def test_statement_condition_remove_colon(): assert StatementCondition.parse_obj( { "ForAllValues:ArnEqualsIfExists": {"patata_1": "test_1"}, "ForAnyValue:ArnEquals": {"patata_2": ["test_2", "test_3"]}, } ) == StatementCondition( ForAllValuesArnEqualsIfExists={"patata_1": "test_1"}, ForAnyValueArnEquals={"patata_2": ["test_2", "test_3"]} )
def test_generic_resource(): resource = GenericResource.parse_obj({ "Type": "AWS::ECR::RegistryPolicy", "Properties": { "PolicyText": { "Version": "2012-10-17", "Statement": [ { "Sid": "ReplicationAccessCrossAccount1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::210987654321:root" }, "Action": ["ecr:CreateRepository", "ecr:ReplicateImage"], "Condition": { "StringEquals": { "aws:username": "******" } }, "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/*", }, { "Sid": "DeleteAccessCrossAccount2", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111222333444:root" }, "Action": ["ecr:DeleteRepository"], "Condition": { "IpAddress": { "aws:SourceIp": "203.0.113.0/24" } }, "Resource": "arn:aws:ecr:us-west-2:123456789012:repository/*", }, ], } }, }) assert isinstance(resource, GenericResource) assert isinstance(resource.Properties.PolicyText, PolicyDocument) assert resource.all_statement_conditions == [ StatementCondition(StringEquals={"aws:username": "******"}), StatementCondition(IpAddress={"aws:SourceIp": "203.0.113.0/24"}), ]
def test_statement_condition_without_resolving_raises_error(): statement_condition_raw = { "StringLike": { "patata": { "Fn::Sub": "${ClusterId}*" } } } statement_condition = StatementCondition.parse_obj(statement_condition_raw) with pytest.raises(StatementConditionBuildEvaluatorError): statement_condition.eval({"patata": "test_cluster"})
def test_statement_condition_with_resolver_works_fine(): statement_condition_raw = { "StringLike": { "patata": { "Fn::Sub": "${ClusterId}*" } } } resolved_statement_condition_raw = resolve(statement_condition_raw, {"ClusterId": "test_cluster"}, {}, {}) resolved_statement_condition = StatementCondition.parse_obj( resolved_statement_condition_raw) assert resolved_statement_condition.eval({"patata": "test_cluster" }) is True
def test_all_possible_conditions(): # Based on https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html all_operators = set() for operator in [ "ArnEquals", "ArnLike", "ArnNotEquals", "ArnNotLike", "Bool", "BinaryEquals", "DateEquals", "DateNotEquals", "DateLessThan", "DateLessThanEquals", "DateGreaterThan", "DateGreaterThanEquals", "IpAddress", "NotIpAddress", "NumericEquals", "NumericNotEquals", "NumericLessThan", "NumericLessThanEquals", "NumericGreaterThan", "NumericGreaterThanEquals", "StringEquals", "StringNotEquals", "StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase", "StringLike", "StringNotLike", ]: all_operators.add(operator) all_operators.add(f"{operator}IfExists") # Null # Null is not compatible with IfExists all_operators.add("Null") # For(Any/All)Values for operator in all_operators.copy(): all_operators.add(f"ForAllValues{operator}") all_operators.add(f"ForAnyValue{operator}") implemented_operators = sorted( StatementCondition.schema()["properties"].keys()) assert implemented_operators == sorted(all_operators)
def test_sns_all_conditions_in_policy(sns_topic_policy): assert sns_topic_policy.all_statement_conditions == [ StatementCondition(IpAddress={"aws:SourceIp": "203.0.113.0/24"}) ]
def test_eval_is_built_only_if_called(): condition = StatementCondition() assert condition._eval is None condition.eval({}) assert condition._eval is not None
def test_statement_condition_eval_all_conditions_are_true( statement_condition: StatementCondition, params: Dict, expected_output: bool): assert statement_condition.eval(params) == expected_output
}, False), ], ) def test_build_root_evaluator_for_any_value_if_exists(function: str, arguments: Union[Dict, Tuple], params: Dict, expected_output: bool): node = build_root_evaluator(function, arguments) assert node(params) == expected_output @pytest.mark.parametrize( "statement_condition, params, expected_output", [ (StatementCondition(), {}, True), (StatementCondition(NumericEquals={"patata": 1}), { "patata": 1 }, True), (StatementCondition(NumericEquals={"patata": 1}), { "patata": 2 }, False), ( StatementCondition(NumericEquals={"patata_1": 1}, StringEquals={"patata_2": "A"}), { "patata_1": 1, "patata_2": "A" }, True, ),
def test_s3_bucketpolicy_all_statement_conditions(s3_bucket_policy): assert s3_bucket_policy.all_statement_conditions == [ StatementCondition(StringNotEquals={ "s3:VersionId": "AaaHbAQitwiL_h47_44lRO2DDfLlBO5e" }) ]