Exemplo n.º 1
0
        def fetch_credentials(require_expiry=True):
            credentials = {}

            access_key = environ.get(mapping['access_key'])
            if access_key is None:
                raise PartialCredentialsError(provider=method,
                                              cred_var=mapping['access_key'])
            credentials['access_key'] = access_key

            secret_key = environ.get(mapping['secret_key'])
            if secret_key is None:
                raise PartialCredentialsError(provider=method,
                                              cred_var=mapping['secret_key'])
            credentials['secret_key'] = secret_key

            token = None
            for token_env_var in mapping['token']:
                if token_env_var in environ:
                    token = environ[token_env_var]
                    break
            credentials['token'] = token

            expiry_time = environ.get(mapping['expiry_time'])
            if require_expiry and expiry_time is None:
                raise PartialCredentialsError(provider=method,
                                              cred_var=mapping['expiry_time'])
            credentials['expiry_time'] = expiry_time

            return credentials
Exemplo n.º 2
0
 def _get_role_config_values(self):
     # This returns the role related configuration.
     profiles = self._loaded_config.get('profiles', {})
     try:
         source_profile = profiles[self._profile_name]['source_profile']
         role_arn = profiles[self._profile_name]['role_arn']
         mfa_serial = profiles[self._profile_name].get('mfa_serial')
     except KeyError as e:
         raise PartialCredentialsError(provider=self.METHOD,
                                       cred_var=str(e))
     external_id = profiles[self._profile_name].get('external_id')
     role_session_name = \
         profiles[self._profile_name].get('role_session_name')
     if source_profile not in profiles:
         raise InvalidConfigError(
             error_msg=('The source_profile "%s" referenced in '
                        'the profile "%s" does not exist.' %
                        (source_profile, self._profile_name)))
     source_cred_values = profiles[source_profile]
     return {
         'role_arn': role_arn,
         'external_id': external_id,
         'source_profile': source_profile,
         'mfa_serial': mfa_serial,
         'source_cred_values': source_cred_values,
         'role_session_name': role_session_name
     }
Exemplo n.º 3
0
    def _get_mfa_config(self, profile_name):
        profiles = self._loaded_config.get('profiles', {})

        profile = profiles[profile_name]
        source_profile = profile.get('source_profile')
        credential_source = profile.get('credential_source')

        mfa_config = {
            'mfa_serial': profile.get('mfa_serial'),
            'source_profile': source_profile,
            'credential_source': credential_source,
        }

        if credential_source is not None and source_profile is not None:
            raise InvalidConfigError(error_msg=(
                'The profile "{profile_name}" contains both source_profile and '
                'credential_source.'.format(profile_name=profile_name)), )
        elif credential_source is None and source_profile is None:
            raise PartialCredentialsError(
                provider=self.METHOD,
                cred_var='source_profile or credential_source',
            )
        elif credential_source is not None:
            self._validate_credential_source(profile_name, credential_source)
        else:
            self._validate_source_profile(profile_name, source_profile)

        return mfa_config
Exemplo n.º 4
0
 def test_boto3_raises_exceptions_fail(self, boto3, config):
     boto3.session.Session.side_effect = PartialCredentialsError(
         provider=Mock(), cred_var=Mock())
     assert CWDataSource(config).test() == False
     boto3.session.Session.side_effect = ClientError(MagicMock(), Mock())
     assert CWDataSource(config).test() == False
     boto3.session.Session.side_effect = NoRegionError()
     assert CWDataSource(config).test() == False
Exemplo n.º 5
0
 def _resolve_static_credentials_from_profile(self, profile):
     try:
         return AioCredentials(access_key=profile['aws_access_key_id'],
                               secret_key=profile['aws_secret_access_key'],
                               token=profile.get('aws_session_token'))
     except KeyError as e:
         raise PartialCredentialsError(provider=self.METHOD,
                                       cred_var=str(e))
Exemplo n.º 6
0
 def _extract_creds_from_mapping(self, mapping, *key_names):
     found = []
     for key_name in key_names:
         try:
             found.append(mapping[key_name])
         except KeyError:
             raise PartialCredentialsError(provider=self.METHOD,
                                           cred_var=key_name)
     return found
Exemplo n.º 7
0
 def test_raises_boto3clienterror(self, boto3, config):
     boto3.session.Session.side_effect = PartialCredentialsError(
         provider=Mock(), cred_var=Mock())
     with pytest.raises(Boto3ClientError):
         CWDataSource(config)._cw_client()
     boto3.session.Session.side_effect = ClientError(MagicMock(), Mock())
     with pytest.raises(Boto3ClientError):
         CWDataSource(config)._cw_client()
     boto3.session.Session.side_effect = NoRegionError()
     with pytest.raises(Boto3ClientError):
         CWDataSource(config)._cw_client()
Exemplo n.º 8
0
    def create_client(self,
                      service_name,
                      region_name=None,
                      api_version=None,
                      use_ssl=True,
                      verify=None,
                      endpoint_url=None,
                      aws_access_key_id=None,
                      aws_secret_access_key=None,
                      aws_session_token=None,
                      config=None):
        """Create a botocore client.

