fix: refactor tech debt in aws and identity pool credentials #1501

Merged
merged 4 commits into from
Mar 18, 2024
30 changes: 16 additions & 14 deletions google/auth/aws.py
Expand Up @@ -69,6 +69,8 @@
_DEFAULT_AWS_REGIONAL_CREDENTIAL_VERIFICATION_URL = (
"https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
)
# IMDSV2 session token lifetime. This is set to a low value because the session token is used immediately.
_IMDSV2_SESSION_TOKEN_TTL_SECONDS = "300"


class RequestSigner(object):
Expand Down Expand Up @@ -476,9 +478,9 @@ def get_aws_region(self, context, request):
else response.data
)

if response.status != 200:
if response.status != http_client.OK:
raise exceptions.RefreshError(
"Unable to retrieve AWS region", response_body
"Unable to retrieve AWS region: {}".format(response_body)
)

# This endpoint will return the region in format: us-east-2b.
Expand All @@ -487,16 +489,19 @@ def get_aws_region(self, context, request):

def _get_imdsv2_session_token(self, request):
if request is not None and self._imdsv2_session_token_url is not None:
headers = {"X-aws-ec2-metadata-token-ttl-seconds": "300"}
headers = {
"X-aws-ec2-metadata-token-ttl-seconds": _IMDSV2_SESSION_TOKEN_TTL_SECONDS
}

imdsv2_session_token_response = request(
url=self._imdsv2_session_token_url, method="PUT", headers=headers
)

if imdsv2_session_token_response.status != 200:
if imdsv2_session_token_response.status != http_client.OK:
raise exceptions.RefreshError(
"Unable to retrieve AWS Session Token",
imdsv2_session_token_response.data,
"Unable to retrieve AWS Session Token: {}".format(
imdsv2_session_token_response.data
)
)

return imdsv2_session_token_response.data
Expand Down Expand Up @@ -545,7 +550,7 @@ def _get_metadata_security_credentials(

if response.status != http_client.OK:
raise exceptions.RefreshError(
"Unable to retrieve AWS security credentials", response_body
"Unable to retrieve AWS security credentials: {}".format(response_body)
)

credentials_response = json.loads(response_body)
Expand Down Expand Up @@ -593,7 +598,7 @@ def _get_metadata_role_name(self, request, imdsv2_session_token):

if response.status != http_client.OK:
raise exceptions.RefreshError(
"Unable to retrieve AWS role name", response_body
"Unable to retrieve AWS role name {}".format(response_body)
)

return response_body
Expand Down Expand Up @@ -690,7 +695,7 @@ def __init__(
"regional_cred_verification_url"
)

# Get the environment ID. Currently, only one version supported (v1).
# Get the environment ID, i.e. "aws1". Currently, only one version supported (1).
aeitzman marked this conversation as resolved.
matches = re.match(r"^(aws)([\d]+)$", environment_id)
if matches:
env_id, env_version = matches.groups()
Expand All @@ -701,7 +706,7 @@ def __init__(
raise exceptions.InvalidResource(
"No valid AWS 'credential_source' provided"
)
elif int(env_version or "") != 1:
elif env_version is None or int(env_version) != 1:
raise exceptions.InvalidValue(
"aws version '{}' is not supported in the current build.".format(
env_version
Expand Down Expand Up @@ -784,15 +789,12 @@ def retrieve_subject_token(self, request):
request_headers["x-goog-cloud-target-resource"] = self._target_resource

# Serialize AWS signed request.
# Keeping inner keys in sorted order makes testing easier for Python
# versions <=3.5 as the stringified JSON string would have a predictable
# key order.
aws_signed_req = {}
aws_signed_req["url"] = request_options.get("url")
aws_signed_req["method"] = request_options.get("method")
aws_signed_req["headers"] = []
# Reformat header to GCP STS expected format.
for key in sorted(request_headers.keys()):
for key in request_headers.keys():
aws_signed_req["headers"].append(
{"key": key, "value": request_headers[key]}
)
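Review bot: The RefreshError raised in `_get_imdsv2_session_token` now formats `imdsv2_session_token_response.data` directly, whereas `get_aws_region` first turns `response.data` into a `response_body` string (the `else response.data` branch visible just above its status check), so if the transport hands back bytes the session-token message will read `b'...'` rather than the text. I would apply the same bytes-to-str step there before formatting, presumably `.decode("utf-8")` when the value is bytes, and then `"Unable to retrieve AWS Session Token: {}".format(body)`. The error messages in this file are also no longer uniform: `_get_metadata_role_name` drops the separator, so it should become `"Unable to retrieve AWS role name: {}".format(response_body)` to match the region and security-credentials messages. `_IMDSV2_SESSION_TOKEN_TTL_SECONDS` is deliberately a `str` because it is sent verbatim as a header value, and a comment saying so, e.g. `# Kept as a str: sent as-is in the X-aws-ec2-metadata-token-ttl-seconds header.`, would stop a later cleanup turning it into an int. Several of the functions touched here begin or end outside the visible hunks.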
3 changes: 1 addition & 2 deletions google/auth/identity_pool.py
Expand Up @@ -41,7 +41,6 @@
except ImportError: # pragma: NO COVER
from collections import Mapping
import abc
import io
import json
import os
from typing import NamedTuple
Expand Down Expand Up @@ -104,7 +103,7 @@ def get_subject_token(self, context, request):
if not os.path.exists(self._path):
raise exceptions.RefreshError("File '{}' was not found.".format(self._path))

with io.open(self._path, "r", encoding="utf-8") as file_obj:
with open(self._path, "r", encoding="utf-8") as file_obj:
token_content = _TokenContent(file_obj.read(), self._path)

return _parse_token_data(
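Review bot: The new `open(self._path, "r", encoding="utf-8")` call in `get_subject_token` can still raise a bare `OSError` (permission denied, a directory at that path, or the file disappearing between the `os.path.exists` check and the open), and nothing in this hunk converts that into the `RefreshError` that the not-found branch just above already raises. The exists check is a check-then-act race, so the open itself should decide; wrapping it and re-raising as `RefreshError` keeps the existing not-found message and covers the other read failures. `get_subject_token` starts in the hunk header and its body continues past the end of the hunk.
```python
        # … unchanged: os.path.exists guard and its RefreshError …
        try:
            with open(self._path, "r", encoding="utf-8") as file_obj:
                token_content = _TokenContent(file_obj.read(), self._path)
        except OSError as exc:
            raise exceptions.RefreshError(
                "Unable to read file '{}': {}".format(self._path, exc)
            ) from exc
```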