def test_conditional_does_not_add_when_md5_unavailable(self):
credentials = Credentials('key', 'secret')
request_signer = RequestSigner(
's3', 'us-east-1', 's3', 's3', credentials, mock.Mock())
request_dict = {'body': b'bar',
'url': 'https://s3.us-east-1.amazonaws.com',
'method': 'PUT',
'headers': {}}
context = self.get_context()
self.set_md5_available(False)
with mock.patch('botocore.handlers.MD5_AVAILABLE', False):
handlers.conditionally_calculate_md5(
request_dict, request_signer=request_signer, context=context)
self.assertFalse('Content-MD5' in request_dict['headers'])
def test_adds_md5_when_s3v2(self):
credentials = Credentials('key', 'secret')
request_signer = RequestSigner('s3', 'us-east-1', 's3', 's3',
credentials, mock.Mock())
request_dict = {
'body': b'bar',
'url': 'https://s3.us-east-1.amazonaws.com',
'method': 'PUT',
'headers': {}
}
context = self.get_context()
handlers.conditionally_calculate_md5(request_dict,
request_signer=request_signer,
context=context)
self.assertTrue('Content-MD5' in request_dict['headers'])
def authenticate_presign_url_signv2(method, path, headers, data, url,
query_params, request_dict):
# Calculating Signature
aws_request = create_request_object(request_dict)
credentials = Credentials(
access_key=TEST_AWS_ACCESS_KEY_ID,
secret_key=TEST_AWS_SECRET_ACCESS_KEY,
token=query_params.get("X-Amz-Security-Token", None),
)
auth = HmacV1QueryAuth(credentials=credentials,
expires=query_params["Expires"][0])
split = urlsplit(aws_request.url)
string_to_sign = auth.get_string_to_sign(method=method,
split=split,
headers=aws_request.headers)
signature = auth.get_signature(string_to_sign=string_to_sign)
# Comparing the signature in url with signature we calculated
query_sig = urlparse.unquote(query_params["Signature"][0])
if config.S3_SKIP_SIGNATURE_VALIDATION:
if query_sig != signature:
LOGGER.warning(
"Signatures do not match, but not raising an error, as S3_SKIP_SIGNATURE_VALIDATION=1"
)
signature = query_sig
if query_sig != signature:
return requests_error_response_xml_signature_calculation(
code=403,
code_string="SignatureDoesNotMatch",
aws_access_token=TEST_AWS_ACCESS_KEY_ID,
string_to_sign=string_to_sign,
signature=signature,
message=
"The request signature we calculated does not match the signature you provided. \
Check your key and signing method.",
)
# Checking whether the url is expired or not
if int(query_params["Expires"][0]) < time.time():
return requests_error_response_xml_signature_calculation(
code=403,
code_string="AccessDenied",
message="Request has expired",
expires=query_params["Expires"][0],
)
def test_job_create_aws(self, aws_hook, mock_hook):
mock_hook.return_value.create_transfer_job.return_value = VALID_TRANSFER_JOB_AWS_RAW
aws_hook.return_value.get_credentials.return_value = Credentials(
TEST_AWS_ACCESS_KEY_ID, TEST_AWS_ACCESS_SECRET, None
)
body = deepcopy(VALID_TRANSFER_JOB_AWS)
del body['name']
op = GcpTransferServiceJobCreateOperator(body=body, task_id=TASK_ID)
result = op.execute(None)
mock_hook.assert_called_once_with(api_version='v1', gcp_conn_id='google_cloud_default')
