Fixing list entities for policy

2019-02-18 21:20:29 -06:00 · 2019-02-18 21:20:29 -06:00 · e9d8021c86
commit e9d8021c86
parent 37845e41a6
3 changed files with 158 additions and 21 deletions
--- a/moto/iam/models.py
+++ b/moto/iam/models.py
@ -892,6 +892,16 @@ class IAMBackend(BaseBackend):
        return users
    def list_roles(self, path_prefix, marker, max_items):
        roles = None
        try:
            roles = self.roles.values()
        except KeyError:
            raise IAMNotFoundException(
                "Users {0}, {1}, {2} not found".format(path_prefix, marker, max_items))
        return roles
    def upload_signing_certificate(self, user_name, body):
        user = self.get_user(user_name)
        cert_id = random_resource_id(size=32)
--- a/moto/iam/responses.py
+++ b/moto/iam/responses.py
@ -108,8 +108,69 @@ class IamResponse(BaseResponse):
        return template.render(policies=policies, marker=marker)
    def list_entities_for_policy(self):
        policy_arn = self._get_param('PolicyArn')
        # Options 'User'|'Role'|'Group'|'LocalManagedPolicy'|'AWSManagedPolicy
        entity = self._get_param('EntityFilter')
        path_prefix = self._get_param('PathPrefix')
        policy_usage_filter = self._get_param('PolicyUsageFilter')
        marker = self._get_param('Marker')
        max_items = self._get_param('MaxItems')
        entity_roles = []
        entity_groups = []
        entity_users = []
        if entity == 'User':
            users = iam_backend.list_users(path_prefix, marker, max_items)
            if users:
                for user in users:
                    for p in user.managed_policies:
                        if p == policy_arn:
                            entity_users.append(user.name)
        elif entity == 'Role':
            roles = iam_backend.list_roles(path_prefix, marker, max_items)
            if roles:
                for role in roles:
                    for p in role.managed_policies:
                        if p == policy_arn:
                            entity_roles.append(role.name)
        elif entity == 'Group':
            groups = iam_backend.list_groups()
            if groups:
                for group in groups:
                    for p in group.managed_policies:
                        if p == policy_arn:
                            entity_groups.append(group.name)
        elif entity == 'LocalManagedPolicy' or entity == 'AWSManagedPolicy':
            users = iam_backend.list_users(path_prefix, marker, max_items)
            if users:
                for user in users:
                    for p in user.managed_policies:
                        if p == policy_arn:
                            entity_users.append(user.name)
            roles = iam_backend.list_roles(path_prefix, marker, max_items)
            if roles:
                for role in roles:
                    for p in role.managed_policies:
                        if p == policy_arn:
                            entity_roles.append(role.name)
            groups = iam_backend.list_groups()
            if groups:
                for group in groups:
                    for p in group.managed_policies:
                        if p == policy_arn:
                            entity_groups.append(group.name)
        template = self.response_template(LIST_ENTITIES_FOR_POLICY_TEMPLATE)
-        return template.render()
+        return template.render(roles=entity_roles, users=entity_users, groups=entity_groups)
    def create_role(self):
        role_name = self._get_param('RoleName')
@ -676,23 +737,26 @@ class IamResponse(BaseResponse):
 LIST_ENTITIES_FOR_POLICY_TEMPLATE = """<ListEntitiesForPolicyResponse>
 <ListEntitiesForPolicyResult>
 <PolicyRoles>
- <member>
+       {% for role in roles %}
- <RoleName>DevRole</RoleName>
+      <member>
- </member>
+        <RoleName>{{ role }}</RoleName>
