diff --git a/google/auth/aws.py b/google/auth/aws.py new file mode 100644 index 000000000..d4c75c0c8 --- /dev/null +++ b/google/auth/aws.py @@ -0,0 +1,304 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""Helper functions for AWS related operations + +This module provides a basic implementation of the `AWS Signature Version 4`_ +request signing algorithm. + +.. _AWS Signature Version 4: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html +""" + +import hashlib +import hmac +import os + +from six.moves import urllib + +from google.auth import _helpers + +# AWS Signature Version 4 signing algorithm identifier. +_AWS_ALGORITHM = "AWS4-HMAC-SHA256" +# The termination string for the AWS credential scope value as defined in +# https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html +_AWS_REQUEST_TYPE = "aws4_request" +# The AWS authorization header name for the security session token if available. +_AWS_SECURITY_TOKEN_HEADER = "x-amz-security-token" +# The AWS authorization header name for the auto-generated date. +_AWS_DATE_HEADER = "x-amz-date" + + +class RequestSigner(object): + """Implements an AWS request signer based on the AWS Signature Version 4 signing + process. + https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html + """ + + def __init__(self, region_name): + """Instantiates an AWS request signer used to compute authenticated signed + requests to AWS APIs based on the AWS Signature Version 4 signing process. + + Args: + region_name (str): The AWS region to use. + """ + + self._region_name = region_name + + def get_request_options( + self, + aws_security_credentials, + url, + method, + request_payload="", + additional_headers={}, + ): + """Generates the signed request for the provided HTTP request for calling + an AWS API. This follows the steps described at: + https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html + + Args: + aws_security_credentials (Mapping[str, str]): A dictionary containing + the AWS security credentials. + url (str): The AWS service URL containing the canonical URI and + query string. + method (str): The HTTP method used to call this API. + request_payload (Optional[str]): The optional request payload if + available. + additional_headers (Optional[Mapping[str, str]]): The optional + additional headers needed for the requested AWS API. + + Returns: + Mapping[str, str]: The AWS signed request dictionary object. + """ + # Get AWS credentials. + access_key = aws_security_credentials.get("access_key_id") + secret_key = aws_security_credentials.get("secret_access_key") + security_token = aws_security_credentials.get("security_token") + + additional_headers = additional_headers or {} + + uri = urllib.parse.urlparse(url) + header_map = _generate_authentication_header_map( + host=uri.hostname, + canonical_uri=os.path.normpath(uri.path or "/"), + canonical_querystring=_get_canonical_querystring(uri.query), + method=method, + region=self._region_name, + access_key=access_key, + secret_key=secret_key, + security_token=security_token, + request_payload=request_payload, + additional_headers=additional_headers, + ) + headers = { + "Authorization": header_map.get("authorization_header"), + "host": uri.hostname, + } + # Add x-amz-date if available. + if "amz_date" in header_map: + headers[_AWS_DATE_HEADER] = header_map.get("amz_date") + # Append additional optional headers, eg. X-Amz-Target, Content-Type, etc. + for key in additional_headers: + headers[key] = additional_headers[key] + + # Add session token if available. + if security_token is not None: + headers[_AWS_SECURITY_TOKEN_HEADER] = security_token + + signed_request = {"url": url, "method": method, "headers": headers} + if request_payload: + signed_request["data"] = request_payload + return signed_request + + +def _get_canonical_querystring(query): + """Generates the canonical query string given a raw query string. + Logic is based on + https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html + + Args: + query (str): The raw query string. + + Returns: + str: The canonical query string. + """ + # Parse raw query string. + querystring = urllib.parse.parse_qs(query) + querystring_encoded_map = {} + for key in querystring: + quote_key = urllib.parse.quote(key, safe="-_.