
mocks around iam policies

This commit is contained in:
Eugene Howe 2017-01-18 09:14:40 -05:00
parent 48af784f06
commit 1248610871
16 changed files with 211 additions and 26 deletions


@ -2561,6 +2561,7 @@
"Effect": "Allow",
"Action": [
"iam:GenerateCredentialReport",
"iam:GenerateServiceLastAccessedDetails",
"iam:Get*",
"iam:List*"
],


@ -8,6 +8,7 @@ module Fog
attribute :username
attribute :group_name
attribute :role_name
model Fog::AWS::IAM::ManagedPolicy
@ -16,6 +17,8 @@ module Fog
all_by_user(self.username, options)
elsif self.group_name
all_by_group(self.group_name, options)
elsif self.role_name
all_by_role(self.role_name, options)
else
all_policies(options)
end
@ -51,6 +54,15 @@ module Fog
end
end
def all_by_role(role_name, options={})
body = service.list_attached_role_policies(role_name, page_params(options)).body
merge_attributes(body)
body['Policies'].map do |policy|
service.get_policy(policy['PolicyArn']).body['Policy']
end
end
def all_policies(options={})
body = service.list_policies(page_params(options)).body
merge_attributes(body)
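Review bot: all_by_role has no documentation and its cost model is not obvious from the call site: after list_attached_role_policies it issues one get_policy request per entry in body['Policies'], so a role with many attachments pays N+1 calls, and merge_attributes(body) is what carries the paging attributes back onto the collection. A short header comment would help, e.g. `# Lists the managed policies attached to +role_name+; fetches each policy individually, so cost grows with the number of attachments.` The dispatch in all (the elsif chain ending at the else branch) also silently prefers username over group_name over role_name when more than one is set, which is worth a one-line comment there as well. The collection class itself starts and ends outside the hunk.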


@ -14,6 +14,8 @@ module Fog
attribute :path, :aliases => 'Path'
attribute :updated_at, :aliases => 'UpdateDate', :type => :time
attr_accessor :policy_document
def attach(user_or_username)
requires :arn
@ -32,6 +34,24 @@ module Fog
service.get_policy_version(self.arn, self.default_version).
body['PolicyVersion']['Document']
end
def reload
service.managed_policies.get(self.arn)
end
def save
requires :name, :policy_document
merge_attributes(service.create_policy(self.name, self.policy_document, self.path, self.description).body["Policy"])
end
def destroy
requires :arn
service.delete_policy(self.arn)
true
end
end
end
end
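Review bot: reload returns a fresh model from service.managed_policies.get(self.arn) but never updates the receiver, so `policy.reload` followed by reading `policy.attachments` still sees the stale value (the added test only works because it chains on the returned object). If the base model's reload is not already being relied on here, the usual fog shape is `merge_attributes(service.managed_policies.get(self.arn).attributes)` followed by `self`. Separately, save always calls create_policy, so saving an already persisted policy (arn set) re-creates it instead of updating; either guard on arn or document that save is create-only. The ManagedPolicy class starts before the hunk.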


@ -20,6 +20,36 @@ module Fog
true
end
def attach(policy_or_arn)
requires :rolename
arn = if policy_or_arn.respond_to?(:arn)
policy_or_arn.arn
else
policy_or_arn
end
service.attach_role_policy(self.rolename, arn)
end
def detach(policy_or_arn)
requires :rolename
arn = if policy_or_arn.respond_to?(:arn)
policy_or_arn.arn
else
policy_or_arn
end
service.detach_role_policy(self.rolename, arn)
end
def attached_policies
requires :rolename
service.managed_policies(:role_name => self.rolename)
end
def destroy
requires :rolename
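Review bot: attach and detach carry an identical copy of the arn resolution (the respond_to?(:arn) conditional), which is the kind of duplication that drifts the next time one side gets a nil check. A small private helper removes it: `def policy_arn_for(policy_or_arn)` / `policy_or_arn.respond_to?(:arn) ? policy_or_arn.arn : policy_or_arn` / `end`, with both public methods calling `service.attach_role_policy(self.rolename, policy_arn_for(policy_or_arn))` and the detach equivalent. Neither method validates that a plain string argument is actually an ARN; the mock rejects nil, but a comment stating that the argument is a policy model or an ARN string would set expectations. The Role class starts before the hunk and destroy continues past it.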


@ -46,6 +46,7 @@ module Fog
group = self.data[:groups][group_name]
group[:attached_policies] << policy_arn
managed_policy["AttachmentCount"] += 1
Excon::Response.new.tap { |response|
response.status = 200
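Review bot: the new `managed_policy["AttachmentCount"] += 1` is unconditional, and the preceding line appends the ARN to group[:attached_policies] unconditionally too, so attaching the same policy twice in the mock leaves a duplicate entry and a count of 2; as far as I recall the live API treats a repeat attach as a no-op, so the mock diverges from what tests against it would see. Guarding both lines with `unless group[:attached_policies].include?(policy_arn)` keeps the count equal to the number of distinct attachments. The same pattern appears in the attach_user_policy hunk and in the new attach_role_policy mock. The enclosing method starts before this hunk.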


@ -20,13 +20,39 @@ module Fog
#
def attach_role_policy(role_name, policy_arn)
request(
'Action' => 'AttachRolePolicy',
'RoleName' => role_name,
'PolicyArn' => policy_arn,
:parser => Fog::Parsers::AWS::IAM::Basic.new
'Action' => 'AttachRolePolicy',
'RoleName' => role_name,
'PolicyArn' => policy_arn,
:parser => Fog::Parsers::AWS::IAM::Basic.new
)
end
end
class Mock
def attach_role_policy(role_name, policy_arn)
response = Excon::Response.new
if policy_arn.nil?
raise Fog::AWS::IAM::ValidationError, "1 validation error detected: Value null at 'policyArn' failed to satisfy constraint: Member must not be null"
end
managed_policy = self.data[:managed_policies][policy_arn]
unless managed_policy
raise Fog::AWS::IAM::NotFound, "Policy #{policy_arn} does not exist."
end
unless self.data[:roles][role_name]
raise Fog::AWS::IAM::NotFound.new("The role with name #{role_name} cannot be found.")
end
role = self.data[:roles][role_name]
role[:attached_policies] ||= []
role[:attached_policies] << managed_policy['Arn']
managed_policy['AttachmentCount'] += 1
response.body = {"RequestId" => Fog::AWS::Mock.request_id}
response
end
end
end
end
end
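Review bot: the Mock attach_role_policy never sets a status on the Excon::Response it builds, whereas the existing attach_group_policy and attach_user_policy mocks set `response.status = 200`, so callers that check the status see nil from this path only. Adding `response.status = 200` before assigning the body keeps the three mocks interchangeable; the new create_policy, delete_policy and detach_role_policy mocks in this commit have the same gap. The role-existence check also uses bare truthiness on `self.data[:roles][role_name]` while detach_role_policy uses `key?`, which is worth aligning one way or the other.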


@ -46,6 +46,7 @@ module Fog
user = self.data[:users][user_name]
user[:attached_policies] << policy_arn
managed_policy['AttachmentCount'] += 1
Excon::Response.new.tap { |response|
response.status = 200


@ -35,13 +35,37 @@ module Fog
'PolicyName' => policy_name,
'PolicyDocument' => Fog::JSON.encode(policy_document),
'Path' => path,
'Description' => description,
'Description' => description,
:parser => Fog::Parsers::AWS::IAM::SinglePolicy.new
}.reject {|_, value| value.nil?})
end
end
class Mock
def create_policy(policy_name, policy_document, path="/", description=nil)
response = Excon::Response.new
arn = "arn:aws:iam:#{Fog::AWS::Mock.owner_id}:policy/#{policy_name}"
policy = {
"Arn" => arn,
"AttachmentCount" => 0,
"CreateDate" => Time.now.utc,
"DefaultVersionId" => "v1",
"Description" => description,
"IsAttachable" => true,
"Path" => path,
"PolicyId" => Fog::Mock.random_hex(21),
"PolicyName" => policy_name,
"UpdateDate" => Time.now.utc,
}
self.data[:managed_policies][arn] = policy
response.body = {"RequestId" => Fog::AWS::Mock.request_id, "Policy" => policy}
response
end
end
end
end
end
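Review bot: the ARN built in the Mock create_policy, `"arn:aws:iam:#{Fog::AWS::Mock.owner_id}:policy/#{policy_name}"`, has only five colon-separated fields; IAM ARNs carry an empty region field, `arn:aws:iam::ACCOUNT:policy/...`, and include the policy path, so anything that parses the mock ARN the way it parses a real one will break. Something like `arn = "arn:aws:iam::#{Fog::AWS::Mock.owner_id}:policy#{path}#{policy_name}"` reproduces the real shape for the default path "/", though it needs a decision for a nil path (the model's save passes self.path through unchanged). The mock also accepts a second policy with the same name and silently overwrites the first entry in data[:managed_policies], where the live API rejects the duplicate; raising the already-exists error the other create_* mocks use when the name is taken would catch that.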


@ -25,6 +25,21 @@ module Fog
)
end
end
class Mock
def delete_policy(policy_arn)
response = Excon::Response.new
policy = self.data[:managed_policies][policy_arn]
if policy.nil?
raise Fog::AWS::IAM::NotFound.new("Policy #{policy_arn} does not exist or is not attachable.")
end
self.data[:managed_policies].delete(policy_arn)
response.body = {"RequestId" => Fog::AWS::Mock.request_id}
response
end
end
end
end
end
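Review bot: the Mock delete_policy removes the policy even when its "AttachmentCount" is non-zero, and it leaves the ARN inside the :attached_policies arrays of users, groups and roles, so a later list_attached_* call in the mock will hit get_policy for an ARN that no longer exists. The live API refuses to delete an attached policy with a conflict error, so the mock should raise when `policy["AttachmentCount"] > 0` (using whichever conflict error class the IAM service defines) before the `delete` call. A one-line comment noting that policy versions are not modelled here would also save the next reader a search.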


@ -46,6 +46,7 @@ module Fog
group = self.data[:groups][group_name]
group[:attached_policies].delete(policy_arn)
managed_policy["AttachmentCount"] -= 1
Excon::Response.new.tap { |response|
response.status = 200
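Review bot: the new `managed_policy["AttachmentCount"] -= 1` runs regardless of whether the preceding `delete(policy_arn)` removed anything, so detaching a policy that was never attached to the group drives the count negative instead of failing. Since Array#delete returns nil when nothing matched, the cheapest fix is to branch on it, e.g. `raise Fog::AWS::IAM::NotFound, "Policy #{policy_arn} was not attached to group #{group_name}." unless group[:attached_policies].delete(policy_arn)` (message wording is a constructed example) and decrement only after that. The detach_user_policy and detach_role_policy hunks in this commit have the same unconditional decrement. The enclosing method starts before this hunk.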


@ -27,6 +27,33 @@ module Fog
)
end
end
class Mock
def detach_role_policy(role_name, policy_arn)
response = Excon::Response.new
if policy_arn.nil?
raise Fog::AWS::IAM::ValidationError, "1 validation error detected: Value null at 'policyArn' failed to satisfy constraint: Member must not be null"
end
managed_policy = self.data[:managed_policies][policy_arn]
unless managed_policy
raise Fog::AWS::IAM::NotFound, "Policy #{policy_arn} does not exist."
end
unless self.data[:roles].key?(role_name)
raise Fog::AWS::IAM::NotFound.new("The role with name #{role_name} cannot be found.")
end
role = self.data[:roles][role_name]
role[:attached_policies].delete(policy_arn)
managed_policy["AttachmentCount"] -= 1
response.body = {"RequestId" => Fog::AWS::Mock.request_id}
response
end
end
end
end
end
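Review bot: `role[:attached_policies].delete(policy_arn)` will raise NoMethodError on nil for a role that has never had a policy attached, because the matching attach_role_policy mock only initialises the array lazily with `role[:attached_policies] ||= []`. Using `(role[:attached_policies] ||= []).delete(policy_arn)` here, or initialising the array where the role is created, turns that crash into the ordinary not-attached path. The validation message for a nil policy_arn is duplicated verbatim from attach_role_policy; hoisting it to a constant keeps the two from drifting.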


@ -46,6 +46,7 @@ module Fog
user = self.data[:users][user_name]
user[:attached_policies].delete(policy_arn)
managed_policy["AttachmentCount"] -= 1
Excon::Response.new.tap { |response|
response.status = 200


@ -70,7 +70,8 @@ module Fog
body = {
'Policies' => data,
'IsTruncated' => truncated,
'RequestId' => Fog::AWS::Mock.request_id
'RequestId' => Fog::AWS::Mock.request_id,
'Marker' => nil
}
if marker


@ -64,6 +64,10 @@ module Fog
self.data[:managed_policies].values
end
if options["PathPrefix"]
data_set.select! { |p| p["Path"].match(/^#{options["PathPrefix"]}/) }
end
data = data_set.slice!(0, limit || 100)
truncated = data_set.size > 0
marker = truncated && Base64.encode64("metadata/l/#{account_id}/#{UUID.uuid}")
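Review bot: the PathPrefix filter interpolates the caller's string unescaped into a regex and anchors it with `^`, so a prefix containing regex metacharacters (a `.` or `(` in a path segment, say) is interpreted rather than matched literally, and `^` matches at any line start rather than the start of the string. A prefix test needs no regex at all: `data_set.select! { |p| p["Path"].start_with?(options["PathPrefix"]) }`. If a policy can be stored with a nil "Path" (the create_policy mock stores whatever path it was given), that line will also need a nil guard — worth confirming against the callers.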


@ -22,7 +22,7 @@ Shindo.tests("Fog::Compute[:iam] | managed_policies", ['aws','iam']) do
"Statement" => [
{
"Effect" => "Allow",
"Action" => [ "iam:GenerateCredentialReport", "iam:Get*", "iam:List*" ],
"Action" => [ "iam:GenerateCredentialReport", "iam:GenerateServiceLastAccessedDetails", "iam:Get*", "iam:List*" ],
"Resource" => "*"
}
]
@ -38,6 +38,8 @@ Shindo.tests("Fog::Compute[:iam] | managed_policies", ['aws','iam']) do
user.attached_policies.map(&:identity) == [policy.identity]
end
returns(1) { policy.reload.attachments}
tests("#detach").succeeds do
user.detach(policy)
@ -56,6 +58,8 @@ Shindo.tests("Fog::Compute[:iam] | managed_policies", ['aws','iam']) do
group.attached_policies.map(&:identity) == [policy.identity]
end
returns(1) { policy.reload.attachments}
tests("#detach").succeeds do
group.detach(policy)
@ -64,4 +68,22 @@ Shindo.tests("Fog::Compute[:iam] | managed_policies", ['aws','iam']) do
group.destroy
end
tests("roles") do
role = iam.roles.create(:rolename => uniq_id("fog-test-role"))
tests("#attach").succeeds do
role.attach(policy)
role.attached_policies.map(&:identity) == [policy.identity]
end
returns(1) { policy.reload.attachments}
tests("#detach").succeeds do
role.detach(policy)
role.attached_policies.map(&:identity) == []
end
role.destroy
end
end
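Review bot: the new roles block asserts `returns(1) { policy.reload.attachments}` after attach but never asserts the count after detach, so the decrement path of the detach mocks goes unexercised by this test (the user and group blocks have the same gap). Adding `returns(0) { policy.reload.attachments }` after the `#detach` test in the roles block, and ideally in the other two, pins both directions of the counter.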


@ -1,6 +1,5 @@
Shindo.tests('AWS::IAM | managed policy requests', ['aws']) do
pending if Fog.mocking?
Fog::AWS[:iam].create_group('fog_policy_test_group')
Fog::AWS[:iam].create_user('fog_policy_test_user')
Fog::AWS[:iam].create_role('fog_policy_test_role', Fog::AWS::IAM::EC2_ASSUME_ROLE_POLICY)
@ -8,16 +7,16 @@ Shindo.tests('AWS::IAM | managed policy requests', ['aws']) do
tests('success') do
@policy = {'Version' => '2012-10-17', "Statement" => [{"Effect" => "Deny", "Action" => "*", "Resource" => "*"}]}
@policy_format = {
'Arn' => String,
'AttachmentCount' => Integer,
'Description' => String,
'Arn' => String,
'AttachmentCount' => Integer,
'Description' => Fog::Nullable::String,
'DefaultVersionId' => String,
'IsAttachable' => Fog::Boolean,
'Path' => String,
'PolicyId' => String,
'PolicyName' => String,
'CreateDate' => Time,
'UpdateDate' => Time
'IsAttachable' => Fog::Boolean,
'Path' => String,
'PolicyId' => String,
'PolicyName' => String,
'CreateDate' => Time,
'UpdateDate' => Time
}
create_policy_format = {
@ -28,8 +27,8 @@ Shindo.tests('AWS::IAM | managed policy requests', ['aws']) do
list_policies_format = {
'RequestId' => String,
'Policies' => [@policy_format],
'Marker' => String,
'IsTruncated' => Fog::Boolean
'Marker' => Fog::Nullable::String,
'IsTruncated' => Fog::Boolean
}
attached_policy_format = {
@ -39,7 +38,7 @@ Shindo.tests('AWS::IAM | managed policy requests', ['aws']) do
list_managed_policies_format = {
'RequestId' => String,
'AttachedPolicies' => [attached_policy_format]
'Policies' => [attached_policy_format]
}
tests("#create_policy('fog_policy')").formats(create_policy_format) do
@ -74,7 +73,7 @@ Shindo.tests('AWS::IAM | managed policy requests', ['aws']) do
Fog::AWS[:iam].attach_group_policy('fog_policy_test_group', @policy_arn).body
end
tests("#list_attach_group_policies()").formats(fog_policy_test_group) do
tests("#list_attach_group_policies()").formats(list_managed_policies_format) do
Fog::AWS[:iam].list_attached_group_policies('fog_policy_test_group').body
end
@ -83,11 +82,11 @@ Shindo.tests('AWS::IAM | managed policy requests', ['aws']) do
end
tests("#attach_role_policy()").formats(AWS::IAM::Formats::BASIC) do
Fog::AWS[:iam].attach_role_policy('fog_policy_test_role', @policy_arn).body
body = Fog::AWS[:iam].attach_role_policy('fog_policy_test_role', @policy_arn).body
end
tests("#list_attach_role_policies()").formats(fog_policy_test_group) do
Fog::AWS[:iam].attach_role_policies('fog_policy_test_role').body
tests("#list_attached_role_policies()").formats(list_managed_policies_format) do
Fog::AWS[:iam].list_attached_role_policies('fog_policy_test_role').body
end
tests("#detach_role_policy()").formats(AWS::IAM::Formats::BASIC) do
@ -97,7 +96,7 @@ Shindo.tests('AWS::IAM | managed policy requests', ['aws']) do
tests("#delete_policy()").formats(AWS::IAM::Formats::BASIC) do
Fog::AWS[:iam].delete_policy(@policy_arn).body
end
end
tests('failure') do