1
0
Fork 0
mirror of https://github.com/fog/fog-aws.git synced 2022-11-09 13:50:52 -05:00

model managed policies

* list attached group/user policies
* fix policy paging
* default managed policy listing
This commit is contained in:
Josh Lane 2015-05-28 13:20:48 -07:00
parent e46e5c487b
commit 0cc4279333
21 changed files with 2332 additions and 66 deletions

View file

@ -2,5 +2,8 @@ source 'https://rubygems.org'
# Specify your gem's dependencies in fog-aws.gemspec
gemspec
gem 'pry-nav', group: :test
group :test, :default do
gem 'pry-nav'
end
gem "codeclimate-test-reporter", group: :test, require: nil

View file

@ -43,19 +43,22 @@ module Fog
request :detach_group_policy
request :detach_role_policy
request :detach_user_policy
request :get_account_summary
request :get_account_password_policy
request :get_account_summary
request :get_group
request :get_group_policy
request :get_instance_profile
request :get_role_policy
request :get_login_profile
request :get_server_certificate
request :get_policy
request :get_role
request :get_role_policy
request :get_server_certificate
request :get_user
request :get_user_policy
request :list_access_keys
request :list_account_aliases
request :list_attached_group_policies
request :list_attached_user_policies
request :list_group_policies
request :list_groups
request :list_groups_for_user
@ -63,8 +66,8 @@ module Fog
request :list_instance_profiles_for_role
request :list_mfa_devices
request :list_policies
request :list_roles
request :list_role_policies
request :list_roles
request :list_server_certificates
request :list_signing_certificates
request :list_user_policies
@ -89,6 +92,8 @@ module Fog
collection :access_keys
model :group
collection :groups
model :managed_policy
collection :managed_policies
model :policy
collection :policies
model :role
@ -96,11 +101,15 @@ module Fog
model :user
collection :users
require 'fog/aws/iam/default_policies'
class Mock
def self.data
@data ||= Hash.new do |hash, key|
owner_id = Fog::AWS::Mock.owner_id
hash[key] = {
:owner_id => Fog::AWS::Mock.owner_id,
:owner_id => owner_id,
:server_certificates => {},
:access_keys => [{
"Status" => "Active",
@ -111,29 +120,33 @@ module Fog
:serial_number => 'R1234',
:user_name => 'Bob'
}],
:markers => Hash.new { |mhash, mkey| mhash[mkey] = [] },
:managed_policies => Fog::AWS::IAM::Mock.default_policies.inject({}) { |r,p| r.merge(p['Arn'] => p) },
:users => Hash.new do |uhash, ukey|
uhash[ukey] = {
:user_id => Fog::AWS::Mock.key_id,
:path => '/',
:arn => "arn:aws:iam::#{Fog::AWS::Mock.owner_id}:user/#{ukey}",
:access_keys => [],
:arn => "arn:aws:iam::#{owner_id}:user/#{ukey}",
:attached_policies => [],
:created_at => Time.now,
:policies => {}
:path => '/',
:policies => {},
:user_id => Fog::AWS::Mock.key_id
}
end,
:groups => Hash.new do |ghash, gkey|
ghash[gkey] = {
:group_id => Fog::AWS::Mock.key_id,
:arn => "arn:aws:iam::#{Fog::AWS::Mock.owner_id}:group/#{gkey}",
:members => [],
:arn => "arn:aws:iam::#{owner_id}:group/#{gkey}",
:attached_policies => [],
:created_at => Time.now,
:group_id => Fog::AWS::Mock.key_id,
:members => [],
:policies => {}
}
end,
:roles => Hash.new do |rhash, rkey|
rhash[rkey] = {
:role_id => Fog::AWS::Mock.key_id,
:arn => "arn:aws:iam:#{Fog::AWS::Mock.owner_id}:role/#{rkey}",
:arn => "arn:aws:iam:#{owner_id}:role/#{rkey}",
:create_date => Time.now,
:assume_role_policy_document => {
"Version" => "2012-10-17",
@ -174,6 +187,10 @@ module Fog
self.class.data[@aws_access_key_id]
end
def account_id
self.data[:owner_id]
end
def reset_data
self.class.data.delete(@aws_access_key_id)
current_user

