 def test_oneof_valid(self):
     """Every declared choice name maps to its configured value."""
     parser = config.OneOf(ONE=1, TWO=2, THREE=3)
     for name, expected in (("ONE", 1), ("TWO", 2), ("THREE", 3)):
         self.assertEqual(parser(name), expected)
 def test_oneof_invalid(self):
     """Values outside the declared choices (including empty) raise ValueError."""
     parser = config.OneOf(ONE=1, TWO=2, THREE=3)
     for rejected in ("", "FOUR"):
         with self.assertRaises(ValueError):
             parser(rejected)
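def main():
    """Command-line entry point for the secret fetcher.

    Parses the command line, loads the ``[secret-fetcher]`` section of the
    given configuration file, builds a ``VaultClientFactory`` from it and
    then either fetches secrets a single time (``--once``) or loops forever,
    re-fetching shortly before the soonest known expiration.

    Raises:
        configparser.NoSectionError: the config file has no
            ``[secret-fetcher]`` section.
        SystemExit: raised by argparse on invalid arguments or an
            unreadable config file path.
    """
    arg_parser = argparse.ArgumentParser()
    arg_parser.add_argument("config_file",
                            type=argparse.FileType("r"),
                            help="path to a configuration file")
    arg_parser.add_argument("--debug",
                            default=False,
                            action="store_true",
                            help="enable debug logging")
    arg_parser.add_argument(
        "--once",
        default=False,
        action="store_true",
        help="only run the fetcher once rather than as a daemon",
    )
    args = arg_parser.parse_args()

    level = logging.DEBUG if args.debug else logging.INFO
    logging.basicConfig(format="%(asctime)s:%(levelname)s:%(message)s",
                        level=level)

    parser = configparser.RawConfigParser()
    # argparse opened the file for us; close it as soon as it has been read
    # rather than holding the handle for the daemon's whole lifetime.
    # read_file() is the replacement for readfp(), which was removed in
    # Python 3.12.
    with args.config_file as config_file:
        parser.read_file(config_file)
    fetcher_config = dict(parser.items("secret-fetcher"))

    # Schema for the [secret-fetcher] section. Output defaults are
    # deliberately restrictive: owner/group 0 and mode 0400 (owner read-only,
    # base-8 "mode" in the config), so the written secrets file is not
    # world-readable unless the config explicitly widens it.
    cfg = config.parse_config(
        fetcher_config,
        {
            "vault": {
                "url":
                config.String,
                "role":
                config.String,
                "auth_type":
                config.Optional(
                    config.OneOf(**VaultClientFactory.auth_types()),
                    default=VaultClientFactory.auth_types()["aws"],
                ),
                "mount_point":
                config.Optional(config.String, default="aws-ec2"),
            },
            "output": {
                "path":
                config.Optional(config.String,
                                default="/var/local/secrets.json"),
                "owner":
                config.Optional(config.UnixUser, default=0),
                "group":
                config.Optional(config.UnixGroup, default=0),
                "mode":
                config.Optional(config.Integer(base=8), default=0o400),
            },
            "secrets": config.Optional(config.TupleOf(config.String),
                                       default=[]),
        },
    )

    # pylint: disable=maybe-no-member
    client_factory = VaultClientFactory(cfg.vault.url, cfg.vault.role,
                                        cfg.vault.auth_type,
                                        cfg.vault.mount_point)

    if args.once:
        logger.info("Running secret fetcher once")
        fetch_secrets(cfg, client_factory)
    else:
        logger.info("Running secret fetcher as a daemon")
        while True:
            # fetch_secrets() returns the soonest expiration as a datetime
            # that is compared against a naive UTC "now"; sleep until
            # VAULT_TOKEN_PREFETCH_TIME before it (assumed to be a
            # timedelta -- confirm). The 1-second floor stops the loop from
            # spinning when the expiration is already in the past.
            # NOTE(review): utcnow() is deprecated since Python 3.12; switching
            # to an aware datetime requires fetch_secrets() to return one too.
            soonest_expiration = fetch_secrets(cfg, client_factory)
            time_til_expiration = soonest_expiration - datetime.datetime.utcnow(
            )
            time_to_sleep = time_til_expiration - VAULT_TOKEN_PREFETCH_TIME
            time.sleep(max(int(time_to_sleep.total_seconds()), 1))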