import boto3 import datetime import pytest import sure # noqa # pylint: disable=unused-import from botocore.exceptions import ClientError from moto import mock_ssoadmin from uuid import uuid4 # See our Development Tips on writing tests for hints on how to write good tests: # http://docs.getmoto.org/en/latest/docs/contributing/development_tips/tests.html @mock_ssoadmin def test_create_account_assignment(): client = boto3.client("sso-admin", region_name="eu-west-1") target_id = "222222222222" permission_set_arn = ( "arn:aws:sso:::permissionSet/ins-eeeeffffgggghhhh/ps-hhhhkkkkppppoooo" ) principal_id = str(uuid4()) resp = client.create_account_assignment( InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", TargetId=target_id, TargetType="AWS_ACCOUNT", PermissionSetArn=permission_set_arn, PrincipalType="USER", PrincipalId=principal_id, ) resp.should.have.key("AccountAssignmentCreationStatus") status = resp["AccountAssignmentCreationStatus"] status.should.have.key("Status").equals("SUCCEEDED") status.should.have.key("RequestId") status.shouldnt.have.key("FailureReason") status.should.have.key("TargetId").equals(target_id) status.should.have.key("TargetType").equals("AWS_ACCOUNT") status.should.have.key("PermissionSetArn").equals(permission_set_arn) status.should.have.key("PrincipalType").equals("USER") status.should.have.key("PrincipalId").equals(principal_id) @mock_ssoadmin def test_delete_account_assignment(): client = boto3.client("sso-admin", region_name="eu-west-1") target_id = "222222222222" permission_set_arn = ( "arn:aws:sso:::permissionSet/ins-eeeeffffgggghhhh/ps-hhhhkkkkppppoooo" ) principal_id = str(uuid4()) instance_arn = "arn:aws:sso:::instance/ins-aaaabbbbccccdddd" client.create_account_assignment( InstanceArn=instance_arn, TargetId=target_id, TargetType="AWS_ACCOUNT", PermissionSetArn=permission_set_arn, PrincipalType="USER", PrincipalId=principal_id, ) resp = client.delete_account_assignment( InstanceArn=instance_arn, TargetId=target_id, TargetType="AWS_ACCOUNT", PermissionSetArn=permission_set_arn, PrincipalType="USER", PrincipalId=principal_id, ) resp.should.have.key("AccountAssignmentDeletionStatus") # Verify the correct response status = resp["AccountAssignmentDeletionStatus"] status.should.have.key("Status").equals("SUCCEEDED") status.should.have.key("RequestId") status.shouldnt.have.key("FailureReason") status.should.have.key("TargetId").equals(target_id) status.should.have.key("TargetType").equals("AWS_ACCOUNT") status.should.have.key("PermissionSetArn").equals(permission_set_arn) status.should.have.key("PrincipalType").equals("USER") status.should.have.key("PrincipalId").equals(principal_id) status.should.have.key("CreatedDate").should.be.a(datetime.datetime) # Verify this account assignment can no longer be found resp = client.list_account_assignments( InstanceArn=instance_arn, AccountId=target_id, PermissionSetArn=permission_set_arn, ) resp.should.have.key("AccountAssignments").equals([]) @mock_ssoadmin def test_delete_account_assignment_unknown(): client = boto3.client("sso-admin", region_name="us-east-1") target_id = "222222222222" permission_set_arn = ( "arn:aws:sso:::permissionSet/ins-eeeeffffgggghhhh/ps-hhhhkkkkppppoooo" ) principal_id = str(uuid4()) instance_arn = "arn:aws:sso:::instance/ins-aaaabbbbccccdddd" with pytest.raises(ClientError) as exc: client.delete_account_assignment( InstanceArn=instance_arn, TargetId=target_id, TargetType="AWS_ACCOUNT", PermissionSetArn=permission_set_arn, PrincipalType="USER", PrincipalId=principal_id, ) err = exc.value.response["Error"] err["Code"].should.equal("ResourceNotFound") @mock_ssoadmin def test_list_account_assignments(): client = boto3.client("sso-admin", region_name="ap-southeast-1") target_id1 = "222222222222" target_id2 = "333333333333" permission_set_arn = ( "arn:aws:sso:::permissionSet/ins-eeeeffffgggghhhh/ps-hhhhkkkkppppoooo" ) principal_id = str(uuid4()) instance_arn = "arn:aws:sso:::instance/ins-aaaabbbbccccdddd" resp = client.list_account_assignments( InstanceArn=instance_arn, AccountId=target_id1, PermissionSetArn=permission_set_arn, ) resp.should.have.key("AccountAssignments").equals([]) client.create_account_assignment( InstanceArn=instance_arn, TargetId=target_id1, TargetType="AWS_ACCOUNT", PermissionSetArn=permission_set_arn, PrincipalType="USER", PrincipalId=principal_id, ) resp = client.list_account_assignments( InstanceArn=instance_arn, AccountId=target_id1, PermissionSetArn=permission_set_arn, ) resp.should.have.key("AccountAssignments").equals( [ { "AccountId": target_id1, "PermissionSetArn": permission_set_arn, "PrincipalType": "USER", "PrincipalId": principal_id, } ] ) client.create_account_assignment( InstanceArn=instance_arn, TargetId=target_id2, TargetType="AWS_ACCOUNT", PermissionSetArn=permission_set_arn, PrincipalType="USER", PrincipalId=principal_id, ) resp = client.list_account_assignments( InstanceArn=instance_arn, AccountId=target_id2, PermissionSetArn=permission_set_arn, ) resp.should.have.key("AccountAssignments").equals( [ { "AccountId": target_id2, "PermissionSetArn": permission_set_arn, "PrincipalType": "USER", "PrincipalId": principal_id, } ] ) @mock_ssoadmin def test_create_permission_set(): client = boto3.client("sso-admin", region_name="ap-southeast-1") resp = client.create_permission_set( Name="test", Description="Test permission set", InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", SessionDuration="PT1H", RelayState="https://console.aws.amazon.com/ec2", ) resp.should.have.key("PermissionSet") permissionSet = resp["PermissionSet"] permissionSet.should.have.key("Name").equals("test") permissionSet.should.have.key("PermissionSetArn") permissionSet.should.have.key("Description") permissionSet.should.have.key("CreatedDate") permissionSet.should.have.key("SessionDuration") permissionSet.should.have.key("RelayState") @mock_ssoadmin