def test_user_status(self):
try:
User.provision_user(service_accounts['user']['client_email'])
except FusilladeHTTPException:
pass
user_id = service_accounts['user']['client_email']
user_headers = {'Content-Type': "application/json"}
user_headers.update(get_auth_header(service_accounts['user']))
admin_headers = {'Content-Type': "application/json"}
admin_headers.update(get_auth_header(service_accounts['admin']))
disable_url = furl(f"/v1/user/{user_id}", query_params={'user_id': user_id, 'status': 'disabled'})
enable_url = furl(f"/v1/user/{user_id}", query_params={'user_id': user_id, 'status': 'enabled'})
test_user_url = furl(f"/v1/user/{user_id}/")
# check user can get info
resp = self.app.get(test_user_url.url, headers=user_headers)
self.assertEqual(200, resp.status_code)
# disable the user
resp = self.app.put(disable_url.url, headers=admin_headers)
self.assertEqual(200, resp.status_code)
# verify that user cannot access things
resp = self.app.get(test_user_url.url, headers=user_headers)
self.assertEqual(403, resp.status_code)
# enable user
resp = self.app.put(enable_url.url, headers=admin_headers)
self.assertEqual(200, resp.status_code)
# verify that user has access
resp = self.app.get(test_user_url.url, headers=user_headers)
self.assertEqual(200, resp.status_code)
def test_get_role_id(self):
role_id = 'test_get_role_id'
admin_auth_header = get_auth_header(service_accounts['admin'])
tests = [{
'name': '401 return when no auth headers.',
'headers': {},
'role_id': role_id,
'expected_resp': 401
}, {
'name': '403 return when unauthorized user.',
'headers': get_auth_header(service_accounts['user']),
'role_id': role_id,
'expected_resp': 403
}, {
'name': '200 returned when user is authorized.',
'headers': admin_auth_header,
'role_id': role_id,
'expected_resp': 200
}, {
'name': 'error returned when role does not exist.',
'headers': admin_auth_header,
'role_id': 'ghost_role',
'expected_resp': 404
}]
tests.extend([{
'name':
f'200 returned when getting a role when name is {description}',
'role_id': role_id,
'headers': admin_auth_header,
'expected_resp': 200
} for name, description in TEST_NAMES_POS])
tests.extend([{
'name':
f'400 returned when getting a role when name is {description}',
'role_id': role_id,
'headers': admin_auth_header,
'expected_resp': 400
} for role_id, description in TEST_NAMES_NEG if role_id is not ''])
policy = create_test_IAMPolicy("test_role")
role = Role.create(role_id, policy)
expected_policy = policy
[Role.create(role_id, policy) for role_id, _ in TEST_NAMES_POS]
for test in tests:
with self.subTest(test['name']):
url = furl('/v1/role/{}'.format(test['role_id']))
headers = {'Content-Type': "application/json"}
headers.update(test['headers'])
resp = self.app.get(url.url, headers=headers)
self.assertEqual(test['expected_resp'], resp.status_code)
if test['expected_resp'] == 200:
expected_body = {
'role_id': test['role_id'],
'policies': {
'IAMPolicy': expected_policy
}
}
self.assertEqual(expected_body, json.loads(resp.body))
def test_put_role_id_policy(self):
role_id = 'test_put_role_id_policy'
policy_1 = create_test_IAMPolicy(role_id)
policy_2 = create_test_IAMPolicy('ABCD')
policy_invalid = "invalid policy"
Role.create(role_id, policy_1)
admin_auth_header = get_auth_header(service_accounts['admin'])
tests = [{
'name': '401 return when no auth headers.',
'headers': {},
'role_id': role_id,
'data': {
'policy': policy_2
},
'expected_resp': 401
}, {
'name': '403 return when unauthorized user.',
'headers': get_auth_header(service_accounts['user']),
'role_id': role_id,
'data': {
'policy': policy_2
},
'expected_resp': 403
}, {
'name': '200 returned when user is authorized.',
'headers': admin_auth_header,
'role_id': role_id,
'data': {
'policy': policy_2
},
'expected_resp': 200
}, {
'name': '400 returned when an invalid policy is used.',
'headers': admin_auth_header,
'role_id': role_id,
'data': {
'policy': policy_invalid
},
'expected_resp': 400
}, {
'name': '404 returned when role does not exist.',
