moto/tests/test_ssm/test_ssm_doc_permissions.py

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

199 lines
6.4 KiB
Python
Raw Normal View History

import re
import yaml
import boto3
from botocore.exceptions import ClientError
import pytest
from moto import mock_ssm
from .test_ssm_docs import _get_yaml_template
@mock_ssm
def test_describe_document_permissions_unknown_document():
client = boto3.client("ssm", region_name="us-east-1")
with pytest.raises(ClientError) as ex:
client.describe_document_permission(
Name="UnknownDocument", PermissionType="Share"
)
err = ex.value.response["Error"]
assert err["Code"] == "InvalidDocument"
assert err["Message"] == "The specified document does not exist."
def get_client():
template_file = _get_yaml_template()
json_doc = yaml.safe_load(template_file)
client = boto3.client("ssm", region_name="us-east-1")
client.create_document(
Content=yaml.dump(json_doc),
Name="TestDocument",
DocumentType="Command",
DocumentFormat="YAML",
VersionName="Base",
)
return client
@mock_ssm
def test_describe_document_permissions_initial():
client = get_client()
res = client.describe_document_permission(
Name="TestDocument", PermissionType="Share"
)
assert res["AccountIds"] == []
assert res["AccountSharingInfoList"] == []
@pytest.mark.parametrize(
"ids",
[["111111111111"], ["all"], ["All"], ["111111111111", "222222222222"]],
ids=["one_value", "all", "All", "multiple_values"],
)
@mock_ssm
def test_modify_document_permission_add_account_id(ids):
client = get_client()
client.modify_document_permission(
Name="TestDocument", PermissionType="Share", AccountIdsToAdd=ids
)
res = client.describe_document_permission(
Name="TestDocument", PermissionType="Share"
)
assert "AccountIds" in res
assert set(res["AccountIds"]) == set(ids)
assert len(res["AccountSharingInfoList"]) == len(ids)
expected_account_sharing = [
{"AccountId": _id, "SharedDocumentVersion": "$DEFAULT"} for _id in ids
]
assert res["AccountSharingInfoList"] == expected_account_sharing
@pytest.mark.parametrize(
"initial,to_remove",
[
(["all"], ["all"]),
(["111111111111"], ["111111111111"]),
(["111111111111", "222222222222"], ["222222222222"]),
(
["111111111111", "222222222222", "333333333333"],
["111111111111", "333333333333"],
),
],
ids=["all", "one_value", "multiple_initials", "multiple_to_remove"],
)
@mock_ssm
def test_modify_document_permission_remove_account_id(initial, to_remove):
client = get_client()
client.modify_document_permission(
Name="TestDocument", PermissionType="Share", AccountIdsToAdd=initial
)
client.modify_document_permission(
Name="TestDocument", PermissionType="Share", AccountIdsToRemove=to_remove
)
res = client.describe_document_permission(
Name="TestDocument", PermissionType="Share"
)
assert "AccountIds" in res
expected_new_list = {x for x in initial if x not in to_remove}
assert set(res["AccountIds"]) == expected_new_list
expected_account_sharing = [
{"AccountId": _id, "SharedDocumentVersion": "$DEFAULT"}
for _id in expected_new_list
]
assert res["AccountSharingInfoList"] == expected_account_sharing
@mock_ssm
def test_fail_modify_document_permission_wrong_permission_type():
client = get_client()
with pytest.raises(ClientError) as ex:
client.modify_document_permission(
Name="TestDocument", PermissionType="WrongValue", AccountIdsToAdd=[]
)
err = ex.value.response["Error"]
assert err["Code"] == "InvalidPermissionType"
assert re.search(r"Member must satisfy enum value set: \[Share\]", err["Message"])
@mock_ssm
def test_fail_modify_document_permission_wrong_document_version():
client = get_client()
with pytest.raises(ClientError) as ex:
client.modify_document_permission(
Name="TestDocument",
PermissionType="Share",
SharedDocumentVersion="unknown",
AccountIdsToAdd=[],
)
err = ex.value.response["Error"]
assert err["Code"] == "ValidationException"
assert re.search(r"Member must satisfy regular expression pattern", err["Message"])
@pytest.mark.parametrize(
"value",
[["alll"], ["1234"], ["1234123412341234"], ["account_id"]],
ids=["all?", "too_short", "too_long", "no-digits"],
)
@mock_ssm
def test_fail_modify_document_permission_add_invalid_account_ids(value):
client = get_client()
with pytest.raises(ClientError) as ex:
client.modify_document_permission(
Name="TestDocument", PermissionType="Share", AccountIdsToAdd=value
)
err = ex.value.response["Error"]
assert err["Code"] == "ValidationException"
assert re.search(r"Member must satisfy regular expression pattern:", err["Message"])
@pytest.mark.parametrize(
"value",
[["alll"], ["1234"], ["1234123412341234"], ["account_id"]],
ids=["all?", "too_short", "too_long", "no-digits"],
)
@mock_ssm
def test_fail_modify_document_permission_remove_invalid_account_ids(value):
client = get_client()
with pytest.raises(ClientError) as ex:
client.modify_document_permission(
Name="TestDocument", PermissionType="Share", AccountIdsToRemove=value
)
err = ex.value.response["Error"]
assert err["Code"] == "ValidationException"
assert re.search(r"Member must satisfy regular expression pattern:", err["Message"])
@mock_ssm
def test_fail_modify_document_permission_add_all_and_specific():
client = get_client()
with pytest.raises(ClientError) as ex:
client.modify_document_permission(
Name="TestDocument",
PermissionType="Share",
AccountIdsToAdd=["all", "123412341234"],
)
err = ex.value.response["Error"]
assert err["Code"] == "DocumentPermissionLimit"
assert err["Message"] == "Accounts can either be all or a group of AWS accounts"
@mock_ssm
def test_fail_modify_document_permission_remove_all_and_specific():
client = get_client()
with pytest.raises(ClientError) as ex:
client.modify_document_permission(
Name="TestDocument",
PermissionType="Share",
AccountIdsToRemove=["all", "123412341234"],
)
err = ex.value.response["Error"]
assert err["Code"] == "DocumentPermissionLimit"
assert err["Message"] == "Accounts can either be all or a group of AWS accounts"