2019-07-26 18:40:15 +00:00
import json
import boto3
import sure # noqa
from botocore . exceptions import ClientError
2019-10-31 15:44:26 +00:00
2019-07-26 18:40:15 +00:00
# Ensure 'assert_raises' context manager support for Python 2.6
import tests . backport_assert_raises
from nose . tools import assert_raises
from moto import mock_iam , mock_ec2 , mock_s3 , mock_sts , mock_elbv2 , mock_rds2
from moto . core import set_initial_no_auth_action_count
2019-12-17 02:05:29 +00:00
from moto . core import ACCOUNT_ID
2019-11-11 09:27:01 +00:00
from uuid import uuid4
2019-07-26 18:40:15 +00:00
@mock_iam
2019-10-31 15:44:26 +00:00
def create_user_with_access_key ( user_name = " test-user " ) :
client = boto3 . client ( " iam " , region_name = " us-east-1 " )
2019-07-26 18:40:15 +00:00
client . create_user ( UserName = user_name )
2019-10-31 15:44:26 +00:00
return client . create_access_key ( UserName = user_name ) [ " AccessKey " ]
2019-07-26 18:40:15 +00:00
@mock_iam
2019-10-31 15:44:26 +00:00
def create_user_with_access_key_and_inline_policy (
user_name , policy_document , policy_name = " policy1 "
) :
client = boto3 . client ( " iam " , region_name = " us-east-1 " )
2019-07-26 18:40:15 +00:00
client . create_user ( UserName = user_name )
2019-10-31 15:44:26 +00:00
client . put_user_policy (
UserName = user_name ,
PolicyName = policy_name ,
PolicyDocument = json . dumps ( policy_document ) ,
)
return client . create_access_key ( UserName = user_name ) [ " AccessKey " ]
2019-07-26 18:40:15 +00:00
@mock_iam
2019-10-31 15:44:26 +00:00
def create_user_with_access_key_and_attached_policy (
user_name , policy_document , policy_name = " policy1 "
) :
client = boto3 . client ( " iam " , region_name = " us-east-1 " )
2019-07-26 18:40:15 +00:00
client . create_user ( UserName = user_name )
policy_arn = client . create_policy (
2019-10-31 15:44:26 +00:00
PolicyName = policy_name , PolicyDocument = json . dumps ( policy_document )
) [ " Policy " ] [ " Arn " ]
2019-07-26 18:40:15 +00:00
client . attach_user_policy ( UserName = user_name , PolicyArn = policy_arn )
2019-10-31 15:44:26 +00:00
return client . create_access_key ( UserName = user_name ) [ " AccessKey " ]
2019-07-26 18:40:15 +00:00
@mock_iam
2019-10-31 15:44:26 +00:00
def create_user_with_access_key_and_multiple_policies (
user_name ,
inline_policy_document ,
attached_policy_document ,
inline_policy_name = " policy1 " ,
attached_policy_name = " policy1 " ,
) :
client = boto3 . client ( " iam " , region_name = " us-east-1 " )
2019-07-26 18:40:15 +00:00
client . create_user ( UserName = user_name )
policy_arn = client . create_policy (
PolicyName = attached_policy_name ,
2019-10-31 15:44:26 +00:00
PolicyDocument = json . dumps ( attached_policy_document ) ,
) [ " Policy " ] [ " Arn " ]
2019-07-26 18:40:15 +00:00
client . attach_user_policy ( UserName = user_name , PolicyArn = policy_arn )
2019-10-31 15:44:26 +00:00
client . put_user_policy (
UserName = user_name ,
PolicyName = inline_policy_name ,
PolicyDocument = json . dumps ( inline_policy_document ) ,
)
return client . create_access_key ( UserName = user_name ) [ " AccessKey " ]
2019-07-26 18:40:15 +00:00
2019-10-31 15:44:26 +00:00
def create_group_with_attached_policy_and_add_user (
2019-11-11 09:27:01 +00:00
user_name , policy_document , group_name = " test-group " , policy_name = None
2019-10-31 15:44:26 +00:00
) :
2019-11-11 09:27:01 +00:00
if not policy_name :
policy_name = str ( uuid4 ( ) )
2019-10-31 15:44:26 +00:00
client = boto3 . client ( " iam " , region_name = " us-east-1 " )
2019-07-26 18:40:15 +00:00
client . create_group ( GroupName = group_name )
policy_arn = client . create_policy (
2019-10-31 15:44:26 +00:00
PolicyName = policy_name , PolicyDocument = json . dumps ( policy_document )
) [ " Policy " ] [ " Arn " ]
2019-07-26 18:40:15 +00:00
client . attach_group_policy ( GroupName = group_name , PolicyArn = policy_arn )
