From 452021b3216b517e4a3a02ec7c36dbedac379459 Mon Sep 17 00:00:00 2001
From: Pat Myron
Date: Sat, 16 Jan 2021 20:05:37 -0800
Subject: [PATCH] no wildcards in handler permissions

https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-greengrassv2/pull/4 https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-imagebuilder/commit/55fa9bfa47406e29def2bf1812fbce8cc7c17b8b#r46035310
---
 src/rpdk/core/data_loaders.py | 10 ++++++++-
 .../invalid_wildcard_handler_permissions.json | 21 +++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/schema/valid/invalid_wildcard_handler_permissions.json

diff --git a/src/rpdk/core/data_loaders.py b/src/rpdk/core/data_loaders.py
index 403327b88..6bb778a03 100644
--- a/src/rpdk/core/data_loaders.py
+++ b/src/rpdk/core/data_loaders.py
@@ -123,7 +123,7 @@ def get_file_base_uri(file):
 return path.resolve().as_uri()


-def load_resource_spec(resource_spec_file): # noqa: C901
+def load_resource_spec(resource_spec_file): # pylint: disable=too-many-branches # noqa: C901
 """Load a resource provider definition from a file, and validate it."""
 try:
 resource_spec = json.load(resource_spec_file)
@@ -164,6 +164,14 @@ def load_resource_spec(resource_spec_file): # noqa: C901
 "readOnlyProperties cannot be specified by customers and should not overlap with writeOnlyProperties or createOnlyProperties"
 )

+ for handler in resource_spec.get("handlers", []):
+ for permission in resource_spec.get("handlers", [])[handler]["permissions"]:
+ if "*" in permission:
+ LOG.warning(
+ "Use specific handler permissions instead of using wildcards: %s",
+ permission,
+ )
+
 try:
 additional_properties_validator.validate(resource_spec)
 except ValidationError as e:
diff --git a/tests/data/schema/valid/invalid_wildcard_handler_permissions.json b/tests/data/schema/valid/invalid_wildcard_handler_permissions.json
new file mode 100644
index 000000000..7890b0459
--- /dev/null
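Review bot: The new `# pylint: disable=too-many-branches` on the `def load_resource_spec` line silences the branch-count lint that the wildcard loop in the later hunk pushes over the limit, on a function that already carries `# noqa: C901` for the same complexity reason. Moving the new check into a small helper such as `def _warn_on_wildcard_permissions(resource_spec):` and calling it from load_resource_spec would keep both lints clean without stacking a second pragma on the signature. The docstring `"""Load a resource provider definition from a file, and validate it."""` could also say that wildcard handler permissions are logged rather than rejected, since "validate" suggests otherwise. The body of load_resource_spec continues past the end of this hunk.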
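Review bot: `resource_spec.get("handlers", [])[handler]["permissions"]` raises KeyError for a handler entry that has no `permissions` key, and it repeats the `handlers` lookup with a list as the default for what the fixture shows is a mapping; `for handler in resource_spec.get("handlers", {}).values():` with `for permission in handler.get("permissions", []):` covers both, unless the meta-schema validation earlier in load_resource_spec (outside this hunk) already guarantees the key, in which case a one-line comment saying so would save the next reader the same question. The check only logs at WARNING level, so a schema declaring `service:*` still loads, which is at odds with the commit title "no wildcards in handler permissions"; either the warning should become a validation failure alongside the other checks in this function, or the log message and docstring should make clear it is advisory. Since these permissions scope what the handler is allowed to do, a wildcard here is the least-privilege defect the check is meant to catch, so it is worth deciding deliberately whether warn-only is enough.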
+++ b/tests/data/schema/valid/invalid_wildcard_handler_permissions.json
@@ -0,0 +1,21 @@
+{
+ "typeName" : "AWS::Service::Type",
+ "description" : "",
+ "additionalProperties" : false,
+ "properties" : {
+ "Property" : {
+ "type" : "string"
+ }
+ },
+ "readOnlyProperties": [
+ "/properties/Property"
+ ],
+ "primaryIdentifier" : [ "/properties/Property" ],
+ "handlers": {
+ "create": {
+ "permissions": [
+ "service:create*"
+ ]
+ }
+ }
+}
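Review bot: The fixture is placed under `tests/data/schema/valid/` but named `invalid_wildcard_handler_permissions.json`, which reads as a contradiction; since the loader only warns on `service:create*` and still accepts the schema, a name such as `wildcard_handler_permissions.json` would match what the directory signals. The diff adds the fixture but no test that asserts the warning is actually emitted for it, so the new check is not pinned by the suite; a test that loads this file and checks the log output would close that gap.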