inspec/test/unit/resources/aws_iam_users_test.rb
Richard Nixon 47e4c578e0 Fix aws-iam-users pagination (#2761)
* Fix aws-iam-users pagination

PROBLEM: aws-iam-users resource only retrieves 100 records due to pagination
in the AWS IAM list_users function.

FIX: Iterate over all the pages using the AWS pagination variables `marker`
and `is_truncated`

Signed-off-by: Richard Nixon <richard.nixon@btinternet.com>
2018-03-02 09:14:05 -05:00

184 lines
5.8 KiB
Ruby

require 'helper'
# Maiusb = Mock AwsIamUsers::BackendFactory
# Abbreviation not used outside of this file
class AwsIamUsersTestConstructor < Minitest::Test
def setup
AwsIamUsers::BackendFactory.select(Maiusb::Empty)
end
def test_users_no_params_does_not_explode
AwsIamUsers.new
end
def test_users_all_params_rejected
assert_raises(ArgumentError) { AwsIamUsers.new(something: 'somevalue') }
end
end
class AwsIamUsersTestFilterCriteria < Minitest::Test
def setup
# Reset to empty, that's harmless
AwsIamUsers::BackendFactory.select(Maiusb::Empty)
end
#------------------------------------------#
# Open Filter
#------------------------------------------#
def test_users_empty_result_when_no_users_no_criteria
users = AwsIamUsers.new.where {}
assert users.entries.empty?
end
def test_users_all_returned_when_some_users_no_criteria
AwsIamUsers::BackendFactory.select(Maiusb::Basic)
users = AwsIamUsers.new.where {}
assert(3, users.entries.count)
end
#------------------------------------------#
# has_mfa_enabled?
#------------------------------------------#
def test_users_criteria_has_mfa_enabled
AwsIamUsers::BackendFactory.select(Maiusb::Basic)
users = AwsIamUsers.new.where { has_mfa_enabled }
assert(1, users.entries.count)
assert_includes users.entries.map{ |u| u[:user_name] }, 'carol'
refute_includes users.entries.map{ |u| u[:user_name] }, 'alice'
end
#------------------------------------------#
# has_console_password?
#------------------------------------------#
def test_users_criteria_has_console_password?
AwsIamUsers::BackendFactory.select(Maiusb::Basic)
users = AwsIamUsers.new.where { has_console_password }
assert(2, users.entries.count)
assert_includes users.entries.map{ |u| u[:user_name] }, 'carol'
refute_includes users.entries.map{ |u| u[:user_name] }, 'alice'
end
#------------------------------------------#
# password_ever_used?
#------------------------------------------#
def test_users_criteria_password_ever_used?
AwsIamUsers::BackendFactory.select(Maiusb::Basic)
users = AwsIamUsers.new.where { password_ever_used? }
assert(2, users.entries.count)
assert_includes users.entries.map{ |u| u[:user_name] }, 'carol'
refute_includes users.entries.map{ |u| u[:user_name] }, 'alice'
end
#------------------------------------------#
# password_never_used?
#------------------------------------------#
def test_users_criteria_password_never_used?
AwsIamUsers::BackendFactory.select(Maiusb::Basic)
users = AwsIamUsers.new.where { password_never_used? }
assert(1, users.entries.count)
assert_includes users.entries.map{ |u| u[:user_name] }, 'alice'
refute_includes users.entries.map{ |u| u[:user_name] }, 'carol'
end
#------------------------------------------#
# password_last_used_days_ago
#------------------------------------------#
def test_users_criteria_has_password_last_used_days_ago_10
AwsIamUsers::BackendFactory.select(Maiusb::Basic)
users = AwsIamUsers.new.where(password_last_used_days_ago: 10)
puts users
assert(1, users.entries.count)
assert_includes users.entries.map{ |u| u[:user_name] }, 'bob'
refute_includes users.entries.map{ |u| u[:user_name] }, 'alice'
end
end
#=============================================================================#
# Test Fixture Classes
#=============================================================================#
module Maiusb
# --------------------------------
# Empty - No users
# --------------------------------
class Empty < AwsBackendBase
def list_users(criteria = {})
OpenStruct.new({
users: []
})
end
def get_login_profile(criteria)
raise Aws::IAM::Errors::NoSuchEntity.new("No login profile for #{criteria[:user_name]}", 'Nope')
end
def list_mfa_devices(_criteria)
OpenStruct.new({
mfa_devices: []
})
end
end
# --------------------------------
# Basic - 3 Users
# --------------------------------
# Alice has no password or MFA device
# Bob has a password but no MFA device
# Carol has a password and MFA device
class Basic < AwsBackendBase
# arn, path, user_id omitted
def list_users(criteria = {})
OpenStruct.new({
users: [
OpenStruct.new({
user_name: 'alice',
create_date: DateTime.parse('2017-10-10T16:19:30Z'),
# Password last used is absent, never logged in w/ password
}),
OpenStruct.new({
user_name: 'bob',
create_date: DateTime.parse('2017-11-06T16:19:30Z'),
password_last_used: Time.now - 10*24*60*60,
}),
OpenStruct.new({
user_name: 'carol',
create_date: DateTime.parse('2017-10-10T16:19:30Z'),
password_last_used: Time.now - 91*24*60*60,
}),
]
})
end
def get_login_profile(criteria)
if ['bob', 'carol'].include?(criteria[:user_name])
OpenStruct.new({
login_profile: OpenStruct.new({
user_name: criteria[:user_name],
created_date: DateTime.parse('2017-10-10T16:19:30Z')
})
})
else
raise Aws::IAM::Errors::NoSuchEntity.new("No login profile for #{criteria[:user_name]}", 'Nope')
end
end
def list_mfa_devices(criteria)
if ['carol'].include?(criteria[:user_name])
OpenStruct.new({
mfa_devices: [
OpenStruct.new({
user_name: criteria[:user_name],
serial_number: '1234567890',
enable_date: DateTime.parse('2017-10-10T16:19:30Z'),
})
]
})
else
OpenStruct.new({
mfa_devices: []
})
end
end
end
end