'headers': admin_auth_header,
'role_id': 'ghost_role',
'data': {
'policy': policy_2
},
'expected_resp': 404
}]
for test in tests:
with self.subTest(test['name']):
headers = {'Content-Type': "application/json"}
headers.update(test['headers'])
url = furl(f"/v1/role/{test['role_id']}/policy")
data = json.dumps(test['data'])
resp = self.app.put(url.url, data=data, headers=headers)
self.assertEqual(test['expected_resp'], resp.status_code)
def test_lookup_roles(self):
# this looks at how lookup policy scales as roles attached to users increases
roles = [2, 4, 8, 16, 32]
start = 0
repeat = 10
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
role_url = furl('/v1/role')
user_url = furl('/v1/user')
role_ids = []
for role in roles:
user = f"roles_{role}"
resp = self.app.post(user_url.url,
data=json.dumps({"user_id": user}),
headers=headers)
self.assertEqual(201, resp.status_code)
for i in range(start, role):
role_id = f'test_{i}'
policy = create_test_IAMPolicy(role_id)
data = json.dumps({'role_id': role_id, 'policy': policy})
resp = self.app.post(role_url.url, data=data, headers=headers)
self.assertEqual(201, resp.status_code)
role_ids.append(role_id)
add_roles_url = furl(f'/v1/user/{user}/roles',
query_params={'action': 'add'})
resp = self.app.put(add_roles_url.url,
headers=headers,
data=json.dumps({'roles': role_ids}))
resp.raise_for_status()
self._run_test(user, headers, repeat)
start = role
def test_delete_group(self):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
role = Role.create("test_delete_group_role").name
user = User.provision_user("test_delete_group_user").name
policy = create_test_IAMPolicy("test_delete_group_policy")
group_id = "test_delete_group_group"
with self.subTest("Group delete with users and roles."):
resp = self.app.post(f'/v1/group',
headers=headers,
data=json.dumps({
"group_id": group_id,
"roles": [role],
"policy": policy
}))
resp.raise_for_status()
resp = self.app.put(f'/v1/user/{user}/groups?action=add',
headers=headers,
data=json.dumps({"groups": [group_id]}))
resp.raise_for_status()
resp = self.app.delete(f'/v1/group/{group_id}', headers=headers)
self.assertEqual(resp.status_code, 200)
resp = self.app.get(f'/v1/user/{user}/groups', headers=headers)
groups = json.loads(resp.body)['groups']
self.assertNotIn(group_id, groups)
with self.subTest("delete a group that does not exist."):
resp = self.app.delete(f'/v1/group/{group_id}', headers=headers)
self.assertEqual(resp.status_code, 404)
def test_put_user_id(self):
tests = [
{
'name': "*****@*****.**",
'status': 'enabled',
'response': {
'code': 200
}
},
{
'name': "*****@*****.**",
'status': 'disabled',
'response': {
'code': 200
}
}
]
for test in tests:
with self.subTest(test["name"]):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
url = furl(f'/v1/user/{test["name"]}')
query_params = {
'user_id': test['name'],
'status': test['status']
}
url.add(query_params=query_params)
user = User.provision_user(test['name'])
if test['status'] == 'disabled':
user.enable()
resp = self.app.put(url.url, headers=headers)
self.assertEqual(test['response']['code'], resp.status_code)
def _test_custom_claim(self, func: callable, url: str, headers: dict,
body: str):
_headers = headers.copy()
_headers.update(get_auth_header(service_accounts['admin'],
email=False))
with self.subTest("Missing Custom Claim"):
resp = func(url, headers=_headers, data=body)
self.assertEqual(403, resp.status_code)
def test_get_group(self):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
name = "test_get_group_Groupx"
resp = self.app.get(f'/v1/group/{name}/', headers=headers)
self.assertEqual(404, resp.status_code)
Group.create(name)
resp = self.app.get(f'/v1/group/{name}/', headers=headers)
self.assertEqual(name, json.loads(resp.body)['group_id'])
self.assertTrue(json.loads(resp.body)['policies'])
def test_get_username_groups(self):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
name = "*****@*****.**"
key = 'groups'
