public void TestAssumeRoleWithWebIdentityCredentialsPropertiesUsedInSTSCall()
{
#region Setup
// Set up request variables
var dummyToken = "dummyToken";
var dummyRoleArn = "dummyRoleArn";
var dummyRoleSessionName = "dummyRoleSessionName";
var dummyOptions = new AssumeRoleWithWebIdentityCredentialsOptions();
var currentDirectory = Directory.GetCurrentDirectory();
var webIdentityTokenFilePath = Path.Combine(currentDirectory, "my-token.jwt");
File.WriteAllText(webIdentityTokenFilePath, dummyToken);
var equalityCheck = new Func <AssumeRoleWithWebIdentityRequest, bool>(req =>
{
return(req.DurationSeconds.Equals(dummyOptions.DurationSeconds ?? 0) &&
string.Equals(req.Policy, dummyOptions.Policy) &&
Equals(req.PolicyArns, dummyOptions.PolicyArns) &&
Equals(req.ProviderId, dummyOptions.ProviderId) &&
req.RoleArn.Equals(dummyRoleArn) &&
req.RoleSessionName.Equals(dummyRoleSessionName) &&
req.WebIdentityToken.Equals(dummyToken));
});
var envVariables = new Dictionary <string, string>()
{
{ AssumeRoleWithWebIdentityCredentials.WebIdentityTokenFileEnvVariable, webIdentityTokenFilePath },
{ AssumeRoleWithWebIdentityCredentials.RoleArnEnvVariable, dummyRoleArn },
{ AssumeRoleWithWebIdentityCredentials.RoleSessionNameEnvVariable, dummyRoleSessionName },
};
// Set up response
var dummyAccessKeyId = "dummyAccessKeyId";
var dummySecretAccessKey = "dummySecretAccessKey";
var dummySessionToken = "dummySessionToken";
var dummyExpiration = DateTime.UtcNow.AddDays(1);
var forcedResponse = new AssumeRoleWithWebIdentityResponse()
{
Credentials = new Credentials(dummyAccessKeyId, dummySecretAccessKey, dummySessionToken, dummyExpiration)
};
// Setup service client mock
var mock = new Mock <AmazonSecurityTokenServiceClient>();
Expression <Func <AmazonSecurityTokenServiceClient, AssumeRoleWithWebIdentityResponse> > stsCall =
c => c.AssumeRoleWithWebIdentity(It.Is <AssumeRoleWithWebIdentityRequest>(req => equalityCheck(req)));
mock.Setup(stsCall).Returns(forcedResponse);
// Setup credentials
using (var testCredentials = new AssumeRoleWithWebIdentityTestCredentials(webIdentityTokenFilePath, dummyRoleArn, dummyRoleSessionName, dummyOptions)
{
Client = mock.Object
})
{
using (new FallbackFactoryTestFixture(ProfileText, "default", envVariables))
{
#endregion Setup
#region Act
testCredentials.GetCredentials();
#endregion Act
}
}
// Verify that the credential properties were used for the STS call
mock.Verify(stsCall, Times.Once);
}
public void TestAssumeRoleWithWebIdentity_FromSharedProfile()
{
#region Setup
var webIdentityToken = "Dummy.OIDC.Token";
var currentDirectory = Directory.GetCurrentDirectory();
var webIdentityTokenFilePath = Path.Combine(currentDirectory, "my-token.jwt");
File.WriteAllText(webIdentityTokenFilePath, webIdentityToken);
var profileText = GetAssumeRoleWithWebIdentityProfileText(webIdentityTokenFilePath);
AssumeRoleWithWebIdentityTestCredentials webIdentityCredentials;
var mockClient = new Mock <ICoreAmazonSTS_WebIdentity>();
mockClient.Setup(c => c.CredentialsFromAssumeRoleWithWebIdentityAuthentication(It.IsAny <string>(), It.IsAny <string>(), It.IsAny <string>(), It.IsAny <AssumeRoleWithWebIdentityCredentialsOptions>()))
.Returns(new AssumeRoleImmutableCredentials("dummyAccessKeyId", "dummySecret", "dummyToken", DateTime.UtcNow.AddDays(1)));
using (new FallbackFactoryTestFixture(profileText, "default"))
{
#endregion Setup
#region Act
var awsCredentials = FallbackCredentialsFactory.GetCredentials();
webIdentityCredentials = new AssumeRoleWithWebIdentityTestCredentials((AssumeRoleWithWebIdentityCredentials)awsCredentials, null)
