]
+            },
+        }
+        assert is_account_only_allowed_in_condition(
+            condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
+        )
+
+    def test_condition_parser_two_lists_first_restrictive(self):
+        condition_statement = {
+            "StringLike": {
+                "AWS:ResourceAccount": [
+                    TRUSTED_AWS_ACCOUNT_NUMBER,
+                ]
+            },
+            "ArnLike": {
+                "AWS:SourceArn": [
+                    f"arn:aws:cloudtrail:*:{TRUSTED_AWS_ACCOUNT_NUMBER}:trail/*",
+                    f"arn:aws:cloudtrail:*:{NON_TRUSTED_AWS_ACCOUNT_NUMBER}:trail/*",
+                ]
+            },
+        }
+        assert is_account_only_allowed_in_condition(
+            condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
+        )
+
+    def test_condition_parser_two_lists_second_restrictive(self):
+        condition_statement = {
+            "StringLike": {
+                "AWS:ResourceAccount": [
+                    TRUSTED_AWS_ACCOUNT_NUMBER,
+                    NON_TRUSTED_AWS_ACCOUNT_NUMBER,
+                ]
+            },
+            "ArnLike": {
+                "AWS:SourceArn": [
+                    f"arn:aws:cloudtrail:*:{TRUSTED_AWS_ACCOUNT_NUMBER}:trail/*",
+                ]
+            },
+        }
+        assert is_account_only_allowed_in_condition(
+            condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
+        )