Blame - tests/detect_aws_credentials_test.py - pre-commit-hooks

blob: 4f00744e25aab367521efcfe3a708d26e8ca60ff [file] [log] [blame]

Anthony Sottile	a7f7343	2020-02-29 20:34:45 -0800	[diff] [blame^]	1	from unittest.mock import patch
				2
Ara Hayrabedian	02e8bdc	2015-06-12 19:20:56 +0400	[diff] [blame]	3	import pytest
				4
Anthony Sottile	4575652	2019-02-11 19:56:15 -0800	[diff] [blame]	5	from pre_commit_hooks.detect_aws_credentials import get_aws_cred_files_from_env
Daniel Roschka	b0d4cdb	2016-12-30 08:41:24 +0100	[diff] [blame]	6	from pre_commit_hooks.detect_aws_credentials import get_aws_secrets_from_env
				7	from pre_commit_hooks.detect_aws_credentials import get_aws_secrets_from_file
Ara Hayrabedian	02e8bdc	2015-06-12 19:20:56 +0400	[diff] [blame]	8	from pre_commit_hooks.detect_aws_credentials import main
				9	from testing.util import get_resource_path
				10
				11
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	12	@pytest.mark.parametrize(
				13	('env_vars', 'values'),
				14	(
				15	({}, set()),
				16	({'AWS_DUMMY_KEY': '/foo'}, set()),
				17	({'AWS_CONFIG_FILE': '/foo'}, {'/foo'}),
				18	({'AWS_CREDENTIAL_FILE': '/foo'}, {'/foo'}),
				19	({'AWS_SHARED_CREDENTIALS_FILE': '/foo'}, {'/foo'}),
				20	({'BOTO_CONFIG': '/foo'}, {'/foo'}),
				21	({'AWS_DUMMY_KEY': '/foo', 'AWS_CONFIG_FILE': '/bar'}, {'/bar'}),
				22	(
				23	{
				24	'AWS_DUMMY_KEY': '/foo', 'AWS_CONFIG_FILE': '/bar',
Anthony Sottile	2a902e0	2017-07-12 18:35:24 -0700	[diff] [blame]	25	'AWS_CREDENTIAL_FILE': '/baz',
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	26	},
Anthony Sottile	b281d87	2017-07-17 17:41:44 -0700	[diff] [blame]	27	{'/bar', '/baz'},
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	28	),
				29	(
				30	{
				31	'AWS_CONFIG_FILE': '/foo', 'AWS_CREDENTIAL_FILE': '/bar',
Anthony Sottile	2a902e0	2017-07-12 18:35:24 -0700	[diff] [blame]	32	'AWS_SHARED_CREDENTIALS_FILE': '/baz',
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	33	},
Anthony Sottile	b281d87	2017-07-17 17:41:44 -0700	[diff] [blame]	34	{'/foo', '/bar', '/baz'},
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	35	),
				36	),
				37	)
				38	def test_get_aws_credentials_file_from_env(env_vars, values):
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	39	with patch.dict('os.environ', env_vars, clear=True):
Anthony Sottile	4575652	2019-02-11 19:56:15 -0800	[diff] [blame]	40	assert get_aws_cred_files_from_env() == values
Daniel Roschka	b0d4cdb	2016-12-30 08:41:24 +0100	[diff] [blame]	41
				42
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	43	@pytest.mark.parametrize(
				44	('env_vars', 'values'),
				45	(
				46	({}, set()),
				47	({'AWS_DUMMY_KEY': 'foo'}, set()),
				48	({'AWS_SECRET_ACCESS_KEY': 'foo'}, {'foo'}),
				49	({'AWS_SECURITY_TOKEN': 'foo'}, {'foo'}),
				50	({'AWS_SESSION_TOKEN': 'foo'}, {'foo'}),
Alexander Demin	75d4832	2020-02-13 12:01:38 +0000	[diff] [blame]	51	({'AWS_SESSION_TOKEN': ''}, set()),
				52	({'AWS_SESSION_TOKEN': 'foo', 'AWS_SECURITY_TOKEN': ''}, {'foo'}),
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	53	({'AWS_DUMMY_KEY': 'foo', 'AWS_SECRET_ACCESS_KEY': 'bar'}, {'bar'}),
				54	(
				55	{'AWS_SECRET_ACCESS_KEY': 'foo', 'AWS_SECURITY_TOKEN': 'bar'},
Anthony Sottile	2a902e0	2017-07-12 18:35:24 -0700	[diff] [blame]	56	{'foo', 'bar'},
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	57	),
				58	),
				59	)
				60	def test_get_aws_secrets_from_env(env_vars, values):
Daniel Roschka	b0d4cdb	2016-12-30 08:41:24 +0100	[diff] [blame]	61	"""Test that reading secrets from environment variables works."""
