fix up

Signed-off-by: Mahesh Shetty <[email protected]>
red-hat-storage · Jul 19, 2024 · d1ebe40 · d1ebe40
1 parent da4fd7b
commit d1ebe40
Show file tree

Hide file tree

Showing 3 changed files with 82 additions and 8 deletions.
diff --git a/ocs_ci/ocs/bucket_utils.py b/ocs_ci/ocs/bucket_utils.py
@@ -2785,6 +2785,9 @@ def sts_assume_role(
         access_key_id_assumed_user (str): Access key id of the assumed user
         mcg_obj (MCG): MCG object
         signed_request_creds (dict): a dictionary containing AWS S3 creds for a signed request
+    Returns:
+        Dict: Representing the output of the command which on successful execution
+        consists of new credentials
 
     """
     if not role_session_name:
@@ -2796,7 +2799,7 @@ def sts_assume_role(
     cmd = craft_sts_command(
         cmd, mcg_obj=mcg_obj, signed_request_creds=signed_request_creds
     )
-    pod_obj.exec_cmd_on_pod(command=cmd, out_yaml_format=False)
+    return pod_obj.exec_cmd_on_pod(command=cmd)
 
 
 def s3_create_bucket(s3_obj, bucket_name, s3_client=None):

diff --git a/ocs_ci/ocs/resources/mcg.py b/ocs_ci/ocs/resources/mcg.py
@@ -1137,3 +1137,33 @@ def remove_sts_role(self, account_id):
         self.exec_mcg_cmd(
             cmd=cmd,
         )
+
+    def create_s3client_assumed_role(self, sts_assume_role_creds):
+        """
+        Create a s3 client from the credential generated
+        for the assumed role
+
+        Args:
+            sts_assume_role_creds (dict): Credentials generated during the `aws sts assume-role` operation
+
+        """
+        self.assumed_access_key_id = sts_assume_role_creds.get("Credentials").get(
+            "AccessKeyId"
+        )
+        self.assumed_access_key = sts_assume_role_creds.get("Credentials").get(
+            "SecretAccessKey"
+        )
+        self.assumed_session_token = sts_assume_role_creds.get("Credentials").get(
+            "SessionToken"
+        )
+
+        self.assumed_s3_resource = boto3.resource(
+            "s3",
+            verify=retrieve_verification_mode(),
+            endpoint_url=self.s3_endpoint,
+            aws_access_key_id=self.assumed_access_key_id,
+            aws_secret_access_key=self.assumed_access_key,
+            aws_session_token=self.assumed_session_token,
+        )
+
+        self.assumed_s3_client = self.assumed_s3_resource.meta.client
diff --git a/tests/functional/object/mcg/test_sts_client.py b/tests/functional/object/mcg/test_sts_client.py
@@ -84,14 +84,47 @@ def teardown():
     return factory
 
 
+@pytest.fixture()
+def new_bucket(request, mcg_obj_session):
+    """
+    Create new bucket using s3
+
+    """
+    buckets_created = []
+
+    def factory(bucket_name, s3_client=None):
+        bucket_obj = {
+            "s3client": s3_client,
+            "bucket": bucket_name,
+            "mcg": mcg_obj_session,
+        }
+        buckets_created.append(bucket_obj)
+        s3_create_bucket(mcg_obj_session, bucket_name, s3_client)
+        logger.info(f"Created new-bucket {bucket_name}")
+
+    def finalizer():
+        """
+        Cleanup the created bucket
+
+        """
+        for bucket in buckets_created:
+            s3_delete_bucket(
+                bucket.get("mcg"), bucket.get("bucket"), bucket.get("s3client")
+            )
+            logger.info(f"Deleted the bucket {bucket}")
+
+    request.addfinalizer(finalizer)
+    return factory
+
+
 class TestSTSClient:
     def test_sts_assume_role(
         self,
         mcg_obj_session,
         awscli_pod_session,
         nb_account_factory,
         nb_assign_user_role_fixture,
-        bucket_factory,
+        new_bucket,
     ):
         """
         Test sts support for Noobaa clients.
@@ -105,8 +138,7 @@ def test_sts_assume_role(
         """
         # create a bucket using noobaa admin creds
         bucket_1 = "first-bucket"
-        bucket_factory()
-        s3_create_bucket(mcg_obj_session, bucket_1)
+        new_bucket(bucket_1)
         logger.info(f"Created bucket {bucket_1}")
 
         # create noobaa account
@@ -127,18 +159,27 @@ def test_sts_assume_role(
         logger.info(f"Assigned the assume role policy to the user {user_name}")
 
         # noobaa admin assumes the above role
-        sts_assume_role(
+        creds_generated = sts_assume_role(
             awscli_pod_session,
             role_name,
             nb_user_access_key_id,
             mcg_obj=mcg_obj_session,
         )
-        logger.info(f"Nooba admin user assumed the role of user {user_name}")
+        mcg_obj_session.create_s3client_assumed_role(creds_generated)
+        logger.info(creds_generated)
 
         # perform io to validate the role assumption
         bucket_2 = "second-bucket"
-        s3_create_bucket(mcg_obj_session, bucket_2)
-        s3_delete_bucket(mcg_obj_session, bucket_1)
+        try:
+            new_bucket(bucket_2, mcg_obj_session.assumed_s3_client)
+            assert (
+                False
+            ), "Bucket was created even though assumed role user doesnt have ability to create new bucket"
+        except Exception as err:
+            if "AccessDenied" not in err.args[0]:
+                raise
+            logger.info("Bucket creation failed as expected")
+        s3_delete_bucket(mcg_obj_session, bucket_1, mcg_obj_session.assumed_s3_client)
         logger.info(f"Deleted bucket {bucket_1}")
 
         # remove the role from the user