import pytest from pre_commit_hooks.detect_aws_credentials import get_aws_credential_files_from_env from pre_commit_hooks.detect_aws_credentials import get_aws_secrets_from_env from pre_commit_hooks.detect_aws_credentials import get_aws_secrets_from_file from pre_commit_hooks.detect_aws_credentials import main from testing.util import get_resource_path def test_get_aws_credentials_file_from_env(monkeypatch): """Test that reading credential files names from environment variables works.""" monkeypatch.delenv('AWS_CREDENTIAL_FILE', raising=False) monkeypatch.delenv('AWS_SHARED_CREDENTIALS_FILE', raising=False) monkeypatch.delenv('BOTO_CONFIG', raising=False) assert get_aws_credential_files_from_env() == set() monkeypatch.setenv('AWS_CREDENTIAL_FILE', '/foo') assert get_aws_credential_files_from_env() == {'/foo'} monkeypatch.setenv('AWS_SHARED_CREDENTIALS_FILE', '/bar') assert get_aws_credential_files_from_env() == {'/foo', '/bar'} monkeypatch.setenv('BOTO_CONFIG', '/baz') assert get_aws_credential_files_from_env() == {'/foo', '/bar', '/baz'} monkeypatch.setenv('AWS_DUMMY_KEY', 'foobar') assert get_aws_credential_files_from_env() == {'/foo', '/bar', '/baz'} def test_get_aws_secrets_from_env(monkeypatch): """Test that reading secrets from environment variables works.""" monkeypatch.delenv('AWS_SECRET_ACCESS_KEY', raising=False) monkeypatch.delenv('AWS_SESSION_TOKEN', raising=False) assert get_aws_secrets_from_env() == set() monkeypatch.setenv('AWS_SECRET_ACCESS_KEY', 'foo') assert get_aws_secrets_from_env() == {'foo'} monkeypatch.setenv('AWS_SESSION_TOKEN', 'bar') assert get_aws_secrets_from_env() == {'foo', 'bar'} monkeypatch.setenv('AWS_SECURITY_TOKEN', 'baz') assert get_aws_secrets_from_env() == {'foo', 'bar', 'baz'} monkeypatch.setenv('AWS_DUMMY_KEY', 'baz') assert get_aws_secrets_from_env() == {'foo', 'bar', 'baz'} @pytest.mark.parametrize(('filename', 'expected_keys'), ( ('aws_config_with_secret.ini', { 'z2rpgs5uit782eapz5l1z0y2lurtsyyk6hcfozlb'}), ('aws_config_with_session_token.ini', {'foo'}), ('aws_config_with_secret_and_session_token.ini', {'z2rpgs5uit782eapz5l1z0y2lurtsyyk6hcfozlb', 'foo'}), ('aws_config_with_multiple_sections.ini', { '7xebzorgm5143ouge9gvepxb2z70bsb2rtrh099e', 'z2rpgs5uit782eapz5l1z0y2lurtsyyk6hcfozlb', 'ixswosj8gz3wuik405jl9k3vdajsnxfhnpui38ez', 'foo'}), ('aws_config_without_secrets.ini', set()), ('nonsense.txt', set()), ('ok_json.json', set()), )) def test_get_aws_secrets_from_file(filename, expected_keys): """Test that reading secrets from files works.""" keys = get_aws_secrets_from_file(get_resource_path(filename)) assert keys == expected_keys # Input filename, expected return value TESTS = ( ('aws_config_with_secret.ini', 1), ('aws_config_with_session_token.ini', 1), ('aws_config_with_multiple_sections.ini', 1), ('aws_config_without_secrets.ini', 0), ('nonsense.txt', 0), ('ok_json.json', 0), ) @pytest.mark.parametrize(('filename', 'expected_retval'), TESTS) def test_detect_aws_credentials(filename, expected_retval): """Test if getting configured AWS secrets from files to be checked in works.""" # with a valid credentials file ret = main(( get_resource_path(filename), "--credentials-file=testing/resources/aws_config_with_multiple_sections.ini", )) assert ret == expected_retval def test_non_existent_credentials(capsys, monkeypatch): """Test behavior with no configured AWS secrets.""" monkeypatch.setattr( 'pre_commit_hooks.detect_aws_credentials.get_aws_secrets_from_env', lambda: set()) monkeypatch.setattr( 'pre_commit_hooks.detect_aws_credentials.get_aws_secrets_from_file', lambda x: set()) ret = main(( get_resource_path('aws_config_without_secrets.ini'), "--credentials-file=testing/resources/credentailsfilethatdoesntexist" )) assert ret == 2 out, _ = capsys.readouterr() assert out == ('No AWS keys were found in the configured credential files ' 'and environment variables.\nPlease ensure you have the ' 'correct setting for --credentials-file\n')