File diff suppressed because it is too large Load diff

View file

@ -0,0 +1,54 @@
module Fog
module AWS
class IAM
class PagedCollection < Fog::Collection
def self.inherited(klass)
klass.send(:attribute, :truncated, :aliases => 'IsTruncated', :type => :boolean)
klass.send(:attribute, :marker, :aliases => 'Marker')
super
end
def each_entry(*args, &block)
to_a.each(*args, &block)
end
def each
if !block_given?
self
else
subset = dup.all
subset.each_entry { |f| yield f }
while subset.truncated
subset.
all(:marker => subset.marker, :limit => 1000).
each_entry { |f| yield f }
end
self
end
end
protected
def page_params(options={})
marker = options.fetch(:marker) { options.fetch('Marker') { self.marker } }
limit = options.fetch(:limit) { options['MaxItems'] }
params = {}
if marker && !marker.empty?
params.merge!('Marker' => marker)
end
if limit
params.merge!('MaxItems' => limit)
end
params
end
end
end
end
end

View file

@ -23,10 +23,41 @@ module Fog
merge_attributes(:users => self.users + [user])
end
def attach(policy_arn)
def attach(policy_or_arn)
requires :name
service.attach_group_policy(self.name, policy_arn)
arn = if policy_or_arn.respond_to?(:arn)
policy_or_arn.arn
else
policy_or_arn
end
service.attach_group_policy(self.name, arn)
end
def attached_policies
requires :name
service.managed_policies(:group_name => self.name)
end
def destroy
requires :name
service.delete_group(self.name)
true
end
def detach(policy_or_arn)
requires :name
arn = if policy_or_arn.respond_to?(:arn)
policy_or_arn.arn
else
policy_or_arn
end
service.detach_group_policy(self.name, arn)
end
def save

View file

@ -1,19 +1,16 @@
require 'fog/aws/models/iam/group'
require 'fog/aws/iam/paged_collection'
module Fog
module AWS
class IAM
class Groups < Fog::Collection
class Groups < Fog::AWS::IAM::PagedCollection
attribute :truncated, :aliases => 'IsTruncated', :type => :boolean
attribute :marker, :aliases => 'Marker'
attribute :username
model Fog::AWS::IAM::Group
def all(options = {})
merge_attributes(options)
data, records = if self.username
response = service.list_groups_for_user(self.username, options)
[response.body, response.body['GroupsForUser']]
@ -36,23 +33,6 @@ module Fog
rescue Fog::AWS::IAM::NotFound
nil
end
def each
if !block_given?
self
else
subset = dup.all
subset.each { |f| yield f }
while subset.truncated
subset = subset.all('Marker' => subset.marker, 'MaxItems' => 1000)
subset.each { |f| yield f }
end
self
end
end
end
end
end

View file

@ -0,0 +1,63 @@
require 'fog/aws/models/iam/managed_policy'
require 'fog/aws/iam/paged_collection'
module Fog
module AWS
class IAM
class ManagedPolicies < Fog::AWS::IAM::PagedCollection
attribute :username
attribute :group_name
model Fog::AWS::IAM::ManagedPolicy
def all(options={})
data = if self.username
all_by_user(self.username, options)
elsif self.group_name
all_by_group(self.group_name, options)
else
all_policies(options)
end
load(data)
end
def get(identity)
response = service.get_policy(identity)
new(response.body['Policy'])
rescue Fog::AWS::IAM::NotFound
nil
end
protected
def all_by_user(username, options={})
body = service.list_attached_user_policies(username, page_params(options)).body
merge_attributes(body)
body['Policies'].map do |policy|
service.get_policy(policy['PolicyArn']).body['Policy']
end
end
def all_by_group(group_name, options={})
body = service.list_attached_group_policies(group_name, page_params(options)).body
merge_attributes(body)
body['Policies'].map do |policy|
service.get_policy(policy['PolicyArn']).body['Policy']
end
end
def all_policies(options={})
body = service.list_policies(page_params(options)).body
merge_attributes(body)
body['Policies']
end
end
end
end
end

