def test_read_role(self, label, configure_first=True, raises=None, exception_message=''): if configure_first: self.client.secrets.aws.create_or_update_role( name=self.TEST_ROLE_NAME, credential_type='iam_user', policy_document=self.TEST_POLICY_DOCUMENT, legacy_params=vault_version_lt('0.11.0'), mount_point=self.TEST_MOUNT_POINT, ) if raises: with self.assertRaises(raises) as cm: self.client.secrets.aws.read_role( name=self.TEST_ROLE_NAME, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: read_role_response = self.client.secrets.aws.read_role( name=self.TEST_ROLE_NAME, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('read_role_response: %s' % read_role_response) if vault_version_lt('0.11.0'): self.assertDictEqual( d1=json.loads(read_role_response['data']['policy']), d2=self.TEST_POLICY_DOCUMENT, ) else: self.assertEqual( first=read_role_response['data']['credential_types'], second=['iam_user'], )
def test_create_or_update_role(self, label, credential_type='iam_user', policy_document=None, default_sts_ttl=None, max_sts_ttl=None, role_arns=None, policy_arns=None, raises=None, exception_message=''): if raises: with self.assertRaises(raises) as cm: self.client.secrets.aws.create_or_update_role( name=self.TEST_ROLE_NAME, credential_type=credential_type, policy_document=policy_document, default_sts_ttl=default_sts_ttl, max_sts_ttl=max_sts_ttl, role_arns=role_arns, policy_arns=policy_arns, legacy_params=vault_version_lt('0.11.0'), mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: role_response = self.client.secrets.aws.create_or_update_role( name=self.TEST_ROLE_NAME, credential_type=credential_type, policy_document=policy_document, default_sts_ttl=default_sts_ttl, max_sts_ttl=max_sts_ttl, role_arns=role_arns, policy_arns=policy_arns, legacy_params=vault_version_lt('0.11.0'), mount_point=self.TEST_MOUNT_POINT, ) logging.debug('role_response: %s' % role_response) expected_status_code = 204 if vault_version_eq('0.11.0'): # In Vault 0.11.0, this API route returns a 200 instead of a 204. expected_status_code = 200 self.assertEqual( first=role_response.status_code, second=expected_status_code, )
def test_create_role(self, label, role_type, policies=None, bound_service_accounts=None, raises=None, exception_message=''): role_name = 'hvac' project_id = 'test-hvac-project-not-a-real-project' if raises: with self.assertRaises(raises) as cm: self.client.auth.gcp.create_role( name=role_name, role_type=role_type, project_id=project_id, policies=policies, bound_service_accounts=bound_service_accounts, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: create_role_response = self.client.auth.gcp.create_role( name=role_name, role_type=role_type, project_id=project_id, policies=policies, bound_service_accounts=bound_service_accounts, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_role_response: %s' % create_role_response) if utils.vault_version_lt('0.10.0'): expected_status_code = 204 else: expected_status_code = 200 # TODO => figure out why this isn't a 204? self.assertEqual( first=create_role_response.status_code, second=expected_status_code, )
def test_delete_role(self, label, configure_first=True, raises=None, exception_message=''): if configure_first: self.client.secrets.aws.create_or_update_role( name=self.TEST_ROLE_NAME, credential_type='iam_user', policy_document=self.TEST_POLICY_DOCUMENT, legacy_params=vault_version_lt('0.11.0'), mount_point=self.TEST_MOUNT_POINT, ) if raises: with self.assertRaises(raises) as cm: self.client.secrets.aws.delete_role( name=self.TEST_ROLE_NAME, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: delete_role_response = self.client.secrets.aws.delete_role( name=self.TEST_ROLE_NAME, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('delete_role_response: %s' % delete_role_response) self.assertEqual( first=delete_role_response.status_code, second=204, )
def test_delete_role(self, label, configure_first=True, raises=None, exception_message=''): if configure_first: self.client.secrets.aws.create_or_update_role( name=self.TEST_ROLE_NAME, credential_type='iam_user', policy_document=self.TEST_POLICY_DOCUMENT, legacy_params=vault_version_lt('0.11.0'), mount_point=self.TEST_MOUNT_POINT, ) if raises: with self.assertRaises(raises) as cm: self.client.secrets.aws.delete_role( name=self.TEST_ROLE_NAME, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: delete_role_response = self.client.secrets.aws.delete_role( name=self.TEST_ROLE_NAME, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('delete_role_response: %s' % delete_role_response) self.assertEqual( first=bool(delete_role_response), second=True, )
def test_create_or_update_role(self, label, credential_type='iam_user', policy_document=None, default_sts_ttl=None, max_sts_ttl=None, role_arns=None, policy_arns=None, raises=None, exception_message=''): if raises: with self.assertRaises(raises) as cm: self.client.secrets.aws.create_or_update_role( name=self.TEST_ROLE_NAME, credential_type=credential_type, policy_document=policy_document, default_sts_ttl=default_sts_ttl, max_sts_ttl=max_sts_ttl, role_arns=role_arns, policy_arns=policy_arns, legacy_params=vault_version_lt('0.11.0'), mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: role_response = self.client.secrets.aws.create_or_update_role( name=self.TEST_ROLE_NAME, credential_type=credential_type, policy_document=policy_document, default_sts_ttl=default_sts_ttl, max_sts_ttl=max_sts_ttl, role_arns=role_arns, policy_arns=policy_arns, legacy_params=vault_version_lt('0.11.0'), mount_point=self.TEST_MOUNT_POINT, ) logging.debug('role_response: %s' % role_response) self.assertEqual( first=bool(role_response), second=True, )
def test_read_role(self, label, configure_first=True, raises=None, exception_message=''): if configure_first: self.client.secrets.aws.create_or_update_role( name=self.TEST_ROLE_NAME, credential_type='iam_user', policy_document=self.TEST_POLICY_DOCUMENT, legacy_params=vault_version_lt('0.11.0'), mount_point=self.TEST_MOUNT_POINT, ) if raises: with self.assertRaises(raises) as cm: self.client.secrets.aws.read_role( name=self.TEST_ROLE_NAME, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: read_role_response = self.client.secrets.aws.read_role( name=self.TEST_ROLE_NAME, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('read_role_response: %s' % read_role_response) if vault_version_lt('0.11.0'): self.assertDictEqual( d1=json.loads(read_role_response['data']['policy']), d2=self.TEST_POLICY_DOCUMENT, ) # https://github.com/hashicorp/vault/commit/2dcd0aed2a242f53dae03318b4d68693f7d92b81 elif vault_version_lt('1.0.2'): self.assertEqual( first=read_role_response['data']['credential_types'], second=['iam_user'], ) else: self.assertEqual( first=read_role_response['data']['credential_type'], second='iam_user', )
def test_edit_labels_on_gce_role(self, label, add=None, remove=None, create_role_first=True, raises=None, exception_message=''): role_name = 'hvac' project_id = 'test-hvac-project-not-a-real-project' if create_role_first: self.client.auth.gcp.create_role( name=role_name, role_type='gce', project_id=project_id, bound_service_accounts=[ '*****@*****.**' ], mount_point=self.TEST_MOUNT_POINT, ) if raises: with self.assertRaises(raises) as cm: self.client.auth.gcp.edit_labels_on_gce_role( name=role_name, add=add, remove=remove, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: edit_labled_response = self.client.auth.gcp.edit_labels_on_gce_role( name=role_name, add=add, remove=remove, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_role_response: %s' % edit_labled_response) if utils.vault_version_lt('0.10.0'): expected_status_code = 204 else: expected_status_code = 200 # TODO => figure out why this isn't a 204? self.assertEqual( first=edit_labled_response.status_code, second=expected_status_code, )
