SecretsManager: Allow creation/update of secrets without values (#6720)
This commit is contained in:
parent
8ff53ff417
commit
3cf4f6315b
@ -61,12 +61,13 @@ class FakeSecret:
|
|||||||
account_id: str,
|
account_id: str,
|
||||||
region_name: str,
|
region_name: str,
|
||||||
secret_id: str,
|
secret_id: str,
|
||||||
|
secret_version: Dict[str, Any],
|
||||||
|
version_id: str,
|
||||||
secret_string: Optional[str] = None,
|
secret_string: Optional[str] = None,
|
||||||
secret_binary: Optional[str] = None,
|
secret_binary: Optional[str] = None,
|
||||||
description: Optional[str] = None,
|
description: Optional[str] = None,
|
||||||
tags: Optional[List[Dict[str, str]]] = None,
|
tags: Optional[List[Dict[str, str]]] = None,
|
||||||
kms_key_id: Optional[str] = None,
|
kms_key_id: Optional[str] = None,
|
||||||
version_id: Optional[str] = None,
|
|
||||||
version_stages: Optional[List[str]] = None,
|
version_stages: Optional[List[str]] = None,
|
||||||
last_changed_date: Optional[int] = None,
|
last_changed_date: Optional[int] = None,
|
||||||
created_date: Optional[int] = None,
|
created_date: Optional[int] = None,
|
||||||
@ -79,10 +80,11 @@ class FakeSecret:
|
|||||||
self.description = description
|
self.description = description
|
||||||
self.tags = tags or []
|
self.tags = tags or []
|
||||||
self.kms_key_id = kms_key_id
|
self.kms_key_id = kms_key_id
|
||||||
self.version_id = version_id
|
|
||||||
self.version_stages = version_stages
|
self.version_stages = version_stages
|
||||||
self.last_changed_date = last_changed_date
|
self.last_changed_date = last_changed_date
|
||||||
self.created_date = created_date
|
self.created_date = created_date
|
||||||
|
# We should only return Rotation details after it's been requested
|
||||||
|
self.rotation_requested = False
|
||||||
self.rotation_enabled = False
|
self.rotation_enabled = False
|
||||||
self.rotation_lambda_arn = ""
|
self.rotation_lambda_arn = ""
|
||||||
self.auto_rotate_after_days = 0
|
self.auto_rotate_after_days = 0
|
||||||
@ -91,6 +93,13 @@ class FakeSecret:
|
|||||||
self.next_rotation_date: Optional[int] = None
|
self.next_rotation_date: Optional[int] = None
|
||||||
self.last_rotation_date: Optional[int] = None
|
self.last_rotation_date: Optional[int] = None
|
||||||
|
|
||||||
|
self.versions: Dict[str, Dict[str, Any]] = {}
|
||||||
|
if secret_string or secret_binary:
|
||||||
|
self.versions = {version_id: secret_version}
|
||||||
|
self.set_default_version_id(version_id)
|
||||||
|
else:
|
||||||
|
self.set_default_version_id(None)
|
||||||
|
|
||||||
def update(
|
def update(
|
||||||
self,
|
self,
|
||||||
description: Optional[str] = None,
|
description: Optional[str] = None,
|
||||||
@ -106,10 +115,7 @@ class FakeSecret:
|
|||||||
if kms_key_id is not None:
|
if kms_key_id is not None:
|
||||||
self.kms_key_id = kms_key_id
|
self.kms_key_id = kms_key_id
|
||||||
|
|
||||||
def set_versions(self, versions: Dict[str, Dict[str, Any]]) -> None:
|
def set_default_version_id(self, version_id: Optional[str]) -> None:
|
||||||
self.versions = versions
|
|
||||||
|
|
||||||
def set_default_version_id(self, version_id: str) -> None:
|
|
||||||
self.default_version_id = version_id
|
self.default_version_id = version_id
|
||||||
|
|
||||||
def reset_default_version(
|
def reset_default_version(
|
||||||
@ -122,7 +128,7 @@ class FakeSecret:
|
|||||||
|
|
||||||
# set old AWSCURRENT secret to AWSPREVIOUS
|
# set old AWSCURRENT secret to AWSPREVIOUS
|
||||||
previous_current_version_id = self.default_version_id
|
previous_current_version_id = self.default_version_id
|
||||||
self.versions[previous_current_version_id]["version_stages"] = ["AWSPREVIOUS"]
|
self.versions[previous_current_version_id]["version_stages"] = ["AWSPREVIOUS"] # type: ignore
|
||||||
|
|
||||||
self.versions[version_id] = secret_version
|
self.versions[version_id] = secret_version
|
||||||
self.default_version_id = version_id
|
self.default_version_id = version_id
|
||||||
@ -145,40 +151,61 @@ class FakeSecret:
|
|||||||
return self.deleted_date is not None
|
return self.deleted_date is not None
|
||||||
|
|
||||||
def to_short_dict(
|
def to_short_dict(
|
||||||
self, include_version_stages: bool = False, version_id: Optional[str] = None
|
self,
|
||||||
|
include_version_stages: bool = False,
|
||||||
|
version_id: Optional[str] = None,
|
||||||
|
include_version_id: bool = True,
|
||||||
) -> str:
|
) -> str:
|
||||||
if not version_id:
|
if not version_id:
|
||||||
version_id = self.default_version_id
|
version_id = self.default_version_id
|
||||||
dct = {
|
dct = {
|
||||||
"ARN": self.arn,
|
"ARN": self.arn,
|
||||||
"Name": self.name,
|
"Name": self.name,
|
||||||
"VersionId": version_id,
|
|
||||||
}
|
}
|
||||||
if include_version_stages:
|
if include_version_id and version_id:
|
||||||
|
dct["VersionId"] = version_id
|
||||||
|
if version_id and include_version_stages:
|
||||||
dct["VersionStages"] = self.versions[version_id]["version_stages"]
|
dct["VersionStages"] = self.versions[version_id]["version_stages"]
|
||||||
return json.dumps(dct)
|
return json.dumps(dct)
|
||||||
|
|
||||||
def to_dict(self) -> Dict[str, Any]:
|
def to_dict(self) -> Dict[str, Any]:
|
||||||
version_id_to_stages = self._form_version_ids_to_stages()
|
version_id_to_stages = self._form_version_ids_to_stages()
|
||||||
|
|
||||||
return {
|
dct: Dict[str, Any] = {
|
||||||
"ARN": self.arn,
|
"ARN": self.arn,
|
||||||
"Name": self.name,
|
"Name": self.name,
|
||||||
"Description": self.description or "",
|
|
||||||
"KmsKeyId": self.kms_key_id,
|
"KmsKeyId": self.kms_key_id,
|
||||||
"RotationEnabled": self.rotation_enabled,
|
|
||||||
"RotationLambdaARN": self.rotation_lambda_arn,
|
|
||||||
"RotationRules": {"AutomaticallyAfterDays": self.auto_rotate_after_days},
|
|
||||||
"LastRotatedDate": self.last_rotation_date,
|
|
||||||
"LastChangedDate": self.last_changed_date,
|
"LastChangedDate": self.last_changed_date,
|
||||||
"LastAccessedDate": None,
|
"LastAccessedDate": None,
|
||||||
"NextRotationDate": self.next_rotation_date,
|
"NextRotationDate": self.next_rotation_date,
|
||||||
"DeletedDate": self.deleted_date,
|
"DeletedDate": self.deleted_date,
|
||||||
"Tags": self.tags,
|
|
||||||
"VersionIdsToStages": version_id_to_stages,
|
|
||||||
"SecretVersionsToStages": version_id_to_stages,
|
|
||||||
"CreatedDate": self.created_date,
|
"CreatedDate": self.created_date,
|
||||||
}
|
}
|
||||||
|
if self.tags:
|
||||||
|
dct["Tags"] = self.tags
|
||||||
|
if self.description:
|
||||||
|
dct["Description"] = self.description
|
||||||
|
if self.versions:
|
||||||
|
dct.update(
|
||||||
|
{
|
||||||
|
# Key used by describe_secret
|
||||||
|