View file

@ -0,0 +1,31 @@
module Fog
module AWS
class IAM
class ManagedPolicy < Fog::Model
identity :id, :aliases => 'PolicyId'
attribute :arn, :aliases => 'Arn'
attribute :attachable, :aliases => 'IsAttachable', :type => :boolean
attribute :attachments, :aliases => 'AttachmentCount', :type => :integer
attribute :created_at, :aliases => 'CreateDate', :type => :time
attribute :default_version, :aliases => 'DefaultVersionId'
attribute :description, :aliases => 'Description'
attribute :name, :aliases => 'PolicyName'
attribute :path, :aliases => 'Path'
attribute :updated_at, :aliases => 'UpdateDate', :type => :time
def attach(user_or_username)
requires :arn
username = if user_or_username.respond_to?(:identity)
user_or_username.identity
else
user_or_username
end
service.attach_user_policy(username, self.arn)
end
end
end
end
end

View file

@ -1,21 +1,23 @@
require 'fog/aws/models/iam/policy'
require 'fog/aws/iam/paged_collection'
module Fog
module AWS
class IAM
class Policies < Fog::Collection
class Policies < Fog::AWS::IAM::PagedCollection
model Fog::AWS::IAM::Policy
attribute :username
attribute :group_name
def all
def all(options={})
requires_one :username, :group_name
policies = if self.username
all_by_user(self.username)
else
all_by_group(self.group_name)
all_by_user(self.username, options)
else self.group_name
all_by_group(self.group_name, options)
end
load(policies) # data is an array of attribute hashes
@ -24,13 +26,13 @@ module Fog
def get(identity)
requires_one :username, :group_name
data = if self.username
response = if self.username
service.get_user_policy(identity, self.username)
else
else self.group_name
service.get_group_policy(identity, self.group_name)
end.body['Policy']
end
new(data)
new(response.body['Policy'])
rescue Fog::AWS::IAM::NotFound
nil
end
@ -44,16 +46,18 @@ module Fog
# AWS method get_user_policy and list_group_policies only returns an array of policy names, this is kind of useless,
# that's why it has to loop through the list to get the details of each element. I don't like it because it makes this method slow
def all_by_group(group_name)
response = service.list_group_policies(group_name)
def all_by_group(group_name, options={})
response = service.list_group_policies(group_name, page_params(options))
merge_attributes(response.body)
response.body['PolicyNames'].map do |policy_name|
service.get_group_policy(policy_name, group_name).body['Policy']
end
end
def all_by_user(username)
response = service.list_user_policies(username)
def all_by_user(username, options={})
response = service.list_user_policies(username, page_params(options))
merge_attributes(response.body)
response.body['PolicyNames'].map do |policy_name|
service.get_user_policy(policy_name, username).body['Policy']

View file

@ -15,6 +15,36 @@ module Fog
service.access_keys(:username => id)
end
def attach(policy_or_arn)
requires :identity
arn = if policy_or_arn.respond_to?(:arn)
policy_or_arn.arn
else
policy_or_arn
end
service.attach_user_policy(self.identity, arn)
end
def detach(policy_or_arn)
requires :identity
arn = if policy_or_arn.respond_to?(:arn)
policy_or_arn.arn
else
policy_or_arn
end
service.detach_user_policy(self.identity, arn)
end
def attached_policies
requires :identity
service.managed_policies(:username => self.identity)
end
def destroy
requires :id
@ -23,13 +53,15 @@ module Fog
end
def groups
requires :identity
service.groups(:username => self.identity)
end
def policies
requires :id
requires :identity
service.policies(:username => id)
service.policies(:username => self.identity)
end
def password=(password)

View file

@ -14,12 +14,25 @@ module Fog
@response['Policies'] << policy
end
def start_element(name, attrs = [])
case name
when 'member'
@policy = {}
end
super
end
def end_element(name)
case name
when 'RequestId', 'Marker'
@response[name] = value
when 'PolicyArn', 'PolicyName'
@policy[name] = value
when 'IsTruncated'
@response[name] = (value == 'true')
when 'member'
finished_policy(@policy)
@policy = {}
end
super
end

View file

@ -1,7 +1,7 @@
module Fog
module AWS
module RegionMethods
def validate_aws_region host, region
def validate_aws_region(host, region)
if host.end_with?('.amazonaws.com') && !['ap-northeast-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-west-1', 'us-east-1', 'us-west-1', 'us-west-2', 'sa-east-1', 'us-gov-west-1', 'eu-central-1'].include?(region)
raise ArgumentError, "Unknown region: #{region.inspect}"
end

