def test_can_add_permission_for_apigateway_not_needed(self, stubbed_session):
    """Skip add_permission when the policy already grants API Gateway invoke.

    The stubbed ``get_policy`` response holds two near-miss statements and
    one statement with the expected action, service principal and
    ``AWS:SourceArn`` condition.  Only ``get_policy`` is stubbed, so the
    test registers no expectation for an ``add_permission`` call.
    """
    # The condition limits the grant to one REST API ('rest-api-id' in
    # account '123', region 'us-west-2'); the trailing '/*' leaves the part
    # of the ARN after the API id unconstrained.
    source_arn = 'arn:aws:execute-api:us-west-2:123:rest-api-id/*'

    def make_statement(action, service):
        # Every statement shares the same condition, resource and Sid and
        # differs only in the action and the service principal.
        return {
            'Action': action,
            'Condition': {
                'ArnLike': {
                    'AWS:SourceArn': source_arn,
                }
            },
            'Effect': 'Allow',
            'Principal': {'Service': service},
            'Resource': 'arn:aws:lambda:us-west-2:account_id:function:name',
            'Sid': 'e4755709-067e-4254-b6ec-e7f9639e6f7b',
        }

    # Near miss: right principal, wrong action.
    wrong_action = make_statement(
        'lambda:NotInvoke', 'apigateway.amazonaws.com')
    # Near miss: wrong principal.
    # NOTE(review): the action here ('lambda:Invoke') also differs from the
    # expected one, so this statement does not isolate the principal check.
    wrong_service_name = make_statement(
        'lambda:Invoke', 'NOT-apigateway.amazonaws.com')
    correct_statement = make_statement(
        'lambda:InvokeFunction', 'apigateway.amazonaws.com')

    policy = {
        'Id': 'default',
        'Statement': [
            wrong_action,
            wrong_service_name,
            correct_statement,
        ],
        'Version': '2012-10-17'
    }
    serialized_policy = json.dumps(policy)
    lambda_stub = stubbed_session.stub('lambda')
    lambda_stub.get_policy(FunctionName='name').returns(
        {'Policy': serialized_policy})

    # Because the policy above indicates that API gateway already has the
    # necessary permissions, we should not call add_permission.
    # NOTE(review): a matching statement is present, so this test passes
    # whether or not the near misses are rejected; a policy holding only the
    # near misses, with add_permission expected, would cover that path.
    stubbed_session.activate_stubs()
    client = TypedAWSClient(stubbed_session)
    client.add_permission_for_apigateway_if_needed(
        'name', 'us-west-2', '123', 'rest-api-id', 'random-id')
    stubbed_session.verify_stubs()
def test_can_add_permission_for_apigateway_not_needed(self, stubbed_session):
    """Verify that an existing API Gateway grant suppresses add_permission.

    The function policy returned by the stubbed ``get_policy`` call lists
    three ``Allow`` statements; only the last one pairs the
    ``lambda:InvokeFunction`` action with the ``apigateway.amazonaws.com``
    service principal.  No ``add_permission`` stub is set up.
    """
    # Grant scope: a single REST API, identified by region, account id and
    # API id, with '/*' after the API id.
    source_arn = 'arn:aws:execute-api:us-west-2:123:rest-api-id/*'
    function_arn = 'arn:aws:lambda:us-west-2:account_id:function:name'
    statement_id = 'e4755709-067e-4254-b6ec-e7f9639e6f7b'
    apigateway = 'apigateway.amazonaws.com'

    # (action, service principal) per statement, in policy order: wrong
    # action, wrong service name, then the statement that should match.
    # NOTE(review): the second pair is wrong in both fields, so it does not
    # test the principal comparison on its own.
    variants = [
        ('lambda:NotInvoke', apigateway),
        ('lambda:Invoke', 'NOT-apigateway.amazonaws.com'),
        ('lambda:InvokeFunction', apigateway),
    ]
    statements = [
        {
            'Action': action,
            'Condition': {'ArnLike': {'AWS:SourceArn': source_arn}},
            'Effect': 'Allow',
            'Principal': {'Service': service},
            'Resource': function_arn,
            'Sid': statement_id,
        }
        for action, service in variants
    ]
    policy_document = json.dumps({
        'Id': 'default',
        'Statement': statements,
        'Version': '2012-10-17',
    })
    stubbed_session.stub('lambda').get_policy(
        FunctionName='name').returns({'Policy': policy_document})

    # Because the policy above indicates that API gateway already has the
    # necessary permissions, we should not call add_permission.
    stubbed_session.activate_stubs()
    TypedAWSClient(stubbed_session).add_permission_for_apigateway_if_needed(
        'name', 'us-west-2', '123', 'rest-api-id', 'random-id')
    # presumably fails the test if stubbed and actual calls differ --
    # confirm against the stubbed_session fixture.
    stubbed_session.verify_stubs()
def test_can_add_permission_for_apigateway_needed(self, stubbed_session):
    """Grant API Gateway invoke access when the function policy is empty.

