fix: restrict allowable types in IAM libraries

A number methods were allowing 'any's in places where they easily lead to passing the wrong object. - `role.attachManagedPolicy` - Various methods on `PolicyStatement`. By restrictinig the types to what we actually expect (or `string`s) these mistakes will be harder to make. Fixes #622, doesn't completely resolve but helps with #621.
aws · Aug 27, 2018 · 8794552 · 8794552
1 parent 9f49274
commit 8794552
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 13 deletions.
diff --git a/packages/@aws-cdk/aws-iam/lib/role.ts b/packages/@aws-cdk/aws-iam/lib/role.ts
@@ -1,4 +1,4 @@
-import { ArnPrincipal, Construct, IDependable, PolicyDocument, PolicyPrincipal, PolicyStatement, Token } from '@aws-cdk/cdk';
+import { Arn, ArnPrincipal, Construct, IDependable, PolicyDocument, PolicyPrincipal, PolicyStatement, Token } from '@aws-cdk/cdk';
 import { cloudformation, RoleArn } from './iam.generated';
 import { IIdentityResource, IPrincipal, Policy } from './policy';
 import { AttachedPolicies, undefinedIfEmpty } from './util';
@@ -15,7 +15,7 @@ export interface RoleProps {
 
     /**
      * A list of ARNs for managed policies associated with this role.
-     * You can add managed policies later using `addManagedPolicy(arn)`.
+     * You can add managed policies later using `attachManagedPolicy(arn)`.
      * @default No managed policies.
      */
     managedPolicyArns?: any[];
@@ -97,7 +97,7 @@ export class Role extends Construct implements IIdentityResource, IPrincipal, ID
     public readonly dependencyElements: IDependable[];
 
     private defaultPolicy?: Policy;
-    private readonly managedPolicies: string[];
+    private readonly managedPolicies: Arn[];
     private readonly attachedPolicies = new AttachedPolicies();
 
     constructor(parent: Construct, name: string, props: RoleProps) {
@@ -140,7 +140,7 @@ export class Role extends Construct implements IIdentityResource, IPrincipal, ID
      * Attaches a managed policy to this role.
      * @param arn The ARN of the managed policy to attach.
      */
-    public attachManagedPolicy(arn: any) {
+    public attachManagedPolicy(arn: Arn) {
         this.managedPolicies.push(arn);
     }
 

diff --git a/packages/@aws-cdk/cdk/lib/cloudformation/permission.ts b/packages/@aws-cdk/cdk/lib/cloudformation/permission.ts
@@ -1,4 +1,5 @@
 import { Token } from '../core/tokens';
+import { Arn } from './arn';
 import { FnConcat } from './fn';
 import { AwsAccountId, AwsPartition } from './pseudo';
 
@@ -73,7 +74,7 @@ export class PrincipalPolicyFragment {
 }
 
 export class ArnPrincipal extends PolicyPrincipal {
-    constructor(public readonly arn: any) {
+    constructor(public readonly arn: Arn) {
         super();
     }
 
@@ -92,7 +93,7 @@ export class AccountPrincipal extends ArnPrincipal {
  * An IAM principal that represents an AWS service (i.e. sqs.amazonaws.com).
  */
 export class ServicePrincipal extends PolicyPrincipal {
-    constructor(public readonly service: any) {
+    constructor(public readonly service: string) {
         super();
     }
 
@@ -209,15 +210,15 @@ export class PolicyStatement extends Token {
         return this;
     }
 
-    public addAwsPrincipal(arn: any): PolicyStatement {
+    public addAwsPrincipal(arn: Arn): PolicyStatement {
         return this.addPrincipal(new ArnPrincipal(arn));
     }
 
-    public addAwsAccountPrincipal(accountId: any): PolicyStatement {
+    public addAwsAccountPrincipal(accountId: string): PolicyStatement {
         return this.addPrincipal(new AccountPrincipal(accountId));
     }
 
-    public addServicePrincipal(service: any): PolicyStatement {
+    public addServicePrincipal(service: string): PolicyStatement {
         return this.addPrincipal(new ServicePrincipal(service));
     }
 
@@ -233,7 +234,7 @@ export class PolicyStatement extends Token {
     // Resources
     //
 
-    public addResource(resource: any): PolicyStatement {
+    public addResource(resource: string): PolicyStatement {
         this.resource.push(resource);
         return this;
     }
@@ -245,7 +246,7 @@ export class PolicyStatement extends Token {
         return this.addResource('*');
     }
 
-    public addResources(...resources: any[]): PolicyStatement {
+    public addResources(...resources: string[]): PolicyStatement {
         resources.forEach(r => this.addResource(r));
         return this;
     }
@@ -264,7 +265,7 @@ export class PolicyStatement extends Token {
         return this.resource && this.resource.length === 1 && this.resource[0] === '*';
     }
 
-    public describe(sid: any): PolicyStatement {
+    public describe(sid: string): PolicyStatement {
         this.sid = sid;
         return this;
     }
@@ -320,7 +321,7 @@ export class PolicyStatement extends Token {
         return this.addCondition(key, value);
     }
 
-    public limitToAccount(accountId: any): PolicyStatement {
+    public limitToAccount(accountId: string): PolicyStatement {
         return this.addCondition('StringEquals', new Token(() => {
             return { 'sts:ExternalId': accountId };
         }));