Пример #1
def test_patch_instance_success_for_superuser(permission_table,
                                              permission_table_name,
                                              state_table_empty,
                                              state_table_name,
                                              cloudformation):
    """A superuser who is not the owner can change a stackset's instance type.

    A stackset is created with a placeholder ``InstanceType`` parameter and
    registered in the state table. ``patch_instance`` is then called with
    JWT claims for a different, superuser caller, and the test checks that the
    handler returns an empty dict and that the stackset parameter now holds
    the requested type.
    """
    # NOTE(review): these assignments outlive the test; pytest's
    # monkeypatch.setenv would restore them and stop table names leaking
    # into later tests.
    os.environ["dynamodb_permissions_table_name"] = permission_table_name
    os.environ["dynamodb_state_table_name"] = state_table_name

    old_type = "fake"
    new_type = "t3.micro"
    template_parameters = [
        {
            "ParameterKey": "InstanceType",
            "ParameterValue": old_type,
        },
    ]
    created = cloudformation.create_stack_set(
        StackSetName="fake_name",
        TemplateBody="fake_body",
        PermissionModel="SELF_MANAGED",
        Parameters=template_parameters,
    )
    stackset_id = created["StackSetId"]
    add_stackset_to_state(
        dynamodb_client=state_table_empty,
        table_name=state_table_name,
        stackset_id=stackset_id,
        username="******",
        email="*****@*****.**",
    )

    # Caller identity as it appears under the authorizer's JWT claims:
    # a non-owner who carries the superuser claim.
    claims = {
        "email": "*****@*****.**",
        "profile": "private",
        "nickname": "charlie",
        "custom:is_superuser": "******",
    }
    event = {
        "requestContext": {"authorizer": {"jwt": {"claims": claims}}},
        "pathParameters": {"id": stackset_id},
        "body": json.dumps({"instanceType": new_type}),
    }

    result = patch_instance(event, context=None)

    assert result == {}
    # The change must be visible on the stackset itself, not only in the reply.
    described = cloudformation.describe_stack_set(StackSetName=stackset_id)
    instance_types = [
        param["ParameterValue"]
        for param in described["StackSet"]["Parameters"]
        if param["ParameterKey"] == "InstanceType"
    ]
    assert instance_types[0] == new_type
Пример #2
def test_cleanup_complete_success(state_table, state_table_name,
                                  cloudformation):
    """``cleanup_complete`` deletes the stackset and its state-table entry.

    A stackset is created and registered in the state table, the handler is
    invoked with its id, and the test then checks both that the stackset
    reports ``DELETED`` and that the state table no longer returns an item
    for that id.
    """
    # NOTE(review): this assignment outlives the test; pytest's
    # monkeypatch.setenv would restore it afterwards.
    os.environ["dynamodb_state_table_name"] = state_table_name

    created = cloudformation.create_stack_set(
        StackSetName="fake_name",
        TemplateBody="fake_body",
        PermissionModel="SELF_MANAGED",
    )
    stackset_id = created["StackSetId"]
    add_stackset_to_state(
        dynamodb_client=state_table,
        table_name=state_table_name,
        stackset_id=stackset_id,
        username="******",
        email="*****@*****.**",
    )

    cleanup_complete({"stackset_id": stackset_id}, context=None)

    # The stackset itself is gone.
    described = cloudformation.describe_stack_set(StackSetName=stackset_id)
    assert described["StackSet"]["Status"] == "DELETED"

    # No orphaned state record is left behind for the deleted stackset.
    state_key = {"stacksetID": {"S": stackset_id}}
    state_lookup = state_table.get_item(TableName=state_table_name,
                                        Key=state_key)
    assert "Item" not in state_lookup
Пример #3
def test_post_instance_extend_success_for_superuser_exceeding_extension_limit(
        permission_table, permission_table_name, state_table_empty,
        state_table_name):
    """A superuser non-owner can extend a stackset's expiry.

