From 7fbe5e94be036c8e743993ec0caff4a61cd0b1de Mon Sep 17 00:00:00 2001 From: Casey Bodley Date: Sun, 4 Feb 2024 18:07:09 -0500 Subject: [PATCH] iam: test managed role policy Signed-off-by: Casey Bodley (cherry picked from commit 46217fcf812fb1462b1b846d0fa45a9a7436d868) --- s3tests_boto3/functional/test_iam.py | 70 ++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/s3tests_boto3/functional/test_iam.py b/s3tests_boto3/functional/test_iam.py index b06c5b8..a49f129 100644 --- a/s3tests_boto3/functional/test_iam.py +++ b/s3tests_boto3/functional/test_iam.py @@ -932,12 +932,25 @@ def nuke_role_policies(client, name): except: pass +def nuke_attached_role_policies(client, name): + p = client.get_paginator('list_attached_role_policies') + for response in p.paginate(RoleName=name): + for policy in response['AttachedPolicies']: + try: + client.detach_role_policy(RoleName=name, PolicyArn=policy['PolicyArn']) + except: + pass + def nuke_role(client, name): # delete role policies, etc try: nuke_role_policies(client, name) except: pass + try: + nuke_attached_role_policies(client, name) + except: + pass client.delete_role(RoleName=name) def nuke_roles(client, **kwargs): @@ -1780,6 +1793,63 @@ def test_account_role_policy(iam_root): with pytest.raises(iam_root.exceptions.NoSuchEntityException): iam_root.delete_role_policy(RoleName=role_name, PolicyName=policy_name) +@pytest.mark.role_policy +@pytest.mark.iam_account +def test_account_role_policy_managed(iam_root): + path = get_iam_path_prefix() + name = make_iam_name('name') + policy1 = 'arn:aws:iam::aws:policy/AmazonS3FullAccess' + policy2 = 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess' + + # Attach/Detach/List fail on nonexistent RoleName + with pytest.raises(iam_root.exceptions.NoSuchEntityException): + iam_root.attach_role_policy(RoleName=name, PolicyArn=policy1) + with pytest.raises(iam_root.exceptions.NoSuchEntityException): + iam_root.detach_role_policy(RoleName=name, PolicyArn=policy1) + with pytest.raises(iam_root.exceptions.NoSuchEntityException): + iam_root.list_attached_role_policies(RoleName=name) + + iam_root.create_role(RoleName=name, Path=path, AssumeRolePolicyDocument=assume_role_policy) + + # Detach fails on unattached PolicyArn + with pytest.raises(iam_root.exceptions.NoSuchEntityException): + iam_root.detach_role_policy(RoleName=name, PolicyArn=policy1) + + iam_root.attach_role_policy(RoleName=name, PolicyArn=policy1) + iam_root.attach_role_policy(RoleName=name, PolicyArn=policy1) + + response = iam_root.list_attached_role_policies(RoleName=name) + assert len(response['AttachedPolicies']) == 1 + assert 'AmazonS3FullAccess' == response['AttachedPolicies'][0]['PolicyName'] + assert policy1 == response['AttachedPolicies'][0]['PolicyArn'] + + iam_root.attach_role_policy(RoleName=name, PolicyArn=policy2) + + response = iam_root.list_attached_role_policies(RoleName=name) + policies = response['AttachedPolicies'] + assert len(policies) == 2 + names = [p['PolicyName'] for p in policies] + arns = [p['PolicyArn'] for p in policies] + assert 'AmazonS3FullAccess' in names + assert policy1 in arns + assert 'AmazonS3ReadOnlyAccess' in names + assert policy2 in arns + + iam_root.detach_role_policy(RoleName=name, PolicyArn=policy2) + + # Detach fails after Detach + with pytest.raises(iam_root.exceptions.NoSuchEntityException): + iam_root.detach_role_policy(RoleName=name, PolicyArn=policy2) + + response = iam_root.list_attached_role_policies(RoleName=name) + assert len(response['AttachedPolicies']) == 1 + assert 'AmazonS3FullAccess' == response['AttachedPolicies'][0]['PolicyName'] + assert policy1 == response['AttachedPolicies'][0]['PolicyArn'] + + # DeleteRole fails while policies are still attached + with pytest.raises(iam_root.exceptions.DeleteConflictException): + iam_root.delete_role(RoleName=name) + @pytest.mark.iam_account @pytest.mark.iam_role @pytest.mark.role_policy