python-botocore/tests/functional/test_public_apis.py
2021-10-04 09:33:37 -07:00


# Copyright 2012-2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"). You
# may not use this file except in compliance with the License. A copy of
# the License is located at
#
# http://aws.amazon.com/apache2.0/
#
# or in the "license" file accompanying this file. This file is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
# ANY KIND, either express or implied. See the License for the specific
# language governing permissions and limitations under the License.
from collections import defaultdict
import pytest
from tests import mock
from tests import ClientHTTPStubber
from botocore.session import Session
from botocore.exceptions import NoCredentialsError
from botocore import xform_name
# Region used when creating each client; any service name not listed
# explicitly falls back to us-east-1.
REGIONS = defaultdict(lambda: 'us-east-1')

# service name -> operation name -> minimal keyword arguments for the call.
# These are the operations the test below expects botocore to send
# unsigned when no credentials are configured. The values are placeholders
# only; no request leaves the process because the HTTP layer is stubbed.
PUBLIC_API_TESTS = {
    "cognito-identity": {
        "GetId": {
            "IdentityPoolId": "region:1234",
        },
        "GetOpenIdToken": {
            "IdentityId": "region:1234",
        },
        "UnlinkIdentity": {
            "IdentityId": "region:1234",
            "Logins": {},
            "LoginsToRemove": [],
        },
        "GetCredentialsForIdentity": {
            "IdentityId": "region:1234",
        },
    },
    "sts": {
        # NOTE(review): the 20-character ARN placeholders presumably
        # satisfy a minimum-length constraint in the service model -- confirm.
        "AssumeRoleWithSaml": {
            "PrincipalArn": "a" * 20,
            "RoleArn": "a" * 20,
            "SAMLAssertion": "abcd",
        },
        "AssumeRoleWithWebIdentity": {
            "RoleArn": "a" * 20,
            "RoleSessionName": "foo",
            "WebIdentityToken": "abcd",
        },
    },
}
class EarlyExit(Exception):
    """Sentinel queued as a stubbed HTTP response to abort a client call.

    The test catches it so that only the outgoing request is inspected and
    no response parsing takes place.
    """
def _public_apis():
    """Yield one ``(client, bound_method, kwargs)`` triple per public API.

    Walks PUBLIC_API_TESTS, creating one client per service from a session
    whose credential lookup always returns None, and resolves each
    operation name to the matching client method.
    """
    session = Session()
    # Simulate a user with no AWS credentials configured: every credential
    # lookup on this session resolves to None.
    session.get_credentials = mock.Mock(return_value=None)
    for service_name, operations in PUBLIC_API_TESTS.items():
        client = session.create_client(service_name, REGIONS[service_name])
        for operation_name, call_kwargs in operations.items():
            # xform_name maps the API operation name to the client's
            # Python method name.
            bound_method = getattr(client, xform_name(operation_name))
            yield client, bound_method, call_kwargs
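@pytest.mark.parametrize("client, operation, kwargs", _public_apis())
def test_public_apis_will_not_be_signed(client, operation, kwargs):
    """Check that a public operation is sent without any AWS signature.

    The client comes from a session that has no credentials, so the
    outgoing request must carry no SigV2, SigV3 or SigV4 marker. The
    request is captured by the HTTP stubber and the call is aborted before
    a response is parsed.
    """
    with ClientHTTPStubber(client) as http_stubber:
        # The queued exception stands in for the HTTP response. The stubber
        # is expected to raise it once the request has been recorded.
        http_stubber.responses.append(EarlyExit())
        try:
            operation(**kwargs)
        except EarlyExit:
            pass
        except NoCredentialsError as exc:
            # With no credentials available, an attempt to sign surfaces as
            # NoCredentialsError; report it as the failure this test is
            # about rather than as an unrelated-looking error.
            raise AssertionError(
                "Public API tried to sign the request without credentials"
            ) from exc
        captured = list(http_stubber.requests)

    # Fail with a clear message instead of an IndexError if the call ended
    # before any request reached the stubber.
    assert captured, "No request was captured before the early exit"
    request = captured[0]

    # SigV2 is advertised through a query-string parameter.
    sig_v2_disabled = 'SignatureVersion=2' not in request.url
    assert sig_v2_disabled, "SigV2 is incorrectly enabled"
    # SigV3 and SigV4 are carried in request headers.
    sig_v3_disabled = 'X-Amzn-Authorization' not in request.headers
    assert sig_v3_disabled, "SigV3 is incorrectly enabled"
    sig_v4_disabled = 'Authorization' not in request.headers
    assert sig_v4_disabled, "SigV4 is incorrectly enabled"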