def test_update_bucket_path_access(iam, users, resources_1, resources_2):
    """Granting path-scoped access a second time replaces the earlier paths.

    The ``readonly`` statement of the ``s3-access`` inline policy must list
    exactly the ``<path>/*`` object ARNs of the most recent grant; the first
    grant's paths must not linger alongside them.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'

    def prefix_arns(resources):
        # Path ARNs in the form handed to grant_bucket_access.
        return [f'{bucket_arn}{resource}' for resource in resources]

    def object_arns(resources):
        # Object-level ARNs expected to show up in the policy statement.
        return [f'{bucket_arn}{resource}/*' for resource in resources]

    user = users['normal_user']
    aws.create_user_role(user)

    # First grant: the statement carries the object ARNs of resources_1.
    aws.grant_bucket_access(
        user.iam_role_name, bucket_arn, 'readonly', prefix_arns(resources_1)
    )
    policy = iam.RolePolicy(user.iam_role_name, 's3-access')
    statements = get_statements_by_sid(policy.policy_document)
    assert set(object_arns(resources_1)) == set(statements['readonly']['Resource'])

    # Second grant: resources_2 replaces (does not extend) resources_1.
    aws.grant_bucket_access(
        user.iam_role_name, bucket_arn, 'readonly', prefix_arns(resources_2)
    )
    policy.reload()
    statements = get_statements_by_sid(policy.policy_document)
    assert set(object_arns(resources_2)) == set(statements['readonly']['Resource'])
def test_grant_bucket_access(iam, users, resources):
    """Read-only bucket grants yield the expected ``s3-access`` statements.

    With paths, the ``readonly`` statement is restricted to ``<path>/*`` and
    must not also contain the whole-bucket ``<bucket>/*`` resource; without
    paths it is exactly ``<bucket>/*``. The ``list`` statement always targets
    the bucket ARN itself and no ``readwrite`` statement exists. A second,
    path-less grant on another bucket adds exactly one readonly resource.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'
    whole_bucket_objects = f'{bucket_arn}/*'
    path_arns_list = [f'{bucket_arn}{resource}' for resource in resources]
    path_arns_object = [f'{bucket_arn}{resource}/*' for resource in resources]

    user = users['normal_user']
    aws.create_user_role(user)
    aws.grant_bucket_access(user.iam_role_name, bucket_arn, 'readonly', path_arns_list)

    policy = iam.RolePolicy(user.iam_role_name, 's3-access')
    statements = get_statements_by_sid(policy.policy_document)
    readonly_resources = statements['readonly']['Resource']

    if not path_arns_object:
        # No paths given: access covers every object in the bucket.
        assert {whole_bucket_objects} == set(readonly_resources)
    else:
        # Paths given: access is scoped to those prefixes only, and the
        # whole-bucket wildcard must not appear next to them.
        assert set(path_arns_object) == set(readonly_resources)
        assert whole_bucket_objects not in readonly_resources

    # Only readonly was granted, so there must be no readwrite statement.
    assert 'readwrite' not in statements
    assert {bucket_arn} == set(statements['list']['Resource'])

    # Granting a second bucket without paths adds exactly one resource.
    aws.grant_bucket_access(user.iam_role_name, f'{bucket_arn}-2', 'readonly')
    policy.reload()
    statements = get_statements_by_sid(policy.policy_document)
    expected_num_resources = len(path_arns_list) + 1 if path_arns_list else 2
    assert len(statements['readonly']['Resource']) == expected_num_resources
def create(self):
    """Create the user's IAM role, run user init, then apply the config chart.

    Order: ``aws.create_user_role`` first, then ``self._init_user()``, and
    finally a Helm upgrade of the ``config-user`` release into the user's
    Kubernetes namespace, passing only the user's slug as ``Username``.
    """
    aws.create_user_role(self.user)
    self._init_user()

    helm_args = (
        f"config-user-{self.user.slug}",          # release name
        f"{settings.HELM_REPO}/config-user",      # chart
        f"--namespace={self.k8s_namespace}",
        f"--set=Username={self.user.slug}",
    )
    helm.upgrade_release(*helm_args)
def test_revoke_bucket_access(iam, users, resources):
    """Revoking a bucket removes every statement that referred to it.