~") + # URI encode key. + querystring_encoded_map[quote_key] = [] + for item in querystring[key]: + # For each key, URI encode all values for that key. + querystring_encoded_map[quote_key].append( + urllib.parse.quote(item, safe="-_.~") + ) + # Sort values for each key. + querystring_encoded_map[quote_key].sort() + # Sort keys. + sorted_keys = list(querystring_encoded_map.keys()) + sorted_keys.sort() + # Reconstruct the query string. Preserve keys with multiple values. + querystring_encoded_pairs = [] + for key in sorted_keys: + for item in querystring_encoded_map[key]: + querystring_encoded_pairs.append("{}={}".format(key, item)) + return "&".join(querystring_encoded_pairs) + + +def _sign(key, msg): + """Creates the HMAC-SHA256 hash of the provided message using the provided + key. + + Args: + key (str): The HMAC-SHA256 key to use. + msg (str): The message to hash. + + Returns: + str: The computed hash bytes. + """ + return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest() + + +def _get_signing_key(key, date_stamp, region_name, service_name): + """Calculates the signing key used to calculate the signature for + AWS Signature Version 4 based on: + https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html + + Args: + key (str): The AWS secret access key. + date_stamp (str): The '%Y%m%d' date format. + region_name (str): The AWS region. + service_name (str): The AWS service name, eg. sts. + + Returns: + str: The signing key bytes. + """ + k_date = _sign(("AWS4" + key).encode("utf-8"), date_stamp) + k_region = _sign(k_date, region_name) + k_service = _sign(k_region, service_name) + k_signing = _sign(k_service, "aws4_request") + return k_signing + + +def _generate_authentication_header_map( + host, + canonical_uri, + canonical_querystring, + method, + region, + access_key, + secret_key, + security_token, + request_payload="", + additional_headers={}, +): + """Generates the authentication header map needed for generating the AWS + Signature Version 4 signed request. + + Args: + host (str): The AWS service URL hostname. + canonical_uri (str): The AWS service URL path name. + canonical_querystring (str): The AWS service URL query string. + method (str): The HTTP method used to call this API. + region (str): The AWS region. + access_key (str): The AWS access key ID. + secret_key (str): The AWS secret access key. + security_token (Optional[str]): The AWS security session token. This is + available for temporary sessions. + request_payload (Optional[str]): The optional request payload if + available. + additional_headers (Optional[Mapping[str, str]]): The optional + additional headers needed for the requested AWS API. + + Returns: + Mapping[str, str]: The AWS authentication header dictionary object. + This contains the x-amz-date and authorization header information. + """ + # iam.amazonaws.com host => iam service. + # sts.us-east-2.amazonaws.com host => sts service. + service_name = host.split(".")[0] + + current_time = _helpers.utcnow() + amz_date = current_time.strftime("%Y%m%dT%H%M%SZ") + date_stamp = current_time.strftime("%Y%m%d") + + # Change all additional headers to be lower case. + full_headers = {} + for key in additional_headers: + full_headers[key.lower()] = additional_headers[key] + # Add AWS session token if available. + if security_token is not None: + full_headers[_AWS_SECURITY_TOKEN_HEADER] = security_token + + # Required headers + full_headers["host"] = host + # Do not use generated x-amz-date if the date header is provided. + # Previously the date was not fixed with x-amz- and could be provided + # manually. + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-header-value-trim.req + if "date" not in full_headers: + full_headers[_AWS_DATE_HEADER] = amz_date + + # Header keys need to be sorted alphabetically. + canonical_headers = "" + header_keys = list(full_headers.keys()) + header_keys.sort() + for key in header_keys: + canonical_headers = "{}{}:{}\n".format( + canonical_headers, key, full_headers[key] + ) + signed_headers = ";".join(header_keys) + + payload_hash = hashlib.sha256((request_payload or "").encode("utf-8")).hexdigest() + + # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html + canonical_request = "{}\n{}\n{}\n{}\n{}\n{}".format( + method, + canonical_uri, + canonical_querystring, + canonical_headers, + signed_headers, + payload_hash, + ) + + credential_scope = "{}/{}/{}/{}".format( + date_stamp, region, service_name, _AWS_REQUEST_TYPE + ) + + # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html + string_to_sign = "{}\n{}\n{}\n{}".format( + _AWS_ALGORITHM, + amz_date, + credential_scope, + hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(), + ) + + # https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html + signing_key = _get_signing_key(secret_key, date_stamp, region, service_name) + signature = hmac.new( + signing_key, string_to_sign.encode("utf-8"), hashlib.sha256 + ).hexdigest() + + # https://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html + authorization_header = "{} Credential={}/{}, SignedHeaders={}, Signature={}".format( + _AWS_ALGORITHM, access_key, credential_scope, signed_headers, signature + ) + + authentication_header = {"authorization_header": authorization_header} + # Do not use generated x-amz-date if the date header is provided. + if "date" not in full_headers: + authentication_header["amz_date"] = amz_date + return authentication_header diff --git a/tests/test_aws.py b/tests/test_aws.py new file mode 100644 index 000000000..26728aa83 --- /dev/null +++ b/tests/test_aws.py @@ -0,0 +1,500 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import datetime + +import mock +import pytest +from six.moves import urllib + +from google.auth import aws + + +# Sample AWS security credentials to be used with tests that require a session token. +ACCESS_KEY_ID = "ASIARD4OQDT6A77FR3CL" +SECRET_ACCESS_KEY = "Y8AfSaucF37G4PpvfguKZ3/l7Id4uocLXxX0+VTx" +TOKEN = "IQoJb3JpZ2luX2VjEIz//////////wEaCXVzLWVhc3QtMiJGMEQCIH7MHX/Oy/OB8OlLQa9GrqU1B914+iMikqWQW7vPCKlgAiA/Lsv8Jcafn14owfxXn95FURZNKaaphj0ykpmS+Ki+CSq0AwhlEAAaDDA3NzA3MTM5MTk5NiIMx9sAeP1ovlMTMKLjKpEDwuJQg41/QUKx0laTZYjPlQvjwSqS3OB9P1KAXPWSLkliVMMqaHqelvMF/WO/glv3KwuTfQsavRNs3v5pcSEm4SPO3l7mCs7KrQUHwGP0neZhIKxEXy+Ls//1C/Bqt53NL+LSbaGv6RPHaX82laz2qElphg95aVLdYgIFY6JWV5fzyjgnhz0DQmy62/Vi8pNcM2/VnxeCQ8CC8dRDSt52ry2v+nc77vstuI9xV5k8mPtnaPoJDRANh0bjwY5Sdwkbp+mGRUJBAQRlNgHUJusefXQgVKBCiyJY4w3Csd8Bgj9IyDV+Azuy1jQqfFZWgP68LSz5bURyIjlWDQunO82stZ0BgplKKAa/KJHBPCp8Qi6i99uy7qh76FQAqgVTsnDuU6fGpHDcsDSGoCls2HgZjZFPeOj8mmRhFk1Xqvkbjuz8V1cJk54d3gIJvQt8gD2D6yJQZecnuGWd5K2e2HohvCc8Fc9kBl1300nUJPV+k4tr/A5R/0QfEKOZL1/k5lf1g9CREnrM8LVkGxCgdYMxLQow1uTL+QU67AHRRSp5PhhGX4Rek+01vdYSnJCMaPhSEgcLqDlQkhk6MPsyT91QMXcWmyO+cAZwUPwnRamFepuP4K8k2KVXs/LIJHLELwAZ0ekyaS7CptgOqS7uaSTFG3U+vzFZLEnGvWQ7y9IPNQZ+Dffgh4p3vF4J68y9049sI6Sr5d5wbKkcbm8hdCDHZcv4lnqohquPirLiFQ3q7B17V9krMPu3mz1cg4Ekgcrn/E09NTsxAqD8NcZ7C7ECom9r+X3zkDOxaajW6hu3Az8hGlyylDaMiFfRbBJpTIlxp7jfa7CxikNgNtEKLH9iCzvuSg2vhA==" +# To avoid json.dumps() differing behavior from one version to other, +# the JSON payload is hardcoded. +REQUEST_PARAMS = '{"KeySchema":[{"KeyType":"HASH","AttributeName":"Id"}],"TableName":"TestTable","AttributeDefinitions":[{"AttributeName":"Id","AttributeType":"S"}],"ProvisionedThroughput":{"WriteCapacityUnits":5,"ReadCapacityUnits":5}}' +# Each tuple contains the following entries: +# region, time, credentials, original_request, signed_request +TEST_FIXTURES = [ + # GET request (AWS botocore tests). + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla.req + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla.sreq + ( + "us-east-1", + "2011-09-09T23:36:00Z", + { + "access_key_id": "AKIDEXAMPLE", + "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", + }, + { + "method": "GET", + "url": "https://host.foo.com", + "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, + }, + { + "url": "https://host.foo.com", + "method": "GET", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470", + "host": "host.foo.com", + "date": "Mon, 09 Sep 2011 23:36:00 GMT", + }, + }, + ), + # GET request with relative path (AWS botocore tests). + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-relative-relative.req + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-relative-relative.sreq + ( + "us-east-1", + "2011-09-09T23:36:00Z", + { + "access_key_id": "AKIDEXAMPLE", + "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", + }, + { + "method": "GET", + "url": "https://host.foo.com/foo/bar/../..", + "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, + }, + { + "url": "https://host.foo.com/foo/bar/../..", + "method": "GET", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470", + "host": "host.foo.com", + "date": "Mon, 