def test_delete_role(self):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
role_id = "role_1"
with self.subTest("Role delete with users and groups."):
group = "group_test_delete_role"
user = "******"
policy = create_test_IAMPolicy("policy_04")
resp = self.app.post(f'/v1/role',
headers=headers,
data=json.dumps({
"role_id": role_id,
"policy": policy
}))
resp.raise_for_status()
resp = self.app.post(f'/v1/group',
headers=headers,
data=json.dumps({
"group_id": group,
"roles": [role_id]
}))
resp.raise_for_status()
resp = self.app.post(f'/v1/user',
headers=headers,
data=json.dumps({
"user_id": user,
"roles": [role_id]
}))
resp.raise_for_status()
resp = self.app.delete(f'/v1/role/{role_id}', headers=headers)
self.assertEqual(resp.status_code, 200)
resp = self.app.get(f'/v1/user/{user}/roles', headers=headers)
roles = json.loads(resp.body)['roles']
self.assertNotIn(role_id, roles)
resp = self.app.get(f'/v1/group/{group}/roles', headers=headers)
roles = json.loads(resp.body)['roles']
self.assertNotIn(role_id, roles)
with self.subTest("delete a role that does not exist."):
resp = self.app.delete(f'/v1/role/ghost', headers=headers)
self.assertEqual(resp.status_code, 404)
def test_roles(self):
roles = ['role1', 'role2']
role_objs = [
Role.create(name, create_test_IAMPolicy(name)) for name in roles
]
with self.subTest(
"multiple roles return when multiple roles are attached to group."
):
group = Group.create("test_roles")
group.add_roles(roles)
self.assertEqual(len(group.roles), 2)
with self.subTest(
"policies inherited from roles are returned when lookup policies is called"
):
group_policies = sorted([
normalize_json(p['policy_document'])
for p in group.get_authz_params()['IAMPolicy']
])
role_policies = sorted(
[normalize_json(role.get_policy())
for role in role_objs] + [self.default_group_statement])
self.assertListEqual(group_policies, role_policies)
def test_create_group(self):
with self.subTest(
"an error is returned when creating a group with an invalid statement."
):
with self.assertRaises(FusilladeHTTPException):
group = Group.create("new_group1", {"random": "fields"})
with self.subTest(
"The group is returned when the group has been created with default valid statement"
):
group = Group.create("new_group2")
self.assertEqual(group.name, "new_group2")
self.assertJSONEqual(group.get_policy(),
self.default_group_statement)
with self.subTest(
"The group is returned when the group has been created with specified valid statement."
):
group_name = "NewGroup1234"
statement = create_test_IAMPolicy(group_name)
group = Group.create("new_group3", statement)
self.assertEqual(group.name, "new_group3")
self.assertJSONEqual(group.get_policy(), statement)
def test_roles(self):
name = "*****@*****.**"
test_roles = [(f"Role_{i}", create_test_IAMPolicy(f"RolePolicy{i}"))
for i in range(5)]
roles = [Role.create(*i).name for i in test_roles]
role_names, _ = zip(*test_roles)
role_names = sorted(role_names)
role_statements = [i[1] for i in test_roles]
user = User.provision_user(name)
user_role_names = [Role(None, role).name for role in user.roles]
with self.subTest("a user has the default_user roles when created."):
self.assertEqual(user_role_names, [])
role_name, role_statement = test_roles[0]
with self.subTest("A user has one role when a role is added."):
user.add_roles([role_name])
user_role_names = [Role(None, role).name for role in user.roles]
self.assertEqual(user_role_names, [role_name])
with self.subTest(
"An error is raised when adding a role a user already has."):
with self.assertRaises(
cd_client.exceptions.BatchWriteException) as ex:
user.add_roles([role_name])
self.assertTrue('LinkNameAlreadyInUseException' in
ex.response['Error']['Message'])
with self.subTest(
"An error is raised when adding a role that does not exist."):
with self.assertRaises(
cd_client.exceptions.BatchWriteException) as ex:
user.add_roles(["ghost_role"])
self.assertTrue(ex.response['Error']['Message'].endswith(
"/ role / ghost_role\\' does not exist.'"))
user.set_policy(self.default_policy)
with self.subTest(
"A user inherits a roles policies when a role is added to a user."
):
policies = [
p['policy_document']
for p in user.get_authz_params()['IAMPolicy']
]
self.assertJSONListEqual(policies, [
user.get_policy(), role_statement, *self.default_user_policies
])
with self.subTest(
"A role is removed from user when remove role is called."):
user.remove_roles([role_name])
self.assertEqual(user.roles, [])
with self.subTest(
"A user has multiple roles when multiple roles are added to user."
):
user.add_roles(role_names)
user_role_names = [Role(None, role).name for role in user.roles]
self.assertEqual(sorted(user_role_names), role_names)
with self.subTest(
"A user inherits multiple role policies when the user has multiple roles."