"VersionIdsToStages": version_id_to_stages,
|
||||||
|
# Key used by list_secrets
|
||||||
|
"SecretVersionsToStages": version_id_to_stages,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
if self.rotation_requested:
|
||||||
|
dct.update(
|
||||||
|
{
|
||||||
|
"RotationEnabled": self.rotation_enabled,
|
||||||
|
"RotationLambdaARN": self.rotation_lambda_arn,
|
||||||
|
"RotationRules": {
|
||||||
|
"AutomaticallyAfterDays": self.auto_rotate_after_days
|
||||||
|
},
|
||||||
|
"LastRotatedDate": self.last_rotation_date,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
return dct
|
||||||
|
|
||||||
def _form_version_ids_to_stages(self) -> Dict[str, str]:
|
def _form_version_ids_to_stages(self) -> Dict[str, str]:
|
||||||
version_id_to_stages = {}
|
version_id_to_stages = {}
|
||||||
@ -296,6 +323,7 @@ class SecretsManagerBackend(BaseBackend):
|
|||||||
):
|
):
|
||||||
raise SecretStageVersionMismatchException()
|
raise SecretStageVersionMismatchException()
|
||||||
|
|
||||||
|
version_id_provided = version_id is not None
|
||||||
if not version_id and version_stage:
|
if not version_id and version_stage:
|
||||||
# set version_id to match version_stage
|
# set version_id to match version_stage
|
||||||
versions_dict = self.secrets[secret_id].versions
|
versions_dict = self.secrets[secret_id].versions
|
||||||
@ -314,13 +342,13 @@ class SecretsManagerBackend(BaseBackend):
|
|||||||
)
|
)
|
||||||
|
|
||||||
secret = self.secrets[secret_id]
|
secret = self.secrets[secret_id]
|
||||||
version_id = version_id or secret.default_version_id
|
version_id = version_id or secret.default_version_id or "AWSCURRENT"
|
||||||
|
|
||||||
secret_version = secret.versions.get(version_id)
|
secret_version = secret.versions.get(version_id)
|
||||||
if not secret_version:
|
if not secret_version:
|
||||||
|
_type = "staging label" if not version_id_provided else "VersionId"
|
||||||
raise ResourceNotFoundException(
|
raise ResourceNotFoundException(
|
||||||
"An error occurred (ResourceNotFoundException) when calling the GetSecretValue operation: Secrets "
|
f"Secrets Manager can't find the specified secret value for {_type}: {version_id}"
|
||||||
f"Manager can't find the specified secret value for VersionId: {version_id}"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
response_data = {
|
response_data = {
|
||||||
@ -369,7 +397,7 @@ class SecretsManagerBackend(BaseBackend):
|
|||||||
tags = secret.tags
|
tags = secret.tags
|
||||||
description = description or secret.description
|
description = description or secret.description
|
||||||
|
|
||||||
secret = self._add_secret(
|
secret, new_version = self._add_secret(
|
||||||
secret_id,
|
secret_id,
|
||||||
secret_string=secret_string,
|
secret_string=secret_string,
|
||||||
secret_binary=secret_binary,
|
secret_binary=secret_binary,
|
||||||
@ -379,7 +407,7 @@ class SecretsManagerBackend(BaseBackend):
|
|||||||
kms_key_id=kms_key_id,
|
kms_key_id=kms_key_id,
|
||||||
)
|
)
|
||||||
|
|
||||||
return secret.to_short_dict()
|
return secret.to_short_dict(include_version_id=new_version)
|
||||||
|
|
||||||
def create_secret(
|
def create_secret(
|
||||||
self,
|
self,
|
||||||
@ -398,7 +426,7 @@ class SecretsManagerBackend(BaseBackend):
|
|||||||
"A resource with the ID you requested already exists."
|
"A resource with the ID you requested already exists."
