-
Notifications
You must be signed in to change notification settings - Fork 22
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
OCM-2373 | feat: Moved associated to GetRole function to common
- Loading branch information
den-rgb
committed
Oct 16, 2023
1 parent
f1f61c8
commit 51d4b35
Showing
8 changed files
with
336 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| package validations | ||
|
|
||
| import ( | ||
| "fmt" | ||
| "github.com/aws/aws-sdk-go/service/iam" | ||
| "github.com/aws/aws-sdk-go/aws" | ||
| "github.com/openshift/rosa/pkg/aws/tags" | ||
| semver "github.com/hashicorp/go-version" | ||
| ) | ||
|
|
||
| func GetRoleName(prefix string, role string) string { | ||
| name := fmt.Sprintf("%s-%s-Role", prefix, role) | ||
| if len(name) > 64 { | ||
| name = name[0:64] | ||
| } | ||
| return name | ||
| } | ||
|
|
||
| func IsManagedRole(roleTags []*iam.Tag) bool { | ||
| for _, tag := range roleTags { | ||
| if aws.StringValue(tag.Key) == tags.ManagedPolicies && aws.StringValue(tag.Value) == "true" { | ||
| return true | ||
| } | ||
| } | ||
|
|
||
| return false | ||
| } | ||
|
|
||
| func HasCompatibleVersionTags(iamTags []*iam.Tag, version string) (bool, error) { | ||
| if len(iamTags) == 0 { | ||
| return false, nil | ||
| } | ||
| for _, tag := range iamTags { | ||
| if aws.StringValue(tag.Key) == tags.OpenShiftVersion { | ||
| if version == aws.StringValue(tag.Value) { | ||
| return true, nil | ||
| } | ||
| wantedVersion, err := semver.NewVersion(version) | ||
| if err != nil { | ||
| return false, err | ||
| } | ||
| currentVersion, err := semver.NewVersion(aws.StringValue(tag.Value)) | ||
| if err != nil { | ||
| return false, err | ||
| } | ||
| return currentVersion.GreaterThanOrEqual(wantedVersion), nil | ||
| } | ||
| } | ||
| return false, nil | ||
| } | ||
|
|
||
| func IamResourceHasTag(iamTags []*iam.Tag, tagKey string, tagValue string) bool { | ||
| for _, tag := range iamTags { | ||
| if aws.StringValue(tag.Key) == tagKey && aws.StringValue(tag.Value) == tagValue { | ||
| return true | ||
| } | ||
| } | ||
|
|
||
| return false | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,145 @@ | ||
| package validations | ||
|
|
||
| import ( | ||
| "fmt" | ||
| "github.com/aws/aws-sdk-go/service/iam" | ||
| "github.com/aws/aws-sdk-go/aws" | ||
| "github.com/openshift/rosa/pkg/aws/tags" | ||
|
|
||
| . "github.com/onsi/ginkgo/v2" | ||
| . "github.com/onsi/gomega" | ||
| ) | ||
|
|
||
| var _ = Describe("AWS IAM Functions", func() { | ||
| Describe("GetRoleName", func() { | ||
| It("should generate a role name with the given prefix and role name", func() { | ||
| prefix := "myPrefix" | ||
| roleName := "myRole" | ||
| expectedName := fmt.Sprintf("%s-%s-Role", prefix, roleName) | ||
|
|
||
| name := GetRoleName(prefix, roleName) | ||
|
|
||
| Expect(name).To(Equal(expectedName)) | ||
| }) | ||
|
|
||
| It("should truncate the generated name if it exceeds 64 characters", func() { | ||
| prefix := "myPrefix" | ||
| roleName := "myVeryLongRoleNameThatExceedsSixtyFourCharacters123456" | ||
| expectedName := "myPrefix-myVeryLongRoleNameThatExceedsSixtyFourCharacters123456-" | ||
|
|
||
| name := GetRoleName(prefix, roleName) | ||
|
|
||
