2018-06-08 05:31:44 +00:00
|
|
|
import boto3
|
|
|
|
|
|
2021-05-11 11:08:01 +00:00
|
|
|
from moto import mock_secretsmanager, mock_lambda, settings
|
2021-06-23 17:03:11 +00:00
|
|
|
from moto.core import ACCOUNT_ID
|
2021-09-21 16:43:31 +00:00
|
|
|
from botocore.exceptions import ClientError, ParamValidationError
|
2018-07-16 19:39:59 +00:00
|
|
|
import string
|
2019-04-18 16:27:13 +00:00
|
|
|
import pytz
|
|
|
|
|
from datetime import datetime
|
2021-10-18 19:44:29 +00:00
|
|
|
import sure # noqa # pylint: disable=unused-import
|
2021-09-21 16:43:31 +00:00
|
|
|
from uuid import uuid4
|
2020-10-06 05:54:49 +00:00
|
|
|
import pytest
|
2018-06-08 05:31:44 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
DEFAULT_SECRET_NAME = "test-secret"
|
2019-05-22 09:45:22 +00:00
|
|
|
|
|
|
|
|
|
2018-06-08 05:31:44 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_secret_value():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-06-08 05:31:44 +00:00
|
|
|
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.create_secret(Name="java-util-test-password", SecretString="foosecret")
|
2019-10-31 15:44:26 +00:00
|
|
|
result = conn.get_secret_value(SecretId="java-util-test-password")
|
|
|
|
|
assert result["SecretString"] == "foosecret"
|
2018-07-14 07:39:19 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2019-11-23 06:29:30 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_secret_value_by_arn():
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
|
2021-06-23 17:03:11 +00:00
|
|
|
name = "java-util-test-password"
|
2019-11-23 06:29:30 +00:00
|
|
|
secret_value = "test_get_secret_value_by_arn"
|
2021-06-23 17:03:11 +00:00
|
|
|
result = conn.create_secret(Name=name, SecretString=secret_value)
|
|
|
|
|
arn = result["ARN"]
|
|
|
|
|
arn.should.match(
|
|
|
|
|
"^arn:aws:secretsmanager:us-west-2:{}:secret:{}".format(ACCOUNT_ID, name)
|
2019-11-23 06:29:30 +00:00
|
|
|
)
|
2021-06-23 17:03:11 +00:00
|
|
|
|
|
|
|
|
result = conn.get_secret_value(SecretId=arn)
|
2019-11-23 06:29:30 +00:00
|
|
|
assert result["SecretString"] == secret_value
|
|
|
|
|
|
|
|
|
|
|
2019-05-28 15:32:43 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_secret_value_binary():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2019-05-28 15:32:43 +00:00
|
|
|
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.create_secret(Name="java-util-test-password", SecretBinary=b"foosecret")
|
2019-10-31 15:44:26 +00:00
|
|
|
result = conn.get_secret_value(SecretId="java-util-test-password")
|
2021-07-26 06:40:39 +00:00
|
|
|
assert result["SecretBinary"] == b"foosecret"
|
2019-05-28 15:32:43 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-07-14 07:39:19 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_secret_that_does_not_exist():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-07-14 07:39:19 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError) as cm:
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.get_secret_value(SecretId="i-dont-exist")
|
2018-07-14 07:39:19 +00:00
|
|
|
|
2020-10-06 06:46:05 +00:00
|
|
|
assert (
|
|
|
|
|
"Secrets Manager can't find the specified secret."
|
|
|
|
|
== cm.value.response["Error"]["Message"]
|
|
|
|
|
)
|
2019-10-16 04:16:38 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-07-14 07:39:19 +00:00
|
|
|
@mock_secretsmanager
|
2018-08-15 17:33:38 +00:00
|
|
|
def test_get_secret_that_does_not_match():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.create_secret(Name="java-util-test-password", SecretString="foosecret")
|
2018-08-10 23:40:31 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError) as cm:
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.get_secret_value(SecretId="i-dont-match")
|
2018-07-14 07:39:19 +00:00
|
|
|
|
2020-10-06 06:46:05 +00:00
|
|
|
assert (
|
|
|
|
|
"Secrets Manager can't find the specified secret."
|
|
|
|
|
== cm.value.response["Error"]["Message"]
|
|
|
|
|
)
|
2019-04-18 11:58:50 +00:00
|
|
|
|
2019-10-17 23:13:22 +00:00
|
|
|
|
2019-04-18 11:58:50 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_secret_value_that_is_marked_deleted():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2019-04-18 11:58:50 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
2019-04-18 11:58:50 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.delete_secret(SecretId="test-secret")
|
2019-04-18 11:58:50 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.get_secret_value(SecretId="test-secret")
|
2019-04-18 11:58:50 +00:00
|
|
|
|
|
|
|
|
|
2019-10-15 10:57:16 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_secret_that_has_no_value():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2019-10-15 10:57:16 +00:00
|
|
|
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.create_secret(Name="java-util-test-password")
|
2019-10-15 10:57:16 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError) as cm:
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.get_secret_value(SecretId="java-util-test-password")
|
2019-10-15 10:57:16 +00:00
|
|
|
|
2020-10-06 06:46:05 +00:00
|
|
|
assert (
|
|
|
|
|
"Secrets Manager can't find the specified secret value for staging label: AWSCURRENT"
|
|
|
|
|
== cm.value.response["Error"]["Message"]
|
|
|
|
|
)
|
2019-10-16 04:16:38 +00:00
|
|
|
|
2019-10-15 10:57:16 +00:00
|
|
|
|
2020-10-05 11:22:54 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_secret_version_that_does_not_exist():
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
|
|
|
|
|
result = conn.create_secret(Name="java-util-test-password")
|
|
|
|
|
secret_arn = result["ARN"]
|
|
|
|
|
missing_version_id = "00000000-0000-0000-0000-000000000000"
|
|
|
|
|
|
2020-10-06 06:04:09 +00:00
|
|
|
with pytest.raises(ClientError) as cm:
|
2020-10-05 11:22:54 +00:00
|
|
|
conn.get_secret_value(SecretId=secret_arn, VersionId=missing_version_id)
|
|
|
|
|
|
2020-10-06 06:46:05 +00:00
|
|
|
assert (
|
|
|
|
|
"An error occurred (ResourceNotFoundException) when calling the GetSecretValue operation: Secrets "
|
|
|
|
|
"Manager can't find the specified secret value for VersionId: 00000000-0000-0000-0000-000000000000"
|
|
|
|
|
) == cm.value.response["Error"]["Message"]
|
2020-10-05 11:22:54 +00:00
|
|
|
|
|
|
|
|
|
2018-07-14 07:39:19 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_create_secret():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-east-1")
|
2018-07-14 07:39:19 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
result = conn.create_secret(Name="test-secret", SecretString="foosecret")
|
|
|
|
|
assert result["ARN"]
|
|
|
|
|
assert result["Name"] == "test-secret"
|
|
|
|
|
secret = conn.get_secret_value(SecretId="test-secret")
|
|
|
|
|
assert secret["SecretString"] == "foosecret"
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-12-21 22:04:52 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_create_secret_with_tags():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-east-1")
|
|
|
|
|
secret_name = "test-secret-with-tags"
|
2018-12-21 22:04:52 +00:00
|
|
|
|
|
|
|
|
result = conn.create_secret(
|
|
|
|
|
Name=secret_name,
|
|
|
|
|
SecretString="foosecret",
|
2019-10-31 15:44:26 +00:00
|
|
|
Tags=[{"Key": "Foo", "Value": "Bar"}, {"Key": "Mykey", "Value": "Myvalue"}],
|
2018-12-21 22:04:52 +00:00
|
|
|
)
|
2019-10-31 15:44:26 +00:00
|
|
|
assert result["ARN"]
|
|
|
|
|
assert result["Name"] == secret_name
|
2018-12-21 22:04:52 +00:00
|
|
|
secret_value = conn.get_secret_value(SecretId=secret_name)
|
2019-10-31 15:44:26 +00:00
|
|
|
assert secret_value["SecretString"] == "foosecret"
|
2018-12-21 22:04:52 +00:00
|
|
|
secret_details = conn.describe_secret(SecretId=secret_name)
|
2019-10-31 15:44:26 +00:00
|
|
|
assert secret_details["Tags"] == [
|
|
|
|
|
{"Key": "Foo", "Value": "Bar"},
|
|
|
|
|
{"Key": "Mykey", "Value": "Myvalue"},
|
|
|
|
|
]
|
2018-12-21 22:04:52 +00:00
|
|
|
|
2019-04-05 14:00:11 +00:00
|
|
|
|
2020-04-24 19:47:11 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_create_secret_with_description():
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-east-1")
|
|
|
|
|
secret_name = "test-secret-with-tags"
|
|
|
|
|
|
|
|
|
|
result = conn.create_secret(
|
|
|
|
|
Name=secret_name, SecretString="foosecret", Description="desc"
|
|
|
|
|
)
|
|
|
|
|
assert result["ARN"]
|
|
|
|
|
assert result["Name"] == secret_name
|
|
|
|
|
secret_value = conn.get_secret_value(SecretId=secret_name)
|
|
|
|
|