    The stackset is stored with an extension count of 1 and an expiry of
    "now". After ``post_instance_extend`` the response and the stored item
    must both carry a later expiry, and the stored extension count must have
    grown.
    """
    # NOTE(review): these assignments outlive the test; pytest's
    # monkeypatch.setenv would restore them afterwards.
    os.environ["dynamodb_permissions_table_name"] = permission_table_name
    os.environ["dynamodb_state_table_name"] = state_table_name

    stackset_id = "fake_id"
    # NOTE(review): naive local time. The comparisons below only work if the
    # handler also emits naive ISO timestamps; another test on this page sends
    # a UTC-aware expiry, so confirm which convention the handlers use.
    expiry_before = datetime.now()
    extensions_before = 1
    add_stackset_to_state(
        dynamodb_client=state_table_empty,
        table_name=state_table_name,
        stackset_id=stackset_id,
        username="******",
        email="*****@*****.**",
        extension_count=extensions_before,
        expiry=expiry_before,
    )

    # Caller is not the stackset owner but carries the superuser claim.
    claims = {
        "email": "*****@*****.**",
        "profile": "private",
        "nickname": "charlie",
        "custom:is_superuser": "******",
    }
    event = {
        "requestContext": {"authorizer": {"jwt": {"claims": claims}}},
        "pathParameters": {"id": stackset_id},
    }

    result = post_instance_extend(event, context=None)

    # The reply reports the extension.
    assert result["stackset_id"] == stackset_id
    assert result["can_extend"]
    assert datetime.fromisoformat(result["expiry"]) > expiry_before

    # The extension is persisted, not just echoed back to the caller.
    stored = state_table_empty.get_item(
        TableName=state_table_name,
        Key={"stacksetID": {"S": stackset_id}},
    )
    stored_item = stored["Item"]
    assert datetime.fromisoformat(stored_item["expiry"]["S"]) > expiry_before
    assert int(stored_item["extensionCount"]["N"]) > extensions_before
Пример #4
def test_post_instances_failure_exceed_instance_limit(permission_table,
                                                      permission_table_name,
                                                      state_table_empty,
                                                      state_table_name,
                                                      account_id):
    """Creating an instance is refused once the caller's quota is used up.

    Ten stacksets are registered in the state table before the request is
    made; ``post_instances`` must then answer with status 400 and a body
    mentioning "limit exceeded".
    """
    # NOTE(review): these assignments outlive the test; pytest's
    # monkeypatch.setenv would restore them afterwards.
    os.environ["dynamodb_permissions_table_name"] = permission_table_name
    os.environ["dynamodb_state_table_name"] = state_table_name
    os.environ["provision_sfn_arn"] = "fake_provision_sfn_arn"

    claims = {
        "email": "*****@*****.**",
        "profile": "private",
        "nickname": "alice",
        "custom:is_superuser": "******",
    }
    # An otherwise valid request, so the quota is the only reason to reject.
    expiry_iso = (datetime.now(tz=timezone.utc) +
                  timedelta(days=1)).isoformat()
    request_body = json.dumps({
        "instanceName": "The Best Instance",
        "instanceType": "t3.micro",
        "region": "eu-west-1",
        "operatingSystem": "AWS Linux 2",
        "expiry": expiry_iso,
    })
    event = {
        "requestContext": {"authorizer": {"jwt": {"claims": claims}}},
        "body": request_body,
    }

    # Pre-fill the state table so the caller already holds ten stacksets.
    # NOTE(review): 10 presumably matches or exceeds the quota configured by
    # the permission_table fixture; confirm against that fixture.
    for index in range(10):
        add_stackset_to_state(
            dynamodb_client=state_table_empty,
            table_name=state_table_name,
            stackset_id=f"fake_stackset_id_{index}",
            username="******",
            email="*****@*****.**",
        )

    result = post_instances(event, context=None)

    assert result["statusCode"] == 400
    assert "limit exceeded" in result["body"]
Пример #5
def test_patch_instance_failure_for_non_owner(permission_table,
                                              permission_table_name,
                                              state_table_empty,
                                              state_table_name):
    """A caller who does not own the stackset cannot patch it.

