Nearly finished implementation and tests

2017-09-22 11:21:36 +01:00 · 2017-09-22 11:21:36 +01:00 · edbbbf6d20
commit edbbbf6d20
parent ea318edc94
3 changed files with 287 additions and 10 deletions
--- a/moto/acm/models.py
+++ b/moto/acm/models.py
@ -43,6 +43,11 @@ MqO5tzHpCvX2HzLc
 # so for now a cheap response is just give any old root CA
 def datetime_to_epoch(date):
    # As only Py3 has datetime.timestamp()
    return int((date - datetime.datetime(1970, 1, 1)).total_seconds())
 class AWSError(Exception):
    TYPE = None
    STATUS = 400
@ -64,7 +69,8 @@ class AWSResourceNotFoundException(AWSError):
 class CertBundle(BaseModel):
-    def __init__(self, certificate, private_key, chain=None, region='us-east-1', arn=None):
+    def __init__(self, certificate, private_key, chain=None, region='us-east-1', arn=None, cert_type='IMPORTED'):
        self.created_at = datetime.datetime.now()
        self.cert = certificate
        self._cert = None
        self.common_name = None
@ -73,6 +79,7 @@ class CertBundle(BaseModel):
        self.chain = chain
        self.tags = {}
        self._chain = None
        self.type = cert_type  # Should really be an enum
        # AWS always returns your chain + root CA
        if self.chain is None:
@ -132,10 +139,13 @@ class CertBundle(BaseModel):
            self._chain = []
            for cert_armored in self.chain.split(b'-\n-'):
                # Would leave encoded but Py2 does not have raw binary strings
                cert_armored = cert_armored.decode()
                # Fix missing -'s on split
-                cert_armored = re.sub(rb'^----B', b'-----B', cert_armored)
+                cert_armored = re.sub(r'^----B', '-----B', cert_armored)
-                cert_armored = re.sub(rb'E----$', b'E-----', cert_armored)
+                cert_armored = re.sub(r'E----$', 'E-----', cert_armored)
-                cert = cryptography.x509.load_pem_x509_certificate(cert_armored, default_backend())
+                cert = cryptography.x509.load_pem_x509_certificate(cert_armored.encode(), default_backend())
                self._chain.append(cert)
                now = datetime.datetime.now()
@ -150,6 +160,42 @@ class CertBundle(BaseModel):
                raise
            raise AWSValidationException('The certificate is not PEM-encoded or is not valid.')
    def describe(self):
        #'RenewalSummary': {},  # Only when cert is amazon issued
        if self._key.key_size == 1024:
            key_algo = 'RSA_1024'
        elif self._key.key_size == 2048:
            key_algo = 'RSA_2048'
        else:
            key_algo = 'EC_prime256v1'
        result = {
            'Certificate': {
                'CertificateArn': self.arn,
                'DomainName': self.common_name,
                'InUseBy': [],
                'Issuer': self._cert.issuer.get_attributes_for_oid(cryptography.x509.OID_COMMON_NAME)[0].value,
                'KeyAlgorithm': key_algo,
                'NotAfter': datetime_to_epoch(self._cert.not_valid_after),
                'NotBefore': datetime_to_epoch(self._cert.not_valid_before),
                'Serial': self._cert.serial,
                'SignatureAlgorithm': self._cert.signature_algorithm_oid._name.upper().replace('ENCRYPTION', ''),
                'Status': 'ISSUED',  # One of PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED, FAILED.
                'Subject': 'CN={0}'.format(self.common_name),
                'SubjectAlternativeNames': [],
                'Type': self.type  # One of IMPORTED, AMAZON_ISSUED
            }
        }
        if self.type == 'IMPORTED':
            result['Certificate']['ImportedAt'] = datetime_to_epoch(self.created_at)
        else:
            result['Certificate']['CreatedAt'] = datetime_to_epoch(self.created_at)
            result['Certificate']['IssuedAt'] = datetime_to_epoch(self.created_at)
        return result
    def __str__(self):
        return self.arn
--- a/moto/acm/responses.py
+++ b/moto/acm/responses.py
@ -30,7 +30,7 @@ class AWSCertificateManagerResponse(BaseResponse):
    def add_tags_to_certificate(self):
        arn = self._get_param('CertificateArn')
-        tags = self._get_list_prefix('Tags')
+        tags = self._get_param('Tags')
        if arn is None:
            msg = 'A required parameter for the specified action is not supplied.'
