Refactor AWS verification to enable reuse for owner resolution (Yelp#189

) * Refactor AWS verification to enable reuse for owner resolution Follow up of git-defenders/detect-secrets-stream#182 * Revert changes to tox.ini * Fix coverage issue
IBM · Jan 8, 2020 · 47478f7 · 47478f7
1 parent 9c70ffd
commit 47478f7
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 6 deletions.
diff --git a/detect_secrets/plugins/aws.py b/detect_secrets/plugins/aws.py
@@ -53,7 +53,15 @@ def get_secret_access_keys(content):
     ]
 
 
-def verify_aws_secret_access_key(key, secret):  # pragma: no cover
+def verify_aws_secret_access_key(key, secret):
+    response = get_caller_info(key, secret)
+    if response.status_code == 403:
+        return False
+
+    return True
+
+
+def get_caller_info(key, secret):  # pragma: no cover
     """
     Using requests, because we don't want to require boto3 for this one
     optional verification step.
@@ -172,10 +180,7 @@ def verify_aws_secret_access_key(key, secret):  # pragma: no cover
         data=body,
     )
 
-    if response.status_code == 403:
-        return False
-
-    return True
+    return response
 
 
 def _sign(key, message, hex=False):  # pragma: no cover

diff --git a/tests/plugins/aws_key_test.py b/tests/plugins/aws_key_test.py
@@ -9,7 +9,8 @@
 from detect_secrets.core.constants import VerifiedResult
 from detect_secrets.core.potential_secret import PotentialSecret
 from detect_secrets.plugins.aws import AWSKeyDetector
-from detect_secrets.plugins.aws import get_secret_access_keys
+from detect_secrets.plugins.aws import get_secret_access_key
+from detect_secrets.plugins.aws import verify_aws_secret_access_key
 from testing.mocks import mock_file_object
 
 
@@ -104,6 +105,18 @@ def counter(*args, **kwargs):
             ) == VerifiedResult.VERIFIED_TRUE
         assert potential_secret.other_factors['secret_access_key'] == EXAMPLE_SECRET
 
+    @mock.patch('detect_secrets.plugins.aws.get_caller_info')
+    def test_verify_aws_secret_access_key_valid(self, mock_get_caller_info):
+        mock_get_caller_info.return_value = mock.MagicMock(status_code=200)
+        result = verify_aws_secret_access_key('test-access-key', 'test-secret-access-key')
+        assert result is True
+
+    @mock.patch('detect_secrets.plugins.aws.get_caller_info')
+    def test_verify_aws_secret_access_key_invalid(self, mock_get_caller_info):
+        mock_get_caller_info.return_value = mock.MagicMock(status_code=403)
+        result = verify_aws_secret_access_key('test-access-key', 'test-secret-access-key')
+        assert result is False
+
 
 @pytest.mark.parametrize(
     'content, expected_output',