feature added: support for api RolePermissionsBoundary (#3329)

* feature added: support for api PutUserPermissionsBoundary; DeleteRolePermissionsBoundary * minor test fix * lint fixed * refractored test case * Issue 3224 s3 copy glacier object (#3318) * 3224 Enhancement - S3 Copy restored glacier objects - adds setter for expiry date - copy sets expiry date to none when source is glacier object - throws error for copying glacier object only if not restored/still restoring * 3224 Enhancement - S3 Copy restored glacier objects - throws error for copying deep archive object only if not restored/still restoring * Fix:s3 List Object response:delimiter (#3254) * Fix:s3 List Object delimiter in response * fixed tests * fixed failed tests Co-authored-by: usmankb <usman@krazybee.com> * feature added: support for api PutUserPermissionsBoundary; DeleteRolePermissionsBoundary * minor test fix * lint fixed * refractored test case * added test case for put role exception Co-authored-by: ruthbovell <63656505+ruthbovell@users.noreply.github.com> Co-authored-by: usmangani1 <sgosman_chem@yahoo.com> Co-authored-by: usmankb <usman@krazybee.com>
2020-09-22 17:13:59 +05:30 · 2020-09-22 17:13:59 +05:30 · 427a222aa0
commit 427a222aa0
parent 958e95cf5c
3 changed files with 49 additions and 3 deletions
--- a/moto/iam/models.py
+++ b/moto/iam/models.py
@ -1435,6 +1435,23 @@ class IAMBackend(BaseBackend):
        role.max_session_duration = max_session_duration
        return role

+    def put_role_permissions_boundary(self, role_name, permissions_boundary):
+        if permissions_boundary and not self.policy_arn_regex.match(
+            permissions_boundary
+        ):
+            raise RESTError(
+                "InvalidParameterValue",
+                "Value ({}) for parameter PermissionsBoundary is invalid.".format(
+                    permissions_boundary
+                ),
+            )
+        role = self.get_role(role_name)
+        role.permissions_boundary = permissions_boundary
+
+    def delete_role_permissions_boundary(self, role_name):
+        role = self.get_role(role_name)
+        role.permissions_boundary = None
+
    def detach_role_policy(self, policy_arn, role_name):
        arns = dict((p.arn, p) for p in self.managed_policies.values())
        try:
--- a/moto/iam/responses.py
+++ b/moto/iam/responses.py
@ -265,6 +265,19 @@ class IamResponse(BaseResponse):
        template = self.response_template(UPDATE_ROLE_TEMPLATE)
        return template.render(role=role)

+    def put_role_permissions_boundary(self):
+        permissions_boundary = self._get_param("PermissionsBoundary")
+        role_name = self._get_param("RoleName")
+        iam_backend.put_role_permissions_boundary(role_name, permissions_boundary)
+        template = self.response_template(GENERIC_EMPTY_TEMPLATE)
+        return template.render(name="PutRolePermissionsBoundary")
+
+    def delete_role_permissions_boundary(self):
+        role_name = self._get_param("RoleName")
+        iam_backend.delete_role_permissions_boundary(role_name)
+        template = self.response_template(GENERIC_EMPTY_TEMPLATE)
+        return template.render(name="DeleteRolePermissionsBoundary")
+
    def create_policy_version(self):
        policy_arn = self._get_param("PolicyArn")
        policy_document = self._get_param("PolicyDocument")
@ -1315,6 +1328,12 @@ GET_ROLE_TEMPLATE = """<GetRoleResponse xmlns="https://iam.amazonaws.com/doc/201
      <CreateDate>{{ role.created_iso_8601 }}</CreateDate>
      <RoleId>{{ role.id }}</RoleId>
      <MaxSessionDuration>{{ role.max_session_duration }}</MaxSessionDuration>
+      {% if role.permissions_boundary %}
+      <PermissionsBoundary>
+          <PermissionsBoundaryType>PermissionsBoundaryPolicy</PermissionsBoundaryType>
+          <PermissionsBoundaryArn>{{ role.permissions_boundary }}</PermissionsBoundaryArn>
+      </PermissionsBoundary>
+      {% endif %}
      {% if role.tags %}
      <Tags>
        {% for tag in role.get_tags() %}
--- a/tests/test_iam/test_iam.py
+++ b/tests/test_iam/test_iam.py
@ -869,9 +869,7 @@ def test_list_access_keys():
    conn = boto3.client("iam", region_name="us-east-1")
    conn.create_user(UserName="my-user")
    response = conn.list_access_keys(UserName="my-user")
-    assert_equals(
-        response["AccessKeyMetadata"], [],
-    )
+    assert_equals(response["AccessKeyMetadata"], [])
    access_key = conn.create_access_key(UserName="my-user")["AccessKey"]
    response = conn.list_access_keys(UserName="my-user")
    assert_equals(
@ -2377,7 +2375,19 @@ def test_create_role_with_permissions_boundary():
    resp.get("Role").get("PermissionsBoundary").should.equal(expected)
    resp.get("Role").get("Description").should.equal("test")

+    conn.delete_role_permissions_boundary(RoleName="my-role")
+    conn.list_roles().get("Roles")[0].should_not.have.key("PermissionsBoundary")
+
+    conn.put_role_permissions_boundary(RoleName="my-role", PermissionsBoundary=boundary)
+    resp.get("Role").get("PermissionsBoundary").should.equal(expected)
+
    invalid_boundary_arn = "arn:aws:iam::123456789:not_a_boundary"
+
+    with assert_raises(ClientError):
+        conn.put_role_permissions_boundary(
+            RoleName="my-role", PermissionsBoundary=invalid_boundary_arn
+        )
+
    with assert_raises(ClientError):
        conn.create_role(
            RoleName="bad-boundary",