def setUp(self): self.credentials = Credentials('key', 'secret') self.emitter = mock.Mock() self.emitter.emit_until_response.return_value = (None, None) self.signer = RequestSigner('service_name', 'region_name', 'signing_name', 'v4', self.credentials, self.emitter) self.fixed_credentials = self.credentials.get_frozen_credentials()
def test_return_botocore_credentials(self): dummy_credentials = Credentials('access_key', 'secret_key', 'token') with mock.patch.object(self.command._session, 'get_credentials', return_value=dummy_credentials): credentials = self.command._load_credentials() self.assertIs(credentials, dummy_credentials)
def test_raise_error_on_missing_token(self): dummy_credentials = Credentials('access_key', 'secret_key', token=None) with mock.patch.object(self.command._session, 'get_credentials', return_value=dummy_credentials): with self.assertRaises(PartialCredentialsError): self.command._load_credentials()
def _validate_signature(self, headers, raw_input): auth_header = headers["Authorization"] signed_headers_start = auth_header.find("SignedHeaders") signed_headers = auth_header[signed_headers_start:auth_header. find(",", signed_headers_start)] signed_headers_dict = get_dict_subset(headers, signed_headers) request = AWSRequest(method="POST", url="/", data=raw_input, headers=signed_headers_dict) # SigV4Auth assumes this header exists even though it is not required by the algorithm request.context['timestamp'] = headers['X-Amz-Date'] region_start = auth_header.find("Credential=access/") + len( "Credential=access/YYYYMMDD/") region = auth_header[region_start:auth_header.find("/", region_start)] credentials = Credentials("access", "secret") auth = SigV4Auth(credentials, "kms", region) string_to_sign = auth.string_to_sign(request, auth.canonical_request(request)) expected_signature = auth.signature(string_to_sign, request) signature_headers_start = auth_header.find("Signature=") + len( "Signature=") actual_signature = auth_header[signature_headers_start:] return expected_signature == actual_signature
def authenticate_presign_url_signv2(method, path, headers, data, url, query_params, request_dict): # Calculating Signature aws_request = create_request_object(request_dict) credentials = Credentials(access_key=TEST_AWS_ACCESS_KEY_ID, secret_key=TEST_AWS_SECRET_ACCESS_KEY) auth = HmacV1QueryAuth(credentials=credentials, expires=query_params['Expires'][0]) split = urlsplit(aws_request.url) string_to_sign = auth.get_string_to_sign(method=method, split=split, headers=aws_request.headers) signature = auth.get_signature(string_to_sign=string_to_sign) # Comparing the signature in url with signature we calculated query_sig = urlparse.unquote(query_params['Signature'][0]) if query_sig != signature: return requests_error_response_xml_signature_calculation( code=403, code_string='SignatureDoesNotMatch', aws_access_token=TEST_AWS_ACCESS_KEY_ID, string_to_sign=string_to_sign, signature=signature, message='The request signature we calculated does not match the signature you provided. \ Check your key and signing method.') # Checking whether the url is expired or not if int(query_params['Expires'][0]) < time.time(): return requests_error_response_xml_signature_calculation( code=403, code_string='AccessDenied', message='Request has expired', expires=query_params['Expires'][0] )
def test_presigned_url_casing_changed_for_rds(self): operation_model = mock.Mock() operation_model.name = 'CopyDBSnapshot' credentials = Credentials('key', 'secret') event_emitter = HierarchicalEmitter() request_signer = RequestSigner( 'rds', 'us-east-1', 'rds', 'v4', credentials, event_emitter) request_dict = {} params = {'SourceRegion': 'us-west-2'} request_dict['body'] = params request_dict['url'] = 'https://rds.us-east-1.amazonaws.com' request_dict['method'] = 'POST' request_dict['headers'] = {} request_dict['context'] = {} handlers.inject_presigned_url_rds( params=request_dict, request_signer=request_signer, model=operation_model ) self.assertNotIn('PresignedUrl', params) self.assertIn('https://rds.us-west-2.amazonaws.com?', params['PreSignedUrl']) self.assertIn('X-Amz-Signature', params['PreSignedUrl'])
