def test_reload_when_mtime_changes(self, getmtime, fstat): getmtime.return_value = 1 fstat.return_value = mock.Mock(st_mtime=1) self._fill_secrets_file("""{ "secrets": { "test": {"a": 1} }, "vault": { "token": "test", "url": "http://vault.example.com:8200/" } }""") secrets = store.SecretsStore(self.tempfile.name) self.assertEqual(secrets.get_raw("test"), {"a": 1}) getmtime.return_value = 2 fstat.return_value = mock.Mock(st_mtime=2) self._fill_secrets_file("""{ "secrets": { "test": {"a": 2} }, "vault": { "token": "test", "url": "http://vault.example.com:8200/" } }""") self.assertEqual(secrets.get_raw("test"), {"a": 2})
def setUp(self): configurator = Configurator() configurator.add_route("example", "/example", request_method="GET") configurator.add_route("trace_context", "/trace_context", request_method="GET") configurator.add_view( example_application, route_name="example", renderer="json") configurator.add_view( local_tracing_within_context, route_name="trace_context", renderer="json") configurator.add_view( render_exception_view, context=ControlFlowException, renderer="json", ) configurator.add_view( render_bad_exception_view, context=ControlFlowException2, renderer="json", ) mock_filewatcher = mock.Mock(spec=FileWatcher) mock_filewatcher.get_data.return_value = { "secrets": { "jwt/authentication/secret": { "type": "simple", "value": self.TOKEN_SECRET, }, }, "vault": { "token": "test", "url": "http://vault.example.com:8200/", } } secrets = store.SecretsStore("/secrets") secrets._filewatcher = mock_filewatcher self.observer = mock.Mock(spec=BaseplateObserver) self.server_observer = mock.Mock(spec=ServerSpanObserver) def _register_mock(context, server_span): server_span.register(self.server_observer) self.observer.on_server_span_created.side_effect = _register_mock self.baseplate = Baseplate() self.baseplate.register(self.observer) self.baseplate_configurator = BaseplateConfigurator( self.baseplate, trust_trace_headers=True, auth_factory=AuthenticationContextFactory(secrets), ) configurator.include(self.baseplate_configurator.includeme) self.context_init_event_subscriber = mock.Mock() configurator.add_subscriber(self.context_init_event_subscriber, ServerSpanInitialized) app = configurator.make_wsgi_app() self.test_app = webtest.TestApp(app)
def test_simple_secrets(self): self._fill_secrets_file("""{ "secrets": { "test": { "type": "simple", "value": "easy" }, "test_base64": { "type": "simple", "value": "aHVudGVyMg==", "encoding": "base64" }, "test_unknown_encoding": { "type": "simple", "value": "sdlfkj", "encoding": "mystery" }, "test_not_simple": { "something": "else" }, "test_no_value": { "type": "simple" }, "test_bad_base64": { "type": "simple", "value": "aHVudGVyMg", "encoding": "base64" } }, "vault": { "token": "test", "url": "http://vault.example.com:8200/" } }""") secrets = store.SecretsStore(self.tempfile.name) self.assertEqual(secrets.get_simple("test"), b"easy") self.assertEqual(secrets.get_simple("test_base64"), b"hunter2") with self.assertRaises(store.CorruptSecretError): secrets.get_simple("test_unknown_encoding") with self.assertRaises(store.CorruptSecretError): secrets.get_simple("test_not_simple") with self.assertRaises(store.CorruptSecretError): secrets.get_simple("test_no_value") with self.assertRaises(store.CorruptSecretError): secrets.get_simple("test_bad_base64")
def make_edge_context_factory(): mock_filewatcher = mock.Mock(spec=FileWatcher) mock_filewatcher.get_data.return_value = { "secrets": { "secret/authentication/public-key": { "type": "versioned", "current": AUTH_TOKEN_PUBLIC_KEY, } }, "vault": {"token": "test", "url": "http://vault.example.com:8200/"}, } secrets = store.SecretsStore("/secrets") secrets._filewatcher = mock_filewatcher return EdgeRequestContextFactory(secrets)