    ``get_policy`` is stubbed to return ``'{}'``, a policy document without
    any statements, and ``self.should_call_add_permission`` sets up the
    follow-up expectation on the same Lambda stub.
    """
    # An empty policy means we need to add permissions.
    stub = stubbed_session.stub('lambda')
    empty_policy_response = {'Policy': '{}'}
    stub.get_policy(FunctionName='name').returns(empty_policy_response)
    # should_call_add_permission is defined outside this listing; presumably
    # it registers the expected add_permission call -- confirm there.
    self.should_call_add_permission(stub)

    stubbed_session.activate_stubs()
    TypedAWSClient(stubbed_session).add_permission_for_apigateway_if_needed(
        'name', 'us-west-2', '123', 'rest-api-id', 'random-id')
    stubbed_session.verify_stubs()
def test_can_add_permission_for_apigateway_needed(self, stubbed_session):
    """Check that an empty function policy leads to a permission grant.

    The stubbed ``get_policy`` response carries the JSON text ``{}``; the
    helper ``self.should_call_add_permission`` is then applied to the Lambda
    stub before the client method runs.
    """
    function_name = 'name'
    lambda_stub = stubbed_session.stub('lambda')
    # An empty policy means we need to add permissions.
    lambda_stub.get_policy(FunctionName=function_name).returns(
        {'Policy': '{}'})
    # NOTE(review): the arguments add_permission is expected to receive
    # (action, principal, source ARN) are set inside
    # should_call_add_permission, which is not visible here.
    self.should_call_add_permission(lambda_stub)
    stubbed_session.activate_stubs()

    client = TypedAWSClient(stubbed_session)
    client.add_permission_for_apigateway_if_needed(
        function_name, 'us-west-2', '123', 'rest-api-id', 'random-id')
    stubbed_session.verify_stubs()
def test_can_add_permission_when_policy_does_not_exist(self, stubbed_session):
    """Grant API Gateway invoke access when get_policy reports no policy.

    ``get_policy`` is stubbed to raise ``ResourceNotFoundException`` and
    ``self.should_call_add_permission`` sets up the follow-up expectation,
    so a missing policy is treated like a policy without a matching grant.
    """
    # It's also possible to receive a ResourceNotFoundException
    # if you call get_policy() on a lambda function with no policy.
    stub = stubbed_session.stub('lambda')
    missing_policy = stub.get_policy(FunctionName='name')
    missing_policy.raises_error(
        error_code='ResourceNotFoundException',
        message='Does not exist.')
    # NOTE(review): only this error code is exercised here; how other
    # get_policy failures are handled is not visible from this test.
    self.should_call_add_permission(stub)

    stubbed_session.activate_stubs()
    TypedAWSClient(stubbed_session).add_permission_for_apigateway_if_needed(
        'name', 'us-west-2', '123', 'rest-api-id', 'random-id')
    stubbed_session.verify_stubs()
def test_can_add_permission_when_policy_does_not_exist(self, stubbed_session):
    """Check that a missing function policy leads to a permission grant.

    The Lambda stub answers ``get_policy`` with a
    ``ResourceNotFoundException`` error; the helper
    ``self.should_call_add_permission`` is applied to the same stub before
    the client method runs.
    """
    function_name = 'name'
    lambda_stub = stubbed_session.stub('lambda')
    # It's also possible to receive a ResourceNotFoundException
    # if you call get_policy() on a lambda function with no policy.
    lambda_stub.get_policy(FunctionName=function_name).raises_error(
        error_code='ResourceNotFoundException',
        message='Does not exist.',
    )
    # should_call_add_permission is defined outside this listing; presumably
    # it registers the expected add_permission call -- confirm there.
    self.should_call_add_permission(lambda_stub)
    stubbed_session.activate_stubs()

    client = TypedAWSClient(stubbed_session)
    client.add_permission_for_apigateway_if_needed(
        function_name, 'us-west-2', '123', 'rest-api-id', 'random-id')
    stubbed_session.verify_stubs()