user = User.provision_user(name)
resp = self.app.get(f'/v1/user/{name}/groups', headers=headers)
self.assertEqual(1, len(json.loads(resp.body)[key]))
groups = [Group.create(f"test_get_username_groups_{i}").name for i in range(8)]
user.add_groups(groups)
self._test_paging(f'/v1/user/{name}/groups', headers, 5, key)
def test_evaluate_policy(self):
email = "*****@*****.**"
tests = [
{
'json_request_body': {
"action": ["dss:CreateSubscription"],
"resource": [f"arn:hca:dss:*:*:subscriptions/{email}/*"],
"principal": "*****@*****.**"
},
'response': {
'code': 200,
'result': False
}
},
{
'json_request_body': {
"action": ["fus:GetUser"],
"resource": [f"arn:hca:fus:*:*:user/{email}/policy"],
"principal": email
},
'response': {
'code': 200,
'result': True
}
}
]
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
@eventually(5, 0.5)
def _run_test(test):
data = json.dumps(test['json_request_body'])
resp = self.app.post('/v1/policies/evaluate', headers=headers, data=data)
self.assertEqual(test['response']['code'], resp.status_code, test['response'])
self.assertEqual(test['response']['result'], json.loads(resp.body)['result'], msg=json.loads(resp.body))
self._test_custom_claim(self.app.post,
'/v1/policies/evaluate',
headers,
json.dumps(tests[1]['json_request_body']))
for test in tests:
with self.subTest(test['json_request_body']):
_run_test(test)
with self.subTest("User disabled"):
resp = self.app.put(furl(f"/v1/user/{email}",
query_params={'user_id': email, 'status': 'disabled'}).url,
headers=headers)
self.assertEqual(200, resp.status_code)
resp = self.app.post('/v1/policies/evaluate', headers=headers,
data=json.dumps(tests[1]['json_request_body']))
self.assertEqual(200, resp.status_code)
self.assertEqual(False, json.loads(resp.body)['result'], msg=json.loads(resp.body))
def test_get_group_users(self):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
name = "test_get_group_users_group"
key = 'users'
group = Group.create(name)
resp = self.app.get(f'/v1/group/{name}/users', headers=headers)
group_user_names = [User(user).name for user in group.get_users_iter()]
self.assertEqual(0, len(json.loads(resp.body)[key]))
users = [User.provision_user(f"test_get_group_user_{i}", groups=[name]).name for i in range(10)]
self._test_paging(f'/v1/group/{name}/users', headers, 5, key)
def test_get_users(self):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
for i in range(10):
resp = self.app.post(
'/v1/user',
headers=headers,
data=json.dumps({"user_id": f"test_post_user{i}@email.com"})
)
self.assertEqual(201, resp.status_code)
self._test_paging(f'/v1/users', headers, 7, 'users')
def test_get_group_roles(self):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
name = "test_get_group_roles_group"
key = 'roles'
group = Group.create(name)
resp = self.app.get(f'/v1/group/{name}/roles', headers=headers)
group_role_names = [Role(None, role).name for role in group.roles]
self.assertEqual(0, len(json.loads(resp.body)[key]))
roles = [Role.create(f"test_get_group_roles_role_{i}").name for i in range(10)]
group.add_roles(roles)
self._test_paging(f'/v1/group/{name}/roles', headers, 5, key)
def test_get_username_roles(self):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
name = "*****@*****.**"
key = 'roles'
user = User.provision_user(name)
resp = self.app.get(f'/v1/user/{name}/roles', headers=headers)
user_role_names = [Role(None, role).name for role in user.roles]
self.assertEqual(0, len(json.loads(resp.body)[key]))
roles = [Role.create(f"test_get_username_role_{i}").name for i in range(11)]
user.add_roles(roles)
self._test_paging(f'/v1/user/{name}/roles', headers, 6, key)
def test_get_groups(self):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
for i in range(10):
resp = self.app.post(
'/v1/group',
headers=headers,
data=json.dumps({"group_id": f"test_get_groups_{i}",
'policy': create_test_IAMPolicy("test_group")})
)
self.assertEqual(201, resp.status_code)
self._test_paging('/v1/groups', headers, 6, 'groups')
