From 79aa6ab71e8b2cf8c81a177bd26641e7f64f1a4f Mon Sep 17 00:00:00 2001
From: davidlm
Date: Tue, 26 Sep 2023 16:08:53 -0400
Subject: [PATCH] foo
---
 tests/unit/test_credentials.py | 550 +++++++++++---------------------
 1 file changed, 180 insertions(+), 370 deletions(-)
diff --git a/tests/unit/test_credentials.py b/tests/unit/test_credentials.py
index 14585d7a77..1aab8e40b8 100644
--- a/tests/unit/test_credentials.py
+++ b/tests/unit/test_credentials.py
@@ -106,7 +106,7 @@ def setUp(self):
 'token': 'NEW-TOKEN',
 'expiry_time': self.future_time.isoformat(),
 'role_name': 'rolename',
- 'account_id': '222',
+ 'account_id': 'NEW-ACCOUNTID',
 }
 self.refresher.return_value = self.metadata
 self.mock_time = mock.Mock()
@@ -114,11 +114,11 @@ def setUp(self):
 'ORIGINAL-ACCESS',
 'ORIGINAL-SECRET',
 'ORIGINAL-TOKEN',
- '111',
 self.expiry_time,
 self.refresher,
 'iam-role',
 time_fetcher=self.mock_time,
+ account_id='ORIGINAL-ACCOUNTID',
 )
 def test_refresh_needed(self):
@@ -132,14 +132,13 @@ def test_refresh_needed(self):
 self.assertEqual(self.creds.access_key, 'NEW-ACCESS')
 self.assertEqual(self.creds.secret_key, 'NEW-SECRET')
 self.assertEqual(self.creds.token, 'NEW-TOKEN')
- self.assertEqual(self.creds.account_id, '222')
+ self.assertEqual(self.creds.account_id, 'NEW-ACCOUNTID')
 def test_no_expiration(self):
 creds = credentials.RefreshableCredentials(
 'ORIGINAL-ACCESS',
 'ORIGINAL-SECRET',
 'ORIGINAL-TOKEN',
- '111',
 None,
 self.refresher,
 'iam-role',
@@ -147,6 +146,54 @@ def test_no_expiration(self):
 )
 self.assertFalse(creds.refresh_needed())
+ def test_no_initial_account_id_no_refresh_needed(self):
+ self.mock_time.return_value = datetime.now(tzlocal())
+ creds = credentials.RefreshableCredentials(
+ 'ORIGINAL-ACCESS',
+ 'ORIGINAL-SECRET',
+ 'ORIGINAL-TOKEN',
+ self.future_time,
+ self.refresher,
+ 'iam-role',
+ time_fetcher=self.mock_time,
+ account_id=None,
+ )
+ self.assertFalse(creds.refresh_needed())
+ self.assertIsNone(creds.account_id)
+
+ def test_no_initial_account_id_refresh_needed(self):
+ self.mock_time.return_value = datetime.now(tzlocal())
+ creds = credentials.RefreshableCredentials(
+ 'ORIGINAL-ACCESS',
+ 'ORIGINAL-SECRET',
+ 'ORIGINAL-TOKEN',
+ self.expiry_time,
+ self.refresher,
+ 'iam-role',
+ time_fetcher=self.mock_time,
+ account_id=None,
+ )
+ self.assertTrue(creds.refresh_needed())
+ self.assertEqual(creds.account_id, 'NEW-ACCOUNTID')
+
+ def test_refresh_needed_no_account_id_in_metadata(self):
+ self.mock_time.return_value = datetime.now(tzlocal())
+ metadata = self.metadata.copy()
+ del metadata['account_id']
+ self.refresher.return_value = metadata
+ creds = credentials.RefreshableCredentials(
+ 'ORIGINAL-ACCESS',
+ 'ORIGINAL-SECRET',
+ 'ORIGINAL-TOKEN',
+ self.expiry_time,
+ self.refresher,
+ 'iam-role',
+ time_fetcher=self.mock_time,
+ account_id='ORIGINAL-ACCOUNTID',
+ )
+ self.assertTrue(creds.refresh_needed())
+ self.assertIsNone(creds.account_id)
+
 def test_no_refresh_needed(self):
 # The expiry time was 30 minutes ago, let's say it's an hour
 # ago currently. That would mean we don't need a refresh.
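Review bot: `test_refresh_needed_no_account_id_in_metadata` pins that a refresh whose metadata carries no `account_id` replaces `'ORIGINAL-ACCOUNTID'` with `None`, but nothing in the test records that this is deliberate. A comment such as `# a refresh without account_id must clear the old value, so refreshed keys are never paired with a stale account id` would state the intent, assuming that is the intent. Both refresh tests also appear to rely on reading `creds.account_id` to trigger the refresh; adding `self.refresher.assert_called_once()` after that read, and `self.refresher.assert_not_called()` at the end of `test_no_initial_account_id_no_refresh_needed`, would make the dependency explicit.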
@@ -158,7 +205,7 @@ def test_no_refresh_needed(self):
 self.assertEqual(self.creds.access_key, 'ORIGINAL-ACCESS')
 self.assertEqual(self.creds.secret_key, 'ORIGINAL-SECRET')
 self.assertEqual(self.creds.token, 'ORIGINAL-TOKEN')
- self.assertEqual(self.creds.account_id, '111')
+ self.assertEqual(self.creds.account_id, 'ORIGINAL-ACCOUNTID')
 def test_get_credentials_set(self):
 # We need to return a consistent set of credentials to use during the
@@ -171,7 +218,7 @@ def test_get_credentials_set(self):
 self.assertEqual(credential_set.access_key, 'ORIGINAL-ACCESS')
 self.assertEqual(credential_set.secret_key, 'ORIGINAL-SECRET')
 self.assertEqual(credential_set.token, 'ORIGINAL-TOKEN')
- self.assertEqual(self.creds.account_id, '111')
+ self.assertEqual(credential_set.account_id, 'ORIGINAL-ACCOUNTID')
 def test_refresh_returns_empty_dict(self):
 self.refresher.return_value = {}
@@ -208,7 +255,6 @@ def setUp(self):
 'token': 'NEW-TOKEN',
 'expiry_time': self.future_time.isoformat(),
 'role_name': 'rolename',
- 'account_id': '123456789012',
 }
 self.refresher.return_value = self.metadata
 self.mock_time = mock.Mock()
@@ -260,13 +306,17 @@ def get_expected_creds_from_response(self, response):
 expiration = response['Credentials']['Expiration']
 if isinstance(expiration, datetime):
 expiration = expiration.isoformat()
- user_arn = response['AssumedRoleUser']['Arn']
+ user_arn = response.get('AssumedRoleUser', {}).get('Arn')
+ if user_arn is not None:
+ account_id = ArnParser().parse_arn(user_arn)['account']
+ else:
+ account_id = None
 return {
 'access_key': response['Credentials']['AccessKeyId'],
 'secret_key': response['Credentials']['SecretAccessKey'],
 'token': response['Credentials']['SessionToken'],
 'expiry_time': expiration,
- 'account_id': ArnParser().parse_arn(user_arn)['account'],
+ 'account_id': account_id,
 }
 def some_future_time(self):
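Review bot: In `get_expected_creds_from_response` the expected `account_id` is computed with `ArnParser().parse_arn(user_arn)['account']`, presumably the same parser the fetcher itself uses, so the fetcher tests compare the parser with itself and would still pass if both picked the wrong ARN field. Tests that supply an `AssumedRoleUser` ARN should also assert the literal, e.g. `self.assertEqual(response['account_id'], '123456789012')`. The same helper body is repeated in `TestAssumeRoleWithWebIdentityCredentialFetcher` (the hunk at -790,14); one shared helper would keep the two copies from drifting. The helper starts above this hunk, so its full body is not visible here.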
@@ -281,10 +331,6 @@ def test_no_cache(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 refresher = credentials.AssumeRoleCredentialFetcher(
@@ -309,10 +355,6 @@ def test_expiration_in_datetime_format(self):
 # are immediately expired.
 'Expiration': self.some_future_time(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 refresher = credentials.AssumeRoleCredentialFetcher(
@@ -335,11 +377,7 @@ def test_retrieves_from_cache(self):
 'SecretAccessKey': 'bar-cached',
 'SessionToken': 'baz-cached',
 'Expiration': utc_timestamp,
- },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012-cached:assumed-role/foo',
- },
+ }
 }
 }
 client_creator = mock.Mock()
@@ -363,10 +401,6 @@ def test_cache_key_is_windows_safe(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 cache = {}
 client_creator = self.create_client_creator(with_response=response)
@@ -377,6 +411,7 @@ def test_cache_key_is_windows_safe(self):
 )
 refresher.fetch_credentials()
+
 # On windows, you cannot use a a ':' in the filename, so
 # we need to make sure that it doesn't make it into the cache key.
 cache_key = '75c539f0711ba78c5b9e488d0add95f178a54d74'
@@ -391,10 +426,6 @@ def test_cache_key_with_role_session_name(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 cache = {}
 client_creator = self.create_client_creator(with_response=response)
@@ -408,6 +439,7 @@ def test_cache_key_with_role_session_name(self):
 extra_args={'RoleSessionName': role_session_name},
 )
 refresher.fetch_credentials()
+
 # This is the sha256 hex digest of the expected assume role args.
 cache_key = '2964201f5648c8be5b9460a9cf842d73a266daf2'
 self.assertIn(cache_key, cache)
@@ -421,10 +453,6 @@ def test_cache_key_with_policy(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 cache = {}
 client_creator = self.create_client_creator(with_response=response)
@@ -445,6 +473,7 @@ def test_cache_key_with_policy(self):
 extra_args={'Policy': policy},
 )
 refresher.fetch_credentials()
+
 # This is the sha256 hex digest of the expected assume role args.
 cache_key = '176f223d915e82456c253545e192aa21d68f5ab8'
 self.assertIn(cache_key, cache)
@@ -458,10 +487,6 @@ def test_assume_role_in_cache_but_expired(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 cache = {
@@ -471,11 +496,7 @@ def test_assume_role_in_cache_but_expired(self):
 'SecretAccessKey': 'bar-cached',
 'SessionToken': 'baz-cached',
 'Expiration': datetime.now(tzlocal()),
- },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012-cached:assumed-role/foo',
- },
+ }
 }
 }
@@ -495,10 +516,6 @@ def test_role_session_name_can_be_provided(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 role_session_name = 'myname'
@@ -524,10 +541,6 @@ def test_external_id_can_be_provided(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 external_id = 'my_external_id'
@@ -555,10 +568,6 @@ def test_policy_can_be_provided(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 policy = json.dumps(
@@ -591,10 +600,6 @@ def test_duration_seconds_can_be_provided(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 duration = 1234
@@ -622,10 +627,6 @@ def test_mfa(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 prompter = mock.Mock(return_value='token-code')
@@ -666,10 +667,6 @@ def test_refreshes(self):
 datetime.now(tzlocal()) - timedelta(seconds=100)
 ).isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 },
 {
 'Credentials': {
@@ -677,11 +674,7 @@ def test_refreshes(self):
 'SecretAccessKey': 'bar',
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
- },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
+ }
 },
 ]
 client_creator = self.create_client_creator(with_response=responses)
@@ -714,10 +707,6 @@ def test_mfa_refresh_enabled(self):
 datetime.now(tzlocal()) - timedelta(seconds=100)
 ).isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 },
 {
 'Credentials': {
@@ -725,11 +714,7 @@ def test_mfa_refresh_enabled(self):
 'SecretAccessKey': 'bar',
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
- },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
+ }
 },
 ]
 client_creator = self.create_client_creator(with_response=responses)
@@ -763,6 +748,99 @@ def test_mfa_refresh_enabled(self):
 ]
 self.assertEqual(calls, expected_calls)
+ def test_no_cache_account_id(self):
+ response = {
+ 'Credentials': {
+ 'AccessKeyId': 'foo',
+ 'SecretAccessKey': 'bar',
+ 'SessionToken': 'baz',
+ 'Expiration': self.some_future_time().isoformat(),
+ },
+ 'AssumedRoleUser': {
+ 'AssumedRoleId': 'ARO123EXAMPLE123:myrole',
+ 'Arn': 'arn:aws:sts::123456789012:assumed-role/myrole',
+ },
+ }
+ client_creator = self.create_client_creator(with_response=response)
+ refresher = credentials.AssumeRoleCredentialFetcher(
+ client_creator, self.source_creds, self.role_arn
+ )
+
+ expected_response = self.get_expected_creds_from_response(response)
+ response = refresher.fetch_credentials()
+
+ self.assertEqual(response, expected_response)
+
+ def test_retrieves_from_cache_account_id(self):
+ date_in_future = datetime.utcnow() + timedelta(seconds=1000)
+ utc_timestamp = date_in_future.isoformat() + 'Z'
+ cache_key = '793d6e2f27667ab2da104824407e486bfec24a47'
+ cache = {
+ cache_key: {
+ 'Credentials': {
+ 'AccessKeyId': 'foo-cached',
+ 'SecretAccessKey': 'bar-cached',
+ 'SessionToken': 'baz-cached',
+ 'Expiration': utc_timestamp,
+ 'AccountId': '123456789012-cached',
+ },
+ 'AssumedRoleUser': {
+ 'AssumedRoleId': 'ARO123EXAMPLE123:myrole',
+ 'Arn': 'arn:aws:sts::123456789012-cached:assumed-role/myrole',
+ },
+ }
+ }
+ client_creator = mock.Mock()
+ refresher = credentials.AssumeRoleCredentialFetcher(
+ client_creator, self.source_creds, self.role_arn, cache=cache
+ )
+
+ expected_response = self.get_expected_creds_from_response(
+ cache[cache_key]
+ )
+ response = refresher.fetch_credentials()
+
+ self.assertEqual(response, expected_response)
+ client_creator.assert_not_called()
+
+ def test_expired_cache_account_id(self):
+ response = {
+ 'Credentials': {
+ 'AccessKeyId': 'foo',
+ 'SecretAccessKey': 'bar',
+ 'SessionToken': 'baz',
+ 'Expiration': self.some_future_time().isoformat(),
+ },
+ 'AssumedRoleUser': {
+ 'AssumedRoleId': 'ARO123EXAMPLE123:myrole',
+ 'Arn': 'arn:aws:sts::123456789012:assumed-role/myrole',
+ },
+ }
+ client_creator = self.create_client_creator(with_response=response)
+ cache = {
+ 'development--myrole': {
+ 'Credentials': {
+ 'AccessKeyId': 'foo-cached',
+ 'SecretAccessKey': 'bar-cached',
+ 'SessionToken': 'baz-cached',
+ 'Expiration': datetime.now(tzlocal()),
+ 'AccountId': '123456789012-cached',
+ },
+ 'AssumedRoleUser': {
+ 'AssumedRoleId': 'ARO123EXAMPLE123:myrole',
+ 'Arn': 'arn:aws:sts::123456789012:assumed-role/myrole',
+ },
+ }
+ }
+
+ refresher = credentials.AssumeRoleCredentialFetcher(
+ client_creator, self.source_creds, self.role_arn, cache=cache
+ )
+ expected = self.get_expected_creds_from_response(response)
+ response = refresher.fetch_credentials()
+
+ self.assertEqual(response, expected)
+
 class TestAssumeRoleWithWebIdentityCredentialFetcher(BaseEnvVar):
 def setUp(self):
@@ -790,14 +868,17 @@ def get_expected_creds_from_response(self, response):
 expiration = response['Credentials']['Expiration']
 if isinstance(expiration, datetime):
 expiration = expiration.isoformat()
+ user_arn = response.get('AssumedRoleUser', {}).get('Arn')
+ if user_arn is not None:
+ account_id = ArnParser().parse_arn(user_arn)['account']
+ else:
+ account_id = None
 return {
 'access_key': response['Credentials']['AccessKeyId'],
 'secret_key': response['Credentials']['SecretAccessKey'],
 'token': response['Credentials']['SessionToken'],
 'expiry_time': expiration,
- 'account_id': ArnParser().parse_arn(
- response['AssumedRoleUser']['Arn']
- )['account'],
+ 'account_id': account_id,
 }
 def test_no_cache(self):
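Review bot: `test_retrieves_from_cache_account_id` puts the same value `'123456789012-cached'` in both `Credentials['AccountId']` and the `AssumedRoleUser` ARN, so it cannot show which of the two the fetcher reads from a cached entry; giving them different values and asserting the literal account id would pin the precedence. `test_expired_cache_account_id` keys its cache with `'development--myrole'`, while the cache-hit test next to it uses a 40-character hex digest as the key, so the expired entry is probably never looked up and the test would pass without exercising the expiry path. Keying the expired entry with the digest and then asserting that the returned `account_id` is `'123456789012'` rather than `'123456789012-cached'` would cover the case the test name describes. The key derivation is not part of this diff, so the second point is inferred from the visible keys.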
@@ -808,10 +889,6 @@ def test_no_cache(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 refresher = credentials.AssumeRoleWithWebIdentityCredentialFetcher(
@@ -833,11 +910,7 @@ def test_retrieves_from_cache(self):
 'SecretAccessKey': 'bar-cached',
 'SessionToken': 'baz-cached',
 'Expiration': utc_timestamp,
- },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012-cached:assumed-role/foo',
- },
+ }
 }
 }
 client_creator = mock.Mock()
@@ -860,10 +933,6 @@ def test_assume_role_in_cache_but_expired(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 cache = {
@@ -873,11 +942,7 @@ def test_assume_role_in_cache_but_expired(self):
 'SecretAccessKey': 'bar-cached',
 'SessionToken': 'baz-cached',
 'Expiration': datetime.now(tzlocal()),
- },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012-cached:assumed-role/foo',
- },
+ }
 }
 }
@@ -934,10 +999,6 @@ def test_assume_role_with_no_cache(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 mock_loader_cls = self._mock_loader_cls('totally.a.token')
@@ -954,7 +1015,6 @@ def test_assume_role_with_no_cache(self):
 self.assertEqual(creds.access_key, 'foo')
 self.assertEqual(creds.secret_key, 'bar')
 self.assertEqual(creds.token, 'baz')
- self.assertEqual(creds.account_id, '123456789012')
 mock_loader_cls.assert_called_with('/some/path/token.jwt')
 def test_assume_role_retrieves_from_cache(self):
@@ -969,11 +1029,7 @@ def test_assume_role_retrieves_from_cache(self):
 'SecretAccessKey': 'bar-cached',
 'SessionToken': 'baz-cached',
 'Expiration': utc_timestamp,
- },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012-cached:assumed-role/foo',
- },
+ }
 }
 }
 mock_loader_cls = self._mock_loader_cls('totally.a.token')
@@ -991,7 +1047,6 @@ def test_assume_role_retrieves_from_cache(self):
 self.assertEqual(creds.access_key, 'foo-cached')
 self.assertEqual(creds.secret_key, 'bar-cached')
 self.assertEqual(creds.token, 'baz-cached')
- self.assertEqual(creds.account_id, '123456789012-cached')
 client_creator.assert_not_called()
 def test_assume_role_in_cache_but_expired(self):
@@ -1004,10 +1059,6 @@ def test_assume_role_in_cache_but_expired(self):
 'SessionToken': 'baz',
 'Expiration': valid_creds,
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 cache = {
 'development--myrole': {
@@ -1016,11 +1067,7 @@ def test_assume_role_in_cache_but_expired(self):
 'SecretAccessKey': 'bar-cached',
 'SessionToken': 'baz-cached',
 'Expiration': expired_creds,
- },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012-cached:assumed-role/foo',
- },
+ }
 }
 }
 client_creator = self.create_client_creator(with_response=response)
@@ -1038,7 +1085,6 @@ def test_assume_role_in_cache_but_expired(self):
 self.assertEqual(creds.access_key, 'foo')
 self.assertEqual(creds.secret_key, 'bar')
 self.assertEqual(creds.token, 'baz')
- self.assertEqual(creds.account_id, '123456789012')
 mock_loader_cls.assert_called_with('/some/path/token.jwt')
 def test_role_session_name_provided(self):
@@ -1050,10 +1096,6 @@ def test_role_session_name_provided(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 mock_loader_cls = self._mock_loader_cls('totally.a.token')
@@ -1089,30 +1131,16 @@ def test_role_arn_not_set(self):
 class TestEnvVar(BaseEnvVar):
- def test_envvars_are_found_no_token_no_account_id(self):
- environ = {
- 'AWS_ACCESS_KEY_ID': 'foo',
- 'AWS_SECRET_ACCESS_KEY': 'bar',
- }
- provider = credentials.EnvProvider(environ)
- creds = provider.load()
- self.assertIsNotNone(creds)
- self.assertEqual(creds.access_key, 'foo')
- self.assertEqual(creds.secret_key, 'bar')
- self.assertEqual(creds.method, 'env')
-
 def test_envvars_are_found_no_token(self):
 environ = {
 'AWS_ACCESS_KEY_ID': 'foo',
 'AWS_SECRET_ACCESS_KEY': 'bar',
- 'AWS_ACCOUNT_ID': '1234567890',
 }
 provider = credentials.EnvProvider(environ)
 creds = provider.load()
 self.assertIsNotNone(creds)
 self.assertEqual(creds.access_key, 'foo')
 self.assertEqual(creds.secret_key, 'bar')
- self.assertEqual(creds.account_id, '1234567890')
 self.assertEqual(creds.method, 'env')
 def test_envvars_found_with_security_token(self):
@@ -1120,7 +1148,6 @@ def test_envvars_found_with_security_token(self):
 'AWS_ACCESS_KEY_ID': 'foo',
 'AWS_SECRET_ACCESS_KEY': 'bar',
 'AWS_SECURITY_TOKEN': 'baz',
- 'AWS_ACCOUNT_ID': '1234567890',
 }
 provider = credentials.EnvProvider(environ)
 creds = provider.load()
@@ -1128,26 +1155,9 @@ def test_envvars_found_with_security_token(self):
 self.assertEqual(creds.access_key, 'foo')
 self.assertEqual(creds.secret_key, 'bar')
 self.assertEqual(creds.token, 'baz')
- self.assertEqual(creds.account_id, '1234567890')
 self.assertEqual(creds.method, 'env')
 def test_envvars_found_with_session_token(self):
- environ = {
- 'AWS_ACCESS_KEY_ID': 'foo',
- 'AWS_SECRET_ACCESS_KEY': 'bar',
- 'AWS_SESSION_TOKEN': 'baz',
- 'AWS_ACCOUNT_ID': '1234567890',
- }
- provider = credentials.EnvProvider(environ)
- creds = provider.load()
- self.assertIsNotNone(creds)
- self.assertEqual(creds.access_key, 'foo')
- self.assertEqual(creds.secret_key, 'bar')
- self.assertEqual(creds.token, 'baz')
- self.assertEqual(creds.account_id, '1234567890')
- self.assertEqual(creds.method, 'env')
-
- def test_envvars_found_no_account_id(self):
 environ = {
 'AWS_ACCESS_KEY_ID': 'foo',
 'AWS_SECRET_ACCESS_KEY': 'bar',
@@ -1171,7 +1181,6 @@ def test_envvars_empty_string(self):
 'AWS_ACCESS_KEY_ID': '',
 'AWS_SECRET_ACCESS_KEY': '',
 'AWS_SECURITY_TOKEN': '',
- 'AWS_ACCOUNT_ID': '',
 }
 provider = credentials.EnvProvider(environ)
 creds = provider.load()
@@ -1216,20 +1225,17 @@ def test_can_override_env_var_mapping(self):
 'FOO_ACCESS_KEY': 'foo',
 'FOO_SECRET_KEY': 'bar',
 'FOO_SESSION_TOKEN': 'baz',
- 'FOO_ACCOUNT_ID': '1234567890',
 }
 mapping = {
 'access_key': 'FOO_ACCESS_KEY',
 'secret_key': 'FOO_SECRET_KEY',
 'token': 'FOO_SESSION_TOKEN',
- 'account_id': 'FOO_ACCOUNT_ID',
 }
 provider = credentials.EnvProvider(environ, mapping)
 creds = provider.load()
 self.assertEqual(creds.access_key, 'foo')
 self.assertEqual(creds.secret_key, 'bar')
 self.assertEqual(creds.token, 'baz')
- self.assertEqual(creds.account_id, '1234567890')
 def test_can_override_partial_env_var_mapping(self):
 # Only changing the access key mapping.
@@ -1240,7 +1246,6 @@ def test_can_override_partial_env_var_mapping(self):
 'FOO_ACCESS_KEY': 'foo',
 'AWS_SECRET_ACCESS_KEY': 'bar',
 'AWS_SESSION_TOKEN': 'baz',
- 'AWS_ACCOUNT_ID': '1234567890',
 }
 provider = credentials.EnvProvider(
 environ, {'access_key': 'FOO_ACCESS_KEY'}
@@ -1249,7 +1254,6 @@ def test_can_override_partial_env_var_mapping(self):
 self.assertEqual(creds.access_key, 'foo')
 self.assertEqual(creds.secret_key, 'bar')
 self.assertEqual(creds.token, 'baz')
- self.assertEqual(creds.account_id, '1234567890')
 def test_can_override_expiry_env_var_mapping(self):
 expiry_time = datetime.now(tzlocal()) - timedelta(hours=1)
@@ -1258,7 +1262,6 @@ def test_can_override_expiry_env_var_mapping(self):
 'AWS_SECRET_ACCESS_KEY': 'bar',
 'AWS_SESSION_TOKEN': 'baz',
 'FOO_EXPIRY': expiry_time.isoformat(),
- 'AWS_ACCOUNT_ID': '1234567890',
 }
 provider = credentials.EnvProvider(
 environ, {'expiry_time': 'FOO_EXPIRY'}
@@ -1325,7 +1328,6 @@ def test_credentials_refresh(self):
 'AWS_SECRET_ACCESS_KEY': 'bar',
 'AWS_SESSION_TOKEN': 'baz',
 'AWS_CREDENTIAL_EXPIRATION': expiry_time.isoformat(),
- 'AWS_ACCOUNT_ID': '1234567890',
 }
 provider = credentials.EnvProvider(environ)
 creds = provider.load()
@@ -1351,7 +1353,6 @@ def test_credentials_refresh(self):
 'AWS_SECRET_ACCESS_KEY': 'bam',
 'AWS_SESSION_TOKEN': 'biz',
 'AWS_CREDENTIAL_EXPIRATION': expiry_time.isoformat(),
- 'AWS_ACCOUNT_ID': '0987654321',
 }
 )
@@ -1359,7 +1360,6 @@ def test_credentials_refresh(self):
 self.assertEqual(frozen.access_key, 'bin')
 self.assertEqual(frozen.secret_key, 'bam')
 self.assertEqual(frozen.token, 'biz')
- self.assertEqual(frozen.account_id, '0987654321')
 def test_credentials_only_refresh_when_needed(self):
 expiry_time = datetime.now(tzlocal()) + timedelta(hours=2)
@@ -2126,10 +2126,6 @@ def test_assume_role_with_no_cache(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 provider = credentials.AssumeRoleProvider(
@@ -2144,7 +2140,6 @@ def test_assume_role_with_no_cache(self):
 self.assertEqual(creds.access_key, 'foo')
 self.assertEqual(creds.secret_key, 'bar')
 self.assertEqual(creds.token, 'baz')
- self.assertEqual(creds.account_id, '123456789012')
 def test_assume_role_with_datetime(self):
 response = {
@@ -2159,10 +2154,6 @@ def test_assume_role_with_datetime(self):
 # are immediately expired.
 'Expiration': datetime.now(tzlocal()) + timedelta(hours=20),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 provider = credentials.AssumeRoleProvider(
@@ -2177,7 +2168,6 @@ def test_assume_role_with_datetime(self):
 self.assertEqual(creds.access_key, 'foo')
 self.assertEqual(creds.secret_key, 'bar')
 self.assertEqual(creds.token, 'baz')
- self.assertEqual(creds.account_id, '123456789012')
 def test_assume_role_refresher_serializes_datetime(self):
 client = mock.Mock()
@@ -2191,11 +2181,7 @@ def test_assume_role_refresher_serializes_datetime(self):
 'SecretAccessKey': 'bar',
 'SessionToken': 'baz',
 'Expiration': expiration,
- },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
+ }
 }
 refresh = create_assume_role_refresher(client, {})
 expiry_time = refresh()['expiry_time']
@@ -2214,12 +2200,7 @@ def test_assume_role_retrieves_from_cache(self):
 'SecretAccessKey': 'bar-cached',
 'SessionToken': 'baz-cached',
 'Expiration': utc_timestamp,
- },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
- 'AccountId': '123456789012',
+ }
 }
 }
 provider = credentials.AssumeRoleProvider(
@@ -2234,7 +2215,6 @@ def test_assume_role_retrieves_from_cache(self):
 self.assertEqual(creds.access_key, 'foo-cached')
 self.assertEqual(creds.secret_key, 'bar-cached')
 self.assertEqual(creds.token, 'baz-cached')
- self.assertEqual(creds.account_id, '123456789012')
 def test_chain_prefers_cache(self):
 date_in_future = datetime.utcnow() + timedelta(seconds=1000)
@@ -2251,12 +2231,7 @@ def test_chain_prefers_cache(self):
 'SecretAccessKey': 'bar-cached',
 'SessionToken': 'baz-cached',
 'Expiration': utc_timestamp,
- },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
- 'AccountId': '123456789012',
+ }
 }
 }
@@ -2276,7 +2251,6 @@ def test_chain_prefers_cache(self):
 self.assertEqual(creds.access_key, 'foo-cached')
 self.assertEqual(creds.secret_key, 'bar-cached')
 self.assertEqual(creds.token, 'baz-cached')
- self.assertEqual(creds.account_id, '123456789012')
 def test_cache_key_is_windows_safe(self):
 response = {
@@ -2286,10 +2260,6 @@ def test_cache_key_is_windows_safe(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 cache = {}
 self.fake_config['profiles']['development'][
@@ -2319,10 +2289,6 @@ def test_cache_key_with_role_session_name(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 cache = {}
 self.fake_config['profiles']['development'][
@@ -2357,10 +2323,6 @@ def test_assume_role_in_cache_but_expired(self):
 'SessionToken': 'baz',
 'Expiration': valid_creds,
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 cache = {
@@ -2370,12 +2332,7 @@ def test_assume_role_in_cache_but_expired(self):
 'SecretAccessKey': 'bar-cached',
 'SessionToken': 'baz-cached',
 'Expiration': expired_creds,
- },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
- 'AccountId': '123456789012',
+ }
 }
 }
 provider = credentials.AssumeRoleProvider(
@@ -2389,8 +2346,7 @@ def test_assume_role_in_cache_but_expired(self):
 self.assertEqual(creds.access_key, 'foo')
 self.assertEqual(creds.secret_key, 'bar')
- self.assertEqual(creds.token, 'baz'),
- self.assertEqual(creds.account_id, '123456789012')
+ self.assertEqual(creds.token, 'baz')
 def test_role_session_name_provided(self):
 dev_profile = self.fake_config['profiles']['development']
@@ -2402,10 +2358,6 @@ def test_role_session_name_provided(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 provider = credentials.AssumeRoleProvider(
@@ -2432,10 +2384,6 @@ def test_external_id_provided(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 provider = credentials.AssumeRoleProvider(
@@ -2462,10 +2410,6 @@ def test_assume_role_with_duration(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 provider = credentials.AssumeRoleProvider(
@@ -2494,10 +2438,6 @@ def test_assume_role_with_bad_duration(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 provider = credentials.AssumeRoleProvider(
@@ -2524,10 +2464,6 @@ def test_assume_role_with_mfa(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 prompter = mock.Mock(return_value='token-code')
@@ -2568,10 +2504,6 @@ def test_assume_role_populates_session_name_on_refresh(self):
 # refresh behavior will be triggered.
 'Expiration': expiration_time.isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 },
 {
 'Credentials': {
@@ -2579,11 +2511,7 @@ def test_assume_role_populates_session_name_on_refresh(self):
 'SecretAccessKey': 'bar',
 'SessionToken': 'baz',
 'Expiration': next_expiration_time.isoformat(),
- },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
+ }
 },
 ]
 client_creator = self.create_client_creator(with_response=responses)
@@ -2632,10 +2560,6 @@ def test_assume_role_mfa_cannot_refresh_credentials(self):
 # refresh behavior will be triggered.
 'Expiration': expiration_time.isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 provider = credentials.AssumeRoleProvider(
@@ -2783,10 +2707,6 @@ def test_assume_role_with_credential_source(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
@@ -2819,7 +2739,6 @@ def test_assume_role_with_credential_source(self):
 self.assertEqual(creds.access_key, 'foo')
 self.assertEqual(creds.secret_key, 'bar')
 self.assertEqual(creds.token, 'baz')
- self.assertEqual(creds.account_id, '123456789012')
 client_creator.assert_called_with(
 'sts',
 aws_access_key_id=fake_creds.access_key,
@@ -2863,10 +2782,6 @@ def test_source_profile_can_reference_self(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
@@ -2892,7 +2807,6 @@ def test_source_profile_can_reference_self(self):
 self.assertEqual(creds.access_key, 'foo')
 self.assertEqual(creds.secret_key, 'bar')
 self.assertEqual(creds.token, 'baz')
- self.assertEqual(creds.account_id, '123456789012')
 def test_infinite_looping_profiles_raises_error(self):
 config = {
@@ -2914,8 +2828,8 @@ def test_infinite_looping_profiles_raises_error(self):
 def test_recursive_assume_role(self):
 assume_responses = [
- Credentials('foo', 'bar', 'baz', '123456789012'),
- Credentials('spam', 'eggs', 'spamandegss', '123456789012'),
+ Credentials('foo', 'bar', 'baz'),
+ Credentials('spam', 'eggs', 'spamandegss'),
 ]
 responses = []
 for credential_set in assume_responses:
@@ -2926,11 +2840,7 @@ def test_recursive_assume_role(self):
 'SecretAccessKey': credential_set.secret_key,
 'SessionToken': credential_set.token,
 'Expiration': self.some_future_time().isoformat(),
- },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
+ }
 }
 )
 client_creator = self.create_client_creator(with_response=responses)
@@ -2959,7 +2869,6 @@ def test_recursive_assume_role(self):
 self.assertEqual(creds.access_key, expected_creds.access_key)
 self.assertEqual(creds.secret_key, expected_creds.secret_key)
 self.assertEqual(creds.token, expected_creds.token)
- self.assertEqual(creds.account_id, expected_creds.account_id)
 client_creator.assert_has_calls(
 [
@@ -2986,10 +2895,6 @@ def test_assume_role_with_profile_provider(self):
 'SessionToken': 'baz',
 'Expiration': self.some_future_time().isoformat(),
 },
- 'AssumedRoleUser': {
- 'AssumedRoleId': 'foo',
- 'Arn': 'arn:aws:iam::123456789012:assumed-role/foo',
- },
 }
 client_creator = self.create_client_creator(with_response=response)
 mock_builder = mock.Mock(spec=ProfileProviderBuilder)
@@ -3446,63 +3351,6 @@ def test_can_retrieve_via_process(self):
 self.assertEqual(creds.secret_key, 'bar')
 self.assertEqual(creds.token, 'baz')
 self.assertEqual(creds.method, 'custom-process')
- self.assertEqual(creds.account_id, None)
- self.popen_mock.assert_called_with(
- ['my-process'], stdout=subprocess.PIPE, stderr=subprocess.PIPE
- )
-
- def test_can_retrieve_via_process_with_account_id(self):
- self.loaded_config['profiles'] = {
- 'default': {'credential_process': 'my-process'}
- }
- self._set_process_return_value(
- {
- 'Version': 1,
- 'AccessKeyId': 'foo',
- 'SecretAccessKey': 'bar',
- 'SessionToken': 'baz',
- 'Expiration': '2999-01-01T00:00:00Z',
- 'AccountId': '123456789012',
- }
- )
-
- provider = self.create_process_provider()
- creds = provider.load()
- self.assertIsNotNone(creds)
- self.assertEqual(creds.access_key, 'foo')
- self.assertEqual(creds.secret_key, 'bar')
- self.assertEqual(creds.token, 'baz')
- self.assertEqual(creds.method, 'custom-process')
- self.assertEqual(creds.account_id, '123456789012')
- self.popen_mock.assert_called_with(
- ['my-process'], stdout=subprocess.PIPE, stderr=subprocess.PIPE
- )
-
- def test_can_retrieve_via_process_with_profile_account_id(self):
- self.loaded_config['profiles'] = {
- 'default': {
- 'credential_process': 'my-process',
- 'aws_account_id': '123456789012',
- }
- }
- self._set_process_return_value(
- {
- 'Version': 1,
- 'AccessKeyId': 'foo',
- 'SecretAccessKey': 'bar',
- 'SessionToken': 'baz',
- 'Expiration': '2999-01-01T00:00:00Z',
- }
- )
-
- provider = self.create_process_provider()
- creds = provider.load()
- self.assertIsNotNone(creds)
- self.assertEqual(creds.access_key, 'foo')
- self.assertEqual(creds.secret_key, 'bar')
- self.assertEqual(creds.token, 'baz')
- self.assertEqual(creds.method, 'custom-process')
- self.assertEqual(creds.account_id, '123456789012')
 self.popen_mock.assert_called_with(
 ['my-process'], stdout=subprocess.PIPE, stderr=subprocess.PIPE
 )
@@ -3520,7 +3368,6 @@ def test_can_pass_arguments_through(self):
 'SecretAccessKey': 'bar',
 'SessionToken': 'baz',
 'Expiration': '2999-01-01T00:00:00Z',
- 'AccountId': '123456789012',
 }
 )
@@ -3550,7 +3397,6 @@ def test_can_refresh_credentials(self):
 'SecretAccessKey': 'bar',
 'SessionToken': 'baz',
 'Expiration': expired_date,
- 'AccountId': '123456789012',
 }
 )
 new_creds = self._get_output(
@@ -3560,7 +3406,6 @@ def test_can_refresh_credentials(self):
 'SecretAccessKey': 'bar2',
 'SessionToken': 'baz2',
 'Expiration': future_date,
- 'AccountId': '123456789012',
 }
 )
 self.invoked_process.communicate.side_effect = [old_creds, new_creds]
@@ -3573,7 +3418,6 @@ def test_can_refresh_credentials(self):
 self.assertEqual(creds.secret_key, 'bar2')
 self.assertEqual(creds.token, 'baz2')
 self.assertEqual(creds.method, 'custom-process')
- self.assertEqual(creds.account_id, '123456789012')
 def test_non_zero_rc_raises_exception(self):
 self.loaded_config['profiles'] = {
@@ -3598,7 +3442,6 @@ def test_unsupported_version_raises_mismatch(self):
 'SecretAccessKey': 'bar',
 'SessionToken': 'baz',
 'Expiration': '2999-01-01T00:00:00Z',
- 'AccountId': '123456789012',
 }
 )
@@ -3618,7 +3461,6 @@ def test_missing_version_in_payload_returned_raises_exception(self):
 'SecretAccessKey': 'bar',
 'SessionToken': 'baz',
 'Expiration': '2999-01-01T00:00:00Z',
- 'AccountId': '123456789012',
 }
 )
@@ -3638,7 +3480,6 @@ def test_missing_access_key_raises_exception(self):
 'SecretAccessKey': 'bar',
 'SessionToken': 'baz',
 'Expiration': '2999-01-01T00:00:00Z',
- 'AccountId': '123456789012',
 }
 )
@@ -3658,7 +3499,6 @@ def test_missing_secret_key_raises_exception(self):
 # Missing secret key.
 'SessionToken': 'baz',
 'Expiration': '2999-01-01T00:00:00Z',
- 'AccountId': '123456789012',
 }
 )
@@ -3678,7 +3518,6 @@ def test_missing_session_token(self):
 'SecretAccessKey': 'bar',
 # Missing session token.
 'Expiration': '2999-01-01T00:00:00Z',
- 'AccountId': '123456789012',
 }
 )
@@ -3689,7 +3528,6 @@ def test_missing_session_token(self):
 self.assertEqual(creds.secret_key, 'bar')
 self.assertIsNone(creds.token)
 self.assertEqual(creds.method, 'custom-process')
- self.assertEqual(creds.account_id, '123456789012')
 def test_missing_expiration(self):
 self.loaded_config['profiles'] = {
@@ -3702,31 +3540,6 @@ def test_missing_expiration(self):
 'SecretAccessKey': 'bar',
 'SessionToken': 'baz',
 # Missing expiration.
- 'AccountId': '123456789012',
- }
- )
-
- provider = self.create_process_provider()
- creds = provider.load()
- self.assertIsNotNone(creds)
- self.assertEqual(creds.access_key, 'foo')
- self.assertEqual(creds.secret_key, 'bar')
- self.assertEqual(creds.token, 'baz')
- self.assertEqual(creds.method, 'custom-process')
- self.assertEqual(creds.account_id, '123456789012')
-
- def test_missing_account_id(self):
- self.loaded_config['profiles'] = {
- 'default': {'credential_process': 'my-process'}
- }
- self._set_process_return_value(
- {
- 'Version': 1,
- 'AccessKeyId': 'foo',
- 'SecretAccessKey': 'bar',
- 'SessionToken': 'baz',
- 'Expiration': '2999-01-01T00:00:00Z',
- # Missing account id.
 }
 )
@@ -3748,7 +3561,6 @@ def test_missing_expiration_and_session_token(self):
 'AccessKeyId': 'foo',
 'SecretAccessKey': 'bar',
 # Missing session token and expiration
- 'AccountId': '123456789012',
 }
 )
@@ -3839,7 +3651,6 @@ def test_can_fetch_credentials(self):
 self.assertEqual(credentials['secret_key'], 'bar')
 self.assertEqual(credentials['token'], 'baz')
 self.assertEqual(credentials['expiry_time'], '2008-09-23T12:43:20Z')
- self.assertEqual(credentials['account_id'], self.account_id)
 cache_key = '048db75bbe50955c16af7aba6ff9c41a3131bb7e'
 expected_cached_credentials = {
 'ProviderType': 'sso',
@@ -3848,6 +3659,7 @@ def test_can_fetch_credentials(self):
 'SecretAccessKey': 'bar',
 'SessionToken': 'baz',
 'Expiration': '2008-09-23T12:43:20Z',
+ 'AccountId': '1234567890',
 },
 }
 self.assertEqual(self.cache[cache_key], expected_cached_credentials)
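Review bot: In `test_can_fetch_credentials` the expected cache entry now hard-codes `'AccountId': '1234567890'` inside `'Credentials'`, while the preceding hunk (`@@ -3839,7 +3651,6 @@`) drops the assertion on `credentials['account_id']`, so the account id is only checked through the cache write. If the literal is meant to equal the fixture used by the removed assertion, write it as `'AccountId': self.account_id,` so the two cannot drift apart. The read side is not covered in the visible hunks either: `@@ -3950,8 +3761,7 @@` (`test_load_sso_credentials_with_cache`) removes `'AccountId'` from `cached_creds` and asserts nothing about it, so an entry in the new nested shape is never loaded back from the cache. The body of the test starts outside this hunk.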
@@ -3941,7 +3753,6 @@ def test_load_sso_credentials_without_cache(self):
 self.assertEqual(credentials.access_key, 'foo')
 self.assertEqual(credentials.secret_key, 'bar')
 self.assertEqual(credentials.token, 'baz')
- self.assertEqual(credentials.account_id, self.account_id)
 def test_load_sso_credentials_with_cache(self):
 cached_creds = {
@@ -3950,8 +3761,7 @@ def test_load_sso_credentials_with_cache(self):
 'SecretAccessKey': 'cached-sak',
 'SessionToken': 'cached-st',
 'Expiration': self.expires_at.strftime('%Y-%m-%dT%H:%M:%S%Z'),
- },
- 'AccountId': self.account_id,
+ }
 }
 self.cache[self.cached_creds_key] = cached_creds
 credentials = self.provider.load()