PyPI - cnos-aws - Versions diffs - 1.11.4__tar.gz - Mend

cnos-aws 1.11.4__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

cnos_aws-1.11.4/.gitignore +33 -0
cnos_aws-1.11.4/PKG-INFO +7 -0
cnos_aws-1.11.4/pyproject.toml +19 -0
cnos_aws-1.11.4/src/cnos_aws/__init__.py +4 -0
cnos_aws-1.11.4/src/cnos_aws/provider.py +214 -0
cnos_aws-1.11.4/tests/__init__.py +0 -0
cnos_aws-1.11.4/tests/test_provider.py +139 -0

cnos_aws-1.11.4/.gitignore ADDED Viewed

@@ -0,0 +1,33 @@
+.coop/logs/
+.coop/tmp/
+node_modules/
+dist/
+coverage/
+.artifacts/
+.turbo/
+.DS_Store
+Thumbs.db
+.idea/
+.vscode/
+*.log
+.env
+.env.local
+.env.*.local
+!.env.example
+pnpm-debug.log*
+# Claude Code worktrees and session scratch
+.claude/
+.tmp/
+# Python bytecode
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+.pytest_cache/
+# Java build output
+target/
+*.class
+*.jar

cnos_aws-1.11.4/PKG-INFO ADDED Viewed

@@ -0,0 +1,7 @@
+Metadata-Version: 2.4
+Name: cnos-aws
+Version: 1.11.4
+Summary: CNOS AWS Secrets Manager vault provider
+Requires-Python: >=3.8
+Requires-Dist: boto3>=1.26.0
+Requires-Dist: cnos>=1.11.4

cnos_aws-1.11.4/pyproject.toml ADDED Viewed

@@ -0,0 +1,19 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+[project]
+name = "cnos-aws"
+version = "1.11.4"
+description = "CNOS AWS Secrets Manager vault provider"
+requires-python = ">=3.8"
+dependencies = [
+    "cnos>=1.11.4",
+    "boto3>=1.26.0",
+]
+[tool.hatch.build.targets.wheel]
+packages = ["src/cnos_aws"]
+[tool.pytest.ini_options]
+testpaths = ["tests"]

cnos_aws-1.11.4/src/cnos_aws/__init__.py ADDED Viewed

@@ -0,0 +1,4 @@
+"""CNOS AWS Secrets Manager vault provider."""
+from cnos_aws.provider import AwsSecretsManagerProvider, factory
+__all__ = ["AwsSecretsManagerProvider", "factory"]

