forked from TrueCloudLab/s3-tests
iam: add account tests for Group apis
Signed-off-by: Casey Bodley <cbodley@redhat.com>
This commit is contained in:
parent
d5791d8da6
commit
4ca7967ae7
2 changed files with 156 additions and 0 deletions
|
@ -16,6 +16,7 @@ markers =
|
|||
fails_on_rgw
|
||||
fails_on_s3
|
||||
fails_with_subdomain
|
||||
group
|
||||
iam_account
|
||||
iam_cross_account
|
||||
iam_role
|
||||
|
|
|
@ -928,6 +928,32 @@ def nuke_users(client, **kwargs):
|
|||
except:
|
||||
pass
|
||||
|
||||
def nuke_group_users(client, name):
|
||||
p = client.get_paginator('get_group')
|
||||
for response in p.paginate(GroupName=name):
|
||||
for user in response['Users']:
|
||||
try:
|
||||
client.remove_user_from_group(GroupName=name, UserName=user['UserName'])
|
||||
except:
|
||||
pass
|
||||
|
||||
def nuke_group(client, name):
|
||||
# delete group policies and remove all users
|
||||
try:
|
||||
nuke_group_users(client, name)
|
||||
except:
|
||||
pass
|
||||
client.delete_group(GroupName=name)
|
||||
|
||||
def nuke_groups(client, **kwargs):
|
||||
p = client.get_paginator('list_groups')
|
||||
for response in p.paginate(**kwargs):
|
||||
for user in response['Groups']:
|
||||
try:
|
||||
nuke_group(client, user['GroupName'])
|
||||
except:
|
||||
pass
|
||||
|
||||
def nuke_role_policies(client, name):
|
||||
p = client.get_paginator('list_role_policies')
|
||||
for response in p.paginate(RoleName=name):
|
||||
|
@ -991,6 +1017,7 @@ def iam_root(configfile):
|
|||
|
||||
yield client
|
||||
nuke_users(client, PathPrefix=get_iam_path_prefix())
|
||||
nuke_groups(client, PathPrefix=get_iam_path_prefix())
|
||||
nuke_roles(client, PathPrefix=get_iam_path_prefix())
|
||||
nuke_oidc_providers(client, get_iam_path_prefix())
|
||||
|
||||
|
@ -1572,6 +1599,134 @@ def test_account_user_policy_allow(iam_root):
|
|||
retry_on('AccessDenied', 10, client.list_buckets)
|
||||
|
||||
|
||||
def group_list_names(client, **kwargs):
|
||||
p = client.get_paginator('list_groups')
|
||||
names = []
|
||||
for response in p.paginate(**kwargs):
|
||||
names += [u['GroupName'] for u in response['Groups']]
|
||||
return names
|
||||
|
||||
# IAM Group apis
|
||||
@pytest.mark.group
|
||||
@pytest.mark.iam_account
|
||||
def test_account_group_create(iam_root):
|
||||
path = get_iam_path_prefix()
|
||||
name = make_iam_name('G1')
|
||||
|
||||
assert [] == group_list_names(iam_root, PathPrefix=path)
|
||||
|
||||
response = iam_root.create_group(GroupName=name, Path=path)
|
||||
group = response['Group']
|
||||
assert path == group['Path']
|
||||
assert name == group['GroupName']
|
||||
assert len(group['GroupId'])
|
||||
arn = group['Arn']
|
||||
assert arn.startswith('arn:aws:iam:')
|
||||
assert arn.endswith(f':group{path}{name}')
|
||||
|
||||
with pytest.raises(iam_root.exceptions.EntityAlreadyExistsException):
|
||||
iam_root.create_group(GroupName=name)
|
||||
|
||||
response = iam_root.get_group(GroupName=name)
|
||||
assert group == response['Group']
|
||||
|
||||
assert [name] == group_list_names(iam_root, PathPrefix=path)
|
||||
|
||||
iam_root.delete_group(GroupName=name)
|
||||
|
||||
with pytest.raises(iam_root.exceptions.NoSuchEntityException):
|
||||
iam_root.get_group(GroupName=name)
|
||||
|
||||
assert [] == group_list_names(iam_root, PathPrefix=path)
|
||||
|
||||
@pytest.mark.iam_account
|
||||
@pytest.mark.group
|
||||
def test_account_group_case_insensitive_name(iam_root):
|
||||
