Merge pull request #2525 from edekadigital/add-iam-account-password-policy

Add iam account password policy
2019-11-04 22:44:04 -06:00 · 2019-11-04 22:44:04 -06:00 · ad6b73b38e
commit ad6b73b38e
parent e00af2f73c 78e2714496
5 changed files with 336 additions and 5 deletions
--- a/IMPLEMENTATION_COVERAGE.md
+++ b/IMPLEMENTATION_COVERAGE.md
@ -2362,7 +2362,7 @@
 - [ ] send_ssh_public_key
 ## ecr
-30% implemented
+27% implemented
 - [ ] batch_check_layer_availability
 - [X] batch_delete_image
 - [X] batch_get_image
@ -2371,6 +2371,7 @@
 - [ ] delete_lifecycle_policy
 - [X] delete_repository
 - [ ] delete_repository_policy
 - [ ] describe_image_scan_findings
 - [X] describe_images
 - [X] describe_repositories
 - [ ] get_authorization_token
@ -2382,9 +2383,11 @@
 - [X] list_images
 - [ ] list_tags_for_resource
 - [X] put_image
 - [ ] put_image_scanning_configuration
 - [ ] put_image_tag_mutability
 - [ ] put_lifecycle_policy
 - [ ] set_repository_policy
 - [ ] start_image_scan
 - [ ] start_lifecycle_policy_preview
 - [ ] tag_resource
 - [ ] untag_resource
@ -2475,6 +2478,7 @@
 - [ ] authorize_cache_security_group_ingress
 - [ ] batch_apply_update_action
 - [ ] batch_stop_update_action
 - [ ] complete_migration
 - [ ] copy_snapshot
 - [ ] create_cache_cluster
 - [ ] create_cache_parameter_group
@ -2516,6 +2520,7 @@
 - [ ] remove_tags_from_resource
 - [ ] reset_cache_parameter_group
 - [ ] revoke_cache_security_group_ingress
 - [ ] start_migration
 - [ ] test_failover
 ## elasticbeanstalk
@ -3262,7 +3267,7 @@
 - [ ] describe_events
 ## iam
-60% implemented
+62% implemented
 - [ ] add_client_id_to_open_id_connect_provider
 - [X] add_role_to_instance_profile
 - [X] add_user_to_group
@ -3287,7 +3292,7 @@
 - [X] deactivate_mfa_device
 - [X] delete_access_key
 - [X] delete_account_alias
- [ ] delete_account_password_policy
+- [X] delete_account_password_policy
 - [ ] delete_group
 - [ ] delete_group_policy
 - [ ] delete_instance_profile
@ -3317,7 +3322,7 @@
 - [ ] generate_service_last_accessed_details
 - [X] get_access_key_last_used
 - [X] get_account_authorization_details
- [ ] get_account_password_policy
+- [X] get_account_password_policy
 - [ ] get_account_summary
 - [ ] get_context_keys_for_custom_policy
 - [ ] get_context_keys_for_principal_policy
@ -3387,7 +3392,7 @@
 - [X] untag_role
 - [ ] untag_user
 - [X] update_access_key
- [ ] update_account_password_policy
+- [X] update_account_password_policy
 - [ ] update_assume_role_policy
 - [ ] update_group
 - [X] update_login_profile
--- a/moto/iam/exceptions.py
+++ b/moto/iam/exceptions.py
@ -128,3 +128,10 @@ class InvalidInput(RESTError):
    def __init__(self, message):
        super(InvalidInput, self).__init__("InvalidInput", message)
 class NoSuchEntity(RESTError):
    code = 404
    def __init__(self, message):
        super(NoSuchEntity, self).__init__("NoSuchEntity", message)
--- a/moto/iam/models.py
+++ b/moto/iam/models.py
@ -35,6 +35,7 @@ from .exceptions import (
    EntityAlreadyExists,
    ValidationError,
    InvalidInput,
    NoSuchEntity,
 )
 from .utils import (
    random_access_key,
@ -652,6 +653,89 @@ class User(BaseModel):
        )
 class AccountPasswordPolicy(BaseModel):
    def __init__(
        self,
        allow_change_password,
        hard_expiry,
        max_password_age,
        minimum_password_length,
        password_reuse_prevention,
        require_lowercase_characters,
        require_numbers,
        require_symbols,
        require_uppercase_characters,
    ):
        self._errors = []
        self._validate(
            max_password_age, minimum_password_length, password_reuse_prevention
        )
        self.allow_users_to_change_password = allow_change_password
        self.hard_expiry = hard_expiry
        self.max_password_age = max_password_age
        self.minimum_password_length = minimum_password_length
        self.password_reuse_prevention = password_reuse_prevention
