# frozen_string_literal: true
# rubocop:todo all

require 'lite_spec_helper'
require 'support/aws_utils'

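# Integration specs for Mongo::Auth::Aws::CredentialsRetriever.
#
# Every context below needs real AWS infrastructure (an EC2 instance role, an
# ECS task role or a web-identity role) and is gated on the AUTH environment
# variable, so the examples skip themselves unless the matching environment
# is present.
describe Mongo::Auth::Aws::CredentialsRetriever do
  require_aws_auth

  # Retriever under test; `user` is supplied by each context.
  let(:retriever) do
    described_class.new(user)
  end

  let(:credentials) do
    retriever.credentials
  end

  context 'when user is not given' do
    # A user with no username/password, so the retriever must obtain the
    # credentials from the environment rather than from the user object.
    let(:user) do
      Mongo::Auth::User.new(auth_mech: :aws)
    end

    before do
      # Start from an empty cache so each example performs a real retrieval
      # instead of reusing a value cached by a previous example.
      Mongo::Auth::Aws::CredentialsCache.instance.clear
    end

    shared_examples_for 'retrieves the credentials' do
      it 'retrieves' do
        credentials.should be_a(Mongo::Auth::Aws::Credentials)

        # When user is not given, credentials retrieved are always temporary,
        # which AWS signals with an ASIA-prefixed access key id. The anchor is
        # \A (start of the whole string), not ^ (start of any line).
        retriever.credentials.access_key_id.should =~ /\AASIA/
        retriever.credentials.secret_access_key.should =~ /./
        retriever.credentials.session_token.should =~ /./
      end

      # A signed STS request built from the retrieved credentials; sending it
      # to STS is what proves the credentials are actually usable.
      let(:request) do
        Mongo::Auth::Aws::Request.new(
          access_key_id: credentials.access_key_id,
          secret_access_key: credentials.secret_access_key,
          session_token: credentials.session_token,
          host: 'sts.amazonaws.com',
          server_nonce: 'test',
        )
      end

      it 'produces valid credentials' do
        # validate! is relied upon to raise when STS rejects the signed
        # request — confirm against Mongo::Auth::Aws::Request#validate!.
        result = request.validate!
        # Only the caller ARN goes to the test output; the key id, secret and
        # session token are deliberately never printed.
        puts "STS request successful with ARN #{result['Arn']}"
      end
    end

    context 'ec2 instance role' do
      require_ec2_host

      before(:all) do
        unless ENV['AUTH'] == 'aws-ec2'
          skip "Set AUTH=aws-ec2 in environment to run EC2 instance role tests"
        end
      end

      context 'when instance profile is not assigned' do
        before(:all) do
          # Orchestration credentials come from the environment; they are only
          # used to change the instance profile, never handed to the retriever.
          orchestrator = AwsUtils::Orchestrator.new(
            region: ENV.fetch('MONGO_RUBY_DRIVER_AWS_AUTH_REGION'),
            access_key_id: ENV.fetch('MONGO_RUBY_DRIVER_AWS_AUTH_ACCESS_KEY_ID'),
            secret_access_key: ENV.fetch('MONGO_RUBY_DRIVER_AWS_AUTH_SECRET_ACCESS_KEY'),
          )

          orchestrator.clear_instance_profile(Utils.ec2_instance_id)
          # Profile changes are not instantaneous on the instance metadata
          # endpoint; wait until the removal is observable.
          Utils.wait_for_no_instance_profile
        end

        it 'raises an error' do
          lambda do
            credentials
          end.should raise_error(Mongo::Auth::Aws::CredentialsNotFound, /Could not locate AWS credentials/)
        end
      end

      context 'when instance profile is assigned' do
        before(:all) do
          orchestrator = AwsUtils::Orchestrator.new(
            region: ENV.fetch('MONGO_RUBY_DRIVER_AWS_AUTH_REGION'),
            access_key_id: ENV.fetch('MONGO_RUBY_DRIVER_AWS_AUTH_ACCESS_KEY_ID'),
            secret_access_key: ENV.fetch('MONGO_RUBY_DRIVER_AWS_AUTH_SECRET_ACCESS_KEY'),
          )

          orchestrator.set_instance_profile(Utils.ec2_instance_id,
            instance_profile_name: nil,
            instance_profile_arn: ENV.fetch('MONGO_RUBY_DRIVER_AWS_AUTH_INSTANCE_PROFILE_ARN'),
          )
          Utils.wait_for_instance_profile
        end

        it_behaves_like 'retrieves the credentials'
      end
    end

    context 'ecs task role' do
      before(:all) do
        unless ENV['AUTH'] == 'aws-ecs'
          skip "Set AUTH=aws-ecs in environment to run ECS task role tests"
        end
      end

      it_behaves_like 'retrieves the credentials'
    end

    context 'web identity' do
      before(:all) do
        unless ENV['AUTH'] == 'aws-web-identity'
          skip "Set AUTH=aws-web-identity in environment to run Web identity tests"
        end
      end

      context 'with AWS_ROLE_SESSION_NAME' do
        before do
          # Replace ENV with a plain Hash copy for this example so the session
          # name is visible without mutating the real process environment.
          stub_const('ENV', ENV.to_hash.merge('AWS_ROLE_SESSION_NAME' => 'mongo-ruby-driver-test-app'))
        end

        it_behaves_like 'retrieves the credentials'
      end

      context 'without AWS_ROLE_SESSION_NAME' do
        before do
          # ENV.to_hash already returns a fresh Hash, so deleting from it does
          # not touch the real environment.
          env = ENV.to_hash
          env.delete('AWS_ROLE_SESSION_NAME')
          stub_const('ENV', env)
        end

        it_behaves_like 'retrieves the credentials'
      end
    end
  end
end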