# Copyright 2012-2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"). You
# may not use this file except in compliance with the License. A copy of
# the License is located at
#
# http://aws.amazon.com/apache2.0/
#
# or in the "license" file accompanying this file. This file is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
# ANY KIND, either express or implied. See the License for the specific
# language governing permissions and limitations under the License.
from collections import defaultdict
from tests import mock
from tests import ClientHTTPStubber
from botocore.session import Session
from botocore.exceptions import NoCredentialsError
from botocore import xform_name
# Region used when creating a client for a service; every service name maps
# to the same default because no per-service override is registered here.
REGIONS = defaultdict(lambda: 'us-east-1')

# Operations exercised by the unsigned-request test below, keyed by service
# name and then by operation name. Each value is the keyword-argument dict
# passed to the client method. The values look like placeholders chosen only
# to get a request built -- NOTE(review): confirm they are not meant to
# resolve to real resources.
PUBLIC_API_TESTS = {
    "cognito-identity": {
        "GetId": {
            "IdentityPoolId": "region:1234",
        },
        "GetOpenIdToken": {
            "IdentityId": "region:1234",
        },
        "UnlinkIdentity": {
            "IdentityId": "region:1234",
            "Logins": {},
            "LoginsToRemove": [],
        },
        "GetCredentialsForIdentity": {
            "IdentityId": "region:1234",
        },
    },
    "sts": {
        "AssumeRoleWithSaml": {
            "PrincipalArn": "a" * 20,
            "RoleArn": "a" * 20,
            "SAMLAssertion": "abcd",
        },
        "AssumeRoleWithWebIdentity": {
            "RoleArn": "a" * 20,
            "RoleSessionName": "foo",
            "WebIdentityToken": "abcd",
        },
    },
}
class EarlyExit(Exception):
    """Sentinel exception queued as a stubbed HTTP response in this module.

    The test helper catches it around the client call, so only the captured
    outgoing request is inspected and no response is processed.
    """
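def _test_public_apis_will_not_be_signed(client, operation, kwargs):
    """Assert that calling ``operation`` sends a request carrying no signature.

    Args:
        client: Client whose HTTP traffic is intercepted by
            ``ClientHTTPStubber``.
        operation: Client method to invoke.
        kwargs: Keyword arguments passed to ``operation``.

    Raises:
        AssertionError: If no request was captured, or if the first captured
            request contains a SigV2, SigV3 or SigV4 marker.
    """
    with ClientHTTPStubber(client) as http_stubber:
        # An exception instance is queued as the stubbed response; presumably
        # the stubber raises it once the request is sent, so the call ends
        # before any response handling and only the request is examined.
        http_stubber.responses.append(EarlyExit())
        try:
            operation(**kwargs)
        except EarlyExit:
            pass
        # Without a captured request the signature checks below would be
        # meaningless; fail with a clear message rather than an IndexError.
        assert http_stubber.requests, "No request was captured"
        request = http_stubber.requests[0]

    # Only these three markers are inspected: the SigV2 query parameter and
    # the two authorization headers. Any other way of attaching credentials
    # to a request is outside what this helper verifies.
    sig_v2_disabled = 'SignatureVersion=2' not in request.url
    assert sig_v2_disabled, "SigV2 is incorrectly enabled"
    sig_v3_disabled = 'X-Amzn-Authorization' not in request.headers
    assert sig_v3_disabled, "SigV3 is incorrectly enabled"
    sig_v4_disabled = 'Authorization' not in request.headers
    assert sig_v4_disabled, "SigV4 is incorrectly enabled"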
def test_public_apis_will_not_be_signed():
    """Yield one unsigned-request check per operation in PUBLIC_API_TESTS.

    This is a generator-style test: each yielded tuple holds the check
    function followed by the client, the client method and its keyword
    arguments. The session's credential lookup is replaced so that it
    returns None for every client created here.
    """
    session = Session()

    # Reproduce an environment where the user has no AWS credentials set up.
    session.get_credentials = mock.Mock(return_value=None)

    for service_name, operations in PUBLIC_API_TESTS.items():
        client = session.create_client(service_name, REGIONS[service_name])
        for operation_name, kwargs in operations.items():
            # Operation names are stored in API casing; xform_name converts
            # them to the attribute name of the client method.
            method = getattr(client, xform_name(operation_name))
            yield _test_public_apis_will_not_be_signed, client, method, kwargs