2019-06-30 11:47:17 +00:00
import json
import boto3
from botocore . exceptions import ClientError
from nose . tools import assert_raises
from moto import mock_iam
2019-06-30 15:04:02 +00:00
invalid_documents_test_cases = [
{
" document " : " This is not a json document " ,
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Statement " : {
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Policy document must be version 2012-10-17 or greater. '
} ,
{
" document " : {
" Version " : " 2008-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Policy document must be version 2012-10-17 or greater. '
} ,
{
" document " : {
" Version " : " 2013-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 "
} ,
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : [ " afd " ]
} ,
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket "
} ,
" Extra field " : " value "
} ,
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket " ,
" Extra field " : " value "
}
} ,
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Id " : [ " cd3a324d2343d942772346-34234234423404-4c2242343242349d1642ee " ] ,
" Statement " : {
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Id " : { } ,
" Statement " : {
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " invalid " ,
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
" Action " : " invalid " ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Actions/Conditions must be prefaced by a vendor, e.g., iam, sdb, ec2, etc. '
} ,
2019-06-30 16:48:27 +00:00
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
" Effect " : " Allow " ,
" Action " : " a a:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Vendor a a is not valid '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
" Effect " : " Allow " ,
" Action " : " s3:List:Bucket " ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Actions/Condition can contain only one colon. '
} ,
2019-06-30 15:04:02 +00:00
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : " invalid resource "
}
} ,
" error_message " : ' Resource invalid resource must be in ARN format or " * " . '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : [ " adf " ]
}
} ,
" error_message " : ' Resource adf must be in ARN format or " * " . '
} ,
2019-06-30 16:48:27 +00:00
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : " "
}
} ,
" error_message " : ' Resource must be in ARN format or " * " . '
} ,
2019-06-30 15:04:02 +00:00
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : [ ]
} ,
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
" Action " : " s3:ListBucket "
}
} ,
" error_message " : ' Policy statement must contain resources. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : [ ]
}
} ,
" error_message " : ' Policy statement must contain resources. '
} ,
2019-06-30 16:48:27 +00:00
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
" Action " : " invalid "
}
} ,
" error_message " : ' Policy statement must contain resources. '
} ,
2019-06-30 15:04:02 +00:00
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Policy statement must contain actions. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow "
}
} ,
" error_message " : ' Policy statement must contain actions. '
} ,
2019-06-30 16:48:27 +00:00
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
" Effect " : " Allow " ,
" Action " : [ ] ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Policy statement must contain actions. '
} ,
2019-06-30 15:04:02 +00:00
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : [
{
" Effect " : " Deny "
} ,
{
2019-06-30 11:47:17 +00:00
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket "
}
2019-06-30 15:04:02 +00:00
]
} ,
" error_message " : ' Policy statement must contain actions. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
2019-06-30 11:47:17 +00:00
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
2019-06-30 15:04:02 +00:00
" Resource " : " arn:aws:iam:::example_bucket "
2019-06-30 11:47:17 +00:00
}
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' IAM resource path must either be " * " or start with user/, federated-user/, role/, group/, instance-profile/, mfa/, server-certificate/, policy/, sms-mfa/, saml-provider/, oidc-provider/, report/, access-report/. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
2019-06-30 11:47:17 +00:00
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
2019-06-30 15:04:02 +00:00
" Resource " : " arn:aws:s3::example_bucket "
2019-06-30 11:47:17 +00:00
}
2019-06-30 14:36:49 +00:00
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' The policy failed legacy parsing '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
2019-06-30 11:47:17 +00:00
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
2019-06-30 15:04:02 +00:00
" Resource " : " arn:aws "
}
2019-06-30 11:47:17 +00:00
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' Resource vendor must be fully qualified and cannot contain regexes. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
2019-06-30 11:47:17 +00:00
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
2019-06-30 15:04:02 +00:00
" Resource " : {
" a " : " arn:aws:s3:::example_bucket "
}
2019-06-30 11:47:17 +00:00
}
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Deny " ,
" Action " : " s3:ListBucket " ,
" Resource " : [ " adfdf " , { } ]
}
} ,
" error_message " : ' Syntax errors in policy. '
} ,
2019-06-30 16:48:27 +00:00
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Deny " ,
" Action " : [ [ ] ] ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
" Effect " : " Allow " ,
" Action " : { } ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Syntax errors in policy. '
} ,
2019-06-30 15:04:02 +00:00
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
2019-06-30 11:47:17 +00:00
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
2019-06-30 15:04:02 +00:00
" Resource " : " arn:aws:s3:::example_bucket " ,
" Condition " : [ ]
2019-06-30 11:47:17 +00:00
}
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
2019-06-30 11:47:17 +00:00
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
