306 lines
12 KiB
Python
306 lines
12 KiB
Python
import boto3
|
|
import json
|
|
import pytest
|
|
import sure # noqa # pylint: disable=unused-import
|
|
|
|
from boto3 import Session
|
|
from botocore.client import ClientError
|
|
from moto import settings, mock_s3control, mock_config
|
|
|
|
# All tests for s3-control cannot be run under the server without a modification of the
|
|
# hosts file on your system. This is due to the fact that the URL to the host is in the form of:
|
|
# ACCOUNT_ID.s3-control.amazonaws.com <-- That Account ID part is the problem. If you want to
|
|
# make use of the moto server, update your hosts file for `THE_ACCOUNT_ID_FOR_MOTO.localhost`
|
|
# and this will work fine.
|
|
|
|
if not settings.TEST_SERVER_MODE:
|
|
|
|
@mock_s3control
|
|
@mock_config
|
|
def test_config_list_account_pab():
|
|
from moto.core import DEFAULT_ACCOUNT_ID as ACCOUNT_ID
|
|
|
|
client = boto3.client("s3control", region_name="us-west-2")
|
|
config_client = boto3.client("config", region_name="us-west-2")
|
|
|
|
# Create the aggregator:
|
|
account_aggregation_source = {
|
|
"AccountIds": [ACCOUNT_ID],
|
|
"AllAwsRegions": True,
|
|
}
|
|
config_client.put_configuration_aggregator(
|
|
ConfigurationAggregatorName="testing",
|
|
AccountAggregationSources=[account_aggregation_source],
|
|
)
|
|
|
|
# Without a PAB in place:
|
|
result = config_client.list_discovered_resources(
|
|
resourceType="AWS::S3::AccountPublicAccessBlock"
|
|
)
|
|
assert not result["resourceIdentifiers"]
|
|
result = config_client.list_aggregate_discovered_resources(
|
|
ResourceType="AWS::S3::AccountPublicAccessBlock",
|
|
ConfigurationAggregatorName="testing",
|
|
)
|
|
assert not result["ResourceIdentifiers"]
|
|
|
|
# Create a PAB:
|
|
client.put_public_access_block(
|
|
AccountId=ACCOUNT_ID,
|
|
PublicAccessBlockConfiguration={
|
|
"BlockPublicAcls": True,
|
|
"IgnorePublicAcls": True,
|
|
"BlockPublicPolicy": True,
|
|
"RestrictPublicBuckets": True,
|
|
},
|
|
)
|
|
|
|
# Test that successful queries work (non-aggregated):
|
|
result = config_client.list_discovered_resources(
|
|
resourceType="AWS::S3::AccountPublicAccessBlock"
|
|
)
|
|
assert result["resourceIdentifiers"] == [
|
|
{
|
|
"resourceType": "AWS::S3::AccountPublicAccessBlock",
|
|
"resourceId": ACCOUNT_ID,
|
|
}
|
|
]
|
|
result = config_client.list_discovered_resources(
|
|
resourceType="AWS::S3::AccountPublicAccessBlock",
|
|
resourceIds=[ACCOUNT_ID, "nope"],
|
|
)
|
|
assert result["resourceIdentifiers"] == [
|
|
{
|
|
"resourceType": "AWS::S3::AccountPublicAccessBlock",
|
|
"resourceId": ACCOUNT_ID,
|
|
}
|
|
]
|
|
result = config_client.list_discovered_resources(
|
|
resourceType="AWS::S3::AccountPublicAccessBlock", resourceName=""
|
|
)
|
|
assert result["resourceIdentifiers"] == [
|
|
{
|
|
"resourceType": "AWS::S3::AccountPublicAccessBlock",
|
|
"resourceId": ACCOUNT_ID,
|
|
}
|
|
]
|
|
|
|
# Test that successful queries work (aggregated):
|
|
result = config_client.list_aggregate_discovered_resources(
|
|
ResourceType="AWS::S3::AccountPublicAccessBlock",
|
|
ConfigurationAggregatorName="testing",
|
|
)
|
|
regions = {region for region in Session().get_available_regions("config")}
|
|
for r in result["ResourceIdentifiers"]:
|
|
regions.remove(r.pop("SourceRegion"))
|
|
assert r == {
|
|
"ResourceType": "AWS::S3::AccountPublicAccessBlock",
|
|