assert secret_value["SecretString"] == "foosecret"
|
|
|
|
|
secret_details = conn.describe_secret(SecretId=secret_name)
|
|
|
|
|
assert secret_details["Description"] == "desc"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_create_secret_with_tags_and_description():
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-east-1")
|
|
|
|
|
secret_name = "test-secret-with-tags"
|
|
|
|
|
|
|
|
|
|
result = conn.create_secret(
|
|
|
|
|
Name=secret_name,
|
|
|
|
|
SecretString="foosecret",
|
|
|
|
|
Description="desc",
|
|
|
|
|
Tags=[{"Key": "Foo", "Value": "Bar"}, {"Key": "Mykey", "Value": "Myvalue"}],
|
|
|
|
|
)
|
|
|
|
|
assert result["ARN"]
|
|
|
|
|
assert result["Name"] == secret_name
|
|
|
|
|
secret_value = conn.get_secret_value(SecretId=secret_name)
|
|
|
|
|
assert secret_value["SecretString"] == "foosecret"
|
|
|
|
|
secret_details = conn.describe_secret(SecretId=secret_name)
|
|
|
|
|
assert secret_details["Tags"] == [
|
|
|
|
|
{"Key": "Foo", "Value": "Bar"},
|
|
|
|
|
{"Key": "Mykey", "Value": "Myvalue"},
|
|
|
|
|
]
|
|
|
|
|
assert secret_details["Description"] == "desc"
|
|
|
|
|
|
|
|
|
|
|
2019-04-05 14:00:11 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_delete_secret():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2019-04-05 14:00:11 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
2019-04-05 14:00:11 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
deleted_secret = conn.delete_secret(SecretId="test-secret")
|
2019-04-05 14:00:11 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
assert deleted_secret["ARN"]
|
|
|
|
|
assert deleted_secret["Name"] == "test-secret"
|
|
|
|
|
assert deleted_secret["DeletionDate"] > datetime.fromtimestamp(1, pytz.utc)
|
2019-04-18 11:58:50 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
secret_details = conn.describe_secret(SecretId="test-secret")
|
2019-04-18 11:58:50 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
assert secret_details["ARN"]
|
|
|
|
|
assert secret_details["Name"] == "test-secret"
|
|
|
|
|
assert secret_details["DeletedDate"] > datetime.fromtimestamp(1, pytz.utc)
|
2019-04-18 11:58:50 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_delete_secret_force():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2019-04-18 11:58:50 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
2019-04-05 14:00:11 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
result = conn.delete_secret(SecretId="test-secret", ForceDeleteWithoutRecovery=True)
|
2019-04-05 14:00:11 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
assert result["ARN"]
|
|
|
|
|
assert result["DeletionDate"] > datetime.fromtimestamp(1, pytz.utc)
|
|
|
|
|
assert result["Name"] == "test-secret"
|
2019-04-05 14:00:11 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2019-10-31 15:44:26 +00:00
|
|
|
result = conn.get_secret_value(SecretId="test-secret")
|
2019-04-05 14:00:11 +00:00
|
|
|
|
|
|
|
|
|
2020-06-10 07:54:03 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_delete_secret_force_with_arn():
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
|
|
|
|
|
create_secret = conn.create_secret(Name="test-secret", SecretString="foosecret")
|
|
|
|
|
|
|
|
|
|
result = conn.delete_secret(
|
|
|
|
|
SecretId=create_secret["ARN"], ForceDeleteWithoutRecovery=True
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
assert result["ARN"]
|
|
|
|
|
assert result["DeletionDate"] > datetime.fromtimestamp(1, pytz.utc)
|
|
|
|
|
assert result["Name"] == "test-secret"
|
|
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2020-06-10 07:54:03 +00:00
|
|
|
result = conn.get_secret_value(SecretId="test-secret")
|
|
|
|
|
|
|
|
|
|
|
2019-04-05 14:00:11 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_delete_secret_that_does_not_exist():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2019-04-05 14:00:11 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.delete_secret(SecretId="i-dont-exist", ForceDeleteWithoutRecovery=True)
|
2019-04-05 14:00:11 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
2019-04-18 11:58:50 +00:00
|
|
|
def test_delete_secret_fails_with_both_force_delete_flag_and_recovery_window_flag():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2019-04-05 14:00:11 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
2019-04-05 14:00:11 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.delete_secret(
|
2019-10-31 15:44:26 +00:00
|
|
|
SecretId="test-secret",
|
|
|
|
|
RecoveryWindowInDays=1,
|
|
|
|
|
ForceDeleteWithoutRecovery=True,
|
|
|
|
|
)
|
2019-04-05 14:00:11 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
2019-04-18 11:58:50 +00:00
|
|
|
def test_delete_secret_recovery_window_too_short():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2019-04-05 14:00:11 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
2019-04-05 14:00:11 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.delete_secret(SecretId="test-secret", RecoveryWindowInDays=6)
|
2019-04-18 11:58:50 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_delete_secret_recovery_window_too_long():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2019-04-18 11:58:50 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
2019-04-18 11:58:50 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.delete_secret(SecretId="test-secret", RecoveryWindowInDays=31)
|
2019-04-18 11:58:50 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_delete_secret_that_is_marked_deleted():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2019-04-18 11:58:50 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
2019-04-18 11:58:50 +00:00
|
|
|
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.delete_secret(SecretId="test-secret")
|
2019-04-18 11:58:50 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.delete_secret(SecretId="test-secret")
|
2019-04-05 14:00:11 +00:00
|
|
|
|
|
|
|
|
|
2018-07-16 19:39:59 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_random_password_default_length():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-07-16 19:39:59 +00:00
|
|
|
|
|
|
|
|
random_password = conn.get_random_password()
|
2019-10-31 15:44:26 +00:00
|
|
|
assert len(random_password["RandomPassword"]) == 32
|
|
|
|
|
|
2018-07-16 19:39:59 +00:00
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_random_password_default_requirements():
|
|
|
|
|
# When require_each_included_type, default true
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-07-16 19:39:59 +00:00
|
|
|
|
|
|
|
|
random_password = conn.get_random_password()
|
|
|
|
|
# Should contain lowercase, upppercase, digit, special character
|
2019-10-31 15:44:26 +00:00
|
|
|
assert any(c.islower() for c in random_password["RandomPassword"])
|
|
|
|
|
assert any(c.isupper() for c in random_password["RandomPassword"])
|
|
|
|
|
assert any(c.isdigit() for c in random_password["RandomPassword"])
|
|
|
|
|
assert any(c in string.punctuation for c in random_password["RandomPassword"])
|
|
|
|
|
|
2018-07-16 19:39:59 +00:00
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_random_password_custom_length():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-07-16 19:39:59 +00:00
|
|
|
|
|
|
|
|
random_password = conn.get_random_password(PasswordLength=50)
|
2019-10-31 15:44:26 +00:00
|
|
|
assert len(random_password["RandomPassword"]) == 50
|
|
|
|
|
|
2018-07-16 19:39:59 +00:00
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_random_exclude_lowercase():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
random_password = conn.get_random_password(PasswordLength=55, ExcludeLowercase=True)
|
2020-10-06 05:54:49 +00:00
|
|
|
assert not any(c.islower() for c in random_password["RandomPassword"])
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-07-16 19:39:59 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_random_exclude_uppercase():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
random_password = conn.get_random_password(PasswordLength=55, ExcludeUppercase=True)
|
2020-10-06 05:54:49 +00:00
|
|
|
assert not any(c.isupper() for c in random_password["RandomPassword"])
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-07-16 19:39:59 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_random_exclude_characters_and_symbols():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
random_password = conn.get_random_password(
|
|
|
|
|
PasswordLength=20, ExcludeCharacters="xyzDje@?!."
