add principal validation for iam inline policy

shirady · shirady · commit 497db4e1ba28 · 2025-11-09T10:32:34.000+02:00
Signed-off-by: shirady &lt;57721533+shirady@users.noreply.github.com&gt;
diff --git a/src/util/validation_utils.js b/src/util/validation_utils.js
@@ -79,13 +79,29 @@ function _length_max_check_input(max_length, input_value, parameter_name) {
  */
 function _validate_json_policy_document(input_policy_document) {
     try {
-        JSON.parse(input_policy_document);
+        return JSON.parse(input_policy_document);
     } catch (error) {
-        const message_with_details = `Syntax errors in policy`;
+        const message_with_details = `Syntax errors in policy.`;
         throw new RpcError('MALFORMED_POLICY_DOCUMENT', message_with_details);
     }
 }
 
+/**
+ * _validate_policy_document_iam_no_principal will validate the policy document basic structure
+ * this function purpose is to create better error 
+ * @param {object} policy_document
+ */
+
+ function _validate_policy_document_iam_no_principal(policy_document) {
+     for (const statement of policy_document.Statement) {
+         const statement_principal = statement.Principal || statement.NotPrincipal;
+         if (statement_principal) {
+                const message_with_details = `Policy document should not specify a principal.`;
+                throw new RpcError('MALFORMED_POLICY_DOCUMENT', message_with_details);
+         }
+     }
+ }
+
 /**
  * validate_username will validate:
  * 1. type
@@ -175,7 +191,8 @@ function validate_policy_document(input_policy_document, parameter_name = iam_co
             throw new RpcError('MALFORMED_POLICY_DOCUMENT', message_with_details);
     }
     // valid JSON check
-    _validate_json_policy_document(input_policy_document);
+    const policy_document = _validate_json_policy_document(input_policy_document);
+    _validate_policy_document_iam_no_principal(policy_document);
     return true;
 }
 