| Expect(name).To(Equal(expectedName)) | ||
| }) | ||
| }) | ||
|
|
||
| Describe("isManagedRole", func() { | ||
| It("should return true if the 'ManagedPolicies' tag has the value 'true'", func() { | ||
| roleTags := []*iam.Tag{ | ||
| &iam.Tag{Key: aws.String(tags.ManagedPolicies), Value: aws.String("true")}, | ||
| } | ||
|
|
||
| result := IsManagedRole(roleTags) | ||
|
|
||
| Expect(result).To(BeTrue()) | ||
| }) | ||
|
|
||
| It("should return false if the 'ManagedPolicies' tag does not have the value 'true'", func() { | ||
| roleTags := []*iam.Tag{ | ||
| &iam.Tag{Key: aws.String(tags.ManagedPolicies), Value: aws.String("false")}, | ||
| } | ||
|
|
||
| result := IsManagedRole(roleTags) | ||
|
|
||
| Expect(result).To(BeFalse()) | ||
| }) | ||
|
|
||
| It("should return false if the 'ManagedPolicies' tag is not present", func() { | ||
| roleTags := []*iam.Tag{ | ||
| &iam.Tag{Key: aws.String("SomeOtherTag"), Value: aws.String("true")}, | ||
| } | ||
|
|
||
| result := IsManagedRole(roleTags) | ||
|
|
||
| Expect(result).To(BeFalse()) | ||
| }) | ||
| }) | ||
|
|
||
| var _ = Describe("HasCompatibleVersionTags", func() { | ||
| var iamTags []*iam.Tag | ||
|
|
||
| BeforeEach(func() { | ||
| iamTags = []*iam.Tag{ | ||
| &iam.Tag{Key: aws.String(tags.OpenShiftVersion), Value: aws.String("1.2.3")}, | ||
| &iam.Tag{Key: aws.String("SomeOtherTag"), Value: aws.String("value")}, | ||
| } | ||
| }) | ||
|
|
||
| It("should return true if the version tag matches the provided version", func() { | ||
| version := "1.2.3" | ||
|
|
||
| result, err := HasCompatibleVersionTags(iamTags, version) | ||
|
|
||
| Expect(result).To(BeTrue()) | ||
| Expect(err).To(BeNil()) | ||
| }) | ||
|
|
||
| It("should return false if the version tag does not match the provided version", func() { | ||
| version := "2.0.0" | ||
|
|
||
| result, err := HasCompatibleVersionTags(iamTags, version) | ||
|
|
||
| Expect(result).To(BeFalse()) | ||
| Expect(err).To(BeNil()) | ||
| }) | ||
|
|
||
| It("should return false if the version tag is not present", func() { | ||
| version := "1.2.3" | ||
| iamTags = []*iam.Tag{ | ||
| &iam.Tag{Key: aws.String("SomeOtherTag"), Value: aws.String("value")}, | ||
| } | ||
|
|
||
| result, err := HasCompatibleVersionTags(iamTags, version) | ||
|
|
||
| Expect(result).To(BeFalse()) | ||
| Expect(err).To(BeNil()) | ||
| }) | ||
|
|
||
| It("should return an error if the provided version is not a valid semantic version", func() { | ||
| version := "invalid-version" | ||
|
|
||
| result, err := HasCompatibleVersionTags(iamTags, version) | ||
|
|
||
| Expect(result).To(BeFalse()) | ||
| Expect(err).ToNot(BeNil()) | ||
| }) | ||
| }) | ||
|
|
||
| var _ = Describe("IamResourceHasTag", func() { | ||
| It("should return true if the tag with the specified key and value exists", func() { | ||
| iamTags := []*iam.Tag{ | ||
| &iam.Tag{Key: aws.String("Tag1"), Value: aws.String("Value1")}, | ||
| &iam.Tag{Key: aws.String("Tag2"), Value: aws.String("Value2")}, | ||
| } | ||
| tagKey := "Tag1" | ||
| tagValue := "Value1" | ||
|
|
||
| result := IamResourceHasTag(iamTags, tagKey, tagValue) | ||
|
|
||
| Expect(result).To(BeTrue()) | ||
| }) | ||
|
|
||
| It("should return false if the tag with the specified key and value does not exist", func() { | ||