|
|
|
|
|
)
|
2020-10-06 05:54:49 +00:00
|
|
|
assert not any(c in "xyzDje@?!." for c in random_password["RandomPassword"])
|
2020-08-03 12:42:42 +00:00
|
|
|
assert len(random_password["RandomPassword"]) == 20
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-07-16 19:39:59 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_random_exclude_numbers():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
random_password = conn.get_random_password(PasswordLength=100, ExcludeNumbers=True)
|
2020-10-06 05:54:49 +00:00
|
|
|
assert not any(c.isdigit() for c in random_password["RandomPassword"])
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-07-16 19:39:59 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_random_exclude_punctuation():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
random_password = conn.get_random_password(
|
|
|
|
|
PasswordLength=100, ExcludePunctuation=True
|
|
|
|
|
)
|
2020-10-06 05:54:49 +00:00
|
|
|
assert not any(c in string.punctuation for c in random_password["RandomPassword"])
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-07-16 19:39:59 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_random_include_space_false():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-07-16 19:39:59 +00:00
|
|
|
|
|
|
|
|
random_password = conn.get_random_password(PasswordLength=300)
|
2020-10-06 05:54:49 +00:00
|
|
|
assert not any(c.isspace() for c in random_password["RandomPassword"])
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-07-16 19:39:59 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_random_include_space_true():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
random_password = conn.get_random_password(PasswordLength=4, IncludeSpace=True)
|
2020-10-06 05:54:49 +00:00
|
|
|
assert any(c.isspace() for c in random_password["RandomPassword"])
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-07-16 19:39:59 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_random_require_each_included_type():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
random_password = conn.get_random_password(
|
|
|
|
|
PasswordLength=4, RequireEachIncludedType=True
|
|
|
|
|
)
|
2020-10-06 05:54:49 +00:00
|
|
|
assert any(c in string.punctuation for c in random_password["RandomPassword"])
|
|
|
|
|
assert any(c in string.ascii_lowercase for c in random_password["RandomPassword"])
|
|
|
|
|
assert any(c in string.ascii_uppercase for c in random_password["RandomPassword"])
|
|
|
|
|
assert any(c in string.digits for c in random_password["RandomPassword"])
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-07-16 19:39:59 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_random_too_short_password():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.get_random_password(PasswordLength=3)
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-07-16 19:39:59 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_get_random_too_long_password():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-07-16 19:39:59 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(Exception):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.get_random_password(PasswordLength=5555)
|
2018-08-06 21:40:33 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-08-06 21:40:33 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_describe_secret():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
|
|
|
|
|
|
|
|
|
conn.create_secret(Name="test-secret-2", SecretString="barsecret")
|
|
|
|
|
|
|
|
|
|
secret_description = conn.describe_secret(SecretId="test-secret")
|
|
|
|
|
secret_description_2 = conn.describe_secret(SecretId="test-secret-2")
|
2018-10-24 21:06:23 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
assert secret_description # Returned dict is not empty
|
|
|
|
|
assert secret_description["Name"] == ("test-secret")
|
|
|
|
|
assert secret_description["ARN"] != "" # Test arn not empty
|
|
|
|
|
assert secret_description_2["Name"] == ("test-secret-2")
|
|
|
|
|
assert secret_description_2["ARN"] != "" # Test arn not empty
|
2018-08-06 21:40:33 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2019-11-23 07:18:06 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_describe_secret_with_arn():
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
results = conn.create_secret(Name="test-secret", SecretString="foosecret")
|
|
|
|
|
|
2019-11-23 10:02:00 +00:00
|
|
|
secret_description = conn.describe_secret(SecretId=results["ARN"])
|
2019-11-23 07:18:06 +00:00
|
|
|
|
|
|
|
|
assert secret_description # Returned dict is not empty
|
2020-09-28 13:49:14 +00:00
|
|
|
secret_description["Name"].should.equal("test-secret")
|
|
|
|
|
secret_description["ARN"].should.equal(results["ARN"])
|
|
|
|
|
conn.list_secrets()["SecretList"][0]["ARN"].should.equal(results["ARN"])
|
2019-11-23 07:18:06 +00:00
|
|
|
|
|
|
|
|
|
2021-08-03 14:46:23 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_describe_secret_with_KmsKeyId():
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
results = conn.create_secret(
|
|
|
|
|
Name="test-secret", SecretString="foosecret", KmsKeyId="dummy_arn"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
secret_description = conn.describe_secret(SecretId=results["ARN"])
|
|
|
|
|
|
|
|
|
|
secret_description["KmsKeyId"].should.equal("dummy_arn")
|
|
|
|
|
conn.list_secrets()["SecretList"][0]["KmsKeyId"].should.equal(
|
|
|
|
|
secret_description["KmsKeyId"]
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
2018-08-06 21:40:33 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_describe_secret_that_does_not_exist():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2018-08-06 21:40:33 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.get_secret_value(SecretId="i-dont-exist")
|
2018-08-13 19:49:35 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-08-13 19:49:35 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_describe_secret_that_does_not_match():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
|
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.get_secret_value(SecretId="i-dont-match")
|
2018-08-15 17:52:30 +00:00
|
|
|
|
2019-04-05 12:33:28 +00:00
|
|
|
|
2019-04-21 17:11:20 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_restore_secret():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2019-04-21 17:11:20 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
2019-04-21 17:11:20 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.delete_secret(SecretId="test-secret")
|
2019-04-21 17:11:20 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
