forked from TrueCloudLab/s3-tests
iam: test bucket policy principal for iam user with path
Signed-off-by: Casey Bodley <cbodley@redhat.com>
This commit is contained in:
parent
db76dfe791
commit
0377466704
1 changed files with 57 additions and 0 deletions
|
@ -1,5 +1,6 @@
|
||||||
import json
|
import json
|
||||||
import datetime
|
import datetime
|
||||||
|
import time
|
||||||
|
|
||||||
from botocore.exceptions import ClientError
|
from botocore.exceptions import ClientError
|
||||||
import pytest
|
import pytest
|
||||||
|
@ -1276,3 +1277,59 @@ def test_account_user_access_key_list(iam_root):
|
||||||
keys = sorted([id1, id2])
|
keys = sorted([id1, id2])
|
||||||
assert keys == sorted(user_list_key_ids(iam_root, UserName=name))
|
assert keys == sorted(user_list_key_ids(iam_root, UserName=name))
|
||||||
assert keys == sorted(user_list_key_ids(iam_root, UserName=name, PaginationConfig={'PageSize': 1}))
|
assert keys == sorted(user_list_key_ids(iam_root, UserName=name, PaginationConfig={'PageSize': 1}))
|
||||||
|
|
||||||
|
def retry_on(code, tries, func, *args, **kwargs):
|
||||||
|
for i in range(tries):
|
||||||
|
try:
|
||||||
|
return func(*args, **kwargs)
|
||||||
|
except ClientError as e:
|
||||||
|
err = e.response['Error']['Code']
|
||||||
|
if i + 1 < tries and err in code:
|
||||||
|
print(f'Got {err}, retrying in {i}s..')
|
||||||
|
time.sleep(i)
|
||||||
|
continue
|
||||||
|
raise
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.iam_account
|
||||||
|
@pytest.mark.iam_user
|
||||||
|
def test_account_user_bucket_policy_allow(iam_root):
|
||||||
|
path = get_iam_path_prefix()
|
||||||
|
name = make_iam_name('name')
|
||||||
|
response = iam_root.create_user(UserName=name, Path=path)
|
||||||
|
user_arn = response['User']['Arn']
|
||||||
|
assert user_arn.startswith('arn:aws:iam:')
|
||||||
|
assert user_arn.endswith(f':user{path}{name}')
|
||||||
|
|
||||||
|
key = iam_root.create_access_key(UserName=name)['AccessKey']
|
||||||
|
client = get_iam_s3client(aws_access_key_id=key['AccessKeyId'],
|
||||||
|
aws_secret_access_key=key['SecretAccessKey'])
|
||||||
|
|
||||||
|
# create a bucket with the root user
|
||||||
|
roots3 = get_iam_root_client(service_name='s3')
|
||||||
|
bucket = get_new_bucket(roots3)
|
||||||
|
try:
|
||||||
|
# the access key may take a bit to start working. retry until it returns
|
||||||
|
# something other than InvalidAccessKeyId
|
||||||
|
e = assert_raises(ClientError, retry_on, 'InvalidAccessKeyId', 10, client.list_objects, Bucket=bucket)
|
||||||
|
# expect AccessDenied because no identity policy allows s3 actions
|
||||||
|
status, error_code = _get_status_and_error_code(e.response)
|
||||||
|
assert status == 403
|
||||||
|
assert error_code == 'AccessDenied'
|
||||||
|
|
||||||
|
# add a bucket policy that allows s3:ListBucket for the iam user's arn
|
||||||
|
policy = json.dumps({
|
||||||
|
'Version': '2012-10-17',
|
||||||
|
'Statement': [{
|
||||||
|
'Effect': 'Allow',
|
||||||
|
'Principal': {'AWS': user_arn},
|
||||||
|
'Action': 's3:ListBucket',
|
||||||
|
'Resource': f'arn:aws:s3:::{bucket}'
|
||||||
|
}]
|
||||||
|
})
|
||||||
|
roots3.put_bucket_policy(Bucket=bucket, Policy=policy)
|
||||||
|
|
||||||
|
# verify that the iam user can eventually access it
|
||||||
|
retry_on('AccessDenied', 10, client.list_objects, Bucket=bucket)
|
||||||
|
finally:
|
||||||
|
roots3.delete_bucket(Bucket=bucket)
|
||||||
|
|
Loading…
Reference in a new issue