def test_reload_when_mtime_changes(self, getmtime, fstat):
getmtime.return_value = 1
fstat.return_value = mock.Mock(st_mtime=1)
self._fill_secrets_file("""{
"secrets": {
"test": {"a": 1}
},
"vault": {
"token": "test",
"url": "http://vault.example.com:8200/"
}
}""")
secrets = store.SecretsStore(self.tempfile.name)
self.assertEqual(secrets.get_raw("test"), {"a": 1})
getmtime.return_value = 2
fstat.return_value = mock.Mock(st_mtime=2)
self._fill_secrets_file("""{
"secrets": {
"test": {"a": 2}
},
"vault": {
"token": "test",
"url": "http://vault.example.com:8200/"
}
}""")
self.assertEqual(secrets.get_raw("test"), {"a": 2})
def setUp(self):
configurator = Configurator()
configurator.add_route("example", "/example", request_method="GET")
configurator.add_route("trace_context", "/trace_context", request_method="GET")
configurator.add_view(
example_application, route_name="example", renderer="json")
configurator.add_view(
local_tracing_within_context, route_name="trace_context", renderer="json")
configurator.add_view(
render_exception_view,
context=ControlFlowException,
renderer="json",
)
configurator.add_view(
render_bad_exception_view,
context=ControlFlowException2,
renderer="json",
)
mock_filewatcher = mock.Mock(spec=FileWatcher)
mock_filewatcher.get_data.return_value = {
"secrets": {
"jwt/authentication/secret": {
"type": "simple",
"value": self.TOKEN_SECRET,
},
},
"vault": {
"token": "test",
"url": "http://vault.example.com:8200/",
}
}
secrets = store.SecretsStore("/secrets")
secrets._filewatcher = mock_filewatcher
self.observer = mock.Mock(spec=BaseplateObserver)
self.server_observer = mock.Mock(spec=ServerSpanObserver)
def _register_mock(context, server_span):
server_span.register(self.server_observer)
self.observer.on_server_span_created.side_effect = _register_mock
self.baseplate = Baseplate()
self.baseplate.register(self.observer)
self.baseplate_configurator = BaseplateConfigurator(
self.baseplate,
trust_trace_headers=True,
auth_factory=AuthenticationContextFactory(secrets),
)
configurator.include(self.baseplate_configurator.includeme)
self.context_init_event_subscriber = mock.Mock()
configurator.add_subscriber(self.context_init_event_subscriber, ServerSpanInitialized)
app = configurator.make_wsgi_app()
self.test_app = webtest.TestApp(app)
def test_simple_secrets(self):
self._fill_secrets_file("""{
"secrets": {
"test": {
"type": "simple",
"value": "easy"
},
"test_base64": {
"type": "simple",
"value": "aHVudGVyMg==",
"encoding": "base64"
},
"test_unknown_encoding": {
"type": "simple",
"value": "sdlfkj",
"encoding": "mystery"
},
"test_not_simple": {
"something": "else"
},
"test_no_value": {
"type": "simple"
},
"test_bad_base64": {
"type": "simple",
"value": "aHVudGVyMg",
"encoding": "base64"
}
},
"vault": {
"token": "test",
"url": "http://vault.example.com:8200/"
}
}""")
secrets = store.SecretsStore(self.tempfile.name)
self.assertEqual(secrets.get_simple("test"), b"easy")
self.assertEqual(secrets.get_simple("test_base64"), b"hunter2")
with self.assertRaises(store.CorruptSecretError):
secrets.get_simple("test_unknown_encoding")
with self.assertRaises(store.CorruptSecretError):
secrets.get_simple("test_not_simple")
with self.assertRaises(store.CorruptSecretError):
secrets.get_simple("test_no_value")
with self.assertRaises(store.CorruptSecretError):
secrets.get_simple("test_bad_base64")
def make_edge_context_factory():
mock_filewatcher = mock.Mock(spec=FileWatcher)
mock_filewatcher.get_data.return_value = {
"secrets": {
"secret/authentication/public-key": {
"type": "versioned",
"current": AUTH_TOKEN_PUBLIC_KEY,
}
},
"vault": {"token": "test", "url": "http://vault.example.com:8200/"},
}
secrets = store.SecretsStore("/secrets")
secrets._filewatcher = mock_filewatcher
return EdgeRequestContextFactory(secrets)
def setUp(self):
self.itrans = TMemoryBuffer()
self.iprot = THeaderProtocol(self.itrans)
self.otrans = TMemoryBuffer()
self.oprot = THeaderProtocol(self.otrans)
self.observer = mock.Mock(spec=BaseplateObserver)
self.server_observer = mock.Mock(spec=ServerSpanObserver)
def _register_mock(context, server_span):
server_span.register(self.server_observer)