        :type service_name: string
        :param service_name: The name of the service for which a client will
            be created.  You can use the ``Sesssion.get_available_services()``
            method to get a list of all available service names.

        :type region_name: string
        :param region_name: The name of the region associated with the client.
            A client is associated with a single region.

        :type api_version: string
        :param api_version: The API version to use.  By default, botocore will
            use the latest API version when creating a client.  You only need
            to specify this parameter if you want to use a previous API version
            of the client.

        :type use_ssl: boolean
        :param use_ssl: Whether or not to use SSL.  By default, SSL is used.
            Note that not all services support non-ssl connections.

        :type verify: boolean/string
        :param verify: Whether or not to verify SSL certificates.
            By default SSL certificates are verified.  You can provide the
            following values:

            * False - do not validate SSL certificates.  SSL will still be
              used (unless use_ssl is False), but SSL certificates
              will not be verified.
            * path/to/cert/bundle.pem - A filename of the CA cert bundle to
              uses.  You can specify this argument if you want to use a
              different CA cert bundle than the one used by botocore.

        :type endpoint_url: string
        :param endpoint_url: The complete URL to use for the constructed
            client.  Normally, botocore will automatically construct the
            appropriate URL to use when communicating with a service.  You can
            specify a complete URL (including the "http/https" scheme) to
            override this behavior.  If this value is provided, then
            ``use_ssl`` is ignored.

        :type aws_access_key_id: string
        :param aws_access_key_id: The access key to use when creating
            the client.  This is entirely optional, and if not provided,
            the credentials configured for the session will automatically
            be used.  You only need to provide this argument if you want
            to override the credentials used for this specific client.

        :type aws_secret_access_key: string
        :param aws_secret_access_key: The secret key to use when creating
            the client.  Same semantics as aws_access_key_id above.

        :type aws_session_token: string
        :param aws_session_token: The session token to use when creating
            the client.  Same semantics as aws_access_key_id above.

        :type config: botocore.client.Config
        :param config: Advanced client configuration options. If a value
            is specified in the client config, its value will take precedence
            over environment variables and configuration values, but not over
            a value passed explicitly to the method. If a default config
            object is set on the session, the config object used when creating
            the client will be the result of calling ``merge()`` on the
            default config with the config provided to this call.

        :rtype: botocore.client.BaseClient
        :return: A botocore client instance

        """
        default_client_config = self.get_default_client_config()
        # If a config is provided and a default config is set, then
        # use the config resulting from merging the two.
        if config is not None and default_client_config is not None:
            config = default_client_config.merge(config)
        # If a config was not provided then use the default
        # client config from the session
        elif default_client_config is not None:
            config = default_client_config

        # Figure out the user-provided region based on the various
        # configuration options.
        if region_name is None:
            if config and config.region_name is not None:
                region_name = config.region_name
            else:
                region_name = self.get_config_variable('region')

        # Figure out the verify value base on the various
        # configuration options.
        if verify is None:
            verify = self.get_config_variable('ca_bundle')

        if api_version is None:
            api_version = self.get_config_variable('api_versions').get(
                service_name, None)