mock_hook.return_value.create_transfer_job.assert_called_once_with(body=VALID_TRANSFER_JOB_AWS_RAW)
self.assertEqual(result, VALID_TRANSFER_JOB_AWS_RAW)
def request_api_gateway(params):
method = params[0]
url = params[1]
data = params[2]
awsreq = AWSRequest(method=method, url=url, data=data)
credentials = Credentials(ACCESS_KEY, ACCESS_SECRET)
body = '---'
SigV4Auth(credentials, "execute-api", REGION).add_auth(awsreq)
req = urllib.request.Request(awsreq.url,
awsreq.data,
method=awsreq.method,
headers=awsreq.headers)
with urllib.request.urlopen(req) as res:
body = json.load(res)
return body
def get_request():
credentials = Credentials(
os.environ['AWS_ACCESS_KEY_ID'],
os.environ['AWS_SECRET_ACCESS_KEY'],
# os.environ['AWS_SESSION_TOKEN'],
)
sigv4 = SigV4Auth(credentials, 'execute-api', 'us-east-1')
endpoint = 'https://g4gdlwz33m.execute-api.us-east-1.amazonaws.com/prod'
request = AWSRequest(method='GET', url=endpoint)
sigv4.add_auth(request)
prepped = request.prepare()
response = requests.get(prepped.url, headers=prepped.headers)
print("GET Request: {}".format(response.text))
def test_generate_credentials_creates_a_valid_request(self, signature,
string_to_sign):
self.credentials = Credentials('access', 'secret')
self.session.get_credentials.return_value = self.credentials
self.get_command = CodeCommitGetCommand(self.session)
self.get_command._run_main(self.args, self.globals)
aws_request = signature.call_args[0][1]
self.assertEquals('GIT', aws_request.method)
self.assertEquals(
'https://git-codecommit.us-east-1.amazonaws.com//v1/repos/myrepo',
aws_request.url)
self.assertEquals(
('GIT\n//v1/repos/myrepo\n\n'
'host:git-codecommit.us-east-1.amazonaws.com\n\n'
'host\n'),
string_to_sign.call_args[0][1])
def test__aws_credentials_with_short_lived_credentials_and_ec2_metadata_service_having_no_credentials(
mock,
):
credentials = Credentials(
access_key=_random_string(), secret_key=_random_string(), token=_random_string()
)
session = Mock()
session.get_credentials.return_value = credentials
mock.return_value = False
aws_credentials = _aws_credentials(session)
assert aws_credentials == [
"AWS_ACCESS_KEY_ID=%s" % credentials.access_key,
"AWS_SECRET_ACCESS_KEY=%s" % credentials.secret_key,
"AWS_SESSION_TOKEN=%s" % credentials.token,
]
def test_presigned_url_with_source_region_rds(self):
operation_model = mock.Mock()
operation_model.name = 'CopyDBSnapshot'
params = {
'body': {
'PreSignedUrl': 'https://foo',
'SourceRegion': 'us-east-1'
}
}
credentials = Credentials('key', 'secret')
event_emitter = HierarchicalEmitter()
request_signer = RequestSigner('rds', 'us-east-1', 'rds', 'v4',
credentials, event_emitter)
handlers.inject_presigned_url_rds(params, request_signer,
operation_model)
self.assertEqual(params['body']['PreSignedUrl'], 'https://foo')
self.assertNotIn('SourceRegion', params['body'])
def neptune_endpoints(self, connection_name):
"""Gets Neptune endpoint information from the Glue Data Catalog.
You may need to install a Glue VPC Endpoint in your VPC for this method to work.
You can store Neptune endpoint information as JDBC connections in the Glue Data Catalog.
