def test_cert(server, env): crt_file = os.path.join(HERE, 'certs', 'client.crt') csr_file = os.path.join(HERE, 'certs', 'client.csr') key_file = os.path.join(HERE, 'certs', 'client.key') ca_path = os.path.join(HERE, 'certs') client = Vault(server.addr, cert=[server.csr, server.key]) state = yield from client.initialize(secret_shares=5, secret_threshold=3) yield from client.seal.unseal(state.keys) yield from client.audit.enable('file', path='/tmp/aiovault.log') backend = yield from client.auth.enable('cert') assert backend.__repr__() == "<CertBackend(name='cert')>" with open(csr_file) as file: written = yield from backend.write_cert('foo', certificate=file.read(), policies=['pierre', 'pol']) assert written data = yield from backend.read_cert('foo') assert 'pierre' in data['policies'] # TODO does not work with Vault v0.1.2 # return client = Vault(server.addr, cert=[crt_file, key_file], verify=crt_file) backend = client.auth.load('cert') res = yield from backend.login() print(res)
def test_help(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) response = yield from client.read('/sys/auth/github', params={"help": 1}) data = yield from response.json() assert 'help' in data
def test_github_loading(dev_server, env): try: github_org = env.GITHUB_ORG github_token = env.GITHUB_TOKEN except AttributeError: return 'GITHUB_ORG or GITHUB_TOKEN missing' client = Vault(dev_server.addr, token=dev_server.root_token) backend1 = backend = yield from client.auth.enable('github') configured = yield from backend.configure(organization=github_org) assert configured configured = yield from backend.write_team('test', policies='foo') assert configured client = Vault(dev_server.addr) backend = client.auth.load('github') dummy_token = '1111111111111111111111111111111111111111' with pytest.raises(LoginError): yield from backend.login(github_token=dummy_token) yield from backend.login(github_token=github_token) disabled = yield from backend1.disable() assert disabled
def test_renew(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) response = yield from client.write('/secret/foo', json={ 'data': 'bar', 'lease': '1h' }) assert response.status == 204 response = yield from client.read('/secret/foo') result = yield from response.json() renewed = yield from client.lease.renew(result['lease_id']) assert renewed
def test_status(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) response = yield from client.status() assert response.initialized is True response = yield from client.leader() assert response.enabled is False assert response.is_self is False response = yield from client.health() assert response.initialized is True assert response.sealed is dev_server.sealed
def test_init(server): client = Vault(server.addr, cert=[server.csr, server.key]) print(client) response = yield from client.status() print(response) state = yield from client.initialize(secret_shares=5, secret_threshold=3) assert hasattr(state, 'root_token') assert hasattr(state, 'keys') status = yield from client.seal.status() assert status.sealed is True status = yield from client.seal.unseal(state.keys) assert status.sealed is False
def test_revoke_orphan(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) parent_token = yield from client.auth.create() client_b = Vault(dev_server.addr, token=parent_token) child_token = yield from client_b.auth.create() yield from client.auth.lookup(parent_token) yield from client.auth.lookup(child_token) yield from client.auth.revoke_orphan(parent_token) with pytest.raises(KeyError): yield from client.auth.lookup(parent_token) yield from client.auth.lookup(child_token)
def test_crud(dev_server, env): try: access_key = env.AWS_ACCESS_KEY_ID secret_key = env.AWS_SECRET_ACCESS_KEY region = env.AWS_DEFAULT_REGION except AttributeError: return 'AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY \ or AWS_DEFAULT_REGION missing' client = Vault(dev_server.addr, token=dev_server.root_token) mounted, backend = yield from client.secret.mount('aws') configured = yield from backend.config_root(access_key=access_key, secret_key=secret_key, region=region) assert configured configured = yield from backend.config_lease(lease='1m', lease_max='1m') assert configured configured = yield from backend.write_role('test', policy=AWS_POLICY) assert configured role = yield from backend.read_role('test') assert 'policy' in role deleted = yield from backend.delete_role('test') assert deleted with pytest.raises(KeyError): yield from backend.read_role('test')
def test_basic(dev_server, env): try: access_key = env.AWS_ACCESS_KEY_ID secret_key = env.AWS_SECRET_ACCESS_KEY region = env.AWS_DEFAULT_REGION except AttributeError: return 'AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY \ or AWS_DEFAULT_REGION missing' client = Vault(dev_server.addr, token=dev_server.root_token) mounted, backend = yield from client.secret.mount('aws') configured = yield from backend.config_root(access_key=access_key, secret_key=secret_key, region=region) assert configured configured = yield from backend.config_lease(lease='1m', lease_max='1m') assert configured configured = yield from backend.write_role('foo', policy=AWS_POLICY) assert configured data = yield from backend.creds('foo') assert 'access_key' in data assert 'secret_key' in data
def test_basic(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) mounted, backend = yield from client.secret.mount('transit') assert mounted written = yield from backend.write_key('test', derived=False) assert written policy = yield from backend.read_key('test') assert policy['name'] == 'test' assert policy['derived'] is False policy = yield from backend.read_raw('test') assert policy['name'] == 'test' assert policy['derived'] is False encrypted = yield from backend.encrypt('test', PLAIN_TEXT) assert 'ciphertext' in encrypted ciphertext = encrypted['ciphertext'] decrypted = yield from backend.decrypt('test', ciphertext) assert 'plaintext' in decrypted assert decrypted['plaintext'] == PLAIN_TEXT deleted = yield from backend.delete_key('test') assert deleted with pytest.raises(KeyError): yield from backend.read_key('test') with pytest.raises(KeyError): yield from backend.read_raw('test')
