[pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
pre-commit-ci[bot] committed Aug 29, 2024
1 parent b8707cb commit 67de58a
Showing 2 changed files with 23 additions and 11 deletions.
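--- a/src/awx_plugins/credentials/aws_assumerole.py
+++ b/src/awx_plugins/credentials/aws_assumerole.py
@@ -37,7 +37,8 @@
 'label': 'AWS ARN Role Name',
 'type': 'string',
 'secret': True,
-'help_text': _('The ARN Role Name to be assumed in AWS')},
+'help_text': _('The ARN Role Name to be assumed in AWS'),
+},
 ],
 'metadata': [{'id': 'identifier',
 'label': 'Identifier',
@@ -51,20 +52,23 @@
 
 def aws_assumerole_getcreds(access_key, secret_key, role_arn, external_id):
 if (access_key is None or len(access_key) == 0) and (
-secret_key is None or len(secret_key) == 0):
+secret_key is None or len(secret_key) == 0
+):
 # Connect using credentials in the EE
 connection = boto3.client(service_name='sts')
 else:
 # Connect to AWS using provided credentials
 connection = boto3.client(
 service_name='sts',
 aws_access_key_id=access_key,
-aws_secret_access_key=secret_key)
+aws_secret_access_key=secret_key,
+)
 try:
 response = connection.assume_role(
 RoleArn=role_arn,
 RoleSessionName='AAP_AWS_Role_Session1',
-ExternalId=external_id)
+ExternalId=external_id,
+)
 except ClientError as ce:
 raise ValueError(f'Got a bad client response from AWS: {ce.msg}.')
 
@@ -87,19 +91,24 @@ def aws_assumerole_backend(**kwargs):
 # multiple roles.
 #
 credential_key_hash = hashlib.sha256(
-(str(access_key or '') + role_arn).encode('utf-8'))
+(str(access_key or '') + role_arn).encode('utf-8'),
+)
 credential_key = credential_key_hash.hexdigest()
 
 credentials = _aws_cred_cache.get(credential_key, None)
 
 # If there are no credentials for this user/ARN *or* the credentials
 # we have in the cache have expired, then we need to contact AWS again.
 #
-if (credentials is None) or (credentials['Expiration'] < datetime.datetime.now(
-credentials['Expiration'].tzinfo)):
+if (credentials is None) or (
+credentials['Expiration'] < datetime.datetime.now(
+credentials['Expiration'].tzinfo,
+)
+):
 
 credentials = aws_assumerole_getcreds(
-access_key, secret_key, role_arn, external_id)
+access_key, secret_key, role_arn, external_id,
+)
 
 _aws_cred_cache[credential_key] = credentials
 
@@ -114,4 +123,5 @@ def aws_assumerole_backend(**kwargs):
 aws_assumerole_plugin = CredentialPlugin(
 'AWS Assume Role Plugin',
 inputs=assume_role_inputs,
-backend=aws_assumerole_backend)
+backend=aws_assumerole_backend,
+)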
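Review bot: The cache key in `aws_assumerole_backend` is built from `access_key` and `role_arn` only, so a later call that presents the same access key ID and role ARN with a different `secret_key` or `external_id` is served the cached temporary credentials without `aws_assumerole_getcreds` ever having those values checked by AWS. Consider hashing every input that AWS would have validated, with a separator so adjacent fields cannot run together, e.g. `'\0'.join(str(v or '') for v in (access_key, secret_key, external_id, role_arn)).encode('utf-8')`. The function starts before this hunk, so where these values come from and who can supply them is not visible here; if callers with different privileges can reach this backend the gap matters, otherwise a comment next to the hash stating the trust assumption would do.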
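--- a/tests/credential_plugins_test.py
+++ b/tests/credential_plugins_test.py
@@ -154,7 +154,8 @@ def test_aws_assumerole_with_accesssecret():
 kwargs.get('access_key'),
 kwargs.get('secret_key'),
 kwargs.get('role_arn'),
-None)
+None,
+)
 assert token == 'the_access_token'
 kwargs['identifier'] = 'secret_key'
 method_mock.reset_mock()
@@ -185,7 +186,8 @@ def test_aws_assumerole_with_arnonly():
 }
 token = aws_assumerole.aws_assumerole_backend(**kwargs)
 method_mock.assert_called_with(
-None, None, kwargs.get('role_arn'), None)
+None, None, kwargs.get('role_arn'), None,
+)
 assert token == 'the_access_token'
 kwargs['identifier'] = 'secret_key'
 method_mock.reset_mock()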