def test_edit_labels_on_gce_role(self, label, add=None, remove=None, create_role_first=True, raises=None, exception_message=''): role_name = 'hvac' project_id = 'test-hvac-project-not-a-real-project' if create_role_first: self.client.auth.gcp.create_role( name=role_name, role_type='gce', project_id=project_id, bound_service_accounts=['*****@*****.**'], mount_point=self.TEST_MOUNT_POINT, ) if raises: with self.assertRaises(raises) as cm: self.client.auth.gcp.edit_labels_on_gce_role( name=role_name, add=add, remove=remove, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: edit_labled_response = self.client.auth.gcp.edit_labels_on_gce_role( name=role_name, add=add, remove=remove, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_role_response: %s' % edit_labled_response) if utils.vault_version_lt('0.10.0'): expected_status_code = 204 else: expected_status_code = 200 # TODO => figure out why this isn't a 204? self.assertEqual( first=edit_labled_response.status_code, second=expected_status_code, )
import logging from time import sleep from unittest import TestCase, skipIf from parameterized import parameterized, param from hvac import exceptions from tests import utils from tests.utils.hvac_integration_test_case import HvacIntegrationTestCase @skipIf(utils.vault_version_lt('0.10.0'), "KV version 2 secret engine not available before Vault version 0.10.0") class TestKvV2(HvacIntegrationTestCase, TestCase): DEFAULT_MOUNT_POINT = 'kvv2' def setUp(self): super(TestKvV2, self).setUp() self.client.enable_secret_backend( backend_type='kv', mount_point=self.DEFAULT_MOUNT_POINT, options=dict(version=2), ) # We occasionally see issues with the newly enabled secrets engine not becoming available in time for our test cases. # So we wait for it to show up in the mounted secrets engines list here before proceeding. path = '{mount_point}/'.format(mount_point=self.DEFAULT_MOUNT_POINT) attempts = 0 while attempts < 25 and path not in self.client.sys.list_mounted_secrets_engines()['data']: attempts += 1 logging.debug('Waiting 1 second for KV V2 secrets engine under path {path} to become available...'.format( path=self.DEFAULT_MOUNT_POINT,
import logging from unittest import TestCase from unittest import skipIf import requests_mock from parameterized import parameterized from hvac.adapters import Request from hvac.api.secrets_engines.azure import Azure, DEFAULT_MOUNT_POINT from tests import utils @skipIf(utils.vault_version_lt('0.11.0'), "Azure secret engine not available before Vault version 0.11.0") class TestAzure(TestCase): @parameterized.expand([ ('create role', None), ]) @requests_mock.Mocker() def test_create_or_update_role(self, test_label, azure_roles, requests_mocker): expected_status_code = 204 role_name = 'hvac' if azure_roles is None: azure_roles = [ { 'role_name': "Contributor", 'scope': "/subscriptions/95e675fa-307a-455e-8cdf-0a66aeaa35ae", }, ]
from unittest import TestCase from unittest import skipIf from parameterized import parameterized from hvac import exceptions from tests import utils from tests.utils.hvac_integration_test_case import HvacIntegrationTestCase @skipIf(utils.vault_version_lt('0.6.2'), "AppRole endpoints standardized in version 0.6.2") class TestAppRole(HvacIntegrationTestCase, TestCase): TEST_MOUNT_POINT = 'approle-test' TEST_ROLE_NAME = 'testrole' TEST_ROLE_ID = 'test_role_id' TEST_SECRET_ID = 'custom_secret' def setUp(self): super(TestAppRole, self).setUp() if '%s/' % self.TEST_MOUNT_POINT not in self.client.list_auth_backends( ): self.client.enable_auth_backend( backend_type='approle', mount_point=self.TEST_MOUNT_POINT, ) _ = self.client.auth.approle.create_or_update_approle( role_name=self.TEST_ROLE_NAME, token_policies=['default'], mount_point=self.TEST_MOUNT_POINT) _ = self.client.auth.approle.update_role_id(
import logging from unittest import TestCase, skipIf from tests import utils from tests.utils.hvac_integration_test_case import HvacIntegrationTestCase @skipIf( utils.vault_version_lt('1.4.0') or not utils.is_enterprise(), 'Transform secrets engine only supported with Enterprise Vault', ) class TestTransform(HvacIntegrationTestCase, TestCase): TEST_MOUNT_POINT = 'transform-integration-test' def setUp(self): super(TestTransform, self).setUp() self.client.sys.enable_secrets_engine( backend_type='transform', path=self.TEST_MOUNT_POINT, ) def tearDown(self): self.client.sys.disable_secrets_engine(path=self.TEST_MOUNT_POINT) super(TestTransform, self).tearDown() def test_create_or_update_role(self): create_response = self.client.secrets.transform.create_or_update_role( name='test_role', transformations=[ 'creditcard-fpe', 'creditcard-masking',
import logging from unittest import TestCase from unittest import skipIf import requests_mock from parameterized import parameterized from hvac.adapters import Request from hvac.api.auth_methods import Kubernetes from tests import utils @skipIf(utils.vault_version_lt('0.8.3'), "Kubernetes auth method not available before Vault version 0.8.3") class TestKubernetes(TestCase): TEST_MOUNT_POINT = 'kubernetes-test' @parameterized.expand([ ('success', dict(), None,), ]) @requests_mock.Mocker() def test_login(self, label, test_params, raises, requests_mocker): role_name = 'hvac' test_policies = [ "default", "dev", "prod", ] expected_status_code = 200 mock_url = 'http://localhost:8200/v1/auth/{mount_point}/login'.format( mount_point=self.TEST_MOUNT_POINT, )
import logging from unittest import TestCase from unittest import skipIf import requests_mock from parameterized import parameterized from hvac.adapters import Request from hvac.api.secrets_engines.azure import Azure, DEFAULT_MOUNT_POINT from tests import utils @skipIf(utils.vault_version_lt('0.11.0'), "Azure secret engine not available before Vault version 0.11.0") class TestAzure(TestCase): @parameterized.expand([ ('create role', None), ]) @requests_mock.Mocker() def test_create_or_update_role(self, test_label, azure_roles, requests_mocker): expected_status_code = 204 role_name = 'hvac' if azure_roles is None: azure_roles = [ { 'role_name': "Contributor", 'scope': "/subscriptions/95e675fa-307a-455e-8cdf-0a66aeaa35ae", }, ] mock_url = 'http://localhost:8200/v1/{mount_point}/roles/{name}'.format( mount_point=DEFAULT_MOUNT_POINT,
import logging from unittest import TestCase from unittest import skipIf from parameterized import parameterized, param from hvac import exceptions from tests import utils from tests.utils.hvac_integration_test_case import HvacIntegrationTestCase @skipIf(utils.vault_version_lt('0.10.0'), "Azure auth method not available before Vault version 0.10.0") class TestAzure(HvacIntegrationTestCase, TestCase): TEST_MOUNT_POINT = 'azure-test' def setUp(self): super(TestAzure, self).setUp() if '%s/' % self.TEST_MOUNT_POINT not in self.client.list_auth_backends(): self.client.enable_auth_backend( backend_type='azure', mount_point=self.TEST_MOUNT_POINT, ) def tearDown(self): super(TestAzure, self).tearDown() self.client.disable_auth_backend( mount_point=self.TEST_MOUNT_POINT, ) @parameterized.expand([ param(