):
policies = [
p['policy_document']
for p in user.get_authz_params()['IAMPolicy']
]
self.assertJSONListEqual(policies, [
user.get_policy(), *self.default_user_policies,
*role_statements
])
with self.subTest(
"A user's roles are listed when a listing a users roles."):
user_role_names = [Role(None, role).name for role in user.roles]
self.assertListEqual(sorted(user_role_names), role_names)
with self.subTest(
"Multiple roles are removed from a user when a multiple roles are specified for removal."
):
user.remove_roles(role_names)
self.assertEqual(user.roles, [])
def test_post_group(self):
tests = [
{
'name': f'201 returned when creating a group',
'json_request_body': {
"group_id": "test_post_group_Group0"
},
'response': {
'code': 201
}
},
{
'name': f'201 returned when creating a group with role only',
'json_request_body': {
"group_id": "test_post_group_Group1",
"roles": [Role.create("test_post_group_role_02").name]
},
'response': {
'code': 201
}
},
{
'name': f'201 returned when creating a group with policy only',
'json_request_body': {
"group_id": "test_post_group_Group2",
"policy": create_test_IAMPolicy("policy_03")
},
'response': {
'code': 201
}
},
{
'name': f'201 returned when creating a group with role and policy',
'json_request_body': {
"group_id": "test_post_group_Group3",
"roles": [Role.create("test_post_group_role_04").name],
"policy": create_test_IAMPolicy("policy_04")
},
'response': {
'code': 201
}
},
{
'name': f'400 returned when creating a group without group_id',
'json_request_body': {
"roles": [Role.create("test_post_group_role_05").name],
"policy": create_test_IAMPolicy("policy_05")
},
'response': {
'code': 400
}
},
{
'name': f'409 returned when creating a group that already exists',
'json_request_body': {
"group_id": "test_post_group_Group3"
},
'response': {
'code': 409
}
}
]
tests.extend([{
'name': f'201 returned when creating a role when name is {description}',
'json_request_body': {
"group_id": name
},
'response': {
'code': 201
}
} for name, description in TEST_NAMES_POS
])
tests.extend([{
'name': f'400 returned when creating a role when name is {description}',
'json_request_body': {
"group_id": name
},
'response': {
'code': 400
}
} for name, description in TEST_NAMES_NEG
])
for test in tests:
with self.subTest(test['name']):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
if test['name'] == "400 returned when creating a group that already exists":
self.app.post('/v1/group', headers=headers, data=json.dumps(test['json_request_body']))
resp = self.app.post('/v1/group', headers=headers, data=json.dumps(test['json_request_body']))
self.assertEqual(test['response']['code'], resp.status_code)
if resp.status_code == 201:
resp = self.app.get(f'/v1/group/{test["json_request_body"]["group_id"]}/', headers=headers)
self.assertEqual(test["json_request_body"]["group_id"], json.loads(resp.body)['group_id'])
def test_post_role(self):
url = furl('/v1/role')
data = json.dumps({
'role_id': 'test_put_role',
'policy': create_test_IAMPolicy("test_role")
})
admin_auth_header = get_auth_header(service_accounts['admin'])
tests = [{
'name': '401 return when no auth headers.',
'data': data,
'headers': {},
'expected_resp': 401
}, {
'name': '403 return when unauthorized user.',
'data': data,
'headers': get_auth_header(service_accounts['user']),
'expected_resp': 403
}, {
'name': '201 returned when user is authorized.',
'data': data,
'headers': admin_auth_header,
'expected_resp': 201
}, {
'name': '409 returned when role already exists.',
'data': data,
'headers': admin_auth_header,
'expected_resp': 409
}, {
'name':
'400 returned when an invalid policy is used',
'data':
json.dumps({
'role_id': 'test_role2',
'policy': 'garbage statement'
}),
'headers':
admin_auth_header,
'expected_resp':
400
}, {
'name':
'400 returned when creating a role with no name.',
'data':
json.dumps({'policy': create_test_IAMPolicy("test_role")}),
'headers':
admin_auth_header,
'expected_resp':
400
}, {
'name': '400 returned when creating a role with no policy.',
'data': json.dumps({
'role_id': 'abcd',
}),
'headers': admin_auth_header,
'expected_resp': 400
}]
tests.extend([{
'name':
f'201 returned when creating a role when name is {description}',
'data':
json.dumps({
'role_id': name,
'policy': create_test_IAMPolicy("test_role")
}),
'headers':
admin_auth_header,
'expected_resp':
201
} for name, description in TEST_NAMES_POS])
tests.extend([{
'name':
f'400 returned when creating a role when name is {description}',
'data':
json.dumps({
'role_id': name,
'policy': create_test_IAMPolicy("test_role")
}),
'headers':
admin_auth_header,
'expected_resp':
400
} for name, description in TEST_NAMES_NEG])
for test in tests:
with self.subTest(test['name']):
