ssm-cli 1.1.0.dev5__tar.gz → 1.1.0.dev6__tar.gz

{ssm_cli-1.1.0.dev5/ssm_cli.egg-info → ssm_cli-1.1.0.dev6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ssm-cli
-Version: 1.1.0.dev5
+Version: 1.1.0.dev6
 Summary: CLI tool to help with SSM functionality, aimed at adminstrators
 Author-email: Simon Fletcher <simon.fletcher@lexisnexisrisk.com>
 License: MIT License
@@ -36,10 +36,13 @@ License-File: LICENCE
 Requires-Dist: boto3
 Requires-Dist: paramiko
 Requires-Dist: rich
+Requires-Dist: readchar
 Requires-Dist: confclasses>=0.3.2
 Requires-Dist: xdg_base_dirs
 Requires-Dist: rich-click
 Requires-Dist: psutil
+Provides-Extra: test
+Requires-Dist: pytest; extra == "test"
 Dynamic: license-file
 
 # SSM CLI
@@ -97,7 +100,7 @@ I recommend using conditions in some way to control fine grained access.
         "Sid": "FirstStatement",
         "Effect": "Allow",
         "Action": [
-            "tag:GetResources",
+            "resourcegroupstaggingapi:GetResources",
             "ssm:DescribeInstanceInformation",
             "ssm:StartSession"
         ],
@@ -131,7 +134,7 @@ Adding to the ssh config (typically `~/.ssh/config`) and using ssh client as an
 ```bash
 cat >> ~/.ssh/config << EOL
 Host bastion
-    ProxyCommand ssm proxycommand bastion_group
+    ProxyCommand ssm sshproxy bastion_group
 EOL
 
 ssh bastion -L 3306:database.host:3306 

{ssm_cli-1.1.0.dev5 → ssm_cli-1.1.0.dev6}/README.md

@@ -53,7 +53,7 @@ I recommend using conditions in some way to control fine grained access.
         "Sid": "FirstStatement",
         "Effect": "Allow",
         "Action": [
-            "tag:GetResources",
+            "resourcegroupstaggingapi:GetResources",
             "ssm:DescribeInstanceInformation",
             "ssm:StartSession"
         ],
@@ -87,7 +87,7 @@ Adding to the ssh config (typically `~/.ssh/config`) and using ssh client as an
 ```bash
 cat >> ~/.ssh/config << EOL
 Host bastion
-    ProxyCommand ssm proxycommand bastion_group
+    ProxyCommand ssm sshproxy bastion_group
 EOL
 
 ssh bastion -L 3306:database.host:3306 

{ssm_cli-1.1.0.dev5 → ssm_cli-1.1.0.dev6}/pyproject.toml

@@ -20,6 +20,7 @@ dependencies = [
     "boto3",
     "paramiko",
     "rich",
+    "readchar",
     "confclasses>=0.3.2",
     "xdg_base_dirs",
     "rich-click",
@@ -27,6 +28,12 @@ dependencies = [
 ]
 dynamic = ["version"]
 
+[project.optional-dependencies]
+test = ["pytest"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+
 
 [project.scripts]
 ssm = "ssm_cli.cli:cli"

{ssm_cli-1.1.0.dev5 → ssm_cli-1.1.0.dev6}/ssm_cli/app.py

@@ -17,28 +17,38 @@ logger = logging.getLogger(__name__)
 @click.option('--profile', type=str, required=False, help="Which AWS profile to use")
 @click.option('--log-level', type=str, required=False, help="Set the logging level (DEBUG, INFO, WARNING, ERROR, CRITICAL)")
 @version_option('--version')
-def app(profile, log_level):
+@click.pass_context
+def app(ctx, profile, log_level):
     # Allow setup stuff to log at the right level if passed in
     if log_level:
         set_log_level(log_level)
 
+    # Only setup command can run without a config file
+    config_loaded = False
     try:
         with open(get_conf_file(), 'r') as file:
             confclasses.load(CONFIG, file)
             logger.debug(f"Config: {CONFIG}")
+            config_loaded = True
     except EnvironmentError as e:
-        console.print(f"Invalid config: {e}", style="red")
+        # If running setup command, we don't need the config yet
+        if ctx.invoked_subcommand == 'setup':
+            logger.debug(f"Config not loaded, but running setup command, so continuing")
+        else:
+            console.print(f"Invalid config: {e}", style="red")
+            raise SystemExit(1)
     