self.observer.on_server_span_created.side_effect = _register_mock
self.logger = mock.Mock(spec=logging.Logger)
self.server_context = TRpcConnectionContext(self.itrans, self.iprot,
self.oprot)
mock_filewatcher = mock.Mock(spec=FileWatcher)
mock_filewatcher.get_data.return_value = {
"secrets": {
"secret/authentication/public-key": {
"type": "versioned",
"current": AUTH_TOKEN_PUBLIC_KEY,
},
},
"vault": {
"token": "test",
"url": "http://vault.example.com:8200/",
}
}
self.secrets = store.SecretsStore("/secrets")
self.secrets._filewatcher = mock_filewatcher
baseplate = Baseplate()
baseplate.register(self.observer)
self.edge_context_factory = EdgeRequestContextFactory(self.secrets)
event_handler = BaseplateProcessorEventHandler(
self.logger,
baseplate,
edge_context_factory=self.edge_context_factory,
)
handler = TestHandler()
self.processor = TestService.ContextProcessor(handler)
self.processor.setEventHandler(event_handler)
def setUp(self):
mock_filewatcher = mock.Mock(spec=FileWatcher)
mock_filewatcher.get_data.return_value = {
"secrets": {
"jwt/authentication/secret": {
"type": "simple",
"value": self.TOKEN_SECRET,
},
},
"vault": {
"token": "test",
"url": "http://vault.example.com:8200/",
}
}
self.store = store.SecretsStore("/secrets")
self.store._filewatcher = mock_filewatcher
def test_dont_reload_while_not_changed(self, getmtime, fstat):
getmtime.return_value = 1
fstat.return_value = mock.Mock(st_mtime=1)
self._fill_secrets_file("""{
"secrets": {
"test": {"a": 1}
},
"vault": {
"token": "test",
"url": "http://vault.example.com:8200/"
}
}""")
secrets = store.SecretsStore(self.tempfile.name)
self.assertEqual(secrets.get_raw("test"), {"a": 1})
# this will not parse, so we know we didn't reload if we don't crash!
self._fill_secrets_file("!")
self.assertEqual(secrets.get_raw("test"), {"a": 1})
def test_initial_fetch_loads_secrets(self):
self._fill_secrets_file("""{
"secrets": {
"test": {"a": 1}
},
"vault": {
"token": "test",
"url": "http://vault.example.com:8200/"
}
}""")
secrets = store.SecretsStore(self.tempfile.name)
secret = secrets.get_raw("test")
self.assertEqual(secret, {"a": 1})
self.assertEqual(secrets.get_vault_token(), "test")
self.assertEqual(secrets.get_vault_url(),
"http://vault.example.com:8200/")
with self.assertRaises(store.SecretNotFoundError):
secrets.get_raw("does_not_exist")
def setUp(self):
self.mock_filewatcher = mock.Mock(spec=FileWatcher)
self.store = store.SecretsStore("/whatever")
self.store._filewatcher = self.mock_filewatcher
def test_file_not_found(self):
secrets = store.SecretsStore("/does_not_exist")
with self.assertRaises(store.SecretsNotAvailableError):
secrets.get_raw("test")
def test_versioned_secrets(self):
self._fill_secrets_file("""{
"secrets": {
"test": {
"type": "versioned",
"current": "easy"
},
"test_base64": {
"type": "versioned",
"previous": "aHVudGVyMQ==",
"current": "aHVudGVyMg==",
"next": "aHVudGVyMw==",
"encoding": "base64"
},
"test_unknown_encoding": {
"type": "versioned",
"current": "sdlfkj",
"encoding": "mystery"
},
"test_not_versioned": {
"something": "else"
},
"test_no_value": {
"type": "versioned"
},
"test_bad_base64": {
"type": "simple",
"value": "aHVudGVyMg",
"encoding": "base64"
}
},
"vault": {
"token": "test",
"url": "http://vault.example.com:8200/"
}
}""")
secrets = store.SecretsStore(self.tempfile.name)
simple = secrets.get_versioned("test")
self.assertEqual(simple.current, b"easy")
self.assertEqual(list(simple.all_versions), [b"easy"])
encoded = secrets.get_versioned("test_base64")
self.assertEqual(encoded.previous, b"hunter1")
self.assertEqual(encoded.current, b"hunter2")
self.assertEqual(encoded.next, b"hunter3")
self.assertEqual(list(encoded.all_versions),
[b"hunter2", b"hunter1", b"hunter3"])
with self.assertRaises(store.CorruptSecretError):
secrets.get_versioned("test_unknown_encoding")
with self.assertRaises(store.CorruptSecretError):
secrets.get_versioned("test_not_versioned")
with self.assertRaises(store.CorruptSecretError):
secrets.get_versioned("test_no_value")
with self.assertRaises(store.CorruptSecretError):
secrets.get_versioned("test_bad_base64")
