moto/moto/sts/models.py

from base64 import b64decode
import datetime
import xmltodict
from moto.core import BaseBackend, BaseModel
from moto.core.utils import iso_8601_datetime_with_milliseconds, BackendDict
from moto.core import get_account_id
from moto.sts.utils import (
    random_access_key_id,
    random_secret_access_key,
    random_session_token,
    random_assumed_role_id,
    DEFAULT_STS_SESSION_DURATION,
)
from typing import Mapping


class Token(BaseModel):
    def __init__(self, duration, name=None):
        now = datetime.datetime.utcnow()
        self.expiration = now + datetime.timedelta(seconds=duration)
        self.name = name
        self.policy = None

    @property
    def expiration_ISO8601(self):
        return iso_8601_datetime_with_milliseconds(self.expiration)


class AssumedRole(BaseModel):
    def __init__(self, role_session_name, role_arn, policy, duration, external_id):
        self.session_name = role_session_name
        self.role_arn = role_arn
        self.policy = policy
        now = datetime.datetime.utcnow()
        self.expiration = now + datetime.timedelta(seconds=duration)
        self.external_id = external_id
        self.access_key_id = "ASIA" + random_access_key_id()
        self.secret_access_key = random_secret_access_key()
        self.session_token = random_session_token()
        self.assumed_role_id = "AROA" + random_assumed_role_id()

    @property
    def expiration_ISO8601(self):
        return iso_8601_datetime_with_milliseconds(self.expiration)

    @property
    def user_id(self):
        return self.assumed_role_id + ":" + self.session_name

    @property
    def arn(self):
        return (
            "arn:aws:sts::{account_id}:assumed-role/{role_name}/{session_name}".format(
                account_id=get_account_id(),
                role_name=self.role_arn.split("/")[-1],
                session_name=self.session_name,
            )
        )


class STSBackend(BaseBackend):
    def __init__(self, region_name, account_id):
        super().__init__(region_name, account_id)
        self.assumed_roles = []

    @staticmethod
    def default_vpc_endpoint_service(service_region, zones):
        """Default VPC endpoint service."""
        return BaseBackend.default_vpc_endpoint_service_factory(
            service_region, zones, "sts"
        )

    def get_session_token(self, duration):
        token = Token(duration=duration)
        return token

    def get_federation_token(self, name, duration):
        token = Token(duration=duration, name=name)
        return token

    def assume_role(self, **kwargs):
        role = AssumedRole(**kwargs)
        self.assumed_roles.append(role)
        return role

    def get_assumed_role_from_access_key(self, access_key_id):
        for assumed_role in self.assumed_roles:
            if assumed_role.access_key_id == access_key_id:
                return assumed_role
        return None

    def assume_role_with_web_identity(self, **kwargs):
        return self.assume_role(**kwargs)

    def assume_role_with_saml(self, **kwargs):
        del kwargs["principal_arn"]
        saml_assertion_encoded = kwargs.pop("saml_assertion")
        saml_assertion_decoded = b64decode(saml_assertion_encoded)

        namespaces = {
            "urn:oasis:names:tc:SAML:2.0:protocol": "samlp",
            "urn:oasis:names:tc:SAML:2.0:assertion": "saml",
        }
        saml_assertion = xmltodict.parse(
            saml_assertion_decoded.decode("utf-8"),
            force_cdata=True,
            process_namespaces=True,
            namespaces=namespaces,
            namespace_separator="|",
        )

        saml_assertion_attributes = saml_assertion["samlp|Response"]["saml|Assertion"][
            "saml|AttributeStatement"
        ]["saml|Attribute"]
        for attribute in saml_assertion_attributes:
            if (
                attribute["@Name"]
                == "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
            ):
                kwargs["role_session_name"] = attribute["saml|AttributeValue"]["#text"]
            if (
                attribute["@Name"]
                == "https://aws.amazon.com/SAML/Attributes/SessionDuration"
            ):
                kwargs["duration"] = int(attribute["saml|AttributeValue"]["#text"])