@ -58,7 +58,18 @@ class AWSCertificateManagerResponse(BaseResponse):
        return ''
    def describe_certificate(self):
-        raise NotImplementedError()
+        arn = self._get_param('CertificateArn')
        if arn is None:
            msg = 'A required parameter for the specified action is not supplied.'
            return {'__type': 'MissingParameter', 'message': msg}, dict(status=400)
        try:
            cert_bundle = self.acm_backend.get_certificate(arn)
        except AWSError as err:
            return err.response()
        return json.dumps(cert_bundle.describe())
    def get_certificate(self):
        arn = self._get_param('CertificateArn')
@ -79,7 +90,18 @@ class AWSCertificateManagerResponse(BaseResponse):
        return json.dumps(result)
    def import_certificate(self):
-        # TODO comment on what raises exceptions for all branches
+        """
        Returns errors on:
        Certificate, PrivateKey or Chain not being properly formatted
        Arn not existing if its provided
        PrivateKey size > 2048
        Certificate expired or is not yet in effect
        Does not return errors on:
        Checking Certificate is legit, or a selfsigned chain is provided
        :return: str(JSON) for response
        """
        certificate = self._get_param('Certificate')
        private_key = self._get_param('PrivateKey')
        chain = self._get_param('CertificateChain')  # Optional
@ -134,7 +156,7 @@ class AWSCertificateManagerResponse(BaseResponse):
        result = {'Tags': []}
        # Tag "objects" can not contain the Value part
-        for key, value in cert_bundle.tags:
+        for key, value in cert_bundle.tags.items():
            tag_dict = {'Key': key}
            if value is not None:
                tag_dict['Value'] = value
@ -144,7 +166,7 @@ class AWSCertificateManagerResponse(BaseResponse):
    def remove_tags_from_certificate(self):
        arn = self._get_param('CertificateArn')
-        tags = self._get_list_prefix('Tags')
+        tags = self._get_param('Tags')
        if arn is None:
            msg = 'A required parameter for the specified action is not supplied.'
--- a/tests/test_acm/test_acm.py
+++ b/tests/test_acm/test_acm.py
@ -14,10 +14,22 @@ _GET_RESOURCE = lambda x: open(os.path.join(RESOURCE_FOLDER, x), 'rb').read()
 CA_CRT = _GET_RESOURCE('ca.pem')
 CA_KEY = _GET_RESOURCE('ca.key')
 SERVER_CRT = _GET_RESOURCE('star_moto_com.pem')
 SERVER_COMMON_NAME = '*.moto.com'
 SERVER_CRT_BAD = _GET_RESOURCE('star_moto_com-bad.pem')
 SERVER_KEY = _GET_RESOURCE('star_moto_com.key')
 BAD_ARN = 'arn:aws:acm:us-east-2:123456789012:certificate/_0000000-0000-0000-0000-000000000000'
 def _import_cert(client):
    response = client.import_certificate(
        Certificate=SERVER_CRT,
        PrivateKey=SERVER_KEY,
        CertificateChain=CA_CRT
    )
    return response['CertificateArn']
 # Also tests GetCertificate
@mock_acm
 def test_import_certificate():
    client = boto3.client('acm', region_name='eu-central-1')
@ -29,4 +41,201 @@ def test_import_certificate():
    )
    resp = client.get_certificate(CertificateArn=resp['CertificateArn'])
-    print(resp)
+    resp['Certificate'].should.equal(SERVER_CRT.decode())
    resp.should.contain('CertificateChain')
@mock_acm
 def test_import_bad_certificate():
    client = boto3.client('acm', region_name='eu-central-1')
    try:
        client.import_certificate(
            Certificate=SERVER_CRT_BAD,
            PrivateKey=SERVER_KEY,
        )
    except ClientError as err:
        err.response['Error']['Code'].should.equal('ValidationException')
    else:
        raise RuntimeError('Should of raised ValidationException')
@mock_acm
 def test_list_certificates():
    client = boto3.client('acm', region_name='eu-central-1')
    arn = _import_cert(client)
    resp = client.list_certificates()
    len(resp['CertificateSummaryList']).should.equal(1)
    resp['CertificateSummaryList'][0]['CertificateArn'].should.equal(arn)
    resp['CertificateSummaryList'][0]['DomainName'].should.equal(SERVER_COMMON_NAME)
@mock_acm
 def test_get_invalid_certificate():
    client = boto3.client('acm', region_name='eu-central-1')
    try:
        client.get_certificate(CertificateArn=BAD_ARN)
    except ClientError as err:
        err.response['Error']['Code'].should.equal('ResourceNotFoundException')
    else:
        raise RuntimeError('Should of raised ResourceNotFoundException')
 # Also tests deleting invalid certificate
@mock_acm
 def test_delete_certificate():
    client = boto3.client('acm', region_name='eu-central-1')
    arn = _import_cert(client)