def test_generic(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) store = client.secret.load('secret', type='generic') assert store.__repr__() == "<GenericBackend(name='secret')>" data = yield from store.write('foo', {'value': 'bar'}) assert data data = yield from store.read('foo') assert data == {'value': 'bar'} data = yield from store.delete('foo') assert data with pytest.raises(ValueError): yield from store.write('bar', 'baz') with pytest.raises(KeyError): yield from store.read('bar') data = yield from store.delete('bar') assert data is True data = yield from store.delete('bar') assert data is True
def test_initial_status(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) response = yield from client.seal.status() assert response.sealed == dev_server.sealed assert response.threshold == dev_server.threshold assert response.shares == dev_server.shares assert response.progress == dev_server.progress
def test_revoke_prefix(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) token = yield from client.auth.create() yield from client.auth.lookup(token) revoked = yield from client.auth.revoke_prefix('auth/token/') assert revoked is True with pytest.raises(KeyError): yield from client.auth.lookup(token)
def test_shortcut(dev_server): """docstring for test_shortcut""" client = Vault(dev_server.addr, token=dev_server.root_token) mounted, backend = yield from client.secret.mount('transit') assert mounted backend = client.secret.transit written = yield from backend.write_key('test') assert written
def test_auth(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) # list mounted backends backends = yield from client.auth.items() assert len(backends) == 1 yield from client.auth.enable('app-id') backends = yield from client.auth.items() assert len(backends) == 2 assert 'app-id' in backends
def test_userpass(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) # enable userpass backend = yield from client.auth.enable('userpass') response = yield from backend.create('mitchellh', 'foo') assert response # raw login response = yield from client.write('/auth/userpass/login/mitchellh', json={"password": "******"}) result = yield from response.json() assert result['auth']['metadata'] == {'username': '******'} # nicer login token = yield from client.login('userpass', username='******', password='******') assert token['metadata'] == {'username': '******'}
def test_github_raw_loading(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) response = yield from client.read('/sys/auth/github/login', params={"help": 1}) data = yield from response.json() print(data['help']) # low level create/delete response = yield from client.write('/sys/auth/github', json={"type": "github"}) assert response.status == 204, 'Must add github auth backend' response = yield from client.delete('/sys/auth/github') assert response.status == 204, 'Must delete github auth backend' # high level create/delete response = yield from client.auth.enable('github') assert response.type == 'github', 'Must add github auth backend' response = yield from client.auth.disable('github') assert response is True, 'Must delete github auth backend'
def test_seal(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) status = yield from client.seal.status() assert status.sealed is False sealed = yield from client.seal.seal() assert sealed is True status = yield from client.seal.status() assert status.sealed is True status = yield from client.seal.unseal(dev_server.unseal_key) assert status.sealed is False
def test_basic(dev_server, consul): client = Vault(dev_server.addr, token=dev_server.root_token) mounted, backend = yield from client.secret.mount('consul') assert mounted store = client.secret.load('consul') configured = yield from store.config_access(address=consul.address, token=consul.acl_master_token) assert configured configured = yield from store.write_role('foo', policy=CONSUL_POLICY) assert configured data = yield from store.creds('foo') assert 'token' in data
def test_ldap(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) backend = yield from client.auth.enable('ldap') configured = yield from backend.configure(url='ldap://ldap.forumsys.com', userattr='uid', userdn='dc=example,dc=com', groupdn='dc=example,dc=com') assert configured writen = yield from backend.write_group(name='scientists', policies='foo') assert writen token = yield from backend.login(username='******', password='******') assert token['metadata']['username'] == 'tesla'
def test_secret_mount(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) mounted, backend = yield from client.secret.mount('consul') assert mounted is True, 'must be mounted' mounted, _ = yield from client.secret.mount('consul') assert mounted is False, 'must be already mounted' with pytest.raises(MountError): # already mounted yield from backend.mount() yield from backend.unmount() unmounted = yield from client.secret.unmount('consul') assert unmounted is False, 'must be already unmounted' with pytest.raises(MountError): # already unmounted yield from backend.unmount()
def test_secret_2(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) # list mounted backends backends = yield from client.secret.items() assert len(backends) == 2 mounted, backend = yield from client.secret.mount('consul') backends = yield from client.secret.items() assert len(backends) == 3 assert 'consul' in backends yield from backend.remount('newpath') backends = yield from client.secret.items() assert len(backends) == 3 assert 'newpath' in backends yield from backend.unmount() backends = yield from client.secret.items() assert len(backends) == 2
