feat(aws): Add new S3 check for public access block configuration in access points (#4608)

Hugo Pereira Brito
2024-08-07 16:23:12 +02:00
committed by GitHub
parent 6c029a9d7d
commit 5ce54e5605
6 changed files with 600 additions and 37 deletions
@@ -1,5 +1,7 @@
import json
from unittest.mock import patch
import botocore
from boto3 import client
from moto import mock_aws
@@ -10,9 +12,27 @@ from tests.providers.aws.utils import (
set_mocked_aws_provider,
)
# Original botocore _make_api_call function
orig = botocore.client.BaseClient._make_api_call
# Mocked botocore _make_api_call function
def mock_make_api_call(self, operation_name, kwarg):
if operation_name == "ListAccessPoints":
return {
"AccessPointList": [
{
"Name": "test-access-point",
"Bucket": "test-bucket",
"AccessPointArn": f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:accesspoint/test-access-point",
}
]
}
return orig(self, operation_name, kwarg)
class Test_S3_Service:
# Test S3 Service
@mock_aws
def test_service(self):
@@ -47,7 +67,7 @@ class Test_S3_Service:
# Test S3 List Buckets
@mock_aws
def test__list_buckets__(self):
def test_list_buckets(self):
# Generate S3 Client
s3_client = client("s3")
# Create S3 Bucket
@@ -68,7 +88,7 @@ class Test_S3_Service:
# Test S3 Get Bucket Versioning
@mock_aws
def test__get_bucket_versioning__(self):
def test_get_bucket_versioning(self):
# Generate S3 Client
s3_client = client("s3")
# Create S3 Bucket
@@ -92,7 +112,7 @@ class Test_S3_Service:
# Test S3 Get Bucket ACL
@mock_aws
def test__get_bucket_acl__(self):
def test_get_bucket_acl(self):
s3_client = client("s3")
bucket_name = "test-bucket"
s3_client.create_bucket(Bucket=bucket_name)
@@ -131,7 +151,7 @@ class Test_S3_Service:
# Test S3 Get Bucket Logging
@mock_aws
def test__get_bucket_logging__(self):
def test_get_bucket_logging(self):
# Generate S3 Client
s3_client = client("s3")
# Create S3 Bucket
@@ -205,7 +225,7 @@ class Test_S3_Service:
# Test S3 Get Bucket Policy
@mock_aws
def test__get_bucket_policy__(self):
def test_get_bucket_policy(self):
s3_client = client("s3")
bucket_name = "test-bucket"
s3_client.create_bucket(Bucket=bucket_name)
@@ -226,7 +246,7 @@ class Test_S3_Service:
# Test S3 Get Bucket Encryption
@mock_aws
def test__get_bucket_encryption__(self):
def test_get_bucket_encryption(self):
# Generate S3 Client
s3_client = client("s3")
# Create S3 Bucket
@@ -259,7 +279,7 @@ class Test_S3_Service:
# Test S3 Get Bucket Ownership Controls
@mock_aws
def test__get_bucket_ownership_controls__(self):
def test_get_bucket_ownership_controls(self):
# Generate S3 Client
s3_client = client("s3")
# Create S3 Bucket
@@ -281,7 +301,7 @@ class Test_S3_Service:
# Test S3 Get Public Access Block
@mock_aws
def test__get_public_access_block__(self):
def test_get_public_access_block(self):
# Generate S3 Client
s3_client = client("s3")
# Create S3 Bucket
@@ -314,7 +334,7 @@ class Test_S3_Service:
# Test S3 Get Bucket Tagging
@mock_aws
def test__get_bucket_tagging__(self):
def test_get_bucket_tagging(self):
# Generate S3 Client
s3_client = client("s3")
# Create S3 Bucket
@@ -339,7 +359,7 @@ class Test_S3_Service:
# Test S3 Control Account Get Public Access Block
@mock_aws
def test__get_public_access_block__s3_control(self):
def test_get_public_access_blocks3_control(self):
# Generate S3Control Client
s3control_client = client("s3control", region_name=AWS_REGION_US_EAST_1)
s3control_client.put_public_access_block(
@@ -361,7 +381,7 @@ class Test_S3_Service:
# Test S3 Get Bucket Object Lock
@mock_aws
def test__get_object_lock_configuration__(self):
def test_get_object_lock_configuration(self):
# Generate S3 Client
s3_client = client("s3")
# Create S3 Bucket
@@ -382,3 +402,108 @@ class Test_S3_Service:
== f"arn:{aws_provider.identity.partition}:s3:::{bucket_name}"
)
assert s3.buckets[0].object_lock
# Test S3 List Access Points
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
@mock_aws
def test_list_access_points(self):
arn = f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:accesspoint/test-access-point"
# Generate S3 Client
s3_client = client("s3", region_name=AWS_REGION_US_EAST_1)
# Generate Bucket
s3_client.create_bucket(
Bucket="test-bucket", ObjectOwnership="BucketOwnerEnforced"
)
sse_config = {
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256",
}
}
]
}
s3_client.put_bucket_encryption(
Bucket="test-bucket", ServerSideEncryptionConfiguration=sse_config
)
# Generate S3Control Client
s3control_client = client("s3control", region_name=AWS_REGION_US_EAST_1)
s3control_client.create_access_point(
AccountId=AWS_ACCOUNT_NUMBER,
Name="test-access-point",
Bucket="test-bucket",
PublicAccessBlockConfiguration={
"BlockPublicAcls": True,
"IgnorePublicAcls": True,
"BlockPublicPolicy": True,
"RestrictPublicBuckets": True,
},
)
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
s3control = S3Control(aws_provider)
assert len(s3control.access_points) == 1
assert s3control.access_points[arn].account_id == AWS_ACCOUNT_NUMBER
assert s3control.access_points[arn].name == "test-access-point"
assert s3control.access_points[arn].bucket == "test-bucket"
assert s3control.access_points[arn].region == AWS_REGION_US_EAST_1
# Test S3 Get Access Point
@patch("botocore.client.BaseClient._make_api_call", new=mock_make_api_call)
@mock_aws
def test_get_access_point(self):
arn = f"arn:aws:s3:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:accesspoint/test-access-point"
# Generate S3 Client
s3_client = client("s3", region_name=AWS_REGION_US_EAST_1)
# Generate Bucket
s3_client.create_bucket(
Bucket="test-bucket", ObjectOwnership="BucketOwnerEnforced"
)
sse_config = {
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256",
}
}
]
}
s3_client.put_bucket_encryption(
Bucket="test-bucket", ServerSideEncryptionConfiguration=sse_config
)
# Generate S3Control Client
s3control_client = client("s3control", region_name=AWS_REGION_US_EAST_1)
s3control_client.create_access_point(
AccountId=AWS_ACCOUNT_NUMBER,
Name="test-access-point",
Bucket="test-bucket",
PublicAccessBlockConfiguration={
"BlockPublicAcls": True,
"IgnorePublicAcls": True,
"BlockPublicPolicy": True,
"RestrictPublicBuckets": True,
},
)
aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
s3control = S3Control(aws_provider)
assert len(s3control.access_points) == 1
assert s3control.access_points[arn].account_id == AWS_ACCOUNT_NUMBER
assert s3control.access_points[arn].name == "test-access-point"
assert s3control.access_points[arn].bucket == "test-bucket"
assert s3control.access_points[arn].region == AWS_REGION_US_EAST_1
assert s3control.access_points[arn].public_access_block
assert s3control.access_points[arn].public_access_block.block_public_acls
assert s3control.access_points[arn].public_access_block.ignore_public_acls
assert s3control.access_points[arn].public_access_block.block_public_policy
assert s3control.access_points[arn].public_access_block.restrict_public_buckets
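Review bot: Both new tests create the access point with all four `PublicAccessBlockConfiguration` flags set to `True` and assert only truthiness, so an `S3Control` parser that defaulted a missing or `False` flag to `True` would still pass `test_get_access_point`. Since the check exists to flag access points without a full public access block, I would add a case created with `"BlockPublicAcls": False` that asserts `public_access_block.block_public_acls is False`, and tighten the existing assertions to `is True`. The check-level tests in the other changed files may already cover the failing path, but they are not visible here. `test_list_access_points` also asserts name and bucket values that come straight from `mock_make_api_call`, so it verifies the mapping into `access_points` rather than the listing itself. In the rename hunks, `test_get_public_access_blocks3_control` lost the separator before `s3_control`; `test_get_public_access_block_s3_control` reads as intended.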