def setUp(self):
self.credentials = Credentials('key', 'secret')
self.emitter = mock.Mock()
self.emitter.emit_until_response.return_value = (None, None)
self.signer = RequestSigner('service_name', 'region_name',
'signing_name', 'v4', self.credentials,
self.emitter)
self.fixed_credentials = self.credentials.get_frozen_credentials()
def test_return_botocore_credentials(self):
dummy_credentials = Credentials('access_key', 'secret_key', 'token')
with mock.patch.object(self.command._session,
'get_credentials',
return_value=dummy_credentials):
credentials = self.command._load_credentials()
self.assertIs(credentials, dummy_credentials)
def test_raise_error_on_missing_token(self):
dummy_credentials = Credentials('access_key', 'secret_key', token=None)
with mock.patch.object(self.command._session,
'get_credentials',
return_value=dummy_credentials):
with self.assertRaises(PartialCredentialsError):
self.command._load_credentials()
def _validate_signature(self, headers, raw_input):
auth_header = headers["Authorization"]
signed_headers_start = auth_header.find("SignedHeaders")
signed_headers = auth_header[signed_headers_start:auth_header.
find(",", signed_headers_start)]
signed_headers_dict = get_dict_subset(headers, signed_headers)
request = AWSRequest(method="POST",
url="/",
data=raw_input,
headers=signed_headers_dict)
# SigV4Auth assumes this header exists even though it is not required by the algorithm
request.context['timestamp'] = headers['X-Amz-Date']
region_start = auth_header.find("Credential=access/") + len(
"Credential=access/YYYYMMDD/")
region = auth_header[region_start:auth_header.find("/", region_start)]
credentials = Credentials("access", "secret")
auth = SigV4Auth(credentials, "kms", region)
string_to_sign = auth.string_to_sign(request,
auth.canonical_request(request))
expected_signature = auth.signature(string_to_sign, request)
signature_headers_start = auth_header.find("Signature=") + len(
"Signature=")
actual_signature = auth_header[signature_headers_start:]
return expected_signature == actual_signature
def authenticate_presign_url_signv2(method, path, headers, data, url, query_params, request_dict):
# Calculating Signature
aws_request = create_request_object(request_dict)
credentials = Credentials(access_key=TEST_AWS_ACCESS_KEY_ID, secret_key=TEST_AWS_SECRET_ACCESS_KEY)
auth = HmacV1QueryAuth(credentials=credentials, expires=query_params['Expires'][0])
split = urlsplit(aws_request.url)
string_to_sign = auth.get_string_to_sign(method=method, split=split, headers=aws_request.headers)
signature = auth.get_signature(string_to_sign=string_to_sign)
# Comparing the signature in url with signature we calculated
query_sig = urlparse.unquote(query_params['Signature'][0])
if query_sig != signature:
return requests_error_response_xml_signature_calculation(
code=403,
code_string='SignatureDoesNotMatch',
aws_access_token=TEST_AWS_ACCESS_KEY_ID,
string_to_sign=string_to_sign,
signature=signature,
message='The request signature we calculated does not match the signature you provided. \
Check your key and signing method.')
# Checking whether the url is expired or not
if int(query_params['Expires'][0]) < time.time():
return requests_error_response_xml_signature_calculation(
code=403,
code_string='AccessDenied',
message='Request has expired',
expires=query_params['Expires'][0]
)
def test_presigned_url_casing_changed_for_rds(self):
operation_model = mock.Mock()
operation_model.name = 'CopyDBSnapshot'
credentials = Credentials('key', 'secret')
event_emitter = HierarchicalEmitter()
request_signer = RequestSigner(
'rds', 'us-east-1', 'rds', 'v4', credentials, event_emitter)
request_dict = {}
params = {'SourceRegion': 'us-west-2'}
request_dict['body'] = params
request_dict['url'] = 'https://rds.us-east-1.amazonaws.com'
request_dict['method'] = 'POST'
request_dict['headers'] = {}
request_dict['context'] = {}
handlers.inject_presigned_url_rds(
params=request_dict,
request_signer=request_signer,
model=operation_model
)
self.assertNotIn('PresignedUrl', params)
self.assertIn('https://rds.us-west-2.amazonaws.com?',
params['PreSignedUrl'])
self.assertIn('X-Amz-Signature', params['PreSignedUrl'])
def test_destination_region_always_changed(self):