        if "duration" not in kwargs:
            kwargs["duration"] = DEFAULT_STS_SESSION_DURATION

        kwargs["external_id"] = None
        kwargs["policy"] = None
        role = AssumedRole(**kwargs)
        self.assumed_roles.append(role)
        return role

    def get_caller_identity(self):
        # Logic resides in responses.py
        # Fake method here to make implementation coverage script aware that this method is implemented
        pass


sts_backends: Mapping[str, STSBackend] = BackendDict(
    STSBackend, "sts", use_boto3_regions=False, additional_regions=["global"]
)
Add assume_role_with_saml to STSBackend. Add the assume_role_with_saml method to the STSBackend class. 2020-04-16 03:08:44 +00:00			`from base64 import b64decode`
core sts endpoints completed 2013-05-24 21:22:34 +00:00			`import datetime`
Add assume_role_with_saml to STSBackend. Add the assume_role_with_saml method to the STSBackend class. 2020-04-16 03:08:44 +00:00			`import xmltodict`
Add BaseModel to all models. 2017-03-12 04:41:12 +00:00			`from moto.core import BaseBackend, BaseModel`
Preparation for MultiAccount support (#5157) 2022-06-04 11:30:16 +00:00			`from moto.core.utils import iso_8601_datetime_with_milliseconds, BackendDict`
add indirection to access account id (#5098) 2022-05-08 22:25:40 +00:00			`from moto.core import get_account_id`
Run black on moto & test directories. 2019-10-31 15:44:26 +00:00			`from moto.sts.utils import (`
			`random_access_key_id,`
			`random_secret_access_key,`
			`random_session_token,`
			`random_assumed_role_id,`
Fix saml-assertion parsing in assume-role-with-saml (#3523) * Retrieve SAML Attribute by Name instead of relying on order which is too fragile * Handle case when SAML Attribute SessionDuration is not provided, as it is not a required attribute from SAML response When session duration not provided, AWS consider by default a duration of one hour as cited in the following documentation: "If this attribute is not present, then the credential last for one hour (the default value of the DurationSeconds parameter of the AssumeRoleWithSAML API)." https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-session-duration Traceback was: [...] File "/Users/benjamin.brabant/Projects/PERSO/moto/moto/sts/responses.py", line 79, in assume_role_with_saml role = sts_backend.assume_role_with_saml( File "/Users/benjamin.brabant/Projects/PERSO/moto/moto/sts/models.py", line 99, in assume_role_with_saml role = AssumedRole(*kwargs) TypeError: __init__() missing 1 required positional argument: 'duration' Process saml xml namespaces properly instead of relying on textual prefix that can vary between identity providers * Handle when SAML response AttributeValue xml tag contains attributes that force xmltodict to build a dictionary as for complex types instead of directly returning string value Leverage force_cdata option of xmltodict parser that always return a complex dictionary even if xml tag contains only text and no attributes. * Improve existing test_assume_role_with_saml to be coherent with other assume_role_with_saml tests and remove dead code at the same time 2020-12-08 09:08:40 +00:00			`DEFAULT_STS_SESSION_DURATION,`
Run black on moto & test directories. 2019-10-31 15:44:26 +00:00			`)`
Techdebt - Align models-responses integration for all services (#5207) 2022-06-09 17:40:22 +00:00			`from typing import Mapping`
core sts endpoints completed 2013-05-24 21:22:34 +00:00