described_secret_before = conn.describe_secret(SecretId="test-secret")
|
|
|
|
|
assert described_secret_before["DeletedDate"] > datetime.fromtimestamp(1, pytz.utc)
|
2019-04-21 17:11:20 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
restored_secret = conn.restore_secret(SecretId="test-secret")
|
|
|
|
|
assert restored_secret["ARN"]
|
|
|
|
|
assert restored_secret["Name"] == "test-secret"
|
2019-04-21 17:11:20 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
described_secret_after = conn.describe_secret(SecretId="test-secret")
|
|
|
|
|
assert "DeletedDate" not in described_secret_after
|
2019-04-21 17:11:20 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_restore_secret_that_is_not_deleted():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2019-04-21 17:11:20 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
2019-04-21 17:11:20 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
restored_secret = conn.restore_secret(SecretId="test-secret")
|
|
|
|
|
assert restored_secret["ARN"]
|
|
|
|
|
assert restored_secret["Name"] == "test-secret"
|
2019-04-21 17:11:20 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_restore_secret_that_does_not_exist():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2019-04-21 17:11:20 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.restore_secret(SecretId="i-dont-exist")
|
2019-04-21 17:11:20 +00:00
|
|
|
|
|
|
|
|
|
2018-08-15 18:04:44 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_rotate_secret():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2020-10-05 10:10:32 +00:00
|
|
|
conn.create_secret(
|
|
|
|
|
Name=DEFAULT_SECRET_NAME, SecretString="foosecret", Description="foodescription"
|
|
|
|
|
)
|
2018-08-15 18:04:44 +00:00
|
|
|
|
2019-05-22 09:45:22 +00:00
|
|
|
rotated_secret = conn.rotate_secret(SecretId=DEFAULT_SECRET_NAME)
|
2018-08-15 18:04:44 +00:00
|
|
|
|
|
|
|
|
assert rotated_secret
|
2019-10-31 15:44:26 +00:00
|
|
|
assert rotated_secret["ARN"] != "" # Test arn not empty
|
|
|
|
|
assert rotated_secret["Name"] == DEFAULT_SECRET_NAME
|
|
|
|
|
assert rotated_secret["VersionId"] != ""
|
|
|
|
|
|
2020-10-05 10:10:32 +00:00
|
|
|
describe_secret = conn.describe_secret(SecretId=DEFAULT_SECRET_NAME)
|
|
|
|
|
|
|
|
|
|
assert describe_secret["Description"] == "foodescription"
|
|
|
|
|
|
2018-08-15 18:04:44 +00:00
|
|
|
|
2018-08-16 00:11:58 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_rotate_secret_enable_rotation():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
conn.create_secret(Name=DEFAULT_SECRET_NAME, SecretString="foosecret")
|
2018-08-16 00:11:58 +00:00
|
|
|
|
2019-05-22 09:45:22 +00:00
|
|
|
initial_description = conn.describe_secret(SecretId=DEFAULT_SECRET_NAME)
|
2018-08-16 00:11:58 +00:00
|
|
|
assert initial_description
|
2019-10-31 15:44:26 +00:00
|
|
|
assert initial_description["RotationEnabled"] is False
|
|
|
|
|
assert initial_description["RotationRules"]["AutomaticallyAfterDays"] == 0
|
2018-08-16 00:11:58 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.rotate_secret(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME, RotationRules={"AutomaticallyAfterDays": 42}
|
|
|
|
|
)
|
2018-08-16 00:11:58 +00:00
|
|
|
|
2019-05-22 09:45:22 +00:00
|
|
|
rotated_description = conn.describe_secret(SecretId=DEFAULT_SECRET_NAME)
|
2018-08-16 00:11:58 +00:00
|
|
|
assert rotated_description
|
2019-10-31 15:44:26 +00:00
|
|
|
assert rotated_description["RotationEnabled"] is True
|
|
|
|
|
assert rotated_description["RotationRules"]["AutomaticallyAfterDays"] == 42
|
2018-08-16 00:11:58 +00:00
|
|
|
|
2019-04-18 15:47:15 +00:00
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_rotate_secret_that_is_marked_deleted():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2019-04-18 15:47:15 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
2019-04-18 15:47:15 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.delete_secret(SecretId="test-secret")
|
2019-04-18 15:47:15 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.rotate_secret(SecretId="test-secret")
|
2019-04-18 15:47:15 +00:00
|
|
|
|
|
|
|
|
|
2018-08-15 17:52:30 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_rotate_secret_that_does_not_exist():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", "us-west-2")
|
2018-08-15 17:52:30 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.rotate_secret(SecretId="i-dont-exist")
|
2019-10-31 15:44:26 +00:00
|
|
|
|
2018-08-15 17:52:30 +00:00
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_rotate_secret_that_does_not_match():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
2018-08-15 17:52:30 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.rotate_secret(SecretId="i-dont-match")
|
2019-10-31 15:44:26 +00:00
|
|
|
|
2018-08-15 18:20:29 +00:00
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_rotate_secret_client_request_token_too_short():
|
|
|
|
|
# Test is intentionally empty. Boto3 catches too short ClientRequestToken
|
|
|
|
|
# and raises ParamValidationError before Moto can see it.
|
|
|
|
|
# test_server actually handles this error.
|
|
|
|
|
assert True
|
|
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
|
2018-08-15 18:20:29 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_rotate_secret_client_request_token_too_long():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
conn.create_secret(Name=DEFAULT_SECRET_NAME, SecretString="foosecret")
|
2018-08-15 18:20:29 +00:00
|
|
|
|
|
|
|
|
client_request_token = (
|
2019-10-31 15:44:26 +00:00
|
|
|
"ED9F8B6C-85B7-446A-B7E4-38F2A3BEB13C-" "ED9F8B6C-85B7-446A-B7E4-38F2A3BEB13C"
|
2018-08-15 18:20:29 +00:00
|
|
|
)
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.rotate_secret(
|
2019-10-31 15:44:26 +00:00
|
|
|
SecretId=DEFAULT_SECRET_NAME, ClientRequestToken=client_request_token
|
|
|
|
|
)
|
|
|
|
|
|
2018-08-15 18:20:29 +00:00
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_rotate_secret_rotation_lambda_arn_too_long():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
conn.create_secret(Name=DEFAULT_SECRET_NAME, SecretString="foosecret")
|
2018-08-15 18:20:29 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
rotation_lambda_arn = "85B7-446A-B7E4" * 147 # == 2058 characters
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.rotate_secret(
|
2019-10-31 15:44:26 +00:00
|
|
|
SecretId=DEFAULT_SECRET_NAME, RotationLambdaARN=rotation_lambda_arn
|
|
|
|
|
)
|
|
|
|
|
|
2018-08-15 18:20:29 +00:00
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_rotate_secret_rotation_period_zero():
