Skip to content

Commit 8ddae12

Browse files
SylvainSenechalSylvainSenechal
committed
migrate iam_policies tests to aws sdk v3
ISSUE: ZENKO-5054
1 parent 371be0f commit 8ddae12

File tree

4 files changed

+351
-412
lines changed

4 files changed

+351
-412
lines changed

tests/zenko_tests/node_tests/iam_policies/cloudserver/AssumeRole.js

Lines changed: 129 additions & 131 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,23 @@
11
const assert = require('assert');
2-
const async = require('async');
32
const { errors } = require('arsenal');
3+
const {
4+
CreateRoleCommand,
5+
DeleteRoleCommand,
6+
AttachRolePolicyCommand,
7+
DetachRolePolicyCommand,
8+
CreatePolicyCommand,
9+
DeletePolicyCommand,
10+
CreateUserCommand,
11+
CreateAccessKeyCommand,
12+
AttachUserPolicyCommand,
13+
} = require('@aws-sdk/client-iam');
14+
const { AssumeRoleCommand } = require('@aws-sdk/client-sts');
15+
const {
16+
CreateBucketCommand,
17+
PutObjectCommand,
18+
DeleteObjectCommand,
19+
DeleteBucketCommand,
20+
} = require('@aws-sdk/client-s3');
421
const VaultClient = require('../../VaultClient');
522
const { getS3Client } = require('../../s3SDK');
623
const { getSTSClient } = require('../../stsSDK');
@@ -77,107 +94,83 @@ testAPIs.forEach(testAPI => {
7794

7895
describe(`iam policies - cloudserver - AssumeRole - ${testAPI.API}`, () => {
7996

80-
before(done => {
81-
async.series([
82-
// create account1, generateAccountAccessKey for it and get account1 iam client
83-
next => clientAdmin.createAccount(account1Name, account1Info, (err, res) => {
84-
if (err) {
85-
return next(err);
86-
}
87-
iamAccount1Id = res.account.id;
88-
return next();
89-
}),
90-
next => clientAdmin.generateAccountAccessKey(
97+
before(async () => {
98+
const res = await new Promise((resolve, reject) => {
99+
clientAdmin.createAccount(account1Name, account1Info, (err, res) => (err ? reject(err) : resolve(res)));
100+
});
101+
iamAccount1Id = res.account.id;
102+
103+
await new Promise((resolve, reject) => {
104+
clientAdmin.generateAccountAccessKey(
91105
account1Name,
92-
next,
106+
err => (err ? reject(err) : resolve()),
93107
{ externalAccessKey: externalAccessKey1, externalSecretKey: externalSecretKey1 },
94-
),
95-
next => {
96-
iamAccount1Client = VaultClient.getIamClient(externalAccessKey1, externalSecretKey1);
97-
next();
98-
},
99-
// create account2, generateAccountAccessKey for it, get account2 iam client
100-
// create a user under account2, create access key for the user and get user sts client
101-
next => clientAdmin.createAccount(account2Name, account2Info, next),
102-
next => clientAdmin.generateAccountAccessKey(
108+
);
109+
});
110+
111+
iamAccount1Client = VaultClient.getIamClient(externalAccessKey1, externalSecretKey1);
112+
await new Promise((resolve, reject) => {
113+
clientAdmin.createAccount(account2Name, account2Info, err => (err ? reject(err) : resolve()));
114+
});
115+
116+
await new Promise((resolve, reject) => {
117+
clientAdmin.generateAccountAccessKey(
103118
account2Name,
104-
() => next(),
119+
err => (err ? reject(err) : resolve()),
105120
{ externalAccessKey: externalAccessKey2, externalSecretKey: externalSecretKey2 },
106-
),
107-
next => {
108-
iamAccount2Client = VaultClient.getIamClient(externalAccessKey2, externalSecretKey2);
109-
next();
110-
},
111-
next => iamAccount2Client.createUser({ UserName: userName }, next),
112-
next => iamAccount2Client.createAccessKey(
113-
{ UserName: userName },
114-
(err, result) => {
115-
if (err) {
116-
return next(err);
117-
}
118-
stsClient = getSTSClient(result.AccessKey.AccessKeyId, result.AccessKey.SecretAccessKey);
119-
return next();
120-
},
121-
),
122-
// create allowAssumeRole policy and attach it to the user created above
123-
next => iamAccount2Client.createPolicy({
124-
PolicyName: 'allowAssumeRolePolicy',
125-
PolicyDocument: allowAssumeRolePolicy,
126-
}, (err, result) => {
127-
if (err) {
128-
return next(err);
129-
}
130-
allowAssumeRolePolicyArn = result.Policy.Arn;
131-
return iamAccount2Client.attachUserPolicy({
132-
UserName: userName,
133-
PolicyArn: allowAssumeRolePolicyArn,
134-
}, next);
135-
}),
136-
// get account1 s3 client, create 2 buckets and put 2 objects respectively
137-
next => {
138-
s3Account1Client = getS3Client(externalAccessKey1, externalSecretKey1);
139-
next();
140-
},
141-
next => s3Account1Client.createBucket({ Bucket: bucket1 }, next),
142-
next => s3Account1Client.putObject({ Bucket: bucket1, Key: 'file1' }, next),
143-
next => s3Account1Client.createBucket({ Bucket: bucket2 }, next),
144-
next => s3Account1Client.putObject({ Bucket: bucket2, Key: 'file1' }, next),
145-
], done);
121+
);
122+
});
123+
124+
iamAccount2Client = VaultClient.getIamClient(externalAccessKey2, externalSecretKey2);
125+
await iamAccount2Client.send(new CreateUserCommand({ UserName: userName }));
126+
const result = await iamAccount2Client.send(new CreateAccessKeyCommand({ UserName: userName }));
127+
stsClient = getSTSClient(result.AccessKey.AccessKeyId, result.AccessKey.SecretAccessKey);
128+
// create allowAssumeRole policy and attach it to the user created above
129+
const policyResult = await iamAccount2Client.send(new CreatePolicyCommand({
130+
PolicyName: 'allowAssumeRolePolicy',
131+
PolicyDocument: allowAssumeRolePolicy,
132+
}));
133+
allowAssumeRolePolicyArn = policyResult.Policy.Arn;
134+
await iamAccount2Client.send(new AttachUserPolicyCommand({
135+
UserName: userName,
136+
PolicyArn: allowAssumeRolePolicyArn,
137+
}));
138+
139+
// get account1 s3 client, create 2 buckets and put 2 objects respectively
140+
s3Account1Client = getS3Client(externalAccessKey1, externalSecretKey1);
141+
await s3Account1Client.send(new CreateBucketCommand({ Bucket: bucket1 }));
142+
await s3Account1Client.send(new PutObjectCommand({ Bucket: bucket1, Key: 'file1' }));
143+
await s3Account1Client.send(new CreateBucketCommand({ Bucket: bucket2 }));
144+
await s3Account1Client.send(new PutObjectCommand({ Bucket: bucket2, Key: 'file1' }));
146145
});
147146