Add BaseModel to all models. 2017-03-12 04:41:12 +00:00			`class Token(BaseModel):`
Pylint - Enable more rules on source and tests-directory (#4929) 2022-03-11 21:28:45 +00:00			`def __init__(self, duration, name=None):`
ALWAYS use utcnow(), never now() 2016-09-07 18:40:52 +00:00			`now = datetime.datetime.utcnow()`
core sts endpoints completed 2013-05-24 21:22:34 +00:00			`self.expiration = now + datetime.timedelta(seconds=duration)`
add support for sts get_federation_token 2014-03-20 16:29:39 +00:00			`self.name = name`
			`self.policy = None`
core sts endpoints completed 2013-05-24 21:22:34 +00:00
			`@property`
			`def expiration_ISO8601(self):`
Cleanup some incorrect date formats. 2014-11-30 04:34:40 +00:00			`return iso_8601_datetime_with_milliseconds(self.expiration)`
core sts endpoints completed 2013-05-24 21:22:34 +00:00

Add BaseModel to all models. 2017-03-12 04:41:12 +00:00			`class AssumedRole(BaseModel):`
core sts endpoints completed 2013-05-24 21:22:34 +00:00			`def __init__(self, role_session_name, role_arn, policy, duration, external_id):`
			`self.session_name = role_session_name`
Derive ARN of AssumedRoles from its role ARN and session name. 2019-08-21 10:57:45 +00:00			`self.role_arn = role_arn`
core sts endpoints completed 2013-05-24 21:22:34 +00:00			`self.policy = policy`
ALWAYS use utcnow(), never now() 2016-09-07 18:40:52 +00:00			`now = datetime.datetime.utcnow()`
core sts endpoints completed 2013-05-24 21:22:34 +00:00			`self.expiration = now + datetime.timedelta(seconds=duration)`
			`self.external_id = external_id`
AssumeRole returns randomly generated credentials. 2019-07-08 14:32:25 +00:00			`self.access_key_id = "ASIA" + random_access_key_id()`
			`self.secret_access_key = random_secret_access_key()`
			`self.session_token = random_session_token()`
Implemented returning random assumed role ID. 2019-08-21 08:45:36 +00:00			`self.assumed_role_id = "AROA" + random_assumed_role_id()`
core sts endpoints completed 2013-05-24 21:22:34 +00:00
			`@property`
			`def expiration_ISO8601(self):`
Cleanup some incorrect date formats. 2014-11-30 04:34:40 +00:00			`return iso_8601_datetime_with_milliseconds(self.expiration)`
core sts endpoints completed 2013-05-24 21:22:34 +00:00
Implemented get-caller-identity returning real data depending on the access key used. 2019-08-21 10:20:35 +00:00			`@property`
			`def user_id(self):`
			`return self.assumed_role_id + ":" + self.session_name`

Derive ARN of AssumedRoles from its role ARN and session name. 2019-08-21 10:57:45 +00:00			`@property`
			`def arn(self):`
Update Black + formatting (#4926) 2022-03-10 14:39:59 +00:00			`return (`
			`"arn:aws:sts::{account_id}:assumed-role/{role_name}/{session_name}".format(`
add indirection to access account id (#5098) 2022-05-08 22:25:40 +00:00			`account_id=get_account_id(),`
Update Black + formatting (#4926) 2022-03-10 14:39:59 +00:00			`role_name=self.role_arn.split("/")[-1],`
			`session_name=self.session_name,`
			`)`
Fixed AssumedRole ARN. 2019-08-21 17:47:12 +00:00			`)`
Derive ARN of AssumedRoles from its role ARN and session name. 2019-08-21 10:57:45 +00:00
core sts endpoints completed 2013-05-24 21:22:34 +00:00
			`class STSBackend(BaseBackend):`
Preparation for MultiAccount support (#5157) 2022-06-04 11:30:16 +00:00			`def __init__(self, region_name, account_id):`
			`super().__init__(region_name, account_id)`
Implemented finding credentials from already created IAM users and roles. 2019-07-08 17:57:14 +00:00			`self.assumed_roles = []`

Implement EC2 describe_vpc_endpoint_services() (#4322) 2021-09-24 16:01:09 +00:00			`@staticmethod`
			`def default_vpc_endpoint_service(service_region, zones):`
			`"""Default VPC endpoint service."""`
			`return BaseBackend.default_vpc_endpoint_service_factory(`
			`service_region, zones, "sts"`
			`)`

core sts endpoints completed 2013-05-24 21:22:34 +00:00			`def get_session_token(self, duration):`
			`token = Token(duration=duration)`
			`return token`

