Allow anonymous calls on an operation-by-operation basis. #208

Closed
wants to merge 15 commits into from

garnaat
Member

@garnaat garnaat commented Jan 14, 2014

This pull request adds the ability to make anonymous (unsigned) requests. The motivation for this PR is to allow the STS operations AssumeRoleWithSAML and AssumeRoleWithWebIdentity to be called without having any credentials defined. These operations do not require, and in fact ignore, any authentication and it's quite likely that if a user wants to make these calls they would prefer to do it without any AWS credentials defined in their environment.

This required more changes than I expected.

  • A new attribute called no_auth was added to the two operations in question in the sns.extra.json file.
  • The endpoints.py code was changed so that the make_request method checks for a value of True on the no_auth attribute of the operation and only calls add_auth if the endpoint has an auth class and the operation's no_auth is not True.
  • The auth.py code was changed to move the check for credentials into the add_auth method rather than in the constructor. This is necessary because the auth is associated with the endpoint itself and not the operation. So, if a user has no credentials defined, they should still be able to create an endpoint and only get an error if they try to call an operation that does not have the no_auth attribute.
  • This also adds some STS-specific tests and also some additional tests in test_endpoints.py.

Fixes #206.

jamesls and others added 11 commits January 13, 2014 14:28
This fixes two issues to get elastictranscoder working:

* account for the `rest-json` service type in `get_response()`
* account for query strings coming from the url path in sigv4 signer

I've also added integration tests that verify we can talk to
the Elastic Transcoder service as expected.
* validate-content-length:
  Use unittest2 on python2.6
  Detect incomplete reads (content length mismatch)
Fixing an issue that came up while fixing AWS CLI issue below
Unsurprisingly, the internal details vary from py2
to py3 regarding how to get a socket object from an
HTTPResponse class, as the integration tests have
pointed out.
* rest-json:
  Fix elastictranscoder service
@toastdriven
Contributor

LGTM.

As an aside: Do anonymous S3 operations work a similar way? Are they unsupported? Or are they handled a different way?

@jamesls
Member

jamesls commented Jan 15, 2014

Looks good, what do you think about calling the key name "signature_version" with a value of null meaning unsigned? That's the current behavior of the top level key, and if for whatever reason we needed to support different signature versions per operation in the future we wouldn't have to add any new keys.

@garnaat
Member Author

garnaat commented Jan 15, 2014

Yeah, I like that better. I was struggling with the name a bit. I'll make that change and update.
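
The design discussed in this thread (a per-operation `signature_version` where null means unsigned, plus a credential check that happens in `add_auth` rather than in the constructor), sketched as an added example that is not botocore's code and not part of any comment here. The `Signer`, `Endpoint` and `outcome` names, the operation-dict shape and the sample access key are assumptions made for illustration.

```python
class NoCredentialsError(Exception):
    """Raised only when an operation that must be signed is actually called."""

_INHERIT = object()  # operation model has no "signature_version" key at all

class Signer:
    """Hypothetical signer: the credential check lives in add_auth, not __init__."""
    def __init__(self, credentials=None):
        self.credentials = credentials  # None is allowed at construction time

    def add_auth(self, request):
        if self.credentials is None:
            raise NoCredentialsError("this operation must be signed")
        # Stand-in for a real signature computation.
        request["headers"]["Authorization"] = "SIGNED " + self.credentials["access_key"]

class Endpoint:
    def __init__(self, service_signature_version, signer):
        self.service_signature_version = service_signature_version
        self.signer = signer

    def signature_version_for(self, operation):
        # A key that is present but null (None) means "unsigned";
        # a missing key means "inherit the service-level value".
        override = operation.get("signature_version", _INHERIT)
        return self.service_signature_version if override is _INHERIT else override

    def make_request(self, operation, params):
        request = {"action": operation["name"], "params": dict(params), "headers": {}}
        if self.signature_version_for(operation) is not None:
            self.signer.add_auth(request)
        return request

def outcome(endpoint, operation):
    """Classify one call as 'unsigned', 'signed' or 'no-credentials'."""
    try:
        request = endpoint.make_request(operation, {})
    except NoCredentialsError:
        return "no-credentials"
    return "signed" if "Authorization" in request["headers"] else "unsigned"

# Constructed operation models (shape is illustrative, not the real service JSON).
ANONYMOUS_OP = {"name": "AssumeRoleWithWebIdentity", "signature_version": None}
SIGNED_OP = {"name": "GetSessionToken"}

if __name__ == "__main__":
    for creds in (None, {"access_key": "AKIDEXAMPLE"}):
        ep = Endpoint("v4", Signer(creds))
        print(creds is not None, outcome(ep, ANONYMOUS_OP), outcome(ep, SIGNED_OP))
```

The anonymous operation stays unsigned even when credentials are configured, so no key material is attached to a call that ignores it, while an operation that inherits the service-level signature version fails closed when credentials are missing.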

@garnaat
Member Author

garnaat commented Jan 15, 2014

As for anonymous S3 operations, I don't think this really addresses that but it probably should. This PR allows certain operations for a service to be annotated as not needing auth and then botocore will never send auth for those. For S3, we have operations that normally require auth but for some resources no auth is required.

Do you think I should extend this to handle that case, as well?

@toastdriven
Contributor

@garnaat Not part of this PR. Just seemed potentially related to me & wanted to make sure we weren't inventing multiple ways to be anonymous.

@garnaat
Member Author

garnaat commented Jan 16, 2014

Well, that uglied things up. I guess I shouldn't have re-based. Maybe I should do another, clean PR.

garnaat added a commit to garnaat/botocore that referenced this pull request Jan 16, 2014
@jamesls
Member

jamesls commented Jan 16, 2014

@garnaat would you prefer us to look at this version? I noticed the latest commit is (garnaat@faebc48) which says that it supersedes this PR so I'm not sure which version you'd prefer reviewed.

@garnaat
Member Author

garnaat commented Jan 17, 2014

Please review #215. The end result is the same as this one but it's cleaner and easier to review. I'm closing this one.

@garnaat garnaat closed this Jan 17, 2014
jamesls added a commit that referenced this pull request Jan 23, 2014
* release-0.31.0: (22 commits)
  Bumping version to 0.31.0
  Remove debug logging message.
  Fix reference to no_auth.
  Allow for operations within a service to override the signature_version.  Fixes #206.  Supercedes #208
  Fix setting socket timeout in py3
  Add response parsing tests for S3 GetBucketLocation
  Expose output parameters matching root XML node, fix GetBucketLocation
  Use unittest2 on python2.6
  Detect incomplete reads (content length mismatch)
  Simplifying code and fixing test to use unicode constant.
  Fixing an issue that came up while fixing aws/aws-cli#593.
  Fixing an issue that came up while fixing aws/aws-cli#593.
  Fix elastictranscoder service
  Add default param to get_config_variable
  Add session config vars for metadata retry/timeouts
  Add support for per session config vars
  Rename get_variable to get_config_variable
  Rename env vars to session vars
  Move module vars into session class vars
  Update elasticache model to the latest version
  ...
Successfully merging this pull request may close these issues.

No way to make anonymous API call