        self.require_lowercase_characters = require_lowercase_characters
        self.require_numbers = require_numbers
        self.require_symbols = require_symbols
        self.require_uppercase_characters = require_uppercase_characters
    @property
    def expire_passwords(self):
        return True if self.max_password_age and self.max_password_age > 0 else False
    def _validate(
        self, max_password_age, minimum_password_length, password_reuse_prevention
    ):
        if minimum_password_length > 128:
            self._errors.append(
                self._format_error(
                    key="minimumPasswordLength",
                    value=minimum_password_length,
                    constraint="Member must have value less than or equal to 128",
                )
            )
        if password_reuse_prevention and password_reuse_prevention > 24:
            self._errors.append(
                self._format_error(
                    key="passwordReusePrevention",
                    value=password_reuse_prevention,
                    constraint="Member must have value less than or equal to 24",
                )
            )
        if max_password_age and max_password_age > 1095:
            self._errors.append(
                self._format_error(
                    key="maxPasswordAge",
                    value=max_password_age,
                    constraint="Member must have value less than or equal to 1095",
                )
            )
        self._raise_errors()
    def _format_error(self, key, value, constraint):
        return 'Value "{value}" at "{key}" failed to satisfy constraint: {constraint}'.format(
            constraint=constraint, key=key, value=value,
        )
    def _raise_errors(self):
        if self._errors:
            count = len(self._errors)
            plural = "s" if len(self._errors) > 1 else ""
            errors = "; ".join(self._errors)
            self._errors = []  # reset collected errors
            raise ValidationError(
                "{count} validation error{plural} detected: {errors}".format(
                    count=count, plural=plural, errors=errors,
                )
            )
 class IAMBackend(BaseBackend):
    def __init__(self):
        self.instance_profiles = {}
@ -666,6 +750,7 @@ class IAMBackend(BaseBackend):
        self.open_id_providers = {}
        self.policy_arn_regex = re.compile(r"^arn:aws:iam::[0-9]*:policy/.*$")
        self.virtual_mfa_devices = {}
        self.account_password_policy = None
        super(IAMBackend, self).__init__()
    def _init_managed_policies(self):
@ -1590,5 +1675,47 @@ class IAMBackend(BaseBackend):
    def list_open_id_connect_providers(self):
        return list(self.open_id_providers.keys())
    def update_account_password_policy(
        self,
        allow_change_password,
        hard_expiry,
        max_password_age,
        minimum_password_length,
        password_reuse_prevention,
        require_lowercase_characters,
        require_numbers,
        require_symbols,
        require_uppercase_characters,
    ):
        self.account_password_policy = AccountPasswordPolicy(
            allow_change_password,
            hard_expiry,
            max_password_age,
            minimum_password_length,
            password_reuse_prevention,
            require_lowercase_characters,
            require_numbers,
            require_symbols,
            require_uppercase_characters,
        )
    def get_account_password_policy(self):
        if not self.account_password_policy:
            raise NoSuchEntity(
                "The Password Policy with domain name {} cannot be found.".format(
                    ACCOUNT_ID
                )
            )
        return self.account_password_policy
    def delete_account_password_policy(self):
        if not self.account_password_policy:
            raise NoSuchEntity(
                "The account policy with name PasswordPolicy cannot be found."