|
||||||
)
|
)
|
||||||
|
|
||||||
secret = self._add_secret(
|
secret, new_version = self._add_secret(
|
||||||
name,
|
name,
|
||||||
secret_string=secret_string,
|
secret_string=secret_string,
|
||||||
secret_binary=secret_binary,
|
secret_binary=secret_binary,
|
||||||
@ -408,7 +436,7 @@ class SecretsManagerBackend(BaseBackend):
|
|||||||
version_id=client_request_token,
|
version_id=client_request_token,
|
||||||
)
|
)
|
||||||
|
|
||||||
return secret.to_short_dict()
|
return secret.to_short_dict(include_version_id=new_version)
|
||||||
|
|
||||||
def _add_secret(
|
def _add_secret(
|
||||||
self,
|
self,
|
||||||
@ -420,7 +448,7 @@ class SecretsManagerBackend(BaseBackend):
|
|||||||
kms_key_id: Optional[str] = None,
|
kms_key_id: Optional[str] = None,
|
||||||
version_id: Optional[str] = None,
|
version_id: Optional[str] = None,
|
||||||
version_stages: Optional[List[str]] = None,
|
version_stages: Optional[List[str]] = None,
|
||||||
) -> FakeSecret:
|
) -> Tuple[FakeSecret, bool]:
|
||||||
|
|
||||||
if version_stages is None:
|
if version_stages is None:
|
||||||
version_stages = ["AWSCURRENT"]
|
version_stages = ["AWSCURRENT"]
|
||||||
@ -438,17 +466,20 @@ class SecretsManagerBackend(BaseBackend):
|
|||||||
if secret_binary is not None:
|
if secret_binary is not None:
|
||||||
secret_version["secret_binary"] = secret_binary
|
secret_version["secret_binary"] = secret_binary
|
||||||
|
|
||||||
|
new_version = secret_string is not None or secret_binary is not None
|
||||||
|
|
||||||
update_time = int(time.time())
|
update_time = int(time.time())
|
||||||
if secret_id in self.secrets:
|
if secret_id in self.secrets:
|
||||||
secret = self.secrets[secret_id]
|
secret = self.secrets[secret_id]
|
||||||
|
|
||||||
secret.update(description, tags, kms_key_id, last_changed_date=update_time)
|
secret.update(description, tags, kms_key_id, last_changed_date=update_time)
|
||||||
|
|
||||||
if "AWSCURRENT" in version_stages:
|
if new_version:
|
||||||
secret.reset_default_version(secret_version, version_id)
|
if "AWSCURRENT" in version_stages:
|
||||||
else:
|
secret.reset_default_version(secret_version, version_id)
|
||||||
secret.remove_version_stages_from_old_versions(version_stages)
|
else:
|
||||||
secret.versions[version_id] = secret_version
|
secret.remove_version_stages_from_old_versions(version_stages)
|
||||||
|
secret.versions[version_id] = secret_version
|
||||||
else:
|
else:
|
||||||
secret = FakeSecret(
|
secret = FakeSecret(
|
||||||
account_id=self.account_id,
|
account_id=self.account_id,
|
||||||
@ -461,12 +492,12 @@ class SecretsManagerBackend(BaseBackend):
|
|||||||
kms_key_id=kms_key_id,
|
kms_key_id=kms_key_id,
|
||||||
last_changed_date=update_time,
|
last_changed_date=update_time,
|
||||||
created_date=update_time,
|
created_date=update_time,
|
||||||
|
version_id=version_id,
|
||||||
|
secret_version=secret_version,
|
||||||
)
|
)
|
||||||
secret.set_versions({version_id: secret_version})
|
|
||||||
secret.set_default_version_id(version_id)
|
|
||||||
self.secrets[secret_id] = secret
|
self.secrets[secret_id] = secret
|
||||||
|
|
||||||
return secret
|
return secret, new_version
|
||||||
|
|
||||||
def put_secret_value(
|
def put_secret_value(
|
||||||
self,
|
self,
|
||||||
@ -486,7 +517,7 @@ class SecretsManagerBackend(BaseBackend):
|
|||||||
|
|
||||||
version_id = self._from_client_request_token(client_request_token)
|
version_id = self._from_client_request_token(client_request_token)
|
||||||
|
|
||||||
secret = self._add_secret(
|
secret, _ = self._add_secret(
|
||||||
secret_id,
|
secret_id,
|
||||||
