Skip to content

Add case-sensitive ARN ID collision xfail tests #53

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
InfoSecHack merged 1 commit into from
Jun 4, 2026
Merged

Add case-sensitive ARN ID collision xfail tests #53

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
115 changes: 115 additions & 0 deletions tests/identity/test_case_sensitive_id_collision.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,115 @@
"""Regression evidence for case-sensitive ARN deterministic ID collisions."""

from __future__ import annotations

import pytest

from iamscope.identity.deterministic_ids import edge_id, node_id

_XFAIL_REASON = (
"known v2 canonical_id lowercases provider_id; fixed by planned v3 case-preserving provider_id algorithm"
)

_EMPTY_FEATURES_DIGEST = "{}"


@pytest.mark.xfail(reason=_XFAIL_REASON, strict=True)
def test_case_distinct_iam_role_provider_ids_do_not_collide_under_node_id() -> None:
upper_role = node_id(
"aws",
"IAMRole",
"arn:aws:iam::000000000000:role/CaseRole",
)
lower_role = node_id(
"aws",
"IAMRole",
"arn:aws:iam::000000000000:role/caserole",
)

assert upper_role != lower_role


@pytest.mark.xfail(reason=_XFAIL_REASON, strict=True)
def test_case_distinct_iam_user_provider_ids_do_not_collide_under_node_id() -> None:
upper_user = node_id(
"aws",
"IAMUser",
"arn:aws:iam::000000000000:user/CaseUser",
)
lower_user = node_id(
"aws",
"IAMUser",
"arn:aws:iam::000000000000:user/caseuser",
)

assert upper_user != lower_user


@pytest.mark.xfail(reason=_XFAIL_REASON, strict=True)
def test_case_distinct_source_provider_ids_do_not_collide_under_edge_id() -> None:
upper_source = edge_id(
"sts:AssumeRole_permission",
"arn:aws:iam::000000000000:user/CaseUser",
"arn:aws:iam::000000000000:role/TargetRole",
"-",
_EMPTY_FEATURES_DIGEST,
)
lower_source = edge_id(
"sts:AssumeRole_permission",
"arn:aws:iam::000000000000:user/caseuser",
"arn:aws:iam::000000000000:role/TargetRole",
"-",
_EMPTY_FEATURES_DIGEST,
)

assert upper_source != lower_source


@pytest.mark.xfail(reason=_XFAIL_REASON, strict=True)
def test_case_distinct_destination_provider_ids_do_not_collide_under_edge_id() -> None:
upper_destination = edge_id(
"sts:AssumeRole_permission",
"arn:aws:iam::000000000000:user/SourceUser",
"arn:aws:iam::000000000000:role/CaseRole",
"-",
_EMPTY_FEATURES_DIGEST,
)
lower_destination = edge_id(
"sts:AssumeRole_permission",
"arn:aws:iam::000000000000:user/SourceUser",
"arn:aws:iam::000000000000:role/caserole",
"-",
_EMPTY_FEATURES_DIGEST,
)

assert upper_destination != lower_destination


def test_exact_repeated_inputs_remain_deterministic() -> None:
first_node_id = node_id(
"aws",
"IAMRole",
"arn:aws:iam::000000000000:role/CaseRole",
)
second_node_id = node_id(
"aws",
"IAMRole",
"arn:aws:iam::000000000000:role/CaseRole",
)
first_edge_id = edge_id(
"sts:AssumeRole_permission",
"arn:aws:iam::000000000000:user/CaseUser",
"arn:aws:iam::000000000000:role/CaseRole",
"-",
_EMPTY_FEATURES_DIGEST,
)
second_edge_id = edge_id(
"sts:AssumeRole_permission",
"arn:aws:iam::000000000000:user/CaseUser",
"arn:aws:iam::000000000000:role/CaseRole",
"-",
_EMPTY_FEATURES_DIGEST,
)

assert first_node_id == second_node_id
assert first_edge_id == second_edge_id