client . add_user_to_group ( GroupName = group_name , UserName = user_name )
2019-10-31 15:44:26 +00:00
def create_group_with_inline_policy_and_add_user (
user_name , policy_document , group_name = " test-group " , policy_name = " policy1 "
) :
client = boto3 . client ( " iam " , region_name = " us-east-1 " )
2019-07-26 18:40:15 +00:00
client . create_group ( GroupName = group_name )
client . put_group_policy (
GroupName = group_name ,
PolicyName = policy_name ,
2019-10-31 15:44:26 +00:00
PolicyDocument = json . dumps ( policy_document ) ,
2019-07-26 18:40:15 +00:00
)
client . add_user_to_group ( GroupName = group_name , UserName = user_name )
2019-10-31 15:44:26 +00:00
def create_group_with_multiple_policies_and_add_user (
user_name ,
inline_policy_document ,
attached_policy_document ,
group_name = " test-group " ,
inline_policy_name = " policy1 " ,
2019-11-11 09:27:01 +00:00
attached_policy_name = None ,
2019-10-31 15:44:26 +00:00
) :
2019-11-11 09:27:01 +00:00
if not attached_policy_name :
attached_policy_name = str ( uuid4 ( ) )
2019-10-31 15:44:26 +00:00
client = boto3 . client ( " iam " , region_name = " us-east-1 " )
2019-07-26 18:40:15 +00:00
client . create_group ( GroupName = group_name )
client . put_group_policy (
GroupName = group_name ,
PolicyName = inline_policy_name ,
2019-10-31 15:44:26 +00:00
PolicyDocument = json . dumps ( inline_policy_document ) ,
2019-07-26 18:40:15 +00:00
)
policy_arn = client . create_policy (
PolicyName = attached_policy_name ,
2019-10-31 15:44:26 +00:00
PolicyDocument = json . dumps ( attached_policy_document ) ,
) [ " Policy " ] [ " Arn " ]
2019-07-26 18:40:15 +00:00
client . attach_group_policy ( GroupName = group_name , PolicyArn = policy_arn )
client . add_user_to_group ( GroupName = group_name , UserName = user_name )
@mock_iam
@mock_sts
2019-10-31 15:44:26 +00:00
def create_role_with_attached_policy_and_assume_it (
role_name ,
trust_policy_document ,
policy_document ,
session_name = " session1 " ,
policy_name = " policy1 " ,
) :
iam_client = boto3 . client ( " iam " , region_name = " us-east-1 " )
sts_client = boto3 . client ( " sts " , region_name = " us-east-1 " )
2019-07-26 18:40:15 +00:00
role_arn = iam_client . create_role (
2019-10-31 15:44:26 +00:00
RoleName = role_name , AssumeRolePolicyDocument = json . dumps ( trust_policy_document )
) [ " Role " ] [ " Arn " ]
2019-07-26 18:40:15 +00:00
policy_arn = iam_client . create_policy (
2019-10-31 15:44:26 +00:00
PolicyName = policy_name , PolicyDocument = json . dumps ( policy_document )
) [ " Policy " ] [ " Arn " ]
2019-07-26 18:40:15 +00:00
iam_client . attach_role_policy ( RoleName = role_name , PolicyArn = policy_arn )
2019-10-31 15:44:26 +00:00
return sts_client . assume_role ( RoleArn = role_arn , RoleSessionName = session_name ) [
" Credentials "
]
2019-07-26 18:40:15 +00:00
@mock_iam
@mock_sts
2019-10-31 15:44:26 +00:00
def create_role_with_inline_policy_and_assume_it (
role_name ,
trust_policy_document ,
policy_document ,
session_name = " session1 " ,
policy_name = " policy1 " ,
) :
iam_client = boto3 . client ( " iam " , region_name = " us-east-1 " )
sts_client = boto3 . client ( " sts " , region_name = " us-east-1 " )
2019-07-26 18:40:15 +00:00
role_arn = iam_client . create_role (
2019-10-31 15:44:26 +00:00
RoleName = role_name , AssumeRolePolicyDocument = json . dumps ( trust_policy_document )
) [ " Role " ] [ " Arn " ]
2019-07-26 18:40:15 +00:00
iam_client . put_role_policy (
RoleName = role_name ,
PolicyName = policy_name ,
2019-10-31 15:44:26 +00:00
PolicyDocument = json . dumps ( policy_document ) ,
2019-07-26 18:40:15 +00:00
)
2019-10-31 15:44:26 +00:00
return sts_client . assume_role ( RoleArn = role_arn , RoleSessionName = session_name ) [
" Credentials "
]
2019-07-26 18:40:15 +00:00
@set_initial_no_auth_action_count ( 0 )
@mock_iam
def test_invalid_client_token_id ( ) :
2019-10-31 15:44:26 +00:00
client = boto3 . client (
" iam " ,
region_name = " us-east-1 " ,
