def test_statement_condition_remove_colon():
assert StatementCondition.parse_obj(
{
"ForAllValues:ArnEqualsIfExists": {"patata_1": "test_1"},
"ForAnyValue:ArnEquals": {"patata_2": ["test_2", "test_3"]},
}
) == StatementCondition(
ForAllValuesArnEqualsIfExists={"patata_1": "test_1"}, ForAnyValueArnEquals={"patata_2": ["test_2", "test_3"]}
)
def test_generic_resource():
resource = GenericResource.parse_obj({
"Type": "AWS::ECR::RegistryPolicy",
"Properties": {
"PolicyText": {
"Version":
"2012-10-17",
"Statement": [
{
"Sid":
"ReplicationAccessCrossAccount1",
"Effect":
"Allow",
"Principal": {
"AWS": "arn:aws:iam::210987654321:root"
},
"Action":
["ecr:CreateRepository", "ecr:ReplicateImage"],
"Condition": {
"StringEquals": {
"aws:username": "******"
}
},
"Resource":
"arn:aws:ecr:us-west-2:123456789012:repository/*",
},
{
"Sid":
"DeleteAccessCrossAccount2",
"Effect":
"Allow",
"Principal": {
"AWS": "arn:aws:iam::111222333444:root"
},
"Action": ["ecr:DeleteRepository"],
"Condition": {
"IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
}
},
"Resource":
"arn:aws:ecr:us-west-2:123456789012:repository/*",
},
],
}
},
})
assert isinstance(resource, GenericResource)
assert isinstance(resource.Properties.PolicyText, PolicyDocument)
assert resource.all_statement_conditions == [
StatementCondition(StringEquals={"aws:username": "******"}),
StatementCondition(IpAddress={"aws:SourceIp": "203.0.113.0/24"}),
]
def test_statement_condition_without_resolving_raises_error():
statement_condition_raw = {
"StringLike": {
"patata": {
"Fn::Sub": "${ClusterId}*"
}
}
}
statement_condition = StatementCondition.parse_obj(statement_condition_raw)
with pytest.raises(StatementConditionBuildEvaluatorError):
statement_condition.eval({"patata": "test_cluster"})
def test_statement_condition_with_resolver_works_fine():
statement_condition_raw = {
"StringLike": {
"patata": {
"Fn::Sub": "${ClusterId}*"
}
}
}
resolved_statement_condition_raw = resolve(statement_condition_raw,
{"ClusterId": "test_cluster"},
{}, {})
resolved_statement_condition = StatementCondition.parse_obj(
resolved_statement_condition_raw)
assert resolved_statement_condition.eval({"patata": "test_cluster"
}) is True
def test_all_possible_conditions():
# Based on https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
all_operators = set()
for operator in [
"ArnEquals",
"ArnLike",
"ArnNotEquals",
"ArnNotLike",
"Bool",
"BinaryEquals",
"DateEquals",
"DateNotEquals",
"DateLessThan",
"DateLessThanEquals",
"DateGreaterThan",
"DateGreaterThanEquals",
"IpAddress",
"NotIpAddress",
"NumericEquals",
"NumericNotEquals",
"NumericLessThan",
"NumericLessThanEquals",
"NumericGreaterThan",
"NumericGreaterThanEquals",
"StringEquals",
"StringNotEquals",
"StringEqualsIgnoreCase",
"StringNotEqualsIgnoreCase",
"StringLike",
"StringNotLike",
]:
all_operators.add(operator)
all_operators.add(f"{operator}IfExists")
# Null
# Null is not compatible with IfExists
all_operators.add("Null")
# For(Any/All)Values
for operator in all_operators.copy():
all_operators.add(f"ForAllValues{operator}")
all_operators.add(f"ForAnyValue{operator}")
implemented_operators = sorted(
StatementCondition.schema()["properties"].keys())
assert implemented_operators == sorted(all_operators)
def test_sns_all_conditions_in_policy(sns_topic_policy):
assert sns_topic_policy.all_statement_conditions == [
StatementCondition(IpAddress={"aws:SourceIp": "203.0.113.0/24"})
]
def test_eval_is_built_only_if_called():
condition = StatementCondition()
assert condition._eval is None
condition.eval({})
assert condition._eval is not None
def test_statement_condition_eval_all_conditions_are_true(
statement_condition: StatementCondition, params: Dict,
expected_output: bool):
assert statement_condition.eval(params) == expected_output
}, False),
],
)
def test_build_root_evaluator_for_any_value_if_exists(function: str,
arguments: Union[Dict,
Tuple],
params: Dict,
expected_output: bool):
node = build_root_evaluator(function, arguments)
assert node(params) == expected_output
@pytest.mark.parametrize(
"statement_condition, params, expected_output",
[
(StatementCondition(), {}, True),
(StatementCondition(NumericEquals={"patata": 1}), {
"patata": 1
}, True),
(StatementCondition(NumericEquals={"patata": 1}), {
"patata": 2
}, False),
(
StatementCondition(NumericEquals={"patata_1": 1},
StringEquals={"patata_2": "A"}),
{
"patata_1": 1,
"patata_2": "A"
},
True,
),
def test_s3_bucketpolicy_all_statement_conditions(s3_bucket_policy):
assert s3_bucket_policy.all_statement_conditions == [
StatementCondition(StringNotEquals={
"s3:VersionId": "AaaHbAQitwiL_h47_44lRO2DDfLlBO5e"
})
]