def test_destination_region_always_changed(self): # If the user provides a destination region, we will still # override the DesinationRegion with the region_name from # the endpoint object. actual_region = 'us-west-1' credentials = Credentials('key', 'secret') request_signer = RequestSigner('ec2', actual_region, 'ec2', 'v4', credentials, None) request_dict = {} params = { 'SourceRegion': 'us-west-2', 'DestinationRegion': 'us-east-1' } request_dict['body'] = params request_dict['url'] = 'https://ec2.us-west-1.amazonaws.com' request_dict['method'] = 'POST' request_dict['headers'] = {} # The user provides us-east-1, but we will override this to # endpoint.region_name, of 'us-west-1' in this case. handlers.copy_snapshot_encrypted(request_dict, request_signer) self.assertIn('https://ec2.us-west-2.amazonaws.com?', params['PresignedUrl']) # Always use the DestinationRegion from the endpoint, regardless of # whatever value the user provides. self.assertEqual(params['DestinationRegion'], actual_region)
def test_inject_presigned_url_ec2(self): operation_model = mock.Mock() operation_model.name = 'CopySnapshot' credentials = Credentials('key', 'secret') event_emitter = HierarchicalEmitter() request_signer = RequestSigner('ec2', 'us-east-1', 'ec2', 'v4', credentials, event_emitter) request_dict = {} params = {'SourceRegion': 'us-west-2'} request_dict['body'] = params request_dict['url'] = 'https://ec2.us-east-1.amazonaws.com' request_dict['method'] = 'POST' request_dict['headers'] = {} request_dict['context'] = {} handlers.inject_presigned_url_ec2(request_dict, request_signer, operation_model) self.assertIn('https://ec2.us-west-2.amazonaws.com?', params['PresignedUrl']) self.assertIn('X-Amz-Signature', params['PresignedUrl']) self.assertIn('DestinationRegion', params['PresignedUrl']) # We should also populate the DestinationRegion with the # region_name of the endpoint object. self.assertEqual(params['DestinationRegion'], 'us-east-1')
def test_destination_region_always_changed(self): # If the user provides a destination region, we will still # override the DesinationRegion with the region_name from # the endpoint object. actual_region = 'us-west-1' operation_model = mock.Mock() operation_model.name = 'CopySnapshot' credentials = Credentials('key', 'secret') event_emitter = HierarchicalEmitter() request_signer = RequestSigner('ec2', actual_region, 'ec2', 'v4', credentials, event_emitter) request_dict = {} params = { 'SourceRegion': 'us-west-2', 'DestinationRegion': 'us-east-1' } request_dict['body'] = params request_dict['url'] = 'https://ec2.us-west-1.amazonaws.com' request_dict['method'] = 'POST' request_dict['headers'] = {} request_dict['context'] = {} # The user provides us-east-1, but we will override this to # endpoint.region_name, of 'us-west-1' in this case. handlers.inject_presigned_url_ec2(request_dict, request_signer, operation_model) self.assertIn('https://ec2.us-west-2.amazonaws.com?', params['PresignedUrl']) # Always use the DestinationRegion from the endpoint, regardless of # whatever value the user provides. self.assertEqual(params['DestinationRegion'], actual_region)
def get_credentials(self): """ Returns botocore.credential.Credential object. """ return Credentials(access_key=self.aws_access_key_id, secret_key=self.aws_secret_access_key, token=self.aws_session_token)
def _aws_auth_header(credentials, server_nonce, sts_host): """Signature Version 4 Signing Process to construct the authorization header """ region = _get_region(sts_host) request_parameters = 'Action=GetCallerIdentity&Version=2011-06-15' encoded_nonce = standard_b64encode(server_nonce).decode('utf8') request_headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': str(len(request_parameters)), 'Host': sts_host, 'X-MongoDB-Server-Nonce': encoded_nonce, 'X-MongoDB-GS2-CB-Flag': 'n', } request = AWSRequest(method="POST", url="/", data=request_parameters, headers=request_headers) boto_creds = Credentials(credentials.username, credentials.password, token=credentials.token) auth = SigV4Auth(boto_creds, "sts", region) auth.add_auth(request) final = { 'a': request.headers['Authorization'], 'd': request.headers['X-Amz-Date'] } if credentials.token: final['t'] = credentials.token return final