aws_access_key_id = " invalid " ,
aws_secret_access_key = " invalid " ,
)
2019-07-26 18:40:15 +00:00
with assert_raises ( ClientError ) as ex :
client . get_user ( )
2019-10-31 15:44:26 +00:00
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " InvalidClientTokenId " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 403 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal (
" The security token included in the request is invalid. "
)
2019-07-26 18:40:15 +00:00
@set_initial_no_auth_action_count ( 0 )
@mock_ec2
def test_auth_failure ( ) :
2019-10-31 15:44:26 +00:00
client = boto3 . client (
" ec2 " ,
region_name = " us-east-1 " ,
aws_access_key_id = " invalid " ,
aws_secret_access_key = " invalid " ,
)
2019-07-26 18:40:15 +00:00
with assert_raises ( ClientError ) as ex :
client . describe_instances ( )
2019-10-31 15:44:26 +00:00
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " AuthFailure " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 401 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal (
" AWS was not able to validate the provided access credentials "
)
2019-07-26 18:40:15 +00:00
@set_initial_no_auth_action_count ( 2 )
@mock_iam
def test_signature_does_not_match ( ) :
access_key = create_user_with_access_key ( )
2019-10-31 15:44:26 +00:00
client = boto3 . client (
" iam " ,
region_name = " us-east-1 " ,
aws_access_key_id = access_key [ " AccessKeyId " ] ,
aws_secret_access_key = " invalid " ,
)
2019-07-26 18:40:15 +00:00
with assert_raises ( ClientError ) as ex :
client . get_user ( )
2019-10-31 15:44:26 +00:00
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " SignatureDoesNotMatch " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 403 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal (
" The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. "
)
2019-07-26 18:40:15 +00:00
@set_initial_no_auth_action_count ( 2 )
@mock_ec2
def test_auth_failure_with_valid_access_key_id ( ) :
access_key = create_user_with_access_key ( )
2019-10-31 15:44:26 +00:00
client = boto3 . client (
" ec2 " ,
region_name = " us-east-1 " ,
aws_access_key_id = access_key [ " AccessKeyId " ] ,
aws_secret_access_key = " invalid " ,
)
2019-07-26 18:40:15 +00:00
with assert_raises ( ClientError ) as ex :
client . describe_instances ( )
2019-10-31 15:44:26 +00:00
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " AuthFailure " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 401 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal (
" AWS was not able to validate the provided access credentials "
)
2019-07-26 18:40:15 +00:00
@set_initial_no_auth_action_count ( 2 )
@mock_ec2
def test_access_denied_with_no_policy ( ) :
2019-10-31 15:44:26 +00:00
user_name = " test-user "
2019-07-26 18:40:15 +00:00
access_key = create_user_with_access_key ( user_name )
2019-10-31 15:44:26 +00:00
client = boto3 . client (
" ec2 " ,
region_name = " us-east-1 " ,
aws_access_key_id = access_key [ " AccessKeyId " ] ,
aws_secret_access_key = access_key [ " SecretAccessKey " ] ,
)
2019-07-26 18:40:15 +00:00
with assert_raises ( ClientError ) as ex :
client . describe_instances ( )
2019-10-31 15:44:26 +00:00
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " AccessDenied " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 403 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal (
" User: arn:aws:iam:: {account_id} :user/ {user_name} is not authorized to perform: {operation} " . format (
2019-07-26 18:40:15 +00:00
account_id = ACCOUNT_ID ,
user_name = user_name ,
2019-10-31 15:44:26 +00:00
operation = " ec2:DescribeInstances " ,
2019-07-26 18:40:15 +00:00
)
)
@set_initial_no_auth_action_count ( 3 )
@mock_ec2
def test_access_denied_with_not_allowing_policy ( ) :
2019-10-31 15:44:26 +00:00
user_name = " test-user "
2019-07-26 18:40:15 +00:00
inline_policy_document = {
" Version " : " 2012-10-17 " ,
" Statement " : [
2019-10-31 15:44:26 +00:00