-    if log_level:
-        CONFIG.log.level = log_level
-    if profile:
-        CONFIG.aws_profile = profile
+    if config_loaded:
+        if log_level:
+            CONFIG.log.level = log_level
+        if profile:
+            CONFIG.aws_profile = profile
 
-    if not log_level:
-        set_log_level(CONFIG.log.level)
-    elif log_level != logging.DEBUG:
-        for logger_name, level in CONFIG.log.loggers.items():
-            set_log_level(level, name=logger_name)
+        if not log_level:
+            set_log_level(CONFIG.log.level)
+        elif log_level != logging.DEBUG:
+            for logger_name, level in CONFIG.log.loggers.items():
+                set_log_level(level, name=logger_name)
 
 
 @app.command(help='list all instances in a group, if no group provided, will list all available groups')
@@ -109,12 +119,15 @@ def sshproxy(group):
 
     logger.info(f"connecting to {repr(instance)}")
     
+    server = None
     try:
         server = ssm_cli.ssh_proxy.server.SshServer(instance)
         server.start()
     except Exception as e:
-        logger.info(f"hiding exceptions in sshproxy {e}")
-        server.event.set()
+        logger.exception(f"sshproxy failed: {e}")
+        if server is not None:
+            server.event.set()
+        raise
 
 @app.command(help="setups up ssm-cli, can be rerun safely")
 @click.option("--replace-config", is_flag=True, help="if we should replace existing config file")

{ssm_cli-1.1.0.dev5 → ssm_cli-1.1.0.dev6}/ssm_cli/aws.py

@@ -1,13 +1,19 @@
 import boto3
 import botocore
 import contextlib
+from datetime import datetime, timezone
 from threading import local
 
 from ssm_cli.config import CONFIG
 
 _cache = local()
-_cache.client_cache = {}
-_cache.session_cache = None
+
+def _get_cache():
+    if not hasattr(_cache, 'client_cache'):
+        _cache.client_cache = {}
+    if not hasattr(_cache, 'session_cache'):
+        _cache.session_cache = None
+    return _cache
 
 class AWSError(Exception):
     """ A generic exception for any AWS errors """
@@ -24,17 +30,24 @@ class AWSAccessDeniedError(AWSError):
 @contextlib.contextmanager
 def aws_session(use_cache=True):
     """ A context manager for creating a boto3 session with caching built in """
+    cache = _get_cache()
     try:
-         # TODO, check its still valid
-        if _cache.session_cache is not None and use_cache:
-            yield _cache.session_cache
-            return
+        if cache.session_cache is not None and use_cache:
+            credentials = cache.session_cache.get_credentials()
+            expiry_time = getattr(credentials, '_expiry_time', None)
+            if expiry_time is not None and expiry_time.tzinfo is None:
+                expiry_time = expiry_time.replace(tzinfo=timezone.utc)
+            if credentials is not None and (expiry_time is None or expiry_time > datetime.now(timezone.utc)):
+                yield cache.session_cache
+                return
+            cache.session_cache = None
+            cache.client_cache = {}
         
         session = boto3.Session(profile_name=CONFIG.aws_profile)
         if session.region_name is None:
             raise AWSAuthError(f"AWS config missing region for profile {session.profile_name}")
         
-        _cache.session_cache = session
+        cache.session_cache = session
         yield session
     except botocore.exceptions.ProfileNotFound as e:
         raise AWSAuthError(f"profile invalid") from e
@@ -48,11 +61,12 @@ def aws_session(use_cache=True):
 @contextlib.contextmanager
 def aws_client(service_name, use_cache=True):
     """ A context manager for creating a boto3 client with caching built in """
+    cache = _get_cache()
     with aws_session(use_cache) as session:
-        if service_name in _cache.client_cache and use_cache:
-            yield _cache.client_cache[service_name]
+        if service_name in cache.client_cache and use_cache:
+            yield cache.client_cache[service_name]
             return
         
         client = session.client(service_name)
-        _cache.client_cache[service_name] = client
+        cache.client_cache[service_name] = client
         yield client

