File: credentials_tests.rb

package info (click to toggle)
ruby-fog-aws 3.18.0-2
links: PTS, VCS
area: main
in suites: forky, sid, trixie
size: 8,140 kB
sloc: ruby: 73,328; javascript: 14; makefile: 9; sh: 4
file content (226 lines) | stat: -rw-r--r-- 9,965 bytes
parent folder | download | duplicates (2)
# frozen_string_literal: true

Shindo.tests('AWS | credentials', ['aws']) do
  old_mock_value = Excon.defaults[:mock]
  fog_was_mocked = Fog.mocking?
  Excon.stubs.clear
  Fog.unmock!
  begin
    Excon.defaults[:mock] = true
    Excon.stub({ method: :put, path: '/latest/api/token' }, { status: 200, body: 'token1234' })

    Excon.stub({ method: :get, path: '/latest/meta-data/iam/security-credentials/' }, { status: 200, body: 'arole' })
    Excon.stub({ method: :get, path: '/latest/meta-data/placement/availability-zone/' }, { status: 200, body: 'us-west-1a' })

    expires_at = Time.at(Time.now.to_i + 500)
    credentials = {
      'AccessKeyId' => 'dummykey',
      'SecretAccessKey' => 'dummysecret',
      'Token' => 'dummytoken',
      'Expiration' => expires_at.xmlschema
    }

    Excon.stub({ method: :get, path: '/latest/meta-data/iam/security-credentials/arole' }, { status: 200, body: Fog::JSON.encode(credentials) })

    tests('#fetch_credentials') do
      returns(aws_access_key_id: 'dummykey',
              aws_secret_access_key: 'dummysecret',
              aws_session_token: 'dummytoken',
              region: 'us-west-1',
              aws_credentials_expire_at: expires_at) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true) }
    end

    tests('#fetch_credentials when the v2 token 404s') do
      Excon.stub({ method: :put, path: '/latest/api/token' }, { status: 404, body: 'not found' })
      returns(aws_access_key_id: 'dummykey',
              aws_secret_access_key: 'dummysecret',
              aws_session_token: 'dummytoken',
              region: 'us-west-1',
              aws_credentials_expire_at: expires_at) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true) }
    end

    tests('#fetch_credentials when the v2 disabled') do
      returns(aws_access_key_id: 'dummykey',
              aws_secret_access_key: 'dummysecret',
              aws_session_token: 'dummytoken',
              region: 'us-west-1',
              aws_credentials_expire_at: expires_at) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true, disable_imds_v2: true) }
    end

    ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] = '/v1/credentials?id=task_id'
    Excon.stub({ method: :get, path: '/v1/credentials?id=task_id' }, { status: 200, body: Fog::JSON.encode(credentials) })

    tests('#fetch_credentials') do
      returns(aws_access_key_id: 'dummykey',
              aws_secret_access_key: 'dummysecret',
              aws_session_token: 'dummytoken',
              region: 'us-west-1',
              aws_credentials_expire_at: expires_at) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true) }
    end

    ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] = nil

    ENV['AWS_WEB_IDENTITY_TOKEN_FILE'] = File.dirname(__FILE__) + '/lorem.txt'
    ENV['AWS_ROLE_ARN'] = "dummyrole"
    ENV['AWS_ROLE_SESSION_NAME'] = "dummyrolesessionname"
    document = 
      '<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">'\
        '<AssumeRoleWithWebIdentityResult>'\
          '<Credentials>'\
            '<SessionToken>dummytoken</SessionToken>'\
            '<SecretAccessKey>dummysecret</SecretAccessKey>'\
            "<Expiration>#{expires_at.xmlschema}</Expiration>"\
            '<AccessKeyId>dummykey</AccessKeyId>'\
          '</Credentials>'\
        '</AssumeRoleWithWebIdentityResult>'\
      '</AssumeRoleWithWebIdentityResponse>'
    
    Excon.stub({method: :get, path: "/", idempotent: true}, { status: 200, body: document})

    tests('#fetch_credentials token based') do
      returns(
        aws_access_key_id: 'dummykey',
        aws_secret_access_key: 'dummysecret',
        aws_session_token: 'dummytoken',
        region: 'us-west-1',
        sts_endpoint: "https://sts.amazonaws.com",
        aws_credentials_expire_at: expires_at
      ) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true) }
    end

    ENV['AWS_ROLE_SESSION_NAME'] = nil

    tests('#fetch_credentials token based without session name') do
      returns(
        aws_access_key_id: 'dummykey',
        aws_secret_access_key: 'dummysecret',
        aws_session_token: 'dummytoken',
        region: 'us-west-1',
        sts_endpoint: "https://sts.amazonaws.com",
        aws_credentials_expire_at: expires_at
      ) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true, region: 'us-west-1') }
    end

    ENV["AWS_STS_REGIONAL_ENDPOINTS"] = "regional"

    tests('#fetch_credentials with no region specified') do
      returns(
        aws_access_key_id: 'dummykey',
        aws_secret_access_key: 'dummysecret',
        aws_session_token: 'dummytoken',
        region: 'us-west-1',
        sts_endpoint: "https://sts.amazonaws.com",
        aws_credentials_expire_at: expires_at
      ) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true) }
    end

    tests('#fetch_credentials with regional STS endpoint') do
      returns(
        aws_access_key_id: 'dummykey',
        aws_secret_access_key: 'dummysecret',
        aws_session_token: 'dummytoken',
        region: 'us-west-1',
        sts_endpoint: "https://sts.us-west-1.amazonaws.com",
        aws_credentials_expire_at: expires_at
      ) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true, region: 'us-west-1') }
    end