{ " Effect " : " Allow " , " Action " : [ " ec2:Describe* " ] , " Resource " : " * " }
] ,
2019-07-26 18:40:15 +00:00
}
2019-10-31 15:44:26 +00:00
access_key = create_user_with_access_key_and_inline_policy (
user_name , inline_policy_document
)
client = boto3 . client (
" ec2 " ,
region_name = " us-east-1 " ,
aws_access_key_id = access_key [ " AccessKeyId " ] ,
aws_secret_access_key = access_key [ " SecretAccessKey " ] ,
)
2019-07-26 18:40:15 +00:00
with assert_raises ( ClientError ) as ex :
client . run_instances ( MaxCount = 1 , MinCount = 1 )
2019-10-31 15:44:26 +00:00
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " AccessDenied " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 403 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal (
" User: arn:aws:iam:: {account_id} :user/ {user_name} is not authorized to perform: {operation} " . format (
account_id = ACCOUNT_ID , user_name = user_name , operation = " ec2:RunInstances "
2019-07-26 18:40:15 +00:00
)
)
@set_initial_no_auth_action_count ( 3 )
@mock_ec2
def test_access_denied_with_denying_policy ( ) :
2019-10-31 15:44:26 +00:00
user_name = " test-user "
2019-07-26 18:40:15 +00:00
inline_policy_document = {
" Version " : " 2012-10-17 " ,
" Statement " : [
2019-10-31 15:44:26 +00:00
{ " Effect " : " Allow " , " Action " : [ " ec2:* " ] , " Resource " : " * " } ,
{ " Effect " : " Deny " , " Action " : " ec2:CreateVpc " , " Resource " : " * " } ,
] ,
2019-07-26 18:40:15 +00:00
}
2019-10-31 15:44:26 +00:00
access_key = create_user_with_access_key_and_inline_policy (
user_name , inline_policy_document
)
client = boto3 . client (
" ec2 " ,
region_name = " us-east-1 " ,
aws_access_key_id = access_key [ " AccessKeyId " ] ,
aws_secret_access_key = access_key [ " SecretAccessKey " ] ,
)
2019-07-26 18:40:15 +00:00
with assert_raises ( ClientError ) as ex :
client . create_vpc ( CidrBlock = " 10.0.0.0/16 " )
2019-10-31 15:44:26 +00:00
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " AccessDenied " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 403 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal (
" User: arn:aws:iam:: {account_id} :user/ {user_name} is not authorized to perform: {operation} " . format (
account_id = ACCOUNT_ID , user_name = user_name , operation = " ec2:CreateVpc "
2019-07-26 18:40:15 +00:00
)
)
2019-08-22 16:09:52 +00:00
@set_initial_no_auth_action_count ( 3 )
@mock_sts
def test_get_caller_identity_allowed_with_denying_policy ( ) :
2019-10-31 15:44:26 +00:00
user_name = " test-user "
2019-08-22 16:09:52 +00:00
inline_policy_document = {
" Version " : " 2012-10-17 " ,
" Statement " : [
2019-10-31 15:44:26 +00:00
{ " Effect " : " Deny " , " Action " : " sts:GetCallerIdentity " , " Resource " : " * " }
] ,
2019-08-22 16:09:52 +00:00
}
2019-10-31 15:44:26 +00:00
access_key = create_user_with_access_key_and_inline_policy (
user_name , inline_policy_document
)
client = boto3 . client (
" sts " ,
region_name = " us-east-1 " ,
aws_access_key_id = access_key [ " AccessKeyId " ] ,
aws_secret_access_key = access_key [ " SecretAccessKey " ] ,
)
2019-08-22 16:09:52 +00:00
client . get_caller_identity ( ) . should . be . a ( dict )
2019-07-26 18:40:15 +00:00
@set_initial_no_auth_action_count ( 3 )
@mock_ec2
def test_allowed_with_wildcard_action ( ) :
2019-10-31 15:44:26 +00:00
user_name = " test-user "
2019-07-26 18:40:15 +00:00
inline_policy_document = {
" Version " : " 2012-10-17 " ,
2019-10-31 15:44:26 +00:00
" Statement " : [ { " Effect " : " Allow " , " Action " : " ec2:Describe* " , " Resource " : " * " } ] ,
2019-07-26 18:40:15 +00:00
}
2019-10-31 15:44:26 +00:00
access_key = create_user_with_access_key_and_inline_policy (
user_name , inline_policy_document
)
client = boto3 . client (
" ec2 " ,
region_name = " us-east-1 " ,
aws_access_key_id = access_key [ " AccessKeyId " ] ,
aws_secret_access_key = access_key [ " SecretAccessKey " ] ,
)
client . describe_tags ( ) [ " Tags " ] . should . be . empty
