iam: test managed user policy
authorCasey Bodley <cbodley@redhat.com>
Sun, 4 Feb 2024 23:06:39 +0000 (18:06 -0500)
committerCasey Bodley <cbodley@redhat.com>
Tue, 16 Apr 2024 15:24:49 +0000 (11:24 -0400)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit c6e40b4ffa4e216d9e07a5f6a97c3c1275c3e389)

s3tests_boto3/functional/test_iam.py

index 1e09a5e973b2ce4c577072c2baafab0e0b70169b..1eeb4e30f0d5ad1d036c1a066d27ec5c663fb008 100644 (file)
@@ -888,6 +888,15 @@ def nuke_user_policies(client, name):
             except:
                 pass
 
+def nuke_attached_user_policies(client, name):
+    p = client.get_paginator('list_attached_user_policies')
+    for response in p.paginate(UserName=name):
+        for policy in response['AttachedPolicies']:
+            try:
+                client.detach_user_policy(UserName=name, PolicyArn=policy['PolicyArn'])
+            except:
+                pass
+
 def nuke_user(client, name):
     # delete access keys, user policies, etc
     try:
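Review bot: The bare `except:` around detach_user_policy in nuke_attached_user_policies also swallows KeyboardInterrupt and SystemExit, so an interrupted teardown keeps looping over the remaining pages instead of stopping; the same bare `except:` wraps the new call in nuke_user in the next hunk. This follows the existing style of nuke_user_policies just above, but the new code could at least narrow to `except Exception:`, or to the one error that is expected when a policy vanished between list and detach, `except client.exceptions.NoSuchEntityException:`. A detach that fails for any other reason leaves the policy attached, and judging by the DeleteConflictException asserted later in this commit that would resurface at the delete_user call in nuke_user rather than here; a comment such as `# best effort: a missed detach shows up as a DeleteConflict on delete_user` would make the tolerance intentional rather than accidental.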
@@ -898,6 +907,10 @@ def nuke_user(client, name):
         nuke_user_policies(client, name)
     except:
         pass
+    try:
+        nuke_attached_user_policies(client, name)
+    except:
+        pass
     client.delete_user(UserName=name)
 
 def nuke_users(client, **kwargs):
@@ -1407,6 +1420,63 @@ def test_account_user_policy(iam_root):
     response = iam_root.list_user_policies(UserName=name)
     assert [] == response['PolicyNames']
 
+@pytest.mark.user_policy
+@pytest.mark.iam_account
+def test_account_user_policy_managed(iam_root):
+    path = get_iam_path_prefix()
+    name = make_iam_name('name')
+    policy1 = 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
+    policy2 = 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'
+
+    # Attach/Detach/List fail on nonexistent UserName
+    with pytest.raises(iam_root.exceptions.NoSuchEntityException):
+        iam_root.attach_user_policy(UserName=name, PolicyArn=policy1)
+    with pytest.raises(iam_root.exceptions.NoSuchEntityException):
+        iam_root.detach_user_policy(UserName=name, PolicyArn=policy1)
+    with pytest.raises(iam_root.exceptions.NoSuchEntityException):
+        iam_root.list_attached_user_policies(UserName=name)
+
+    iam_root.create_user(UserName=name, Path=path)
+
+    # Detach fails on unattached PolicyArn
+    with pytest.raises(iam_root.exceptions.NoSuchEntityException):
+        iam_root.detach_user_policy(UserName=name, PolicyArn=policy1)
+
+    iam_root.attach_user_policy(UserName=name, PolicyArn=policy1)
+    iam_root.attach_user_policy(UserName=name, PolicyArn=policy1)
+
+    response = iam_root.list_attached_user_policies(UserName=name)
+    assert len(response['AttachedPolicies']) == 1
+    assert 'AmazonS3FullAccess' == response['AttachedPolicies'][0]['PolicyName']
+    assert policy1 == response['AttachedPolicies'][0]['PolicyArn']
+
+    iam_root.attach_user_policy(UserName=name, PolicyArn=policy2)
+
+    response = iam_root.list_attached_user_policies(UserName=name)
+    policies = response['AttachedPolicies']
+    assert len(policies) == 2
+    names = [p['PolicyName'] for p in policies]
+    arns = [p['PolicyArn'] for p in policies]
+    assert 'AmazonS3FullAccess' in names
+    assert policy1 in arns
+    assert 'AmazonS3ReadOnlyAccess' in names
+    assert policy2 in arns
+
+    iam_root.detach_user_policy(UserName=name, PolicyArn=policy2)
+
+    # Detach fails after Detach
+    with pytest.raises(iam_root.exceptions.NoSuchEntityException):
+        iam_root.detach_user_policy(UserName=name, PolicyArn=policy2)
+
+    response = iam_root.list_attached_user_policies(UserName=name)
+    assert len(response['AttachedPolicies']) == 1
+    assert 'AmazonS3FullAccess' == response['AttachedPolicies'][0]['PolicyName']
+    assert policy1 == response['AttachedPolicies'][0]['PolicyArn']
+
+    # DeleteUser fails while policies are still attached
+    with pytest.raises(iam_root.exceptions.DeleteConflictException):
+        iam_root.delete_user(UserName=name)
+
 @pytest.mark.user_policy
 @pytest.mark.iam_account
 def test_account_user_policy_allow(iam_root):
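Review bot: The two-policy check after the second attach asserts names and ARNs as independent lists, so a response that paired AmazonS3FullAccess with policy2's ARN would still pass; comparing the pairs is tighter and shorter: `assert {('AmazonS3FullAccess', policy1), ('AmazonS3ReadOnlyAccess', policy2)} == {(p['PolicyName'], p['PolicyArn']) for p in policies}`. The back-to-back attach_user_policy calls with policy1 are the point of the following `len(...) == 1` assertion but read like a copy-paste; a comment `# attaching the same PolicyArn twice is idempotent` would keep that intent from being "fixed" later. The test ends with policy1 still attached and the user not deleted, presumably leaving cleanup to the iam_root fixture's nuke path that this commit extends with nuke_attached_user_policies; stating that in a trailing comment would save the next reader a search.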