require "helper"
require "inspec/resource"
require "resources/aws/aws_iam_policy"
require "resource_support/aws"
# MAIPSB = MockAwsIamPolicySingularBackend
# Abbreviation not used outside this file
#=============================================================================#
# Constructor Tests
#=============================================================================#
class AwsIamPolicyConstructorTest < Minitest::Test
  # Constructor tests run against a backend that lists no policies, so only
  # argument handling is exercised here, never the result of a lookup.
  def setup
    AwsIamPolicy::BackendFactory.select(MAIPSB::Empty)
  end

  # A resource with nothing to identify the policy is a usage error.
  def test_rejects_empty_params
    assert_raises(ArgumentError) do
      AwsIamPolicy.new
    end
  end

  # Scalar form: the single positional argument is the policy name.
  def test_accepts_policy_name_as_scalar
    AwsIamPolicy.new("test-policy-1")
  end

  # Hash form: the policy name travels under the policy_name key.
  def test_accepts_policy_name_as_hash
    AwsIamPolicy.new(policy_name: "test-policy-1")
  end

  # Unknown keys are refused rather than silently ignored.
  def test_rejects_unrecognized_params
    assert_raises(ArgumentError) do
      AwsIamPolicy.new(shoe_size: 9)
    end
  end
end
#=============================================================================#
# Search / Recall
#=============================================================================#
class AwsIamPolicyRecallTest < Minitest::Test
  # Recall tests use the populated backend so that lookups can succeed.
  def setup
    AwsIamPolicy::BackendFactory.select(MAIPSB::Basic)
  end

  # A policy present in the backend is found when named positionally.
  def test_search_hit_via_scalar_works
    found = AwsIamPolicy.new("test-policy-1")
    assert found.exists?, "test-policy-1 should be found by scalar name"
  end

  # ... and when named through the policy_name key.
  def test_search_hit_via_hash_works
    found = AwsIamPolicy.new(policy_name: "test-policy-1")
    assert found.exists?, "test-policy-1 should be found by policy_name key"
  end

  # A lookup miss is reported through exists?, not raised.
  def test_search_miss_is_not_an_exception
    absent = AwsIamPolicy.new(policy_name: "non-existant")
    refute absent.exists?, "an unknown policy name should not exist"
  end
end
#=============================================================================#
# Properties
#=============================================================================#
class AwsIamPolicyPropertiesTest < Minitest::Test
  def setup
    AwsIamPolicy::BackendFactory.select(MAIPSB::Basic)
  end

  # Each scalar property reads through from the backend for a known policy
  # and is nil (not an exception) for a policy that does not exist.
  def test_property_arn
    assert_equal("arn:aws:iam::aws:policy/test-policy-1", policy_one.arn)
    assert_nil(missing_by_hash.arn)
  end

  def test_property_default_version_id
    assert_equal("v1", policy_one.default_version_id)
    assert_nil(missing_by_hash.default_version_id)
  end

  def test_property_attachment_count
    assert_equal(3, policy_one.attachment_count)
    assert_nil(missing_by_hash.attachment_count)
  end

  # The attached_* properties are plain arrays of principal names.
  def test_property_attached_users
    assert_equal(["test-user"], policy_one.attached_users)
    assert_nil(missing_by_hash.attached_users)
  end

  def test_property_attached_groups
    assert_equal(["test-group"], policy_one.attached_groups)
    assert_nil(missing_by_hash.attached_groups)
  end

  def test_property_attached_roles
    assert_equal(["test-role"], policy_one.attached_roles)
    assert_nil(missing_by_hash.attached_roles)
  end

  # `policy` is the decoded policy document: a Hash with a Statement key.
  def test_property_policy
    document = policy_one.policy
    assert_kind_of(Hash, document)
    assert(document.key?("Statement"), "test-policy-1 should have a Statement key when unpacked")
    assert_equal(1, document["Statement"].count, "test-policy-1 should have 1 statements when unpacked")
    assert_nil(AwsIamPolicy.new("non-existant").policy)
  end

  # statement_count is derived from the document; test-policy-3's document
  # carries a single statement as a hash rather than an array and must
  # still count as one.
  def test_property_statement_count
    assert_nil(AwsIamPolicy.new("non-existant").statement_count)
    { "test-policy-1" => 1, "test-policy-2" => 2, "test-policy-3" => 1 }.each do |name, expected|
      assert_equal(expected, AwsIamPolicy.new(name).statement_count)
    end
  end

  private

  # The fully populated fixture policy.
  def policy_one
    AwsIamPolicy.new("test-policy-1")
  end

  # A policy name the backend does not know, given in hash form.
  def missing_by_hash
    AwsIamPolicy.new(policy_name: "non-existant")
  end
end
#=============================================================================#
# Matchers
#=============================================================================#
class AwsIamPolicyMatchersTest < Minitest::Test
  def setup
    AwsIamPolicy::BackendFactory.select(MAIPSB::Basic)
  end

