def test_can_add_permission_for_apigateway_not_needed(self,
stubbed_session):
source_arn = 'arn:aws:execute-api:us-west-2:123:rest-api-id/*'
wrong_action = {
'Action': 'lambda:NotInvoke',
'Condition': {
'ArnLike': {
'AWS:SourceArn': source_arn,
}
},
'Effect': 'Allow',
'Principal': {'Service': 'apigateway.amazonaws.com'},
'Resource': 'arn:aws:lambda:us-west-2:account_id:function:name',
'Sid': 'e4755709-067e-4254-b6ec-e7f9639e6f7b',
}
wrong_service_name = {
'Action': 'lambda:Invoke',
'Condition': {
'ArnLike': {
'AWS:SourceArn': source_arn,
}
},
'Effect': 'Allow',
'Principal': {'Service': 'NOT-apigateway.amazonaws.com'},
'Resource': 'arn:aws:lambda:us-west-2:account_id:function:name',
'Sid': 'e4755709-067e-4254-b6ec-e7f9639e6f7b',
}
correct_statement = {
'Action': 'lambda:InvokeFunction',
'Condition': {
'ArnLike': {
'AWS:SourceArn': source_arn,
}
},
'Effect': 'Allow',
'Principal': {'Service': 'apigateway.amazonaws.com'},
'Resource': 'arn:aws:lambda:us-west-2:account_id:function:name',
'Sid': 'e4755709-067e-4254-b6ec-e7f9639e6f7b',
}
policy = {
'Id': 'default',
'Statement': [
wrong_action,
wrong_service_name,
correct_statement,
],
'Version': '2012-10-17'
}
stubbed_session.stub('lambda').get_policy(
FunctionName='name').returns({'Policy': json.dumps(policy)})
# Because the policy above indicates that API gateway already has the
# necessary permissions, we should not call add_permission.
stubbed_session.activate_stubs()
client = TypedAWSClient(stubbed_session)
client.add_permission_for_apigateway_if_needed(
'name', 'us-west-2', '123', 'rest-api-id', 'random-id')
stubbed_session.verify_stubs()
def test_can_add_permission_for_apigateway_not_needed(self,
stubbed_session):
source_arn = 'arn:aws:execute-api:us-west-2:123:rest-api-id/*'
wrong_action = {
'Action': 'lambda:NotInvoke',
'Condition': {
'ArnLike': {
'AWS:SourceArn': source_arn,
}
},
'Effect': 'Allow',
'Principal': {'Service': 'apigateway.amazonaws.com'},
'Resource': 'arn:aws:lambda:us-west-2:account_id:function:name',
'Sid': 'e4755709-067e-4254-b6ec-e7f9639e6f7b',
}
wrong_service_name = {
'Action': 'lambda:Invoke',
'Condition': {
'ArnLike': {
'AWS:SourceArn': source_arn,
}
},
'Effect': 'Allow',
'Principal': {'Service': 'NOT-apigateway.amazonaws.com'},
'Resource': 'arn:aws:lambda:us-west-2:account_id:function:name',
'Sid': 'e4755709-067e-4254-b6ec-e7f9639e6f7b',
}
correct_statement = {
'Action': 'lambda:InvokeFunction',
'Condition': {
'ArnLike': {
'AWS:SourceArn': source_arn,
}
},
'Effect': 'Allow',
'Principal': {'Service': 'apigateway.amazonaws.com'},
'Resource': 'arn:aws:lambda:us-west-2:account_id:function:name',
'Sid': 'e4755709-067e-4254-b6ec-e7f9639e6f7b',
}
policy = {
'Id': 'default',
'Statement': [
wrong_action,
wrong_service_name,
correct_statement,
],
'Version': '2012-10-17'
}
stubbed_session.stub('lambda').get_policy(
FunctionName='name').returns({'Policy': json.dumps(policy)})
# Because the policy above indicates that API gateway already has the
# necessary permissions, we should not call add_permission.
stubbed_session.activate_stubs()
client = TypedAWSClient(stubbed_session)
client.add_permission_for_apigateway_if_needed(
'name', 'us-west-2', '123', 'rest-api-id', 'random-id')
stubbed_session.verify_stubs()
def test_can_add_permission_for_apigateway_needed(self, stubbed_session):
# An empty policy means we need to add permissions.
lambda_stub = stubbed_session.stub('lambda')
lambda_stub.get_policy(FunctionName='name').returns({'Policy': '{}'})
self.should_call_add_permission(lambda_stub)
stubbed_session.activate_stubs()
client = TypedAWSClient(stubbed_session)
client.add_permission_for_apigateway_if_needed(
'name', 'us-west-2', '123', 'rest-api-id', 'random-id')
stubbed_session.verify_stubs()
def test_can_add_permission_for_apigateway_needed(self, stubbed_session):
# An empty policy means we need to add permissions.
lambda_stub = stubbed_session.stub('lambda')
lambda_stub.get_policy(FunctionName='name').returns({'Policy': '{}'})
self.should_call_add_permission(lambda_stub)
stubbed_session.activate_stubs()
client = TypedAWSClient(stubbed_session)
client.add_permission_for_apigateway_if_needed(
'name', 'us-west-2', '123', 'rest-api-id', 'random-id')
stubbed_session.verify_stubs()
def test_can_add_permission_when_policy_does_not_exist(self,
stubbed_session):
# It's also possible to receive a ResourceNotFoundException
# if you call get_policy() on a lambda function with no policy.
lambda_stub = stubbed_session.stub('lambda')
lambda_stub.get_policy(FunctionName='name').raises_error(
error_code='ResourceNotFoundException', message='Does not exist.')
self.should_call_add_permission(lambda_stub)
stubbed_session.activate_stubs()
client = TypedAWSClient(stubbed_session)
client.add_permission_for_apigateway_if_needed(
'name', 'us-west-2', '123', 'rest-api-id', 'random-id')
stubbed_session.verify_stubs()
def test_can_add_permission_when_policy_does_not_exist(self,
stubbed_session):
# It's also possible to receive a ResourceNotFoundException
# if you call get_policy() on a lambda function with no policy.
lambda_stub = stubbed_session.stub('lambda')
lambda_stub.get_policy(FunctionName='name').raises_error(
error_code='ResourceNotFoundException', message='Does not exist.')
self.should_call_add_permission(lambda_stub)
stubbed_session.activate_stubs()
client = TypedAWSClient(stubbed_session)
client.add_permission_for_apigateway_if_needed(
'name', 'us-west-2', '123', 'rest-api-id', 'random-id')
stubbed_session.verify_stubs()
