From ae2b416d155960aa40d0f6e1065e36f4e0de2a86 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 20:23:20 +0100 Subject: [PATCH 01/42] s3tests_boto3/functional/test_sts.py: remove unused imports Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 25 ------------------------- 1 file changed, 25 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 8969167c4..db1719c92 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -1,36 +1,11 @@ import boto3 -import botocore.session from botocore.exceptions import ClientError -from botocore.exceptions import ParamValidationError import pytest -import isodate -import email.utils -import datetime -import threading -import re -import pytz -from collections import OrderedDict -import requests import json -import base64 -import hmac -import hashlib -import xml.etree.ElementTree as ET import time -import operator -import os -import string -import random -import socket -import ssl import logging -from collections import namedtuple - -from email.header import decode_header from . import( - configfile, - setup_teardown, get_iam_client, get_sts_client, get_client, From 37aee0a4c88097942abe2e651182fd5c1ca8f009 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 20:29:29 +0100 Subject: [PATCH 02/42] s3tests_boto3/functional/test_sts.py: create_role add whitespaces, fix too long lines, remove redundant brackets Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index db1719c92..519341948 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -29,18 +29,34 @@ log = logging.getLogger(__name__) -def create_role(iam_client,path,rolename,policy_document,description,sessionduration,permissionboundary,tag_list=None): - role_err=None + +def create_role( + iam_client, + path, + rolename, + policy_document, + description, + sessionduration, + permissionboundary, + tag_list=None, +): + role_err = None role_response = None if rolename is None: - rolename=get_parameter_name() + rolename = get_parameter_name() if tag_list is None: tag_list = [] try: - role_response = iam_client.create_role(Path=path,RoleName=rolename,AssumeRolePolicyDocument=policy_document,Tags=tag_list) + role_response = iam_client.create_role( + Path=path, + RoleName=rolename, + AssumeRolePolicyDocument=policy_document, + Tags=tag_list, + ) except ClientError as e: - role_err = e.response['Code'] - return (role_err,role_response,rolename) + role_err = e.response['Code'] + return role_err, role_response, rolename + def put_role_policy(iam_client,rolename,policyname,role_policy): role_err=None From b6ab34dcce3de5cde7196c4c2c589e614e4ef319 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 20:30:12 +0100 Subject: [PATCH 03/42] s3tests_boto3/functional/test_sts.py: put_role_policy add whitespaces, fix too long lines, remove redundant brackets Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 519341948..ceae041e7 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -58,16 +58,21 @@ def create_role( return role_err, role_response, rolename -def put_role_policy(iam_client,rolename,policyname,role_policy): +def put_role_policy(iam_client, rolename, policyname, role_policy): role_err=None role_response = None if policyname is None: policyname=get_parameter_name() try: - role_response = iam_client.put_role_policy(RoleName=rolename,PolicyName=policyname,PolicyDocument=role_policy) + role_response = iam_client.put_role_policy( + RoleName=rolename, + PolicyName=policyname, + PolicyDocument=role_policy, + ) except ClientError as e: - role_err = e.response['Code'] - return (role_err,role_response) + role_err = e.response['Code'] + return role_err,role_response + def put_user_policy(iam_client,username,policyname,policy_document): role_err=None From 2bf68806f3c894e4cd5dece884eccd57aef57e08 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 20:31:06 +0100 Subject: [PATCH 04/42] s3tests_boto3/functional/test_sts.py: put_user_policy add whitespaces, fix too long lines, remove redundant brackets Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index ceae041e7..f353c400a 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -71,19 +71,24 @@ def put_role_policy(iam_client, rolename, policyname, role_policy): ) except ClientError as e: role_err = e.response['Code'] - return role_err,role_response + return role_err, role_response -def put_user_policy(iam_client,username,policyname,policy_document): +def put_user_policy(iam_client, username, policyname, policy_document): role_err=None role_response = None if policyname is None: - policyname=get_parameter_name() + policyname = get_parameter_name() try: - role_response = iam_client.put_user_policy(UserName=username,PolicyName=policyname,PolicyDocument=policy_document) + role_response = iam_client.put_user_policy( + UserName=username, + PolicyName=policyname, + PolicyDocument=policy_document, + ) except ClientError as e: role_err = e.response['Code'] - return (role_err,role_response,policyname) + return role_err, role_response, policyname + def get_s3_client_using_iam_creds(): iam_access_key = get_iam_access_key() From eb09c4c6631df703f1b264cd9d7e60860078d5fd Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 20:33:10 +0100 Subject: [PATCH 05/42] s3tests_boto3/functional/test_sts.py: get_s3_client_using_iam_creds add whitespaces, remove redundant variable assignment Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index f353c400a..2043e9220 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -90,18 +90,14 @@ def put_user_policy(iam_client, username, policyname, policy_document): return role_err, role_response, policyname -def get_s3_client_using_iam_creds(): - iam_access_key = get_iam_access_key() - iam_secret_key = get_iam_secret_key() - default_endpoint = get_config_endpoint() - - s3_client_iam_creds = boto3.client('s3', - aws_access_key_id = iam_access_key, - aws_secret_access_key = iam_secret_key, - endpoint_url=default_endpoint, - region_name='', - ) - +def get_s3_client_using_iam_creds() -> boto3: + s3_client_iam_creds = boto3.client( + 's3', + aws_access_key_id=get_iam_access_key(), + aws_secret_access_key=get_iam_secret_key(), + endpoint_url=get_config_endpoint(), + region_name='', + ) return s3_client_iam_creds def create_oidc_provider(iam_client, url, clientidlist, thumbprintlist): From 613d888e4cb370ab908fd7f1ddfbb5b29ca8b4d9 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:02:46 +0100 Subject: [PATCH 06/42] s3tests_boto3/functional/test_sts.py: create_oidc_provider add whitespaces, remove redundant variable assignment Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 2043e9220..470ad3d1c 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -100,8 +100,8 @@ def get_s3_client_using_iam_creds() -> boto3: ) return s3_client_iam_creds + def create_oidc_provider(iam_client, url, clientidlist, thumbprintlist): - oidc_arn = None oidc_error = None clientids = [] if clientidlist is None: @@ -129,10 +129,10 @@ def create_oidc_provider(iam_client, url, clientidlist, thumbprintlist): oidc_arn = 'arn:aws:iam:::oidc-provider/{}'.format(url) print (url) print (oidc_arn) - oidc_response = iam_client.get_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) - except ClientError as e: + iam_client.get_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) + except ClientError: oidc_arn = None - return (oidc_arn, oidc_error) + return oidc_arn, oidc_error def get_s3_resource_using_iam_creds(): iam_access_key = get_iam_access_key() From 3cc629bfe44b4c98b0dea63e8f90671258514a6a Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:03:09 +0100 Subject: [PATCH 07/42] s3tests_boto3/functional/test_sts.py: get_s3_resource_using_iam_creds add whitespaces, remove redundant variable assignment Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 77 +++++++++++++--------------- 1 file changed, 37 insertions(+), 40 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 470ad3d1c..4d325632f 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -62,7 +62,7 @@ def put_role_policy(iam_client, rolename, policyname, role_policy): role_err=None role_response = None if policyname is None: - policyname=get_parameter_name() + policyname=get_parameter_name() try: role_response = iam_client.put_role_policy( RoleName=rolename, @@ -134,18 +134,15 @@ def create_oidc_provider(iam_client, url, clientidlist, thumbprintlist): oidc_arn = None return oidc_arn, oidc_error -def get_s3_resource_using_iam_creds(): - iam_access_key = get_iam_access_key() - iam_secret_key = get_iam_secret_key() - default_endpoint = get_config_endpoint() - - s3_res_iam_creds = boto3.resource('s3', - aws_access_key_id = iam_access_key, - aws_secret_access_key = iam_secret_key, - endpoint_url=default_endpoint, - region_name='', - ) +def get_s3_resource_using_iam_creds(): + s3_res_iam_creds = boto3.resource( + 's3', + aws_access_key_id=get_iam_access_key(), + aws_secret_access_key=get_iam_secret_key(), + endpoint_url=get_config_endpoint(), + region_name='', + ) return s3_res_iam_creds @pytest.mark.test_of_sts @@ -155,14 +152,14 @@ def test_get_session_token(): sts_client=get_sts_client() sts_user_id=get_alt_user_id() default_endpoint=get_config_endpoint() - + user_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":[\"*\"],\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}},{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}}]}" (resp_err,resp,policy_name)=put_user_policy(iam_client,sts_user_id,None,user_policy) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - + response=sts_client.get_session_token() assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - + s3_client=boto3.client('s3', aws_access_key_id = response['Credentials']['AccessKeyId'], aws_secret_access_key = response['Credentials']['SecretAccessKey'], @@ -188,14 +185,14 @@ def test_get_session_token_permanent_creds_denied(): default_endpoint=get_config_endpoint() s3_main_access_key=get_main_aws_access_key() s3_main_secret_key=get_main_aws_secret_key() - + user_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":[\"*\"],\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}},{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}}]}" (resp_err,resp,policy_name)=put_user_policy(iam_client,sts_user_id,None,user_policy) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - + response=sts_client.get_session_token() assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - + s3_client=boto3.client('s3', aws_access_key_id = s3_main_access_key, aws_secret_access_key = s3_main_secret_key, @@ -214,29 +211,29 @@ def test_get_session_token_permanent_creds_denied(): @pytest.mark.test_of_sts @pytest.mark.fails_on_dbstore def test_assume_role_allow(): - iam_client=get_iam_client() + iam_client=get_iam_client() sts_client=get_sts_client() sts_user_id=get_alt_user_id() default_endpoint=get_config_endpoint() role_session_name=get_parameter_name() - + policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/"+sts_user_id+"\"]},\"Action\":[\"sts:AssumeRole\"]}]}" (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) if role_response: assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' else: assert False, role_error - + role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}" (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) if response: assert response['ResponseMetadata']['HTTPStatusCode'] == 200 else: assert False, role_err - + resp=sts_client.assume_role(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - + s3_client = boto3.client('s3', aws_access_key_id = resp['Credentials']['AccessKeyId'], aws_secret_access_key = resp['Credentials']['SecretAccessKey'], @@ -254,29 +251,29 @@ def test_assume_role_allow(): @pytest.mark.fails_on_dbstore def test_assume_role_deny(): s3bucket_error=None - iam_client=get_iam_client() + iam_client=get_iam_client() sts_client=get_sts_client() sts_user_id=get_alt_user_id() default_endpoint=get_config_endpoint() role_session_name=get_parameter_name() - + policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/"+sts_user_id+"\"]},\"Action\":[\"sts:AssumeRole\"]}]}" (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) if role_response: assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' else: assert False, role_error - + role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}" (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) if response: assert response['ResponseMetadata']['HTTPStatusCode'] == 200 else: assert False, role_err - + resp=sts_client.assume_role(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - + s3_client = boto3.client('s3', aws_access_key_id = resp['Credentials']['AccessKeyId'], aws_secret_access_key = resp['Credentials']['SecretAccessKey'], @@ -294,30 +291,30 @@ def test_assume_role_deny(): @pytest.mark.test_of_sts @pytest.mark.fails_on_dbstore def test_assume_role_creds_expiry(): - iam_client=get_iam_client() + iam_client=get_iam_client() sts_client=get_sts_client() sts_user_id=get_alt_user_id() default_endpoint=get_config_endpoint() role_session_name=get_parameter_name() - + policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/"+sts_user_id+"\"]},\"Action\":[\"sts:AssumeRole\"]}]}" (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) if role_response: assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' else: assert False, role_error - + role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}" (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) if response: assert response['ResponseMetadata']['HTTPStatusCode'] == 200 else: assert False, role_err - + resp=sts_client.assume_role(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,DurationSeconds=900) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 