def test_get_user(self):
try:
User.provision_user(service_accounts['user']['client_email'])
except FusilladeHTTPException:
pass
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['user']))
name = service_accounts['user']['client_email']
resp = self.app.get(f'/v1/user/[email protected]', headers=headers)
self.assertEqual(403, resp.status_code)
resp = self.app.get(f'/v1/user/{name}/', headers=headers)
resp.raise_for_status()
self.assertEqual(name, json.loads(resp.body)['user_id'])
def test_default_group(self):
headers = {'Content-Type': "application/json"}
users = ['admin', 'user']
for user in users:
with self.subTest(f"{user} has permission to access default_user group."):
headers.update(get_auth_header(service_accounts[user]))
resp = self.app.get(f'/v1/group/user_default', headers=headers)
resp.raise_for_status()
resp = self.app.get(f'/v1/group/user_default/roles', headers=headers)
resp.raise_for_status()
if user == 'admin':
resp = self.app.get(f'/v1/group/user_default/users', headers=headers)
resp.raise_for_status()
def test_user_owned(self):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
name = "*****@*****.**"
key = 'roles'
user = User.provision_user(name)
url = furl(f"/v1/user/{name}/owns", query_params={'resource_type': 'role'}).url
resp = self.app.request(url, headers=headers)
self.assertEqual('False', resp.headers['X-OpenAPI-Pagination'])
user_role_names = [Role(object_ref=role).name for role in user.roles]
roles = [Role.create(f"test_user_owned_role_{i}") for i in range(11)]
user.add_roles([role.name for role in roles])
[user.add_ownership(role) for role in roles]
self._test_paging(url, headers, 6, key)
def test_lookup_groups(self):
# this looks at how lookup policy scales as user groups membership increases
groups = [2, 4, 8, 16, 32]
start = 0
repeat = 100
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
role_url = furl('/v1/role')
user_url = furl('/v1/user')
group_url = furl('/v1/group')
group_ids = []
for group in groups:
user = f"group_{group}"
resp = self.app.post(user_url.url,
data=json.dumps({"user_id": user}),
headers=headers)
self.assertEqual(201, resp.status_code)
for i in range(start, group):
# create the roles
role_id = f'rtest_{i}'
policy = create_test_IAMPolicy(role_id)
data = json.dumps({'role_id': role_id, 'policy': policy})
resp = self.app.post(role_url.url, data=data, headers=headers)
self.assertEqual(201, resp.status_code)
# create the group
group_id = f'gtest_{i}'
data = json.dumps({
'group_id': group_id,
})
resp = self.app.post(group_url.url, data=data, headers=headers)
self.assertEqual(201, resp.status_code)
group_ids.append(group_id)
# add roles to group
add_roles_url = furl(f'/v1/group/{group_id}/roles',
query_params={'action': 'add'})
resp = self.app.put(add_roles_url.url,
headers=headers,
data=json.dumps({'roles': [role_id]}))
resp.raise_for_status()
add_groups_url = furl(f'/v1/user/{user}/groups',
query_params={'action': 'add'})
resp = self.app.put(add_groups_url.url,
headers=headers,
data=json.dumps({'groups': group_ids}))
resp.raise_for_status()
self._run_test(user, headers, repeat)
start = group
def test_delete_role(self):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
role_id = "role_1"
with self.subTest("Role delete with users and groups."):
group = "group_test_delete_role"
user = "******"
policy = create_test_IAMPolicy("policy_04")
resp = self.app.post(f'/v1/role',
headers=headers,
data=json.dumps({
"role_id": role_id,
"policy": policy
}))
resp.raise_for_status()
resp = self.app.post(f'/v1/group',
headers=headers,
data=json.dumps({
"group_id": group,
"roles": [role_id]
}))
resp.raise_for_status()
resp = self.app.post(f'/v1/user',
headers=headers,
data=json.dumps({
"user_id": user,
"roles": [role_id]
}))
resp.raise_for_status()
resp = self.app.delete(f'/v1/role/{role_id}', headers=headers)
self.assertEqual(resp.status_code, 200)
resp = self.app.get(f'/v1/user/{user}/roles', headers=headers)