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	62	with patch.dict('os.environ', env_vars, clear=True):
				63	assert get_aws_secrets_from_env() == values
Daniel Roschka	b0d4cdb	2016-12-30 08:41:24 +0100	[diff] [blame]	64
				65
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	66	@pytest.mark.parametrize(
				67	('filename', 'expected_keys'),
				68	(
				69	(
				70	'aws_config_with_secret.ini',
Anthony Sottile	2a902e0	2017-07-12 18:35:24 -0700	[diff] [blame]	71	{'z2rpgs5uit782eapz5l1z0y2lurtsyyk6hcfozlb'},
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	72	),
				73	('aws_config_with_session_token.ini', {'foo'}),
Anthony Sottile	e9aea74	2017-07-15 12:56:51 -0700	[diff] [blame]	74	(
				75	'aws_config_with_secret_and_session_token.ini',
				76	{'z2rpgs5uit782eapz5l1z0y2lurtsyyk6hcfozlb', 'foo'},
				77	),
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	78	(
				79	'aws_config_with_multiple_sections.ini',
				80	{
				81	'7xebzorgm5143ouge9gvepxb2z70bsb2rtrh099e',
				82	'z2rpgs5uit782eapz5l1z0y2lurtsyyk6hcfozlb',
				83	'ixswosj8gz3wuik405jl9k3vdajsnxfhnpui38ez',
Anthony Sottile	2a902e0	2017-07-12 18:35:24 -0700	[diff] [blame]	84	'foo',
				85	},
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	86	),
				87	('aws_config_without_secrets.ini', set()),
Pablo Vega	7c631b3	2018-01-26 15:19:01 -0800	[diff] [blame]	88	('aws_config_without_secrets_with_spaces.ini', set()),
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	89	('nonsense.txt', set()),
				90	('ok_json.json', set()),
				91	),
				92	)
Daniel Roschka	b0d4cdb	2016-12-30 08:41:24 +0100	[diff] [blame]	93	def test_get_aws_secrets_from_file(filename, expected_keys):
				94	"""Test that reading secrets from files works."""