time.sleep(900) - + s3_client = boto3.client('s3', aws_access_key_id = resp['Credentials']['AccessKeyId'], aws_secret_access_key = resp['Credentials']['SecretAccessKey'], @@ -426,7 +423,7 @@ def test_assume_role_allow_head_nonexistent(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity(): check_webidentity() - iam_client=get_iam_client() + iam_client=get_iam_client() sts_client=get_sts_client() default_endpoint=get_config_endpoint() role_session_name=get_parameter_name() @@ -434,28 +431,28 @@ def test_assume_role_with_web_identity(): aud=get_aud() token=get_token() realm=get_realm_name() - + oidc_response = iam_client.create_open_id_connect_provider( Url='http://localhost:8080/auth/realms/{}'.format(realm), ThumbprintList=[ thumbprint, ], ) - + policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' - + role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}" (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) if response: assert response['ResponseMetadata']['HTTPStatusCode'] == 200 else: assert False, role_err - + resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - + s3_client = boto3.client('s3', aws_access_key_id = resp['Credentials']['AccessKeyId'], aws_secret_access_key = resp['Credentials']['SecretAccessKey'], @@ -468,7 +465,7 @@ def test_assume_role_with_web_identity(): assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bkt = s3_client.delete_bucket(Bucket=bucket_name) assert bkt['ResponseMetadata']['HTTPStatusCode'] == 204 - + oidc_remove=iam_client.delete_open_id_connect_provider( OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] ) From 31d8baa2ba8af177a7f155990395db93324e3295 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:05:35 +0100 Subject: [PATCH 08/42] s3tests_boto3/functional/test_sts.py: test_get_session_token add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 38 +++++++++++++++++----------- 1 file changed, 23 insertions(+), 15 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 4d325632f..3725506a3 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -145,36 +145,44 @@ def get_s3_resource_using_iam_creds(): ) return s3_res_iam_creds + @pytest.mark.test_of_sts @pytest.mark.fails_on_dbstore def test_get_session_token(): - iam_client=get_iam_client() - sts_client=get_sts_client() - sts_user_id=get_alt_user_id() - default_endpoint=get_config_endpoint() + iam_client = get_iam_client() + sts_client = get_sts_client() + sts_user_id = get_alt_user_id() + default_endpoint = get_config_endpoint() user_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":[\"*\"],\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}},{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}}]}" - (resp_err,resp,policy_name)=put_user_policy(iam_client,sts_user_id,None,user_policy) + resp_err,resp, policy_name = put_user_policy( + iam_client, + sts_user_id, + None, + user_policy, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - response=sts_client.get_session_token() + response = sts_client.get_session_token() assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client=boto3.client('s3', - aws_access_key_id = response['Credentials']['AccessKeyId'], - aws_secret_access_key = response['Credentials']['SecretAccessKey'], - aws_session_token = response['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client=boto3.client( + 's3', + aws_access_key_id = response['Credentials']['AccessKeyId'], + aws_secret_access_key = response['Credentials']['SecretAccessKey'], + aws_session_token = response['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_name = get_new_bucket_name() try: s3bucket = s3_client.create_bucket(Bucket=bucket_name) assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 - finish=s3_client.delete_bucket(Bucket=bucket_name) - finally: # clean up user policy even if create_bucket/delete_bucket fails + s3_client.delete_bucket(Bucket=bucket_name) + finally: # clean up user policy even if create_bucket/delete_bucket fails iam_client.delete_user_policy(UserName=sts_user_id,PolicyName=policy_name) + @pytest.mark.test_of_sts @pytest.mark.fails_on_dbstore def test_get_session_token_permanent_creds_denied(): From fdb8b43ad54e201cd74a0b27830be6a50efad320 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:07:21 +0100 Subject: [PATCH 09/42] s3tests_boto3/functional/test_sts.py: test_get_session_token_permanent_creds_denied add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 43 ++++++++++++++++------------ 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 3725506a3..5a792fa7e 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -168,9 +168,9 @@ def test_get_session_token(): s3_client=boto3.client( 's3', - aws_access_key_id = response['Credentials']['AccessKeyId'], - aws_secret_access_key = response['Credentials']['SecretAccessKey'], - aws_session_token = response['Credentials']['SessionToken'], + aws_access_key_id=response['Credentials']['AccessKeyId'], + aws_secret_access_key=response['Credentials']['SecretAccessKey'], + aws_session_token=rresponse['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -187,35 +187,42 @@ def test_get_session_token(): @pytest.mark.fails_on_dbstore def test_get_session_token_permanent_creds_denied(): s3bucket_error=None - iam_client=get_iam_client() - sts_client=get_sts_client() - sts_user_id=get_alt_user_id() - default_endpoint=get_config_endpoint() - s3_main_access_key=get_main_aws_access_key() - s3_main_secret_key=get_main_aws_secret_key() + iam_client = get_iam_client() + sts_client = get_sts_client() + sts_user_id = get_alt_user_id() + default_endpoint = get_config_endpoint() + s3_main_access_key = get_main_aws_access_key() + s3_main_secret_key = get_main_aws_secret_key() user_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":[\"*\"],\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}},{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}}]}" - (resp_err,resp,policy_name)=put_user_policy(iam_client,sts_user_id,None,user_policy) + resp_err,resp, policy_name = put_user_policy( + iam_client, + sts_user_id, + None, + user_policy, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 response=sts_client.get_session_token() assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client=boto3.client('s3', - aws_access_key_id = s3_main_access_key, - aws_secret_access_key = s3_main_secret_key, - aws_session_token = response['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client=boto3.client( + 's3', + aws_access_key_id=s3_main_access_key, + aws_secret_access_key=s3_main_secret_key, + aws_session_token=response['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_name = get_new_bucket_name() try: - s3bucket = s3_client.create_bucket(Bucket=bucket_name) + s3_client.create_bucket(Bucket=bucket_name) except ClientError as e: s3bucket_error = e.response.get("Error", {}).get("Code") assert s3bucket_error == 'AccessDenied' iam_client.delete_user_policy(UserName=sts_user_id,PolicyName=policy_name) + @pytest.mark.test_of_sts @pytest.mark.fails_on_dbstore def test_assume_role_allow(): From a37a419956afc1424b7ac4b6144de485dd9604bd Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:10:53 +0100 Subject: [PATCH 10/42] s3tests_boto3/functional/test_sts.py: test_assume_role_allow add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 90 ++++++++++++++++------------ 1 file changed, 51 insertions(+), 39 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 5a792fa7e..e9eb7e26a 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -168,9 +168,9 @@ def test_get_session_token(): s3_client=boto3.client( 's3', - aws_access_key_id=response['Credentials']['AccessKeyId'], - aws_secret_access_key=response['Credentials']['SecretAccessKey'], - aws_session_token=rresponse['Credentials']['SessionToken'], + aws_access_key_id = response['Credentials']['AccessKeyId'], + aws_secret_access_key = response['Credentials']['SecretAccessKey'], + aws_session_token = response['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -187,36 +187,30 @@ def test_get_session_token(): @pytest.mark.fails_on_dbstore def test_get_session_token_permanent_creds_denied(): s3bucket_error=None - iam_client = get_iam_client() - sts_client = get_sts_client() - sts_user_id = get_alt_user_id() - default_endpoint = get_config_endpoint() - s3_main_access_key = get_main_aws_access_key() - s3_main_secret_key = get_main_aws_secret_key() + iam_client=get_iam_client() + sts_client=get_sts_client() + sts_user_id=get_alt_user_id() + default_endpoint=get_config_endpoint() + s3_main_access_key=get_main_aws_access_key() + s3_main_secret_key=get_main_aws_secret_key() user_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":[\"*\"],\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}},{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}}]}" - resp_err,resp, policy_name = put_user_policy( - iam_client, - sts_user_id, - None, - user_policy, - ) + (resp_err,resp,policy_name)=put_user_policy(iam_client,sts_user_id,None,user_policy) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 response=sts_client.get_session_token() assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client=boto3.client( - 's3', - aws_access_key_id=s3_main_access_key, - aws_secret_access_key=s3_main_secret_key, - aws_session_token=response['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client=boto3.client('s3', + aws_access_key_id = s3_main_access_key, + aws_secret_access_key = s3_main_secret_key, + aws_session_token = response['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_name = get_new_bucket_name() try: - s3_client.create_bucket(Bucket=bucket_name) + s3bucket = s3_client.create_bucket(Bucket=bucket_name) except ClientError as e: s3bucket_error = e.response.get("Error", {}).get("Code") assert s3bucket_error == 'AccessDenied' @@ -226,42 +220,60 @@ def test_get_session_token_permanent_creds_denied(): @pytest.mark.test_of_sts @pytest.mark.fails_on_dbstore def test_assume_role_allow(): - iam_client=get_iam_client() - sts_client=get_sts_client() - sts_user_id=get_alt_user_id() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + sts_user_id = get_alt_user_id() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/"+sts_user_id+"\"]},\"Action\":[\"sts:AssumeRole\"]}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) if role_response: assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' else: assert False, role_error role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) if response: assert response['ResponseMetadata']['HTTPStatusCode'] == 200 else: assert False, role_err - resp=sts_client.assume_role(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name) + resp = sts_client.assume_role( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_name = get_new_bucket_name() s3bucket = s3_client.create_bucket(Bucket=bucket_name) assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bkt = s3_client.delete_bucket(Bucket=bucket_name) assert bkt['ResponseMetadata']['HTTPStatusCode'] == 204 + @pytest.mark.test_of_sts @pytest.mark.fails_on_dbstore def test_assume_role_deny(): From 9c2126da3fdf06ec5bf631451594d665211744de Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:12:59 +0100 Subject: [PATCH 11/42] s3tests_boto3/functional/test_sts.py: test_assume_role_deny add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 52 +++++++++++++++++++--------- 1 file changed, 35 insertions(+), 17 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index e9eb7e26a..c16554128 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -277,44 +277,62 @@ def test_assume_role_allow(): @pytest.mark.test_of_sts @pytest.mark.fails_on_dbstore def test_assume_role_deny(): - s3bucket_error=None - iam_client=get_iam_client() - sts_client=get_sts_client() - sts_user_id=get_alt_user_id() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() + s3bucket_error = None + iam_client = get_iam_client() + sts_client = get_sts_client() + sts_user_id = get_alt_user_id() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/"+sts_user_id+"\"]},\"Action\":[\"sts:AssumeRole\"]}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) if role_response: assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' else: assert False, role_error role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) if response: assert response['ResponseMetadata']['HTTPStatusCode'] == 200 else: assert False, role_err - resp=sts_client.assume_role(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name) + resp = sts_client.assume_role( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_name = get_new_bucket_name() try: - s3bucket = s3_client.create_bucket(Bucket=bucket_name) + s3_client.create_bucket(Bucket=bucket_name) except ClientError as e: s3bucket_error = e.response.get("Error", {}).get("Code") assert s3bucket_error == 'AccessDenied' + @pytest.mark.test_of_sts @pytest.mark.fails_on_dbstore def test_assume_role_creds_expiry(): From a9cdc2b090e519f7c8d7cdd387b24c0a3b0d3a46 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:15:09 +0100 Subject: [PATCH 12/42] s3tests_boto3/functional/test_sts.py: test_assume_role_creds_expiry add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 53 +++++++++++++++++++--------- 1 file changed, 36 insertions(+), 17 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index c16554128..faecfab76 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -336,43 +336,62 @@ def test_assume_role_deny(): @pytest.mark.test_of_sts @pytest.mark.fails_on_dbstore def