def patch(self, test_name, default_test_bucket):
    """Make boto see STS-vended credentials as instance-profile credentials.

    Requests a federation token restricted by the policy built from
    ``default_test_bucket`` and ``test_name``, removes the AWS credential
    environment variables, and replaces boto's instance-metadata lookup
    with a canned response that carries the token.

    Args:
        test_name: Key prefix used in the policy and in WALE_S3_PREFIX.
        default_test_bucket: Bucket name; also passed as the federation
            token's name.
    """
    # Order matters: the token is requested before the environment is
    # scrubbed of AWS credential variables.
    sts = s3_integration_help.sts_conn()
    scoped_policy = s3_integration_help.make_policy(default_test_bucket,
                                                    test_name)
    token = sts.get_federation_token(default_test_bucket,
                                     policy=scoped_policy)

    # With the env-var credentials removed, the instance-profile path
    # patched below is the one that gets exercised.
    # self.monkeypatch is presumably pytest's monkeypatch fixture, which
    # undoes these changes at teardown -- confirm against the class.
    for env_var in _AWS_CRED_ENV_VARS:
        self.monkeypatch.delenv(env_var, raising=False)

    s3_prefix = 's3://{0}/{1}'.format(default_test_bucket, test_name)
    self.monkeypatch.setenv('WALE_S3_PREFIX', s3_prefix)
    self.monkeypatch.setenv('AWS_REGION', 'us-west-1')

    # Canned metadata document. It holds a live (policy-scoped) secret key
    # and session token, so it should stay out of logs and assertion output.
    # The far-future timestamps are fabricated; the real token still lapses
    # on the schedule STS gave it.
    issued = token.credentials
    fake_profile = {
        "Code": "Success",
        "LastUpdated": "3014-01-11T02:13:53Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": issued.access_key,
        "SecretAccessKey": issued.secret_key,
        "Token": issued.session_token,
        "Expiration": "3014-01-11T08:16:59Z"
    }

    from boto import provider

    def _never_needs_refresh(_provider):
        # Stops boto from deciding the canned credentials need refreshing.
        return False

    self.monkeypatch.setattr(provider.Provider,
                             '_credentials_need_refresh',
                             _never_needs_refresh)

    # Different versions of boto expect slightly different shapes: either
    # the credential document directly under a name, or nested beneath
    # 'iam' / 'security-credentials'.
    import test_aws_instance_profiles

    canned = {'irrelevant': fake_profile}
    if not test_aws_instance_profiles.boto_flat_metadata():
        canned = {'iam': {'security-credentials': canned}}

    from boto import utils

    def _canned_metadata(*args, **kwargs):
        return canned

    self.monkeypatch.setattr(utils, 'get_instance_metadata',
                             _canned_metadata)
def patch(self, test_name):
    """Make boto see STS-vended credentials as instance-profile credentials.

    Uses ``self.default_test_bucket`` for the bucket. A federation token
    restricted by the policy for that bucket and ``test_name`` is requested,
    the AWS credential environment variables are removed, and boto's
    instance-metadata lookup is replaced by a canned response carrying
    the token.

    Args:
        test_name: Key prefix used in the policy and in WALE_S3_PREFIX.
    """
    bucket_name = self.default_test_bucket

    # Order matters: the token is requested before the environment is
    # scrubbed of AWS credential variables.
    sts = s3_integration_help.sts_conn()
    scoped_policy = s3_integration_help.make_policy(bucket_name, test_name)
    token = sts.get_federation_token(bucket_name, policy=scoped_policy)

    # With the env-var credentials removed, the instance-profile path
    # patched below is the one that gets exercised.
    for env_var in _AWS_CRED_ENV_VARS:
        self.monkeypatch.delenv(env_var, raising=False)

    s3_prefix = 's3://{0}/{1}'.format(bucket_name, test_name)
    self.monkeypatch.setenv('WALE_S3_PREFIX', s3_prefix)
    self.monkeypatch.setenv('AWS_REGION', 'us-west-1')

    # Canned metadata document. It holds a live (policy-scoped) secret key
    # and session token, so it should stay out of logs and assertion output.
    # The far-future timestamps are fabricated; the real token still lapses
    # on the schedule STS gave it.
    issued = token.credentials
    fake_profile = {
        "Code": "Success",
        "LastUpdated": "3014-01-11T02:13:53Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": issued.access_key,
        "SecretAccessKey": issued.secret_key,
        "Token": issued.session_token,
        "Expiration": "3014-01-11T08:16:59Z"
    }

    from boto import provider

    def _never_needs_refresh(_provider):
        # Stops boto from deciding the canned credentials need refreshing.
        return False

    self.monkeypatch.setattr(provider.Provider,
                             '_credentials_need_refresh',
                             _never_needs_refresh)

    # Different versions of boto expect slightly different shapes: either
    # the credential document directly under a name, or nested beneath
    # 'iam' / 'security-credentials'.
    import test_aws_instance_profiles

    canned = {'irrelevant': fake_profile}
    if not test_aws_instance_profiles.boto_flat_metadata():
        canned = {'iam': {'security-credentials': canned}}

    from boto import utils

    def _canned_metadata(*args, **kwargs):
        return canned

    self.monkeypatch.setattr(utils, 'get_instance_metadata',
                             _canned_metadata)
def test_backup_list(sts_conn):
    """Test BackupList's compatibility with a test policy.

