Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Proposal add initial bdd testing #8

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
+144 −0
Open

[WIP] Proposal add initial bdd testing #8

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4e01b6f
Add initial bdd testing
RyanJarv Oct 14, 2022
c8a57f1
Fix root trust scenario name
RyanJarv Oct 27, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ z3-solver = "*"
pydantic = "*"
typer = "*"
python-dateutil = "^2.8.2"
pytest-bdd = "^6.0.1"

[tool.poetry.dev-dependencies]
ipython = "*"
Expand Down
38 changes: 38 additions & 0 deletions tests/features/explicit-deny.feature
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
Feature: Explicit Deny
Background:
Given I'm using arn:aws:iam::111111111111:role/source-deny with the policy:
[{
"Effect": "Deny",
"Action": "*",
"Resource": "*"
}]

Scenario: Same account root ARN trust
Given I have the resource arn:aws:iam::111111111111:role/target with the trust policy:
[{
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::111111111111:root" },
"Action": "sts:AssumeRole"
}]
When I call sts:AssumeRole on the resource
Then Access should be denied

Scenario: Same account explicit ARN trust
Given I have the resource arn:aws:iam::111111111111:role/target with the trust policy:
[{
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::111111111111:role/source-deny" },
"Action": "sts:AssumeRole"
}]
When I call sts:AssumeRole on the resource
Then Access should be denied

Scenario: Cross account explicit ARN trust
Given I have the resource arn:aws:iam::999999999999:role/target with the trust policy:
[{
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::111111111111:role/source-deny" },
"Action": "sts:AssumeRole"
}]
When I call sts:AssumeRole on the resource
Then Access should be denied
18 changes: 18 additions & 0 deletions tests/features/root-trust.feature
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
Feature: Root Trust
Background:
Given I'm using arn:aws:iam::111111111111:role/source with the policy:
[{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*"
}]

Scenario: Same account AssumeRole request.
Given I have the resource arn:aws:iam::111111111111:role/target with the trust policy:
[{
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::111111111111:root" },
"Action": "sts:AssumeRole"
}]
When I call sts:AssumeRole on the resource
Then Access should be allowed
17 changes: 17 additions & 0 deletions tests/fixtures/role.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
import pytest

from iamspy import Model


@pytest.fixture
def model() -> Model:
return Model()


@pytest.fixture
def req():
return {
"source": "",
"action": "",
"resource": "",
}
70 changes: 70 additions & 0 deletions tests/test_bdd.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
import json
from datetime import datetime

from iamspy.iam import RoleDetail, Document, Policy, RoleLastUse, ResourcePolicy
from iamspy.parse import _parse_role, parse_resource_policy
from pytest_bdd import scenarios, given, when, then, parsers
from pytest_bdd.parsers import parse

from .fixtures.role import *

scenarios("features")

@pytest.fixture
def source() -> 'RoleDetail':
return RoleDetail(
Path="/",
RoleName="source",
CreateDate=datetime.now(),
RoleLastUsed=RoleLastUse(LastUsedDate=datetime.now(), Region="us-east-1"),
RoleId="AORAXXXXXXXXXXXXXXXXX",
Arn=f"arn:aws:iam::111111111111:role/source",
AssumeRolePolicyDocument=Document(),
InstanceProfileList=[],
RolePolicyList=[],
)


@given(parsers.parse("I'm using {arn} with the policy:\n{policy}")) # Step alias
def set_source(model, req, source, arn, policy):
source.Arn = arn
source.RoleName = arn.split(':')[5].split("/")[-1]
source.RolePolicyList.append(Policy(
PolicyName="identity_policy",
PolicyDocument=Document(Statement=json.loads(policy)),
))


@pytest.fixture
def resource():
return ResourcePolicy(
Resource="target",
Policy=Document(),
Account="111111111111",
)


@given(parse("I have the resource {arn} with the trust policy:\n{policy}"))
def set_resource(resource, arn, policy):
resource.Resource = arn
resource.Account = arn.split(':')[4]
resource.Policy = Document(Statement=json.loads(policy))


@when(parsers.parse("I call {action}"))
def call(req, model, source, action, resource):
model.solver.add(*_parse_role(None, source))
model.solver.add(*parse_resource_policy(resource.Resource, resource.Policy, resource.Account))
req["source"] = source.Arn
req["action"] = action
req["resource"] = resource.Resource


@then(parsers.parse("Access should be allowed"))
def allowed(model, req):
assert model.can_i(**req)


@then(parsers.parse("Access should be denied"))
def denied(model, req):
assert not model.can_i(**req, strict_conditions=True)