test_assume_role_creds_expiry(): - iam_client=get_iam_client() - sts_client=get_sts_client() - sts_user_id=get_alt_user_id() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + sts_user_id = get_alt_user_id() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/"+sts_user_id+"\"]},\"Action\":[\"sts:AssumeRole\"]}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) if role_response: assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' else: assert False, role_error role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) if response: assert response['ResponseMetadata']['HTTPStatusCode'] == 200 else: assert False, role_err - resp=sts_client.assume_role(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,DurationSeconds=900) + resp = sts_client.assume_role( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + DurationSeconds=900, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 time.sleep(900) - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_name = get_new_bucket_name() try: - s3bucket = s3_client.create_bucket(Bucket=bucket_name) + s3_client.create_bucket(Bucket=bucket_name) except ClientError as e: s3bucket_error = e.response.get("Error", {}).get("Code") - assert s3bucket_error == 'AccessDenied' + assert s3bucket_error == 'AccessDenied' + @pytest.mark.test_of_sts @pytest.mark.fails_on_dbstore From 9a6462b67ab85145561c443ecfffcc06a3f2fde0 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:17:01 +0100 Subject: [PATCH 13/42] s3tests_boto3/functional/test_sts.py: test_assume_role_deny_head_nonexistent add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 49 +++++++++++++++++++--------- 1 file changed, 34 insertions(+), 15 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index faecfab76..ff277b0f9 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -400,14 +400,22 @@ def test_assume_role_deny_head_nonexistent(): bucket_name = get_new_bucket_name() get_client().create_bucket(Bucket=bucket_name) - iam_client=get_iam_client() - sts_client=get_sts_client() - sts_user_id=get_alt_user_id() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + sts_user_id = get_alt_user_id() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() policy_document = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/'+sts_user_id+'"]},"Action":["sts:AssumeRole"]}]}' - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) if role_response: assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name else: @@ -415,28 +423,39 @@ def test_assume_role_deny_head_nonexistent(): # allow GetObject but deny ListBucket role_policy = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"s3:GetObject","Principal":"*","Resource":"arn:aws:s3:::*"}}' - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) if response: assert response['ResponseMetadata']['HTTPStatusCode'] == 200 else: assert False, role_err - resp=sts_client.assume_role(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name) + resp = sts_client.assume_role( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='') - status=200 + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) + status = 200 try: s3_client.head_object(Bucket=bucket_name, Key='nonexistent') except ClientError as e: status = e.response['ResponseMetadata']['HTTPStatusCode'] assert status == 403 + @pytest.mark.test_of_sts @pytest.mark.fails_on_dbstore def test_assume_role_allow_head_nonexistent(): From d58da9ff6337528bf0c4d794a3d7ddc218dde9af Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:18:24 +0100 Subject: [PATCH 14/42] s3tests_boto3/functional/test_sts.py: test_assume_role_allow_head_nonexistent add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 38 ++++++++++++++++++---------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index ff277b0f9..37ac09258 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -463,11 +463,11 @@ def test_assume_role_allow_head_nonexistent(): bucket_name = get_new_bucket_name() get_client().create_bucket(Bucket=bucket_name) - iam_client=get_iam_client() - sts_client=get_sts_client() - sts_user_id=get_alt_user_id() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + sts_user_id = get_alt_user_id() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() policy_document = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/'+sts_user_id+'"]},"Action":["sts:AssumeRole"]}]}' (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) @@ -478,22 +478,32 @@ def test_assume_role_allow_head_nonexistent(): # allow GetObject and ListBucket role_policy = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Principal":"*","Resource":"arn:aws:s3:::*"}}' - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) if response: assert response['ResponseMetadata']['HTTPStatusCode'] == 200 else: assert False, role_err - resp=sts_client.assume_role(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name) + resp = sts_client.assume_role( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='') - status=200 + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) + status = 200 try: s3_client.head_object(Bucket=bucket_name, Key='nonexistent') except ClientError as e: From c4d8795bcd8f07945511ce74d3dff813206a4654 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:20:34 +0100 Subject: [PATCH 15/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 65 ++++++++++++++++++---------- 1 file changed, 41 insertions(+), 24 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 37ac09258..84a8ddb62 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -516,53 +516,70 @@ def test_assume_role_allow_head_nonexistent(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - aud=get_aud() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + aud = get_aud() + token = get_token() + realm = get_realm_name() oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[thumbprint], ) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) if response: assert response['ResponseMetadata']['HTTPStatusCode'] == 200 else: assert False, role_err - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token) + resp=sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_name = get_new_bucket_name() s3bucket = s3_client.create_bucket(Bucket=bucket_name) assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bkt = s3_client.delete_bucket(Bucket=bucket_name) assert bkt['ResponseMetadata']['HTTPStatusCode'] == 204 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] + iam_client.delete_open_id_connect_provider( + OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"], ) + ''' @pytest.mark.webidentity_test def test_assume_role_with_web_identity_invalid_webtoken(): From 0bfb77dd3de6d56c35e831a1c4933def603f35e7 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:24:06 +0100 Subject: [PATCH 16/42] s3tests_boto3/functional/test_sts.py: test_session_policy_check_on_different_buckets add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 79 +++++++++++++++++----------- 1 file changed, 49 insertions(+), 30 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 84a8ddb62..ad2e41fa2 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -627,73 +627,92 @@ def test_assume_role_with_web_identity_invalid_webtoken(): # Session Policy Tests ####################### + @pytest.mark.webidentity_test @pytest.mark.session_policy @pytest.mark.fails_on_dbstore def test_session_policy_check_on_different_buckets(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - aud=get_aud() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + aud = get_aud() + token = get_token() + realm = get_realm_name() url = 'http://localhost:8080/auth/realms/{}'.format(realm) thumbprintlist = [thumbprint] - (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist) + oidc_arn, oidc_error = create_oidc_provider(iam_client, url, None, thumbprintlist) if oidc_error is not None: raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error)) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client,'/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy_new = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::test2\",\"arn:aws:s3:::test2/*\"]}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy_new) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy_new, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy) + resp=sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + Policy=session_policy, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_name_1 = 'test1' + s3bucket_error_1 = 'AccessGranted' try: - s3bucket = s3_client.create_bucket(Bucket=bucket_name_1) + s3_client.create_bucket(Bucket=bucket_name_1) except ClientError as e: - s3bucket_error = e.response.get("Error", {}).get("Code") - assert s3bucket_error == 'AccessDenied' + s3bucket_error_1 = e.response.get("Error", {}).get("Code") + assert s3bucket_error_1 == 'AccessDenied' + s3bucket_error_2 = 'AccessGranted' bucket_name_2 = 'test2' try: - s3bucket = s3_client.create_bucket(Bucket=bucket_name_2) + s3_client.create_bucket(Bucket=bucket_name_2) except ClientError as e: - s3bucket_error = e.response.get("Error", {}).get("Code") - assert s3bucket_error == 'AccessDenied' + s3bucket_error_2 = e.response.get("Error", {}).get("Code") + assert s3bucket_error_2 == 'AccessDenied' bucket_body = 'please-write-something' - #body.encode(encoding='utf_8') + s3_put_obj_error = 'BucketExists' try: - s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") + s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") except ClientError as e: s3_put_obj_error = e.response.get("Error", {}).get("Code") assert s3_put_obj_error == 'NoSuchBucket' - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_arn - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) @pytest.mark.webidentity_test From 5eb8fc822fc317be61478956d484254ea9e0e11a Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:26:18 +0100 Subject: [PATCH 17/42] s3tests_boto3/functional/test_sts.py: test_session_policy_check_on_same_bucket add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 61 ++++++++++++++++++---------- 1 file changed, 39 insertions(+), 22 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index ad2e41fa2..44c7c2446 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -720,28 +720,41 @@ def test_session_policy_check_on_different_buckets(): @pytest.mark.fails_on_dbstore def test_session_policy_check_on_same_bucket(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - aud=get_aud() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + aud = get_aud() + token = get_token() + realm = get_realm_name() url = 'http://localhost:8080/auth/realms/{}'.format(realm) thumbprintlist = [thumbprint] - (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist) + oidc_arn, oidc_error = create_oidc_provider(iam_client, url, None, thumbprintlist) if oidc_error is not None: raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error)) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy_new = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy_new) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy_new, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 s3_client_iam_creds = get_s3_client_using_iam_creds() @@ -752,24 +765,28 @@ def test_session_policy_check_on_same_bucket(): session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy) + resp=sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + Policy=session_policy, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_body = 'this is a test file' s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") assert s3_put_obj['ResponseMetadata']['HTTPStatusCode'] == 200 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_arn - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) @pytest.mark.webidentity_test From 17d56a8d71633fba82b677cd44f3e26859790a45 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:28:37 +0100 Subject: [PATCH 18/42] s3tests_boto3/functional/test_sts.py: test_session_policy_check_put_obj_denial add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 66 +++++++++++++++++----------- 1 file changed, 41 insertions(+), 25 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 44c7c2446..88e847c77 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -794,30 +794,41 @@ def test_session_policy_check_on_same_bucket(): @pytest.mark.fails_on_dbstore def test_session_policy_check_put_obj_denial(): check_webidentity() - iam_client=get_iam_client() - iam_access_key=get_iam_access_key() - iam_secret_key=get_iam_secret_key() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - aud=get_aud() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + aud = get_aud() + token = get_token() + realm = get_realm_name() url = 'http://localhost:8080/auth/realms/{}'.format(realm) thumbprintlist = [thumbprint] - (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist) + oidc_arn, oidc_error = create_oidc_provider(iam_client, url, None, thumbprintlist) if oidc_error is not None: raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error)) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy_new = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy_new) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy_new, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 s3_client_iam_creds = get_s3_client_using_iam_creds() @@ -828,27 +839,32 @@ def test_session_policy_check_put_obj_denial(): session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy) + resp=sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + Policy=session_policy, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_body = 'this is a test file' + s3_put_obj_error = "AccessGranted" try: - s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") + s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") except ClientError as e: s3_put_obj_error = e.response.get("Error", {}).get("Code") assert s3_put_obj_error == 'AccessDenied' - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_arn - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) @pytest.mark.webidentity_test From 3c9a60bb7e656a9882e63cc2cd7a42854243e87a Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:30:34 +0100 Subject: [PATCH 19/42] s3tests_boto3/functional/test_sts.py: test_swapping_role_policy_and_session_policy add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 64 +++++++++++++++++----------- 1 file changed, 40 insertions(+), 24 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 88e847c77..60f1a96df 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -872,30 +872,41 @@ def test_session_policy_check_put_obj_denial(): @pytest.mark.fails_on_dbstore def test_swapping_role_policy_and_session_policy(): check_webidentity() - iam_client=get_iam_client() - iam_access_key=get_iam_access_key() - iam_secret_key=get_iam_secret_key() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - aud=get_aud() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + aud = get_aud() + token = get_token() + realm = get_realm_name() url = 'http://localhost:8080/auth/realms/{}'.format(realm) thumbprintlist = [thumbprint] - (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist) + oidc_arn, oidc_error = create_oidc_provider(iam_client, url, None, thumbprintlist) if oidc_error is not None: raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error)) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy_new = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy_new) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy_new, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 s3_client_iam_creds = get_s3_client_using_iam_creds() @@ -906,23 +917,28 @@ def test_swapping_role_policy_and_session_policy(): session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}" - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + Policy=session_policy, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_body = 'this is a test file' s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") assert s3_put_obj['ResponseMetadata']['HTTPStatusCode'] == 200 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_arn - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) + @pytest.mark.webidentity_test @pytest.mark.session_policy From 6ab8caead314494fc82a6e229bf67d39cdbffbfb Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:32:40 +0100 Subject: [PATCH 20/42] s3tests_boto3/functional/test_sts.py: test_session_policy_check_different_op_permissions add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 66 +++++++++++++++++----------- 1 file changed, 41 insertions(+), 25 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 60f1a96df..748010a12 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -945,30 +945,41 @@ def test_swapping_role_policy_and_session_policy(): @pytest.mark.fails_on_dbstore def test_session_policy_check_different_op_permissions(): check_webidentity() - iam_client=get_iam_client() - iam_access_key=get_iam_access_key() - iam_secret_key=get_iam_secret_key() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - aud=get_aud() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + aud = get_aud() + token = get_token() + realm = get_realm_name() url = 'http://localhost:8080/auth/realms/{}'.format(realm) thumbprintlist = [thumbprint] - (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist) + oidc_arn, oidc_error = create_oidc_provider(iam_client, url, None, thumbprintlist) if oidc_error is not None: raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error)) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy_new = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy_new) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy_new, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 s3_client_iam_creds = get_s3_client_using_iam_creds() @@ -979,27 +990,32 @@ def test_session_policy_check_different_op_permissions(): session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + Policy=session_policy, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_body = 'this is a test file' + s3_put_obj_error = 'AccessGranted' try: - s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") + s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") except ClientError as e: s3_put_obj_error = e.response.get("Error", {}).get("Code") assert s3_put_obj_error == 'AccessDenied' - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_arn - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) @pytest.mark.webidentity_test From 5e44960d058576cdacb2b53cf93624131750035b Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:34:47 +0100 Subject: [PATCH 21/42] s3tests_boto3/functional/test_sts.py: test_session_policy_check_with_deny_effect add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 66 +++++++++++++++++----------- 1 file changed, 41 insertions(+), 25 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 748010a12..857c8794c 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -1023,30 +1023,41 @@ def test_session_policy_check_different_op_permissions(): @pytest.mark.fails_on_dbstore def test_session_policy_check_with_deny_effect(): check_webidentity() - iam_client=get_iam_client() - iam_access_key=get_iam_access_key() - iam_secret_key=get_iam_secret_key() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - aud=get_aud() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + aud = get_aud() + token = get_token() + realm = get_realm_name() url = 'http://localhost:8080/auth/realms/{}'.format(realm) thumbprintlist = [thumbprint] - (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist) + oidc_arn, oidc_error = create_oidc_provider(iam_client, url, None, thumbprintlist) if oidc_error is not None: raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error)) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy_new = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy_new) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy_new, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 s3_client_iam_creds = get_s3_client_using_iam_creds() @@ -1057,26 +1068,31 @@ def test_session_policy_check_with_deny_effect(): session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + Policy=session_policy, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_body = 'this is a test file' + s3_put_obj_error = 'AccessGranted' try: - s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") + s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") except ClientError as e: s3_put_obj_error = e.response.get("Error", {}).get("Code") assert s3_put_obj_error == 'AccessDenied' - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_arn - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) @pytest.mark.webidentity_test From 4799c91412bfc5249532ed28a903bb379bd43fa1 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:36:51 +0100 Subject: [PATCH 22/42] s3tests_boto3/functional/test_sts.py: test_session_policy_check_with_deny_on_same_op add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 67 +++++++++++++++++----------- 1 file changed, 42 insertions(+), 25 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 857c8794c..f50505870 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -1100,30 +1100,41 @@ def test_session_policy_check_with_deny_effect(): @pytest.mark.fails_on_dbstore def test_session_policy_check_with_deny_on_same_op(): check_webidentity() - iam_client=get_iam_client() - iam_access_key=get_iam_access_key() - iam_secret_key=get_iam_secret_key() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - aud=get_aud() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + aud = get_aud() + token = get_token() + realm = get_realm_name() url = 'http://localhost:8080/auth/realms/{}'.format(realm) thumbprintlist = [thumbprint] - (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist) + oidc_arn, oidc_error = create_oidc_provider(iam_client, url, None, thumbprintlist) if oidc_error is not None: raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error)) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy_new = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy_new) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy_new, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 s3_client_iam_creds = get_s3_client_using_iam_creds() @@ -1134,27 +1145,33 @@ def test_session_policy_check_with_deny_on_same_op(): session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Deny\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + Policy=session_policy, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_body = 'this is a test file' + s3_put_obj_error = 'AccessGranted' try: - s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") + s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") except ClientError as e: s3_put_obj_error = e.response.get("Error", {}).get("Code") assert s3_put_obj_error == 'AccessDenied' - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_arn - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) + @pytest.mark.webidentity_test @pytest.mark.session_policy From 340214f4a9aa7159bb231d0bc9e412e65e6584a7 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:39:00 +0100 Subject: [PATCH 23/42] s3tests_boto3/functional/test_sts.py: test_session_policy_bucket_policy_role_arn add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 64 ++++++++++++++++++---------- 1 file changed, 41 insertions(+), 23 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index f50505870..cc4c7f67c 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -1178,27 +1178,40 @@ def test_session_policy_check_with_deny_on_same_op(): @pytest.mark.fails_on_dbstore def test_session_policy_bucket_policy_role_arn(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - aud=get_aud() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + aud = get_aud() + token = get_token() + realm = get_realm_name() url = 'http://localhost:8080/auth/realms/{}'.format(realm) thumbprintlist = [thumbprint] - (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist) + oidc_arn, oidc_error = create_oidc_provider(iam_client, url, None, thumbprintlist) if oidc_error is not None: raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error)) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 s3client_iamcreds = get_s3_client_using_iam_creds() @@ -1225,29 +1238,34 @@ def test_session_policy_bucket_policy_role_arn(): s3client_iamcreds.put_bucket_policy(Bucket=bucket_name_1, Policy=bucket_policy) session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + Policy=session_policy, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_body = 'this is a test file' s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") assert s3_put_obj['ResponseMetadata']['HTTPStatusCode'] == 200 + s3object_error = 'AccessGranted' try: - obj = s3_client.get_object(Bucket=bucket_name_1, Key="test-1.txt") + s3_client.get_object(Bucket=bucket_name_1, Key="test-1.txt") except ClientError as e: s3object_error = e.response.get("Error", {}).get("Code") assert s3object_error == 'AccessDenied' - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_arn - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) @pytest.mark.webidentity_test @pytest.mark.session_policy From 4118b47bf91b9ef28a41d316e3ec57cc77331576 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:40:56 +0100 Subject: [PATCH 24/42] s3tests_boto3/functional/test_sts.py: test_session_policy_bucket_policy_session_arn add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 64 ++++++++++++++++++---------- 1 file changed, 41 insertions(+), 23 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index cc4c7f67c..e11101683 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -1267,32 +1267,46 @@ def test_session_policy_bucket_policy_role_arn(): iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) + @pytest.mark.webidentity_test @pytest.mark.session_policy @pytest.mark.fails_on_dbstore def test_session_policy_bucket_policy_session_arn(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - aud=get_aud() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + aud = get_aud() + token = get_token() + realm = get_realm_name() url = 'http://localhost:8080/auth/realms/{}'.format(realm) thumbprintlist = [thumbprint] - (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist) + oidc_arn, oidc_error = create_oidc_provider(iam_client, url, None, thumbprintlist) if oidc_error is not None: raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error)) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 s3client_iamcreds = get_s3_client_using_iam_creds() @@ -1319,27 +1333,31 @@ def test_session_policy_bucket_policy_session_arn(): s3client_iamcreds.put_bucket_policy(Bucket=bucket_name_1, Policy=bucket_policy) session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + Policy=session_policy, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_body = 'this is a test file' s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") assert s3_put_obj['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_get_obj = s3_client.get_object(Bucket=bucket_name_1, Key="test-1.txt") assert s3_get_obj['ResponseMetadata']['HTTPStatusCode'] == 200 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_arn - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) + @pytest.mark.webidentity_test @pytest.mark.session_policy From f9d64df2d682aea222c08d3fcb211ddf50321e90 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:43:13 +0100 Subject: [PATCH 25/42] s3tests_boto3/functional/test_sts.py: test_session_policy_copy_object add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 68 ++++++++++++++++++---------- 1 file changed, 43 insertions(+), 25 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index e11101683..c495c0ce3 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -1364,27 +1364,40 @@ def test_session_policy_bucket_policy_session_arn(): @pytest.mark.fails_on_dbstore def test_session_policy_copy_object(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - aud=get_aud() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + aud = get_aud() + token = get_token() + realm = get_realm_name() url = 'http://localhost:8080/auth/realms/{}'.format(realm) thumbprintlist = [thumbprint] - (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist) + oidc_arn, oidc_error = create_oidc_provider(iam_client, url, None, thumbprintlist) if oidc_error is not None: raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error)) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 s3client_iamcreds = get_s3_client_using_iam_creds() @@ -1395,7 +1408,7 @@ def test_session_policy_copy_object(): resource1 = "arn:aws:s3:::" + bucket_name_1 resource2 = "arn:aws:s3:::" + bucket_name_1 + "/*" rolesessionarn = "arn:aws:iam:::assumed-role/" + general_role_name + "/" + role_session_name - print (rolesessionarn) + print(rolesessionarn) bucket_policy = json.dumps( { "Version": "2012-10-17", @@ -1412,23 +1425,29 @@ def test_session_policy_copy_object(): s3client_iamcreds.put_bucket_policy(Bucket=bucket_name_1, Policy=bucket_policy) session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + Policy=session_policy, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_body = 'this is a test file' s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") assert s3_put_obj['ResponseMetadata']['HTTPStatusCode'] == 200 copy_source = { - 'Bucket': bucket_name_1, - 'Key': 'test-1.txt' + 'Bucket': bucket_name_1, + 'Key': 'test-1.txt' } s3_client.copy(copy_source, bucket_name_1, "test-2.txt") @@ -1436,9 +1455,8 @@ def test_session_policy_copy_object(): s3_get_obj = s3_client.get_object(Bucket=bucket_name_1, Key="test-2.txt") assert s3_get_obj['ResponseMetadata']['HTTPStatusCode'] == 200 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_arn - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) + @pytest.mark.webidentity_test @pytest.mark.session_policy From 9d95a6e73be8c7cd550052efbf575b134679a5e9 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:45:03 +0100 Subject: [PATCH 26/42] s3tests_boto3/functional/test_sts.py: test_session_policy_no_bucket_role_policy add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 58 +++++++++++++++++----------- 1 file changed, 36 insertions(+), 22 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index c495c0ce3..a8eeccc3e 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -1463,23 +1463,31 @@ def test_session_policy_copy_object(): @pytest.mark.fails_on_dbstore def test_session_policy_no_bucket_role_policy(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - aud=get_aud() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + aud = get_aud() + token = get_token() + realm = get_realm_name() url = 'http://localhost:8080/auth/realms/{}'.format(realm) thumbprintlist = [thumbprint] - (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist) + oidc_arn, oidc_error = create_oidc_provider(iam_client, url, None, thumbprintlist) if oidc_error is not None: raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error)) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' s3client_iamcreds = get_s3_client_using_iam_creds() @@ -1489,26 +1497,32 @@ def test_session_policy_no_bucket_role_policy(): session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\",\"s3:GetObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + Policy=session_policy, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_body = 'this is a test file' + s3putobj_error = 'AccessGranted' try: - s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") + s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") except ClientError as e: s3putobj_error = e.response.get("Error", {}).get("Code") assert s3putobj_error == 'AccessDenied' - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_arn - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) + @pytest.mark.webidentity_test @pytest.mark.session_policy From 30b976e1cd6d882c5fcf2f5a59474f764946fc30 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Fri, 6 Sep 2024 21:47:01 +0100 Subject: [PATCH 27/42] s3tests_boto3/functional/test_sts.py: test_session_policy_bucket_policy_deny add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 64 +++++++++++++++++----------- 1 file changed, 40 insertions(+), 24 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index a8eeccc3e..8d7174096 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -1529,27 +1529,40 @@ def test_session_policy_no_bucket_role_policy(): @pytest.mark.fails_on_dbstore def test_session_policy_bucket_policy_deny(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - aud=get_aud() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + aud = get_aud() + token = get_token() + realm = get_realm_name() url = 'http://localhost:8080/auth/realms/{}'.format(realm) thumbprintlist = [thumbprint] - (oidc_arn,oidc_error) = create_oidc_provider(iam_client, url, None, thumbprintlist) + oidc_arn, oidc_error = create_oidc_provider(iam_client, url, None, thumbprintlist) if oidc_error is not None: raise RuntimeError('Unable to create/get openid connect provider {}'.format(oidc_error)) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":[\"*\"]}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 s3client_iamcreds = get_s3_client_using_iam_creds() @@ -1576,27 +1589,30 @@ def test_session_policy_bucket_policy_deny(): s3client_iamcreds.put_bucket_policy(Bucket=bucket_name_1, Policy=bucket_policy) session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token,Policy=session_policy) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + Policy=session_policy, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id = resp['Credentials']['AccessKeyId'], + aws_secret_access_key = resp['Credentials']['SecretAccessKey'], + aws_session_token = resp['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_body = 'this is a test file' - + s3putobj_error = 'AccessGranted' try: - s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") + s3_client.put_object(Body=bucket_body, Bucket=bucket_name_1, Key="test-1.txt") except ClientError as e: s3putobj_error = e.response.get("Error", {}).get("Code") assert s3putobj_error == 'AccessDenied' - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_arn - ) @pytest.mark.webidentity_test @pytest.mark.token_claims_trust_policy_test From 7113f520605476086e3777202945ec5959392009 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Sun, 8 Sep 2024 21:21:43 +0100 Subject: [PATCH 28/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity_with_sub add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 57 ++++++++++++++++++---------- 1 file changed, 37 insertions(+), 20 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 8d7174096..8722c2931 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -1619,49 +1619,66 @@ def test_session_policy_bucket_policy_deny(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity_with_sub(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - sub=get_sub() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + sub = get_sub() + token = get_token() + realm = get_realm_name() oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[ + thumbprint, + ], ) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":sub\":\""+sub+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', + s3_client = boto3.client( + 's3', aws_access_key_id = resp['Credentials']['AccessKeyId'], aws_secret_access_key = resp['Credentials']['SecretAccessKey'], aws_session_token = resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', - ) + ) bucket_name = get_new_bucket_name() s3bucket = s3_client.create_bucket(Bucket=bucket_name) assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bkt = s3_client.delete_bucket(Bucket=bucket_name) assert bkt['ResponseMetadata']['HTTPStatusCode'] == 204 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]) + @pytest.mark.webidentity_test @pytest.mark.token_claims_trust_policy_test From 9282f3035eb64e31f89500104f9637b5337ea3b0 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Sun, 8 Sep 2024 21:25:20 +0100 Subject: [PATCH 29/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity_with_azp add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 63 ++++++++++++++++++---------- 1 file changed, 40 insertions(+), 23 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 8722c2931..3bdf8ceb2 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -1685,49 +1685,66 @@ def test_assume_role_with_web_identity_with_sub(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity_with_azp(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - azp=get_azp() - token=get_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + azp = get_azp() + token = get_token() + realm = get_realm_name() oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[ + thumbprint, + ], ) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":azp\":\""+azp+"\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=token) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + s3_client = boto3.client( + 's3', + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', - ) + ) bucket_name = get_new_bucket_name() s3bucket = s3_client.create_bucket(Bucket=bucket_name) assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bkt = s3_client.delete_bucket(Bucket=bucket_name) assert bkt['ResponseMetadata']['HTTPStatusCode'] == 204 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]) + @pytest.mark.webidentity_test @pytest.mark.abac_test From 84bc1ae83348320fe21f373234d29c4a005bf300 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Sun, 8 Sep 2024 21:27:23 +0100 Subject: [PATCH 30/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity_with_request_tag add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 61 ++++++++++++++++++---------- 1 file changed, 39 insertions(+), 22 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 3bdf8ceb2..223587200 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -1752,48 +1752,65 @@ def test_assume_role_with_web_identity_with_azp(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity_with_request_tag(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - user_token=get_user_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + user_token = get_user_token() + realm = get_realm_name() oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[ + thumbprint, + ], ) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\"}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=user_token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + s3_client = boto3.client( + 's3', + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', - ) + ) bucket_name = get_new_bucket_name() s3bucket = s3_client.create_bucket(Bucket=bucket_name) assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bkt = s3_client.delete_bucket(Bucket=bucket_name) assert bkt['ResponseMetadata']['HTTPStatusCode'] == 204 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]) + @pytest.mark.webidentity_test @pytest.mark.abac_test From e34cdf6e6d7102d7236f37f837fb28aa84b7b94a Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Sun, 8 Sep 2024 21:28:55 +0100 Subject: [PATCH 31/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity_with_principal_tag add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 61 ++++++++++++++++++---------- 1 file changed, 39 insertions(+), 22 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 223587200..846710db2 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -1818,48 +1818,65 @@ def test_assume_role_with_web_identity_with_request_tag(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity_with_principal_tag(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - user_token=get_user_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + user_token = get_user_token() + realm = get_realm_name() oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[ + thumbprint, + ], ) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"aws:PrincipalTag/Department\":\"Engineering\"}}}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=user_token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + s3_client = boto3.client( + 's3', + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', - ) + ) bucket_name = get_new_bucket_name() s3bucket = s3_client.create_bucket(Bucket=bucket_name) assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bkt = s3_client.delete_bucket(Bucket=bucket_name) assert bkt['ResponseMetadata']['HTTPStatusCode'] == 204 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]) + @pytest.mark.webidentity_test @pytest.mark.abac_test From 8658d04e82fe30ed8c9e1f8e8ff7205827dc4808 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Sun, 8 Sep 2024 21:31:06 +0100 Subject: [PATCH 32/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity_for_all_values add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 61 ++++++++++++++++++---------- 1 file changed, 39 