Pylint - Enable more rules on source and tests-directory (#4929) 2022-03-11 21:28:45 +00:00			`def get_federation_token(self, name, duration):`
			`token = Token(duration=duration, name=name)`
add support for sts get_federation_token 2014-03-20 16:29:39 +00:00			`return token`

core sts endpoints completed 2013-05-24 21:22:34 +00:00			`def assume_role(self, **kwargs):`
			`role = AssumedRole(**kwargs)`
Implemented finding credentials from already created IAM users and roles. 2019-07-08 17:57:14 +00:00			`self.assumed_roles.append(role)`
core sts endpoints completed 2013-05-24 21:22:34 +00:00			`return role`

Implemented get-caller-identity returning real data depending on the access key used. 2019-08-21 10:20:35 +00:00			`def get_assumed_role_from_access_key(self, access_key_id):`
			`for assumed_role in self.assumed_roles:`
			`if assumed_role.access_key_id == access_key_id:`
			`return assumed_role`
			`return None`

Implement assume_role_with_web_identity The AssumeRoleWithWebIdentity is a similar endpoint to STS's AssumeRole where the authentication element is a JWT id_token from a configured OP. This commit implements the functionality and relies on the same result generated for the regular AssumeRole. 2019-07-16 03:27:47 +00:00			`def assume_role_with_web_identity(self, **kwargs):`
			`return self.assume_role(**kwargs)`

