Add iam.create_open_id_connect_provider

This commit is contained in:
gruebel 2019-10-18 17:29:15 +02:00
parent 4dd347e1fe
commit bd627b65f7
5 changed files with 260 additions and 4 deletions

View File

@ -3163,7 +3163,7 @@
- [ ] describe_events
## iam
55% implemented
56% implemented
- [ ] add_client_id_to_open_id_connect_provider
- [X] add_role_to_instance_profile
- [X] add_user_to_group
@ -3176,7 +3176,7 @@
- [X] create_group
- [X] create_instance_profile
- [X] create_login_profile
- [ ] create_open_id_connect_provider
- [X] create_open_id_connect_provider
- [X] create_policy
- [X] create_policy_version
- [X] create_role

View File

@ -93,3 +93,27 @@ class TooManyTags(RESTError):
super(TooManyTags, self).__init__(
'ValidationError', "1 validation error detected: Value '{}' at '{}' failed to satisfy "
"constraint: Member must have length less than or equal to 50.".format(tags, param))
class EntityAlreadyExists(RESTError):
code = 409
def __init__(self):
super(EntityAlreadyExists, self).__init__(
'EntityAlreadyExists', "Unknown")
class ValidationError(RESTError):
code = 400
def __init__(self, message):
super(ValidationError, self).__init__(
'ValidationError', message)
class InvalidInput(RESTError):
code = 400
def __init__(self, message):
super(InvalidInput, self).__init__(
'InvalidInput', message)

View File

@ -7,6 +7,7 @@ import re
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from six.moves.urllib.parse import urlparse
from moto.core.exceptions import RESTError
from moto.core import BaseBackend, BaseModel
@ -14,8 +15,9 @@ from moto.core.utils import iso_8601_datetime_without_milliseconds, iso_8601_dat
from moto.iam.policy_validation import IAMPolicyDocumentValidator
from .aws_managed_policies import aws_managed_policies_data
from .exceptions import IAMNotFoundException, IAMConflictException, IAMReportNotPresentException, IAMLimitExceededException, \
MalformedCertificate, DuplicateTags, TagKeyTooBig, InvalidTagCharacters, TooManyTags, TagValueTooBig
from .exceptions import (IAMNotFoundException, IAMConflictException, IAMReportNotPresentException, IAMLimitExceededException,
MalformedCertificate, DuplicateTags, TagKeyTooBig, InvalidTagCharacters, TooManyTags, TagValueTooBig,
EntityAlreadyExists, ValidationError, InvalidInput)
from .utils import random_access_key, random_alphanumeric, random_resource_id, random_policy_id
ACCOUNT_ID = 123456789012
@ -93,6 +95,77 @@ class SAMLProvider(BaseModel):
return "arn:aws:iam::{0}:saml-provider/{1}".format(ACCOUNT_ID, self.name)
class OpenIDConnectProvider(BaseModel):
def __init__(self, url, thumbprint_list, client_id_list=None):
self._errors = []
self._validate(url, thumbprint_list, client_id_list)
parsed_url = urlparse(url)
self.url = parsed_url.netloc + parsed_url.path
self.thumbprint_list = thumbprint_list
self.client_id_list = client_id_list
@property
def arn(self):
return 'arn:aws:iam::{0}:oidc-provider/{1}'.format(ACCOUNT_ID, self.url)
def _validate(self, url, thumbprint_list, client_id_list):
if any(len(client_id) > 255 for client_id in client_id_list):
self._errors.append(self._format_error(
key='clientIDList',
value=client_id_list,
constraint='Member must satisfy constraint: '
'[Member must have length less than or equal to 255, '
'Member must have length greater than or equal to 1]',
))
if any(len(thumbprint) > 40 for thumbprint in thumbprint_list):
self._errors.append(self._format_error(
key='thumbprintList',
value=thumbprint_list,
constraint='Member must satisfy constraint: '
'[Member must have length less than or equal to 40, '
'Member must have length greater than or equal to 40]',
))
if len(url) > 255:
self._errors.append(self._format_error(
key='url',
value=url,
constraint='Member must have length less than or equal to 255',
))
self._raise_errors()
parsed_url = urlparse(url)
if not parsed_url.scheme or not parsed_url.netloc:
raise ValidationError('Invalid Open ID Connect Provider URL')
if len(thumbprint_list) > 5:
raise InvalidInput('Thumbprint list must contain fewer than 5 entries.')
if len(client_id_list) > 100:
raise IAMLimitExceededException('Cannot exceed quota for ClientIdsPerOpenIdConnectProvider: 100')
def _format_error(self, key, value, constraint):
return 'Value "{value}" at "{key}" failed to satisfy constraint: {constraint}'.format(
constraint=constraint,
key=key,
value=value,
)
def _raise_errors(self):
if self._errors:
count = len(self._errors)
plural = "s" if len(self._errors) > 1 else ""
errors = "; ".join(self._errors)
self._errors = [] # reset collected errors
raise ValidationError('{count} validation error{plural} detected: {errors}'.format(
count=count, plural=plural, errors=errors,
))
class PolicyVersion(object):
def __init__(self,
@ -515,6 +588,7 @@ class IAMBackend(BaseBackend):
self.managed_policies = self._init_managed_policies()
self.account_aliases = []
self.saml_providers = {}
self.open_id_providers = {}
self.policy_arn_regex = re.compile(
r'^arn:aws:iam::[0-9]*:policy/.*$')
super(IAMBackend, self).__init__()
@ -1264,5 +1338,14 @@ class IAMBackend(BaseBackend):
return user
return None
def create_open_id_connect_provider(self, url, thumbprint_list, client_id_list):
open_id_provider = OpenIDConnectProvider(url, thumbprint_list, client_id_list)
if open_id_provider.arn in self.open_id_providers:
raise EntityAlreadyExists
self.open_id_providers[open_id_provider.arn] = open_id_provider
return open_id_provider
iam_backend = IAMBackend()