"SourceAccountId": ACCOUNT_ID,
|
|
"ResourceId": ACCOUNT_ID,
|
|
}
|
|
|
|
# Just check that the len is the same -- this should be reasonable
|
|
regions = {region for region in Session().get_available_regions("config")}
|
|
result = config_client.list_aggregate_discovered_resources(
|
|
ResourceType="AWS::S3::AccountPublicAccessBlock",
|
|
ConfigurationAggregatorName="testing",
|
|
Filters={"ResourceName": ""},
|
|
)
|
|
assert len(regions) == len(result["ResourceIdentifiers"])
|
|
result = config_client.list_aggregate_discovered_resources(
|
|
ResourceType="AWS::S3::AccountPublicAccessBlock",
|
|
ConfigurationAggregatorName="testing",
|
|
Filters={"ResourceName": "", "ResourceId": ACCOUNT_ID},
|
|
)
|
|
assert len(regions) == len(result["ResourceIdentifiers"])
|
|
result = config_client.list_aggregate_discovered_resources(
|
|
ResourceType="AWS::S3::AccountPublicAccessBlock",
|
|
ConfigurationAggregatorName="testing",
|
|
Filters={
|
|
"ResourceName": "",
|
|
"ResourceId": ACCOUNT_ID,
|
|
"Region": "us-west-2",
|
|
},
|
|
)
|
|
assert (
|
|
result["ResourceIdentifiers"][0]["SourceRegion"] == "us-west-2"
|
|
and len(result["ResourceIdentifiers"]) == 1
|
|
)
|
|
|
|
# Test aggregator pagination:
|
|
result = config_client.list_aggregate_discovered_resources(
|
|
ResourceType="AWS::S3::AccountPublicAccessBlock",
|
|
ConfigurationAggregatorName="testing",
|
|
Limit=1,
|
|
)
|
|
regions = sorted(
|
|
[region for region in Session().get_available_regions("config")]
|
|
)
|
|
assert result["ResourceIdentifiers"][0] == {
|
|
"ResourceType": "AWS::S3::AccountPublicAccessBlock",
|
|
"SourceAccountId": ACCOUNT_ID,
|
|
"ResourceId": ACCOUNT_ID,
|
|
"SourceRegion": regions[0],
|
|
}
|
|
assert result["NextToken"] == regions[1]
|
|
|
|
# Get the next region:
|
|
result = config_client.list_aggregate_discovered_resources(
|
|
ResourceType="AWS::S3::AccountPublicAccessBlock",
|
|
ConfigurationAggregatorName="testing",
|
|
Limit=1,
|
|
NextToken=regions[1],
|
|
)
|
|
assert result["ResourceIdentifiers"][0] == {
|
|
"ResourceType": "AWS::S3::AccountPublicAccessBlock",
|
|
"SourceAccountId": ACCOUNT_ID,
|
|
"ResourceId": ACCOUNT_ID,
|
|
"SourceRegion": regions[1],
|
|
}
|
|
|
|
# Non-aggregated with incorrect info:
|
|
result = config_client.list_discovered_resources(
|
|
resourceType="AWS::S3::AccountPublicAccessBlock", resourceName="nope"
|
|
)
|
|
assert not result["resourceIdentifiers"]
|
|
result = config_client.list_discovered_resources(
|
|
resourceType="AWS::S3::AccountPublicAccessBlock", resourceIds=["nope"]
|
|
)
|
|
assert not result["resourceIdentifiers"]
|
|
|
|
# Aggregated with incorrect info:
|
|
result = config_client.list_aggregate_discovered_resources(
|
|
ResourceType="AWS::S3::AccountPublicAccessBlock",
|
|
ConfigurationAggregatorName="testing",
|
|
Filters={"ResourceName": "nope"},
|
|
)
|
|
assert not result["ResourceIdentifiers"]
|
|
result = config_client.list_aggregate_discovered_resources(
|
|
ResourceType="AWS::S3::AccountPublicAccessBlock",
|
|
ConfigurationAggregatorName="testing",
|
|
Filters={"ResourceId": "nope"},
|
|
)
|
|
assert not result["ResourceIdentifiers"]
|
|
result = config_client.list_aggregate_discovered_resources(
|
|
ResourceType="AWS::S3::AccountPublicAccessBlock",
|
|
ConfigurationAggregatorName="testing",
|
|
Filters={"Region": "Nope"},
|
|
)
|
|
assert not result["ResourceIdentifiers"]
|