09 Sep 2011 23:36:00 GMT", + }, + }, + ), + # GET request with /./ path (AWS botocore tests). + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-slash-dot-slash.req + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-slash-dot-slash.sreq + ( + "us-east-1", + "2011-09-09T23:36:00Z", + { + "access_key_id": "AKIDEXAMPLE", + "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", + }, + { + "method": "GET", + "url": "https://host.foo.com/./", + "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, + }, + { + "url": "https://host.foo.com/./", + "method": "GET", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470", + "host": "host.foo.com", + "date": "Mon, 09 Sep 2011 23:36:00 GMT", + }, + }, + ), + # GET request with pointless dot path (AWS botocore tests). + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-slash-pointless-dot.req + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-slash-pointless-dot.sreq + ( + "us-east-1", + "2011-09-09T23:36:00Z", + { + "access_key_id": "AKIDEXAMPLE", + "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", + }, + { + "method": "GET", + "url": "https://host.foo.com/./foo", + "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, + }, + { + "url": "https://host.foo.com/./foo", + "method": "GET", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=910e4d6c9abafaf87898e1eb4c929135782ea25bb0279703146455745391e63a", + "host": "host.foo.com", + "date": "Mon, 09 Sep 2011 23:36:00 GMT", + }, + }, + ), + # GET request with utf8 path (AWS botocore tests). + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-utf8.req + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-utf8.sreq + ( + "us-east-1", + "2011-09-09T23:36:00Z", + { + "access_key_id": "AKIDEXAMPLE", + "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", + }, + { + "method": "GET", + "url": "https://host.foo.com/%E1%88%B4", + "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, + }, + { + "url": "https://host.foo.com/%E1%88%B4", + "method": "GET", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=8d6634c189aa8c75c2e51e106b6b5121bed103fdb351f7d7d4381c738823af74", + "host": "host.foo.com", + "date": "Mon, 09 Sep 2011 23:36:00 GMT", + }, + }, + ), + # GET request with duplicate query key (AWS botocore tests). + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla-query-order-key-case.req + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla-query-order-key-case.sreq + ( + "us-east-1", + "2011-09-09T23:36:00Z", + { + "access_key_id": "AKIDEXAMPLE", + "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", + }, + { + "method": "GET", + "url": "https://host.foo.com/?foo=Zoo&foo=aha", + "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, + }, + { + "url": "https://host.foo.com/?foo=Zoo&foo=aha", + "method": "GET", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=be7148d34ebccdc6423b19085378aa0bee970bdc61d144bd1a8c48c33079ab09", + "host": "host.foo.com", + "date": "Mon, 09 Sep 2011 23:36:00 GMT", + }, + }, + ), + # GET request with duplicate out of order query key (AWS botocore tests). + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla-query-order-value.req + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla-query-order-value.sreq + ( + "us-east-1", + "2011-09-09T23:36:00Z", + { + "access_key_id": "AKIDEXAMPLE", + "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", + }, + { + "method": "GET", + "url": "https://host.foo.com/?foo=b&foo=a", + "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, + }, + { + "url": "https://host.foo.com/?foo=b&foo=a", + "method": "GET", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=feb926e49e382bec75c9d7dcb2a1b6dc8aa50ca43c25d2bc51143768c0875acc", + "host": "host.foo.com", + "date": "Mon, 09 Sep 2011 23:36:00 GMT", + }, + }, + ), + # GET request with utf8 query (AWS botocore tests). + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla-ut8-query.req + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-vanilla-ut8-query.sreq + ( + "us-east-1", + "2011-09-09T23:36:00Z", + { + "access_key_id": "AKIDEXAMPLE", + "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", + }, + { + "method": "GET", + "url": "https://host.foo.com/?