JDBC connection strings must begin 'jdbc:'. To store a Neptune endpoint, use the following format:
'jdbc:<protocol>://<dns_name>:<port>/<endpoint>'
For example, if you store:
'jdbc:wss://my-neptune-cluster.us-east-1.neptune.amazonaws.com:8182/gremlin'
– this method will return:
'wss://my-neptune-cluster.us-east-1.neptune.amazonaws.com:8182/gremlin'
Example:
>>> gremlin_endpoint = GlueNeptuneConnectionInfo(glueContext).neptune_endpoint('neptune')
"""
glue = boto3.client('glue', region_name=self.region)
connection = glue.get_connection(Name=connection_name)
neptune_uri = connection['Connection']['ConnectionProperties']['JDBC_CONNECTION_URL'][5:]
parse_result = urlparse(neptune_uri)
netloc_parts = parse_result.netloc.split(':')
host = netloc_parts[0]
port = netloc_parts[1]
sts = boto3.client('sts', region_name=self.region)
role = sts.assume_role(
RoleArn=self.role_arn,
RoleSessionName=uuid.uuid4().hex,
DurationSeconds=3600
)
credentials = Credentials(
access_key=role['Credentials']['AccessKeyId'],
secret_key=role['Credentials']['SecretAccessKey'],
token=role['Credentials']['SessionToken'])
return Endpoints(neptune_endpoint=host, neptune_port=port, region_name=self.region, credentials=credentials)
def test_request_signin_token(self):
responses.add(
responses.GET,
'https://signin.aws.amazon.com/federation',
status=200,
json={'SigninToken': 'some_token'},
)
credentials = Credentials('access_key', 'secret_key')
signin_token = self.command._get_signin_token(credentials, '3600')
self.assertEqual(signin_token, 'some_token')
call = responses.calls[0]
self.assertIn('SessionDuration=3600', call.request.path_url)
self.assertIn('Session=', call.request.path_url)
self.assertIn(credentials.access_key, call.request.path_url)
self.assertIn(credentials.secret_key, call.request.path_url)
self.assertIn(str(credentials.token), call.request.path_url)
def test_execute(self, mock_aws_hook, mock_transfer_hook):
mock_aws_hook.return_value.get_credentials.return_value = Credentials(
TEST_AWS_ACCESS_KEY_ID, TEST_AWS_ACCESS_SECRET, None)
operator = CloudDataTransferServiceS3ToGCSOperator(
task_id=TASK_ID,
s3_bucket=AWS_BUCKET_NAME,
gcs_bucket=GCS_BUCKET_NAME,
description=DESCRIPTION,
schedule=SCHEDULE_DICT,
)
operator.execute(None)
mock_transfer_hook.return_value.create_transfer_job.assert_called_once_with(
body=VALID_TRANSFER_JOB_AWS_RAW)
assert mock_transfer_hook.return_value.wait_for_transfer_job.called
def write_http_request(self, path: str, headers) -> None:
# Intercept the GET that initiates the websocket protocol at the point where
# all of its 'real' headers have been constructed. Add in the sigv4 header AWS needs.
credentials = Credentials(os.environ['AWS_ACCESS_KEY_ID'],
os.environ['AWS_SECRET_ACCESS_KEY'],
os.environ['AWS_SESSION_TOKEN'])
sigv4 = SigV4Auth(credentials, 'execute-api',
os.environ['AWS_REGION'])
request = AWSRequest(method='GET',
url='https://' + natpunch_server)
sigv4.add_auth(request)
prepped = request.prepare()
headers['Authorization'] = prepped.headers['Authorization']
headers['X-Amz-Date'] = prepped.headers['X-Amz-Date']
headers['x-amz-security-token'] = prepped.headers[
'x-amz-security-token']
# Run the original code with the added sigv4 auth header now included:
super().write_http_request(path, headers)
def test_copy_snapshot_encrypted(self):
credentials = Credentials('key', 'secret')
request_signer = RequestSigner('ec2', 'us-east-1', 'ec2', 'v4',
credentials, None)
request_dict = {}
params = {'SourceRegion': 'us-west-2'}
request_dict['body'] = params
request_dict['url'] = 'https://ec2.us-east-1.amazonaws.com'
request_dict['method'] = 'POST'
request_dict['headers'] = {}
handlers.copy_snapshot_encrypted(request_dict, request_signer)
self.assertIn('https://ec2.us-west-2.amazonaws.com?',
params['PresignedUrl'])
self.assertIn('X-Amz-Signature', params['PresignedUrl'])
# We should also populate the DestinationRegion with the
# region_name of the endpoint object.
self.assertEqual(params['DestinationRegion'], 'us-east-1')
def __init__(self, test_case):