def dummy_get_credentials(_self): # These must match what `moto` uses to mock the instance metadata # response (see InstanceMetadataResponse.metadata_response() in # moto.instance_metadata.responses). return Credentials(access_key='test-key', secret_key='test-secret-key', token='test-session-token')
class BaseSignerTest(unittest.TestCase): def setUp(self): self.credentials = Credentials('key', 'secret') self.emitter = mock.Mock() self.emitter.emit_until_response.return_value = (None, None) self.signer = RequestSigner('service_name', 'region_name', 'signing_name', 'v4', self.credentials, self.emitter) self.fixed_credentials = self.credentials.get_frozen_credentials() def _urlparse(self, url): if isinstance(url, six.binary_type): # Not really necessary, but it helps to reduce noise on Python 2.x url = url.decode('utf8') return urlparse(url) def assert_url_equal(self, url1, url2): parts1 = self._urlparse(url1) parts2 = self._urlparse(url2) # Because the query string ordering isn't relevant, we have to parse # every single part manually and then handle the query string. self.assertEqual(parts1.scheme, parts2.scheme) self.assertEqual(parts1.netloc, parts2.netloc) self.assertEqual(parts1.path, parts2.path) self.assertEqual(parts1.params, parts2.params) self.assertEqual(parts1.fragment, parts2.fragment) self.assertEqual(parts1.username, parts2.username) self.assertEqual(parts1.password, parts2.password) self.assertEqual(parts1.hostname, parts2.hostname) self.assertEqual(parts1.port, parts2.port) self.assertEqual(parse_qs(parts1.query), parse_qs(parts2.query))
class BaseSignerTest(unittest.TestCase): def setUp(self): self.credentials = Credentials('key', 'secret') self.emitter = mock.Mock() self.emitter.emit_until_response.return_value = (None, None) self.signer = RequestSigner( 'service_name', 'region_name', 'signing_name', 'v4', self.credentials, self.emitter) self.fixed_credentials = self.credentials.get_frozen_credentials() def _urlparse(self, url): if isinstance(url, six.binary_type): # Not really necessary, but it helps to reduce noise on Python 2.x url = url.decode('utf8') return urlparse(url) def assert_url_equal(self, url1, url2): parts1 = self._urlparse(url1) parts2 = self._urlparse(url2) # Because the query string ordering isn't relevant, we have to parse # every single part manually and then handle the query string. self.assertEqual(parts1.scheme, parts2.scheme) self.assertEqual(parts1.netloc, parts2.netloc) self.assertEqual(parts1.path, parts2.path) self.assertEqual(parts1.params, parts2.params) self.assertEqual(parts1.fragment, parts2.fragment) self.assertEqual(parts1.username, parts2.username) self.assertEqual(parts1.password, parts2.password) self.assertEqual(parts1.hostname, parts2.hostname) self.assertEqual(parts1.port, parts2.port) self.assertEqual(parse_qs(parts1.query), parse_qs(parts2.query))
async def test_appsync_subscription_iam_not_allowed(event_loop, server): from gql.transport.appsync_auth import AppSyncIAMAuthentication from gql.transport.appsync_websockets import AppSyncWebsocketsTransport from gql.transport.exceptions import TransportQueryError from botocore.credentials import Credentials path = "/graphql" url = f"ws://{server.hostname}:{server.port}{path}" dummy_credentials = Credentials( access_key=DUMMY_ACCESS_KEY_ID_NOT_ALLOWED, secret_key=DUMMY_SECRET_ACCESS_KEY, token=DUMMY_SECRET_SESSION_TOKEN, ) auth = AppSyncIAMAuthentication(host=server.hostname, credentials=dummy_credentials, region_name=REGION_NAME) transport = AppSyncWebsocketsTransport(url=url, auth=auth) client = Client(transport=transport) async with client as session: subscription = gql(on_create_message_subscription_str) with pytest.raises(TransportQueryError) as exc_info: async for result in session.subscribe(subscription): pass assert "Permission denied" in str(exc_info)