				95	keys = get_aws_secrets_from_file(get_resource_path(filename))
				96	assert keys == expected_keys
				97
				98
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	99	@pytest.mark.parametrize(
				100	('filename', 'expected_retval'),
				101	(
				102	('aws_config_with_secret.ini', 1),
				103	('aws_config_with_session_token.ini', 1),
				104	('aws_config_with_multiple_sections.ini', 1),
				105	('aws_config_without_secrets.ini', 0),
Pablo Vega	7c631b3	2018-01-26 15:19:01 -0800	[diff] [blame]	106	('aws_config_without_secrets_with_spaces.ini', 0),
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	107	('nonsense.txt', 0),
				108	('ok_json.json', 0),
				109	),
Ara Hayrabedian	02e8bdc	2015-06-12 19:20:56 +0400	[diff] [blame]	110	)
Ara Hayrabedian	02e8bdc	2015-06-12 19:20:56 +0400	[diff] [blame]	111	def test_detect_aws_credentials(filename, expected_retval):
				112	# with a valid credentials file
Anthony Sottile	a99475a	2016-05-27 14:09:50 -0700	[diff] [blame]	113	ret = main((
				114	get_resource_path(filename),
Anthony Sottile	4575652	2019-02-11 19:56:15 -0800	[diff] [blame]	115	'--credentials-file',
				116	'testing/resources/aws_config_with_multiple_sections.ini',
Anthony Sottile	a99475a	2016-05-27 14:09:50 -0700	[diff] [blame]	117	))
Ara Hayrabedian	02e8bdc	2015-06-12 19:20:56 +0400	[diff] [blame]	118	assert ret == expected_retval
				119
				120
Anthony Sottile	21553c2	2020-02-18 10:24:17 -0800	[diff] [blame]	121	def test_allows_arbitrarily_encoded_files(tmpdir):
				122	src_ini = tmpdir.join('src.ini')
				123	src_ini.write(
				124	'[default]\n'
				125	'aws_access_key_id=AKIASDFASDF\n'
				126	'aws_secret_Access_key=9018asdf23908190238123\n',
				127	)
				128	arbitrary_encoding = tmpdir.join('f')
				129	arbitrary_encoding.write_binary(b'\x12\x9a\xe2\xf2')
				130	ret = main((str(arbitrary_encoding), '--credentials-file', str(src_ini)))
				131	assert ret == 0
				132
				133
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	134	@patch('pre_commit_hooks.detect_aws_credentials.get_aws_secrets_from_file')
				135	@patch('pre_commit_hooks.detect_aws_credentials.get_aws_secrets_from_env')
				136	def test_non_existent_credentials(mock_secrets_env, mock_secrets_file, capsys):
Daniel Roschka	b0d4cdb	2016-12-30 08:41:24 +0100	[diff] [blame]	137	"""Test behavior with no configured AWS secrets."""
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	138	mock_secrets_env.return_value = set()
				139	mock_secrets_file.return_value = set()
Anthony Sottile	d444ab8	2016-02-08 17:05:39 -0800	[diff] [blame]	140	ret = main((
Daniel Roschka	b0d4cdb	2016-12-30 08:41:24 +0100	[diff] [blame]	141	get_resource_path('aws_config_without_secrets.ini'),
Anthony Sottile	8626e26	2019-02-11 19:57:37 -0800	[diff] [blame]	142	'--credentials-file=testing/resources/credentailsfilethatdoesntexist',
Anthony Sottile	d444ab8	2016-02-08 17:05:39 -0800	[diff] [blame]	143	))
				144	assert ret == 2
				145	out, _ = capsys.readouterr()
Daniel Roschka	3939aee	2017-01-03 19:05:49 +0100	[diff] [blame]	146	assert out == (
				147	'No AWS keys were found in the configured credential files '
				148	'and environment variables.\nPlease ensure you have the '
				149	'correct setting for --credentials-file\n'
				150	)
Mike Fiedler	312e721	2017-02-10 08:26:26 -0500	[diff] [blame]	151
				152
				153	@patch('pre_commit_hooks.detect_aws_credentials.get_aws_secrets_from_file')
				154	@patch('pre_commit_hooks.detect_aws_credentials.get_aws_secrets_from_env')
Anthony Sottile	4575652	2019-02-11 19:56:15 -0800	[diff] [blame]	155	def test_non_existent_credentials_with_allow_flag(
				156	mock_secrets_env, mock_secrets_file,
				157	):
Mike Fiedler	312e721	2017-02-10 08:26:26 -0500	[diff] [blame]	158	mock_secrets_env.return_value = set()
				159	mock_secrets_file.return_value = set()
				160	ret = main((
				161	get_resource_path('aws_config_without_secrets.ini'),
Anthony Sottile	8626e26	2019-02-11 19:57:37 -0800	[diff] [blame]	162	'--credentials-file=testing/resources/credentailsfilethatdoesntexist',
				163	'--allow-missing-credentials',
Mike Fiedler	312e721	2017-02-10 08:26:26 -0500	[diff] [blame]	164	))
				165	assert ret == 0