iam: add account tests for Group apis

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 4ca7967ae7)
This commit is contained in:
Casey Bodley 2024-02-11 11:50:43 -05:00
parent 5613ec249f
commit e44e0447a3
2 changed files with 156 additions and 0 deletions

View file

@ -16,6 +16,7 @@ markers =
fails_on_rgw fails_on_rgw
fails_on_s3 fails_on_s3
fails_with_subdomain fails_with_subdomain
group
iam_account iam_account
iam_cross_account iam_cross_account
iam_role iam_role

View file

@ -928,6 +928,32 @@ def nuke_users(client, **kwargs):
except: except:
pass pass
def nuke_group_users(client, name):
p = client.get_paginator('get_group')
for response in p.paginate(GroupName=name):
for user in response['Users']:
try:
client.remove_user_from_group(GroupName=name, UserName=user['UserName'])
except:
pass
def nuke_group(client, name):
# delete group policies and remove all users
try:
nuke_group_users(client, name)
except:
pass
client.delete_group(GroupName=name)
def nuke_groups(client, **kwargs):
p = client.get_paginator('list_groups')
for response in p.paginate(**kwargs):
for user in response['Groups']:
try:
nuke_group(client, user['GroupName'])
except:
pass
def nuke_role_policies(client, name): def nuke_role_policies(client, name):
p = client.get_paginator('list_role_policies') p = client.get_paginator('list_role_policies')
for response in p.paginate(RoleName=name): for response in p.paginate(RoleName=name):
@ -991,6 +1017,7 @@ def iam_root(configfile):
yield client yield client
nuke_users(client, PathPrefix=get_iam_path_prefix()) nuke_users(client, PathPrefix=get_iam_path_prefix())
nuke_groups(client, PathPrefix=get_iam_path_prefix())
nuke_roles(client, PathPrefix=get_iam_path_prefix()) nuke_roles(client, PathPrefix=get_iam_path_prefix())
nuke_oidc_providers(client, get_iam_path_prefix()) nuke_oidc_providers(client, get_iam_path_prefix())
@ -1572,6 +1599,134 @@ def test_account_user_policy_allow(iam_root):
retry_on('AccessDenied', 10, client.list_buckets) retry_on('AccessDenied', 10, client.list_buckets)
def group_list_names(client, **kwargs):
p = client.get_paginator('list_groups')
names = []
for response in p.paginate(**kwargs):
names += [u['GroupName'] for u in response['Groups']]
return names
# IAM Group apis
@pytest.mark.group
@pytest.mark.iam_account
def test_account_group_create(iam_root):
path = get_iam_path_prefix()
name = make_iam_name('G1')
assert [] == group_list_names(iam_root, PathPrefix=path)
response = iam_root.create_group(GroupName=name, Path=path)
group = response['Group']
assert path == group['Path']
assert name == group['GroupName']
assert len(group['GroupId'])
arn = group['Arn']
assert arn.startswith('arn:aws:iam:')
assert arn.endswith(f':group{path}{name}')
with pytest.raises(iam_root.exceptions.EntityAlreadyExistsException):
iam_root.create_group(GroupName=name)
response = iam_root.get_group(GroupName=name)
assert group == response['Group']
assert [name] == group_list_names(iam_root, PathPrefix=path)
iam_root.delete_group(GroupName=name)
with pytest.raises(iam_root.exceptions.NoSuchEntityException):
iam_root.get_group(GroupName=name)
assert [] == group_list_names(iam_root, PathPrefix=path)
@pytest.mark.iam_account
@pytest.mark.group
def test_account_group_case_insensitive_name(iam_root):
path = get_iam_path_prefix()
name_upper = make_iam_name('G1')
name_lower = make_iam_name('g1')
response = iam_root.create_group(GroupName=name_upper, Path=path)
group = response['Group']
with pytest.raises(iam_root.exceptions.EntityAlreadyExistsException):
iam_root.create_group(GroupName=name_lower)
response = iam_root.get_group(GroupName=name_lower)
assert group == response['Group']
iam_root.delete_group(GroupName=name_lower)
with pytest.raises(iam_root.exceptions.NoSuchEntityException):
iam_root.delete_group(GroupName=name_upper)
@pytest.mark.iam_account
@pytest.mark.group
def test_account_group_list(iam_root):
path = get_iam_path_prefix()
response = iam_root.list_groups(PathPrefix=path)
assert len(response['Groups']) == 0
assert response['IsTruncated'] == False
name1 = make_iam_name('aa')
name2 = make_iam_name('Ab')
name3 = make_iam_name('ac')
name4 = make_iam_name('Ad')
# sort order is independent of Path and GroupName capitalization
iam_root.create_group(GroupName=name4, Path=path+'w/')
iam_root.create_group(GroupName=name3, Path=path+'x/')
iam_root.create_group(GroupName=name2, Path=path+'y/')
iam_root.create_group(GroupName=name1, Path=path+'z/')
assert [name1, name2, name3, name4] == \
group_list_names(iam_root, PathPrefix=path)
assert [name1, name2, name3, name4] == \
group_list_names(iam_root, PathPrefix=path, PaginationConfig={'PageSize': 1})
@pytest.mark.group
@pytest.mark.iam_account
def test_account_group_update(iam_root):
path = get_iam_path_prefix()
name = make_iam_name('G1')
response = iam_root.create_group(GroupName=name, Path=path)
group_id = response['Group']['GroupId']
username = make_iam_name('U1')
iam_root.create_user(UserName=username, Path=path)
iam_root.add_user_to_group(GroupName=name, UserName=username)
response = iam_root.list_groups_for_user(UserName=username)
groups = response['Groups']
assert len(groups) == 1
assert path == groups[0]['Path']
assert name == groups[0]['GroupName']
assert group_id == groups[0]['GroupId']
new_path = path + 'new/'
new_name = make_iam_name('NG1')
iam_root.update_group(GroupName=name, NewPath=new_path, NewGroupName=new_name)
response = iam_root.get_group(GroupName=new_name)
group = response['Group']
assert new_path == group['Path']
assert new_name == group['GroupName']
assert group_id == group['GroupId']
arn = group['Arn']
assert arn.startswith('arn:aws:iam:')
assert arn.endswith(f':group{new_path}{new_name}')
users = response['Users']
assert len(users) == 1
assert username == users[0]['UserName']
response = iam_root.list_groups_for_user(UserName=username)
groups = response['Groups']
assert len(groups) == 1
assert new_path == groups[0]['Path']
assert new_name == groups[0]['GroupName']
assert group_id == groups[0]['GroupId']
assume_role_policy = json.dumps({ assume_role_policy = json.dumps({
'Version': '2012-10-17', 'Version': '2012-10-17',
'Statement': [{ 'Statement': [{