def test_kubernetes_dejson(self, mock_hvac, mock_get_connection):
    """Kubernetes auth reads the service-account JWT from a file and logs in with it.

    The hook is expected to open ``kubernetes_jwt_path``, hand the file
    contents to ``auth_kubernetes`` as ``jwt`` together with the configured
    role, and fall back to KV engine version 2 when none is given.
    """
    # NOTE(review): despite the ``_dejson`` name, every Kubernetes setting is
    # passed as a constructor keyword here and the connection extras are empty.
    extras = {}
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    # open() is patched so the JWT comes from the fake file, never from disk.
    with patch("builtins.open", mock_open(read_data="data")) as jwt_file:
        hook = VaultHook(
            kubernetes_role="kube_role",
            kubernetes_jwt_path="path",
            auth_type="kubernetes",
            vault_conn_id="vault_conn_id",
        )
        client = hook.get_conn()

    mock_get_connection.assert_called_with("vault_conn_id")
    jwt_file.assert_called_with("path")
    mock_hvac.Client.assert_called_with(url="http://localhost:8180")
    client.auth_kubernetes.assert_called_with(role="kube_role", jwt="data")
    client.is_authenticated.assert_called_with()
    self.assertEqual(2, hook.vault_client.kv_engine_version)
def test_azure_dejson(self, mock_hvac, mock_get_connection):
    """Azure auth configured purely through the connection's extras.

    Tenant id and resource come from the extras; the client id and secret
    asserted below ("user" / "pass") are not set in this test, so they
    presumably come from the login/password of ``get_mock_connection()``.
    """
    extras = {
        "auth_type": "azure",
        "azure_tenant_id": "tenant_id",
        "azure_resource": "resource",
    }
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    hook = VaultHook(vault_conn_id="vault_conn_id")
    mock_get_connection.assert_called_with("vault_conn_id")

    client = hook.get_conn()
    mock_hvac.Client.assert_called_with(url="http://localhost:8180")
    client.auth.azure.configure.assert_called_with(
        tenant_id="tenant_id",
        resource="resource",
        client_id="user",
        client_secret="pass",
    )
    client.is_authenticated.assert_called_with()
    assert 2 == hook.vault_client.kv_engine_version
def test_gcp_dejson(self, mock_hvac, mock_get_connection, mock_get_credentials, mock_get_scopes):
    """GCP auth configured through the connection's extras.

    The comma-separated ``gcp_scopes`` string must be handed to the scope
    parser, the parsed list plus ``gcp_key_path`` to the credential loader,
    and only the credentials object (not the project id) to hvac.
    """
    extras = {
        "auth_type": "gcp",
        "gcp_key_path": "path.json",
        "gcp_scopes": "scope1,scope2",
    }
    # Both GCP helpers are stubbed, so no key file is read in this test.
    mock_get_scopes.return_value = ["scope1", "scope2"]
    mock_get_credentials.return_value = ("credentials", "project_id")

    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    hook = VaultHook(vault_conn_id="vault_conn_id")
    client = hook.get_conn()

    mock_get_connection.assert_called_with("vault_conn_id")
    mock_get_scopes.assert_called_with("scope1,scope2")
    mock_get_credentials.assert_called_with(key_path="path.json", scopes=["scope1", "scope2"])
    mock_hvac.Client.assert_called_with(url="http://localhost:8180")
    client.auth.gcp.configure.assert_called_with(credentials="credentials")
    client.is_authenticated.assert_called_with()
    self.assertEqual(2, hook.vault_client.kv_engine_version)
def test_get_existing_key_v1(self, mock_hvac, mock_get_connection):
    """``get_secret`` on a KV v1 engine returns only the ``data`` payload.

    The Vault response envelope (request id, lease fields, ...) must be
    stripped, and the read must target the default ``secret`` mount point.
    """
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault
    # Canned KV v1 response: the secret sits directly under 'data'.
    vault.secrets.kv.v1.read_secret.return_value = {
        'request_id': '182d0673-618c-9889-4cba-4e1f4cfe4b4b',
        'lease_id': '',
        'renewable': False,
        'lease_duration': 2764800,
        'data': {'value': 'world'},
        'wrap_info': None,
        'warnings': None,
        'auth': None,
    }

    extras = {}
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn

    hook = VaultHook(vault_conn_id="vault_conn_id", auth_type="token", kv_engine_version=1)
    # The path is literally named "missing", but the mock answers for any path.
    secret = hook.get_secret(secret_path="missing")

    self.assertEqual({'value': 'world'}, secret)
    vault.secrets.kv.v1.read_secret.assert_called_once_with(mount_point='secret', path='missing')
def test_create_or_update_secret_v2_cas(self, mock_hvac, mock_get_connection):
    """``create_or_update_secret`` forwards ``cas`` unchanged on KV v2.

    ``cas`` is the check-and-set value of the KV v2 write call; the test
    pins that the hook neither drops nor rewrites it.
    """
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    extras = {}
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn

    hook = VaultHook(vault_conn_id="vault_conn_id", auth_type="token", kv_engine_version=2)
    hook.create_or_update_secret(secret_path="path", secret={'key': 'value'}, cas=10)

    vault.secrets.kv.v2.create_or_update_secret.assert_called_once_with(
        mount_point='secret',
        secret_path='path',
        secret={'key': 'value'},
        cas=10,
    )
def test_get_secret_metadata_v2(self, mock_hvac, mock_get_connection):
    """``get_secret_metadata`` returns the KV v2 metadata response as-is."""

    def metadata_response():
        # Build a fresh dict on every call so the expected value and the
        # mocked return value never share one object.
        return {
            'request_id': '94011e25-f8dc-ec29-221b-1f9c1d9ad2ae',
            'lease_id': '',
            'renewable': False,
            'lease_duration': 0,
            'metadata': [
                {
                    'created_time': '2020-03-16T21:01:43.331126Z',
                    'deletion_time': '',
                    'destroyed': False,
                    'version': 1,
                },
                {
                    'created_time': '2020-03-16T21:01:43.331126Z',
                    'deletion_time': '',
                    'destroyed': False,
                    'version': 2,
                },
            ],
        }

    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault
    vault.secrets.kv.v2.read_secret_metadata.return_value = metadata_response()

    extras = {}
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn

    hook = VaultHook(vault_conn_id="vault_conn_id", auth_type="token", kv_engine_version=2)
    metadata = hook.get_secret_metadata(secret_path="missing")

    assert metadata_response() == metadata
    vault.secrets.kv.v2.read_secret_metadata.assert_called_once_with(
        mount_point='secret', path='missing'
    )
def test_token_init_params(self, mock_hvac, mock_get_connection):
    """Token auth set via constructor kwargs puts a token on the hvac client.

    The expected token "pass" is not set in this test, so it presumably is
    the password of ``get_mock_connection()``. Engine version 2 and the
    ``secret`` mount point are checked as well.
    """
    extras = {}
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    hook = VaultHook(vault_conn_id="vault_conn_id", auth_type="token", kv_engine_version=2)
    mock_get_connection.assert_called_with("vault_conn_id")

    client = hook.get_conn()
    # NOTE(review): the default mock connection resolves to a plain-http URL.
    # That is harmless against a mocked client; a real Vault connection should
    # use https so the token is not sent in clear text.
    mock_hvac.Client.assert_called_with(url="http://localhost:8180")
    client.is_authenticated.assert_called_with()
    assert "pass" == client.token
    assert 2 == hook.vault_client.kv_engine_version
    assert "secret" == hook.vault_client.mount_point
def test_get_existing_key_v2_version(self, mock_hvac, mock_get_connection):
    """``get_secret`` with ``secret_version`` reads that exact KV v2 version.

    KV v2 nests the secret under ``data.data``; the hook must return only
    that inner dict and pass ``version=1`` through to hvac.
    """
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault
    # Canned KV v2 response: secret under data.data, version info beside it.
    vault.secrets.kv.v2.read_secret_version.return_value = {
        'request_id': '94011e25-f8dc-ec29-221b-1f9c1d9ad2ae',
        'lease_id': '',
        'renewable': False,
        'lease_duration': 0,
        'data': {
            'data': {'secret_key': 'secret_value'},
            'metadata': {
                'created_time': '2020-03-16T21:01:43.331126Z',
                'deletion_time': '',
                'destroyed': False,
                'version': 1,
            },
        },
        'wrap_info': None,
        'warnings': None,
        'auth': None,
    }

    extras = {}
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn

    hook = VaultHook(vault_conn_id="vault_conn_id", auth_type="token", kv_engine_version=2)
    secret = hook.get_secret(secret_path="missing", secret_version=1)

    self.assertEqual({'secret_key': 'secret_value'}, secret)
    vault.secrets.kv.v2.read_secret_version.assert_called_once_with(
        mount_point='secret', path='missing', version=1
    )
def test_github_init_params(self, mock_hvac, mock_get_connection):
    """GitHub auth selected via constructor kwargs logs in with a token.

    The expected token "pass" is not set in this test, so it presumably is
    the password of ``get_mock_connection()``.
    """
    extras = {}
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    hook = VaultHook(auth_type="github", vault_conn_id="vault_conn_id")
    mock_get_connection.assert_called_with("vault_conn_id")

    client = hook.get_conn()
    mock_hvac.Client.assert_called_with(url="http://localhost:8180")
    client.auth.github.login.assert_called_with(token="pass")
    client.is_authenticated.assert_called_with()
    self.assertEqual(2, hook.vault_client.kv_engine_version)
def test_aws_iam_dejson(self, mock_hvac, mock_get_connection):
    """AWS IAM auth configured through the connection's extras.

    ``role_id`` from the extras must reach hvac as ``role``; the access and
    secret key asserted below are not set in this test, so they presumably
    come from the login/password of ``get_mock_connection()``.
    """
    extras = {"auth_type": "aws_iam", "role_id": "role"}
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    hook = VaultHook(vault_conn_id="vault_conn_id")
    mock_get_connection.assert_called_with("vault_conn_id")

    client = hook.get_conn()
    mock_hvac.Client.assert_called_with(url="http://localhost:8180")
    # Unlike its sibling tests, this one makes no is_authenticated or
    # engine-version assertion.
    client.auth_aws_iam.assert_called_with(
        access_key='user',
        secret_key='pass',
        role="role",
    )
def test_radius_init_params(self, mock_hvac, mock_get_connection):
    """RADIUS auth set via constructor kwargs, with no port supplied.

    With ``radius_port`` omitted the hook must pass ``port=None`` to hvac.
    The shared secret "pass" is not set in this test, so it presumably is
    the password of ``get_mock_connection()``.
    """
    extras = {}
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    hook = VaultHook(
        auth_type="radius",
        radius_host="radhost",
        vault_conn_id="vault_conn_id",
    )
    mock_get_connection.assert_called_with("vault_conn_id")

    client = hook.get_conn()
    mock_hvac.Client.assert_called_with(url="http://localhost:8180")
    client.auth.radius.configure.assert_called_with(host="radhost", secret="pass", port=None)
    client.is_authenticated.assert_called_with()
    assert 2 == hook.vault_client.kv_engine_version
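def test_userpass_dejson(self, mock_hvac, mock_get_connection):
    """Userpass auth configured through the connection's extras.

    The hook must log in with the connection's credentials and default to
    KV engine version 2.
    """
    mock_client = mock.MagicMock()
    mock_hvac.Client.return_value = mock_client
    mock_connection = self.get_mock_connection()
    mock_get_connection.return_value = mock_connection

    connection_dict = {
        "auth_type": "userpass",
    }
    mock_connection.extra_dejson.get.side_effect = connection_dict.get

    kwargs = {
        "vault_conn_id": "vault_conn_id",
    }

    test_hook = VaultHook(**kwargs)
    mock_get_connection.assert_called_with("vault_conn_id")
    test_client = test_hook.get_conn()
    mock_hvac.Client.assert_called_with(url='http://localhost:8180')
    # The expected credentials had been masked to "******" for both fields,
    # which cannot match. The sibling tests built on the same
    # get_mock_connection() expect login "user" and password "pass"
    # (azure client_id/client_secret, aws_iam access_key/secret_key), so
    # those values are restored here.
    # NOTE(review): confirm against get_mock_connection().
    test_client.auth_userpass.assert_called_with(username="user", password="pass")
    test_client.is_authenticated.assert_called_with()
    assert 2 == test_hook.vault_client.kv_engine_version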
def test_version_as_string(self, mock_hvac, mock_get_connection):
    """A numeric string ``kv_engine_version`` in the extras becomes an int.

    The extras carry the version as the string "2", and the hook must
    expose the integer 2 on its client.
    """
    extras = {"auth_type": "userpass", "kv_engine_version": "2"}
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    hook = VaultHook(vault_conn_id="vault_conn_id")

    self.assertEqual(2, hook.vault_client.kv_engine_version)
def test_version_not_int(self, mock_hvac, mock_get_connection):
    """A non-numeric ``kv_engine_version`` in the extras is rejected.

    Constructing the hook must raise ``VaultError``, so a malformed
    connection is caught before any Vault call is made.
    """
    extras = {"auth_type": "userpass", "kv_engine_version": "text"}
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    # The error message echoes the offending value.
    with pytest.raises(VaultError, match='The version is not an int: text'):
        VaultHook(vault_conn_id="vault_conn_id")
def test_protocol(self, protocol, expected_url, mock_hvac, mock_get_connection):
    """The connection's ``conn_type`` determines the URL given to hvac.

    ``protocol`` and ``expected_url`` are supplied by the caller; the
    parameter table is not visible here. Each case builds a connection
    with ``conn_type=protocol`` and checks that the hvac client is created
    with ``expected_url`` and logs in through AppRole.
    """
    conn = self.get_mock_connection(conn_type=protocol)
    extras = {}
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    hook = VaultHook(
        vault_conn_id="vault_conn_id",
        auth_type="approle",
        role_id="role",
        kv_engine_version=2,
    )
    mock_get_connection.assert_called_with("vault_conn_id")

    client = hook.get_conn()
    mock_hvac.Client.assert_called_with(url=expected_url)
    # secret_id "pass" is not set here; presumably the connection's password.
    client.auth.approle.login.assert_called_with(role_id="role", secret_id="pass")
    client.is_authenticated.assert_called_with()
    assert 2 == hook.vault_client.kv_engine_version
def test_custom_auth_mount_point_dejson(self, mock_hvac, mock_get_connection):
    """``auth_mount_point`` from the extras is kept apart from the secrets mount.

    Only the auth mount point changes to "custom"; the secrets mount point
    stays at its default, "secret".
    """
    extras = {"auth_type": "userpass", "auth_mount_point": "custom"}
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    hook = VaultHook(vault_conn_id="vault_conn_id")

    assert "secret" == hook.vault_client.mount_point
    assert "custom" == hook.vault_client.auth_mount_point
def test_approle_dejson(self, mock_hvac, mock_get_connection):
    """AppRole auth configured through the connection's extras.

    ``role_id`` comes from the extras; the ``secret_id`` asserted below is
    not set in this test, so it presumably is the password of
    ``get_mock_connection()``.
    """
    extras = {
        "auth_type": "approle",
        'role_id': "role",
    }
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    hook = VaultHook(vault_conn_id="vault_conn_id")
    mock_get_connection.assert_called_with("vault_conn_id")

    client = hook.get_conn()
    mock_hvac.Client.assert_called_with(url="http://localhost:8180")
    # NOTE(review): this asserts on the client-level `auth_approle` method,
    # while test_protocol in this file asserts on `auth.approle.login` for the
    # same auth type. On a MagicMock only one of the two can match the hook's
    # real call -- confirm which API the hook uses.
    client.auth_approle.assert_called_with(role_id="role", secret_id="pass")
    client.is_authenticated.assert_called_with()
    self.assertEqual(2, hook.vault_client.kv_engine_version)
def test_custom_mount_point_dejson(self, mock_hvac, mock_get_connection):
    """The connection's ``schema`` field becomes the secrets mount point."""
    # The mount point comes from schema='custom', not from the extras.
    conn = self.get_mock_connection(schema='custom')
    extras = {
        "auth_type": "userpass",
    }
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    hook = VaultHook(vault_conn_id="vault_conn_id")

    self.assertEqual("custom", hook.vault_client.mount_point)
def test_radius_dejson_wrong_port(self, mock_hvac, mock_get_connection):
    """A non-numeric ``radius_port`` in the extras is rejected.

    Constructing the hook must raise ``VaultError``, so the bad port is
    caught before any RADIUS configuration reaches the Vault client.
    """
    extras = {
        "auth_type": "radius",
        "radius_host": "radhost",
        "radius_port": "wrong",
    }
    conn = self.get_mock_connection()
    conn.extra_dejson.get.side_effect = extras.get
    mock_get_connection.return_value = conn
    vault = mock.MagicMock()
    mock_hvac.Client.return_value = vault

    # The error message echoes the offending value.
    with pytest.raises(VaultError, match="Radius port was wrong: wrong"):
        VaultHook(vault_conn_id="vault_conn_id")