 def test_ReadOnlyAccessの権限を所有していない(self):
     """The no-policy role must be reported as having no access.

     Exercises ``checkaccess.check_access_to_aws`` with the module-level
     ``trace_id``/``account_id`` fixtures and the ``no_role`` role plus the
     external id that belongs to it. Expected result: ``False``.
     """
     global account_id
     global trace_id
     # Same account, same external id: only the role differs from the
     # positive case, so a False here isolates the missing policy.
     granted = checkaccess.check_access_to_aws(
         trace_id, account_id, self.no_role, self.no_role_external_id)
     self.assertFalse(granted)
 def test_ReadOnlyAccessの権限を所有している(self):
     """The ReadOnlyAccess role must be reported as accessible.

     Calls ``checkaccess.check_access_to_aws`` with the module-level
     ``trace_id``/``account_id`` fixtures, the ``read_only_access`` role
     and its matching external id. Expected result: ``True``.
     """
     global account_id
     global trace_id
     # The external id is the one registered for this role; a mismatch
     # would make AssumeRole fail regardless of the attached policies.
     granted = checkaccess.check_access_to_aws(
         trace_id, account_id, self.read_only_access,
         self.read_only_access_external_id)
     self.assertTrue(granted)
 def test_ManagedPoliciesが付与されていない(self):
     """A role with no managed policies fails the explicit policy check.

     Passes the policy list ``['AmazonS3FullAccess', 'ReadOnlyAccess']`` to
     ``checkaccess.check_access_to_aws`` for the ``no_role`` role.
     Expected result: ``False``.
     """
     global account_id
     global trace_id
     required_policies = ['AmazonS3FullAccess', 'ReadOnlyAccess']
     granted = checkaccess.check_access_to_aws(
         trace_id, account_id, self.no_role, self.no_role_external_id,
         required_policies)
     self.assertFalse(granted)
 def test_ReadOnlyAccessとAmazonS3FullAccessのどちらかの権限を所有している(self):
     """ReadOnlyAccess role checked against ['AmazonS3FullAccess', 'ReadOnlyAccess'].

     Expected result as written: ``False``.

     NOTE(review): the method name says the role holds *either* of the two
     policies, yet the assertion expects ``False`` — which only makes sense
     if the policy list means "all of these are required". Confirm the
     semantics of the policy-list argument of ``check_access_to_aws``
     before relying on this test; either the name or the assertion is
     misleading.
     """
     global account_id
     global trace_id
     required_policies = ['AmazonS3FullAccess', 'ReadOnlyAccess']
     granted = checkaccess.check_access_to_aws(
         trace_id, account_id, self.read_only_access,
         self.read_only_access_external_id, required_policies)
     self.assertFalse(granted)
 def test_AdministratorAccessの権限を所有していない(self):
     """A read-only role must not pass a check that demands AdministratorAccess.

     Calls ``checkaccess.check_access_to_aws`` for the ``read_only_access``
     role with the policy list ``['AdministratorAccess']``.
     Expected result: ``False``.
     """
     global account_id
     global trace_id
     # Privilege-escalation guard: holding ReadOnlyAccess must never satisfy
     # a requirement for AdministratorAccess.
     granted = checkaccess.check_access_to_aws(
         trace_id, account_id, self.read_only_access,
         self.read_only_access_external_id, ['AdministratorAccess'])
     self.assertFalse(granted)
def update_awscoop(trace_id, project_id, organization_id, coop_id, data_body):
    """Update an AWS account cooperation record from a JSON request body.

    Flow: parse the body, validate the account/role pair, load the existing
    record scoped to ``project_id``/``organization_id``, probe the role via
    ``checkaccess`` using the record's stored ExternalID, persist the new
    attributes, then return the re-read record.

    Args:
        trace_id: request trace id, used for logging and passed to every helper.
        project_id: project the cooperation record must belong to.
        organization_id: organization the record must belong to.
        coop_id: key of the cooperation record to update.
        data_body: raw JSON string. The keys ``awsAccount``, ``roleName``,
            ``description`` and ``awsAccountName`` are all required; a missing
            key is treated like unparseable JSON.