    After ``grant_bucket_access`` (path-scoped, readonly) followed by
    ``revoke_bucket_access`` for the same bucket, the ``s3-access`` policy
    must contain no ``readonly``, ``readwrite`` or ``list`` statement.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'
    scoped_paths = [f'{bucket_arn}{resource}' for resource in resources]
    user = users['normal_user']
    aws.create_user_role(user)

    aws.grant_bucket_access(user.iam_role_name, bucket_arn, 'readonly', scoped_paths)
    aws.revoke_bucket_access(user.iam_role_name, bucket_arn)

    policy = iam.RolePolicy(user.iam_role_name, 's3-access')
    statements = get_statements_by_sid(policy.policy_document)
    # Nothing granted on this bucket may survive the revoke.
    for sid in ('readonly', 'readwrite', 'list'):
        assert sid not in statements
def test_revoke_bucket_path_access(iam, users, resources):
    """A path-less grant after a path-scoped grant widens to the whole bucket.

    After the second ``readonly`` grant without paths, the statement must
    cover ``<bucket>/*`` only (the earlier path ARNs are dropped) and
    ``list`` must target the bucket ARN itself.
    """
    bucket_arn = 'arn:aws:s3:::test-bucket'
    scoped_paths = [f'{bucket_arn}{resource}' for resource in resources]
    user = users['normal_user']
    aws.create_user_role(user)

    # First grant is restricted to the given paths ...
    aws.grant_bucket_access(user.iam_role_name, bucket_arn, 'readonly', scoped_paths)
    policy = iam.RolePolicy(user.iam_role_name, 's3-access')

    # ... the second, path-less grant replaces it with whole-bucket access.
    aws.grant_bucket_access(user.iam_role_name, bucket_arn, 'readonly')
    policy.reload()
    statements = get_statements_by_sid(policy.policy_document)
    assert {f'{bucket_arn}/*'} == set(statements['readonly']['Resource'])
    assert {bucket_arn} == set(statements['list']['Resource'])
def test_create_user_role(iam, managed_policy, users):
    """The new role trusts four principals and has one managed policy attached.

    The assume-role policy statements are checked positionally with the
    ``ec2_assume_role``, ``k8s_assume_role``, ``saml_assume_role`` and
    ``oidc_assume_role`` helpers, so statement order is part of the contract.
    Exactly one policy, the ``managed_policy`` fixture, must be attached.

    NOTE(review): a second ``test_create_user_role`` appears later on this
    page; if both live in one module the later definition shadows this one
    and pytest collects only that one.
    """
    user = users['normal_user']
    aws.create_user_role(user)
    role = iam.Role(user.iam_role_name)

    trust_statements = role.assume_role_policy_document['Statement']
    assert len(trust_statements) == 4
    ec2, k8s, saml, oidc = trust_statements
    assert ec2_assume_role(ec2)
    assert k8s_assume_role(k8s)
    assert saml_assume_role(saml)
    assert oidc_assume_role(oidc, user)

    attached = list(role.attached_policies.all())
    assert len(attached) == 1
    assert attached[0].arn == managed_policy['Arn']
def test_create_user_role(iam, managed_policy, airflow_dev_policy, airflow_prod_policy, users):
    """The new role trusts four principals and has three managed policies attached.

    The assume-role policy statements are checked positionally with the
    ``ec2_assume_role``, ``k8s_assume_role``, ``saml_assume_role`` and
    ``oidc_assume_role`` helpers, so statement order is part of the contract.
    The ``managed_policy``, ``airflow_dev_policy`` and ``airflow_prod_policy``
    fixtures must all be attached and nothing else.

    NOTE(review): an earlier ``test_create_user_role`` on this page expects a
    single attached policy; if both live in one module this later definition
    shadows it and pytest collects only this one.
    """
    user = users['normal_user']
    aws.create_user_role(user)
    role = iam.Role(user.iam_role_name)

    trust_statements = role.assume_role_policy_document['Statement']
    assert len(trust_statements) == 4
    ec2, k8s, saml, oidc = trust_statements
    assert ec2_assume_role(ec2)
    assert k8s_assume_role(k8s)
    assert saml_assume_role(saml)
    assert oidc_assume_role(oidc, user)

    attached_arns = [policy.arn for policy in role.attached_policies.all()]
    assert len(attached_arns) == 3
    for expected in (managed_policy, airflow_dev_policy, airflow_prod_policy):
        assert expected["Arn"] in attached_arns
def create(self):
    """Create the user's IAM role and apply the ``init-user`` and ``config-user`` charts.

