def test_patch_instance_success_for_superuser(permission_table,
                                              permission_table_name,
                                              state_table_empty,
                                              state_table_name,
                                              cloudformation):
    """A superuser who does not own the stack set may still patch it.

    Authorization path under test: the caller's identity comes from the JWT
    claims in ``requestContext.authorizer.jwt.claims`` and the target stack
    set is registered in the state table under another user. The test checks
    both the handler's return value and the resulting CloudFormation
    parameter, so a handler that reports success without applying the change
    would fail.

    NOTE(review): the username, email and ``custom:is_superuser`` literals
    are masked in this copy, so the owner/non-owner split cannot be read
    from the values themselves -- confirm against the unmasked test data.
    """
    os.environ.update({
        "dynamodb_permissions_table_name": permission_table_name,
        "dynamodb_state_table_name": state_table_name,
    })

    instance_type_before = "fake"
    instance_type_after = "t3.micro"

    # Create the stack set with a placeholder InstanceType so the later
    # comparison can tell whether the patch was really applied.
    created = cloudformation.create_stack_set(
        StackSetName="fake_name",
        TemplateBody="fake_body",
        PermissionModel="SELF_MANAGED",
        Parameters=[
            {
                "ParameterKey": "InstanceType",
                "ParameterValue": instance_type_before,
            },
        ],
    )
    stackset_id = created["StackSetId"]

    # Register the stack set owner in the state table.
    add_stackset_to_state(
        dynamodb_client=state_table_empty,
        table_name=state_table_name,
        stackset_id=stackset_id,
        username="******",
        email="*****@*****.**",
    )

    # Request made by a non-owner who is a superuser.
    caller_claims = {
        "email": "*****@*****.**",
        "profile": "private",
        "nickname": "charlie",
        "custom:is_superuser": "******",
    }
    event = {
        "requestContext": {"authorizer": {"jwt": {"claims": caller_claims}}},
        "pathParameters": {"id": stackset_id},
        "body": json.dumps({"instanceType": instance_type_after}),
    }

    result = patch_instance(event, context=None)
    assert result == {}

    # Read the parameter back from CloudFormation rather than trusting the
    # handler's response.
    described = cloudformation.describe_stack_set(StackSetName=stackset_id)
    instance_type_values = [
        param["ParameterValue"]
        for param in described["StackSet"]["Parameters"]
        if param["ParameterKey"] == "InstanceType"
    ]
    assert instance_type_values[0] == instance_type_after
def test_cleanup_complete_success(state_table, state_table_name, cloudformation):
    """cleanup_complete deletes the stack set and removes its state entry.

    Both sides are verified: the CloudFormation stack set must report
    ``DELETED`` and the DynamoDB state table must no longer hold an item for
    the stack set id, so no orphaned ownership record is left behind.
    """
    os.environ["dynamodb_state_table_name"] = state_table_name

    created = cloudformation.create_stack_set(
        StackSetName="fake_name",
        TemplateBody="fake_body",
        PermissionModel="SELF_MANAGED",
    )
    stackset_id = created["StackSetId"]

    add_stackset_to_state(
        dynamodb_client=state_table,
        table_name=state_table_name,
        stackset_id=stackset_id,
        username="******",
        email="*****@*****.**",
    )

    cleanup_complete({"stackset_id": stackset_id}, context=None)

    # The stack set has been removed.
    described = cloudformation.describe_stack_set(StackSetName=stackset_id)
    assert described["StackSet"]["Status"] == "DELETED"

    # The state entry has been removed from the DB.
    lookup_key = {"stacksetID": {"S": stackset_id}}
    remaining = state_table.get_item(TableName=state_table_name, Key=lookup_key)
    assert "Item" not in remaining
def test_post_instance_extend_success_for_superuser_exceeding_extension_limit(
        permission_table, permission_table_name, state_table_empty,
        state_table_name):
    """A superuser can extend a stack set even past the extension limit.

    The stack set is stored with ``extension_count=1`` and the request comes
    from a different user carrying the superuser claim. The test checks the
    handler response and then re-reads the state table to confirm that the
    new expiry and the incremented extension count were persisted.

