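def test_need_naked_permission_to_retrieve_aws_access_key_secret(core_session, cloud_provider_ec2_account_config, live_aws_cloud_provider, user, cds_session):
    """"Manage" lets a user import an AWS access key but not read its secret; "Naked" is required for that.

    Flow, all against a live AWS cloud provider:
      1. the privileged session adds the IAM user as an account under the provider;
      2. the limited user, holding no permission, is refused when importing the key;
      3. after "Manage" is granted the import succeeds ...
      4. ... but retrieving the stored secret is still refused;
      5. after "Naked" is granted the retrieval succeeds and returns the original id and secret.

    Args:
        core_session: privileged session used for setup and permission grants.
        cloud_provider_ec2_account_config: mapping of user -> IAM config (username, access keys).
        live_aws_cloud_provider: fixture tuple (cloud_provider_id, deletion flag, key-populating helper);
            only the id is used here.
        user: key into cloud_provider_ec2_account_config selecting the IAM user.
        cds_session: fixture tuple (session of the limited user, the limited user object).

    NOTE(review): failure messages deliberately do not echo the retrieve response or the
    expected secret - on the unexpected-success path that would write the live AWS
    SecretAccessKey into the test log. Whether assigning "Naked" replaces or extends the
    earlier "Manage" grant is not visible from this test; verify against the API if it matters.
    """
    cloud_provider_id, _test_deleted_provider, _populate_iam_user_with_access_keys = live_aws_cloud_provider
    requester_session, limited_user = cds_session

    iam_user = cloud_provider_ec2_account_config[user]
    access_key_1 = iam_user['access_key_1']
    key_id = access_key_1['id']
    key_secret = access_key_1['secret']

    account_id, success = ResourceManager.add_account_cloud_provider(core_session, iam_user['username'], "", cloud_provider_id)
    assert success, f"Account addition failed with API response result {account_id}"

    # No permission at all: the import must be refused.
    result, success = CloudProviderManager.import_aws_access_key(requester_session, key_id, key_secret)
    assert not success, f"Succeeded to add access key1 when failure was expected {result}"

    result, success = ResourceManager.assign_account_permissions(core_session, "Manage", limited_user.get_login_name(), limited_user.get_id(), "User", account_id)
    assert success, f"Failed to execute API call to set permissions {result}"

    # With Manage the import must now be accepted (the original message here said the opposite).
    result, success = CloudProviderManager.import_aws_access_key(requester_session, key_id, key_secret)
    assert success, f"Failed to add access key1 after Manage permission was granted {result}"

    rows = CloudProviderManager.get_aws_access_keys(core_session, account_id)[0]
    # Fail with a clear message instead of an IndexError if the listing came back empty.
    assert rows, "No AWS access keys listed for the account after a successful import"
    stored_key_row_id = rows[0]['ID']

    # Manage alone must not expose the secret.
    retrieve_single, success = CloudProviderManager.retrieve_aws_access_key(requester_session, account_id, stored_key_row_id)
    assert not success, "Retrieved the AWS access key secret with only Manage permission (Naked is required)"

    result, success = ResourceManager.assign_account_permissions(core_session, "Naked", limited_user.get_login_name(), limited_user.get_id(), "User", account_id)
    assert success, f"Failed to execute API call to set permissions {result}"

    retrieve_single, success = CloudProviderManager.retrieve_aws_access_key(requester_session, account_id, stored_key_row_id)
    assert success, f"Failed to retrieve AWS access keys {retrieve_single}"

    # Compare the secret without echoing either value on mismatch; the key id is enough to identify the row.
    assert retrieve_single['SecretAccessKey'] == key_secret, f"Did not return correct AWS access key secret for key id {key_id} (values withheld from log)"
    assert retrieve_single['AccessKeyId'] == key_id, f"Did not return correct AWS access key id, got {retrieve_single['AccessKeyId']} expected {key_id}"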
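def test_delete_cloud_provider_fails_without_permission(
        core_session, fake_cloud_provider_root_account, fake_cloud_provider,
        cds_session):
    """A user with no rights on the cloud provider or its account must not be able to delete either.

    The privileged core_session only performs setup (adding an account under the fake
    provider); every delete is then attempted with the limited user's session and must be
    refused.

    Args:
        core_session: privileged session used for setup only.
        fake_cloud_provider_root_account: fixture tuple (account_id, username, password,
            cloud_provider_id, cleanup callable). Nothing from it is used here - the original
            unpacked it and immediately shadowed every name - but the fixture is presumably
            still needed for its setup side effects, so it stays in the signature.
        fake_cloud_provider: fixture tuple (name, desc, cloud_provider_id, cloud_account_id,
            cleanup callable); supplies the provider id under test.
        cds_session: fixture tuple (session of the limited user, the limited user object).

    NOTE(review): this test proves the calls are denied but never re-reads the provider or
    account afterwards to confirm they still exist. A positive "still present" check would
    also catch an API that reports failure yet deletes anyway.
    """
    _root_account_id, _username, _password, _root_cloud_provider_id, _root_cleanup = fake_cloud_provider_root_account
    name, desc, cloud_provider_id, cloud_account_id, test_did_cleaning = fake_cloud_provider
    account_name = f"acctname{guid()}"

    account_id, success = ResourceManager.add_account_cloud_provider(
        core_session, account_name, "", cloud_provider_id)
    assert success, f"Account addition failed with API response result {account_id}"

    pas_user_session, limited_user = cds_session

    # Deleting the provider as the limited user must be refused.
    result, success = CloudProviderManager.delete_cloud_providers(
        pas_user_session, [cloud_provider_id], save_passwords=False)
    assert not success, f"Delete should not have succeeded {result}"

    # Same call with a bare id instead of a list. A refusal here may stem from the
    # argument shape rather than from authorization; the list form above is the
    # meaningful permission check.
    result, success = CloudProviderManager.delete_cloud_providers(
        pas_user_session, cloud_provider_id)
    assert not success, f"Delete should not have succeeded {result}"

    # Deleting the account itself must also be refused. The call is made twice, as in
    # the original; the second attempt must be refused just like the first.
    result, success = ResourceManager.del_account(pas_user_session, account_id)
    assert not success, f"Deleting IAM account succeeded for an unprivileged user, API response result: {result}"

    result, success = ResourceManager.del_account(pas_user_session, account_id)
    assert not success, f"Second delete of IAM account succeeded for an unprivileged user, API response result: {result}"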
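def test_delete_cloud_provider_secret(core_session,
                                      fake_cloud_provider_root_account,
                                      fake_cloud_provider, secret_cleaner):
    """Deleting a cloud provider with save_passwords=True must stash its credentials in a named secret.

    Flow:
      1. add an account under the fake provider and set an MFA token on it;
      2. delete the provider with save_passwords=True and a fresh secret name;
      3. wait for the secret to appear, look up its id and register it for cleanup;
      4. grant the current user View/Edit/Retrieve on the secret (the delete does not
         appear to grant this on its own, since the test has to do it before reading);
      5. read the secret file and check that the root username/password, provider id,
         account name and MFA secret all ended up in it.

    Args:
        core_session: privileged session used for every call.
        fake_cloud_provider_root_account: fixture tuple (account_id, username, password,
            cloud_provider_id, cleanup callable); only username/password are used, the rest
            is shadowed by fake_cloud_provider / the account added below.
        fake_cloud_provider: fixture tuple (name, desc, cloud_provider_id, cloud_account_id,
            cleanup callable).
        secret_cleaner: list the fixture tears down; the created secret id is appended to it.

    NOTE(review): failure messages no longer interpolate the secret file contents - that
    file holds the root password and the MFA secret, and an assertion failure would have
    written them into the test log.
    """
    _root_account_id, username, password, _root_cloud_provider_id, _root_cleanup = fake_cloud_provider_root_account
    name, desc, cloud_provider_id, cloud_account_id, test_did_cleaning = fake_cloud_provider
    account_name = f"acctname{guid()}"
    account_id, success = ResourceManager.add_account_cloud_provider(
        core_session, account_name, "", cloud_provider_id)
    assert success, f"Account addition failed with API response result {account_id}"

    # Fake MFA secret; it only has to be recognisable in the saved secret file.
    key_secret = "kjshakjsakjasgfkjysgkjagfkjsakjgfakjsf"

    result, success = CloudProviderManager.set_mfa_token(
        core_session, account_id, key_secret)
    assert success, f"Failed to set mfa token {result}"

    secret_name = f"SecretName{guid()}"

    result, success = CloudProviderManager.delete_cloud_providers(
        core_session, [cloud_provider_id],
        save_passwords=True,
        secret_name=secret_name)
    assert success, f"Failed to delete cloud provider with response {result}"
    # Presumably tells the fixture the provider is already gone so teardown skips it.
    test_did_cleaning()

    # Secret creation is asynchronous relative to the delete call.
    ResourceManager.wait_for_secret_to_exist_or_timeout(
        core_session, secret_name)

    secret_id = RedrockController.get_secret_id_by_name(
        core_session, secret_name)

    assert secret_id is not None, "No secret was created"

    secret_cleaner.append(secret_id)
    user = core_session.get_user()
    user_name = user.get_login_name()
    user_id = user.get_id()

    result, success = set_users_effective_permissions(core_session, user_name,
                                                      "View,Edit,Retrieve",
                                                      user_id, secret_id)
    assert success, f"Did not set secret permission successfully with message {result}"

    secret_file_contents = get_file_secret_contents(core_session, secret_id)

    # Name the missing field only; never print the file, it contains live credentials.
    withheld = "(secret file contents withheld from log)"
    assert username in secret_file_contents, f"username absent from secret file {withheld}"
    assert password in secret_file_contents, f"password absent from secret file {withheld}"
    assert cloud_provider_id in secret_file_contents, f"cloud_provider_id absent from secret file {withheld}"
    assert account_name in secret_file_contents, f"account_name absent from secret file {withheld}"
    assert key_secret in secret_file_contents, f"mfa secret absent from secret file {withheld}"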
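def test_cant_add_access_key_without_manage_permission(core_session, cloud_provider_ec2_account_config, live_aws_cloud_provider, user, cds_session):
    """Importing an AWS access key for an account requires "Manage" on that account.

    The limited user is refused before any permission is granted and accepted once
    "View,Manage" has been assigned by the privileged session.

    Args:
        core_session: privileged session used for setup and the permission grant.
        cloud_provider_ec2_account_config: mapping of user -> IAM config (username, access keys).
        live_aws_cloud_provider: fixture tuple (cloud_provider_id, deletion flag, key-populating helper);
            only the id is used here.
        user: key into cloud_provider_ec2_account_config selecting the IAM user.
        cds_session: fixture tuple (session of the limited user, the limited user object).
    """
    cloud_provider_id, _test_deleted_provider, _populate_iam_user_with_access_keys = live_aws_cloud_provider
    requester_session, limited_user = cds_session

    iam_user = cloud_provider_ec2_account_config[user]
    access_key_1 = iam_user['access_key_1']

    account_id, success = ResourceManager.add_account_cloud_provider(core_session, iam_user['username'], "", cloud_provider_id)
    assert success, f"Account addition failed with API response result {account_id}"

    # No permission yet: the import must be refused.
    result, success = CloudProviderManager.import_aws_access_key(requester_session, access_key_1['id'], access_key_1['secret'])
    assert not success, f"Succeeded to add access key1 when failure was expected {result}"

    result, success = ResourceManager.assign_account_permissions(core_session, "View,Manage", limited_user.get_login_name(), limited_user.get_id(), "User", account_id)
    assert success, f"Failed to execute API call to set permissions {result}"

    # With Manage granted the import must now be accepted (the original message here said the opposite).
    result, success = CloudProviderManager.import_aws_access_key(requester_session, access_key_1['id'], access_key_1['secret'])
    assert success, f"Failed to add access key1 after Manage permission was granted {result}"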