import boto3
import datetime
import pytest
import sure # noqa # pylint: disable=unused-import
from botocore.exceptions import ClientError
from moto import mock_ssoadmin
from uuid import uuid4
# See our Development Tips on writing tests for hints on how to write good tests:
# http://docs.getmoto.org/en/latest/docs/contributing/development_tips/tests.html
@mock_ssoadmin
def test_create_account_assignment():
    """Creating an account assignment reports SUCCEEDED and echoes every input field.

    The creation status is the caller's only confirmation that a principal was
    granted a permission set on an account, so each identifying field of the
    status is compared against what was sent, and no FailureReason may appear.
    """
    client = boto3.client("sso-admin", region_name="eu-west-1")
    instance_arn = "arn:aws:sso:::instance/ins-aaaabbbbccccdddd"
    account_id = "222222222222"
    ps_arn = "arn:aws:sso:::permissionSet/ins-eeeeffffgggghhhh/ps-hhhhkkkkppppoooo"
    user_id = str(uuid4())

    resp = client.create_account_assignment(
        InstanceArn=instance_arn,
        TargetId=account_id,
        TargetType="AWS_ACCOUNT",
        PermissionSetArn=ps_arn,
        PrincipalType="USER",
        PrincipalId=user_id,
    )

    assert "AccountAssignmentCreationStatus" in resp
    status = resp["AccountAssignmentCreationStatus"]

    assert status["Status"] == "SUCCEEDED"
    assert "RequestId" in status
    # A successful grant must not carry a failure reason.
    assert "FailureReason" not in status

    # The status identifies exactly the assignment that was requested.
    assert status["TargetId"] == account_id
    assert status["TargetType"] == "AWS_ACCOUNT"
    assert status["PermissionSetArn"] == ps_arn
    assert status["PrincipalType"] == "USER"
    assert status["PrincipalId"] == user_id
@mock_ssoadmin
def test_delete_account_assignment():
    """Deleting an existing account assignment succeeds and actually revokes it.

    The deletion status must echo the identifying fields and carry a
    CreatedDate; afterwards, listing assignments for the same account and
    permission set must be empty, since the assignment represents a live grant
    of access and has to be gone rather than merely reported as deleted.
    """
    client = boto3.client("sso-admin", region_name="eu-west-1")
    instance_arn = "arn:aws:sso:::instance/ins-aaaabbbbccccdddd"
    account_id = "222222222222"
    ps_arn = "arn:aws:sso:::permissionSet/ins-eeeeffffgggghhhh/ps-hhhhkkkkppppoooo"
    user_id = str(uuid4())

    # The same identity tuple is used for the grant and for its revocation.
    assignment = dict(
        InstanceArn=instance_arn,
        TargetId=account_id,
        TargetType="AWS_ACCOUNT",
        PermissionSetArn=ps_arn,
        PrincipalType="USER",
        PrincipalId=user_id,
    )

    client.create_account_assignment(**assignment)
    resp = client.delete_account_assignment(**assignment)

    assert "AccountAssignmentDeletionStatus" in resp

    # Verify the correct response
    status = resp["AccountAssignmentDeletionStatus"]
    assert status["Status"] == "SUCCEEDED"
    assert "RequestId" in status
    assert "FailureReason" not in status
    for field in (
        "TargetId",
        "TargetType",
        "PermissionSetArn",
        "PrincipalType",
        "PrincipalId",
    ):
        assert status[field] == assignment[field]
    assert isinstance(status["CreatedDate"], datetime.datetime)

    # Verify this account assignment can no longer be found
    listed = client.list_account_assignments(
        InstanceArn=instance_arn,
        AccountId=account_id,
        PermissionSetArn=ps_arn,
    )
    assert listed["AccountAssignments"] == []
@mock_ssoadmin
def test_delete_account_assignment_unknown():
    """Deleting an assignment that was never created fails with ResourceNotFound."""
    client = boto3.client("sso-admin", region_name="us-east-1")
    instance_arn = "arn:aws:sso:::instance/ins-aaaabbbbccccdddd"
    ps_arn = "arn:aws:sso:::permissionSet/ins-eeeeffffgggghhhh/ps-hhhhkkkkppppoooo"

    with pytest.raises(ClientError) as exc:
        client.delete_account_assignment(
            InstanceArn=instance_arn,
            TargetId="222222222222",
            TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arn,
            PrincipalType="USER",
            PrincipalId=str(uuid4()),
        )

    # Only the error code is part of the contract checked here.
    assert exc.value.response["Error"]["Code"] == "ResourceNotFound"
@mock_ssoadmin
def test_list_account_assignments():
    """Listing is scoped per account: each account sees only its own grant.

    Starts from an empty listing, grants the same principal the same
    permission set on two accounts in turn, and checks that each account's
    listing contains exactly its own assignment.
    """
    client = boto3.client("sso-admin", region_name="ap-southeast-1")
    instance_arn = "arn:aws:sso:::instance/ins-aaaabbbbccccdddd"
    ps_arn = "arn:aws:sso:::permissionSet/ins-eeeeffffgggghhhh/ps-hhhhkkkkppppoooo"
    user_id = str(uuid4())
    first_account = "222222222222"
    second_account = "333333333333"

    def assignments_for(account_id):
        # Assignments of one account under the shared permission set.
        resp = client.list_account_assignments(
            InstanceArn=instance_arn,
            AccountId=account_id,
            PermissionSetArn=ps_arn,
        )
        assert "AccountAssignments" in resp
        return resp["AccountAssignments"]

    def grant(account_id):
        # Grant the test user the shared permission set on one account.
        client.create_account_assignment(
            InstanceArn=instance_arn,
            TargetId=account_id,
            TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arn,
            PrincipalType="USER",
            PrincipalId=user_id,
        )

    def expected_entry(account_id):
        # The listing entry that a grant on `account_id` should produce.
        return {
            "AccountId": account_id,
            "PermissionSetArn": ps_arn,
            "PrincipalType": "USER",
            "PrincipalId": user_id,
        }

    # Nothing is assigned before the first grant.
    assert assignments_for(first_account) == []

    grant(first_account)
    assert assignments_for(first_account) == [expected_entry(first_account)]

    grant(second_account)
    assert assignments_for(second_account) == [expected_entry(second_account)]
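@mock_ssoadmin
def test_create_permission_set():
    """Creating a permission set returns it with every supplied attribute echoed.

    Beyond checking that the expected keys are present, the supplied
    Description, SessionDuration and RelayState are compared with what comes
    back, so a mock that accepted a field but silently dropped or altered it
    is caught here rather than in a later describe/update test.
    """
    client = boto3.client("sso-admin", region_name="ap-southeast-1")
    instance_arn = "arn:aws:sso:::instance/ins-aaaabbbbccccdddd"
    description = "Test permission set"
    session_duration = "PT1H"
    relay_state = "https://console.aws.amazon.com/ec2"

    resp = client.create_permission_set(
        Name="test",
        Description=description,
        InstanceArn=instance_arn,
        SessionDuration=session_duration,
        RelayState=relay_state,
    )
    assert "PermissionSet" in resp
    permission_set = resp["PermissionSet"]

    assert permission_set["Name"] == "test"
    # The ARN and creation timestamp are generated server-side, so only their
    # presence is checked.
    assert "PermissionSetArn" in permission_set
    assert "CreatedDate" in permission_set
    # Caller-supplied attributes must come back unchanged.
    assert permission_set["Description"] == description
    assert permission_set["SessionDuration"] == session_duration
    assert permission_set["RelayState"] == relay_state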
@mock_ssoadmin
def test_update_permission_set():
    """Updating a permission set changes its mutable attributes and keeps Name.

    The result is read back through describe_permission_set rather than the
    update response, so what is verified is the stored state, not an echo.
    """
    client = boto3.client("sso-admin", region_name="ap-southeast-1")
    instance_arn = "arn:aws:sso:::instance/ins-aaaabbbbccccdddd"

    created = client.create_permission_set(
        Name="test",
        Description="Test permission set",
        InstanceArn=instance_arn,
        SessionDuration="PT1H",
    )["PermissionSet"]
    ps_arn = created["PermissionSetArn"]

    client.update_permission_set(
        InstanceArn=instance_arn,
        PermissionSetArn=ps_arn,
        Description="New description",
        SessionDuration="PT2H",
        RelayState="https://console.aws.amazon.com/s3",
    )

    described = client.describe_permission_set(
        InstanceArn=instance_arn,
        PermissionSetArn=ps_arn,
    )
    assert "PermissionSet" in described
    current = described["PermissionSet"]

    assert current["Name"] == "test"
    assert current["Description"] == "New description"
    assert "CreatedDate" in current
    assert current["SessionDuration"] == "PT2H"
    assert current["RelayState"] == "https://console.aws.amazon.com/s3"
@mock_ssoadmin
def test_update_permission_set_unknown():
    """Updating a permission set that does not exist fails with ResourceNotFound."""
    client = boto3.client("sso-admin", region_name="ap-southeast-1")
    instance_arn = "arn:aws:sso:::instance/ins-aaaabbbbccccdddd"
    missing_ps_arn = (
        "arn:aws:sso:::permissionSet/ins-eeeeffffgggghhhh/ps-hhhhkkkkppppoooo"
    )

    with pytest.raises(ClientError) as exc:
        client.update_permission_set(
            InstanceArn=instance_arn,
            PermissionSetArn=missing_ps_arn,
            Description="New description",
            SessionDuration="PT2H",
            RelayState="https://console.aws.amazon.com/s3",
        )

    assert exc.value.response["Error"]["Code"] == "ResourceNotFound"
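@mock_ssoadmin
def test_describe_permission_set():
    """Describing a freshly created permission set returns the stored attributes.

    The describe response is compared field by field with what was passed to
    create_permission_set (and with the ARN the create call returned), so a
    describe that found the wrong object or returned stale attributes is
    caught instead of passing on key presence alone.
    """
    client = boto3.client("sso-admin", region_name="ap-southeast-1")
    instance_arn = "arn:aws:sso:::instance/ins-aaaabbbbccccdddd"
    description = "Test permission set"
    session_duration = "PT1H"

    created = client.create_permission_set(
        Name="test",
        Description=description,
        InstanceArn=instance_arn,
        SessionDuration=session_duration,
    )["PermissionSet"]
    ps_arn = created["PermissionSetArn"]

    resp = client.describe_permission_set(
        InstanceArn=instance_arn,
        PermissionSetArn=ps_arn,
    )
    assert "PermissionSet" in resp
    permission_set = resp["PermissionSet"]

    assert permission_set["Name"] == "test"
    # The described object must be the one that was just created.
    assert permission_set["PermissionSetArn"] == ps_arn
    assert permission_set["Description"] == description
    assert "CreatedDate" in permission_set
    assert permission_set["SessionDuration"] == session_duration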
@mock_ssoadmin
def test_describe_permission_set_unknown():
    """Describing a permission set that does not exist fails with ResourceNotFound."""
    client = boto3.client("sso-admin", region_name="ap-southeast-1")
    missing_ps_arn = (
        "arn:aws:sso:::permissionSet/ins-eeeeffffgggghhhh/ps-hhhhkkkkppppoooo"
    )

    with pytest.raises(ClientError) as exc:
        client.describe_permission_set(
            InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd",
            PermissionSetArn=missing_ps_arn,
        )

    assert exc.value.response["Error"]["Code"] == "ResourceNotFound"
@mock_ssoadmin
def test_delete_permission_set():
    """A deleted permission set can no longer be described.

    Deletion is verified by the subsequent describe call failing with
    ResourceNotFound, i.e. the set is really gone rather than just hidden
    from listings.
    """
    client = boto3.client("sso-admin", region_name="ap-southeast-1")
    instance_arn = "arn:aws:sso:::instance/ins-aaaabbbbccccdddd"

    ps_arn = client.create_permission_set(
        Name="test",
        Description="Test permission set",
        InstanceArn=instance_arn,
        SessionDuration="PT1H",
    )["PermissionSet"]["PermissionSetArn"]

    client.delete_permission_set(
        InstanceArn=instance_arn,
        PermissionSetArn=ps_arn,
    )

    with pytest.raises(ClientError) as exc:
        client.describe_permission_set(
            InstanceArn=instance_arn,
            PermissionSetArn=ps_arn,
        )

    assert exc.value.response["Error"]["Code"] == "ResourceNotFound"
@mock_ssoadmin
def test_delete_permission_set_unknown():
    """Deleting a permission set that does not exist fails with ResourceNotFound."""
    client = boto3.client("sso-admin", region_name="ap-southeast-1")
    missing_ps_arn = (
        "arn:aws:sso:::permissionSet/ins-eeeeffffgggghhhh/ps-hhhhkkkkppppoooo"
    )

    with pytest.raises(ClientError) as exc:
        client.delete_permission_set(
            InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd",
            PermissionSetArn=missing_ps_arn,
        )

    assert exc.value.response["Error"]["Code"] == "ResourceNotFound"
@mock_ssoadmin
def test_list_permission_sets():
    """Listing reports zero permission sets before creation and five after.

    Five sets are created under one instance and the listing size is checked
    before and after; the contents of the entries are not inspected here.
    """
    client = boto3.client("sso-admin", region_name="ap-southeast-1")
    instance_arn = "arn:aws:sso:::instance/ins-aaaabbbbccccdddd"

    def count_permission_sets():
        # Number of permission sets currently listed for the instance.
        response = client.list_permission_sets(InstanceArn=instance_arn)
        assert "PermissionSets" in response
        return len(response["PermissionSets"])

    assert count_permission_sets() == 0

    for i in range(5):
        client.create_permission_set(
            Name="test{}".format(i),
            Description="Test permission set {}".format(i),
            InstanceArn=instance_arn,
            SessionDuration="PT1H",
        )

    assert count_permission_sets() == 5
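@mock_ssoadmin
def test_list_permission_sets_pagination():
    """Paging with MaxResults=5 returns all 25 permission sets, each exactly once.

    Bounding the page size alone is not enough: a paginator that stopped after
    the first page, or replayed the same page, would still satisfy it. The
    pages are therefore concatenated and checked for completeness and for
    duplicate ARNs as well.
    """
    client = boto3.client("sso-admin", region_name="ap-southeast-1")
    instance_arn = "arn:aws:sso:::instance/ins-aaaabbbbccccdddd"
    total = 25
    page_size = 5

    response = client.list_permission_sets(InstanceArn=instance_arn)
    assert "PermissionSets" in response
    assert len(response["PermissionSets"]) == 0

    for i in range(total):
        client.create_permission_set(
            Name="test" + str(i),
            Description="Test permission set " + str(i),
            InstanceArn=instance_arn,
            SessionDuration="PT1H",
        )

    # Without MaxResults everything fits in one page, so no token is issued.
    response = client.list_permission_sets(InstanceArn=instance_arn)
    assert "PermissionSets" in response
    assert "NextToken" not in response
    assert len(response["PermissionSets"]) == total

    paginator = client.get_paginator("list_permission_sets")
    pages = list(
        paginator.paginate(InstanceArn=instance_arn, MaxResults=page_size)
    )

    seen = []
    for page in pages:
        assert len(page["PermissionSets"]) <= page_size
        seen.extend(page["PermissionSets"])

    # Every permission set appears exactly once across the pages: nothing was
    # lost at a page boundary and no page was replayed.
    assert len(seen) == total
    assert len(set(seen)) == total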