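def _test_get_aws_security_credentials_instance_metadata_role_name(
        mocker,
        is_name_str=True,
        token_effects=None):
    """Shared body for the instance-metadata role-name credential tests.

    Args:
        mocker: pytest-mock fixture used to patch ``watchdog`` and ``os``.
        is_name_str: when true the role-name response body is ``bytes``,
            otherwise ``str`` (the flag name reads inverted, but this is the
            mapping the original helper used).
        token_effects: ``urlopen`` side effects standing in for the metadata
            token request; defaults to one successful token response.
    """
    # Build the default per call: a mutable default list (and the mock
    # response inside it) would be created once and shared by every caller.
    if token_effects is None:
        token_effects = [MockUrlLibResponse(data="ABCDEFG==")]

    config = get_fake_config()
    # NOTE: patch.dict with an empty mapping only restores os.environ after
    # the test; it does not clear ambient variables (that needs clear=True).
    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=False)
    response = json.dumps({
        "Code": "Success",
        "LastUpdated": "2019-10-25T14:41:42Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
        "Expiration": "2019-10-25T21:17:24Z",
    })

    role_name_data = b"FAKE_IAM_ROLE_NAME" if is_name_str else "FAKE_IAM_ROLE_NAME"

    # Queue order: token, role name, token, credentials document.
    # Presumably watchdog fetches a token before each metadata request -
    # confirm against watchdog if this order ever changes.
    side_effects = (token_effects + [MockUrlLibResponse(data=role_name_data)] +
                    token_effects + [MockUrlLibResponse(data=response)])
    mocker.patch("watchdog.urlopen", side_effect=side_effects)

    credentials = watchdog.get_aws_security_credentials(
        config, "metadata:", "us-east-1")

    assert credentials["AccessKeyId"] == ACCESS_KEY_ID_VAL
    assert credentials["SecretAccessKey"] == SECRET_ACCESS_KEY_VAL
    assert credentials["Token"] == SESSION_TOKEN_VAL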
def _test_get_aws_security_credentials_instance_metadata_role_name(mocker, is_name_str=True, is_imds_v2=False):
    """Shared body for the 'metadata:' credential tests.

    With ``is_imds_v2`` set, the first ``urlopen`` call raises a 401
    ``HTTPError`` and ``watchdog.get_aws_ec2_metadata_token`` is patched to
    return a fixed token, so the token-backed retry path is the one exercised
    (presumably - confirm against watchdog).
    """
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    creds_document = json.dumps({
        'Code': 'Success',
        'LastUpdated': '2019-10-25T14:41:42Z',
        'Type': 'AWS-HMAC',
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
        'Expiration': '2019-10-25T21:17:24Z'
    })

    # Role name is served as bytes when is_name_str is true, str otherwise.
    role_name_payload = b'FAKE_IAM_ROLE_NAME' if is_name_str else 'FAKE_IAM_ROLE_NAME'

    queued = []
    if is_imds_v2:
        # An exception instance in a side_effect list is raised by the mock.
        queued.append(HTTPError('url', 401, 'Unauthorized', None, None))
        mocker.patch('watchdog.get_aws_ec2_metadata_token', return_value='ABCDEFG==')
    queued.extend([MockUrlLibResponse(data=role_name_payload), MockUrlLibResponse(data=creds_document)])
    mocker.patch('watchdog.urlopen', side_effect=queued)

    result = watchdog.get_aws_security_credentials('metadata:')

    expected = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
    }
    for field, value in expected.items():
        assert result[field] == value
def test_get_aws_security_credentials_not_found(mocker):
    """With no source argument and nothing to find, every credential field is None."""
    # NOTE: an empty patch.dict does not clear os.environ (no clear=True), so
    # ambient AWS-related variables on the test host are still visible here.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    # urlopen becomes a bare MagicMock; no real network request is made.
    mocker.patch('watchdog.urlopen')
    result = watchdog.get_aws_security_credentials()

    for field in ('AccessKeyId', 'SecretAccessKey', 'Token'):
        assert result[field] is None
def test_get_aws_security_credentials_credentials_from_assumed_profile_botocore_not_present(
        mocker, caplog):
    """A named-profile lookup without botocore returns None and logs why."""
    fake_config = get_fake_config()
    # A None entry in sys.modules makes ``import botocore`` raise ImportError.
    mocker.patch.dict("sys.modules", {"botocore": None})

    result = watchdog.get_aws_security_credentials(
        fake_config, "named_profile:test-profile", "us-east-1")

    assert result is None
    first_message = caplog.records[0].message
    assert "Named profile credentials cannot be retrieved without botocore" in first_message
def test_get_aws_security_credentials_not_found_file_found_no_creds(mocker):
    """A credentials file that exists but holds no values yields a falsy result."""
    empty_file_creds = dict.fromkeys(('AccessKeyId', 'SecretAccessKey', 'Token'))
    mocker.patch('os.path.exists', return_value=True)
    mocker.patch('watchdog.credentials_file_helper',
                 return_value=empty_file_creds)
    result = watchdog.get_aws_security_credentials('credentials:default')
    assert not result
def test_get_aws_security_credentials_not_found_file_found_no_creds(mocker):
    """A credentials file that exists but holds no values yields a falsy result."""
    fake_config = get_fake_config()
    # The file helper reports every field as missing.
    empty_file_creds = dict.fromkeys(("AccessKeyId", "SecretAccessKey", "Token"))
    mocker.patch("os.path.exists", return_value=True)
    mocker.patch("watchdog.credentials_file_helper",
                 return_value=empty_file_creds)
    result = watchdog.get_aws_security_credentials(
        fake_config, "credentials:default", "us-east-1")
    assert not result
def test_get_aws_security_credentials_config_file_found_credentials_found_without_token(mocker):
    """Long-term keys from the config file are returned with Token left as None."""
    keys_without_token = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': None
    }

    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=True)
    mocker.patch('watchdog.credentials_file_helper', return_value=keys_without_token)

    result = watchdog.get_aws_security_credentials('config:default')

    for field in ('AccessKeyId', 'SecretAccessKey'):
        assert result[field] == keys_without_token[field]
    # No session token is expected for this source.
    assert result['Token'] is None
def test_get_aws_security_credentials_botocore_present_get_assumed_profile_credentials(
        mocker):
    """A named-profile source returns what the botocore helper supplies."""
    fake_config = get_fake_config()

    assumed_creds = {
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
    }
    # The helper is stubbed, so botocore itself is never invoked here.
    mocker.patch("watchdog.botocore_credentials_helper",
                 return_value=assumed_creds)

    result = watchdog.get_aws_security_credentials(
        fake_config, "named_profile:test-profile", "us-east-1")
    for field, value in assumed_creds.items():
        assert result[field] == value
def test_get_aws_security_credentials_botocore_present_get_assumed_profile_credentials(
        mocker):
    """A named-profile source returns what the botocore helper supplies."""
    fake_config = get_fake_config()

    assumed_creds = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    }
    # The helper is stubbed, so botocore itself is never invoked here.
    mocker.patch('watchdog.botocore_credentials_helper',
                 return_value=assumed_creds)

    result = watchdog.get_aws_security_credentials(
        fake_config, 'named_profile:test-profile', 'us-east-1')
    for field, value in assumed_creds.items():
        assert result[field] == value
def test_get_aws_security_credentials_ecs(mocker):
    """An 'ecs:' source returns the keys from the mocked container endpoint."""
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    task_creds = json.dumps({
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'Expiration': 'EXPIRATION_DATE',
        'RoleArn': 'TASK_ROLE_ARN',
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    })
    mocker.patch.dict(os.environ, {'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI': 'fake_uri'})
    # Every urlopen call returns the same canned response object.
    canned = MockUrlLibResponse(data=task_creds)
    mocker.patch('watchdog.urlopen', return_value=canned)

    result = watchdog.get_aws_security_credentials('ecs:fake_uri')

    expected = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
    }
    for field, value in expected.items():
        assert result[field] == value
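def test_get_aws_security_credentials_config_or_creds_file_found_creds_found_with_token_no_awsprofile(
        mocker):
    """With no source argument, file-based credentials including a token are returned."""
    file_helper_resp = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    }

    # NOTE: an empty patch.dict does not clear os.environ (no clear=True), so
    # ambient AWS-related variables on the test host are still visible here.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=True)
    mocker.patch('watchdog.credentials_file_helper',
                 return_value=file_helper_resp)

    credentials = watchdog.get_aws_security_credentials()

    assert credentials['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert credentials['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    # Compare by value: ``is`` tested object identity, which only held while
    # the code under test passed the very same object through.
    assert credentials['Token'] == SESSION_TOKEN_VAL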
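def test_get_aws_security_credentials_config_file_found_credentials_found(
        mocker):
    """A 'config:default' source returns the keys and token from the file helper."""
    config = get_fake_config()
    file_helper_resp = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    }

    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=True)
    mocker.patch('watchdog.credentials_file_helper',
                 return_value=file_helper_resp)

    credentials = watchdog.get_aws_security_credentials(
        config, 'config:default', 'us-east-1')

    assert credentials['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert credentials['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    # Compare by value: ``is`` tested object identity, which only held while
    # the code under test passed the very same object through.
    assert credentials['Token'] == SESSION_TOKEN_VAL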
def test_get_aws_security_credentials_instance_metadata(mocker):
    """A 'metadata:' source returns the keys from the mocked metadata response."""
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    creds_document = json.dumps({
        'Code': 'Success',
        'LastUpdated': '2019-10-25T14:41:42Z',
        'Type': 'AWS-HMAC',
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
        'Expiration': '2019-10-25T21:17:24Z'
    })
    # return_value (not side_effect): every urlopen call gets this same object.
    canned = MockUrlLibResponse(data=creds_document)
    mocker.patch('watchdog.urlopen', return_value=canned)

    result = watchdog.get_aws_security_credentials('metadata:')

    expected = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
    }
    for field, value in expected.items():
        assert result[field] == value
def test_get_aws_security_credentials_credentials_file_found_credentials_found_without_token(
        mocker):
    """Long-term keys from the credentials file are returned with Token left as None."""
    fake_config = get_fake_config()
    keys_without_token = {
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": None,
    }

    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=True)
    mocker.patch("watchdog.credentials_file_helper",
                 return_value=keys_without_token)

    result = watchdog.get_aws_security_credentials(
        fake_config, "credentials:default", "us-east-1")

    for field in ("AccessKeyId", "SecretAccessKey"):
        assert result[field] == keys_without_token[field]
    # No session token is expected for this source.
    assert result["Token"] is None
def test_get_aws_security_credentials_ecs(mocker):
    """An 'ecs:' source returns the keys from the mocked container endpoint."""
    fake_config = get_fake_config()
    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=False)
    task_creds = json.dumps({
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "Expiration": "EXPIRATION_DATE",
        "RoleArn": "TASK_ROLE_ARN",
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
    })
    mocker.patch.dict(os.environ,
                      {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "fake_uri"})
    # Every urlopen call returns the same canned response object.
    canned = MockUrlLibResponse(data=task_creds)
    mocker.patch("watchdog.urlopen", return_value=canned)

    result = watchdog.get_aws_security_credentials(
        fake_config, "ecs:fake_uri", "us-east-1")

    expected = {
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
    }
    for field, value in expected.items():
        assert result[field] == value
def _test_get_aws_security_credentials_instance_metadata_role_name(
        mocker, is_name_str=True, token_timeout=False):
    """Shared body for the 'metadata:' role-name tests, with optional token timeout.

    NOTE(review): with ``token_timeout`` set, both token requests raise
    ``socket.timeout`` and the test still expects credentials. That pins a
    path where the metadata requests succeed without a session token -
    presumably a tokenless fallback; confirm it is intended for hosts that
    require tokens.
    """
    fake_config = get_fake_config()
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    creds_document = json.dumps({
        'Code': 'Success',
        'LastUpdated': '2019-10-25T14:41:42Z',
        'Type': 'AWS-HMAC',
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
        'Expiration': '2019-10-25T21:17:24Z'
    })

    # Role name is served as bytes when is_name_str is true, str otherwise.
    role_name_payload = b'FAKE_IAM_ROLE_NAME' if is_name_str else 'FAKE_IAM_ROLE_NAME'

    # An exception class in a side_effect list is raised by the mock.
    token_step = [socket.timeout] if token_timeout else [MockUrlLibResponse(data='ABCDEFG==')]

    # Queue order: token, role name, token, credentials document.
    queued = []
    queued += token_step
    queued.append(MockUrlLibResponse(data=role_name_payload))
    queued += token_step
    queued.append(MockUrlLibResponse(data=creds_document))
    mocker.patch('watchdog.urlopen', side_effect=queued)

    result = watchdog.get_aws_security_credentials(
        fake_config, 'metadata:', 'us-east-1')

    expected = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
    }
    for field, value in expected.items():
        assert result[field] == value
def test_get_aws_security_credentials_instance_metadata_no_response(mocker):
    """A 'metadata:' lookup is falsy when the URL helper returns nothing."""
    fake_config = get_fake_config()
    # Stub the request helper itself, so no urlopen call is attempted.
    mocker.patch('watchdog.url_request_helper', return_value=None)
    result = watchdog.get_aws_security_credentials(
        fake_config, 'metadata:', 'us-east-1')
    assert not result
def test_get_aws_security_credentials_not_found_file_not_found(mocker):
    """A 'credentials:default' lookup is falsy when no file exists on disk."""
    fake_config = get_fake_config()
    # Every os.path.exists check reports the path as missing.
    mocker.patch('os.path.exists', return_value=False)
    result = watchdog.get_aws_security_credentials(
        fake_config, 'credentials:default', 'us-east-1')
    assert not result
def test_get_aws_security_credentials_not_found_bad_credentials_source():
    """The 'dummy:source' credentials source must produce a falsy result."""
    fake_config = get_fake_config()
    result = watchdog.get_aws_security_credentials(
        fake_config, 'dummy:source', 'us-east-1')
    assert not result
def test_get_aws_security_credentials_instance_metadata_no_response(mocker):
    """A 'metadata:' lookup is falsy when the URL helper returns nothing."""
    # Stub the request helper itself, so no urlopen call is attempted.
    mocker.patch('watchdog.url_request_helper', return_value=None)
    result = watchdog.get_aws_security_credentials('metadata:')
    assert not result
def test_get_aws_security_credentials_ecs_no_response(mocker):
    """An 'ecs:' lookup is falsy when the URL helper returns nothing."""
    # Stub the request helper itself, so no urlopen call is attempted.
    mocker.patch('watchdog.url_request_helper', return_value=None)
    result = watchdog.get_aws_security_credentials('ecs:fake_uri')
    assert not result
def test_get_aws_security_credentials_not_found_file_not_found(mocker):
    """A 'credentials:default' lookup is falsy when no file exists on disk."""
    # Every os.path.exists check reports the path as missing.
    mocker.patch('os.path.exists', return_value=False)
    result = watchdog.get_aws_security_credentials('credentials:default')
    assert not result
def test_get_aws_security_credentials_not_found_bad_credentials_source():
    """The 'dummy:source' credentials source must produce a falsy result."""
    result = watchdog.get_aws_security_credentials('dummy:source')
    assert not result
def test_get_aws_security_credentials_ecs_no_response(mocker):
    """An 'ecs:' lookup is falsy when the URL helper returns nothing."""
    fake_config = get_fake_config()
    # Stub the request helper itself, so no urlopen call is attempted.
    mocker.patch("watchdog.url_request_helper", return_value=None)
    result = watchdog.get_aws_security_credentials(
        fake_config, "ecs:fake_uri", "us-east-1")
    assert not result