{
Client = mockClient.Object
};
webIdentityCredentials.GetCredentials();
#endregion Act
}
#region Assert
Assert.AreEqual(webIdentityTokenFilePath, webIdentityCredentials.WebIdentityTokenFile);
Assert.AreEqual("some-arn-2", webIdentityCredentials.RoleArn);
Assert.AreEqual("some-session-name-2", webIdentityCredentials.RoleSessionName);
#endregion Assert
webIdentityCredentials.Dispose();
}
public void TestRetriesOnException <T>(T exception) where T : AmazonServiceException
{
var webIdentityToken = "Dummy.OIDC.Token";
var roleArn = "someRoleArn";
var roleSessionName = "someRoleSessionName";
var currentDirectory = Directory.GetCurrentDirectory();
var webIdentityTokenFilePath = Path.Combine(currentDirectory, "my-token.jwt");
File.WriteAllText(webIdentityTokenFilePath, webIdentityToken);
var envVariables = new Dictionary <string, string>()
{
{ AssumeRoleWithWebIdentityCredentials.WebIdentityTokenFileEnvVariable, webIdentityTokenFilePath },
{ AssumeRoleWithWebIdentityCredentials.RoleArnEnvVariable, roleArn },
{ AssumeRoleWithWebIdentityCredentials.RoleSessionNameEnvVariable, roleSessionName },
};
AWSCredentials awsCredentials;
using (new FallbackFactoryTestFixture(envVariables))
{
awsCredentials = FallbackCredentialsFactory.GetCredentials();
}
var webIdentityCredentials = new AssumeRoleWithWebIdentityTestCredentials((AssumeRoleWithWebIdentityCredentials)awsCredentials, null);
var retries = 0;
var client = webIdentityCredentials.Client as AmazonSecurityTokenServiceClient;
var pipeline = client
.GetType()
.GetProperty("RuntimePipeline", System.Reflection.BindingFlags.Instance | System.Reflection.BindingFlags.NonPublic)
.GetValue(client, null)
as RuntimePipeline;
// Setup STS failures
var credentialsRetriever = new Mock <CredentialsRetriever>(awsCredentials);
credentialsRetriever.Setup(cr => cr.InvokeSync(It.IsAny <IExecutionContext>())).Throws(exception); // Setting up the exception here
pipeline.ReplaceHandler <CredentialsRetriever>(credentialsRetriever.Object);
// Setup retry count notifications
var retryHandler = pipeline.Handlers.Find(h => h is RetryHandler) as RetryHandler;
var notifyingRetryHandler = new NotifyingRetryHandler(client.Config);
notifyingRetryHandler.AddHandler((object sender, RetryEventArgs e) => { retries++; });
pipeline.ReplaceHandler <RetryHandler>(notifyingRetryHandler);
var defaultRetryPolicy = new DefaultRetryPolicy(client.Config);
using (new FallbackFactoryTestFixture(envVariables))
{
// Act and Assert
Assert.ThrowsException <AmazonClientException>(() => webIdentityCredentials.GetCredentials());
}
Assert.AreEqual(defaultRetryPolicy.MaxRetries, retries);
webIdentityCredentials.Dispose();
}
public void TestAssumeRoleWithWebIdentity_SessionNameNotProvided()
{
#region Setup
var webIdentityToken = "Dummy.OIDC.Token";
var roleArn = "someRoleArn";
var currentDirectory = Directory.GetCurrentDirectory();
var webIdentityTokenFilePath = Path.Combine(currentDirectory, "my-token.jwt");
File.WriteAllText(webIdentityTokenFilePath, webIdentityToken);
var envVariables = new Dictionary <string, string>()
{
{ AssumeRoleWithWebIdentityCredentials.WebIdentityTokenFileEnvVariable, webIdentityTokenFilePath },
{ AssumeRoleWithWebIdentityCredentials.RoleArnEnvVariable, roleArn },
{ AssumeRoleWithWebIdentityCredentials.RoleSessionNameEnvVariable, "" },
};
AssumeRoleWithWebIdentityTestCredentials webIdentityCredentials;
AssumeRoleWithWebIdentityTestCredentials webIdentityCredentials2;
var mockClient = new Mock <ICoreAmazonSTS_WebIdentity>();
