Example #1
    def test_role_arn_invalid_values(self):
        """raise_if_invalid() must reject a role_arn that is not ARN-like.

        Two bad inputs are exercised: a non-string value, and a string that
        lacks the 'arn:aws:iam::' marker.
        """
        # NOTE(review): failures surface as AssertionError. If the validator
        # relies on bare ``assert`` statements, the checks disappear under
        # ``python -O`` -- confirm against Configuration.raise_if_invalid.
        # NOTE(review): the second message says "contain", which suggests a
        # substring test rather than full ARN parsing -- confirm whether a
        # stricter check is wanted.
        rejected = (
            # role_arn must be a string
            (1234, "Expected role_arn to be None or a string."),
            # role_arn must be an ARN-looking string
            ("bad_string", "Expected role_arn to contain 'arn:aws:iam::'"),
        )
        for bad_arn, expected_message in rejected:
            cfg = configuration.Configuration()
            cfg.username = "******"
            cfg.password = "******"
            cfg.sp_id = "sample_sp_id"
            cfg.idp_id = "sample_idp_id"
            cfg.region = "sample_region"
            cfg.role_arn = bad_arn
            with self.assertRaises(AssertionError) as caught:
                cfg.raise_if_invalid()
            self.assertIn(expected_message, str(caught.exception))
 def test_unicode_password(self):
     """A unicode-literal password is accepted by raise_if_invalid()."""
     cfg = configuration.Configuration()
     cfg.username = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.idp_id = "sample_idp_id"
     cfg.password = u"hunter2"
     # The test passes when no exception escapes the validator.
     cfg.raise_if_invalid()
    def setUp(self):
        """Create a test configuration, write it out and parse the result.

        The configuration is stored on ``self.c``; after ``write(None)`` the
        file named by ``self.c.config_file`` is loaded into
        ``self.config_parser``.
        """
        fixture = configuration.Configuration()
        self.c = fixture

        # Use an obviously test-only profile name: it is meant to be deleted
        # afterwards, but if cleanup fails nothing belonging to the user
        # should have been clobbered.
        fixture.profile = "aws_google_auth_test_{}".format(randint(100, 999))

        # Sentinel password for the leakage tests.
        # NOTE(review): the literal as shown has no replacement field, so
        # .format() returns it unchanged and the random suffix is dropped.
        # A leakage check needs a value that cannot occur by accident --
        # confirm the intended literal.
        fixture.password = "******".format(
            randint(100, 999))

        remaining_settings = (
            ("region", "us-east-1"),
            ("ask_role", False),
            ("keyring", False),
            ("duration", 1234),
            ("idp_id", "sample_idp_id"),
            ("role_arn", "arn:aws:iam::sample_arn"),
            ("sp_id", "sample_sp_id"),
            ("u2f_disabled", False),
            ("username", "******"),
        )
        for attribute, value in remaining_settings:
            setattr(fixture, attribute, value)

        # Validate first so that only an accepted configuration is written.
        fixture.raise_if_invalid()
        fixture.write(None)

        parser = configparser.RawConfigParser()
        parser.read(fixture.config_file)
        self.config_parser = parser
Example #4
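def resolve_config(args):
    """Merge CLI arguments, environment variables and profile defaults.

    Options are resolved with ``util.Util.coalesce`` in the priority order
    ARGS, ENV_VAR, DEFAULT. ``keyring`` and ``print_creds`` have no
    environment variable and use ARGS, DEFAULT only. The profile is resolved
    first because ``config.read()`` is keyed on it.

    Args:
        args: parsed command-line namespace exposing the attributes read
            below (``profile``, ``ask_role``, ``duration``, ...).

    Returns:
        The populated ``configuration.Configuration``. This function does
        not call ``raise_if_invalid()``; validation is left to the caller.
    """

    # Shortening Convenience functions
    coalesce = util.Util.coalesce

    def env_flag(name):
        """Return env var *name* as a bool, or None when it is not set."""
        raw = os.getenv(name)
        if raw is None:
            return None
        # Environment values are always strings and bool("false") is True,
        # so spell out the values that mean "off". Every other value keeps
        # the previous meaning of "on".
        return raw.strip().lower() not in ('', '0', 'false', 'no', 'off')

    # Create a blank configuration object (has the defaults pre-filled)
    config = configuration.Configuration()

    # Profile (Option priority = ARGS, ENV_VAR, DEFAULT)
    config.profile = coalesce(args.profile, os.getenv('AWS_PROFILE'),
                              config.profile)

    # Now that we've established the profile, we can read the configuration
    # (~/.aws/config on disk) and fill in all the other variables.
    config.read(config.profile)

    # Ask Role (Option priority = ARGS, ENV_VAR, DEFAULT)
    # Previously AWS_ASK_ROLE=false or AWS_ASK_ROLE=0 switched prompting ON,
    # because any non-empty string is truthy.
    config.ask_role = bool(
        coalesce(args.ask_role, env_flag('AWS_ASK_ROLE'), config.ask_role))

    # Duration (Option priority = ARGS, ENV_VAR, DEFAULT)
    # NOTE(review): 'DURATION' is an unprefixed variable name and may be set
    # by unrelated tooling; int() raises ValueError on a non-numeric value.
    config.duration = int(
        coalesce(args.duration, os.getenv('DURATION'), config.duration))

    # IDP ID (Option priority = ARGS, ENV_VAR, DEFAULT)
    config.idp_id = coalesce(args.idp_id, os.getenv('GOOGLE_IDP_ID'),
                             config.idp_id)

    # Region (Option priority = ARGS, ENV_VAR, DEFAULT)
    config.region = coalesce(args.region, os.getenv('AWS_DEFAULT_REGION'),
                             config.region)

    # ROLE ARN (Option priority = ARGS, ENV_VAR, DEFAULT)
    config.role_arn = coalesce(args.role_arn, os.getenv('AWS_ROLE_ARN'),
                               config.role_arn)

    # SP ID (Option priority = ARGS, ENV_VAR, DEFAULT)
    config.sp_id = coalesce(args.sp_id, os.getenv('GOOGLE_SP_ID'),
                            config.sp_id)

    # U2F Disabled (Option priority = ARGS, ENV_VAR, DEFAULT)
    # The raw environment string used to be stored as-is, so U2F_DISABLED=false
    # was a truthy, non-boolean value for a setting that turns a second factor
    # off. Parse it into a real bool instead.
    config.u2f_disabled = coalesce(args.disable_u2f, env_flag('U2F_DISABLED'),
                                   config.u2f_disabled)

    # Resolve AWS aliases enabled (Option priority = ARGS, ENV_VAR, DEFAULT)
    # NOTE(review): the environment value arrives as a string here as well;
    # left unchanged because the expected type is not visible -- confirm.
    config.resolve_aliases = coalesce(args.resolve_aliases,
                                      os.getenv('RESOLVE_AWS_ALIASES'),
                                      config.resolve_aliases)

    # Username (Option priority = ARGS, ENV_VAR, DEFAULT)
    config.username = coalesce(args.username, os.getenv('GOOGLE_USERNAME'),
                               config.username)

    # Keyring and credential printing (Option priority = ARGS, DEFAULT)
    config.keyring = coalesce(args.keyring, config.keyring)

    config.print_creds = coalesce(args.print_creds, config.print_creds)

    return config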
 def test_u2f_disabled_is_optional(self):
     """u2f_disabled is falsy by default and may be left unset."""
     cfg = configuration.Configuration()
     cfg.username = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.idp_id = "sample_idp_id"
     cfg.password = "******"
     # Never assigned above, so this checks the pre-filled default.
     self.assertFalse(cfg.u2f_disabled)
     cfg.raise_if_invalid()
 def test_region_defaults_to_ap_southeast_2(self):
     """An unassigned region defaults to 'ap-southeast-2' and validates."""
     cfg = configuration.Configuration()
     cfg.password = "******"
     cfg.username = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.idp_id = "sample_idp_id"
     expected_region = "ap-southeast-2"
     self.assertEqual(cfg.region, expected_region)
     cfg.raise_if_invalid()
 def test_profile_defaults(self):
     """An unassigned profile defaults to 'sts' and validates."""
     cfg = configuration.Configuration()
     cfg.username = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.password = "******"
     cfg.idp_id = "sample_idp_id"
     default_profile = 'sts'
     self.assertEqual(cfg.profile, default_profile)
     cfg.raise_if_invalid()
 def test_ask_role_valid_values(self):
     """Both boolean values of ask_role are stored and pass validation."""
     cases = ((True, self.assertTrue), (False, self.assertFalse))
     for flag, check in cases:
         # A fresh configuration per value keeps the two cases independent.
         cfg = configuration.Configuration()
         cfg.username = "******"
         cfg.password = "******"
         cfg.sp_id = "sample_sp_id"
         cfg.idp_id = "sample_idp_id"
         cfg.ask_role = flag
         check(cfg.ask_role)
         cfg.raise_if_invalid()
Example #9
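    def test_duration_invalid_values(self):
        """raise_if_invalid() must reject a non-integer or out-of-range duration.

        Three cases are covered: a non-integer value, a value below the
        900-second minimum named in the error message, and a value one above
        ``max_duration``.
        """
        # Duration must be an integer
        c = configuration.Configuration()
        c.region = "sample_region"
        c.idp_id = "sample_idp_id"
        c.password = "******"
        c.sp_id = "sample_sp_id"
        c.username = "******"
        c.duration = "bad_type"
        with self.assertRaises(AssertionError) as e:
            c.raise_if_invalid()
        self.assertIn("Expected duration to be an integer.", str(e.exception))

        # Duration can not be below the minimum (a negative value is used)
        c = configuration.Configuration()
        c.region = "sample_region"
        c.idp_id = "sample_idp_id"
        c.sp_id = "sample_sp_id"
        c.password = "******"
        c.username = "******"
        c.duration = -1
        with self.assertRaises(AssertionError) as e:
            c.raise_if_invalid()
        self.assertIn("Expected duration to be greater than or equal to 900.",
                      str(e.exception))

        # Duration can not be greater than MAX_DURATION.
        # ``valid`` exists only to supply max_duration; its password was
        # previously assigned to the stale ``c`` from the case above.
        valid = configuration.Configuration()
        valid.idp_id = "sample_idp_id"
        valid.password = "******"
        valid.sp_id = "sample_sp_id"
        valid.username = "******"
        valid.duration = 900
        c = configuration.Configuration()
        c.region = "sample_region"
        c.idp_id = "sample_idp_id"
        c.sp_id = "sample_sp_id"
        c.password = "******"
        c.username = "******"
        c.duration = (valid.max_duration + 1)
        with self.assertRaises(AssertionError) as e:
            c.raise_if_invalid()
        self.assertIn(
            "Expected duration to be less than or equal to max_duration",
            str(e.exception))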
 def test_role_arn_is_optional(self):
     """role_arn is None by default and may be left unset."""
     cfg = configuration.Configuration()
     cfg.username = "******"
     cfg.password = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.idp_id = "sample_idp_id"
     # Never assigned above, so this checks the pre-filled default.
     self.assertIsNone(cfg.role_arn)
     cfg.raise_if_invalid()
 def test_duration_defaults_to_max_duration(self):
     """An unassigned duration equals max_duration and validates."""
     cfg = configuration.Configuration()
     cfg.username = "******"
     cfg.password = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.idp_id = "sample_idp_id"
     # Both sides are read from the same instance.
     self.assertEqual(cfg.duration, cfg.max_duration)
     cfg.raise_if_invalid()
 def test_sp_id_invalid_values(self):
     """raise_if_invalid() must reject a configuration whose sp_id is unset."""
     # sp_id must not be None: it is deliberately never assigned here.
     cfg = configuration.Configuration()
     cfg.username = "******"
     cfg.password = "******"
     cfg.idp_id = "sample_idp_id"
     with self.assertRaises(AssertionError) as caught:
         cfg.raise_if_invalid()
     message = str(caught.exception)
     self.assertIn("Expected sp_id to be set to non-None value.", message)
 def test_password_invalid_values(self):
     """raise_if_invalid() must reject a missing or non-string password."""
     unset = object()
     # First case: password must be set (it is never assigned).
     # Second case: password must be a string (an integer is assigned).
     for candidate in (unset, 123456):
         cfg = configuration.Configuration()
         cfg.idp_id = "sample_idp_id"
         cfg.sp_id = "sample_sp_id"
         cfg.username = "******"
         if candidate is not unset:
             cfg.password = candidate
         with self.assertRaises(AssertionError) as caught:
             cfg.raise_if_invalid()
         self.assertIn("Expected password to be a string.",
                       str(caught.exception))
Example #14
 def test_ask_role_optional(self):
     """ask_role is falsy by default and may be left unset."""
     cfg = configuration.Configuration()
     cfg.username = "******"
     cfg.password = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.idp_id = "sample_idp_id"
     cfg.region = "sample_region"
     # Never assigned above, so this checks the pre-filled default.
     self.assertFalse(cfg.ask_role)
     cfg.raise_if_invalid()
Example #15
 def test_u2f_disabled_valid_values(self):
     """Both boolean values of u2f_disabled are stored and pass validation."""
     cases = ((True, self.assertTrue), (False, self.assertFalse))
     for flag, check in cases:
         # A fresh configuration per value keeps the two cases independent.
         cfg = configuration.Configuration()
         cfg.username = "******"
         cfg.sp_id = "sample_sp_id"
         cfg.idp_id = "sample_idp_id"
         cfg.password = "******"
         cfg.region = "sample_region"
         cfg.u2f_disabled = flag
         check(cfg.u2f_disabled)
         cfg.raise_if_invalid()
Example #16
 def test_region_defaults_to_none(self):
     """With no region assigned, region is None and validation fails."""
     cfg = configuration.Configuration()
     cfg.password = "******"
     cfg.username = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.idp_id = "sample_idp_id"
     self.assertEqual(cfg.region, None)
     # The default alone is not acceptable; a region has to be supplied.
     with self.assertRaises(AssertionError) as caught:
         cfg.raise_if_invalid()
     message = str(caught.exception)
     self.assertIn("Expected region to be a string.", message)
Example #17
 def test_region_invalid_values(self):
     """raise_if_invalid() must reject a non-string region."""
     cfg = configuration.Configuration()
     cfg.username = "******"
     cfg.password = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.idp_id = "sample_idp_id"
     # region must be a string; an integer is assigned instead.
     cfg.region = 1234
     with self.assertRaises(AssertionError) as caught:
         cfg.raise_if_invalid()
     message = str(caught.exception)
     self.assertIn("Expected region to be a string.", message)
 def test_sp_id_valid_values(self):
     """A string sp_id and an integer sp_id are both stored and accepted."""
     cfg = configuration.Configuration()
     cfg.idp_id = "sample_idp_id"
     cfg.password = "******"
     cfg.username = "******"
     # The same instance is reused; only sp_id changes between checks.
     for service_provider in ("sample_sp_id", 123456):
         cfg.sp_id = service_provider
         self.assertEqual(cfg.sp_id, service_provider)
         cfg.raise_if_invalid()
 def test_ask_role_invalid_values(self):
     """raise_if_invalid() must reject a non-boolean ask_role."""
     cfg = configuration.Configuration()
     cfg.username = "******"
     cfg.password = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.idp_id = "sample_idp_id"
     # ask_role must be a boolean; a string is assigned instead.
     cfg.ask_role = "bad_value"
     with self.assertRaises(AssertionError) as caught:
         cfg.raise_if_invalid()
     message = str(caught.exception)
     self.assertIn("Expected ask_role to be a boolean.", message)
 def test_u2f_disabled_invalid_values(self):
     """raise_if_invalid() must reject a non-boolean u2f_disabled."""
     cfg = configuration.Configuration()
     cfg.password = "******"
     cfg.username = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.idp_id = "sample_idp_id"
     # u2f_disabled must be a boolean; a truthy integer is assigned here and
     # must not be accepted as a flag value.
     cfg.u2f_disabled = 1234
     with self.assertRaises(AssertionError) as caught:
         cfg.raise_if_invalid()
     message = str(caught.exception)
     self.assertIn("Expected u2f_disabled to be a boolean.", message)
Example #21
 def test_region_valid_values(self):
     """String regions are stored unchanged and pass validation."""
     cfg = configuration.Configuration()
     cfg.username = "******"
     cfg.password = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.idp_id = "sample_idp_id"
     # The same instance is reused; only region changes between checks.
     for region_name in ("us-east-1", "us-west-2"):
         cfg.region = region_name
         self.assertEqual(cfg.region, region_name)
         cfg.raise_if_invalid()
Example #22
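 def test_password_valid_values(self):
     """String passwords are stored unchanged and pass validation."""
     c = configuration.Configuration()
     c.region = "sample_region"
     # The assigned literals must equal the values asserted below. A masked
     # placeholder on the assignment side makes the equality checks fail.
     c.password = "hunter2"
     c.idp_id = "sample_idp_id"
     c.sp_id = "sample_sp_id"
     c.username = "******"
     self.assertEqual(c.password, "hunter2")
     c.raise_if_invalid()
     # An all-digit password is still a string and must be accepted.
     c.password = "123456"
     self.assertEqual(c.password, "123456")
     c.raise_if_invalid()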
 def test_profile_valid_values(self):
     """String profile names are stored unchanged and pass validation."""
     cfg = configuration.Configuration()
     cfg.username = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.password = "******"
     cfg.idp_id = "sample_idp_id"
     # The same instance is reused; only profile changes between checks.
     for profile_name in ("default", "sts"):
         cfg.profile = profile_name
         self.assertEqual(cfg.profile, profile_name)
         cfg.raise_if_invalid()
 def test_role_arn_valid_values(self):
     """Strings carrying the 'arn:aws:iam::' prefix are stored and accepted."""
     cfg = configuration.Configuration()
     cfg.password = "******"
     cfg.username = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.idp_id = "sample_idp_id"
     # NOTE(review): neither sample contains an account id or role name, so
     # acceptance here shows the validator does not parse the full ARN --
     # confirm that is intended.
     for arn in ("arn:aws:iam::some_arn_1", "arn:aws:iam::some_other_arn_2"):
         cfg.role_arn = arn
         self.assertEqual(cfg.role_arn, arn)
         cfg.raise_if_invalid()
 def test_duration_valid_values(self):
     """Durations of 100, max_duration and max_duration - 1 are accepted."""
     cfg = configuration.Configuration()
     cfg.username = "******"
     cfg.password = "******"
     cfg.sp_id = "sample_sp_id"
     cfg.idp_id = "sample_idp_id"

     # A small fixed value.
     cfg.duration = 100
     self.assertEqual(cfg.duration, 100)
     cfg.raise_if_invalid()

     # Exactly the upper bound.
     cfg.duration = cfg.max_duration
     self.assertEqual(cfg.duration, cfg.max_duration)
     cfg.raise_if_invalid()

     # One below the upper bound.
     cfg.duration = (cfg.max_duration - 1)
     self.assertEqual(cfg.duration, cfg.max_duration - 1)
     cfg.raise_if_invalid()
Example #26
    def test_can_read_all_values(self):
        """A fresh Configuration that reads self.c's profile matches self.c."""
        loaded = configuration.Configuration()
        loaded.read(self.c.profile)

        # Per the original author's note, read() does not return the
        # password, so one is assigned here to make the configuration valid.
        loaded.password = "******"

        loaded.raise_if_invalid()

        compared_fields = (
            "profile",
            "idp_id",
            "role_arn",
            "sp_id",
            "username",
            "region",
            "ask_role",
            "u2f_disabled",
            "duration",
        )
        for field in compared_fields:
            self.assertEqual(getattr(loaded, field), getattr(self.c, field))
Example #27
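def resolve_config(args):
    """Merge CLI arguments, environment variables and profile defaults.

    Options are resolved with ``util.Util.coalesce`` in the priority order
    ARGS, ENV_VAR, DEFAULT. ``keyring``, ``print_creds`` and ``quiet`` have
    no environment variable and use ARGS, DEFAULT only. The profile is
    resolved first because ``config.read()`` is keyed on it.

    Args:
        args: parsed command-line namespace exposing the attributes read
            below (``profile``, ``ask_role``, ``duration``, ...).

    Returns:
        The populated ``configuration.Configuration``. This function does
        not call ``raise_if_invalid()``; validation is left to the caller.
    """

    # Shortening Convenience functions
    coalesce = util.Util.coalesce

    def env_flag(name):
        """Return env var *name* as a bool, or None when it is not set."""
        raw = os.getenv(name)
        if raw is None:
            return None
        # Environment values are always strings and bool("false") is True,
        # so spell out the values that mean "off". Every other value keeps
        # the previous meaning of "on".
        return raw.strip().lower() not in ('', '0', 'false', 'no', 'off')

    # Create a blank configuration object (has the defaults pre-filled)
    config = configuration.Configuration()

    # Profile (Option priority = ARGS, ENV_VAR, DEFAULT)
    config.profile = coalesce(args.profile, os.getenv('AWS_PROFILE'),
                              config.profile)

    # Now that we've established the profile, we can read the configuration
    # (~/.aws/config on disk) and fill in all the other variables.
    config.read(config.profile)

    # Ask Role (Option priority = ARGS, ENV_VAR, DEFAULT)
    # Previously AWS_ASK_ROLE=false or AWS_ASK_ROLE=0 switched prompting ON,
    # because any non-empty string is truthy.
    config.ask_role = bool(
        coalesce(args.ask_role, env_flag('AWS_ASK_ROLE'), config.ask_role))

    # Duration (Option priority = ARGS, ENV_VAR, DEFAULT)
    # NOTE(review): 'DURATION' is an unprefixed variable name and may be set
    # by unrelated tooling; int() raises ValueError on a non-numeric value.
    config.duration = int(
        coalesce(args.duration, os.getenv('DURATION'), config.duration))

    # Automatic duration (Option priority = ARGS, ENV_VAR, DEFAULT)
    # NOTE(review): the environment value arrives as a string; left unchanged
    # because the expected type is not visible here -- confirm.
    config.auto_duration = coalesce(args.auto_duration,
                                    os.getenv('AUTO_DURATION'),
                                    config.auto_duration)

    # IDP ID (Option priority = ARGS, ENV_VAR, DEFAULT)
    config.idp_id = coalesce(args.idp_id, os.getenv('GOOGLE_IDP_ID'),
                             config.idp_id)

    # Region (Option priority = ARGS, ENV_VAR, DEFAULT)
    config.region = coalesce(args.region, os.getenv('AWS_DEFAULT_REGION'),
                             config.region)

    # ROLE ARN (Option priority = ARGS, ENV_VAR, DEFAULT)
    config.role_arn = coalesce(args.role_arn, os.getenv('AWS_ROLE_ARN'),
                               config.role_arn)

    # SP ID (Option priority = ARGS, ENV_VAR, DEFAULT)
    config.sp_id = coalesce(args.sp_id, os.getenv('GOOGLE_SP_ID'),
                            config.sp_id)

    # U2F Disabled (Option priority = ARGS, ENV_VAR, DEFAULT)
    # The raw environment string used to be stored as-is, so U2F_DISABLED=false
    # was a truthy, non-boolean value for a setting that turns a second factor
    # off. Parse it into a real bool instead.
    config.u2f_disabled = coalesce(args.disable_u2f, env_flag('U2F_DISABLED'),
                                   config.u2f_disabled)

    # Resolve AWS aliases enabled (Option priority = ARGS, ENV_VAR, DEFAULT)
    # NOTE(review): same string-typed environment value as auto_duration.
    config.resolve_aliases = coalesce(args.resolve_aliases,
                                      os.getenv('RESOLVE_AWS_ALIASES'),
                                      config.resolve_aliases)

    # Username (Option priority = ARGS, ENV_VAR, DEFAULT)
    config.username = coalesce(args.username, os.getenv('GOOGLE_USERNAME'),
                               config.username)

    # Shell cmd to get password (Option priority = ARGS, ENV_VAR, DEFAULT)
    # NOTE(review): this value and token_cmd below are described as shell
    # commands. They are taken from the command line, from the unprefixed
    # variables PASSWORD_CMD / TOKEN_CMD, or from whatever config.read()
    # loaded, so anything able to set those chooses what runs as the invoking
    # user. How the command is executed is outside this function -- confirm
    # the call site and treat the environment and profile file as trusted
    # input only.
    config.password_cmd = coalesce(args.password_cmd,
                                   os.getenv('PASSWORD_CMD'),
                                   config.password_cmd)

    # Shell cmd to get the second-factor token
    # (Option priority = ARGS, ENV_VAR, DEFAULT)
    # e.g. "ssh user@host oathtool --totp -b $(cat authenticator-code)"
    config.token_cmd = coalesce(args.token_cmd, os.getenv('TOKEN_CMD'),
                                config.token_cmd)

    # Account (Option priority = ARGS, ENV_VAR, DEFAULT)
    config.account = coalesce(args.account, os.getenv('AWS_ACCOUNT'),
                              config.account)

    # Keyring and credential printing (Option priority = ARGS, DEFAULT)
    config.keyring = coalesce(args.keyring, config.keyring)

    config.print_creds = coalesce(args.print_creds, config.print_creds)

    # Quiet (Option priority = ARGS, DEFAULT)
    config.quiet = coalesce(args.quiet, config.quiet)

    # Background response (Option priority = ARGS, ENV_VAR, DEFAULT)
    config.bg_response = coalesce(args.bg_response,
                                  os.getenv('GOOGLE_BG_RESPONSE'),
                                  config.bg_response)

    return config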
Example #28
 def valid_config(self):
     """Return a Configuration built from fixed idp_id, sp_id, username and password."""
     fixture_fields = {
         "idp_id": "IDPID",
         "sp_id": "SPID",
         "username": "******",
         "password": "******",
     }
     return configuration.Configuration(**fixture_fields)