|
|
|
|
|
# Test is intentionally empty. Boto3 catches zero day rotation period
|
|
|
|
|
# and raises ParamValidationError before Moto can see it.
|
|
|
|
|
# test_server actually handles this error.
|
|
|
|
|
assert True
|
|
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2018-08-15 18:20:29 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_rotate_secret_rotation_period_too_long():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
conn.create_secret(Name=DEFAULT_SECRET_NAME, SecretString="foosecret")
|
2018-08-15 18:20:29 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
rotation_rules = {"AutomaticallyAfterDays": 1001}
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError):
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.rotate_secret(SecretId=DEFAULT_SECRET_NAME, RotationRules=rotation_rules)
|
2019-05-22 09:45:22 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2021-05-11 11:08:01 +00:00
|
|
|
def get_rotation_zip_file():
|
2021-09-21 15:19:49 +00:00
|
|
|
from tests.test_awslambda.utilities import _process_lambda
|
2021-05-11 11:08:01 +00:00
|
|
|
|
|
|
|
|
func_str = """
|
|
|
|
|
import boto3
|
|
|
|
|
import json
|
|
|
|
|
|
|
|
|
|
def lambda_handler(event, context):
|
|
|
|
|
arn = event['SecretId']
|
|
|
|
|
token = event['ClientRequestToken']
|
|
|
|
|
step = event['Step']
|
2021-08-03 14:46:23 +00:00
|
|
|
|
2021-05-11 11:08:01 +00:00
|
|
|
client = boto3.client("secretsmanager", region_name="us-west-2", endpoint_url="http://motoserver:5000")
|
|
|
|
|
metadata = client.describe_secret(SecretId=arn)
|
|
|
|
|
value = client.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
|
|
|
|
|
|
|
|
|
|
if not metadata['RotationEnabled']:
|
|
|
|
|
print("Secret %s is not enabled for rotation." % arn)
|
|
|
|
|
raise ValueError("Secret %s is not enabled for rotation." % arn)
|
|
|
|
|
versions = metadata['VersionIdsToStages']
|
|
|
|
|
if token not in versions:
|
|
|
|
|
print("Secret version %s has no stage for rotation of secret %s." % (token, arn))
|
|
|
|
|
raise ValueError("Secret version %s has no stage for rotation of secret %s." % (token, arn))
|
|
|
|
|
if "AWSCURRENT" in versions[token]:
|
|
|
|
|
print("Secret version %s already set as AWSCURRENT for secret %s." % (token, arn))
|
|
|
|
|
return
|
|
|
|
|
elif "AWSPENDING" not in versions[token]:
|
|
|
|
|
print("Secret version %s not set as AWSPENDING for rotation of secret %s." % (token, arn))
|
|
|
|
|
raise ValueError("Secret version %s not set as AWSPENDING for rotation of secret %s." % (token, arn))
|
2021-08-03 14:46:23 +00:00
|
|
|
|
2021-05-11 11:08:01 +00:00
|
|
|
if step == 'createSecret':
|
|
|
|
|
try:
|
|
|
|
|
client.get_secret_value(SecretId=arn, VersionId=token, VersionStage='AWSPENDING')
|
|
|
|
|
except client.exceptions.ResourceNotFoundException:
|
|
|
|
|
client.put_secret_value(
|
2021-08-03 14:46:23 +00:00
|
|
|
SecretId=arn,
|
|
|
|
|
ClientRequestToken=token,
|
|
|
|
|
SecretString=json.dumps({'create': True}),
|
2021-05-11 11:08:01 +00:00
|
|
|
VersionStages=['AWSPENDING']
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
if step == 'setSecret':
|
|
|
|
|
client.put_secret_value(
|
2021-08-03 14:46:23 +00:00
|
|
|
SecretId=arn,
|
|
|
|
|
ClientRequestToken=token,
|
|
|
|
|
SecretString='UpdatedValue',
|
2021-05-11 11:08:01 +00:00
|
|
|
VersionStages=["AWSPENDING"],
|
|
|
|
|
)
|
2021-08-03 14:46:23 +00:00
|
|
|
|
2021-05-11 11:08:01 +00:00
|
|
|
elif step == 'finishSecret':
|
|
|
|
|
current_version = next(
|
|
|
|
|
version
|
|
|
|
|
for version, stages in metadata['VersionIdsToStages'].items()
|
2021-08-03 14:46:23 +00:00
|
|
|
if 'AWSCURRENT' in stages
|
2021-05-11 11:08:01 +00:00
|
|
|
)
|
|
|
|
|
print("current: %s new: %s" % (current_version, token))
|
|
|
|
|
client.update_secret_version_stage(
|
|
|
|
|
SecretId=arn,
|
|
|
|
|
VersionStage='AWSCURRENT',
|
|
|
|
|
MoveToVersionId=token,
|
|
|
|
|
RemoveFromVersionId=current_version,
|
|
|
|
|
)
|
|
|
|
|
client.update_secret_version_stage(
|
|
|
|
|
SecretId=arn,
|
|
|
|
|
VersionStage='AWSPENDING',
|
|
|
|
|
RemoveFromVersionId=token,
|
|
|
|
|
)
|
|
|
|
|
"""
|
|
|
|
|
return _process_lambda(func_str)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if settings.TEST_SERVER_MODE:
|
|
|
|
|
|
|
|
|
|
@mock_lambda
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_rotate_secret_using_lambda():
|
2021-09-21 15:19:49 +00:00
|
|
|
from tests.test_awslambda.utilities import get_role_name
|
2021-05-11 11:08:01 +00:00
|
|
|
|
|
|
|
|
# Passing a `RotationLambdaARN` value to `rotate_secret` should invoke lambda
|
|
|
|
|
lambda_conn = boto3.client(
|
|
|
|
|
"lambda", region_name="us-west-2", endpoint_url="http://localhost:5000",
|
|
|
|
|
)
|
|
|
|
|
func = lambda_conn.create_function(
|
|
|
|
|
FunctionName="testFunction",
|
|
|
|
|
Runtime="python3.8",
|
|
|
|
|
Role=get_role_name(),
|
|
|
|
|
Handler="lambda_function.lambda_handler",
|
|
|
|
|
Code={"ZipFile": get_rotation_zip_file()},
|
|
|
|
|
Description="Secret rotator",
|
|
|
|
|
Timeout=3,
|
|
|
|
|
MemorySize=128,
|
|
|
|
|
Publish=True,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
secrets_conn = boto3.client(
|
|
|
|
|
"secretsmanager",
|
|
|
|
|
region_name="us-west-2",
|
|
|
|
|
endpoint_url="http://localhost:5000",
|
|
|
|
|
)
|
|
|
|
|
secret = secrets_conn.create_secret(
|
|
|
|
|
Name=DEFAULT_SECRET_NAME, SecretString="InitialValue",
|
|
|
|
|
)
|
|
|
|
|
initial_version = secret["VersionId"]
|
|
|
|
|
|
|
|
|
|
rotated_secret = secrets_conn.rotate_secret(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME,
|
|
|
|
|
RotationLambdaARN=func["FunctionArn"],
|
|
|
|
|
RotationRules=dict(AutomaticallyAfterDays=30,),
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
# Ensure we received an updated VersionId from `rotate_secret`
|
|
|
|
|
assert rotated_secret["VersionId"] != initial_version
|
|
|
|
|
|
|
|
|
|
updated_secret = secrets_conn.get_secret_value(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME, VersionStage="AWSCURRENT",
|
|
|
|
|
)
|
|
|
|
|
rotated_version = updated_secret["VersionId"]
|
|
|
|
|
|
|
|
|
|
assert initial_version != rotated_version
|
|
|
|
|
metadata = secrets_conn.describe_secret(SecretId=DEFAULT_SECRET_NAME)
|
|
|
|
|
assert metadata["VersionIdsToStages"][initial_version] == ["AWSPREVIOUS"]
|
|
|
|
|
assert metadata["VersionIdsToStages"][rotated_version] == ["AWSCURRENT"]
|
|
|
|
|
assert updated_secret["SecretString"] == "UpdatedValue"
|
|
|
|
|
|
|
|
|
|
|
2020-11-02 10:15:40 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_put_secret_value_on_non_existing_secret():
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2020-11-10 17:14:50 +00:00
|
|
|
with pytest.raises(ClientError) as cm:
|
2020-11-02 10:15:40 +00:00
|
|
|
conn.put_secret_value(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME,
|
|
|
|
|
SecretString="foosecret",
|
|
|
|
|
VersionStages=["AWSCURRENT"],
|
|
|
|
|
)
|
|
|
|
|
|
2020-11-11 15:55:37 +00:00
|
|
|
cm.value.response["Error"]["Message"].should.equal(
|
|
|
|
|
"Secrets Manager can't find the specified secret."