mockClient.Setup(c => c.CredentialsFromAssumeRoleWithWebIdentityAuthentication(It.IsAny <string>(), It.IsAny <string>(), It.IsAny <string>(), It.IsAny <AssumeRoleWithWebIdentityCredentialsOptions>()))
.Returns(new AssumeRoleImmutableCredentials("dummyAccessKeyId", "dummySecret", "dummyToken", DateTime.UtcNow.AddDays(1)));
using (new FallbackFactoryTestFixture(ProfileText, "default", envVariables))
{
#endregion Setup
#region Action
// Get credentials once
var awsCredentials = FallbackCredentialsFactory.GetCredentials();
webIdentityCredentials = new AssumeRoleWithWebIdentityTestCredentials((AssumeRoleWithWebIdentityCredentials)awsCredentials, null)
{
Client = mockClient.Object
};
webIdentityCredentials.GetCredentials();
// Get credentials again
var awsCredentials2 = FallbackCredentialsFactory.GetCredentials();
webIdentityCredentials2 = new AssumeRoleWithWebIdentityTestCredentials((AssumeRoleWithWebIdentityCredentials)awsCredentials, null)
{
Client = mockClient.Object
};
webIdentityCredentials2.GetCredentials();
#endregion Action
}
#region Assert
Assert.AreEqual(webIdentityTokenFilePath, webIdentityCredentials.WebIdentityTokenFile);
Assert.AreEqual(roleArn, webIdentityCredentials.RoleArn);
var guidRoleSessionName = webIdentityCredentials.RoleSessionName;
Assert.IsTrue(Guid.TryParse(guidRoleSessionName, out Guid guid));
Assert.AreEqual(guidRoleSessionName, webIdentityCredentials2.RoleSessionName);
#endregion Assert
webIdentityCredentials.Dispose();
webIdentityCredentials2.Dispose();
}
public void TestAssumeRoleWithWebIdentity_DefinedBothInEnvAndConfig()
{
#region Setup
var webIdentityToken = "Dummy.OIDC.Token";
var webIdentityToken2 = "Dummy.OIDC.Token2";
var roleArn = "someRoleArn";
var roleSessionName = "someRoleSessionName";
var currentDirectory = Directory.GetCurrentDirectory();
var webIdentityTokenFilePath = Path.Combine(currentDirectory, "my-token.jwt");
File.WriteAllText(webIdentityTokenFilePath, webIdentityToken);
var webIdentityTokenFilePath2 = Path.Combine(currentDirectory, "my-token2.jwt");
File.WriteAllText(webIdentityTokenFilePath2, webIdentityToken2);
var envVariables = new Dictionary <string, string>()
{
{ AssumeRoleWithWebIdentityCredentials.WebIdentityTokenFileEnvVariable, webIdentityTokenFilePath },
{ AssumeRoleWithWebIdentityCredentials.RoleArnEnvVariable, roleArn },
{ AssumeRoleWithWebIdentityCredentials.RoleSessionNameEnvVariable, roleSessionName },
};
var profileText = GetAssumeRoleWithWebIdentityProfileText(webIdentityTokenFilePath2);
AssumeRoleWithWebIdentityTestCredentials webIdentityCredentials;
var mockClient = new Mock <ICoreAmazonSTS_WebIdentity>();
mockClient.Setup(c => c.CredentialsFromAssumeRoleWithWebIdentityAuthentication(It.IsAny <string>(), It.IsAny <string>(), It.IsAny <string>(), It.IsAny <AssumeRoleWithWebIdentityCredentialsOptions>()))
.Returns(new AssumeRoleImmutableCredentials("dummyAccessKeyId", "dummySecret", "dummyToken", DateTime.UtcNow.AddDays(1)));
using (new FallbackFactoryTestFixture(profileText, "default", envVariables))
{
#endregion Setup
#region Action
var awsCredentials = FallbackCredentialsFactory.GetCredentials();
webIdentityCredentials = new AssumeRoleWithWebIdentityTestCredentials((AssumeRoleWithWebIdentityCredentials)awsCredentials, null)
{
Client = mockClient.Object
};
webIdentityCredentials.GetCredentials();
#endregion Action
}
#region Assert
Assert.AreEqual(webIdentityTokenFilePath, webIdentityCredentials.WebIdentityTokenFile);
Assert.AreEqual(roleArn, webIdentityCredentials.RoleArn);
Assert.AreEqual(roleSessionName, webIdentityCredentials.RoleSessionName);
#endregion Assert
webIdentityCredentials.Dispose();
}