IAM: Fix resource list matching (#5908)

2023-02-07 19:54:59 +05:30 · 2023-02-07 19:54:59 +05:30 · 749a8572ba
commit 749a8572ba
parent 8cc9518662
2 changed files with 15 additions and 1 deletions
--- a/moto/iam/access_control.py
+++ b/moto/iam/access_control.py
@ -378,7 +378,7 @@ class IAMPolicyStatement(object):
        if is_action_concerned:
            if self.is_unknown_principal(self._statement.get("Principal")):
                return PermissionResult.NEUTRAL
-            same_resource = self._match(self._statement["Resource"], resource)
+            same_resource = self._check_element_matches("Resource", resource)
            if self._statement["Effect"] == "Allow" and same_resource:
                return PermissionResult.PERMITTED
            else:  # Deny
--- a/tests/test_s3/test_s3_bucket_policy.py
+++ b/tests/test_s3/test_s3_bucket_policy.py
@ -37,6 +37,20 @@ class TestBucketPolicy:
            ({"resource": "arn:aws:s3:::mybucket/test_txt"}, 200),
            ({"resource": "arn:aws:s3:::notmybucket/*"}, 403),
            ({"resource": "arn:aws:s3:::mybucket/other*"}, 403),
+            ({"resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]}, 200),
+            (
+                {
+                    "resource": [
+                        "arn:aws:s3:::notmybucket",
+                        "arn:aws:s3:::notmybucket/*",
+                    ]
+                },
+                403,
+            ),
+            (
+                {"resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::notmybucket/*"]},
+                403,
+            ),
            ({"effect": "Deny"}, 403),
        ],
    )