示例#1
    def test_write_auto_awsume_session(self, mock_config_parser, mock_open):
        """Exercise write_auto_awsume_session with and without an existing section.

        First call: the parser reports that the section exists, so
        ``remove_section`` must have been called with the profile name.
        Second call: the section is reported absent. After both calls the
        parser's ``write`` must have been invoked twice in total.

        ``mock_config_parser`` and ``mock_open`` are presumably injected by
        patch decorators that sit above this method (not visible here).
        Every credential value below is an inert placeholder string.
        """
        # Parser double: each method the test inspects is an explicit Mock.
        parser = mock.Mock()
        parser.write = mock.Mock()
        parser.read = mock.Mock()
        parser.has_section = mock.Mock()
        parser.remove_section = mock.Mock()
        parser._sections = []
        mock_config_parser.return_value = parser

        name = 'name'
        path = './path'
        roleArn = 'role-arn'
        # Same insertion order as a real session mapping would be built in.
        session = collections.OrderedDict([
            ('SessionToken', 'session-token'),
            ('AccessKeyId', 'access-key-id'),
            ('SecretAccessKey', 'secret-access-key'),
            ('region', 'region'),
        ])

        # Case 1: section already present -> it has to be removed.
        parser.has_section.return_value = True
        awsumepy.write_auto_awsume_session(name, session, path, roleArn, path)
        parser.remove_section.assert_called_with(name)

        # Case 2: section absent -> the file is still written.
        parser.has_section.return_value = False
        awsumepy.write_auto_awsume_session(name, session, path, roleArn, path)
        self.assertEqual(parser.write.call_count, 2)
示例#2
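def refresh_session(autoProfile):
    """Refresh the role credentials held in `autoProfile`, in place.

    Parameters
    ----------
    - autoProfile - the auto-refresh profile mapping; its
      'awsume_cache_name', 'aws_role_arn', 'awsume_session_name' and
      '__name__' entries are read, and its 'aws_access_key_id',
      'aws_secret_access_key', 'aws_session_token' and
      'awsume_role_expiration' entries are overwritten on success;

    Returns
    -------
    None. On success the updated profile is handed to
    awsumepy.write_auto_awsume_session together with AWS_CREDENTIALS_FILE.
    If the call raises a botocore ClientError the profile is left untouched
    and a warning is logged.
    """
    # Function-scope import keeps this block self-contained.
    import logging

    sourceCredentials = awsumepy.read_aws_cache(AWS_CACHE_DIRECTORY, autoProfile['awsume_cache_name'])
    stsClient = awsumepy.create_sts_client(sourceCredentials['AccessKeyId'],
                                           sourceCredentials['SecretAccessKey'],
                                           sourceCredentials['SessionToken'])
    try:
        response = stsClient.assume_role(RoleArn=autoProfile['aws_role_arn'], RoleSessionName=autoProfile['awsume_session_name'])
        session = response['Credentials']
        # Store the expiry as a local-time string, the form written to the profile.
        localExpiration = session['Expiration'].astimezone(dateutil.tz.tzlocal())
        session['Expiration'] = localExpiration.strftime('%Y-%m-%d %H:%M:%S')
        session['region'] = sourceCredentials['region']

        autoProfile['aws_access_key_id'] = session['AccessKeyId']
        autoProfile['aws_secret_access_key'] = session['SecretAccessKey']
        autoProfile['aws_session_token'] = session['SessionToken']
        autoProfile['awsume_role_expiration'] = session['Expiration']
        awsumepy.write_auto_awsume_session(autoProfile['__name__'].replace('auto-refresh-', ''), autoProfile, AWS_CREDENTIALS_FILE)
    except botocore.exceptions.ClientError as err:
        # Previously swallowed silently, which left aging credentials in the
        # file with no signal to the operator. Report the role and the error
        # text only; credential values must never reach the log.
        logging.getLogger(__name__).warning(
            "autoAwsume: refreshing role %s failed: %s",
            autoProfile['aws_role_arn'], err)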
示例#3
文件: autoAwsume.py 项目: itoc/awsume
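def scan_through_auto_refresh_profiles(credentialsProfiles):
    """
    credentialsProfiles - the dict of profiles to scan through;
    loop through the `credentialsProfiles`, find any that are 'auto-refresh-' profiles,
    refresh/remove any expired ones, and return when the earliest session-expiration will happen.
    Returns `datetime.datetime.now()` when no profile was refreshed (including
    when `credentialsProfiles` is empty).
    """
    #collected across ALL profiles: initialising this inside the loop reset it on
    #every iteration (only the last profile counted) and left it unbound for an
    #empty `credentialsProfiles`
    expirationList = []
    for profile in credentialsProfiles:
        #only auto-refreshed profiles are of interest
        if 'auto-refresh-' not in profile:
            continue
        profileName = profile.replace('auto-refresh-', '')
        roleArn = credentialsProfiles[profile]['aws_role_arn']
        #get the cache filename (the file that contains source_profile credentials)
        cacheFileName = credentialsProfiles[profile]['awsume_cache_file']
        #get the source profile's credentials
        sourceProfileCredentials = awsumepy.read_awsume_session_from_file(
            AWS_CACHE_DIRECTORY, cacheFileName)

        #if the source credentials are expired, stop refreshing this profile
        #NOTE(review): compared against naive local time - confirm the cached
        #'Expiration' is a naive local datetime as well
        if not sourceProfileCredentials['Expiration'] > datetime.datetime.now():
            awsumepy.remove_auto_awsume_profile_by_name(
                profileName, AWS_CREDENTIALS_FILE)
            continue

        try:
            #refresh the session
            refreshedCredentials = refresh_session(
                sourceProfileCredentials, roleArn,
                cacheFileName + '-auto-awsume-session')
        except Exception as e:
            #if refreshing the session failed, remove that profile so stale
            #role credentials do not linger in the credentials file
            print(
                "autoAwsume: Refreshing profile [" +
                profileName +
                "] failed. That profile will no longer be auto-refreshed."
            )
            print(str(e))
            awsumepy.remove_auto_awsume_profile_by_name(
                profileName, AWS_CREDENTIALS_FILE)
        else:
            #write the session
            awsumepy.write_auto_awsume_session(
                profile, refreshedCredentials, cacheFileName, roleArn,
                AWS_CREDENTIALS_FILE)
            #the role session is only usable until whichever expires first
            expirationList.append(
                min(sourceProfileCredentials['Expiration'],
                    refreshedCredentials['Expiration']))
    if expirationList:
        return min(expirationList)
    return datetime.datetime.now()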
示例#4
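def refresh_session(autoProfile):
    """Refresh the role credentials stored in `autoProfile`.

    Parameters
    ----------
    - autoProfile - the auto-refresh profile mapping. Reads the
      'awsume_cache_name', 'aws_role_arn', 'awsume_session_name' and
      '__name__' entries; on success overwrites 'aws_access_key_id',
      'aws_secret_access_key', 'aws_session_token' and
      'awsume_role_expiration';

    Returns
    -------
    None. The profile is modified in place and then passed to
    awsumepy.write_auto_awsume_session along with AWS_CREDENTIALS_FILE.
    A botocore ClientError leaves the profile unchanged and is logged as a
    warning instead of being raised.
    """
    # Imported locally so the function does not depend on a file-level import.
    import logging

    sourceCredentials = awsumepy.read_aws_cache(
        AWS_CACHE_DIRECTORY, autoProfile['awsume_cache_name'])
    stsClient = awsumepy.create_sts_client(
        sourceCredentials['AccessKeyId'], sourceCredentials['SecretAccessKey'],
        sourceCredentials['SessionToken'])
    try:
        response = stsClient.assume_role(
            RoleArn=autoProfile['aws_role_arn'],
            RoleSessionName=autoProfile['awsume_session_name'])
        session = response['Credentials']
        # Convert the expiry to local time, then to the string form that is
        # stored in the profile.
        session['Expiration'] = session['Expiration'].astimezone(
            dateutil.tz.tzlocal())
        session['Expiration'] = session['Expiration'].strftime(
            '%Y-%m-%d %H:%M:%S')
        session['region'] = sourceCredentials['region']

        autoProfile['aws_access_key_id'] = session['AccessKeyId']
        autoProfile['aws_secret_access_key'] = session['SecretAccessKey']
        autoProfile['aws_session_token'] = session['SessionToken']
        autoProfile['awsume_role_expiration'] = session['Expiration']
        awsumepy.write_auto_awsume_session(
            autoProfile['__name__'].replace('auto-refresh-', ''), autoProfile,
            AWS_CREDENTIALS_FILE)
    except botocore.exceptions.ClientError as err:
        # A bare `pass` here hid every failed refresh. Log which role failed
        # and why; keep key material and tokens out of the message.
        logging.getLogger(__name__).warning(
            "autoAwsume: refreshing role %s failed: %s",
            autoProfile['aws_role_arn'], err)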