From 734f0e1ca5691d2ae830ce29872b08cc5194d71c Mon Sep 17 00:00:00 2001 From: Nader Ziada Date: Tue, 19 Nov 2024 10:55:03 -0500 Subject: [PATCH] remove assume role from int test --- ci/tasks/run-integration.yml | 3 ++- .../spec/integration/spec_helper.rb | 26 ++++++++++--------- 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/ci/tasks/run-integration.yml b/ci/tasks/run-integration.yml index 22b7e6b5..ee60ba68 100644 --- a/ci/tasks/run-integration.yml +++ b/ci/tasks/run-integration.yml @@ -5,10 +5,11 @@ image_resource: source: {repository: bosh/integration} inputs: - name: bosh-cpi-src + - name: bosh-cpi-src-test - name: environment - name: stemcell run: - path: bosh-cpi-src/ci/tasks/run-integration.sh + path: bosh-cpi-src-test/ci/tasks/run-integration.sh params: AWS_ACCESS_KEY_ID: "" AWS_SECRET_ACCESS_KEY: "" diff --git a/src/bosh_aws_cpi/spec/integration/spec_helper.rb b/src/bosh_aws_cpi/spec/integration/spec_helper.rb index 674941c0..e693d020 100644 --- a/src/bosh_aws_cpi/spec/integration/spec_helper.rb +++ b/src/bosh_aws_cpi/spec/integration/spec_helper.rb @@ -12,18 +12,17 @@ def validate_minimum_permissions(logger) secret_access_key: @secret_access_key, session_token: @session_token ) - integration_test_user = sts_client.get_caller_identity - raise 'Cannot get user ARN' if integration_test_user.arn.nil? + integration_test_user_arn = sts_client.get_caller_identity.arn + raise 'Cannot get user ARN' if integration_test_user_arn.nil? iam_client = Aws::IAM::Client.new( region: @region, access_key_id: @permissions_auditor_key_id, secret_access_key: @permissions_auditor_secret_key, - session_token: @permissions_auditor_session_token, + session_token: @session_token, logger: logger ) - ## # The following lines are a workaround for the fact that the AWS SDK does not return all the results at once. role_list = [] 
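Review bot: The task now executes `bosh-cpi-src-test/ci/tasks/run-integration.sh`, so the script that receives the `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` params comes from a second input whose origin is not visible in this hunk. Whoever can push to the resource behind `bosh-cpi-src-test` controls code that runs with those credentials, so it should point at the same trusted repository and protected branch as `bosh-cpi-src`. The name suggests temporary debugging wiring; if so, restore `path: bosh-cpi-src/ci/tasks/run-integration.sh` and drop the `- name: bosh-cpi-src-test` input before merging. Otherwise add a comment explaining why two checkouts are needed.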
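Review bot: The IAM client is now built from a mixed credential set: `access_key_id` and `secret_access_key` come from the permissions-auditor pair, while `session_token: @session_token` belongs to the integration-test identity. A session token is only valid with the key pair it was issued with, so when `BOSH_AWS_SESSION_TOKEN` is set the IAM calls will presumably be rejected. Keep a token that belongs to the auditor, `session_token: @permissions_auditor_session_token,`, and populate it in `before(:all)` next to the other auditor values. The body of `validate_minimum_permissions` starts before and continues after this hunk.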
@@ -31,18 +30,16 @@ def validate_minimum_permissions(logger) role_list += response.role_detail_list } - account_details = role_list.find { |role| - role.arn == 'arn:aws:iam::' + integration_test_user.account + ':role/' + integration_test_user.arn.split('/')[1] - } + user_details = iam_client.get_account_authorization_details(filter: ['User']).user_detail_list.find { |user| user.arn == integration_test_user_arn } - raise "Cannot find role with ARN: #{integration_test_user.arn}" if account_details.nil? + raise "Cannot find user with ARN: #{integration_test_user_arn}" if user_details.nil? policy_documents = [] - policy_documents += account_details.attached_managed_policies.map do |p| + policy_documents += user_details.attached_managed_policies.map do |p| version_id = iam_client.get_policy(policy_arn: p.policy_arn).policy.default_version_id iam_client.get_policy_version(policy_arn: p.policy_arn, version_id: version_id).policy_version.document end - policy_documents += account_details.role_policy_list.map(&:policy_document) + policy_documents += user_details.user_policy_list.map(&:policy_document) actions = policy_documents.map do |document| JSON.parse(URI.decode_www_form_component(document))['Statement'].map do |s| @@ -100,8 +97,11 @@ def set_assume_role_permissions RSpec.configure do |rspec_config| include IntegrationHelpers rspec_config.before(:all) do - set_assume_role_permissions + #set_assume_role_permissions + @access_key_id = ENV.fetch('BOSH_AWS_ACCESS_KEY_ID') + @secret_access_key = ENV.fetch('BOSH_AWS_SECRET_ACCESS_KEY') + @session_token = ENV.fetch('BOSH_AWS_SESSION_TOKEN', nil) @subnet_id = ENV.fetch('BOSH_AWS_SUBNET_ID') @subnet_zone = ENV.fetch('BOSH_AWS_SUBNET_ZONE') @kms_key_arn = ENV.fetch('BOSH_AWS_KMS_KEY_ARN') 
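Review bot: The user lookup reads `user_detail_list` from a single `get_account_authorization_details(filter: ['User'])` response, although the comment in the preceding hunk says the SDK does not return all results at once and the role list is accumulated across responses for that reason. In an account with enough users the test identity may sit on a later page, and the check then raises 'Cannot find user with ARN' even though the user exists. Collect users the same way, e.g. `user_list = []` followed by `iam_client.get_account_authorization_details(filter: ['User']).each { |response| user_list += response.user_detail_list }`, then search `user_list`. Policies the user inherits through IAM groups are not read either, so the audited action set can be smaller than what the identity can actually do; a comment stating that limitation would help. `role_list` also looks unused after this change, though the rest of the method is outside the hunk.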
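Review bot: `#set_assume_role_permissions` is left as a commented-out call here and again in the `before(:each)` hunk further down, while the `set_assume_role_permissions` method itself appears to remain defined (it is the context function in the hunk header). Commented-out code in a credential path makes it unclear which identity the suite is meant to run as. Delete both lines, and the helper too if nothing else calls it, and record the reason in a comment such as `# Credentials come directly from BOSH_AWS_* variables; the suite no longer assumes a role.` Judging by the helper's name, this moves the suite from role-session credentials to whatever keys are in the environment, so those keys should be short-lived or tightly scoped.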
@@ -109,6 +109,8 @@ def set_assume_role_permissions @region = ENV.fetch('BOSH_AWS_REGION', 'us-west-1') @default_key_name = ENV.fetch('BOSH_AWS_DEFAULT_KEY_NAME', 'bosh') @ami = ENV.fetch('BOSH_AWS_IMAGE_ID', 'ami-866d3ee6') + @permissions_auditor_key_id = ENV.fetch('BOSH_AWS_PERMISSIONS_AUDITOR_KEY_ID', nil) + @permissions_auditor_secret_key = ENV.fetch('BOSH_AWS_PERMISSIONS_AUDITOR_SECRET_KEY', nil) @cpi_api_version = ENV.fetch('BOSH_AWS_CPI_API_VERSION', 1).to_i @@ -127,7 +129,7 @@ def set_assume_role_permissions end rspec_config.before(:each) do - set_assume_role_permissions + #set_assume_role_permissions @registry = instance_double(Bosh::Cpi::RegistryClient).as_null_object allow(Bosh::Cpi::RegistryClient).to receive(:new).and_return(@registry)
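Review bot: Both auditor values default to `nil`, so a missing `BOSH_AWS_PERMISSIONS_AUDITOR_KEY_ID` or `BOSH_AWS_PERMISSIONS_AUDITOR_SECRET_KEY` is not reported where it is read. `validate_minimum_permissions` passes them straight to `Aws::IAM::Client.new`; with `nil` keys the SDK, as far as I know, falls back to its default credential provider chain, so the permission audit could run as an ambient identity rather than the auditor. If the audit is mandatory, use `ENV.fetch('BOSH_AWS_PERMISSIONS_AUDITOR_KEY_ID')` without a default (and likewise for the secret) so the run fails early. If it is optional, skip the validation explicitly when either value is missing.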