STS: integrate with core response serializer (#9107)

bpandola · web-flow · commit 6023a9a697e4 · 2025-07-27T13:28:59.000-07:00
diff --git a/moto/sts/exceptions.py b/moto/sts/exceptions.py
@@ -1,10 +1,10 @@
 from typing import Any
 
-from moto.core.exceptions import RESTError
+from moto.core.exceptions import ServiceException
 
 
-class STSClientError(RESTError):
-    code = 400
+class STSClientError(ServiceException):
+    pass
 
 
 class STSValidationError(STSClientError):
diff --git a/moto/sts/models.py b/moto/sts/models.py
@@ -7,7 +7,7 @@
 
 from moto.core.base_backend import BackendDict, BaseBackend
 from moto.core.common_models import BaseModel
-from moto.core.utils import iso_8601_datetime_with_milliseconds, utcnow
+from moto.core.utils import utcnow
 from moto.iam.models import AccessKey, iam_backends
 from moto.sts.utils import (
     DEFAULT_STS_SESSION_DURATION,
@@ -24,10 +24,6 @@ def __init__(self, duration: int, name: Optional[str] = None):
         self.name = name
         self.policy = None
 
-    @property
-    def expiration_ISO8601(self) -> str:
-        return iso_8601_datetime_with_milliseconds(self.expiration)
-
 
 class AssumedRole(BaseModel):
     def __init__(
@@ -55,10 +51,6 @@ def __init__(
         self.session_token = random_session_token()
         self.partition = get_partition(region_name)
 
-    @property
-    def expiration_ISO8601(self) -> str:
-        return iso_8601_datetime_with_milliseconds(self.expiration)
-
     @property
     def user_id(self) -> str:
         iam_backend = iam_backends[self.account_id][self.partition]
diff --git a/moto/sts/responses.py b/moto/sts/responses.py
@@ -1,4 +1,4 @@
-from moto.core.responses import BaseResponse
+from moto.core.responses import ActionResult, BaseResponse
 
 from .exceptions import STSValidationError
 from .models import STSBackend, sts_backends
@@ -19,13 +19,20 @@ def _determine_resource(self) -> str:
             return self.querystring.get("RoleArn")[0]  # type: ignore[index]
         return "*"
 
-    def get_session_token(self) -> str:
+    def get_session_token(self) -> ActionResult:
         duration = int(self.querystring.get("DurationSeconds", [43200])[0])
         token = self.backend.get_session_token(duration=duration)
-        template = self.response_template(GET_SESSION_TOKEN_RESPONSE)
-        return template.render(token=token)
-
-    def get_federation_token(self) -> str:
+        result = {
+            "Credentials": {
+                "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
+                "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
+                "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
+                "Expiration": token.expiration,
+            }
+        }
+        return ActionResult(result)
+
+    def get_federation_token(self) -> ActionResult:
         duration = int(self.querystring.get("DurationSeconds", [43200])[0])
         policy = self.querystring.get("Policy", [None])[0]
 
@@ -39,12 +46,22 @@ def get_federation_token(self) -> str:
 
         name = self.querystring.get("Name")[0]  # type: ignore
         token = self.backend.get_federation_token(duration=duration, name=name)
-        template = self.response_template(GET_FEDERATION_TOKEN_RESPONSE)
-        return template.render(
-            token=token, account_id=self.current_account, partition=self.partition
-        )
-
-    def assume_role(self) -> str:
+        result = {
+            "Credentials": {
+                "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
+                "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
+                "SessionToken": "AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==",
+                "Expiration": token.expiration,
+            },
+            "FederatedUser": {
+                "FederatedUserId": f"{self.current_account}:{token.name}",
+                "Arn": f"arn:{self.partition}:sts::{self.current_account}:federated-user/{token.name}",
+            },
+            "PackedPolicySize": 6,
+        }
+        return ActionResult(result)
+
+    def assume_role(self) -> ActionResult:
         role_session_name = self.querystring.get("RoleSessionName")[0]  # type: ignore
         role_arn = self.querystring.get("RoleArn")[0]  # type: ignore
 
