Allow manually specifying credentials for CloudFront frontend cache backend (#10565)

2023-06-14 12:29:46 +01:00 · 2023-06-14 12:29:46 +01:00 · 15511411bd
commit 15511411bd
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -17,6 +17,7 @@ Changelog
 * Implement a new design for locale labels in listings (Albina Starykova)
 * Add alt text validation rule in the accessibility checker (Albina Starykova)
 * Add a `deactivate()` method to `ProgressController` (Alex Morega)
+ * Allow manually specifying credentials for CloudFront frontend cache backend (Jake Howard)
 * Fix: Make `WAGTAILIMAGES_CHOOSER_PAGE_SIZE` setting functional again (Rohit Sharma)
 * Fix: Enable `richtext` template tag to convert lazy translation values (Benjamin Bach)
 * Fix: Ensure permission labels on group permissions page are translated where available (Matt Westcott)
--- a/docs/reference/contrib/frontendcache.md
+++ b/docs/reference/contrib/frontendcache.md
@ -109,7 +109,7 @@ WAGTAILFRONTENDCACHE = {
 Previous versions allowed passing a dict for `DISTRIBUTION_ID` to allow specifying different distribution IDs for different hostnames. This is now deprecated; instead, multiple distribution IDs should be defined as [multiple backends](frontendcache_multiple_backends), with a `HOSTNAMES` parameter to define the hostnames associated with each one.
 ```

-Configuration of credentials can done in multiple ways. You won't need to store them in your Django settings file. You can read more about this here: [Boto 3 Docs](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html). The user will need a policy similar to:
+`boto3` will attempt to discover credentials itself. You can read more about this here: [Boto 3 Docs](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html). The user will need a policy similar to:

 ```json
 {
@ -125,6 +125,20 @@ Configuration of credentials can done in multiple ways. You won't need to store
 }
 ```

+To specify credentials manually, pass them as additional parameters:
+
+```python
+WAGTAILFRONTENDCACHE = {
+    'cloudfront': {
+        'BACKEND': 'wagtail.contrib.frontend_cache.backends.CloudfrontBackend',
+        'DISTRIBUTION_ID': 'your-distribution-id',
+        'AWS_ACCESS_KEY_ID': os.environ['FRONTEND_CACHE_AWS_ACCESS_KEY_ID'],
+        'AWS_SECRET_ACCESS_KEY': os.environ['FRONTEND_CACHE_AWS_SECRET_ACCESS_KEY'],
+        'AWS_SESSION_TOKEN': os.environ['FRONTEND_CACHE_AWS_SESSION_TOKEN']
+    },
+}
+```
+
 ### Azure CDN

 With [Azure CDN](https://azure.microsoft.com/en-gb/products/cdn/) you will need a CDN profile with an endpoint configured.
--- a/docs/releases/6.2.md
+++ b/docs/releases/6.2.md
@ -31,6 +31,7 @@ This feature was implemented by Albina Starykova, with support from the Wagtail
 * Adopt more compact representation for StreamField definitions in migrations (Matt Westcott)
 * Implement a new design for locale labels in listings (Albina Starykova)
 * Add a `deactivate()` method to `ProgressController` (Alex Morega)
+ * Allow manually specifying credentials for CloudFront frontend cache backend (Jake Howard)


 ### Bug fixes
--- a/wagtail/contrib/frontend_cache/backends/cloudfront.py
+++ b/wagtail/contrib/frontend_cache/backends/cloudfront.py
@ -22,7 +22,13 @@ class CloudfrontBackend(BaseBackend):

        super().__init__(params)

-        self.client = boto3.client("cloudfront")
+        self.client = boto3.client(
+            "cloudfront",
+            aws_access_key_id=params.get("AWS_ACCESS_KEY_ID"),
+            aws_secret_access_key=params.get("AWS_SECRET_ACCESS_KEY"),
+            aws_session_token=params.get("AWS_SESSION_TOKEN"),
+        )
+
        try:
            self.cloudfront_distribution_id = params.pop("DISTRIBUTION_ID")
        except KeyError:
--- a/wagtail/contrib/frontend_cache/tests.py
+++ b/wagtail/contrib/frontend_cache/tests.py
@ -5,7 +5,7 @@ import requests
 from azure.mgmt.cdn import CdnManagementClient
 from azure.mgmt.frontdoor import FrontDoorManagementClient
 from django.core.exceptions import ImproperlyConfigured
-from django.test import TestCase
+from django.test import SimpleTestCase, TestCase
 from django.test.utils import override_settings

 from wagtail.contrib.frontend_cache.backends import (
@ -30,7 +30,7 @@ from .utils import (
 )


-class TestBackendConfiguration(TestCase):
+class TestBackendConfiguration(SimpleTestCase):
    def test_default(self):
        backends = get_backends()

@ -82,6 +82,8 @@ class TestBackendConfiguration(TestCase):
                "cloudfront": {
                    "BACKEND": "wagtail.contrib.frontend_cache.backends.CloudfrontBackend",
                    "DISTRIBUTION_ID": "frontend",
+                    "AWS_ACCESS_KEY_ID": "my-access-key-id",
+                    "AWS_SECRET_ACCESS_KEY": "my-secret-access-key",
                },
            }
        )
@ -91,6 +93,12 @@ class TestBackendConfiguration(TestCase):

        self.assertEqual(backends["cloudfront"].cloudfront_distribution_id, "frontend")

+        credentials = backends["cloudfront"].client._request_signer._credentials
+
+        self.assertEqual(credentials.method, "explicit")
+        self.assertEqual(credentials.access_key, "my-access-key-id")
+        self.assertEqual(credentials.secret_key, "my-secret-access-key")
+
    def test_azure_cdn(self):
        backends = get_backends(
            backend_settings={