cnos_aws-1.11.4/src/cnos_aws/provider.py ADDED Viewed

@@ -0,0 +1,214 @@
+"""AWS Secrets Manager CNOS vault provider — mirrors Go's awssecretsmanager.go."""
+from __future__ import annotations
+from typing import Any, Dict, List, Optional
+from cnos.errors import CnosError
+from cnos.types import (
+    SecretVaultProvider,
+    SecretVaultProviderFactory,
+    VaultAuthConfig,
+    VaultDefinition,
+)
+PROVIDER_NAME = "aws-secrets-manager"
+def _string_config(config: Optional[Dict[str, Any]], key: str) -> str:
+    if not config:
+        return ""
+    val = config.get(key, "")
+    return str(val).strip() if val else ""
+def _first_string_config(config: Optional[Dict[str, Any]], *keys: str) -> str:
+    for key in keys:
+        val = _string_config(config, key)
+        if val:
+            return val
+    return ""
+def _unique_sorted(refs: List[str]) -> List[str]:
+    return sorted(set(refs))
+class AwsSecretsManagerProvider(SecretVaultProvider):
+    """AWS Secrets Manager provider. Supports injecting a mock client for tests."""
+    def __init__(
+        self,
+        vault_id: str,
+        definition: VaultDefinition,
+        client: Any = None,
+    ) -> None:
+        self._vault_id = vault_id
+        self._definition = definition
+        self._config = self._read_config(definition)
+        self._client = client
+        self._authenticated = False
+    @staticmethod
+    def _read_config(definition: VaultDefinition) -> Dict[str, str]:
+        config = definition.auth.config or {}
+        return {
+            "region": _string_config(config, "region"),
+            "endpoint": _string_config(config, "endpoint"),
+            "version_id": _first_string_config(config, "versionId", "version"),
+            "version_stage": _string_config(config, "versionStage"),
+        }
+    def authenticate(self, auth: VaultAuthConfig) -> None:
+        if auth.method not in ("iam", "environment"):
+            raise CnosError(
+                f'vault "{self._vault_id}" uses {PROVIDER_NAME} and requires iam authentication'
+            )
+        self._authenticated = True
+        if self._client is None:
+            self._client = self._build_client()
+    def _build_client(self) -> Any:
+        try:
+            import boto3
+        except ImportError as exc:
+            raise CnosError("cnos-aws: boto3 is required. Install with: pip install boto3") from exc
+        kwargs: Dict[str, Any] = {}
+        if self._config["region"]:
+            kwargs["region_name"] = self._config["region"]
+        client = boto3.client("secretsmanager", **kwargs)
+        if self._config["endpoint"]:
+            client = boto3.client(
+                "secretsmanager",
+                endpoint_url=self._config["endpoint"],
+                **{k: v for k, v in kwargs.items()},
+            )
+        return client
+    def batch_get(self, refs: List[str]) -> Dict[str, Any]:
+        unique = _unique_sorted(refs)
+        # If version params set, fall back to individual gets
+        if self._config["version_id"] or self._config["version_stage"]:
+            return self._get_each(unique)
+        # Try BatchGetSecretValue
+        external_to_logical: Dict[str, str] = {}
+        secret_ids: List[str] = []
+        for ref in unique:
+            external = self._external_secret_id(ref)
+            external_to_logical[external] = ref
+            secret_ids.append(external)
+        try:
+            response = self._client.batch_get_secret_value(SecretIdList=secret_ids)
+        except Exception as exc:
+            if self._is_resource_not_found(exc) or self._is_operation_not_supported(exc):
+                return self._get_each(unique)
+            raise CnosError(f"cnos-aws: batch_get_secret_value failed: {exc}") from exc
+        # Check batch errors
+        for err in response.get("Errors") or []:
+            if err.get("ErrorCode") == "ResourceNotFoundException":
+                continue
+            code = err.get("ErrorCode", "UnknownError")
+            msg = err.get("Message", "")
+            secret_id = err.get("SecretId", "")
