def patch(self, test_name, default_test_bucket):
# Get STS-vended credentials to stand in for Instance Profile
# credentials before scrubbing the environment of AWS
# environment variables.
c = s3_integration_help.sts_conn()
policy = s3_integration_help.make_policy(default_test_bucket,
test_name)
fed = c.get_federation_token(default_test_bucket, policy=policy)
# Scrub AWS environment-variable based cred to make sure the
# instance profile path is used.
for name in _AWS_CRED_ENV_VARS:
self.monkeypatch.delenv(name, raising=False)
self.monkeypatch.setenv(
'WALE_S3_PREFIX', 's3://{0}/{1}'.format(default_test_bucket,
test_name))
self.monkeypatch.setenv('AWS_REGION', 'us-west-1')
# Patch boto.utils.get_instance_metadata to return a ginned up
# credential.
m = {
"Code": "Success",
"LastUpdated": "3014-01-11T02:13:53Z",
"Type": "AWS-HMAC",
"AccessKeyId": fed.credentials.access_key,
"SecretAccessKey": fed.credentials.secret_key,
"Token": fed.credentials.session_token,
"Expiration": "3014-01-11T08:16:59Z"
}
from boto import provider
self.monkeypatch.setattr(provider.Provider,
'_credentials_need_refresh',
lambda self: False)
# Different versions of boto require slightly different return
# formats.
import test_aws_instance_profiles
if test_aws_instance_profiles.boto_flat_metadata():
m = {'irrelevant': m}
else:
m = {'iam': {'security-credentials': {'irrelevant': m}}}
from boto import utils
self.monkeypatch.setattr(utils, 'get_instance_metadata',
lambda *args, **kwargs: m)
def patch(self, test_name):
# Get STS-vended credentials to stand in for Instance Profile
# credentials before scrubbing the environment of AWS
# environment variables.
c = s3_integration_help.sts_conn()
policy = s3_integration_help.make_policy(self.default_test_bucket,
test_name)
fed = c.get_federation_token(self.default_test_bucket, policy=policy)
# Scrub AWS environment-variable based cred to make sure the
# instance profile path is used.
for name in _AWS_CRED_ENV_VARS:
self.monkeypatch.delenv(name, raising=False)
self.monkeypatch.setenv('WALE_S3_PREFIX', 's3://{0}/{1}'
.format(self.default_test_bucket, test_name))
self.monkeypatch.setenv('AWS_REGION', 'us-west-1')
# Patch boto.utils.get_instance_metadata to return a ginned up
# credential.
m = {
"Code": "Success",
"LastUpdated": "3014-01-11T02:13:53Z",
"Type": "AWS-HMAC",
"AccessKeyId": fed.credentials.access_key,
"SecretAccessKey": fed.credentials.secret_key,
"Token": fed.credentials.session_token,
"Expiration": "3014-01-11T08:16:59Z"
}
from boto import provider
self.monkeypatch.setattr(provider.Provider,
'_credentials_need_refresh',
lambda self: False)
# Different versions of boto require slightly different return
# formats.
import test_aws_instance_profiles
if test_aws_instance_profiles.boto_flat_metadata():
m = {'irrelevant': m}
else:
m = {'iam': {'security-credentials': {'irrelevant': m}}}
from boto import utils
self.monkeypatch.setattr(utils, 'get_instance_metadata',
lambda *args, **kwargs: m)
def test_backup_list(sts_conn):
"""Test BackupList's compatibility with a test policy."""
bn = 'wal-e.sts.backup.list'
h = 's3-us-west-1.amazonaws.com'
cf = connection.OrdinaryCallingFormat()
fed = sts_conn.get_federation_token('wal-e-test-backup-list',
policy=make_policy(bn, 'test-prefix'))
layout = StorageLayout('s3://{0}/test-prefix'.format(bn))
creds = Credentials(fed.credentials.access_key, fed.credentials.secret_key,
fed.credentials.session_token)
with FreshBucket(bn, calling_format=cf, host=h) as fb:
fb.create(location='us-west-1')
cinfo = calling_format.from_store_name(bn)
conn = cinfo.connect(creds)
conn.host = h
backups = list(BackupList(conn, layout, True))
assert not backups
def test_uri_put_file(sts_conn):
bn = 'wal-e.sts.uri.put.file'
cf = connection.OrdinaryCallingFormat()
policy_text = make_policy(bn, 'test-prefix', allow_get_location=True)
fed = sts_conn.get_federation_token('wal-e-test-uri-put-file',
policy=policy_text)
key_path = 'test-prefix/test-key'
creds = Credentials(fed.credentials.access_key,
fed.credentials.secret_key,
fed.credentials.session_token)
with FreshBucket(bn, keys=[key_path], calling_format=cf,
host='s3-us-west-1.amazonaws.com') as fb:
fb.create(location='us-west-1')
uri_put_file(creds, 's3://' + bn + '/' + key_path,
StringIO('test-content'))
k = connection.Key(fb.conn.get_bucket(bn, validate=False))
k.name = key_path
assert k.get_contents_as_string() == 'test-content'
def test_backup_list(sts_conn):
"""Test BackupList's compatibility with a test policy."""