View file

@ -27,6 +27,32 @@ module Fog
)
end
end
class Mock
def attach_group_policy(group_name, policy_arn)
if policy_arn.nil?
raise Fog::AWS::IAM::ValidationError, "1 validation error detected: Value null at 'policyArn' failed to satisfy constraint: Member must not be null"
end
managed_policy = self.data[:managed_policies][policy_arn]
unless managed_policy
raise Fog::AWS::IAM::NotFound, "Policy #{policy_arn} does not exist."
end
unless self.data[:groups].key?(group_name)
raise Fog::AWS::IAM::NotFound.new("The group with name #{group_name} cannot be found.")
end
group = self.data[:groups][group_name]
group[:attached_policies] << policy_arn
Excon::Response.new.tap { |response|
response.status = 200
response.body = { "RequestId" => Fog::AWS::Mock.request_id }
}
end
end
end
end
end

View file

@ -27,6 +27,32 @@ module Fog
)
end
end
class Mock
def attach_user_policy(user_name, policy_arn)
if policy_arn.nil?
raise Fog::AWS::IAM::ValidationError, "1 validation error detected: Value null at 'policyArn' failed to satisfy constraint: Member must not be null"
end
managed_policy = self.data[:managed_policies][policy_arn]
unless managed_policy
raise Fog::AWS::IAM::NotFound, "Policy #{policy_arn} does not exist."
end
unless self.data[:users].key?(user_name)
raise Fog::AWS::IAM::NotFound.new("The user with name #{user_name} cannot be found.")
end
user = self.data[:users][user_name]
user[:attached_policies] << policy_arn
Excon::Response.new.tap { |response|
response.status = 200
response.body = { "RequestId" => Fog::AWS::Mock.request_id }
}
end
end
end
end
end

View file

@ -27,6 +27,32 @@ module Fog
)
end
end
class Mock
def detach_group_policy(group_name, policy_arn)
if policy_arn.nil?
raise Fog::AWS::IAM::ValidationError, "1 validation error detected: Value null at 'policyArn' failed to satisfy constraint: Member must not be null"
end
managed_policy = self.data[:managed_policies][policy_arn]
unless managed_policy
raise Fog::AWS::IAM::NotFound, "Policy #{policy_arn} does not exist."
end
unless self.data[:groups].key?(group_name)
raise Fog::AWS::IAM::NotFound.new("The group with name #{group_name} cannot be found.")
end
group = self.data[:groups][group_name]
group[:attached_policies].delete(policy_arn)
Excon::Response.new.tap { |response|
response.status = 200
response.body = { "RequestId" => Fog::AWS::Mock.request_id }
}
end
end
end
end
end

View file

@ -27,6 +27,32 @@ module Fog
)
end
end
class Mock
def detach_user_policy(user_name, policy_arn)
if policy_arn.nil?
raise Fog::AWS::IAM::ValidationError, "1 validation error detected: Value null at 'policyArn' failed to satisfy constraint: Member must not be null"
end
managed_policy = self.data[:managed_policies][policy_arn]
unless managed_policy
raise Fog::AWS::IAM::NotFound, "Policy #{policy_arn} does not exist."
end
unless self.data[:users].key?(user_name)
raise Fog::AWS::IAM::NotFound.new("The user with name #{user_name} cannot be found.")
end
user = self.data[:users][user_name]
user[:attached_policies].delete(policy_arn)
Excon::Response.new.tap { |response|
response.status = 200
response.body = { "RequestId" => Fog::AWS::Mock.request_id }
}
end
end
end
end
end