# If the user provides a destination region, we will still
# override the DesinationRegion with the region_name from
# the endpoint object.
actual_region = 'us-west-1'
credentials = Credentials('key', 'secret')
request_signer = RequestSigner('ec2', actual_region, 'ec2', 'v4',
credentials, None)
request_dict = {}
params = {
'SourceRegion': 'us-west-2',
'DestinationRegion': 'us-east-1'
}
request_dict['body'] = params
request_dict['url'] = 'https://ec2.us-west-1.amazonaws.com'
request_dict['method'] = 'POST'
request_dict['headers'] = {}
# The user provides us-east-1, but we will override this to
# endpoint.region_name, of 'us-west-1' in this case.
handlers.copy_snapshot_encrypted(request_dict, request_signer)
self.assertIn('https://ec2.us-west-2.amazonaws.com?',
params['PresignedUrl'])
# Always use the DestinationRegion from the endpoint, regardless of
# whatever value the user provides.
self.assertEqual(params['DestinationRegion'], actual_region)
def test_inject_presigned_url_ec2(self):
operation_model = mock.Mock()
operation_model.name = 'CopySnapshot'
credentials = Credentials('key', 'secret')
event_emitter = HierarchicalEmitter()
request_signer = RequestSigner('ec2', 'us-east-1', 'ec2', 'v4',
credentials, event_emitter)
request_dict = {}
params = {'SourceRegion': 'us-west-2'}
request_dict['body'] = params
request_dict['url'] = 'https://ec2.us-east-1.amazonaws.com'
request_dict['method'] = 'POST'
request_dict['headers'] = {}
request_dict['context'] = {}
handlers.inject_presigned_url_ec2(request_dict, request_signer,
operation_model)
self.assertIn('https://ec2.us-west-2.amazonaws.com?',
params['PresignedUrl'])
self.assertIn('X-Amz-Signature', params['PresignedUrl'])
self.assertIn('DestinationRegion', params['PresignedUrl'])
# We should also populate the DestinationRegion with the
# region_name of the endpoint object.
self.assertEqual(params['DestinationRegion'], 'us-east-1')
def test_destination_region_always_changed(self):
# If the user provides a destination region, we will still
# override the DesinationRegion with the region_name from
# the endpoint object.
actual_region = 'us-west-1'
operation_model = mock.Mock()
operation_model.name = 'CopySnapshot'
credentials = Credentials('key', 'secret')
event_emitter = HierarchicalEmitter()
request_signer = RequestSigner('ec2', actual_region, 'ec2', 'v4',
credentials, event_emitter)
request_dict = {}
params = {
'SourceRegion': 'us-west-2',
'DestinationRegion': 'us-east-1'
}
request_dict['body'] = params
request_dict['url'] = 'https://ec2.us-west-1.amazonaws.com'
request_dict['method'] = 'POST'
request_dict['headers'] = {}
request_dict['context'] = {}
# The user provides us-east-1, but we will override this to
# endpoint.region_name, of 'us-west-1' in this case.
handlers.inject_presigned_url_ec2(request_dict, request_signer,
operation_model)
self.assertIn('https://ec2.us-west-2.amazonaws.com?',
params['PresignedUrl'])
# Always use the DestinationRegion from the endpoint, regardless of
# whatever value the user provides.
self.assertEqual(params['DestinationRegion'], actual_region)
def get_credentials(self):
"""
Returns botocore.credential.Credential object.
"""
return Credentials(access_key=self.aws_access_key_id,
secret_key=self.aws_secret_access_key,
token=self.aws_session_token)
def _aws_auth_header(credentials, server_nonce, sts_host):
"""Signature Version 4 Signing Process to construct the authorization header
"""
region = _get_region(sts_host)
request_parameters = 'Action=GetCallerIdentity&Version=2011-06-15'
encoded_nonce = standard_b64encode(server_nonce).decode('utf8')
request_headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': str(len(request_parameters)),
'Host': sts_host,
'X-MongoDB-Server-Nonce': encoded_nonce,
'X-MongoDB-GS2-CB-Flag': 'n',
}
request = AWSRequest(method="POST", url="/", data=request_parameters,
headers=request_headers)
boto_creds = Credentials(credentials.username, credentials.password,
token=credentials.token)
auth = SigV4Auth(boto_creds, "sts", region)
auth.add_auth(request)
final = {
'a': request.headers['Authorization'],
'd': request.headers['X-Amz-Date']
}
if credentials.token:
final['t'] = credentials.token
return final
def dummy_get_credentials(_self):
