def test_configure_and_read_configuration(self, test_label, organization, base_url, ttl, max_ttl): config_response = self.client.auth.github.configure( organization=organization, base_url=base_url, ttl=ttl, max_ttl=max_ttl, mount_point=self.TEST_GITHUB_PATH, ) logging.debug('config_response: {}'.format(config_response)) self.assertEqual(first=204, second=config_response.status_code) read_config_response = self.client.auth.github.read_configuration( mount_point=self.TEST_GITHUB_PATH, ) logging.debug('read_config_response: {}'.format(read_config_response)) self.assertEqual(first=organization, second=read_config_response['data']['organization']) self.assertEqual(first=base_url, second=read_config_response['data']['base_url']) ttl_data_key = 'token_ttl' if utils.vault_version_ge( '1.2.0') else 'ttl' max_ttl_data_key = 'token_max_ttl' if utils.vault_version_ge( '1.2.0') else 'max_ttl' self.assertEqual( first=self.convert_python_ttl_value_to_expected_vault_response( ttl_value=ttl), second=read_config_response['data'][ttl_data_key]) self.assertEqual( first=self.convert_python_ttl_value_to_expected_vault_response( ttl_value=max_ttl), second=read_config_response['data'][max_ttl_data_key])
def test_ec2_role_token_lifespan(self): if 'aws-ec2/' not in self.client.list_auth_backends()['data']: self.client.enable_auth_backend('aws-ec2') # create a policy to associate with the role self.prep_policy('ec2rolepolicy') # create a role with no TTL self.client.create_ec2_role('foo', 'ami-notarealami', policies='ec2rolepolicy') # create a role with a 1hr TTL self.client.create_ec2_role('bar', 'ami-notarealami', ttl='1h', policies='ec2rolepolicy') # create a role with a 3-day max TTL self.client.create_ec2_role('baz', 'ami-notarealami', max_ttl='72h', policies='ec2rolepolicy') # create a role with 1-day period self.client.create_ec2_role('qux', 'ami-notarealami', period='24h', policies='ec2rolepolicy') foo_role = self.client.get_ec2_role('foo') ttl_data_key = 'token_ttl' if utils.vault_version_ge( '1.2.0') else 'ttl' assert (foo_role['data'][ttl_data_key] == 0) bar_role = self.client.get_ec2_role('bar') assert (bar_role['data']['ttl'] == 3600) baz_role = self.client.get_ec2_role('baz') max_ttl_data_key = 'token_max_ttl' if utils.vault_version_ge( '1.2.0') else 'max_ttl' assert (baz_role['data'][max_ttl_data_key] == 259200) qux_role = self.client.get_ec2_role('qux') assert (qux_role['data']['period'] == 86400) # teardown self.client.delete_ec2_role('foo') self.client.delete_ec2_role('bar') self.client.delete_ec2_role('baz') self.client.delete_ec2_role('qux') self.client.delete_policy('ec2rolepolicy') self.client.disable_auth_backend('aws-ec2')
def test_configure_and_read_configuration(self, test_label, max_versions=10, cas_required=None, delete_version_after="0s"): configure_arguments = dict( delete_version_after=delete_version_after, mount_point=self.DEFAULT_MOUNT_POINT, ) if max_versions is not None: configure_arguments['max_versions'] = max_versions if cas_required is not None: configure_arguments['cas_required'] = cas_required self.client.secrets.kv.v2.configure(**configure_arguments) read_configuration_response = self.client.secrets.kv.v2.read_configuration( mount_point=self.DEFAULT_MOUNT_POINT, ) logging.debug('read_configuration_response: %s' % read_configuration_response) self.assertEqual( first=max_versions, second=read_configuration_response['data']['max_versions'], ) self.assertEqual( first=cas_required or False, second=read_configuration_response['data']['cas_required'], ) if utils.vault_version_ge('1.5.0'): # delete_version_after wasn't returned in this response when unset before 1.5.0 self.assertEqual( first=delete_version_after, second=read_configuration_response['data'] ['delete_version_after'], )
def test_read_role(self, label, create_role_first=True, raises=None, exception_message=''): role_name = 'hvac' project_id = 'test-hvac-project-not-a-real-project' if create_role_first: self.client.auth.gcp.create_role( name=role_name, role_type='gce', project_id=project_id, bound_service_accounts=[ '*****@*****.**' ], mount_point=self.TEST_MOUNT_POINT, ) if raises: with self.assertRaises(raises) as cm: self.client.auth.gcp.read_role( name=role_name, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: read_role_response = self.client.auth.gcp.read_role( name=role_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_role_response: %s' % read_role_response) if utils.vault_version_ge('1.0.0'): returned_project_id = read_role_response['bound_projects'] expected_project_id = [project_id] else: returned_project_id = read_role_response['project_id'] expected_project_id = project_id self.assertEqual(first=returned_project_id, second=expected_project_id)
def test_read_role(self, label, create_role_first=True, raises=None, exception_message=''): role_name = 'hvac' project_id = 'test-hvac-project-not-a-real-project' if create_role_first: self.client.auth.gcp.create_role( name=role_name, role_type='gce', project_id=project_id, bound_service_accounts=['*****@*****.**'], mount_point=self.TEST_MOUNT_POINT, ) if raises: with self.assertRaises(raises) as cm: self.client.auth.gcp.read_role( name=role_name, mount_point=self.TEST_MOUNT_POINT, ) self.assertIn( member=exception_message, container=str(cm.exception), ) else: read_role_response = self.client.auth.gcp.read_role( name=role_name, mount_point=self.TEST_MOUNT_POINT, ) logging.debug('create_role_response: %s' % read_role_response) if utils.vault_version_ge('1.0.0'): returned_project_id = read_role_response['bound_projects'] expected_project_id = [project_id] else: returned_project_id = read_role_response['project_id'] expected_project_id = project_id self.assertEqual( first=returned_project_id, second=expected_project_id )
