def test_create_resource_type(self):
actions = ['readproject', 'writeproject', 'deleteproject']
resource_type = 'test_type'
# a resource type is created
self._create_resource_type(resource_type, actions)
test_type = ResourceType(resource_type)
# cannot do twice
with self.assertRaises(FusilladeHTTPException):
ResourceType.create(resource_type, actions)
# actions are set
self.assertTrue(set(test_type.actions) == set(actions))
# owner policy exists
self.assertIn(f'/resource/{resource_type}/policy/Owner',
test_type.list_policies()[0]['policies'])
# create an additional resource type
resource_type2 = 'test_type2'
self._create_resource_type(resource_type2, actions)
test_type2 = ResourceType(resource_type2)
# list resources
resource_types = ResourceType.get_types()
self.assertEqual([resource_type, resource_type2], resource_types)
def test_eval(self):
actions = ['test:readproject', 'test:writeproject', 'test:deleteproject']
resource_type = 'test_type'
test_type = ResourceType.create(resource_type, actions)
access_level = 'Reader'
resource_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Principal": "*",
"Sid": "project_reader",
"Effect": "Allow",
"Action": ['test:readproject'],
"Resource": f"{self.arn_prefix}{resource_type}/*"
}
]
}
test_type.create_policy(access_level, resource_policy, 'ResourcePolicy')
user = User.provision_user('test_user')
type_id = '1234455'
resource = f'{self.arn_prefix}{resource_type}/{type_id}'
with self.subTest("A user does not have access when they only have permitting resource_policy and no "
"permitting IAMPolicy"):
test_id = test_type.create_id(type_id)
test_id.add_principals([user], access_level)
x = get_resource_authz_parameters(user.name, resource)
resp = evaluate_policy(user.name, ['test:readproject'], [resource], x['IAMPolicy'], x['ResourcePolicy'])
self.assertFalse(resp['result'])
with self.subTest("A user has a access when they have a permitting resource policy and IAMPolicy"):
IAMpolicy = {
"Statement": [
{
"Sid": "project_reader",
"Effect": "Allow",
"Action": [
"test:readproject"
],
"Resource": f"{self.arn_prefix}{resource_type}/*"
}
]
}
role = Role.create('project_reader', IAMpolicy)
user.add_roles([role.name])
x = get_resource_authz_parameters(user.name, resource)
resp = evaluate_policy(user.name, ['test:readproject'], [resource], x['IAMPolicy'], x['ResourcePolicy'])
self.assertTrue(resp['result'])
def test_get_authz_params(self):
actions = ['test:readproject', 'test:writeproject', 'test:deleteproject']
resource_type = 'test_type'
test_type = ResourceType.create(resource_type, actions)
access_level = 'Reader'
resource_policy = {
"Version": "2012-10-17",
"Statement": [
{
"Principal": "*",
"Sid": "project_reader",
"Effect": "Allow",
"Action": ['test:readproject'],
"Resource": f"{self.arn_prefix}{resource_type}/*"
}
]
}
test_type.create_policy(access_level, resource_policy, 'ResourcePolicy')
user = User.provision_user('test_user')
type_id = '1234455'
resource = f'{self.arn_prefix}{resource_type}/{type_id}'
with self.subTest("A user has no access when no access level set between user and resource"):
with self.assertRaises(ResourceNotFound):
get_resource_authz_parameters(user.name, resource)
with self.subTest("No resource policy parameters are returned when the user tries to access a resource that "
"does not use resource policies"):
params = get_resource_authz_parameters(user.name, f"{self.arn_prefix}non_acl_resource/1234")
self.assertFalse(params.get('ResourcePolicy'))
self.assertFalse(params.get('resources'))
with self.subTest("The resource policy for the access level assigned to the user is returned when a user "
"is given access to a resource"):
test_id = test_type.create_id(type_id)
test_id.add_principals([user], access_level)
params = get_resource_authz_parameters(user.name, resource)
self.assertTrue(json_equal(params['ResourcePolicy'], resource_policy))
self.assertEqual(['Reader'], params['resources'])
with self.subTest("No access when the user is disabled."):
user.disable()
with self.assertRaises(AuthorizationException):
get_resource_authz_parameters(user.name, resource)
def _create_resource_type(self, name='test_type', actions=None):
actions = actions or ['readproject', 'writeproject', 'deleteproject']
return ResourceType.create(name, actions)