def test_crud(dev_server, consul): client = Vault(dev_server.addr, token=dev_server.root_token) mounted, backend = yield from client.secret.mount('consul') assert mounted store = client.secret.load('consul') configured = yield from store.config_access(address=consul.address, token=consul.acl_master_token) assert configured configured = yield from store.write_role('foo', policy=CONSUL_POLICY) assert configured role = yield from store.read_role('foo') assert 'policy' in role deleted = yield from store.delete_role('foo') assert deleted with pytest.raises(KeyError): yield from store.read_role('foo')
def test_audit_syslog(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) # enable syslog enabled = yield from client.audit.enable('syslog') assert enabled backends = yield from client.audit.items() assert 'syslog/' in backends backend = yield from client.audit.get('syslog') print(backend) disabled = yield from client.audit.disable('syslog') assert disabled with pytest.raises(KeyError): yield from client.audit.get('syslog') backends = yield from client.audit.items() assert 'syslog/' not in backends
def test_basic(dev_server, env): try: dsn = env.PG_URL except AttributeError: return 'PG_URL must be set for acceptance tests' client = Vault(dev_server.addr, token=dev_server.root_token) mounted, backend = yield from client.secret.mount('postgresql') assert mounted configured = yield from backend.config_connection(dsn=dsn) assert configured configured = yield from backend.config_lease('1m', '1m') assert configured configured = yield from backend.write_role('web', sql=PG_SQL) assert configured data = yield from backend.creds('web') assert 'username' in data assert 'password' in data
def test_ldap_crud(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) backend = yield from client.auth.enable('ldap') configured = yield from backend.configure(url='ldap://ldap.forumsys.com', userattr='uid', userdn='dc=example,dc=com', groupdn='dc=example,dc=com') assert configured writen = yield from backend.write_group(name='g1', policies='foo') assert writen data = yield from backend.read_group(name='g1') assert data['policies'] == {'foo'} deleted = yield from backend.delete_group(name='g1') assert deleted with pytest.raises(KeyError): yield from backend.read_group(name='g1')
def test_policy(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) policies = yield from client.policy.items() assert 'root' in policies assert 'foo' not in policies absent = yield from client.policy.delete('foo') assert absent is True absent = yield from client.policy.delete('foo') assert absent is True policy = yield from client.policy.read('root') assert policy.name == 'root' with pytest.raises(KeyError): yield from client.policy.read('foo') rules = {'sys': {'policy': 'deny'}} written = yield from client.policy.write('foo', rules) assert written is True policy = yield from client.policy.read('foo') assert policy.name == 'foo' assert 'sys' in policy assert policy.rules == rules assert policy == rules # add other rules policy['bar/baz'] = 'deny' written = yield from client.policy.write('foo', policy) assert written is True policy = yield from client.policy.read('foo') assert policy.name == 'foo' assert 'sys' in policy assert 'bar/baz' in policy
def test_policy_hl(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) policies = yield from client.policy.items() assert 'root' in policies response = yield from client.policy.write_path('foo', 'my/path', 'read') assert response rules = yield from client.policy.read('foo') assert 'my/path' in rules assert 'cert' not in rules backend = client.auth.load('cert') response = yield from client.policy.write_path('foo', backend, 'read') assert response rules = yield from client.policy.read('foo') assert 'my/path' in rules assert 'auth/cert' in rules response = yield from client.policy.delete_path('foo', 'my/path') assert response rules = yield from client.policy.read('foo') assert 'my/path' not in rules assert 'auth/cert' in rules
def test_crud(dev_server, env): try: dsn = env.PG_URL except AttributeError: return 'PG_URL must be set for acceptance tests' client = Vault(dev_server.addr, token=dev_server.root_token) mounted, backend = yield from client.secret.mount('postgresql') assert mounted configured = yield from backend.config_connection(dsn=dsn) assert configured configured = yield from backend.write_role('web', sql=PG_SQL) assert configured role = yield from backend.read_role('web') assert 'sql' in role deleted = yield from backend.delete_role('web') assert deleted with pytest.raises(KeyError): yield from backend.read_role('web')
def test_appid_raw(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) # enable app-id response = yield from client.write('/sys/auth/app-id', json={'type': 'app-id'}) assert response.status == 204 response = yield from client.write('/auth/app-id/map/app-id/foo', json={'value': 'dummy'}) response = yield from client.write('/auth/app-id/map/user-id/bar', json={'value': 'foo'}) assert response.status == 204 # do login client = Vault(dev_server.addr) # login response = yield from client.write('/auth/app-id/login', json={'app_id': 'foo', 'user_id': 'bar'}) result = yield from response.json() assert result['auth']['policies'] == ['dummy']
def test_renew(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) token = yield from client.auth.create(lease='1h') token = yield from client.auth.renew(token)
def test_lookup_1(dev_server): client = Vault(dev_server.addr, token=dev_server.root_token) token = yield from client.auth.lookup_self() assert token.id == dev_server.root_token