Exemplo n.º 1
    def patch(self, test_name, default_test_bucket):
        """Route boto's credential lookup through a faked instance profile.

        A federation token is obtained from STS, restricted by the policy
        that ``make_policy`` builds for ``default_test_bucket`` and
        ``test_name``.  The AWS credential environment variables are then
        removed and ``boto.utils.get_instance_metadata`` is replaced so
        that it returns this token.
        """
        # The STS call comes first: it must run before the credential
        # environment variables are deleted below.
        sts = s3_integration_help.sts_conn()
        scoped_policy = s3_integration_help.make_policy(
            default_test_bucket, test_name)
        token = sts.get_federation_token(default_test_bucket,
                                         policy=scoped_policy)

        # With the environment-variable credentials gone, the instance
        # profile path is the one that gets exercised.
        for env_var in _AWS_CRED_ENV_VARS:
            self.monkeypatch.delenv(env_var, raising=False)

        prefix = 's3://{0}/{1}'.format(default_test_bucket, test_name)
        self.monkeypatch.setenv('WALE_S3_PREFIX', prefix)
        self.monkeypatch.setenv('AWS_REGION', 'us-west-1')

        # Stand-in security-credentials record.  The timestamps are
        # fixed, far-future values; the key material is the temporary,
        # policy-scoped token requested above.
        issued = token.credentials
        record = {
            "Code": "Success",
            "LastUpdated": "3014-01-11T02:13:53Z",
            "Type": "AWS-HMAC",
            "AccessKeyId": issued.access_key,
            "SecretAccessKey": issued.secret_key,
            "Token": issued.session_token,
            "Expiration": "3014-01-11T08:16:59Z"
        }

        from boto import provider

        def never_refresh(_provider):
            # Pinned to False for the duration of the test.
            # NOTE(review): presumably this keeps boto from re-fetching
            # credentials mid-test -- confirm against the boto version.
            return False

        self.monkeypatch.setattr(provider.Provider,
                                 '_credentials_need_refresh',
                                 never_refresh)

        # The nesting of the metadata document depends on the boto
        # version in use.
        import test_aws_instance_profiles
        if test_aws_instance_profiles.boto_flat_metadata():
            metadata = {'irrelevant': record}
        else:
            metadata = {
                'iam': {'security-credentials': {'irrelevant': record}}
            }

        from boto import utils

        # Every metadata lookup now answers with the faked document.
        self.monkeypatch.setattr(utils, 'get_instance_metadata',
                                 lambda *args, **kwargs: metadata)
Exemplo n.º 2
    def patch(self, test_name):
        """Fake an instance profile backed by a scoped STS token.

        The token is requested first and is limited by the policy built
        from ``self.default_test_bucket`` and ``test_name``.  After that
        the AWS credential environment variables are deleted and boto's
        ``get_instance_metadata`` is swapped for a stub returning the
        token.
        """
        bucket_name = self.default_test_bucket

        # Fetch the stand-in credentials before the environment is
        # scrubbed of AWS environment variables.
        sts_client = s3_integration_help.sts_conn()
        policy_doc = s3_integration_help.make_policy(bucket_name, test_name)
        federated = sts_client.get_federation_token(bucket_name,
                                                    policy=policy_doc)

        # Remove environment-variable credentials so that only the
        # instance profile path is left.
        for var_name in _AWS_CRED_ENV_VARS:
            self.monkeypatch.delenv(var_name, raising=False)

        wale_prefix = 's3://{0}/{1}'.format(bucket_name, test_name)
        self.monkeypatch.setenv('WALE_S3_PREFIX', wale_prefix)
        self.monkeypatch.setenv('AWS_REGION', 'us-west-1')

        # Made-up credential record; only the three key fields come
        # from STS, the timestamps are hard-coded far-future values.
        sts_creds = federated.credentials
        fake_record = {
            "Code": "Success",
            "LastUpdated": "3014-01-11T02:13:53Z",
            "Type": "AWS-HMAC",
            "AccessKeyId": sts_creds.access_key,
            "SecretAccessKey": sts_creds.secret_key,
            "Token": sts_creds.session_token,
            "Expiration": "3014-01-11T08:16:59Z"
        }

        from boto import provider

        # The refresh check always answers False while the patch is
        # active.
        self.monkeypatch.setattr(provider.Provider,
                                 '_credentials_need_refresh',
                                 lambda _provider: False)