def setUp(self): self.itrans = TMemoryBuffer() self.iprot = THeaderProtocol(self.itrans) self.otrans = TMemoryBuffer() self.oprot = THeaderProtocol(self.otrans) self.observer = mock.Mock(spec=BaseplateObserver) self.server_observer = mock.Mock(spec=ServerSpanObserver) def _register_mock(context, server_span): server_span.register(self.server_observer) self.observer.on_server_span_created.side_effect = _register_mock self.logger = mock.Mock(spec=logging.Logger) self.server_context = TRpcConnectionContext(self.itrans, self.iprot, self.oprot) mock_filewatcher = mock.Mock(spec=FileWatcher) mock_filewatcher.get_data.return_value = { "secrets": { "secret/authentication/public-key": { "type": "versioned", "current": AUTH_TOKEN_PUBLIC_KEY, }, }, "vault": { "token": "test", "url": "http://vault.example.com:8200/", } } self.secrets = store.SecretsStore("/secrets") self.secrets._filewatcher = mock_filewatcher baseplate = Baseplate() baseplate.register(self.observer) self.edge_context_factory = EdgeRequestContextFactory(self.secrets) event_handler = BaseplateProcessorEventHandler( self.logger, baseplate, edge_context_factory=self.edge_context_factory, ) handler = TestHandler() self.processor = TestService.ContextProcessor(handler) self.processor.setEventHandler(event_handler)
def setUp(self): mock_filewatcher = mock.Mock(spec=FileWatcher) mock_filewatcher.get_data.return_value = { "secrets": { "jwt/authentication/secret": { "type": "simple", "value": self.TOKEN_SECRET, }, }, "vault": { "token": "test", "url": "http://vault.example.com:8200/", } } self.store = store.SecretsStore("/secrets") self.store._filewatcher = mock_filewatcher
def test_dont_reload_while_not_changed(self, getmtime, fstat): getmtime.return_value = 1 fstat.return_value = mock.Mock(st_mtime=1) self._fill_secrets_file("""{ "secrets": { "test": {"a": 1} }, "vault": { "token": "test", "url": "http://vault.example.com:8200/" } }""") secrets = store.SecretsStore(self.tempfile.name) self.assertEqual(secrets.get_raw("test"), {"a": 1}) # this will not parse, so we know we didn't reload if we don't crash! self._fill_secrets_file("!") self.assertEqual(secrets.get_raw("test"), {"a": 1})
def test_initial_fetch_loads_secrets(self): self._fill_secrets_file("""{ "secrets": { "test": {"a": 1} }, "vault": { "token": "test", "url": "http://vault.example.com:8200/" } }""") secrets = store.SecretsStore(self.tempfile.name) secret = secrets.get_raw("test") self.assertEqual(secret, {"a": 1}) self.assertEqual(secrets.get_vault_token(), "test") self.assertEqual(secrets.get_vault_url(), "http://vault.example.com:8200/") with self.assertRaises(store.SecretNotFoundError): secrets.get_raw("does_not_exist")
def setUp(self): self.mock_filewatcher = mock.Mock(spec=FileWatcher) self.store = store.SecretsStore("/whatever") self.store._filewatcher = self.mock_filewatcher
def test_file_not_found(self): secrets = store.SecretsStore("/does_not_exist") with self.assertRaises(store.SecretsNotAvailableError): secrets.get_raw("test")
def test_versioned_secrets(self): self._fill_secrets_file("""{ "secrets": { "test": { "type": "versioned", "current": "easy" }, "test_base64": { "type": "versioned", "previous": "aHVudGVyMQ==", "current": "aHVudGVyMg==", "next": "aHVudGVyMw==", "encoding": "base64" }, "test_unknown_encoding": { "type": "versioned", "current": "sdlfkj", "encoding": "mystery" }, "test_not_versioned": { "something": "else" }, "test_no_value": { "type": "versioned" }, "test_bad_base64": { "type": "simple", "value": "aHVudGVyMg", "encoding": "base64" } }, "vault": { "token": "test", "url": "http://vault.example.com:8200/" } }""") secrets = store.SecretsStore(self.tempfile.name) simple = secrets.get_versioned("test") self.assertEqual(simple.current, b"easy") self.assertEqual(list(simple.all_versions), [b"easy"]) encoded = secrets.get_versioned("test_base64") self.assertEqual(encoded.previous, b"hunter1") self.assertEqual(encoded.current, b"hunter2") self.assertEqual(encoded.next, b"hunter3") self.assertEqual(list(encoded.all_versions), [b"hunter2", b"hunter1", b"hunter3"]) with self.assertRaises(store.CorruptSecretError): secrets.get_versioned("test_unknown_encoding") with self.assertRaises(store.CorruptSecretError): secrets.get_versioned("test_not_versioned") with self.assertRaises(store.CorruptSecretError): secrets.get_versioned("test_no_value") with self.assertRaises(store.CorruptSecretError): secrets.get_versioned("test_bad_base64")