From 060dc2c0503d55a5829cd8a2d4ae4efde41ffdc9 Mon Sep 17 00:00:00 2001
From: Mark Tse
Date: Fri, 11 Oct 2019 22:33:16 -0400
Subject: [PATCH] aws - deployment bucket policy for HTTPS only.
---
 .../lib/core-cloudformation-template.json | 30 ++++++++++++++++
 .../package/lib/generateCoreTemplate.test.js | 36 +++++++++++++++++++
 2 files changed, 66 insertions(+)
diff --git a/lib/plugins/aws/package/lib/core-cloudformation-template.json b/lib/plugins/aws/package/lib/core-cloudformation-template.json
index 195b41fd7..69811ce50 100644
--- a/lib/plugins/aws/package/lib/core-cloudformation-template.json
+++ b/lib/plugins/aws/package/lib/core-cloudformation-template.json
@@ -15,6 +15,36 @@
 ]
 }
 }
+ },
+ "ServerlessDeploymentBucketPolicy": {
+ "Type": "AWS::S3::BucketPolicy",
+ "Properties": {
+ "Bucket": {
+ "Ref": "ServerlessDeploymentBucket"
+ },
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": "s3:*",
+ "Effect": "Deny",
+ "Principal": "*",
+ "Resource": [
+ { "Fn::Join": [
+ "",
+ [
+ "arn:aws:s3:::",
+ { "Ref": "ServerlessDeploymentBucket" },
+ "/*"
+ ]
+ ]}
+ ],
+ "Condition":{
+ "Bool": { "aws:SecureTransport": false }
+ }
+ }
+ ]
+ }
+ }
 }
 },
 "Outputs": {
diff --git a/lib/plugins/aws/package/lib/generateCoreTemplate.test.js b/lib/plugins/aws/package/lib/generateCoreTemplate.test.js
index 8a55751cc..dbfbaff81 100644
--- a/lib/plugins/aws/package/lib/generateCoreTemplate.test.js
+++ b/lib/plugins/aws/package/lib/generateCoreTemplate.test.js
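Review bot: The Deny statement's Resource lists only the object ARN (`arn:aws:s3:::<bucket>/*`), so bucket-level calls whose resource is the bucket ARN itself (for example s3:ListBucket or s3:GetBucketLocation) are still allowed over plain HTTP; AWS's enforce-TLS policy guidance names both the bucket ARN and the object ARN. Add a second entry to the Resource array alongside the existing `/*` one, e.g. `{ "Fn::Join": ["", ["arn:aws:s3:::", { "Ref": "ServerlessDeploymentBucket" }]] },` (or `{ "Fn::GetAtt": ["ServerlessDeploymentBucket", "Arn"] }`). The test added in generateCoreTemplate.test.js checks the whole statement with `deep.include`, so its expected Resource array needs the same extra entry. Separately, the condition value is the JSON boolean `false` whereas the documented IAM form is the string `"false"`; S3 appears to accept either, but matching the documented form is worth confirming before relying on it.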
@@ -45,6 +45,42 @@ describe('#generateCoreTemplate()', () => {
 };
 });
+ it('should reject non-HTTPS requests to the deployment bucket', () => {
+ return expect(awsPlugin.generateCoreTemplate()).to.be.fulfilled.then(() => {
+ const serverlessDeploymentBucketPolicy = awsPlugin.serverless.service.provider
+ .compiledCloudFormationTemplate.Resources.ServerlessDeploymentBucketPolicy;
+
+ expect(serverlessDeploymentBucketPolicy).to.exist;
+ expect(serverlessDeploymentBucketPolicy.Type).to.equal('AWS::S3::BucketPolicy');
+ expect(serverlessDeploymentBucketPolicy.Properties).to.exist;
+ expect(serverlessDeploymentBucketPolicy.Properties.Bucket).to.deep.equal({
+ Ref: 'ServerlessDeploymentBucket',
+ });
+
+ expect(serverlessDeploymentBucketPolicy.Properties.PolicyDocument).to.exist;
+ expect(serverlessDeploymentBucketPolicy.Properties.PolicyDocument.Statement).to.exist;
+
+ expect(serverlessDeploymentBucketPolicy.Properties.PolicyDocument.Statement).to.deep.include({
+ Action: 's3:*',
+ Effect: 'Deny',
+ Principal: '*',
+ Resource: [
+ { 'Fn::Join': [
+ '',
+ [
+ 'arn:aws:s3:::',
+ { Ref: 'ServerlessDeploymentBucket' },
+ '/*',
+ ],
+ ]},
+ ],
+ Condition: {
+ Bool: { 'aws:SecureTransport': false },
+ },
+ });
+ });
+ });
+
 it('should use a custom bucket if specified', () => {
 const bucketName = 'com.serverless.deploys';