        # Older and newer boto releases expect the record at different
        # depths of the metadata document.
        import test_aws_instance_profiles
        flat = test_aws_instance_profiles.boto_flat_metadata()
        by_role = {'irrelevant': fake_record}
        document = by_role if flat else {
            'iam': {'security-credentials': by_role}}

        from boto import utils

        def stub_metadata(*args, **kwargs):
            # Arguments are ignored; the same document is always
            # returned.
            return document

        self.monkeypatch.setattr(utils, 'get_instance_metadata',
                                 stub_metadata)
Exemplo n.º 3
def test_backup_list(sts_conn):
    """Run BackupList with a federation token limited by the test policy.

    The bucket is created empty, so the listing is expected to yield
    nothing and, in particular, not to be rejected.
    """
    bn = 'wal-e.sts.backup.list'
    endpoint = 's3-us-west-1.amazonaws.com'
    path_style = connection.OrdinaryCallingFormat()

    # Temporary credentials restricted to 'test-prefix' in this bucket.
    scoped_policy = make_policy(bn, 'test-prefix')
    token = sts_conn.get_federation_token('wal-e-test-backup-list',
                                          policy=scoped_policy)
    layout = StorageLayout('s3://{0}/test-prefix'.format(bn))
    issued = token.credentials
    creds = Credentials(issued.access_key, issued.secret_key,
                        issued.session_token)

    with FreshBucket(bn, calling_format=path_style, host=endpoint) as fb:
        fb.create(location='us-west-1')

        # This connection is opened with the scoped token, not with the
        # credentials FreshBucket itself uses.
        conn = calling_format.from_store_name(bn).connect(creds)
        conn.host = endpoint

        found = [backup for backup in BackupList(conn, layout, True)]
        assert not found
Exemplo n.º 4
def test_uri_put_file(sts_conn):
    """Upload with uri_put_file under a scoped token and read it back."""
    bn = 'wal-e.sts.uri.put.file'
    path_style = connection.OrdinaryCallingFormat()

    # NOTE(review): allow_get_location presumably adds the bucket
    # location permission that uri_put_file relies on -- confirm in
    # make_policy.
    scoped_policy = make_policy(bn, 'test-prefix', allow_get_location=True)
    token = sts_conn.get_federation_token('wal-e-test-uri-put-file',
                                          policy=scoped_policy)

    key_path = 'test-prefix/test-key'

    issued = token.credentials
    creds = Credentials(issued.access_key, issued.secret_key,
                        issued.session_token)

    with FreshBucket(bn, keys=[key_path], calling_format=path_style,
                     host='s3-us-west-1.amazonaws.com') as fb:
        fb.create(location='us-west-1')

        # The write goes through the scoped token ...
        target_uri = 's3://' + bn + '/' + key_path
        uri_put_file(creds, target_uri, StringIO('test-content'))

        # ... while the read-back uses FreshBucket's own connection.
        stored = connection.Key(fb.conn.get_bucket(bn, validate=False))
        stored.name = key_path
        assert stored.get_contents_as_string() == 'test-content'
Exemplo n.º 5
def test_backup_list(sts_conn):
    """Check that BackupList works under the restricted test policy.

    A freshly created bucket holds no backups, so an empty result is
    the expected outcome.
    """
    bn = 'wal-e.sts.backup.list'
    s3_host = 's3-us-west-1.amazonaws.com'
    ordinary = connection.OrdinaryCallingFormat()

    # Federation token whose policy is built for 'test-prefix' only.
    policy_doc = make_policy(bn, 'test-prefix')
    federated = sts_conn.get_federation_token('wal-e-test-backup-list',
                                              policy=policy_doc)
    layout = StorageLayout('s3://{0}/test-prefix'.format(bn))
    sts_creds = federated.credentials
    creds = Credentials(sts_creds.access_key,
                        sts_creds.secret_key,
                        sts_creds.session_token)

    with FreshBucket(bn, calling_format=ordinary, host=s3_host) as fb:
        fb.create(location='us-west-1')

        # Connect with the token so the listing is subject to the
        # policy.
        store_info = calling_format.from_store_name(bn)
        conn = store_info.connect(creds)
        conn.host = s3_host

        listed = list(BackupList(conn, layout, True))
        assert not listed
Exemplo n.º 6
def test_uri_put_file(sts_conn):
    """Write one key via uri_put_file using a federation token.

