def test_canonical_uri(self):
auth = HmacAuthV4Handler('glacier.us-east-1.amazonaws.com', Mock(),
self.provider)
request = HTTPRequest('GET', 'https',
'glacier.us-east-1.amazonaws.com', 443,
'x/./././x .html', None, {},
{'x-amz-glacier-version': '2012-06-01'}, '')
canonical_uri = auth.canonical_uri(request)
# This should be both normalized & urlencoded.
self.assertEqual(canonical_uri, 'x/x%20.html')
auth = HmacAuthV4Handler('glacier.us-east-1.amazonaws.com', Mock(),
self.provider)
request = HTTPRequest('GET', 'https',
'glacier.us-east-1.amazonaws.com', 443,
'x/./././x/html/', None, {},
{'x-amz-glacier-version': '2012-06-01'}, '')
canonical_uri = auth.canonical_uri(request)
# Trailing slashes should be preserved.
self.assertEqual(canonical_uri, 'x/x/html/')
request = HTTPRequest('GET', 'https',
'glacier.us-east-1.amazonaws.com', 443, '/',
None, {},
{'x-amz-glacier-version': '2012-06-01'}, '')
canonical_uri = auth.canonical_uri(request)
# There should not be two-slashes.
self.assertEqual(canonical_uri, '/')
def test_credential_scope(self):
# test the AWS standard regions IAM endpoint
auth = HmacAuthV4Handler('iam.amazonaws.com', Mock(), self.provider)
request = HTTPRequest(
'POST', 'https', 'iam.amazonaws.com', 443, '/', '/', {
'Action': 'ListAccountAliases',
'Version': '2010-05-08'
}, {
'Content-Length': '44',
'Content-Type':
'application/x-www-form-urlencoded; charset=UTF-8',
'X-Amz-Date': '20130808T013210Z'
}, 'Action=ListAccountAliases&Version=2010-05-08')
credential_scope = auth.credential_scope(request)
region_name = credential_scope.split('/')[1]
self.assertEqual(region_name, 'us-east-1')
# test the AWS GovCloud region IAM endpoint
auth = HmacAuthV4Handler('iam.us-gov.amazonaws.com', Mock(),
self.provider)
request = HTTPRequest(
'POST', 'https', 'iam.us-gov.amazonaws.com', 443, '/', '/', {
'Action': 'ListAccountAliases',
'Version': '2010-05-08'
}, {
'Content-Length': '44',
'Content-Type':
'application/x-www-form-urlencoded; charset=UTF-8',
'X-Amz-Date': '20130808T013210Z'
}, 'Action=ListAccountAliases&Version=2010-05-08')
credential_scope = auth.credential_scope(request)
region_name = credential_scope.split('/')[1]
self.assertEqual(region_name, 'us-gov-west-1')
# iam.us-west-1.amazonaws.com does not exist however this
# covers the remaining region_name control structure for a
# different region name
auth = HmacAuthV4Handler('iam.us-west-1.amazonaws.com', Mock(),
self.provider)
request = HTTPRequest(
'POST', 'https', 'iam.us-west-1.amazonaws.com', 443, '/', '/', {
'Action': 'ListAccountAliases',
'Version': '2010-05-08'
}, {
'Content-Length': '44',
'Content-Type':
'application/x-www-form-urlencoded; charset=UTF-8',
'X-Amz-Date': '20130808T013210Z'
}, 'Action=ListAccountAliases&Version=2010-05-08')
credential_scope = auth.credential_scope(request)
region_name = credential_scope.split('/')[1]
self.assertEqual(region_name, 'us-west-1')
def test_not_adding_empty_qs(self):
self.provider.security_token = None
auth = HmacAuthV4Handler('glacier.us-east-1.amazonaws.com',
mock.Mock(), self.provider)
req = copy.copy(self.request)
auth.add_auth(req)
self.assertEqual(req.path, '/-/vaults/foo/archives')
def test_headers_to_sign(self):
auth = HmacAuthV4Handler('glacier.us-east-1.amazonaws.com',
mock.Mock(), self.provider)
request = HTTPRequest('GET', 'http', 'glacier.us-east-1.amazonaws.com',
80, 'x/./././x .html', None, {},
{'x-amz-glacier-version': '2012-06-01'}, '')
headers = auth.headers_to_sign(request)
# Port 80 & not secure excludes the port.
self.assertEqual(headers['Host'], 'glacier.us-east-1.amazonaws.com')
request = HTTPRequest('GET', 'https',
'glacier.us-east-1.amazonaws.com', 443,
'x/./././x .html', None, {},
{'x-amz-glacier-version': '2012-06-01'}, '')
headers = auth.headers_to_sign(request)