insertions(+), 22 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 846710db2..3bc0820a3 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -1884,48 +1884,65 @@ def test_assume_role_with_web_identity_with_principal_tag(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity_for_all_values(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - user_token=get_user_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + user_token = get_user_token() + realm = get_realm_name() oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[ + thumbprint, + ], ) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"ForAllValues:StringEquals\":{\"aws:PrincipalTag/Department\":[\"Engineering\",\"Marketing\"]}}}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=user_token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + s3_client = boto3.client( + 's3', + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', - ) + ) bucket_name = get_new_bucket_name() s3bucket = s3_client.create_bucket(Bucket=bucket_name) assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bkt = s3_client.delete_bucket(Bucket=bucket_name) assert bkt['ResponseMetadata']['HTTPStatusCode'] == 204 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]) + @pytest.mark.webidentity_test @pytest.mark.abac_test From 9392283eca083b8dfb174d4cfe1472e1c4c07f8e Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Sun, 8 Sep 2024 21:32:58 +0100 Subject: [PATCH 33/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity_for_all_values_deny add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 66 ++++++++++++++++++---------- 1 file changed, 42 insertions(+), 24 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 3bc0820a3..55d33a557 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -1950,50 +1950,68 @@ def test_assume_role_with_web_identity_for_all_values(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity_for_all_values_deny(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - user_token=get_user_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + user_token = get_user_token() + realm = get_realm_name() oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[ + thumbprint, + ], ) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' - #ForAllValues: The condition returns true if every key value in the request matches at least one value in the policy + # ForAllValues: The condition returns true if every key value in the request matches at least one value in the policy role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"ForAllValues:StringEquals\":{\"aws:PrincipalTag/Department\":[\"Engineering\"]}}}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=user_token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + s3_client = boto3.client( + 's3', + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', - ) + ) bucket_name = get_new_bucket_name() + s3bucket_error = 'AccessGranted' try: - s3bucket = s3_client.create_bucket(Bucket=bucket_name) + s3_client.create_bucket(Bucket=bucket_name) except ClientError as e: s3bucket_error = e.response.get("Error", {}).get("Code") assert s3bucket_error == 'AccessDenied' - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]) + @pytest.mark.webidentity_test @pytest.mark.abac_test From e667b58482e1993ee597569425bc5fea5286c29e Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Mon, 9 Sep 2024 12:27:15 +0100 Subject: [PATCH 34/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity_tag_keys_trust_policy add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 61 ++++++++++++++++++---------- 1 file changed, 39 insertions(+), 22 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 55d33a557..4f498f81b 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -2019,48 +2019,65 @@ def test_assume_role_with_web_identity_for_all_values_deny(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity_tag_keys_trust_policy(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - user_token=get_user_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + user_token = get_user_token() + realm = get_realm_name() oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[ + thumbprint, + ], ) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:TagKeys\":\"Department\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"ForAnyValue:StringEquals\":{\"aws:PrincipalTag/Department\":[\"Engineering\"]}}}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token) + resp=sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=user_token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + s3_client = boto3.client( + 's3', + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', - ) + ) bucket_name = get_new_bucket_name() s3bucket = s3_client.create_bucket(Bucket=bucket_name) assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bkt = s3_client.delete_bucket(Bucket=bucket_name) assert bkt['ResponseMetadata']['HTTPStatusCode'] == 204 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]) + @pytest.mark.webidentity_test @pytest.mark.abac_test From 70ec15c846baa4fae6b62067b7d1fa84981653a2 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Mon, 9 Sep 2024 12:28:46 +0100 Subject: [PATCH 35/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity_tag_keys_role_policy add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 61 ++++++++++++++++++---------- 1 file changed, 39 insertions(+), 22 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 4f498f81b..720c6dc4d 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -2085,48 +2085,65 @@ def test_assume_role_with_web_identity_tag_keys_trust_policy(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity_tag_keys_role_policy(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - user_token=get_user_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + user_token = get_user_token() + realm = get_realm_name() oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[ + thumbprint, + ], ) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"aws:TagKeys\":[\"Department\"]}}}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=user_token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + s3_client = boto3.client( + 's3', + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', - ) + ) bucket_name = get_new_bucket_name() s3bucket = s3_client.create_bucket(Bucket=bucket_name) assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bkt = s3_client.delete_bucket(Bucket=bucket_name) assert bkt['ResponseMetadata']['HTTPStatusCode'] == 204 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]) + @pytest.mark.webidentity_test @pytest.mark.abac_test From 86b5d3b0600411beabef6912eab33f325f09654c Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Mon, 9 Sep 2024 12:30:56 +0100 Subject: [PATCH 36/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity_resource_tag add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 79 +++++++++++++++++++--------- 1 file changed, 54 insertions(+), 25 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 720c6dc4d..416f20776 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -2151,13 +2151,13 @@ def test_assume_role_with_web_identity_tag_keys_role_policy(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity_resource_tag(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - user_token=get_user_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + user_token = get_user_token() + realm = get_realm_name() s3_res_iam_creds = get_s3_resource_using_iam_creds() @@ -2168,41 +2168,70 @@ def test_assume_role_with_web_identity_resource_tag(): assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bucket_tagging = s3_res_iam_creds.BucketTagging(bucket_name) - Set_Tag = bucket_tagging.put(Tagging={'TagSet':[{'Key':'Department', 'Value': 'Engineering'},{'Key':'Department', 'Value': 'Marketing'}]}) + bucket_tagging.put( + Tagging={ + 'TagSet': [ + { + 'Key': 'Department', + 'Value': 'Engineering', + }, + { + 'Key': 'Department', + 'Value': 'Marketing', + }, + ], + }, + ) oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[ + thumbprint, + ], ) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"s3:ResourceTag/Department\":[\"Engineering\"]}}}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token) + resp=sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=user_token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + s3_client = boto3.client( + 's3', + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', - ) + ) - bucket_body = 'this is a test file' - s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name, Key="test-1.txt") + s3_put_obj = s3_client.put_object(Body='this is a test file', Bucket=bucket_name, Key="test-1.txt") assert s3_put_obj['ResponseMetadata']['HTTPStatusCode'] == 200 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]) + @pytest.mark.webidentity_test @pytest.mark.abac_test From c4b989fbce471fd4ae88964876a1a41ff43506c6 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Mon, 9 Sep 2024 12:32:53 +0100 Subject: [PATCH 37/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity_resource_tag_deny add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 65 ++++++++++++++++++---------- 1 file changed, 41 insertions(+), 24 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 416f20776..50c4e6ad8 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -2239,13 +2239,13 @@ def test_assume_role_with_web_identity_resource_tag(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity_resource_tag_deny(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - user_token=get_user_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + user_token = get_user_token() + realm = get_realm_name() s3_res_iam_creds = get_s3_resource_using_iam_creds() @@ -2256,41 +2256,58 @@ def test_assume_role_with_web_identity_resource_tag_deny(): assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[ + thumbprint, + ], ) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"s3:ResourceTag/Department\":[\"Engineering\"]}}}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=user_token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + s3_client = boto3.client( + 's3', + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', - ) + ) - bucket_body = 'this is a test file' + s3_put_obj_error = 'AccessGranted' try: - s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name, Key="test-1.txt") + s3_client.put_object(Body='this is a test file', Bucket=bucket_name, Key="test-1.txt") except ClientError as e: s3_put_obj_error = e.response.get("Error", {}).get("Code") assert s3_put_obj_error == 'AccessDenied' - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]) + @pytest.mark.webidentity_test @pytest.mark.abac_test From da3e0c17c767c24fcd452330652eccbd9730a99d Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Mon, 9 Sep 2024 12:35:15 +0100 Subject: [PATCH 38/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity_wrong_resource_tag_deny add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 76 +++++++++++++++++++--------- 1 file changed, 51 insertions(+), 25 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 50c4e6ad8..1f60ec518 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -2315,13 +2315,13 @@ def test_assume_role_with_web_identity_resource_tag_deny(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity_wrong_resource_tag_deny(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - user_token=get_user_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + user_token = get_user_token() + realm = get_realm_name() s3_res_iam_creds = get_s3_resource_using_iam_creds() @@ -2332,44 +2332,70 @@ def test_assume_role_with_web_identity_wrong_resource_tag_deny(): assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bucket_tagging = s3_res_iam_creds.BucketTagging(bucket_name) - Set_Tag = bucket_tagging.put(Tagging={'TagSet':[{'Key':'Department', 'Value': 'WrongResourcetag'}]}) + bucket_tagging.put(Tagging= + { + 'TagSet': [ + { + 'Key': 'Department', + 'Value': 'WrongResourcetag', + }, + ], + }, + ) oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[ + thumbprint, + ], ) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"s3:ResourceTag/Department\":[\"Engineering\"]}}}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy( + iam_client, + general_role_name, + None, + role_policy, + ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=user_token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + s3_client = boto3.client( + 's3', + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', - ) + ) - bucket_body = 'this is a test file' + s3_put_obj_error = 'AccessGranted' try: - s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name, Key="test-1.txt") + s3_client.put_object(Body='this is a test file', Bucket=bucket_name, Key="test-1.txt") except ClientError as e: s3_put_obj_error = e.response.get("Error", {}).get("Code") assert s3_put_obj_error == 'AccessDenied' - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]) + @pytest.mark.webidentity_test @pytest.mark.abac_test From c5b4477cffb8267d92c5fc757683328c6d05bb04 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Mon, 9 Sep 2024 12:37:21 +0100 Subject: [PATCH 39/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity_resource_tag_princ_tag add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 67 ++++++++++++++++++---------- 1 file changed, 44 insertions(+), 23 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 1f60ec518..570ed7bb3 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -2403,13 +2403,13 @@ def