Merge branch 'master' into get-caller-identity

2019-08-21 12:36:40 +02:00 · 2019-08-21 12:36:40 +02:00 · 24dcdb7453
commit 24dcdb7453
parent d931204266 94fd5c4128
82 changed files with 3063 additions and 309 deletions
--- a/tests/test_sts/test_sts.py
+++ b/tests/test_sts/test_sts.py
@ -3,11 +3,15 @@ import json

 import boto
 import boto3
+from botocore.client import ClientError
 from freezegun import freeze_time
+from nose.tools import assert_raises
 import sure  # noqa

+
 from moto import mock_sts, mock_sts_deprecated, mock_iam
 from moto.iam.models import ACCOUNT_ID
+from moto.sts.responses import MAX_FEDERATION_TOKEN_POLICY_LENGTH


@freeze_time("2012-01-01 12:00:00")
@ -80,6 +84,41 @@ def test_assume_role():
    assume_role_response['AssumedRoleUser']['AssumedRoleId'].should.have.length_of(21 + 1 + len(session_name))


+@freeze_time("2012-01-01 12:00:00")
+@mock_sts_deprecated
+def test_assume_role_with_web_identity():
+    conn = boto.connect_sts()
+
+    policy = json.dumps({
+        "Statement": [
+            {
+                "Sid": "Stmt13690092345534",
+                "Action": [
+                    "S3:ListBucket"
+                ],
+                "Effect": "Allow",
+                "Resource": [
+                    "arn:aws:s3:::foobar-tester"
+                ]
+            },
+        ]
+    })
+    s3_role = "arn:aws:iam::123456789012:role/test-role"
+    role = conn.assume_role_with_web_identity(
+        s3_role, "session-name", policy, duration_seconds=123)
+
+    credentials = role.credentials
+    credentials.expiration.should.equal('2012-01-01T12:02:03.000Z')
+    credentials.session_token.should.have.length_of(356)
+    assert credentials.session_token.startswith("FQoGZXIvYXdzE")
+    credentials.access_key.should.have.length_of(20)
+    assert credentials.access_key.startswith("ASIA")
+    credentials.secret_key.should.have.length_of(40)
+
+    role.user.arn.should.equal("arn:aws:iam::123456789012:role/test-role")
+    role.user.assume_role_id.should.contain("session-name")
+
+
@mock_sts
 def test_get_caller_identity_with_default_credentials():
    identity = boto3.client(
@ -137,3 +176,32 @@ def test_get_caller_identity_with_assumed_role_credentials():
    identity['Arn'].should.equal(assumed_role['AssumedRoleUser']['Arn'])
    identity['UserId'].should.equal(assumed_role['AssumedRoleUser']['AssumedRoleId'])
    identity['Account'].should.equal(str(ACCOUNT_ID))
+
+
+@mock_sts
+def test_federation_token_with_too_long_policy():
+    "Trying to get a federation token with a policy longer than 2048 character should fail"
+    cli = boto3.client("sts", region_name='us-east-1')
+    resource_tmpl = 'arn:aws:s3:::yyyy-xxxxx-cloud-default/my_default_folder/folder-name-%s/*'
+    statements = []
+    for num in range(30):
+        statements.append(
+            {
+                'Effect': 'Allow',
+                'Action': ['s3:*'],
+                'Resource': resource_tmpl % str(num)
+            }
+        )
+    policy = {
+        'Version': '2012-10-17',
+        'Statement': statements
+    }
+    json_policy = json.dumps(policy)
+    assert len(json_policy) > MAX_FEDERATION_TOKEN_POLICY_LENGTH
+
+    with assert_raises(ClientError) as exc:
+        cli.get_federation_token(Name='foo', DurationSeconds=3600, Policy=json_policy)
+    exc.exception.response['Error']['Code'].should.equal('ValidationError')
+    exc.exception.response['Error']['Message'].should.contain(
+        str(MAX_FEDERATION_TOKEN_POLICY_LENGTH)
+    )