+            raise CnosError(
+                f"AWS Secrets Manager batch read failed for {secret_id!r}: {code}: {msg}"
+            )
+        resolved: Dict[str, Any] = {}
+        for secret in response.get("SecretValues") or []:
+            ref = self._resolve_output_ref(secret, external_to_logical)
+            value = self._decode_secret_value(secret)
+            if ref and value is not None:
+                resolved[ref] = value
+        return resolved
+    def get(self, ref: str) -> Optional[Any]:
+        value = self._get_one(ref)
+        return value
+    def _get_each(self, refs: List[str]) -> Dict[str, Any]:
+        result: Dict[str, Any] = {}
+        for ref in refs:
+            val = self._get_one(ref)
+            if val is not None:
+                result[ref] = val
+        return result
+    def _get_one(self, ref: str) -> Optional[str]:
+        kwargs: Dict[str, Any] = {"SecretId": self._external_secret_id(ref)}
+        if self._config["version_id"]:
+            kwargs["VersionId"] = self._config["version_id"]
+        if self._config["version_stage"]:
+            kwargs["VersionStage"] = self._config["version_stage"]
+        try:
+            response = self._client.get_secret_value(**kwargs)
+        except Exception as exc:
+            if self._is_resource_not_found(exc):
+                return None
+            raise CnosError(f"cnos-aws: get_secret_value failed for {ref!r}: {exc}") from exc
+        return self._decode_get_secret_value(response)
+    def _external_secret_id(self, ref: str) -> str:
+        """Map logical ref to external secret ID via definition.mapping."""
+        mapping = self._definition.mapping or {}
+        for external, logical in mapping.items():
+            if logical == ref:
+                return external
+        return ref
+    def _logical_ref_for_external(self, secret_id: str) -> str:
+        mapping = self._definition.mapping or {}
+        return mapping.get(secret_id, secret_id)
+    def _resolve_output_ref(self, secret: Dict[str, Any], external_to_logical: Dict[str, str]) -> str:
+        arn = secret.get("ARN") or ""
+        if arn and arn in external_to_logical:
+            return external_to_logical[arn]
+        name = secret.get("Name") or ""
+        if name:
+            if name in external_to_logical:
+                return external_to_logical[name]
+            return self._logical_ref_for_external(name)
+        return ""
+    @staticmethod
+    def _decode_secret_value(secret: Dict[str, Any]) -> Optional[str]:
+        if secret.get("SecretString") is not None:
+            return secret["SecretString"]
+        if secret.get("SecretBinary") is not None:
+            return secret["SecretBinary"].decode("utf-8", errors="replace")
+        return None
+    @staticmethod
+    def _decode_get_secret_value(response: Dict[str, Any]) -> Optional[str]:
+        if response.get("SecretString") is not None:
+            return response["SecretString"]
+        if response.get("SecretBinary") is not None:
+            return response["SecretBinary"].decode("utf-8", errors="replace")
+        return None
+    @staticmethod
+    def _is_resource_not_found(exc: Exception) -> bool:
+        cls_name = type(exc).__name__
+        if "ResourceNotFoundException" in cls_name:
+            return True
+        code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
+        return code == "ResourceNotFoundException"
+    @staticmethod
+    def _is_operation_not_supported(exc: Exception) -> bool:
+        cls_name = type(exc).__name__
+        return "InvalidRequestException" in cls_name or "OperationNotPermitted" in cls_name
+def factory(client: Any = None) -> SecretVaultProviderFactory:
+    """Return a SecretVaultProviderFactory for AWS Secrets Manager.
+    Pass client= to inject a mock for tests.
+    """
+    def create(vault_id: str, definition: VaultDefinition) -> AwsSecretsManagerProvider:
+        return AwsSecretsManagerProvider(vault_id, definition, client=client)
+    return SecretVaultProviderFactory(provider=PROVIDER_NAME, create=create)