    A federation token scoped by ``make_policy(bucket, 'test-prefix')`` is
    used to enumerate backups in a freshly created bucket; the listing must
    succeed and come back empty.
    """
    # NOTE(review): this is a fixed bucket name, whereas test_policy passes
    # its name through bucket_name_mangle -- confirm whether this test
    # should do the same.
    bucket_name = 'wal-e.sts.backup.list'
    s3_host = 's3-us-west-1.amazonaws.com'
    ordinary = connection.OrdinaryCallingFormat()

    scoped_policy = make_policy(bucket_name, 'test-prefix')
    token = sts_conn.get_federation_token('wal-e-test-backup-list',
                                          policy=scoped_policy)
    layout = StorageLayout('s3://{0}/test-prefix'.format(bucket_name))

    issued = token.credentials
    scoped_creds = Credentials(issued.access_key,
                               issued.secret_key,
                               issued.session_token)

    with FreshBucket(bucket_name, calling_format=ordinary,
                     host=s3_host) as fresh:
        fresh.create(location='us-west-1')

        # Connect with the policy-restricted token, not the bucket
        # creator's credentials.
        store = calling_format.from_store_name(bucket_name)
        scoped_conn = store.connect(scoped_creds)
        scoped_conn.host = s3_host

        found = list(BackupList(scoped_conn, layout, True))
        assert found == []
def test_uri_put_file(sts_conn):
    """Check that uri_put_file can write under the policy-scoped prefix.

    The upload uses a federation token whose policy is built with
    ``allow_get_location=True``; the content is then read back through the
    FreshBucket's own connection.
    """
    # NOTE(review): this is a fixed bucket name, whereas test_policy passes
    # its name through bucket_name_mangle -- confirm whether this test
    # should do the same.
    bucket_name = 'wal-e.sts.uri.put.file'
    ordinary = connection.OrdinaryCallingFormat()

    scoped_policy = make_policy(bucket_name, 'test-prefix',
                                allow_get_location=True)
    token = sts_conn.get_federation_token('wal-e-test-uri-put-file',
                                          policy=scoped_policy)

    key_path = 'test-prefix/test-key'

    issued = token.credentials
    scoped_creds = Credentials(issued.access_key,
                               issued.secret_key,
                               issued.session_token)

    with FreshBucket(bucket_name, keys=[key_path], calling_format=ordinary,
                     host='s3-us-west-1.amazonaws.com') as fresh:
        fresh.create(location='us-west-1')

        # The write goes through the restricted token.
        target_uri = 's3://' + bucket_name + '/' + key_path
        uri_put_file(scoped_creds, target_uri, StringIO('test-content'))

        # The read-back uses fresh.conn rather than the token, so only the
        # PUT is checked against the policy here.
        stored = connection.Key(
            fresh.conn.get_bucket(bucket_name, validate=False))
        stored.name = key_path

        # NOTE(review): compared with a str here, while test_policy compares
        # against bytes -- confirm which is expected on the Python version
        # in use.
        assert k_contents_equal(stored) if False else (
            stored.get_contents_as_string() == 'test-content')
def test_policy(sts_conn, monkeypatch):
    """Sanity checks for the intended ACLs of the policy.

    Within 'test-prefix/' the federation token must be able to PUT, list
    and GET; listing with an empty prefix and a PUT outside the prefix
    must both be refused with HTTP 403.
    """
    monkeypatch.setenv('AWS_REGION', 'us-west-1')

    # Use periods to force OrdinaryCallingFormat when using
    # calling_format.from_store_name.
    bucket_name = bucket_name_mangle('wal-e.sts.list.test')
    s3_host = 's3-us-west-1.amazonaws.com'
    ordinary = connection.OrdinaryCallingFormat()

    scoped_policy = make_policy(bucket_name, 'test-prefix')
    token = sts_conn.get_federation_token('wal-e-test-list-bucket',
                                          policy=scoped_policy)

    test_payload = 'wal-e test'

    keys = [
        'test-prefix/hello',
        'test-prefix/world',
        'not-in-prefix/goodbye',
        'not-in-prefix/world'
    ]

    issued = token.credentials
    scoped_creds = Credentials(issued.access_key,
                               issued.secret_key,
                               issued.session_token)

    with FreshBucket(bucket_name, keys=keys, calling_format=ordinary,
                     host=s3_host) as fresh:
        # Superuser creds, for testing keys not in the prefix.
        owner_bucket = fresh.create(location='us-west-1')

        store = calling_format.from_store_name(bucket_name)
        scoped_conn = store.connect(scoped_creds)
        scoped_conn.host = s3_host