2019-07-26 18:40:15 +00:00
@set_initial_no_auth_action_count ( 4 )
@mock_iam
def test_allowed_with_explicit_action_in_attached_policy ( ) :
2019-10-31 15:44:26 +00:00
user_name = " test-user "
2019-07-26 18:40:15 +00:00
attached_policy_document = {
" Version " : " 2012-10-17 " ,
2019-10-31 15:44:26 +00:00
" Statement " : [ { " Effect " : " Allow " , " Action " : " iam:ListGroups " , " Resource " : " * " } ] ,
2019-07-26 18:40:15 +00:00
}
2019-10-31 15:44:26 +00:00
access_key = create_user_with_access_key_and_attached_policy (
user_name , attached_policy_document
)
client = boto3 . client (
" iam " ,
region_name = " us-east-1 " ,
aws_access_key_id = access_key [ " AccessKeyId " ] ,
aws_secret_access_key = access_key [ " SecretAccessKey " ] ,
)
client . list_groups ( ) [ " Groups " ] . should . be . empty
2019-07-26 18:40:15 +00:00
@set_initial_no_auth_action_count ( 8 )
@mock_s3
@mock_iam
def test_s3_access_denied_with_denying_attached_group_policy ( ) :
2019-10-31 15:44:26 +00:00
user_name = " test-user "
2019-07-26 18:40:15 +00:00
attached_policy_document = {
" Version " : " 2012-10-17 " ,
" Statement " : [
2019-10-31 15:44:26 +00:00
{ " Effect " : " Allow " , " Action " : " s3:ListAllMyBuckets " , " Resource " : " * " }
] ,
2019-07-26 18:40:15 +00:00
}
group_attached_policy_document = {
" Version " : " 2012-10-17 " ,
2019-10-31 15:44:26 +00:00
" Statement " : [ { " Effect " : " Deny " , " Action " : " s3:List* " , " Resource " : " * " } ] ,
2019-07-26 18:40:15 +00:00
}
2019-10-31 15:44:26 +00:00
access_key = create_user_with_access_key_and_attached_policy (
2019-11-05 18:57:38 +00:00
user_name , attached_policy_document , policy_name = " policy1 "
2019-10-31 15:44:26 +00:00
)
create_group_with_attached_policy_and_add_user (
2019-11-05 18:57:38 +00:00
user_name , group_attached_policy_document , policy_name = " policy2 "
2019-10-31 15:44:26 +00:00
)
client = boto3 . client (
" s3 " ,
region_name = " us-east-1 " ,
aws_access_key_id = access_key [ " AccessKeyId " ] ,
aws_secret_access_key = access_key [ " SecretAccessKey " ] ,
)
2019-07-26 18:40:15 +00:00
with assert_raises ( ClientError ) as ex :
client . list_buckets ( )
2019-10-31 15:44:26 +00:00
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " AccessDenied " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 403 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal ( " Access Denied " )
2019-07-26 18:40:15 +00:00
@set_initial_no_auth_action_count ( 6 )
@mock_s3
@mock_iam
def test_s3_access_denied_with_denying_inline_group_policy ( ) :
2019-10-31 15:44:26 +00:00
user_name = " test-user "
bucket_name = " test-bucket "
2019-07-26 18:40:15 +00:00
inline_policy_document = {
" Version " : " 2012-10-17 " ,
2019-10-31 15:44:26 +00:00
" Statement " : [ { " Effect " : " Allow " , " Action " : " * " , " Resource " : " * " } ] ,
2019-07-26 18:40:15 +00:00
}
group_inline_policy_document = {
" Version " : " 2012-10-17 " ,
2019-10-31 15:44:26 +00:00
" Statement " : [ { " Effect " : " Deny " , " Action " : " s3:GetObject " , " Resource " : " * " } ] ,
2019-07-26 18:40:15 +00:00
}
2019-10-31 15:44:26 +00:00
access_key = create_user_with_access_key_and_inline_policy (
user_name , inline_policy_document
)
create_group_with_inline_policy_and_add_user (
user_name , group_inline_policy_document
)
client = boto3 . client (
" s3 " ,
region_name = " us-east-1 " ,
aws_access_key_id = access_key [ " AccessKeyId " ] ,
aws_secret_access_key = access_key [ " SecretAccessKey " ] ,
)
2019-07-26 18:40:15 +00:00
client . create_bucket ( Bucket = bucket_name )
with assert_raises ( ClientError ) as ex :
2019-10-31 15:44:26 +00:00
client . get_object ( Bucket = bucket_name , Key = " sdfsdf " )
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " AccessDenied " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 403 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal ( " Access Denied " )
2019-07-26 18:40:15 +00:00
