def test_get_blind_credential(self):
    """get_blind_credential maps the HTTP status to a {'result': ...} dict.

    Unlike get_service (tested below), a 404 is reported as result=False
    here: a missing blind credential is treated as a failed lookup rather
    than a successful "not found". _get_token is stubbed so no KMS call is
    made, and the session's request() is swapped for the module-level
    mock responders one status at a time.
    """
    auth_context = {
        'from': 'confidant-unittest',
        'to': 'test',
        'user_type': 'service'
    }
    client = confidant_client.ConfidantClient(
        'http://localhost/',
        'alias/authnz-testing',
        auth_context,
    )
    client._get_token = MagicMock()
    self.maxDiff = None
    # Each entry pairs a mocked responder with the dict the client must
    # return for it; the positional arguments never change.
    expectations = (
        (mock_404, {'result': False}),
        (mock_200, {'result': True, 'blind_credential': {}}),
        (mock_500, {'result': False}),
    )
    for responder, expected in expectations:
        client.request_session.request = responder
        self.assertEqual(
            client.get_blind_credential('confidant-development', False),
            expected)
 def test__get_keys_and_encrypted_pairs(self):
     """_get_keys_and_encrypted_pairs returns (data_keys, encrypted_pairs).

     Fernet is patched so the "ciphertext" is the literal string
     'encrypted' and no real data key is ever needed. The data-key half
     is expected to be the base64 of 'encrypted_datakey'
     ('ZW5jcnlwdGVkX2RhdGFrZXk='); that value presumably comes from a
     class-level KMS generate_data_key mock that is not visible in this
     method -- confirm against the fixture before changing it.
     """
     client = confidant_client.ConfidantClient(
         'http://localhost/',
         'alias/authnz-testing',
         {
             'from': 'confidant-unittest',
             'to': 'test',
             'user_type': 'service'
         },
     )
     blind_keys = {'us-east-1': 'confidant-unittest-blind'}
     contexts = {'us-east-1': {'group': 'confidant-unittest'}}
     pairs = {'mockkey': 'mockval'}
     expected = (
         {'us-east-1': 'ZW5jcnlwdGVkX2RhdGFrZXk='},
         {'us-east-1': 'encrypted'},
     )
     with patch('confidant_client.Fernet') as MockFernet:
         fernet_instance = MagicMock()
         fernet_instance.encrypt = MagicMock(return_value='encrypted')
         MockFernet.return_value = fernet_instance
         result = client._get_keys_and_encrypted_pairs(
             blind_keys, contexts, pairs, 'fernet', 2
         )
     self.assertEqual(result, expected)
 def test__decrypt_blind_credentials(self):
     """_decrypt_blind_credentials annotates each record with plaintext.

     _get_decrypted_pairs is stubbed, so only the wiring is checked: an
     empty list passes through unchanged, and each credential gains a
     'decrypted_credential_pairs' key while keeping its original
     (still-encrypted) fields. The returned records therefore carry
     plaintext next to ciphertext; anything that logs or persists them
     must treat the whole structure as sensitive.
     """
     client = confidant_client.ConfidantClient(
         'http://localhost/',
         'alias/authnz-testing',
         {'from': 'confidant-unittest',
          'to': 'test',
          'user_type': 'service'},
     )
     plaintext = {'us-east-1': 'plaintext_secret'}
     client._get_decrypted_pairs = MagicMock(return_value=plaintext)
     # Nothing to decrypt -> nothing returned.
     self.assertEqual(client._decrypt_blind_credentials([]), [])
     # One record -> the same record plus its decrypted pairs.
     encrypted_record = {'us-east-1': 'encrypted'}
     expected_record = {
         'decrypted_credential_pairs': plaintext,
         'us-east-1': 'encrypted',
     }
     self.assertEqual(
         client._decrypt_blind_credentials([encrypted_record]),
         [expected_record]
     )
 def test_get_service(self):
     """get_service maps the HTTP status to a {'result': ...} dict.

     A 404 counts as success (result=True, no 'service' key): the request
     itself worked, the service simply does not exist. A 200 yields the
     (mocked, empty) service body; a 500 is a failed request
     (result=False). _get_token is stubbed so no KMS call is made.
     """
     client = confidant_client.ConfidantClient(
         'http://localhost/',
         'alias/authnz-testing',
         {
             'from': 'confidant-unittest',
             'to': 'test',
             'user_type': 'service'
         },
     )
     client._get_token = MagicMock()
     self.maxDiff = None
     cases = [
         (mock_404, {'result': True}),
         (mock_200, {'result': True, 'service': {}}),
         (mock_500, {'result': False}),
     ]
     for responder, expected in cases:
         client.request_session.request = responder
         self.assertEqual(
             client.get_service('confidant-development', False),
             expected
         )
def _get_client_from_args(args):
    """Build a ConfidantClient from parsed CLI arguments.

    The MFA code is read interactively with getpass, so it is never
    echoed and never appears in argv, the process list or shell history;
    when ``args.mfa`` is not set the client receives ``mfa_pin=None``.
    Only the auth-context fields that were actually supplied are
    forwarded, and an entirely empty context is passed as None. A
    comma-separated ``config_files`` value is split into a list; an
    empty value becomes None.
    """
    mfa_pin = getpass.getpass('Enter the MFA code: ') if args.mfa else None
    # Keep only the context fields the user provided a value for.
    supplied = (
        ('from', args._from),
        ('to', args._to),
        ('user_type', args.user_type),
    )
    auth_context = {key: value for key, value in supplied if value} or None
    config_files = (
        args.config_files.split(',') if args.config_files else None
    )
    return confidant_client.ConfidantClient(
        args.url,
        args.auth_key,
        auth_context,
        token_lifetime=args.token_lifetime,
        token_version=args.token_version,
        assume_role=args.assume_role,
        mfa_pin=mfa_pin,
        region=args.region,
        retries=args.retries,
        config_files=config_files,
        profile=args.profile)
 def test__get_username(self):
     """_get_username depends on the token version.

     Version 1 identifies the caller by the bare 'from' value; version 2
     prefixes it with the version and user_type ('2/service/<from>'),
     presumably so the server can distinguish a service from a user of
     the same name.
     """
     v1_client = confidant_client.ConfidantClient(
         'http://localhost/',
         'alias/authnz-testing', {
             'from': 'confidant-unittest',
             'to': 'test'
         },
         token_version=1)
     self.assertEqual(v1_client._get_username(), 'confidant-unittest')
     v2_client = confidant_client.ConfidantClient(
         'http://localhost/',
         'alias/authnz-testing', {
             'from': 'confidant-unittest',
             'to': 'test',
             'user_type': 'service'
         },
         token_version=2)
     self.assertEqual(v2_client._get_username(),
                      '2/service/confidant-unittest')
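 def test_validate_config(self):
     """Constructor validation of the auth context and token version.

     Invalid configurations raise ClientConfigurationError:
       * an empty auth context;
       * a context without 'user_type' when no token_version is given;
       * an unsupported token_version (3).
     Valid ones construct normally: token_version=1 does not require
     'user_type', and the default version accepts a context that has it.
     The positive cases use self.assertTrue rather than a bare ``assert``
     so they are not stripped when Python runs with -O, and so the whole
     method uses unittest-style assertions like the rest of the file.
     """
     url = 'http://localhost/'
     key = 'alias/authnz-testing'
     invalid = [
         # Missing auth context entirely.
         ({}, {}),
         # Missing user_type, which the default token version requires.
         ({'from': 'test', 'to': 'test'}, {}),
         # Unsupported token version.
         ({'from': 'test', 'to': 'test', 'user_type': 'user'},
          {'token_version': 3}),
     ]
     for auth_context, kwargs in invalid:
         with self.assertRaises(
                 confidant_client.ClientConfigurationError
                 ):
             confidant_client.ConfidantClient(
                 url, key, auth_context, **kwargs
             )
     # token_version=1 identifies the caller by 'from' alone, so
     # user_type is optional there.
     self.assertTrue(confidant_client.ConfidantClient(
         url, key, {'from': 'test', 'to': 'test'}, token_version=1
     ))
     self.assertTrue(confidant_client.ConfidantClient(
         url, key, {'from': 'test', 'to': 'test', 'user_type': 'service'}
     ))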
 def test__get_token(self, boto_mock):
     """_get_token returns the base64 of the KMS-encrypted auth token.

     ``boto_mock`` is injected by a patch decorator on this method that is
     not shown in this excerpt; the client factory it stands in for is
     made to return a KMS stub whose encrypt() yields the literal
     CiphertextBlob 'encrypted', so the token must be exactly
     base64('encrypted'). Nothing is asserted about what the client
     passed to encrypt() (plaintext or encryption context).
     """
     kms_mock = MagicMock()
     kms_mock.encrypt = MagicMock(
         return_value={'CiphertextBlob': 'encrypted'}
     )
     boto_mock.return_value = kms_mock
     client = confidant_client.ConfidantClient(
         'http://localhost/',
         'alias/authnz-testing',
         {'from': 'confidant-unittest',
          'to': 'test',
          'user_type': 'service'},
     )
     expected_token = base64.b64encode(b'encrypted')
     self.assertEqual(client._get_token(), expected_token)
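 def test__check_response_code(self):
     """_check_response_code accepts only the expected status codes.

     With no explicit list a 200 is accepted and a 404 is rejected; an
     explicit list of acceptable codes can be passed instead. The
     rejected response carries ``text`` so the client can report it
     (presumably by logging -- that is not asserted here).

     The fake responses are MagicMock *instances*. Assigning the
     MagicMock class itself and then setting ``status_code``/``text`` on
     it writes those attributes onto the shared class, which leaks into
     every other test in the process.
     """
     client = confidant_client.ConfidantClient(
         'http://localhost/',
         'alias/authnz-testing',
         {'from': 'confidant-unittest',
          'to': 'test',
          'user_type': 'service'},
     )
     ok_response = MagicMock()
     ok_response.status_code = 200
     self.assertTrue(client._check_response_code(ok_response))
     self.assertTrue(client._check_response_code(ok_response, [200]))
     self.assertTrue(client._check_response_code(ok_response, [200, 404]))
     missing_response = MagicMock()
     missing_response.status_code = 404
     missing_response.text = 'failure'
     self.assertFalse(client._check_response_code(missing_response))
     self.assertFalse(client._check_response_code(missing_response, [200]))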
 def test_create_blind_credential(self):
     """create_blind_credential submits the client-encrypted payload.

     _get_keys_and_encrypted_pairs is stubbed, so neither KMS nor Fernet
     is exercised; only the HTTP handling is under test. A 500 yields
     result=False, a 200 yields result=True plus the (mocked, empty)
     blind_credential body. The positional arguments are the blind KMS
     keys, the KMS encryption contexts, a name and the credential pairs
     (presumably -- the signature is not visible here).
     """
     client = confidant_client.ConfidantClient(
         'http://localhost/',
         'alias/authnz-testing',
         {'from': 'confidant-unittest',
          'to': 'test',
          'user_type': 'service'},
     )
     client._get_token = MagicMock()
     client._get_keys_and_encrypted_pairs = MagicMock(
         return_value=(
             {'us-east-1': 'ZW5jcnlwdGVkX2RhdGFrZXk='},
             {'us-east-1': 'encrypted'},
         )
     )
     self.maxDiff = None

     def create():
         # Fresh literals per call so one call cannot affect the next.
         return client.create_blind_credential(
             {'us-east-1': 'confidant-development-blind'},
             {'us-east-1': {'group': 'confidant-development'}},
             'mock credential',
             {'mockkey': 'mockval'}
         )

     client.request_session.request = mock_500
     self.assertEqual(create(), {'result': False})
     client.request_session.request = mock_200
     self.assertEqual(create(), {'result': True, 'blind_credential': {}})
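 def test__get_assume_role_creds(self):
     """_get_assume_role_creds derives the STS AssumeRole arguments.

     Three cases are checked against the mocked sts assume_role():
       * a full role ARN is used as-is and RoleSessionName (the name
         CloudTrail records for the session) is '<role name>_confidant';
       * a bare role name is expanded to an ARN using the account taken
         from iam.get_user()'s user ARN;
       * with an mfa_pin, SerialNumber is the MFA-device ARN built from
         that account and the IAM UserName, and the pin is forwarded as
         TokenCode.
     The mocked UserName is therefore 'unittestuser' so that it matches
     the SerialNumber asserted in the MFA case; the two must be kept in
     step.
     """
     client = confidant_client.ConfidantClient(
         'http://localhost/',
         'alias/authnz-testing',
         {'from': 'confidant-unittest',
          'to': 'test',
          'user_type': 'service'},
         token_version=2
     )
     client.sts_client.assume_role = MagicMock()
     # Full ARN: base_arn, role_arn and session name come straight from it.
     client._get_assume_role_creds(
         'arn:aws:iam::12345:role/confidant-unittest'
     )
     client.sts_client.assume_role.assert_called_with(
         RoleArn='arn:aws:iam::12345:role/confidant-unittest',
         RoleSessionName='confidant-unittest_confidant'
     )
     # Bare role name: the account comes from the caller's IAM user ARN.
     # UserName feeds the MFA SerialNumber asserted below.
     client.iam_client = MagicMock()
     client.iam_client.get_user = MagicMock(return_value={
         'User': {
             'Arn': 'arn:aws:iam::12345:user/confidant-unittest2',
             'UserName': 'unittestuser'
         }
     })
     client._get_assume_role_creds('confidant-unittest2')
     client.sts_client.assume_role.assert_called_with(
         RoleArn='arn:aws:iam::12345:role/confidant-unittest2',
         RoleSessionName='confidant-unittest2_confidant'
     )
     # With an MFA pin, the device serial and the code are passed to STS.
     client._get_assume_role_creds('confidant-unittest2', mfa_pin='1234')
     client.sts_client.assume_role.assert_called_with(
         RoleArn='arn:aws:iam::12345:role/confidant-unittest2',
         RoleSessionName='confidant-unittest2_confidant',
         SerialNumber='arn:aws:iam::12345:mfa/unittestuser',
         TokenCode='1234'
     )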
 def test__get_decrypted_pairs(self, boto_mock):
     """_get_decrypted_pairs unwraps the data key and decrypts the pairs.

     ``boto_mock`` is injected by a patch decorator on this method that is
     not shown in this excerpt; the KMS client it returns only needs a
     ``_client_config`` attribute, presumably read for the region. KMS
     decrypt() is a plain MagicMock, so no real key unwrap happens, and
     Fernet is patched so decrypt() yields a fixed JSON document; the
     method must parse that into a dict. The stored data key is the
     base64 of 'encrypted_datakey'.
     """
     kms_mock = MagicMock()
     kms_mock._client_config = MagicMock()
     boto_mock.return_value = kms_mock
     region = 'us-east-1'
     client = confidant_client.ConfidantClient(
         'http://localhost/',
         'alias/authnz-testing',
         {'from': 'confidant-unittest',
          'to': 'test',
          'user_type': 'service'},
         region=region
     )
     credential = {
         'metadata': {'context': {region: {'group': 'unittest'}}},
         # base64 of 'encrypted_datakey'
         'data_key': {region: 'ZW5jcnlwdGVkX2RhdGFrZXk='},
         'credential_pairs': {region: 'plaintext_secret'},
     }
     with patch('confidant_client.Fernet') as MockFernet:
         fernet_instance = MagicMock()
         fernet_instance.decrypt = MagicMock(
             return_value='{"hello": "world"}'
         )
         MockFernet.return_value = fernet_instance
         decrypted = client._get_decrypted_pairs(credential)
     self.assertEqual(decrypted, {'hello': 'world'})
 def test_update_blind_credential(self):
     """update_blind_credential re-encrypts and PUTs an existing record.

     _get_token and _get_keys_and_encrypted_pairs are stubbed, so neither
     KMS nor Fernet runs; get_blind_credential is stubbed to return the
     fixture below, and only the HTTP outcome is asserted: a 500 yields
     result=False, a 200 yields result=True plus the (mocked, empty)
     blind_credential body. The first positional argument is the id of
     the credential being updated.
     """
     client = confidant_client.ConfidantClient(
         'http://localhost/',
         'alias/authnz-testing',
         {
             'from': 'confidant-unittest',
             'to': 'test',
             'user_type': 'service'
         },
     )
     client._get_token = MagicMock()
     client._get_keys_and_encrypted_pairs = MagicMock(
         return_value=({
             # base64 of 'encrypted_datakey'
             'us-east-1': 'ZW5jcnlwdGVkX2RhdGFrZXk='
         }, {
             'us-east-1': 'encrypted'
         }))
     # Existing record as the server would return it: only the encrypted
     # pairs and the wrapped data key, never plaintext.
     get_blind_data = {
         'result': True,
         'blind_credential': {
             'revision': 1,
             'modified_by': 'testuser',
             # TODO: use a correctly formatted date here.
             'modified_date': '2015-01-01',
             'name': 'test secret',
             'metadata': {
                 'context': {
                     'us-east-1': {
                         'group': 'confidant-unittest'
                     }
                 }
             },
             'credential_pairs': {
                 'us-east-1': 'encrypted'
             },
             'cipher_type': 'fernet',
             'cipher_version': 2,
             'data_key': {
                 'us-east-1': 'ZW5jcnlwdGVkX2RhdGFrZXk='
             },
             'enabled': True
         }
     }
     # A deep copy per case: update_blind_credential presumably mutates
     # the fetched record, so sharing it would let the first call leak
     # into the second.
     client.get_blind_credential = MagicMock(
         return_value=copy.deepcopy(get_blind_data))
     client.request_session.request = mock_500
     self.maxDiff = None
     self.assertEqual(
         client.update_blind_credential(
             '12345', {'us-east-1': 'confidant-development-blind'},
             {'us-east-1': {
                 'group': 'confidant-development'
             }}, 'mock credential', {'mockkey': 'mockval'}),
         {'result': False})
     client.get_blind_credential = MagicMock(
         return_value=copy.deepcopy(get_blind_data))
     client.request_session.request = mock_200
     self.assertEqual(
         client.update_blind_credential(
             '12345', {'us-east-1': 'confidant-development-blind'},
             {'us-east-1': {
                 'group': 'confidant-development'
             }}, 'mock credential', {'mockkey': 'mockval'}), {
                 'result': True,
                 'blind_credential': {}
             })