Example #1
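def test_iam_construct_policy(requests_get):
    """Check that construct_policy assembles a policy from pipeline settings.

    Three cases are exercised in turn: the unmodified base settings, S3
    enabled with ``True``, and a list of DynamoDB table names.

    Args:
        requests_get: fixture that the body never references; presumably it
            patches outbound HTTP calls -- confirm against conftest.
    """
    # Deep copy so that the updates below never touch BASE_SETTINGS itself.
    settings = copy.deepcopy(BASE_SETTINGS)

    # The base settings on their own are expected to yield no policy at all.
    policy_json = construct_policy(pipeline_settings=settings)
    assert policy_json is None

    settings.update({'services': {'s3': True}})
    policy_json = construct_policy(app='unicornforrest',
                                   env='stage',
                                   group='forrest',
                                   pipeline_settings=settings)

    # S3 case: the rendered document must parse as a JSON object.
    assert isinstance(json.loads(policy_json), dict)

    # TODO: Test other services besides S3
    # dict.update() replaces the whole 'services' mapping, so S3 is no longer
    # enabled for this call; only DynamoDB is requested.
    settings.update({
        'services': {
            'dynamodb': ['coreforrest', 'edgeforrest', 'attendantdevops']
        }
    })
    policy_json = construct_policy(pipeline_settings=settings)
    policy = json.loads(policy_json)

    # Only the shape is checked here. Nothing yet asserts that the statement
    # is limited to the three tables named above, which is the property a
    # least-privilege review would want pinned down.
    assert isinstance(policy, dict)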
Example #2
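def test_construct_s3(requests_get):
    """Check the S3 policy rendered when ``services.s3`` is simply ``True``.

    Two statements are expected: one that only lists the bucket and one that
    allows deleting, getting and putting objects.

    Args:
        requests_get: fixture that the body never references; presumably it
            patches outbound HTTP calls -- confirm against conftest.
    """
    pipeline_settings = copy.deepcopy(BASE_SETTINGS)
    pipeline_settings.update({'services': {'s3': True}})

    policy_json = construct_policy(app='unicornforrest',
                                   env='dev',
                                   group='forrest',
                                   pipeline_settings=pipeline_settings)
    policy = json.loads(policy_json)
    assert len(policy['Statement']) == 2

    allow_list_policy, allow_edit_policy = policy['Statement']

    # len(...) == 1 on its own is also true for the one-character string '*',
    # so a bare length check cannot tell a single scoped ARN from a wildcard
    # resource. Require a list and reject a bare '*' entry before counting.
    for statement in (allow_list_policy, allow_edit_policy):
        assert isinstance(statement['Resource'], list)
        assert '*' not in statement['Resource']

    assert len(allow_list_policy['Action']) == 1
    assert 's3:ListBucket' in allow_list_policy['Action']
    assert len(allow_list_policy['Resource']) == 1

    # Exactly the three object-level actions, and nothing broader.
    assert len(allow_edit_policy['Action']) == 3
    for action in ('Delete', 'Get', 'Put'):
        assert 's3:{0}Object'.format(action) in allow_edit_policy['Action']
    assert len(allow_edit_policy['Resource']) == 1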
Example #3
def test_construct_sdb_domains(requests_get, get_base_settings):
    """Verify the SimpleDB policy when more than one domain is requested.

    A single statement is expected, carrying one resource per requested
    domain, in the order the domains were listed.

    Args:
        requests_get: fixture that the body never references; presumably it
            patches outbound HTTP calls -- confirm against conftest.
        get_base_settings: fixture supplying the settings mapping to extend.
    """
    # NOTE(review): update() mutates the object the fixture handed out;
    # confirm the fixture returns a fresh copy for every test.
    settings = get_base_settings
    settings.update({'services': {'sdb': ['Domain1', 'Domain2']}})

    rendered = construct_policy(
        app='unicornforrest',
        env='dev',
        group='forrest',
        pipeline_settings=settings,
    )
    policy = json.loads(rendered)

    statements = policy['Statement']
    assert len(statements) == 1

    resources = statements[0]['Resource']
    assert len(resources) == 2

    # Each resource must end with its domain name, so the statement is tied
    # to the named domains and the listing order is preserved.
    for position, suffix in enumerate(('Domain1', 'Domain2')):
        assert resources[position].endswith(suffix)
Example #4
def test_construct_cloudwatchlogs(requests_get, get_base_settings):
    """Verify the CloudWatch Logs statement for a ``lambda``-type pipeline.

    Exactly one statement with Sid ``LambdaCloudWatchLogs`` is expected. It
    must be an Allow with three actions, all in the ``logs:`` namespace.

    Args:
        requests_get: fixture that the body never references; presumably it
            patches outbound HTTP calls -- confirm against conftest.
        get_base_settings: fixture supplying the settings mapping to extend.
    """
    # NOTE(review): update() mutates the object the fixture handed out;
    # confirm the fixture returns a fresh copy for every test.
    settings = get_base_settings
    settings.update({'services': {'cloudwatchlogs': True}, 'type': 'lambda'})

    rendered = construct_policy(app='unicornforrest',
                                env='dev',
                                group='forrest',
                                pipeline_settings=settings)
    policy = json.loads(rendered)

    matching = [entry for entry in policy['Statement'] if entry['Sid'] == 'LambdaCloudWatchLogs']
    assert len(matching) == 1

    logs_statement = matching[0]
    assert logs_statement['Effect'] == 'Allow'

    # Three actions, none outside the logs: namespace. Resource is not
    # inspected here, so this test does not show how narrowly the statement
    # is scoped.
    granted = logs_statement['Action']
    assert len(granted) == 3
    assert all(name.startswith('logs:') for name in granted)
Example #5
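def test_construct_s3_buckets(requests_get, get_base_settings):
    """Check the S3 policy when ``services.s3`` is a list of bucket names.

    Two statements are expected (list and edit), each carrying three
    resources for the two buckets requested.

    Args:
        requests_get: fixture that the body never references; presumably it
            patches outbound HTTP calls -- confirm against conftest.
        get_base_settings: fixture supplying the settings mapping to extend.
    """
    # NOTE(review): update() mutates the object the fixture handed out;
    # confirm the fixture returns a fresh copy for every test.
    pipeline_settings = get_base_settings
    pipeline_settings.update({'services': {'s3': ['Bucket1', 'Bucket2']}})

    policy_json = construct_policy(app='unicornforrest',
                                   env='dev',
                                   group='forrest',
                                   pipeline_settings=pipeline_settings)
    policy = json.loads(policy_json)
    # The stray debug print of the whole policy was dropped; pytest already
    # reports the compared values when an assertion fails.
    assert len(policy['Statement']) == 2

    allow_list_policy, allow_edit_policy = policy['Statement']

    # Two buckets requested, three resources rendered. Presumably the third
    # is a default bucket for the application -- confirm against the policy
    # template. The count alone does not prove the resources name
    # Bucket1/Bucket2.
    assert len(allow_list_policy['Resource']) == 3

    assert len(allow_edit_policy['Resource']) == 3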