            )
        self.account_password_policy = None
 iam_backend = IAMBackend()
--- a/moto/iam/responses.py
+++ b/moto/iam/responses.py
@ -838,6 +838,50 @@ class IamResponse(BaseResponse):
        template = self.response_template(LIST_OPEN_ID_CONNECT_PROVIDERS_TEMPLATE)
        return template.render(open_id_provider_arns=open_id_provider_arns)
    def update_account_password_policy(self):
        allow_change_password = self._get_bool_param(
            "AllowUsersToChangePassword", False
        )
        hard_expiry = self._get_bool_param("HardExpiry")
        max_password_age = self._get_int_param("MaxPasswordAge")
        minimum_password_length = self._get_int_param("MinimumPasswordLength", 6)
        password_reuse_prevention = self._get_int_param("PasswordReusePrevention")
        require_lowercase_characters = self._get_bool_param(
            "RequireLowercaseCharacters", False
        )
        require_numbers = self._get_bool_param("RequireNumbers", False)
        require_symbols = self._get_bool_param("RequireSymbols", False)
        require_uppercase_characters = self._get_bool_param(
            "RequireUppercaseCharacters", False
        )
        iam_backend.update_account_password_policy(
            allow_change_password,
            hard_expiry,
            max_password_age,
            minimum_password_length,
            password_reuse_prevention,
            require_lowercase_characters,
            require_numbers,
            require_symbols,
            require_uppercase_characters,
        )
        template = self.response_template(UPDATE_ACCOUNT_PASSWORD_POLICY_TEMPLATE)
        return template.render()
    def get_account_password_policy(self):
        account_password_policy = iam_backend.get_account_password_policy()
        template = self.response_template(GET_ACCOUNT_PASSWORD_POLICY_TEMPLATE)
        return template.render(password_policy=account_password_policy)
    def delete_account_password_policy(self):
        iam_backend.delete_account_password_policy()
        template = self.response_template(DELETE_ACCOUNT_PASSWORD_POLICY_TEMPLATE)
        return template.render()
 LIST_ENTITIES_FOR_POLICY_TEMPLATE = """<ListEntitiesForPolicyResponse>
 <ListEntitiesForPolicyResult>
@ -2170,3 +2214,44 @@ LIST_OPEN_ID_CONNECT_PROVIDERS_TEMPLATE = """<ListOpenIDConnectProvidersResponse
    <RequestId>de2c0228-4f63-11e4-aefa-bfd6aEXAMPLE</RequestId>
  </ResponseMetadata>
 </ListOpenIDConnectProvidersResponse>"""
 UPDATE_ACCOUNT_PASSWORD_POLICY_TEMPLATE = """<UpdateAccountPasswordPolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
 <ResponseMetadata>
    <RequestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</RequestId>
 </ResponseMetadata>
 </UpdateAccountPasswordPolicyResponse>"""
 GET_ACCOUNT_PASSWORD_POLICY_TEMPLATE = """<GetAccountPasswordPolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <GetAccountPasswordPolicyResult>
    <PasswordPolicy>
      <AllowUsersToChangePassword>{{ password_policy.allow_users_to_change_password | lower }}</AllowUsersToChangePassword>
      <ExpirePasswords>{{ password_policy.expire_passwords | lower }}</ExpirePasswords>
      {% if password_policy.hard_expiry %}
      <HardExpiry>{{ password_policy.hard_expiry | lower }}</HardExpiry>
      {% endif %}
      {% if password_policy.max_password_age %}
      <MaxPasswordAge>{{ password_policy.max_password_age }}</MaxPasswordAge>
      {% endif %}
      <MinimumPasswordLength>{{ password_policy.minimum_password_length }}</MinimumPasswordLength>
      {% if password_policy.password_reuse_prevention %}
      <PasswordReusePrevention>{{ password_policy.password_reuse_prevention }}</PasswordReusePrevention>
      {% endif %}
      <RequireLowercaseCharacters>{{ password_policy.require_lowercase_characters | lower }}</RequireLowercaseCharacters>
      <RequireNumbers>{{ password_policy.require_numbers | lower }}</RequireNumbers>
      <RequireSymbols>{{ password_policy.require_symbols | lower }}</RequireSymbols>
      <RequireUppercaseCharacters>{{ password_policy.require_uppercase_characters | lower }}</RequireUppercaseCharacters>
    </PasswordPolicy>
  </GetAccountPasswordPolicyResult>
