def test_sts_client_with_invalid_profile(self):
    """An STS client is still built although the selected profile is invalid.

    The two profile variables are asserted as well, so that a fixture that
    fails to set them (or a leaked override) is caught here rather than in
    a later, less obvious test.
    """
    client = amazon.Amazon(self.valid_config, "dummy-encoded-saml")
    self.assertIsNotNone(client.sts_client)

    expected_env = {
        'AWS_PROFILE': 'xxx-xxxx',
        'DEFAULT_AWS_PROFILE': 'blart',
    }
    for key, expected in expected_env.items():
        self.assertEqual(expected, os.environ[key])
def test_role_extraction(self):
    """Roles parsed from a well-formed SAML response are keyed by role ARN.

    Only the key set is compared, sorted on both sides, so the assertion does
    not depend on the order in which roles appear in the response.
    """
    response = self.read_local_file('valid-response.xml')
    client = amazon.Amazon(self.valid_config, response)
    self.assertIsInstance(client.roles, dict)

    expected_arns = sorted([
        "arn:aws:iam::123456789012:role/admin",
        "arn:aws:iam::123456789012:role/read-only",
        "arn:aws:iam::123456789012:role/test",
    ])
    self.assertEqual(sorted(client.roles), expected_arns)
def test_role_extraction_too_many_commas(self):
    """Role extraction tolerates extra commas in the role attribute values.

    Regression test for https://github.com/cevoaustralia/aws-google-auth/issues/12;
    the expected key set is the same as for the well-formed response.
    """
    response = self.read_local_file('too-many-commas.xml')
    client = amazon.Amazon(self.valid_config, response)
    self.assertIsInstance(client.roles, dict)

    expected_arns = sorted([
        "arn:aws:iam::123456789012:role/admin",
        "arn:aws:iam::123456789012:role/read-only",
        "arn:aws:iam::123456789012:role/test",
    ])
    self.assertEqual(sorted(client.roles), expected_arns)
def process_auth(args, config):
    """Drive one authentication run: obtain a SAML assertion, pick a role, emit credentials.

    Args:
        args: parsed command-line options. Attributes read here: ``log_level``,
            ``saml_assertion`` (a base64-encoded assertion supplied directly),
            ``saml_cache`` (whether a cached assertion may be used / stored).
        config: mutable settings object. Read: ``region``, ``username``, ``sp_id``,
            ``keyring``, ``saml_cache``, ``role_arn``, ``ask_role``, ``account``,
            ``resolve_aliases``, ``quiet``, ``print_creds``, ``profile``.
            Written: ``region``, ``username``, ``sp_id``, ``password``,
            ``saml_cache``, ``role_arn``, ``provider``; ``config.write`` is
            called at the end when a profile is configured.

    Returns:
        None. Results are delivered through ``config`` and through the
        ``amazon_client`` side effects (printing and writing credentials).

    NOTE(review): two stretches of this function are redacted in the source
    ("******"); they are kept verbatim below and marked where they occur. The
    code between the redaction markers, including where ``saml_xml`` is
    assigned on the fresh-login path, is not recoverable from this page.
    """
    # Set up logging.
    # NOTE(review): getattr(..., None) hands None to setLevel() when
    # args.log_level is not a known level name; a default such as
    # logging.INFO would be more forgiving than the resulting error.
    logging.getLogger().setLevel(getattr(logging, args.log_level.upper(), None))

    if config.region is None:
        config.region = util.Util.get_input("AWS Region: ")
        logging.debug('%s: region is: %s', __name__, config.region)

    # If there is a valid cache and the user opted to use it, use that instead
    # of prompting the user for input (it will also ignore any set variables
    # such as username or sp_id and idp_id, as those are built into the SAML
    # response). The user does not need to be prompted for a password if the
    # SAML cache is used.
    #
    # NOTE(review): an assertion passed via --saml-assertion is accepted as-is
    # after base64 decoding and bypasses the login flow entirely; whatever
    # validation of the assertion happens downstream in amazon.Amazon is not
    # visible here.
    if args.saml_assertion:
        saml_xml = base64.b64decode(args.saml_assertion)
    elif args.saml_cache and config.saml_cache:
        saml_xml = config.saml_cache
        logging.info('%s: SAML cache found', __name__)
    else:
        # No cache, continue without.
        logging.info('%s: SAML cache not found', __name__)
        if config.username is None:
            # NOTE(review): redacted stretch ("******") — the username prompt,
            # the idp_id prompt and the condition guarding it are lost here.
            config.username = util.Util.get_input("Google username: "******"Google IDP ID: ")
            logging.debug('%s: idp is: %s', __name__, config.idp_id)

        if config.sp_id is None:
            config.sp_id = util.Util.get_input("Google SP ID: ")
            logging.debug('%s: sp is: %s', __name__, config.sp_id)

        # There is no way (intentional) to pass in the password via the command
        # line nor environment variables. This prevents password leakage.
        keyring_password = None
        if config.keyring:
            # The keyring entry is keyed by service name and Google username.
            keyring_password = keyring.get_password("aws-google-auth", config.username)
            if keyring_password:
                config.password = keyring_password
            else:
                # NOTE(review): redacted stretch ("******") — the interactive
                # password prompt(s), the Google login that produces saml_xml
                # on this path, and the keyring write-back are lost here.
                config.password = util.Util.get_password("Google Password: "******"Google Password: "******"aws-google-auth", config.username, config.password)

        # We now have a new SAML value that can get cached (If the user asked
        # for it to be).
        # NOTE(review): the cached assertion is a reusable credential until it
        # expires; how and where config persists it is not visible here.
        if args.saml_cache:
            config.saml_cache = saml_xml

    # The amazon_client now has the SAML assertion it needed (Either via the
    # cache or freshly generated). From here, we can get the roles and continue
    # the rest of the workflow regardless of cache.
    amazon_client = amazon.Amazon(config, saml_xml)
    roles = amazon_client.roles

    # Determine the provider and the role arn (if the one the user provided
    # isn't an option, or the user asked to choose, fall through to a picker).
    if config.role_arn in roles and not config.ask_role:
        config.provider = roles[config.role_arn]
    else:
        # Aliases are only resolved when requested, since it costs extra calls.
        if config.account and config.resolve_aliases:
            aliases = amazon_client.resolve_aws_aliases(roles)
            config.role_arn, config.provider = util.Util.pick_a_role(roles, aliases, config.account)
        elif config.account:
            config.role_arn, config.provider = util.Util.pick_a_role(roles, account=config.account)
        elif config.resolve_aliases:
            aliases = amazon_client.resolve_aws_aliases(roles)
            config.role_arn, config.provider = util.Util.pick_a_role(roles, aliases)
        else:
            config.role_arn, config.provider = util.Util.pick_a_role(roles)

    if not config.quiet:
        print("Assuming " + config.role_arn)
        print("Credentials Expiration: " + format(amazon_client.expiration.astimezone(get_localzone())))

    # NOTE(review): presumably writes the temporary credentials to stdout;
    # callers should be aware they may land in shell history or logs.
    if config.print_creds:
        amazon_client.print_export_line()

    if config.profile:
        config.write(amazon_client)
def test_sts_client(self):
    """The wrapper exposes a botocore STS client for the configured session.

    The check pins the exact repr of the client's class, so it will need
    updating if botocore ever renames it.
    """
    client = amazon.Amazon(self.valid_config, "dummy-encoded-saml")
    sts_class = type(client.sts_client)
    self.assertEqual(str(sts_class), "<class 'botocore.client.STS'>")