cnos_aws-1.11.4/tests/__init__.py ADDED Viewed

File without changes

cnos_aws-1.11.4/tests/test_provider.py ADDED Viewed

@@ -0,0 +1,139 @@
+"""Tests for the AWS Secrets Manager provider."""
+from __future__ import annotations
+import pytest
+from cnos.types import VaultAuthConfig, VaultAuthDefinition, VaultDefinition
+from cnos_aws.provider import AwsSecretsManagerProvider, PROVIDER_NAME
+# ---------------------------------------------------------------------------
+# Mock client
+# ---------------------------------------------------------------------------
+class MockAwsClient:
+    def __init__(self, secrets: dict, raise_on_batch: bool = False, not_found: set = None):
+        self._secrets = secrets
+        self._raise_on_batch = raise_on_batch
+        self._not_found = not_found or set()
+    def batch_get_secret_value(self, **kwargs):
+        if self._raise_on_batch:
+            raise _ResourceNotFoundException("not found")
+        secret_ids = kwargs.get("SecretIdList", [])
+        values = []
+        errors = []
+        for sid in secret_ids:
+            if sid in self._not_found:
+                errors.append({"ErrorCode": "ResourceNotFoundException", "SecretId": sid})
+            elif sid in self._secrets:
+                values.append({"Name": sid, "SecretString": self._secrets[sid]})
+        return {"SecretValues": values, "Errors": errors}
+    def get_secret_value(self, **kwargs):
+        sid = kwargs.get("SecretId", "")
+        if sid in self._not_found:
+            raise _ResourceNotFoundException(sid)
+        if sid in self._secrets:
+            return {"SecretString": self._secrets[sid]}
+        raise _ResourceNotFoundException(sid)
+class _ResourceNotFoundException(Exception):
+    def __init__(self, msg=""):
+        super().__init__(msg)
+        self.response = {"Error": {"Code": "ResourceNotFoundException"}}
+def _make_provider(secrets: dict, **kwargs) -> AwsSecretsManagerProvider:
+    definition = VaultDefinition(
+        provider=PROVIDER_NAME,
+        auth=VaultAuthDefinition(method="iam"),
+        mapping={},
+    )
+    client = MockAwsClient(secrets, **kwargs)
+    p = AwsSecretsManagerProvider("test-vault", definition, client=client)
+    p._authenticated = True
+    return p
+# ---------------------------------------------------------------------------
+# Tests
+# ---------------------------------------------------------------------------
+class TestAuthenticate:
+    def test_iam_auth_accepted(self):
+        p = _make_provider({})
+        p._authenticated = False
+        p.authenticate(VaultAuthConfig(method="iam"))
+        assert p._authenticated
+    def test_environment_auth_accepted(self):
+        p = _make_provider({})
+        p._authenticated = False
+        p.authenticate(VaultAuthConfig(method="environment"))
+        assert p._authenticated
+    def test_wrong_auth_raises(self):
+        p = _make_provider({})
+        p._authenticated = False
+        with pytest.raises(Exception, match="iam authentication"):
+            p.authenticate(VaultAuthConfig(method="token", token="tok"))
+class TestBatchGet:
+    def test_returns_secrets(self):
+        p = _make_provider({"my-secret": "value123"})
+        result = p.batch_get(["my-secret"])
+        assert result == {"my-secret": "value123"}
+    def test_missing_secret_not_in_result(self):
+        p = _make_provider({}, not_found={"missing-secret"})
+        result = p.batch_get(["missing-secret"])
+        assert "missing-secret" not in result
+    def test_multiple_secrets(self):
+        p = _make_provider({"s1": "v1", "s2": "v2"})
+        result = p.batch_get(["s1", "s2"])
+        assert result == {"s1": "v1", "s2": "v2"}
+    def test_deduplicates_refs(self):
+        p = _make_provider({"s1": "v1"})
+        result = p.batch_get(["s1", "s1", "s1"])
+        assert result == {"s1": "v1"}
+class TestGet:
+    def test_existing_secret(self):
+        p = _make_provider({"sec": "val"})
+        assert p.get("sec") == "val"
+    def test_missing_returns_none(self):
+        p = _make_provider({}, not_found={"missing"})
+        assert p.get("missing") is None
+class TestMapping:
+    def test_external_mapping(self):
+        definition = VaultDefinition(
+            provider=PROVIDER_NAME,
+            auth=VaultAuthDefinition(method="iam"),
+            mapping={"arn:aws:secretsmanager:us-east-1:123:secret:prod/db": "db.password"},
+        )
+        client = MockAwsClient({"arn:aws:secretsmanager:us-east-1:123:secret:prod/db": "secret!"})
+        p = AwsSecretsManagerProvider("v", definition, client=client)
+        p._authenticated = True
+        result = p.batch_get(["db.password"])
+        assert result.get("db.password") == "secret!"
+class TestFallbackToIndividualGet:
+    def test_fallback_on_batch_error(self):
+        p = _make_provider({"sec": "val"}, raise_on_batch=True)
+        result = p.batch_get(["sec"])
+        assert result.get("sec") == "val"
+class TestProviderName:
+    def test_provider_name_constant(self):
+        assert PROVIDER_NAME == "aws-secrets-manager"