|
|
|
|
|
)
|
2020-11-02 10:15:40 +00:00
|
|
|
|
|
|
|
|
|
2019-05-22 09:45:22 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_put_secret_value_puts_new_secret():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2021-07-26 06:40:39 +00:00
|
|
|
conn.create_secret(Name=DEFAULT_SECRET_NAME, SecretBinary=b"foosecret")
|
2019-10-31 15:44:26 +00:00
|
|
|
put_secret_value_dict = conn.put_secret_value(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME,
|
|
|
|
|
SecretString="foosecret",
|
|
|
|
|
VersionStages=["AWSCURRENT"],
|
|
|
|
|
)
|
|
|
|
|
version_id = put_secret_value_dict["VersionId"]
|
2019-05-22 09:45:22 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
get_secret_value_dict = conn.get_secret_value(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME, VersionId=version_id, VersionStage="AWSCURRENT"
|
|
|
|
|
)
|
2019-05-22 09:45:22 +00:00
|
|
|
|
|
|
|
|
assert get_secret_value_dict
|
2019-10-31 15:44:26 +00:00
|
|
|
assert get_secret_value_dict["SecretString"] == "foosecret"
|
2019-05-22 09:45:22 +00:00
|
|
|
|
2019-08-23 09:57:15 +00:00
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_put_secret_binary_value_puts_new_secret():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2021-07-26 06:40:39 +00:00
|
|
|
conn.create_secret(Name=DEFAULT_SECRET_NAME, SecretBinary=b"foosecret")
|
2019-10-31 15:44:26 +00:00
|
|
|
put_secret_value_dict = conn.put_secret_value(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME,
|
2021-07-26 06:40:39 +00:00
|
|
|
SecretBinary=b"foosecret",
|
2019-10-31 15:44:26 +00:00
|
|
|
VersionStages=["AWSCURRENT"],
|
|
|
|
|
)
|
|
|
|
|
version_id = put_secret_value_dict["VersionId"]
|
2019-08-23 09:57:15 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
get_secret_value_dict = conn.get_secret_value(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME, VersionId=version_id, VersionStage="AWSCURRENT"
|
|
|
|
|
)
|
2019-08-23 09:57:15 +00:00
|
|
|
|
|
|
|
|
assert get_secret_value_dict
|
2021-07-26 06:40:39 +00:00
|
|
|
assert get_secret_value_dict["SecretBinary"] == b"foosecret"
|
2019-08-23 09:57:15 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_create_and_put_secret_binary_value_puts_new_secret():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2021-07-26 06:40:39 +00:00
|
|
|
conn.create_secret(Name=DEFAULT_SECRET_NAME, SecretBinary=b"foosecret")
|
2019-10-31 15:44:26 +00:00
|
|
|
conn.put_secret_value(
|
2021-07-26 06:40:39 +00:00
|
|
|
SecretId=DEFAULT_SECRET_NAME, SecretBinary=b"foosecret_update"
|
2019-10-31 15:44:26 +00:00
|
|
|
)
|
2019-08-23 09:57:15 +00:00
|
|
|
|
|
|
|
|
latest_secret = conn.get_secret_value(SecretId=DEFAULT_SECRET_NAME)
|
|
|
|
|
|
|
|
|
|
assert latest_secret
|
2021-07-26 06:40:39 +00:00
|
|
|
assert latest_secret["SecretBinary"] == b"foosecret_update"
|
2019-08-23 09:57:15 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_put_secret_binary_requires_either_string_or_binary():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError) as ire:
|
2019-08-23 09:57:15 +00:00
|
|
|
conn.put_secret_value(SecretId=DEFAULT_SECRET_NAME)
|
|
|
|
|
|
2020-10-06 06:04:09 +00:00
|
|
|
ire.value.response["Error"]["Code"].should.equal("InvalidRequestException")
|
|
|
|
|
ire.value.response["Error"]["Message"].should.equal(
|
2019-10-31 15:44:26 +00:00
|
|
|
"You must provide either SecretString or SecretBinary."
|
|
|
|
|
)
|
2019-08-23 09:57:15 +00:00
|
|
|
|
|
|
|
|
|
2019-05-22 09:45:22 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_put_secret_value_can_get_first_version_if_put_twice():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2021-07-26 06:40:39 +00:00
|
|
|
conn.create_secret(Name=DEFAULT_SECRET_NAME, SecretBinary=b"foosecret")
|
2019-10-31 15:44:26 +00:00
|
|
|
put_secret_value_dict = conn.put_secret_value(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME,
|
|
|
|
|
SecretString="first_secret",
|
|
|
|
|
VersionStages=["AWSCURRENT"],
|
|
|
|
|
)
|
|
|
|
|
first_version_id = put_secret_value_dict["VersionId"]
|
|
|
|
|
conn.put_secret_value(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME,
|
|
|
|
|
SecretString="second_secret",
|
|
|
|
|
VersionStages=["AWSCURRENT"],
|
|
|
|
|
)
|
2019-05-22 09:45:22 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
first_secret_value_dict = conn.get_secret_value(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME, VersionId=first_version_id
|
|
|
|
|
)
|
|
|
|
|
first_secret_value = first_secret_value_dict["SecretString"]
|
2019-05-22 09:45:22 +00:00
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
assert first_secret_value == "first_secret"
|
2019-05-22 09:45:22 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_put_secret_value_versions_differ_if_same_secret_put_twice():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2020-11-02 10:15:40 +00:00
|
|
|
conn.create_secret(Name=DEFAULT_SECRET_NAME, SecretBinary="foosecret")
|
2019-10-31 15:44:26 +00:00
|
|
|
put_secret_value_dict = conn.put_secret_value(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME,
|
|
|
|
|
SecretString="dupe_secret",
|
|
|
|
|
VersionStages=["AWSCURRENT"],
|
|
|
|
|
)
|
|
|
|
|
first_version_id = put_secret_value_dict["VersionId"]
|
|
|
|
|
put_secret_value_dict = conn.put_secret_value(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME,
|
|
|
|
|
SecretString="dupe_secret",
|
|
|
|
|
VersionStages=["AWSCURRENT"],
|
|
|
|
|
)
|
|
|
|
|
second_version_id = put_secret_value_dict["VersionId"]
|
2019-05-22 09:45:22 +00:00
|
|
|
|
|
|
|
|
assert first_version_id != second_version_id
|
|
|
|
|
|
|
|
|
|
|
2020-04-24 19:47:11 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_put_secret_value_maintains_description_and_tags():
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
|
2020-05-29 11:31:41 +00:00
|
|
|
previous_response = conn.create_secret(
|
2020-04-24 19:47:11 +00:00
|
|
|
Name=DEFAULT_SECRET_NAME,
|
|
|
|
|
SecretString="foosecret",
|
|
|
|
|
Description="desc",
|
|
|
|
|
Tags=[{"Key": "Foo", "Value": "Bar"}, {"Key": "Mykey", "Value": "Myvalue"}],
|
|
|
|
|
)
|
2020-05-29 11:31:41 +00:00
|
|
|
previous_version_id = previous_response["VersionId"]
|
2020-04-24 19:47:11 +00:00
|
|
|
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2020-05-29 11:31:41 +00:00
|
|
|
current_response = conn.put_secret_value(
|
2020-04-24 19:47:11 +00:00
|
|
|
SecretId=DEFAULT_SECRET_NAME,
|
|
|
|
|
SecretString="dupe_secret",
|
|
|
|
|
VersionStages=["AWSCURRENT"],
|
|
|
|
|
)
|
2020-05-29 11:31:41 +00:00
|
|
|
current_version_id = current_response["VersionId"]
|
|
|
|
|
|
2020-04-24 19:47:11 +00:00
|
|
|
secret_details = conn.describe_secret(SecretId=DEFAULT_SECRET_NAME)
|
|
|
|
|