@@ -60,10 +77,17 @@ def assume_role(self) -> str:
             duration=duration,
             external_id=external_id,
         )
-        template = self.response_template(ASSUME_ROLE_RESPONSE)
-        return template.render(role=role)
-
-    def assume_role_with_web_identity(self) -> str:
+        result = {
+            "Credentials": role,
+            "AssumedRoleUser": {
+                "AssumedRoleId": role.user_id,
+                "Arn": role.arn,
+            },
+            "PackedPolicySize": 6,
+        }
+        return ActionResult(result)
+
+    def assume_role_with_web_identity(self) -> ActionResult:
         role_session_name = self.querystring.get("RoleSessionName")[0]  # type: ignore
         role_arn = self.querystring.get("RoleArn")[0]  # type: ignore
 
@@ -79,10 +103,17 @@ def assume_role_with_web_identity(self) -> str:
             duration=duration,
             external_id=external_id,
         )
-        template = self.response_template(ASSUME_ROLE_WITH_WEB_IDENTITY_RESPONSE)
-        return template.render(role=role)
-
-    def assume_role_with_saml(self) -> str:
+        result = {
+            "Credentials": role,
+            "AssumedRoleUser": {
+                "AssumedRoleId": f"ARO123EXAMPLE123:{role.session_name}",
+                "Arn": role.arn,
+            },
+            "PackedPolicySize": 6,
+        }
+        return ActionResult(result)
+
+    def assume_role_with_saml(self) -> ActionResult:
         role_arn = self.querystring.get("RoleArn")[0]  # type: ignore
         principal_arn = self.querystring.get("PrincipalArn")[0]  # type: ignore
         saml_assertion = self.querystring.get("SAMLAssertion")[0]  # type: ignore
@@ -92,127 +123,29 @@ def assume_role_with_saml(self) -> str:
             principal_arn=principal_arn,
             saml_assertion=saml_assertion,
         )
-        template = self.response_template(ASSUME_ROLE_WITH_SAML_RESPONSE)
-        return template.render(role=role)
-
-    def get_caller_identity(self) -> str:
-        template = self.response_template(GET_CALLER_IDENTITY_RESPONSE)
-
+        result = {
+            "Credentials": role,
+            "AssumedRoleUser": {
+                "AssumedRoleId": role.user_id,
+                "Arn": role.arn,
+            },
+            "PackedPolicySize": 123,
+            "Subject": role.user_id,
+            "SubjectType": "persistent",
+            "Issuer": "http://localhost:3000/",
+            "Audience": "https://signin.aws.amazon.com/saml",
+            "NameQualifier": "B64EncodedStringOfHashOfIssuerAccountIdAndUserId=",
+        }
+        return ActionResult(result)
+
+    def get_caller_identity(self) -> ActionResult:
         access_key_id = self.get_access_key()
         user_id, arn, account_id = self.backend.get_caller_identity(
             access_key_id, self.region
         )
-
-        return template.render(account_id=account_id, user_id=user_id, arn=arn)
-
-
-GET_SESSION_TOKEN_RESPONSE = """<GetSessionTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
-  <GetSessionTokenResult>
-    <Credentials>
-      <SessionToken>AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE</SessionToken>
-      <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
-      <Expiration>{{ token.expiration_ISO8601 }}</Expiration>
-      <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
-    </Credentials>
-  </GetSessionTokenResult>
-  <ResponseMetadata>
-    <RequestId>58c5dbae-abef-11e0-8cfe-09039844ac7d</RequestId>
-  </ResponseMetadata>
-</GetSessionTokenResponse>"""
-
-
-GET_FEDERATION_TOKEN_RESPONSE = """<GetFederationTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
-  <GetFederationTokenResult>
-    <Credentials>
-      <SessionToken>AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==</SessionToken>