    The stackset is registered in the state table, ``patch_instance`` is
    called with JWT claims for a caller with the ``developer`` profile, and
    the handler must answer 400 with "not authorized" in the body.
    """
    # NOTE(review): these assignments outlive the test; pytest's
    # monkeypatch.setenv would restore them afterwards.
    os.environ["dynamodb_permissions_table_name"] = permission_table_name
    os.environ["dynamodb_state_table_name"] = state_table_name

    stackset_id = "fake_id"
    add_stackset_to_state(
        dynamodb_client=state_table_empty,
        table_name=state_table_name,
        stackset_id=stackset_id,
        username="******",
        email="*****@*****.**",
    )

    claims = {
        "email": "*****@*****.**",
        "profile": "developer",
        "nickname": "charlie",
        "custom:is_superuser": "******",
    }
    event = {
        "requestContext": {"authorizer": {"jwt": {"claims": claims}}},
        "pathParameters": {"id": stackset_id},
        "body": "{}",
    }

    result = patch_instance(event, context=None)

    # A non-owner must not be able to modify the instance.
    # NOTE(review): the handler reports the authorization failure as 400;
    # 403 is the conventional status for this case. The test pins current
    # behaviour, so change both together if the handler is ever corrected.
    assert result["statusCode"] == 400
    assert "not authorized" in result["body"]
Пример #6
def test_post_instance_extend_failure_for_owner_exceeding_extension_limit(
        permission_table, permission_table_name, state_table_empty,
        state_table_name):
    """The owner cannot extend a stackset that has used up its extensions.

    The stackset is stored with an extension count of 20;
    ``post_instance_extend`` must answer 400 with "cannot extend" in the body.
    """
    # NOTE(review): these assignments outlive the test; pytest's
    # monkeypatch.setenv would restore them afterwards.
    os.environ["dynamodb_permissions_table_name"] = permission_table_name
    os.environ["dynamodb_state_table_name"] = state_table_name

    stackset_id = "fake_id"
    add_stackset_to_state(
        dynamodb_client=state_table_empty,
        table_name=state_table_name,
        stackset_id=stackset_id,
        username="******",
        email="*****@*****.**",
        extension_count=20,
    )

    claims = {
        "email": "*****@*****.**",
        "profile": "private",
        "nickname": "alice",
        "custom:is_superuser": "******",
    }
    event = {
        "requestContext": {"authorizer": {"jwt": {"claims": claims}}},
        "pathParameters": {"id": stackset_id},
    }

    result = post_instance_extend(event, context=None)

    # The extension limit applies to the owner as well.
    # NOTE(review): presumably 20 is above the limit set up by the
    # permission_table fixture; confirm against that fixture.
    assert result["statusCode"] == 400
    assert "cannot extend" in result["body"]
Пример #7
def test_patch_instance_failure_for_unauthorized_param(permission_table,
                                                       permission_table_name,
                                                       state_table_empty,
                                                       state_table_name):
    """Patching with an instance type the caller may not use is rejected.

    ``patch_instance`` is called with ``instanceType`` set to ``"invalid"``
    and must answer 400 with the offending field name in the body.
    """
    # NOTE(review): these assignments outlive the test; pytest's
    # monkeypatch.setenv would restore them afterwards.
    os.environ["dynamodb_permissions_table_name"] = permission_table_name
    os.environ["dynamodb_state_table_name"] = state_table_name

    stackset_id = "fake_id"
    add_stackset_to_state(
        dynamodb_client=state_table_empty,
        table_name=state_table_name,
        stackset_id=stackset_id,
        username="******",
        email="*****@*****.**",
    )

    claims = {
        "email": "*****@*****.**",
        "profile": "private",
        "nickname": "alice",
        "custom:is_superuser": "******",
    }
    # NOTE(review): "invalid" is presumably absent from the instance types
    # that the permission_table fixture allows for this profile; confirm.
    event = {
        "requestContext": {"authorizer": {"jwt": {"claims": claims}}},
        "pathParameters": {"id": stackset_id},
        "body": json.dumps({"instanceType": "invalid"}),
    }

    result = patch_instance(event, context=None)

    # The rejection names the parameter that failed the check.
    assert result["statusCode"] == 400
    assert "instanceType" in result["body"]