        loader = self.get_component('data_loader')
        event_emitter = self.get_component('event_emitter')
        response_parser_factory = self.get_component('response_parser_factory')
        if aws_access_key_id is not None and aws_secret_access_key is not None:
            credentials = botocore.credentials.Credentials(
                access_key=aws_access_key_id,
                secret_key=aws_secret_access_key,
                token=aws_session_token)
        elif self._missing_cred_vars(aws_access_key_id, aws_secret_access_key):
            raise PartialCredentialsError(provider='explicit',
                                          cred_var=self._missing_cred_vars(
                                              aws_access_key_id,
                                              aws_secret_access_key))
        else:
            credentials = self.get_credentials()
        endpoint_resolver = self.get_component('endpoint_resolver')
        client_creator = botocore.client.ClientCreator(
            loader, endpoint_resolver, self.user_agent(), event_emitter,
            retryhandler, translate, response_parser_factory)
        client = client_creator.create_client(
            service_name=service_name,
            region_name=region_name,
            is_secure=use_ssl,
            endpoint_url=endpoint_url,
            verify=verify,
            credentials=credentials,
            scoped_config=self.get_scoped_config(),
            client_config=config,
            api_version=api_version)
        return client
Exemplo n.º 9
0
    def create_client(self, service_name, region_name=None, api_version=None,
                      use_ssl=True, verify=None, endpoint_url=None,
                      aws_access_key_id=None, aws_secret_access_key=None,
                      aws_session_token=None, config=None):

        default_client_config = self.get_default_client_config()
        # If a config is provided and a default config is set, then
        # use the config resulting from merging the two.
        if config is not None and default_client_config is not None:
            config = default_client_config.merge(config)
        # If a config was not provided then use the default
        # client config from the session
        elif default_client_config is not None:
            config = default_client_config

        region_name = self._resolve_region_name(region_name, config)

        # Figure out the verify value base on the various
        # configuration options.
        if verify is None:
            verify = self.get_config_variable('ca_bundle')

        if api_version is None:
            api_version = self.get_config_variable('api_versions').get(
                service_name, None)

        loader = self.get_component('data_loader')
        event_emitter = self.get_component('event_emitter')
        response_parser_factory = self.get_component(
            'response_parser_factory')
        if config is not None and config.signature_version is UNSIGNED:
            credentials = None
        elif aws_access_key_id is not None and \
                aws_secret_access_key is not None:
            credentials = botocore.credentials.Credentials(
                access_key=aws_access_key_id,
                secret_key=aws_secret_access_key,
                token=aws_session_token)
        elif self._missing_cred_vars(aws_access_key_id,
                                     aws_secret_access_key):
            raise PartialCredentialsError(
                provider='explicit',
                cred_var=self._missing_cred_vars(aws_access_key_id,
                                                 aws_secret_access_key))
        else:
            credentials = self.get_credentials()
        endpoint_resolver = self._get_internal_component('endpoint_resolver')
        exceptions_factory = self._get_internal_component('exceptions_factory')
        config_store = self.get_component('config_store')
        client_creator = AioClientCreator(
            loader, endpoint_resolver, self.user_agent(), event_emitter,
            retryhandler, translate, response_parser_factory,
            exceptions_factory, config_store, loop=self._loop)
        client = client_creator.create_client(
            service_name=service_name, region_name=region_name,
            is_secure=use_ssl, endpoint_url=endpoint_url, verify=verify,
            credentials=credentials, scoped_config=self.get_scoped_config(),
            client_config=config, api_version=api_version)
        monitor = self._get_internal_component('monitor')
        if monitor is not None:
            monitor.register(client.meta.events)
        return client
Exemplo n.º 10
0
    def __init__(self,
                 session=None,
                 region_name=None,
                 api_version=None,
                 use_ssl=None,
                 verify=None,
                 endpoint_url=None,
                 aws_access_key_id=None,
                 aws_secret_access_key=None,
                 aws_session_token=None,
                 config=None,
                 endpoints=None):
        if session is None:
            session = botocore.session.get_session()
        else:
            if not isinstance(session, botocore.session.Session):
                try:
                    # Check for a boto3 session-ish object and get the internal botocore session
                    _session = session._session
                except AttributeError:
                    raise ValueError(
                        'session must be a botocore or boto3 session')
                else:
                    session = _session

        if use_ssl:
            raise ValueError('SSL/TLS is not supported. Set use_ssl=False.')

        self._session = session
        default_client_config = self._session.get_default_client_config()
        if config is not None and default_client_config is not None:
            # If a config is provided and a default config is set, then
            # use the config resulting from merging the two.
            config = default_client_config.merge(config)
        elif default_client_config is not None:
            # If a config was not provided then use the default
            # client config from the session
            config = default_client_config
        self._client_config = config if config is not None else Config(
            region_name=region_name)

        # resolve the region name
        if region_name is None:
            if config and config.region_name:
                region_name = config.region_name
            else:
                region_name = self._session.get_config_variable('region')
        self._region_name = region_name

