mocks around iam policies
parent
48af784f06
commit
1248610871
16 changed files with 211 additions and 26 deletions
|
@ -2561,6 +2561,7 @@
|
|||
"Effect": "Allow",
|
||||
"Action": [
|
||||
"iam:GenerateCredentialReport",
|
||||
"iam:GenerateServiceLastAccessedDetails",
|
||||
"iam:Get*",
|
||||
"iam:List*"
|
||||
],
|
||||
|
|
|
@ -8,6 +8,7 @@ module Fog
|
|||
|
||||
attribute :username
|
||||
attribute :group_name
|
||||
attribute :role_name
|
||||
|
||||
model Fog::AWS::IAM::ManagedPolicy
|
||||
|
||||
|
@ -16,6 +17,8 @@ module Fog
|
|||
all_by_user(self.username, options)
|
||||
elsif self.group_name
|
||||
all_by_group(self.group_name, options)
|
||||
elsif self.role_name
|
||||
all_by_role(self.role_name, options)
|
||||
else
|
||||
all_policies(options)
|
||||
end
|
||||
|
@ -51,6 +54,15 @@ module Fog
|
|||
end
|
||||
end
|
||||
|
||||
def all_by_role(role_name, options={})
|
||||
body = service.list_attached_role_policies(role_name, page_params(options)).body
|
||||
merge_attributes(body)
|
||||
|
||||
body['Policies'].map do |policy|
|
||||
service.get_policy(policy['PolicyArn']).body['Policy']
|
||||
end
|
||||
end
|
||||
|
||||
def all_policies(options={})
|
||||
body = service.list_policies(page_params(options)).body
|
||||
merge_attributes(body)
|
||||
|
|
|
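Review bot: `all_by_role` issues one `get_policy` request per ARN returned by `list_attached_role_policies`, so a role with many attached policies costs N+1 calls and a single ARN that `get_policy` rejects raises out of the `map` and aborts the whole listing. This looks like a deliberate mirror of the user/group variants, so at minimum a comment should state the trade-off: `# One GetPolicy call per attached policy: ListAttachedRolePolicies returns only ARNs and names.` The `all` dispatch earlier in the same file silently prefers `username` over `group_name` and `role_name` when more than one attribute is set; a one-line note on that method (`# Precedence: username, then group_name, then role_name; otherwise all policies.`) would save callers a surprise. The head of `all` and the body of `all_policies` lie outside the hunk.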
@ -14,6 +14,8 @@ module Fog
|
|||
attribute :path, :aliases => 'Path'
|
||||
attribute :updated_at, :aliases => 'UpdateDate', :type => :time
|
||||
|
||||
attr_accessor :policy_document
|
||||
|
||||
def attach(user_or_username)
|
||||
requires :arn
|
||||
|
||||
|
@ -32,6 +34,24 @@ module Fog
|
|||
service.get_policy_version(self.arn, self.default_version).
|
||||
body['PolicyVersion']['Document']
|
||||
end
|
||||
|
||||
def reload
|
||||
service.managed_policies.get(self.arn)
|
||||
end
|
||||
|
||||
def save
|
||||
requires :name, :policy_document
|
||||
|
||||
merge_attributes(service.create_policy(self.name, self.policy_document, self.path, self.description).body["Policy"])
|
||||
end
|
||||
|
||||
def destroy
|
||||
requires :arn
|
||||
|
||||
service.delete_policy(self.arn)
|
||||
|
||||
true
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
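Review bot: `reload` returns a fresh model from `service.managed_policies.get(self.arn)` instead of refreshing the receiver, so `policy.reload; policy.attachments` keeps the stale value, and the method also skips `requires :arn`. Unless bypassing the base Fog model's reload is intentional, the usual shape is `requires :arn` / `merge_attributes(service.managed_policies.get(self.arn).attributes)` / `self`, which keeps both `policy.reload.attachments` and later reads on the original object consistent. `save` likewise always calls `create_policy`, so calling it on a policy that already has an `arn` attempts a second creation rather than an update; if that is the intended contract, say so above the method: `# Create-only: calling save on a policy that already has an arn issues another CreatePolicy.` The class header and the `attach` body continue outside the hunk.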
@ -20,6 +20,36 @@ module Fog
|
|||
true
|
||||
end
|
||||
|
||||
def attach(policy_or_arn)
|
||||
requires :rolename
|
||||
|
||||
arn = if policy_or_arn.respond_to?(:arn)
|
||||
policy_or_arn.arn
|
||||
else
|
||||
policy_or_arn
|
||||
end
|
||||
|
||||
service.attach_role_policy(self.rolename, arn)
|
||||
end
|
||||
|
||||
def detach(policy_or_arn)
|
||||
requires :rolename
|
||||
|
||||
arn = if policy_or_arn.respond_to?(:arn)
|
||||
policy_or_arn.arn
|
||||
else
|
||||
policy_or_arn
|
||||
end
|
||||
|
||||
service.detach_role_policy(self.rolename, arn)
|
||||
end
|
||||
|
||||
def attached_policies
|
||||
requires :rolename
|
||||
|
||||
service.managed_policies(:role_name => self.rolename)
|
||||
end
|
||||
|
||||
def destroy
|
||||
requires :rolename
|
||||
|
||||
|
|
|
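Review bot: `attach` and `detach` duplicate the same five-line `arn = if policy_or_arn.respond_to?(:arn) … end` resolution; a private helper keeps the two paths from drifting and gives the coercion a name. Each of the new methods accepts either a model or a bare ARN string but none documents that, so a YARD line on each would help callers: `# @param policy_or_arn [Fog::AWS::IAM::ManagedPolicy, String] policy model or policy ARN`. `destroy` continues past the end of the hunk.
```ruby
def attach(policy_or_arn)
  requires :rolename

  service.attach_role_policy(self.rolename, policy_arn_for(policy_or_arn))
end

def detach(policy_or_arn)
  requires :rolename

  service.detach_role_policy(self.rolename, policy_arn_for(policy_or_arn))
end

# … unchanged: attached_policies, destroy and the remaining public methods …

private

# Accepts a ManagedPolicy (anything responding to #arn) or a bare ARN string.
def policy_arn_for(policy_or_arn)
  policy_or_arn.respond_to?(:arn) ? policy_or_arn.arn : policy_or_arn
end
```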
@ -46,6 +46,7 @@ module Fog
|
|||
|
||||
group = self.data[:groups][group_name]
|
||||
group[:attached_policies] << policy_arn
|
||||
managed_policy["AttachmentCount"] += 1
|
||||
|
||||
Excon::Response.new.tap { |response|
|
||||
response.status = 200
|
||||
|
|
|
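Review bot: `group[:attached_policies] << policy_arn` followed by the new `managed_policy["AttachmentCount"] += 1` appends and increments unconditionally, so attaching the same policy twice leaves a duplicate ARN in the group and an AttachmentCount of 2, whereas the real API, as far as I know, treats re-attachment as a no-op. The same pattern is in the attach_user_policy and attach_role_policy mocks in this commit. Wrapping the two lines in `unless group[:attached_policies].include?(policy_arn) … end` keeps the bookkeeping consistent with what the `detach_*` mocks later decrement. The enclosing method starts before this hunk.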
@ -20,13 +20,39 @@ module Fog
|
|||
#
|
||||
def attach_role_policy(role_name, policy_arn)
|
||||
request(
|
||||
'Action' => 'AttachRolePolicy',
|
||||
'RoleName' => role_name,
|
||||
'PolicyArn' => policy_arn,
|
||||
:parser => Fog::Parsers::AWS::IAM::Basic.new
|
||||
'Action' => 'AttachRolePolicy',
|
||||
'RoleName' => role_name,
|
||||
'PolicyArn' => policy_arn,
|
||||
:parser => Fog::Parsers::AWS::IAM::Basic.new
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
class Mock
|
||||
def attach_role_policy(role_name, policy_arn)
|
||||
response = Excon::Response.new
|
||||
if policy_arn.nil?
|
||||
raise Fog::AWS::IAM::ValidationError, "1 validation error detected: Value null at 'policyArn' failed to satisfy constraint: Member must not be null"
|
||||
end
|
||||
|
||||
managed_policy = self.data[:managed_policies][policy_arn]
|
||||
|
||||
unless managed_policy
|
||||
raise Fog::AWS::IAM::NotFound, "Policy #{policy_arn} does not exist."
|
||||
end
|
||||
|
||||
unless self.data[:roles][role_name]
|
||||
raise Fog::AWS::IAM::NotFound.new("The role with name #{role_name} cannot be found.")
|
||||
end
|
||||
|
||||
role = self.data[:roles][role_name]
|
||||
role[:attached_policies] ||= []
|
||||
role[:attached_policies] << managed_policy['Arn']
|
||||
managed_policy['AttachmentCount'] += 1
|
||||
response.body = {"RequestId" => Fog::AWS::Mock.request_id}
|
||||
response
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
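Review bot: The new `Mock#attach_role_policy` never sets `response.status`, while the attach_group_policy and attach_user_policy mocks in this same commit do `response.status = 200` before returning; the create_policy, delete_policy and detach_role_policy mocks added here have the same gap. Adding `response.status = 200` next to the `response.body = …` line keeps callers that inspect the status from seeing a nil. The role lookup is also written two ways in this commit (`unless self.data[:roles][role_name]` here, `unless self.data[:roles].key?(role_name)` in detach_role_policy); picking `key?` in both makes the intent explicit.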
@ -46,6 +46,7 @@ module Fog
|
|||
|
||||
user = self.data[:users][user_name]
|
||||
user[:attached_policies] << policy_arn
|
||||
managed_policy['AttachmentCount'] += 1
|
||||
|
||||
Excon::Response.new.tap { |response|
|
||||
response.status = 200
|
||||
|
|
|
@ -35,13 +35,37 @@ module Fog
|
|||
'PolicyName' => policy_name,
|
||||
'PolicyDocument' => Fog::JSON.encode(policy_document),
|
||||
'Path' => path,
|
||||
'Description' => description,
|
||||
'Description' => description,
|
||||
:parser => Fog::Parsers::AWS::IAM::SinglePolicy.new
|
||||
}.reject {|_, value| value.nil?})
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
class Mock
|
||||
def create_policy(policy_name, policy_document, path="/", description=nil)
|
||||
response = Excon::Response.new
|
||||
|
||||
arn = "arn:aws:iam:#{Fog::AWS::Mock.owner_id}:policy/#{policy_name}"
|
||||
|
||||
policy = {
|
||||
"Arn" => arn,
|
||||
"AttachmentCount" => 0,
|
||||
"CreateDate" => Time.now.utc,
|
||||
"DefaultVersionId" => "v1",
|
||||
"Description" => description,
|
||||
"IsAttachable" => true,
|
||||
"Path" => path,
|
||||
"PolicyId" => Fog::Mock.random_hex(21),
|
||||
"PolicyName" => policy_name,
|
||||
"UpdateDate" => Time.now.utc,
|
||||
}
|
||||
|
||||
self.data[:managed_policies][arn] = policy
|
||||
|
||||
response.body = {"RequestId" => Fog::AWS::Mock.request_id, "Policy" => policy}
|
||||
response
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
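Review bot: The ARN built on the `arn = "arn:aws:iam:#{Fog::AWS::Mock.owner_id}:policy/#{policy_name}"` line has a single colon after `iam` and ignores `path`, whereas real IAM policy ARNs carry an empty region field and the path, e.g. `arn:aws:iam::<account-id>:policy/<path>/<name>`; `arn = "arn:aws:iam::#{Fog::AWS::Mock.owner_id}:policy#{path}#{policy_name}"` matches that shape and makes two policies with the same name under different paths distinct, as they are in IAM. `self.data[:managed_policies][arn] = policy` also silently overwrites an existing entry, so creating the same name twice resets AttachmentCount to 0 while the attachments recorded on users, groups and roles remain; raising the same already-exists error the other create_* mocks use when `self.data[:managed_policies].key?(arn)` keeps the mock honest. `policy_document` is accepted and discarded here, so the stored record cannot serve a later get_policy_version in mock mode — confirm that is acceptable for this commit.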
@ -25,6 +25,21 @@ module Fog
|
|||
)
|
||||
end
|
||||
end
|
||||
|
||||
class Mock
|
||||
def delete_policy(policy_arn)
|
||||
response = Excon::Response.new
|
||||
policy = self.data[:managed_policies][policy_arn]
|
||||
|
||||
if policy.nil?
|
||||
raise Fog::AWS::IAM::NotFound.new("Policy #{policy_arn} does not exist or is not attachable.")
|
||||
end
|
||||
|
||||
self.data[:managed_policies].delete(policy_arn)
|
||||
response.body = {"RequestId" => Fog::AWS::Mock.request_id}
|
||||
response
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
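Review bot: `self.data[:managed_policies].delete(policy_arn)` removes the policy regardless of `policy['AttachmentCount']`, so a policy still attached to users, groups or roles disappears while their `:attached_policies` lists keep the ARN; a later `list_attached_*_policies` plus `get_policy` (as the new `all_by_role` does) then raises NotFound for a dangling reference. Real IAM refuses to delete an attached policy, so the mock should reject the call while `policy['AttachmentCount'] > 0` with whichever conflict error the project maps that case to, and only then delete. The NotFound message on the `policy.nil?` branch says "does not exist or is not attachable", which reads as a copy from an attach path; "Policy #{policy_arn} does not exist." matches the wording used by the attach/detach mocks in this commit.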
@ -46,6 +46,7 @@ module Fog
|
|||
|
||||
group = self.data[:groups][group_name]
|
||||
group[:attached_policies].delete(policy_arn)
|
||||
managed_policy["AttachmentCount"] -= 1
|
||||
|
||||
Excon::Response.new.tap { |response|
|
||||
response.status = 200
|
||||
|
|
|
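Review bot: `group[:attached_policies].delete(policy_arn)` and `managed_policy["AttachmentCount"] -= 1` run even when the policy was never attached to this group, so a stray detach drives AttachmentCount negative and the later `policy.reload.attachments` assertions become order-dependent. The detach_user_policy and detach_role_policy mocks in this commit have the same shape. A guard before the two lines, `raise Fog::AWS::IAM::NotFound, "Policy #{policy_arn} was not found." unless group[:attached_policies].include?(policy_arn)` (message constructed, align it with what the real service returns), keeps the counter consistent. The enclosing method starts before this hunk.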
@ -27,6 +27,33 @@ module Fog
|
|||
)
|
||||
end
|
||||
end
|
||||
|
||||
class Mock
|
||||
def detach_role_policy(role_name, policy_arn)
|
||||
response = Excon::Response.new
|
||||
|
||||
if policy_arn.nil?
|
||||
raise Fog::AWS::IAM::ValidationError, "1 validation error detected: Value null at 'policyArn' failed to satisfy constraint: Member must not be null"
|
||||
end
|
||||
|
||||
managed_policy = self.data[:managed_policies][policy_arn]
|
||||
|
||||
unless managed_policy
|
||||
raise Fog::AWS::IAM::NotFound, "Policy #{policy_arn} does not exist."
|
||||
end
|
||||
|
||||
unless self.data[:roles].key?(role_name)
|
||||
raise Fog::AWS::IAM::NotFound.new("The role with name #{role_name} cannot be found.")
|
||||
end
|
||||
|
||||
role = self.data[:roles][role_name]
|
||||
role[:attached_policies].delete(policy_arn)
|
||||
managed_policy["AttachmentCount"] -= 1
|
||||
|
||||
response.body = {"RequestId" => Fog::AWS::Mock.request_id}
|
||||
response
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
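Review bot: `role[:attached_policies].delete(policy_arn)` assumes the array exists, but the matching `attach_role_policy` mock in this commit initialises it lazily with `role[:attached_policies] ||= []`, so detaching from a role that has never had a policy attached raises NoMethodError on nil instead of returning a clean error. `(role[:attached_policies] ||= []).delete(policy_arn)` on that line is the smallest fix; initialising the array where the role is created would be cleaner but that code is not in this diff. The `Real#detach_role_policy` body that precedes the Mock class is cut off at the top of the hunk.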
@ -46,6 +46,7 @@ module Fog
|
|||
|
||||
user = self.data[:users][user_name]
|
||||
user[:attached_policies].delete(policy_arn)
|
||||
managed_policy["AttachmentCount"] -= 1
|
||||
|
||||
Excon::Response.new.tap { |response|
|
||||
response.status = 200
|
||||
|
|
|
@ -70,7 +70,8 @@ module Fog
|
|||
body = {
|
||||
'Policies' => data,
|
||||
'IsTruncated' => truncated,
|
||||
'RequestId' => Fog::AWS::Mock.request_id
|
||||
'RequestId' => Fog::AWS::Mock.request_id,
|
||||
'Marker' => nil
|
||||
}
|
||||
|
||||
if marker
|
||||
|
|
|
@ -64,6 +64,10 @@ module Fog
|
|||
self.data[:managed_policies].values
|
||||
end
|
||||
|
||||
if options["PathPrefix"]
|
||||
data_set.select! { |p| p["Path"].match(/^#{options["PathPrefix"]}/) }
|
||||
end
|
||||
|
||||
data = data_set.slice!(0, limit || 100)
|
||||
truncated = data_set.size > 0
|
||||
marker = truncated && Base64.encode64("metadata/l/#{account_id}/#{UUID.uuid}")
|
||||
|
|
|
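Review bot: `data_set.select! { |p| p["Path"].match(/^#{options["PathPrefix"]}/) }` interpolates the caller-supplied prefix into a regex unescaped and anchors with `^`, which matches at any line start rather than the start of the string; a prefix containing `.`, `*`, `(` or `/` changes the match rather than being compared literally. `data_set.select! { |p| p["Path"].start_with?(options["PathPrefix"]) }` is the literal prefix comparison the PathPrefix parameter describes and avoids building a regex per policy. On the context line below it, `truncated = data_set.size > 0` reads more idiomatically as `truncated = !data_set.empty?`. The enclosing method starts before the hunk.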
@ -22,7 +22,7 @@ Shindo.tests("Fog::Compute[:iam] | managed_policies", ['aws','iam']) do
|
|||
"Statement" => [
|
||||
{
|
||||
"Effect" => "Allow",
|
||||
"Action" => [ "iam:GenerateCredentialReport", "iam:Get*", "iam:List*" ],
|
||||
"Action" => [ "iam:GenerateCredentialReport", "iam:GenerateServiceLastAccessedDetails", "iam:Get*", "iam:List*" ],
|
||||
"Resource" => "*"
|
||||
}
|
||||
]
|
||||
|
@ -38,6 +38,8 @@ Shindo.tests("Fog::Compute[:iam] | managed_policies", ['aws','iam']) do
|
|||
user.attached_policies.map(&:identity) == [policy.identity]
|
||||
end
|
||||
|
||||
returns(1) { policy.reload.attachments}
|
||||
|
||||
tests("#detach").succeeds do
|
||||
user.detach(policy)
|
||||
|
||||
|
@ -56,6 +58,8 @@ Shindo.tests("Fog::Compute[:iam] | managed_policies", ['aws','iam']) do
|
|||
group.attached_policies.map(&:identity) == [policy.identity]
|
||||
end
|
||||
|
||||
returns(1) { policy.reload.attachments}
|
||||
|
||||
tests("#detach").succeeds do
|
||||
group.detach(policy)
|
||||
|
||||
|
@ -64,4 +68,22 @@ Shindo.tests("Fog::Compute[:iam] | managed_policies", ['aws','iam']) do
|
|||
|
||||
group.destroy
|
||||
end
|
||||
|
||||
tests("roles") do
|
||||
role = iam.roles.create(:rolename => uniq_id("fog-test-role"))
|
||||
|
||||
tests("#attach").succeeds do
|
||||
role.attach(policy)
|
||||
role.attached_policies.map(&:identity) == [policy.identity]
|
||||
end
|
||||
|
||||
returns(1) { policy.reload.attachments}
|
||||
|
||||
tests("#detach").succeeds do
|
||||
role.detach(policy)
|
||||
role.attached_policies.map(&:identity) == []
|
||||
end
|
||||
|
||||
role.destroy
|
||||
end
|
||||
end
|
||||
|
|
|
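Review bot: `role.destroy` at the end of the new `tests("roles")` block only runs when the attach and detach tests before it pass, so against a real account a failing assertion leaves a `fog-test-role` role behind with the policy still attached. Since the Shindo block is plain Ruby, wrapping the body in `begin … ensure role.destroy end` (or detaching in the ensure as well) keeps the account clean on failure; the user and group sections above the hunk have the same shape but are not part of this change. Minor: `returns(1) { policy.reload.attachments}` is missing the space before `}` that the surrounding blocks use.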
@ -1,6 +1,5 @@
|
|||
Shindo.tests('AWS::IAM | managed policy requests', ['aws']) do
|
||||
|
||||
pending if Fog.mocking?
|
||||
Fog::AWS[:iam].create_group('fog_policy_test_group')
|
||||
Fog::AWS[:iam].create_user('fog_policy_test_user')
|
||||
Fog::AWS[:iam].create_role('fog_policy_test_role', Fog::AWS::IAM::EC2_ASSUME_ROLE_POLICY)
|
||||
|
@ -8,16 +7,16 @@ Shindo.tests('AWS::IAM | managed policy requests', ['aws']) do
|
|||
tests('success') do
|
||||
@policy = {'Version' => '2012-10-17', "Statement" => [{"Effect" => "Deny", "Action" => "*", "Resource" => "*"}]}
|
||||
@policy_format = {
|
||||
'Arn' => String,
|
||||
'AttachmentCount' => Integer,
|
||||
'Description' => String,
|
||||
'Arn' => String,
|
||||
'AttachmentCount' => Integer,
|
||||
'Description' => Fog::Nullable::String,
|
||||
'DefaultVersionId' => String,
|
||||
'IsAttachable' => Fog::Boolean,
|
||||
'Path' => String,
|
||||
'PolicyId' => String,
|
||||
'PolicyName' => String,
|
||||
'CreateDate' => Time,
|
||||
'UpdateDate' => Time
|
||||
'IsAttachable' => Fog::Boolean,
|
||||
'Path' => String,
|
||||
'PolicyId' => String,
|
||||
'PolicyName' => String,
|
||||
'CreateDate' => Time,
|
||||
'UpdateDate' => Time
|
||||
}
|
||||
|
||||
create_policy_format = {
|
||||
|
@ -28,8 +27,8 @@ Shindo.tests('AWS::IAM | managed policy requests', ['aws']) do
|
|||
list_policies_format = {
|
||||
'RequestId' => String,
|
||||
'Policies' => [@policy_format],
|
||||
'Marker' => String,
|
||||
'IsTruncated' => Fog::Boolean
|
||||
'Marker' => Fog::Nullable::String,
|
||||
'IsTruncated' => Fog::Boolean
|
||||
}
|
||||
|
||||
attached_policy_format = {
|
||||
|
@ -39,7 +38,7 @@ Shindo.tests('AWS::IAM | managed policy requests', ['aws']) do
|
|||
|
||||
list_managed_policies_format = {
|
||||
'RequestId' => String,
|
||||
'AttachedPolicies' => [attached_policy_format]
|
||||
'Policies' => [attached_policy_format]
|
||||
}
|
||||
|
||||
tests("#create_policy('fog_policy')").formats(create_policy_format) do
|
||||
|
@ -74,7 +73,7 @@ Shindo.tests('AWS::IAM | managed policy requests', ['aws']) do
|
|||
Fog::AWS[:iam].attach_group_policy('fog_policy_test_group', @policy_arn).body
|
||||
end
|
||||
|
||||
tests("#list_attach_group_policies()").formats(fog_policy_test_group) do
|
||||
tests("#list_attach_group_policies()").formats(list_managed_policies_format) do
|
||||
Fog::AWS[:iam].list_attached_group_policies('fog_policy_test_group').body
|
||||
end
|
||||
|
||||
|
@ -83,11 +82,11 @@ Shindo.tests('AWS::IAM | managed policy requests', ['aws']) do
|
|||
end
|
||||
|
||||
tests("#attach_role_policy()").formats(AWS::IAM::Formats::BASIC) do
|
||||
Fog::AWS[:iam].attach_role_policy('fog_policy_test_role', @policy_arn).body
|
||||
body = Fog::AWS[:iam].attach_role_policy('fog_policy_test_role', @policy_arn).body
|
||||
end
|
||||
|
||||
tests("#list_attach_role_policies()").formats(fog_policy_test_group) do
|
||||
Fog::AWS[:iam].attach_role_policies('fog_policy_test_role').body
|
||||
tests("#list_attached_role_policies()").formats(list_managed_policies_format) do
|
||||
Fog::AWS[:iam].list_attached_role_policies('fog_policy_test_role').body
|
||||
end
|
||||
|
||||
tests("#detach_role_policy()").formats(AWS::IAM::Formats::BASIC) do
|
||||
|
@ -97,7 +96,7 @@ Shindo.tests('AWS::IAM | managed policy requests', ['aws']) do
|
|||
tests("#delete_policy()").formats(AWS::IAM::Formats::BASIC) do
|
||||
Fog::AWS[:iam].delete_policy(@policy_arn).body
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
tests('failure') do
|
||||
|
|
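Review bot: `body = Fog::AWS[:iam].attach_role_policy('fog_policy_test_role', @policy_arn).body` assigns a local that is never read; the `formats` block already uses the last expression as its value, so the original unassigned call is the clearer form. The test label `tests("#list_attach_group_policies()")` still names a request that does not exist while the body calls `list_attached_group_policies`, whereas the role test below was renamed to `#list_attached_role_policies()` in this commit — renaming the group label the same way keeps the output searchable. Dropping `pending if Fog.mocking?` means every request in this file now runs against the mocks, so `list_attached_role_policies` and `get_policy` mocks must exist; the page shows only part of that, so confirm the mock suite passes end to end.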