require "helper" require "inspec/resource" require "resources/aws/aws_iam_user" require "resource_support/aws" require "resources/aws/aws_iam_user" # MAUIB = MockAwsIamUserBackend # Abbreviation not used outside this file #=============================================================================# # Constructor Tests #=============================================================================# class AwsIamUserConstructorTest < Minitest::Test def setup AwsIamUser::BackendFactory.select(MAIUB::Three) end def test_empty_params_throws_exception assert_raises(ArgumentError) { AwsIamUser.new } end def test_accepts_username_as_scalar AwsIamUser.new("erin") end def test_accepts_username_as_hash AwsIamUser.new(username: "erin") end def test_rejects_unrecognized_params assert_raises(ArgumentError) { AwsIamUser.new(shoe_size: 9) } end end #=============================================================================# # Search / Recall #=============================================================================# class AwsIamUserRecallTest < Minitest::Test def setup AwsIamUser::BackendFactory.select(MAIUB::Three) end def test_search_miss_is_not_an_exception user = AwsIamUser.new("tommy") refute user.exists? end def test_search_hit_via_scalar_works user = AwsIamUser.new("erin") assert user.exists? assert_equal("erin", user.username) end def test_search_hit_via_hash_works user = AwsIamUser.new(username: "erin") assert user.exists? assert_equal("erin", user.username) end end #=============================================================================# # Properties #=============================================================================# class AwsIamUserPropertiesTest < Minitest::Test def setup AwsIamUser::BackendFactory.select(MAIUB::Three) end def test_property_attached_policies noone = AwsIamUser.new("nonesuch") assert_empty(noone.attached_policy_names) assert_empty(noone.attached_policy_arns) erin = AwsIamUser.new("erin") assert_empty(erin.attached_policy_names) assert_empty(erin.attached_policy_arns) leslie = AwsIamUser.new("leslie") assert_equal(1, leslie.attached_policy_names.count) assert_includes(leslie.attached_policy_names, "AdministratorAccess") assert_equal(1, leslie.attached_policy_arns.count) assert_includes(leslie.attached_policy_arns, "arn:aws:iam::aws:policy/AdministratorAccess") jared = AwsIamUser.new("jared") assert_equal(2, jared.attached_policy_names.count) assert_includes(jared.attached_policy_names, "ReadOnlyAccess") assert_equal(2, jared.attached_policy_arns.count) assert_includes(jared.attached_policy_arns, "arn:aws:iam::aws:policy/ReadOnlyAccess") end def test_property_inline_policies noone = AwsIamUser.new("nonesuch") assert_empty(noone.inline_policy_names) erin = AwsIamUser.new("erin") assert_empty(erin.inline_policy_names) leslie = AwsIamUser.new("leslie") assert_equal(2, leslie.inline_policy_names.count) assert_includes(leslie.inline_policy_names, "leslie-inline-01") assert_includes(leslie.inline_policy_names, "leslie-inline-02") jared = AwsIamUser.new("jared") assert_equal(1, jared.inline_policy_names.count) assert_includes(jared.inline_policy_names, "jared-inline-01") end #-----------------------------------------------------# # username property #-----------------------------------------------------# def test_property_username_correct_on_hit user = AwsIamUser.new("erin") assert_equal("erin", user.username) end def test_property_username_correct_on_miss user = AwsIamUser.new("nonesuch") assert_equal("nonesuch", user.username) end #-----------------------------------------------------# # access_keys property #-----------------------------------------------------# def test_property_access_keys_positive keys = AwsIamUser.new("erin").access_keys assert_kind_of(Array, keys) assert_equal(keys.length, 2) # We don't currently promise that the results # will be InSpec resource objects. # assert_kind_of(AwsIamAccessKey, keys.first) end def test_property_access_keys_negative keys = AwsIamUser.new("leslie").access_keys assert_kind_of(Array, keys) assert(keys.empty?) end end #=============================================================================# # Matchers #=============================================================================# class AwsIamUserMatchersTest < Minitest::Test def setup AwsIamUser::BackendFactory.select(MAIUB::Three) end def test_matcher_mfa_positive user = AwsIamUser.new("erin") assert_equal(true, user.has_mfa_enabled) assert_equal(true, user.has_mfa_enabled?) end def test_matcher_mfa_negative user = AwsIamUser.new("leslie") assert_equal(false, user.has_mfa_enabled) assert_equal(false, user.has_mfa_enabled?) end def test_matcher_password_positive user = AwsIamUser.new("erin") assert_equal(true, user.has_console_password) assert_equal(true, user.has_console_password?) end