test_assume_role_with_web_identity_wrong_resource_tag_deny(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity_resource_tag_princ_tag(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - user_token=get_user_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + user_token = get_user_token() + realm = get_realm_name() s3_res_iam_creds = get_s3_resource_using_iam_creds() @@ -2420,33 +2420,55 @@ def test_assume_role_with_web_identity_resource_tag_princ_tag(): assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bucket_tagging = s3_res_iam_creds.BucketTagging(bucket_name) - Set_Tag = bucket_tagging.put(Tagging={'TagSet':[{'Key':'Department', 'Value': 'Engineering'}]}) + bucket_tagging.put(Tagging= + { + 'TagSet': [ + { + 'Key': 'Department', + 'Value': 'Engineering', + }, + ], + }, + ) oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[ + thumbprint, + ], ) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"s3:ResourceTag/Department\":[\"${aws:PrincipalTag/Department}\"]}}}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy(iam_client, general_role_name, None, role_policy) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=user_token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + s3_client = boto3.client( + 's3', + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', - ) + ) bucket_body = 'this is a test file' tags = 'Department=Engineering&Department=Marketing' @@ -2457,9 +2479,8 @@ def test_assume_role_with_web_identity_resource_tag_princ_tag(): s3_get_obj = s3_client.get_object(Bucket=bucket_name, Key=key) assert s3_get_obj['ResponseMetadata']['HTTPStatusCode'] == 200 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]) + @pytest.mark.webidentity_test @pytest.mark.abac_test From d94bd938a63aa7c87bb328122ac648a06d420e4f Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Mon, 9 Sep 2024 12:39:53 +0100 Subject: [PATCH 40/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity_resource_tag_copy_obj add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 92 ++++++++++++++++++---------- 1 file changed, 61 insertions(+), 31 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 570ed7bb3..f61bbaa2a 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -2488,58 +2488,89 @@ def test_assume_role_with_web_identity_resource_tag_princ_tag(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity_resource_tag_copy_obj(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - user_token=get_user_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + user_token = get_user_token() + realm = get_realm_name() s3_res_iam_creds = get_s3_resource_using_iam_creds() s3_client_iam_creds = s3_res_iam_creds.meta.client - #create two buckets and add same tags to both + # create two buckets and add same tags to both bucket_name = get_new_bucket_name() s3bucket = s3_client_iam_creds.create_bucket(Bucket=bucket_name) assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bucket_tagging = s3_res_iam_creds.BucketTagging(bucket_name) - Set_Tag = bucket_tagging.put(Tagging={'TagSet':[{'Key':'Department', 'Value': 'Engineering'}]}) + bucket_tagging.put(Tagging= + { + 'TagSet': [ + { + 'Key': 'Department', + 'Value': 'Engineering', + }, + ], + }, + ) copy_bucket_name = get_new_bucket_name() s3bucket = s3_client_iam_creds.create_bucket(Bucket=copy_bucket_name) assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bucket_tagging = s3_res_iam_creds.BucketTagging(copy_bucket_name) - Set_Tag = bucket_tagging.put(Tagging={'TagSet':[{'Key':'Department', 'Value': 'Engineering'}]}) + bucket_tagging.put(Tagging= + { + 'TagSet': [ + { + 'Key': 'Department', + 'Value': 'Engineering', + }, + ], + }, + ) oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[ + thumbprint, + ], ) policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"aws:RequestTag/Department\":\"Engineering\"}}}]}" - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"s3:ResourceTag/Department\":[\"${aws:PrincipalTag/Department}\"]}}}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy(iam_client, general_role_name, None, role_policy) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token) + resp=sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=user_token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + s3_client = boto3.client( + 's3', + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', - ) + ) bucket_body = 'this is a test file' tags = 'Department=Engineering' @@ -2547,10 +2578,10 @@ def test_assume_role_with_web_identity_resource_tag_copy_obj(): s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name, Key=key, Tagging=tags) assert s3_put_obj['ResponseMetadata']['HTTPStatusCode'] == 200 - #copy to same bucket + # copy to same bucket copy_source = { - 'Bucket': bucket_name, - 'Key': 'test-1.txt' + 'Bucket': bucket_name, + 'Key': 'test-1.txt' } s3_client.copy(copy_source, bucket_name, "test-2.txt") @@ -2558,10 +2589,10 @@ def test_assume_role_with_web_identity_resource_tag_copy_obj(): s3_get_obj = s3_client.get_object(Bucket=bucket_name, Key="test-2.txt") assert s3_get_obj['ResponseMetadata']['HTTPStatusCode'] == 200 - #copy to another bucket + # copy to another bucket copy_source = { - 'Bucket': bucket_name, - 'Key': 'test-1.txt' + 'Bucket': bucket_name, + 'Key': 'test-1.txt' } s3_client.copy(copy_source, copy_bucket_name, "test-1.txt") @@ -2569,9 +2600,8 @@ def test_assume_role_with_web_identity_resource_tag_copy_obj(): s3_get_obj = s3_client.get_object(Bucket=copy_bucket_name, Key="test-1.txt") assert s3_get_obj['ResponseMetadata']['HTTPStatusCode'] == 200 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]) + @pytest.mark.webidentity_test @pytest.mark.abac_test From 0db9bdc11a4943d4f97ee963614421133c201538 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Mon, 9 Sep 2024 12:42:31 +0100 Subject: [PATCH 41/42] s3tests_boto3/functional/test_sts.py: test_assume_role_with_web_identity_resource_tag add whitespaces, use correct ident level, remove unusued variables Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 88 +++++++++++++++++++--------- 1 file changed, 59 insertions(+), 29 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index f61bbaa2a..9288ddadd 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -2609,13 +2609,13 @@ def test_assume_role_with_web_identity_resource_tag_copy_obj(): @pytest.mark.fails_on_dbstore def test_assume_role_with_web_identity_role_resource_tag(): check_webidentity() - iam_client=get_iam_client() - sts_client=get_sts_client() - default_endpoint=get_config_endpoint() - role_session_name=get_parameter_name() - thumbprint=get_thumbprint() - user_token=get_user_token() - realm=get_realm_name() + iam_client = get_iam_client() + sts_client = get_sts_client() + default_endpoint = get_config_endpoint() + role_session_name = get_parameter_name() + thumbprint = get_thumbprint() + user_token = get_user_token() + realm = get_realm_name() s3_res_iam_creds = get_s3_resource_using_iam_creds() @@ -2626,44 +2626,74 @@ def test_assume_role_with_web_identity_role_resource_tag(): assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bucket_tagging = s3_res_iam_creds.BucketTagging(bucket_name) - Set_Tag = bucket_tagging.put(Tagging={'TagSet':[{'Key':'Department', 'Value': 'Engineering'},{'Key':'Department', 'Value': 'Marketing'}]}) + bucket_tagging.put(Tagging= + { + 'TagSet': [ + { + 'Key': 'Department', + 'Value': 'Engineering', + }, + { + 'Key': 'Department', + 'Value': 'Marketing', + }, + ], + }, + ) oidc_response = iam_client.create_open_id_connect_provider( - Url='http://localhost:8080/auth/realms/{}'.format(realm), - ThumbprintList=[ - thumbprint, - ], + Url='http://localhost:8080/auth/realms/{}'.format(realm), + ThumbprintList=[ + thumbprint, + ], ) - #iam:ResourceTag refers to the tag attached to role, hence the role is allowed to be assumed only when it has a tag matching the policy. + # iam:ResourceTag refers to the tag attached to role, hence the role is allowed to be assumed only when it has a tag matching the policy. policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_response["OpenIDConnectProviderArn"]+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\",\"sts:TagSession\"],\"Condition\":{\"StringEquals\":{\"iam:ResourceTag/Department\":\"Engineering\"}}}]}" tags_list = [ - {'Key':'Department','Value':'Engineering'}, - {'Key':'Department','Value':'Marketing'} - ] + { + 'Key': 'Department', + 'Value': 'Engineering', + }, + { + 'Key': 'Department', + 'Value': 'Marketing', + }, + ] - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None,tags_list) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + tags_list, + ) assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name+'' role_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::*\",\"Condition\":{\"StringEquals\":{\"s3:ResourceTag/Department\":[\"Engineering\"]}}}}" - (role_err,response)=put_role_policy(iam_client,general_role_name,None,role_policy) + role_err, response = put_role_policy(iam_client, general_role_name, None, role_policy) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity(RoleArn=role_response['Role']['Arn'],RoleSessionName=role_session_name,WebIdentityToken=user_token) + resp = sts_client.assume_role_with_web_identity( + RoleArn=role_response['Role']['Arn'], + RoleSessionName=role_session_name, + WebIdentityToken=user_token, + ) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client = boto3.client('s3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + s3_client = boto3.client( + 's3', + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', - ) + ) - bucket_body = 'this is a test file' - s3_put_obj = s3_client.put_object(Body=bucket_body, Bucket=bucket_name, Key="test-1.txt") + s3_put_obj = s3_client.put_object(Body='this is a test file', Bucket=bucket_name, Key="test-1.txt") assert s3_put_obj['ResponseMetadata']['HTTPStatusCode'] == 200 - oidc_remove=iam_client.delete_open_id_connect_provider( - OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"] - ) + iam_client.delete_open_id_connect_provider(OpenIDConnectProviderArn=oidc_response["OpenIDConnectProviderArn"]) From 575a0ff37dbd10328403635505ef7606ad704959 Mon Sep 17 00:00:00 2001 From: Rostyslav Khudov Date: Mon, 9 Sep 2024 12:52:30 +0100 Subject: [PATCH 42/42] s3tests_boto3/functional/test_sts.py: fix pep missing warnings Signed-off-by: Rostyslav Khudov --- s3tests_boto3/functional/test_sts.py | 308 ++++++++++++++------------- 1 file changed, 157 insertions(+), 151 deletions(-) diff --git a/s3tests_boto3/functional/test_sts.py b/s3tests_boto3/functional/test_sts.py index 9288ddadd..89d02a94b 100644 --- a/s3tests_boto3/functional/test_sts.py +++ b/s3tests_boto3/functional/test_sts.py @@ -5,7 +5,7 @@ import time import logging -from . import( +from . import ( get_iam_client, get_sts_client, get_client, @@ -59,10 +59,10 @@ def create_role( def put_role_policy(iam_client, rolename, policyname, role_policy): - role_err=None + role_err = None role_response = None if policyname is None: - policyname=get_parameter_name() + policyname = get_parameter_name() try: role_response = iam_client.put_role_policy( RoleName=rolename, @@ -75,7 +75,7 @@ def put_role_policy(iam_client, rolename, policyname, role_policy): def put_user_policy(iam_client, username, policyname, policy_document): - role_err=None + role_err = None role_response = None if policyname is None: policyname = get_parameter_name() @@ -105,7 +105,7 @@ def create_oidc_provider(iam_client, url, clientidlist, thumbprintlist): oidc_error = None clientids = [] if clientidlist is None: - clientidlist=clientids + clientidlist = clientids try: oidc_response = iam_client.create_open_id_connect_provider( Url=url, @@ -113,13 +113,13 @@ def create_oidc_provider(iam_client, url, clientidlist, thumbprintlist): ThumbprintList=thumbprintlist, ) oidc_arn = oidc_response['OpenIDConnectProviderArn'] - print (oidc_arn) + print(oidc_arn) except ClientError as e: oidc_error = e.response['Code'] - print (oidc_error) + print(oidc_error) try: oidc_error = None - print (url) + print(url) if url.startswith('http://'): url = url[len('http://'):] elif url.startswith('https://'): @@ -127,8 +127,8 @@ def create_oidc_provider(iam_client, url, clientidlist, thumbprintlist): elif url.startswith('www.'): url = url[len('www.'):] oidc_arn = 'arn:aws:iam:::oidc-provider/{}'.format(url) - print (url) - print (oidc_arn) + print(url) + print(oidc_arn) iam_client.get_open_id_connect_provider(OpenIDConnectProviderArn=oidc_arn) except ClientError: oidc_arn = None @@ -155,7 +155,7 @@ def test_get_session_token(): default_endpoint = get_config_endpoint() user_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":[\"*\"],\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}},{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}}]}" - resp_err,resp, policy_name = put_user_policy( + resp_err, resp, policy_name = put_user_policy( iam_client, sts_user_id, None, @@ -166,11 +166,11 @@ def test_get_session_token(): response = sts_client.get_session_token() assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client=boto3.client( + s3_client = boto3.client( 's3', - aws_access_key_id = response['Credentials']['AccessKeyId'], - aws_secret_access_key = response['Credentials']['SecretAccessKey'], - aws_session_token = response['Credentials']['SessionToken'], + aws_access_key_id=response['Credentials']['AccessKeyId'], + aws_secret_access_key=response['Credentials']['SecretAccessKey'], + aws_session_token=response['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -180,41 +180,42 @@ def test_get_session_token(): assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 