{ssm_cli-1.1.0.dev5 → ssm_cli-1.1.0.dev6}/ssm_cli/click.py

@@ -16,8 +16,12 @@ def version_callback(ctx: Context, param: Parameter, value: bool) -> None:
     import importlib.metadata
     import os
 
+    plugin_version = "not installed"
     try:
         results = subprocess.run(["session-manager-plugin", "--version"], capture_output=True, text=True)
+        plugin_version = results.stdout.strip()
+        if not plugin_version:
+            plugin_version = f"unavailable (exit={results.returncode})"
     except FileNotFoundError:
         print("session-manager-plugin not found", file=sys.stderr)
     
@@ -26,7 +30,7 @@ def version_callback(ctx: Context, param: Parameter, value: bool) -> None:
     print(f"ssm-cli {importlib.metadata.version('ssm-cli')} from {pkg_dir}")
     v = sys.version_info
     print(f"python {v.major}.{v.minor}.{v.micro}")
-    print(f"session-manager-plugin {results.stdout.strip()}")
+    print(f"session-manager-plugin {plugin_version}")
     ctx.exit()
 
 def version_option(*param_decls):
@@ -53,7 +57,7 @@ class PluginGroup(RichGroup):
             # When developing the allow_interspersed_args, I kept finding these other settings in examples.
             # I haven't found them necessary, so leaving commented if they become useful:
             # "allow_extra_args": True,
-            # "ignore_unknown_options": True
+            "ignore_unknown_options": True
         }, **kwargs)
     
     def parse_args(self, ctx, args):
@@ -74,4 +78,4 @@ class PluginGroup(RichGroup):
                     args.remove(cmd.name)
                     ctx = cmd.make_context(cmd.name, args, parent=parent_ctx)
 
-        return super().parse_args(ctx, args)
+        return super().parse_args(ctx, args)

{ssm_cli-1.1.0.dev5 → ssm_cli-1.1.0.dev6}/ssm_cli/ssh_proxy/forwarding.py

@@ -42,8 +42,10 @@ class PortForwardingSession():
     """
     This is the object that the user will interact with
     """
-    def __init__(self, manager: "PortForwarding", session_id: str, internal_port: int):
+    def __init__(self, manager: "PortForwarding", host: str, remote_port: int, session_id: str, internal_port: int):
         self.manager = manager
+        self.host = host
+        self.remote_port = remote_port
         self.session_id = session_id
         self.internal_port = internal_port
 
@@ -93,13 +95,13 @@ class PortForwarding():
                 del self.session_cache[(host, remote_port)]
 
         session_id, internal_port = self.send_recv(("open_session", (host, remote_port)))
-        session = PortForwardingSession(self, session_id, internal_port)
+        session = PortForwardingSession(self, host, remote_port, session_id, internal_port)
         self.session_cache[(host, remote_port)] = session
         return session
     
     def close_session(self, session: PortForwardingSession):
-        self.proxy_pipe.send(("close_session", session.session_id))
-        del self.session_cache[(session.host, session.remote_port)]
+        self.send(("close_session", session.session_id))
+        self.session_cache.pop((session.host, session.remote_port), None)
 
     def is_open(self, session: PortForwardingSession):
         return self.send_recv(("is_open", session.session_id))
@@ -304,7 +306,7 @@ class PortForwardingManagerProcess(multiprocessing.Process):
                 logger.debug(f"{s.session_id} in cache for {host}:{remote_port}")
                 if s.is_open():
                     logger.debug(f"{s.session_id} still running, reusing")
-                    return s
+                    return s.session_id, s.internal_port
                 else:
                     logger.debug(f"{s.session_id} closed, removing from cache")
                     self.sessions.remove(s)
@@ -375,4 +377,4 @@ def get_free_port(bind_host="127.0.0.1"):
     s.bind((bind_host, 0))
     port = s.getsockname()[1]
     s.close()
-    return port
+    return port