@set_initial_no_auth_action_count ( 10 )
@mock_iam
@mock_ec2
def test_access_denied_with_many_irrelevant_policies ( ) :
2019-10-31 15:44:26 +00:00
user_name = " test-user "
2019-07-26 18:40:15 +00:00
inline_policy_document = {
" Version " : " 2012-10-17 " ,
2019-10-31 15:44:26 +00:00
" Statement " : [ { " Effect " : " Allow " , " Action " : " ec2:Describe* " , " Resource " : " * " } ] ,
2019-07-26 18:40:15 +00:00
}
attached_policy_document = {
" Version " : " 2012-10-17 " ,
2019-10-31 15:44:26 +00:00
" Statement " : [ { " Effect " : " Allow " , " Action " : " s3:* " , " Resource " : " * " } ] ,
2019-07-26 18:40:15 +00:00
}
group_inline_policy_document = {
" Version " : " 2012-10-17 " ,
2019-10-31 15:44:26 +00:00
" Statement " : [ { " Effect " : " Deny " , " Action " : " iam:List* " , " Resource " : " * " } ] ,
2019-07-26 18:40:15 +00:00
}
group_attached_policy_document = {
" Version " : " 2012-10-17 " ,
2019-10-31 15:44:26 +00:00
" Statement " : [ { " Effect " : " Deny " , " Action " : " lambda:* " , " Resource " : " * " } ] ,
2019-07-26 18:40:15 +00:00
}
2019-10-31 15:44:26 +00:00
access_key = create_user_with_access_key_and_multiple_policies (
2019-11-05 18:57:38 +00:00
user_name ,
inline_policy_document ,
attached_policy_document ,
attached_policy_name = " policy1 " ,
2019-10-31 15:44:26 +00:00
)
create_group_with_multiple_policies_and_add_user (
2019-11-05 18:57:38 +00:00
user_name ,
group_inline_policy_document ,
group_attached_policy_document ,
attached_policy_name = " policy2 " ,
2019-10-31 15:44:26 +00:00
)
client = boto3 . client (
" ec2 " ,
region_name = " us-east-1 " ,
aws_access_key_id = access_key [ " AccessKeyId " ] ,
aws_secret_access_key = access_key [ " SecretAccessKey " ] ,
)
2019-07-26 18:40:15 +00:00
with assert_raises ( ClientError ) as ex :
client . create_key_pair ( KeyName = " TestKey " )
2019-10-31 15:44:26 +00:00
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " AccessDenied " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 403 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal (
" User: arn:aws:iam:: {account_id} :user/ {user_name} is not authorized to perform: {operation} " . format (
account_id = ACCOUNT_ID , user_name = user_name , operation = " ec2:CreateKeyPair "
2019-07-26 18:40:15 +00:00
)
)
@set_initial_no_auth_action_count ( 4 )
@mock_iam
@mock_sts
@mock_ec2
@mock_elbv2
def test_allowed_with_temporary_credentials ( ) :
2019-10-31 15:44:26 +00:00
role_name = " test-role "
2019-07-26 18:40:15 +00:00
trust_policy_document = {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
2019-10-31 15:44:26 +00:00
" Principal " : {
" AWS " : " arn:aws:iam:: {account_id} :root " . format ( account_id = ACCOUNT_ID )
} ,
" Action " : " sts:AssumeRole " ,
} ,
2019-07-26 18:40:15 +00:00
}
attached_policy_document = {
" Version " : " 2012-10-17 " ,
" Statement " : [
{
" Effect " : " Allow " ,
" Action " : [
" elasticloadbalancing:CreateLoadBalancer " ,
2019-10-31 15:44:26 +00:00
" ec2:DescribeSubnets " ,
2019-07-26 18:40:15 +00:00
] ,
2019-10-31 15:44:26 +00:00
" Resource " : " * " ,
2019-07-26 18:40:15 +00:00
}
2019-10-31 15:44:26 +00:00
] ,
2019-07-26 18:40:15 +00:00
}
2019-10-31 15:44:26 +00:00
credentials = create_role_with_attached_policy_and_assume_it (
role_name , trust_policy_document , attached_policy_document
)
elbv2_client = boto3 . client (
" elbv2 " ,
region_name = " us-east-1 " ,
aws_access_key_id = credentials [ " AccessKeyId " ] ,
aws_secret_access_key = credentials [ " SecretAccessKey " ] ,
aws_session_token = credentials [ " SessionToken " ] ,
)
ec2_client = boto3 . client (
" ec2 " ,
region_name = " us-east-1 " ,
aws_access_key_id = credentials [ " AccessKeyId " ] ,
aws_secret_access_key = credentials [ " SecretAccessKey " ] ,
aws_session_token = credentials [ " SessionToken " ] ,
)
subnets = ec2_client . describe_subnets ( ) [ " Subnets " ]
2019-07-26 18:40:15 +00:00
len ( subnets ) . should . be . greater_than ( 1 )
