def test_get_aws_security_credentials_credentials_not_found_in_aws_creds_uri(mocker, capsys):
    """An unusable reply from the credentials URI must end in a non-zero exit.

    ``mount_efs.urlopen`` is replaced by a bare mock, so no network request
    is made and the reply is a mock object, not a credentials document.
    """
    fake_config = get_fake_config()
    mocker.patch('mount_efs.urlopen')

    with pytest.raises(SystemExit) as exit_info:
        mount_efs.get_aws_security_credentials(fake_config, True, 'us-east-1', 'default', AWSCREDSURI)

    exit_code = exit_info.value.code
    assert exit_code != 0

    # The failure has to be reported on stderr, not swallowed.
    _, stderr_text = capsys.readouterr()
    assert 'Unsuccessful retrieval of AWS security credentials at' in stderr_text
def test_get_aws_security_credentials_not_found(mocker, capsys):
    """With no credentials file and a mocked ``urlopen``, the lookup exits non-zero."""
    # NOTE: patch.dict with an empty mapping (and no clear=True) only restores
    # os.environ after the test; variables already set on the runner stay visible.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    mocker.patch('mount_efs.urlopen')

    with pytest.raises(SystemExit) as exit_info:
        mount_efs.get_aws_security_credentials()

    exit_code = exit_info.value.code
    assert exit_code != 0

    _, stderr_text = capsys.readouterr()
    expected = 'AWS Access Key ID and Secret Access Key are not found in AWS credentials file'
    assert expected in stderr_text
def test_get_aws_security_credentials_no_credentials_found(mocker, capsys):
    """When no source yields credentials, the call exits non-zero and names the sources tried."""
    # NOTE: patch.dict with an empty mapping (and no clear=True) only restores
    # os.environ after the test; variables already set on the runner stay visible.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    mocker.patch('mount_efs.urlopen')

    with pytest.raises(SystemExit) as exit_info:
        mount_efs.get_aws_security_credentials(True, 'us-east-1', None)

    exit_code = exit_info.value.code
    assert exit_code != 0

    _, stderr_text = capsys.readouterr()
    expected_fragments = (
        'AWS Access Key ID and Secret Access Key are not found in AWS credentials file',
        'from ECS credentials relative uri, or from the instance security credentials service',
    )
    for fragment in expected_fragments:
        assert fragment in stderr_text
def test_get_aws_security_credentials_credentials_not_found_in_files(mocker, capsys):
    """A named profile that cannot be found on disk must produce a non-zero exit."""
    # NOTE: patch.dict with an empty mapping (and no clear=True) only restores
    # os.environ after the test; variables already set on the runner stay visible.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    mocker.patch('mount_efs.urlopen')

    with pytest.raises(SystemExit) as exit_info:
        mount_efs.get_aws_security_credentials(True, 'default')

    exit_code = exit_info.value.code
    assert exit_code != 0

    # The message must identify the profile that was looked up.
    _, stderr_text = capsys.readouterr()
    for fragment in ('AWS security credentials not found in', 'under named profile [default]'):
        assert fragment in stderr_text
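def test_get_aws_security_credentials_credentials_not_found_in_files_and_botocore_not_present(mocker, capsys):
    """Without botocore and without credential files, a named-profile lookup exits non-zero."""
    config = get_fake_config()
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    mocker.patch('mount_efs.urlopen')
    # Patch the module flag through mocker so it is restored at teardown; a
    # plain assignment would leak into every test that runs afterwards.
    mocker.patch.object(mount_efs, 'BOTOCORE_PRESENT', False)

    with pytest.raises(SystemExit) as ex:
        mount_efs.get_aws_security_credentials(config, True, 'us-east-1', 'default')

    assert ex.value.code != 0

    _, err = capsys.readouterr()
    assert 'AWS security credentials not found in' in err
    assert 'under named profile [default]' in err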
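def _test_get_aws_security_credentials_get_instance_metadata_role_name(
        mocker,
        is_name_str=True,
        token_effects=None):
    """Shared body for the instance-metadata credential tests.

    Args:
        mocker: pytest-mock fixture.
        is_name_str: when True the role-name response body is the bytes
            literal ``b"FAKE_IAM_ROLE_NAME"``; otherwise the text literal.
        token_effects: ``urlopen`` side effects placed before the role-name
            response and again before the credentials response. Defaults to
            a single fake token response.
    """
    # Build the default per call instead of sharing one mutable default list
    # (and one response object) across every invocation of this helper.
    if token_effects is None:
        token_effects = [MockUrlLibResponse(data="ABCDEFG==")]

    config = get_fake_config()
    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=False)
    response = json.dumps({
        "Code": "Success",
        "LastUpdated": "2019-10-25T14:41:42Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
        "Expiration": "2019-10-25T21:17:24Z",
    })
    role_name_data = b"FAKE_IAM_ROLE_NAME" if is_name_str else "FAKE_IAM_ROLE_NAME"

    # urlopen call order pinned here: token, role name, token, credentials.
    side_effects = (token_effects + [MockUrlLibResponse(data=role_name_data)] +
                    token_effects + [MockUrlLibResponse(data=response)])
    mocker.patch("mount_efs.urlopen", side_effect=side_effects)

    credentials, credentials_source = mount_efs.get_aws_security_credentials(
        config, True, "us-east-1", None)

    assert credentials["AccessKeyId"] == ACCESS_KEY_ID_VAL
    assert credentials["SecretAccessKey"] == SECRET_ACCESS_KEY_VAL
    assert credentials["Token"] == SESSION_TOKEN_VAL
    assert credentials_source == "metadata:"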
def test_get_aws_security_credentials_do_not_use_iam():
    """With ``False`` as the second argument (presumably the use-IAM flag), nothing is returned.

    Nothing is mocked here, so the test depends on the function returning
    before it reaches any credential source.
    """
    fake_config = get_fake_config()
    result = mount_efs.get_aws_security_credentials(
        fake_config, False, "us-east-1", "test_profile")
    credentials, credentials_source = result

    assert not credentials
    assert not credentials_source
def _test_get_aws_security_credentials_get_instance_metadata_role_name(mocker, is_name_str=True, is_imds_v2=False):
    """Shared body for the instance-metadata credential tests.

    Args:
        mocker: pytest-mock fixture.
        is_name_str: when True the role-name response body is the bytes
            literal ``b'FAKE_IAM_ROLE_NAME'``; otherwise the text literal.
        is_imds_v2: when True the first ``urlopen`` call raises HTTP 401 and
            ``mount_efs.get_aws_ec2_metadata_token`` is patched to hand back
            a fake token, so the role-name request has to be retried.
    """
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    credentials_document = json.dumps({
        'Code': 'Success',
        'LastUpdated': '2019-10-25T14:41:42Z',
        'Type': 'AWS-HMAC',
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
        'Expiration': '2019-10-25T21:17:24Z'
    })
    role_name_data = b'FAKE_IAM_ROLE_NAME' if is_name_str else 'FAKE_IAM_ROLE_NAME'

    urlopen_effects = []
    if is_imds_v2:
        # An exception instance in a side_effect list is raised by the mock.
        urlopen_effects.append(HTTPError('url', 401, 'Unauthorized', None, None))
        mocker.patch('mount_efs.get_aws_ec2_metadata_token', return_value='ABCDEFG==')
    urlopen_effects = urlopen_effects + [
        MockUrlLibResponse(data=role_name_data),
        MockUrlLibResponse(data=credentials_document),
    ]
    mocker.patch('mount_efs.urlopen', side_effect=urlopen_effects)

    credentials, credentials_source = mount_efs.get_aws_security_credentials(True, None)

    expected_fields = (
        ('AccessKeyId', ACCESS_KEY_ID_VAL),
        ('SecretAccessKey', SECRET_ACCESS_KEY_VAL),
        ('Token', SESSION_TOKEN_VAL),
    )
    for field, expected in expected_fields:
        assert credentials[field] == expected
    assert credentials_source == 'metadata:'
def _test_get_aws_security_credentials_get_instance_metadata_role_name(mocker, is_name_str=True, token_timeout=False):
    """Shared body for the instance-metadata credential tests.

    Args:
        mocker: pytest-mock fixture.
        is_name_str: when True the role-name response body is the bytes
            literal ``b'FAKE_IAM_ROLE_NAME'``; otherwise the text literal.
        token_timeout: when True both token fetches raise ``socket.timeout``
            instead of returning a fake token.

    NOTE(review): with ``token_timeout=True`` the test still expects
    credentials, i.e. it pins that a token timeout does not stop retrieval
    (presumably a tokenless fallback request; confirm against mount_efs).
    """
    fake_config = get_fake_config()
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    credentials_document = json.dumps({
        'Code': 'Success',
        'LastUpdated': '2019-10-25T14:41:42Z',
        'Type': 'AWS-HMAC',
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
        'Expiration': '2019-10-25T21:17:24Z'
    })
    role_name_data = b'FAKE_IAM_ROLE_NAME' if is_name_str else 'FAKE_IAM_ROLE_NAME'

    # An exception class in a side_effect list is raised by the mock.
    token_effects = [socket.timeout] if token_timeout else [MockUrlLibResponse(data='ABCDEFG==')]

    # urlopen call order pinned here: token, role name, token, credentials.
    urlopen_effects = (
        token_effects
        + [MockUrlLibResponse(data=role_name_data)]
        + token_effects
        + [MockUrlLibResponse(data=credentials_document)]
    )
    mocker.patch('mount_efs.urlopen', side_effect=urlopen_effects)

    credentials, credentials_source = mount_efs.get_aws_security_credentials(
        fake_config, True, 'us-east-1', None)

    expected_fields = (
        ('AccessKeyId', ACCESS_KEY_ID_VAL),
        ('SecretAccessKey', SECRET_ACCESS_KEY_VAL),
        ('Token', SESSION_TOKEN_VAL),
    )
    for field, expected in expected_fields:
        assert credentials[field] == expected
    assert credentials_source == 'metadata:'
def test_get_aws_security_credentials_no_credentials_found(mocker, capsys):
    """When no source yields credentials, the call exits non-zero and names the sources tried."""
    fake_config = get_fake_config()
    # NOTE: patch.dict with an empty mapping (and no clear=True) only restores
    # os.environ after the test; variables already set on the runner stay visible.
    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=False)
    mocker.patch("mount_efs.urlopen")

    with pytest.raises(SystemExit) as exit_info:
        mount_efs.get_aws_security_credentials(fake_config, True, "us-east-1", None)

    exit_code = exit_info.value.code
    assert exit_code != 0

    _, stderr_text = capsys.readouterr()
    expected_fragments = (
        "AWS Access Key ID and Secret Access Key are not found in AWS credentials file",
        "from ECS credentials relative uri, or from the instance security credentials service",
    )
    for fragment in expected_fragments:
        assert fragment in stderr_text
def test_get_aws_security_credentials_get_ecs_from_option_url(mocker):
    """Credentials served from the URI passed as an option are returned and labelled ``ecs:<uri>``."""
    credentials_document = json.dumps({
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'Expiration': 'EXPIRATION_DATE',
        'RoleArn': 'TASK_ROLE_ARN',
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    })
    fake_reply = MockUrlLibResponse(data=credentials_document)
    mocker.patch('mount_efs.urlopen', return_value=fake_reply)

    result = mount_efs.get_aws_security_credentials(True, None, AWSCREDSURI)
    credentials, credentials_source = result

    expected_fields = (
        ('AccessKeyId', ACCESS_KEY_ID_VAL),
        ('SecretAccessKey', SECRET_ACCESS_KEY_VAL),
        ('Token', SESSION_TOKEN_VAL),
    )
    for field, expected in expected_fields:
        assert credentials[field] == expected
    # The source label records which URI the credentials came from.
    assert credentials_source == 'ecs:' + AWSCREDSURI
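def test_get_aws_security_credentials_config_or_creds_file_found_creds_found_with_token_with_awsprofile(mocker):
    """Credentials with a session token read for a named profile are returned unchanged.

    ``mount_efs.credentials_file_helper`` is mocked, so no file is parsed;
    ``os.path.exists`` reports every path as present.
    """
    file_helper_resp = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    }

    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=True)
    mocker.patch('mount_efs.credentials_file_helper', return_value=file_helper_resp)

    credentials, credentials_source = mount_efs.get_aws_security_credentials(True, 'test_profile')

    assert credentials['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert credentials['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    # Compare by value: an identity check (`is`) on a string would fail as
    # soon as the code under test copies or re-encodes the token.
    assert credentials['Token'] == SESSION_TOKEN_VAL
    assert credentials_source == 'credentials:test_profile'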
def test_get_aws_security_credentials_config_or_creds_file_found_creds_found_without_token_no_awsprofile(
        mocker):
    """Long-term keys without a session token come back with ``Token`` left as ``None``."""
    helper_reply = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': None
    }

    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=True)
    # The file helper is mocked, so no credentials file is actually parsed.
    mocker.patch('mount_efs.credentials_file_helper', return_value=helper_reply)

    credentials = mount_efs.get_aws_security_credentials()

    for field, expected in (('AccessKeyId', ACCESS_KEY_ID_VAL),
                            ('SecretAccessKey', SECRET_ACCESS_KEY_VAL)):
        assert credentials[field] == expected
    assert credentials['Token'] is None
def test_get_aws_security_credentials_get_ecs_from_option_url(mocker):
    """Credentials served from the URI passed as an option are returned and labelled ``ecs:<uri>``."""
    fake_config = get_fake_config()
    credentials_document = json.dumps({
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "Expiration": "EXPIRATION_DATE",
        "RoleArn": "TASK_ROLE_ARN",
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
    })
    fake_reply = MockUrlLibResponse(data=credentials_document)
    mocker.patch("mount_efs.urlopen", return_value=fake_reply)

    result = mount_efs.get_aws_security_credentials(
        fake_config, True, "us-east-1", None, AWSCREDSURI)
    credentials, credentials_source = result

    expected_fields = (
        ("AccessKeyId", ACCESS_KEY_ID_VAL),
        ("SecretAccessKey", SECRET_ACCESS_KEY_VAL),
        ("Token", SESSION_TOKEN_VAL),
    )
    for field, expected in expected_fields:
        assert credentials[field] == expected
    # The source label records which URI the credentials came from.
    assert credentials_source == "ecs:" + AWSCREDSURI
def test_get_aws_security_credentials_get_ecs_from_env_url(mocker):
    """A relative URI taken from the environment yields credentials labelled ``ecs:<uri>``."""
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    credentials_document = json.dumps({
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'Expiration': 'EXPIRATION_DATE',
        'RoleArn': 'TASK_ROLE_ARN',
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    })
    # The variable is set only for this test; patch.dict restores os.environ afterwards.
    container_env = {'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI': 'fake_uri'}
    mocker.patch.dict(os.environ, container_env)
    fake_reply = MockUrlLibResponse(data=credentials_document)
    mocker.patch('mount_efs.urlopen', return_value=fake_reply)

    credentials, credentials_source = mount_efs.get_aws_security_credentials(True, None)

    expected_fields = (
        ('AccessKeyId', ACCESS_KEY_ID_VAL),
        ('SecretAccessKey', SECRET_ACCESS_KEY_VAL),
        ('Token', SESSION_TOKEN_VAL),
    )
    for field, expected in expected_fields:
        assert credentials[field] == expected
    assert credentials_source == 'ecs:fake_uri'
def test_get_aws_security_credentials_get_instance_metadata_role_name_bytes(mocker):
    """A role name delivered as bytes is accepted and the credentials are labelled ``metadata:``."""
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    credentials_document = json.dumps({
        'Code': 'Success',
        'LastUpdated': '2019-10-25T14:41:42Z',
        'Type': 'AWS-HMAC',
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
        'Expiration': '2019-10-25T21:17:24Z'
    })
    # urlopen call order pinned here: role name first, then the credentials document.
    urlopen_effects = [
        MockUrlLibResponse(data=b'FAKE_IAM_ROLE_NAME'),
        MockUrlLibResponse(data=credentials_document),
    ]
    mocker.patch('mount_efs.urlopen', side_effect=urlopen_effects)

    credentials, credentials_source = mount_efs.get_aws_security_credentials(True, None)

    expected_fields = (
        ('AccessKeyId', ACCESS_KEY_ID_VAL),
        ('SecretAccessKey', SECRET_ACCESS_KEY_VAL),
        ('Token', SESSION_TOKEN_VAL),
    )
    for field, expected in expected_fields:
        assert credentials[field] == expected
    assert credentials_source == 'metadata:'
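def test_get_aws_security_credentials_botocore_present_get_assumed_profile_credentials(mocker):
    """With botocore available, a named profile is resolved through the botocore helper.

    The helper itself is mocked; the test pins the returned fields, the
    ``named_profile:<name>`` source label and that the helper was called.
    """
    config = get_fake_config()
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    mocker.patch('mount_efs.urlopen')
    # Patch the module flag through mocker so it is restored at teardown; a
    # plain assignment would leak into every test that runs afterwards.
    mocker.patch.object(mount_efs, 'BOTOCORE_PRESENT', True)

    botocore_helper_resp = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    }
    botocore_get_assumed_profile_credentials_mock = mocker.patch('mount_efs.botocore_credentials_helper',
                                                                 return_value=botocore_helper_resp)

    credentials, credentials_source = mount_efs.get_aws_security_credentials(config, True, 'us-east-1', awsprofile='test-profile')
    assert credentials['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert credentials['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    assert credentials['Token'] == SESSION_TOKEN_VAL
    assert credentials_source == 'named_profile:test-profile'
    utils.assert_called(botocore_get_assumed_profile_credentials_mock)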
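def test_get_aws_security_credentials_iam(mocker):
    """With no credentials file, the document served by the mocked ``urlopen`` is returned.

    Every ``urlopen`` call gets the same fake credentials document, so no
    network request is made.
    """
    # One patch.dict is enough; the original repeated it further down with
    # no effect. It only restores os.environ afterwards, it does not clear it.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    response = json.dumps({
        'Code': 'Success',
        'LastUpdated': '2019-10-25T14:41:42Z',
        'Type': 'AWS-HMAC',
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
        'Expiration': '2019-10-25T21:17:24Z'
    })
    mocker.patch('mount_efs.urlopen',
                 return_value=MockUrlLibResponse(data=response))

    credentials = mount_efs.get_aws_security_credentials()

    assert credentials['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert credentials['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    assert credentials['Token'] == SESSION_TOKEN_VAL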
def test_get_aws_security_credentials_config_or_creds_file_found_creds_found_without_token_with_awsprofile(
    mocker, ):
    """Long-term keys for a named profile come back with ``Token`` left as ``None``."""
    fake_config = get_fake_config()
    helper_reply = {
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": None,
    }

    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=True)
    # The file helper is mocked, so no credentials file is actually parsed.
    mocker.patch("mount_efs.credentials_file_helper", return_value=helper_reply)

    result = mount_efs.get_aws_security_credentials(
        fake_config, True, "us-east-1", "test_profile")
    credentials, credentials_source = result

    for field, expected in (("AccessKeyId", ACCESS_KEY_ID_VAL),
                            ("SecretAccessKey", SECRET_ACCESS_KEY_VAL)):
        assert credentials[field] == expected
    assert credentials["Token"] is None
    assert credentials_source == "credentials:test_profile"
def _test_get_aws_security_credentials_get_ecs_from_env_url(mocker):
    """A relative URI taken from the environment yields credentials labelled ``ecs:<uri>``.

    NOTE(review): the leading underscore keeps pytest's default ``test_*``
    discovery from collecting this function; no caller is visible here.
    """
    fake_config = get_fake_config()
    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=False)
    credentials_document = json.dumps({
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "Expiration": "EXPIRATION_DATE",
        "RoleArn": "TASK_ROLE_ARN",
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
    })
    # The variable is set only for this test; patch.dict restores os.environ afterwards.
    container_env = {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "fake_uri"}
    mocker.patch.dict(os.environ, container_env)

    fake_reply = MockUrlLibResponse(data=credentials_document)
    mocker.patch("mount_efs.urlopen", return_value=fake_reply)

    result = mount_efs.get_aws_security_credentials(
        fake_config, True, "us-east-1", None)
    credentials, credentials_source = result

    expected_fields = (
        ("AccessKeyId", ACCESS_KEY_ID_VAL),
        ("SecretAccessKey", SECRET_ACCESS_KEY_VAL),
        ("Token", SESSION_TOKEN_VAL),
    )
    for field, expected in expected_fields:
        assert credentials[field] == expected
    assert credentials_source == "ecs:fake_uri"
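def test_get_aws_security_credentials_botocore_present_get_assumed_profile_credentials(
    mocker, ):
    """With botocore available, a named profile is resolved through the botocore helper.

    The helper itself is mocked; the test pins the returned fields, the
    ``named_profile:<name>`` source label and that the helper was called.
    """
    config = get_fake_config()
    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=False)
    mocker.patch("mount_efs.urlopen")
    # Patch the module flag through mocker so it is restored at teardown; a
    # plain assignment would leak into every test that runs afterwards.
    mocker.patch.object(mount_efs, "BOTOCORE_PRESENT", True)

    botocore_helper_resp = {
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
    }
    botocore_get_assumed_profile_credentials_mock = mocker.patch(
        "mount_efs.botocore_credentials_helper",
        return_value=botocore_helper_resp)

    credentials, credentials_source = mount_efs.get_aws_security_credentials(
        config, True, "us-east-1", awsprofile="test-profile")
    assert credentials["AccessKeyId"] == ACCESS_KEY_ID_VAL
    assert credentials["SecretAccessKey"] == SECRET_ACCESS_KEY_VAL
    assert credentials["Token"] == SESSION_TOKEN_VAL
    assert credentials_source == "named_profile:test-profile"
    utils.assert_called(botocore_get_assumed_profile_credentials_mock)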
def test_get_aws_security_credentials_do_not_use_iam():
    """With ``False`` as the first argument (presumably the use-IAM flag), nothing is returned.

    Nothing is mocked here, so the test depends on the function returning
    before it reaches any credential source.
    """
    result = mount_efs.get_aws_security_credentials(False, 'test_profile')
    credentials, credentials_source = result

    assert not credentials
    assert not credentials_source