{ssm_cli-1.1.0.dev5 → ssm_cli-1.1.0.dev6}/ssm_cli/ssh_proxy/server.py

@@ -117,22 +117,31 @@ class SshServer(paramiko.ServerInterface):
             logger.info(f"starting forward thread chan={chanid}")
 
             chan = self.channels.get_channel(chanid)
-            while True:
-                r, _, _ = select.select([chan, sock], [], [])
-                if sock in r:
-                    data = sock.recv(chunk_size)
-                    if len(data) == 0:
-                        break
-                    chan.send(data)
+            if chan is None:
+                logger.error(f"failed to acquire channel for chanid={chanid}")
+                session.close()
+                sock.close()
+                return
 
-                if chan in r:
-                    data = chan.recv(chunk_size)
-                    if len(data) == 0:
-                        break
-                    sock.send(data)
-   
-            session.close()
-            logger.info(f"forward thread chan={chanid} exiting")
+            try:
+                while True:
+                    r, _, _ = select.select([chan, sock], [], [])
+                    if sock in r:
+                        data = sock.recv(chunk_size)
+                        if len(data) == 0:
+                            break
+                        chan.send(data)
+
+                    if chan in r:
+                        data = chan.recv(chunk_size)
+                        if len(data) == 0:
+                            break
+                        sock.send(data)
+            finally:
+                chan.close()
+                sock.close()
+                session.close()
+                logger.info(f"forward thread chan={chanid} exiting")
         
         t = threading.Thread(target=forwarding_thread)
         t.start()

{ssm_cli-1.1.0.dev5 → ssm_cli-1.1.0.dev6/ssm_cli.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ssm-cli
-Version: 1.1.0.dev5
+Version: 1.1.0.dev6
 Summary: CLI tool to help with SSM functionality, aimed at adminstrators
 Author-email: Simon Fletcher <simon.fletcher@lexisnexisrisk.com>
 License: MIT License
@@ -36,10 +36,13 @@ License-File: LICENCE
 Requires-Dist: boto3
 Requires-Dist: paramiko
 Requires-Dist: rich
+Requires-Dist: readchar
 Requires-Dist: confclasses>=0.3.2
 Requires-Dist: xdg_base_dirs
 Requires-Dist: rich-click
 Requires-Dist: psutil
+Provides-Extra: test
+Requires-Dist: pytest; extra == "test"
 Dynamic: license-file
 
