diff --git a/moto/acmpca/exceptions.py b/moto/acmpca/exceptions.py index 1107cdb12619..9a584d67ce1d 100644 --- a/moto/acmpca/exceptions.py +++ b/moto/acmpca/exceptions.py @@ -6,3 +6,13 @@ class ResourceNotFoundException(JsonRESTError): def __init__(self, arn: str): super().__init__("ResourceNotFoundException", f"Resource {arn} not found") + + +class InvalidS3ObjectAclInCrlConfiguration(JsonRESTError): + code = 400 + + def __init__(self, value: str): + super().__init__( + "InvalidS3ObjectAclInCrlConfiguration", + f"Invalid value for parameter RevocationConfiguration.CrlConfiguration.S3ObjectAcl, value: {value}, valid values: ['PUBLIC_READ', 'BUCKET_OWNER_FULL_CONTROL']", + ) diff --git a/moto/acmpca/models.py b/moto/acmpca/models.py index 3caf89c7113f..27a4565ec3f9 100644 --- a/moto/acmpca/models.py +++ b/moto/acmpca/models.py @@ -16,7 +16,7 @@ from moto.moto_api._internal import mock_random from moto.utilities.tagging_service import TaggingService -from .exceptions import ResourceNotFoundException +from .exceptions import InvalidS3ObjectAclInCrlConfiguration, ResourceNotFoundException class CertificateAuthority(BaseModel): @@ -132,13 +132,16 @@ def set_revocation_configuration( if revocation_configuration is not None: self.revocation_configuration = revocation_configuration if "CrlConfiguration" in self.revocation_configuration: - if ( - "S3ObjectAcl" - not in self.revocation_configuration["CrlConfiguration"] - ): - self.revocation_configuration["CrlConfiguration"]["S3ObjectAcl"] = ( - "PUBLIC_READ" - ) + acl = self.revocation_configuration["CrlConfiguration"].get( + "S3ObjectAcl", None + ) + if acl is None: + self.revocation_configuration["CrlConfiguration"][ + "S3ObjectAcl" + ] = "PUBLIC_READ" + else: + if acl not in ["PUBLIC_READ", "BUCKET_OWNER_FULL_CONTROL"]: + raise InvalidS3ObjectAclInCrlConfiguration(acl) @property def certificate_bytes(self) -> bytes: diff --git a/tests/test_acmpca/test_acmpca.py b/tests/test_acmpca/test_acmpca.py index 56d415711fef..e68345fc9994 100644 --- a/tests/test_acmpca/test_acmpca.py +++ b/tests/test_acmpca/test_acmpca.py @@ -200,6 +200,60 @@ def test_update_certificate_authority(): assert ca["Status"] == "DISABLED" assert "LastStateChangeAt" in ca + # test when `RevocationConfiguration` passed to request parameters + client.update_certificate_authority( + CertificateAuthorityArn=ca_arn, + RevocationConfiguration={ + "CrlConfiguration": { + "Enabled": True, + } + }, + ) + ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[ + "CertificateAuthority" + ] + revocation_crl_conf = ca["RevocationConfiguration"]["CrlConfiguration"] + assert revocation_crl_conf["Enabled"] + assert ( + revocation_crl_conf["S3ObjectAcl"] == "PUBLIC_READ" + ) # check if default value is applied. + + client.update_certificate_authority( + CertificateAuthorityArn=ca_arn, + RevocationConfiguration={ + "CrlConfiguration": { + "Enabled": True, + "S3ObjectAcl": "BUCKET_OWNER_FULL_CONTROL", + } + }, + ) + ca = client.describe_certificate_authority(CertificateAuthorityArn=ca_arn)[ + "CertificateAuthority" + ] + revocation_crl_conf = ca["RevocationConfiguration"]["CrlConfiguration"] + assert ( + revocation_crl_conf["S3ObjectAcl"] == "BUCKET_OWNER_FULL_CONTROL" + ) # check if the passed parameter is applied. + + # test when invald value passed for RevocationConfiguration.CrlConfiguration.S3ObjectAcl + invalid_s3object_acl = "INVALID_VALUE" + with pytest.raises(ClientError) as exc: + client.update_certificate_authority( + CertificateAuthorityArn=ca_arn, + RevocationConfiguration={ + "CrlConfiguration": { + "Enabled": True, + "S3ObjectAcl": invalid_s3object_acl, + } + }, + ) + err = exc.value.response["Error"] + assert err["Code"] == "InvalidS3ObjectAclInCrlConfiguration" + assert ( + err["Message"] + == f"Invalid value for parameter RevocationConfiguration.CrlConfiguration.S3ObjectAcl, value: {invalid_s3object_acl}, valid values: ['PUBLIC_READ', 'BUCKET_OWNER_FULL_CONTROL']" + ) + @mock_aws def test_delete_certificate_authority():