Also throw exception if client tries to RotateSecret on a soft-deleted secret

2019-04-18 16:47:15 +01:00 · 2019-04-18 16:47:15 +01:00 · bd8aa341f2
commit bd8aa341f2
parent 749f4f63e6
2 changed files with 22 additions and 2 deletions
--- a/moto/secretsmanager/models.py
+++ b/moto/secretsmanager/models.py
@ -49,7 +49,7 @@ class SecretsManagerBackend(BaseBackend):

        if 'deleted_date' in self.secrets[secret_id]:
            raise InvalidRequestException(
-                "An error occurred (InvalidRequestException) when calling the DeleteSecret operation: You tried to \
+                "An error occurred (InvalidRequestException) when calling the GetSecretValue operation: You tried to \
                perform the operation on a secret that's currently marked deleted."
            )

@ -127,6 +127,12 @@ class SecretsManagerBackend(BaseBackend):
        if not self._is_valid_identifier(secret_id):
            raise ResourceNotFoundException

+        if 'deleted_date' in self.secrets[secret_id]:
+            raise InvalidRequestException(
+                "An error occurred (InvalidRequestException) when calling the RotateSecret operation: You tried to \
+                perform the operation on a secret that's currently marked deleted."
+            )
+
        if client_request_token:
            token_length = len(client_request_token)
            if token_length < 32 or token_length > 64:
--- a/tests/test_secretsmanager/test_secretsmanager.py
+++ b/tests/test_secretsmanager/test_secretsmanager.py
@ -43,7 +43,7 @@ def test_get_secret_value_that_is_marked_deleted():
    conn.create_secret(Name='test-secret',
                       SecretString='foosecret')

-    deleted_secret = conn.delete_secret(SecretId='test-secret')
+    conn.delete_secret(SecretId='test-secret')

    with assert_raises(ClientError):
        result = conn.get_secret_value(SecretId='test-secret')
@ -380,6 +380,20 @@ def test_rotate_secret_enable_rotation():
    assert rotated_description['RotationEnabled'] is True
    assert rotated_description['RotationRules']['AutomaticallyAfterDays'] == 42

+
+@mock_secretsmanager
+def test_rotate_secret_that_is_marked_deleted():
+    conn = boto3.client('secretsmanager', region_name='us-west-2')
+
+    conn.create_secret(Name='test-secret',
+                       SecretString='foosecret')
+
+    conn.delete_secret(SecretId='test-secret')
+
+    with assert_raises(ClientError):
+        result = conn.rotate_secret(SecretId='test-secret')
+
+
@mock_secretsmanager
 def test_rotate_secret_that_does_not_exist():
    conn = boto3.client('secretsmanager', 'us-west-2')