ACMPCA: Adding validation and unittests for revocation configuration (#7503)

Akira Noda 2024-03-23 05:33:34 +09:00 committed by GitHub
parent 33d3745263
commit c8db699f3c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 75 additions and 8 deletions


@ -6,3 +6,13 @@ from moto.core.exceptions import JsonRESTError
class ResourceNotFoundException(JsonRESTError):
def __init__(self, arn: str):
super().__init__("ResourceNotFoundException", f"Resource {arn} not found")
class InvalidS3ObjectAclInCrlConfiguration(JsonRESTError):
code = 400
def __init__(self, value: str):
super().__init__(
"InvalidS3ObjectAclInCrlConfiguration",
f"Invalid value for parameter RevocationConfiguration.CrlConfiguration.S3ObjectAcl, value: {value}, valid values: ['PUBLIC_READ', 'BUCKET_OWNER_FULL_CONTROL']",
)
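Review bot: The new exception class carries no docstring, while its message string hardcodes the accepted ACL list that the validation in models.py and the test also spell out independently, so the three copies can drift apart silently. I would add `"""Raised when RevocationConfiguration.CrlConfiguration.S3ObjectAcl is not one of the accepted ACL values."""` under the class line and hoist the list into a module-level constant such as `VALID_S3_OBJECT_ACLS = ("PUBLIC_READ", "BUCKET_OWNER_FULL_CONTROL")`, formatting it into the message instead of the literal text, so the check in models.py can import the same tuple. The explicit `code = 400` looks redundant given that the sibling `ResourceNotFoundException` relies on the base class default, but the base class is not visible here, so confirm before dropping it.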


@ -16,7 +16,7 @@ from moto.core.utils import unix_time, utcnow
from moto.moto_api._internal import mock_random
from moto.utilities.tagging_service import TaggingService
from .exceptions import ResourceNotFoundException
from .exceptions import InvalidS3ObjectAclInCrlConfiguration, ResourceNotFoundException
class CertificateAuthority(BaseModel):
@ -132,13 +132,16 @@ class CertificateAuthority(BaseModel):
if revocation_configuration is not None:
self.revocation_configuration = revocation_configuration
if "CrlConfiguration" in self.revocation_configuration:
if (
"S3ObjectAcl"
not in self.revocation_configuration["CrlConfiguration"]
):
self.revocation_configuration["CrlConfiguration"]["S3ObjectAcl"] = (
"PUBLIC_READ"
)
acl = self.revocation_configuration["CrlConfiguration"].get(
"S3ObjectAcl", None
)
if acl is None:
self.revocation_configuration["CrlConfiguration"][
"S3ObjectAcl"
] = "PUBLIC_READ"
else:
if acl not in ["PUBLIC_READ", "BUCKET_OWNER_FULL_CONTROL"]:
raise InvalidS3ObjectAclInCrlConfiguration(acl)
@property
def certificate_bytes(self) -> bytes:
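Review bot: In the second hunk the invalid ACL is rejected only after `self.revocation_configuration = revocation_configuration` has already run, so a rejected update still replaces the CA's previously stored revocation configuration with the invalid one (and the raise happens after the method has partly mutated state). Validation should complete before anything is assigned to `self`; the rewrite below reads and checks the CRL block from the incoming dict first and stores it only on the success path. While restructuring, the `else:` wrapping a lone `if` (lines before the raise) reads better as `elif acl not in [...]:`. The enclosing method starts outside the hunk, so the surrounding `if revocation_configuration is not None:` context may need adjusting to match.
```python
if revocation_configuration is not None:
    # Validate before touching self.* so a rejected update leaves the
    # previously stored configuration untouched.
    if "CrlConfiguration" in revocation_configuration:
        crl_configuration = revocation_configuration["CrlConfiguration"]
        acl = crl_configuration.get("S3ObjectAcl", None)
        if acl is None:
            crl_configuration["S3ObjectAcl"] = "PUBLIC_READ"
        elif acl not in ["PUBLIC_READ", "BUCKET_OWNER_FULL_CONTROL"]:
            raise InvalidS3ObjectAclInCrlConfiguration(acl)
    self.revocation_configuration = revocation_configuration
```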


@ -200,6 +200,60 @@ def test_update_certificate_authority():
assert ca["Status"] == "DISABLED"
assert "LastStateChangeAt" in ca
# test when `RevocationConfiguration` passed to request parameters
client.update_certificate_authority(
CertificateAuthorityArn=ca_arn,
RevocationConfiguration={
"CrlConfiguration": {
"Enabled": True,
}
},
)
ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[
"CertificateAuthority"
]
revocation_crl_conf = ca["RevocationConfiguration"]["CrlConfiguration"]
assert revocation_crl_conf["Enabled"]
assert (
revocation_crl_conf["S3ObjectAcl"] == "PUBLIC_READ"
) # check if default value is applied.
client.update_certificate_authority(
CertificateAuthorityArn=ca_arn,
RevocationConfiguration={
"CrlConfiguration": {
"Enabled": True,
"S3ObjectAcl": "BUCKET_OWNER_FULL_CONTROL",
}
},
)
ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[
"CertificateAuthority"
]
revocation_crl_conf = ca["RevocationConfiguration"]["CrlConfiguration"]
assert (
revocation_crl_conf["S3ObjectAcl"] == "BUCKET_OWNER_FULL_CONTROL"
) # check if the passed parameter is applied.
# test when invald value passed for RevocationConfiguration.CrlConfiguration.S3ObjectAcl
invalid_s3object_acl = "INVALID_VALUE"
with pytest.raises(ClientError) as exc:
client.update_certificate_authority(
CertificateAuthorityArn=ca_arn,
RevocationConfiguration={
"CrlConfiguration": {
"Enabled": True,
"S3ObjectAcl": invalid_s3object_acl,
}
},
)
err = exc.value.response["Error"]
assert err["Code"] == "InvalidS3ObjectAclInCrlConfiguration"
assert (
err["Message"]
== f"Invalid value for parameter RevocationConfiguration.CrlConfiguration.S3ObjectAcl, value: {invalid_s3object_acl}, valid values: ['PUBLIC_READ', 'BUCKET_OWNER_FULL_CONTROL']"
)
@mock_aws
def test_delete_certificate_authority():
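Review bot: After the `pytest.raises(ClientError)` block the test never re-reads the CA, so it does not verify that the rejected update left the earlier `BUCKET_OWNER_FULL_CONTROL` setting in place; following the `err["Message"]` assertion I would add `ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)["CertificateAuthority"]` and `assert ca["RevocationConfiguration"]["CrlConfiguration"]["S3ObjectAcl"] == "BUCKET_OWNER_FULL_CONTROL"`, which would catch a model that assigns before validating. The comment above the invalid-value case has a typo, `invald` for `invalid`. The new assertions also only exercise a `RevocationConfiguration` that contains `CrlConfiguration`; a configuration without that key presumably takes the untouched branch in the model, which this test does not cover. The enclosing `test_update_certificate_authority` starts outside the hunk.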