# These must match what `moto` uses to mock the instance metadata
# response (see InstanceMetadataResponse.metadata_response() in
# moto.instance_metadata.responses).
return Credentials(access_key='test-key',
secret_key='test-secret-key',
token='test-session-token')
class BaseSignerTest(unittest.TestCase):
def setUp(self):
self.credentials = Credentials('key', 'secret')
self.emitter = mock.Mock()
self.emitter.emit_until_response.return_value = (None, None)
self.signer = RequestSigner('service_name', 'region_name',
'signing_name', 'v4', self.credentials,
self.emitter)
self.fixed_credentials = self.credentials.get_frozen_credentials()
def _urlparse(self, url):
if isinstance(url, six.binary_type):
# Not really necessary, but it helps to reduce noise on Python 2.x
url = url.decode('utf8')
return urlparse(url)
def assert_url_equal(self, url1, url2):
parts1 = self._urlparse(url1)
parts2 = self._urlparse(url2)
# Because the query string ordering isn't relevant, we have to parse
# every single part manually and then handle the query string.
self.assertEqual(parts1.scheme, parts2.scheme)
self.assertEqual(parts1.netloc, parts2.netloc)
self.assertEqual(parts1.path, parts2.path)
self.assertEqual(parts1.params, parts2.params)
self.assertEqual(parts1.fragment, parts2.fragment)
self.assertEqual(parts1.username, parts2.username)
self.assertEqual(parts1.password, parts2.password)
self.assertEqual(parts1.hostname, parts2.hostname)
self.assertEqual(parts1.port, parts2.port)
self.assertEqual(parse_qs(parts1.query), parse_qs(parts2.query))
class BaseSignerTest(unittest.TestCase):
def setUp(self):
self.credentials = Credentials('key', 'secret')
self.emitter = mock.Mock()
self.emitter.emit_until_response.return_value = (None, None)
self.signer = RequestSigner(
'service_name', 'region_name', 'signing_name',
'v4', self.credentials, self.emitter)
self.fixed_credentials = self.credentials.get_frozen_credentials()
def _urlparse(self, url):
if isinstance(url, six.binary_type):
# Not really necessary, but it helps to reduce noise on Python 2.x
url = url.decode('utf8')
return urlparse(url)
def assert_url_equal(self, url1, url2):
parts1 = self._urlparse(url1)
parts2 = self._urlparse(url2)
# Because the query string ordering isn't relevant, we have to parse
# every single part manually and then handle the query string.
self.assertEqual(parts1.scheme, parts2.scheme)
self.assertEqual(parts1.netloc, parts2.netloc)
self.assertEqual(parts1.path, parts2.path)
self.assertEqual(parts1.params, parts2.params)
self.assertEqual(parts1.fragment, parts2.fragment)
self.assertEqual(parts1.username, parts2.username)
self.assertEqual(parts1.password, parts2.password)
self.assertEqual(parts1.hostname, parts2.hostname)
self.assertEqual(parts1.port, parts2.port)
self.assertEqual(parse_qs(parts1.query), parse_qs(parts2.query))
async def test_appsync_subscription_iam_not_allowed(event_loop, server):
from gql.transport.appsync_auth import AppSyncIAMAuthentication
from gql.transport.appsync_websockets import AppSyncWebsocketsTransport
from gql.transport.exceptions import TransportQueryError
from botocore.credentials import Credentials
path = "/graphql"
url = f"ws://{server.hostname}:{server.port}{path}"
dummy_credentials = Credentials(
access_key=DUMMY_ACCESS_KEY_ID_NOT_ALLOWED,
secret_key=DUMMY_SECRET_ACCESS_KEY,
token=DUMMY_SECRET_SESSION_TOKEN,
)
auth = AppSyncIAMAuthentication(host=server.hostname,
credentials=dummy_credentials,
region_name=REGION_NAME)
transport = AppSyncWebsocketsTransport(url=url, auth=auth)
client = Client(transport=transport)
async with client as session:
subscription = gql(on_create_message_subscription_str)
with pytest.raises(TransportQueryError) as exc_info:
async for result in session.subscribe(subscription):
pass
assert "Permission denied" in str(exc_info)
def test_get_profile_tokens_no_token(mock_cred):
r = MockS3()
mock_cred.return_value = Credentials(
"aws_access_key_id", "aws_secret_access_key")
cred_string = r._credentials_string()
expected = ('aws_access_key_id=aws_access_key_id;'