def test_matcher_password_negative user = AwsIamUser.new("leslie") assert_equal(false, user.has_console_password) assert_equal(false, user.has_console_password?) end def test_matcher_has_attached_policies assert_nil(AwsIamUser.new("nonesuch").has_attached_policies?) refute(AwsIamUser.new("erin").has_attached_policies?) assert(AwsIamUser.new("leslie").has_attached_policies?) assert(AwsIamUser.new("jared").has_attached_policies?) end def test_matcher_has_inline_policies assert_nil(AwsIamUser.new("nonesuch").has_inline_policies?) refute(AwsIamUser.new("erin").has_inline_policies?) assert(AwsIamUser.new("leslie").has_inline_policies?) assert(AwsIamUser.new("jared").has_inline_policies?) end end #=============================================================================# # Test Fixtures #=============================================================================# module MAIUB class Three < AwsBackendBase def get_user(criteria) people = { "erin" => OpenStruct.new({ user: OpenStruct.new({ arn: "arn:aws:iam::123456789012:user/erin", create_date: Time.parse("2016-09-21T23:03:13Z"), path: "/", user_id: "AKIAIOSFODNN7EXAERIN", user_name: "erin", }), }), "leslie" => OpenStruct.new({ user: OpenStruct.new({ arn: "arn:aws:iam::123456789012:user/leslie", create_date: Time.parse("2017-09-21T23:03:13Z"), path: "/", user_id: "AKIAIOSFODNN7EXAERIN", user_name: "leslie", }), }), "jared" => OpenStruct.new({ user: OpenStruct.new({ arn: "arn:aws:iam::123456789012:user/jared", create_date: Time.parse("2017-09-21T23:03:13Z"), path: "/", user_id: "AKIAIOSFODNN7EXAERIN", user_name: "jared", }), }), } raise Aws::IAM::Errors::NoSuchEntity.new(nil, nil) unless people.key?(criteria[:user_name]) people[criteria[:user_name]] end def get_login_profile(criteria) # Leslie has no password # Jared's is expired people = { "erin" => OpenStruct.new({ login_profile: OpenStruct.new({ user_name: "erin", password_reset_required: false, create_date: Time.parse("2016-09-21T23:03:13Z"), }), }), "jared" => OpenStruct.new({ login_profile: OpenStruct.new({ user_name: "jared", password_reset_required: true, create_date: Time.parse("2017-09-21T23:03:13Z"), }), }), } raise Aws::IAM::Errors::NoSuchEntity.new(nil, nil) unless people.key?(criteria[:user_name]) people[criteria[:user_name]] end def list_mfa_devices(criteria) # Erin has 2, one soft and one hw # Leslie has none # Jared has one soft people = { "erin" => OpenStruct.new({ mfa_devices: [ OpenStruct.new({ user_name: "erin", serial_number: "arn:blahblahblah", enable_date: Time.parse("2016-09-21T23:03:13Z"), }), OpenStruct.new({ user_name: "erin", serial_number: "1234567890", enable_date: Time.parse("2016-09-21T23:03:13Z"), }), ], }), "leslie" => OpenStruct.new({ mfa_devices: [] }), "jared" => OpenStruct.new({ mfa_devices: [ OpenStruct.new({ user_name: "jared", serial_number: "arn:blahblahblah", enable_date: Time.parse("2016-09-21T23:03:13Z"), }), ], }), } people[criteria[:user_name]] end def list_access_keys(criteria) # Erin has 2 # Leslie has none # Jared has one people = { "erin" => OpenStruct.new({ access_key_metadata: [ OpenStruct.new({ user_name: "erin", access_key_id: "AKIA111111111EXAMPLE", create_date: Time.parse("2016-09-21T23:03:13Z"), status: "Active", }), OpenStruct.new({ user_name: "erin", access_key_id: "AKIA222222222EXAMPLE", create_date: Time.parse("2016-09-21T23:03:13Z"), status: "Active", }), ], }), "leslie" => OpenStruct.new({ access_key_metadata: [] }), "jared" => OpenStruct.new({ access_key_metadata: [ OpenStruct.new({ user_name: "jared", access_key_id: "AKIA3333333333EXAMPLE", create_date: Time.parse("2017-10-21T23:03:13Z"), status: "Active", }), ], }), } people[criteria[:user_name]] end def list_user_policies(query) people = { "erin" => Aws::IAM::Types::ListUserPoliciesResponse.new( policy_names: [] ), "leslie" => Aws::IAM::Types::ListUserPoliciesResponse.new( policy_names: %w{leslie-inline-01 leslie-inline-02} ), "jared" => Aws::IAM::Types::ListUserPoliciesResponse.new( policy_names: ["jared-inline-01"] ), } people[query[:user_name]] end def list_attached_user_policies(query) people = { "erin" => Aws::IAM::Types::ListAttachedUserPoliciesResponse.new( attached_policies: [] ), "leslie" => Aws::IAM::Types::ListAttachedUserPoliciesResponse.new( attached_policies: [ { policy_arn: "arn:aws:iam::aws:policy/AdministratorAccess", policy_name: "AdministratorAccess", }, ] ), "jared" => Aws::IAM::Types::ListAttachedUserPoliciesResponse.new( attached_policies: [ { policy_arn: "arn:aws:iam::aws:policy/ReadOnlyAccess", policy_name: "ReadOnlyAccess", }, { policy_arn: "arn:aws:iam::123456789012:policy/some-policy", policy_name: "some-policy", }, ] ), } people[query[:user_name]] end end end