secret_string,
|
secret_string,
|
||||||
secret_binary,
|
secret_binary,
|
||||||
@ -513,7 +544,6 @@ class SecretsManagerBackend(BaseBackend):
|
|||||||
rotation_lambda_arn: Optional[str] = None,
|
rotation_lambda_arn: Optional[str] = None,
|
||||||
rotation_rules: Optional[Dict[str, Any]] = None,
|
rotation_rules: Optional[Dict[str, Any]] = None,
|
||||||
) -> str:
|
) -> str:
|
||||||
|
|
||||||
rotation_days = "AutomaticallyAfterDays"
|
rotation_days = "AutomaticallyAfterDays"
|
||||||
|
|
||||||
if not self._is_valid_identifier(secret_id):
|
if not self._is_valid_identifier(secret_id):
|
||||||
@ -569,30 +599,33 @@ class SecretsManagerBackend(BaseBackend):
|
|||||||
# Pending is not present in any version
|
# Pending is not present in any version
|
||||||
pass
|
pass
|
||||||
|
|
||||||
old_secret_version = secret.versions[secret.default_version_id]
|
if secret.versions:
|
||||||
|
old_secret_version = secret.versions[secret.default_version_id] # type: ignore
|
||||||
|
|
||||||
if client_request_token:
|
if client_request_token:
|
||||||
self._client_request_token_validator(client_request_token)
|
self._client_request_token_validator(client_request_token)
|
||||||
new_version_id = client_request_token
|
new_version_id = client_request_token
|
||||||
else:
|
else:
|
||||||
new_version_id = str(mock_random.uuid4())
|
new_version_id = str(mock_random.uuid4())
|
||||||
|
|
||||||
# We add the new secret version as "pending". The previous version remains
|
# We add the new secret version as "pending". The previous version remains
|
||||||
# as "current" for now. Once we've passed the new secret through the lambda
|
# as "current" for now. Once we've passed the new secret through the lambda
|
||||||
# rotation function (if provided) we can then update the status to "current".
|
# rotation function (if provided) we can then update the status to "current".
|
||||||
old_secret_version_secret_string = (
|
old_secret_version_secret_string = (
|
||||||
old_secret_version["secret_string"]
|
old_secret_version["secret_string"]
|
||||||
if "secret_string" in old_secret_version
|
if "secret_string" in old_secret_version
|
||||||
else None
|
else None
|
||||||
)
|
)
|
||||||
self._add_secret(
|
self._add_secret(
|
||||||
secret_id,
|
secret_id,
|
||||||
old_secret_version_secret_string,
|
old_secret_version_secret_string,
|
||||||
description=secret.description,
|
description=secret.description,
|
||||||
tags=secret.tags,
|
tags=secret.tags,
|
||||||
version_id=new_version_id,
|
version_id=new_version_id,
|
||||||
version_stages=["AWSPENDING"],
|
version_stages=["AWSPENDING"],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
secret.rotation_requested = True
|
||||||
secret.rotation_lambda_arn = rotation_lambda_arn or ""
|
secret.rotation_lambda_arn = rotation_lambda_arn or ""
|
||||||
if rotation_rules:
|
if rotation_rules:
|
||||||
secret.auto_rotate_after_days = rotation_rules.get(rotation_days, 0)
|
secret.auto_rotate_after_days = rotation_rules.get(rotation_days, 0)
|
||||||
@ -628,11 +661,15 @@ class SecretsManagerBackend(BaseBackend):
|
|||||||
)
|
)
|
||||||
|
|
||||||
secret.set_default_version_id(new_version_id)
|
secret.set_default_version_id(new_version_id)
|
||||||
else:
|
elif secret.versions:
|
||||||
|
# AWS will always require a Lambda ARN
|
||||||
|
# without that, Moto can still apply the 'AWSCURRENT'-label
|
||||||
|
# This only makes sense if we have a version
|
||||||
secret.reset_default_version(
|
secret.reset_default_version(
|
||||||
secret.versions[new_version_id], new_version_id
|
secret.versions[new_version_id], new_version_id
