def test_write_auto_awsume_session(self, mock_config_parser, mock_open):
    """Check section replacement and parser writes of write_auto_awsume_session.

    The config parser is replaced by a mock, and the helper is called twice:
    once with the section reported as present and once as absent. The test
    expects `remove_section(name)` after the first call and two `write` calls
    in total.
    """
    # mock_open is not referenced in the body; presumably it is a patch of
    # `open` supplied by a decorator outside this view, keeping the test away
    # from a real credentials file -- confirm.
    parser = mock.Mock()
    parser.write = mock.Mock()
    parser.read = mock.Mock()
    parser.has_section = mock.Mock()
    parser.remove_section = mock.Mock()
    parser._sections = []
    mock_config_parser.return_value = parser

    profile_name = 'name'
    file_path = './path'
    role_arn = 'role-arn'
    # Placeholder values only; no real credential material is used here.
    fake_session = collections.OrderedDict([
        ('SessionToken', 'session-token'),
        ('AccessKeyId', 'access-key-id'),
        ('SecretAccessKey', 'secret-access-key'),
        ('region', 'region'),
    ])

    # Section already present: the stale section is expected to be removed.
    parser.has_section.return_value = True
    awsumepy.write_auto_awsume_session(
        profile_name, fake_session, file_path, role_arn, file_path)
    parser.remove_section.assert_called_with(profile_name)

    # Section absent.
    # NOTE(review): nothing here asserts that remove_section is skipped on
    # this second call; only the total number of writes is checked.
    parser.has_section.return_value = False
    awsumepy.write_auto_awsume_session(
        profile_name, fake_session, file_path, role_arn, file_path)
    self.assertEqual(parser.write.call_count, 2)
def refresh_session(autoProfile):
    """Re-assume the role of `autoProfile` and store the new credentials.

    The source credentials are read from the awsume cache entry named by
    `autoProfile['awsume_cache_name']` and used to build an STS client. The
    role in `autoProfile['aws_role_arn']` is then assumed under the session
    name `autoProfile['awsume_session_name']`. The new key id, secret key,
    session token and local-time expiration string are copied into
    `autoProfile`, which is passed to `awsumepy.write_auto_awsume_session`
    together with `AWS_CREDENTIALS_FILE`.

    Parameters
    ----------
    - autoProfile - the auto-refresh profile to renew; updated in place;

    Returns
    -------
    None. A `botocore.exceptions.ClientError` raised inside the try block is
    suppressed, so the caller gets no signal that the refresh failed.
    """
    cached = awsumepy.read_aws_cache(
        AWS_CACHE_DIRECTORY, autoProfile['awsume_cache_name'])
    sts = awsumepy.create_sts_client(
        cached['AccessKeyId'],
        cached['SecretAccessKey'],
        cached['SessionToken'])
    try:
        creds = sts.assume_role(
            RoleArn=autoProfile['aws_role_arn'],
            RoleSessionName=autoProfile['awsume_session_name'],
        )['Credentials']
        # Convert the expiration to local time, then to a plain string.
        creds['Expiration'] = creds['Expiration'].astimezone(
            dateutil.tz.tzlocal())
        creds['Expiration'] = creds['Expiration'].strftime('%Y-%m-%d %H:%M:%S')
        # NOTE(review): 'region' is stored on the response dict only and is
        # never copied into autoProfile -- confirm that is intended.
        creds['region'] = cached['region']
        for profile_key, cred_key in (
                ('aws_access_key_id', 'AccessKeyId'),
                ('aws_secret_access_key', 'SecretAccessKey'),
                ('aws_session_token', 'SessionToken'),
                ('awsume_role_expiration', 'Expiration')):
            autoProfile[profile_key] = creds[cred_key]
        # The secret key and session token go to the credentials file here;
        # presumably the helper controls that file's permissions -- verify.
        awsumepy.write_auto_awsume_session(
            autoProfile['__name__'].replace('auto-refresh-', ''),
            autoProfile,
            AWS_CREDENTIALS_FILE)
    except botocore.exceptions.ClientError:
        # NOTE(review): a failed AssumeRole is swallowed without a trace, so
        # the profile keeps its previous credentials and expiration.
        pass
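def scan_through_auto_refresh_profiles(credentialsProfiles):
    """Refresh or remove each 'auto-refresh-' profile and report the next expiry.

    Parameters
    ----------
    - credentialsProfiles - mapping of profile name to that profile's
      settings; only names containing 'auto-refresh-' are processed;

    Returns
    -------
    The earliest expiration among the profiles refreshed in this pass, or
    `datetime.datetime.now()` when nothing was refreshed (an empty mapping
    included).
    """
    # Collected across ALL profiles. Creating this list inside the loop would
    # discard every earlier profile's expiration on each iteration and leave
    # the name unbound for an empty mapping.
    expirationList = []
    for profile in credentialsProfiles:
        # Only auto-refreshed profiles are handled.
        # NOTE(review): this is a substring match, and replace() strips every
        # occurrence of the marker, not just a leading one.
        if 'auto-refresh-' not in profile:
            continue
        plainName = profile.replace('auto-refresh-', '')
        settings = credentialsProfiles[profile]

        # The cache file holds the source_profile credentials.
        cacheFileName = settings['awsume_cache_file']
        sourceProfileCredentials = awsumepy.read_awsume_session_from_file(
            AWS_CACHE_DIRECTORY, cacheFileName)

        # assumes 'Expiration' is a naive local datetime comparable with
        # datetime.now() -- TODO confirm against read_awsume_session_from_file
        if sourceProfileCredentials['Expiration'] > datetime.datetime.now():
            try:
                # NOTE(review): called with three positional arguments;
                # confirm this matches the refresh_session in scope. A
                # TypeError from a mismatch would be caught by the broad
                # handler below and reported as a failed refresh, which
                # removes the profile.
                refreshedCredentials = refresh_session(
                    sourceProfileCredentials,
                    settings['aws_role_arn'],
                    cacheFileName + '-auto-awsume-session')
            except Exception as e:
                # Refresh failed: stop auto-refreshing this profile.
                print(
                    "autoAwsume: Refreshing profile [" + plainName +
                    "] failed. That profile will no longer be auto-refreshed."
                )
                print(str(e))
                awsumepy.remove_auto_awsume_profile_by_name(
                    plainName, AWS_CREDENTIALS_FILE)
            else:
                # Persist the refreshed session to the credentials file.
                awsumepy.write_auto_awsume_session(
                    profile,
                    refreshedCredentials,
                    cacheFileName,
                    settings['aws_role_arn'],
                    AWS_CREDENTIALS_FILE)
                # The role session cannot be renewed once the source
                # credentials expire, so the earlier of the two counts.
                expirationList.append(
                    min(sourceProfileCredentials['Expiration'],
                        refreshedCredentials['Expiration']))
        else:
            # Source credentials expired: the profile cannot be refreshed.
            awsumepy.remove_auto_awsume_profile_by_name(
                plainName, AWS_CREDENTIALS_FILE)

    if expirationList:
        return min(expirationList)
    return datetime.datetime.now()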
def refresh_session(autoProfile):
    """Renew the assumed-role credentials held in `autoProfile`.

    Parameters
    ----------
    - autoProfile - the auto-refresh profile; the keys 'awsume_cache_name',
      'aws_role_arn', 'awsume_session_name' and '__name__' are read, and the
      'aws_access_key_id', 'aws_secret_access_key', 'aws_session_token' and
      'awsume_role_expiration' entries are overwritten in place;

    Returns
    -------
    None. The updated profile is handed to
    `awsumepy.write_auto_awsume_session` with `AWS_CREDENTIALS_FILE`. A
    `botocore.exceptions.ClientError` raised inside the try block is
    suppressed and leaves no trace.
    """
    source = awsumepy.read_aws_cache(
        AWS_CACHE_DIRECTORY, autoProfile['awsume_cache_name'])
    # The STS client is built from the cached source-profile credentials.
    client = awsumepy.create_sts_client(
        source['AccessKeyId'],
        source['SecretAccessKey'],
        source['SessionToken'])
    try:
        assumed = client.assume_role(
            RoleArn=autoProfile['aws_role_arn'],
            RoleSessionName=autoProfile['awsume_session_name'])
        fresh = assumed['Credentials']

        # Expiration: convert to the local zone, then format as text.
        local_zone = dateutil.tz.tzlocal()
        fresh['Expiration'] = fresh['Expiration'].astimezone(local_zone)
        fresh['Expiration'] = fresh['Expiration'].strftime('%Y-%m-%d %H:%M:%S')
        # NOTE(review): the region lands on the response dict only; it is not
        # read again here and never reaches autoProfile -- confirm intent.
        fresh['region'] = source['region']

        autoProfile['aws_access_key_id'] = fresh['AccessKeyId']
        autoProfile['aws_secret_access_key'] = fresh['SecretAccessKey']
        autoProfile['aws_session_token'] = fresh['SessionToken']
        autoProfile['awsume_role_expiration'] = fresh['Expiration']

        # Secret material is persisted by this call; presumably the helper
        # restricts the credentials file's permissions -- verify.
        target_name = autoProfile['__name__'].replace('auto-refresh-', '')
        awsumepy.write_auto_awsume_session(
            target_name, autoProfile, AWS_CREDENTIALS_FILE)
    except botocore.exceptions.ClientError:
        # NOTE(review): the failure is dropped silently, so a profile whose
        # refresh was denied looks the same to the caller as a renewed one.
        pass