  # attached? reflects whether any principal has the policy attached.
  def test_matcher_attached_positive
    assert policy("test-policy-1").attached?
  end

  def test_matcher_attached_negative
    refute policy("test-policy-2").attached?
  end

  # attached_to_*? match a single named principal of the given kind.
  def test_matcher_attached_to_user_positive
    assert policy("test-policy-1").attached_to_user?("test-user")
  end

  def test_matcher_attached_to_user_negative
    refute policy("test-policy-2").attached_to_user?("test-user")
  end

  def test_matcher_attached_to_group_positive
    assert policy("test-policy-1").attached_to_group?("test-group")
  end

  def test_matcher_attached_to_group_negative
    refute policy("test-policy-2").attached_to_group?("test-group")
  end

  def test_matcher_attached_to_role_positive
    assert policy("test-policy-1").attached_to_role?("test-role")
  end

  def test_matcher_attached_to_role_negative
    refute policy("test-policy-2").attached_to_role?("test-role")
  end

  # A missing policy yields nil from has_statement?, not false and not an error.
  def test_have_statement_when_policy_does_not_exist
    assert_nil policy("nonesuch").has_statement?("Effect" => "foo")
  end

  # Calling has_statement? with no criteria at all must be accepted without raising.
  def test_have_statement_when_provided_no_criteria
    policy("test-policy-1").has_statement?
  end

  # Every supported criterion is accepted under all four key spellings.
  def test_have_statement_when_provided_acceptable_criteria
    accepted = {
      "Action" => "dummy",
      "Effect" => "Deny", # Effect values are validated, so only a legal one is used here
      "Resource" => "dummy",
      "Sid" => "dummy",
    }
    accepted.each do |criterion, value|
      key_variants(criterion).each do |key|
        policy("test-policy-1").has_statement?(key => value)
      end
    end
  end

  # Criteria that exist in the IAM policy grammar but are not implemented
  # by the matcher raise a "not supported" ArgumentError.
  def test_have_statement_when_provided_unimplemented_criteria
    %w[Conditional NotAction NotPrincipal NotResource Principal].each do |criterion|
      error = assert_raises(ArgumentError) do
        policy("test-policy-1").has_statement?(criterion => "dummy")
      end
      assert_match(/not supported/, error.message)
    end
  end

  # Criteria that are not part of the grammar at all raise "Unrecognized".
  def test_have_statement_when_provided_unrecognized_criteria
    error = assert_raises(ArgumentError) do
      policy("test-policy-1").has_statement?("foo" => "dummy")
    end
    assert_match(/Unrecognized/, error.message)
  end

  def test_have_statement_when_sid_is_provided
    key_variants("Sid").each do |key|
      # Exact Sid strings.
      assert(policy("test-policy-1").has_statement?(key => "beta01"))
      assert(policy("test-policy-2").has_statement?(key => "CloudWatchEventsFullAccess"))
      assert(policy("test-policy-2").has_statement?(key => "IAMPassRoleForCloudWatchEvents"))
      refute(policy("test-policy-2").has_statement?(key => "beta01"))

      # Regex Sids.
      assert(policy("test-policy-1").has_statement?(key => /eta/))
      assert(policy("test-policy-2").has_statement?(key => /CloudWatch/))
      refute(policy("test-policy-2").has_statement?(key => /eta/))
    end
  end

  def test_have_statement_when_effect_is_provided
    key_variants("Effect").each do |key|
      assert(policy("test-policy-1").has_statement?(key => "Deny"))
      refute(policy("test-policy-1").has_statement?(key => "Allow"))
      assert(policy("test-policy-2").has_statement?(key => "Allow"))