elbv2_client . create_load_balancer (
2019-10-31 15:44:26 +00:00
Name = " test-load-balancer " ,
Subnets = [ subnets [ 0 ] [ " SubnetId " ] , subnets [ 1 ] [ " SubnetId " ] ] ,
) [ " LoadBalancers " ] . should . have . length_of ( 1 )
2019-07-26 18:40:15 +00:00
@set_initial_no_auth_action_count ( 3 )
@mock_iam
@mock_sts
@mock_rds2
def test_access_denied_with_temporary_credentials ( ) :
2019-10-31 15:44:26 +00:00
role_name = " test-role "
session_name = " test-session "
2019-07-26 18:40:15 +00:00
trust_policy_document = {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
2019-10-31 15:44:26 +00:00
" Principal " : {
" AWS " : " arn:aws:iam:: {account_id} :root " . format ( account_id = ACCOUNT_ID )
} ,
" Action " : " sts:AssumeRole " ,
} ,
2019-07-26 18:40:15 +00:00
}
attached_policy_document = {
" Version " : " 2012-10-17 " ,
" Statement " : [
2019-10-31 15:44:26 +00:00
{ " Effect " : " Allow " , " Action " : [ " rds:Describe* " ] , " Resource " : " * " }
] ,
2019-07-26 18:40:15 +00:00
}
2019-10-31 15:44:26 +00:00
credentials = create_role_with_inline_policy_and_assume_it (
role_name , trust_policy_document , attached_policy_document , session_name
)
client = boto3 . client (
" rds " ,
region_name = " us-east-1 " ,
aws_access_key_id = credentials [ " AccessKeyId " ] ,
aws_secret_access_key = credentials [ " SecretAccessKey " ] ,
aws_session_token = credentials [ " SessionToken " ] ,
)
2019-07-26 18:40:15 +00:00
with assert_raises ( ClientError ) as ex :
client . create_db_instance (
2019-10-31 15:44:26 +00:00
DBInstanceIdentifier = " test-db-instance " ,
DBInstanceClass = " db.t3 " ,
Engine = " aurora-postgresql " ,
2019-07-26 18:40:15 +00:00
)
2019-10-31 15:44:26 +00:00
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " AccessDenied " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 403 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal (
" User: arn:aws:sts:: {account_id} :assumed-role/ {role_name} / {session_name} is not authorized to perform: {operation} " . format (
2019-07-26 18:40:15 +00:00
account_id = ACCOUNT_ID ,
role_name = role_name ,
session_name = session_name ,
2019-10-31 15:44:26 +00:00
operation = " rds:CreateDBInstance " ,
2019-07-26 18:40:15 +00:00
)
)
2019-07-28 20:19:50 +00:00
@set_initial_no_auth_action_count ( 3 )
@mock_iam
def test_get_user_from_credentials ( ) :
2019-10-31 15:44:26 +00:00
user_name = " new-test-user "
2019-07-28 20:19:50 +00:00
inline_policy_document = {
" Version " : " 2012-10-17 " ,
2019-10-31 15:44:26 +00:00
" Statement " : [ { " Effect " : " Allow " , " Action " : " iam:* " , " Resource " : " * " } ] ,
2019-07-28 20:19:50 +00:00
}
2019-10-31 15:44:26 +00:00
access_key = create_user_with_access_key_and_inline_policy (
user_name , inline_policy_document
)
client = boto3 . client (
" iam " ,
region_name = " us-east-1 " ,
aws_access_key_id = access_key [ " AccessKeyId " ] ,
aws_secret_access_key = access_key [ " SecretAccessKey " ] ,
)
client . get_user ( ) [ " User " ] [ " UserName " ] . should . equal ( user_name )
2019-07-28 20:19:50 +00:00
@set_initial_no_auth_action_count ( 0 )
@mock_s3
def test_s3_invalid_access_key_id ( ) :
2019-10-31 15:44:26 +00:00
client = boto3 . client (
" s3 " ,
region_name = " us-east-1 " ,
aws_access_key_id = " invalid " ,
aws_secret_access_key = " invalid " ,
)
2019-07-28 20:19:50 +00:00
with assert_raises ( ClientError ) as ex :
client . list_buckets ( )
2019-10-31 15:44:26 +00:00
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " InvalidAccessKeyId " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 403 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal (
" The AWS Access Key Id you provided does not exist in our records. "
)
2019-07-28 20:19:50 +00:00
@set_initial_no_auth_action_count ( 3 )
@mock_s3
@mock_iam
def test_s3_signature_does_not_match ( ) :
2019-10-31 15:44:26 +00:00
bucket_name = " test-bucket "
2019-07-28 20:19:50 +00:00