148-
after(done => {
149-
async.series([
150-
next => s3Account1Client.deleteObject({
151-
Bucket: bucket1,
152-
Key: 'file1',
153-
}, next),
154-
next => s3Account1Client.deleteObject({
155-
Bucket: bucket2,
156-
Key: 'file1',
157-
}, next),
158-
next => s3Account1Client.deleteBucket({ Bucket: bucket1 }, next),
159-
next => s3Account1Client.deleteBucket({ Bucket: bucket2 }, next),
160-
next => VaultClient.deleteVaultAccount(clientAdmin, iamAccount1Client, account1Name, next),
161-
next => VaultClient.deleteVaultAccount(clientAdmin, iamAccount2Client, account2Name, next),
162-
], done);
147+
after(async () => {
148+
await s3Account1Client.send(new DeleteObjectCommand({
149+
Bucket: bucket1,
150+
Key: 'file1',
151+
}));
152+
await s3Account1Client.send(new DeleteObjectCommand({
153+
Bucket: bucket2,
154+
Key: 'file1',
155+
}));
156+
await s3Account1Client.send(new DeleteBucketCommand({ Bucket: bucket1 }));
157+
await s3Account1Client.send(new DeleteBucketCommand({ Bucket: bucket2 }));
158+
await VaultClient.deleteVaultAccount(clientAdmin, iamAccount1Client, account1Name);
159+
await VaultClient.deleteVaultAccount(clientAdmin, iamAccount2Client, account2Name);
163160
});
164161