        # Figure out the verify value base on the various
        # configuration options.
        if verify is None:
            verify = self._session.get_config_variable('ca_bundle')
        self._verify = verify

        # Gather endpoints
        self._endpoints = endpoints or []
        if endpoint_url and endpoint_url not in self._endpoints:
            # If endpoint_url is provided, include it
            self._endpoints.insert(0, endpoint_url)

        if not self._endpoints:
            raise ValueError('No endpoints provided')

        # Resolve credentials
        if aws_access_key_id is not None and aws_secret_access_key is not None:
            self._credentials = Credentials(aws_access_key_id,
                                            aws_secret_access_key,
                                            aws_session_token)
        elif self._session._missing_cred_vars(aws_access_key_id,
                                              aws_secret_access_key):
            raise PartialCredentialsError(
                provider='explicit',
                cred_var=self._session._missing_cred_vars(
                    aws_access_key_id, aws_secret_access_key))
        else:
            self._credentials = self._session.get_credentials()

        # Fake out the meta information as much as possible
        loader = session.get_component('data_loader')
        json_model = loader.load_service_model('dynamodb',
                                               'service-2',
                                               api_version=api_version)
        service_model = ServiceModel(json_model, service_name='dynamodb')
        event_emitter = session.get_component('event_emitter')
        partition = None
        self.meta = ClientMeta(event_emitter, self._client_config,
                               self._endpoints[0], service_model,
                               self._PY_TO_OP_NAME, partition)

        # Check signing version
        if self._client_config.signature_version and self._client_config.signature_version != 'v4':
            logger.warning(
                'DAX only supports SigV4 signing; given signature_version "%s" ignored.',
                self._client_config.signature_version)

        # Start cluster connection & background tasks
        self._cluster = Cluster(self._region_name, self._endpoints,
                                self._credentials,
                                self._client_config.user_agent,
                                self._client_config.user_agent_extra,
                                self._client_config.connect_timeout,
                                self._client_config.read_timeout)
        self._cluster.start()
Exemplo n.º 11
0
    def create_client(self,
                      service_name,
                      region_name=None,
                      api_version=None,
                      use_ssl=True,
                      verify=None,
                      endpoint_url=None,
                      aws_access_key_id=None,
                      aws_secret_access_key=None,
                      aws_session_token=None,
                      config=None,
                      http_session=None):

        assert http_session, "http_session is required"

        # CUT AND PASTE FROM BOTOCORE

        default_client_config = self.get_default_client_config()
        # If a config is provided and a default config is set, then
        # use the config resulting from merging the two.
        if config is not None and default_client_config is not None:
            config = default_client_config.merge(config)
        # If a config was not provided then use the default
        # client config from the session
        elif default_client_config is not None:
            config = default_client_config

        # Figure out the user-provided region based on the various
        # configuration options.
        if region_name is None:
            if config and config.region_name is not None:
                region_name = config.region_name
            else:
                region_name = self.get_config_variable('region')

        # Figure out the verify value base on the various
        # configuration options.
        if verify is None:
            verify = self.get_config_variable('ca_bundle')

        if api_version is None:
            api_version = self.get_config_variable('api_versions').get(
                service_name, None)

        loader = self.get_component('data_loader')
        event_emitter = self.get_component('event_emitter')
        response_parser_factory = self.get_component('response_parser_factory')
        if aws_access_key_id is not None and aws_secret_access_key is not None:
            credentials = botocore.credentials.Credentials(
                access_key=aws_access_key_id,
                secret_key=aws_secret_access_key,
                token=aws_session_token)
        elif self._missing_cred_vars(aws_access_key_id, aws_secret_access_key):
            raise PartialCredentialsError(provider='explicit',
                                          cred_var=self._missing_cred_vars(
                                              aws_access_key_id,
                                              aws_secret_access_key))
        else:
            credentials = self.get_credentials()
        endpoint_resolver = self.get_component('endpoint_resolver')

        # END OF CUT AND PASTE

        client_creator = AsyncClientCreator(http_session,
                                            loader, endpoint_resolver,
                                            self.user_agent(), event_emitter,
                                            retryhandler, translate,
                                            response_parser_factory)

        client = client_creator.create_client(
            service_name=service_name,
            region_name=region_name,
            is_secure=use_ssl,
            endpoint_url=endpoint_url,
            verify=verify,
            credentials=credentials,
            scoped_config=self.get_scoped_config(),
            client_config=config,
            api_version=api_version)
        return client