 # SSM CLI
@@ -97,7 +100,7 @@ I recommend using conditions in some way to control fine grained access.
         "Sid": "FirstStatement",
         "Effect": "Allow",
         "Action": [
-            "tag:GetResources",
+            "resourcegroupstaggingapi:GetResources",
             "ssm:DescribeInstanceInformation",
             "ssm:StartSession"
         ],
@@ -131,7 +134,7 @@ Adding to the ssh config (typically `~/.ssh/config`) and using ssh client as an
 ```bash
 cat >> ~/.ssh/config << EOL
 Host bastion
-    ProxyCommand ssm proxycommand bastion_group
+    ProxyCommand ssm sshproxy bastion_group
 EOL
 
 ssh bastion -L 3306:database.host:3306 

{ssm_cli-1.1.0.dev5 → ssm_cli-1.1.0.dev6}/ssm_cli.egg-info/SOURCES.txt

@@ -26,4 +26,8 @@ ssm_cli/ssh_proxy/channels.py
 ssm_cli/ssh_proxy/forwarding.py
 ssm_cli/ssh_proxy/server.py
 ssm_cli/ssh_proxy/shell.py
-ssm_cli/ssh_proxy/socket.py
+ssm_cli/ssh_proxy/socket.py
+tests/test_aws.py
+tests/test_cli.py
+tests/test_config.py
+tests/test_helpers.py

{ssm_cli-1.1.0.dev5 → ssm_cli-1.1.0.dev6}/ssm_cli.egg-info/requires.txt

@@ -1,7 +1,11 @@
 boto3
 paramiko
 rich
+readchar
 confclasses>=0.3.2
 xdg_base_dirs
 rich-click
 psutil
+
+[test]
+pytest

ssm_cli-1.1.0.dev6/tests/test_aws.py

@@ -0,0 +1,172 @@
+"""
+Tests for ssm_cli/aws.py - session and client caching.
+
+All boto3 calls are mocked so nothing hits real AWS.
+
+We use unittest.mock.patch to swap out boto3.Session with a fake - inside
+the patch block our fake is used, outside everything goes back to normal.
+
+The CONFIG object uses confclasses which needs from_dict() before you can
+read it. Can't use patch() on it directly so we just load it with defaults
+and set the profile manually.
+"""
+import pytest
+from unittest.mock import patch, MagicMock
+from datetime import datetime, timezone, timedelta
+from threading import local
+from confclasses import from_dict
+
+from ssm_cli.aws import (
+    aws_session, aws_client,
+    _get_cache,
+    AWSAuthError, AWSAccessDeniedError,
+)
+from ssm_cli.config import CONFIG
+import ssm_cli.aws
+import botocore.exceptions
+
+
+def _setup_config(profile="test-profile"):
+    """Load CONFIG with defaults and set the profile for testing."""
+    from_dict(CONFIG, {})
+    CONFIG.aws_profile = profile
+
+
+# ---------------------------------------------------------------------------
+# _get_cache - thread-local storage init
+# ---------------------------------------------------------------------------
+
+# check a fresh cache starts with empty client_cache and no session
+def test_get_cache_initialises_empty():
+    ssm_cli.aws._cache = local()
+    cache = _get_cache()
+
+    assert cache.client_cache == {}
+    assert cache.session_cache is None
+
+
+# check calling _get_cache() again doesn't wipe data that's already there
+def test_get_cache_preserves_existing_data():
+    ssm_cli.aws._cache = local()
+    cache = _get_cache()
+    cache.client_cache["ssm"] = "fake-client"
+
+    cache2 = _get_cache()
+    assert cache2.client_cache["ssm"] == "fake-client"
+
+
+# ---------------------------------------------------------------------------
+# aws_session - creates and caches boto3 sessions
+# ---------------------------------------------------------------------------
+
+# check we get a boto3 session back when we call aws_session()
+def test_aws_session_creates_session():
+    ssm_cli.aws._cache = local()
+    _setup_config()
+
+    fake_session = MagicMock()
+    fake_session.region_name = "eu-west-1"
+
+    with patch("ssm_cli.aws.boto3.Session", return_value=fake_session):
+        with aws_session() as session:
+            assert session == fake_session
+
+
+# check the second call reuses the cached session instead of making a new one
+def test_aws_session_caches_on_second_call():
+    ssm_cli.aws._cache = local()
+    _setup_config()
+
+    fake_session = MagicMock()
+    fake_session.region_name = "eu-west-1"
+
+    fake_creds = MagicMock()
+    fake_creds._expiry_time = None
+    fake_session.get_credentials.return_value = fake_creds
+
+    with patch("ssm_cli.aws.boto3.Session", return_value=fake_session) as mock_session:
+        with aws_session() as s1:
+            pass
+        with aws_session() as s2:
+            pass
+
+        assert mock_session.call_count == 1
+        assert s1 == s2
+
+
+# check that expired creds get thrown away and a new session is created
+def test_aws_session_clears_cache_when_credentials_expired():
+    ssm_cli.aws._cache = local()
+    _setup_config()
+
+    expired_session = MagicMock()
+    expired_session.region_name = "eu-west-1"
+    expired_creds = MagicMock()