'aws_secret_access_key=aws_secret_access_key')
assert cred_string == expected
def get_credentials(
access_key: str = None,
secret_key: str = None,
):
if access_key and secret_key:
return Credentials(access_key, secret_key)
return Session().get_credentials()
def _resolve_static_credentials_from_profile(self, profile):
try:
return Credentials(access_key=profile['aws_access_key_id'],
secret_key=profile['aws_secret_access_key'],
token=profile.get('aws_session_token'))
except KeyError as e:
raise PartialCredentialsError(provider=self.METHOD,
cred_var=str(e))
def setUp(self):
self.credentials = Credentials('key', 'secret')
self.emitter = mock.Mock()
self.emitter.emit_until_response.return_value = (None, None)
self.signer = RequestSigner(
'service_name', 'region_name', 'signing_name',
'v4', self.credentials, self.emitter)
self.fixed_credentials = self.credentials.get_frozen_credentials()
def test_should_inject_aws_credentials(self, mock_hook):
mock_hook.return_value.get_credentials.return_value = Credentials(
TEST_AWS_ACCESS_KEY_ID, TEST_AWS_ACCESS_SECRET, None
)
body = {TRANSFER_SPEC: deepcopy(SOURCE_AWS)}
body = TransferJobPreprocessor(body=body).process_body()
self.assertEqual(body[TRANSFER_SPEC][AWS_S3_DATA_SOURCE][AWS_ACCESS_KEY], TEST_AWS_ACCESS_KEY)
def test_generate_session_credentials(self, stdout_mock):
self.credentials = Credentials('access', 'secret', 'token')
self.session.get_credentials.return_value = self.credentials
self.get_command = CodeCommitGetCommand(self.session)
self.get_command._run_main(self.args, self.globals)
output = stdout_mock.getvalue().strip()
self.assertRegexpMatches(
output, 'username={0}%{1}\npassword=.+'.format('access', 'token'))
def test__aws_credentials_with_short_lived_credentials_and_ec2_metadata_service_having_credentials(mock):
credentials = Credentials(access_key=_random_string(), secret_key=_random_string(), token=_random_string())
session = Mock()
session.get_credentials.return_value = credentials
mock.return_value = True
aws_credentials = _aws_credentials(session)
assert aws_credentials is None
def get_s3_auth_headers(creds, url, method, data=None):
# TODO: blocking function call
# When there is data this function might recalc hashes
req = AWSRequest(method=method, url=url, data=data)
sig = S3SigV4Auth(Credentials(**creds), 's3', 'us-east-1')
sig.headers_to_sign(req)
sig.add_auth(req)
return dict(req.headers.items())
def __init__(self,
service_name,
region_name=None,
api_version=None,
base_path=None,
use_ssl=True,
access_key_id=None,
secret_access_key=None,
config_file='~/.nifcloud.yml'):
"""
config_fileを読み取って認証情報を初期化します。
引数にも値がある場合には引数が優先されます。
:param service_name: サービス名
:param region_name: リージョン名
:param api_version: APIバージョン
:param base_path:
:param use_ssl:
:param access_key_id:
:param secret_access_key:
:param config_file: 設定ファイル
"""
# file から読み出し
file_path = os.path.expanduser(config_file).replace('/', os.sep)
if os.path.isfile(file_path):
with open(file_path, 'r') as file:
config = yaml.load(file.read())
if config is not None and 'ACCESS_KEY_ID' in config:
self.ACCESS_KEY_ID = config['ACCESS_KEY_ID']
if config is not None and 'SECRET_ACCESS_KEY' in config:
self.SECRET_ACCESS_KEY = config['SECRET_ACCESS_KEY']
# 環境変数があれば環境変数で上書き
if hasattr(self, "ACCESS_KEY_ID"):
self.ACCESS_KEY_ID = os.getenv("ACCESS_KEY_ID", self.ACCESS_KEY_ID)
else:
self.ACCESS_KEY_ID = os.getenv("ACCESS_KEY_ID")
if hasattr(self, "SECRET_ACCESS_KEY"):
self.SECRET_ACCESS_KEY = os.getenv("SECRET_ACCESS_KEY",
self.SECRET_ACCESS_KEY)
else:
self.SECRET_ACCESS_KEY = os.getenv("SECRET_ACCESS_KEY")
# 引数があれば引数の情報で上書き
if access_key_id is not None:
self.ACCESS_KEY_ID = access_key_id
if secret_access_key is not None:
self.SECRET_ACCESS_KEY = secret_access_key
# 認証情報を生成
self.CREDENTIALS = Credentials(self.ACCESS_KEY_ID,
self.SECRET_ACCESS_KEY)
self.SERVICE_NAME = service_name
self.REGION_NAME = region_name
self.API_VERSION = api_version
self.BASE_PATH = base_path
self.USE_SSL = use_ssl
def setUp(self):
self.service_description = {
'metadata': {
'apiVersion': '2014-01-01',