    ``init-user`` receives the environment, NFS host, OIDC domain and the
    user's email, full name and slug through a single Helm ``--set``;
    ``config-user`` is applied into the user's namespace with only the slug.
    """
    aws.create_user_role(self.user)

    # NOTE(review): email and name are interpolated into ``--set`` without
    # escaping. Helm splits ``--set`` values on ',' (and '=' within a pair),
    # so a display name containing either would alter the parsed values —
    # confirm these fields are validated upstream, or escape them here.
    init_values = ",".join([
        f"Env={settings.ENV}",
        f"NFSHostname={settings.NFS_HOSTNAME}",
        f"OidcDomain={settings.OIDC_DOMAIN}",
        f"Email={self.user.email}",
        f"Fullname={self.user.name}",
        f"Username={self.user.slug}",
    ])
    helm.upgrade_release(
        f"init-user-{self.user.slug}",            # release name
        f"{settings.HELM_REPO}/init-user",        # chart
        f"--set={init_values}",
    )

    helm.upgrade_release(
        f"config-user-{self.user.slug}",          # release name
        f"{settings.HELM_REPO}/config-user",      # chart
        f"--namespace={self.k8s_namespace}",
        f"--set=Username={self.user.slug}",
    )
def test_delete_role(iam, managed_policy, role_policy, users):
    """Deleting the role removes it, its inline policy and its attachment.

    After ``aws.delete_role`` the role and the inline policy created by the
    ``role_policy`` fixture must both raise ``NoSuchEntityException`` on
    load, and the managed policy's attachment count must drop from 1 to 0.
    """
    user = users['normal_user']
    aws.create_user_role(user)
    role = iam.Role(user.iam_role_name)
    inline_policy = role_policy(role)
    attached_policy = iam.Policy(managed_policy['Arn'])
    # Precondition: the managed policy is attached to exactly this role.
    assert attached_policy.attachment_count == 1

    aws.delete_role(user.iam_role_name)

    no_such_entity = iam.meta.client.exceptions.NoSuchEntityException
    # The role and its inline policy must both be gone ...
    with pytest.raises(no_such_entity):
        role.load()
    with pytest.raises(no_such_entity):
        inline_policy.load()
    # ... and the managed policy must no longer be attached anywhere.
    attached_policy.reload()
    assert attached_policy.attachment_count == 0
def test_create_user_role_EKS(iam, managed_policy, airflow_dev_policy, airflow_prod_policy, users):
    """On EKS the trust policy gains a fifth statement for the EKS principal.

    With ``settings.EKS`` patched to ``True``, the assume-role policy must
    hold five statements accepted positionally by ``ec2_assume_role``,
    ``k8s_assume_role``, ``saml_assume_role``, ``oidc_assume_role`` and
    ``eks_assume_role``, and the same three managed policies must be
    attached as in the non-EKS case.
    """
    user = users['normal_user']
    # settings.EKS is patched for the whole test body.
    with patch("controlpanel.api.aws.settings.EKS", True):
        aws.create_user_role(user)
        role = iam.Role(user.iam_role_name)

        trust_statements = role.assume_role_policy_document['Statement']
        assert len(trust_statements) == 5
        ec2, k8s, saml, oidc, eks = trust_statements
        assert ec2_assume_role(ec2)
        assert k8s_assume_role(k8s)
        assert saml_assume_role(saml)
        assert oidc_assume_role(oidc, user)
        assert eks_assume_role(eks, user)

        attached_arns = [policy.arn for policy in role.attached_policies.all()]
        assert len(attached_arns) == 3
        for expected in (managed_policy, airflow_dev_policy, airflow_prod_policy):
            assert expected["Arn"] in attached_arns
def user_roles(iam, users):
    """Create an IAM role for every user in the ``users`` mapping.

    ``iam`` is not referenced directly; presumably it is requested so the
    IAM fixture is set up before any role is created — verify against the
    fixture definitions.
    """
    for _name, user in users.items():
        aws.create_user_role(user)