-      <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
-      <Expiration>{{ token.expiration_ISO8601 }}</Expiration>
-      <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
-    </Credentials>
-    <FederatedUser>
-      <Arn>arn:{{ partition }}:sts::{{ account_id }}:federated-user/{{ token.name }}</Arn>
-      <FederatedUserId>{{ account_id }}:{{ token.name }}</FederatedUserId>
-    </FederatedUser>
-    <PackedPolicySize>6</PackedPolicySize>
-  </GetFederationTokenResult>
-  <ResponseMetadata>
-    <RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
-  </ResponseMetadata>
-</GetFederationTokenResponse>"""
-
-
-ASSUME_ROLE_RESPONSE = """<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
-  <AssumeRoleResult>
-    <Credentials>
-      <SessionToken>{{ role.session_token }}</SessionToken>
-      <SecretAccessKey>{{ role.secret_access_key }}</SecretAccessKey>
-      <Expiration>{{ role.expiration_ISO8601 }}</Expiration>
-      <AccessKeyId>{{ role.access_key_id }}</AccessKeyId>
-    </Credentials>
-    <AssumedRoleUser>
-      <Arn>{{ role.arn }}</Arn>
-      <AssumedRoleId>{{ role.user_id }}</AssumedRoleId>
-    </AssumedRoleUser>
-    <PackedPolicySize>6</PackedPolicySize>
-  </AssumeRoleResult>
-  <ResponseMetadata>
-    <RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
-  </ResponseMetadata>
-</AssumeRoleResponse>"""
-
-
-ASSUME_ROLE_WITH_WEB_IDENTITY_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
-  <AssumeRoleWithWebIdentityResult>
-    <Credentials>
-      <SessionToken>{{ role.session_token }}</SessionToken>
-      <SecretAccessKey>{{ role.secret_access_key }}</SecretAccessKey>
-      <Expiration>{{ role.expiration_ISO8601 }}</Expiration>
-      <AccessKeyId>{{ role.access_key_id }}</AccessKeyId>
-    </Credentials>
-    <AssumedRoleUser>
-      <Arn>{{ role.arn }}</Arn>
-      <AssumedRoleId>ARO123EXAMPLE123:{{ role.session_name }}</AssumedRoleId>
-    </AssumedRoleUser>
-    <PackedPolicySize>6</PackedPolicySize>
-  </AssumeRoleWithWebIdentityResult>
-  <ResponseMetadata>
-    <RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
-  </ResponseMetadata>
-</AssumeRoleWithWebIdentityResponse>"""
-
-
-ASSUME_ROLE_WITH_SAML_RESPONSE = """<AssumeRoleWithSAMLResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
-  <AssumeRoleWithSAMLResult>
-    <Audience>https://signin.aws.amazon.com/saml</Audience>
-    <AssumedRoleUser>
-      <AssumedRoleId>{{ role.user_id }}</AssumedRoleId>
-      <Arn>{{ role.arn }}</Arn>
-    </AssumedRoleUser>
-    <Credentials>
-      <AccessKeyId>{{ role.access_key_id }}</AccessKeyId>
-      <SecretAccessKey>{{ role.secret_access_key }}</SecretAccessKey>
-      <SessionToken>{{ role.session_token }}</SessionToken>
-      <Expiration>{{ role.expiration_ISO8601 }}</Expiration>
-    </Credentials>
-    <Subject>{{ role.user_id }}</Subject>
-    <NameQualifier>B64EncodedStringOfHashOfIssuerAccountIdAndUserId=</NameQualifier>
-    <SubjectType>persistent</SubjectType>
-    <Issuer>http://localhost:3000/</Issuer>
-  </AssumeRoleWithSAMLResult>
-  <ResponseMetadata>
-    <RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
-  </ResponseMetadata>
-</AssumeRoleWithSAMLResponse>"""
-
-
-GET_CALLER_IDENTITY_RESPONSE = """<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
-  <GetCallerIdentityResult>
-    <Arn>{{ arn }}</Arn>
-    <UserId>{{ user_id }}</UserId>
-    <Account>{{ account_id }}</Account>
-  </GetCallerIdentityResult>
-  <ResponseMetadata>
-    <RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
-  </ResponseMetadata>
-</GetCallerIdentityResponse>
-"""
+        result = {
+            "UserId": user_id,
+            "Account": account_id,
+            "Arn": arn,
+        }
+        return ActionResult(result)
