From fd0377a645cc2721edc94b36293eca12897c5b17 Mon Sep 17 00:00:00 2001
From: xiaogang_chen
Date: Sun, 23 Jun 2024 17:54:19 +0800
Subject: [PATCH 1/3] fix in _handle_sts_session to refresh sts token at 80% of TTL for issue #2031
---
 kombu/transport/SQS.py | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/kombu/transport/SQS.py b/kombu/transport/SQS.py
index 80b1af5b1..d69dde8ee 100644
--- a/kombu/transport/SQS.py
+++ b/kombu/transport/SQS.py
@@ -128,7 +128,7 @@
 import socket
 import string
 import uuid
-from datetime import datetime
+from datetime import datetime, timezone, timedelta
 from queue import Empty

 from botocore.client import Config
@@ -734,23 +734,21 @@ def sqs(self, queue=None):
 return c

 def _handle_sts_session(self, queue, q):
- if not hasattr(self, 'sts_expiration'): # STS token - token init
+ datetime_now_utc = datetime.now(timezone.utc).replace(
+ tzinfo=None
+ )
+ sts_token_timeout = self.transport_options.get('sts_token_timeout', 900)
+ # STS token is generated only if it is not present or
+ # the time reaches 80% of the token TTL
+ if (not hasattr(self, 'sts_expiration')) or (
+ self.sts_expiration.replace(tzinfo=None)
+ - timedelta(seconds=int(sts_token_timeout * 0.2))
+ < datetime_now_utc
+ ):
 sts_creds = self.generate_sts_session_token(
 self.transport_options.get('sts_role_arn'),
- self.transport_options.get('sts_token_timeout', 900))
- self.sts_expiration = sts_creds['Expiration']
- c = self._predefined_queue_clients[queue] = self.new_sqs_client(
- region=q.get('region', self.region),
- access_key_id=sts_creds['AccessKeyId'],
- secret_access_key=sts_creds['SecretAccessKey'],
- session_token=sts_creds['SessionToken'],
+ sts_token_timeout,
 )
- return c
- # STS token - refresh if expired
- elif self.sts_expiration.replace(tzinfo=None) < datetime.utcnow():
- sts_creds = self.generate_sts_session_token(
- self.transport_options.get('sts_role_arn'),
- self.transport_options.get('sts_token_timeout', 900))
 self.sts_expiration = sts_creds['Expiration']
 c = self._predefined_queue_clients[queue] = self.new_sqs_client(
 region=q.get('region', self.region),
@@ -759,7 +757,7 @@ def _handle_sts_session(self, queue, q):
 session_token=sts_creds['SessionToken'],
 )
 return c
- else: # STS token - ruse existing
+ else: # STS token still valid - reuse existing
 return self._predefined_queue_clients[queue]

 def generate_sts_session_token(self, role_arn, token_expiry_seconds):
From 59a7ea40758a0c1d9e890ac6d5ddaec345519185 Mon Sep 17 00:00:00 2001
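Review bot: The refresh test in `_handle_sts_session` reads one channel-wide `self.sts_expiration`, yet the `if` branch rebuilds only `self._predefined_queue_clients[queue]` for the queue being requested. With more than one predefined queue this looks like it leaves the other queues' clients on the older session credentials until the next refresh window (so they can hit expired-token errors), and the `else` branch, which sits in the following hunk, would raise `KeyError` for a queue that has no client yet; the callers are outside the diff, so this is inferred. Consider keeping the expiry per queue, or at least adding `or queue not in self._predefined_queue_clients` to the condition. A short docstring would also help, e.g. `"""Return the SQS client for queue, renewing the STS session once less than 20% of sts_token_timeout (seconds) remains."""`.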
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Sun, 23 Jun 2024 10:09:57 +0000
Subject: [PATCH 2/3] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci
---
 kombu/transport/SQS.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kombu/transport/SQS.py b/kombu/transport/SQS.py
index d69dde8ee..68c8c9f05 100644
--- a/kombu/transport/SQS.py
+++ b/kombu/transport/SQS.py
@@ -128,7 +128,7 @@
 import socket
 import string
 import uuid
-from datetime import datetime, timezone, timedelta
+from datetime import datetime, timedelta, timezone
 from queue import Empty

 from botocore.client import Config
From 5974800df03a85c301f4646f1339f3ceab1e983f Mon Sep 17 00:00:00 2001
From: chenxg283 <71055172+chenxg283@users.noreply.github.com>
Date: Sun, 23 Jun 2024 18:22:44 +0800
Subject: [PATCH 3/3] Update SQS.py Minor fix on the long line
---
 kombu/transport/SQS.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kombu/transport/SQS.py b/kombu/transport/SQS.py
index 68c8c9f05..3743e3a18 100644
--- a/kombu/transport/SQS.py
+++ b/kombu/transport/SQS.py
@@ -737,7 +737,9 @@ def _handle_sts_session(self, queue, q):
 datetime_now_utc = datetime.now(timezone.utc).replace(
 tzinfo=None
 )
- sts_token_timeout = self.transport_options.get('sts_token_timeout', 900)
+ sts_token_timeout = self.transport_options.get(
+ 'sts_token_timeout', 900
+ )
 # STS token is generated only if it is not present or
 # the time reaches 80% of the token TTL
 if (not hasattr(self, 'sts_expiration')) or (