s3_client.delete_bucket(Bucket=bucket_name) finally: # clean up user policy even if create_bucket/delete_bucket fails - iam_client.delete_user_policy(UserName=sts_user_id,PolicyName=policy_name) + iam_client.delete_user_policy(UserName=sts_user_id, PolicyName=policy_name) @pytest.mark.test_of_sts @pytest.mark.fails_on_dbstore def test_get_session_token_permanent_creds_denied(): - s3bucket_error=None - iam_client=get_iam_client() - sts_client=get_sts_client() - sts_user_id=get_alt_user_id() - default_endpoint=get_config_endpoint() - s3_main_access_key=get_main_aws_access_key() - s3_main_secret_key=get_main_aws_secret_key() + s3bucket_error = None + iam_client = get_iam_client() + sts_client = get_sts_client() + sts_user_id = get_alt_user_id() + default_endpoint = get_config_endpoint() + s3_main_access_key = get_main_aws_access_key() + s3_main_secret_key = get_main_aws_secret_key() user_policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":[\"*\"],\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}},{\"Effect\":\"Allow\",\"Action\":\"sts:GetSessionToken\",\"Resource\":\"*\",\"Condition\":{\"BoolIfExists\":{\"sts:authentication\":\"false\"}}}]}" - (resp_err,resp,policy_name)=put_user_policy(iam_client,sts_user_id,None,user_policy) + resp_err, resp, policy_name = put_user_policy(iam_client, sts_user_id, None, user_policy) assert resp['ResponseMetadata']['HTTPStatusCode'] == 200 - response=sts_client.get_session_token() + response = sts_client.get_session_token() assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - s3_client=boto3.client('s3', - aws_access_key_id = s3_main_access_key, - aws_secret_access_key = s3_main_secret_key, - aws_session_token = response['Credentials']['SessionToken'], - endpoint_url=default_endpoint, - region_name='', - ) + s3_client = boto3.client( + 's3', + aws_access_key_id=s3_main_access_key, + aws_secret_access_key=s3_main_secret_key, + aws_session_token=response['Credentials']['SessionToken'], + endpoint_url=default_endpoint, + region_name='', + ) bucket_name = get_new_bucket_name() try: - s3bucket = s3_client.create_bucket(Bucket=bucket_name) + s3_client.create_bucket(Bucket=bucket_name) except ClientError as e: s3bucket_error = e.response.get("Error", {}).get("Code") assert s3bucket_error == 'AccessDenied' - iam_client.delete_user_policy(UserName=sts_user_id,PolicyName=policy_name) + iam_client.delete_user_policy(UserName=sts_user_id, PolicyName=policy_name) @pytest.mark.test_of_sts @@ -319,9 +320,9 @@ def test_assume_role_deny(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -379,9 +380,9 @@ def test_assume_role_creds_expiry(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -442,9 +443,9 @@ def test_assume_role_deny_head_nonexistent(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -470,7 +471,15 @@ def test_assume_role_allow_head_nonexistent(): role_session_name = get_parameter_name() policy_document = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["arn:aws:iam:::user/'+sts_user_id+'"]},"Action":["sts:AssumeRole"]}]}' - (role_error,role_response,general_role_name)=create_role(iam_client,'/',None,policy_document,None,None,None) + role_error, role_response, general_role_name = create_role( + iam_client, + '/', + None, + policy_document, + None, + None, + None, + ) if role_response: assert role_response['Role']['Arn'] == 'arn:aws:iam:::role/'+general_role_name else: @@ -497,9 +506,9 @@ def test_assume_role_allow_head_nonexistent(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -554,7 +563,7 @@ def test_assume_role_with_web_identity(): else: assert False, role_err - resp=sts_client.assume_role_with_web_identity( + resp = sts_client.assume_role_with_web_identity( RoleArn=role_response['Role']['Arn'], RoleSessionName=role_session_name, WebIdentityToken=token, @@ -563,9 +572,9 @@ def test_assume_role_with_web_identity(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -650,7 +659,8 @@ def test_session_policy_check_on_different_buckets(): policy_document = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Federated\":[\""+oidc_arn+"\"]},\"Action\":[\"sts:AssumeRoleWithWebIdentity\"],\"Condition\":{\"StringEquals\":{\"localhost:8080/auth/realms/"+realm+":app_id\":\""+aud+"\"}}}]}" role_error, role_response, general_role_name = create_role( - iam_client,'/', + iam_client, + '/', None, policy_document, None, @@ -671,7 +681,7 @@ def test_session_policy_check_on_different_buckets(): session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - resp=sts_client.assume_role_with_web_identity( + resp = sts_client.assume_role_with_web_identity( RoleArn=role_response['Role']['Arn'], RoleSessionName=role_session_name, WebIdentityToken=token, @@ -681,9 +691,9 @@ def test_session_policy_check_on_different_buckets(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -765,7 +775,7 @@ def test_session_policy_check_on_same_bucket(): session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - resp=sts_client.assume_role_with_web_identity( + resp = sts_client.assume_role_with_web_identity( RoleArn=role_response['Role']['Arn'], RoleSessionName=role_session_name, WebIdentityToken=token, @@ -775,9 +785,9 @@ def test_session_policy_check_on_same_bucket(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -839,7 +849,7 @@ def test_session_policy_check_put_obj_denial(): session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" - resp=sts_client.assume_role_with_web_identity( + resp = sts_client.assume_role_with_web_identity( RoleArn=role_response['Role']['Arn'], RoleSessionName=role_session_name, WebIdentityToken=token, @@ -849,9 +859,9 @@ def test_session_policy_check_put_obj_denial(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -927,9 +937,9 @@ def test_swapping_role_policy_and_session_policy(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -1000,9 +1010,9 @@ def test_session_policy_check_different_op_permissions(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -1078,9 +1088,9 @@ def test_session_policy_check_with_deny_effect(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -1155,9 +1165,9 @@ def test_session_policy_check_with_deny_on_same_op(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -1222,18 +1232,18 @@ def test_session_policy_bucket_policy_role_arn(): resource1 = "arn:aws:s3:::" + bucket_name_1 resource2 = "arn:aws:s3:::" + bucket_name_1 + "/*" rolearn = "arn:aws:iam:::role/" + general_role_name - bucket_policy = json.dumps( - { + bucket_policy = json.dumps({ "Version": "2012-10-17", - "Statement": [{ - "Effect": "Allow", - "Principal": {"AWS": "{}".format(rolearn)}, - "Action": ["s3:GetObject","s3:PutObject"], - "Resource": [ - "{}".format(resource1), - "{}".format(resource2) - ] - }] + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "{}".format(rolearn), + }, + "Action": ["s3:GetObject", "s3:PutObject"], + "Resource": ["{}".format(resource1), "{}".format(resource2)], + }, + ], }) s3client_iamcreds.put_bucket_policy(Bucket=bucket_name_1, Policy=bucket_policy) session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" @@ -1248,9 +1258,9 @@ def test_session_policy_bucket_policy_role_arn(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -1317,18 +1327,18 @@ def test_session_policy_bucket_policy_session_arn(): resource1 = "arn:aws:s3:::" + bucket_name_1 resource2 = "arn:aws:s3:::" + bucket_name_1 + "/*" rolesessionarn = "arn:aws:iam:::assumed-role/" + general_role_name + "/" + role_session_name - bucket_policy = json.dumps( - { + bucket_policy = json.dumps({ "Version": "2012-10-17", - "Statement": [{ - "Effect": "Allow", - "Principal": {"AWS": "{}".format(rolesessionarn)}, - "Action": ["s3:GetObject","s3:PutObject"], - "Resource": [ - "{}".format(resource1), - "{}".format(resource2) - ] - }] + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "{}".format(rolesessionarn), + }, + "Action": ["s3:GetObject", "s3:PutObject"], + "Resource": ["{}".format(resource1), "{}".format(resource2)], + }, + ], }) s3client_iamcreds.put_bucket_policy(Bucket=bucket_name_1, Policy=bucket_policy) session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" @@ -1343,9 +1353,9 @@ def test_session_policy_bucket_policy_session_arn(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -1409,18 +1419,18 @@ def test_session_policy_copy_object(): resource2 = "arn:aws:s3:::" + bucket_name_1 + "/*" rolesessionarn = "arn:aws:iam:::assumed-role/" + general_role_name + "/" + role_session_name print(rolesessionarn) - bucket_policy = json.dumps( - { + bucket_policy = json.dumps({ "Version": "2012-10-17", - "Statement": [{ - "Effect": "Allow", - "Principal": {"AWS": "{}".format(rolesessionarn)}, - "Action": ["s3:GetObject","s3:PutObject"], - "Resource": [ - "{}".format(resource1), - "{}".format(resource2) - ] - }] + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "{}".format(rolesessionarn), + }, + "Action": ["s3:GetObject", "s3:PutObject"], + "Resource": ["{}".format(resource1), "{}".format(resource2)], + }, + ], }) s3client_iamcreds.put_bucket_policy(Bucket=bucket_name_1, Policy=bucket_policy) session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" @@ -1435,9 +1445,9 @@ def test_session_policy_copy_object(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -1507,9 +1517,9 @@ def test_session_policy_no_bucket_role_policy(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -1573,18 +1583,19 @@ def test_session_policy_bucket_policy_deny(): resource1 = "arn:aws:s3:::" + bucket_name_1 resource2 = "arn:aws:s3:::" + bucket_name_1 + "/*" rolesessionarn = "arn:aws:iam:::assumed-role/" + general_role_name + "/" + role_session_name - bucket_policy = json.dumps( - { + bucket_policy = json.dumps({ "Version": "2012-10-17", - "Statement": [{ - "Effect": "Deny", - "Principal": {"AWS": "{}".format(rolesessionarn)}, - "Action": ["s3:GetObject","s3:PutObject"], - "Resource": [ - "{}".format(resource1), - "{}".format(resource2) - ] - }] + "Statement": [ + { + "Effect": "Deny", + "Principal": {"AWS": "{}".format(rolesessionarn)}, + "Action": ["s3:GetObject", "s3:PutObject"], + "Resource": [ + "{}".format(resource1), + "{}".format(resource2), + ], + }, + ], }) s3client_iamcreds.put_bucket_policy(Bucket=bucket_name_1, Policy=bucket_policy) session_policy = "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":[\"s3:PutObject\"],\"Resource\":[\"arn:aws:s3:::test1\",\"arn:aws:s3:::test1/*\"]}}" @@ -1599,9 +1610,9 @@ def test_session_policy_bucket_policy_deny(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -1665,9 +1676,9 @@ def test_assume_role_with_web_identity_with_sub(): s3_client = boto3.client( 's3', - aws_access_key_id = resp['Credentials']['AccessKeyId'], - aws_secret_access_key = resp['Credentials']['SecretAccessKey'], - aws_session_token = resp['Credentials']['SessionToken'], + aws_access_key_id=resp['Credentials']['AccessKeyId'], + aws_secret_access_key=resp['Credentials']['SecretAccessKey'], + aws_session_token=resp['Credentials']['SessionToken'], endpoint_url=default_endpoint, region_name='', ) @@ -2055,7 +2066,7 @@ def test_assume_role_with_web_identity_tag_keys_trust_policy(): ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity( + resp = sts_client.assume_role_with_web_identity( RoleArn=role_response['Role']['Arn'], RoleSessionName=role_session_name, WebIdentityToken=user_token, @@ -2211,7 +2222,7 @@ def test_assume_role_with_web_identity_resource_tag(): ) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity( + resp = sts_client.assume_role_with_web_identity( RoleArn=role_response['Role']['Arn'], RoleSessionName=role_session_name, WebIdentityToken=user_token, @@ -2332,8 +2343,7 @@ def test_assume_role_with_web_identity_wrong_resource_tag_deny(): assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bucket_tagging = s3_res_iam_creds.BucketTagging(bucket_name) - bucket_tagging.put(Tagging= - { + bucket_tagging.put(Tagging={ 'TagSet': [ { 'Key': 'Department', @@ -2420,8 +2430,7 @@ def test_assume_role_with_web_identity_resource_tag_princ_tag(): assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bucket_tagging = s3_res_iam_creds.BucketTagging(bucket_name) - bucket_tagging.put(Tagging= - { + bucket_tagging.put(Tagging={ 'TagSet': [ { 'Key': 'Department', @@ -2506,8 +2515,7 @@ def test_assume_role_with_web_identity_resource_tag_copy_obj(): assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bucket_tagging = s3_res_iam_creds.BucketTagging(bucket_name) - bucket_tagging.put(Tagging= - { + bucket_tagging.put(Tagging={ 'TagSet': [ { 'Key': 'Department', @@ -2522,8 +2530,7 @@ def test_assume_role_with_web_identity_resource_tag_copy_obj(): assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bucket_tagging = s3_res_iam_creds.BucketTagging(copy_bucket_name) - bucket_tagging.put(Tagging= - { + bucket_tagging.put(Tagging={ 'TagSet': [ { 'Key': 'Department', @@ -2556,7 +2563,7 @@ def test_assume_role_with_web_identity_resource_tag_copy_obj(): role_err, response = put_role_policy(iam_client, general_role_name, None, role_policy) assert response['ResponseMetadata']['HTTPStatusCode'] == 200 - resp=sts_client.assume_role_with_web_identity( + resp = sts_client.assume_role_with_web_identity( RoleArn=role_response['Role']['Arn'], RoleSessionName=role_session_name, WebIdentityToken=user_token, @@ -2626,8 +2633,7 @@ def test_assume_role_with_web_identity_role_resource_tag(): assert s3bucket['ResponseMetadata']['HTTPStatusCode'] == 200 bucket_tagging = s3_res_iam_creds.BucketTagging(bucket_name) - bucket_tagging.put(Tagging= - { + bucket_tagging.put(Tagging={ 'TagSet': [ { 'Key': 'Department',