roles = json.loads(resp.body)['roles']
self.assertNotIn(role_id, roles)
resp = self.app.get(f'/v1/group/{group}/roles', headers=headers)
roles = json.loads(resp.body)['roles']
self.assertNotIn(role_id, roles)
with self.subTest("delete a role that does not exist."):
resp = self.app.delete(f'/v1/role/ghost', headers=headers)
self.assertEqual(resp.status_code, 404)
def test_put_group_roles(self):
tests = [
{
'group_id': "test_put_group_roles_Group1",
'action': 'add',
'json_request_body': {
"roles": [Role.create("role_0").name]
},
'responses': [
{'code': 200},
{'code': 304}
]
},
{
'group_id': "test_put_group_roles_Group2",
'action': 'remove',
'json_request_body': {
"roles": [Role.create("role_1").name]
},
'responses': [
{'code': 200},
{'code': 304}
]
}
]
for test in tests:
with self.subTest(test['json_request_body']):
data = json.dumps(test['json_request_body'])
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
url = furl(f'/v1/group/{test["group_id"]}/roles/')
query_params = {
'group_id': test['group_id'],
'action': test['action']
}
url.add(query_params=query_params)
group = Group.create(test['group_id'])
if test['action'] == 'remove':
group.add_roles(test['json_request_body']['roles'])
resp = self.app.put(url.url, headers=headers, data=data)
self.assertEqual(test['responses'][0]['code'], resp.status_code)
resp = self.app.put(url.url, headers=headers, data=data)
self.assertEqual(test['responses'][1]['code'], resp.status_code)
def test_put_username_roles(self):
tests = [
{
'name': "*****@*****.**",
'action': 'add',
'json_request_body': {
"roles": [Role.create("test_put_username_roles_role_0").name]
},
'responses': [
{'code': 200},
{'code': 304}
]
},
{
'name': "*****@*****.**",
'action': 'remove',
'json_request_body': {
"roles": [Role.create("test_put_username_roles_role_1").name]
},
'responses': [
{'code': 200},
{'code': 304}
]
}
]
for test in tests:
with self.subTest(test['json_request_body']):
data = json.dumps(test['json_request_body'])
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
url = furl(f'/v1/user/{test["name"]}/roles/')
query_params = {
'user_id': test['name'],
'action': test['action']
}
url.add(query_params=query_params)
user = User.provision_user(test['name'])
if test['action'] == 'remove':
user.add_roles(test['json_request_body']['roles'])
resp = self.app.put(url.url, headers=headers, data=data)
self.assertEqual(test['responses'][0]['code'], resp.status_code)
resp = self.app.put(url.url, headers=headers, data=data)
self.assertEqual(test['responses'][1]['code'], resp.status_code)
def _save_state(cls):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
def _iterator(url, key):
url = furl(url)
url.add(query_params={'per_page': 30})
resp = cls.app.get(url.url, headers=headers)
results = json.loads(resp.body).get(key, [])
while "Link" in resp.headers:
next_url = resp.headers['Link'].split(';')[0][1:-1]
resp = cls.app.get(next_url, headers=headers)
results.extend(json.loads(resp.body)[key])
return results
cls.saved_groups = _iterator('/v1/groups', 'groups')
cls.saved_users = _iterator('/v1/users', 'users')
cls.saved_roles = _iterator('/v1/roles', 'roles')
cls.saved_resources = _iterator('/v1/resources', 'resources')
def test_user_group_limit(self):
groups = [Group.create(f"test_user_group_limit{i}").name for i in range(10)]
name = "*****@*****.**"
user = User.provision_user(name)
tests = [
{
'action': 'add',
'json_request_body': {
"groups": groups[:8]
},
'response': {
'code': 200
}
},
{
'action': 'add',
'json_request_body': {
"groups": [groups[9]]
},
'response': {
'code': 409
}
}
]
for test in tests:
with self.subTest(test['json_request_body']):
data = json.dumps(test['json_request_body'])
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
url = furl(f'/v1/user/{name}/groups/')
query_params = {
'user_id': name,
'action': test['action']
}
url.add(query_params=query_params)
if test['action'] == 'remove':
user.add_groups(test['json_request_body']['groups'])
