diff --git a/moto/server.py b/moto/server.py index 88ae89768..7fdc5671a 100644 --- a/moto/server.py +++ b/moto/server.py @@ -31,7 +31,10 @@ UNSIGNED_REQUESTS = { "AWSCognitoIdentityService": ("cognito-identity", "us-east-1"), "AWSCognitoIdentityProviderService": ("cognito-idp", "us-east-1"), } -UNSIGNED_ACTIONS = {"AssumeRoleWithSAML": ("sts", "us-east-1")} +UNSIGNED_ACTIONS = { + "AssumeRoleWithSAML": ("sts", "us-east-1"), + "AssumeRoleWithWebIdentity": ("sts", "us-east-1"), +} # Some services have v4 signing names that differ from the backend service name/id. SIGNING_ALIASES = { diff --git a/tests/test_sts/test_sts.py b/tests/test_sts/test_sts.py index 3fa656a01..f8aedebf2 100644 --- a/tests/test_sts/test_sts.py +++ b/tests/test_sts/test_sts.py @@ -5,6 +5,7 @@ import json import boto import boto3 from botocore.client import ClientError +from datetime import datetime from freezegun import freeze_time import pytest import sure # noqa @@ -14,6 +15,7 @@ from moto.core import ACCOUNT_ID from moto.sts.responses import MAX_FEDERATION_TOKEN_POLICY_LENGTH +# Has boto3 equivalent @freeze_time("2012-01-01 12:00:00") @mock_sts_deprecated def test_get_session_token(): @@ -28,6 +30,25 @@ def test_get_session_token(): token.secret_key.should.equal("wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY") +@freeze_time("2012-01-01 12:00:00") +@mock_sts +def test_get_session_token_boto3(): + client = boto3.client("sts", region_name="us-east-1") + creds = client.get_session_token(DurationSeconds=903)["Credentials"] + + creds["Expiration"].should.be.a(datetime) + + if not settings.TEST_SERVER_MODE: + fdate = creds["Expiration"].strftime("%Y-%m-%dT%H:%M:%S.000Z") + fdate.should.equal("2012-01-01T12:15:03.000Z") + creds["SessionToken"].should.equal( + "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE" + ) + creds["AccessKeyId"].should.equal("AKIAIOSFODNN7EXAMPLE") + creds["SecretAccessKey"].should.equal("wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY") + + +# Has boto3 equivalent @freeze_time("2012-01-01 12:00:00") @mock_sts_deprecated def test_get_federation_token(): @@ -51,6 +72,34 @@ def test_get_federation_token(): token.federated_user_id.should.equal(str(ACCOUNT_ID) + ":" + token_name) +@freeze_time("2012-01-01 12:00:00") +@mock_sts +def test_get_federation_token_boto3(): + client = boto3.client("sts", region_name="us-east-1") + token_name = "Bob" + fed_token = client.get_federation_token(DurationSeconds=903, Name=token_name) + creds = fed_token["Credentials"] + fed_user = fed_token["FederatedUser"] + + creds["Expiration"].should.be.a(datetime) + + if not settings.TEST_SERVER_MODE: + fdate = creds["Expiration"].strftime("%Y-%m-%dT%H:%M:%S.000Z") + fdate.should.equal("2012-01-01T12:15:03.000Z") + creds["SessionToken"].should.equal( + "AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==" + ) + creds["AccessKeyId"].should.equal("AKIAIOSFODNN7EXAMPLE") + creds["SecretAccessKey"].should.equal("wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY") + + fed_user["Arn"].should.equal( + "arn:aws:sts::{account_id}:federated-user/{token_name}".format( + account_id=ACCOUNT_ID, token_name=token_name + ) + ) + fed_user["FederatedUserId"].should.equal("{}:{}".format(ACCOUNT_ID, token_name)) + + @freeze_time("2012-01-01 12:00:00") @mock_sts def test_assume_role(): @@ -603,6 +652,7 @@ def test_assume_role_with_saml_should_default_session_duration_to_3600_seconds_w credentials["Expiration"].isoformat().should.equal("2012-01-01T13:00:00+00:00") +# Has boto3 equivalent @freeze_time("2012-01-01 12:00:00") @mock_sts_deprecated def test_assume_role_with_web_identity(): @@ -645,6 +695,59 @@ def test_assume_role_with_web_identity(): role.user.assume_role_id.should.contain("session-name") +@freeze_time("2012-01-01 12:00:00") +@mock_sts +def test_assume_role_with_web_identity_boto3(): + client = boto3.client("sts", region_name="us-east-1") + + policy = json.dumps( + { + "Statement": [ + { + "Sid": "Stmt13690092345534", + "Action": ["S3:ListBucket"], + "Effect": "Allow", + "Resource": ["arn:aws:s3:::foobar-tester"], + } + ] + } + ) + role_name = "test-role" + s3_role = "arn:aws:iam::{account_id}:role/{role_name}".format( + account_id=ACCOUNT_ID, role_name=role_name + ) + session_name = "session-name" + role = client.assume_role_with_web_identity( + RoleArn=s3_role, + RoleSessionName=session_name, + WebIdentityToken="????", + Policy=policy, + DurationSeconds=903, + ) + + creds = role["Credentials"] + user = role["AssumedRoleUser"] + + creds["Expiration"].should.be.a(datetime) + + if not settings.TEST_SERVER_MODE: + fdate = creds["Expiration"].strftime("%Y-%m-%dT%H:%M:%S.000Z") + fdate.should.equal("2012-01-01T12:15:03.000Z") + + creds["SessionToken"].should.have.length_of(356) + creds["SessionToken"].should.match("^FQoGZXIvYXdzE") + creds["AccessKeyId"].should.have.length_of(20) + creds["AccessKeyId"].should.match("^ASIA") + creds["SecretAccessKey"].should.have.length_of(40) + + user["Arn"].should.equal( + "arn:aws:sts::{account_id}:assumed-role/{role_name}/{session_name}".format( + account_id=ACCOUNT_ID, role_name=role_name, session_name=session_name + ) + ) + user["AssumedRoleId"].should.contain("session-name") + + @mock_sts def test_get_caller_identity_with_default_credentials(): identity = boto3.client("sts", region_name="us-east-1").get_caller_identity()