def setUpClass(cls):
"""Use the ServerManager class to launch a vault server process."""
config_paths = [get_config_file_path('vault-tls.hcl')]
if distutils.spawn.find_executable('consul') is None and cls.enable_vault_ha:
logging.warning('Unable to run Vault in HA mode, consul binary not found in path.')
cls.enable_vault_ha = False
if is_enterprise():
# TODO: figure out why this bit isn't working
logging.warning('Unable to run Vault in HA mode, enterprise Vault version not currently supported.')
cls.enable_vault_ha = False
if cls.enable_vault_ha:
config_paths = [
get_config_file_path('vault-ha-node1.hcl'),
get_config_file_path('vault-ha-node2.hcl'),
]
cls.manager = ServerManager(
config_paths=config_paths,
client=create_client(),
use_consul=cls.enable_vault_ha,
)
try:
cls.manager.start()
cls.manager.initialize()
cls.manager.unseal()
except Exception:
cls.manager.stop()
raise
def doctest_global_setup():
client = test_utils.create_client()
manager = ServerManager(
config_paths=[test_utils.get_config_file_path('vault-doctest.hcl')],
client=client,
)
manager.start()
manager.initialize()
manager.unseal()
mocker = Mocker(real_http=True)
mocker.start()
auth_method_paths = [
'ldap/login/{}'.format(MockLdapServer.ldap_user_name),
]
for auth_method_path in auth_method_paths:
mock_url = 'https://127.0.0.1:8200/v1/auth/{path}'.format(
path=auth_method_path)
mock_response = {
"auth": {
"client_token": manager.root_token,
"accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d",
"policies": ['default'],
"lease_duration": 2764800,
"renewable": True,
},
}
mocker.register_uri(
method='POST',
url=mock_url,
json=mock_response,
)
client.token = manager.root_token
os.environ['VAULT_TOKEN'] = manager.root_token
os.environ['REQUESTS_CA_BUNDLE'] = test_utils.get_config_file_path(
'server-cert.pem')
os.environ['LDAP_USERNAME'] = MockLdapServer.ldap_user_name
os.environ['LDAP_PASSWORD'] = MockLdapServer.ldap_user_password
os.environ['AWS_LAMBDA_FUNCTION_NAME'] = 'hvac-lambda'
os.environ.setdefault("LDAP_PASSWORD", MockLdapServer.ldap_user_password)
if 'secret/' not in client.sys.list_mounted_secrets_engines()['data']:
client.sys.enable_secrets_engine(
backend_type='kv',
path='secret',
options=dict(version=2),
)
attempts = 0
while attempts < 25 and 'secret/' not in client.sys.list_mounted_secrets_engines(
)['data']:
attempts += 1
logging.debug(
'Waiting 1 second for KV V2 secrets engine under path {path} to become available...'
.format(path='secret', ))
sleep(1)
return manager
def setUp(self):
"""Set the client attribute to an authenticated hvac Client instance."""
self.client = create_client(token=self.manager.root_token)
# Squelch deprecating warnings during tests as we may want to deliberately call deprecated methods and/or verify
# warnings invocations.
warnings_patcher = patch('hvac.utils.warnings', spec=warnings)
self.mock_warnings = warnings_patcher.start()
def setUp(self):
"""Set the client attribute to an authenticated hvac Client instance."""
self.client = create_client(token=self.manager.root_token)
# Squelch deprecating warnings during tests as we may want to deliberately call deprecated methods and/or verify
# warnings invocations.
warnings_patcher = patch('hvac.utils.warnings', spec=warnings)
self.mock_warnings = warnings_patcher.start()
def get_vault_addr_by_standby_status(self, standby_status=True):
"""Get an address for a Vault HA node currently in standby.
:param standby_status: Value of the 'standby' key from the health status response to match.
:type standby_status: bool
:return: Standby Vault address.
:rtype: str
"""
vault_addresses = self.manager.get_active_vault_addresses()
for vault_address in vault_addresses:
health_status = create_client(url=vault_address).sys.read_health_status(method='GET')
if health_status['standby'] == standby_status:
return vault_address
def test_read_health_status(self,
label,
method='HEAD',
use_standby_node=False,
expected_status_code=200,
seal_first=False,
ha_required=False):
"""Test the Health system backend class's "read_health_status" method.
:param label: Label for a given parameterized test case.
:type label: str
:param method: HTTP method to use when invoking the method under test (GET or HEAD available).
:type method: str
:param use_standby_node: If True, send the request to a standby Vault node address
:type use_standby_node: bool
:param expected_status_code: The status code code expected in the response from Vault.
:type expected_status_code: int
:param seal_first: If True, seal the Vault node(s) before running the test cases.
:type seal_first: bool
:param ha_required: If True, skip the test case when consul / a HA Vault integration cluster is unavailable.
