Add specs for exclude and target option

cookpad · Dec 25, 2017 · 1968e68 · 1968e68
1 parent 0de1b38
commit 1968e68
Show file tree

Hide file tree

Showing 2 changed files with 422 additions and 0 deletions.
diff --git a/spec/miam/exclude_spec.rb b/spec/miam/exclude_spec.rb
@@ -0,0 +1,237 @@
+describe 'target/exclude options' do
+  let(:dsl) do
+    <<-RUBY
+      user "bob", :path=>"/devloper/" do
+        login_profile :password_reset_required=>true
+
+        groups(
+          "Admin",
+          "SES"
+        )
+
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      user "mary", :path=>"/staff/" do
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      group "Admin", :path=>"/admin/" do
+        policy "Admin" do
+          {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      group "SES", :path=>"/ses/" do
+        policy "ses-policy" do
+          {"Statement"=>
+            [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      role "my-role", :path=>"/any/" do
+        instance_profiles(
+          "my-instance-profile"
+        )
+
+        assume_role_policy_document do
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Sid"=>"",
+              "Effect"=>"Allow",
+              "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+              "Action"=>"sts:AssumeRole"}]}
+        end
+
+        policy "role-policy" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      instance_profile "my-instance-profile", :path=>"/profile/"
+    RUBY
+  end
+
+  before(:each) do
+    apply { dsl }
+  end
+
+  context 'when exclude a user' do
+    let(:exclude_bob) do
+      <<-RUBY
+      user "mary", :path=>"/staff/" do
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      group "Admin", :path=>"/admin/" do
+        policy "Admin" do
+          {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      group "SES", :path=>"/ses/" do
+        policy "ses-policy" do
+          {"Statement"=>
+            [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      role "my-role", :path=>"/any/" do
+        instance_profiles(
+          "my-instance-profile"
+        )
+
+        assume_role_policy_document do
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Sid"=>"",
+              "Effect"=>"Allow",
+              "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+              "Action"=>"sts:AssumeRole"}]}
+        end
+
+        policy "role-policy" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      instance_profile "my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+
+    subject { client(exclude: [/bob/]) }
+
+    it do
+      updated = apply(subject) { exclude_bob }
+      expect(updated).to be_falsey
+    end
+  end
+
+  context 'when exclude a group, a role and an instance profile' do
+    let(:exclude_admin_and_my) do
+      <<-RUBY
+      user "bob", :path=>"/devloper/" do
+        login_profile :password_reset_required=>true
+
+        groups(
+          "Admin",
+          "SES"
+        )
+
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      user "mary", :path=>"/staff/" do
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+
+      group "SES", :path=>"/ses/" do
+        policy "ses-policy" do
+          {"Statement"=>
+            [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+      RUBY
+    end
+
+    subject { client(exclude: [/Admin/, /^my-/]) }
+
+    it do
+      updated = apply(subject) { exclude_admin_and_my }
+      expect(updated).to be_falsey
+    end
+  end
+end