iam: implement getInlinePolicyDetails API for AWS Substrate (#233)

Author: SriramGuduri

iam/iam-aws/src/main/java/com/salesforce/multicloudj/iam/aws/AwsIam.java

@@ -27,13 +27,17 @@
 import software.amazon.awssdk.services.iam.model.EntityAlreadyExistsException;
 import software.amazon.awssdk.services.iam.model.GetRoleRequest;
 import software.amazon.awssdk.services.iam.model.GetRoleResponse;
+import software.amazon.awssdk.services.iam.model.GetRolePolicyRequest;
+import software.amazon.awssdk.services.iam.model.GetRolePolicyResponse;
 import software.amazon.awssdk.services.iam.model.Role;
 import software.amazon.awssdk.services.iam.model.UpdateAssumeRolePolicyRequest;
 import software.amazon.awssdk.services.iam.model.UpdateRoleRequest;
 
 import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.LinkedHashMap;
 import java.util.List;
@@ -329,9 +333,37 @@ protected void doAttachInlinePolicy(PolicyDocument policyDocument, String tenant
         throw new UnsupportedOperationException();
     }
 
+    /**
+     * Get inline policy document attached to an IAM role.
+     *
+     * @param identityName the IAM role name
+     * @param policyName the name of the inline policy to retrieve.
+     * @param roleName the IAM role name that has the inline policy attached.
+     * @param tenantId the AWS Account ID.
+     * @param region the AWS region for the IAM client.
+     *
+     * @return the inline policy document as a JSON string
+     *
+     * @throws software.amazon.awssdk.services.iam.model.NoSuchEntityException if the role or policy does not exist
+     * @throws software.amazon.awssdk.services.iam.model.IamException for other IAM service errors
+     */
     @Override
     protected String doGetInlinePolicyDetails(String identityName, String policyName, String roleName, String tenantId, String region) {
-        throw new UnsupportedOperationException();
+        if (StringUtils.isBlank(identityName)) {
+            throw new InvalidArgumentException("identityName is required for AWS IAM");
+        }
+
+        if (StringUtils.isBlank(policyName)) {
+            throw new InvalidArgumentException("policyName is required for AWS IAM");
+        }
+
+        IamClient client = this.iamClient;
+        GetRolePolicyRequest request = GetRolePolicyRequest.builder()
+                .roleName(identityName)
+                .policyName(policyName)
+                .build();
+        GetRolePolicyResponse response = client.getRolePolicy(request);
+        return URLDecoder.decode(response.policyDocument(), StandardCharsets.UTF_8);
     }
 
     @Override

iam/iam-aws/src/test/java/com/salesforce/multicloudj/iam/aws/AwsIamTest.java

@@ -18,6 +18,9 @@
 import software.amazon.awssdk.services.iam.model.EntityAlreadyExistsException;
 import software.amazon.awssdk.services.iam.model.GetRoleRequest;
 import software.amazon.awssdk.services.iam.model.GetRoleResponse;
+import software.amazon.awssdk.services.iam.model.GetRolePolicyRequest;
+import software.amazon.awssdk.services.iam.model.GetRolePolicyResponse;
+import software.amazon.awssdk.services.iam.model.NoSuchEntityException;
 import software.amazon.awssdk.services.iam.model.Role;
 import software.amazon.awssdk.services.iam.model.UpdateAssumeRolePolicyRequest;
 import software.amazon.awssdk.services.iam.model.UpdateAssumeRolePolicyResponse;
@@ -49,6 +52,8 @@ public class AwsIamTest {
     private static final String TEST_TENANT_ID = "123456789012";
     private static final String TEST_REGION = "us-west-2";
     private static final String TEST_ROLE_ARN = "arn:aws:iam::123456789012:role/TestRole";
+    private static final String TEST_POLICY_NAME = "TestPolicy";
+    private static final String TEST_POLICY_DOCUMENT = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"s3:GetObject\",\"Resource\":\"*\"}]}";
     public static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
 
     @Mock
@@ -157,16 +162,10 @@ void testCreateIdentityWithoutTrustConfigDefaultsToSameAccountRoot() throws Exce
 
         JsonNode stmt = doc.at("/Statement/0");
         assertFalse(stmt.isMissingNode(), "Statement should not be missing");
-        JsonNode effect = stmt.at("/Effect");
-        assertFalse(effect.isMissingNode(), "Effect should not be missing");
-        assertEquals("Allow", effect.asText());
-        JsonNode action = stmt.at("/Action");
-        assertFalse(action.isMissingNode(), "Action should not be missing");
-        assertEquals("sts:AssumeRole", action.asText());
-        JsonNode principal = stmt.at("/Principal/AWS");
-        assertFalse(principal.isMissingNode(), "Principal should not be missing");
+        assertEquals("Allow", stmt.at("/Effect").asText());
+        assertEquals("sts:AssumeRole", stmt.at("/Action").asText());
         assertEquals("arn:aws:iam::" + TEST_TENANT_ID + ":root",
-                principal.asText());
+                stmt.at("/Principal/AWS").asText());
     }
 
     @Test
@@ -443,7 +442,7 @@ void testCreateIdentityAlreadyExistsUpdatesTrustPolicyWhenDifferent() throws Exc
 
         assertEquals(TEST_ROLE_ARN, result);
 