:type ha_required: bool
"""
if ha_required and not self.enable_vault_ha:
# Conditional to allow folks to run this test class without requiring consul to be installed locally.
self.skipTest(
'Skipping test case, Vault HA required but not available.')
if seal_first:
# Standby nodes can't be sealed directly.
# I.e.: "vault cannot seal when in standby mode; please restart instead"
self.manager.restart_vault_cluster()
# Grab a Vault node address for our desired standby status and create a one-off client configured for that address.
vault_addr = self.get_vault_addr_by_standby_status(
standby_status=use_standby_node)
logging.debug('vault_addr being used: %s' % vault_addr)
client = create_client(url=vault_addr)
read_status_response = client.sys.read_health_status(method=method, )
logging.debug('read_status_response: %s' % read_status_response)
if expected_status_code == 200:
self.assertTrue(read_status_response)
else:
self.assertEqual(
first=read_status_response.status_code,
second=expected_status_code,
)
if method != 'HEAD':
if not isinstance(read_status_response, dict):
read_status_response = read_status_response.json()
self.assertTrue(expr=read_status_response['initialized'])
def get_vault_addr_by_standby_status(self, standby_status=True):
"""Get an address for a Vault HA node currently in standby.
:param standby_status: Value of the 'standby' key from the health status response to match.
:type standby_status: bool
:return: Standby Vault address.
:rtype: str
"""
vault_addresses = self.manager.get_active_vault_addresses()
for vault_address in vault_addresses:
health_status = create_client(
url=vault_address).sys.read_health_status(method='GET')
if health_status['standby'] == standby_status:
return vault_address
def setUpClass(cls):
"""Use the ServerManager class to launch a vault server process."""
config_paths = [get_config_file_path('vault-tls.hcl')]
if distutils.spawn.find_executable('consul') is None and cls.enable_vault_ha:
logging.warning('Unable to run Vault in HA mode, consul binary not found in path.')
cls.enable_vault_ha = False
if cls.enable_vault_ha:
config_paths = [
get_config_file_path('vault-ha-node1.hcl'),
get_config_file_path('vault-ha-node2.hcl'),
]
cls.manager = ServerManager(
config_paths=config_paths,
client=create_client(),
use_consul=cls.enable_vault_ha,
)
cls.manager.start()
cls.manager.initialize()
cls.manager.unseal()
def setUpClass(cls):
"""Use the ServerManager class to launch a vault server process."""
config_paths = [get_config_file_path('vault-tls.hcl')]
if distutils.spawn.find_executable(
'consul') is None and cls.enable_vault_ha:
logging.warning(
'Unable to run Vault in HA mode, consul binary not found in path.'
)
cls.enable_vault_ha = False
if cls.enable_vault_ha:
config_paths = [
get_config_file_path('vault-ha-node1.hcl'),
get_config_file_path('vault-ha-node2.hcl'),
]
cls.manager = ServerManager(
config_paths=config_paths,
client=create_client(),
use_consul=cls.enable_vault_ha,
)
cls.manager.start()
cls.manager.initialize()
cls.manager.unseal()
def unseal(self):
"""Unseal the vault server process."""
vault_addresses = self.get_active_vault_addresses()
for vault_address in vault_addresses:
create_client(url=vault_address).sys.submit_unseal_keys(self.keys)
def test_broken_token(self):
client = utils.create_client(token='\x1b')
try:
client.is_authenticated()
except exceptions.InvalidRequest as e:
assert "invalid header value" in str(e)
def test_missing_token(self):
client = utils.create_client()
assert not client.is_authenticated()
def test_invalid_token(self):
client = utils.create_client(token='not-a-real-token')
assert not client.is_authenticated()
def test_illegal_token(self):
client = utils.create_client(token='token-with-new-line\n')
try:
client.is_authenticated()
except ValueError as e:
assert 'Invalid header value' in str(e)
import pytest
from tests.utils import create_client
from azure_databricks_api.__token import TokenInfo
from azure_databricks_api.exceptions import ResourceDoesNotExist
TOKEN_COMMENT = "THIS IS A TOKEN CREATED DURING THE CI/CD TESTING"
CREATED_TOKEN_ID = ""
client = create_client()
def teardown_module(module):
for token in client.tokens.list():
if token.comment == TOKEN_COMMENT:
client.tokens.revoke(token_id=token.token_id)
def test_create():
global CREATED_TOKEN_ID
token = client.tokens.create(comment=TOKEN_COMMENT, lifetime_seconds=500)
CREATED_TOKEN_ID = token['token_info'].token_id
assert isinstance(token, dict)
assert "token_value" in token.keys()
assert "token_info" in token.keys()
assert isinstance(token['token_info'], TokenInfo)
def test_missing_token(self):
client = utils.create_client()
assert not client.is_authenticated()
def test_invalid_token(self):
client = utils.create_client(token='not-a-real-token')
assert not client.is_authenticated()
def unseal(self):
"""Unseal the vault server process."""
