From f3b966775ea8a049196b1c87e31f4b30f94beff2 Mon Sep 17 00:00:00 2001
From: Kevin Kendzia
Date: Fri, 31 Jan 2025 13:03:49 +0100
Subject: [PATCH] fix(lambda): fix policy parsing for lambda permissions when using roles as principles
Signed-off-by: Kevin Kendzia
(cherry picked from commit d1aab6b05738b219224dc8feb93c55fc89e6b70f)
---
 pkg/controller/lambda/permission/policy.go | 5 ++
 .../lambda/permission/policy_test.go | 63 +++++++++++++++++++
 2 files changed, 68 insertions(+)
diff --git a/pkg/controller/lambda/permission/policy.go b/pkg/controller/lambda/permission/policy.go
index e30aecc3bc..7e1e3fcf41 100644
--- a/pkg/controller/lambda/permission/policy.go
+++ b/pkg/controller/lambda/permission/policy.go
@@ -35,6 +35,7 @@ func (p *policyPrincipal) UnmarshalJSON(data []byte) error {
 }
 p.Service = pp.Service
+ p.AWS = pp.AWS
 return nil
 }
@@ -45,6 +46,7 @@ type policyCondition struct {
 }
 type policyPrincipal struct {
 Service *string `json:"Service,omitempty"`
+ AWS *string `json:"AWS,omitempty"`
 }
 type _policyPrincipal policyPrincipal
@@ -62,6 +64,9 @@ func (p *policyStatement) GetPrincipal() string {
 if p.Principal.Service != nil {
 return *p.Principal.Service
 }
+ if p.Principal.AWS != nil {
+ return *p.Principal.AWS
+ }
 return ""
 }
diff --git a/pkg/controller/lambda/permission/policy_test.go b/pkg/controller/lambda/permission/policy_test.go
index 92fc306d85..a81cdac856 100644
--- a/pkg/controller/lambda/permission/policy_test.go
+++ b/pkg/controller/lambda/permission/policy_test.go
@@ -58,6 +58,17 @@ func TestUnmarshalPolicyPrincipal(t *testing.T) {
 err: nil,
 },
 },
+ "PrincipalObjectAWS": {
+ args: args{
+ rawPolicy: `{"AWS":"aws:arn:iam:::role/test"}`,
+ },
+ want: want{
+ result: policyPrincipal{
+ AWS: stringPtr("aws:arn:iam:::role/test"),
+ },
+ err: nil,
+ },
+ },
 }
 for name, tc := range cases {
 t.Run(name, func(t *testing.T) {
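Review bot: The new `p.AWS = pp.AWS` copies a `*string`, but the `AWS` element of an IAM `Principal` block may also be a JSON array of ARNs, and in that case decoding into `_policyPrincipal` fails before this assignment is reached; the `AWS *string` declaration in the next hunk carries the same limitation. Whether the policies this controller reads back ever use the array form cannot be confirmed from the hunk, so it is worth checking against real Lambda resource policies; if they can, the field needs a type that decodes both a single string and a list, handled here in UnmarshalJSON. UnmarshalJSON starts before the hunk, so the handling of the string-valued principal form and the error path are outside this view.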
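Review bot: The added `AWS` field has no comment saying which kind of principal it holds, and because GetPrincipal later collapses `Service` and `AWS` into one string, a reader of this struct has to know that the two elements are alternatives. A field comment would carry that, e.g. `// AWS is the IAM principal (an ARN) of the statement; a statement uses either this or Service.` The `policyCondition` type named in the hunk header is closed by the first context line and its body lies outside the hunk.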
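Review bot: The added branch in GetPrincipal runs only when `Service` is nil, so a statement carrying both elements silently reports just the service principal; if that combination cannot occur for the policies this controller reads, a comment stating the precedence would document it, otherwise the method needs to surface both. The method also lacks a doc comment; something like `// GetPrincipal returns the statement's principal: the Service element when set, otherwise the AWS element, or "" when neither is present.` would state the contract. If the returned value is compared against a user-supplied principal elsewhere, note that the service may echo an account-ID principal back in its ARN form, which this comparison would then treat as a difference — confirm against the caller, which is outside this hunk.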
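Review bot: The fixture value `aws:arn:iam:::role/test` in the new `PrincipalObjectAWS` case is not in ARN form (the `arn:aws:` prefix is reversed and the account field is empty); the parser does not validate it, but a realistic value such as `arn:aws:iam::123456789012:role/test` (constructed sample account id) keeps the test from implying the malformed form is expected. Neither this hunk nor the one in TestUnmarshalPolicy exercises the new branch in GetPrincipal directly, so a case asserting that a statement with only an `AWS` element returns that string would close the gap. TestUnmarshalPolicyPrincipal starts before the hunk.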
@@ -225,6 +236,58 @@ func TestUnmarshalPolicy(t *testing.T) {
 err: nil,
 },
 },
+ "UnmarshalPolicyWithAWSObjectAsPrincipal": {
+ args: args{
+ rawPolicy: `{
+ "Version":"version",
+ "Id":"default",
+ "Statement":[
+ {
+ "Sid": "sid",
+ "Effect": "effect",
+ "Principal": {
+ "AWS": "arn"
+ },
+ "Action": "action",
+ "Resource": "resource",
+ "Condition": {
+ "StringEquals": {
+ "equals1": "foo"
+ },
+ "ArnLike": {
+ "like2": "bar"
+ }
+ }
+ }
+ ]
+ }`,
+ },
+ want: want{
+ result: &policyDocument{
+ Version: "version",
+ Statement: []policyStatement{
+ {
+ Sid: "sid",
+ Effect: "effect",
+ Action: "action",
+ Resource: "resource",
+ Principal: policyPrincipal{
+ AWS: stringPtr("arn"),
+ },
+ Condition: policyCondition{
+ ArnLike: map[string]string{
+ "like2": "bar",
+ },
+ StringEquals: map[string]string{
+ "equals1": "foo",
+ },
+ },
+ },
+ },
+ },
+ err: nil,
+ },
+ },
 }
 for name, tc := range cases {