p = os.path.join
# We're using io.open() because we need to open these files with
# a specific encoding, and in 2.x io.open is the best way to do this.
self.raw_request = io.open(p(TESTSUITE_DIR, test_case + '.req'),
encoding='utf-8').read()
self.canonical_request = io.open(
p(TESTSUITE_DIR, test_case + '.creq'),
encoding='utf-8').read().replace('\r', '')
self.string_to_sign = io.open(
p(TESTSUITE_DIR, test_case + '.sts'),
encoding='utf-8').read().replace('\r', '')
self.authorization_header = io.open(
p(TESTSUITE_DIR, test_case + '.authz'),
encoding='utf-8').read().replace('\r', '')
self.signed_request = io.open(p(TESTSUITE_DIR, test_case + '.sreq'),
encoding='utf-8').read()
self.credentials = Credentials(ACCESS_KEY, SECRET_KEY)
def __init__(self,
service_name,
region_name=None,
api_version=None,
base_path=None,
use_ssl=True,
access_key_id=None,
secret_access_key=None,
config_file='~/.nifcloud.yml'):
"""
config_fileを読み取って認証情報を初期化します。
引数にも値がある場合には引数が優先されます。
:param service_name: サービス名
:param region_name: リージョン名
:param api_version: APIバージョン
:param base_path:
:param use_ssl:
:param access_key_id:
:param secret_access_key:
:param config_file: 設定ファイル
"""
# file から読み出し
file_path = os.path.expanduser(config_file).replace('/', os.sep)
if os.path.isfile(file_path):
config = yaml.load(open(file_path, 'r').read())
if 'ACCESS_KEY_ID' in config:
self.ACCESS_KEY_ID = config['ACCESS_KEY_ID']
if 'SECRET_ACCESS_KEY' in config:
self.SECRET_ACCESS_KEY = config['SECRET_ACCESS_KEY']
# 引数があれば引数の情報で上書き
if access_key_id is not None:
self.ACCESS_KEY_ID = access_key_id
if secret_access_key is not None:
self.SECRET_ACCESS_KEY = secret_access_key
# 認証情報を生成
self.CREDENTIALS = Credentials(self.ACCESS_KEY_ID,
self.SECRET_ACCESS_KEY)
self.SERVICE_NAME = service_name
self.REGION_NAME = region_name
self.API_VERSION = api_version
self.BASE_PATH = base_path
self.USE_SSL = use_ssl
def list_queues_with_auth_in_presigned_url(self, method):
base_url = "{}://{}:{}".format(get_service_protocol(),
config.LOCALSTACK_HOSTNAME,
config.PORT_SQS)
req = AWSRequest(
method=method,
url=base_url,
data={
"Action": "ListQueues",
"Version": "2012-11-05"
},
)
# boto doesn't support querystring-style auth, so we have to do some
# weird logic to use boto's signing functions, to understand what's
# going on here look at the internals of the SigV4Auth.add_auth
# method.
datetime_now = datetime.datetime.utcnow()
req.context["timestamp"] = datetime_now.strftime(SIGV4_TIMESTAMP)
signer = SigV4Auth(
Credentials(TEST_AWS_ACCESS_KEY_ID, TEST_AWS_SECRET_ACCESS_KEY),
"sqs",
aws_stack.get_region(),
)
canonical_request = signer.canonical_request(req)
string_to_sign = signer.string_to_sign(req, canonical_request)
payload = {
"Action": "ListQueues",
"Version": "2012-11-05",
"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
"X-Amz-Credential": signer.scope(req),
"X-Amz-SignedHeaders":
";".join(signer.headers_to_sign(req).keys()),
"X-Amz-Signature": signer.signature(string_to_sign, req),
}
if method == "GET":
return requests.get(url=base_url, params=payload)
else:
return requests.post(url=base_url, data=urlencode(payload))
def test_dest_region_removed(self):
operation_model = mock.Mock()
operation_model.name = 'CopyDBSnapshot'
credentials = Credentials('key', 'secret')
event_emitter = HierarchicalEmitter()
request_signer = RequestSigner('rds', 'us-east-1', 'rds', 'v4',
