From 749a8572bad94c42ec7e2ed887f5be769f804b38 Mon Sep 17 00:00:00 2001
From: Viren Nadkarni
Date: Tue, 7 Feb 2023 19:54:59 +0530
Subject: [PATCH] IAM: Fix resource list matching (#5908)

---
 moto/iam/access_control.py             |  2 +-
 tests/test_s3/test_s3_bucket_policy.py | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/moto/iam/access_control.py b/moto/iam/access_control.py
index 686657592..8cdd39137 100644
--- a/moto/iam/access_control.py
+++ b/moto/iam/access_control.py
@@ -378,7 +378,7 @@ class IAMPolicyStatement(object):
         if is_action_concerned:
             if self.is_unknown_principal(self._statement.get("Principal")):
                 return PermissionResult.NEUTRAL
-            same_resource = self._match(self._statement["Resource"], resource)
+            same_resource = self._check_element_matches("Resource", resource)
             if self._statement["Effect"] == "Allow" and same_resource:
                 return PermissionResult.PERMITTED
             else:  # Deny
diff --git a/tests/test_s3/test_s3_bucket_policy.py b/tests/test_s3/test_s3_bucket_policy.py
index 1bec7409a..44ff4ea75 100644
--- a/tests/test_s3/test_s3_bucket_policy.py
+++ b/tests/test_s3/test_s3_bucket_policy.py
@@ -37,6 +37,20 @@ class TestBucketPolicy:
             ({"resource": "arn:aws:s3:::mybucket/test_txt"}, 200),
             ({"resource": "arn:aws:s3:::notmybucket/*"}, 403),
             ({"resource": "arn:aws:s3:::mybucket/other*"}, 403),
+            ({"resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]}, 200),
+            (
+                {
+                    "resource": [
+                        "arn:aws:s3:::notmybucket",
+                        "arn:aws:s3:::notmybucket/*",
+                    ]
+                },
+                403,
+            ),
+            (
+                {"resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::notmybucket/*"]},
+                403,
+            ),
             ({"effect": "Deny"}, 403),
         ],
     )
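Review bot: The new `same_resource = self._check_element_matches("Resource", resource)` line still hard-codes the `Resource` key, so a statement written with `NotResource` instead (a valid IAM form) is not evaluated here; if `_check_element_matches` indexes `self._statement` by that key, as the removed `self._statement["Resource"]` did, such a statement would presumably raise KeyError instead of producing a decision, which matters most for Deny statements that are meant to fence off everything outside a resource set. The `NotAction` handling that appears to sit above this hunk suggests the pattern to mirror: `if "NotResource" in self._statement: same_resource = not self._check_element_matches("NotResource", resource)` before falling through to the `Resource` branch. The enclosing `is_action_permitted`-style method starts and ends outside the hunk, so the exact placement should be checked against the surrounding branches.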
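Review bot: The three new list-valued `resource` cases all run with the default (Allow) effect, so the list-matching path is never exercised in combination with `"effect": "Deny"`, which is the branch where a matching failure would silently widen access. If the parametrized dict accepts both keys, as the existing `({"effect": "Deny"}, 403)` case and the `resource` cases together suggest, one more entry such as `({"effect": "Deny", "resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]}, 403)` would pin that behaviour. The parametrize list continues outside the hunk.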