    def test_remove_permissions_from_role(self):
        """Exercise remove_permissions_from_role() in dry-run and commit mode.

        A minimal stand-in role object is passed in; the test makes no
        assertions and only checks that neither call raises.
        """
        iam = repokid.utils.iam

        class MockRole:
            role_name = "role_name"
            role_id = "12345-roleid"
            # Wrap each fixture policy document under a "Policy" key.
            policies = [{"Policy": doc} for doc in ROLE_POLICIES.values()]

            def as_dict(self):
                return {"RoleName": self.role_name, "policies": self.policies}

        account = "123456789012"
        permissions = ["s3:putobjectacl"]
        role = MockRole()

        # Dry run: no config, no hooks, commit disabled.
        iam.remove_permissions_from_role(
            account, permissions, role, None, None, commit=False
        )

        # Commit path with a stub config; hooks still absent.
        iam.remove_permissions_from_role(
            account,
            permissions,
            role,
            {"connection_iam": {}},
            None,
            commit=True,
        )
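def _remove_permissions_from_roles(permissions,
                                   role_filename,
                                   dynamo_table,
                                   config,
                                   hooks,
                                   commit=False):
    """Load role ARNs from a JSON file and strip *permissions* from each role.

    Every ARN in the file is resolved through the cache, handed to
    remove_permissions_from_role() and then passed to the AFTER_REPO hooks.

    Args:
        permissions (list<string>): permission names to remove
        role_filename (string): path of a JSON file holding a list of role ARNs
        dynamo_table: cache table used by find_role_in_cache()/get_role_data()
        config: repokid config, passed through to remove_permissions_from_role()
        hooks: hook registry, passed through and used for AFTER_REPO
        commit (bool): passed through to remove_permissions_from_role()

    Returns:
        None
    """
    # JSON is UTF-8 by specification; do not depend on the locale default.
    with open(role_filename, "r", encoding="utf-8") as fd:
        roles = json.load(fd)

    for role_arn in tqdm(roles):
        arn = ARN(role_arn)
        if arn.error:
            # A malformed ARN aborts the rest of the batch; roles earlier in
            # the file have already been processed at this point.
            LOGGER.error("INVALID ARN: %s", role_arn)
            return

        account_number = arn.account_number
        # Keep only the last path component of the role name.
        role_name = arn.name.split("/")[-1]

        role_id = find_role_in_cache(dynamo_table, account_number, role_name)
        role = Role.parse_obj(get_role_data(dynamo_table, role_id))

        remove_permissions_from_role(
            account_number,
            permissions,
            role,
            role_id,
            dynamo_table,
            config,
            hooks,
            commit=commit,
        )

        repokid.hooks.call_hooks(hooks, "AFTER_REPO", {"role": role})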
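def _remove_permissions_from_roles(
    permissions: List[str],
    role_filename: str,
    config: RepokidConfig,
    hooks: RepokidHooks,
    commit: bool = False,
) -> None:
    """Load role ARNs from a JSON file and strip *permissions* from each role.

    Every ARN in the file is resolved through the cache, fetched, handed to
    remove_permissions_from_role() and then passed to the AFTER_REPO hooks.

    Args:
        permissions: permission names to remove
        role_filename: path of a JSON file holding a list of role ARNs
        config: repokid config, passed through to remove_permissions_from_role()
        hooks: hook registry, passed through and used for AFTER_REPO
        commit: passed through to remove_permissions_from_role()

    Returns:
        None
    """
    # JSON is UTF-8 by specification; do not depend on the locale default.
    with open(role_filename, "r", encoding="utf-8") as fd:
        roles = json.load(fd)

    for role_arn in tqdm(roles):
        arn = ARN(role_arn)
        if arn.error:
            # A malformed ARN aborts the rest of the batch; roles earlier in
            # the file have already been processed at this point.
            LOGGER.error("INVALID ARN: %s", role_arn)
            return

        account_number = arn.account_number
        # Keep only the last path component of the role name.
        role_name = arn.name.split("/")[-1]

        role_id = find_role_in_cache(role_name, account_number)
        role = Role(role_id=role_id)
        role.fetch()

        remove_permissions_from_role(
            account_number,
            permissions,
            role,
            config,
            hooks,
            commit=commit,
        )

        repokid.hooks.call_hooks(hooks, "AFTER_REPO", {"role": role})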