From 8e463fb9af11adc21906049c369a023a30e67d1f Mon Sep 17 00:00:00 2001
From: Kevin DeJong
Date: Fri, 18 Oct 2024 10:57:09 -0700
Subject: [PATCH] Add additionalProps false to IAM conditions (#3767)
---
 .../data/schemas/other/iam/policy.json | 1 +
 .../resources/iam/test_identity_policy.py | 32 +++++++++++++++++++
 2 files changed, 33 insertions(+)
diff --git a/src/cfnlint/data/schemas/other/iam/policy.json b/src/cfnlint/data/schemas/other/iam/policy.json
index 0bbe33bed9..99f30247c8 100644
--- a/src/cfnlint/data/schemas/other/iam/policy.json
+++ b/src/cfnlint/data/schemas/other/iam/policy.json
@@ -68,6 +68,7 @@
 ]
 },
 "Condition": {
+ "additionalProperties": false,
 "patternProperties": {
 "ForAllValues:^(Not)?IpAddress$": {
 "$ref": "#/definitions/ConditionSetValue"
diff --git a/test/unit/rules/resources/iam/test_identity_policy.py b/test/unit/rules/resources/iam/test_identity_policy.py
index 3ba94c683f..ec145becd6 100644
--- a/test/unit/rules/resources/iam/test_identity_policy.py
+++ b/test/unit/rules/resources/iam/test_identity_policy.py
@@ -162,3 +162,35 @@ def test_string_statements(self):
 errs[1].message, "'2012-10-18' is not one of ['2008-10-17', '2012-10-17']"
 )
 self.assertListEqual(list(errs[1].path), ["Version"])
+
+ def test_string_statements_with_condition(self):
+ validator = CfnTemplateValidator()
+
+ policy = """
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*",
+ "Condition": {
+ "iam:PassedToService": "cloudformation.amazonaws.com"
+ }
+ }
+ ]
+ }
+ """
+
+ errs = list(
+ self.rule.validate(
+ validator=validator, policy=policy, schema={}, policy_type=None
+ )
+ )
+ self.assertEqual(len(errs), 1, errs)
+ self.assertTrue(
+ errs[0].message.startswith("'iam:PassedToService' does not match")
+ )
+ self.assertListEqual(
+ list(errs[0].path), ["Statement", 0, "Condition", "iam:PassedToService"]
+ )
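Review bot: The added `"additionalProperties": false` turns `Condition` into a closed list, so any operator key that does not match a `patternProperties` entry is now an error instead of being passed through, and the pattern list therefore has to cover every operator AWS accepts — the `IfExists` suffix forms and both `ForAllValues:`/`ForAnyValue:` set prefixes included — or valid policies start failing lint. Only the `ForAllValues:^(Not)?IpAddress$` entry is visible in this hunk and the rest of the `Condition` object lies outside it, so coverage cannot be confirmed from here. Closing the object is the right direction for catching a condition key dropped directly under `Condition` with no operator (the case the new unit test exercises), since such a policy is rejected by IAM at deploy time and is better caught at lint time. If this schema already uses `description` annotations, a sibling `"description": "Keys must be condition operators matching a patternProperties entry; unknown operators are rejected"` next to the new keyword would tell the next editor why the list must be kept complete.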
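Review bot: `test_string_statements_with_condition` only covers the negative case — a condition key (`iam:PassedToService`) placed directly under `Condition` with no operator — so nothing in the suite shows that a correctly nested condition still validates with zero errors now that the schema closes `Condition`; a regression that rejects a valid operator would pass this test unnoticed. A positive-case sibling, sketched below on the assumption that `StringEquals` is among the schema's `patternProperties`, would pin that. The `startswith("'iam:PassedToService' does not match")` assertion is tied to the validator's wording for a `patternProperties`/`additionalProperties` failure; if the error objects expose the failing schema keyword, asserting on that would be less brittle than the message prefix. The new method also has no docstring; `"""A condition key placed directly under Condition, without an operator, must be rejected."""` states the intent, which the method name does not.
```python
    def test_string_statements_with_valid_condition(self):
        """A condition key nested under a real operator must still validate cleanly."""
        validator = CfnTemplateValidator()

        policy = """
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "*",
                    "Resource": "*",
                    "Condition": {
                        "StringEquals": {
                            "iam:PassedToService": "cloudformation.amazonaws.com"
                        }
                    }
                }
            ]
        }
        """

        errs = list(
            self.rule.validate(
                validator=validator, policy=policy, schema={}, policy_type=None
            )
        )
        self.assertListEqual(errs, [], errs)
```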