remove assume role checks from integration test

as part of moving this pipeline to the FIWG, we don't need this anymore
cloudfoundry · Nov 19, 2024 · 9f070d5 · 9f070d5
1 parent c694612
commit 9f070d5
Showing 1 changed file with 13 additions and 62 deletions.
diff --git a/src/bosh_aws_cpi/spec/integration/spec_helper.rb b/src/bosh_aws_cpi/spec/integration/spec_helper.rb
@@ -12,37 +12,26 @@ def validate_minimum_permissions(logger)
       secret_access_key: @secret_access_key,
       session_token: @session_token
     )
-    integration_test_user = sts_client.get_caller_identity
-    raise 'Cannot get user ARN' if integration_test_user.arn.nil?
+    integration_test_user_arn = sts_client.get_caller_identity.arn
+    raise 'Cannot get user ARN' if integration_test_user_arn.nil?
 
     iam_client = Aws::IAM::Client.new(
       region: @region,
       access_key_id: @permissions_auditor_key_id,
       secret_access_key: @permissions_auditor_secret_key,
-      session_token: @permissions_auditor_session_token,
+      session_token: @session_token,
       logger: logger
     )
 
-
-    ##
-    # The following lines are a workaround for the fact that the AWS SDK does not return all the results at once.
-    role_list = []
-    iam_client.get_account_authorization_details(filter: ['Role']).each{ | response |
-      role_list += response.role_detail_list
-    }
-
-    account_details = role_list.find { |role|
-      role.arn == 'arn:aws:iam::' + integration_test_user.account + ':role/' + integration_test_user.arn.split('/')[1]
-    }
-
-    raise "Cannot find role with ARN: #{integration_test_user.arn}" if account_details.nil?
+    user_details = iam_client.get_account_authorization_details(filter: ['User']).user_detail_list.find { |user| user.arn == integration_test_user_arn }
+    raise "Cannot find user with ARN: #{integration_test_user_arn}" if user_details.nil?
 
     policy_documents = []
-    policy_documents += account_details.attached_managed_policies.map do |p|
+    policy_documents += user_details.attached_managed_policies.map do |p|
       version_id = iam_client.get_policy(policy_arn: p.policy_arn).policy.default_version_id
       iam_client.get_policy_version(policy_arn: p.policy_arn, version_id: version_id).policy_version.document
     end
-    policy_documents += account_details.role_policy_list.map(&:policy_document)
+    policy_documents += user_details.user_policy_list.map(&:policy_document)
 
     actions = policy_documents.map do |document|
       JSON.parse(URI.decode_www_form_component(document))['Statement'].map do |s|
@@ -54,61 +43,25 @@ def validate_minimum_permissions(logger)
       s['Action']
     end.flatten.uniq
 
-    expect(actions).to match_array(minimum_action)
-  end
-end
-
-def set_assume_role_permissions
-  if ENV.fetch('BOSH_AWS_PERMISSIONS_AUDITOR_KEY_ID', nil) && ENV.fetch('BOSH_AWS_PERMISSIONS_AUDITOR_SECRET_KEY', nil)
-    auditor_sts_client = Aws::STS::Client.new(
-      region: ENV.fetch('BOSH_AWS_REGION', 'us-west-1'),
-      access_key_id: ENV.fetch('BOSH_AWS_PERMISSIONS_AUDITOR_KEY_ID'),
-      secret_access_key: ENV.fetch('BOSH_AWS_PERMISSIONS_AUDITOR_SECRET_KEY'),
-      session_token: nil
-    )
-    auditor_assumed_credentials = auditor_sts_client.assume_role(
-      {
-        role_arn: ENV.fetch('BOSH_AWS_PERMISSIONS_AUDITOR_ROLE_ARN', nil),
-        role_session_name: 'rsn' + '-' + SecureRandom.uuid
-      }
-    ).credentials
-
-    @permissions_auditor_key_id = auditor_assumed_credentials.access_key_id
-    @permissions_auditor_secret_key = auditor_assumed_credentials.secret_access_key
-    @permissions_auditor_session_token = auditor_assumed_credentials.session_token
+    expect(actions).to include(*minimum_action)
   end
-
-  sts_client = Aws::STS::Client.new(
-    region: ENV.fetch('BOSH_AWS_REGION', 'us-west-1'),
-    access_key_id: ENV.fetch('BOSH_AWS_ACCESS_KEY_ID'),
-    secret_access_key: ENV.fetch('BOSH_AWS_SECRET_ACCESS_KEY'),
-    session_token: ENV.fetch('BOSH_AWS_SESSION_TOKEN', nil)
-  )
-  assumed_creds = sts_client.assume_role(
-    {
-      role_arn: ENV.fetch('BOSH_AWS_ROLE_ARN', nil),
-      role_session_name: 'rsn' + '-' + SecureRandom.uuid,
-      duration_seconds: 21600
-    }
-  ).credentials
-
-  @access_key_id = assumed_creds.access_key_id
-  @secret_access_key = assumed_creds.secret_access_key
-  @session_token = assumed_creds.session_token
 end
 
 RSpec.configure do |rspec_config|
   include IntegrationHelpers
   rspec_config.before(:all) do
-    set_assume_role_permissions
-
+    @access_key_id = ENV.fetch('BOSH_AWS_ACCESS_KEY_ID')
+    @secret_access_key = ENV.fetch('BOSH_AWS_SECRET_ACCESS_KEY')
+    @session_token = ENV.fetch('BOSH_AWS_SESSION_TOKEN', nil)
     @subnet_id = ENV.fetch('BOSH_AWS_SUBNET_ID')
     @subnet_zone = ENV.fetch('BOSH_AWS_SUBNET_ZONE')
     @kms_key_arn = ENV.fetch('BOSH_AWS_KMS_KEY_ARN')
     @kms_key_arn_override = ENV.fetch('BOSH_AWS_KMS_KEY_ARN_OVERRIDE')
     @region = ENV.fetch('BOSH_AWS_REGION', 'us-west-1')
     @default_key_name = ENV.fetch('BOSH_AWS_DEFAULT_KEY_NAME', 'bosh')
     @ami = ENV.fetch('BOSH_AWS_IMAGE_ID', 'ami-866d3ee6')
+    @permissions_auditor_key_id = ENV.fetch('BOSH_AWS_PERMISSIONS_AUDITOR_KEY_ID', nil)
+    @permissions_auditor_secret_key = ENV.fetch('BOSH_AWS_PERMISSIONS_AUDITOR_SECRET_KEY', nil)
 
     @cpi_api_version = ENV.fetch('BOSH_AWS_CPI_API_VERSION', 1).to_i
 
@@ -127,8 +80,6 @@ def set_assume_role_permissions
   end
 
   rspec_config.before(:each) do
-    set_assume_role_permissions
-
     @registry = instance_double(Bosh::Cpi::RegistryClient).as_null_object
     allow(Bosh::Cpi::RegistryClient).to receive(:new).and_return(@registry)
     allow(@registry).to receive(:read_settings).and_return({})