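def test_ReadOnlyAccessの権限を所有していない(self):
    """A role that does not hold ReadOnlyAccess must fail the access check.

    Uses the module-level ``trace_id`` and ``account_id`` together with the
    ``no_role`` / ``no_role_external_id`` pair set up on the test case
    (assumed to name a role without ReadOnlyAccess — confirm in setUp).
    The module globals are only read here, so no ``global`` declaration is
    required; the unused ``execute_test`` declaration was dropped.
    """
    role_name = self.no_role
    external_id = self.no_role_external_id
    result = checkaccess.check_access_to_aws(trace_id, account_id, role_name,
                                             external_id)
    self.assertFalse(result)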
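def test_ReadOnlyAccessの権限を所有している(self):
    """A role that holds ReadOnlyAccess must pass the default access check.

    Uses the module-level ``trace_id`` and ``account_id`` together with the
    ``read_only_access`` / ``read_only_access_external_id`` pair set up on
    the test case. ``check_access_to_aws`` is called without an explicit
    policy list, so this exercises its default policy requirement.
    The module globals are only read here, so no ``global`` declaration is
    required; the unused ``execute_test`` declaration was dropped.
    """
    role_name = self.read_only_access
    external_id = self.read_only_access_external_id
    result = checkaccess.check_access_to_aws(trace_id, account_id, role_name,
                                             external_id)
    self.assertTrue(result)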
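def test_ManagedPoliciesが付与されていない(self):
    """A role with none of the requested managed policies must fail.

    The ``no_role`` pair is checked against an explicit policy list
    (``AmazonS3FullAccess``, ``ReadOnlyAccess``); the check is expected to
    report False. The module globals are only read here, so no ``global``
    declaration is required; the unused ``execute_test`` declaration was
    dropped.
    """
    role_name = self.no_role
    external_id = self.no_role_external_id
    result = checkaccess.check_access_to_aws(
        trace_id, account_id, role_name, external_id,
        ['AmazonS3FullAccess', 'ReadOnlyAccess'])
    self.assertFalse(result)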
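def test_ReadOnlyAccessとAmazonS3FullAccessのどちらかの権限を所有している(self):
    """A ReadOnlyAccess-only role checked against two policies.

    The ``read_only_access`` pair is checked against
    ``['AmazonS3FullAccess', 'ReadOnlyAccess']`` and the test asserts False.
    NOTE(review): the method name says the role holds *either* policy, yet
    the expectation is False — presumably ``check_access_to_aws`` requires
    every listed policy; confirm against checkaccess before relying on the
    name. The module globals are only read here, so no ``global``
    declaration is required; the unused ``execute_test`` declaration was
    dropped.
    """
    role_name = self.read_only_access
    external_id = self.read_only_access_external_id
    result = checkaccess.check_access_to_aws(
        trace_id, account_id, role_name, external_id,
        ['AmazonS3FullAccess', 'ReadOnlyAccess'])
    self.assertFalse(result)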
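def test_AdministratorAccessの権限を所有していない(self):
    """A ReadOnlyAccess role must not satisfy an AdministratorAccess check.

    The ``read_only_access`` pair is checked against
    ``['AdministratorAccess']`` and the check is expected to report False.
    The module globals are only read here, so no ``global`` declaration is
    required; the unused ``execute_test`` declaration was dropped.
    """
    role_name = self.read_only_access
    external_id = self.read_only_access_external_id
    result = checkaccess.check_access_to_aws(trace_id, account_id, role_name,
                                             external_id,
                                             ['AdministratorAccess'])
    self.assertFalse(result)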
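def update_awscoop(trace_id, project_id, organization_id, coop_id, data_body):
    """Update an AWS account cooperation (AWSアカウント連携) record.

    Parses ``data_body`` (a JSON object with ``awsAccount``, ``roleName``,
    ``description`` and ``awsAccountName`` keys), validates the account and
    role name, checks whether the stored ExternalID can assume the role,
    and writes the result back through ``pm_awsAccountCoops``.

    Args:
        trace_id: Request trace identifier passed to logging and to the
            data/AWS helpers.
        project_id: Project the cooperation record belongs to.
        organization_id: Organization the cooperation record belongs to.
        coop_id: Key of the cooperation record to update.
        data_body: Raw JSON request body.

    Returns:
        A response built by ``common_utils``: the refreshed record with
        HTTP 200 on success, otherwise an error response (400 unparsable
        body, 422 validation failure, 404 unknown record, 500 data-store
        error).
    """
    pm_logger = common_utils.begin_logger(trace_id, __name__,
                                          inspect.currentframe())

    # Parse JSON. Only the failures a malformed client body can produce are
    # mapped to 400: invalid JSON (ValueError, incl. JSONDecodeError and
    # UnicodeDecodeError), a missing key (KeyError) or a top level that is
    # not an object (TypeError). Other exceptions are server-side bugs and
    # should surface instead of being reported as a client error.
    try:
        body_object = json.loads(data_body)
        aws_account = body_object["awsAccount"]
        role_name = body_object["roleName"]
        description = body_object["description"]
        aws_account_name = body_object['awsAccountName']
    except (ValueError, KeyError, TypeError) as e:
        return common_utils.error_exception(MsgConst.ERR_REQUEST_202,
                                            HTTPStatus.BAD_REQUEST, e,
                                            pm_logger, True)

    # Validate the request-supplied account and role name before either is
    # used to build an AWS session.
    list_error = validate_update_awscoop(aws_account, role_name)
    if list_error:
        return common_utils.error_validate(MsgConst.ERR_REQUEST_201,
                                           HTTPStatus.UNPROCESSABLE_ENTITY,
                                           list_error, pm_logger)

    # Fetch the AWS account cooperation record scoped to this project and
    # organization; None means no such record is visible to the caller.
    try:
        awscoops_item = pm_awsAccountCoops.get_awscoops_update(
            trace_id, coop_id, project_id, organization_id)
    except PmError as e:
        return common_utils.error_exception(MsgConst.ERR_402,
                                            HTTPStatus.INTERNAL_SERVER_ERROR,
                                            e, pm_logger, True)
    if awscoops_item is None:
        return common_utils.error_common(MsgConst.ERR_301,
                                         HTTPStatus.NOT_FOUND, pm_logger)

    # Optional free-text fields: blank values (per common_utils.is_null)
    # are stored as None.
    if common_utils.is_null(description):
        description = None
    if common_utils.is_null(aws_account_name):
        aws_account_name = None

    # Check that the role can be assumed. The ExternalID comes from the
    # stored record, never from the request body, so the caller cannot
    # choose which external id is presented to the customer's role.
    external_id = awscoops_item['ExternalID']
    effective = Effective.Disable.value
    members = None
    if checkaccess.check_access_to_aws(trace_id, aws_account, role_name,
                                       external_id):
        effective = Effective.Enable.value
        # Using an IAM client, read the membership of the linked account
        # (the original comment names the IAM role cm-membersportal —
        # confirm in IAMUtils). A PmError here is logged, not fatal: the
        # record is still updated, just without a fresh Members value.
        try:
            session = aws_common.create_session_client(trace_id, aws_account,
                                                       role_name, external_id)
            members = IAMUtils.get_membership_aws_account(
                trace_id, session, aws_account)
        except PmError as e:
            common_utils.write_log_pm_error(e, pm_logger, exc_info=True)

    # Build the update. Members is only included when it was fetched, so a
    # failed lookup leaves it out of the update entirely.
    attribute = {
        'AWSAccount': {"Value": aws_account},
        'RoleName': {"Value": role_name},
        'Description': {"Value": description},
        'Effective': {"Value": effective},
        'AWSAccountName': {"Value": aws_account_name},
    }
    if members is not None:
        attribute['Members'] = {"Value": members}

    # UpdatedAt from the fetched record is passed along — presumably as an
    # optimistic-concurrency condition; confirm in pm_awsAccountCoops.
    updated_at = awscoops_item['UpdatedAt']
    try:
        pm_awsAccountCoops.update_awscoops(trace_id, coop_id, attribute,
                                           updated_at)
    except PmError as e:
        return common_utils.error_exception(MsgConst.ERR_DB_403,
                                            HTTPStatus.INTERNAL_SERVER_ERROR,
                                            e, pm_logger, True)

    # Re-read the record in response form for the reply body.
    try:
        awscoops_item = pm_awsAccountCoops.query_awscoop_coop_key(
            trace_id, coop_id, convert_response=True)
    except PmError as e:
        return common_utils.error_exception(MsgConst.ERR_402,
                                            HTTPStatus.INTERNAL_SERVER_ERROR,
                                            e, pm_logger, True)

    response = common_utils.get_response_by_response_body(HTTPStatus.OK,
                                                          awscoops_item)
    return common_utils.response(response, pm_logger)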