# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"). You
# may not use this file except in compliance with the License. A copy of
# the License is located at
#
# http://aws.amazon.com/apache2.0/
#
# or in the "license" file accompanying this file. This file is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
# ANY KIND, either express or implied. See the License for the specific
# language governing permissions and limitations under the License.
import base64
from datetime import datetime
import json
from awscli.testutils import mock
from awscli.testutils import BaseAWSCommandParamsTest
from awscli.compat import urlparse
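class TestGetTokenCommand(BaseAWSCommandParamsTest):
    """Functional tests for the output of ``aws eks get-token``.

    The command prints an ``ExecCredential`` JSON document whose
    ``status.token`` is the prefix ``k8s-aws-v1.`` followed by an unpadded
    URL-safe base64 encoding of a signed STS URL. These tests decode that
    URL and check the endpoint, the signing region and the credentials
    that were used to sign it.
    """

    def setUp(self):
        """Install synthetic credentials and the expected token prefix."""
        super(TestGetTokenCommand, self).setUp()
        self.cluster_name = 'MyCluster'
        self.role_arn = 'arn:aws:iam::012345678910:role/RoleArn'
        # Obviously synthetic values: the tests only check that these exact
        # strings end up in the signed URL, nothing is sent to AWS with them.
        self.access_key = 'ABCDEFGHIJKLMNOPQRST'
        self.secret_key = 'TSRQPONMLKJUHGFEDCBA'
        self.session_token = 'TOKENTOKENTOKENTOKEN'
        self.environ['AWS_ACCESS_KEY_ID'] = self.access_key
        self.environ['AWS_SECRET_ACCESS_KEY'] = self.secret_key
        self.expected_token_prefix = 'k8s-aws-v1.'

    def run_get_token(self, cmd):
        """Run *cmd* through the CLI harness and return its parsed JSON output."""
        response, _, _ = self.run_cmd(cmd)
        return json.loads(response)

    def assert_url_correct(self, response,
                           expected_endpoint='sts.amazonaws.com',
                           expected_signing_region='us-east-1',
                           has_session_token=False):
        """Check the signed URL embedded in the token of *response*.

        :param response: parsed ``ExecCredential`` document.
        :param expected_endpoint: host the URL must point at.
        :param expected_signing_region: region that must appear in the
            ``X-Amz-Credential`` scope.
        :param has_session_token: whether ``X-Amz-Security-Token`` must be
            present (and equal to the fixture session token) or absent.
        """
        url = self._get_url(response)
        url_components = urlparse.urlparse(url)
        # Exact host match, so a look-alike or regional host fails the test.
        self.assertEqual(url_components.netloc, expected_endpoint)
        parsed_qs = urlparse.parse_qs(url_components.query)
        credential_scope = parsed_qs['X-Amz-Credential'][0]
        self.assertIn(expected_signing_region, credential_scope)
        if has_session_token:
            self.assertEqual(
                [self.session_token], parsed_qs['X-Amz-Security-Token'])
        else:
            # Long-lived keys only: no session token may leak into the URL.
            self.assertNotIn('X-Amz-Security-Token', parsed_qs)

        self.assertIn(self.access_key, credential_scope)
        # The cluster-id header has to be covered by the signature. Its
        # value is not part of the URL, so only its presence in the signed
        # header list can be checked here.
        self.assertIn('x-k8s-aws-id', parsed_qs['X-Amz-SignedHeaders'][0])

    def _get_url(self, response):
        """Return the URL encoded in ``response['status']['token']``.

        The token must start with ``self.expected_token_prefix``; the rest
        is URL-safe base64 without padding, which is restored before
        decoding.
        """
        token = response['status']['token']
        # Verify the prefix instead of blindly slicing it off: without this
        # check a token with a wrong or missing prefix would lose its first
        # characters and fail later with an unrelated decoding error, or
        # not fail at all.
        self.assertTrue(
            token.startswith(self.expected_token_prefix),
            'token does not start with %r' % self.expected_token_prefix
        )
        b64_token = token[len(self.expected_token_prefix):].encode()
        missing_padding = len(b64_token) % 4
        if missing_padding:
            b64_token += b'=' * (4 - missing_padding)
        return base64.urlsafe_b64decode(b64_token).decode()

    @mock.patch('awscli.customizations.eks.get_token.datetime')
    def test_get_token(self, mock_datetime):
        """The document shape and expiration timestamp are as expected."""
        # Freeze the clock so the expiration timestamp is deterministic; the
        # expected value below is 14 minutes after this instant.
        mock_datetime.utcnow.return_value = datetime(2019, 10, 23, 23, 0, 0, 0)
        cmd = 'eks get-token --cluster-name %s' % self.cluster_name
        response = self.run_get_token(cmd)
        self.assertEqual(
            response,
            {
                "kind": "ExecCredential",
                "apiVersion": "client.authentication.k8s.io/v1beta1",
                "spec": {},
                "status": {
                    "expirationTimestamp": "2019-10-23T23:14:00Z",
                    "token": mock.ANY,  # This is asserted in later cases
                },
            }
        )

    def test_url(self):
        """With no region given, the URL targets the global STS endpoint."""
        cmd = 'eks get-token --cluster-name %s' % self.cluster_name
        response = self.run_get_token(cmd)
        self.assert_url_correct(response)

    def test_url_with_region(self):
        """An explicit region in the same partition does not change the endpoint."""
        cmd = 'eks get-token --cluster-name %s' % self.cluster_name
        cmd += ' --region us-west-2'
        response = self.run_get_token(cmd)
        # Even though us-west-2 was specified, we should still only be
        # signing for the global endpoint.
        self.assert_url_correct(
            response,
            expected_endpoint='sts.amazonaws.com',
            expected_signing_region='us-east-1'
        )

    def test_url_with_arn(self):
        """``--role-arn`` assumes the role and signs with its credentials."""
        cmd = 'eks get-token --cluster-name %s' % self.cluster_name
        cmd += ' --role-arn %s' % self.role_arn
        # Stubbed AssumeRole response: temporary credentials that include a
        # session token, which must then show up in the signed URL.
        self.parsed_responses = [
            {
                "Credentials": {
                    "AccessKeyId": self.access_key,
                    "SecretAccessKey": self.secret_key,
                    "SessionToken": self.session_token,
                },
            }
        ]
        response = self.run_get_token(cmd)
        assume_role_call = self.operations_called[0]
        self.assertEqual(assume_role_call[0].name, 'AssumeRole')
        # Exactly these two parameters are sent with the AssumeRole call.
        self.assertEqual(
            assume_role_call[1],
            {
                'RoleArn': self.role_arn,
                'RoleSessionName': 'EKSGetTokenAuth'
            }
        )
        self.assert_url_correct(
            response, has_session_token=True)

    def test_token_has_no_padding(self):
        """The emitted token never contains base64 ``=`` padding."""
        cmd = 'eks get-token --cluster-name %s' % self.cluster_name
        num_rounds = 100
        # It is difficult to patch everything out to get an exact
        # reproducible token. So to make sure there is no padding, we
        # run the command N times and make sure there is no padding in the
        # generated token.
        for _ in range(num_rounds):
            response = self.run_get_token(cmd)
            self.assertNotIn('=', response['status']['token'])

    def test_url_different_partition(self):
        """A region in another partition uses that partition's STS endpoint."""
        cmd = 'eks get-token --cluster-name %s' % self.cluster_name
        cmd += ' --region cn-north-1'
        response = self.run_get_token(cmd)
        self.assert_url_correct(
            response,
            expected_endpoint='sts.cn-north-1.amazonaws.com.cn',
            expected_signing_region='cn-north-1'
        )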