|
|
|
@mock_s3control
|
|
@mock_config
|
|
def test_config_get_account_pab():
|
|
from moto.core import DEFAULT_ACCOUNT_ID as ACCOUNT_ID
|
|
|
|
client = boto3.client("s3control", region_name="us-west-2")
|
|
config_client = boto3.client("config", region_name="us-west-2")
|
|
|
|
# Create the aggregator:
|
|
account_aggregation_source = {
|
|
"AccountIds": [ACCOUNT_ID],
|
|
"AllAwsRegions": True,
|
|
}
|
|
config_client.put_configuration_aggregator(
|
|
ConfigurationAggregatorName="testing",
|
|
AccountAggregationSources=[account_aggregation_source],
|
|
)
|
|
|
|
# Without a PAB in place:
|
|
with pytest.raises(ClientError) as ce:
|
|
config_client.get_resource_config_history(
|
|
resourceType="AWS::S3::AccountPublicAccessBlock", resourceId=ACCOUNT_ID
|
|
)
|
|
assert ce.value.response["Error"]["Code"] == "ResourceNotDiscoveredException"
|
|
# aggregate
|
|
result = config_client.batch_get_resource_config(
|
|
resourceKeys=[
|
|
{
|
|
"resourceType": "AWS::S3::AccountPublicAccessBlock",
|
|
"resourceId": "ACCOUNT_ID",
|
|
}
|
|
]
|
|
)
|
|
assert not result["baseConfigurationItems"]
|
|
result = config_client.batch_get_aggregate_resource_config(
|
|
ConfigurationAggregatorName="testing",
|
|
ResourceIdentifiers=[
|
|
{
|
|
"SourceAccountId": ACCOUNT_ID,
|
|
"SourceRegion": "us-west-2",
|
|
"ResourceId": ACCOUNT_ID,
|
|
"ResourceType": "AWS::S3::AccountPublicAccessBlock",
|
|
"ResourceName": "",
|
|
}
|
|
],
|
|
)
|
|
assert not result["BaseConfigurationItems"]
|
|
|
|
# Create a PAB:
|
|
client.put_public_access_block(
|
|
AccountId=ACCOUNT_ID,
|
|
PublicAccessBlockConfiguration={
|
|
"BlockPublicAcls": True,
|
|
"IgnorePublicAcls": True,
|
|
"BlockPublicPolicy": True,
|
|
"RestrictPublicBuckets": True,
|
|
},
|
|
)
|
|
|
|
# Get the proper config:
|
|
proper_config = {
|
|
"blockPublicAcls": True,
|
|
"ignorePublicAcls": True,
|
|
"blockPublicPolicy": True,
|
|
"restrictPublicBuckets": True,
|
|
}
|
|
result = config_client.get_resource_config_history(
|
|
resourceType="AWS::S3::AccountPublicAccessBlock", resourceId=ACCOUNT_ID
|
|
)
|
|
assert (
|
|
json.loads(result["configurationItems"][0]["configuration"])
|
|
== proper_config
|
|
)
|
|
assert (
|
|
result["configurationItems"][0]["accountId"]
|
|
== result["configurationItems"][0]["resourceId"]
|
|
== ACCOUNT_ID
|
|
)
|
|
result = config_client.batch_get_resource_config(
|
|
resourceKeys=[
|
|
{
|
|
"resourceType": "AWS::S3::AccountPublicAccessBlock",
|
|
"resourceId": ACCOUNT_ID,
|
|
}
|
|
]
|
|
)
|
|
assert len(result["baseConfigurationItems"]) == 1
|
|
assert (
|
|
json.loads(result["baseConfigurationItems"][0]["configuration"])
|
|
== proper_config
|
|
)
|
|
assert (
|
|
result["baseConfigurationItems"][0]["accountId"]
|
|
== result["baseConfigurationItems"][0]["resourceId"]
|
|
== ACCOUNT_ID
|
|
)
|
|
|
|
for region in Session().get_available_regions("s3control"):
|
|
result = config_client.batch_get_aggregate_resource_config(
|
|
ConfigurationAggregatorName="testing",
|
|
ResourceIdentifiers=[
|
|
{
|
|
"SourceAccountId": ACCOUNT_ID,
|
|
"SourceRegion": region,
|
|
"ResourceId": ACCOUNT_ID,
|
|
"ResourceType": "AWS::S3::AccountPublicAccessBlock",
|
|
"ResourceName": "",
|
|
}
|
|
],
|
|
)
|
|
assert len(result["BaseConfigurationItems"]) == 1
|
|
assert (
|
|
json.loads(result["BaseConfigurationItems"][0]["configuration"])
|
|
== proper_config
|
|
)
|