def test_update_group_bucket_path_access(iam, group, resources_1, resources_2):
    """Re-granting readonly access with a new path list replaces the old one.

    Grants path-scoped readonly access for ``resources_1``, then again for
    ``resources_2`` on the same bucket, and after each grant checks that the
    ``readonly`` statement's ``Resource`` list holds exactly the object ARNs
    (``<bucket><path>/*``) of the most recent grant. Paths from the earlier
    grant must not linger as extra permissions.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'

    def path_arns(resources):
        # Path ARNs in the form handed to grant_group_bucket_access.
        return [f'{bucket_arn}{resource}' for resource in resources]

    def object_arns(resources):
        # Object-level ARNs the resulting policy statement is expected to list.
        return [f'{bucket_arn}{resource}/*' for resource in resources]

    for resources in (resources_1, resources_2):
        aws.grant_group_bucket_access(
            group.arn, bucket_arn, 'readonly', path_arns(resources)
        )
        group.reload()
        statements = get_statements_by_sid(group.default_version.document)
        assert set(statements['readonly']['Resource']) == set(object_arns(resources))
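def test_grant_group_bucket_access(iam, group, resources):
    """Granting readonly access yields a least-privilege policy document.

    With a non-empty path list the ``readonly`` statement covers exactly the
    object ARNs for those paths and must NOT contain the bucket-wide
    ``<bucket>/*`` wildcard, i.e. a path-scoped grant must not widen to the
    whole bucket. With an empty path list the statement covers the whole
    bucket only. In both cases no ``readwrite`` statement exists and the
    ``list`` statement names only the bucket ARN.

    A second readonly grant on another bucket (no path list) is then expected
    to grow the ``readonly`` statement's resource count by exactly one entry.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'
    bucket_wildcard = f'{bucket_arn}/*'
    path_arns_list = [f'{bucket_arn}{resource}' for resource in resources]
    path_arns_object = [f'{bucket_arn}{resource}/*' for resource in resources]

    aws.grant_group_bucket_access(group.arn, bucket_arn, 'readonly', path_arns_list)
    group.reload()
    statements = get_statements_by_sid(group.default_version.document)

    readonly_resources = set(statements['readonly']['Resource'])
    if path_arns_object:
        assert readonly_resources == set(path_arns_object)
        # A path-scoped grant must never escalate to the whole bucket.
        assert bucket_wildcard not in readonly_resources
    else:
        assert readonly_resources == {bucket_wildcard}
    # No readwrite statement because no readwrite access was granted.
    assert 'readwrite' not in statements
    assert set(statements['list']['Resource']) == {bucket_arn}

    aws.grant_group_bucket_access(group.arn, f'{bucket_arn}-2', 'readonly')
    group.reload()
    statements = get_statements_by_sid(group.default_version.document)
    # One entry for the second bucket plus, for the first bucket, either one
    # entry per path or its single bucket-wide entry when no paths were given.
    expected_num_resources = len(path_arns_list) + 1 if path_arns_list else 2
    assert len(statements['readonly']['Resource']) == expected_num_resources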
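def test_revoke_group_bucket_path_access(iam, group, resources):
    """A bucket-wide readonly grant replaces earlier path-scoped grants.

    After granting readonly access to specific paths and then to the whole
    bucket (no path list), the ``readonly`` statement must contain only the
    bucket-wide ``<bucket>/*`` entry (the individual path ARNs are dropped
    rather than accumulated) and the ``list`` statement only the bucket ARN.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'
    path_arns = [f'{bucket_arn}{resource}' for resource in resources]

    aws.grant_group_bucket_access(group.arn, bucket_arn, 'readonly', path_arns)
    aws.grant_group_bucket_access(group.arn, bucket_arn, 'readonly')
    group.reload()
    statements = get_statements_by_sid(group.default_version.document)

    assert set(statements['readonly']['Resource']) == {f'{bucket_arn}/*'}
    assert set(statements['list']['Resource']) == {bucket_arn}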
def test_revoke_group_bucket_access(iam, group, resources):
    """Revoking bucket access removes every statement that referenced it.

    Grants path-scoped readonly access, revokes the bucket, and checks that
    no ``readonly``, ``readwrite`` or ``list`` statement survives in the
    group's policy document, so revocation leaves no dangling ``list``
    permission behind.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'
    scoped_paths = [f'{bucket_arn}{resource}' for resource in resources]

    aws.grant_group_bucket_access(group.arn, bucket_arn, 'readonly', scoped_paths)
    aws.revoke_group_bucket_access(group.arn, bucket_arn)
    group.reload()
    statements = get_statements_by_sid(group.default_version.document)

    for sid in ('readonly', 'readwrite', 'list'):
        assert sid not in statements
def grant_bucket_access(self, bucket_arn, access_level, path_arns):
    """Grant this group ``access_level`` on ``bucket_arn``.

    Thin wrapper: forwards ``self.arn`` together with the arguments, unchanged,
    to ``aws.grant_group_bucket_access``; no validation happens here and
    nothing is returned.

    Args:
        bucket_arn: ARN of the S3 bucket.
        access_level: access level string passed through to the AWS helper
            (``'readonly'`` is the value the tests in this file use).
        path_arns: path ARNs passed through unchanged; per the tests in this
            file these scope the grant to parts of the bucket.
    """
    group_arn = self.arn
    aws.grant_group_bucket_access(group_arn, bucket_arn, access_level, path_arns)