      # Effect is strict: only the exact strings "Allow" and "Deny" are legal
      # criteria. Misspellings, lower case and symbols are rejected outright
      # rather than silently matching nothing.
      ["Disallow", "allow", :Allow, :allow].each do |bad_effect|
        assert_raises(ArgumentError) do
          policy("test-policy-1").has_statement?(key => bad_effect)
        end
      end
    end
  end

  def test_have_statement_when_action_is_provided
    key_variants("Action").each do |key|
      # A plain string matches a single-string Action even with several statements present.
      assert(policy("test-policy-2").has_statement?(key => "iam:PassRole"))
      # A wildcard Action is matched as the literal string "events:*" ...
      assert(policy("test-policy-2").has_statement?(key => "events:*"))
      # ... so a concrete action that wildcard would cover does not match as a string.
      refute(policy("test-policy-2").has_statement?(key => "events:EnableRule"))
      # A regex does match the wildcard entry.
      assert(policy("test-policy-2").has_statement?(key => /^events\:/))
      # One string against an array-valued Action matches when it is a member.
      assert(policy("test-policy-1").has_statement?(key => "ec2:DescribeSubnets"))
      # A one-element array is compared against the whole Action array, so it does not match.
      refute(policy("test-policy-1").has_statement?(key => ["ec2:DescribeSubnets"]))
      # The complete set matches ...
      assert(policy("test-policy-1").has_statement?(key => ["ec2:DescribeSubnets", "ec2:DescribeSecurityGroups"]))
      # ... regardless of element order.
      assert(policy("test-policy-1").has_statement?(key => ["ec2:DescribeSecurityGroups", "ec2:DescribeSubnets"]))
      # A single regex matches against an array-valued Action ...
      assert(policy("test-policy-1").has_statement?(key => /^ec2\:Describe/))
      # ... also when wrapped in a one-element array.
      assert(policy("test-policy-1").has_statement?(key => [/^ec2\:Describe/]))
      # Degenerate document whose Statement is a single hash rather than an array.
      assert(policy("test-policy-3").has_statement?(key => "acm:GetCertificate"))
      # A policy containing a statement with no Action key must neither raise nor match.
      refute(policy("test-policy-4").has_statement?(key => "iam:*"))
    end
  end

  def test_have_statement_when_resource_is_provided
    key_variants("Resource").each do |key|
      # A plain string matches a single-string Resource even with several statements present.
      assert(policy("test-policy-2").has_statement?(key => "arn:aws:iam::*:role/AWS_Events_Invoke_Targets"))
      # A wildcard Resource is matched as the literal string "*" ...
      assert(policy("test-policy-2").has_statement?(key => "*"))
      # ... so a concrete ARN that wildcard would cover does not match as a string.
      refute(policy("test-policy-2").has_statement?(key => "arn:aws:events:us-east-1:123456789012:rule/my-rule"))
      # A regex does match.
      assert(policy("test-policy-2").has_statement?(key => /AWS_Events_Invoke_Targets$/))
      # One string against an array-valued Resource matches when it is a member.
      assert(policy("test-policy-1").has_statement?(key => "arn:aws:ec2:::*"))
      # A one-element array is compared against the whole Resource array, so it does not match.
      refute(policy("test-policy-1").has_statement?(key => ["arn:aws:ec2:::*"]))
      # The complete set matches ...
      assert(policy("test-policy-1").has_statement?(key => ["arn:aws:ec2:::*", "*"]))
      # ... regardless of element order.
      assert(policy("test-policy-1").has_statement?(key => ["*", "arn:aws:ec2:::*"]))
      # A single regex matches against an array-valued Resource ...
      assert(policy("test-policy-1").has_statement?(key => /^arn\:aws\:ec2/))
      # ... also when wrapped in a one-element array.
      assert(policy("test-policy-1").has_statement?(key => [/\*/]))
      # Degenerate document whose Statement is a single hash rather than an array.
      assert(policy("test-policy-3").has_statement?(key => "*"))
    end
  end

  private

  # Shorthand for a policy resource looked up by name on the selected backend.
  def policy(name)
    AwsIamPolicy.new(name)
  end

  # The four key spellings has_statement? must treat alike: the canonical
  # IAM capitalisation, lower case, and both of those as symbols.
  def key_variants(key)
    [key, key.downcase, key.to_sym, key.downcase.to_sym]
  end
end
#=============================================================================#
# Test Fixtures
#=============================================================================#
module MAIPSB
  # A backend that knows no policies at all; used by the constructor tests.
  class Empty < AwsBackendBase
    def list_policies(query)
      OpenStruct.new(policies: [])
    end
  end

