Fixed some IAM APIs for tagging and role descriptions

2019-08-21 12:24:23 -07:00 · 2019-08-21 12:24:23 -07:00 · 38866bfcef
commit 38866bfcef
parent 1de371ca76
3 changed files with 136 additions and 24 deletions
--- a/moto/iam/models.py
+++ b/moto/iam/models.py
@ -161,7 +161,7 @@ class InlinePolicy(Policy):

 class Role(BaseModel):

-    def __init__(self, role_id, name, assume_role_policy_document, path, permissions_boundary):
+    def __init__(self, role_id, name, assume_role_policy_document, path, permissions_boundary, description, tags):
        self.id = role_id
        self.name = name
        self.assume_role_policy_document = assume_role_policy_document
@ -169,8 +169,8 @@ class Role(BaseModel):
        self.policies = {}
        self.managed_policies = {}
        self.create_date = datetime.utcnow()
-        self.tags = {}
-        self.description = ""
+        self.tags = tags
+        self.description = description
        self.permissions_boundary = permissions_boundary

    @property
@ -185,7 +185,9 @@ class Role(BaseModel):
            role_name=resource_name,
            assume_role_policy_document=properties['AssumeRolePolicyDocument'],
            path=properties.get('Path', '/'),
-            permissions_boundary=properties.get('PermissionsBoundary', '')
+            permissions_boundary=properties.get('PermissionsBoundary', ''),
+            description=properties.get('Description', ''),
+            tags=properties.get('Tags', {})
        )

        policies = properties.get('Policies', [])
@ -635,12 +637,13 @@ class IAMBackend(BaseBackend):

        return policies, marker

-    def create_role(self, role_name, assume_role_policy_document, path, permissions_boundary):
+    def create_role(self, role_name, assume_role_policy_document, path, permissions_boundary, description, tags):
        role_id = random_resource_id()
        if permissions_boundary and not self.policy_arn_regex.match(permissions_boundary):
            raise RESTError('InvalidParameterValue', 'Value ({}) for parameter PermissionsBoundary is invalid.'.format(permissions_boundary))

-        role = Role(role_id, role_name, assume_role_policy_document, path, permissions_boundary)
+        clean_tags = self._tag_verification(tags)
+        role = Role(role_id, role_name, assume_role_policy_document, path, permissions_boundary, description, clean_tags)
        self.roles[role_id] = role
        return role

@ -691,6 +694,23 @@ class IAMBackend(BaseBackend):
        role = self.get_role(role_name)
        return role.policies.keys()

+    def _tag_verification(self, tags):
+        if len(tags) > 50:
+            raise TooManyTags(tags)
+
+        tag_keys = {}
+        for tag in tags:
+            # Need to index by the lowercase tag key since the keys are case insensitive, but their case is retained.
+            ref_key = tag['Key'].lower()
+            self._check_tag_duplicate(tag_keys, ref_key)
+            self._validate_tag_key(tag['Key'])
+            if len(tag['Value']) > 256:
+                raise TagValueTooBig(tag['Value'])
+
+            tag_keys[ref_key] = tag
+
+        return tag_keys
+
    def _validate_tag_key(self, tag_key, exception_param='tags.X.member.key'):
        """Validates the tag key.

@ -740,23 +760,9 @@ class IAMBackend(BaseBackend):
        return tags, marker

    def tag_role(self, role_name, tags):
-        if len(tags) > 50:
-            raise TooManyTags(tags)
-
+        clean_tags = self._tag_verification(tags)
        role = self.get_role(role_name)
-
-        tag_keys = {}
-        for tag in tags:
-            # Need to index by the lowercase tag key since the keys are case insensitive, but their case is retained.
-            ref_key = tag['Key'].lower()
-            self._check_tag_duplicate(tag_keys, ref_key)
-            self._validate_tag_key(tag['Key'])
-            if len(tag['Value']) > 256:
-                raise TagValueTooBig(tag['Value'])
-
-            tag_keys[ref_key] = tag
-
-        role.tags.update(tag_keys)
+        role.tags.update(clean_tags)

    def untag_role(self, role_name, tag_keys):
        if len(tag_keys) > 50:
--- a/moto/iam/responses.py
+++ b/moto/iam/responses.py
@ -178,9 +178,11 @@ class IamResponse(BaseResponse):
            'AssumeRolePolicyDocument')
        permissions_boundary = self._get_param(
            'PermissionsBoundary')
+        description = self._get_param('Description')
+        tags = self._get_multi_param('Tags.member')

        role = iam_backend.create_role(
-            role_name, assume_role_policy_document, path, permissions_boundary)
+            role_name, assume_role_policy_document, path, permissions_boundary, description, tags)
        template = self.response_template(CREATE_ROLE_TEMPLATE)
        return template.render(role=role)