# SSL port excludes the port.
self.assertEqual(headers['Host'], 'glacier.us-east-1.amazonaws.com')
request = HTTPRequest('GET', 'https',
'glacier.us-east-1.amazonaws.com', 8080,
'x/./././x .html', None, {},
{'x-amz-glacier-version': '2012-06-01'}, '')
headers = auth.headers_to_sign(request)
# URL should include port.
self.assertEqual(headers['Host'],
'glacier.us-east-1.amazonaws.com:8080')
def test_region_and_service_can_be_overriden(self):
auth = HmacAuthV4Handler('queue.amazonaws.com', Mock(), self.provider)
self.request.headers['X-Amz-Date'] = '20121121000000'
auth.region_name = 'us-west-2'
auth.service_name = 'sqs'
scope = auth.credential_scope(self.request)
self.assertEqual(scope, '20121121/us-west-2/sqs/aws4_request')
def test_query_string(self):
auth = HmacAuthV4Handler('sns.us-east-1.amazonaws.com', mock.Mock(),
self.provider)
params = {
'Message': u'We \u2665 utf-8'.encode('utf-8'),
}
request = HTTPRequest('POST', 'https', 'sns.us-east-1.amazonaws.com',
443, '/', None, params, {}, '')
query_string = auth.query_string(request)
self.assertEqual(query_string, 'Message=We%20%E2%99%A5%20utf-8')
def test_bytes_header(self):
auth = HmacAuthV4Handler('glacier.us-east-1.amazonaws.com',
mock.Mock(), self.provider)
request = HTTPRequest(
'GET', 'http', 'glacier.us-east-1.amazonaws.com', 80,
'x/./././x .html', None, {},
{'x-amz-glacier-version': '2012-06-01', 'x-amz-hash': b'f00'}, '')
canonical = auth.canonical_request(request)
self.assertIn('f00', canonical)
def test_canonical_query_string(self):
auth = HmacAuthV4Handler('glacier.us-east-1.amazonaws.com',
mock.Mock(), self.provider)
request = HTTPRequest('GET', 'https',
'glacier.us-east-1.amazonaws.com', 443,
'/-/vaults/foo/archives', None, {},
{'x-amz-glacier-version': '2012-06-01'}, '')
request.params['Foo.1'] = 'aaa'
request.params['Foo.10'] = 'zzz'
query_string = auth.canonical_query_string(request)
self.assertEqual(query_string, 'Foo.1=aaa&Foo.10=zzz')
def test_pickle_works(self):
provider = Provider('aws', access_key='access_key',
secret_key='secret_key')
auth = HmacAuthV4Handler('queue.amazonaws.com', None, provider)
# Pickle it!
pickled = pickle.dumps(auth)
# Now restore it
auth2 = pickle.loads(pickled)
self.assertEqual(auth.host, auth2.host)
def _update_session_token_cb(self,
creds,
provider='aws',
callback=None,
error=None,
attempts=0):
'''
Callback to use with `async_aws_sts`. The 'provider' arg is a bit misleading,
it is a relic from boto and should probably be left to its default. This will
take the new Credentials obj from `async_aws_sts.get_session_token()` and use
it to update self.provider, and then will clear the deque of pending requests.
A callback is optional. If provided, it must be callable without any arguments,
but also accept an optional error argument that will be an instance of BotoServerError.
'''
def raise_error():
# get out of locked state
self.provider.security_token = None
if callable(callback):
return callback(error=error)
else:
logging.error(error)
raise error
if error:
if isinstance(error, InvalidClientTokenIdError):
# no need to retry if error is due to bad tokens
raise_error()
else:
if attempts > self.max_sts_attempts:
raise_error()
else:
seconds_to_wait = (0.1 * (2**attempts))
logging.warning(
"Got error[ %s ] getting session token, retrying in %.02f seconds"
% (error, seconds_to_wait))
self.ioloop.add_timeout(
time.time() + seconds_to_wait,
functools.partial(self._update_session_token,
attempts=attempts + 1,
callback=callback,
bypass_lock=True))
return
else:
self.provider = Provider(provider, creds.access_key,
creds.secret_key, creds.session_token)
# force the correct auth, with the new provider
self._auth_handler = HmacAuthV4Handler(self.host, None,
self.provider)
while self.pending_requests:
request = self.pending_requests.pop()
request()
if callable(callback):
return callback()
def test_inner_whitespace_is_collapsed(self):
auth = HmacAuthV4Handler('glacier.us-east-1.amazonaws.com',
Mock(), self.provider)
self.request.headers['x-amz-archive-description'] = 'two spaces'
headers = auth.headers_to_sign(self.request)
self.assertEqual(headers, {'Host': 'glacier.us-east-1.amazonaws.com',
'x-amz-archive-description': 'two spaces',
'x-amz-glacier-version': '2012-06-01'})
# Note the single space between the "two spaces".
self.assertEqual(auth.canonical_headers(headers),
'host:glacier.us-east-1.amazonaws.com\n'
'x-amz-archive-description:two spaces\n'
'x-amz-glacier-version:2012-06-01')