path = get_iam_path_prefix()
|
||||
name_upper = make_iam_name('G1')
|
||||
name_lower = make_iam_name('g1')
|
||||
response = iam_root.create_group(GroupName=name_upper, Path=path)
|
||||
group = response['Group']
|
||||
|
||||
with pytest.raises(iam_root.exceptions.EntityAlreadyExistsException):
|
||||
iam_root.create_group(GroupName=name_lower)
|
||||
|
||||
response = iam_root.get_group(GroupName=name_lower)
|
||||
assert group == response['Group']
|
||||
|
||||
iam_root.delete_group(GroupName=name_lower)
|
||||
|
||||
with pytest.raises(iam_root.exceptions.NoSuchEntityException):
|
||||
iam_root.delete_group(GroupName=name_upper)
|
||||
|
||||
@pytest.mark.iam_account
|
||||
@pytest.mark.group
|
||||
def test_account_group_list(iam_root):
|
||||
path = get_iam_path_prefix()
|
||||
response = iam_root.list_groups(PathPrefix=path)
|
||||
assert len(response['Groups']) == 0
|
||||
assert response['IsTruncated'] == False
|
||||
|
||||
name1 = make_iam_name('aa')
|
||||
name2 = make_iam_name('Ab')
|
||||
name3 = make_iam_name('ac')
|
||||
name4 = make_iam_name('Ad')
|
||||
|
||||
# sort order is independent of Path and GroupName capitalization
|
||||
iam_root.create_group(GroupName=name4, Path=path+'w/')
|
||||
iam_root.create_group(GroupName=name3, Path=path+'x/')
|
||||
iam_root.create_group(GroupName=name2, Path=path+'y/')
|
||||
iam_root.create_group(GroupName=name1, Path=path+'z/')
|
||||
|
||||
assert [name1, name2, name3, name4] == \
|
||||
group_list_names(iam_root, PathPrefix=path)
|
||||
assert [name1, name2, name3, name4] == \
|
||||
group_list_names(iam_root, PathPrefix=path, PaginationConfig={'PageSize': 1})
|
||||
|
||||
@pytest.mark.group
|
||||
@pytest.mark.iam_account
|
||||
def test_account_group_update(iam_root):
|
||||
path = get_iam_path_prefix()
|
||||
name = make_iam_name('G1')
|
||||
response = iam_root.create_group(GroupName=name, Path=path)
|
||||
group_id = response['Group']['GroupId']
|
||||
|
||||
username = make_iam_name('U1')
|
||||
iam_root.create_user(UserName=username, Path=path)
|
||||
|
||||
iam_root.add_user_to_group(GroupName=name, UserName=username)
|
||||
|
||||
response = iam_root.list_groups_for_user(UserName=username)
|
||||
groups = response['Groups']
|
||||
assert len(groups) == 1
|
||||
assert path == groups[0]['Path']
|
||||
assert name == groups[0]['GroupName']
|
||||
assert group_id == groups[0]['GroupId']
|
||||
|
||||
new_path = path + 'new/'
|
||||
new_name = make_iam_name('NG1')
|
||||
iam_root.update_group(GroupName=name, NewPath=new_path, NewGroupName=new_name)
|
||||
|
||||
response = iam_root.get_group(GroupName=new_name)
|
||||
group = response['Group']
|
||||
assert new_path == group['Path']
|
||||
assert new_name == group['GroupName']
|
||||
assert group_id == group['GroupId']
|
||||
arn = group['Arn']
|
||||
assert arn.startswith('arn:aws:iam:')
|
||||
assert arn.endswith(f':group{new_path}{new_name}')
|
||||
users = response['Users']
|
||||
assert len(users) == 1
|
||||
assert username == users[0]['UserName']
|
||||
|
||||
response = iam_root.list_groups_for_user(UserName=username)
|
||||
groups = response['Groups']
|
||||
assert len(groups) == 1
|
||||
assert new_path == groups[0]['Path']
|
||||
assert new_name == groups[0]['GroupName']
|
||||
assert group_id == groups[0]['GroupId']
|
||||
|
||||
|
||||
assume_role_policy = json.dumps({
|
||||
'Version': '2012-10-17',
|
||||
'Statement': [{
|
||||
|
|
Loading…
Reference in a new issue