View file

@ -0,0 +1,57 @@
module Fog
module AWS
class IAM
class Real
require 'fog/aws/parsers/iam/single_policy'
# Get Policy
#
# ==== Parameters
# * 'PolicyArn'<~String>: The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.
#
# ==== Returns
# * response<~Excon::Response>:
# * body<~Hash>:
# * Arn<~String> The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.
# * AttachmentCount<~Integer> The number of entities (users, groups, and roles) that the policy is attached to.
# * CreateDate<~DateTime> The date and time, in ISO 8601 date-time format, when the policy was created.
# * DefaultVersionId<~String> The identifier for the version of the policy that is set as the default version.
# * Description<~String> A friendly description of the policy.
# * IsAttachable<~Boolean> Specifies whether the policy can be attached to an IAM user, group, or role.
# * Path<~String> The path to the policy.
# * PolicyId<~String> The stable and unique string identifying the policy.
# * PolicyName<~String> The friendly name (not ARN) identifying the policy.
# * UpdateDate<~DateTime> The date and time, in ISO 8601 date-time format, when the policy was last updated.
#
# ==== See Also
# http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html
#
def get_policy(policy_arn)
request({
'Action' => 'GetPolicy',
'PolicyArn' => policy_arn,
:parser => Fog::Parsers::AWS::IAM::SinglePolicy.new
})
end
end
class Mock
def get_policy(policy_arn)
managed_policy = self.data[:managed_policies][policy_arn]
unless managed_policy
raise Fog::AWS::IAM::NotFound, "Policy #{policy_arn} does not exist."
end
Excon::Response.new.tap do |response|
response.body = {
'Policy' => managed_policy,
'RequestId' => Fog::AWS::Mock.request_id
}
response.status = 200
end
end
end
end
end
end

View file

@ -0,0 +1,89 @@
module Fog
module AWS
class IAM
class Real
require 'fog/aws/parsers/iam/list_managed_policies'
# Attaches a managed policy to a group
#
# ==== Parameters
# * group_name<~String>: name of the group
#
# ==== Returns
# * response<~Excon::Response>:
# * body<~Hash>:
# * 'RequestId'<~String> - Id of the request
# * AttachedPolicies
# * 'PolicyArn'<~String> - The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.
# * 'PolicName'<~String> - The friendly name of the attached policy.
#
# ==== See Also
# http://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html
#
def list_attached_group_policies(group_name, options={})
request({
'Action' => 'ListAttachedGroupPolicies',
'GroupName' => group_name,
:parser => Fog::Parsers::AWS::IAM::ListManagedPolicies.new
}.merge(options))
end
end
class Mock
def list_attached_group_policies(group_name, options={})
unless self.data[:groups].key?(group_name)
raise Fog::AWS::IAM::NotFound.new("The group with name #{group_name} cannot be found.")
end
limit = options['MaxItems']
marker = options['Marker']
group = self.data[:groups][group_name]
if limit
if limit > 1_000
raise Fog::AWS::IAM::Error.new(
"ValidationError => 1 validation error detected: Value '#{limit}' at 'limit' failed to satisfy constraint: Member must have value less than or equal to 1000"
)
elsif limit < 1
raise Fog::AWS::IAM::Error.new(
"ValidationError => 1 validation error detected: Value '#{limit}' at 'limit' failed to satisfy constraint: Member must have value greater than or equal to 1"
)
end
end
data_set = if marker
self.data[:markers][marker] || []
else
group[:attached_policies].map { |arn|
self.data[:managed_policies].fetch(arn)
}.map { |mp|
{ "PolicyName" => mp.fetch("PolicyName"), "PolicyArn" => mp.fetch("Arn") }
}
end
data = data_set.slice!(0, limit || 100)
truncated = data_set.size > 0
marker = truncated && Base64.encode64("metadata/l/#{account_id}/#{UUID.uuid}")
response = Excon::Response.new
body = {
'Policies' => data,
'IsTruncated' => truncated,
'RequestId' => Fog::AWS::Mock.request_id
}
if marker
self.data[:markers][marker] = data_set
body.merge!('Marker' => marker)
end
response.body = body
response.status = 200
response
end
end
end
end
end

