Codebuild - create_project(): Loosen serviceRole validation (#6401)

2023-06-14 09:31:55 +00:00 · 2023-06-14 09:31:55 +00:00 · d7828fdb1d
commit d7828fdb1d
parent 62bbee56b2
2 changed files with 25 additions and 61 deletions
--- a/moto/codebuild/responses.py
+++ b/moto/codebuild/responses.py
@ -30,14 +30,13 @@ def _validate_required_params_source(source: Dict[str, Any]) -> None:
 def _validate_required_params_service_role(account_id: str, service_role: str) -> None:
-    if f"arn:aws:iam::{account_id}:role/service-role/" not in service_role:
+    if not service_role.startswith(f"arn:aws:iam::{account_id}:role/"):
        raise InvalidInputException(
            "Invalid service role: Service role account ID does not match caller's account"
        )
 def _validate_required_params_artifacts(artifacts: Dict[str, Any]) -> None:
    if artifacts["type"] not in ["CODEPIPELINE", "S3", "NO_ARTIFACTS"]:
        raise InvalidInputException("Invalid type provided: Artifact type")
@ -51,7 +50,6 @@ def _validate_required_params_artifacts(artifacts: Dict[str, Any]) -> None:
 def _validate_required_params_environment(environment: Dict[str, Any]) -> None:
    if environment["type"] not in [
        "WINDOWS_CONTAINER",
        "LINUX_CONTAINER",
@ -116,9 +114,8 @@ class CodeBuildResponse(BaseResponse):
    def create_project(self) -> str:
        _validate_required_params_source(self._get_param("source"))
-        _validate_required_params_service_role(
+        service_role = self._get_param("serviceRole")
-            self.current_account, self._get_param("serviceRole")
+        _validate_required_params_service_role(self.current_account, service_role)
        )
        _validate_required_params_artifacts(self._get_param("artifacts"))
        _validate_required_params_environment(self._get_param("environment"))
        _validate_required_params_project_name(self._get_param("name"))
@ -134,7 +131,7 @@ class CodeBuildResponse(BaseResponse):
            self._get_param("source"),
            self._get_param("artifacts"),
            self._get_param("environment"),
-            self._get_param("serviceRole"),
+            service_role=service_role,
        )
        return json.dumps({"project": project_metadata})
--- a/tests/test_codebuild/test_codebuild.py
+++ b/tests/test_codebuild/test_codebuild.py
@ -107,64 +107,34 @@ def test_codebuild_create_project_no_artifacts():
@mock_codebuild
-def test_codebuild_create_project_with_invalid_name():
+def test_codebuild_create_project_with_invalid_inputs():
    client = boto3.client("codebuild", region_name="eu-central-1")
-    name = "!some_project"
+    _input = {
-    source = dict()
+        "source": {"type": "S3", "location": "bucketname/path/file.zip"},
-    source["type"] = "S3"
+        "artifacts": {"type": "NO_ARTIFACTS"},
-    # repository location for S3
+        "environment": {
-    source["location"] = "bucketname/path/file.zip"
+            "type": "LINUX_CONTAINER",
-    # output artifacts
+            "image": "contents_not_validated",
-    artifacts = {"type": "NO_ARTIFACTS"}
+            "computeType": "BUILD_GENERAL1_SMALL",
-
+        },
-    environment = dict()
+        "serviceRole": f"arn:aws:iam::{ACCOUNT_ID}:role/service-role/my-role",
-    environment["type"] = "LINUX_CONTAINER"
+    }
    environment["image"] = "contents_not_validated"
    environment["computeType"] = "BUILD_GENERAL1_SMALL"
    service_role = (
        f"arn:aws:iam::{ACCOUNT_ID}:role/service-role/my-codebuild-service-role"
    )
    # Name too long
    with pytest.raises(client.exceptions.from_code("InvalidInputException")) as err:
-        client.create_project(
+        client.create_project(name=("some_project_" * 12), **_input)
            name=name,
            source=source,
            artifacts=artifacts,
            environment=environment,
            serviceRole=service_role,
        )
    err.value.response["Error"]["Code"].should.equal("InvalidInputException")
-
+    # Name invalid
@mock_codebuild
 def test_codebuild_create_project_with_invalid_name_length():
    client = boto3.client("codebuild", region_name="eu-central-1")
    name = "some_project_" * 12
    source = dict()
    source["type"] = "S3"
    # repository location for S3
    source["location"] = "bucketname/path/file.zip"
    # output artifacts
    artifacts = {"type": "NO_ARTIFACTS"}
    environment = dict()
    environment["type"] = "LINUX_CONTAINER"
    environment["image"] = "contents_not_validated"
    environment["computeType"] = "BUILD_GENERAL1_SMALL"
    service_role = (
        f"arn:aws:iam::{ACCOUNT_ID}:role/service-role/my-codebuild-service-role"
    )
    with pytest.raises(client.exceptions.from_code("InvalidInputException")) as err:
-        client.create_project(
+        client.create_project(name="!some_project_", **_input)
-            name=name,
+    err.value.response["Error"]["Code"].should.equal("InvalidInputException")
-            source=source,
+
-            artifacts=artifacts,
+    # ServiceRole invalid
-            environment=environment,
+    _input["serviceRole"] = "arn:aws:iam::0000:role/service-role/my-role"
-            serviceRole=service_role,
+    with pytest.raises(client.exceptions.from_code("InvalidInputException")) as err:
-        )
+        client.create_project(name="valid_name", **_input)
    err.value.response["Error"]["Code"].should.equal("InvalidInputException")
@ -349,7 +319,6 @@ def test_codebuild_get_batch_builds_for_project_no_history():
@mock_codebuild
 def test_codebuild_start_build_no_project():
    client = boto3.client("codebuild", region_name="eu-central-1")
    name = "some_project"
@ -361,7 +330,6 @@ def test_codebuild_start_build_no_project():
@mock_codebuild
 def test_codebuild_start_build_no_overrides():
    client = boto3.client("codebuild", region_name="eu-central-1")
    name = "some_project"
@ -428,7 +396,6 @@ def test_codebuild_start_build_multiple_times():
@mock_codebuild
 def test_codebuild_start_build_with_overrides():
    client = boto3.client("codebuild", region_name="eu-central-1")
    name = "some_project"