def _test_get_aws_security_credentials_instance_metadata_role_name(
        mocker,
        is_name_str=True,
        token_effects=[MockUrlLibResponse(data="ABCDEFG==")]):
    """Drive the ``metadata:`` credentials source through a mocked urlopen.

    ``watchdog.urlopen`` is replaced by a mock that yields, in order:
    ``token_effects``, the role-name response, ``token_effects`` again, and
    finally the JSON credentials document. ``is_name_str=True`` serves the
    role name as bytes, ``False`` serves it as str.
    """
    # NOTE(review): the default list is built once, at definition time, and
    # shared by every call. It is only read here (concatenation makes a new
    # list), but the same response object is reused in both token slots.
    fake_config = get_fake_config()
    # patch.dict with an empty mapping does not clear os.environ; it only
    # restores the environment when the test ends.
    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=False)

    credentials_document = json.dumps({
        "Code": "Success",
        "LastUpdated": "2019-10-25T14:41:42Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
        "Expiration": "2019-10-25T21:17:24Z",
    })
    role_name_data = b"FAKE_IAM_ROLE_NAME" if is_name_str else "FAKE_IAM_ROLE_NAME"

    urlopen_sequence = (
        token_effects
        + [MockUrlLibResponse(data=role_name_data)]
        + token_effects
        + [MockUrlLibResponse(data=credentials_document)]
    )
    mocker.patch("watchdog.urlopen", side_effect=urlopen_sequence)

    result = watchdog.get_aws_security_credentials(
        fake_config, "metadata:", "us-east-1")

    for field, expected in (
            ("AccessKeyId", ACCESS_KEY_ID_VAL),
            ("SecretAccessKey", SECRET_ACCESS_KEY_VAL),
            ("Token", SESSION_TOKEN_VAL)):
        assert result[field] == expected
def _test_get_aws_security_credentials_instance_metadata_role_name(mocker, is_name_str=True, is_imds_v2=False):
    """Check the ``metadata:`` source with an optional leading 401 response.

    With ``is_imds_v2=True`` the first mocked ``watchdog.urlopen`` call raises
    an HTTP 401 and ``watchdog.get_aws_ec2_metadata_token`` is stubbed to
    return a fixed token; the role-name and credentials responses follow.
    ``is_name_str=True`` serves the role name as bytes, ``False`` as str.
    """
    # patch.dict with an empty mapping does not clear os.environ; it only
    # restores the environment when the test ends.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)

    credentials_document = json.dumps({
        'Code': 'Success',
        'LastUpdated': '2019-10-25T14:41:42Z',
        'Type': 'AWS-HMAC',
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
        'Expiration': '2019-10-25T21:17:24Z'
    })
    role_name_data = b'FAKE_IAM_ROLE_NAME' if is_name_str else 'FAKE_IAM_ROLE_NAME'

    leading_effects = []
    if is_imds_v2:
        # Presumably the 401 stands for a metadata request rejected for lack
        # of a session token, after which the code under test retries with
        # the stubbed token -- confirm against watchdog.
        leading_effects.append(HTTPError('url', 401, 'Unauthorized', None, None))
        mocker.patch('watchdog.get_aws_ec2_metadata_token', return_value='ABCDEFG==')

    urlopen_sequence = leading_effects + [
        MockUrlLibResponse(data=role_name_data),
        MockUrlLibResponse(data=credentials_document),
    ]
    mocker.patch('watchdog.urlopen', side_effect=urlopen_sequence)

    result = watchdog.get_aws_security_credentials('metadata:')

    for field, expected in (
            ('AccessKeyId', ACCESS_KEY_ID_VAL),
            ('SecretAccessKey', SECRET_ACCESS_KEY_VAL),
            ('Token', SESSION_TOKEN_VAL)):
        assert result[field] == expected
def test_get_aws_security_credentials_not_found(mocker):
    """With no credentials file and a bare urlopen mock, every field is None."""
    # patch.dict with an empty mapping does not clear os.environ; it only
    # restores the environment when the test ends.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)
    # urlopen is replaced by a plain mock with no configured response.
    mocker.patch('watchdog.urlopen')

    result = watchdog.get_aws_security_credentials()

    for field in ('AccessKeyId', 'SecretAccessKey', 'Token'):
        assert result[field] is None
def test_get_aws_security_credentials_credentials_from_assumed_profile_botocore_not_present(
        mocker, caplog):
    """A named profile without botocore returns None and logs the reason."""
    fake_config = get_fake_config()
    # A None entry in sys.modules makes ``import botocore`` raise ImportError.
    mocker.patch.dict("sys.modules", {"botocore": None})

    result = watchdog.get_aws_security_credentials(
        fake_config, "named_profile:test-profile", "us-east-1")

    assert result is None
    logged_messages = [rec.message for rec in caplog.records]
    # Only the first captured record is inspected.
    assert ("Named profile credentials cannot be retrieved without botocore"
            in logged_messages[0])
def test_get_aws_security_credentials_not_found_file_found_no_creds(mocker):
    """A credentials file whose helper yields only None values gives a falsy result."""
    empty_helper_result = dict.fromkeys(('AccessKeyId', 'SecretAccessKey', 'Token'))
    mocker.patch('os.path.exists', return_value=True)
    mocker.patch('watchdog.credentials_file_helper', return_value=empty_helper_result)

    result = watchdog.get_aws_security_credentials('credentials:default')

    # An all-None credential set must not be handed back as usable credentials.
    assert not result
def test_get_aws_security_credentials_not_found_file_found_no_creds(mocker):
    """A credentials file whose helper yields only None values gives a falsy result."""
    fake_config = get_fake_config()
    empty_helper_result = dict.fromkeys(("AccessKeyId", "SecretAccessKey", "Token"))
    mocker.patch("os.path.exists", return_value=True)
    mocker.patch("watchdog.credentials_file_helper",
                 return_value=empty_helper_result)

    result = watchdog.get_aws_security_credentials(
        fake_config, "credentials:default", "us-east-1")

    # An all-None credential set must not be handed back as usable credentials.
    assert not result
def test_get_aws_security_credentials_config_file_found_credentials_found_without_token(mocker):
    """The ``config:default`` source returns key pair data even when Token is None."""
    helper_result = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': None
    }
    # patch.dict with an empty mapping does not clear os.environ; it only
    # restores the environment when the test ends.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=True)
    mocker.patch('watchdog.credentials_file_helper', return_value=helper_result)

    result = watchdog.get_aws_security_credentials('config:default')

    assert result['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert result['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    # No session token was supplied, so none may be reported.
    assert result['Token'] is None
def test_get_aws_security_credentials_botocore_present_get_assumed_profile_credentials(
        mocker,
):
    """A named profile returns whatever the stubbed botocore helper provides."""
    fake_config = get_fake_config()
    helper_result = {
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
    }
    # The helper is stubbed, so botocore itself is never exercised here.
    mocker.patch("watchdog.botocore_credentials_helper",
                 return_value=helper_result)

    result = watchdog.get_aws_security_credentials(
        fake_config, "named_profile:test-profile", "us-east-1")

    for field, expected in (
            ("AccessKeyId", ACCESS_KEY_ID_VAL),
            ("SecretAccessKey", SECRET_ACCESS_KEY_VAL),
            ("Token", SESSION_TOKEN_VAL)):
        assert result[field] == expected
def test_get_aws_security_credentials_botocore_present_get_assumed_profile_credentials(
        mocker):
    """A named profile returns whatever the stubbed botocore helper provides."""
    fake_config = get_fake_config()
    helper_result = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    }
    # The helper is stubbed, so botocore itself is never exercised here.
    mocker.patch('watchdog.botocore_credentials_helper',
                 return_value=helper_result)

    result = watchdog.get_aws_security_credentials(
        fake_config, 'named_profile:test-profile', 'us-east-1')

    for field, expected in (
            ('AccessKeyId', ACCESS_KEY_ID_VAL),
            ('SecretAccessKey', SECRET_ACCESS_KEY_VAL),
            ('Token', SESSION_TOKEN_VAL)):
        assert result[field] == expected
def test_get_aws_security_credentials_ecs(mocker):
    """The ``ecs:`` source returns the fields of the mocked endpoint response."""
    # patch.dict with an empty mapping does not clear os.environ; it only
    # restores the environment when the test ends.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)

    endpoint_document = json.dumps({
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'Expiration': 'EXPIRATION_DATE',
        'RoleArn': 'TASK_ROLE_ARN',
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    })
    mocker.patch.dict(os.environ, {'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI': 'fake_uri'})
    mocker.patch('watchdog.urlopen',
                 return_value=MockUrlLibResponse(data=endpoint_document))

    result = watchdog.get_aws_security_credentials('ecs:fake_uri')

    for field, expected in (
            ('AccessKeyId', ACCESS_KEY_ID_VAL),
            ('SecretAccessKey', SECRET_ACCESS_KEY_VAL),
            ('Token', SESSION_TOKEN_VAL)):
        assert result[field] == expected
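def test_get_aws_security_credentials_config_or_creds_file_found_creds_found_with_token_no_awsprofile(
        mocker):
    """With no source argument, credentials from the file helper are returned in full."""
    file_helper_resp = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    }
    # patch.dict with an empty mapping does not clear os.environ; it only
    # restores the environment when the test ends.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=True)
    mocker.patch('watchdog.credentials_file_helper', return_value=file_helper_resp)

    credentials = watchdog.get_aws_security_credentials()

    assert credentials['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert credentials['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    # Compare by value: an identity check only passes while the very same
    # string object is handed through, which is not what is being tested.
    assert credentials['Token'] == SESSION_TOKEN_VAL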
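def test_get_aws_security_credentials_config_file_found_credentials_found(
        mocker):
    """The ``config:default`` source returns the file helper's credentials in full."""
    config = get_fake_config()
    file_helper_resp = {
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL
    }
    # patch.dict with an empty mapping does not clear os.environ; it only
    # restores the environment when the test ends.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=True)
    mocker.patch('watchdog.credentials_file_helper', return_value=file_helper_resp)

    credentials = watchdog.get_aws_security_credentials(
        config, 'config:default', 'us-east-1')

    assert credentials['AccessKeyId'] == ACCESS_KEY_ID_VAL
    assert credentials['SecretAccessKey'] == SECRET_ACCESS_KEY_VAL
    # Compare by value: an identity check only passes while the very same
    # string object is handed through, which is not what is being tested.
    assert credentials['Token'] == SESSION_TOKEN_VAL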
def test_get_aws_security_credentials_instance_metadata(mocker):
    """The ``metadata:`` source returns the fields of the mocked credentials document."""
    # patch.dict with an empty mapping does not clear os.environ; it only
    # restores the environment when the test ends.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)

    credentials_document = json.dumps({
        'Code': 'Success',
        'LastUpdated': '2019-10-25T14:41:42Z',
        'Type': 'AWS-HMAC',
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
        'Expiration': '2019-10-25T21:17:24Z'
    })
    # Every urlopen call gets the same canned response object.
    mocker.patch('watchdog.urlopen',
                 return_value=MockUrlLibResponse(data=credentials_document))

    result = watchdog.get_aws_security_credentials('metadata:')

    for field, expected in (
            ('AccessKeyId', ACCESS_KEY_ID_VAL),
            ('SecretAccessKey', SECRET_ACCESS_KEY_VAL),
            ('Token', SESSION_TOKEN_VAL)):
        assert result[field] == expected
def test_get_aws_security_credentials_credentials_file_found_credentials_found_without_token(
        mocker,
):
    """The ``credentials:default`` source returns key pair data even when Token is None."""
    fake_config = get_fake_config()
    helper_result = {
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": None,
    }
    # patch.dict with an empty mapping does not clear os.environ; it only
    # restores the environment when the test ends.
    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=True)
    mocker.patch("watchdog.credentials_file_helper",
                 return_value=helper_result)

    result = watchdog.get_aws_security_credentials(
        fake_config, "credentials:default", "us-east-1")

    assert result["AccessKeyId"] == ACCESS_KEY_ID_VAL
    assert result["SecretAccessKey"] == SECRET_ACCESS_KEY_VAL
    # No session token was supplied, so none may be reported.
    assert result["Token"] is None
def test_get_aws_security_credentials_ecs(mocker):
    """The ``ecs:`` source returns the fields of the mocked endpoint response."""
    fake_config = get_fake_config()
    # patch.dict with an empty mapping does not clear os.environ; it only
    # restores the environment when the test ends.
    mocker.patch.dict(os.environ, {})
    mocker.patch("os.path.exists", return_value=False)

    endpoint_document = json.dumps({
        "AccessKeyId": ACCESS_KEY_ID_VAL,
        "Expiration": "EXPIRATION_DATE",
        "RoleArn": "TASK_ROLE_ARN",
        "SecretAccessKey": SECRET_ACCESS_KEY_VAL,
        "Token": SESSION_TOKEN_VAL,
    })
    mocker.patch.dict(os.environ,
                      {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "fake_uri"})
    mocker.patch("watchdog.urlopen",
                 return_value=MockUrlLibResponse(data=endpoint_document))

    result = watchdog.get_aws_security_credentials(
        fake_config, "ecs:fake_uri", "us-east-1")

    for field, expected in (
            ("AccessKeyId", ACCESS_KEY_ID_VAL),
            ("SecretAccessKey", SECRET_ACCESS_KEY_VAL),
            ("Token", SESSION_TOKEN_VAL)):
        assert result[field] == expected
def _test_get_aws_security_credentials_instance_metadata_role_name(
        mocker, is_name_str=True, token_timeout=False):
    """Drive the ``metadata:`` source with a token effect before each request.

    The mocked ``watchdog.urlopen`` yields: a token effect, the role-name
    response, a second token effect, then the credentials document. With
    ``token_timeout=True`` each token effect is ``socket.timeout``; otherwise
    it is a canned response. ``is_name_str=True`` serves the role name as
    bytes, ``False`` as str.
    """
    fake_config = get_fake_config()
    # patch.dict with an empty mapping does not clear os.environ; it only
    # restores the environment when the test ends.
    mocker.patch.dict(os.environ, {})
    mocker.patch('os.path.exists', return_value=False)

    credentials_document = json.dumps({
        'Code': 'Success',
        'LastUpdated': '2019-10-25T14:41:42Z',
        'Type': 'AWS-HMAC',
        'AccessKeyId': ACCESS_KEY_ID_VAL,
        'SecretAccessKey': SECRET_ACCESS_KEY_VAL,
        'Token': SESSION_TOKEN_VAL,
        'Expiration': '2019-10-25T21:17:24Z'
    })
    role_name_data = b'FAKE_IAM_ROLE_NAME' if is_name_str else 'FAKE_IAM_ROLE_NAME'

    # NOTE(review): the token effect presumably stands for the metadata
    # session-token request. When it times out the test still expects
    # credentials, i.e. the code under test is expected to carry on without
    # a token -- confirm that this tokenless fallback is intended.
    if token_timeout:
        token_effects = [socket.timeout]
    else:
        token_effects = [MockUrlLibResponse(data='ABCDEFG==')]

    urlopen_sequence = (
        token_effects
        + [MockUrlLibResponse(data=role_name_data)]
        + token_effects
        + [MockUrlLibResponse(data=credentials_document)]
    )
    mocker.patch('watchdog.urlopen', side_effect=urlopen_sequence)

    result = watchdog.get_aws_security_credentials(
        fake_config, 'metadata:', 'us-east-1')

    for field, expected in (
            ('AccessKeyId', ACCESS_KEY_ID_VAL),
            ('SecretAccessKey', SECRET_ACCESS_KEY_VAL),
            ('Token', SESSION_TOKEN_VAL)):
        assert result[field] == expected
def test_get_aws_security_credentials_instance_metadata_no_response(mocker):
    """The ``metadata:`` source yields a falsy result when the request helper returns None."""
    fake_config = get_fake_config()
    # Every metadata request made through the helper comes back empty.
    mocker.patch('watchdog.url_request_helper', return_value=None)

    result = watchdog.get_aws_security_credentials(
        fake_config, 'metadata:', 'us-east-1')

    assert not result
def test_get_aws_security_credentials_not_found_file_not_found(mocker):
    """The ``credentials:default`` source yields a falsy result when no file exists."""
    fake_config = get_fake_config()
    # os.path.exists reports False for every path during this test.
    mocker.patch('os.path.exists', return_value=False)

    result = watchdog.get_aws_security_credentials(
        fake_config, 'credentials:default', 'us-east-1')

    assert not result
def test_get_aws_security_credentials_not_found_bad_credentials_source():
    """The ``dummy:source`` credentials source yields a falsy result."""
    fake_config = get_fake_config()

    # Nothing is mocked: the source string alone must lead to "no credentials".
    result = watchdog.get_aws_security_credentials(
        fake_config, 'dummy:source', 'us-east-1')

    assert not result
def test_get_aws_security_credentials_instance_metadata_no_response(mocker):
    """The ``metadata:`` source yields a falsy result when the request helper returns None."""
    # Every metadata request made through the helper comes back empty.
    mocker.patch('watchdog.url_request_helper', return_value=None)

    result = watchdog.get_aws_security_credentials('metadata:')

    assert not result
def test_get_aws_security_credentials_ecs_no_response(mocker):
    """The ``ecs:`` source yields a falsy result when the request helper returns None."""
    # Every request made through the helper comes back empty.
    mocker.patch('watchdog.url_request_helper', return_value=None)

    result = watchdog.get_aws_security_credentials('ecs:fake_uri')

    assert not result
def test_get_aws_security_credentials_not_found_file_not_found(mocker):
    """The ``credentials:default`` source yields a falsy result when no file exists."""
    # os.path.exists reports False for every path during this test.
    mocker.patch('os.path.exists', return_value=False)

    result = watchdog.get_aws_security_credentials('credentials:default')

    assert not result
def test_get_aws_security_credentials_not_found_bad_credentials_source():
    """The ``dummy:source`` credentials source yields a falsy result."""
    # Nothing is mocked: the source string alone must lead to "no credentials".
    result = watchdog.get_aws_security_credentials('dummy:source')

    assert not result
def test_get_aws_security_credentials_ecs_no_response(mocker):
    """The ``ecs:`` source yields a falsy result when the request helper returns None."""
    fake_config = get_fake_config()
    # Every request made through the helper comes back empty.
    mocker.patch("watchdog.url_request_helper", return_value=None)

    result = watchdog.get_aws_security_credentials(
        fake_config, "ecs:fake_uri", "us-east-1")

    assert not result