165-
function cleanUp(roleName, policyArn, err, done) {
166-
return async.series([
167-
next => iamAccount1Client.detachRolePolicy({
162+
async function cleanUp(roleName, policyArn, err) {
163+
try {
164+
await iamAccount1Client.send(new DetachRolePolicyCommand({
168165
RoleName: roleName, PolicyArn: policyArn,
169-
}, next),
170-
next => iamAccount1Client.deletePolicy({ PolicyArn: policyArn }, next),
171-
next => iamAccount1Client.deleteRole({ RoleName: roleName }, next),
172-
], _err => {
173-
if (err) {
174-
return done(err);
175-
}
176-
if (_err) {
177-
return done(_err);
178-
}
179-
return done();
180-
});
166+
}));
167+
await iamAccount1Client.send(new DeletePolicyCommand({ PolicyArn: policyArn }));
168+
await iamAccount1Client.send(new DeleteRoleCommand({ RoleName: roleName }));
169+
} catch (cleanupErr) {
170+
if (err) throw err;
171+
throw cleanupErr;
172+
}
173+
if (err) throw err;
181174
}
182175

183176
const tests = [
@@ -314,55 +307,60 @@ testAPIs.forEach(testAPI => {
314307
tests.forEach((test, i) => {
315308
it(
316309
test.name,
317-
done => {
310+
async () => {
318311
const roleName = `test-role-${i}`;
319312
const policyName = `test-policy-${i}`;
320313
let policyArn = null;
321-
async.series([
314+
315+
try {
322316
// create a role under account1 and attach different policy to it
323-
next => iamAccount1Client.createRole({
317+
await iamAccount1Client.send(new CreateRoleCommand({
324318
RoleName: roleName,
325319
AssumeRolePolicyDocument: trustPolicy,
326-
}, next),
327-
next => iamAccount1Client.createPolicy({
320+
}));
321+
322+
const res = await iamAccount1Client.send(new CreatePolicyCommand({
328323
PolicyName: policyName,
329324
PolicyDocument: JSON.stringify(test.policy),
330-
}, (err, res) => {
331-
if (err) {
332-
return done(err);
333-
}
334-
policyArn = res.Policy.Arn;
335-
return iamAccount1Client.attachRolePolicy({
336-
RoleName: roleName,
337-
PolicyArn: policyArn,
338-
}, next);
339-
}),
325+
}));
326+
policyArn = res.Policy.Arn;
327+
await iamAccount1Client.send(new AttachRolePolicyCommand({
328+
RoleName: roleName,
329+
PolicyArn: policyArn,
330+
}));
331+
340332
// user under account2 assume the role under account1
341-
next => stsClient.assumeRole({
333+
const assumeRoleRes = await stsClient.send(new AssumeRoleCommand({
342334
RoleArn: `arn:aws:iam::${iamAccount1Id}:role/${roleName}`,
343335
RoleSessionName: 'test-session',
344-
}, (err, res) => {
345-
if (err) {
346-
return done(err);
347-
}
348-
const sessionUserCredentials = {
349-
accessKeyId: res.Credentials.AccessKeyId,
350-
secretAccessKey: res.Credentials.SecretAccessKey,
351-
sessionToken: res.Credentials.SessionToken,
352-
};
353-
return async.eachOf(test.buckets, (bucket, idx, eachCb) => {
354-
// make request on specific buckets using session user's credentials
355-
// and see if can get the correct response
356-
testAPI.checkResponse(sessionUserCredentials, bucket, (err, res) => {
357-
if (err) {
358-
assert.ifError(err);
359-
return done(err);
360-
}
361-
test.assertions[idx](res);
362-
return eachCb();
363-
}, 'file1');
364-
}, next);
365-
})], err => cleanUp(roleName, policyArn, err, done));
336+
}));
337+
338+
const sessionUserCredentials = {
339+
accessKeyId: assumeRoleRes.Credentials.AccessKeyId,
340+
secretAccessKey: assumeRoleRes.Credentials.SecretAccessKey,
341+
sessionToken: assumeRoleRes.Credentials.SessionToken,
342+
};
343+
344+
// Test each bucket
345+
const results = await Promise.all(test.buckets.map(bucket => new Promise((resolve, reject) => {
346+
// make request on specific buckets using session user's credentials
347+
// and see if can get the correct response
348+
testAPI.checkResponse(
349+
sessionUserCredentials,
350+
bucket,
351+
(err, res) => (err ? reject(err) : resolve(res)),
352+
'file1',
353+
);
354+
})));
355+
356+
results.forEach((result, idx) => {
357+
test.assertions[idx](result);
358+
});
359+
360+
await cleanUp(roleName, policyArn);
361+
} catch (err) {
362+
await cleanUp(roleName, policyArn, err);
363+
}
366364
},
367365
);
368366
});

0 commit comments

Comments
 (0)