{}=bar".format( + urllib.parse.unquote("%E1%88%B4") + ), + "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, + }, + { + "url": "https://host.foo.com/?{}=bar".format( + urllib.parse.unquote("%E1%88%B4") + ), + "method": "GET", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=6fb359e9a05394cc7074e0feb42573a2601abc0c869a953e8c5c12e4e01f1a8c", + "host": "host.foo.com", + "date": "Mon, 09 Sep 2011 23:36:00 GMT", + }, + }, + ), + # POST request with sorted headers (AWS botocore tests). + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-header-key-sort.req + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-header-key-sort.sreq + ( + "us-east-1", + "2011-09-09T23:36:00Z", + { + "access_key_id": "AKIDEXAMPLE", + "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", + }, + { + "method": "POST", + "url": "https://host.foo.com/", + "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT", "ZOO": "zoobar"}, + }, + { + "url": "https://host.foo.com/", + "method": "POST", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host;zoo, Signature=b7a95a52518abbca0964a999a880429ab734f35ebbf1235bd79a5de87756dc4a", + "host": "host.foo.com", + "date": "Mon, 09 Sep 2011 23:36:00 GMT", + "ZOO": "zoobar", + }, + }, + ), + # POST request with upper case header value from AWS Python test harness. + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-header-value-case.req + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-header-value-case.sreq + ( + "us-east-1", + "2011-09-09T23:36:00Z", + { + "access_key_id": "AKIDEXAMPLE", + "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", + }, + { + "method": "POST", + "url": "https://host.foo.com/", + "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT", "zoo": "ZOOBAR"}, + }, + { + "url": "https://host.foo.com/", + "method": "POST", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host;zoo, Signature=273313af9d0c265c531e11db70bbd653f3ba074c1009239e8559d3987039cad7", + "host": "host.foo.com", + "date": "Mon, 09 Sep 2011 23:36:00 GMT", + "zoo": "ZOOBAR", + }, + }, + ), + # POST request with header and no body (AWS botocore tests). + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-header-value-trim.req + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/get-header-value-trim.sreq + ( + "us-east-1", + "2011-09-09T23:36:00Z", + { + "access_key_id": "AKIDEXAMPLE", + "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", + }, + { + "method": "POST", + "url": "https://host.foo.com/", + "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT", "p": "phfft"}, + }, + { + "url": "https://host.foo.com/", + "method": "POST", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host;p, Signature=debf546796015d6f6ded8626f5ce98597c33b47b9164cf6b17b4642036fcb592", + "host": "host.foo.com", + "date": "Mon, 09 Sep 2011 23:36:00 GMT", + "p": "phfft", + }, + }, + ), + # POST request with body and no header (AWS botocore tests). + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-x-www-form-urlencoded.req + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-x-www-form-urlencoded.sreq + ( + "us-east-1", + "2011-09-09T23:36:00Z", + { + "access_key_id": "AKIDEXAMPLE", + "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", + }, + { + "method": "POST", + "url": "https://host.foo.com/", + "headers": { + "Content-Type": "application/x-www-form-urlencoded", + "date": "Mon, 09 Sep 2011 23:36:00 GMT", + }, + "data": "foo=bar", + }, + { + "url": "https://host.foo.com/", + "method": "POST", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=content-type;date;host, Signature=5a15b22cf462f047318703b92e6f4f38884e4a7ab7b1d6426ca46a8bd1c26cbc", + "host": "host.foo.com", + "Content-Type": "application/x-www-form-urlencoded", + "date": "Mon, 09 Sep 2011 23:36:00 GMT", + }, + "data": "foo=bar", + }, + ), + # POST request with querystring (AWS botocore tests). + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-vanilla-query.req + # https://github.com/boto/botocore/blob/879f8440a4e9ace5d3cf145ce8b3d5e5ffb892ef/tests/unit/auth/aws4_testsuite/post-vanilla-query.sreq + ( + "us-east-1", + "2011-09-09T23:36:00Z", + { + "access_key_id": "AKIDEXAMPLE", + "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", + }, + { + "method": "POST", + "url": "https://host.foo.com/?foo=bar", + "headers": {"date": "Mon, 