def test_from_account_number(self):
    """Account-number principals: 12-digit strings parse, anything else sets ``error``.

    The rejected set deliberately includes a look-alike (capital ``O`` for ``0``),
    a bare wildcard, a trailing wildcard, and strings that are too short or too
    long, so that malformed principals are flagged rather than accepted.
    """
    accepted = ("012345678912", "123456789101", "123456789101")
    rejected = (
        "*",
        "O12345678912",  # 'O' instead of '0'
        "asdfqwer",
        "123456",
        "89789456314356132168978945",
        "568947897*",
    )
    # (inputs, log template, assertion on ``error``) for each expected outcome.
    groups = (
        (accepted, "Testing Proper Account Number: {}", self.assertFalse),
        (rejected, "Testing IMPROPER Account Number: {}", self.assertTrue),
    )
    for numbers, template, check_error in groups:
        for number in numbers:
            logger.info(template.format(number))
            check_error(ARN(number).error)
def test_from_org_id(self):
    """Organization IDs: ``o-`` prefixed IDs and wildcards parse; roots, OUs and malformed forms do not.

    On success ``Organization.organization`` must echo the input unchanged.
    """
    accepted = ("o-a1b2c3d4e5", "o-*", "*")
    rejected = ("o*", "r-*/ou-a1s2d3f4g5", "/o-*", "r-ab12", "ou-22222222")

    for candidate in accepted:
        logger.info("Testing valid organization ID: {}".format(candidate))
        parsed = Organization(candidate)
        self.assertFalse(parsed.error)
        self.assertEqual(candidate, parsed.organization)

    for candidate in rejected:
        logger.info("Testing invalid organization ID: {}".format(candidate))
        self.assertTrue(Organization(candidate).error)
def test_from_account_number(self):
    """Account-number principals: 12-digit strings parse, anything else sets ``error``.

    The rejected set deliberately includes a look-alike (capital ``O`` for ``0``),
    a bare wildcard, a trailing wildcard, and strings that are too short or too
    long, so that malformed principals are flagged rather than accepted.
    """
    accepted = ('012345678912', '123456789101', '123456789101')
    rejected = (
        '*',
        'O12345678912',  # 'O' instead of '0'
        'asdfqwer',
        '123456',
        '89789456314356132168978945',
        '568947897*',
    )
    # (inputs, log template, assertion on ``error``) for each expected outcome.
    groups = (
        (accepted, 'Testing Proper Account Number: {}', self.assertFalse),
        (rejected, 'Testing IMPROPER Account Number: {}', self.assertTrue),
    )
    for numbers, template, check_error in groups:
        for number in numbers:
            logger.info(template.format(number))
            check_error(ARN(number).error)
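def test_from_arn(self):
    """ARN parsing: well-formed principals parse and the ``root``/``service`` flags follow the input.

    Service principals (``*.amazonaws.com``) must set ``service``; the IAM
    ``:root`` form must set ``root``; every other accepted ARN leaves both
    unset. Malformed ARNs must set ``error``.
    """
    proper_arns = [
        "events.amazonaws.com",
        "cloudtrail.amazonaws.com",
        "arn:aws:iam::012345678910:root",
        "arn:aws:iam::012345678910:role/SomeTestRoleForTesting",
        "arn:aws:iam::012345678910:instance-profile/SomeTestInstanceProfileForTesting",
        "arn:aws:iam::012345678910:role/*",
        "arn:aws:iam::012345678910:role/SomeTestRole*",
        "arn:aws:s3:::some-s3-bucket",
        "arn:aws:s3:*:*:some-s3-bucket",
        # A comma was missing between the next two entries, so implicit string
        # concatenation fused them into one string and neither the object-path
        # form nor the bucket wildcard form was actually exercised.
        "arn:aws:s3:::some-s3-bucket/some/path/within/the/bucket",
        "arn:aws:s3:::some-s3-bucket/*",
        "arn:aws:ec2:us-west-2:012345678910:instance/*",
        "arn:aws:ec2:ap-northeast-1:012345678910:security-group/*",
        "arn:aws-cn:ec2:ap-northeast-1:012345678910:security-group/*",
        "arn:aws-us-gov:ec2:gov-west-1:012345678910:instance/*",
        "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXXXXXXXXXXXXX",
        "arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup",
    ]

    # Proper ARN Tests. The expected flags are derived by substring match on
    # the input; no entry in the list contains "root" or ".amazonaws.com"
    # incidentally, so the derivation is unambiguous for this data set.
    for arn in proper_arns:
        logger.info("Testing Proper ARN: {}".format(arn))
        arn_obj = ARN(arn)
        self.assertFalse(arn_obj.error)

        if "root" in arn:
            self.assertTrue(arn_obj.root)
        else:
            self.assertFalse(arn_obj.root)

        if ".amazonaws.com" in arn:
            self.assertTrue(arn_obj.service)
        else:
            self.assertFalse(arn_obj.service)

    bad_arns = [
        "arn:aws:iam::012345678910",
        "arn:aws:iam::012345678910:",
        "*",
        "arn:s3::::",
        "arn:arn:arn:arn:arn:arn",
    ]

    # Improper ARN Tests:
    for arn in bad_arns:
        logger.info("Testing IMPROPER ARN: {}".format(arn))
        arn_obj = ARN(arn)
        self.assertTrue(arn_obj.error)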
def test_parent_and_child_validity(self):
    """The trailing segment of an org path decides which OUs it is valid for.

    Cases and their interpretation come from
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgpaths
    The test expects: a trailing ``/`` -> parent only; a trailing ``/*`` ->
    parent and children; a trailing ``/ou-*`` -> children only; and
    ``o-.../*`` with no OU at all -> neither flag set.
    """
    # (path, log template, expected valid_for_parent_ou, expected valid_for_child_ous)
    table = (
        (
            "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/",
            "Testing parent:true/child:false case {}",
            True,
            False,
        ),
        (
            "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/*",
            "Testing parent:true/child:true case {}",
            True,
            True,
        ),
        (
            "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/ou-*",
            "Testing parent:false/child:true case {}",
            False,
            True,
        ),
        # Neither a parent nor a child OU is named here, so both flags are off.
        (
            "o-a1b2c3d4e5/*",
            "Testing parent:false/child:false case {}",
            False,
            False,
        ),
    )

    for path, template, parent_expected, child_expected in table:
        logger.info(template.format(path))
        parsed = Organization(path)
        parent_check = self.assertTrue if parent_expected else self.assertFalse
        child_check = self.assertTrue if child_expected else self.assertFalse
        parent_check(parsed.valid_for_parent_ou)
        child_check(parsed.valid_for_child_ous)
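def test_from_arn(self):
    """ARN parsing: well-formed principals parse and the ``root``/``service`` flags follow the input.

    Service principals (``*.amazonaws.com``) must set ``service``; the IAM
    ``:root`` form must set ``root``; every other accepted ARN leaves both
    unset. Malformed ARNs must set ``error``.
    """
    proper_arns = [
        'events.amazonaws.com',
        'cloudtrail.amazonaws.com',
        'arn:aws:iam::012345678910:root',
        'arn:aws:iam::012345678910:role/SomeTestRoleForTesting',
        'arn:aws:iam::012345678910:instance-profile/SomeTestInstanceProfileForTesting',
        'arn:aws:iam::012345678910:role/*',
        'arn:aws:iam::012345678910:role/SomeTestRole*',
        'arn:aws:s3:::some-s3-bucket',
        'arn:aws:s3:*:*:some-s3-bucket',
        # A comma was missing between the next two entries, so implicit string
        # concatenation fused them into one string and neither the object-path
        # form nor the bucket wildcard form was actually exercised.
        'arn:aws:s3:::some-s3-bucket/some/path/within/the/bucket',
        'arn:aws:s3:::some-s3-bucket/*',
        'arn:aws:ec2:us-west-2:012345678910:instance/*',
        'arn:aws:ec2:ap-northeast-1:012345678910:security-group/*',
        'arn:aws-cn:ec2:ap-northeast-1:012345678910:security-group/*',
        'arn:aws-us-gov:ec2:gov-west-1:012345678910:instance/*',
        'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXXXXXXXXXXXXX',
    ]

    # Proper ARN Tests. The expected flags are derived by substring match on
    # the input; no entry in the list contains "root" or ".amazonaws.com"
    # incidentally, so the derivation is unambiguous for this data set.
    for arn in proper_arns:
        logger.info('Testing Proper ARN: {}'.format(arn))
        arn_obj = ARN(arn)
        self.assertFalse(arn_obj.error)

        if "root" in arn:
            self.assertTrue(arn_obj.root)
        else:
            self.assertFalse(arn_obj.root)

        if ".amazonaws.com" in arn:
            self.assertTrue(arn_obj.service)
        else:
            self.assertFalse(arn_obj.service)

    bad_arns = [
        'arn:aws:iam::012345678910',
        'arn:aws:iam::012345678910:',
        '*',
        'arn:s3::::',
        "arn:arn:arn:arn:arn:arn",
    ]

    # Improper ARN Tests:
    for arn in bad_arns:
        logger.info('Testing IMPROPER ARN: {}'.format(arn))
        arn_obj = ARN(arn)
        self.assertTrue(arn_obj.error)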
def test_from_org_path(self):
    """Organization paths: wildcard and explicit org/root/OU chains parse; other principals and malformed chains do not.

    The rejected set mixes things that are simply not org paths (service
    principals, ARNs, account numbers) with paths that have the right
    vocabulary in the wrong shape (too many wildcard levels, ``ou-*`` followed
    by more segments, repeated or misplaced ``o-``/``r-`` segments).
    """
    accepted = (
        "o-a1b2c3d4e5/*",
        "o-a1b2c3d4e5/*/ou-ab12-22222222",
        "o-a1b2c3d4e5/r-*/ou-*",
        "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111",
        "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/",
        "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/*",
        "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/ou-*",
        "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/ou-ab12-33333333/ou-*",
        "*/*",
        "*/*/*",
    )
    rejected = (
        "dynamodb.amazonaws.com",
        "arn:aws:kms:region:111122223333:key/my-example-key",
        "111122223333",
        "arn:aws:s3:::some-s3-bucket",
        "arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup",
        "o-a1b2c3d4e5/*/*/*/*",
        "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-*/ou-*",
        "o-a1b2c3d4e5/o-a1b2c3d4e5/r-ab12/ou-22222222",
        "ou-a1b2c3d4e5/r-ab12/ou-22222222",
        "*/*/*/*",
        "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/ou-ab12-33333333/o-*",
        "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/ou-ab12-33333333/r-*",
    )
    # (paths, log template, assertion on ``error``) for each expected outcome.
    groups = (
        (accepted, "Testing valid organization path: {}", self.assertFalse),
        (rejected, "Testing invalid organization path: {}", self.assertTrue),
    )
    for paths, template, check_error in groups:
        for path in paths:
            logger.info(template.format(path))
            check_error(Organization(path).error)
def test_root_toggles_child_validity_in_path(self):
    """A wildcard (or absent) root makes the path valid for every OU; naming an OU narrows it.

    Background:
    https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgpaths
    With the root given as ``*`` any OU in the organization matches,
    regardless of parent; the author understands a bare organization ID to
    behave the same way. Once a specific OU appears in the path, OU-based
    restrictions apply and ``valid_for_all_ous`` must be off.
    """
    # (path, log template, expected valid_for_all_ous)
    table = (
        ("o-a1b2c3d4e5", "Testing path without root: {}", True),
        ("o-a1b2c3d4e5/*", "Testing path with root *: {}", True),
        (
            "o-a1b2c3d4e5/*/ou-ab12-22222222",
            "Testing path with root * and trailing path: {}",
            False,
        ),
    )
    for path, template, all_ous_expected in table:
        logger.info(template.format(path))
        check = self.assertTrue if all_ous_expected else self.assertFalse
        check(Organization(path).valid_for_all_ous)