    The stored content is fetched afterwards and compared with what
    was uploaded.
    """
    bn = 'wal-e.sts.uri.put.file'
    ordinary = connection.OrdinaryCallingFormat()
    s3_host = 's3-us-west-1.amazonaws.com'

    # The policy is built for 'test-prefix' with allow_get_location
    # switched on.
    policy_doc = make_policy(bn, 'test-prefix', allow_get_location=True)
    federated = sts_conn.get_federation_token('wal-e-test-uri-put-file',
                                              policy=policy_doc)

    key_path = 'test-prefix/test-key'

    sts_creds = federated.credentials
    creds = Credentials(sts_creds.access_key, sts_creds.secret_key,
                        sts_creds.session_token)

    with FreshBucket(bn, keys=[key_path], calling_format=ordinary,
                     host=s3_host) as fb:
        fb.create(location='us-west-1')

        # Upload under the restricted credentials.
        payload = StringIO('test-content')
        uri_put_file(creds, 's3://' + bn + '/' + key_path, payload)

        # Verification reads through fb.conn, i.e. not through the
        # token being tested.
        checked_bucket = fb.conn.get_bucket(bn, validate=False)
        k = connection.Key(checked_bucket)
        k.name = key_path
        assert k.get_contents_as_string() == 'test-content'
Exemplo n.º 7
def test_policy(sts_conn, monkeypatch):
    """Check what a prefix-scoped federation token may and may not do.

    Inside ``test-prefix/`` the token is expected to PUT, list and GET.
    Listing the whole bucket and a PUT outside the prefix are expected
    to be refused with HTTP 403.
    """
    monkeypatch.setenv('AWS_REGION', 'us-west-1')
    # The bucket name contains periods so that
    # calling_format.from_store_name picks OrdinaryCallingFormat.
    bn = bucket_name_mangle('wal-e.sts.list.test')
    endpoint = 's3-us-west-1.amazonaws.com'
    path_style = connection.OrdinaryCallingFormat()

    scoped_policy = make_policy(bn, 'test-prefix')
    token = sts_conn.get_federation_token('wal-e-test-list-bucket',
                                          policy=scoped_policy)
    test_payload = 'wal-e test'

    keys = [
        'test-prefix/hello',
        'test-prefix/world',
        'not-in-prefix/goodbye',
        'not-in-prefix/world',
    ]
    issued = token.credentials
    creds = Credentials(issued.access_key, issued.secret_key,
                        issued.session_token)

    with FreshBucket(bn, keys=keys, calling_format=path_style,
                     host=endpoint) as fb:
        # Handle with unrestricted access, used to seed keys that the
        # scoped token is not allowed to write.
        bucket_superset_creds = fb.create(location='us-west-1')

        conn = calling_format.from_store_name(bn).connect(creds)
        conn.host = endpoint

        # Handle that goes through the token and is therefore subject
        # to the policy.
        bucket = conn.get_bucket(bn, validate=False)

        for name in keys:
            # Keys inside the prefix exercise the PUT privilege of the
            # token; the others have to be written with the
            # unrestricted handle.
            in_prefix = name.startswith('test-prefix/')
            holder = bucket if in_prefix else bucket_superset_creds
            k = connection.Key(holder)
            k.key = name
            k.set_contents_from_string(test_payload)

        # Allowed: list within the prefix.
        prefix_fetched_keys = list(bucket.list(prefix='test-prefix/'))
        assert len(prefix_fetched_keys) == 2

        # Allowed: GET on the keys that were listed.
        for key in prefix_fetched_keys:
            assert key.get_contents_as_string() == b'wal-e test'