credentials, event_emitter)
request_dict = {}
params = {'SourceRegion': 'us-west-2'}
request_dict['body'] = params
request_dict['url'] = 'https://rds.us-east-1.amazonaws.com'
request_dict['method'] = 'POST'
request_dict['headers'] = {}
request_dict['context'] = {}
handlers.inject_presigned_url_rds(params=request_dict,
request_signer=request_signer,
model=operation_model)
self.assertNotIn('DestinationRegion', params)
def post_request():
credentials = Credentials(
os.environ['AWS_ACCESS_KEY_ID'],
os.environ['AWS_SECRET_ACCESS_KEY'],
# os.environ['AWS_SESSION_TOKEN'],
)
sigv4 = SigV4Auth(credentials, 'execute-api', 'us-east-1')
endpoint = 'https://g4gdlwz33m.execute-api.us-east-1.amazonaws.com/prod'
data = {"My": "body"}
headers = {'Content-Type': 'application/json'}
request = AWSRequest(method='POST',
url=endpoint,
data=data,
headers=headers)
sigv4.add_auth(request)
prepped = request.prepare()
response = requests.post(prepped.url, headers=prepped.headers, data=data)
print("POST Request: {}".format(response.text))
async def test_appsync_execute_method_not_allowed(event_loop, server):
from gql.transport.appsync_auth import AppSyncIAMAuthentication
from gql.transport.appsync_websockets import AppSyncWebsocketsTransport
from botocore.credentials import Credentials
path = "/graphql"
url = f"ws://{server.hostname}:{server.port}{path}"
dummy_credentials = Credentials(
access_key=DUMMY_ACCESS_KEY_ID,
secret_key=DUMMY_SECRET_ACCESS_KEY,
)
auth = AppSyncIAMAuthentication(host=server.hostname,
credentials=dummy_credentials,
region_name=REGION_NAME)
transport = AppSyncWebsocketsTransport(url=url, auth=auth)
client = Client(transport=transport)
async with client as session:
query = gql("""
mutation createMessage($message: String!) {
createMessage(input: {message: $message}) {
id
message
createdAt
}
}""")
variable_values = {"message": "Hello world!"}
with pytest.raises(AssertionError) as exc_info:
await session.execute(query, variable_values=variable_values)
assert (
"execute method is not allowed for AppSyncWebsocketsTransport "
"because only subscriptions are allowed on the realtime endpoint."
) in str(exc_info)
async def test_appsync_subscription_iam_without_token(event_loop, server):
from gql.transport.appsync_auth import AppSyncIAMAuthentication
from gql.transport.appsync_websockets import AppSyncWebsocketsTransport
from botocore.credentials import Credentials
path = "/graphql"
url = f"ws://{server.hostname}:{server.port}{path}"
dummy_credentials = Credentials(
access_key=DUMMY_ACCESS_KEY_ID,
secret_key=DUMMY_SECRET_ACCESS_KEY,
)
auth = AppSyncIAMAuthentication(host=server.hostname,
credentials=dummy_credentials,
region_name=REGION_NAME)
transport = AppSyncWebsocketsTransport(url=url, auth=auth)
await default_transport_test(transport)
def _validate_signature(self, headers, raw_input):
auth_header = headers["Authorization"]
signed_headers_start = auth_header.find("SignedHeaders")
signed_headers = auth_header[signed_headers_start:auth_header.find(",", signed_headers_start)]
signed_headers_dict = get_dict_subset(headers, signed_headers)
request = AWSRequest(method="POST", url="/", data=raw_input, headers=signed_headers_dict)
# SigV4Auth assumes this header exists even though it is not required by the algorithm
request.context['timestamp'] = headers['X-Amz-Date']