vault_addresses = self.get_active_vault_addresses()
for vault_address in vault_addresses:
create_client(url=vault_address).sys.submit_unseal_keys(self.keys)
class TestCert(HvacIntegrationTestCase, TestCase):
TEST_MOUNT_POINT = 'cert-test'
TEST_ROLE_NAME = 'testrole'
cert = utils.create_client()._adapter._kwargs.get('cert')
with open(utils.get_config_file_path('client-cert.pem')) as fp:
TEST_CERTIFICATE = fp.read()
def setUp(self):
super(TestCert, self).setUp()
if '%s/' % self.TEST_MOUNT_POINT not in self.client.list_auth_backends():
self.client.enable_auth_backend(
backend_type='cert',
mount_point=self.TEST_MOUNT_POINT,
)
_ = self.client.auth.cert.create_ca_certificate_role(
name=self.TEST_ROLE_NAME,
certificate=self.TEST_CERTIFICATE,
mount_point=self.TEST_MOUNT_POINT,
)
def tearDown(self):
super(TestCert, self).tearDown()
def test_create_ca_certificate_role(self):
response = self.client.auth.cert.create_ca_certificate_role(
name='testrole2',
certificate=self.TEST_CERTIFICATE,
mount_point=self.TEST_MOUNT_POINT,
)
self.assertEqual(
first=204,
second=response.status_code
)
def test_read_ca_certificate_role(self):
response = self.client.auth.cert.read_ca_certificate_role(
name=self.TEST_ROLE_NAME,
mount_point=self.TEST_MOUNT_POINT,
)
self.assertEqual(
first=self.TEST_ROLE_NAME,
second=response['data']['display_name'],
)
def test_list_certificate_roles(self):
response = self.client.auth.cert.list_certificate_roles(
mount_point=self.TEST_MOUNT_POINT,
)
self.assertEqual(
first=response['data']['keys'],
second=[self.TEST_ROLE_NAME]
)
def test_delete_certificate_role(self):
self.client.auth.cert.create_ca_certificate_role(
name='testrole2',
certificate=self.TEST_CERTIFICATE,
mount_point=self.TEST_MOUNT_POINT,
)
response = self.client.auth.cert.delete_certificate_role(
name='testrole2',
mount_point=self.TEST_MOUNT_POINT,
)
self.assertEqual(
first=204,
second=response.status_code
)
def test_configure_tls_certificate(self):
response = self.client.auth.cert.configure_tls_certificate(mount_point=self.TEST_MOUNT_POINT)
self.assertEqual(
first=204,
second=response.status_code
)
def test_auth_tls_deprecation(self):
# In order to raise this it is just easier to expect it to fail.
with self.assertRaises(OSError):
pytest.deprecated_call(Client().auth_tls())
@parameterized.expand([
(TEST_ROLE_NAME, "", cert[0], cert[1], TEST_MOUNT_POINT),
("", "", cert[0], cert[1], TEST_MOUNT_POINT),
("testrole2", "", cert[0], cert[1], TEST_MOUNT_POINT),
("", "", "bad cert", cert[1], TEST_MOUNT_POINT),
("", "bad ca", cert[0], cert[1], TEST_MOUNT_POINT),
("", True, cert[0], cert[1], TEST_MOUNT_POINT),
("", False, " ", " ", TEST_MOUNT_POINT)
])
def test_login(self, name, cacert, cert_pem, key_pem, mount_point):
if cacert or "bad" in [cacert, cert_pem, key_pem]:
with self.assertRaises(exceptions.ParamValidationError):
self.client.auth.cert.login(
name=name,
cacert=cacert,
cert_pem=cert_pem,
mount_point=mount_point,
)
# elif cacert:
# with self.assertRaises(OSError):
# self.client.auth.cert.login(
# name=name,
# cacert=cacert,
# cert_pem=cert_pem,
# mount_point=mount_point,
# )
elif name != "" and name not in self.client.auth.cert.list_certificate_roles(
mount_point=self.TEST_MOUNT_POINT,
)['data']['keys']:
with self.assertRaises(exceptions.InvalidRequest):
with self.assertRaises(OSError):
self.client.auth.cert.login(
name=name,
cacert=cacert,
cert_pem=cert_pem,
mount_point=mount_point,
)
elif "/" not in cert_pem:
with self.assertRaises(OSError):
self.client.auth.cert.login(
name=name,
cacert=cacert,
cert_pem=cert_pem,
mount_point=mount_point,
)
else:
response = self.client.auth.cert.login(
name=name,
cacert=cacert,
cert_pem=cert_pem,
mount_point=mount_point,
)
if name in [self.TEST_ROLE_NAME, ""] and (cacert, cert_pem, key_pem) == ("", self.cert[0], self.cert[1]):
self.assertIsInstance(response, dict)
def test_illegal_token(self):
client = utils.create_client(token='token-with-new-line\n')
try:
client.is_authenticated()
except ValueError as e:
assert 'Invalid header value' in str(e)
def test_broken_token(self):
client = utils.create_client(token='\x1b')
try:
client.is_authenticated()
except exceptions.InvalidRequest as e:
assert "invalid header value" in str(e)