      </member>
      {% endfor %}      
 </PolicyRoles>
 <PolicyGroups>
- <member>
+       {% for group in groups %}
- <GroupName>Dev</GroupName>
+      <member>
- </member>
+        <GroupName>{{ group }}</GroupName>
      </member>
      {% endfor %}
 </PolicyGroups>
 <IsTruncated>false</IsTruncated>
 <PolicyUsers>
- <member>
+      {% for user in users %}
- <UserName>Alice</UserName>
+      <member>
- </member>
+        <UserName>{{ user }}</UserName>
- <member>
+      </member>
- <UserName>Bob</UserName>
+      {% endfor %}
 </member>
 </PolicyUsers>
 </ListEntitiesForPolicyResult>
 <ResponseMetadata>
--- a/tests/test_iam/test_iam.py
+++ b/tests/test_iam/test_iam.py
@ -1187,19 +1187,82 @@ def test_update_role():
    response = conn.update_role(RoleName="my-role", Description="test")
    assert len(response.keys()) == 1
@mock_iam()
 def test_list_entities_for_policy():
    import json
    test_policy = json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "s3:ListBucket",
                "Resource": "*",
                "Effect": "Allow",
            }
        ]
    })
    conn = boto3.client('iam', region_name='us-east-1')
    with assert_raises(ClientError):
        conn.delete_role(RoleName="my-role")
    conn.create_role(RoleName="my-role", AssumeRolePolicyDocument="some policy", Path="/my-path/")
    conn.create_user(Path='/', UserName='testUser')
    conn.create_group(Path='/', GroupName='testGroup')
    conn.create_policy(
        PolicyName='testPolicy',
        Path='/',
        PolicyDocument=test_policy,
        Description='Test Policy'
    )
-    role = conn.get_role(RoleName="my-role")
+    # Attach things to the user and group:
-    arn = role.get('Role').get('Arn')
+    conn.put_user_policy(UserName='testUser', PolicyName='testPolicy', PolicyDocument=test_policy)
    conn.put_group_policy(GroupName='testGroup', PolicyName='testPolicy', PolicyDocument=test_policy)
    conn.attach_user_policy(UserName='testUser', PolicyArn='arn:aws:iam::123456789012:policy/testPolicy')
    conn.attach_group_policy(GroupName='testGroup', PolicyArn='arn:aws:iam::123456789012:policy/testPolicy')
    conn.add_user_to_group(UserName='testUser', GroupName='testGroup')
    # Add things to the role:
    conn.create_instance_profile(InstanceProfileName='ipn')
    conn.add_role_to_instance_profile(InstanceProfileName='ipn', RoleName='my-role')
    conn.tag_role(RoleName='my-role', Tags=[
        {
            'Key': 'somekey',
            'Value': 'somevalue'
        },
        {
            'Key': 'someotherkey',
            'Value': 'someothervalue'
        }
    ])
    conn.put_role_policy(RoleName='my-role', PolicyName='test-policy', PolicyDocument=test_policy)
    conn.attach_role_policy(RoleName='my-role', PolicyArn='arn:aws:iam::123456789012:policy/testPolicy')
    response = conn.list_entities_for_policy(
-        PolicyArn=arn
+        PolicyArn='arn:aws:iam::123456789012:policy/testPolicy',
        EntityFilter='Role'
    )
-    assert response['PolicyGroups'][0]['GroupName'] == 'Dev'
+    assert response['PolicyRoles'] == [{'RoleName': 'my-role'}]
    response = conn.list_entities_for_policy(
        PolicyArn='arn:aws:iam::123456789012:policy/testPolicy',
        EntityFilter='User',
    )
    assert response['PolicyUsers'] ==  [{'UserName': 'testUser'}]
    response = conn.list_entities_for_policy(
        PolicyArn='arn:aws:iam::123456789012:policy/testPolicy',
        EntityFilter='Group',
    )
    assert response['PolicyGroups'] == [{'GroupName': 'testGroup'}]
    response = conn.list_entities_for_policy(
        PolicyArn='arn:aws:iam::123456789012:policy/testPolicy',
        EntityFilter='LocalManagedPolicy',
    )
    assert response['PolicyGroups'] == [{'GroupName': 'testGroup'}]
    assert response['PolicyUsers'] ==  [{'UserName': 'testUser'}]
    assert response['PolicyRoles'] == [{'RoleName': 'my-role'}]