Add assume_role_with_saml to STSBackend. Add the assume_role_with_saml method to the STSBackend class. 2020-04-16 03:08:44 +00:00			`def assume_role_with_saml(self, **kwargs):`
			`del kwargs["principal_arn"]`
			`saml_assertion_encoded = kwargs.pop("saml_assertion")`
			`saml_assertion_decoded = b64decode(saml_assertion_encoded)`
Fix saml-assertion parsing in assume-role-with-saml (#3523) * Retrieve SAML Attribute by Name instead of relying on order which is too fragile * Handle case when SAML Attribute SessionDuration is not provided, as it is not a required attribute from SAML response When session duration not provided, AWS consider by default a duration of one hour as cited in the following documentation: "If this attribute is not present, then the credential last for one hour (the default value of the DurationSeconds parameter of the AssumeRoleWithSAML API)." https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-session-duration Traceback was: [...] File "/Users/benjamin.brabant/Projects/PERSO/moto/moto/sts/responses.py", line 79, in assume_role_with_saml role = sts_backend.assume_role_with_saml( File "/Users/benjamin.brabant/Projects/PERSO/moto/moto/sts/models.py", line 99, in assume_role_with_saml role = AssumedRole(*kwargs) TypeError: __init__() missing 1 required positional argument: 'duration' Process saml xml namespaces properly instead of relying on textual prefix that can vary between identity providers * Handle when SAML response AttributeValue xml tag contains attributes that force xmltodict to build a dictionary as for complex types instead of directly returning string value Leverage force_cdata option of xmltodict parser that always return a complex dictionary even if xml tag contains only text and no attributes. * Improve existing test_assume_role_with_saml to be coherent with other assume_role_with_saml tests and remove dead code at the same time 2020-12-08 09:08:40 +00:00
			`namespaces = {`
			`"urn:oasis:names:tc:SAML:2.0:protocol": "samlp",`
			`"urn:oasis:names:tc:SAML:2.0:assertion": "saml",`
			`}`
			`saml_assertion = xmltodict.parse(`
			`saml_assertion_decoded.decode("utf-8"),`
			`force_cdata=True,`
			`process_namespaces=True,`
			`namespaces=namespaces,`
Admin - change XML2Dict namespace separator (#4905) 2022-03-03 11:51:00 +00:00			`namespace_separator="\|",`
Add assume_role_with_saml to STSBackend. Add the assume_role_with_saml method to the STSBackend class. 2020-04-16 03:08:44 +00:00			`)`
Fix saml-assertion parsing in assume-role-with-saml (#3523) * Retrieve SAML Attribute by Name instead of relying on order which is too fragile * Handle case when SAML Attribute SessionDuration is not provided, as it is not a required attribute from SAML response When session duration not provided, AWS consider by default a duration of one hour as cited in the following documentation: "If this attribute is not present, then the credential last for one hour (the default value of the DurationSeconds parameter of the AssumeRoleWithSAML API)." https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-session-duration Traceback was: [...] File "/Users/benjamin.brabant/Projects/PERSO/moto/moto/sts/responses.py", line 79, in assume_role_with_saml role = sts_backend.assume_role_with_saml( File "/Users/benjamin.brabant/Projects/PERSO/moto/moto/sts/models.py", line 99, in assume_role_with_saml role = AssumedRole(*kwargs) TypeError: __init__() missing 1 required positional argument: 'duration' Process saml xml namespaces properly instead of relying on textual prefix that can vary between identity providers * Handle when SAML response AttributeValue xml tag contains attributes that force xmltodict to build a dictionary as for complex types instead of directly returning string value Leverage force_cdata option of xmltodict parser that always return a complex dictionary even if xml tag contains only text and no attributes. * Improve existing test_assume_role_with_saml to be coherent with other assume_role_with_saml tests and remove dead code at the same time 2020-12-08 09:08:40 +00:00
Admin - change XML2Dict namespace separator (#4905) 2022-03-03 11:51:00 +00:00			`saml_assertion_attributes = saml_assertion["samlp\|Response"]["saml\|Assertion"][`
			`"saml\|AttributeStatement"`
			`]["saml\|Attribute"]`
Fix saml-assertion parsing in assume-role-with-saml (#3523) * Retrieve SAML Attribute by Name instead of relying on order which is too fragile * Handle case when SAML Attribute SessionDuration is not provided, as it is not a required attribute from SAML response When session duration not provided, AWS consider by default a duration of one hour as cited in the following documentation: "If this attribute is not present, then the credential last for one hour (the default value of the DurationSeconds parameter of the AssumeRoleWithSAML API)." https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-session-duration Traceback was: [...] File "/Users/benjamin.brabant/Projects/PERSO/moto/moto/sts/responses.py", line 79, in assume_role_with_saml role = sts_backend.assume_role_with_saml( File "/Users/benjamin.brabant/Projects/PERSO/moto/moto/sts/models.py", line 99, in assume_role_with_saml role = AssumedRole(*kwargs) TypeError: __init__() missing 1 required positional argument: 'duration' Process saml xml namespaces properly instead of relying on textual prefix that can vary between identity providers * Handle when SAML response AttributeValue xml tag contains attributes that force xmltodict to build a dictionary as for complex types instead of directly returning string value Leverage force_cdata option of xmltodict parser that always return a complex dictionary even if xml tag contains only text and no attributes. * Improve existing test_assume_role_with_saml to be coherent with other assume_role_with_saml tests and remove dead code at the same time 2020-12-08 09:08:40 +00:00			`for attribute in saml_assertion_attributes:`