bn = 'wal-e.sts.backup.list'
h = 's3-us-west-1.amazonaws.com'
cf = connection.OrdinaryCallingFormat()
fed = sts_conn.get_federation_token('wal-e-test-backup-list',
policy=make_policy(bn, 'test-prefix'))
layout = StorageLayout('s3://{0}/test-prefix'.format(bn))
creds = Credentials(fed.credentials.access_key,
fed.credentials.secret_key,
fed.credentials.session_token)
with FreshBucket(bn, calling_format=cf, host=h) as fb:
fb.create(location='us-west-1')
cinfo = calling_format.from_store_name(bn)
conn = cinfo.connect(creds)
conn.host = h
backups = list(BackupList(conn, layout, True))
assert not backups
def test_uri_put_file(sts_conn):
bn = 'wal-e.sts.uri.put.file'
cf = connection.OrdinaryCallingFormat()
policy_text = make_policy(bn, 'test-prefix', allow_get_location=True)
fed = sts_conn.get_federation_token('wal-e-test-uri-put-file',
policy=policy_text)
key_path = 'test-prefix/test-key'
creds = Credentials(fed.credentials.access_key, fed.credentials.secret_key,
fed.credentials.session_token)
with FreshBucket(bn,
keys=[key_path],
calling_format=cf,
host='s3-us-west-1.amazonaws.com') as fb:
fb.create(location='us-west-1')
uri_put_file(creds, 's3://' + bn + '/' + key_path,
StringIO('test-content'))
k = connection.Key(fb.conn.get_bucket(bn, validate=False))
k.name = key_path
assert k.get_contents_as_string() == 'test-content'
def test_policy(sts_conn, monkeypatch):
"""Sanity checks for the intended ACLs of the policy"""
monkeypatch.setenv('AWS_REGION', 'us-west-1')
# Use periods to force OrdinaryCallingFormat when using
# calling_format.from_store_name.
bn = bucket_name_mangle('wal-e.sts.list.test')
h = 's3-us-west-1.amazonaws.com'
cf = connection.OrdinaryCallingFormat()
fed = sts_conn.get_federation_token('wal-e-test-list-bucket',
policy=make_policy(bn, 'test-prefix'))
test_payload = 'wal-e test'
keys = [
'test-prefix/hello', 'test-prefix/world', 'not-in-prefix/goodbye',
'not-in-prefix/world'
]
creds = Credentials(fed.credentials.access_key, fed.credentials.secret_key,
fed.credentials.session_token)
with FreshBucket(bn, keys=keys, calling_format=cf, host=h) as fb:
# Superuser creds, for testing keys not in the prefix.
bucket_superset_creds = fb.create(location='us-west-1')
cinfo = calling_format.from_store_name(bn)
conn = cinfo.connect(creds)
conn.host = h
# Bucket using the token, subject to the policy.
bucket = conn.get_bucket(bn, validate=False)
for name in keys:
if name.startswith('test-prefix/'):
# Test the PUT privilege.
k = connection.Key(bucket)
else:
# Not in the prefix, so PUT will not work.
k = connection.Key(bucket_superset_creds)
k.key = name
k.set_contents_from_string(test_payload)
# Test listing keys within the prefix.
prefix_fetched_keys = list(bucket.list(prefix='test-prefix/'))
assert len(prefix_fetched_keys) == 2
# Test the GET privilege.
for key in prefix_fetched_keys:
assert key.get_contents_as_string() == b'wal-e test'
# Try a bogus listing outside the valid prefix.
with pytest.raises(exception.S3ResponseError) as e:
list(bucket.list(prefix=''))
assert e.value.status == 403
# Test the rejection of PUT outside of prefix.
k = connection.Key(bucket)
k.key = 'not-in-prefix/world'
with pytest.raises(exception.S3ResponseError) as e:
k.set_contents_from_string(test_payload)
assert e.value.status == 403
def test_simple_federation_token(sts_conn):
sts_conn.get_federation_token('hello',
policy=make_policy('hello', 'goodbye'))
def test_policy(sts_conn, monkeypatch):
"""Sanity checks for the intended ACLs of the policy"""
monkeypatch.setenv('AWS_REGION', 'us-west-1')
# Use periods to force OrdinaryCallingFormat when using
# calling_format.from_store_name.
bn = bucket_name_mangle('wal-e.sts.list.test')
h = 's3-us-west-1.amazonaws.com'
cf = connection.OrdinaryCallingFormat()
fed = sts_conn.get_federation_token('wal-e-test-list-bucket',
policy=make_policy(bn, 'test-prefix'))
test_payload = 'wal-e test'
keys = ['test-prefix/hello', 'test-prefix/world',
'not-in-prefix/goodbye', 'not-in-prefix/world']
creds = Credentials(fed.credentials.access_key,
fed.credentials.secret_key,
fed.credentials.session_token)
with FreshBucket(bn, keys=keys, calling_format=cf, host=h) as fb:
# Superuser creds, for testing keys not in the prefix.
bucket_superset_creds = fb.create(location='us-west-1')
cinfo = calling_format.from_store_name(bn)
conn = cinfo.connect(creds)
conn.host = h
# Bucket using the token, subject to the policy.
bucket = conn.get_bucket(bn, validate=False)
for name in keys:
if name.startswith('test-prefix/'):
# Test the PUT privilege.
k = connection.Key(bucket)
else:
# Not in the prefix, so PUT will not work.
k = connection.Key(bucket_superset_creds)
k.key = name
k.set_contents_from_string(test_payload)
# Test listing keys within the prefix.
prefix_fetched_keys = list(bucket.list(prefix='test-prefix/'))
assert len(prefix_fetched_keys) == 2
# Test the GET privilege.
for key in prefix_fetched_keys:
assert key.get_contents_as_string() == b'wal-e test'
# Try a bogus listing outside the valid prefix.
with pytest.raises(exception.S3ResponseError) as e:
list(bucket.list(prefix=''))
assert e.value.status == 403
# Test the rejection of PUT outside of prefix.
k = connection.Key(bucket)
k.key = 'not-in-prefix/world'
with pytest.raises(exception.S3ResponseError) as e:
k.set_contents_from_string(test_payload)
assert e.value.status == 403
def test_simple_federation_token(sts_conn):
sts_conn.get_federation_token(
'hello',
policy=make_policy('hello', 'goodbye'))