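def test_need_naked_permission_to_retrieve_aws_access_key_secret(core_session, cloud_provider_ec2_account_config, live_aws_cloud_provider, user, cds_session):
    """Reading an AWS access-key secret back requires the "Naked" account permission.

    Walks a limited user up the permission ladder on a single IAM account:
    no permission (import denied) -> "Manage" (import allowed, secret retrieval
    still denied) -> "Naked" (retrieval allowed; returned id and secret match
    what was imported).

    Fixtures:
        core_session: admin session used to create the account and grant rights.
        cloud_provider_ec2_account_config: mapping of IAM users to their access keys.
        live_aws_cloud_provider: (cloud_provider_id, cleanup callback, key populator).
        user: key into ``cloud_provider_ec2_account_config`` selecting the IAM user.
        cds_session: (session of the limited user, limited user object).
    """
    cloud_provider_id, _test_deleted_provider, _populate_iam_user_with_access_keys = live_aws_cloud_provider
    requester_session, limited_user = cds_session
    iam_user = cloud_provider_ec2_account_config[user]
    access_key_1 = iam_user['access_key_1']
    # Only the key id is ever echoed into failure output; the secret must not land in test logs.
    key_id = access_key_1['id']

    account_id, success = ResourceManager.add_account_cloud_provider(core_session, iam_user['username'], "", cloud_provider_id)
    assert success, f"Account addition failed with API response result {account_id}"

    # No permission yet: import must be denied.
    result, success = CloudProviderManager.import_aws_access_key(requester_session, key_id, access_key_1['secret'])
    assert not success, f"Succeeded to add access key1 when failure was expected {result}"

    # "Manage" is enough to import a key ...
    result, success = ResourceManager.assign_account_permissions(core_session, "Manage", limited_user.get_login_name(), limited_user.get_id(), "User", account_id)
    assert success, f"Failed to execute API call to set permissions {result}"
    result, success = CloudProviderManager.import_aws_access_key(requester_session, key_id, access_key_1['secret'])
    assert success, f"Failed to add access key1 with Manage permission {result}"

    # ... but not to read the secret back. The test assumes the first row is the key just imported.
    rows = CloudProviderManager.get_aws_access_keys(core_session, account_id)[0]
    stored_key_id = rows[0]['ID']
    retrieve_single, success = CloudProviderManager.retrieve_aws_access_key(requester_session, account_id, stored_key_id)
    # On an unexpected success the response would carry the secret, so do not print it.
    assert not success, f"Success while expecting failure to retrieve AWS access key {stored_key_id}"

    # "Naked" is the permission that exposes the secret.
    result, success = ResourceManager.assign_account_permissions(core_session, "Naked", limited_user.get_login_name(), limited_user.get_id(), "User", account_id)
    assert success, f"Failed to execute API call to set permissions {result}"
    retrieve_single, success = CloudProviderManager.retrieve_aws_access_key(requester_session, account_id, stored_key_id)
    assert success, f"Failed to retrieve AWS access keys {retrieve_single}"
    # Compare the secret but never echo it: report only the key id on mismatch.
    assert retrieve_single['SecretAccessKey'] == access_key_1['secret'], f"Did not return correct AWS access key secret for key id {key_id}"
    assert retrieve_single['AccessKeyId'] == key_id, f"Did not return correct AWS access key id {retrieve_single['AccessKeyId']}"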
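def test_delete_cloud_provider_fails_without_permission(core_session, fake_cloud_provider_root_account, fake_cloud_provider, cds_session):
    """A user with no rights on a cloud provider cannot delete it or its accounts.

    An admin creates an account under the provider; a limited user then tries
    to delete the provider (list form and bare-id form) and the account, and
    every attempt must be rejected by the API.

    Fixtures:
        core_session: admin session that creates the account.
        fake_cloud_provider_root_account: (account_id, username, password, cloud_provider_id, cleanup).
        fake_cloud_provider: (name, desc, cloud_provider_id, cloud_account_id, cleanup); its
            ``cloud_provider_id`` is the one exercised here.
        cds_session: (session of the limited user, limited user object).
    """
    # Only the provider id from ``fake_cloud_provider`` is used; the root-account tuple is
    # unpacked for its shape but none of its fields are needed by this test.
    _root_account_id, _username, _password, _root_provider_id, _root_cleanup = fake_cloud_provider_root_account
    _name, _desc, cloud_provider_id, _cloud_account_id, _test_did_cleaning = fake_cloud_provider

    account_name = f"acctname{guid()}"
    account_id, success = ResourceManager.add_account_cloud_provider(core_session, account_name, "", cloud_provider_id)
    assert success, f"Account addition failed with API response result {account_id}"

    pas_user_session, _limited_user = cds_session

    # Provider deletion must be denied for both call shapes.
    result, success = CloudProviderManager.delete_cloud_providers(pas_user_session, [cloud_provider_id], save_passwords=False)
    assert not success, f"Delete should not have succeeded {result}"
    result, success = CloudProviderManager.delete_cloud_providers(pas_user_session, cloud_provider_id)
    assert not success, f"Delete should not have succeeded {result}"

    # Account deletion must be denied too; the original test issued the call twice
    # (presumably to confirm the rejection is repeatable), so keep both attempts.
    for _attempt in range(2):
        result, success = ResourceManager.del_account(pas_user_session, account_id)
        assert not success, f"Deleting IAM account should not have succeeded: {result}"
    # NOTE(review): this only checks that the API refused; it does not re-read the
    # provider or account afterwards to confirm nothing was actually removed.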
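def test_delete_cloud_provider_secret(core_session, fake_cloud_provider_root_account, fake_cloud_provider, secret_cleaner):
    """Deleting a cloud provider with ``save_passwords=True`` archives its credentials into a secret.

    Creates an account under the provider, sets an MFA token on it, deletes the
    provider asking for passwords to be saved, grants the admin user
    View/Edit/Retrieve on the resulting secret, and checks that the root
    username/password, provider id, account name and MFA seed all appear in the
    secret file.

    Fixtures:
        core_session: admin session used for every call.
        fake_cloud_provider_root_account: (account_id, username, password, cloud_provider_id, cleanup).
        fake_cloud_provider: (name, desc, cloud_provider_id, cloud_account_id, cleanup); this
            provider id and cleanup callback are the ones used here.
        secret_cleaner: list the created secret id is appended to for teardown.
    """
    _root_account_id, username, password, _root_provider_id, _root_cleanup = fake_cloud_provider_root_account
    _name, _desc, cloud_provider_id, _cloud_account_id, test_did_cleaning = fake_cloud_provider

    account_name = f"acctname{guid()}"
    account_id, success = ResourceManager.add_account_cloud_provider(core_session, account_name, "", cloud_provider_id)
    assert success, f"Account addition failed with API response result {account_id}"

    # Throwaway MFA seed; it only needs to be recognisable in the archived secret.
    key_secret = "kjshakjsakjasgfkjysgkjagfkjsakjgfakjsf"
    result, success = CloudProviderManager.set_mfa_token(core_session, account_id, key_secret)
    assert success, f"Failed to set mfa token {result}"

    secret_name = f"SecretName{guid()}"
    result, success = CloudProviderManager.delete_cloud_providers(core_session, [cloud_provider_id], save_passwords=True, secret_name=secret_name)
    assert success, f"Failed to delete cloud provider with response {result}"
    # Presumably marks the fixture's provider as already cleaned up — confirm against the fixture.
    test_did_cleaning()

    ResourceManager.wait_for_secret_to_exist_or_timeout(core_session, secret_name)
    secret_id = RedrockController.get_secret_id_by_name(core_session, secret_name)
    assert secret_id is not None, "No secret was created"
    secret_cleaner.append(secret_id)

    # Grant the admin user read rights on the new secret before fetching its contents.
    user = core_session.get_user()
    result, success = set_users_effective_permissions(core_session, user.get_login_name(), "View,Edit,Retrieve", user.get_id(), secret_id)
    assert success, f"Did not set secret permission successfully with message {result}"

    secret_file_contents = get_file_secret_contents(core_session, secret_id)
    # Failure messages name the missing field but never echo the secret file itself,
    # which holds the root password and the MFA seed, into test output.
    expected_fields = {
        "username": username,
        "password": password,
        "cloud_provider_id": cloud_provider_id,
        "account_name": account_name,
        "mfa secret": key_secret,
    }
    for label, value in expected_fields.items():
        assert value in secret_file_contents, f"{label} absent from secret file (secret id {secret_id})"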
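def test_cant_add_access_key_without_manage_permission(core_session, cloud_provider_ec2_account_config, live_aws_cloud_provider, user, cds_session):
    """Importing an AWS access key onto an account requires "Manage" on that account.

    A limited user first tries to import a key with no permission (must be
    denied), then again after the admin grants "View,Manage" on the account
    (must succeed).

    Fixtures:
        core_session: admin session used to create the account and grant rights.
        cloud_provider_ec2_account_config: mapping of IAM users to their access keys.
        live_aws_cloud_provider: (cloud_provider_id, cleanup callback, key populator).
        user: key into ``cloud_provider_ec2_account_config`` selecting the IAM user.
        cds_session: (session of the limited user, limited user object).
    """
    cloud_provider_id, _test_deleted_provider, _populate_iam_user_with_access_keys = live_aws_cloud_provider
    requester_session, limited_user = cds_session
    iam_user = cloud_provider_ec2_account_config[user]
    access_key_1 = iam_user['access_key_1']
    key_id = access_key_1['id']

    account_id, success = ResourceManager.add_account_cloud_provider(core_session, iam_user['username'], "", cloud_provider_id)
    assert success, f"Account addition failed with API response result {account_id}"

    # Without any permission on the account the import must be refused.
    result, success = CloudProviderManager.import_aws_access_key(requester_session, key_id, access_key_1['secret'])
    assert not success, f"Succeeded to add access key1 when failure was expected {result}"

    # Grant View + Manage and retry; this time the import must go through.
    result, success = ResourceManager.assign_account_permissions(core_session, "View,Manage", limited_user.get_login_name(), limited_user.get_id(), "User", account_id)
    assert success, f"Failed to execute API call to set permissions {result}"
    result, success = CloudProviderManager.import_aws_access_key(requester_session, key_id, access_key_1['secret'])
    assert success, f"Failed to add access key1 with Manage permission {result}"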