assert secret_details["Tags"] == [
|
|
|
|
|
{"Key": "Foo", "Value": "Bar"},
|
|
|
|
|
{"Key": "Mykey", "Value": "Myvalue"},
|
|
|
|
|
]
|
|
|
|
|
assert secret_details["Description"] == "desc"
|
2020-05-29 11:31:41 +00:00
|
|
|
assert secret_details["VersionIdsToStages"] is not None
|
|
|
|
|
assert previous_version_id in secret_details["VersionIdsToStages"]
|
|
|
|
|
assert current_version_id in secret_details["VersionIdsToStages"]
|
|
|
|
|
assert secret_details["VersionIdsToStages"][previous_version_id] == ["AWSPREVIOUS"]
|
|
|
|
|
assert secret_details["VersionIdsToStages"][current_version_id] == ["AWSCURRENT"]
|
2020-04-24 19:47:11 +00:00
|
|
|
|
|
|
|
|
|
2019-05-22 09:45:22 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_can_list_secret_version_ids():
|
2019-10-31 15:44:26 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2020-11-02 10:15:40 +00:00
|
|
|
conn.create_secret(Name=DEFAULT_SECRET_NAME, SecretBinary="foosecret")
|
2019-10-31 15:44:26 +00:00
|
|
|
put_secret_value_dict = conn.put_secret_value(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME,
|
|
|
|
|
SecretString="dupe_secret",
|
|
|
|
|
VersionStages=["AWSCURRENT"],
|
|
|
|
|
)
|
|
|
|
|
first_version_id = put_secret_value_dict["VersionId"]
|
|
|
|
|
put_secret_value_dict = conn.put_secret_value(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME,
|
|
|
|
|
SecretString="dupe_secret",
|
|
|
|
|
VersionStages=["AWSCURRENT"],
|
|
|
|
|
)
|
|
|
|
|
second_version_id = put_secret_value_dict["VersionId"]
|
2019-05-22 09:45:22 +00:00
|
|
|
|
|
|
|
|
versions_list = conn.list_secret_version_ids(SecretId=DEFAULT_SECRET_NAME)
|
|
|
|
|
|
2019-10-31 15:44:26 +00:00
|
|
|
returned_version_ids = [v["VersionId"] for v in versions_list["Versions"]]
|
2019-05-22 09:45:22 +00:00
|
|
|
|
|
|
|
|
assert [first_version_id, second_version_id].sort() == returned_version_ids.sort()
|
2020-04-16 15:20:43 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
2021-09-27 19:59:13 +00:00
|
|
|
@pytest.mark.parametrize("pass_arn", [True, False])
|
|
|
|
|
def test_update_secret(pass_arn):
|
2020-04-16 15:20:43 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
|
|
|
|
|
created_secret = conn.create_secret(Name="test-secret", SecretString="foosecret")
|
|
|
|
|
|
|
|
|
|
assert created_secret["ARN"]
|
|
|
|
|
assert created_secret["Name"] == "test-secret"
|
|
|
|
|
assert created_secret["VersionId"] != ""
|
|
|
|
|
|
2021-09-27 19:59:13 +00:00
|
|
|
secret_id = created_secret["ARN"] if pass_arn else "test-secret"
|
|
|
|
|
|
|
|
|
|
secret = conn.get_secret_value(SecretId=secret_id)
|
2020-04-16 15:20:43 +00:00
|
|
|
assert secret["SecretString"] == "foosecret"
|
|
|
|
|
|
2021-09-27 19:59:13 +00:00
|
|
|
updated_secret = conn.update_secret(SecretId=secret_id, SecretString="barsecret")
|
2020-04-16 15:20:43 +00:00
|
|
|
|
|
|
|
|
assert updated_secret["ARN"]
|
|
|
|
|
assert updated_secret["Name"] == "test-secret"
|
|
|
|
|
assert updated_secret["VersionId"] != ""
|
|
|
|
|
|
2021-09-27 19:59:13 +00:00
|
|
|
secret = conn.get_secret_value(SecretId=secret_id)
|
2020-04-16 15:20:43 +00:00
|
|
|
assert secret["SecretString"] == "barsecret"
|
|
|
|
|
assert created_secret["VersionId"] != updated_secret["VersionId"]
|
|
|
|
|
|
|
|
|
|
|
2020-04-24 19:47:11 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_update_secret_with_tags_and_description():
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
|
|
|
|
|
created_secret = conn.create_secret(
|
|
|
|
|
Name="test-secret",
|
|
|
|
|
SecretString="foosecret",
|
|
|
|
|
Description="desc",
|
|
|
|
|
Tags=[{"Key": "Foo", "Value": "Bar"}, {"Key": "Mykey", "Value": "Myvalue"}],
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
assert created_secret["ARN"]
|
|
|
|
|
assert created_secret["Name"] == "test-secret"
|
|
|
|
|
assert created_secret["VersionId"] != ""
|
|
|
|
|
|
|
|
|
|
secret = conn.get_secret_value(SecretId="test-secret")
|
|
|
|
|
assert secret["SecretString"] == "foosecret"
|
|
|
|
|
|
|
|
|
|
updated_secret = conn.update_secret(
|
|
|
|
|
SecretId="test-secret", SecretString="barsecret"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
assert updated_secret["ARN"]
|
|
|
|
|
assert updated_secret["Name"] == "test-secret"
|
|
|
|
|
assert updated_secret["VersionId"] != ""
|
|
|
|
|
|
|
|
|
|
secret = conn.get_secret_value(SecretId="test-secret")
|
|
|
|
|
assert secret["SecretString"] == "barsecret"
|
|
|
|
|
assert created_secret["VersionId"] != updated_secret["VersionId"]
|
|
|
|
|
secret_details = conn.describe_secret(SecretId="test-secret")
|
|
|
|
|
assert secret_details["Tags"] == [
|
|
|
|
|
{"Key": "Foo", "Value": "Bar"},
|
|
|
|
|
{"Key": "Mykey", "Value": "Myvalue"},
|
|
|
|
|
]
|
|
|
|
|
assert secret_details["Description"] == "desc"
|
|
|
|
|
|
|
|
|
|
|
2021-08-03 14:46:23 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_update_secret_with_KmsKeyId():
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
|
|
|
|
|
created_secret = conn.create_secret(
|
|
|
|
|
Name="test-secret", SecretString="foosecret", KmsKeyId="foo_arn"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
assert created_secret["ARN"]
|
|
|
|
|
assert created_secret["Name"] == "test-secret"
|
|
|
|
|
assert created_secret["VersionId"] != ""
|
|
|
|
|
|
|
|
|
|
secret = conn.get_secret_value(SecretId="test-secret")
|
|
|
|
|
assert secret["SecretString"] == "foosecret"
|
|
|
|
|
|
|
|
|
|
secret_details = conn.describe_secret(SecretId="test-secret")
|
|
|
|
|
secret_details["KmsKeyId"].should.equal("foo_arn")
|
|
|
|
|
|
|
|
|
|
updated_secret = conn.update_secret(
|
|
|
|
|
SecretId="test-secret", SecretString="barsecret", KmsKeyId="bar_arn"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
assert updated_secret["ARN"]
|
|
|
|
|
assert updated_secret["Name"] == "test-secret"
|
|
|
|
|
assert updated_secret["VersionId"] != ""
|
|
|
|
|
|
|
|
|
|
secret = conn.get_secret_value(SecretId="test-secret")
|
|
|
|
|
assert secret["SecretString"] == "barsecret"
|
|
|
|
|
assert created_secret["VersionId"] != updated_secret["VersionId"]
|
|
|
|
|
|
|
|
|
|
secret_details = conn.describe_secret(SecretId="test-secret")
|
|
|
|
|
secret_details["KmsKeyId"].should.equal("bar_arn")
|
|
|
|
|
|
|
|
|
|
|
2020-04-16 15:20:43 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_update_secret_which_does_not_exit():
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError) as cm:
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.update_secret(SecretId="test-secret", SecretString="barsecret")
|
2020-04-16 15:20:43 +00:00
|
|
|
|
2020-10-06 06:46:05 +00:00
|
|
|
assert (
|
|
|
|
|
"Secrets Manager can't find the specified secret."