        # Bucket using the token, subject to the policy.
        scoped_bucket = scoped_conn.get_bucket(bucket_name, validate=False)

        for key_name in keys:
            # In-prefix keys are written with the token (this is the PUT
            # privilege check); the rest need the owner's bucket handle
            # because the token's PUT would be refused.
            in_prefix = key_name.startswith('test-prefix/')
            seed = connection.Key(scoped_bucket if in_prefix
                                  else owner_bucket)
            seed.key = key_name
            seed.set_contents_from_string(test_payload)

        # Test listing keys within the prefix.
        prefix_fetched_keys = list(scoped_bucket.list(prefix='test-prefix/'))
        assert len(prefix_fetched_keys) == 2

        # Test the GET privilege.
        for fetched in prefix_fetched_keys:
            assert fetched.get_contents_as_string() == b'wal-e test'

        # NOTE(review): a GET of a 'not-in-prefix/' key with the token is
        # not exercised; consider a 403 check for it as well.

        # Try a bogus listing outside the valid prefix.
        with pytest.raises(exception.S3ResponseError) as denied_list:
            list(scoped_bucket.list(prefix=''))

        # Checked after the block: a statement following the raising call
        # inside it would never run.
        assert denied_list.value.status == 403

        # Test the rejection of PUT outside of prefix.
        outside = connection.Key(scoped_bucket)
        outside.key = 'not-in-prefix/world'

        with pytest.raises(exception.S3ResponseError) as denied_put:
            outside.set_contents_from_string(test_payload)

        assert denied_put.value.status == 403
def test_simple_federation_token(sts_conn):
    """Smoke test: requesting a policy-scoped federation token does not raise.

    Nothing about the returned token is asserted.
    """
    scoped_policy = make_policy('hello', 'goodbye')
    sts_conn.get_federation_token('hello', policy=scoped_policy)
def test_policy(sts_conn, monkeypatch):
    """Sanity checks for the intended ACLs of the policy.

    Within 'test-prefix/' the federation token must be able to PUT, list
    and GET; listing with an empty prefix and a PUT outside the prefix
    must both be refused with HTTP 403.
    """
    monkeypatch.setenv('AWS_REGION', 'us-west-1')

    # Use periods to force OrdinaryCallingFormat when using
    # calling_format.from_store_name.
    bucket_name = bucket_name_mangle('wal-e.sts.list.test')
    s3_host = 's3-us-west-1.amazonaws.com'
    ordinary = connection.OrdinaryCallingFormat()

    scoped_policy = make_policy(bucket_name, 'test-prefix')
    token = sts_conn.get_federation_token('wal-e-test-list-bucket',
                                          policy=scoped_policy)

    test_payload = 'wal-e test'

    keys = ['test-prefix/hello', 'test-prefix/world',
            'not-in-prefix/goodbye', 'not-in-prefix/world']

    issued = token.credentials
    scoped_creds = Credentials(issued.access_key,
                               issued.secret_key,
                               issued.session_token)

    with FreshBucket(bucket_name, keys=keys, calling_format=ordinary,
                     host=s3_host) as fresh:
        # Superuser creds, for testing keys not in the prefix.
        owner_bucket = fresh.create(location='us-west-1')

        store = calling_format.from_store_name(bucket_name)
        scoped_conn = store.connect(scoped_creds)
        scoped_conn.host = s3_host

        # Bucket using the token, subject to the policy.
        scoped_bucket = scoped_conn.get_bucket(bucket_name, validate=False)

        for key_name in keys:
            # In-prefix keys are written with the token (this is the PUT
            # privilege check); the rest need the owner's bucket handle
            # because the token's PUT would be refused.
            in_prefix = key_name.startswith('test-prefix/')
            seed = connection.Key(scoped_bucket if in_prefix
                                  else owner_bucket)
            seed.key = key_name
            seed.set_contents_from_string(test_payload)

        # Test listing keys within the prefix.
        prefix_fetched_keys = list(scoped_bucket.list(prefix='test-prefix/'))
        assert len(prefix_fetched_keys) == 2

        # Test the GET privilege.
        for fetched in prefix_fetched_keys:
            assert fetched.get_contents_as_string() == b'wal-e test'

        # NOTE(review): a GET of a 'not-in-prefix/' key with the token is
        # not exercised; consider a 403 check for it as well.

        # Try a bogus listing outside the valid prefix.
        with pytest.raises(exception.S3ResponseError) as denied_list:
            list(scoped_bucket.list(prefix=''))

        # Checked after the block: a statement following the raising call
        # inside it would never run.
        assert denied_list.value.status == 403

        # Test the rejection of PUT outside of prefix.
        outside = connection.Key(scoped_bucket)
        outside.key = 'not-in-prefix/world'

        with pytest.raises(exception.S3ResponseError) as denied_put:
            outside.set_contents_from_string(test_payload)

        assert denied_put.value.status == 403
def test_simple_federation_token(sts_conn):
    """Smoke test: requesting a policy-scoped federation token does not raise.

    Nothing about the returned token is asserted.
    """
    scoped_policy = make_policy('hello', 'goodbye')
    sts_conn.get_federation_token('hello', policy=scoped_policy)