class TestLdap(HvacIntegrationTestCase, TestCase): TEST_LDAP_PATH = 'test-ldap' ldap_server = None mock_server_port = None mock_ldap_url = None @classmethod def setUpClass(cls): super(TestLdap, cls).setUpClass() logging.getLogger('ldap_test').setLevel(logging.ERROR) cls.mock_server_port = utils.get_free_port() cls.mock_ldap_url = 'ldap://localhost:{port}'.format(port=cls.mock_server_port) cls.ldap_server = LdapServer({ 'port': cls.mock_server_port, 'bind_dn': LDAP_BIND_DN, 'password': LDAP_BIND_PASSWORD, 'base': { 'objectclass': ['domain'], 'dn': LDAP_BASE_DN, 'attributes': {'dc': LDAP_BASE_DC} }, 'entries': LDAP_ENTRIES, }) cls.ldap_server.start() @classmethod def tearDownClass(cls): super(TestLdap, cls).tearDownClass() cls.ldap_server.stop() def setUp(self): super(TestLdap, self).setUp() if 'ldap/' not in self.client.list_auth_backends(): self.client.sys.enable_auth_method( method_type='ldap', path=self.TEST_LDAP_PATH ) def tearDown(self): super(TestLdap, self).tearDown() self.client.disable_auth_backend( mount_point=self.TEST_LDAP_PATH, ) @parameterized.expand([ ('update url', dict(url=LDAP_URL)), ('update binddn', dict(url=LDAP_URL, bind_dn='cn=vault,ou=Users,dc=hvac,dc=network')), ('update upn_domain', dict(url=LDAP_URL, upn_domain='python-hvac.org')), ('update certificate', dict(url=LDAP_URL, certificate=utils.load_config_file('server-cert.pem'))), ('incorrect tls version', dict(url=LDAP_URL, tls_min_version='cats'), exceptions.InvalidRequest, "invalid 'tls_min_version'"), ]) def test_configure(self, test_label, parameters, raises=None, exception_message=''): parameters.update({ 'user_dn': LDAP_USERS_DN, 'group_dn': LDAP_GROUPS_DN, 'mount_point': self.TEST_LDAP_PATH, }) if raises: with self.assertRaises(raises) as cm: self.client.auth.ldap.configure(**parameters) self.assertIn( member=exception_message, container=str(cm.exception), ) else: expected_status_code = 204 configure_response = self.client.auth.ldap.configure(**parameters) self.assertEqual( first=expected_status_code, second=configure_response.status_code ) read_config_response = self.client.auth.ldap.read_configuration( mount_point=self.TEST_LDAP_PATH, ) for parameter, argument in parameters.items(): if parameter == 'mount_point': continue self.assertIn( member=argument, container=read_config_response['data'].values(), ) def test_read_configuration(self): response = self.client.auth.ldap.read_configuration( mount_point=self.TEST_LDAP_PATH, ) self.assertIn( member='data', container=response, ) @parameterized.expand([ ('no policies', 'cats'), ('policies as list', 'cats', ['purr-policy']), ('policies as invalid type', 'cats', 'purr-policy', exceptions.ParamValidationError, '"policies" argument must be an instance of list'), ]) def test_create_or_update_group(self, test_label, name, policies=None, raises=None, exception_message=''): expected_status_code = 204 if raises: with self.assertRaises(raises) as cm: create_response = self.client.auth.ldap.create_or_update_group( name=name, policies=policies, mount_point=self.TEST_LDAP_PATH, ) if exception_message is not None: self.assertIn( member=exception_message, container=str(cm.exception), ) else: create_response = self.client.auth.ldap.create_or_update_group( name=name, policies=policies, mount_point=self.TEST_LDAP_PATH, ) self.assertEqual( first=expected_status_code, second=create_response.status_code ) @parameterized.expand([ ('read configured groups', 'cats'), ('non-existent groups', 'cats', False, exceptions.InvalidPath), ]) def test_list_groups(self, test_label, name, configure_first=True, raises=None, exception_message=None): if configure_first: self.client.auth.ldap.create_or_update_group( name=name, mount_point=self.TEST_LDAP_PATH, ) if raises: with self.assertRaises(raises) as cm: self.client.auth.ldap.list_groups( mount_point=self.TEST_LDAP_PATH, ) if exception_message is not None: self.assertIn( member=exception_message, container=str(cm.exception), ) else: list_groups_response = self.client.auth.ldap.list_groups( mount_point=self.TEST_LDAP_PATH, ) # raise Exception(list_groups_response) self.assertDictEqual( d1=dict(keys=[name]), d2=list_groups_response['data'], ) @parameterized.expand([ ('read configured group', 'cats'), ('non-existent group', 'cats', False, exceptions.InvalidPath), ]) def test_read_group(self, test_label, name, configure_first=True, raises=None, exception_message=None): if configure_first: self.client.auth.ldap.create_or_update_group( name=name, mount_point=self.TEST_LDAP_PATH, ) if raises: with self.assertRaises(raises) as cm: self.client.auth.ldap.read_group( name=name, mount_point=self.TEST_LDAP_PATH, ) if exception_message is not None: self.assertIn( member=exception_message, container=str(cm.exception), ) else: read_group_response = self.client.auth.ldap.read_group( name=name, mount_point=self.TEST_LDAP_PATH, ) self.assertIn( member='policies', container=read_group_response['data'], ) @parameterized.expand([ ('no policies or groups', 'cats'), ('policies as list', 'cats', ['purr-policy']), ('policies as invalid type', 'cats', 'purr-policy', None, exceptions.ParamValidationError, '"policies" argument must be an instance of list'), ('no groups', 'cats', ['purr-policy']), ('groups as list', 'cats', None, ['meow-group']), ('groups as invalid type', 'cats', None, 'meow-group', exceptions.ParamValidationError, '"groups" argument must be an instance of list'), ]) def test_create_or_update_user(self, test_label, username, policies=None, groups=None, raises=None, exception_message=''): expected_status_code = 204 if raises: with self.assertRaises(raises) as cm: self.client.auth.ldap.create_or_update_user( username=username, policies=policies, groups=groups, mount_point=self.TEST_LDAP_PATH, ) if exception_message is not None: self.assertIn( member=exception_message, container=str(cm.exception), ) else: create_response = self.client.auth.ldap.create_or_update_user( username=username, policies=policies, groups=groups, mount_point=self.TEST_LDAP_PATH, ) self.assertEqual( first=expected_status_code, second=create_response.status_code ) @parameterized.expand([ ('read configured group', 'cats'), ('non-existent group', 'cats', False, exceptions.InvalidPath), ]) def test_delete_group(self, test_label, name, configure_first=True, raises=None, exception_message=None): if configure_first: self.client.auth.ldap.create_or_update_group( name=name, mount_point=self.TEST_LDAP_PATH, ) expected_status_code = 204 delete_group_response = self.client.auth.ldap.delete_group( name=name, mount_point=self.TEST_LDAP_PATH, ) self.assertEqual( first=expected_status_code, second=delete_group_response.status_code ) @parameterized.expand([ ('read configured user', 'cats'), ('non-existent user', 'cats', False, exceptions.InvalidPath), ]) def test_list_users(self, test_label, username, configure_first=True, raises=None, exception_message=None): if configure_first: self.client.auth.ldap.create_or_update_user( username=username, mount_point=self.TEST_LDAP_PATH, ) if raises: with self.assertRaises(raises) as cm: self.client.auth.ldap.list_users( mount_point=self.TEST_LDAP_PATH, ) if exception_message is not None: self.assertIn( member=exception_message, container=str(cm.exception), ) else: list_users_response = self.client.auth.ldap.list_users( mount_point=self.TEST_LDAP_PATH, ) self.assertDictEqual( d1=dict(keys=[username]), d2=list_users_response['data'], ) @parameterized.expand([ ('read configured user', 'cats'), ('non-existent user', 'cats', False, exceptions.InvalidPath), ]) def test_read_user(self, test_label, username, configure_first=True, raises=None, exception_message=None): if configure_first: self.client.auth.ldap.create_or_update_user( username=username, mount_point=self.TEST_LDAP_PATH, ) if raises: with self.assertRaises(raises) as cm: self.client.auth.ldap.read_user( username=username, mount_point=self.TEST_LDAP_PATH, ) if exception_message is not None: self.assertIn( member=exception_message, container=str(cm.exception), ) else: read_user_response = self.client.auth.ldap.read_user( username=username, mount_point=self.TEST_LDAP_PATH, ) self.assertIn( member='policies', container=read_user_response['data'], ) @parameterized.expand([ ('read configured user', 'cats'), ('non-existent user', 'cats', False, exceptions.InvalidPath), ]) def test_delete_user(self, test_label, username, configure_first=True, raises=None, exception_message=None): if configure_first: self.client.auth.ldap.create_or_update_user( username=username, mount_point=self.TEST_LDAP_PATH, ) expected_status_code = 204 delete_user_response = self.client.auth.ldap.delete_user( username=username, mount_point=self.TEST_LDAP_PATH, ) self.assertEqual( first=expected_status_code, second=delete_user_response.status_code ) @parameterized.expand([ param( label='working creds with policy' ), param( label='invalid creds', username='******', password='******', attach_policy=False, raises=exceptions.InvalidRequest, ), # The following two test cases cover either side of the associated changelog entry for LDAP auth here: # https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#0103-june-20th-2018 param( label='working creds no membership with Vault version >= 0.10.3', attach_policy=False, skip_due_to_vault_version=utils.vault_version_lt('0.10.3'), ), param( label='working creds no membership with Vault version < 0.10.3', attach_policy=False, raises=exceptions.InvalidRequest, exception_message='user is not a member of any authorized group', skip_due_to_vault_version=utils.vault_version_ge('0.10.3'), ), ]) def test_login(self, label, username=LDAP_USER_NAME, password=LDAP_USER_PASSWORD, attach_policy=True, raises=None, exception_message='', skip_due_to_vault_version=False): if skip_due_to_vault_version: self.skipTest(reason='test case does not apply to Vault version under test') test_policy_name = 'test-ldap-policy' self.client.auth.ldap.configure( url=self.mock_ldap_url, bind_dn=self.ldap_server.config['bind_dn'], bind_pass=self.ldap_server.config['password'], user_dn=LDAP_USERS_DN, user_attr='uid', group_dn=LDAP_GROUPS_DN, group_attr='cn', insecure_tls=True, mount_point=self.TEST_LDAP_PATH, ) if attach_policy: self.prep_policy(test_policy_name) self.client.auth.ldap.create_or_update_group( name=LDAP_GROUP_NAME, policies=[test_policy_name], mount_point=self.TEST_LDAP_PATH, ) if raises: with self.assertRaises(raises) as cm: self.client.auth.ldap.login( username=username, password=password, mount_point=self.TEST_LDAP_PATH, ) if exception_message is not None: self.assertIn( member=exception_message, container=str(cm.exception), ) else: login_response = self.client.auth.ldap.login( username=username, password=password, mount_point=self.TEST_LDAP_PATH, ) self.assertDictEqual( d1=dict(username=username), d2=login_response['auth']['metadata'], ) self.assertEqual( first=login_response['auth']['client_token'], second=self.client.token, ) if attach_policy: expected_policies = ['default', test_policy_name] else: expected_policies = ['default'] self.assertEqual( first=expected_policies, second=login_response['auth']['policies'] )
import logging from unittest import TestCase, skipIf from tests import utils from tests.utils.hvac_integration_test_case import HvacIntegrationTestCase @skipIf( utils.vault_version_lt("1.4.0") or not utils.is_enterprise(), "Transform secrets engine only supported with Enterprise Vault", ) class TestTransform(HvacIntegrationTestCase, TestCase): TEST_MOUNT_POINT = "transform-integration-test" def setUp(self): super(TestTransform, self).setUp() self.client.sys.enable_secrets_engine( backend_type="transform", path=self.TEST_MOUNT_POINT, ) def tearDown(self): self.client.sys.disable_secrets_engine(path=self.TEST_MOUNT_POINT) super(TestTransform, self).tearDown() def test_create_or_update_role(self): create_response = self.client.secrets.transform.create_or_update_role( name="test_role", transformations=[ "creditcard-fpe", "creditcard-masking",
class TestTransform(HvacIntegrationTestCase, TestCase): TEST_MOUNT_POINT = "transform-integration-test" def setUp(self): super(TestTransform, self).setUp() self.client.sys.enable_secrets_engine( backend_type="transform", path=self.TEST_MOUNT_POINT, ) def tearDown(self): self.client.sys.disable_secrets_engine(path=self.TEST_MOUNT_POINT) super(TestTransform, self).tearDown() def test_create_or_update_role(self): create_response = self.client.secrets.transform.create_or_update_role( name="test_role", transformations=[ "creditcard-fpe", "creditcard-masking", ], mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) self.assertEqual( first=create_response.status_code, second=204, ) def test_read_role(self): transformations = [ "creditcard-fpe", "creditcard-masking", ] create_response = self.client.secrets.transform.create_or_update_role( name="test_role", transformations=transformations, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) read_response = self.client.secrets.transform.read_role( name="test_role", mount_point=self.TEST_MOUNT_POINT, ) logging.debug("read_response: {}".format(read_response)) self.assertEqual( first=read_response["data"]["transformations"], second=transformations, ) def test_list_roles(self): role_name = "test_role" transformations = [ "creditcard-fpe", "creditcard-masking", ] create_response = self.client.secrets.transform.create_or_update_role( name=role_name, transformations=transformations, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) list_roles_response = self.client.secrets.transform.list_roles( mount_point=self.TEST_MOUNT_POINT, ) logging.debug("list_roles_response: {}".format(list_roles_response)) self.assertEqual( first=list_roles_response["data"]["keys"], second=[role_name], ) def test_delete_role(self): role_name = "test_role" transformations = [ "creditcard-fpe", "creditcard-masking", ] create_response = self.client.secrets.transform.create_or_update_role( name=role_name, transformations=transformations, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) create_response = self.client.secrets.transform.create_or_update_role( name="other-role", transformations=transformations, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) list_roles_response = self.client.secrets.transform.list_roles( mount_point=self.TEST_MOUNT_POINT, ) logging.debug("list_roles_response: {}".format(list_roles_response)) self.assertIn( member=role_name, container=list_roles_response["data"]["keys"], ) delete_role_response = self.client.secrets.transform.delete_role( name=role_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("delete_role_response: {}".format(delete_role_response)) self.assertEqual( first=delete_role_response.status_code, second=204, ) list_roles_response = self.client.secrets.transform.list_roles( mount_point=self.TEST_MOUNT_POINT, ) logging.debug("list_roles_response: {}".format(list_roles_response)) self.assertNotIn( member=role_name, container=list_roles_response["data"]["keys"], ) def test_create_or_update_transformation(self): create_response = self.client.secrets.transform.create_or_update_transformation( name="test-transformation", transform_type="fpe", template="builtin/creditcardnumber", tweak_source="internal", allowed_roles=["test-role"], mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) self.assertEqual( first=create_response.status_code, second=204, ) @skipIf( utils.vault_version_lt("1.7.0"), "Expanded tokenization support added in Vault version v1.7.0", ) def test_create_or_update_fpe_transformation(self): create_response = ( self.client.secrets.transform.create_or_update_fpe_transformation( name="test-transformation", template="builtin/creditcardnumber", tweak_source="internal", allowed_roles=["test-role"], mount_point=self.TEST_MOUNT_POINT, )) logging.debug("create_response: {}".format(create_response)) self.assertEquals( first=create_response.status_code, second=204, ) @skipIf( utils.vault_version_lt("1.7.0"), "Expanded tokenization support added in Vault version v1.7.0", ) def test_create_or_update_masking_transformation(self): create_response = (self.client.secrets.transform. create_or_update_masking_transformation( name="test-masking", template="builtin/creditcardnumber", masking_character="-", allowed_roles=["test-role"], mount_point=self.TEST_MOUNT_POINT, )) logging.debug("create_response: {}".format(create_response)) self.assertEqual( first=create_response.status_code, second=204, ) @skipIf( utils.vault_version_lt("1.7.0"), "Expanded tokenization support added in Vault version v1.7.0", ) def test_create_or_update_tokenization_transformation(self): create_response = (self.client.secrets.transform. create_or_update_tokenization_transformation( name="test-tokenization", max_ttl="60", mapping_mode="exportable", allowed_roles=["test-role"], mount_point=self.TEST_MOUNT_POINT, )) logging.debug("create_response: {}".format(create_response)) self.assertEqual( first=create_response.status_code, second=204, ) def test_read_transformation(self): test_name = "test-transformation" template = "builtin/creditcardnumber" create_response = self.client.secrets.transform.create_or_update_transformation( name=test_name, transform_type="fpe", template=template, tweak_source="internal", allowed_roles=["test-role"], mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) read_response = self.client.secrets.transform.read_transformation( name=test_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("read_response: {}".format(read_response)) self.assertIn( member=template, container=read_response["data"]["templates"], ) def test_list_transformations(self): test_name = "test-transformation" template = "builtin/creditcardnumber" create_response = self.client.secrets.transform.create_or_update_transformation( name=test_name, transform_type="fpe", template=template, tweak_source="internal", allowed_roles=["test-role"], mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) list_response = self.client.secrets.transform.list_transformations( mount_point=self.TEST_MOUNT_POINT, ) logging.debug("list_response: {}".format(list_response)) self.assertIn( member=test_name, container=list_response["data"]["keys"], ) def test_delete_transformation(self): test_name = "test-transformation" template = "builtin/creditcardnumber" create_response = self.client.secrets.transform.create_or_update_transformation( name=test_name, transform_type="fpe", template=template, tweak_source="internal", allowed_roles=["test-role"], mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) delete_response = self.client.secrets.transform.delete_transformation( name=test_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("delete_response: {}".format(delete_response)) self.assertEqual( first=delete_response.status_code, second=204, ) def test_create_or_update_template(self): test_name = "test-template" create_response = self.client.secrets.transform.create_or_update_template( name=test_name, template_type="regex", pattern="(\\d{9})", alphabet="builtin/numeric", mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) self.assertEqual( first=create_response.status_code, second=204, ) def test_read_template(self): test_name = "test-template" test_pattern = "(\\d{9})" create_response = self.client.secrets.transform.create_or_update_template( name=test_name, template_type="regex", pattern=test_pattern, alphabet="builtin/numeric", mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) read_response = self.client.secrets.transform.read_template( name=test_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("read_response: {}".format(read_response)) self.assertIn( member=test_pattern, container=read_response["data"]["pattern"], ) def test_list_templates(self): test_name = "test-template" test_pattern = "(\\d{9})" create_response = self.client.secrets.transform.create_or_update_template( name=test_name, template_type="regex", pattern=test_pattern, alphabet="builtin/numeric", mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) list_response = self.client.secrets.transform.list_templates( mount_point=self.TEST_MOUNT_POINT, ) logging.debug("list_response: {}".format(list_response)) self.assertIn( member=test_name, container=list_response["data"]["keys"], ) def test_delete_template(self): test_name = "test-template" test_pattern = "(\\d{9})" create_response = self.client.secrets.transform.create_or_update_template( name=test_name, template_type="regex", pattern=test_pattern, alphabet="builtin/numeric", mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) delete_response = self.client.secrets.transform.delete_template( name=test_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("delete_response: {}".format(delete_response)) self.assertEqual( first=delete_response.status_code, second=204, ) def test_create_or_update_alphabet(self): test_name = "test-alphabet" test_alphabet = "abc" create_response = self.client.secrets.transform.create_or_update_alphabet( name=test_name, alphabet=test_alphabet, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) self.assertEqual( first=create_response.status_code, second=204, ) def test_read_alphabet(self): test_name = "test-alphabet" test_alphabet = "abc" create_response = self.client.secrets.transform.create_or_update_alphabet( name=test_name, alphabet=test_alphabet, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) read_response = self.client.secrets.transform.read_alphabet( name=test_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("read_response: {}".format(read_response)) self.assertEqual( first=test_alphabet, second=read_response["data"]["alphabet"], ) def test_list_alphabets(self): test_name = "test-alphabet" test_alphabet = "abc" create_response = self.client.secrets.transform.create_or_update_alphabet( name=test_name, alphabet=test_alphabet, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) list_response = self.client.secrets.transform.list_alphabets( mount_point=self.TEST_MOUNT_POINT, ) logging.debug("list_response: {}".format(list_response)) self.assertIn( member=test_name, container=list_response["data"]["keys"], ) def test_delete_alphabet(self): test_name = "test-alphabet" test_alphabet = "abc" create_response = self.client.secrets.transform.create_or_update_alphabet( name=test_name, alphabet=test_alphabet, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_response: {}".format(create_response)) delete_response = self.client.secrets.transform.delete_alphabet( name=test_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("delete_response: {}".format(delete_response)) self.assertEqual( first=delete_response.status_code, second=204, ) def test_encode(self): role_name = "test-role" transformation_name = "test-transformation" transformations = [transformation_name] test_input_value = "1111-1111-1111-1111" expected_output = "****-****-****-****" create_role_response = self.client.secrets.transform.create_or_update_role( name=role_name, transformations=transformations, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_role_response: {}".format(create_role_response)) create_transform_response = ( self.client.secrets.transform.create_or_update_transformation( name=transformation_name, transform_type="masking", template="builtin/creditcardnumber", tweak_source="internal", allowed_roles=[role_name], mount_point=self.TEST_MOUNT_POINT, )) logging.debug( "create_transform_response: {}".format(create_transform_response)) encode_response = self.client.secrets.transform.encode( role_name=role_name, value=test_input_value, transformation=transformation_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("encode_response: {}".format(encode_response)) self.assertEqual( first=encode_response["data"]["encoded_value"], second=expected_output, ) def test_decode(self): role_name = "test-role" transformation_name = "test-transformation" transformations = [transformation_name] test_input_value = "1111-1111-1111-1111" create_role_response = self.client.secrets.transform.create_or_update_role( name=role_name, transformations=transformations, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("create_role_response: {}".format(create_role_response)) create_transform_response = ( self.client.secrets.transform.create_or_update_transformation( name=transformation_name, transform_type="fpe", template="builtin/creditcardnumber", tweak_source="internal", allowed_roles=[role_name], mount_point=self.TEST_MOUNT_POINT, )) logging.debug( "create_transform_response: {}".format(create_transform_response)) encode_response = self.client.secrets.transform.encode( role_name=role_name, value=test_input_value, transformation=transformation_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("encode_response: {}".format(encode_response)) decode_response = self.client.secrets.transform.decode( role_name=role_name, value=encode_response["data"]["encoded_value"], transformation=transformation_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug("decode_response: {}".format(decode_response)) self.assertEqual( first=decode_response["data"]["decoded_value"], second=test_input_value, )
class TestTransit(HvacIntegrationTestCase, TestCase): TEST_MOUNT_POINT = 'transit-integration-test' def setUp(self): super(TestTransit, self).setUp() self.client.enable_secret_backend( backend_type='transit', mount_point=self.TEST_MOUNT_POINT, ) def tearDown(self): self.client.disable_secret_backend(mount_point=self.TEST_MOUNT_POINT) super(TestTransit, self).tearDown() @parameterized.expand([ param('success', ), ]) def test_create_key(self, label, raises=False, exception_message=''): key_name = 'testkey' if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.create_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: create_key_response = self.client.secrets.transit.create_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) self.assertEqual( first=create_key_response.status_code, second=204, ) @parameterized.expand([ param('success', ), ]) def test_read_key(self, label, raises=False, exception_message=''): key_name = 'testkey' create_key_response = self.client.secrets.transit.create_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.read_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: read_key_response = self.client.secrets.transit.read_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('read_key_response: %s' % read_key_response) self.assertEqual( first=read_key_response['data']['name'], second=key_name, ) @parameterized.expand([ param('success', ), ]) def test_list_keys(self, label, raises=False, exception_message=''): key_name = 'testkey' create_key_response = self.client.secrets.transit.create_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.list_keys( mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: list_keys_response = self.client.secrets.transit.list_keys( mount_point=self.TEST_MOUNT_POINT, ) logging.debug('list_keys_response: %s' % list_keys_response) self.assertEqual( first=list_keys_response['data']['keys'], second=[key_name], ) @parameterized.expand([ param('success', ), ]) def test_delete_key(self, label, raises=False, exception_message=''): key_name = 'testkey' create_key_response = self.client.secrets.transit.create_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) update_key_configuration_response = self.client.secrets.transit.update_key_configuration( name=key_name, deletion_allowed=True, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('update_key_configuration_response: %s' % update_key_configuration_response) if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.delete_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: delete_key_response = self.client.secrets.transit.delete_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('delete_key_response: %s' % delete_key_response) self.assertEqual( first=delete_key_response.status_code, second=204, ) @parameterized.expand([ param('success', ), ]) def test_rotate_key(self, label, raises=False, exception_message=''): key_name = 'testkey' create_key_response = self.client.secrets.transit.create_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.rotate_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: rotate_key_response = self.client.secrets.transit.rotate_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('rotate_key_response: %s' % rotate_key_response) self.assertEqual( first=rotate_key_response.status_code, second=204, ) @parameterized.expand([ param('success', ), param( 'invalid key type', key_type='kitty-cat-key', raises=exceptions.ParamValidationError, exception_message='invalid key_type argument provided', ), ]) def test_export_key(self, label, key_type='hmac-key', raises=False, exception_message=''): key_name = 'testkey' create_key_response = self.client.secrets.transit.create_key( name=key_name, exportable=True, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.export_key( name=key_name, key_type=key_type, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: export_key_response = self.client.secrets.transit.export_key( name=key_name, key_type=key_type, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('export_key_response: %s' % export_key_response) self.assertEqual( first=len(export_key_response['data']['keys']), second=1, ) self.assertEqual( first=export_key_response['data']['name'], second=key_name, ) @parameterized.expand([ param('success', ), ]) def test_encrypt_data(self, label, plaintext='hi itsame hvac', raises=False, exception_message=''): key_name = 'testkey' plaintext = utils.base64ify(plaintext) create_key_response = self.client.secrets.transit.create_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.encrypt_data( name=key_name, plaintext=plaintext, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: encrypt_data_response = self.client.secrets.transit.encrypt_data( name=key_name, plaintext=plaintext, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('encrypt_data_response: %s' % encrypt_data_response) self.assertIn( member='ciphertext', container=encrypt_data_response['data'], ) @parameterized.expand([ param('success', ), ]) def test_decrypt_data(self, label, plaintext='hi itsame hvac', raises=False, exception_message=''): key_name = 'testkey' plaintext = utils.base64ify(plaintext) create_key_response = self.client.secrets.transit.create_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) encrypt_data_response = self.client.secrets.transit.encrypt_data( name=key_name, plaintext=plaintext, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('encrypt_data_response: %s' % encrypt_data_response) ciphertext = encrypt_data_response['data']['ciphertext'] if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.decrypt_data( name=key_name, ciphertext=ciphertext, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: decrypt_data_response = self.client.secrets.transit.decrypt_data( name=key_name, ciphertext=ciphertext, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('decrypt_data_response: %s' % decrypt_data_response) self.assertIn( member=plaintext, container=decrypt_data_response['data']['plaintext'], ) @parameterized.expand([ param('success', ), ]) def test_rewrap_data(self, label, plaintext='hi itsame hvac', raises=False, exception_message=''): key_name = 'testkey' plaintext = utils.base64ify(plaintext) create_key_response = self.client.secrets.transit.create_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) encrypt_data_response = self.client.secrets.transit.encrypt_data( name=key_name, plaintext=plaintext, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('encrypt_data_response: %s' % encrypt_data_response) ciphertext = encrypt_data_response['data']['ciphertext'] rotate_key_response = self.client.secrets.transit.rotate_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('rotate_key_response: %s' % rotate_key_response) if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.rewrap_data( name=key_name, ciphertext=ciphertext, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: rewrap_data_response = self.client.secrets.transit.rewrap_data( name=key_name, ciphertext=ciphertext, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('rewrap_data_response: %s' % rewrap_data_response) self.assertIn( member='ciphertext', container=rewrap_data_response['data'], ) @parameterized.expand([ param('success', ), param( 'invalid key type', key_type='kitty-cat-key', raises=exceptions.ParamValidationError, exception_message='invalid key_type argument provided', ), ]) def test_generate_data_key(self, label, key_type='plaintext', raises=False, exception_message=''): key_name = 'testkey' create_key_response = self.client.secrets.transit.create_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.generate_data_key( name=key_name, key_type=key_type, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: gen_data_key_response = self.client.secrets.transit.generate_data_key( name=key_name, key_type=key_type, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('gen_data_key_response: %s' % gen_data_key_response) self.assertIn( member='ciphertext', container=gen_data_key_response['data'], ) @parameterized.expand([ param('success', ), ]) def test_generate_random_bytes(self, label, n_bytes=32, raises=False, exception_message=''): if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.generate_random_bytes( n_bytes=n_bytes, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: gen_bytes_response = self.client.secrets.transit.generate_random_bytes( n_bytes=n_bytes, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('gen_data_key_response: %s' % gen_bytes_response) self.assertIn( member='random_bytes', container=gen_bytes_response['data'], ) @parameterized.expand([ param('success', ), param( 'invalid algorithm', algorithm='meow2-256', raises=exceptions.ParamValidationError, exception_message='invalid algorithm argument provided', ), param( 'invalid output_format', output_format='kitty64', raises=exceptions.ParamValidationError, exception_message='invalid output_format argument provided', ), ]) def test_hash_data(self, label, hash_input='hash this ish', algorithm='sha2-256', output_format='hex', raises=False, exception_message=''): hash_input = utils.base64ify(hash_input) if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.hash_data( hash_input=hash_input, algorithm=algorithm, output_format=output_format, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: hash_data_response = self.client.secrets.transit.hash_data( hash_input=hash_input, algorithm=algorithm, output_format=output_format, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('hash_data_response: %s' % hash_data_response) self.assertIn( member='sum', container=hash_data_response['data'], ) @parameterized.expand([ param('success', ), param( 'invalid algorithm', algorithm='meow2-256', raises=exceptions.ParamValidationError, exception_message='invalid algorithm argument provided', ), ]) def test_generate_hmac(self, label, hash_input='hash this ish', algorithm='sha2-256', raises=False, exception_message=''): hash_input = utils.base64ify(hash_input) key_name = 'testkey' create_key_response = self.client.secrets.transit.create_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.generate_hmac( name=key_name, hash_input=hash_input, algorithm=algorithm, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: generate_hmac_response = self.client.secrets.transit.generate_hmac( name=key_name, hash_input=hash_input, algorithm=algorithm, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('generate_hmac_response: %s' % generate_hmac_response) self.assertIn( member='hmac', container=generate_hmac_response['data'], ) @parameterized.expand([ param('success', ), param( 'invalid algorithm', hash_algorithm='meow2-256', raises=exceptions.ParamValidationError, exception_message='invalid hash_algorithm argument provided', ), param( 'invalid signature_algorithm', signature_algorithm='pre-shared kitty cats', raises=exceptions.ParamValidationError, exception_message='invalid signature_algorithm argument provided', ), ]) def test_sign_data(self, label, hash_input='hash this ish', hash_algorithm='sha2-256', signature_algorithm='pss', raises=False, exception_message=''): hash_input = utils.base64ify(hash_input) key_name = 'testkey' key_type = 'ed25519' create_key_response = self.client.secrets.transit.create_key( name=key_name, key_type=key_type, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.sign_data( name=key_name, hash_input=hash_input, hash_algorithm=hash_algorithm, signature_algorithm=signature_algorithm, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: sign_data_response = self.client.secrets.transit.sign_data( name=key_name, hash_input=hash_input, hash_algorithm=hash_algorithm, signature_algorithm=signature_algorithm, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('sign_data_response: %s' % sign_data_response) self.assertIn( member='signature', container=sign_data_response['data'], ) @parameterized.expand([ param('success', ), param( 'invalid algorithm', hash_algorithm='meow2-256', raises=exceptions.ParamValidationError, exception_message='invalid hash_algorithm argument provided', ), param( 'invalid signature_algorithm', signature_algorithm='pre-shared kitty cats', raises=exceptions.ParamValidationError, exception_message='invalid signature_algorithm argument provided', ), ]) def test_verify_signed_data(self, label, hash_input='hash this ish', hash_algorithm='sha2-256', signature_algorithm='pss', raises=False, exception_message=''): hash_input = utils.base64ify(hash_input) key_name = 'testkey' key_type = 'ed25519' create_key_response = self.client.secrets.transit.create_key( name=key_name, key_type=key_type, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) sign_data_response = self.client.secrets.transit.sign_data( name=key_name, hash_input=hash_input, hash_algorithm='sha2-256', signature_algorithm='pss', mount_point=self.TEST_MOUNT_POINT, ) logging.debug('sign_data_response: %s' % sign_data_response) signature = sign_data_response['data']['signature'] if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.verify_signed_data( name=key_name, hash_input=hash_input, signature=signature, hash_algorithm=hash_algorithm, signature_algorithm=signature_algorithm, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: verify_signed_data_response = self.client.secrets.transit.verify_signed_data( name=key_name, hash_input=hash_input, signature=signature, hash_algorithm=hash_algorithm, signature_algorithm=signature_algorithm, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('verify_signed_data_response: %s' % verify_signed_data_response) self.assertTrue( expr=verify_signed_data_response['data']['valid'], ) @parameterized.expand([ param('success', ), param( 'allow_plaintext_backup false', allow_plaintext_backup=False, raises=exceptions.InternalServerError, exception_message='plaintext backup is disallowed on the policy', ), ]) @skipIf(utils.vault_version_lt('0.9.1'), "transit key export/restore added in Vault versions >=0.9.1") def test_backup_key(self, label, allow_plaintext_backup=True, raises=False, exception_message=''): key_name = 'testkey' create_key_response = self.client.secrets.transit.create_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) update_key_configuration_response = self.client.secrets.transit.update_key_configuration( name=key_name, exportable=True, allow_plaintext_backup=allow_plaintext_backup, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('update_key_configuration_response: %s' % update_key_configuration_response) if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.backup_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: backup_key_response = self.client.secrets.transit.backup_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('backup_key_response: %s' % backup_key_response) self.assertIn( member='backup', container=backup_key_response['data'], ) @parameterized.expand([ param('success', ), param( 'success with force', force=True, ), param( 'existing key without force', name=None, raises=exceptions.InternalServerError, exception_message='already exists', ), ]) @skipIf(utils.vault_version_lt('0.9.1'), "transit key export/restore added in Vault versions >=0.9.1") def test_restore_key(self, label, name='new_test_ky', force=False, raises=False, exception_message=''): key_name = 'testkey' create_key_response = self.client.secrets.transit.create_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) update_key_configuration_response = self.client.secrets.transit.update_key_configuration( name=key_name, exportable=True, allow_plaintext_backup=True, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('update_key_configuration_response: %s' % update_key_configuration_response) backup_key_response = self.client.secrets.transit.backup_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('backup_key_response: %s' % backup_key_response) backup = backup_key_response['data']['backup'] if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.restore_key( backup=backup, name=name, force=force, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: restore_key_response = self.client.secrets.transit.restore_key( backup=backup, name=name, force=force, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('restore_key_response: %s' % restore_key_response) self.assertEqual( first=restore_key_response.status_code, second=204, ) @parameterized.expand([ param('success', ), ]) @skipIf(utils.vault_version_lt('0.11.4'), "transit key trimming added in Vault versions >=0.11.4") def test_trim_key(self, label, min_version=2, raises=False, exception_message=''): key_name = 'testkey' create_key_response = self.client.secrets.transit.create_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_key_response: %s' % create_key_response) for _ in range(0, 10): rotate_key_response = self.client.secrets.transit.rotate_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('rotate_key_response: %s' % rotate_key_response) update_key_configuration_response = self.client.secrets.transit.update_key_configuration( name=key_name, min_decryption_version=3, min_encryption_version=9, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('update_key_configuration_response: %s' % update_key_configuration_response) read_key_response = self.client.secrets.transit.read_key( name=key_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('read_key_response: %s' % read_key_response) if raises: with self.assertRaises(raises) as cm: self.client.secrets.transit.trim_key( name=key_name, min_version=min_version, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: trim_key_response = self.client.secrets.transit.trim_key( name=key_name, min_version=min_version, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('trim_key_response: %s' % trim_key_response) self.assertEqual( first=trim_key_response.status_code, second=204, )
import logging from unittest import TestCase from unittest import skipIf from parameterized import parameterized, param from hvac import exceptions from tests import utils from tests.utils.hvac_integration_test_case import HvacIntegrationTestCase @skipIf(utils.vault_version_lt('0.8.3'), "Kubernetes auth method not available before Vault version 0.8.3") class TestKubernetes(HvacIntegrationTestCase, TestCase): TEST_MOUNT_POINT = 'kubernetes-test' def setUp(self): super(TestKubernetes, self).setUp() if '%s/' % self.TEST_MOUNT_POINT not in self.client.list_auth_backends( ): self.client.enable_auth_backend( backend_type='kubernetes', mount_point=self.TEST_MOUNT_POINT, ) def tearDown(self): super(TestKubernetes, self).tearDown() self.client.disable_auth_backend(mount_point=self.TEST_MOUNT_POINT, ) @parameterized.expand([ param('success', ),
import logging from unittest import TestCase from unittest import skipIf from parameterized import parameterized, param from hvac import exceptions from tests import utils from tests.utils.hvac_integration_test_case import HvacIntegrationTestCase @skipIf(utils.vault_version_lt('0.8.3'), "Kubernetes auth method not available before Vault version 0.8.3") class TestKubernetes(HvacIntegrationTestCase, TestCase): TEST_MOUNT_POINT = 'kubernetes-test' def setUp(self): super(TestKubernetes, self).setUp() if '%s/' % self.TEST_MOUNT_POINT not in self.client.list_auth_backends(): self.client.enable_auth_backend( backend_type='kubernetes', mount_point=self.TEST_MOUNT_POINT, ) def tearDown(self): super(TestKubernetes, self).tearDown() self.client.disable_auth_backend( mount_point=self.TEST_MOUNT_POINT, ) @parameterized.expand([ param(
import json import logging from unittest import TestCase, skipIf from parameterized import parameterized, param from tests import utils from tests.utils.hvac_integration_test_case import HvacIntegrationTestCase @skipIf(utils.vault_version_lt('0.9.0'), "Policy class uses new parameters added >= Vault 0.9.0") class TestPolicy(HvacIntegrationTestCase, TestCase): TEST_POLICY_NAME = 'test-policy-policy' def tearDown(self): self.client.sys.delete_policy( name=self.TEST_POLICY_NAME, ) super(TestPolicy, self).tearDown() @parameterized.expand([ param( 'success', ), param( 'pretty print false', pretty_print=False, ), ]) @skipIf(utils.vault_version_eq('0.11.0'), "Policy parsing broken in Vault version 0.11.0") def test_create_or_update_policy(self, label, pretty_print=True):