|
|
|
|
|
== cm.value.response["Error"]["Message"]
|
|
|
|
|
)
|
2020-04-16 15:20:43 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_update_secret_marked_as_deleted():
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
|
|
|
|
conn.delete_secret(SecretId="test-secret")
|
2020-04-16 15:20:43 +00:00
|
|
|
|
2020-10-06 05:54:49 +00:00
|
|
|
with pytest.raises(ClientError) as cm:
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.update_secret(SecretId="test-secret", SecretString="barsecret")
|
2020-04-16 15:20:43 +00:00
|
|
|
|
|
|
|
|
assert (
|
2020-10-06 06:46:05 +00:00
|
|
|
"because it was marked for deletion." in cm.value.response["Error"]["Message"]
|
2020-04-16 15:20:43 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_update_secret_marked_as_deleted_after_restoring():
|
|
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
|
2021-10-18 19:44:29 +00:00
|
|
|
conn.create_secret(Name="test-secret", SecretString="foosecret")
|
|
|
|
|
conn.delete_secret(SecretId="test-secret")
|
|
|
|
|
conn.restore_secret(SecretId="test-secret")
|
2020-04-16 15:20:43 +00:00
|
|
|
|
|
|
|
|
updated_secret = conn.update_secret(
|
|
|
|
|
SecretId="test-secret", SecretString="barsecret"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
assert updated_secret["ARN"]
|
|
|
|
|
assert updated_secret["Name"] == "test-secret"
|
|
|
|
|
assert updated_secret["VersionId"] != ""
|
2020-10-22 10:14:32 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
2021-09-27 19:59:13 +00:00
|
|
|
@pytest.mark.parametrize("pass_arn", [True, False])
|
|
|
|
|
def test_tag_resource(pass_arn):
|
2020-10-22 10:14:32 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2021-09-27 19:59:13 +00:00
|
|
|
created_secret = conn.create_secret(Name="test-secret", SecretString="foosecret")
|
|
|
|
|
secret_id = created_secret["ARN"] if pass_arn else "test-secret"
|
2020-10-22 10:14:32 +00:00
|
|
|
conn.tag_resource(
|
2021-09-27 19:59:13 +00:00
|
|
|
SecretId=secret_id, Tags=[{"Key": "FirstTag", "Value": "SomeValue"},],
|
2020-10-22 10:14:32 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
conn.tag_resource(
|
2021-09-27 19:59:13 +00:00
|
|
|
SecretId=secret_id, Tags=[{"Key": "SecondTag", "Value": "AnotherValue"},],
|
2020-10-22 10:14:32 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
secrets = conn.list_secrets()
|
|
|
|
|
assert secrets["SecretList"][0].get("Tags") == [
|
|
|
|
|
{"Key": "FirstTag", "Value": "SomeValue"},
|
|
|
|
|
{"Key": "SecondTag", "Value": "AnotherValue"},
|
|
|
|
|
]
|
|
|
|
|
|
2020-11-10 17:14:50 +00:00
|
|
|
with pytest.raises(ClientError) as cm:
|
2020-10-22 10:14:32 +00:00
|
|
|
conn.tag_resource(
|
|
|
|
|
SecretId="dummy-test-secret",
|
2020-11-11 15:55:37 +00:00
|
|
|
Tags=[{"Key": "FirstTag", "Value": "SomeValue"},],
|
2020-10-22 10:14:32 +00:00
|
|
|
)
|
|
|
|
|
|
2020-11-11 15:55:37 +00:00
|
|
|
assert (
|
|
|
|
|
"Secrets Manager can't find the specified secret."
|
|
|
|
|
== cm.value.response["Error"]["Message"]
|
|
|
|
|
)
|
2020-11-03 14:18:56 +00:00
|
|
|
|
|
|
|
|
|
2021-03-12 10:35:38 +00:00
|
|
|
@mock_secretsmanager
|
2021-09-27 19:59:13 +00:00
|
|
|
@pytest.mark.parametrize("pass_arn", [True, False])
|
|
|
|
|
def test_untag_resource(pass_arn):
|
2021-03-12 10:35:38 +00:00
|
|
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
2021-09-27 19:59:13 +00:00
|
|
|
created_secret = conn.create_secret(Name="test-secret", SecretString="foosecret")
|
|
|
|
|
secret_id = created_secret["ARN"] if pass_arn else "test-secret"
|
2021-03-12 10:35:38 +00:00
|
|
|
conn.tag_resource(
|
2021-09-27 19:59:13 +00:00
|
|
|
SecretId=secret_id,
|
2021-03-12 10:35:38 +00:00
|
|
|
Tags=[
|
|
|
|
|
{"Key": "FirstTag", "Value": "SomeValue"},
|
|
|
|
|
{"Key": "SecondTag", "Value": "SomeValue"},
|
|
|
|
|
],
|
|
|
|
|
)
|
|
|
|
|
|
2021-09-27 19:59:13 +00:00
|
|
|
conn.untag_resource(SecretId=secret_id, TagKeys=["FirstTag"])
|
2021-03-12 10:35:38 +00:00
|
|
|
secrets = conn.list_secrets()
|
|
|
|
|
assert secrets["SecretList"][0].get("Tags") == [
|
|
|
|
|
{"Key": "SecondTag", "Value": "SomeValue"},
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
with pytest.raises(ClientError) as cm:
|
|
|
|
|
conn.untag_resource(
|
|
|
|
|
SecretId="dummy-test-secret", TagKeys=["FirstTag"],
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
assert (
|
|
|
|
|
"Secrets Manager can't find the specified secret."
|
|
|
|
|
== cm.value.response["Error"]["Message"]
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
2020-11-03 14:18:56 +00:00
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_secret_versions_to_stages_attribute_discrepancy():
|
|
|
|
|
client = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
|
|
|
|
|
resp = client.create_secret(Name=DEFAULT_SECRET_NAME, SecretString="foosecret")
|
|
|
|
|
previous_version_id = resp["VersionId"]
|
|
|
|
|
|
|
|
|
|
resp = client.put_secret_value(
|
|
|
|
|
SecretId=DEFAULT_SECRET_NAME,
|
|
|
|
|
SecretString="dupe_secret",
|
|
|
|
|
VersionStages=["AWSCURRENT"],
|
|
|
|
|
)
|
|
|
|
|
current_version_id = resp["VersionId"]
|
|
|
|
|
|
|
|
|
|
secret = client.describe_secret(SecretId=DEFAULT_SECRET_NAME)
|
|
|
|
|
describe_vtos = secret["VersionIdsToStages"]
|
|
|
|
|
assert describe_vtos[current_version_id] == ["AWSCURRENT"]
|
|
|
|
|
assert describe_vtos[previous_version_id] == ["AWSPREVIOUS"]
|
|
|
|
|
|
|
|
|
|
secret = client.list_secrets(
|
|
|
|
|
Filters=[{"Key": "name", "Values": [DEFAULT_SECRET_NAME]}]
|
|
|
|
|
).get("SecretList")[0]
|
|
|
|
|
list_vtos = secret["SecretVersionsToStages"]
|
|
|
|
|
assert list_vtos[current_version_id] == ["AWSCURRENT"]
|
|
|
|
|
assert list_vtos[previous_version_id] == ["AWSPREVIOUS"]
|
|
|
|
|
|
|
|
|
|
assert describe_vtos == list_vtos
|
2021-09-21 16:43:31 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@mock_secretsmanager
|
|
|
|
|
def test_update_secret_with_client_request_token():
|
|
|
|
|
client = boto3.client("secretsmanager", region_name="us-west-2")
|
|
|
|
|
secret_name = "test-secret"
|
|
|
|
|
client_request_token = str(uuid4())
|
|
|
|
|
|
|
|
|
|
client.create_secret(Name=secret_name, SecretString="first-secret")
|
|
|
|
|
updated_secret = client.update_secret(
|
|
|
|
|
SecretId=secret_name,
|
|
|
|
|
SecretString="second-secret",
|
|
|
|
|
ClientRequestToken=client_request_token,
|
|
|
|
|
)
|
|
|
|
|
assert client_request_token == updated_secret["VersionId"]
|
|
|
|
|
updated_secret = client.update_secret(
|
|
|
|
|
SecretId=secret_name, SecretString="third-secret",
|
|
|
|
|
)
|
|
|
|
|
assert client_request_token != updated_secret["VersionId"]
|
|
|
|
|
invalid_request_token = "test-token"
|
|
|
|
|
with pytest.raises(ParamValidationError) as pve:
|
|
|
|
|
client.update_secret(
|
|
|
|
|
SecretId=secret_name,
|
|
|
|
|
SecretString="fourth-secret",
|
|
|
|
|
ClientRequestToken=invalid_request_token,
|
|
|
|
|
)
|
|
|
|
|
pve.value.response["Error"]["Code"].should.equal("InvalidParameterException")
|
|
|
|
|
pve.value.response["Error"]["Message"].should.equal(
|
|
|
|
|
"ClientRequestToken must be 32-64 characters long."
|
|
|
|
|
)
|