def test_get_profile_tokens_no_token(mock_cred): r = MockS3() mock_cred.return_value = Credentials( "aws_access_key_id", "aws_secret_access_key") cred_string = r._credentials_string() expected = ('aws_access_key_id=aws_access_key_id;' 'aws_secret_access_key=aws_secret_access_key') assert cred_string == expected
def get_credentials( access_key: str = None, secret_key: str = None, ): if access_key and secret_key: return Credentials(access_key, secret_key) return Session().get_credentials()
def _resolve_static_credentials_from_profile(self, profile): try: return Credentials(access_key=profile['aws_access_key_id'], secret_key=profile['aws_secret_access_key'], token=profile.get('aws_session_token')) except KeyError as e: raise PartialCredentialsError(provider=self.METHOD, cred_var=str(e))
def setUp(self): self.credentials = Credentials('key', 'secret') self.emitter = mock.Mock() self.emitter.emit_until_response.return_value = (None, None) self.signer = RequestSigner( 'service_name', 'region_name', 'signing_name', 'v4', self.credentials, self.emitter) self.fixed_credentials = self.credentials.get_frozen_credentials()
def test_should_inject_aws_credentials(self, mock_hook): mock_hook.return_value.get_credentials.return_value = Credentials( TEST_AWS_ACCESS_KEY_ID, TEST_AWS_ACCESS_SECRET, None ) body = {TRANSFER_SPEC: deepcopy(SOURCE_AWS)} body = TransferJobPreprocessor(body=body).process_body() self.assertEqual(body[TRANSFER_SPEC][AWS_S3_DATA_SOURCE][AWS_ACCESS_KEY], TEST_AWS_ACCESS_KEY)
def test_generate_session_credentials(self, stdout_mock): self.credentials = Credentials('access', 'secret', 'token') self.session.get_credentials.return_value = self.credentials self.get_command = CodeCommitGetCommand(self.session) self.get_command._run_main(self.args, self.globals) output = stdout_mock.getvalue().strip() self.assertRegexpMatches( output, 'username={0}%{1}\npassword=.+'.format('access', 'token'))
def test__aws_credentials_with_short_lived_credentials_and_ec2_metadata_service_having_credentials(mock): credentials = Credentials(access_key=_random_string(), secret_key=_random_string(), token=_random_string()) session = Mock() session.get_credentials.return_value = credentials mock.return_value = True aws_credentials = _aws_credentials(session) assert aws_credentials is None
def get_s3_auth_headers(creds, url, method, data=None): # TODO: blocking function call # When there is data this function might recalc hashes req = AWSRequest(method=method, url=url, data=data) sig = S3SigV4Auth(Credentials(**creds), 's3', 'us-east-1') sig.headers_to_sign(req) sig.add_auth(req) return dict(req.headers.items())
def __init__(self, service_name, region_name=None, api_version=None, base_path=None, use_ssl=True, access_key_id=None, secret_access_key=None, config_file='~/.nifcloud.yml'): """ config_fileを読み取って認証情報を初期化します。 引数にも値がある場合には引数が優先されます。 :param service_name: サービス名 :param region_name: リージョン名 :param api_version: APIバージョン :param base_path: :param use_ssl: :param access_key_id: :param secret_access_key: :param config_file: 設定ファイル """ # file から読み出し file_path = os.path.expanduser(config_file).replace('/', os.sep) if os.path.isfile(file_path): with open(file_path, 'r') as file: config = yaml.load(file.read()) if config is not None and 'ACCESS_KEY_ID' in config: self.ACCESS_KEY_ID = config['ACCESS_KEY_ID'] if config is not None and 'SECRET_ACCESS_KEY' in config: self.SECRET_ACCESS_KEY = config['SECRET_ACCESS_KEY'] # 環境変数があれば環境変数で上書き if hasattr(self, "ACCESS_KEY_ID"): self.ACCESS_KEY_ID = os.getenv("ACCESS_KEY_ID", self.ACCESS_KEY_ID) else: self.ACCESS_KEY_ID = os.getenv("ACCESS_KEY_ID") if hasattr(self, "SECRET_ACCESS_KEY"): self.SECRET_ACCESS_KEY = os.getenv("SECRET_ACCESS_KEY", self.SECRET_ACCESS_KEY) else: self.SECRET_ACCESS_KEY = os.getenv("SECRET_ACCESS_KEY") # 引数があれば引数の情報で上書き if access_key_id is not None: self.ACCESS_KEY_ID = access_key_id if secret_access_key is not None: self.SECRET_ACCESS_KEY = secret_access_key # 認証情報を生成 self.CREDENTIALS = Credentials(self.ACCESS_KEY_ID, self.SECRET_ACCESS_KEY) self.SERVICE_NAME = service_name self.REGION_NAME = region_name self.API_VERSION = api_version self.BASE_PATH = base_path self.USE_SSL = use_ssl