        # Denied: listing with an empty prefix, i.e. the whole bucket.
        with pytest.raises(exception.S3ResponseError) as e:
            list(bucket.list(prefix=''))

        assert e.value.status == 403

        # Denied: PUT to a key outside the prefix.
        # NOTE(review): a GET outside the prefix is not exercised in
        # this test.
        k = connection.Key(bucket)
        k.key = 'not-in-prefix/world'

        with pytest.raises(exception.S3ResponseError) as e:
            k.set_contents_from_string(test_payload)

        assert e.value.status == 403
Exemplo n.º 8
def test_simple_federation_token(sts_conn):
    """Smoke test: request a federation token with a make_policy policy.

    Nothing is asserted on the result; the test passes when the call
    returns without raising.
    """
    policy_text = make_policy('hello', 'goodbye')
    sts_conn.get_federation_token('hello', policy=policy_text)
Exemplo n.º 9
def test_policy(sts_conn, monkeypatch):
    """Exercise the allow and deny sides of the generated policy.

    The federation token should be able to PUT, list and GET under
    ``test-prefix/``, and should get HTTP 403 when listing with an
    empty prefix or writing to ``not-in-prefix/``.
    """
    monkeypatch.setenv('AWS_REGION', 'us-west-1')
    # Periods in the name make calling_format.from_store_name choose
    # OrdinaryCallingFormat.
    bn = bucket_name_mangle('wal-e.sts.list.test')
    s3_host = 's3-us-west-1.amazonaws.com'
    ordinary = connection.OrdinaryCallingFormat()

    policy_doc = make_policy(bn, 'test-prefix')
    federated = sts_conn.get_federation_token('wal-e-test-list-bucket',
                                              policy=policy_doc)
    test_payload = 'wal-e test'

    keys = ['test-prefix/hello', 'test-prefix/world',
            'not-in-prefix/goodbye', 'not-in-prefix/world']
    sts_creds = federated.credentials
    creds = Credentials(sts_creds.access_key,
                        sts_creds.secret_key,
                        sts_creds.session_token)

    with FreshBucket(bn, keys=keys, calling_format=ordinary,
                     host=s3_host) as fb:
        # Unrestricted handle: needed to create the keys outside the
        # prefix, which the token itself must not be able to write.
        bucket_superset_creds = fb.create(location='us-west-1')

        store_info = calling_format.from_store_name(bn)
        conn = store_info.connect(creds)
        conn.host = s3_host

        # Policy-restricted handle, opened with the token.
        bucket = conn.get_bucket(bn, validate=False)

        for name in keys:
            if not name.startswith('test-prefix/'):
                # Outside the prefix a PUT with the token would fail,
                # so seed the key with the unrestricted handle.
                k = connection.Key(bucket_superset_creds)
            else:
                # Inside the prefix: this is the PUT privilege check.
                k = connection.Key(bucket)

            k.key = name
            k.set_contents_from_string(test_payload)

        # Listing restricted to the prefix must succeed and see only
        # the two keys stored there.
        prefix_fetched_keys = list(bucket.list(prefix='test-prefix/'))
        assert len(prefix_fetched_keys) == 2

        # GET privilege on those keys.
        for listed_key in prefix_fetched_keys:
            assert listed_key.get_contents_as_string() == b'wal-e test'

        # A listing that is not confined to the prefix must be
        # refused.
        with pytest.raises(exception.S3ResponseError) as e:
            list(bucket.list(prefix=''))

        assert e.value.status == 403

        # A PUT outside the prefix must be refused as well.
        # NOTE(review): reading (GET) a key outside the prefix is not
        # covered here.
        outside = connection.Key(bucket)
        outside.key = 'not-in-prefix/world'

        with pytest.raises(exception.S3ResponseError) as e:
            outside.set_contents_from_string(test_payload)

        assert e.value.status == 403
Exemplo n.º 10
def test_simple_federation_token(sts_conn):
    """Request a federation token for a minimal policy.

    The returned token is discarded; only an exception would fail the
    test.
    """
    minimal_policy = make_policy('hello', 'goodbye')
    sts_conn.get_federation_token('hello', policy=minimal_policy)