def test_update_bucket_path_access(iam, users, resources_1, resources_2):
    """A second path-scoped grant replaces the first set of paths.

    Grants ``readonly`` on the ``resources_1`` paths, then on the
    ``resources_2`` paths, for the same bucket, and checks after each call
    that the ``readonly`` statement's resources are exactly that call's
    object ARNs. The set equality on the second check is what proves that
    nothing from the first grant is retained.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'

    def path_arns(resources):
        # Prefix ARNs handed to grant_bucket_access
        return [f'{bucket_arn}{resource}' for resource in resources]

    def object_arns(resources):
        # Object ARNs expected to appear in the readonly statement
        return {f'{bucket_arn}{resource}/*' for resource in resources}

    user = users['normal_user']
    aws.create_user_role(user)

    aws.grant_bucket_access(
        user.iam_role_name, bucket_arn, 'readonly', path_arns(resources_1)
    )
    policy = iam.RolePolicy(user.iam_role_name, 's3-access')
    statements = get_statements_by_sid(policy.policy_document)
    assert object_arns(resources_1) == set(statements['readonly']['Resource'])

    # Re-granting with a different path list must replace, not extend
    aws.grant_bucket_access(
        user.iam_role_name, bucket_arn, 'readonly', path_arns(resources_2)
    )
    policy.reload()
    statements = get_statements_by_sid(policy.policy_document)
    assert object_arns(resources_2) == set(statements['readonly']['Resource'])
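def test_grant_bucket_access(iam, users, resources):
    """Granting ``readonly`` scopes the role's inline ``s3-access`` policy.

    With paths, the ``readonly`` statement lists only the per-path object
    ARNs and never the whole-bucket ``/*`` wildcard; without paths it lists
    the whole-bucket wildcard. No ``readwrite`` statement is created, and
    the ``list`` statement covers the bucket ARN. A second grant on another
    bucket must add that bucket's object wildcard without disturbing the
    first bucket's (path-scoped) resources — checked by content, not just by
    count, so a swapped or widened resource cannot slip through.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'
    path_arns_list = [f'{bucket_arn}{resource}' for resource in resources]
    path_arns_object = [f'{bucket_arn}{resource}/*' for resource in resources]
    user = users['normal_user']
    aws.create_user_role(user)

    aws.grant_bucket_access(user.iam_role_name, bucket_arn, 'readonly',
                            path_arns_list)

    policy = iam.RolePolicy(user.iam_role_name, 's3-access')
    statements = get_statements_by_sid(policy.policy_document)

    # Path-scoped grants must not silently widen to the whole bucket
    expected_readonly = set(path_arns_object) or {f'{bucket_arn}/*'}
    assert expected_readonly == set(statements['readonly']['Resource'])
    if path_arns_object:
        assert f'{bucket_arn}/*' not in statements['readonly']['Resource']
    # no readwrite statement because no readwrite access granted
    assert 'readwrite' not in statements
    assert {bucket_arn} == set(statements['list']['Resource'])

    aws.grant_bucket_access(user.iam_role_name, f'{bucket_arn}-2', 'readonly')
    policy.reload()
    statements = get_statements_by_sid(policy.policy_document)

    # The second bucket's wildcard is added and the first bucket's scoping is
    # kept verbatim; the length check additionally rejects duplicate entries.
    expected_readonly.add(f'{bucket_arn}-2/*')
    assert expected_readonly == set(statements['readonly']['Resource'])
    assert len(statements['readonly']['Resource']) == len(expected_readonly)
    # The first bucket's list permission must survive the second grant
    assert bucket_arn in statements['list']['Resource']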
    def create(self):
        """Create the user's IAM role, initialise the user, then deploy the
        ``config-user`` chart into the user's namespace.

        The only chart value passed is ``Username`` (the user's slug), given
        as a single ``--set`` pair.
        """
        aws.create_user_role(self.user)
        self._init_user()

        username = self.user.slug
        release_name = f"config-user-{username}"
        chart = f"{settings.HELM_REPO}/config-user"
        helm.upgrade_release(
            release_name,
            chart,
            f"--namespace={self.k8s_namespace}",
            f"--set=Username={username}",
        )
def test_revoke_bucket_access(iam, users, resources):
    """Revoking a bucket removes every statement that referenced it.

    After a path-scoped ``readonly`` grant followed by a revoke on the same
    bucket, the inline ``s3-access`` policy must carry no ``readonly``,
    ``readwrite`` or ``list`` statement at all.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'
    user = users['normal_user']
    aws.create_user_role(user)

    granted_paths = [f'{bucket_arn}{resource}' for resource in resources]
    aws.grant_bucket_access(user.iam_role_name, bucket_arn, 'readonly', granted_paths)
    aws.revoke_bucket_access(user.iam_role_name, bucket_arn)

    policy = iam.RolePolicy(user.iam_role_name, 's3-access')
    statements = get_statements_by_sid(policy.policy_document)
    for sid in ('readonly', 'readwrite', 'list'):
        assert sid not in statements
def test_revoke_bucket_path_access(iam, users, resources):
    """Re-granting the whole bucket replaces earlier path-scoped grants.

    A ``readonly`` grant restricted to ``resources`` followed by an
    unrestricted ``readonly`` grant on the same bucket must leave the
    ``readonly`` statement with only the whole-bucket object wildcard and
    the ``list`` statement with only the bucket ARN; the per-path object
    ARNs must not linger alongside them.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'
    user = users['normal_user']
    aws.create_user_role(user)

    scoped_paths = [f'{bucket_arn}{resource}' for resource in resources]
    aws.grant_bucket_access(user.iam_role_name, bucket_arn, 'readonly', scoped_paths)
    policy = iam.RolePolicy(user.iam_role_name, 's3-access')

    # Widen to the whole bucket, then re-read the stored document
    aws.grant_bucket_access(user.iam_role_name, bucket_arn, 'readonly')
    policy.reload()
    statements = get_statements_by_sid(policy.policy_document)

    assert {f'{bucket_arn}/*'} == set(statements['readonly']['Resource'])
    assert {bucket_arn} == set(statements['list']['Resource'])
def test_create_user_role(iam, managed_policy, users):
    """A new user role trusts exactly four principals and carries one managed policy.

    The assume-role (trust) document must contain, in order, the EC2, k8s,
    SAML and OIDC statements and nothing else; the only attached managed
    policy must be the ``managed_policy`` fixture's.
    """
    user = users['normal_user']
    aws.create_user_role(user)

    role = iam.Role(user.iam_role_name)
    trust_statements = role.assume_role_policy_document['Statement']

    # Exact count: an extra trust statement would widen who may assume the role
    assert len(trust_statements) == 4
    ec2_stmt, k8s_stmt, saml_stmt, oidc_stmt = trust_statements
    assert ec2_assume_role(ec2_stmt)
    assert k8s_assume_role(k8s_stmt)
    assert saml_assume_role(saml_stmt)
    assert oidc_assume_role(oidc_stmt, user)

    attached_arns = [policy.arn for policy in role.attached_policies.all()]
    assert attached_arns == [managed_policy['Arn']]
def test_create_user_role(iam, managed_policy, airflow_dev_policy, airflow_prod_policy, users):
    """A new user role trusts exactly four principals and carries three managed policies.

    The assume-role (trust) document must contain, in order, the EC2, k8s,
    SAML and OIDC statements and nothing else; the attached managed policies
    must be exactly the ``managed_policy``, ``airflow_dev_policy`` and
    ``airflow_prod_policy`` fixtures.
    """
    user = users['normal_user']
    aws.create_user_role(user)

    role = iam.Role(user.iam_role_name)
    trust_statements = role.assume_role_policy_document['Statement']

    # Exact count: an extra trust statement would widen who may assume the role
    assert len(trust_statements) == 4
    ec2_stmt, k8s_stmt, saml_stmt, oidc_stmt = trust_statements
    assert ec2_assume_role(ec2_stmt)
    assert k8s_assume_role(k8s_stmt)
    assert saml_assume_role(saml_stmt)
    assert oidc_assume_role(oidc_stmt, user)

    attached_arns = [policy.arn for policy in role.attached_policies.all()]
    assert len(attached_arns) == 3
    for expected in (managed_policy, airflow_dev_policy, airflow_prod_policy):
        assert expected["Arn"] in attached_arns
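    def create(self):
        """Create the user's IAM role and deploy the ``init-user`` and
        ``config-user`` charts for them.

        The ``init-user`` chart receives its values as a single comma-joined
        ``--set`` argument. helm splits ``--set`` on unescaped commas, so a
        comma inside a user-supplied value (``Fullname`` or ``Email``) would
        otherwise be parsed as the start of another ``key=value`` pair and let
        that value override or add chart settings. Commas are therefore
        backslash-escaped, which helm reads as a literal comma.
        """
        aws.create_user_role(self.user)

        def escape_set_value(value):
            # helm --set: "\," is a literal comma, "," separates pairs
            return str(value).replace(",", "\\,")

        # Order is kept as the chart values were originally passed
        init_values = {
            "Env": settings.ENV,
            "NFSHostname": settings.NFS_HOSTNAME,
            "OidcDomain": settings.OIDC_DOMAIN,
            "Email": self.user.email,
            "Fullname": self.user.name,
            "Username": self.user.slug,
        }
        init_set_arg = ",".join(
            f"{key}={escape_set_value(value)}" for key, value in init_values.items()
        )
        helm.upgrade_release(
            f"init-user-{self.user.slug}",
            f"{settings.HELM_REPO}/init-user",
            f"--set={init_set_arg}",
        )
        helm.upgrade_release(
            f"config-user-{self.user.slug}",
            f"{settings.HELM_REPO}/config-user",
            f"--namespace={self.k8s_namespace}",
            f"--set=Username={self.user.slug}",
        )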
def test_delete_role(iam, managed_policy, role_policy, users):
    """Deleting a role also removes its inline policy and detaches managed ones.

    Both the role and its inline policy must be gone afterwards
    (``NoSuchEntityException`` on load) and the managed policy's attachment
    count must drop from 1 to 0, so no dangling attachment keeps the
    permissions alive.
    """
    user = users['normal_user']
    aws.create_user_role(user)

    role = iam.Role(user.iam_role_name)
    inline_policy = role_policy(role)
    attached_policy = iam.Policy(managed_policy['Arn'])
    assert attached_policy.attachment_count == 1

    aws.delete_role(user.iam_role_name)

    no_such_entity = iam.meta.client.exceptions.NoSuchEntityException
    for gone in (role, inline_policy):
        with pytest.raises(no_such_entity):
            gone.load()

    attached_policy.reload()
    assert attached_policy.attachment_count == 0
def test_create_user_role_EKS(iam, managed_policy, airflow_dev_policy, airflow_prod_policy, users):
    """
    Ensure the EKS trust statement is present in the assume-role policy
    document when running on that infrastructure (``settings.EKS`` patched
    to ``True``): the four statements of the non-EKS case plus a fifth EKS
    one, with the same three managed policies attached.
    """
    user = users['normal_user']
    # The patch wraps both role creation and the read-back of the trust
    # document, exactly as the original test sequenced it.
    with patch("controlpanel.api.aws.settings.EKS", True):
        aws.create_user_role(user)
        role = iam.Role(user.iam_role_name)
        trust_statements = role.assume_role_policy_document['Statement']

    # Exact count: an extra trust statement would widen who may assume the role
    assert len(trust_statements) == 5
    ec2_stmt, k8s_stmt, saml_stmt, oidc_stmt, eks_stmt = trust_statements
    assert ec2_assume_role(ec2_stmt)
    assert k8s_assume_role(k8s_stmt)
    assert saml_assume_role(saml_stmt)
    assert oidc_assume_role(oidc_stmt, user)
    assert eks_assume_role(eks_stmt, user)

    attached_arns = [policy.arn for policy in role.attached_policies.all()]
    assert len(attached_arns) == 3
    for expected in (managed_policy, airflow_dev_policy, airflow_prod_policy):
        assert expected["Arn"] in attached_arns
def user_roles(iam, users):
    """Create an IAM role for every user in the ``users`` fixture.

    ``iam`` is requested only so the IAM fixture is set up before the roles
    are created; nothing is returned.
    """
    for user_record in users.values():
        aws.create_user_role(user_record)