diff --git a/eutester4j/TestSuites/IAMSuite.xml b/eutester4j/TestSuites/IAMSuite.xml index d08f10a5..237f4101 100644 --- a/eutester4j/TestSuites/IAMSuite.xml +++ b/eutester4j/TestSuites/IAMSuite.xml @@ -3,11 +3,12 @@ + + - - + diff --git a/eutester4j/build.xml b/eutester4j/build.xml index e8fb8563..dea1d29a 100644 --- a/eutester4j/build.xml +++ b/eutester4j/build.xml @@ -12,13 +12,16 @@ + + + - + diff --git a/eutester4j/com/eucalyptus/tests/awssdk/Eutester4j.java b/eutester4j/com/eucalyptus/tests/awssdk/Eutester4j.java index 7dc9060e..6f6569f1 100644 --- a/eutester4j/com/eucalyptus/tests/awssdk/Eutester4j.java +++ b/eutester4j/com/eucalyptus/tests/awssdk/Eutester4j.java @@ -37,10 +37,7 @@ import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; -import java.util.ArrayList; -import java.util.Collections; -import java.util.Comparator; -import java.util.List; +import java.util.*; import java.util.concurrent.TimeUnit; class Eutester4j { @@ -943,11 +940,13 @@ public void beforeRequest(final Request request) { int start = newKeys.lastIndexOf("AccessKeyId:") + 13; int end = newKeys.lastIndexOf(",Status"); String accessKey = newKeys.substring(start, end); + print("Access Key: " + accessKey); // get secretkey from key gen result request start = newKeys.lastIndexOf("SecretAccessKey:") + 17; end = newKeys.lastIndexOf(",CreateDate:"); String secretKey = newKeys.substring(start, end); + print("Secret Key: " + secretKey); return new BasicAWSCredentials(accessKey, secretKey); } 
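Review bot: `import java.util.*;` replaces four explicit imports with a wildcard, while the rest of this change keeps imports explicit (TestCannedRoles lists `java.util.ArrayList`, `Collections`, `List` and `Map` one per line). Keep the four original lines and add `import java.util.HashMap;` and `import java.util.Map;` for the new getUserKeys helper instead; a wildcard also hides future name collisions with other `List`-like types from the AWS model packages.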
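Review bot: `print("Secret Key: " + secretKey);` writes a freshly minted long-lived secret access key into the test log, where it persists in console output and CI artifacts for anyone who can read them. The access key id line is enough to correlate the key with later cleanup; remove the secret line, or at most log that a secret was obtained, e.g. `print("Secret Key: [redacted]");`. The enclosing method starts before the hunk, so its name is not visible here; the same offset-based parsing reappears in getUserKeys in the next hunk, so the two should be fixed together.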
@@ -986,7 +985,39 @@ public void beforeRequest(final Request request) {
 .withPath("/");
 youAre.createUser(createUserRequest);
- assertThat((numUsersBefore < youAre.listUsers().getUsers().size()),"Failed to create user " + userName);
+ assertThat((numUsersBefore < youAre.listUsers().getUsers().size()), "Failed to create user " + userName);
 print("Created new user " + userName + " in account " + accountName);
 }
+
+ public static Map getUserKeys(final String accountName, String userName){
+ Map keys = new HashMap<>();
+
+ AWSCredentialsProvider awsCredentialsProvider = new StaticCredentialsProvider( new BasicAWSCredentials(ACCESS_KEY, SECRET_KEY));
+ final YouAreClient youAre = new YouAreClient(awsCredentialsProvider);
+ youAre.setEndpoint(IAM_ENDPOINT);
+
+ youAre.addRequestHandler(new AbstractRequestHandler() {
+ public void beforeRequest(final Request request) {
+ request.addParameter("DelegateAccount", accountName);
+ }
+ });
+
+ CreateAccessKeyRequest createAccessKeyRequest = new CreateAccessKeyRequest().withUserName(userName);
+ String newKeys = String.valueOf(youAre.createAccessKey(createAccessKeyRequest));
+ print("Created new access key for user " + userName);
+
+ // get accesskey from key gen result request
+ int start = newKeys.lastIndexOf("AccessKeyId:") + 13;
+ int end = newKeys.lastIndexOf(",Status");
+ String accessKey = newKeys.substring(start, end);
+ keys.put("ak", accessKey);
+
+ // get secretkey from key gen result request
+ start = newKeys.lastIndexOf("SecretAccessKey:") + 17;
+ end = newKeys.lastIndexOf(",CreateDate:");
+ String secretKey = newKeys.substring(start, end);
+ keys.put("sk", secretKey);
+
+ return keys;
+ }
 }
diff --git a/eutester4j/com/eucalyptus/tests/awssdk/TestAdminRoles.java b/eutester4j/com/eucalyptus/tests/awssdk/TestAdminRoles.java
index 859d27cc..c0666067 100644
--- a/eutester4j/com/eucalyptus/tests/awssdk/TestAdminRoles.java
+++ b/eutester4j/com/eucalyptus/tests/awssdk/TestAdminRoles.java
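Review bot: getUserKeys recovers the key by calling `String.valueOf` on the CreateAccessKey result and slicing it with hard-coded offsets (13 and 17) around `AccessKeyId:` and `SecretAccessKey:`, which depends on the SDK's toString format, and if either marker is absent `lastIndexOf` returns -1 and `substring` throws a StringIndexOutOfBoundsException instead of a clear failure. Assuming `youAre.createAccessKey` returns the SDK's CreateAccessKeyResult, read the fields directly: `final CreateAccessKeyResult result = youAre.createAccessKey(createAccessKeyRequest);` then `keys.put("ak", result.getAccessKey().getAccessKeyId());` and `keys.put("sk", result.getAccessKey().getSecretAccessKey());`. The raw `Map` return type should be `Map<String, String>`, since the map is already built as `HashMap<>()` and callers `get` strings from it. The helper also mints a new long-lived key on every call and registers no cleanup, so a Javadoc sentence stating that the caller owns deletion of the returned key would save the next reader a surprise.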
@@ -31,6 +31,7 @@ import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient; import com.amazonaws.services.securitytoken.model.AssumeRoleRequest; import com.amazonaws.services.securitytoken.model.AssumeRoleResult; +import com.github.sjones4.youcan.youare.model.Account; import org.testng.annotations.Test; import static com.eucalyptus.tests.awssdk.Eutester4j.*; @@ -54,16 +55,6 @@ public class TestAdminRoles { " }]\n" + "}"; - private final String assumeRolePolicy = "{\n" + - " \"Statement\": [ {\n" + - " \"Effect\": \"Allow\",\n" + - " \"Principal\": {\n" + - " \"AWS\": [ \"arn:aws:iam::" + ACCOUNT_ID + ":user/admin\" ]\n" + - " },\n" + - " \"Action\": [ \"sts:AssumeRole\" ]\n" + - " } ]\n" + - "}"; - private AmazonEC2 getEc2ClientUsingRole(final String roleArn, final String sessionName, final String accessKey, @@ -101,8 +92,6 @@ public void test() throws Exception { testInfo(this.getClass().getSimpleName()); getCloudInfo(); - - // create non-admin user in non-euca account then get credentials and connection for user final String user = NAME_PREFIX + "user"; final String account = NAME_PREFIX + "account"; @@ -128,7 +117,7 @@ public void run() { print("Creating role with name: " + roleName); final String roleArn = youAre.createRole(new CreateRoleRequest() .withRoleName(roleName) - .withAssumeRolePolicyDocument(assumeRolePolicy) + .withAssumeRolePolicyDocument(getAssumeRolePolicy(getAccountID("eucalyptus"))) ).getRole().getArn(); print("Created role with ARN " + roleArn); 
@@ -204,4 +193,28 @@ public void run() {
 }
 }
+ public String getAccountID(String account){
+ String accountId = null;
+
+ List accounts = youAre.listAccounts().getAccounts();
+ for (Account a : accounts) {
+ if (a.getAccountName().equals(account)){
+ accountId = a.getAccountId();
+ }
+ }
+ return accountId == null ? "no account named " + account + " was found." : accountId;
+ }
+
+ public String getAssumeRolePolicy(String accountId){
+ return "{\n" +
+ " \"Statement\": [ {\n" +
+ " \"Effect\": \"Allow\",\n" +
+ " \"Principal\": {\n" +
+ " \"AWS\": [ \"arn:aws:iam::" + accountId + ":user/admin\" ]\n" +
+ " },\n" +
+ " \"Action\": [ \"sts:AssumeRole\" ]\n" +
+ " } ]\n" +
+ "}";
+ }
+
 }
\ No newline at end of file
diff --git a/eutester4j/com/eucalyptus/tests/awssdk/TestCannedRoles.java b/eutester4j/com/eucalyptus/tests/awssdk/TestCannedRoles.java
new file mode 100644
index 00000000..b2f3c194
--- /dev/null
+++ b/eutester4j/com/eucalyptus/tests/awssdk/TestCannedRoles.java
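Review bot: getAccountID returns the message `"no account named " + account + " was found."` in place of an id when the lookup misses, and its only caller in this change (`.withAssumeRolePolicyDocument(getAssumeRolePolicy(getAccountID("eucalyptus")))` in the earlier hunk of this file) splices that text straight into the `arn:aws:iam::…:user/admin` principal of the role's trust policy, so a missing account shows up as an opaque CreateRole error, or as a role created with a garbage principal, rather than as a failure at the lookup. Fail at the lookup instead: `assertThat(accountId != null, "no account named " + account + " was found.");` followed by `return accountId;`. The loop can `break` on the first match, and the raw `List` should be `List<Account>` since the for-each already assumes it. Both helpers are duplicated verbatim in the new TestCannedRoles; they belong in Eutester4j beside createAccount so the two tests cannot drift apart.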
@@ -0,0 +1,308 @@ +/************************************************************************* + * Copyright 2009-2013 Eucalyptus Systems, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 3 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see http://www.gnu.org/licenses/. + * + * Please contact Eucalyptus Systems, Inc., 6755 Hollister Ave., Goleta + * CA 93117, USA or visit http://www.eucalyptus.com/licenses/ if you need + * additional information or have any questions. + ************************************************************************/ +package com.eucalyptus.tests.awssdk; + +import com.amazonaws.Request; +import com.amazonaws.auth.AWSCredentials; +import com.amazonaws.auth.AWSCredentialsProvider; +import com.amazonaws.auth.BasicAWSCredentials; +import com.amazonaws.auth.BasicSessionCredentials; +import com.amazonaws.handlers.AbstractRequestHandler; +import com.amazonaws.internal.StaticCredentialsProvider; +import com.amazonaws.services.ec2.AmazonEC2; +import com.amazonaws.services.ec2.AmazonEC2Client; +import com.amazonaws.services.ec2.model.CreateKeyPairRequest; +import com.amazonaws.services.ec2.model.DescribeKeyPairsRequest; +import com.amazonaws.services.ec2.model.KeyPairInfo; +import com.amazonaws.services.identitymanagement.model.*; +import com.amazonaws.services.securitytoken.AWSSecurityTokenService; +import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient; +import com.amazonaws.services.securitytoken.model.AssumeRoleRequest; +import 
com.amazonaws.services.securitytoken.model.AssumeRoleResult; +import com.github.sjones4.youcan.youare.YouAreClient; +import com.github.sjones4.youcan.youare.model.Account; +import com.github.sjones4.youcan.youare.model.CreateAccountRequest; +import com.github.sjones4.youcan.youconfig.YouConfigClient; +import com.github.sjones4.youcan.youconfig.model.ComponentInfo; +import com.github.sjones4.youcan.youprop.YouPropClient; +import com.github.sjones4.youcan.youprop.model.Property; +import com.github.sjones4.youcan.youserv.YouServClient; +import com.github.sjones4.youcan.youserv.model.DescribeServicesRequest; +import com.github.sjones4.youcan.youserv.model.ServiceStatus; +import org.testng.annotations.Test; + +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; +import java.util.Map; + +import static com.eucalyptus.tests.awssdk.Eutester4j.*; +import static com.eucalyptus.tests.awssdk.Eutester4j.youAre; + +/** + * This test verifies the functionality of https://eucalyptus.atlassian.net/browse/EUCA-8156, EUCA-8157, and EUCA-8158 + * "Canned Roles": resource-admin, infrastructure-admin and account-admin + */ +public class TestCannedRoles { + + private AWSCredentialsProvider credentialsProvider(final String roleArn, + final String sessionName, + final String accesskey, + final String secretkey) { + final AWSCredentialsProvider creds = new AWSCredentialsProvider() { + @Override + public AWSCredentials getCredentials() { + final AWSSecurityTokenService sts = new AWSSecurityTokenServiceClient(new BasicAWSCredentials(accesskey, secretkey)); + sts.setEndpoint(TOKENS_ENDPOINT); + final AssumeRoleResult assumeRoleResult = sts.assumeRole(new AssumeRoleRequest() + .withRoleArn(roleArn) + .withRoleSessionName(sessionName) + ); + + assertThat(assumeRoleResult.getAssumedRoleUser().getAssumedRoleId().endsWith(sessionName), "Unexpected assumed role id: " + assumeRoleResult.getAssumedRoleUser().getAssumedRoleId()); + 
assertThat(assumeRoleResult.getAssumedRoleUser().getArn().endsWith(sessionName), "Unexpected assumed role arn: " + assumeRoleResult.getAssumedRoleUser().getArn()); + + return new BasicSessionCredentials( + assumeRoleResult.getCredentials().getAccessKeyId(), + assumeRoleResult.getCredentials().getSecretAccessKey(), + assumeRoleResult.getCredentials().getSessionToken() + ); + } + + @Override + public void refresh() { + } + }; + return creds; + } + + private YouAreClient getYouAreClient(final AWSCredentialsProvider credentials) { + final YouAreClient euare = new YouAreClient(credentials); + euare.setEndpoint(IAM_ENDPOINT); + return euare; + } + + private AmazonEC2 getEc2Client(final AWSCredentialsProvider credentials) { + final AmazonEC2 ec2 = new AmazonEC2Client(credentials); + ec2.setEndpoint(EC2_ENDPOINT); + return ec2; + } + + public String getAccountID(String account) { + String accountId = null; + List accounts = youAre.listAccounts().getAccounts(); + for (Account a : accounts) { + if (a.getAccountName().equals(account)) { + accountId = a.getAccountId(); + } + } + return accountId; + } + + public String getAssumeRolePolicy(String accountId){ + return "{\n" + + " \"Statement\": [ {\n" + + " \"Effect\": \"Allow\",\n" + + " \"Principal\": {\n" + + " \"AWS\": [ \"arn:aws:iam::" + accountId + ":user/admin\" ]\n" + + " },\n" + + " \"Action\": [ \"sts:AssumeRole\" ]\n" + + " } ]\n" + + "}"; + } + + @Test + public void test() throws Exception { + + testInfo(this.getClass().getSimpleName()); + getCloudInfo(); + final String account = NAME_PREFIX + "account"; + + final List cleanupTasks = new ArrayList(); + try { + // create an account and a user + createAccount(account); + + cleanupTasks.add(new Runnable() { + @Override + public void run() { + deleteAccount(account); + } + }); + + // Update default roles to permit account + final String aaAssumeRolePolicy = youAre.getRole(new GetRoleRequest().withRoleName("AccountAdministrator")).getRole().getAssumeRolePolicyDocument(); 
+ assertThat(aaAssumeRolePolicy != null, "Expected assume role policy for account administrator"); + cleanupTasks.add(new Runnable() { + @Override + public void run() { + print("Resetting assume role policy for account administrator"); + youAre.updateAssumeRolePolicy(new UpdateAssumeRolePolicyRequest() + .withRoleName("AccountAdministrator") + .withPolicyDocument(aaAssumeRolePolicy)); + } + }); + + final String iaAssumeRolePolicy = youAre.getRole(new GetRoleRequest().withRoleName("InfrastructureAdministrator")).getRole().getAssumeRolePolicyDocument(); + assertThat(aaAssumeRolePolicy != null, "Expected assume role policy for account administrator"); + cleanupTasks.add(new Runnable() { + @Override + public void run() { + print("Resetting assume role policy for infrastructure administrator"); + youAre.updateAssumeRolePolicy(new UpdateAssumeRolePolicyRequest() + .withRoleName("InfrastructureAdministrator") + .withPolicyDocument(iaAssumeRolePolicy)); + } + }); + + final String raAssumeRolePolicy = youAre.getRole(new GetRoleRequest().withRoleName("ResourceAdministrator")).getRole().getAssumeRolePolicyDocument(); + cleanupTasks.add(new Runnable() { + @Override + public void run() { + print("Resetting assume role policy for resource administrator"); + youAre.updateAssumeRolePolicy(new UpdateAssumeRolePolicyRequest() + .withRoleName("ResourceAdministrator") + .withPolicyDocument(raAssumeRolePolicy)); + } + }); + + print("Updating assume role policy for default roles."); + final String assumeRolePolicy = getAssumeRolePolicy(getAccountID(account)); + youAre.updateAssumeRolePolicy(new UpdateAssumeRolePolicyRequest() + .withRoleName("AccountAdministrator") + .withPolicyDocument(assumeRolePolicy)); + youAre.updateAssumeRolePolicy(new UpdateAssumeRolePolicyRequest() + .withRoleName("InfrastructureAdministrator") + .withPolicyDocument(assumeRolePolicy)); + youAre.updateAssumeRolePolicy(new UpdateAssumeRolePolicyRequest() + .withRoleName("ResourceAdministrator") + 
.withPolicyDocument(assumeRolePolicy)); + + Map accessKeys = getUserKeys("eucalyptus","admin"); + final String accessKey = accessKeys.get("ak"); + final String secretKey = accessKeys.get("sk"); + cleanupTasks.add(new Runnable() { + @Override + public void run() { + print("Removing user key for account " + account); + youAre.deleteAccessKey(new DeleteAccessKeyRequest(accessKey)); + } + }); + + // Test Admin Role + final String testadminRoleAccount = NAME_PREFIX + "admin-role-account"; + YouAreClient euare = getYouAreClient(credentialsProvider("arn:aws:iam::eucalyptus:role/eucalyptus/AccountAdministrator", "session-name-here", accessKey, secretKey)); + euare.createAccount(new CreateAccountRequest().withAccountName(testadminRoleAccount)); + assertThat(getAccountID(testadminRoleAccount) != null, "Expected account ID"); + + List result = new ArrayList<>(); + List accounts = euare.listAccounts().getAccounts(); + for (Account a : accounts) { + if (a.getAccountName().equals(testadminRoleAccount)) { + result.add(a); + } + } + assertThat(!result.isEmpty(), "expected account " + testadminRoleAccount); + + cleanupTasks.add(new Runnable() { + @Override + public void run() { + deleteAccount(testadminRoleAccount); + } + }); + + // Test Infrastructure Admin Role + final YouServClient youServ = new YouServClient(credentialsProvider("arn:aws:iam::eucalyptus:role/eucalyptus/InfrastructureAdministrator", "session-name-here", accessKey, secretKey)); + youServ.setEndpoint(EC2_ENDPOINT.substring(0, EC2_ENDPOINT.length() - 21) + "/services/Empyrean/"); + List serviceStatuses = youServ.describeServices(new DescribeServicesRequest()).getServiceStatuses(); + assertThat(!serviceStatuses.isEmpty(), "Expected Services"); + + final YouPropClient youProp = new YouPropClient(credentialsProvider("arn:aws:iam::eucalyptus:role/eucalyptus/InfrastructureAdministrator", "session-name-here", accessKey, secretKey)); + youProp.setEndpoint(EC2_ENDPOINT.substring(0, EC2_ENDPOINT.length() - 21) + 
"/services/Properties/"); + List properties = youProp.describeProperties().getProperties(); + assertThat(!properties.isEmpty(), "Expected Properties"); + + final YouConfigClient youConfig = new YouConfigClient(credentialsProvider("arn:aws:iam::eucalyptus:role/eucalyptus/InfrastructureAdministrator", "session-name-here", accessKey, secretKey)); + youConfig.setEndpoint(EC2_ENDPOINT.substring(0, EC2_ENDPOINT.length() - 21) + "/services/Configuration/"); + List components = youConfig.describeComponents().getComponentInfos(); + assertThat(!components.isEmpty(), "Expected Components"); + + // Test Resource Admin Role first create an account and add a keypair + final String resourceAccount = NAME_PREFIX + "resource-account"; + final String keyName = NAME_PREFIX + "resource-key"; + createAccount(resourceAccount); + + print("Creating credentials for " + resourceAccount); + AWSCredentialsProvider awsCredentialsProvider = new StaticCredentialsProvider( new BasicAWSCredentials(ACCESS_KEY, SECRET_KEY)); + final YouAreClient youAre = new YouAreClient(awsCredentialsProvider); + youAre.setEndpoint(IAM_ENDPOINT); + + youAre.addRequestHandler(new AbstractRequestHandler() { + public void beforeRequest(final Request request) { + request.addParameter("DelegateAccount", resourceAccount); + } + }); + youAre.createAccessKey(new CreateAccessKeyRequest().withUserName("admin")); + assertThat(awsCredentialsProvider != null, "Expected resource account credentials"); + + AmazonEC2 ec2client = getEc2Client(awsCredentialsProvider); + ec2client.createKeyPair(new CreateKeyPairRequest(keyName)); + cleanupTasks.add(new Runnable() { + @Override + public void run() { + print("Deleting keypair in resource account: " + resourceAccount); + deleteKeyPair(keyName); + } + }); + + AmazonEC2 userEc2client = getEc2Client(credentialsProvider("arn:aws:iam::eucalyptus:role/eucalyptus/ResourceAdministrator", "session-name-here", accessKey, secretKey)); + List found = new ArrayList<>(); + List keypairResult = 
userEc2client.describeKeyPairs(new DescribeKeyPairsRequest().withKeyNames(keyName)).getKeyPairs(); + for(KeyPairInfo k : keypairResult){ + if (k.getKeyName().equals(keyName)){ + found.add(k); + } + } + assertThat(!found.isEmpty(),"Expected keypair"); + + + cleanupTasks.add(new Runnable() { + @Override + public void run() { + deleteAccount(resourceAccount); + } + }); + + print("Test complete"); + } finally { + // Attempt to clean up anything we created + Collections.reverse(cleanupTasks); + for (final Runnable cleanupTask : cleanupTasks) { + try { + cleanupTask.run(); + } catch (NoSuchEntityException e) { + print("Entity not found during cleanup."); + } catch (Exception e) { + e.printStackTrace(); + } + } + } + } +} \ No newline at end of file diff --git a/eutester4j/com/eucalyptus/tests/awssdk/TestSTSAssumeRole.java b/eutester4j/com/eucalyptus/tests/awssdk/TestSTSAssumeRole.java index 9cb3a312..cd8079dc 100644 --- a/eutester4j/com/eucalyptus/tests/awssdk/TestSTSAssumeRole.java +++ b/eutester4j/com/eucalyptus/tests/awssdk/TestSTSAssumeRole.java @@ -22,8 +22,8 @@ import com.amazonaws.AmazonServiceException; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.AWSCredentialsProvider; -import com.amazonaws.auth.BasicAWSCredentials; import com.amazonaws.auth.BasicSessionCredentials; +import com.amazonaws.internal.StaticCredentialsProvider; import com.amazonaws.services.ec2.AmazonEC2; import com.amazonaws.services.ec2.AmazonEC2Client; import com.amazonaws.services.ec2.model.DescribeImagesRequest; @@ -34,6 +34,7 @@ import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient; import com.amazonaws.services.securitytoken.model.AssumeRoleRequest; import com.amazonaws.services.securitytoken.model.AssumeRoleResult; +import com.github.sjones4.youcan.youare.YouAreClient; import org.testng.annotations.Test; import java.util.ArrayList; 
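Review bot: In the ResourceAdministrator section the key returned by `youAre.createAccessKey(new CreateAccessKeyRequest().withUserName("admin"))` is discarded, so `awsCredentialsProvider` still wraps the cloud admin's `ACCESS_KEY`/`SECRET_KEY`, `assertThat(awsCredentialsProvider != null, …)` can never fail, and the keypair is created by the cloud admin rather than inside the resource account, which means the assumed-role `describeKeyPairs` check never exercises cross-account visibility. Build the EC2 client from the returned key (fence below, assuming YouAreClient's createAccessKey returns the SDK CreateAccessKeyResult); the cleanup task that calls `deleteKeyPair(keyName)` then also needs to run with those credentials, or can be dropped in favour of the `deleteAccount(resourceAccount)` task that already follows it. Separately, the null check after the InfrastructureAdministrator `getRole` re-tests `aaAssumeRolePolicy` instead of `iaAssumeRolePolicy`, and `raAssumeRolePolicy` has no check at all, so a null document would be written back by the cleanup tasks; change it to `assertThat(iaAssumeRolePolicy != null, "Expected assume role policy for infrastructure administrator");` and add the matching line for `raAssumeRolePolicy`. The test also rewrites the trust policy of all three cloud-wide canned roles and relies solely on the finally block to restore them, so a run killed outside that block leaves the widened trust policy in place; that is worth a sentence in the class Javadoc. Finally, the local `final YouAreClient youAre` shadows the static-imported `youAre` used a few lines earlier, which is easy to misread and should be renamed.
```java
// … unchanged: resource-account YouAreClient with DelegateAccount request handler …
final CreateAccessKeyResult resourceKey = youAre.createAccessKey(new CreateAccessKeyRequest().withUserName("admin"));
final AWSCredentialsProvider resourceCredentials = new StaticCredentialsProvider(
        new BasicAWSCredentials(resourceKey.getAccessKey().getAccessKeyId(),
                                resourceKey.getAccessKey().getSecretAccessKey()));
assertThat(resourceCredentials.getCredentials() != null, "Expected resource account credentials");
AmazonEC2 ec2client = getEc2Client(resourceCredentials);
// … unchanged: createKeyPair, cleanup task, ResourceAdministrator describeKeyPairs check …
```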
@@ -59,17 +60,39 @@ public class TestSTSAssumeRole {
 public void STSAssumeRoleTest() throws Exception {
 testInfo(this.getClass().getSimpleName());
 getCloudInfo();
-
- final GetUserResult userResult = youAre.getUser(new GetUserRequest());
- assertThat(userResult.getUser() != null, "Expected current user info");
- assertThat(userResult.getUser().getArn() != null, "Expected current user ARN");
- final String userArn = userResult.getUser().getArn();
- print("Got user ARN (will convert account alias to ID if necessary): " + userArn);
+ final String user = NAME_PREFIX + "user";
+ final String account = NAME_PREFIX + "account";
 final List cleanupTasks = new ArrayList();
 try {
 // Create role to get a client id
 final String accountId;
+
+ // create non-admin user in non-euca account then get credentials and connection for user
+ createAccount(account);
+ createUser(account, user);
+ createIAMPolicy(account, user, NAME_PREFIX + "policy", null);
+
+ // get youAre connection for new user
+ AWSCredentialsProvider awsCredentialsProvider = new StaticCredentialsProvider(getUserCreds(account,user));
+ final YouAreClient youAre = new YouAreClient(awsCredentialsProvider);
+ youAre.setEndpoint(IAM_ENDPOINT);
+
+ cleanupTasks.add(new Runnable() {
+ @Override
+ public void run() {
+ print("Deleting account " + account);
+ deleteAccount(account);
+ }
+ });
+
+ final GetUserResult userResult = youAre.getUser(new GetUserRequest());
+ assertThat(userResult.getUser() != null, "Expected current user info");
+ assertThat(userResult.getUser().getArn() != null, "Expected current user ARN");
+ final String userArn = userResult.getUser().getArn();
+ print("Got user ARN (will convert account alias to ID if necessary): " + userArn);
+
+ {
 final String roleNameA = NAME_PREFIX + "AssumeRoleTestA";
 print("Creating role to determine account number: " + roleNameA);
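Review bot: The cleanup task that calls `deleteAccount(account)` is registered only after `createUser`, `createIAMPolicy` and `getUserCreds(account,user)` have run, so a failure in any of those leaves the new account, its user and the freshly created access key behind in the cloud. Move the `cleanupTasks.add(new Runnable() { … deleteAccount(account); … })` block to immediately after `createAccount(account);`. The local `final YouAreClient youAre` also shadows the static-imported `youAre` from Eutester4j for the rest of the method; that is presumably intended so later IAM calls run as the non-admin user, but it deserves a comment such as `// shadows Eutester4j.youAre: IAM calls below run as the non-admin test user`. STSAssumeRoleTest continues past the end of the hunk.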
@@ -148,12 +171,12 @@ public void run() {
 // Describe images using role, no permissions so should see nothing
 print("Describing images to ensure no permission with role: " + roleName);
 {
- final DescribeImagesResult imagesResult = getImagesUsingRole(roleName, roleArn, "222222222222");
+ final DescribeImagesResult imagesResult = getImagesUsingRole(account, user, roleName, roleArn, "222222222222");
 assertThat(imagesResult.getImages().size() == 0, "Image found when using role with no permissions");
 }
 // Add policy to role
- final String policyName = NAME_PREFIX + "AssumeRoleTest";
+ final String policyName = NAME_PREFIX + "AssumeRoleTestPolicy";
 print("Adding policy: " + policyName + " to role: " + roleName);
 youAre.putRolePolicy(new PutRolePolicyRequest()
 .withRoleName(roleName)
@@ -176,7 +199,7 @@ public void run() {
 // Describe images using role
 {
- final DescribeImagesResult imagesResult = getImagesUsingRole(roleName, roleArn, "222222222222");
+ final DescribeImagesResult imagesResult = getImagesUsingRole(account, user, roleName, roleArn, "222222222222");
 assertThat(imagesResult.getImages().size() > 0, "Image not found when using role");
 final String imageId = imagesResult.getImages().get(0).getImageId();
 print("Found image: " + imageId);
@@ -185,7 +208,7 @@ public void run() {
 // Describe images using role with incorrect external id
 print("Ensuring listing images fails when incorrect external id used with role: " + roleName);
 try {
- getImagesUsingRole(roleName, roleArn, "222222222221");
+ getImagesUsingRole(account, user, roleName, roleArn, "222222222221");
 assertThat(false, "Expected error due to incorrect external id when assuming role (test must not be run as cloud admin)");
 } catch (AmazonServiceException e) {
 print("Received expected exception: " + e);
@@ -207,13 +230,15 @@ public void run() {
 }
 }
- private AmazonEC2 getEc2ClientUsingRole(final String roleArn,
+ private AmazonEC2 getEc2ClientUsingRole(final String account,
+ final String user,
+ final String roleArn,
 final String externalId,
 final String sessionName) {
 final AmazonEC2 ec2 = new AmazonEC2Client(new AWSCredentialsProvider() {
 @Override
 public AWSCredentials getCredentials() {
- AWSCredentials creds = new BasicAWSCredentials(ACCESS_KEY, SECRET_KEY);
+ AWSCredentials creds = getUserCreds(account,user);
 final AWSSecurityTokenService sts = new AWSSecurityTokenServiceClient(creds);
 sts.setEndpoint(TOKENS_ENDPOINT);
 final AssumeRoleResult assumeRoleResult = sts.assumeRole(new AssumeRoleRequest()
@@ -240,8 +265,12 @@ public void refresh() {
 return ec2;
 }
- private DescribeImagesResult getImagesUsingRole(final String roleName, final String roleArn, String externalId) {
- final AmazonEC2 ec2 = getEc2ClientUsingRole(roleArn, externalId, "session-name-here");
+ private DescribeImagesResult getImagesUsingRole(final String account,
+ final String user,
+ final String roleName,
+ final String roleArn,
+ String externalId) {
+ final AmazonEC2 ec2 = getEc2ClientUsingRole(account, user, roleArn, externalId, "session-name-here");
 print("Searching images using role: " + roleName);
 return ec2.describeImages(new DescribeImagesRequest().withFilters(
diff --git a/testcases/cloud_admin/create_user.py b/testcases/cloud_admin/create_user.py
index c0db0b19..e99e481d 100755
--- a/testcases/cloud_admin/create_user.py
+++ b/testcases/cloud_admin/create_user.py
@@ -26,12 +26,7 @@ def CreateUsers(self):
 allow_all_policy = """{
 "Statement": [
 {
- "Action": "ec2:*",
- "Effect": "Allow",
- "Resource": "*"
- },
- {
- "Action": "s3:*",
+ "Action": "*",
 "Effect": "Allow",
 "Resource": "*"
 }]
diff --git a/testcases/cloud_admin/services_up_test.py b/testcases/cloud_admin/services_up_test.py
index 9058e1da..1cf68cea 100755
--- a/testcases/cloud_admin/services_up_test.py
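Review bot: `AWSCredentials creds = getUserCreds(account,user);` now runs inside `getCredentials()`, which the SDK may invoke each time it signs a request, and getUserCreds appears to create a new IAM access key per call (its body is not in view, but the offset-based parsing added to it in the Eutester4j hunk matches getUserKeys, which calls createAccessKey), so every image lookup in this test can mint another long-lived key for the test user that is only removed when the account is deleted. Fetch the credentials once outside the provider and capture them: add `final AWSCredentials creds = getUserCreds(account, user);` before `final AmazonEC2 ec2 = new AmazonEC2Client(...)` and delete the assignment inside `getCredentials()`. The provider's `refresh()` and the remainder of getEc2ClientUsingRole lie outside the hunk.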
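Review bot: `"Action": "*"` widens allow_all_policy from `ec2:*` plus `s3:*` to every service, including IAM, so users created through CreateUsers can now manage other users, policies and access keys in their account. If that is deliberate for these test users, a comment above the policy should say so, e.g. `# full access incl. IAM: tests in this suite create users/keys as this user`; if only a few more services are needed, list them explicitly instead of `*`. CreateUsers continues beyond the hunk.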
+++ b/testcases/cloud_admin/services_up_test.py
@@ -65,7 +65,7 @@ def wait_for_services_operational(self, timeout=None):
 try:
 self.tester = eucaops.Eucaops(config_file=self.args.config_file, password=self.args.password)
 except Exception, e:
- tb = eucaops.get_traceback()
+ tb = eucaops.Eucaops.get_traceback()
 last_err = str(tb) + "\n" + str(e)
 if not self.tester:
 raise Exception(str(last_err) + 'Could not create tester object after elapsed:' + str(elapsed))