2019-06-30 15:04:02 +00:00
" Resource " : " arn:aws:s3:::example_bucket " ,
" Condition " : " a "
2019-06-30 11:47:17 +00:00
}
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
" Effect " : " Allow " ,
2019-06-30 11:47:17 +00:00
" Action " : " s3:ListBucket " ,
2019-06-30 15:04:02 +00:00
" Resource " : " arn:aws:s3:::example_bucket " ,
" Condition " : {
" a " : " b "
}
2019-06-30 11:47:17 +00:00
}
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
2019-06-30 11:47:17 +00:00
" Effect " : " Allow " ,
2019-06-30 15:04:02 +00:00
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket " ,
" Condition " : {
" DateGreaterThan " : " b "
}
2019-06-30 11:47:17 +00:00
}
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
2019-06-30 11:47:17 +00:00
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
2019-06-30 15:04:02 +00:00
" Resource " : " arn:aws:s3:::example_bucket " ,
" Condition " : {
" DateGreaterThan " : [ ]
}
2019-06-30 11:47:17 +00:00
}
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
2019-06-30 14:36:49 +00:00
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
2019-06-30 15:04:02 +00:00
" Resource " : " arn:aws:s3:::example_bucket " ,
" Condition " : {
" DateGreaterThan " : { " a " : { } }
}
2019-06-30 14:36:49 +00:00
}
2019-06-30 11:47:17 +00:00
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
2019-06-30 11:47:17 +00:00
" Effect " : " Allow " ,
2019-06-30 15:04:02 +00:00
" Resource " : " arn:aws:s3:::example_bucket " ,
" Condition " : {
" DateGreaterThan " : { " a " : { } }
}
2019-06-30 11:47:17 +00:00
}
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
2019-06-30 14:36:49 +00:00
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
2019-06-30 15:04:02 +00:00
" Resource " : " arn:aws:s3:::example_bucket " ,
" Condition " : [
{ " ForAllValues:StringEquals " : { " aws:TagKeys " : " Department " } }
]
2019-06-30 14:36:49 +00:00
}
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
2019-06-30 11:47:17 +00:00
" Effect " : " Allow " ,
2019-06-30 15:04:02 +00:00
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:iam:us-east-1::example_bucket "
2019-06-30 11:47:17 +00:00
}
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' IAM resource arn:aws:iam:us-east-1::example_bucket cannot contain region information. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
" Effect " : " Allow " ,
2019-06-30 11:47:17 +00:00
" Action " : " s3:ListBucket " ,
2019-06-30 15:04:02 +00:00
" Resource " : " arn:aws:s3:us-east-1::example_bucket "
2019-06-30 11:47:17 +00:00
}
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' Resource arn:aws:s3:us-east-1::example_bucket can not contain region information. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
" Sid " : { } ,
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket "
2019-06-30 11:47:17 +00:00
}
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
" Sid " : [ ] ,
" Effect " : " Allow " ,
2019-06-30 14:36:49 +00:00
" Action " : " s3:ListBucket " ,
2019-06-30 15:04:02 +00:00
" Resource " : " arn:aws:s3:::example_bucket "
2019-06-30 14:36:49 +00:00
}
2019-06-30 12:03:18 +00:00
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : [
{
" Sid " : " sdf " ,
2019-06-30 12:03:18 +00:00
" Effect " : " Allow " ,
2019-06-30 15:04:02 +00:00
" Action " : " s3:ListBucket " ,
2019-06-30 12:03:18 +00:00
" Resource " : " arn:aws:s3:::example_bucket "
2019-06-30 15:04:02 +00:00
} ,
{
" Sid " : " sdf " ,
" Effect " : " Allow "
2019-06-30 12:03:18 +00:00
}
2019-06-30 15:04:02 +00:00
]
} ,
" error_message " : ' Statement IDs (SID) in a single policy must be unique. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
" NotAction " : " s3:ListBucket " ,
" Action " : " iam:dsf " ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket " ,
" NotResource " : " * "
}
} ,
" error_message " : ' Syntax errors in policy. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " : {
" Effect " : " denY " ,
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket "
}
} ,
" error_message " : ' The policy failed legacy parsing '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
2019-06-30 12:03:18 +00:00
" Effect " : " Allow " ,
" Action " : " s3:ListBucket " ,
" Resource " : " arn:aws:s3:::example_bucket " ,
2019-06-30 15:04:02 +00:00
" Condition " : {
" DateGreaterThan " : { " a " : " sdfdsf " }
}
2019-06-30 12:03:18 +00:00
}
2019-06-30 14:36:49 +00:00
} ,
2019-06-30 15:04:02 +00:00
" error_message " : ' The policy failed legacy parsing '
} ,
{
" document " : {
" Statement " :
{
" Effect " : " Allow " ,
2019-06-30 14:36:49 +00:00
" Action " : " s3:ListBucket " ,
2019-06-30 15:04:02 +00:00
" Resource " : " arn:aws:s3:::example_bucket " ,
" Condition " : {
" DateGreaterThan " : { " a " : " sdfdsf " }
2019-06-30 14:36:49 +00:00
}
2019-06-30 15:04:02 +00:00
}
} ,
" error_message " : ' Policy document must be version 2012-10-17 or greater. '
} ,
{
" document " : {
" Version " : " 2012-10-17 " ,
" Statement " :
{
" Effect " : " Allow " ,
" Condition " : {
" DateGreaterThan " : { " a " : " sdfdsf " }
2019-06-30 14:36:49 +00:00
}
2019-06-30 15:04:02 +00:00
}
} ,
" error_message " : ' The policy failed legacy parsing '
}
] # TODO add more tests
2019-06-30 11:47:17 +00:00
2019-06-30 15:04:02 +00:00
def test_create_policy_with_invalid_policy_documents ( ) :
2019-06-30 11:47:17 +00:00
for test_case in invalid_documents_test_cases :
2019-06-30 15:04:02 +00:00
yield check_create_policy_with_invalid_policy_document , test_case
@mock_iam
def check_create_policy_with_invalid_policy_document ( test_case ) :
conn = boto3 . client ( ' iam ' , region_name = ' us-east-1 ' )
with assert_raises ( ClientError ) as ex :
conn . create_policy (
PolicyName = " TestCreatePolicy " ,
PolicyDocument = json . dumps ( test_case [ " document " ] ) )
ex . exception . response [ ' Error ' ] [ ' Code ' ] . should . equal ( ' MalformedPolicyDocument ' )
ex . exception . response [ ' ResponseMetadata ' ] [ ' HTTPStatusCode ' ] . should . equal ( 400 )
ex . exception . response [ ' Error ' ] [ ' Message ' ] . should . equal ( test_case [ " error_message " ] )