    ENV["AWS_DEFAULT_REGION"] = "us-west-1"

    tests('#fetch_credentials with regional STS endpoint with region in env') do
      returns(
        aws_access_key_id: 'dummykey',
        aws_secret_access_key: 'dummysecret',
        aws_session_token: 'dummytoken',
        region: 'us-west-1',
        sts_endpoint: "https://sts.us-west-1.amazonaws.com",
        aws_credentials_expire_at: expires_at
      ) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true) }
    end

    ENV["AWS_STS_REGIONAL_ENDPOINTS"] = nil
    ENV["AWS_DEFAULT_REGION"] = nil
    ENV['AWS_WEB_IDENTITY_TOKEN_FILE'] = nil

    storage = Fog::Storage.new(
      :provider => 'AWS',
      :region => 'us-east-1',
      :use_iam_profile => true,
      :aws_credentials_refresh_threshold_seconds => 30)

    tests('#credentials_refresh_threshold') do
      returns(30) { storage.send(:credentials_refresh_threshold) }
    end

    Fog::Time.now = storage.instance_variable_get(:@aws_credentials_expire_at) - 31
    tests('#refresh_credentials_if_expired before credentials have expired and before refresh threshold') do
      returns(nil) { storage.refresh_credentials_if_expired }
      returns('dummykey') { storage.instance_variable_get(:@aws_access_key_id) }
      returns('dummysecret') { storage.instance_variable_get(:@aws_secret_access_key) }
      returns(expires_at) { storage.instance_variable_get(:@aws_credentials_expire_at) }
    end
    Fog::Time.now = Time.now

    credentials['AccessKeyId'] = 'newkey-1'
    credentials['SecretAccessKey'] = 'newsecret-1'
    credentials['Expiration'] = (expires_at + 10).xmlschema

    Excon.stub({ method: :get, path: '/latest/meta-data/iam/security-credentials/arole' }, { status: 200, body: Fog::JSON.encode(credentials) })

    Fog::Time.now = storage.instance_variable_get(:@aws_credentials_expire_at) - 29
    tests('#refresh_credentials_if_expired after refresh threshold is crossed but before expiration') do
      returns(true) { storage.refresh_credentials_if_expired }
      returns('newkey-1') { storage.instance_variable_get(:@aws_access_key_id) }
      returns('newsecret-1') { storage.instance_variable_get(:@aws_secret_access_key) }
      returns(expires_at + 10) { storage.instance_variable_get(:@aws_credentials_expire_at) }
    end
    Fog::Time.now = Time.now

    credentials['AccessKeyId'] = 'newkey-2'
    credentials['SecretAccessKey'] = 'newsecret-2'
    credentials['Expiration'] = (expires_at + 20).xmlschema

    Excon.stub({ method: :get, path: '/latest/meta-data/iam/security-credentials/arole' }, { status: 200, body: Fog::JSON.encode(credentials) })

    Fog::Time.now = storage.instance_variable_get(:@aws_credentials_expire_at) + 1
    tests('#refresh_credentials_if_expired after credentials have expired') do
      returns(true) { storage.refresh_credentials_if_expired }
      returns('newkey-2') { storage.instance_variable_get(:@aws_access_key_id) }
      returns('newsecret-2') { storage.instance_variable_get(:@aws_secret_access_key) }
      returns(expires_at + 20) { storage.instance_variable_get(:@aws_credentials_expire_at) }
    end
    Fog::Time.now = Time.now

    compute = Fog::AWS::Compute.new(use_iam_profile: true)

    tests('#credentials_refresh_threshold when "aws_credentials_refresh_threshold_seconds" is unspecified') do
      returns(15) { compute.send(:credentials_refresh_threshold) }
    end

    default_credentials = Fog::AWS::Compute.fetch_credentials({})
    tests('#fetch_credentials when the url 404s') do
      Excon.stub({ method: :put, path: '/latest/api/token' }, { status: 404, body: 'not found' })
      Excon.stub({ method: :get, path: '/latest/meta-data/iam/security-credentials/' }, { status: 404, body: 'not bound' })
      Excon.stub({ method: :get, path: '/latest/meta-data/placement/availability-zone/' }, { status: 400, body: 'not found' })
      returns(default_credentials) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true) }
    end

    mocked_credentials = {
      aws_access_key_id: 'access-key-id',
      aws_secret_access_key: 'secret-access-key',
      aws_session_token: 'session-token',
      aws_credentials_expire_at: Time.at(Time.now.to_i + 500).xmlschema
    }
    tests('#fetch_credentials when mocking') do
      Fog.mock!
      Fog::AWS::Compute::Mock.data[:iam_role_based_creds] = mocked_credentials
      returns(mocked_credentials) { Fog::AWS::Compute.fetch_credentials(use_iam_profile: true) }
    end
  ensure
    ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] = nil
    ENV['AWS_WEB_IDENTITY_TOKEN_FILE'] = nil
    Excon.stubs.clear
    Excon.defaults[:mock] = old_mock_value
    Fog.mock! if fog_was_mocked
  end
end