    NOTE(review): presumably an extension count of 1 already reaches the
    limit for this profile in the ``permission_table`` fixture -- confirm.
    NOTE(review): the username, email and ``custom:is_superuser`` literals
    are masked in this copy; the non-owner/superuser roles are taken from
    the test name and the inline comment.
    """
    os.environ.update({
        "dynamodb_permissions_table_name": permission_table_name,
        "dynamodb_state_table_name": state_table_name,
    })

    stackset_id = "fake_id"
    # NOTE(review): this is a naive datetime; the ordering comparisons below
    # raise TypeError if the handler returns timezone-aware ISO strings --
    # confirm the handler's timestamp format.
    initial_expiry = datetime.now()
    initial_extension_count = 1

    add_stackset_to_state(
        dynamodb_client=state_table_empty,
        table_name=state_table_name,
        stackset_id=stackset_id,
        username="******",
        email="*****@*****.**",
        extension_count=initial_extension_count,
        expiry=initial_expiry,
    )

    # Request from a non-owner of the stack set.
    caller_claims = {
        "email": "*****@*****.**",
        "profile": "private",
        "nickname": "charlie",
        "custom:is_superuser": "******",
    }
    event = {
        "requestContext": {"authorizer": {"jwt": {"claims": caller_claims}}},
        "pathParameters": {"id": stackset_id},
    }

    result = post_instance_extend(event, context=None)

    # The response reports the extended expiry.
    assert result["stackset_id"] == stackset_id
    assert result["can_extend"]
    assert datetime.fromisoformat(result["expiry"]) > initial_expiry

    # The extended expiry and the new count were saved in DynamoDB.
    stored = state_table_empty.get_item(
        TableName=state_table_name,
        Key={"stacksetID": {"S": stackset_id}},
    )
    stored_item = stored["Item"]
    assert datetime.fromisoformat(stored_item["expiry"]["S"]) > initial_expiry
    assert int(stored_item["extensionCount"]["N"]) > initial_extension_count
def test_post_instances_failure_exceed_instance_limit(permission_table,
                                                      permission_table_name,
                                                      state_table_empty,
                                                      state_table_name,
                                                      account_id):
    """Creating an instance is refused once the caller is over their quota.

    Ten stack sets are pre-registered in the state table before the request
    is sent; the handler must answer 400 with "limit exceeded" in the body.

    NOTE(review): 10 is presumably at or above the instance limit that the
    ``permission_table`` fixture grants to the "private" profile -- confirm.
    NOTE(review): the username, email and ``custom:is_superuser`` literals
    are masked in this copy, so whether the seeded instances belong to the
    caller cannot be read from the values -- confirm.
    NOTE(review): only the response is checked; nothing asserts that the
    provisioning state machine was left uninvoked.
    """
    provision_sfn_arn = "fake_provision_sfn_arn"
    os.environ.update({
        "dynamodb_permissions_table_name": permission_table_name,
        "dynamodb_state_table_name": state_table_name,
        "provision_sfn_arn": provision_sfn_arn,
    })

    caller_claims = {
        "email": "*****@*****.**",
        "profile": "private",
        "nickname": "alice",
        "custom:is_superuser": "******",
    }
    requested_expiry = datetime.now(tz=timezone.utc) + timedelta(days=1)
    request_body = {
        "instanceName": "The Best Instance",
        "instanceType": "t3.micro",
        "region": "eu-west-1",
        "operatingSystem": "AWS Linux 2",
        "expiry": requested_expiry.isoformat(),
    }
    event = {
        "requestContext": {"authorizer": {"jwt": {"claims": caller_claims}}},
        "body": json.dumps(request_body),
    }

    # Seed the state table to mimic a user exceeding their instance allowance.
    for idx in range(10):
        add_stackset_to_state(
            dynamodb_client=state_table_empty,
            table_name=state_table_name,
            stackset_id=f"fake_stackset_id_{idx}",
            username="******",
            email="*****@*****.**",
        )

    result = post_instances(event, context=None)

    assert result["statusCode"] == 400
    assert "limit exceeded" in result["body"]
def test_patch_instance_failure_for_non_owner(permission_table,
                                              permission_table_name,
                                              state_table_empty,
                                              state_table_name):
    """A caller who does not own the stack set is refused by patch_instance.

    The request body is an empty JSON object, so the refusal does not depend
    on which parameters were asked for.

