STS - duplicate boto tests (#4329)

moto/server.py

@@ -31,7 +31,10 @@ UNSIGNED_REQUESTS = {
     "AWSCognitoIdentityService": ("cognito-identity", "us-east-1"),
     "AWSCognitoIdentityProviderService": ("cognito-idp", "us-east-1"),
 }
-UNSIGNED_ACTIONS = {"AssumeRoleWithSAML": ("sts", "us-east-1")}
+UNSIGNED_ACTIONS = {
+    "AssumeRoleWithSAML": ("sts", "us-east-1"),
+    "AssumeRoleWithWebIdentity": ("sts", "us-east-1"),
+}
 
 # Some services have v4 signing names that differ from the backend service name/id.
 SIGNING_ALIASES = {

tests/test_sts/test_sts.py

@@ -5,6 +5,7 @@ import json
 import boto
 import boto3
 from botocore.client import ClientError
+from datetime import datetime
 from freezegun import freeze_time
 import pytest
 import sure  # noqa
@@ -14,6 +15,7 @@ from moto.core import ACCOUNT_ID
 from moto.sts.responses import MAX_FEDERATION_TOKEN_POLICY_LENGTH
 
 
+# Has boto3 equivalent
 @freeze_time("2012-01-01 12:00:00")
 @mock_sts_deprecated
 def test_get_session_token():
@@ -28,6 +30,25 @@ def test_get_session_token():
     token.secret_key.should.equal("wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY")
 
 
+@freeze_time("2012-01-01 12:00:00")
+@mock_sts
+def test_get_session_token_boto3():
+    client = boto3.client("sts", region_name="us-east-1")
+    creds = client.get_session_token(DurationSeconds=903)["Credentials"]
+
+    creds["Expiration"].should.be.a(datetime)
+
+    if not settings.TEST_SERVER_MODE:
+        fdate = creds["Expiration"].strftime("%Y-%m-%dT%H:%M:%S.000Z")
+        fdate.should.equal("2012-01-01T12:15:03.000Z")
+    creds["SessionToken"].should.equal(
+        "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE"
+    )
+    creds["AccessKeyId"].should.equal("AKIAIOSFODNN7EXAMPLE")
+    creds["SecretAccessKey"].should.equal("wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY")
+
+
+# Has boto3 equivalent
 @freeze_time("2012-01-01 12:00:00")
 @mock_sts_deprecated
 def test_get_federation_token():
@@ -51,6 +72,34 @@ def test_get_federation_token():
     token.federated_user_id.should.equal(str(ACCOUNT_ID) + ":" + token_name)
 
 
+@freeze_time("2012-01-01 12:00:00")
+@mock_sts
+def test_get_federation_token_boto3():
+    client = boto3.client("sts", region_name="us-east-1")
+    token_name = "Bob"
+    fed_token = client.get_federation_token(DurationSeconds=903, Name=token_name)
+    creds = fed_token["Credentials"]
+    fed_user = fed_token["FederatedUser"]
+
+    creds["Expiration"].should.be.a(datetime)
+
+    if not settings.TEST_SERVER_MODE:
+        fdate = creds["Expiration"].strftime("%Y-%m-%dT%H:%M:%S.000Z")
+        fdate.should.equal("2012-01-01T12:15:03.000Z")
+    creds["SessionToken"].should.equal(
+        "AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA=="
+    )
+    creds["AccessKeyId"].should.equal("AKIAIOSFODNN7EXAMPLE")
+    creds["SecretAccessKey"].should.equal("wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY")
+
+    fed_user["Arn"].should.equal(
+        "arn:aws:sts::{account_id}:federated-user/{token_name}".format(
+            account_id=ACCOUNT_ID, token_name=token_name
+        )
+    )
+    fed_user["FederatedUserId"].should.equal("{}:{}".format(ACCOUNT_ID, token_name))
+
+
 @freeze_time("2012-01-01 12:00:00")
 @mock_sts
 def test_assume_role():
@@ -603,6 +652,7 @@ def test_assume_role_with_saml_should_default_session_duration_to_3600_seconds_w
         credentials["Expiration"].isoformat().should.equal("2012-01-01T13:00:00+00:00")
 
 
+# Has boto3 equivalent
 @freeze_time("2012-01-01 12:00:00")
 @mock_sts_deprecated
 def test_assume_role_with_web_identity():
@@ -645,6 +695,59 @@ def test_assume_role_with_web_identity():
     role.user.assume_role_id.should.contain("session-name")
 
 
+@freeze_time("2012-01-01 12:00:00")
+@mock_sts
+def test_assume_role_with_web_identity_boto3():
+    client = boto3.client("sts", region_name="us-east-1")
+
+    policy = json.dumps(
+        {
+            "Statement": [
+                {
+                    "Sid": "Stmt13690092345534",
+                    "Action": ["S3:ListBucket"],
+                    "Effect": "Allow",
+                    "Resource": ["arn:aws:s3:::foobar-tester"],
+                }
+            ]
+        }
+    )
+    role_name = "test-role"
+    s3_role = "arn:aws:iam::{account_id}:role/{role_name}".format(
+        account_id=ACCOUNT_ID, role_name=role_name
+    )
+    session_name = "session-name"
+    role = client.assume_role_with_web_identity(
+        RoleArn=s3_role,
+        RoleSessionName=session_name,
+        WebIdentityToken="????",
+        Policy=policy,
+        DurationSeconds=903,
+    )
+
+    creds = role["Credentials"]
+    user = role["AssumedRoleUser"]
+
+    creds["Expiration"].should.be.a(datetime)
+
+    if not settings.TEST_SERVER_MODE:
+        fdate = creds["Expiration"].strftime("%Y-%m-%dT%H:%M:%S.000Z")
+        fdate.should.equal("2012-01-01T12:15:03.000Z")
+
+    creds["SessionToken"].should.have.length_of(356)
+    creds["SessionToken"].should.match("^FQoGZXIvYXdzE")
+    creds["AccessKeyId"].should.have.length_of(20)
+    creds["AccessKeyId"].should.match("^ASIA")
+    creds["SecretAccessKey"].should.have.length_of(40)
+
+    user["Arn"].should.equal(
+        "arn:aws:sts::{account_id}:assumed-role/{role_name}/{session_name}".format(
+            account_id=ACCOUNT_ID, role_name=role_name, session_name=session_name
+        )
+    )
+    user["AssumedRoleId"].should.contain("session-name")
+
+
 @mock_sts
 def test_get_caller_identity_with_default_credentials():
     identity = boto3.client("sts", region_name="us-east-1").get_caller_identity()