access_key = create_user_with_access_key ( )
2019-10-31 15:44:26 +00:00
client = boto3 . client (
" s3 " ,
region_name = " us-east-1 " ,
aws_access_key_id = access_key [ " AccessKeyId " ] ,
aws_secret_access_key = " invalid " ,
)
2019-07-28 20:19:50 +00:00
client . create_bucket ( Bucket = bucket_name )
with assert_raises ( ClientError ) as ex :
client . put_object ( Bucket = bucket_name , Key = " abc " )
2019-10-31 15:44:26 +00:00
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " SignatureDoesNotMatch " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 403 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal (
" The request signature we calculated does not match the signature you provided. Check your key and signing method. "
)
2019-07-28 20:19:50 +00:00
@set_initial_no_auth_action_count ( 7 )
@mock_s3
@mock_iam
def test_s3_access_denied_not_action ( ) :
2019-10-31 15:44:26 +00:00
user_name = " test-user "
bucket_name = " test-bucket "
2019-07-28 20:19:50 +00:00
inline_policy_document = {
" Version " : " 2012-10-17 " ,
2019-10-31 15:44:26 +00:00
" Statement " : [ { " Effect " : " Allow " , " Action " : " * " , " Resource " : " * " } ] ,
2019-07-28 20:19:50 +00:00
}
group_inline_policy_document = {
" Version " : " 2012-10-17 " ,
2019-10-31 15:44:26 +00:00
" Statement " : [ { " Effect " : " Deny " , " NotAction " : " iam:GetUser " , " Resource " : " * " } ] ,
2019-07-28 20:19:50 +00:00
}
2019-10-31 15:44:26 +00:00
access_key = create_user_with_access_key_and_inline_policy (
user_name , inline_policy_document
)
create_group_with_inline_policy_and_add_user (
user_name , group_inline_policy_document
)
client = boto3 . client (
" s3 " ,
region_name = " us-east-1 " ,
aws_access_key_id = access_key [ " AccessKeyId " ] ,
aws_secret_access_key = access_key [ " SecretAccessKey " ] ,
)
2019-07-28 20:19:50 +00:00
client . create_bucket ( Bucket = bucket_name )
with assert_raises ( ClientError ) as ex :
2019-10-31 15:44:26 +00:00
client . delete_object ( Bucket = bucket_name , Key = " sdfsdf " )
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " AccessDenied " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 403 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal ( " Access Denied " )
2019-07-28 20:19:50 +00:00
@set_initial_no_auth_action_count ( 4 )
@mock_iam
@mock_sts
@mock_s3
def test_s3_invalid_token_with_temporary_credentials ( ) :
2019-10-31 15:44:26 +00:00
role_name = " test-role "
session_name = " test-session "
bucket_name = " test-bucket-888 "
2019-07-28 20:19:50 +00:00
trust_policy_document = {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
2019-10-31 15:44:26 +00:00
" Principal " : {
" AWS " : " arn:aws:iam:: {account_id} :root " . format ( account_id = ACCOUNT_ID )
} ,
" Action " : " sts:AssumeRole " ,
} ,
2019-07-28 20:19:50 +00:00
}
attached_policy_document = {
" Version " : " 2012-10-17 " ,
2019-10-31 15:44:26 +00:00
" Statement " : [ { " Effect " : " Allow " , " Action " : [ " * " ] , " Resource " : " * " } ] ,
2019-07-28 20:19:50 +00:00
}
2019-10-31 15:44:26 +00:00
credentials = create_role_with_inline_policy_and_assume_it (
role_name , trust_policy_document , attached_policy_document , session_name
)
client = boto3 . client (
" s3 " ,
region_name = " us-east-1 " ,
aws_access_key_id = credentials [ " AccessKeyId " ] ,
aws_secret_access_key = credentials [ " SecretAccessKey " ] ,
aws_session_token = " invalid " ,
)
2019-07-28 20:19:50 +00:00
client . create_bucket ( Bucket = bucket_name )
with assert_raises ( ClientError ) as ex :
client . list_bucket_metrics_configurations ( Bucket = bucket_name )
2019-10-31 15:44:26 +00:00
ex . exception . response [ " Error " ] [ " Code " ] . should . equal ( " InvalidToken " )
ex . exception . response [ " ResponseMetadata " ] [ " HTTPStatusCode " ] . should . equal ( 400 )
ex . exception . response [ " Error " ] [ " Message " ] . should . equal (
" The provided token is malformed or otherwise invalid. "
)