-        ArgumentCaptor<UpdateAssumeRolePolicyRequest> updatePolicyCaptor = 
+        ArgumentCaptor<UpdateAssumeRolePolicyRequest> updatePolicyCaptor =
                 ArgumentCaptor.forClass(UpdateAssumeRolePolicyRequest.class);
         verify(mockIamClient, times(1)).updateAssumeRolePolicy(updatePolicyCaptor.capture());
         assertEquals(TEST_ROLE_NAME, updatePolicyCaptor.getValue().roleName());
@@ -535,15 +534,100 @@ void testCreateIdentityAlreadyExistsUpdatesMultipleAttributesWhenDifferent() thr
         assertEquals(newDescription, updateCaptor.getValue().description());
         assertEquals(7200, updateCaptor.getValue().maxSessionDuration());
 
-        ArgumentCaptor<UpdateAssumeRolePolicyRequest> updatePolicyCaptor = 
+        ArgumentCaptor<UpdateAssumeRolePolicyRequest> updatePolicyCaptor =
                 ArgumentCaptor.forClass(UpdateAssumeRolePolicyRequest.class);
         verify(mockIamClient, times(1)).updateAssumeRolePolicy(updatePolicyCaptor.capture());
         assertEquals(TEST_ROLE_NAME, updatePolicyCaptor.getValue().roleName());
     }
 
     private String buildDefaultAssumeRolePolicy() {
         return "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\"," +
-                "\"Action\":\"sts:AssumeRole\",\"Principal\":{\"AWS\":\"arn:aws:iam::" + 
+                "\"Action\":\"sts:AssumeRole\",\"Principal\":{\"AWS\":\"arn:aws:iam::" +
                 TEST_TENANT_ID + ":root\"}}]}";
     }
+
+    @Test
+    void testGetInlinePolicyDetailsReturnsDocument() {
+        when(mockIamClient.getRolePolicy(any(GetRolePolicyRequest.class)))
+                .thenReturn(GetRolePolicyResponse.builder()
+                        .policyDocument(TEST_POLICY_DOCUMENT)
+                        .build());
+
+        String result = awsIam.getInlinePolicyDetails(
+                TEST_ROLE_NAME,
+                TEST_POLICY_NAME,
+                TEST_ROLE_NAME,
+                TEST_TENANT_ID,
+                TEST_REGION);
+
+        assertEquals(TEST_POLICY_DOCUMENT, result);
+
+        ArgumentCaptor<GetRolePolicyRequest> captor = ArgumentCaptor.forClass(GetRolePolicyRequest.class);
+        verify(mockIamClient, times(1)).getRolePolicy(captor.capture());
+        assertEquals(TEST_ROLE_NAME, captor.getValue().roleName());
+        assertEquals(TEST_POLICY_NAME, captor.getValue().policyName());
+    }
+
+    @Test
+    void testGetInlinePolicyDetailsWithNoSuchEntityException() {
+        when(mockIamClient.getRolePolicy(any(GetRolePolicyRequest.class)))
+                .thenThrow(NoSuchEntityException.builder()
+                        .message("Policy not found")
+                        .build());
+
+        assertThrows(NoSuchEntityException.class, () ->
+                awsIam.getInlinePolicyDetails(
+                        TEST_ROLE_NAME,
+                        TEST_POLICY_NAME,
+                        TEST_ROLE_NAME,
+                        TEST_TENANT_ID,
+                        TEST_REGION)
+        );
+
+        ArgumentCaptor<GetRolePolicyRequest> captor = ArgumentCaptor.forClass(GetRolePolicyRequest.class);
+        verify(mockIamClient, times(1)).getRolePolicy(captor.capture());
+        assertEquals(TEST_ROLE_NAME, captor.getValue().roleName());
+        assertEquals(TEST_POLICY_NAME, captor.getValue().policyName());
+    }
+
+    @Test
+    void testGetInlinePolicyDetailsVerifiesParameters() {
+        when(mockIamClient.getRolePolicy(any(GetRolePolicyRequest.class)))
+                .thenReturn(GetRolePolicyResponse.builder()
+                        .policyDocument(TEST_POLICY_DOCUMENT)
+                        .build());
+
+        awsIam.getInlinePolicyDetails(
+                TEST_ROLE_NAME,
+                TEST_POLICY_NAME,
+                TEST_ROLE_NAME,
+                TEST_TENANT_ID,
+                TEST_REGION);
+
+        ArgumentCaptor<GetRolePolicyRequest> captor = ArgumentCaptor.forClass(GetRolePolicyRequest.class);
+        verify(mockIamClient).getRolePolicy(captor.capture());
+
+        GetRolePolicyRequest capturedRequest = captor.getValue();
+        assertEquals(TEST_ROLE_NAME, capturedRequest.roleName());
+        assertEquals(TEST_POLICY_NAME, capturedRequest.policyName());
+    }
+
+    @Test
+    void testGetInlinePolicyDetailsThrowsGenericException() {
+        RuntimeException genericException = new RuntimeException("Service error");
+
+        when(mockIamClient.getRolePolicy(any(GetRolePolicyRequest.class)))
+                .thenThrow(genericException);
+
+        RuntimeException exception = assertThrows(RuntimeException.class, () ->
+                awsIam.getInlinePolicyDetails(
+                        TEST_ROLE_NAME,
+                        TEST_POLICY_NAME,
+                        TEST_ROLE_NAME,
+                        TEST_TENANT_ID,
+                        TEST_REGION)
+        );
+
+        assertEquals(genericException, exception);
+    }
 }