def test_ReadOnlyAccessの権限を所有していない(self):
global account_id
global execute_test
global trace_id
role_name = self.no_role
external_id = self.no_role_external_id
result = checkaccess.check_access_to_aws(trace_id, account_id,
role_name, external_id)
self.assertFalse(result)
def test_ReadOnlyAccessの権限を所有している(self):
global account_id
global execute_test
global trace_id
role_name = self.read_only_access
external_id = self.read_only_access_external_id
result = checkaccess.check_access_to_aws(trace_id, account_id,
role_name, external_id)
self.assertTrue(result)
def test_ManagedPoliciesが付与されていない(self):
global account_id
global execute_test
global trace_id
role_name = self.no_role
external_id = self.no_role_external_id
result = checkaccess.check_access_to_aws(
trace_id, account_id, role_name, external_id,
['AmazonS3FullAccess', 'ReadOnlyAccess'])
self.assertFalse(result)
def test_ReadOnlyAccessとAmazonS3FullAccessのどちらかの権限を所有している(self):
global account_id
global execute_test
global trace_id
role_name = self.read_only_access
external_id = self.read_only_access_external_id
result = checkaccess.check_access_to_aws(
trace_id, account_id, role_name, external_id,
['AmazonS3FullAccess', 'ReadOnlyAccess'])
self.assertFalse(result)
def test_AdministratorAccessの権限を所有していない(self):
global account_id
global execute_test
global trace_id
role_name = self.read_only_access
external_id = self.read_only_access_external_id
result = checkaccess.check_access_to_aws(trace_id, account_id,
role_name, external_id,
['AdministratorAccess'])
self.assertFalse(result)
def update_awscoop(trace_id, project_id, organization_id, coop_id, data_body):
pm_logger = common_utils.begin_logger(trace_id, __name__,
inspect.currentframe())
# Parse JSON
try:
body_object = json.loads(data_body)
aws_account = body_object["awsAccount"]
role_name = body_object["roleName"]
description = body_object["description"]
aws_account_name = body_object['awsAccountName']
except Exception as e:
return common_utils.error_exception(MsgConst.ERR_REQUEST_202,
HTTPStatus.BAD_REQUEST, e,
pm_logger, True)
# Validate
list_error = validate_update_awscoop(aws_account, role_name)
if list_error:
return common_utils.error_validate(MsgConst.ERR_REQUEST_201,
HTTPStatus.UNPROCESSABLE_ENTITY,
list_error, pm_logger)
# Get data AWSアカウント連携
try:
awscoops_item = pm_awsAccountCoops.get_awscoops_update(
trace_id, coop_id, project_id, organization_id)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# 組織情報を取得します。
if awscoops_item is None:
return common_utils.error_common(MsgConst.ERR_301,
HTTPStatus.NOT_FOUND, pm_logger)
# ロールのアクセス確認
if common_utils.is_null(description):
description = None
if common_utils.is_null(aws_account_name):
aws_account_name = None
external_id = awscoops_item['ExternalID']
effective = Effective.Disable.value
members = None
if (checkaccess.check_access_to_aws(trace_id, aws_account, role_name,
external_id)):
effective = Effective.Enable.value
# IAMクライアントを用いて、IAMロールcm-membersportalを取得します。
try:
session = aws_common.create_session_client(trace_id, aws_account,
role_name, external_id)
members = IAMUtils.get_membership_aws_account(
trace_id, session, aws_account)
except PmError as e:
common_utils.write_log_pm_error(e, pm_logger, exc_info=True)
# update project
attribute = {
'AWSAccount': {
"Value": aws_account
},
'RoleName': {
"Value": role_name
},
'Description': {
"Value": description
},
'Effective': {
"Value": effective
},
'AWSAccountName': {
"Value": aws_account_name
}
}
if (members is not None):
attribute['Members'] = {"Value": members}
updated_at = awscoops_item['UpdatedAt']
try:
pm_awsAccountCoops.update_awscoops(trace_id, coop_id, attribute,
updated_at)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_DB_403,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# Get data response
try:
awscoops_item = pm_awsAccountCoops.query_awscoop_coop_key(
trace_id, coop_id, convert_response=True)
except PmError as e:
return common_utils.error_exception(MsgConst.ERR_402,
HTTPStatus.INTERNAL_SERVER_ERROR,
e, pm_logger, True)
# return data response
response = common_utils.get_response_by_response_body(
HTTPStatus.OK, awscoops_item)
return common_utils.response(response, pm_logger)