AWS::Logs::ResourcePolicy by jerry153fish · Pull Request #1936 · cloudtools/troposphere · GitHub
AWS::Logs::ResourcePolicy #1936

Ne 8000 w issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 17 additions & 1 deletion tests/test_logs.py
41 changes: 40 additions & 1 deletion troposphere/logs.py
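--- a/tests/test_logs.py
+++ b/tests/test_logs.py
@@ -1,7 +1,7 @@
 import unittest
 
 from troposphere import Retain
-from troposphere.logs import Destination, LogGroup
+from troposphere.logs import Destination, LogGroup, validate_resource_policy, LogResourcePolicy
 
 
 class TestLogs(unittest.TestCase):
@@ -35,6 +35,22 @@ def test_log_destination(self):
         self.assertIn("Type", log_destination_json)
         self.assertIn("Properties", log_destination_json)
 
+    def test_validate_resource_policy(self):
+        for s in ["{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Sid\": \"Route53LogsToCloudWatchLogs\", \"Effect\": \"Allow\", \"Principal\": { \"Service\": [ \"route53.amazonaws.com\" ] }, \"Action\":\"logs:PutLogEvents\", \"Resource\": \"logArn\" } ] }", {'Version': '2012-10-17', 'Statement': [{'Sid': 'Route53LogsToCloudWatchLogs', 'Effect': 'Allow', 'Principal': {'Service': ['route53.amazonaws.com']}, 'Action': 'logs:PutLogEvents', 'Resource': 'logArn'}]}]:
+            validate_resource_policy(s)
+            log_policy = LogResourcePolicy(
+                "TestLogPolicy",
+                PolicyName='TestLogPolicy',
+                PolicyDocument=s
+            )
+            expected = log_policy.to_dict()
+            properties = expected['Properties']
+            self.assertEqual(properties.get('PolicyDocument'), s)
+
+        for s in ["", "H"*5121, "TEXT", {}]:
+            with self.assertRaises(ValueError):
+                validate_resource_policy(s)
+
 
 if __name__ == "__main__":
     unittest.main()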
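Review bot: The rejection loop never exercises the 5120-character upper bound, because `"H"*5121` is not valid JSON and so is refused by the `json_checker` branch before the length comparison is reached; the only inputs that reach the size check are the short ones. Add an oversized but well-formed document, for example `{'Version': 'x' * 5200}` in the `assertRaises` list, so a regression in the limit itself is caught. A boundary-accept case of exactly 5120 serialized characters would pin the inclusive edge as well. The awacs policy types the reviewer mentioned are not covered here either, which the author's plan already acknowledges.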
@@ -1,6 +1,36 @@
from . import AWSObject, AWSProperty
from .compat import policytypes
from .constants import LOGS_ALLOWED_RETENTION_DAYS as RETENTION_DAYS
from .validators import integer_list_item
from .validators import integer_list_item, json_checker
import json

policytypes = policytypes + (str,)


def validate_resource_policy(policy_document):
This validation should take into account the other policy document types coming from awacs. This is imported via https://github.com/cloudtools/troposphere/blob/main/troposphere/compat.py
Note: the length checks won't work with some of these awacs types and additional checking needs to be done around the json_checker return types.

@jerry153fish jerry153fish Jul 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hi @markpeek So the plan will be

  1. build a more general policy document validator
  2. cover the types of dict, Policy, PolicyDocument, and string
  3. add tests cover all above

Any other cases need to be considered here?

That looks like the right list of items. Thanks.

"""validate policy_document. Between 1 to 5120"""

if not isinstance(policy_document, policytypes):
raise ValueError("PolicyDocument must be a valid policy document")

if isinstance(policy_document, str) and not json_checker(policy_document):
raise ValueError("PolicyDocument must be a valid JSON formated string")

if isinstance(policy_document, dict):
policy_document_text = json.dumps(policy_document)
elif isinstance(policy_document, str):
policy_document_text = policy_document
else:
policy_document_text = policy_document.to_json()

# NB: {} empty dict is 2 length
if len(policy_document_text) < 3:
raise ValueError("PolicyDocument must not be empty")

if len(policy_document_text) > 5120:
raise ValueError("PolicyDocument maximum length must not exceed 5120")

return policy_document


class Destination(AWSObject):
Expand Down Expand Up @@ -67,3 +97,12 @@ class SubscriptionFilter(AWSObject):
"LogGroupName": (str, True),
"RoleArn": (str, False),
}


class LogResourcePolicy(AWSObject):
resource_type = "AWS::Logs::ResourcePolicy"

props = {
"PolicyDocument": (validate_resource_policy, True),
"PolicyName": (str, True),
}
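Review bot: `validate_resource_policy` accepts any JSON text of three or more characters, not only a policy: on the `isinstance(policy_document, str)` branch `"[1]"` or `"null"` pass `json_checker` (assuming it only tests parseability, which is not visible here) and both length bounds, so the function enforces the CloudFormation size limit but never confirms the value is an object carrying a `Statement`, let alone inspects its principals or actions. Either parse the string and require a dict with a `Statement` key, or make the contract explicit in the docstring, e.g. `"""Check that PolicyDocument is JSON and 1-5120 characters when serialized; it does not inspect the policy's principals or actions."""`. The dict branch measures `json.dumps(policy_document)` with default separators, which may not match the length CloudFormation sees once the template is rendered, so a document near 5120 can pass here and fail on deploy; a comment noting that assumption would help. The message in `raise ValueError("PolicyDocument must be a valid JSON formated string")` has a typo (`formatted`), and `import json` belongs with the stdlib imports above the relative ones.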