Yasuke/moto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ACMPCA: Adding validation and unittests for revocation configuration (#7503)

Browse Source
This commit is contained in:
Akira Noda 2024-03-23 05:33:34 +09:00 committed by GitHub
parent 33d3745263
commit c8db699f3c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 75 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
moto/acmpca/exceptions.py
View File

@ -6,3 +6,13 @@ from moto.core.exceptions import JsonRESTError
class ResourceNotFoundException(JsonRESTError): class ResourceNotFoundException(JsonRESTError):
def __init__(self, arn: str): def __init__(self, arn: str):
super().__init__("ResourceNotFoundException", f"Resource {arn} not found") super().__init__("ResourceNotFoundException", f"Resource {arn} not found")
class InvalidS3ObjectAclInCrlConfiguration(JsonRESTError):
code = 400
def __init__(self, value: str):
super().__init__(
"InvalidS3ObjectAclInCrlConfiguration",
f"Invalid value for parameter RevocationConfiguration.CrlConfiguration.S3ObjectAcl, value: {value}, valid values: ['PUBLIC_READ', 'BUCKET_OWNER_FULL_CONTROL']",
)

19
moto/acmpca/models.py
View File

@ -16,7 +16,7 @@ from moto.core.utils import unix_time, utcnow
from moto.moto_api._internal import mock_random from moto.moto_api._internal import mock_random
from moto.utilities.tagging_service import TaggingService from moto.utilities.tagging_service import TaggingService
from .exceptions import ResourceNotFoundException from .exceptions import InvalidS3ObjectAclInCrlConfiguration, ResourceNotFoundException
class CertificateAuthority(BaseModel): class CertificateAuthority(BaseModel):
@ -132,13 +132,16 @@ class CertificateAuthority(BaseModel):
if revocation_configuration is not None: if revocation_configuration is not None:
self.revocation_configuration = revocation_configuration self.revocation_configuration = revocation_configuration
if "CrlConfiguration" in self.revocation_configuration: if "CrlConfiguration" in self.revocation_configuration:
if ( acl = self.revocation_configuration["CrlConfiguration"].get(
"S3ObjectAcl" "S3ObjectAcl", None
not in self.revocation_configuration["CrlConfiguration"] )
): if acl is None:
self.revocation_configuration["CrlConfiguration"]["S3ObjectAcl"] = ( self.revocation_configuration["CrlConfiguration"][
"PUBLIC_READ" "S3ObjectAcl"
) ] = "PUBLIC_READ"
else:
if acl not in ["PUBLIC_READ", "BUCKET_OWNER_FULL_CONTROL"]:
raise InvalidS3ObjectAclInCrlConfiguration(acl)
@property @property
def certificate_bytes(self) -> bytes: def certificate_bytes(self) -> bytes:

54
tests/test_acmpca/test_acmpca.py
View File

@ -200,6 +200,60 @@ def test_update_certificate_authority():
assert ca["Status"] == "DISABLED" assert ca["Status"] == "DISABLED"
assert "LastStateChangeAt" in ca assert "LastStateChangeAt" in ca
# test when `RevocationConfiguration` passed to request parameters
client.update_certificate_authority(
CertificateAuthorityArn=ca_arn,
RevocationConfiguration={
"CrlConfiguration": {
"Enabled": True,
}
},
)
ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[
"CertificateAuthority"
]
revocation_crl_conf = ca["RevocationConfiguration"]["CrlConfiguration"]
assert revocation_crl_conf["Enabled"]
assert (
revocation_crl_conf["S3ObjectAcl"] == "PUBLIC_READ"
) # check if default value is applied.
client.update_certificate_authority(
CertificateAuthorityArn=ca_arn,
RevocationConfiguration={
"CrlConfiguration": {
"Enabled": True,
"S3ObjectAcl": "BUCKET_OWNER_FULL_CONTROL",
}
},
)
ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[
"CertificateAuthority"
]
revocation_crl_conf = ca["RevocationConfiguration"]["CrlConfiguration"]
assert (
revocation_crl_conf["S3ObjectAcl"] == "BUCKET_OWNER_FULL_CONTROL"
) # check if the passed parameter is applied.
# test when invald value passed for RevocationConfiguration.CrlConfiguration.S3ObjectAcl
invalid_s3object_acl = "INVALID_VALUE"
with pytest.raises(ClientError) as exc:
client.update_certificate_authority(
CertificateAuthorityArn=ca_arn,
RevocationConfiguration={
"CrlConfiguration": {
"Enabled": True,
"S3ObjectAcl": invalid_s3object_acl,
}
},
)
err = exc.value.response["Error"]
assert err["Code"] == "InvalidS3ObjectAclInCrlConfiguration"
assert (
err["Message"]
== f"Invalid value for parameter RevocationConfiguration.CrlConfiguration.S3ObjectAcl, value: {invalid_s3object_acl}, valid values: ['PUBLIC_READ', 'BUCKET_OWNER_FULL_CONTROL']"
)
@mock_aws @mock_aws
def test_delete_certificate_authority(): def test_delete_certificate_authority():