File: test_public_apis.py

package info (click to toggle)
python-botocore 1.12.103%2Brepack-1
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 41,552 kB
  • sloc: python: 43,119; xml: 15,052; makefile: 131
file content (76 lines) | stat: -rw-r--r-- 2,763 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
 
# Copyright 2012-2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"). You
# may not use this file except in compliance with the License. A copy of
# the License is located at
#
# http://aws.amazon.com/apache2.0/
#
# or in the "license" file accompanying this file. This file is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
# ANY KIND, either express or implied. See the License for the specific
# language governing permissions and limitations under the License.
from collections import defaultdict

import mock

from tests import ClientHTTPStubber
from botocore.session import Session
from botocore.exceptions import NoCredentialsError
from botocore import xform_name


REGIONS = defaultdict(lambda: 'us-east-1')
PUBLIC_API_TESTS = {
    "cognito-identity": {
        "GetId": {"IdentityPoolId": "region:1234"},
        "GetOpenIdToken": {"IdentityId": "region:1234"},
        "UnlinkIdentity": {
            "IdentityId": "region:1234", "Logins": {}, "LoginsToRemove": []},
        "GetCredentialsForIdentity": {"IdentityId": "region:1234"},
    },
    "sts": {
        "AssumeRoleWithSaml": {
            "PrincipalArn": "a"*20, "RoleArn": "a"*20, "SAMLAssertion": "abcd",
        },
        "AssumeRoleWithWebIdentity": {
            "RoleArn": "a"*20,
            "RoleSessionName": "foo",
            "WebIdentityToken": "abcd",
        },
    },
}


class EarlyExit(Exception):
    pass


def _test_public_apis_will_not_be_signed(client, operation, kwargs):
    with ClientHTTPStubber(client) as http_stubber:
        http_stubber.responses.append(EarlyExit())
        try:
            operation(**kwargs)
        except EarlyExit:
            pass
        request = http_stubber.requests[0]
    sig_v2_disabled = 'SignatureVersion=2' not in request.url
    assert sig_v2_disabled, "SigV2 is incorrectly enabled"
    sig_v3_disabled = 'X-Amzn-Authorization' not in request.headers
    assert sig_v3_disabled, "SigV3 is incorrectly enabled"
    sig_v4_disabled = 'Authorization' not in request.headers
    assert sig_v4_disabled, "SigV4 is incorrectly enabled"


def test_public_apis_will_not_be_signed():
    session = Session()

    # Mimic the scenario that user does not have aws credentials setup
    session.get_credentials = mock.Mock(return_value=None)

    for service_name in PUBLIC_API_TESTS:
        client = session.create_client(service_name, REGIONS[service_name])
        for operation_name in PUBLIC_API_TESTS[service_name]:
            kwargs = PUBLIC_API_TESTS[service_name][operation_name]
            method = getattr(client, xform_name(operation_name))
            yield _test_public_apis_will_not_be_signed, client, method, kwargs