|
||||||
)
|
)
|
||||||
secret.versions[new_version_id]["version_stages"] = ["AWSCURRENT"]
|
secret.versions[new_version_id]["version_stages"] = ["AWSCURRENT"]
|
||||||
|
|
||||||
self.secrets[secret_id].last_rotation_date = int(time.time())
|
self.secrets[secret_id].last_rotation_date = int(time.time())
|
||||||
return secret.to_short_dict()
|
return secret.to_short_dict()
|
||||||
|
|
||||||
@ -741,11 +778,8 @@ class SecretsManagerBackend(BaseBackend):
|
|||||||
if not force_delete_without_recovery:
|
if not force_delete_without_recovery:
|
||||||
raise SecretNotFoundException()
|
raise SecretNotFoundException()
|
||||||
else:
|
else:
|
||||||
unknown_secret = FakeSecret(
|
arn = secret_arn(self.account_id, self.region_name, secret_id=secret_id)
|
||||||
self.account_id, self.region_name, secret_id
|
name = secret_id
|
||||||
)
|
|
||||||
arn = unknown_secret.arn
|
|
||||||
name = unknown_secret.name
|
|
||||||
deletion_date = datetime.datetime.utcnow()
|
deletion_date = datetime.datetime.utcnow()
|
||||||
return arn, name, self._unix_time_secs(deletion_date)
|
return arn, name, self._unix_time_secs(deletion_date)
|
||||||
else:
|
else:
|
||||||
|
@ -14,7 +14,7 @@ import pytest
|
|||||||
from moto import mock_secretsmanager, mock_lambda, settings
|
from moto import mock_secretsmanager, mock_lambda, settings
|
||||||
from moto.core import DEFAULT_ACCOUNT_ID as ACCOUNT_ID
|
from moto.core import DEFAULT_ACCOUNT_ID as ACCOUNT_ID
|
||||||
|
|
||||||
DEFAULT_SECRET_NAME = "test-secret"
|
DEFAULT_SECRET_NAME = "test-secret7"
|
||||||
|
|
||||||
|
|
||||||
@mock_secretsmanager
|
@mock_secretsmanager
|
||||||
@ -124,10 +124,10 @@ def test_get_secret_value_that_is_marked_deleted():
|
|||||||
def test_get_secret_that_has_no_value():
|
def test_get_secret_that_has_no_value():
|
||||||
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
||||||
|
|
||||||
conn.create_secret(Name="java-util-test-password")
|
conn.create_secret(Name="secret-no-value")
|
||||||
|
|
||||||
with pytest.raises(ClientError) as cm:
|
with pytest.raises(ClientError) as cm:
|
||||||
conn.get_secret_value(SecretId="java-util-test-password")
|
conn.get_secret_value(SecretId="secret-no-value")
|
||||||
|
|
||||||
assert (
|
assert (
|
||||||
"Secrets Manager can't find the specified secret value for staging label: AWSCURRENT"
|
"Secrets Manager can't find the specified secret value for staging label: AWSCURRENT"
|
||||||
@ -139,7 +139,7 @@ def test_get_secret_that_has_no_value():
|
|||||||
def test_get_secret_version_that_does_not_exist():
|
def test_get_secret_version_that_does_not_exist():
|
||||||
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
||||||
|
|
||||||
result = conn.create_secret(Name="java-util-test-password")
|
result = conn.create_secret(Name="java-util-test-password", SecretString="v")
|
||||||
secret_arn = result["ARN"]
|
secret_arn = result["ARN"]
|
||||||
missing_version_id = "00000000-0000-0000-0000-000000000000"
|
missing_version_id = "00000000-0000-0000-0000-000000000000"
|
||||||
|
|
||||||
@ -147,8 +147,7 @@ def test_get_secret_version_that_does_not_exist():
|
|||||||
conn.get_secret_value(SecretId=secret_arn, VersionId=missing_version_id)
|
conn.get_secret_value(SecretId=secret_arn, VersionId=missing_version_id)
|
||||||
|
|
||||||
assert (
|
assert (
|
||||||
"An error occurred (ResourceNotFoundException) when calling the "
|
"Secrets Manager can't find the specified "
|
||||||
"GetSecretValue operation: Secrets Manager can't find the specified "
|
|
||||||
"secret value for VersionId: 00000000-0000-0000-0000-000000000000"