  <ResponseMetadata>
    <RequestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</RequestId>
  </ResponseMetadata>
 </GetAccountPasswordPolicyResponse>"""
 DELETE_ACCOUNT_PASSWORD_POLICY_TEMPLATE = """<DeleteAccountPasswordPolicyResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <ResponseMetadata>
    <RequestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</RequestId>
  </ResponseMetadata>
 </DeleteAccountPasswordPolicyResponse>"""
--- a/tests/test_iam/test_iam.py
+++ b/tests/test_iam/test_iam.py
@ -2195,3 +2195,110 @@ def test_list_open_id_connect_providers():
    sorted(response["OpenIDConnectProviderList"], key=lambda i: i["Arn"]).should.equal(
        [{"Arn": open_id_arn_1}, {"Arn": open_id_arn_2}, {"Arn": open_id_arn_3}]
    )
@mock_iam
 def test_update_account_password_policy():
    client = boto3.client("iam", region_name="us-east-1")
    client.update_account_password_policy()
    response = client.get_account_password_policy()
    response["PasswordPolicy"].should.equal(
        {
            "AllowUsersToChangePassword": False,
            "ExpirePasswords": False,
            "MinimumPasswordLength": 6,
            "RequireLowercaseCharacters": False,
            "RequireNumbers": False,
            "RequireSymbols": False,
            "RequireUppercaseCharacters": False,
        }
    )
@mock_iam
 def test_update_account_password_policy_errors():
    client = boto3.client("iam", region_name="us-east-1")
    client.update_account_password_policy.when.called_with(
        MaxPasswordAge=1096, MinimumPasswordLength=129, PasswordReusePrevention=25
    ).should.throw(
        ClientError,
        "3 validation errors detected: "
        'Value "129" at "minimumPasswordLength" failed to satisfy constraint: '
        "Member must have value less than or equal to 128; "
        'Value "25" at "passwordReusePrevention" failed to satisfy constraint: '
        "Member must have value less than or equal to 24; "
        'Value "1096" at "maxPasswordAge" failed to satisfy constraint: '
        "Member must have value less than or equal to 1095",
    )
@mock_iam
 def test_get_account_password_policy():
    client = boto3.client("iam", region_name="us-east-1")
    client.update_account_password_policy(
        AllowUsersToChangePassword=True,
        HardExpiry=True,
        MaxPasswordAge=60,
        MinimumPasswordLength=10,
        PasswordReusePrevention=3,
        RequireLowercaseCharacters=True,
        RequireNumbers=True,
        RequireSymbols=True,
        RequireUppercaseCharacters=True,
    )
    response = client.get_account_password_policy()
    response["PasswordPolicy"].should.equal(
        {
            "AllowUsersToChangePassword": True,
            "ExpirePasswords": True,
            "HardExpiry": True,
            "MaxPasswordAge": 60,
            "MinimumPasswordLength": 10,
            "PasswordReusePrevention": 3,
            "RequireLowercaseCharacters": True,
            "RequireNumbers": True,
            "RequireSymbols": True,
            "RequireUppercaseCharacters": True,
        }
    )
@mock_iam
 def test_get_account_password_policy_errors():
    client = boto3.client("iam", region_name="us-east-1")
    client.get_account_password_policy.when.called_with().should.throw(
        ClientError,
        "The Password Policy with domain name 123456789012 cannot be found.",
    )
@mock_iam
 def test_delete_account_password_policy():
    client = boto3.client("iam", region_name="us-east-1")
    client.update_account_password_policy()
    response = client.get_account_password_policy()
    response.should.have.key("PasswordPolicy").which.should.be.a(dict)
    client.delete_account_password_policy()
    client.get_account_password_policy.when.called_with().should.throw(
        ClientError,
        "The Password Policy with domain name 123456789012 cannot be found.",
    )
@mock_iam
 def test_delete_account_password_policy_errors():
    client = boto3.client("iam", region_name="us-east-1")
    client.delete_account_password_policy.when.called_with().should.throw(
        ClientError, "The account policy with name PasswordPolicy cannot be found."
    )