+    expired_creds._expiry_time = datetime.now(timezone.utc) - timedelta(hours=1)
+    expired_session.get_credentials.return_value = expired_creds
+
+    fresh_session = MagicMock()
+    fresh_session.region_name = "eu-west-1"
+
+    with patch("ssm_cli.aws.boto3.Session", side_effect=[expired_session, fresh_session]) as mock_session:
+        with aws_session() as s1:
+            pass
+        with aws_session() as s2:
+            pass
+
+        assert mock_session.call_count == 2
+        assert s2 == fresh_session
+
+
+# check we get AWSAuthError when the profile has no region set
+def test_aws_session_raises_on_missing_region():
+    ssm_cli.aws._cache = local()
+    _setup_config("broken-profile")
+
+    fake_session = MagicMock()
+    fake_session.region_name = None
+    fake_session.profile_name = "broken-profile"
+
+    with patch("ssm_cli.aws.boto3.Session", return_value=fake_session):
+        with pytest.raises(AWSAuthError, match="missing region"):
+            with aws_session() as session:
+                pass
+
+
+# check we wrap boto3's ProfileNotFound into our own AWSAuthError
+def test_aws_session_raises_on_invalid_profile():
+    ssm_cli.aws._cache = local()
+    _setup_config("nope")
+
+    with patch("ssm_cli.aws.boto3.Session",
+               side_effect=botocore.exceptions.ProfileNotFound(profile="nope")):
+        with pytest.raises(AWSAuthError, match="profile invalid"):
+            with aws_session() as session:
+                pass
+
+
+# ---------------------------------------------------------------------------
+# aws_client - creates and caches boto3 service clients
+# ---------------------------------------------------------------------------
+
+# check the client is created once and reused on the second call
+def test_aws_client_creates_and_caches_client():
+    ssm_cli.aws._cache = local()
+    _setup_config()
+
+    fake_session = MagicMock()
+    fake_session.region_name = "eu-west-1"
+    fake_client = MagicMock()
+    fake_session.client.return_value = fake_client
+
+    fake_creds = MagicMock()
+    fake_creds._expiry_time = None
+    fake_session.get_credentials.return_value = fake_creds
+
+    with patch("ssm_cli.aws.boto3.Session", return_value=fake_session):
+        with aws_client("ssm") as client1:
+            assert client1 == fake_client
+        with aws_client("ssm") as client2:
+            assert client2 == fake_client
+
+        assert fake_session.client.call_count == 1

ssm_cli-1.1.0.dev6/tests/test_cli.py

@@ -0,0 +1,62 @@
+"""
+Tests for the CLI commands - smoke tests using click's CliRunner.
+
+CliRunner lets us call CLI commands without a real terminal.
+Output is captured as a string and we can check exit codes.
+
+These just check the CLI loads and shows the right help text,
+they don't test any actual AWS functionality.
+"""
+from unittest.mock import patch, MagicMock
+from click.testing import CliRunner
+from ssm_cli.app import app
+
+
+# check ssm --help lists all four commands
+def test_help_shows_commands():
+    runner = CliRunner()
+    result = runner.invoke(app, ["--help"])
+
+    assert result.exit_code == 0, f"--help failed with: {result.output}"
+    assert "list" in result.output
+    assert "shell" in result.output
+    assert "sshproxy" in result.output
+    assert "setup" in result.output
+
+
+# check ssm --version shows versions of ssm-cli, python, and the plugin
+#
+# we mock subprocess.run because session-manager-plugin might not be
+# installed, and importlib.metadata.version because the package might
+# not be installed in editable mode
+def test_version_flag():
+    runner = CliRunner()
+
+    fake_result = MagicMock()
+    fake_result.stdout = "1.2.3.0"
+    fake_result.returncode = 0
+
+    with patch("subprocess.run", return_value=fake_result), \
+         patch("importlib.metadata.version", return_value="0.0.0-test"):
+        result = runner.invoke(app, ["--version"])
+
+    assert result.exit_code == 0, f"--version failed with: {result.output}"
+    assert "ssm-cli" in result.output
+    assert "python" in result.output
+
+
+# check ssm list --help doesn't crash
+def test_list_help():
+    runner = CliRunner()
+    result = runner.invoke(app, ["list", "--help"])
+    assert result.exit_code == 0, f"list --help failed with: {result.output}"
+
+
+# check ssm setup --help shows the --replace-config and --replace-hostkey flags
+def test_setup_help():
+    runner = CliRunner()
+    result = runner.invoke(app, ["setup", "--help"])
+
+    assert result.exit_code == 0, f"setup --help failed with: {result.output}"
+    assert "replace-config" in result.output
+    assert "replace-hostkey" in result.output