View File

@ -755,6 +755,15 @@ class IamResponse(BaseResponse):
template = self.response_template(UNTAG_ROLE_TEMPLATE)
return template.render()
def create_open_id_connect_provider(self):
open_id_provider_url = self._get_param('Url')
thumbprint_list = self._get_multi_param('ThumbprintList.member')
client_id_list = self._get_multi_param('ClientIDList.member')
open_id_provider = iam_backend.create_open_id_connect_provider(open_id_provider_url, thumbprint_list, client_id_list)
template = self.response_template(CREATE_OPEN_ID_CONNECT_PROVIDER_TEMPLATE)
return template.render(open_id_provider=open_id_provider)
LIST_ENTITIES_FOR_POLICY_TEMPLATE = """<ListEntitiesForPolicyResponse>
<ListEntitiesForPolicyResult>
@ -1974,3 +1983,13 @@ UNTAG_ROLE_TEMPLATE = """<UntagRoleResponse xmlns="https://iam.amazonaws.com/doc
<RequestId>EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE</RequestId>
</ResponseMetadata>
</UntagRoleResponse>"""
CREATE_OPEN_ID_CONNECT_PROVIDER_TEMPLATE = """<CreateOpenIDConnectProviderResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<CreateOpenIDConnectProviderResult>
<OpenIDConnectProviderArn>{{ open_id_provider.arn }}</OpenIDConnectProviderArn>
</CreateOpenIDConnectProviderResult>
<ResponseMetadata>
<RequestId>f248366a-4f64-11e4-aefa-bfd6aEXAMPLE</RequestId>
</ResponseMetadata>
</CreateOpenIDConnectProviderResponse>"""

View File

@ -1565,3 +1565,133 @@ def test_create_role_with_permissions_boundary():
# Ensure the PermissionsBoundary is included in role listing as well
conn.list_roles().get('Roles')[0].get('PermissionsBoundary').should.equal(expected)
@mock_iam
def test_create_open_id_connect_provider():
client = boto3.client('iam', region_name='us-east-1')
response = client.create_open_id_connect_provider(
Url='https://example.com',
ThumbprintList=[] # even it is required to provide at least one thumbprint, AWS accepts an empty list
)
response['OpenIDConnectProviderArn'].should.equal(
'arn:aws:iam::123456789012:oidc-provider/example.com'
)
response = client.create_open_id_connect_provider(
Url='http://example.org',
ThumbprintList=[
'b' * 40
],
ClientIDList=[
'b'
]
)
response['OpenIDConnectProviderArn'].should.equal(
'arn:aws:iam::123456789012:oidc-provider/example.org'
)
response = client.create_open_id_connect_provider(
Url='http://example.org/oidc',
ThumbprintList=[]
)
response['OpenIDConnectProviderArn'].should.equal(
'arn:aws:iam::123456789012:oidc-provider/example.org/oidc'
)
response = client.create_open_id_connect_provider(
Url='http://example.org/oidc-query?test=true',
ThumbprintList=[]
)
response['OpenIDConnectProviderArn'].should.equal(
'arn:aws:iam::123456789012:oidc-provider/example.org/oidc-query'
)
@mock_iam
def test_create_open_id_connect_provider_errors():
client = boto3.client('iam', region_name='us-east-1')
response = client.create_open_id_connect_provider(
Url='https://example.com',
ThumbprintList=[]
)
open_id_arn = response['OpenIDConnectProviderArn']
client.create_open_id_connect_provider.when.called_with(
Url='https://example.com',
ThumbprintList=[]
).should.throw(
ClientError,
'Unknown'
)
client.create_open_id_connect_provider.when.called_with(
Url='example.org',
ThumbprintList=[]
).should.throw(
ClientError,
'Invalid Open ID Connect Provider URL'
)
client.create_open_id_connect_provider.when.called_with(
Url='example',
ThumbprintList=[]
).should.throw(
ClientError,
'Invalid Open ID Connect Provider URL'
)
client.create_open_id_connect_provider.when.called_with(
Url='http://example.org',
ThumbprintList=[
'a' * 40,
'b' * 40,
'c' * 40,
'd' * 40,
'e' * 40,
'f' * 40,
]
).should.throw(
ClientError,
'Thumbprint list must contain fewer than 5 entries.'
)
too_many_client_ids = ['{}'.format(i) for i in range(101)]
client.create_open_id_connect_provider.when.called_with(
Url='http://example.org',
ThumbprintList=[],
ClientIDList=too_many_client_ids
).should.throw(
ClientError,
'Cannot exceed quota for ClientIdsPerOpenIdConnectProvider: 100'
)
too_long_url = 'b' * 256
too_long_thumbprint = 'b' * 41
too_long_client_id = 'b' * 256
client.create_open_id_connect_provider.when.called_with(
Url=too_long_url,
ThumbprintList=[
too_long_thumbprint
],
ClientIDList=[
too_long_client_id
]
).should.throw(
ClientError,
'3 validation errors detected: '
'Value "{0}" at "clientIDList" failed to satisfy constraint: '
'Member must satisfy constraint: '
'[Member must have length less than or equal to 255, '
'Member must have length greater than or equal to 1]; '
'Value "{1}" at "thumbprintList" failed to satisfy constraint: '
'Member must satisfy constraint: '
'[Member must have length less than or equal to 40, '
'Member must have length greater than or equal to 40]; '
'Value "{2}" at "url" failed to satisfy constraint: '
'Member must have length less than or equal to 255'.format([too_long_client_id], [too_long_thumbprint], too_long_url)
)