Fix: Adding ClientRequestToken for SecretsManager update_secret method (#4314)

2021-09-21 18:43:31 +02:00 · 2021-09-21 18:43:31 +02:00 · c65d4ddc3b
commit c65d4ddc3b
parent 82158096d6
3 changed files with 51 additions and 9 deletions
--- a/moto/secretsmanager/models.py
+++ b/moto/secretsmanager/models.py
@ -189,6 +189,12 @@ class SecretsManagerBackend(BaseBackend):
        epoch = datetime.datetime.utcfromtimestamp(0)
        return (dt - epoch).total_seconds()

+    def _client_request_token_validator(self, client_request_token):
+        token_length = len(client_request_token)
+        if token_length < 32 or token_length > 64:
+            msg = "ClientRequestToken must be 32-64 characters long."
+            raise InvalidParameterException(msg)
+
    def get_secret_value(self, secret_id, version_id, version_stage):
        if not self._is_valid_identifier(secret_id):
            raise SecretNotFoundException()
@ -251,6 +257,7 @@ class SecretsManagerBackend(BaseBackend):
        secret_id,
        secret_string=None,
        secret_binary=None,
+        client_request_token=None,
        kms_key_id=None,
        **kwargs
    ):
@ -274,6 +281,7 @@ class SecretsManagerBackend(BaseBackend):
            secret_string=secret_string,
            secret_binary=secret_binary,
            description=description,
+            version_id=client_request_token,
            tags=tags,
            kms_key_id=kms_key_id,
        )
@ -322,7 +330,9 @@ class SecretsManagerBackend(BaseBackend):
        if version_stages is None:
            version_stages = ["AWSCURRENT"]

-        if not version_id:
+        if version_id:
+            self._client_request_token_validator(version_id)
+        else:
            version_id = str(uuid.uuid4())

        secret_version = {
@ -416,12 +426,6 @@ class SecretsManagerBackend(BaseBackend):
                perform the operation on a secret that's currently marked deleted."
            )

-        if client_request_token:
-            token_length = len(client_request_token)
-            if token_length < 32 or token_length > 64:
-                msg = "ClientRequestToken " "must be 32-64 characters long."
-                raise InvalidParameterException(msg)
-
        if rotation_lambda_arn:
            if len(rotation_lambda_arn) > 2048:
                msg = "RotationLambdaARN " "must <= 2048 characters long."
@ -463,7 +467,12 @@ class SecretsManagerBackend(BaseBackend):
            pass

        old_secret_version = secret.versions[secret.default_version_id]
-        new_version_id = client_request_token or str(uuid.uuid4())
+
+        if client_request_token:
+            self._client_request_token_validator(client_request_token)
+            new_version_id = client_request_token
+        else:
+            new_version_id = str(uuid.uuid4())

        # We add the new secret version as "pending". The previous version remains
        # as "current" for now. Once we've passed the new secret through the lambda
--- a/moto/secretsmanager/responses.py
+++ b/moto/secretsmanager/responses.py
@ -60,11 +60,13 @@ class SecretsManagerResponse(BaseResponse):
        secret_id = self._get_param("SecretId")
        secret_string = self._get_param("SecretString")
        secret_binary = self._get_param("SecretBinary")
+        client_request_token = self._get_param("ClientRequestToken")
        kms_key_id = self._get_param("KmsKeyId", if_none=None)
        return secretsmanager_backends[self.region].update_secret(
            secret_id=secret_id,
            secret_string=secret_string,
            secret_binary=secret_binary,
+            client_request_token=client_request_token,
            kms_key_id=kms_key_id,
        )

--- a/tests/test_secretsmanager/test_secretsmanager.py
+++ b/tests/test_secretsmanager/test_secretsmanager.py
@ -5,10 +5,11 @@ import boto3

 from moto import mock_secretsmanager, mock_lambda, settings
 from moto.core import ACCOUNT_ID
-from botocore.exceptions import ClientError
+from botocore.exceptions import ClientError, ParamValidationError
 import string
 import pytz
 from datetime import datetime
+from uuid import uuid4
 import sure  # noqa
 import pytest

@ -1184,3 +1185,33 @@ def test_secret_versions_to_stages_attribute_discrepancy():
    assert list_vtos[previous_version_id] == ["AWSPREVIOUS"]

    assert describe_vtos == list_vtos
+
+
+@mock_secretsmanager
+def test_update_secret_with_client_request_token():
+    client = boto3.client("secretsmanager", region_name="us-west-2")
+    secret_name = "test-secret"
+    client_request_token = str(uuid4())
+
+    client.create_secret(Name=secret_name, SecretString="first-secret")
+    updated_secret = client.update_secret(
+        SecretId=secret_name,
+        SecretString="second-secret",
+        ClientRequestToken=client_request_token,
+    )
+    assert client_request_token == updated_secret["VersionId"]
+    updated_secret = client.update_secret(
+        SecretId=secret_name, SecretString="third-secret",
+    )
+    assert client_request_token != updated_secret["VersionId"]
+    invalid_request_token = "test-token"
+    with pytest.raises(ParamValidationError) as pve:
+        client.update_secret(
+            SecretId=secret_name,
+            SecretString="fourth-secret",
+            ClientRequestToken=invalid_request_token,
+        )
+        pve.value.response["Error"]["Code"].should.equal("InvalidParameterException")
+        pve.value.response["Error"]["Message"].should.equal(
+            "ClientRequestToken must be 32-64 characters long."
+        )