    Returns:
        A response built by ``common_utils``: 200 with the refreshed record on
        success; 400 when the body cannot be parsed or lacks a key; 422 when
        ``validate_update_awscoop`` reports errors; 404 when no record matches;
        500 when storage access raises ``PmError``.
    """
    log = common_utils.begin_logger(trace_id, __name__,
                                    inspect.currentframe())

    # 1. Parse the request. Anything that goes wrong here (bad JSON, missing
    #    key, non-string body, ...) is a client error; the exception itself is
    #    logged with a traceback by error_exception.
    try:
        payload = json.loads(data_body)
        aws_account = payload["awsAccount"]
        role_name = payload["roleName"]
        description = payload["description"]
        aws_account_name = payload['awsAccountName']
    except Exception as exc:
        return common_utils.error_exception(MsgConst.ERR_REQUEST_202,
                                            HTTPStatus.BAD_REQUEST, exc,
                                            log, True)

    # 2. Validate. Only the account/role pair goes through the validator;
    #    description and aws_account_name are stored as received.
    #    NOTE(review): confirm that length/content limits for those two
    #    free-text fields are enforced somewhere downstream.
    errors = validate_update_awscoop(aws_account, role_name)
    if errors:
        return common_utils.error_validate(MsgConst.ERR_REQUEST_201,
                                           HTTPStatus.UNPROCESSABLE_ENTITY,
                                           errors, log)

    # 3. Load the existing record. The lookup is keyed by coop_id *and*
    #    scoped by project/organization — presumably this is the tenant
    #    boundary that stops a caller from editing someone else's record;
    #    verify in pm_awsAccountCoops.get_awscoops_update.
    try:
        record = pm_awsAccountCoops.get_awscoops_update(
            trace_id, coop_id, project_id, organization_id)
    except PmError as exc:
        return common_utils.error_exception(MsgConst.ERR_402,
                                            HTTPStatus.INTERNAL_SERVER_ERROR,
                                            exc, log, True)
    if record is None:
        return common_utils.error_common(MsgConst.ERR_301,
                                         HTTPStatus.NOT_FOUND, log)

    # 4. Normalise the optional text fields: null-ish values become None.
    description = None if common_utils.is_null(description) else description
    aws_account_name = (None if common_utils.is_null(aws_account_name)
                        else aws_account_name)

    # 5. Probe the role. The ExternalID is always taken from the stored
    #    record — never from the request body — so a caller cannot substitute
    #    their own. (AWS's ExternalId is the confused-deputy guard, but it only
    #    helps if the target role's trust policy actually requires it.)
    external_id = record['ExternalID']
    has_access = checkaccess.check_access_to_aws(trace_id, aws_account,
                                                 role_name, external_id)
    effective = (Effective.Enable.value if has_access
                 else Effective.Disable.value)

    members = None
    if has_access:
        # Look up membership through the assumed role. A PmError here is
        # logged and otherwise ignored: the record still becomes Enable, and
        # the Members attribute is simply left out of the update below
        # (presumably leaving the previously stored value in place).
        try:
            session = aws_common.create_session_client(
                trace_id, aws_account, role_name, external_id)
            members = IAMUtils.get_membership_aws_account(
                trace_id, session, aws_account)
        except PmError as exc:
            common_utils.write_log_pm_error(exc, log, exc_info=True)

    # 6. Build the attribute map in the store's {"Value": ...} shape.
    new_values = [
        ('AWSAccount', aws_account),
        ('RoleName', role_name),
        ('Description', description),
        ('Effective', effective),
        ('AWSAccountName', aws_account_name),
    ]
    if members is not None:
        new_values.append(('Members', members))
    attribute = {key: {"Value": value} for key, value in new_values}

    # 7. Persist. The record's UpdatedAt is handed to the updater alongside
    #    the attributes — it looks like a conditional-write token; confirm in
    #    pm_awsAccountCoops.update_awscoops.
    previous_updated_at = record['UpdatedAt']
    try:
        pm_awsAccountCoops.update_awscoops(trace_id, coop_id, attribute,
                                           previous_updated_at)
    except PmError as exc:
        return common_utils.error_exception(MsgConst.ERR_DB_403,
                                            HTTPStatus.INTERNAL_SERVER_ERROR,
                                            exc, log, True)

    # 8. Re-read the record in response form and return it.
    try:
        refreshed = pm_awsAccountCoops.query_awscoop_coop_key(
            trace_id, coop_id, convert_response=True)
    except PmError as exc:
        return common_utils.error_exception(MsgConst.ERR_402,
                                            HTTPStatus.INTERNAL_SERVER_ERROR,
                                            exc, log, True)

    response = common_utils.get_response_by_response_body(HTTPStatus.OK,
                                                          refreshed)
    return common_utils.response(response, log)