resp = self.app.put(url.url, headers=headers, data=data)
self.assertEqual(test['response']['code'], resp.status_code)
def test_positive(self):
"""
Test Create Retrieve and Update
1. Create a role
2. retrieve that role
3. modify that role
4. retrieve modified role
"""
role_id = 'test_positive'
policy = create_test_IAMPolicy(role_id)
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
url = furl('/v1/role')
data = json.dumps({'role_id': role_id, 'policy': policy})
resp = self.app.post(url.url, data=data, headers=headers)
self.assertEqual(201, resp.status_code)
url = furl(f'/v1/role/{role_id}')
resp = self.app.get(url.url, headers=headers)
self.assertEqual(200, resp.status_code)
expected_body = {'role_id': role_id, 'policies': {"IAMPolicy": policy}}
self.assertEqual(expected_body, json.loads(resp.body))
url = furl(f'/v1/role/{role_id}/policy')
policy = create_test_IAMPolicy('ABCD')
data = json.dumps({'policy': policy})
resp = self.app.put(url.url, data=data, headers=headers)
self.assertEqual(200, resp.status_code)
url = furl(f'/v1/role/{role_id}')
resp = self.app.get(url.url, headers=headers)
self.assertEqual(200, resp.status_code)
expected_body = {'role_id': role_id, 'policies': {"IAMPolicy": policy}}
self.assertEqual(expected_body, json.loads(resp.body))
"""
import json
import os
import sys
import unittest
pkg_root = os.path.abspath(os.path.join(os.path.dirname(__file__),
'..')) # noqa
sys.path.insert(0, pkg_root) # noqa
from tests.json_mixin import AssertJSONMixin
from tests.base_api_test import BaseAPITest
from tests.common import get_auth_header, service_accounts, create_test_ResourcePolicy
admin_headers = {'Content-Type': "application/json"}
admin_headers.update(get_auth_header(service_accounts['admin']))
user_header = {'Content-Type': "application/json"}
user_header.update(get_auth_header(service_accounts['user']))
class ResourceTypeName:
rt_count = 0
@classmethod
def get(self):
self.rt_count += 1
return f'sample_rt_{self.rt_count}'
class TestResourceApi(BaseAPITest, AssertJSONMixin, unittest.TestCase):
def test_post_group(self):
tests = [
{
'name': f'201 returned when creating a group',
'json_request_body': {
"group_id": "test_post_group_Group0"
},
'response': {
'code': 201
}
},
{
'name': f'201 returned when creating a group with role only',
'json_request_body': {
"group_id": "test_post_group_Group1",
"roles": [Role.create("test_post_group_role_02").name]
},
'response': {
'code': 201
}
},
{
'name': f'201 returned when creating a group with policy only',
'json_request_body': {
"group_id": "test_post_group_Group2",
"policy": create_test_IAMPolicy("policy_03")
},
'response': {
'code': 201
}
},
{
'name': f'201 returned when creating a group with role and policy',
'json_request_body': {
"group_id": "test_post_group_Group3",
"roles": [Role.create("test_post_group_role_04").name],
"policy": create_test_IAMPolicy("policy_04")
},
'response': {
'code': 201
}
},
{
'name': f'400 returned when creating a group without group_id',
'json_request_body': {
"roles": [Role.create("test_post_group_role_05").name],
"policy": create_test_IAMPolicy("policy_05")
},
'response': {
'code': 400
}
},
{
'name': f'409 returned when creating a group that already exists',
'json_request_body': {
"group_id": "test_post_group_Group3"
},
'response': {
'code': 409
}
}
]
tests.extend([{
'name': f'201 returned when creating a role when name is {description}',
'json_request_body': {
"group_id": name
},
'response': {
'code': 201
}
} for name, description in TEST_NAMES_POS
])
tests.extend([{
'name': f'400 returned when creating a role when name is {description}',
'json_request_body': {
"group_id": name
},
'response': {
'code': 400
}
} for name, description in TEST_NAMES_NEG
])
for test in tests:
with self.subTest(test['name']):
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
if test['name'] == "400 returned when creating a group that already exists":
self.app.post('/v1/group', headers=headers, data=json.dumps(test['json_request_body']))