|
"secret value for VersionId: 00000000-0000-0000-0000-000000000000"
|
||||||
) == cm.value.response["Error"]["Message"]
|
) == cm.value.response["Error"]["Message"]
|
||||||
|
|
||||||
@ -251,6 +250,92 @@ def test_create_secret_with_tags_and_description():
|
|||||||
assert secret_details["Description"] == "desc"
|
assert secret_details["Description"] == "desc"
|
||||||
|
|
||||||
|
|
||||||
|
@mock_secretsmanager
|
||||||
|
def test_create_secret_without_value():
|
||||||
|
conn = boto3.client("secretsmanager", region_name="us-east-2")
|
||||||
|
secret_name = f"secret-{str(uuid4())[0:6]}"
|
||||||
|
|
||||||
|
create = conn.create_secret(Name=secret_name)
|
||||||
|
assert set(create.keys()) == {"ARN", "Name", "ResponseMetadata"}
|
||||||
|
|
||||||
|
describe = conn.describe_secret(SecretId=secret_name)
|
||||||
|
assert set(describe.keys()) == {
|
||||||
|
"ARN",
|
||||||
|
"Name",
|
||||||
|
"LastChangedDate",
|
||||||
|
"CreatedDate",
|
||||||
|
"ResponseMetadata",
|
||||||
|
}
|
||||||
|
|
||||||
|
with pytest.raises(ClientError) as exc:
|
||||||
|
conn.get_secret_value(SecretId=secret_name)
|
||||||
|
err = exc.value.response["Error"]
|
||||||
|
assert err["Code"] == "ResourceNotFoundException"
|
||||||
|
|
||||||
|
updated = conn.update_secret(
|
||||||
|
SecretId=secret_name,
|
||||||
|
Description="new desc",
|
||||||
|
)
|
||||||
|
assert set(updated.keys()) == {"ARN", "Name", "ResponseMetadata"}
|
||||||
|
|
||||||
|
describe = conn.describe_secret(SecretId=secret_name)
|
||||||
|
assert set(describe.keys()) == {
|
||||||
|
"ARN",
|
||||||
|
"Name",
|
||||||
|
"Description",
|
||||||
|
"LastChangedDate",
|
||||||
|
"CreatedDate",
|
||||||
|
"ResponseMetadata",
|
||||||
|
}
|
||||||
|
|
||||||
|
deleted = conn.delete_secret(SecretId=secret_name)
|
||||||
|
assert set(deleted.keys()) == {"ARN", "Name", "DeletionDate", "ResponseMetadata"}
|
||||||
|
|
||||||
|
|
||||||
|
@mock_secretsmanager
|
||||||
|
def test_update_secret_without_value():
|
||||||
|
conn = boto3.client("secretsmanager", region_name="us-east-2")
|
||||||
|
secret_name = f"secret-{str(uuid4())[0:6]}"
|
||||||
|
|
||||||
|
create = conn.create_secret(Name=secret_name, SecretString="foosecret")
|
||||||
|
assert set(create.keys()) == {"ARN", "Name", "VersionId", "ResponseMetadata"}
|
||||||
|
version_id = create["VersionId"]
|
||||||
|
|
||||||
|
describe1 = conn.describe_secret(SecretId=secret_name)
|
||||||
|
assert set(describe1.keys()) == {
|
||||||
|
"ARN",
|
||||||
|
"Name",
|
||||||
|
"LastChangedDate",
|
||||||
|
"VersionIdsToStages",
|
||||||
|
"CreatedDate",
|
||||||
|
"ResponseMetadata",
|
||||||
|
}
|
||||||
|
|
||||||
|
conn.get_secret_value(SecretId=secret_name)
|
||||||
|
|
||||||
|
updated = conn.update_secret(SecretId=secret_name, Description="desc")
|
||||||
|
assert set(updated.keys()) == {"ARN", "Name", "ResponseMetadata"}
|
||||||
|
|
||||||
|
describe2 = conn.describe_secret(SecretId=secret_name)
|
||||||
|
# AWS also includes 'LastAccessedDate'
|
||||||
|
assert set(describe2.keys()) == {
|
||||||
|
"ARN",
|
||||||
|
"Name",
|
||||||
|
"Description",
|
||||||
|
"LastChangedDate",
|
||||||
|
"VersionIdsToStages",
|
||||||
|
"CreatedDate",
|
||||||
|
"ResponseMetadata",
|
||||||
|
}
|
||||||
|
assert describe1["VersionIdsToStages"] == describe2["VersionIdsToStages"]
|
||||||
|
|
||||||
|
value = conn.get_secret_value(SecretId=secret_name)
|
||||||
|
assert value["SecretString"] == "foosecret"
|
||||||
|
assert value["VersionId"] == version_id
|
||||||
|
|
||||||
|
conn.delete_secret(SecretId=secret_name)
|
||||||
|
|
||||||
|
|
||||||
