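def test_update_group_bucket_path_access(iam, group, resources_1, resources_2):
    """A second path-scoped grant replaces the first set of paths exactly.

    Grants ``readonly`` on ``resources_1``, then on ``resources_2``, and checks
    after each grant that the ``readonly`` statement's resources are exactly
    the ``<path>/*`` object ARNs requested -- nothing from the previous grant
    may linger and nothing may be widened to the whole bucket. The ``list``
    statement must stay limited to the bucket ARN itself (same expectation as
    the other grant tests in this file).

    Args:
        iam: fixture that provides the (mocked) IAM backend.
        group: IAM group fixture with ``arn``, ``reload()`` and
            ``default_version.document``.
        resources_1: first set of bucket-relative paths (e.g. ``/prefix``).
        resources_2: second set of bucket-relative paths that supersedes the
            first.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'

    def scoped_arns(resources):
        # (path ARNs passed to the grant, object ARNs expected in the policy)
        paths = [f'{bucket_arn}{resource}' for resource in resources]
        objects = [f'{bucket_arn}{resource}/*' for resource in resources]
        return paths, objects

    def current_statements():
        group.reload()
        return get_statements_by_sid(group.default_version.document)

    path_arns_list_1, path_arns_object_1 = scoped_arns(resources_1)
    path_arns_list_2, path_arns_object_2 = scoped_arns(resources_2)

    aws.grant_group_bucket_access(group.arn, bucket_arn, 'readonly',
                                  path_arns_list_1)
    statements = current_statements()
    # Exact equality: no extra resources, no whole-bucket wildcard.
    assert set(path_arns_object_1) == set(statements['readonly']['Resource'])
    # Path-scoped object access must not widen ListBucket beyond the bucket.
    assert {bucket_arn} == set(statements['list']['Resource'])

    aws.grant_group_bucket_access(group.arn, bucket_arn, 'readonly',
                                  path_arns_list_2)
    statements = current_statements()
    # The new grant must fully replace the old paths, not merge with them.
    assert set(path_arns_object_2) == set(statements['readonly']['Resource'])
    assert {bucket_arn} == set(statements['list']['Resource'])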
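def test_grant_group_bucket_access(iam, group, resources):
    """Granting readonly access produces exactly the expected policy statements.

    With paths, the ``readonly`` statement covers only ``<path>/*`` object ARNs
    and must not contain the whole-bucket ``<bucket>/*`` wildcard; without
    paths it covers the whole bucket. No ``readwrite`` statement is created,
    and ``list`` is limited to the bucket ARN. A second grant on another
    bucket must add exactly one object resource while leaving the first
    bucket's resources untouched -- checking the count alone (as before) would
    not detect a second grant that silently widened the first bucket's scope.

    Args:
        iam: fixture that provides the (mocked) IAM backend.
        group: IAM group fixture with ``arn``, ``reload()`` and
            ``default_version.document``.
        resources: bucket-relative paths to scope the grant to; may be empty.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'
    path_arns_list = [f'{bucket_arn}{resource}' for resource in resources]
    path_arns_object = [f'{bucket_arn}{resource}/*' for resource in resources]
    whole_bucket_objects = f'{bucket_arn}/*'

    aws.grant_group_bucket_access(group.arn, bucket_arn, 'readonly',
                                  path_arns_list)

    group.reload()
    statements = get_statements_by_sid(group.default_version.document)

    readonly_resources = set(statements['readonly']['Resource'])
    if path_arns_object:
        expected_first_bucket = set(path_arns_object)
        assert expected_first_bucket == readonly_resources
        # A path-scoped grant must never fall back to the whole bucket.
        assert whole_bucket_objects not in readonly_resources
    else:
        expected_first_bucket = {whole_bucket_objects}
        assert expected_first_bucket == readonly_resources
    # no readwrite statement because no readwrite access granted
    assert 'readwrite' not in statements
    assert {bucket_arn} == set(statements['list']['Resource'])

    aws.grant_group_bucket_access(group.arn, f'{bucket_arn}-2', 'readonly')
    group.reload()
    statements = get_statements_by_sid(group.default_version.document)

    readonly_after = statements['readonly']['Resource']
    # Exactly one resource is added for the second bucket ...
    assert len(readonly_after) == len(expected_first_bucket) + 1
    # ... and the first bucket's resources are preserved unchanged.
    assert expected_first_bucket <= set(readonly_after)
    if path_arns_object:
        # Adding another bucket must not widen the first bucket's scope.
        assert whole_bucket_objects not in readonly_after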
def test_revoke_group_bucket_path_access(iam, group, resources):
    """Re-granting without paths replaces path-scoped access with whole-bucket access.

    First grants ``readonly`` scoped to ``resources``, then grants ``readonly``
    on the bucket with no paths. Afterwards the ``readonly`` statement must
    contain only the ``<bucket>/*`` wildcard (the scoped paths are gone) and
    the ``list`` statement only the bucket ARN.

    Args:
        iam: fixture that provides the (mocked) IAM backend.
        group: IAM group fixture with ``arn``, ``reload()`` and
            ``default_version.document``.
        resources: bucket-relative paths used for the initial scoped grant.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'
    scoped_path_arns = [f'{bucket_arn}{prefix}' for prefix in resources]
    aws.grant_group_bucket_access(group.arn, bucket_arn, 'readonly',
                                  scoped_path_arns)

    # Grant again with no path list: this is how path scoping is dropped.
    aws.grant_group_bucket_access(group.arn, bucket_arn, 'readonly')
    group.reload()
    statements = get_statements_by_sid(group.default_version.document)

    readonly_resources = set(statements['readonly']['Resource'])
    list_resources = set(statements['list']['Resource'])
    assert readonly_resources == {f'{bucket_arn}/*'}
    assert list_resources == {bucket_arn}
def test_revoke_group_bucket_access(iam, group, resources):
    """Revoking bucket access removes every statement for that bucket.

    Grants path-scoped ``readonly`` access, revokes access to the bucket, and
    then checks that none of the ``readonly``, ``readwrite`` or ``list``
    statements remain in the group's default policy version.

    Args:
        iam: fixture that provides the (mocked) IAM backend.
        group: IAM group fixture with ``arn``, ``reload()`` and
            ``default_version.document``.
        resources: bucket-relative paths used for the initial scoped grant.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'
    scoped_path_arns = [f'{bucket_arn}{prefix}' for prefix in resources]
    aws.grant_group_bucket_access(group.arn, bucket_arn, 'readonly',
                                  scoped_path_arns)

    aws.revoke_group_bucket_access(group.arn, bucket_arn)

    group.reload()
    statements = get_statements_by_sid(group.default_version.document)

    # Revocation must leave no access statement behind, including the
    # ListBucket statement that accompanied the grant.
    for sid in ('readonly', 'readwrite', 'list'):
        assert sid not in statements
 def grant_bucket_access(self, bucket_arn, access_level, path_arns):
     """Grant this group access to a bucket, optionally scoped to paths.

     Thin wrapper that forwards to ``aws.grant_group_bucket_access`` with
     this group's ARN.

     Args:
         bucket_arn: ARN of the S3 bucket to grant access to.
         access_level: access level passed through unchanged (the tests in
             this file use ``'readonly'``).
         path_arns: bucket-path ARNs restricting the grant; passed through
             as given.
     """
     group_arn = self.arn
     aws.grant_group_bucket_access(group_arn, bucket_arn, access_level,
                                   path_arns)