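    def test_session_token(self):
        """Round-trip a session token through a file and use it against S3.

        The saved file holds live temporary credentials, so it is removed in
        a ``finally`` clause instead of only on the happy path.
        """
        print('--- running Session Token tests ---')
        c = STSConnection()

        # Create a session token
        token = c.get_session_token()

        # Save session token to a file and load a copy of it back; the unlink
        # runs even if the load fails, so no credential file is left behind.
        token.save('token.json')
        try:
            token_copy = Credentials.load('token.json')
        finally:
            os.unlink('token.json')

        assert token_copy.access_key == token.access_key
        assert token_copy.secret_key == token.secret_key
        assert token_copy.session_token == token.session_token
        assert token_copy.expiration == token.expiration
        assert token_copy.request_id == token.request_id

        assert not token.is_expired()

        # Try using the session token with S3; the call raises if the temporary
        # credentials are rejected, so its return value is not needed.
        s3 = S3Connection(aws_access_key_id=token.access_key,
                          aws_secret_access_key=token.secret_key,
                          security_token=token.session_token)
        s3.get_all_buckets()

        print('--- tests completed ---')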
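    def _authenticate_oidc_(self, token, account_name, dns_enabled, duration, timeout):
        """Exchange an OIDC token for temporary credentials via STS.

        Args:
            token: mapping holding the ``'id_token'`` sent as the web identity
                token and the ``'state'`` value used as the role session name.
            account_name: account id substituted into the role ARN
                ``arn:aws:iam::<account>:role/assume-role``.
            dns_enabled: use the ``tokens.<host>`` endpoint with path ``/``;
                otherwise use ``self.host`` with ``NON_DNS_QUERY_PATH``.
            duration: requested lifetime in seconds; capped at 3600.
            timeout: timeout stored in the connection's HTTP kwargs.

        Returns:
            The ``credentials`` attribute of the AssumeRoleWithWebIdentity
            result.

        Raises:
            urllib2.URLError: if the request fails with a ``socket.error``.
        """
        if dns_enabled:
            region = RegionInfo(name='eucalyptus', endpoint='tokens.' + self.host)
            auth_path = '/'
        else:
            region = RegionInfo(name='eucalyptus', endpoint=self.host)
            auth_path = self.NON_DNS_QUERY_PATH

        # NOTE(review): the second factory presumably skips certificate
        # validation; the id_token is a bearer credential, so validate_certs
        # should stay on outside of test setups.
        if self.validate_certs:
            conn_factory = CertValidatingHTTPSConnection
        else:
            conn_factory = HttpsConnectionFactory(self.port).https_connection_factory

        # anon=True: the request carries no AWS signature; the web identity
        # token is what authenticates it.
        conn = STSConnection(
            port=self.port,
            path=auth_path,
            region=region,
            anon=True,
            https_connection_factory=(conn_factory, ())
        )
        conn.http_connection_kwargs['timeout'] = timeout
        duration = min(int(duration), 3600)  # this call won't allow more than 1 hour duration
        try:
            result = conn.assume_role_with_web_identity(
                role_arn="arn:aws:iam::{acct}:role/assume-role".format(acct=account_name),
                role_session_name=token['state'],
                web_identity_token=token['id_token'],
                duration_seconds=duration
            )
        except socket.error as err:
            # str(err) instead of the deprecated err.message, which is empty
            # for a socket.error built from (errno, message).
            raise urllib2.URLError(str(err))
        return result.credentials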
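    def test_session_token(self):
        """Round-trip a session token through a file and use it against S3.

        The saved file holds live temporary credentials, so it is removed in
        a ``finally`` clause instead of only on the happy path.
        """
        print '--- running Session Token tests ---'
        c = STSConnection()

        # Create a session token
        token = c.get_session_token()

        # Save session token to a file and load a copy of it back; the unlink
        # runs even if the load fails, so no credential file is left behind.
        token.save('token.json')
        try:
            token_copy = Credentials.load('token.json')
        finally:
            os.unlink('token.json')

        assert token_copy.access_key == token.access_key
        assert token_copy.secret_key == token.secret_key
        assert token_copy.session_token == token.session_token
        assert token_copy.expiration == token.expiration
        assert token_copy.request_id == token.request_id

        assert not token.is_expired()

        # Try using the session token with S3; the call raises if the temporary
        # credentials are rejected, so its return value is not needed.
        s3 = S3Connection(aws_access_key_id=token.access_key,
                          aws_secret_access_key=token.secret_key,
                          security_token=token.session_token)
        s3.get_all_buckets()

        print '--- tests completed ---'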
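    def _authenticate_oidc_(self, token, account_name, dns_enabled, duration,
                            timeout):
        """Exchange an OIDC token for temporary credentials via STS.

        Args:
            token: mapping holding the ``'id_token'`` sent as the web identity
                token and the ``'state'`` value used as the role session name.
            account_name: account id substituted into the role ARN
                ``arn:aws:iam::<account>:role/assume-role``.
            dns_enabled: use the ``tokens.<host>`` endpoint with path ``/``;
                otherwise use ``self.host`` with ``NON_DNS_QUERY_PATH``.
            duration: requested lifetime in seconds; capped at 3600.
            timeout: timeout stored in the connection's HTTP kwargs.

        Returns:
            The ``credentials`` attribute of the AssumeRoleWithWebIdentity
            result.

        Raises:
            urllib2.URLError: if the request fails with a ``socket.error``.
        """
        if dns_enabled:
            region = RegionInfo(name='eucalyptus',
                                endpoint='tokens.' + self.host)
            auth_path = '/'
        else:
            region = RegionInfo(name='eucalyptus', endpoint=self.host)
            auth_path = self.NON_DNS_QUERY_PATH

        # NOTE(review): the second factory presumably skips certificate
        # validation; the id_token is a bearer credential, so validate_certs
        # should stay on outside of test setups.
        if self.validate_certs:
            conn_factory = CertValidatingHTTPSConnection
        else:
            conn_factory = HttpsConnectionFactory(
                self.port).https_connection_factory

        # anon=True: the request carries no AWS signature; the web identity
        # token is what authenticates it.
        conn = STSConnection(port=self.port,
                             path=auth_path,
                             region=region,
                             anon=True,
                             https_connection_factory=(conn_factory, ()))
        conn.http_connection_kwargs['timeout'] = timeout
        duration = min(int(duration),
                       3600)  # this call won't allow more than 1 hour duration
        try:
            result = conn.assume_role_with_web_identity(
                role_arn="arn:aws:iam::{acct}:role/assume-role".format(
                    acct=account_name),
                role_session_name=token['state'],
                web_identity_token=token['id_token'],
                duration_seconds=duration)
        except socket.error as err:
            # str(err) instead of the deprecated err.message, which is empty
            # for a socket.error built from (errno, message).
            raise urllib2.URLError(str(err))
        return result.credentials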
    def doGetAccessCredentials(self, token, profile):
        """Trade a web identity token for temporary AWS credentials.

        ``profile['email']`` (cut to 32 characters) becomes the role session
        name; a ProviderId is only sent for Facebook and Amazon logins.
        Returns the credentials as a dict.
        """
        from boto.sts.connection import STSConnection

        # NOTE(review): debug=1 turns on boto debug output for this
        # connection; confirm it does not echo the web identity token.
        conn = STSConnection(anon=True, debug=1)

        call_kwargs = {
            'role_arn': self.getRoleARN(),
            'role_session_name': profile['email'][:32],  # Max 32 characters
            'web_identity_token': token,
        }

        provider_ids = {
            'Facebook': 'graph.facebook.com',
            'Amazon': 'www.amazon.com',
        }
        provider_id = provider_ids.get(profile['provider'], '')
        if provider_id:
            call_kwargs['provider_id'] = provider_id

        assumed = conn.assume_role_with_web_identity(**call_kwargs)
        return assumed.credentials.to_dict()
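    def test_decode_authorization_message(self):
        """A malformed encoded message must be rejected by STS with HTTP 400.

        The ``else`` branch turns an unexpected success into a failure; without
        it the test passed whenever no exception was raised at all.
        """
        c = STSConnection()

        try:
            c.decode_authorization_message('b94d27b9934')
        except BotoServerError as err:
            self.assertEqual(err.status, 400)
            self.assertTrue('Invalid token' in err.body)
        else:
            self.fail('decode_authorization_message did not raise BotoServerError')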
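    def test_decode_authorization_message(self):
        """A malformed encoded message must be rejected by STS with HTTP 400.

        The ``else`` branch turns an unexpected success into a failure; without
        it the test passed whenever no exception was raised at all.
        """
        c = STSConnection()

        try:
            c.decode_authorization_message('b94d27b9934')
        except BotoServerError as err:
            self.assertEqual(err.status, 400)
            self.assertIn('InvalidAuthorizationMessageException', err.body)
        else:
            self.fail('decode_authorization_message did not raise BotoServerError')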
 def __init__(self, aws_access_key_id=None, aws_secret_access_key=None,
              is_secure=True, port=None, proxy=None, proxy_port=None,
              proxy_user=None, proxy_pass=None, debug=0,
              https_connection_factory=None, region=None, path='/',
              converter=None):
   """Forward every constructor argument unchanged to STSConnection.

   Arguments are passed by keyword so the mapping onto the parent's
   parameters does not rely on their positional order.
   """
   STSConnection.__init__(self,
                          aws_access_key_id=aws_access_key_id,
                          aws_secret_access_key=aws_secret_access_key,
                          is_secure=is_secure,
                          port=port,
                          proxy=proxy,
                          proxy_port=proxy_port,
                          proxy_user=proxy_user,
                          proxy_pass=proxy_pass,
                          debug=debug,
                          https_connection_factory=https_connection_factory,
                          region=region,
                          path=path,
                          converter=converter)
 def __init__(self, aws_access_key_id=None, aws_secret_access_key=None,
              is_secure=True, port=None, proxy=None, proxy_port=None,
              proxy_user=None, proxy_pass=None, debug=0,
              https_connection_factory=None, region=None, path='/',
              converter=None, ioloop=None):
     """Build the STS connection, then attach an AsyncHTTPClient.

     All connection arguments go to STSConnection.__init__ by keyword;
     ``ioloop`` is only used for the async HTTP client stored on
     ``self.http_client``.
     """
     STSConnection.__init__(self,
                            aws_access_key_id=aws_access_key_id,
                            aws_secret_access_key=aws_secret_access_key,
                            is_secure=is_secure,
                            port=port,
                            proxy=proxy,
                            proxy_port=proxy_port,
                            proxy_user=proxy_user,
                            proxy_pass=proxy_pass,
                            debug=debug,
                            https_connection_factory=https_connection_factory,
                            region=region,
                            path=path,
                            converter=converter)
     self.http_client = AsyncHTTPClient(io_loop=ioloop)
 def _gen_session_token(_, key_id=None, secret_id=None):
     """Request a fresh STS session token and return its fields as a dict.

     ``duration`` and ``generated`` come from the enclosing scope; the
     token object is appended to ``generated`` before the dict is built.
     """
     from boto.sts.connection import STSConnection
     conn = STSConnection(aws_access_key_id=key_id,
                          aws_secret_access_key=secret_id)
     # force_new=True: otherwise a still-valid cached token would be handed
     # back instead of a new one, and the checks below need a fresh token.
     fresh = conn.get_session_token(duration=duration, force_new=True)
     generated.append(fresh)
     return {
         'key_id': fresh.access_key,
         'secret_id': fresh.secret_key,
         'session': fresh.session_token,
         'expiration': fresh.expiration,
     }
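    def test_assume_role_with_web_identity(self):
        """An unauthorised web-identity assume-role call must fail with 403.

        The ``else`` branch makes a silent success a test failure; the
        original only checked the error when one happened to be raised.
        """
        c = STSConnection()

        try:
            c.assume_role_with_web_identity(
                'arn:aws:s3:::my_corporate_bucket/*',
                'guestuser',
                'b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9',
                provider_id='www.amazon.com',
            )
        except BotoServerError as err:
            self.assertEqual(err.status, 403)
            self.assertTrue('Not authorized' in err.body)
        else:
            self.fail('assume_role_with_web_identity did not raise BotoServerError')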
    def doGetAccessCredentials(self, token, profile):
        """Trade a web identity token for temporary AWS credentials.

        ``profile['email']`` (cut to 32 characters) becomes the role session
        name; a ProviderId is only sent for Facebook and Amazon logins.
        Returns the credentials as a dict.
        """
        from boto.sts.connection import STSConnection

        # NOTE(review): debug=1 turns on boto debug output for this
        # connection; confirm it does not echo the web identity token.
        conn = STSConnection(anon=True, debug=1)

        call_kwargs = {
            'role_arn': self.getRoleARN(),
            'role_session_name': profile['email'][:32],  # Max 32 characters
            'web_identity_token': token,
        }

        provider_ids = {
            'Facebook': 'graph.facebook.com',
            'Amazon': 'www.amazon.com',
        }
        provider_id = provider_ids.get(profile['provider'], '')
        if provider_id:
            call_kwargs['provider_id'] = provider_id

        assumed = conn.assume_role_with_web_identity(**call_kwargs)
        return assumed.credentials.to_dict()

    # def doGetAccessCredentials_NO_BOTO(self, token, profile):
    #     import urllib, urllib2, json
    #
    #     # Let the subclass give us the role ARN
    #     roleARN = self.getRoleARN()
    #     email   = profile['email']
    #
    #     url = 'https://sts.amazonaws.com?Action=AssumeRoleWithWebIdentity'
    #     url = url + '&DurationSeconds=3600'
    #     url = url + '&RoleSessionName=' + email
    #     url = url + '&Version=2011-06-15'
    #     url = url + '&RoleArn=' + roleARN
    #     url = url + '&WebIdentityToken=' + token
    #
    #     if profile['provider'] == 'Facebook':
    #         url = url + '&ProviderId=graph.facebook.com'
    #     elif profile['provider'] == 'Amazon':
    #         url = url + '&ProviderId=www.amazon.com'
    #
    #     request = urllib2.Request(url, headers= {'Accept' : 'application/json'} )
    #     response = urllib2.urlopen(request)
    #     assumedRole = response.read()
    #     assumedRole = json.loads(assumedRole)
    #     return assumedRole['AssumeRoleWithWebIdentityResponse']['AssumeRoleWithWebIdentityResult']['Credentials']
        
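    def test_assume_role_with_web_identity(self):
        """An unauthorised web-identity assume-role call must fail with 403.

        The ``else`` branch makes a silent success a test failure; the
        original only checked the error when one happened to be raised.
        """
        c = STSConnection(anon=True)
        arn = 'arn:aws:iam::000240903217:role/FederatedWebIdentityRole'
        wit = 'b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9'

        try:
            c.assume_role_with_web_identity(
                role_arn=arn,
                role_session_name='guestuser',
                web_identity_token=wit,
                provider_id='www.amazon.com',
            )
        except BotoServerError as err:
            self.assertEqual(err.status, 403)
            self.assertTrue('Not authorized' in err.body)
        else:
            self.fail('assume_role_with_web_identity did not raise BotoServerError')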
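    def test_assume_role_with_web_identity(self):
        """An unauthorised web-identity assume-role call must fail with 403.

        The ``else`` branch makes a silent success a test failure; the
        original only checked the error when one happened to be raised.
        """
        c = STSConnection(anon=True)
        arn = 'arn:aws:iam::000240903217:role/FederatedWebIdentityRole'
        wit = 'b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9'

        try:
            c.assume_role_with_web_identity(
                role_arn=arn,
                role_session_name='guestuser',
                web_identity_token=wit,
                provider_id='www.amazon.com',
            )
        except BotoServerError as err:
            self.assertEqual(err.status, 403)
            self.assertTrue('Not authorized' in err.body)
        else:
            self.fail('assume_role_with_web_identity did not raise BotoServerError')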
# https://web-identity-federation-playground.s3.amazonaws.com/index.html
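from boto.sts.connection import STSConnection

# anon=True: no AWS signature is attached; the web identity token below is
# what authenticates the call.
sts = STSConnection(anon=True)

arn = 'arn:aws:iam::877950674958:role/WebIdFed_Amazon'
session_name = 'web-identity-federation'
# Login-with-Amazon token taken from the playground page linked above. It is
# a bearer credential, so real code should read it from the environment
# rather than hard-code it.
token = 'Atza|IwEBIPIBmfyOcO_vUQ8weJgIVpxWXKNXnXNg1FVOYVEKajPe2EKUqMIqinmLNpHulbLWaeemEtenY_TzAWxR0FIw9Nsj9C7Oaj0P-AE694CxURnCwhiglXL6yvrii465Iu9_3FCEFkctp847L3R5BPk0vmFQ8YMJoSfkbvXCVvX5NKZgae8cGlLnXJNp6ImB2UzY-qGvsDkR7k8fLOil-4kUrfmg1eqTSBT2abF_obHpZi1xKcCB1aYt3uPquO4k056_0pi6H5PI0vCioHetLjo_6tBx2SYG1o2FGuX9At0jGRNIpZL_dWhcbIYvjEVSYZEfHVg7jR7wpMcnafX3ct0Q-zb2xrA9iQvDewWmizCs2_Ip5PIlnY8HPr32JiCSE7aT8oHzOh6-NIFmr_99cv7mqUi0d3d188Aj4H8AGBeaOyRAqP9li4FxvPBJoCg7ZIuMPDC02M6yzGGwCcWoJlvJTFCQLsI8zvDQrxkHm4hHMHSoNcwNQr1rXR8v-tKlzY-OKQfyZJ4KkiPCwG4FDS2A5AO_yxILLjFZzx4VHCXELmKd8w'
# The original had a stray leading space on this line, which is an
# IndentationError at module level.
creds = sts.assume_role_with_web_identity(
    role_arn=arn,
    role_session_name=session_name,
    web_identity_token=token,
    provider_id='www.amazon.com',
)
print creds.user.arn
print creds.user.assume_role_id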