region_start = auth_header.find("Credential=access/") + len("Credential=access/YYYYMMDD/")
region = auth_header[region_start:auth_header.find("/", region_start)]
credentials = Credentials("access", "secret")
auth = SigV4Auth(credentials, "kms", region)
string_to_sign = auth.string_to_sign(request, auth.canonical_request(request))
expected_signature = auth.signature(string_to_sign, request)
signature_headers_start = auth_header.find("Signature=") + len("Signature=")
actual_signature = auth_header[signature_headers_start:]
return expected_signature == actual_signature
def setUpClass(cls):
# ダミーの認証情報
cls.ACCESS_KEY_ID = "dummy_access_key_id"
cls.SECRET_ACCESS_KEY = "dummy_secret_access_key"
cls.endpoint_url = "https://computing.jp-east-1.api.cloud.nifty.com/api"
cls.params = {
"Action": "DescribeRegions",
}
# 認証情報を生成
cls.CREDENTIALS = Credentials(cls.ACCESS_KEY_ID, cls.SECRET_ACCESS_KEY)
cls.request = AWSRequest(method="GET",
url=cls.endpoint_url,
data=cls.params,
headers={})
sut = NifCloudSigV1Auth(credentials=cls.CREDENTIALS)
# request情報更新
sut.add_auth(cls.request)
def request(option):
logger.debug('option:{}'.format(option))
request = AWSRequest(method="GET",
url=os.environ["ES_ENDPOINT_URL"],
data=json.dumps(option))
if ("AWS_ACCESS_KEY_ID" in os.environ):
credentials = Credentials(os.environ["AWS_ACCESS_KEY_ID"],
os.environ["AWS_SECRET_ACCESS_KEY"],
os.environ["AWS_SESSION_TOKEN"])
SigV4Auth(credentials, "es",
os.environ["AWS_REGION"]).add_auth(request)
response = BotocoreHTTPSession().send(request.prepare())
result = response.json()
logger.debug('result:{}'.format(result))
if (("hits" in result) and ("hits" in result["hits"])):
return list(map(lambda n: n["_source"], result["hits"]["hits"]))
else:
return []
def check_request_signature(request,
authorization,
secret_key,
region='local'):
# Reuse botocore API to validate signature.
if 'AWS4-HMAC-SHA256' != authorization.algorithm:
raise errors.IncompleteSignature(
f"Unsupported AWS 'algorithm': '{authorization.algorithm}'")
if 'aws4_request' != authorization.terminator:
raise errors.SignatureDoesNotMatch(
"Credential should be scoped with a valid terminator: "
f"'aws4_request', not '{authorization.terminator}'.")
if 'host' not in authorization.signed_headers:
raise errors.SignatureDoesNotMatch(
"'Host' must be a 'SignedHeader' in the AWS Authorization.")
headers_key = {k.lower() for k in request.headers.keys()}
headers_to_sign = set(authorization.signed_headers)
for h in headers_to_sign:
if h not in headers_key:
raise errors.SignatureDoesNotMatch(
f"Authorization header requires existence of '{h}' header. "
f"{authorization}")
creds = Credentials(authorization.access_key, secret_key)
signer = SigV4Auth(creds, 'rds', region)
awsrequest = make_boto_request(request, headers_to_sign)
canonical_request = signer.canonical_request(awsrequest)
string_to_sign = signer.string_to_sign(awsrequest, canonical_request)
signature = signer.signature(string_to_sign, awsrequest)
if signature != authorization.signature:
raise errors.SignatureDoesNotMatch(description=(
"The request signature we calculated does not match the signature "
"you provided. Check your AWS Secret Access Key and signing "
"method. Consult the service documentation for details."))
def __init__(self, test_case):
filepath = os.path.join(TESTSUITE_DIR, test_case,
os.path.basename(test_case))