  # A backend with four canned policies covering the cases the tests need:
  #   test-policy-1  attached to a user, a group and a role; one Deny statement
  #   test-policy-2  unattached; two Allow statements (CloudWatchEventsFullAccess)
  #   test-policy-3  unattached; a single statement written as a hash, not an array
  #   test-policy-4  unattached; a NotAction statement (PowerUserAccess)
  class Basic < AwsBackendBase
    # URL-encoded policy documents keyed by ARN, then version id, in the form
    # the IAM GetPolicyVersion API returns them. The decoded JSON precedes
    # each entry for readability.
    DOCUMENTS = {
      "arn:aws:iam::aws:policy/test-policy-1" => {
        # Integration test fixture "beta":
        # {
        #   "Version"=>"2012-10-17",
        #   "Statement"=> [
        #     {
        #       "Sid"=>"beta01",
        #       "Action"=>["ec2:DescribeSubnets", "ec2:DescribeSecurityGroups"],
        #       "Effect"=>"Deny",
        #       "Resource"=>["arn:aws:ec2:::*", "*"]
        #     }
        #   ]
        # }
        "v1" => "%7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%0A%20%20%22Statement%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22Sid%22%3A%20%22beta01%22%2C%0A%20%20%20%20%20%20%22Action%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%22ec2%3ADescribeSubnets%22%2C%0A%20%20%20%20%20%20%20%20%22ec2%3ADescribeSecurityGroups%22%0A%20%20%20%20%20%20%5D%2C%0A%20%20%20%20%20%20%22Effect%22%3A%20%22Deny%22%2C%0A%20%20%20%20%20%20%22Resource%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%22arn%3Aaws%3Aec2%3A%3A%3A%2A%22%2C%0A%20%20%20%20%20%20%20%20%22%2A%22%0A%20%20%20%20%20%20%5D%0A%20%20%20%20%7D%0A%20%20%5D%0A%7D%0A",
      },
      "arn:aws:iam::aws:policy/test-policy-2" => {
        # AWS-managed CloudWatchEventsFullAccess:
        # {
        #   "Version"=>"2012-10-17",
        #   "Statement"=> [
        #     {
        #       "Sid"=>"CloudWatchEventsFullAccess",
        #       "Effect"=>"Allow",
        #       "Action"=>"events:*",
        #       "Resource"=>"*"
        #     },
        #     {
        #       "Sid"=>"IAMPassRoleForCloudWatchEvents",
        #       "Effect"=>"Allow",
        #       "Action"=>"iam:PassRole",
        #       "Resource"=>"arn:aws:iam::*:role/AWS_Events_Invoke_Targets"
        #     }
        #   ]
        # }
        "v1" => "%7B%0A%20%20%20%20%22Version%22%3A%20%222012-10-17%22%2C%0A%20%20%20%20%22Statement%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%22Sid%22%3A%20%22CloudWatchEventsFullAccess%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22Effect%22%3A%20%22Allow%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22Action%22%3A%20%22events%3A%2A%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22Resource%22%3A%20%22%2A%22%0A%20%20%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%22Sid%22%3A%20%22IAMPassRoleForCloudWatchEvents%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22Effect%22%3A%20%22Allow%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22Action%22%3A%20%22iam%3APassRole%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22Resource%22%3A%20%22arn%3Aaws%3Aiam%3A%3A%2A%3Arole%2FAWS_Events_Invoke_Targets%22%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%5D%0A%7D",
      },
      "arn:aws:iam::aws:policy/test-policy-3" => {
        # AWS-managed AWSCertificateManagerReadOnly (Statement is a hash, not an array):
        # {
        #   "Version": "2012-10-17",
        #   "Statement": {
        #     "Effect": "Allow",
        #     "Action": [
        #       "acm:DescribeCertificate",
        #       "acm:ListCertificates",
        #       "acm:GetCertificate",
        #       "acm:ListTagsForCertificate"
        #     ],
        #     "Resource": "*"
        #   }
        # }
        "v1" => "%7B%0A%20%20%20%20%22Version%22%3A%20%222012-10-17%22%2C%0A%20%20%20%20%22Statement%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%22Effect%22%3A%20%22Allow%22%2C%0A%20%20%20%20%20%20%20%20%22Action%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%20%20%20%22acm%3ADescribeCertificate%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22acm%3AListCertificates%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22acm%3AGetCertificate%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22acm%3AListTagsForCertificate%22%0A%20%20%20%20%20%20%20%20%5D%2C%0A%20%20%20%20%20%20%20%20%22Resource%22%3A%20%22%2A%22%0A%20%20%20%20%7D%0A%7D",
      },
      "arn:aws:iam::aws:policy/test-policy-4" => {
        # arn:aws:iam::aws:policy/PowerUserAccess (first statement has NotAction, no Action):
        # {
        #   "Version": "2012-10-17",
        #   "Statement": [
        #     {
        #       "Effect": "Allow",
        #       "NotAction": [
        #         "iam:*",
        #         "organizations:*"
        #       ],
        #       "Resource": "*"
        #     },
        #     {
        #       "Effect": "Allow",
        #       "Action": [
        #         "iam:CreateServiceLinkedRole",
        #         "iam:DeleteServiceLinkedRole",
        #         "iam:ListRoles",
        #         "organizations:DescribeOrganization"
        #       ],
        #       "Resource": "*"
        #     }
        #   ]
        # }
        "v1" => "%7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%0A%20%20%22Statement%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22Effect%22%3A%20%22Allow%22%2C%0A%20%20%20%20%20%20%22NotAction%22%3A%20%5B%22iam%3A%2A%22%2C%20%22organizations%3A%2A%22%5D%2C%0A%20%20%20%20%20%20%22Resource%22%3A%20%22%2A%22%0A%20%20%20%20%7D%2C%7B%0A%20%20%20%20%20%20%22Effect%22%3A%20%22Allow%22%2C%0A%20%20%20%20%20%20%22Action%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%20%22iam%3ACreateServiceLinkedRole%22%2C%0A%20%20%20%20%20%20%20%20%20%20%22iam%3ADeleteServiceLinkedRole%22%2C%0A%20%20%20%20%20%20%20%20%20%20%22iam%3AListRoles%22%2C%0A%20%20%20%20%20%20%20%20%20%20%22organizations%3ADescribeOrganization%22%0A%20%20%20%20%20%20%5D%2C%0A%20%20%20%20%20%20%22Resource%22%3A%20%22%2A%22%0A%20%20%20%20%7D%0A%20%20%5D%0A%7D",
      },
    }.freeze

