in lambda/lambda_function.py [0:0]
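def test_secret(service_client, arn, token):
    """Test the secret

    This method should validate that the AWSPENDING secret works in the service that the secret belongs to. For example, if the secret
    is a database credential, this method should validate that the user can login with the password in AWSPENDING and that the user has
    all of the expected permissions against the database.

    Here the secret is an origin-validation header value: the AWSPENDING and the AWSCURRENT
    values are each handed to test_origin() against OriginUrl, and the step fails if either
    is rejected. The header values themselves are never written to the log.

    Args:
        service_client (client): The secrets manager service client
        arn (string): The secret ARN or other identifier
        token (string): The ClientRequestToken associated with the secret version

    Raises:
        ValueError: if no version of the secret carries the AWSCURRENT stage, or if the origin
            rejects either header value
        ClientError: re-raised after logging so that a failed call is reported as a failed
            test rather than silently passing
    """
    # Obtain secret value for AWSPENDING
    pending = service_client.get_secret_value(
        SecretId=arn,
        VersionId=token,
        VersionStage="AWSPENDING"
    )

    # Locate the version staged AWSCURRENT. Fail explicitly when there is none instead of
    # relying on a loop variable that may never have been bound.
    metadata = service_client.describe_secret(SecretId=arn)
    currenttoken = next(
        (
            version
            for version, stages in metadata["VersionIdsToStages"].items()
            if "AWSCURRENT" in stages
        ),
        None,
    )
    if currenttoken is None:
        logger.error("Secret %s has no version staged AWSCURRENT", arn)
        raise ValueError("Secret %s has no version staged AWSCURRENT" % arn)
    # Log the version actually selected, not whichever key the loop ended on.
    logger.info("Getting current version %s for %s" % (currenttoken, arn))

    # Obtain secret value for AWSCURRENT
    current = service_client.get_secret_value(
        SecretId=arn,
        VersionId=currenttoken,
        VersionStage="AWSCURRENT"
    )

    pendingsecret = json.loads(pending['SecretString'])
    currentsecret = json.loads(current['SecretString'])
    # Only the header values are passed on; keep them out of any log line.
    secrets = [pendingsecret['HEADERVALUE'], currentsecret['HEADERVALUE']]

    # Test origin URL access functional using validation headers for AWSPENDING and AWSCURRENT
    try:
        for s in secrets:
            if not test_origin(OriginUrl, s):
                logger.error("Tests failed for URL, %s " % OriginUrl)
                raise ValueError("Tests failed for URL, %s " % OriginUrl)
    except ClientError as e:
        # Log and re-raise: swallowing the error here would let the caller treat an
        # untested secret as verified.
        logger.error('Error: {}'.format(e))
        raise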