    # If it does not raise an error and the next call does, all is fine
    client.delete_certificate(CertificateArn=arn)
    try:
        client.delete_certificate(CertificateArn=arn)
    except ClientError as err:
        err.response['Error']['Code'].should.equal('ResourceNotFoundException')
    else:
        raise RuntimeError('Should of raised ResourceNotFoundException')
@mock_acm
 def test_describe_certificate():
    client = boto3.client('acm', region_name='eu-central-1')
    arn = _import_cert(client)
    resp = client.describe_certificate(CertificateArn=arn)
    resp['Certificate']['CertificateArn'].should.equal(arn)
    resp['Certificate']['DomainName'].should.equal(SERVER_COMMON_NAME)
    resp['Certificate']['Issuer'].should.equal('Moto')
    resp['Certificate']['KeyAlgorithm'].should.equal('RSA_2048')
    resp['Certificate']['Status'].should.equal('ISSUED')
    resp['Certificate']['Type'].should.equal('IMPORTED')
@mock_acm
 def test_describe_certificate():
    client = boto3.client('acm', region_name='eu-central-1')
    try:
        client.describe_certificate(CertificateArn=BAD_ARN)
    except ClientError as err:
        err.response['Error']['Code'].should.equal('ResourceNotFoundException')
    else:
        raise RuntimeError('Should of raised ResourceNotFoundException')
 # Also tests ListTagsForCertificate
@mock_acm
 def test_add_tags_to_certificate():
    client = boto3.client('acm', region_name='eu-central-1')
    arn = _import_cert(client)
    client.add_tags_to_certificate(
        CertificateArn=arn,
        Tags=[
            {'Key': 'key1', 'Value': 'value1'},
            {'Key': 'key2'},
        ]
    )
    resp = client.list_tags_for_certificate(CertificateArn=arn)
    tags = {item['Key']: item.get('Value', '__NONE__') for item in resp['Tags']}
    tags.should.contain('key1')
    tags.should.contain('key2')
    tags['key1'].should.equal('value1')
    # This way, it ensures that we can detect if None is passed back when it shouldnt,
    # as we store keys without values with a value of None, but it shouldnt be passed back
    tags['key2'].should.equal('__NONE__')
@mock_acm
 def test_add_tags_to_invalid_certificate():
    client = boto3.client('acm', region_name='eu-central-1')
    try:
        client.add_tags_to_certificate(
            CertificateArn=BAD_ARN,
            Tags=[
                {'Key': 'key1', 'Value': 'value1'},
                {'Key': 'key2'},
            ]
        )
    except ClientError as err:
        err.response['Error']['Code'].should.equal('ResourceNotFoundException')
    else:
        raise RuntimeError('Should of raised ResourceNotFoundException')
@mock_acm
 def test_list_tags_for_invalid_certificate():
    client = boto3.client('acm', region_name='eu-central-1')
    try:
        client.list_tags_for_certificate(CertificateArn=BAD_ARN)
    except ClientError as err:
        err.response['Error']['Code'].should.equal('ResourceNotFoundException')
    else:
        raise RuntimeError('Should of raised ResourceNotFoundException')
@mock_acm
 def test_remove_tags_from_certificate():
    client = boto3.client('acm', region_name='eu-central-1')
    arn = _import_cert(client)
    client.add_tags_to_certificate(
        CertificateArn=arn,
        Tags=[
            {'Key': 'key1', 'Value': 'value1'},
            {'Key': 'key2'},
            {'Key': 'key3', 'Value': 'value3'},
            {'Key': 'key4', 'Value': 'value4'},
        ]
    )
    client.remove_tags_from_certificate(
        CertificateArn=arn,
        Tags=[
            {'Key': 'key1', 'Value': 'value2'},  # Should not remove as doesnt match
            {'Key': 'key2'},  # Single key removal
            {'Key': 'key3', 'Value': 'value3'},  # Exact match removal
            {'Key': 'key4'}  # Partial match removal
        ]
    )
    resp = client.list_tags_for_certificate(CertificateArn=arn)
    tags = {item['Key']: item.get('Value', '__NONE__') for item in resp['Tags']}
    for key in ('key2', 'key3', 'key4'):
        tags.should_not.contain(key)
    tags.should.contain('key1')
@mock_acm
 def test_remove_tags_from_invalid_certificate():
    client = boto3.client('acm', region_name='eu-central-1')
    try:
        client.remove_tags_from_certificate(
            CertificateArn=BAD_ARN,
            Tags=[
                {'Key': 'key1', 'Value': 'value1'},
                {'Key': 'key2'},
            ]
        )
    except ClientError as err:
        err.response['Error']['Code'].should.equal('ResourceNotFoundException')
    else:
        raise RuntimeError('Should of raised ResourceNotFoundException')