			`if (`
			`attribute["@Name"]`
			`== "https://aws.amazon.com/SAML/Attributes/RoleSessionName"`
			`):`
Admin - change XML2Dict namespace separator (#4905) 2022-03-03 11:51:00 +00:00			`kwargs["role_session_name"] = attribute["saml\|AttributeValue"]["#text"]`
Fix saml-assertion parsing in assume-role-with-saml (#3523) * Retrieve SAML Attribute by Name instead of relying on order which is too fragile * Handle case when SAML Attribute SessionDuration is not provided, as it is not a required attribute from SAML response When session duration not provided, AWS consider by default a duration of one hour as cited in the following documentation: "If this attribute is not present, then the credential last for one hour (the default value of the DurationSeconds parameter of the AssumeRoleWithSAML API)." https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-session-duration Traceback was: [...] File "/Users/benjamin.brabant/Projects/PERSO/moto/moto/sts/responses.py", line 79, in assume_role_with_saml role = sts_backend.assume_role_with_saml( File "/Users/benjamin.brabant/Projects/PERSO/moto/moto/sts/models.py", line 99, in assume_role_with_saml role = AssumedRole(*kwargs) TypeError: __init__() missing 1 required positional argument: 'duration' Process saml xml namespaces properly instead of relying on textual prefix that can vary between identity providers * Handle when SAML response AttributeValue xml tag contains attributes that force xmltodict to build a dictionary as for complex types instead of directly returning string value Leverage force_cdata option of xmltodict parser that always return a complex dictionary even if xml tag contains only text and no attributes. * Improve existing test_assume_role_with_saml to be coherent with other assume_role_with_saml tests and remove dead code at the same time 2020-12-08 09:08:40 +00:00			`if (`
			`attribute["@Name"]`
			`== "https://aws.amazon.com/SAML/Attributes/SessionDuration"`
			`):`
Admin - change XML2Dict namespace separator (#4905) 2022-03-03 11:51:00 +00:00			`kwargs["duration"] = int(attribute["saml\|AttributeValue"]["#text"])`
Fix saml-assertion parsing in assume-role-with-saml (#3523) * Retrieve SAML Attribute by Name instead of relying on order which is too fragile * Handle case when SAML Attribute SessionDuration is not provided, as it is not a required attribute from SAML response When session duration not provided, AWS consider by default a duration of one hour as cited in the following documentation: "If this attribute is not present, then the credential last for one hour (the default value of the DurationSeconds parameter of the AssumeRoleWithSAML API)." https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html#saml_role-session-duration Traceback was: [...] File "/Users/benjamin.brabant/Projects/PERSO/moto/moto/sts/responses.py", line 79, in assume_role_with_saml role = sts_backend.assume_role_with_saml( File "/Users/benjamin.brabant/Projects/PERSO/moto/moto/sts/models.py", line 99, in assume_role_with_saml role = AssumedRole(*kwargs) TypeError: __init__() missing 1 required positional argument: 'duration' Process saml xml namespaces properly instead of relying on textual prefix that can vary between identity providers * Handle when SAML response AttributeValue xml tag contains attributes that force xmltodict to build a dictionary as for complex types instead of directly returning string value Leverage force_cdata option of xmltodict parser that always return a complex dictionary even if xml tag contains only text and no attributes. * Improve existing test_assume_role_with_saml to be coherent with other assume_role_with_saml tests and remove dead code at the same time 2020-12-08 09:08:40 +00:00
			`if "duration" not in kwargs:`
			`kwargs["duration"] = DEFAULT_STS_SESSION_DURATION`

Add assume_role_with_saml to STSBackend. Add the assume_role_with_saml method to the STSBackend class. 2020-04-16 03:08:44 +00:00			`kwargs["external_id"] = None`
			`kwargs["policy"] = None`
			`role = AssumedRole(**kwargs)`
			`self.assumed_roles.append(role)`
			`return role`

#3599 - Update Implementation Coverage script (#3621) 2021-01-27 18:54:21 +00:00			`def get_caller_identity(self):`
			`# Logic resides in responses.py`
			`# Fake method here to make implementation coverage script aware that this method is implemented`
			`pass`

Lints. 2017-02-24 02:37:43 +00:00
Techdebt - Align models-responses integration for all services (#5207) 2022-06-09 17:40:22 +00:00			`sts_backends: Mapping[str, STSBackend] = BackendDict(`
Preparation for MultiAccount support (#5157) 2022-06-04 11:30:16 +00:00			`STSBackend, "sts", use_boto3_regions=False, additional_regions=["global"]`
			`)`