'endpointPrefix': 'myservice',
'signatureVersion': 'v4',
'protocol': 'query'
},
'operations': {
'TestOperation': {
'name': 'TestOperation',
'http': {
'method': 'POST',
'requestUri': '/',
},
'input': {'shape': 'TestOperationRequest'},
}
},
'shapes': {
'TestOperationRequest': {
'type': 'structure',
'required': ['Foo'],
'members': {
'Foo': {'shape': 'StringType'},
'Bar': {'shape': 'StringType'},
}
},
'StringType': {'type': 'string'}
}
}
self.retry_config = {
"retry": {
"__default__": {
"max_attempts": 5,
"delay": {
"type": "exponential",
"base": "rand",
"growth_factor": 2
},
"policies": {}
}
}
}
self.loader = mock.Mock()
self.loader.load_service_model.return_value = self.service_description
self.loader.load_data.return_value = self.retry_config
self.credentials = Credentials('access-key', 'secret-key')
self.endpoint_creator_patch = mock.patch(
'botocore.client.EndpointCreator')
self.endpoint_creator_cls = self.endpoint_creator_patch.start()
self.endpoint_creator = self.endpoint_creator_cls.return_value
self.endpoint = mock.Mock()
self.endpoint.make_request.return_value = (
mock.Mock(status_code=200), {})
self.endpoint_creator.create_endpoint.return_value = self.endpoint
def test_raise_error_on_failure_response(self):
responses.add(responses.GET,
'https://signin.aws.amazon.com/federation',
status=401,
body='Unauthorized')
credentials = Credentials('access_key', 'secret_key')
with self.assertRaises(requests.HTTPError):
self.command._get_signin_token(credentials, '3600')
class BaseSignerTest(unittest.TestCase):
def setUp(self):
self.credentials = Credentials('key', 'secret')
self.emitter = mock.Mock()
self.emitter.emit_until_response.return_value = (None, None)
self.signer = RequestSigner(
ServiceId('service_name'), 'region_name', 'signing_name',
'v4', self.credentials, self.emitter)
self.fixed_credentials = self.credentials.get_frozen_credentials()
self.request = botocore.awsrequest.AWSRequest()
def setUp(self):
self.credentials = Credentials('access', 'secret')
self.args = Namespace()
self.args.ignore_host_check = False
self.globals = Namespace()
self.globals.region = 'us-east-1'
self.globals.verify_ssl = False
self.session = MagicMock()
self.session.get_config_variable.return_value = 'us-east-1'
self.session.get_credentials.return_value = self.credentials
def test_presigned_url_already_present_rds(self):
operation_model = mock.Mock()
operation_model.name = 'CopyDBSnapshot'
params = {'body': {'PreSignedUrl': 'https://foo'}}
credentials = Credentials('key', 'secret')
event_emitter = HierarchicalEmitter()
request_signer = RequestSigner('rds', 'us-east-1', 'rds', 'v4',
credentials, event_emitter)
handlers.inject_presigned_url_rds(params, request_signer,
operation_model)
self.assertEqual(params['body']['PreSignedUrl'], 'https://foo')
def test_can_set_credentials_in_client_init(self):
creator = self.create_client_creator()
credentials = Credentials(
access_key='access_key', secret_key='secret_key',
token='session_token')
client = creator.create_client(
'myservice', 'us-west-2', credentials=credentials)
# Verify that we create an endpoint with a credentials object
# matching our creds arguments.
self.assertEqual(client._request_signer._credentials, credentials)
def test__aws_credentials_with_long_lived_credentials():
credentials = Credentials(access_key=_random_string(), secret_key=_random_string(), token=None)
session = Mock()
session.get_credentials.return_value = credentials
aws_credentials = _aws_credentials(session)
assert aws_credentials == [
"AWS_ACCESS_KEY_ID=%s" % credentials.access_key,
"AWS_SECRET_ACCESS_KEY=%s" % credentials.secret_key,
]
def test_adds_md5_when_not_v4(self):
credentials = Credentials('key', 'secret')
request_signer = RequestSigner(
's3', 'us-east-1', 's3', 's3', credentials, mock.Mock())
request_dict = {'body': b'bar',
'url': 'https://s3.us-east-1.amazonaws.com',
'method': 'PUT',
'headers': {}}
handlers.conditionally_calculate_md5(request_dict,
request_signer=request_signer)
self.assertTrue('Content-MD5' in request_dict['headers'])
