Allow soft deletion of secrets

2019-04-18 12:58:50 +01:00 · 2019-04-18 12:58:50 +01:00 · 749f4f63e6
commit 749f4f63e6
parent fc8cf2d872
3 changed files with 103 additions and 18 deletions
--- a/moto/secretsmanager/exceptions.py
+++ b/moto/secretsmanager/exceptions.py
@ -27,3 +27,10 @@ class InvalidParameterException(SecretsManagerClientError):
        super(InvalidParameterException, self).__init__(
            'InvalidParameterException',
            message)
+
+
+class InvalidRequestException(SecretsManagerClientError):
+    def __init__(self, message):
+        super(InvalidRequestException, self).__init__(
+            'InvalidRequestException',
+            message)
--- a/moto/secretsmanager/models.py
+++ b/moto/secretsmanager/models.py
@ -3,6 +3,7 @@ from __future__ import unicode_literals
 import time
 import json
 import uuid
+import datetime

 import boto3

@ -10,6 +11,7 @@ from moto.core import BaseBackend, BaseModel
 from .exceptions import (
    ResourceNotFoundException,
    InvalidParameterException,
+    InvalidRequestException,
    ClientError
 )
 from .utils import random_password, secret_arn
@ -36,11 +38,21 @@ class SecretsManagerBackend(BaseBackend):
    def _is_valid_identifier(self, identifier):
        return identifier in self.secrets

+    def _unix_time_secs(self, dt):
+        epoch = datetime.datetime.utcfromtimestamp(0)
+        return (dt - epoch).total_seconds()
+
    def get_secret_value(self, secret_id, version_id, version_stage):

        if not self._is_valid_identifier(secret_id):
            raise ResourceNotFoundException()

+        if 'deleted_date' in self.secrets[secret_id]:
+            raise InvalidRequestException(
+                "An error occurred (InvalidRequestException) when calling the DeleteSecret operation: You tried to \
+                perform the operation on a secret that's currently marked deleted."
+            )
+
        secret = self.secrets[secret_id]

        response = json.dumps({
@ -101,7 +113,7 @@ class SecretsManagerBackend(BaseBackend):
            "LastRotatedDate": None,
            "LastChangedDate": None,
            "LastAccessedDate": None,
-            "DeletedDate": None,
+            "DeletedDate": secret.get('deleted_date', None),
            "Tags": secret['tags']
        })

@ -193,7 +205,7 @@ class SecretsManagerBackend(BaseBackend):

        secret_list = [{
            "ARN": secret_arn(self.region, secret['secret_id']),
-            "DeletedDate": None,
+            "DeletedDate": secret.get('deleted_date', None),
            "Description": "",
            "KmsKeyId": "",
            "LastAccessedDate": None,
@ -218,10 +230,10 @@ class SecretsManagerBackend(BaseBackend):
        if not self._is_valid_identifier(secret_id):
            raise ResourceNotFoundException

-        if not force_delete_without_recovery:
-            raise InvalidParameterException(
-                "An error occurred (InvalidParameterException) when calling the DeleteSecret operation: \
-                 ForceDeleteWithoutRecovery must be true (Moto cannot simulate soft deletion with a recovery window)"
+        if 'deleted_date' in self.secrets[secret_id]:
+            raise InvalidRequestException(
+                "An error occurred (InvalidRequestException) when calling the DeleteSecret operation: You tried to \
+                perform the operation on a secret that's currently marked deleted."
            )

        if recovery_window_in_days and force_delete_without_recovery:
@ -230,9 +242,20 @@ class SecretsManagerBackend(BaseBackend):
                use ForceDeleteWithoutRecovery in conjunction with RecoveryWindowInDays."
            )

-        secret = self.secrets.pop(secret_id, None)
+        if recovery_window_in_days and (recovery_window_in_days < 7 or recovery_window_in_days > 30):
+            raise InvalidParameterException(
+                "An error occurred (InvalidParameterException) when calling the DeleteSecret operation: The \
+                RecoveryWindowInDays value must be between 7 and 30 days (inclusive)."
+            )

-        deletion_date = int(time.time())
+        deletion_date = datetime.datetime.utcnow()
+
+        if force_delete_without_recovery:
+            secret = self.secrets.pop(secret_id, None)
+        else:
+            deletion_date += datetime.timedelta(days=recovery_window_in_days or 30)
+            self.secrets[secret_id]['deleted_date'] = self._unix_time_secs(deletion_date)
+            secret = self.secrets.get(secret_id, None)

        if not secret:
            raise ResourceNotFoundException
@ -240,7 +263,7 @@ class SecretsManagerBackend(BaseBackend):
        arn = secret_arn(self.region, secret['secret_id'])
        name = secret['name']

-        return arn, name, deletion_date
+        return arn, name, self._unix_time_secs(deletion_date)


 available_regions = (