headers = {'Content-Type': "application/json"}
headers.update(test['headers'])
resp = self.app.post(url.url,
data=test['data'],
headers=headers)
self.assertEqual(test['expected_resp'], resp.status_code)
def test_evaluate_resource_policy(self):
resource_type = 'evaluate_test_type'
actions = sorted(['rt:read', 'rt:write', 'rt:delete'])
resource_id = 'protected-data'
arn_prefix = "arn:dcp:fus:us-east-1:dev:"
resource_arn = f'{arn_prefix}{resource_type}/{resource_id}'
user = '******'
group = 'user_default'
# create a resource type
resp = self.app.post(
f'/v1/resource/{resource_type}',
data=json.dumps({'actions': actions}),
headers=admin_headers)
self.assertEqual(resp.status_code, 201)
# create a resource policy read
resp = self.app.post(
f"/v1/resource/{resource_type}/policy/read",
data=json.dumps({'policy': create_test_ResourcePolicy(
'read',
actions=['rt:read'],
resource_type=resource_type,
effect='Allow'
)}),
headers=admin_headers
)
self.assertEqual(resp.status_code, 201)
# create a resource policy rw
resp = self.app.post(
f"/v1/resource/{resource_type}/policy/rw",
data=json.dumps({
'policy': create_test_ResourcePolicy(
'rw',
actions=['rt:read', 'rt:write', 'rt:delete'],
resource_type=resource_type,
effect='Allow'
)},
),
headers=admin_headers
)
self.assertEqual(resp.status_code, 201)
# create a resource id
resp = self.app.post(
f'/v1/resource/{resource_type}/id/{resource_id}',
headers=admin_headers)
self.assertEqual(resp.status_code, 201)
# create a role with read
resp = self.app.post(
f'/v1/role',
data=json.dumps(
{'role_id': 'read',
'policy': create_test_IAMPolicy(
'read',
actions=['rt:read'],
resource_type=resource_type,
effect='Allow'
)}),
headers=admin_headers
)
self.assertEqual(resp.status_code, 201)
# create a role with rw
resp = self.app.post(
f'/v1/role',
data=json.dumps(
{'role_id': 'rw',
'policy': create_test_IAMPolicy(
'rw',
actions=['rt:read', 'rt:write', 'rt:delete'],
resource_type=resource_type,
effect='Allow'
)}),
headers=admin_headers
)
self.assertEqual(resp.status_code, 201)
# create a user
resp = self.app.post(
f'/v1/user',
data=json.dumps({'user_id': user}),
headers=admin_headers)
self.assertEqual(resp.status_code, 201)
# user fails to read resource
resp = self.app.post(
'/v1/policies/evaluate',
headers=admin_headers,
data=json.dumps(
{'principal': user,
'action': ['rt:read'],
'resource': [resource_arn]}
)
)
self.assertFalse(json.loads(resp.body)['result'])
# give the user role read
resp = self.app.put(
f'/v1/user/{user}/roles?action=add',
headers=admin_headers,
data=json.dumps(
{'roles': ['read']}
)
)
self.assertEqual(resp.status_code, 200)
# user fails to read resource
resp = self.app.post(
'/v1/policies/evaluate',
headers=admin_headers,
data=json.dumps(
{'principal': user,
'action': ['rt:read'],
'resource': [resource_arn]}
)
)
self.assertFalse(json.loads(resp.body)['result'])
# give the user access level read
request_body = [
{'member': user,
'member_type': 'user',
'access_level': 'read'}
]
resp = self.app.put(
f'/v1/resource/{resource_type}/id/{resource_id}/members',
data=json.dumps(request_body),
headers=admin_headers
)
self.assertEqual(resp.status_code, 200)
# the user has read access to resource
resp = self.app.post(
'/v1/policies/evaluate',
headers=admin_headers,
data=json.dumps(
{'principal': user,
'action': ['rt:read'],
'resource': [resource_arn]}
)
)
self.assertTrue(json.loads(resp.body)['result'])
# the user does not have write access to resource
resp = self.app.post(
'/v1/policies/evaluate',
headers=admin_headers,
data=json.dumps(
{'principal': user,
'action': ['rt:write'],
'resource': [resource_arn]}
)
)
self.assertFalse(json.loads(resp.body)['result'])
# give the user_default group rw access to the resource
request_body = [
{'member': group,
'member_type': 'group',
'access_level': 'rw'}
]
resp = self.app.put(
f'/v1/resource/{resource_type}/id/{resource_id}/members',
data=json.dumps(request_body),
headers=admin_headers
)
self.assertEqual(resp.status_code, 200)
# the user does not have write access to resource
resp = self.app.post(
'/v1/policies/evaluate',
headers=admin_headers,
data=json.dumps(
{'principal': user,
'action': ['rt:write'],
'resource': [resource_arn]}
)
)
self.assertFalse(json.loads(resp.body)['result'])
# give the group role rw
resp = self.app.put(
f'/v1/group/{group}/roles?action=add',
headers=admin_headers,
data=json.dumps(
{'roles': ['rw']}
)
)
self.assertEqual(resp.status_code, 200)
# the user does have write access to resource
resp = self.app.post(
'/v1/policies/evaluate',
headers=admin_headers,
data=json.dumps(
{'principal': user,
'action': ['rt:write'],
'resource': [resource_arn]}
)
)
self.assertTrue(json.loads(resp.body)['result'])