# We're using io.open() because we need to open these files with
# a specific encoding, and in 2.x io.open is the best way to do this.
self.raw_request = io.open(filepath + '.req', encoding='utf-8').read()
self.canonical_request = io.open(filepath + '.creq',
encoding='utf-8').read().replace(
'\r', '')
self.string_to_sign = io.open(filepath + '.sts',
encoding='utf-8').read().replace(
'\r', '')
self.authorization_header = io.open(filepath + '.authz',
encoding='utf-8').read().replace(
'\r', '')
self.signed_request = io.open(filepath + '.sreq',
encoding='utf-8').read()
token_pattern = r'^x-amz-security-token:(.*)$'
token_match = re.search(token_pattern, self.canonical_request,
re.MULTILINE)
token = token_match.group(1) if token_match else None
self.credentials = Credentials(ACCESS_KEY, SECRET_KEY, token)
def test_execute_should_throw_ex_when_delete_job_without_wait(
self, mock_aws_hook, mock_transfer_hook):
mock_aws_hook.return_value.get_credentials.return_value = Credentials(
TEST_AWS_ACCESS_KEY_ID, TEST_AWS_ACCESS_SECRET, None)
with pytest.raises(AirflowException) as ctx:
operator = CloudDataTransferServiceS3ToGCSOperator(
task_id=TASK_ID,
s3_bucket=AWS_BUCKET_NAME,
gcs_bucket=GCS_BUCKET_NAME,
description=DESCRIPTION,
schedule=SCHEDULE_DICT,
wait=False,
delete_job_after_completion=True,
)
operator.execute(None)
err = ctx.value
assert "If 'delete_job_after_completion' is True, then 'wait' must also be True." in str(
err)
mock_aws_hook.assert_not_called()
mock_transfer_hook.assert_not_called()
def authenticate_presign_url_signv2(method, path, headers, data, url,
query_params, request_dict):
# Calculating Signature
aws_request = create_request_object(request_dict)
credentials = Credentials(access_key=TEST_AWS_ACCESS_KEY_ID,
secret_key=TEST_AWS_SECRET_ACCESS_KEY)
auth = HmacV1QueryAuth(credentials=credentials,
expires=query_params['Expires'][0])
split = urlsplit(aws_request.url)
string_to_sign = auth.get_string_to_sign(method=method,
split=split,
headers=aws_request.headers)
signature = auth.get_signature(string_to_sign=string_to_sign)
# Comparing the signature in url with signature we calculated
query_sig = urlparse.unquote(query_params['Signature'][0])
if query_sig != signature:
return requests_error_response_xml_signature_calculation(
code=403,
code_string='SignatureDoesNotMatch',
aws_access_token=TEST_AWS_ACCESS_KEY_ID,
string_to_sign=string_to_sign,
signature=signature,
message=
'The request signature we calculated does not match the signature you provided. \
Check your key and signing method.')
# Checking whether the url is expired or not
if int(query_params['Expires'][0]) < time.time():
return requests_error_response_xml_signature_calculation(
code=403,
code_string='AccessDenied',
message='Request has expired',
expires=query_params['Expires'][0])
def test_inject_presigned_url_rds(self):
operation_model = mock.Mock()
operation_model.name = 'CopyDBSnapshot'
credentials = Credentials('key', 'secret')
event_emitter = HierarchicalEmitter()
request_signer = RequestSigner('rds', 'us-east-1', 'rds', 'v4',
credentials, event_emitter)
request_dict = {}
params = {'SourceRegion': 'us-west-2'}
request_dict['body'] = params
request_dict['url'] = 'https://rds.us-east-1.amazonaws.com'
request_dict['method'] = 'POST'
request_dict['headers'] = {}
request_dict['context'] = {}
handlers.inject_presigned_url_rds(request_dict, request_signer,
operation_model)
self.assertIn('https://rds.us-west-2.amazonaws.com?',
params['PreSignedUrl'])
self.assertIn('X-Amz-Signature', params['PreSignedUrl'])
self.assertIn('DestinationRegion', params['PreSignedUrl'])
# We should not populate the destination region for rds
self.assertNotIn('DestinationRegion', params)
async def test_appsync_fetch_schema_from_transport_not_allowed(event_loop):
from gql.transport.appsync_auth import AppSyncIAMAuthentication
from gql.transport.appsync_websockets import AppSyncWebsocketsTransport
from botocore.credentials import Credentials
dummy_credentials = Credentials(
access_key=DUMMY_ACCESS_KEY_ID,
secret_key=DUMMY_SECRET_ACCESS_KEY,
)
auth = AppSyncIAMAuthentication(host="something",
credentials=dummy_credentials,
region_name=REGION_NAME)
transport = AppSyncWebsocketsTransport(url="https://something", auth=auth)
with pytest.raises(AssertionError) as exc_info:
Client(transport=transport, fetch_schema_from_transport=True)
assert (
"fetch_schema_from_transport=True is not allowed for AppSyncWebsocketsTransport"
" because only subscriptions are allowed on the realtime endpoint."
) in str(exc_info)
