124 lines
4.7 KiB
Python
124 lines
4.7 KiB
Python
# Copyright 2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"). You
|
|
# may not use this file except in compliance with the License. A copy of
|
|
# the License is located at
|
|
#
|
|
# http://aws.amazon.com/apache2.0/
|
|
#
|
|
# or in the "license" file accompanying this file. This file is
|
|
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
|
|
# ANY KIND, either express or implied. See the License for the specific
|
|
# language governing permissions and limitations under the License.
|
|
|
|
import os
|
|
import mock
|
|
|
|
from botocore.session import Session
|
|
from tests import BaseEnvVar, temporary_file
|
|
|
|
|
|
class TestCredentialPrecedence(BaseEnvVar):
|
|
|
|
def setUp(self):
|
|
super(TestCredentialPrecedence, self).setUp()
|
|
|
|
# Set the config file to something that doesn't exist so
|
|
# that we don't accidentally load a config.
|
|
os.environ['AWS_CONFIG_FILE'] = '~/.aws/config-missing'
|
|
|
|
def create_session(self, *args, **kwargs):
|
|
"""
|
|
Create a new session with the given arguments. Additionally,
|
|
this method will set the credentials file to the test credentials
|
|
used by the following test cases.
|
|
"""
|
|
kwargs['session_vars'] = {
|
|
'credentials_file': (
|
|
None, None,
|
|
os.path.join(os.path.dirname(__file__), 'test-credentials'),
|
|
None)
|
|
}
|
|
|
|
return Session(*args, **kwargs)
|
|
|
|
def test_access_secret_vs_profile_env(self):
|
|
# If all three are given, then the access/secret keys should
|
|
# take precedence.
|
|
os.environ['AWS_ACCESS_KEY_ID'] = 'env'
|
|
os.environ['AWS_SECRET_ACCESS_KEY'] = 'env-secret'
|
|
os.environ['AWS_DEFAULT_PROFILE'] = 'test'
|
|
|
|
s = self.create_session()
|
|
credentials = s.get_credentials()
|
|
|
|
self.assertEqual(credentials.access_key, 'env')
|
|
self.assertEqual(credentials.secret_key, 'env-secret')
|
|
|
|
@mock.patch('botocore.credentials.Credentials')
|
|
def test_access_secret_vs_profile_code(self, credentials_cls):
|
|
# If all three are given, then the access/secret keys should
|
|
# take precedence.
|
|
s = self.create_session(profile='test')
|
|
|
|
client = s.create_client('s3', aws_access_key_id='code',
|
|
aws_secret_access_key='code-secret')
|
|
|
|
credentials_cls.assert_called_with(
|
|
access_key='code', secret_key='code-secret', token=mock.ANY)
|
|
|
|
def test_profile_env_vs_code(self):
|
|
# If the profile is set both by the env var and by code,
|
|
# then the one set by code should take precedence.
|
|
os.environ['AWS_DEFAULT_PROFILE'] = 'test'
|
|
s = self.create_session(profile='default')
|
|
|
|
credentials = s.get_credentials()
|
|
|
|
self.assertEqual(credentials.access_key, 'default')
|
|
self.assertEqual(credentials.secret_key, 'default-secret')
|
|
|
|
@mock.patch('botocore.credentials.Credentials')
|
|
def test_access_secret_env_vs_code(self, credentials_cls):
|
|
# If the access/secret keys are set both as env vars and via
|
|
# code, then those set by code should take precedence.
|
|
os.environ['AWS_ACCESS_KEY_ID'] = 'env'
|
|
os.environ['AWS_SECRET_ACCESS_KEY'] = 'secret'
|
|
s = self.create_session()
|
|
|
|
client = s.create_client('s3', aws_access_key_id='code',
|
|
aws_secret_access_key='code-secret')
|
|
|
|
credentials_cls.assert_called_with(
|
|
access_key='code', secret_key='code-secret', token=mock.ANY)
|
|
|
|
def test_access_secret_env_vs_profile_code(self):
|
|
# If access/secret keys are set in the environment, but then a
|
|
# specific profile is passed via code, then the access/secret
|
|
# keys defined in that profile should take precedence over
|
|
# the environment variables. Example:
|
|
#
|
|
# ``aws --profile dev s3 ls``
|
|
#
|
|
os.environ['AWS_ACCESS_KEY_ID'] = 'env'
|
|
os.environ['AWS_SECRET_ACCESS_KEY'] = 'env-secret'
|
|
s = self.create_session(profile='test')
|
|
|
|
credentials = s.get_credentials()
|
|
|
|
self.assertEqual(credentials.access_key, 'test')
|
|
self.assertEqual(credentials.secret_key, 'test-secret')
|
|
|
|
def test_honors_aws_shared_credentials_file_env_var(self):
|
|
with temporary_file('w') as f:
|
|
f.write('[default]\n'
|
|
'aws_access_key_id=custom1\n'
|
|
'aws_secret_access_key=custom2\n')
|
|
f.flush()
|
|
os.environ['AWS_SHARED_CREDENTIALS_FILE'] = f.name
|
|
s = Session()
|
|
credentials = s.get_credentials()
|
|
|
|
self.assertEqual(credentials.access_key, 'custom1')
|
|
self.assertEqual(credentials.secret_key, 'custom2')
|