def setUp(self): self.service_description = { 'metadata': { 'apiVersion': '2014-01-01', 'endpointPrefix': 'myservice', 'signatureVersion': 'v4', 'protocol': 'query' }, 'operations': { 'TestOperation': { 'name': 'TestOperation', 'http': { 'method': 'POST', 'requestUri': '/', }, 'input': {'shape': 'TestOperationRequest'}, } }, 'shapes': { 'TestOperationRequest': { 'type': 'structure', 'required': ['Foo'], 'members': { 'Foo': {'shape': 'StringType'}, 'Bar': {'shape': 'StringType'}, } }, 'StringType': {'type': 'string'} } } self.retry_config = { "retry": { "__default__": { "max_attempts": 5, "delay": { "type": "exponential", "base": "rand", "growth_factor": 2 }, "policies": {} } } } self.loader = mock.Mock() self.loader.load_service_model.return_value = self.service_description self.loader.load_data.return_value = self.retry_config self.credentials = Credentials('access-key', 'secret-key') self.endpoint_creator_patch = mock.patch( 'botocore.client.EndpointCreator') self.endpoint_creator_cls = self.endpoint_creator_patch.start() self.endpoint_creator = self.endpoint_creator_cls.return_value self.endpoint = mock.Mock() self.endpoint.make_request.return_value = ( mock.Mock(status_code=200), {}) self.endpoint_creator.create_endpoint.return_value = self.endpoint
def test_raise_error_on_failure_response(self): responses.add(responses.GET, 'https://signin.aws.amazon.com/federation', status=401, body='Unauthorized') credentials = Credentials('access_key', 'secret_key') with self.assertRaises(requests.HTTPError): self.command._get_signin_token(credentials, '3600')
class BaseSignerTest(unittest.TestCase): def setUp(self): self.credentials = Credentials('key', 'secret') self.emitter = mock.Mock() self.emitter.emit_until_response.return_value = (None, None) self.signer = RequestSigner( ServiceId('service_name'), 'region_name', 'signing_name', 'v4', self.credentials, self.emitter) self.fixed_credentials = self.credentials.get_frozen_credentials() self.request = botocore.awsrequest.AWSRequest()
def setUp(self): self.credentials = Credentials('access', 'secret') self.args = Namespace() self.args.ignore_host_check = False self.globals = Namespace() self.globals.region = 'us-east-1' self.globals.verify_ssl = False self.session = MagicMock() self.session.get_config_variable.return_value = 'us-east-1' self.session.get_credentials.return_value = self.credentials
def test_presigned_url_already_present_rds(self): operation_model = mock.Mock() operation_model.name = 'CopyDBSnapshot' params = {'body': {'PreSignedUrl': 'https://foo'}} credentials = Credentials('key', 'secret') event_emitter = HierarchicalEmitter() request_signer = RequestSigner('rds', 'us-east-1', 'rds', 'v4', credentials, event_emitter) handlers.inject_presigned_url_rds(params, request_signer, operation_model) self.assertEqual(params['body']['PreSignedUrl'], 'https://foo')
def test_can_set_credentials_in_client_init(self): creator = self.create_client_creator() credentials = Credentials( access_key='access_key', secret_key='secret_key', token='session_token') client = creator.create_client( 'myservice', 'us-west-2', credentials=credentials) # Verify that we create an endpoint with a credentials object # matching our creds arguments. self.assertEqual(client._request_signer._credentials, credentials)
def test__aws_credentials_with_long_lived_credentials(): credentials = Credentials(access_key=_random_string(), secret_key=_random_string(), token=None) session = Mock() session.get_credentials.return_value = credentials aws_credentials = _aws_credentials(session) assert aws_credentials == [ "AWS_ACCESS_KEY_ID=%s" % credentials.access_key, "AWS_SECRET_ACCESS_KEY=%s" % credentials.secret_key, ]
def test_adds_md5_when_not_v4(self): credentials = Credentials('key', 'secret') request_signer = RequestSigner( 's3', 'us-east-1', 's3', 's3', credentials, mock.Mock()) request_dict = {'body': b'bar', 'url': 'https://s3.us-east-1.amazonaws.com', 'method': 'PUT', 'headers': {}} handlers.conditionally_calculate_md5(request_dict, request_signer=request_signer) self.assertTrue('Content-MD5' in request_dict['headers'])