<?php

namespace AsyncAws\Core\Tests\Integration;

use AsyncAws\Core\Credentials\Credentials;
use AsyncAws\Core\Credentials\NullProvider;
use AsyncAws\Core\Sts\Input\AssumeRoleRequest;
use AsyncAws\Core\Sts\Input\AssumeRoleWithWebIdentityRequest;
use AsyncAws\Core\Sts\Input\GetCallerIdentityRequest;
use AsyncAws\Core\Sts\StsClient;
use AsyncAws\Core\Sts\ValueObject\PolicyDescriptorType;
use AsyncAws\Core\Sts\ValueObject\Tag;
use AsyncAws\Core\Test\TestCase;

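/**
 * Integration tests for the STS client.
 *
 * The first three tests call a local endpoint (http://localhost:4566 — presumably
 * a LocalStack-style emulator; confirm against the CI setup) with placeholder
 * credentials. The remaining tests only exercise request presigning and never
 * perform a network call. Every key, token, ARN and secret in this file is a
 * dummy fixture value, not real material.
 */
class StsClientTest extends TestCase
{
    /**
     * AssumeRole with every optional field populated: the returned session must
     * carry credentials whose expiration does not exceed the requested 300 seconds.
     */
    public function testAssumeRole(): void
    {
        $client = $this->getClient();

        $input = new AssumeRoleRequest([
            'RoleArn' => 'arn:aws::iam::123456789012:role/demo',
            'RoleSessionName' => 'John-session',
            'PolicyArns' => [new PolicyDescriptorType([
                'arn' => 'arn:aws::iam::123456789012:policy/demo',
            ])],
            'Policy' => '{"Version":"2012-10-17","Statement":[{"Sid": "Stmt1","Effect": "Allow","Action": "s3:*","Resource": "*"}]}',
            'DurationSeconds' => 300,
            'Tags' => [new Tag([
                'Key' => 'Project',
                'Value' => 'Pegasus',
            ])],
            'TransitiveTagKeys' => ['Project', 'Cost-Center'],
            'ExternalId' => '123ABC',
            'SerialNumber' => '12345678',
            'TokenCode' => 'change me',
        ]);
        $result = $client->AssumeRole($input);

        $credentials = $result->getCredentials();
        self::assertNotNull($credentials);
        // DurationSeconds is 300, so the expiration must be at most 5 minutes away.
        self::assertLessThanOrEqual(new \DateTimeImmutable('+5min'), $credentials->getExpiration());

        $assumedRoleUser = $result->getAssumedRoleUser();
        self::assertNotNull($assumedRoleUser);
        self::assertSame('arn:aws:sts::000000000000:assumed-role/demo/John-session', $assumedRoleUser->getArn());
        self::assertSame(6, $result->getPackedPolicySize());
    }

    /**
     * AssumeRoleWithWebIdentity with two policy ARNs: the session ARN must be
     * derived from the requested role and session name.
     */
    public function testAssumeRoleWithWebIdentity(): void
    {
        $client = $this->getClient();

        $input = new AssumeRoleWithWebIdentityRequest([
            'RoleArn' => 'arn:aws:iam::123456789012:role/FederatedWebIdentityRole',
            'RoleSessionName' => 'app1',
            'WebIdentityToken' => 'FooBarBaz',
            'ProviderId' => 'www.amazon.com',
            'PolicyArns' => [new PolicyDescriptorType([
                'arn' => 'arn:aws:iam::123456789012:policy/q=webidentitydemopolicy1',
            ]), new PolicyDescriptorType([
                'arn' => 'arn:aws:iam::123456789012:policy/webidentitydemopolicy2',
            ])],
            'DurationSeconds' => 300,
        ]);
        $result = $client->AssumeRoleWithWebIdentity($input);

        $credentials = $result->getCredentials();
        self::assertNotNull($credentials);
        // DurationSeconds is 300, so the expiration must be at most 5 minutes away.
        self::assertLessThanOrEqual(new \DateTimeImmutable('+5min'), $credentials->getExpiration());

        $assumedRoleUser = $result->getAssumedRoleUser();
        self::assertNotNull($assumedRoleUser);
        self::assertSame('arn:aws:sts::123456789012:assumed-role/FederatedWebIdentityRole/app1', $assumedRoleUser->getArn());
        self::assertSame(6, $result->getPackedPolicySize());
    }

    /**
     * GetCallerIdentity against the local endpoint: the account and ARN reported
     * for the placeholder credentials are the emulator's default account.
     */
    public function testGetCallerIdentity(): void
    {
        $client = $this->getClient();

        $input = new GetCallerIdentityRequest();
        $result = $client->GetCallerIdentity($input);

        self::assertNotNull($result->getUserId());
        self::assertStringContainsString('000000000000', $result->getAccount());
        self::assertStringContainsString('arn:aws:iam::000000000000:root', $result->getArn());
    }

    /**
     * Presigning must still succeed for an unknown region when a custom endpoint
     * is configured and no credential provider resolves credentials (NullProvider).
     */
    public function testNonAwsRegionWithCustomEndpoint(): void
    {
        $client = new StsClient([
            'endpoint' => 'http://localhost',
            'region' => 'test',
        ], new NullProvider());
        self::assertNotEmpty($client->presign(new AssumeRoleRequest(['RoleArn' => 'demo', 'RoleSessionName' => 'demo'])));
    }

    /**
     * A region that is not recognized should be treated as "default" region.
     */
    public function testNonAwsRegion(): void
    {
        $client = new StsClient([
            'region' => 'test',
        ], new NullProvider());

        self::assertNotEmpty($client->presign(new AssumeRoleRequest(['RoleArn' => 'demo', 'RoleSessionName' => 'demo'])));
    }

    /**
     * With a custom endpoint, the SigV4 credential scope in the presigned URL must
     * still be built from the configured region ("demo"), not from the endpoint host.
     */
    public function testCustomEndpointSignature(): void
    {
        $client = new StsClient([
            'endpoint' => 'https://custom.acme.com',
            'region' => 'demo',
            'accessKeyId' => '123',
            'accessKeySecret' => '123',
        ]);

        $url = $client->presign(new AssumeRoleRequest([
            'RoleArn' => 'test',
            'RoleSessionName' => 'test',
        ]));

        // parse_url() returns null/false when the URL has no query part; assert on
        // it explicitly so a regression fails with a clear message rather than a
        // deprecation notice from parse_str() or an undefined-index warning below.
        $queryString = parse_url($url, \PHP_URL_QUERY);
        self::assertIsString($queryString, 'Presigned URL is expected to carry a query string');
        parse_str($queryString, $query);

        self::assertArrayHasKey('X-Amz-Credential', $query);
        self::assertIsString($query['X-Amz-Credential']);
        self::assertStringContainsString('/demo/', $query['X-Amz-Credential']);
    }

    /**
     * Client bound to the local endpoint with static placeholder credentials.
     */
    private function getClient(): StsClient
    {
        return new StsClient([
            'endpoint' => 'http://localhost:4566',
        ], new Credentials('aws_id', 'aws_secret'));
    }
}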