    # Policy summaries as returned by ListPolicies; the query is ignored and
    # every fixture policy is always listed.
    def list_policies(query)
      summaries = [
        policy_summary(
          "test-policy-1", "arn:aws:iam::aws:policy/test-policy-1",
          attachment_count: 3, is_attachable: true
        ),
        policy_summary(
          "test-policy-2", "arn:aws:iam::aws:policy/test-policy-2",
          attachment_count: 0, is_attachable: false
        ),
        policy_summary(
          "test-policy-3", "arn:aws:iam::aws:policy/test-policy-3",
          attachment_count: 0, is_attachable: true
        ),
        policy_summary(
          "test-policy-4", "arn:aws:iam::aws:policy/test-policy-4",
          attachment_count: 0, is_attachable: false
        ),
      ]
      OpenStruct.new(policies: summaries)
    end

    # Principals the policy in query[:policy_arn] is attached to. Only
    # test-policy-1 and test-policy-2 have entries; any other ARN yields an
    # OpenStruct with no fields (OpenStruct.new(nil)), as before.
    def list_entities_for_policy(query)
      attachments = {
        "arn:aws:iam::aws:policy/test-policy-1" => {
          policy_groups: [
            OpenStruct.new(group_name: "test-group", group_id: "AIDAIJ3FUBXLZ4VXV34LE"),
          ],
          policy_users: [
            OpenStruct.new(user_name: "test-user", user_id: "AIDAIJ3FUBXLZ4VXV34LE"),
          ],
          policy_roles: [
            OpenStruct.new(role_name: "test-role", role_id: "AIDAIJ3FUBXLZ4VXV34LE"),
          ],
        },
        "arn:aws:iam::aws:policy/test-policy-2" => {
          policy_groups: [],
          policy_users: [],
          policy_roles: [],
        },
      }
      OpenStruct.new(attachments[query[:policy_arn]])
    end

    # The document for query[:policy_arn] / query[:version_id], wrapped the
    # way GetPolicyVersion returns it. Unknown ARN or version raises the same
    # NoSuchEntity error the real API would.
    def get_policy_version(query)
      document = DOCUMENTS.dig(query[:policy_arn], query[:version_id])
      raise Aws::IAM::Errors::NoSuchEntity.new(nil, nil) unless document

      OpenStruct.new(policy_version: OpenStruct.new(document: document))
    end

    private

    # One ListPolicies entry; every fixture policy is at version "v1".
    def policy_summary(name, arn, attachment_count:, is_attachable:)
      OpenStruct.new(
        policy_name: name,
        arn: arn,
        default_version_id: "v1",
        attachment_count: attachment_count,
        is_attachable: is_attachable
      )
    end
  end
end