    NOTE(review): the email and ``custom:is_superuser`` literals are masked
    in this copy; the test presumably relies on the claim carrying a
    non-superuser value and on the email differing from the owner's --
    confirm against the unmasked test data.
    NOTE(review): the authorization failure is asserted as HTTP 400 rather
    than 403 -- confirm that this mapping is intended.
    NOTE(review): only the response is checked; nothing asserts that the
    stack set was left unmodified.
    """
    os.environ.update({
        "dynamodb_permissions_table_name": permission_table_name,
        "dynamodb_state_table_name": state_table_name,
    })

    stackset_id = "fake_id"
    add_stackset_to_state(
        dynamodb_client=state_table_empty,
        table_name=state_table_name,
        stackset_id=stackset_id,
        username="******",
        email="*****@*****.**",
    )

    caller_claims = {
        "email": "*****@*****.**",
        "profile": "developer",
        "nickname": "charlie",
        "custom:is_superuser": "******",
    }
    event = {
        "requestContext": {"authorizer": {"jwt": {"claims": caller_claims}}},
        "pathParameters": {"id": stackset_id},
        "body": "{}",
    }

    result = patch_instance(event, context=None)

    # A non-owner is not allowed to patch the instance.
    assert result["statusCode"] == 400
    assert "not authorized" in result["body"]
def test_post_instance_extend_failure_for_owner_exceeding_extension_limit(
        permission_table, permission_table_name, state_table_empty,
        state_table_name):
    """An owner who has used up their extensions cannot extend again.

    The stack set is stored with ``extension_count=20`` and the handler must
    answer 400 with "cannot extend" in the body.

    NOTE(review): 20 is presumably above the extension limit that the
    ``permission_table`` fixture grants to the "private" profile -- confirm.
    NOTE(review): the username, email and ``custom:is_superuser`` literals
    are masked in this copy; the test presumably relies on the claim
    carrying a non-superuser value, otherwise the superuser override would
    apply -- confirm.
    NOTE(review): only the response is checked; the stored expiry and
    extension count are not re-read to prove they stayed unchanged.
    """
    os.environ.update({
        "dynamodb_permissions_table_name": permission_table_name,
        "dynamodb_state_table_name": state_table_name,
    })

    stackset_id = "fake_id"
    add_stackset_to_state(
        dynamodb_client=state_table_empty,
        table_name=state_table_name,
        stackset_id=stackset_id,
        username="******",
        email="*****@*****.**",
        extension_count=20,
    )

    caller_claims = {
        "email": "*****@*****.**",
        "profile": "private",
        "nickname": "alice",
        "custom:is_superuser": "******",
    }
    event = {
        "requestContext": {"authorizer": {"jwt": {"claims": caller_claims}}},
        "pathParameters": {"id": stackset_id},
    }

    result = post_instance_extend(event, context=None)

    # The owner is past the extension limit, so the request is refused.
    assert result["statusCode"] == 400
    assert "cannot extend" in result["body"]
def test_patch_instance_failure_for_unauthorized_param(permission_table,
                                                       permission_table_name,
                                                       state_table_empty,
                                                       state_table_name):
    """patch_instance rejects an instance type the caller may not use.

    The request asks for ``instanceType`` "invalid"; the handler must answer
    400 and name the offending parameter in the body.

    NOTE(review): presumably the allowed instance types per profile come
    from the ``permission_table`` fixture -- confirm.
    NOTE(review): the username, email and ``custom:is_superuser`` literals
    are masked in this copy, so whether the caller is the owner cannot be
    read from the values; if the caller were rejected for ownership instead,
    the "instanceType" assertion is what distinguishes the two failures.
    """
    os.environ.update({
        "dynamodb_permissions_table_name": permission_table_name,
        "dynamodb_state_table_name": state_table_name,
    })

    stackset_id = "fake_id"
    add_stackset_to_state(
        dynamodb_client=state_table_empty,
        table_name=state_table_name,
        stackset_id=stackset_id,
        username="******",
        email="*****@*****.**",
    )

    caller_claims = {
        "email": "*****@*****.**",
        "profile": "private",
        "nickname": "alice",
        "custom:is_superuser": "******",
    }
    event = {
        "requestContext": {"authorizer": {"jwt": {"claims": caller_claims}}},
        "pathParameters": {"id": stackset_id},
        "body": json.dumps({"instanceType": "invalid"}),
    }

    result = patch_instance(event, context=None)

    assert result["statusCode"] == 400
    assert "instanceType" in result["body"]