09 Sep 2011 23:36:00 GMT"}, + }, + { + "url": "https://host.foo.com/?foo=bar", + "method": "POST", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=b6e3b79003ce0743a491606ba1035a804593b0efb1e20a11cba83f8c25a57a92", + "host": "host.foo.com", + "date": "Mon, 09 Sep 2011 23:36:00 GMT", + }, + }, + ), + # GET request with session token credentials. + ( + "us-east-2", + "2020-08-11T06:55:22Z", + { + "access_key_id": ACCESS_KEY_ID, + "secret_access_key": SECRET_ACCESS_KEY, + "security_token": TOKEN, + }, + { + "method": "GET", + "url": "https://ec2.us-east-2.amazonaws.com?Action=DescribeRegions&Version=2013-10-15", + }, + { + "url": "https://ec2.us-east-2.amazonaws.com?Action=DescribeRegions&Version=2013-10-15", + "method": "GET", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=" + + ACCESS_KEY_ID + + "/20200811/us-east-2/ec2/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=631ea80cddfaa545fdadb120dc92c9f18166e38a5c47b50fab9fce476e022855", + "host": "ec2.us-east-2.amazonaws.com", + "x-amz-date": "20200811T065522Z", + "x-amz-security-token": TOKEN, + }, + }, + ), + # POST request with session token credentials. + ( + "us-east-2", + "2020-08-11T06:55:22Z", + { + "access_key_id": ACCESS_KEY_ID, + "secret_access_key": SECRET_ACCESS_KEY, + "security_token": TOKEN, + }, + { + "method": "POST", + "url": "https://sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15", + }, + { + "url": "https://sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15", + "method": "POST", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=" + + ACCESS_KEY_ID + + "/20200811/us-east-2/sts/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=73452984e4a880ffdc5c392355733ec3f5ba310d5e0609a89244440cadfe7a7a", + "host": "sts.us-east-2.amazonaws.com", + "x-amz-date": "20200811T065522Z", + "x-amz-security-token": TOKEN, + }, + }, + ), + # POST request with computed x-amz-date and no data. + ( + "us-east-2", + "2020-08-11T06:55:22Z", + {"access_key_id": ACCESS_KEY_ID, "secret_access_key": SECRET_ACCESS_KEY}, + { + "method": "POST", + "url": "https://sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15", + }, + { + "url": "https://sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15", + "method": "POST", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=" + + ACCESS_KEY_ID + + "/20200811/us-east-2/sts/aws4_request, SignedHeaders=host;x-amz-date, Signature=d095ba304919cd0d5570ba8a3787884ee78b860f268ed040ba23831d55536d56", + "host": "sts.us-east-2.amazonaws.com", + "x-amz-date": "20200811T065522Z", + }, + }, + ), + # POST request with session token and additional headers/data. + ( + "us-east-2", + "2020-08-11T06:55:22Z", + { + "access_key_id": ACCESS_KEY_ID, + "secret_access_key": SECRET_ACCESS_KEY, + "security_token": TOKEN, + }, + { + "method": "POST", + "url": "https://dynamodb.us-east-2.amazonaws.com/", + "headers": { + "Content-Type": "application/x-amz-json-1.0", + "x-amz-target": "DynamoDB_20120810.CreateTable", + }, + "data": REQUEST_PARAMS, + }, + { + "url": "https://dynamodb.us-east-2.amazonaws.com/", + "method": "POST", + "headers": { + "Authorization": "AWS4-HMAC-SHA256 Credential=" + + ACCESS_KEY_ID + + "/20200811/us-east-2/dynamodb/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=fdaa5b9cc9c86b80fe61eaf504141c0b3523780349120f2bd8145448456e0385", + "host": "dynamodb.us-east-2.amazonaws.com", + "x-amz-date": "20200811T065522Z", + "Content-Type": "application/x-amz-json-1.0", + "x-amz-target": "DynamoDB_20120810.CreateTable", + "x-amz-security-token": TOKEN, + }, + "data": REQUEST_PARAMS, + }, + ), +] + + +class TestRequestSigner(object): + @pytest.mark.parametrize( + "region, time, credentials, original_request, signed_request", TEST_FIXTURES + ) + @mock.patch("google.auth._helpers.utcnow") + def test_get_request_options( + self, utcnow, region, time, credentials, original_request, signed_request + ): + utcnow.return_value = datetime.datetime.strptime(time, "%Y-%m-%dT%H:%M:%SZ") + request_signer = aws.RequestSigner(region) + actual_signed_request = request_signer.get_request_options( + credentials, + original_request.get("url"), + original_request.get("method"), + original_request.get("data"), + original_request.get("headers"), + ) + + assert actual_signed_request == signed_request