def test_get_aws_security_credentials_credentials_not_found_in_aws_creds_uri(mocker, capsys):
    """Exit non-zero when the credentials URI does not yield credentials.

    ``mount_efs.urlopen`` is replaced by a bare mock, so no real HTTP request
    leaves the test and the lookup at ``AWSCREDSURI`` cannot succeed.
    """
    fake_config = get_fake_config()
    mocker.patch('mount_efs.urlopen')

    with pytest.raises(SystemExit) as exit_info:
        mount_efs.get_aws_security_credentials(
            fake_config, True, 'us-east-1', 'default', AWSCREDSURI)

    assert exit_info.value.code != 0

    stderr_text = capsys.readouterr().err
    assert 'Unsuccessful retrieval of AWS security credentials at' in stderr_text
def test_get_aws_security_credentials_not_found(mocker, capsys):
    """Exit non-zero with a "not found" error when no credential source answers.

    File lookups are disabled (``os.path.exists`` is False) and ``urlopen`` is
    a bare mock, so neither a credentials file nor an HTTP endpoint can
    supply keys.
    """
    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards, so AWS variables already set on the
    # runner stay visible to the code under test.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    mocker.patch('mount_efs.urlopen')

    with pytest.raises(SystemExit) as exit_info:
        mount_efs.get_aws_security_credentials()

    assert exit_info.value.code != 0

    stderr_text = capsys.readouterr().err
    assert 'AWS Access Key ID and Secret Access Key are not found in AWS credentials file' in stderr_text
def test_get_aws_security_credentials_no_credentials_found(mocker, capsys):
    """Exit non-zero and list every source that was tried when none has credentials.

    The asserted message names the credentials file, the ECS relative URI and
    the instance security credentials service.
    """
    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards, so AWS variables already set on the
    # runner stay visible to the code under test.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    mocker.patch('mount_efs.urlopen')

    with pytest.raises(SystemExit) as exit_info:
        mount_efs.get_aws_security_credentials(True, 'us-east-1', None)

    assert exit_info.value.code != 0

    stderr_text = capsys.readouterr().err
    expected_fragments = (
        'AWS Access Key ID and Secret Access Key are not found in AWS credentials file',
        'from ECS credentials relative uri, or from the instance security credentials service',
    )
    for fragment in expected_fragments:
        assert fragment in stderr_text
def test_get_aws_security_credentials_credentials_not_found_in_files(mocker, capsys):
    """Exit non-zero and name the profile when a named profile has no credentials."""
    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    mocker.patch('mount_efs.urlopen')

    with pytest.raises(SystemExit) as exit_info:
        mount_efs.get_aws_security_credentials(True, 'default')

    assert exit_info.value.code != 0

    stderr_text = capsys.readouterr().err
    assert 'AWS security credentials not found in' in stderr_text
    assert 'under named profile [default]' in stderr_text
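def test_get_aws_security_credentials_credentials_not_found_in_files_and_botocore_not_present(mocker, capsys):
    """Exit non-zero for a missing named profile when botocore is flagged as absent.

    With ``BOTOCORE_PRESENT`` set to False, file lookups disabled and
    ``urlopen`` mocked, the 'default' profile cannot be resolved and the error
    must name that profile.
    """
    config = get_fake_config()
    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    mocker.patch('mount_efs.urlopen')
    # Set the flag through the fixture so it is restored when the test ends;
    # a plain module-attribute assignment would leak into whichever test runs
    # next and make results depend on execution order.
    mocker.patch.object(mount_efs, 'BOTOCORE_PRESENT', False)

    with pytest.raises(SystemExit) as ex:
        mount_efs.get_aws_security_credentials(config, True, 'us-east-1', 'default')

    assert 0 != ex.value.code

    out, err = capsys.readouterr()
    assert 'AWS security credentials not found in' in err
    assert 'under named profile [default]' in err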
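def _test_get_aws_security_credentials_get_instance_metadata_role_name(
        mocker, is_name_str=True, token_effects=None):
    """Check that credentials are returned from the instance metadata source.

    Args:
        mocker: pytest-mock fixture.
        is_name_str: when true the role name response body is ``bytes``,
            otherwise ``str`` (the flag name reads inverted; the values are
            kept as the callers expect).
        token_effects: ``urlopen`` side effects consumed ahead of the
            role-name response and again ahead of the credentials response
            (presumably the metadata token requests). Defaults to a single
            successful response carrying ``"ABCDEFG=="``.
    """
    # Build the default per call: a list literal in the signature is created
    # once at definition time and shared by every invocation.
    if token_effects is None:
        token_effects = [MockUrlLibResponse(data="ABCDEFG==")]

    config = get_fake_config()
    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards.
    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=False)

    response = json.dumps({
        "Code": "Success",
        "LastUpdated": "2019-10-25T14:41:42Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
        "Expiration": "2019-10-25T21:17:24Z",
    })

    if is_name_str:
        role_name_data = b"FAKE_IAM_ROLE_NAME"
    else:
        role_name_data = "FAKE_IAM_ROLE_NAME"

    # Expected urlopen call order: token, role name, token, credentials.
    side_effects = (token_effects
                    + [MockUrlLibResponse(data=role_name_data)]
                    + token_effects
                    + [MockUrlLibResponse(data=response)])
    mocker.patch("mount_efs.urlopen", side_effect=side_effects)

    credentials, credentials_source = mount_efs.get_aws_security_credentials(
        config, True, "us-east-1", None)

    assert credentials["AccessKeyId"] == ACCESS_KEY_ID_VAL
    assert credentials["SecretAccessKey"] == SECRET_ACCESS_KEY_VAL
    assert credentials["Token"] == SESSION_TOKEN_VAL
    assert credentials_source == "metadata:"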
def test_get_aws_security_credentials_do_not_use_iam():
    """Return nothing when the IAM flag (second argument) is False.

    No ``urlopen`` or filesystem mocks are installed, so this test also relies
    on the function not attempting any lookup in that case.
    """
    fake_config = get_fake_config()

    result = mount_efs.get_aws_security_credentials(
        fake_config, False, "us-east-1", "test_profile")
    creds, source = result

    assert not creds
    assert not source
def _test_get_aws_security_credentials_get_instance_metadata_role_name(mocker, is_name_str=True, is_imds_v2=False):
    """Check that credentials are returned from the instance metadata source.

    When ``is_imds_v2`` is true the first ``urlopen`` call raises HTTP 401 and
    ``get_aws_ec2_metadata_token`` is patched to return a token; presumably
    this models an endpoint that rejects requests sent without a session
    token. ``is_name_str`` selects a ``bytes`` role name when true and a
    ``str`` one otherwise.
    """
    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)

    credentials_payload = {
        'Code': 'Success',
        'LastUpdated': '2019-10-25T14:41:42Z',
        'Type': 'AWS-HMAC',
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
        'Expiration': '2019-10-25T21:17:24Z'
    }
    response = json.dumps(credentials_payload)

    role_name_data = b'FAKE_IAM_ROLE_NAME' if is_name_str else 'FAKE_IAM_ROLE_NAME'

    urlopen_effects = []
    if is_imds_v2:
        # The rejected first request comes before the role-name response.
        urlopen_effects.append(HTTPError('url', 401, 'Unauthorized', None, None))
        mocker.patch('mount_efs.get_aws_ec2_metadata_token', return_value='ABCDEFG==')
    urlopen_effects.extend([
        MockUrlLibResponse(data=role_name_data),
        MockUrlLibResponse(data=response),
    ])
    mocker.patch('mount_efs.urlopen', side_effect=urlopen_effects)

    creds, source = mount_efs.get_aws_security_credentials(True, None)

    assert creds['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert creds['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    assert creds['Token'] == SESSION_TOKEN_VAL
    assert source == 'metadata:'
def _test_get_aws_security_credentials_get_instance_metadata_role_name(mocker, is_name_str=True, token_timeout=False):
    """Check that credentials are returned from the instance metadata source.

    With ``token_timeout`` set, the ``urlopen`` calls placed ahead of the
    role-name and credentials responses raise ``socket.timeout``, and the
    helper still expects credentials to come back.
    NOTE(review): that pins retrieval without a session token when the token
    request times out; confirm this fallback is intended for the deployment.
    """
    fake_config = get_fake_config()
    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)

    credentials_payload = {
        'Code': 'Success',
        'LastUpdated': '2019-10-25T14:41:42Z',
        'Type': 'AWS-HMAC',
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
        'Expiration': '2019-10-25T21:17:24Z'
    }
    response = json.dumps(credentials_payload)

    role_name_data = b'FAKE_IAM_ROLE_NAME' if is_name_str else 'FAKE_IAM_ROLE_NAME'
    token_effects = [socket.timeout] if token_timeout else [MockUrlLibResponse(data='ABCDEFG==')]

    # Expected urlopen call order: token, role name, token, credentials.
    role_name_effect = [MockUrlLibResponse(data=role_name_data)]
    credentials_effect = [MockUrlLibResponse(data=response)]
    urlopen_effects = token_effects + role_name_effect + token_effects + credentials_effect
    mocker.patch('mount_efs.urlopen', side_effect=urlopen_effects)

    creds, source = mount_efs.get_aws_security_credentials(fake_config, True, 'us-east-1', None)

    assert creds['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert creds['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    assert creds['Token'] == SESSION_TOKEN_VAL
    assert source == 'metadata:'
def test_get_aws_security_credentials_no_credentials_found(mocker, capsys):
    """Exit non-zero and list every source that was tried when none has credentials.

    The asserted message names the credentials file, the ECS relative URI and
    the instance security credentials service.
    """
    fake_config = get_fake_config()
    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards, so AWS variables already set on the
    # runner stay visible to the code under test.
    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=False)
    mocker.patch("mount_efs.urlopen")

    with pytest.raises(SystemExit) as exit_info:
        mount_efs.get_aws_security_credentials(fake_config, True, "us-east-1", None)

    assert exit_info.value.code != 0

    stderr_text = capsys.readouterr().err
    expected_fragments = (
        "AWS Access Key ID and Secret Access Key are not found in AWS credentials file",
        "from ECS credentials relative uri, or from the instance security credentials service",
    )
    for fragment in expected_fragments:
        assert fragment in stderr_text
def test_get_aws_security_credentials_get_ecs_from_option_url(mocker):
    """Return credentials fetched from the URI passed as an option.

    The reported source must be ``'ecs:'`` followed by that URI.
    """
    ecs_payload = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'Expiration': 'EXPIRATION_DATE',
        'RoleArn': 'TASK_ROLE_ARN',
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    }
    response = json.dumps(ecs_payload)
    # Every urlopen call returns the same canned response; no request is sent.
    mocker.patch('mount_efs.urlopen', return_value=MockUrlLibResponse(data=response))

    creds, source = mount_efs.get_aws_security_credentials(True, None, AWSCREDSURI)

    assert creds['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert creds['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    assert creds['Token'] == SESSION_TOKEN_VAL
    assert source == 'ecs:' + AWSCREDSURI
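def test_get_aws_security_credentials_config_or_creds_file_found_creds_found_with_token_with_awsprofile(mocker):
    """Return file-based credentials, including the session token, for a named profile.

    ``credentials_file_helper`` is patched to return a full key/secret/token
    set, and the reported source must be ``'credentials:test_profile'``.
    """
    file_helper_resp = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    }

    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=True)
    mocker.patch('mount_efs.credentials_file_helper', return_value=file_helper_resp)

    credentials, credentials_source = mount_efs.get_aws_security_credentials(True, 'test_profile')

    assert credentials['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert credentials['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    # Compare by value: an identity check on a string only passes while the
    # very same object is handed back, which is not part of the contract.
    assert credentials['Token'] == SESSION_TOKEN_VAL
    assert credentials_source == 'credentials:test_profile'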
def test_get_aws_security_credentials_config_or_creds_file_found_creds_found_without_token_no_awsprofile(
        mocker):
    """Return file-based credentials whose session token is None.

    ``credentials_file_helper`` is patched to return a key and secret with no
    token, and the function is called with no arguments.
    """
    helper_result = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': None
    }

    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=True)
    mocker.patch('mount_efs.credentials_file_helper', return_value=helper_result)

    creds = mount_efs.get_aws_security_credentials()

    assert creds['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert creds['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    assert creds['Token'] is None
def test_get_aws_security_credentials_get_ecs_from_option_url(mocker):
    """Return credentials fetched from the URI passed as an option.

    The reported source must be ``"ecs:"`` followed by that URI.
    """
    fake_config = get_fake_config()
    ecs_payload = {
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "Expiration": "EXPIRATION_DATE",
        "RoleArn": "TASK_ROLE_ARN",
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
    }
    response = json.dumps(ecs_payload)
    # Every urlopen call returns the same canned response; no request is sent.
    mocker.patch("mount_efs.urlopen", return_value=MockUrlLibResponse(data=response))

    creds, source = mount_efs.get_aws_security_credentials(
        fake_config, True, "us-east-1", None, AWSCREDSURI)

    assert creds["AccessKeyId"] == ACCESS_KEY_ID_VAL
    assert creds["SecretAccessKey"] == SECRET_ACCESS_KEY_VAL
    assert creds["Token"] == SESSION_TOKEN_VAL
    assert source == "ecs:" + AWSCREDSURI
def test_get_aws_security_credentials_get_ecs_from_env_url(mocker):
    """Return credentials located through AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.

    The reported source must be ``'ecs:'`` followed by the value of that
    environment variable.
    """
    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)

    ecs_payload = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'Expiration': 'EXPIRATION_DATE',
        'RoleArn': 'TASK_ROLE_ARN',
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    }
    response = json.dumps(ecs_payload)

    # The variable is set only for the duration of the test.
    mocker.patch.dict(os.environ, {'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI': 'fake_uri'})
    mocker.patch('mount_efs.urlopen', return_value=MockUrlLibResponse(data=response))

    creds, source = mount_efs.get_aws_security_credentials(True, None)

    assert creds['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert creds['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    assert creds['Token'] == SESSION_TOKEN_VAL
    assert source == 'ecs:fake_uri'
def test_get_aws_security_credentials_get_instance_metadata_role_name_bytes(mocker):
    """Return metadata-sourced credentials when the role name arrives as bytes.

    ``urlopen`` answers twice: first with the ``bytes`` role name, then with
    the credentials JSON.
    """
    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)

    credentials_payload = {
        'Code': 'Success',
        'LastUpdated': '2019-10-25T14:41:42Z',
        'Type': 'AWS-HMAC',
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
        'Expiration': '2019-10-25T21:17:24Z'
    }
    response = json.dumps(credentials_payload)

    role_name_response = MockUrlLibResponse(data=b'FAKE_IAM_ROLE_NAME')
    credentials_response = MockUrlLibResponse(data=response)
    mocker.patch('mount_efs.urlopen', side_effect=[role_name_response, credentials_response])

    creds, source = mount_efs.get_aws_security_credentials(True, None)

    assert creds['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert creds['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    assert creds['Token'] == SESSION_TOKEN_VAL
    assert source == 'metadata:'
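def test_get_aws_security_credentials_botocore_present_get_assumed_profile_credentials(mocker):
    """Return credentials from the botocore helper when botocore is flagged as present.

    File lookups are disabled and ``urlopen`` is mocked, so the patched
    ``botocore_credentials_helper`` is the only source that can answer. The
    reported source must be ``'named_profile:test-profile'`` and the helper
    must have been called.
    """
    config = get_fake_config()

    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    mocker.patch('mount_efs.urlopen')
    # Set the flag through the fixture so it is restored when the test ends;
    # a plain module-attribute assignment would leak into whichever test runs
    # next and make results depend on execution order.
    mocker.patch.object(mount_efs, 'BOTOCORE_PRESENT', True)

    botocore_helper_resp = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    }
    botocore_get_assumed_profile_credentials_mock = mocker.patch(
        'mount_efs.botocore_credentials_helper', return_value=botocore_helper_resp)

    credentials, credentials_source = mount_efs.get_aws_security_credentials(
        config, True, 'us-east-1', awsprofile='test-profile')

    assert credentials['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert credentials['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    assert credentials['Token'] == SESSION_TOKEN_VAL
    assert credentials_source == 'named_profile:test-profile'
    utils.assert_called(botocore_get_assumed_profile_credentials_mock)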
def test_get_aws_security_credentials_iam(mocker):
    """Return the key, secret and token served by the mocked HTTP endpoint.

    ``urlopen`` returns the same credentials JSON for every call, and the
    function is invoked with no arguments.
    """
    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)

    credentials_payload = {
        'Code': 'Success',
        'LastUpdated': '2019-10-25T14:41:42Z',
        'Type': 'AWS-HMAC',
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
        'Expiration': '2019-10-25T21:17:24Z'
    }
    response = json.dumps(credentials_payload)

    # Repeats the patch.dict call made at the top of the test.
    mocker.patch.dict(os.environ, {})
    mocker.patch('mount_efs.urlopen', return_value=MockUrlLibResponse(data=response))

    creds = mount_efs.get_aws_security_credentials()

    assert creds['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert creds['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    assert creds['Token'] == SESSION_TOKEN_VAL
def test_get_aws_security_credentials_config_or_creds_file_found_creds_found_without_token_with_awsprofile(
        mocker):
    """Return file-based credentials without a session token for a named profile.

    ``credentials_file_helper`` is patched to return a key and secret with a
    ``None`` token, and the reported source must be
    ``"credentials:test_profile"``.
    """
    fake_config = get_fake_config()
    helper_result = {
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": None,
    }

    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards.
    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=True)
    mocker.patch("mount_efs.credentials_file_helper", return_value=helper_result)

    creds, source = mount_efs.get_aws_security_credentials(
        fake_config, True, "us-east-1", "test_profile")

    assert creds["AccessKeyId"] == ACCESS_KEY_ID_VAL
    assert creds["SecretAccessKey"] == SECRET_ACCESS_KEY_VAL
    assert creds["Token"] is None
    assert source == "credentials:test_profile"
def _test_get_aws_security_credentials_get_ecs_from_env_url(mocker):
    """Return credentials located through AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.

    NOTE(review): the leading underscore keeps pytest from collecting this
    function and nothing visible here calls it, so the ECS environment-variable
    path may be untested; confirm whether it was disabled on purpose.
    """
    fake_config = get_fake_config()
    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards.
    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=False)

    ecs_payload = {
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "Expiration": "EXPIRATION_DATE",
        "RoleArn": "TASK_ROLE_ARN",
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
    }
    response = json.dumps(ecs_payload)

    # The variable is set only for the duration of the test.
    mocker.patch.dict(os.environ, {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "fake_uri"})
    mocker.patch("mount_efs.urlopen", return_value=MockUrlLibResponse(data=response))

    creds, source = mount_efs.get_aws_security_credentials(
        fake_config, True, "us-east-1", None)

    assert creds["AccessKeyId"] == ACCESS_KEY_ID_VAL
    assert creds["SecretAccessKey"] == SECRET_ACCESS_KEY_VAL
    assert creds["Token"] == SESSION_TOKEN_VAL
    assert source == "ecs:fake_uri"
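def test_get_aws_security_credentials_botocore_present_get_assumed_profile_credentials(
    mocker,
):
    """Return credentials from the botocore helper when botocore is flagged as present.

    File lookups are disabled and ``urlopen`` is mocked, so the patched
    ``botocore_credentials_helper`` is the only source that can answer. The
    reported source must be ``"named_profile:test-profile"`` and the helper
    must have been called.
    """
    config = get_fake_config()

    # NOTE(review): without clear=True this patch.dict call removes nothing; it
    # only restores os.environ afterwards.
    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=False)
    mocker.patch("mount_efs.urlopen")
    # Set the flag through the fixture so it is restored when the test ends;
    # a plain module-attribute assignment would leak into whichever test runs
    # next and make results depend on execution order.
    mocker.patch.object(mount_efs, "BOTOCORE_PRESENT", True)

    botocore_helper_resp = {
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
    }
    botocore_get_assumed_profile_credentials_mock = mocker.patch(
        "mount_efs.botocore_credentials_helper", return_value=botocore_helper_resp)

    credentials, credentials_source = mount_efs.get_aws_security_credentials(
        config, True, "us-east-1", awsprofile="test-profile")

    assert credentials["AccessKeyId"] == ACCESS_KEY_ID_VAL
    assert credentials["SecretAccessKey"] == SECRET_ACCESS_KEY_VAL
    assert credentials["Token"] == SESSION_TOKEN_VAL
    assert credentials_source == "named_profile:test-profile"
    utils.assert_called(botocore_get_assumed_profile_credentials_mock)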
def test_get_aws_security_credentials_do_not_use_iam():
    """Return nothing when the IAM flag (first argument) is False.

    No ``urlopen`` or filesystem mocks are installed, so this test also relies
    on the function not attempting any lookup in that case.
    """
    result = mount_efs.get_aws_security_credentials(False, 'test_profile')
    creds, source = result

    assert not creds
    assert not source