resp = self.app.post('/v1/group', headers=headers, data=json.dumps(test['json_request_body']))
self.assertEqual(test['response']['code'], resp.status_code)
if resp.status_code == 201:
resp = self.app.get(f'/v1/group/{test["json_request_body"]["group_id"]}/', headers=headers)
self.assertEqual(test["json_request_body"]["group_id"], json.loads(resp.body)['group_id'])
def test_put_users(self):
users = [User.provision_user(f"test_put_user_{i}").name for i in range(11)]
tests = [
{
'action': 'add',
'json_request_body': {
"users": [users[0]]
},
'responses': [
{'code': 200},
{'code': 304}
]
},
{
'action': 'remove',
'json_request_body': {
"users": [users[0]]
},
'responses': [
{'code': 200},
{'code': 304}
]
},
{
'action': 'add',
'json_request_body': {
"users": users[:-1]
},
'responses': [
{'code': 200},
{'code': 304}
]
},
{
'action': 'remove',
'json_request_body': {
"users": users[:-1]
},
'responses': [
{'code': 200},
{'code': 304}
]
},
{
'action': 'add',
'json_request_body': {
"users": users
},
'responses': [
{'code': 400},
{'code': 400}
]
},
{
'action': 'remove',
'json_request_body': {
"users": users
},
'responses': [
{'code': 400},
{'code': 400}
]
}
]
for i, test in enumerate(tests):
group_id = Group.create(f"Group{i}").name
with self.subTest(test['json_request_body']):
data = json.dumps(test['json_request_body'])
headers = {'Content-Type': "application/json"}
headers.update(get_auth_header(service_accounts['admin']))
if test['action'] == 'remove':
url = furl(f'/v1/group/{group_id}/users', query_params={'action': 'add'})
resp = self.app.put(url.url, headers=headers, data=data)
url = furl(f'/v1/group/{group_id}/users', query_params={'action': test['action']})
resp = self.app.put(url.url, headers=headers, data=data)
self.assertEqual(test['responses'][0]['code'], resp.status_code)
resp = self.app.put(url.url, headers=headers, data=data)
self.assertEqual(test['responses'][1]['code'], resp.status_code)
def test_post_role(self):
url = furl('/v1/role')
data = json.dumps({
'role_id': 'test_put_role',
'policy': create_test_IAMPolicy("test_role")
})
admin_auth_header = get_auth_header(service_accounts['admin'])
tests = [{
'name': '401 return when no auth headers.',
'data': data,
'headers': {},
'expected_resp': 401
}, {
'name': '403 return when unauthorized user.',
'data': data,
'headers': get_auth_header(service_accounts['user']),
'expected_resp': 403
}, {
'name': '201 returned when user is authorized.',
'data': data,
'headers': admin_auth_header,
'expected_resp': 201
}, {
'name': '409 returned when role already exists.',
'data': data,
'headers': admin_auth_header,
'expected_resp': 409
}, {
'name':
'400 returned when an invalid policy is used',
'data':
json.dumps({
'role_id': 'test_role2',
'policy': 'garbage statement'
}),
'headers':
admin_auth_header,
'expected_resp':
400
}, {
'name':
'400 returned when creating a role with no name.',
'data':
json.dumps({'policy': create_test_IAMPolicy("test_role")}),
'headers':
admin_auth_header,
'expected_resp':
400
}, {
'name': '400 returned when creating a role with no policy.',
'data': json.dumps({
'role_id': 'abcd',
}),
'headers': admin_auth_header,
'expected_resp': 400
}]
tests.extend([{
'name':
f'201 returned when creating a role when name is {description}',
'data':
json.dumps({
'role_id': name,
'policy': create_test_IAMPolicy("test_role")
}),
'headers':
admin_auth_header,
'expected_resp':
201
} for name, description in TEST_NAMES_POS])
tests.extend([{
'name':
f'400 returned when creating a role when name is {description}',
'data':
json.dumps({
'role_id': name,
'policy': create_test_IAMPolicy("test_role")
}),
'headers':
admin_auth_header,
'expected_resp':
400
} for name, description in TEST_NAMES_NEG])
for test in tests:
with self.subTest(test['name']):
headers = {'Content-Type': "application/json"}
headers.update(test['headers'])
resp = self.app.post(url.url,
data=test['data'],
headers=headers)
self.assertEqual(test['expected_resp'], resp.status_code)
