Refactor AWS verification to enable reuse for owner resolution (Yelp#189)

justineyster · justineyster · commit 4d360db2e4d0 · 2020-06-24T10:45:12.000-04:00
* Refactor AWS verification to enable reuse for owner resolution

Follow up of git-defenders/detect-secrets-stream#182

* Revert changes to tox.ini

* Fix coverage issue
diff --git a/detect_secrets/plugins/aws.py b/detect_secrets/plugins/aws.py
@@ -51,7 +51,15 @@ def get_secret_access_keys(content):
     ]
 
 
-def verify_aws_secret_access_key(key, secret):  # pragma: no cover
+def verify_aws_secret_access_key(key, secret):
+    response = get_caller_info(key, secret)
+    if response.status_code == 403:
+        return False
+
+    return True
+
+
+def get_caller_info(key, secret):  # pragma: no cover
     """
     Using requests, because we don't want to require boto3 for this one
     optional verification step.
@@ -170,10 +178,7 @@ def verify_aws_secret_access_key(key, secret):  # pragma: no cover
         data=body,
     )
 
-    if response.status_code == 403:
-        return False
-
-    return True
+    return response
 
 
 def _sign(key, message, hex=False):  # pragma: no cover
diff --git a/tests/plugins/aws_key_test.py b/tests/plugins/aws_key_test.py
@@ -6,7 +6,8 @@
 from detect_secrets.core.constants import VerifiedResult
 from detect_secrets.core.potential_secret import PotentialSecret
 from detect_secrets.plugins.aws import AWSKeyDetector
-from detect_secrets.plugins.aws import get_secret_access_keys
+from detect_secrets.plugins.aws import get_secret_access_key
+from detect_secrets.plugins.aws import verify_aws_secret_access_key
 from testing.mocks import mock_file_object
 
 
@@ -101,6 +102,18 @@ def counter(*args, **kwargs):
             ) == VerifiedResult.VERIFIED_TRUE
         assert potential_secret.other_factors['secret_access_key'] == EXAMPLE_SECRET
 
+    @mock.patch('detect_secrets.plugins.aws.get_caller_info')
+    def test_verify_aws_secret_access_key_valid(self, mock_get_caller_info):
+        mock_get_caller_info.return_value = mock.MagicMock(status_code=200)
+        result = verify_aws_secret_access_key('test-access-key', 'test-secret-access-key')
+        assert result is True
+
+    @mock.patch('detect_secrets.plugins.aws.get_caller_info')
+    def test_verify_aws_secret_access_key_invalid(self, mock_get_caller_info):
+        mock_get_caller_info.return_value = mock.MagicMock(status_code=403)
+        result = verify_aws_secret_access_key('test-access-key', 'test-secret-access-key')
+        assert result is False
+
 
 @pytest.mark.parametrize(
     'content, expected_output',