def test_update_permission_set(): client = boto3.client("sso-admin", region_name="ap-southeast-1") resp = client.create_permission_set( Name="test", Description="Test permission set", InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", SessionDuration="PT1H", ) permissionSet = resp["PermissionSet"] resp = client.update_permission_set( InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", PermissionSetArn=permissionSet["PermissionSetArn"], Description="New description", SessionDuration="PT2H", RelayState="https://console.aws.amazon.com/s3", ) resp = client.describe_permission_set( InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", PermissionSetArn=permissionSet["PermissionSetArn"], ) resp.should.have.key("PermissionSet") permissionSet = resp["PermissionSet"] permissionSet.should.have.key("Name").equals("test") permissionSet.should.have.key("Description").equals("New description") permissionSet.should.have.key("CreatedDate") permissionSet.should.have.key("SessionDuration").equals("PT2H") permissionSet.should.have.key("RelayState").equals( "https://console.aws.amazon.com/s3" ) @mock_ssoadmin def test_update_permission_set_unknown(): client = boto3.client("sso-admin", region_name="ap-southeast-1") with pytest.raises(ClientError) as exc: client.update_permission_set( InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", PermissionSetArn="arn:aws:sso:::permissionSet/ins-eeeeffffgggghhhh/ps-hhhhkkkkppppoooo", Description="New description", SessionDuration="PT2H", RelayState="https://console.aws.amazon.com/s3", ) err = exc.value.response["Error"] err["Code"].should.equal("ResourceNotFound") @mock_ssoadmin def test_describe_permission_set(): client = boto3.client("sso-admin", region_name="ap-southeast-1") resp = client.create_permission_set( Name="test", Description="Test permission set", InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", SessionDuration="PT1H", ) permissionSet = resp["PermissionSet"] resp = client.describe_permission_set( InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", PermissionSetArn=permissionSet["PermissionSetArn"], ) resp.should.have.key("PermissionSet") permissionSet = resp["PermissionSet"] permissionSet.should.have.key("Name").equals("test") permissionSet.should.have.key("PermissionSetArn") permissionSet.should.have.key("Description") permissionSet.should.have.key("CreatedDate") permissionSet.should.have.key("SessionDuration") @mock_ssoadmin def test_describe_permission_set_unknown(): client = boto3.client("sso-admin", region_name="ap-southeast-1") with pytest.raises(ClientError) as exc: client.describe_permission_set( InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", PermissionSetArn="arn:aws:sso:::permissionSet/ins-eeeeffffgggghhhh/ps-hhhhkkkkppppoooo", ) err = exc.value.response["Error"] err["Code"].should.equal("ResourceNotFound") @mock_ssoadmin def test_delete_permission_set(): client = boto3.client("sso-admin", region_name="ap-southeast-1") resp = client.create_permission_set( Name="test", Description="Test permission set", InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", SessionDuration="PT1H", ) permissionSet = resp["PermissionSet"] resp = client.delete_permission_set( InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", PermissionSetArn=permissionSet["PermissionSetArn"], ) with pytest.raises(ClientError) as exc: client.describe_permission_set( InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", PermissionSetArn=permissionSet["PermissionSetArn"], ) err = exc.value.response["Error"] err["Code"].should.equal("ResourceNotFound") @mock_ssoadmin def test_delete_permission_set_unknown(): client = boto3.client("sso-admin", region_name="ap-southeast-1") with pytest.raises(ClientError) as exc: client.delete_permission_set( InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", PermissionSetArn="arn:aws:sso:::permissionSet/ins-eeeeffffgggghhhh/ps-hhhhkkkkppppoooo", ) err = exc.value.response["Error"] err["Code"].should.equal("ResourceNotFound") @mock_ssoadmin def test_list_permission_sets(): client = boto3.client("sso-admin", region_name="ap-southeast-1") response = client.list_permission_sets( InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", ) response.should.have.key("PermissionSets") permissionSets = response["PermissionSets"] len(permissionSets).should.equal(0) for i in range(5): client.create_permission_set( Name="test" + str(i), Description="Test permission set " + str(i), InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", SessionDuration="PT1H", ) response = client.list_permission_sets( InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", ) response.should.have.key("PermissionSets") permissionSets = response["PermissionSets"] len(permissionSets).should.equal(5) @mock_ssoadmin def test_list_permission_sets_pagination(): client = boto3.client("sso-admin", region_name="ap-southeast-1") response = client.list_permission_sets( InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", ) response.should.have.key("PermissionSets") permissionSets = response["PermissionSets"] len(permissionSets).should.equal(0) for i in range(25): client.create_permission_set( Name="test" + str(i), Description="Test permission set " + str(i), InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", SessionDuration="PT1H", ) response = client.list_permission_sets( InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", ) response.should.have.key("PermissionSets") response.should_not.have.key("NextToken") paginator = client.get_paginator("list_permission_sets") page_iterator = paginator.paginate( InstanceArn="arn:aws:sso:::instance/ins-aaaabbbbccccdddd", MaxResults=5 ) for page in page_iterator: len(page["PermissionSets"]).should.be.lower_than_or_equal_to(5)