fix(iam): roleName not validated in fromRoleName function (#24549)

lpizzinidev · web-flow · commit 637fc6a8526b · 2023-03-30T02:37:59.000Z
The `validateRoleName` function validates the `roleName` parameter passed to the `fromRoleName` function following the pattern specified in the [docs](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html). Closes #24503. **Note** I added the `IAM_IMPORTED_ROLE_STACK_SAFE_DEFAULT_POLICY_NAME` feature flag check because [this](https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-iam/test/integ.imported-role.ts) integration test failed, generating a `roleName` in the format `${Token[TOKEN.26]}`. I don't know if this is the expected behavior, a bug, or an error in my implementation. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-iam/lib/role.ts b/packages/@aws-cdk/aws-iam/lib/role.ts
@@ -318,6 +318,10 @@ export class Role extends Resource implements IRole {
    * @param options allow customizing the behavior of the returned role
    */
   public static fromRoleName(scope: Construct, id: string, roleName: string, options: FromRoleNameOptions = {}) {
+    // Validate the role name only if not a token
+    if (!Token.isUnresolved(roleName)) {
+      this.validateRoleName(roleName);
+    }
     return Role.fromRoleArn(scope, id, Stack.of(scope).formatArn({
       region: '',
       service: 'iam',
@@ -367,6 +371,15 @@ export class Role extends Resource implements IRole {
     });
   }
 
+  private static validateRoleName(roleName: string) {
+    // https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html
+    const regexp: RegExp = /[\w+=,.@-]+/;
+    const matches = regexp.exec(roleName);
+    if (!(matches && matches.length === 1 && matches[0] === roleName)) {
+      throw new Error(`The role name ${roleName} does not match the IAM conventions.`);
+    }
+  }
+
   public readonly grantPrincipal: IPrincipal = this;
   public readonly principalAccount: string | undefined = this.env.account;
 
diff --git a/packages/@aws-cdk/aws-iam/test/role.test.ts b/packages/@aws-cdk/aws-iam/test/role.test.ts
@@ -1294,3 +1294,14 @@ test('cross-env role ARNs include path', () => {
     },
   });
 });
+
+test('fromRoleName should validate role name (only if not a token)', () => {
+  const app = new App();
+  const stack = new Stack(app, 'MyStack');
+  expect(() => {
+    Role.fromRoleName(stack, 'Invalid role name', 'arn:aws:iam::***:role/myrole');
+  }).toThrow(/does not match the IAM conventions/);
+  expect(() => {
+    Role.fromRoleName(stack, 'Token', '${Token[TOKEN.26]}');
+  }).not.toThrow();
+});