@mock_secretsmanager
|
@mock_secretsmanager
|
||||||
def test_delete_secret():
|
def test_delete_secret():
|
||||||
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
||||||
@ -302,7 +387,7 @@ def test_delete_secret_force():
|
|||||||
assert result["Name"] == "test-secret"
|
assert result["Name"] == "test-secret"
|
||||||
|
|
||||||
with pytest.raises(ClientError):
|
with pytest.raises(ClientError):
|
||||||
result = conn.get_secret_value(SecretId="test-secret")
|
conn.get_secret_value(SecretId="test-secret")
|
||||||
|
|
||||||
|
|
||||||
@mock_secretsmanager
|
@mock_secretsmanager
|
||||||
@ -331,7 +416,7 @@ def test_delete_secret_force_with_arn():
|
|||||||
assert result["Name"] == "test-secret"
|
assert result["Name"] == "test-secret"
|
||||||
|
|
||||||
with pytest.raises(ClientError):
|
with pytest.raises(ClientError):
|
||||||
result = conn.get_secret_value(SecretId="test-secret")
|
conn.get_secret_value(SecretId="test-secret")
|
||||||
|
|
||||||
|
|
||||||
@mock_secretsmanager
|
@mock_secretsmanager
|
||||||
@ -756,16 +841,17 @@ def test_rotate_secret():
|
|||||||
|
|
||||||
@mock_secretsmanager
|
@mock_secretsmanager
|
||||||
def test_rotate_secret_without_secretstring():
|
def test_rotate_secret_without_secretstring():
|
||||||
conn = boto3.client("secretsmanager", region_name="us-west-2")
|
# This test just verifies that Moto does not fail
|
||||||
|
conn = boto3.client("secretsmanager", region_name="us-east-2")
|
||||||
conn.create_secret(Name=DEFAULT_SECRET_NAME, Description="foodescription")
|
conn.create_secret(Name=DEFAULT_SECRET_NAME, Description="foodescription")
|
||||||
|
|
||||||
|
# AWS will always require a Lambda ARN to do the actual rotating
|
||||||
rotated_secret = conn.rotate_secret(SecretId=DEFAULT_SECRET_NAME)
|
rotated_secret = conn.rotate_secret(SecretId=DEFAULT_SECRET_NAME)
|
||||||
|
|
||||||
assert rotated_secret
|
|
||||||
assert rotated_secret["ARN"] == rotated_secret["ARN"]
|
|
||||||
assert rotated_secret["Name"] == DEFAULT_SECRET_NAME
|
assert rotated_secret["Name"] == DEFAULT_SECRET_NAME
|
||||||
assert rotated_secret["VersionId"] == rotated_secret["VersionId"]
|
|
||||||
|
|
||||||
|
# Without secret-value, and without actual rotating, we can't verify much
|
||||||
|
# Just that the secret exists/can be described
|
||||||
|
# We cannot verify any versions info (as that is not created without a secret-value)
|
||||||
describe_secret = conn.describe_secret(SecretId=DEFAULT_SECRET_NAME)
|
describe_secret = conn.describe_secret(SecretId=DEFAULT_SECRET_NAME)
|
||||||
assert describe_secret["Description"] == "foodescription"
|
assert describe_secret["Description"] == "foodescription"
|
||||||
|
|
||||||
@ -776,9 +862,7 @@ def test_rotate_secret_enable_rotation():
|
|||||||
conn.create_secret(Name=DEFAULT_SECRET_NAME, SecretString="foosecret")
|
conn.create_secret(Name=DEFAULT_SECRET_NAME, SecretString="foosecret")
|
||||||
|
|
||||||
initial_description = conn.describe_secret(SecretId=DEFAULT_SECRET_NAME)
|
initial_description = conn.describe_secret(SecretId=DEFAULT_SECRET_NAME)
|
||||||
assert initial_description
|
assert "RotationEnabled" not in initial_description
|
||||||
assert initial_description["RotationEnabled"] is False
|
|
||||||
assert initial_description["RotationRules"]["AutomaticallyAfterDays"] == 0
|
|
||||||
|
|
||||||
conn.rotate_secret(
|
conn.rotate_secret(
|
||||||
SecretId=DEFAULT_SECRET_NAME, RotationRules={"AutomaticallyAfterDays": 42}
|
SecretId=DEFAULT_SECRET_NAME, RotationRules={"AutomaticallyAfterDays": 42}
|
||||||
|
Loading…
Reference in New Issue
Block a user