@ -1002,6 +1004,7 @@ CREATE_ROLE_TEMPLATE = """<CreateRoleResponse xmlns="https://iam.amazonaws.com/d
      <Arn>{{ role.arn }}</Arn>
      <RoleName>{{ role.name }}</RoleName>
      <AssumeRolePolicyDocument>{{ role.assume_role_policy_document }}</AssumeRolePolicyDocument>
+      <Description>{{role.description}}</Description>
      <CreateDate>{{ role.created_iso_8601 }}</CreateDate>
      <RoleId>{{ role.id }}</RoleId>
      {% if role.permissions_boundary %}
@ -1010,6 +1013,16 @@ CREATE_ROLE_TEMPLATE = """<CreateRoleResponse xmlns="https://iam.amazonaws.com/d
          <PermissionsBoundaryArn>{{ role.permissions_boundary }}</PermissionsBoundaryArn>
      </PermissionsBoundary>
      {% endif %}
+      {% if role.tags %}
+      <Tags>
+        {% for tag in role.get_tags() %}
+        <member>
+            <Key>{{ tag['Key'] }}</Key>
+            <Value>{{ tag['Value'] }}</Value>
+        </member>
+        {% endfor %}
+      </Tags>
+      {% endif %}
    </Role>
  </CreateRoleResult>
  <ResponseMetadata>
@ -1043,6 +1056,7 @@ UPDATE_ROLE_DESCRIPTION_TEMPLATE = """<UpdateRoleDescriptionResponse xmlns="http
      <Arn>{{ role.arn }}</Arn>
      <RoleName>{{ role.name }}</RoleName>
      <AssumeRolePolicyDocument>{{ role.assume_role_policy_document }}</AssumeRolePolicyDocument>
+      <Description>{{role.description}}</Description>
      <CreateDate>{{ role.created_iso_8601 }}</CreateDate>
      <RoleId>{{ role.id }}</RoleId>
      {% if role.tags %}
@ -1069,6 +1083,7 @@ GET_ROLE_TEMPLATE = """<GetRoleResponse xmlns="https://iam.amazonaws.com/doc/201
      <Arn>{{ role.arn }}</Arn>
      <RoleName>{{ role.name }}</RoleName>
      <AssumeRolePolicyDocument>{{ role.assume_role_policy_document }}</AssumeRolePolicyDocument>
+      <Description>{{role.description}}</Description>
      <CreateDate>{{ role.created_iso_8601 }}</CreateDate>
      <RoleId>{{ role.id }}</RoleId>
      {% if role.tags %}
@ -1759,8 +1774,15 @@ GET_ACCOUNT_AUTHORIZATION_DETAILS_TEMPLATE = """<GetAccountAuthorizationDetailsR
                <Arn>{{ role.arn }}</Arn>
                <RoleName>{{ role.name }}</RoleName>
                <AssumeRolePolicyDocument>{{ role.assume_role_policy_document }}</AssumeRolePolicyDocument>
+                <Description>{{role.description}}</Description>
                <CreateDate>{{ role.created_iso_8601 }}</CreateDate>
                <RoleId>{{ role.id }}</RoleId>
+                {% if role.permissions_boundary %}
+                <PermissionsBoundary>
+                  <PermissionsBoundaryType>PermissionsBoundaryPolicy</PermissionsBoundaryType>
+                  <PermissionsBoundaryArn>{{ role.permissions_boundary }}</PermissionsBoundaryArn>
+                </PermissionsBoundary>
+                {% endif %}
              </member>
              {% endfor %}
            </Roles>