| iamTags := []*iam.Tag{ | ||
| &iam.Tag{Key: aws.String("Tag1"), Value: aws.String("Value1")}, | ||
| &iam.Tag{Key: aws.String("Tag2"), Value: aws.String("Value2")}, | ||
| } | ||
| tagKey := "Tag3" | ||
| tagValue := "Value3" | ||
|
|
||
| result := IamResourceHasTag(iamTags, tagKey, tagValue) | ||
|
|
||
| Expect(result).To(BeFalse()) | ||
| }) | ||
| }) | ||
| }) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| package validations | ||
|
|
||
| import ( | ||
| "testing" | ||
|
|
||
| . "github.com/onsi/ginkgo/v2" | ||
| . "github.com/onsi/gomega" | ||
| ) | ||
|
|
||
| func TestValidation(t *testing.T) { | ||
| RegisterFailHandler(Fail) | ||
| RunSpecs(t, "Validations Suite") | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| package validations | ||
|
|
||
| import ( | ||
| "net/url" | ||
| "strings" | ||
|
|
||
| errors "github.com/zgalor/weberr" | ||
| ) | ||
|
|
||
| func ValidateIssuerUrlMatchesAssumePolicyDocument( | ||
| roleArn string, parsedUrl *url.URL, assumePolicyDocument string) error { | ||
| issuerUrl := parsedUrl.Host | ||
| if parsedUrl.Path != "" { | ||
| issuerUrl += parsedUrl.Path | ||
| } | ||
| decodedAssumePolicyDocument, err := url.QueryUnescape(assumePolicyDocument) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| if !strings.Contains(decodedAssumePolicyDocument, issuerUrl) { | ||
| return errors.Errorf("Operator role '%s' does not have trusted relationship to '%s' issuer URL", | ||
| roleArn, issuerUrl) | ||
| } | ||
| return nil | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| package validations | ||
|
|
||
| import ( | ||
| "net/url" | ||
|
|
||
| . "github.com/onsi/ginkgo/v2" | ||
| . "github.com/onsi/gomega" | ||
| ) | ||
|
|
||
| var _ = Describe("validateIssuerUrlMatchesAssumePolicyDocument", func() { | ||
| It("should return nil if the issuer URL is present in the assume policy document", func() { | ||
| roleArn := "arn:aws:iam::123456789012:role/OperatorRole" | ||
| parsedUrl, _ := url.Parse("https://example.com/path") | ||
| assumePolicyDocument := "some document with https://example.com/path in it" | ||
|
|
||
| err := ValidateIssuerUrlMatchesAssumePolicyDocument(roleArn, parsedUrl, assumePolicyDocument) | ||
|
|
||
| Expect(err).To(BeNil()) | ||
| }) | ||
|
|
||
| It("should return an error if the issuer URL is not present in the assume policy document", func() { | ||
| roleArn := "arn:aws:iam::123456789012:role/OperatorRole" | ||
| parsedUrl, _ := url.Parse("https://example.com/path") | ||
| assumePolicyDocument := "some document without the issuer URL" | ||
|
|
||
| err := ValidateIssuerUrlMatchesAssumePolicyDocument(roleArn, parsedUrl, assumePolicyDocument) | ||
|
|
||
| Expect(err).To(MatchError("Operator role 'arn:aws:iam::123456789012:role/OperatorRole' does not have trusted relationship to 'example.com/path' issuer URL")) | ||
| }) | ||
| }) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| package validations | ||
|
|
||
| import ( | ||
| "testing" | ||
|
|
||
| . "github.com/onsi/ginkgo/v2" | ||
| . "github.com/onsi/gomega" | ||
| ) | ||
|
|
||
| func TestValidations(t *testing.T) { | ||
| RegisterFailHandler(Fail) | ||
| RunSpecs(t, "Validations Suite") | ||
| } |