ssm_cli-1.1.0.dev6/tests/test_config.py

@@ -0,0 +1,39 @@
+"""
+Tests for ssm_cli/config.py - checks the CONFIG defaults are what we expect.
+
+If someone changes a default by accident, these will catch it.
+
+Note: confclasses needs from_dict() called before you can read attributes,
+so each test creates a fresh Config and loads it with an empty dict to get defaults.
+"""
+from confclasses import from_dict
+from ssm_cli.config import Config
+
+
+# check the default EC2 tag key for grouping instances is "group"
+def test_default_group_tag_key():
+    config = Config()
+    from_dict(config, {})
+    assert config.group_tag_key == "group"
+
+
+# check the default AWS profile is "default"
+def test_default_aws_profile():
+    config = Config()
+    from_dict(config, {})
+    assert config.aws_profile == "default"
+
+
+# check the default log level is "info"
+def test_default_log_level():
+    config = Config()
+    from_dict(config, {})
+    assert config.log.level == "info"
+
+
+# check botocore and paramiko default to "warn" (they're noisy at info)
+def test_default_logger_overrides():
+    config = Config()
+    from_dict(config, {})
+    assert config.log.loggers["botocore"] == "warn"
+    assert config.log.loggers["paramiko"] == "warn"

ssm_cli-1.1.0.dev6/tests/test_helpers.py

@@ -0,0 +1,101 @@
+"""
+Tests for the helper functions in ssm_cli/instances.py.
+
+These are pure functions with no AWS dependencies so no mocking is needed.
+"""
+import pytest
+from ssm_cli.instances import get_tag, arn_to_instance_id, ip_as_int
+
+
+# ---------------------------------------------------------------------------
+# get_tag - looks up a tag value from the list of tag dicts that AWS returns
+#
+# AWS tags come back as: [{"Key": "Name", "Value": "my-server"}, ...]
+# ---------------------------------------------------------------------------
+
+# check it can find a tag that exists and return the right value
+def test_get_tag_finds_existing_tag():
+    tags = [
+        {"Key": "Name", "Value": "my-server"},
+        {"Key": "env", "Value": "prod"},
+    ]
+    assert get_tag(tags, "Name") == "my-server"
+
+
+# check it returns None when the tag key doesn't exist
+def test_get_tag_returns_none_when_not_found():
+    tags = [
+        {"Key": "Name", "Value": "my-server"},
+    ]
+    assert get_tag(tags, "missing-key") is None
+
+
+# check it handles an empty tag list without crashing
+def test_get_tag_empty_list():
+    assert get_tag([], "anything") is None
+
+
+# check that if there are duplicate keys, it returns the first one
+def test_get_tag_returns_first_match():
+    tags = [
+        {"Key": "env", "Value": "first"},
+        {"Key": "env", "Value": "second"},
+    ]
+    assert get_tag(tags, "env") == "first"
+
+
+# ---------------------------------------------------------------------------
+# arn_to_instance_id - pulls the instance ID out of an EC2 ARN
+#
+# e.g. "arn:aws:ec2:eu-west-1:123456789:instance/i-0abc123def456"
+#   -> "i-0abc123def456"
+# ---------------------------------------------------------------------------
+
+# check it extracts the instance ID from a valid ARN
+def test_arn_to_instance_id_normal():
+    arn = "arn:aws:ec2:eu-west-1:123456789:instance/i-0abc123def456"
+    assert arn_to_instance_id(arn) == "i-0abc123def456"
+
+
+# check it raises ValueError when there's no slash in the ARN
+def test_arn_to_instance_id_invalid_raises():
+    with pytest.raises(ValueError):
+        arn_to_instance_id("no-slash-here")
+
+
+# check it raises ValueError when there are too many slashes
+def test_arn_to_instance_id_too_many_slashes_raises():
+    with pytest.raises(ValueError):
+        arn_to_instance_id("a/b/c")
+
+
+# ---------------------------------------------------------------------------
+# ip_as_int - converts IP string to integer for sorting
+#
+# needed because string sorting puts "10.0.10.1" before "10.0.2.1"
+# ---------------------------------------------------------------------------
+
+# check a normal IP converts to the right integer
+def test_ip_as_int_simple():
+    assert ip_as_int("10.0.0.1") == 167772161
+
+
+# check 0.0.0.0 gives 0
+def test_ip_as_int_all_zeros():
+    assert ip_as_int("0.0.0.0") == 0
+
+
+# check 255.255.255.255 gives the max value
+def test_ip_as_int_all_255():
+    assert ip_as_int("255.255.255.255") == 4294967295
+
+
+# check that IPs sort numerically not alphabetically
+def test_ip_as_int_ordering():
+    assert ip_as_int("10.0.2.1") < ip_as_int("10.0.10.1")
+
+
+# check it raises ValueError for garbage input
+def test_ip_as_int_invalid_raises():
+    with pytest.raises(ValueError):
+        ip_as_int("not-an-ip")