View file

@ -0,0 +1,89 @@
module Fog
module AWS
class IAM
class Real
require 'fog/aws/parsers/iam/list_managed_policies'
# Attaches a managed policy to a user
#
# ==== Parameters
# * user_name<~String>: name of the user
#
# ==== Returns
# * response<~Excon::Response>:
# * body<~Hash>:
# * 'RequestId'<~String> - Id of the request
# * AttachedPolicies
# * 'PolicyArn'<~String> - The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.
# * 'PolicName'<~String> - The friendly name of the attached policy.
#
# ==== See Also
# http://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html
#
def list_attached_user_policies(user_name, options={})
request({
'Action' => 'ListAttachedUserPolicies',
'UserName' => user_name,
:parser => Fog::Parsers::AWS::IAM::ListManagedPolicies.new
}.merge(options))
end
end
class Mock
def list_attached_user_policies(user_name, options={})
unless self.data[:users].key?(user_name)
raise Fog::AWS::IAM::NotFound.new("The user with name #{user_name} cannot be found.")
end
limit = options['MaxItems']
marker = options['Marker']
user = self.data[:users][user_name]
if limit
if limit > 1_000
raise Fog::AWS::IAM::Error.new(
"ValidationError => 1 validation error detected: Value '#{limit}' at 'limit' failed to satisfy constraint: Member must have value less than or equal to 1000"
)
elsif limit < 1
raise Fog::AWS::IAM::Error.new(
"ValidationError => 1 validation error detected: Value '#{limit}' at 'limit' failed to satisfy constraint: Member must have value greater than or equal to 1"
)
end
end
data_set = if marker
self.data[:markers][marker] || []
else
user[:attached_policies].map { |arn|
self.data[:managed_policies].fetch(arn)
}.map { |mp|
{ "PolicyName" => mp.fetch("PolicyName"), "PolicyArn" => mp.fetch("Arn") }
}
end
data = data_set.slice!(0, limit || 100)
truncated = data_set.size > 0
marker = truncated && Base64.encode64("metadata/l/#{account_id}/#{UUID.uuid}")
response = Excon::Response.new
body = {
'Policies' => data,
'IsTruncated' => truncated,
'RequestId' => Fog::AWS::Mock.request_id
}
if marker
self.data[:markers][marker] = data_set
body.merge!('Marker' => marker)
end
response.body = body
response.status = 200
response
end
end
end
end
end

View file

@ -41,7 +41,52 @@ module Fog
end
end
class Mock
def list_policies(options={})
limit = options['MaxItems']
marker = options['Marker']
if limit
if limit > 1_000
raise Fog::AWS::IAM::Error.new(
"ValidationError => 1 validation error detected: Value '#{limit}' at 'limit' failed to satisfy constraint: Member must have value less than or equal to 1000"
)
elsif limit < 1
raise Fog::AWS::IAM::Error.new(
"ValidationError => 1 validation error detected: Value '#{limit}' at 'limit' failed to satisfy constraint: Member must have value greater than or equal to 1"
)
end
end
data_set = if marker
self.data[:markers][marker] || []
else
self.data[:managed_policies].values
end
data = data_set.slice!(0, limit || 100)
truncated = data_set.size > 0
marker = truncated && Base64.encode64("metadata/l/#{account_id}/#{UUID.uuid}")
response = Excon::Response.new
body = {
'Policies' => data,
'IsTruncated' => truncated,
'RequestId' => Fog::AWS::Mock.request_id
}
if marker
self.data[:markers][marker] = data_set
body.merge!('Marker' => marker)
end
response.body = body
response.status = 200
response
end
end
end
end
end

View file

@ -0,0 +1,54 @@
Shindo.tests("Fog::Compute[:iam] | managed_policies", ['aws','iam']) do
iam = Fog::AWS[:iam]
tests('#all').succeeds do
iam.managed_policies.size == 100
end
tests('#each').succeeds do
policies = []
iam.managed_policies.each { |policy| policies << policy }
policies.size > 100
end
policy = iam.managed_policies.get("arn:aws:iam::aws:policy/IAMReadOnlyAccess")
tests("users") do
user = iam.users.create(:id => uniq_id("fog-test-user"))
tests("#attach").succeeds do
user.attach(policy)
user.attached_policies.map(&:identity) == [policy.identity]
end
tests("#detach").succeeds do
user.detach(policy)
user.attached_policies.map(&:identity) == []
end
user.destroy
end
tests("groups") do
group = iam.groups.create(:name => uniq_id("fog-test-group"))
tests("#attach").succeeds do
group.attach(policy)
group.attached_policies.map(&:identity) == [policy.identity]
end
tests("#detach").succeeds do
group.detach(policy)
group.attached_policies.map(&:identity) == []
end
group.destroy
end
end