Exemplo n.º 1
0
 def _create_role_reference(self, config, stage_name, function_name):
     # type: (Config, str, str) -> models.IAMRole
     # First option, the user doesn't want us to manage
     # the role at all.
     if not config.manage_iam_role:
         # We've already validated the iam_role_arn is provided
         # if manage_iam_role is set to False.
         return models.PreCreatedIAMRole(role_arn=config.iam_role_arn, )
     policy = models.IAMPolicy(document=models.Placeholder.BUILD_STAGE)
     if not config.autogen_policy:
         resource_name = '%s_role' % function_name
         role_name = '%s-%s-%s' % (config.app_name, stage_name,
                                   function_name)
         if config.iam_policy_file is not None:
             filename = os.path.join(config.project_dir, '.chalice',
                                     config.iam_policy_file)
         else:
             filename = os.path.join(config.project_dir, '.chalice',
                                     'policy-%s.json' % stage_name)
         policy = models.FileBasedIAMPolicy(
             filename=filename, document=models.Placeholder.BUILD_STAGE)
     else:
         resource_name = 'default-role'
         role_name = '%s-%s' % (config.app_name, stage_name)
         policy = models.AutoGenIAMPolicy(
             document=models.Placeholder.BUILD_STAGE)
     return models.ManagedIAMRole(
         resource_name=resource_name,
         role_name=role_name,
         trust_policy=LAMBDA_TRUST_POLICY,
         policy=policy,
     )
Exemplo n.º 2
0
 def test_can_create_plan_for_filebased_role(self):
     self.remote_state.declare_no_resources_exists()
     resource = models.ManagedIAMRole(
         resource_name='default-role',
         role_name='myrole',
         trust_policy={'trust': 'policy'},
         policy=models.FileBasedIAMPolicy(filename='foo.json',
                                          document={'iam': 'policy'}),
     )
     plan = self.determine_plan(resource)
     expected = models.APICall(
         method_name='create_role',
         params={
             'name': 'myrole',
             'trust_policy': {
                 'trust': 'policy'
             },
             'policy': {
                 'iam': 'policy'
             }
         },
     )
     self.assert_apicall_equals(plan[0], expected)
     assert list(self.last_plan.messages.values()) == [
         'Creating IAM role: myrole\n'
     ]
Exemplo n.º 3
0
    def test_error_raised_if_file_policy_not_exists(self):
        p = self.create_policy_generator()
        policy = models.FileBasedIAMPolicy(
            filename='foo.json', document=models.Placeholder.BUILD_STAGE)
        self.osutils.get_file_contents.side_effect = IOError()

        with pytest.raises(RuntimeError):
            p.handle(Config.create(), policy)
Exemplo n.º 4
0
    def test_policy_loaded_from_file_if_needed(self):
        p = self.create_policy_generator()
        policy = models.FileBasedIAMPolicy(
            filename='foo.json', document=models.Placeholder.BUILD_STAGE)
        self.osutils.get_file_contents.return_value = '{"iam": "policy"}'

        p.handle(Config.create(), policy)

        assert policy.document == {'iam': 'policy'}
        self.osutils.get_file_contents.assert_called_with('foo.json')
Exemplo n.º 5
0
    def _create_rest_api_model(
            self,
            config,  # type: Config
            deployment,  # type: models.DeploymentPackage
            stage_name,  # type: str
    ):
        # type: (...) -> models.RestAPI
        # Need to mess with the function name for back-compat.
        lambda_function = self._create_lambda_model(config=config,
                                                    deployment=deployment,
                                                    name='api_handler',
                                                    handler_name='app.app',
                                                    stage_name=stage_name)
        # For backwards compatibility with the old deployer, the
        # lambda function for the API handler doesn't have the
        # resource_name appended to its complete function_name,
        # it's just <app>-<stage>.
        function_name = '%s-%s' % (config.app_name, config.chalice_stage)
        lambda_function.function_name = function_name
        if config.minimum_compression_size is None:
            minimum_compression = ''
        else:
            minimum_compression = str(config.minimum_compression_size)
        authorizers = []
        for auth in config.chalice_app.builtin_auth_handlers:
            auth_lambda = self._create_lambda_model(
                config=config,
                deployment=deployment,
                name=auth.name,
                handler_name=auth.handler_string,
                stage_name=stage_name,
            )
            authorizers.append(auth_lambda)

        policy = None
        policy_path = config.api_gateway_policy_file
        if (config.api_gateway_endpoint_type == 'PRIVATE' and not policy_path):
            policy = models.IAMPolicy(
                document=self._get_default_private_api_policy(config))
        elif policy_path:
            policy = models.FileBasedIAMPolicy(
                document=models.Placeholder.BUILD_STAGE,
                filename=os.path.join(config.project_dir, '.chalice',
                                      policy_path))

        return models.RestAPI(resource_name='rest_api',
                              swagger_doc=models.Placeholder.BUILD_STAGE,
                              endpoint_type=config.api_gateway_endpoint_type,
                              minimum_compression=minimum_compression,
                              api_gateway_stage=config.api_gateway_stage,
                              lambda_function=lambda_function,
                              authorizers=authorizers,
                              policy=policy)
Exemplo n.º 6
0
 def test_error_raised_when_filebased_policy_not_exist(self):
     self.remote_state.declare_no_resources_exists()
     resource = models.ManagedIAMRole(
         resource_name='default-role',
         role_name='myrole',
         trust_policy={'trust': 'policy'},
         policy=models.FileBasedIAMPolicy(filename='foo.json'),
     )
     self.osutils.get_file_contents.side_effect = IOError(
         "File does not exist")
     with pytest.raises(RuntimeError):
         self.determine_plan(resource)
Exemplo n.º 7
0
 def test_can_set_variables_when_needed(self):
     function = create_function_resource('function_name')
     self.remote_state.declare_no_resources_exists()
     function.role = models.ManagedIAMRole(
         resource_name='myrole',
         role_name='myrole-dev',
         trust_policy={'trust': 'policy'},
         policy=models.FileBasedIAMPolicy(filename='foo.json'),
     )
     plan = self.determine_plan(function)
     call = plan[0]
     assert call.method_name == 'create_function'
     # The params are verified in test_can_create_function,
     # we just care about how the role_arn Variable is constructed.
     role_arn = call.params['role_arn']
     assert isinstance(role_arn, Variable)
     assert role_arn.name == 'myrole-dev_role_arn'
Exemplo n.º 8
0
 def test_can_update_file_based_policy(self):
     role = models.ManagedIAMRole(
         resource_name='resource_name',
         role_name='myrole',
         trust_policy={},
         policy=models.FileBasedIAMPolicy(filename='foo.json',
                                          document={'iam': 'policy'}),
     )
     self.remote_state.declare_resource_exists(role, role_arn='myrole:arn')
     plan = self.determine_plan(role)
     assert plan[0] == models.StoreValue(name='myrole_role_arn',
                                         value='myrole:arn')
     self.assert_apicall_equals(
         plan[1],
         models.APICall(
             method_name='put_role_policy',
             params={
                 'role_name': 'myrole',
                 'policy_name': 'myrole',
                 'policy_document': {
                     'iam': 'policy'
                 }
             },
         ))