From 427a222aa02eca40421dffa859d2f445c277a590 Mon Sep 17 00:00:00 2001
From: Macwan Nevil <macnev2013@gmail.com>
Date: Tue, 22 Sep 2020 17:13:59 +0530
Subject: [PATCH] feature added: support for api RolePermissionsBoundary
 (#3329)

* feature added: support for api PutUserPermissionsBoundary; DeleteRolePermissionsBoundary

* minor test fix

* lint fixed

* refractored test case

* Issue 3224 s3 copy glacier object (#3318)

* 3224 Enhancement - S3 Copy restored glacier objects

- adds setter for expiry date
- copy sets expiry date to none when source is glacier object
- throws error for copying glacier object only if not restored/still restoring

* 3224 Enhancement - S3 Copy restored glacier objects

- throws error for copying deep archive object only if not restored/still restoring

* Fix:s3 List Object response:delimiter  (#3254)

* Fix:s3 List Object delimiter in response

* fixed tests

* fixed failed tests

Co-authored-by: usmankb <usman@krazybee.com>

* feature added: support for api PutUserPermissionsBoundary; DeleteRolePermissionsBoundary

* minor test fix

* lint fixed

* refractored test case

* added test case for put role exception

Co-authored-by: ruthbovell <63656505+ruthbovell@users.noreply.github.com>
Co-authored-by: usmangani1 <sgosman_chem@yahoo.com>
Co-authored-by: usmankb <usman@krazybee.com>
---
 moto/iam/models.py         | 17 +++++++++++++++++
 moto/iam/responses.py      | 19 +++++++++++++++++++
 tests/test_iam/test_iam.py | 16 +++++++++++++---
 3 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/moto/iam/models.py b/moto/iam/models.py
index 617da69b..3e7b638b 100755
--- a/moto/iam/models.py
+++ b/moto/iam/models.py
@@ -1435,6 +1435,23 @@ class IAMBackend(BaseBackend):
         role.max_session_duration = max_session_duration
         return role
 
+    def put_role_permissions_boundary(self, role_name, permissions_boundary):
+        if permissions_boundary and not self.policy_arn_regex.match(
+            permissions_boundary
+        ):
+            raise RESTError(
+                "InvalidParameterValue",
+                "Value ({}) for parameter PermissionsBoundary is invalid.".format(
+                    permissions_boundary
+                ),
+            )
+        role = self.get_role(role_name)
+        role.permissions_boundary = permissions_boundary
+
+    def delete_role_permissions_boundary(self, role_name):
+        role = self.get_role(role_name)
+        role.permissions_boundary = None
+
     def detach_role_policy(self, policy_arn, role_name):
         arns = dict((p.arn, p) for p in self.managed_policies.values())
         try:
diff --git a/moto/iam/responses.py b/moto/iam/responses.py
index 6f785f8a..88ab9aef 100644
--- a/moto/iam/responses.py
+++ b/moto/iam/responses.py
@@ -265,6 +265,19 @@ class IamResponse(BaseResponse):
         template = self.response_template(UPDATE_ROLE_TEMPLATE)
         return template.render(role=role)
 
+    def put_role_permissions_boundary(self):
+        permissions_boundary = self._get_param("PermissionsBoundary")
+        role_name = self._get_param("RoleName")
+        iam_backend.put_role_permissions_boundary(role_name, permissions_boundary)
+        template = self.response_template(GENERIC_EMPTY_TEMPLATE)
+        return template.render(name="PutRolePermissionsBoundary")
+
+    def delete_role_permissions_boundary(self):
+        role_name = self._get_param("RoleName")
+        iam_backend.delete_role_permissions_boundary(role_name)
+        template = self.response_template(GENERIC_EMPTY_TEMPLATE)
+        return template.render(name="DeleteRolePermissionsBoundary")
+
     def create_policy_version(self):
         policy_arn = self._get_param("PolicyArn")
         policy_document = self._get_param("PolicyDocument")
@@ -1315,6 +1328,12 @@ GET_ROLE_TEMPLATE = """<GetRoleResponse xmlns="https://iam.amazonaws.com/doc/201
       <CreateDate>{{ role.created_iso_8601 }}</CreateDate>
       <RoleId>{{ role.id }}</RoleId>
       <MaxSessionDuration>{{ role.max_session_duration }}</MaxSessionDuration>
+      {% if role.permissions_boundary %}
+      <PermissionsBoundary>
+          <PermissionsBoundaryType>PermissionsBoundaryPolicy</PermissionsBoundaryType>
+          <PermissionsBoundaryArn>{{ role.permissions_boundary }}</PermissionsBoundaryArn>
+      </PermissionsBoundary>
+      {% endif %}
       {% if role.tags %}
       <Tags>
         {% for tag in role.get_tags() %}
diff --git a/tests/test_iam/test_iam.py b/tests/test_iam/test_iam.py
index e1bc93d5..e9d5e8a4 100644
--- a/tests/test_iam/test_iam.py
+++ b/tests/test_iam/test_iam.py
@@ -869,9 +869,7 @@ def test_list_access_keys():
     conn = boto3.client("iam", region_name="us-east-1")
     conn.create_user(UserName="my-user")
     response = conn.list_access_keys(UserName="my-user")
-    assert_equals(
-        response["AccessKeyMetadata"], [],
-    )
+    assert_equals(response["AccessKeyMetadata"], [])
     access_key = conn.create_access_key(UserName="my-user")["AccessKey"]
     response = conn.list_access_keys(UserName="my-user")
     assert_equals(
@@ -2377,7 +2375,19 @@ def test_create_role_with_permissions_boundary():
     resp.get("Role").get("PermissionsBoundary").should.equal(expected)
     resp.get("Role").get("Description").should.equal("test")
 
+    conn.delete_role_permissions_boundary(RoleName="my-role")
+    conn.list_roles().get("Roles")[0].should_not.have.key("PermissionsBoundary")
+
+    conn.put_role_permissions_boundary(RoleName="my-role", PermissionsBoundary=boundary)
+    resp.get("Role").get("PermissionsBoundary").should.equal(expected)
+
     invalid_boundary_arn = "arn:aws:iam::123456789:not_a_boundary"
+
+    with assert_raises(ClientError):
+        conn.put_role_permissions_boundary(
+            RoleName="my-role", PermissionsBoundary=invalid_boundary_arn
+        )
+
     with assert_raises(ClientError):
         conn.create_role(
             RoleName="bad-boundary",