class TestLdap(HvacIntegrationTestCase, TestCase): TEST_LDAP_PATH = 'test-ldap' ldap_server = None mock_server_port = None mock_ldap_url = None @classmethod def setUpClass(cls): super(TestLdap, cls).setUpClass() logging.getLogger('ldap_test').setLevel(logging.ERROR) cls.mock_server_port = utils.get_free_port() cls.mock_ldap_url = 'ldap://localhost:{port}'.format(port=cls.mock_server_port) cls.ldap_server = LdapServer({ 'port': cls.mock_server_port, 'bind_dn': LDAP_BIND_DN, 'password': LDAP_BIND_PASSWORD, 'base': { 'objectclass': ['domain'], 'dn': LDAP_BASE_DN, 'attributes': {'dc': LDAP_BASE_DC} }, 'entries': LDAP_ENTRIES, }) cls.ldap_server.start() @classmethod def tearDownClass(cls): super(TestLdap, cls).tearDownClass() cls.ldap_server.stop() def setUp(self): super(TestLdap, self).setUp() if 'ldap/' not in self.client.list_auth_backends(): self.client.sys.enable_auth_method( method_type='ldap', path=self.TEST_LDAP_PATH ) def tearDown(self): super(TestLdap, self).tearDown() self.client.disable_auth_backend( mount_point=self.TEST_LDAP_PATH, ) @parameterized.expand([ ('update url', dict(url=LDAP_URL)), ('update binddn', dict(url=LDAP_URL, bind_dn='cn=vault,ou=Users,dc=hvac,dc=network')), ('update upn_domain', dict(url=LDAP_URL, upn_domain='python-hvac.org')), ('update certificate', dict(url=LDAP_URL, certificate=utils.load_config_file('server-cert.pem'))), ('incorrect tls version', dict(url=LDAP_URL, tls_min_version='cats'), exceptions.InvalidRequest, "invalid 'tls_min_version'"), ]) def test_configure(self, test_label, parameters, raises=None, exception_message=''): parameters.update({ 'user_dn': LDAP_USERS_DN, 'group_dn': LDAP_GROUPS_DN, 'mount_point': self.TEST_LDAP_PATH, }) if raises: with self.assertRaises(raises) as cm: self.client.auth.ldap.configure(**parameters) self.assertIn( member=exception_message, container=str(cm.exception), ) else: expected_status_code = 204 configure_response = self.client.auth.ldap.configure(**parameters) self.assertEqual( first=expected_status_code, second=configure_response.status_code ) read_config_response = self.client.auth.ldap.read_configuration( mount_point=self.TEST_LDAP_PATH, ) for parameter, argument in parameters.items(): if parameter == 'mount_point': continue self.assertIn( member=argument, container=read_config_response['data'].values(), ) def test_read_configuration(self): response = self.client.auth.ldap.read_configuration( mount_point=self.TEST_LDAP_PATH, ) self.assertIn( member='data', container=response, ) @parameterized.expand([ ('no policies', 'cats'), ('policies as list', 'cats', ['purr-policy']), ('policies as invalid type', 'cats', 'purr-policy', exceptions.ParamValidationError, '"policies" argument must be an instance of list'), ]) def test_create_or_update_group(self, test_label, name, policies=None, raises=None, exception_message=''): expected_status_code = 204 if raises: with self.assertRaises(raises) as cm: create_response = self.client.auth.ldap.create_or_update_group( name=name, policies=policies, mount_point=self.TEST_LDAP_PATH, ) if exception_message is not None: self.assertIn( member=exception_message, container=str(cm.exception), ) else: create_response = self.client.auth.ldap.create_or_update_group( name=name, policies=policies, mount_point=self.TEST_LDAP_PATH, ) self.assertEqual( first=expected_status_code, second=create_response.status_code ) @parameterized.expand([ ('read configured groups', 'cats'), ('non-existent groups', 'cats', False, exceptions.InvalidPath), ]) def test_list_groups(self, test_label, name, configure_first=True, raises=None, exception_message=None): if configure_first: self.client.auth.ldap.create_or_update_group( name=name, mount_point=self.TEST_LDAP_PATH, ) if raises: with self.assertRaises(raises) as cm: self.client.auth.ldap.list_groups( mount_point=self.TEST_LDAP_PATH, ) if exception_message is not None: self.assertIn( member=exception_message, container=str(cm.exception), ) else: list_groups_response = self.client.auth.ldap.list_groups( mount_point=self.TEST_LDAP_PATH, ) # raise Exception(list_groups_response) self.assertDictEqual( d1=dict(keys=[name]), d2=list_groups_response['data'], ) @parameterized.expand([ ('read configured group', 'cats'), ('non-existent group', 'cats', False, exceptions.InvalidPath), ]) def test_read_group(self, test_label, name, configure_first=True, raises=None, exception_message=None): if configure_first: self.client.auth.ldap.create_or_update_group( name=name, mount_point=self.TEST_LDAP_PATH, ) if raises: with self.assertRaises(raises) as cm: self.client.auth.ldap.read_group( name=name, mount_point=self.TEST_LDAP_PATH, ) if exception_message is not None: self.assertIn( member=exception_message, container=str(cm.exception), ) else: read_group_response = self.client.auth.ldap.read_group( name=name, mount_point=self.TEST_LDAP_PATH, ) self.assertIn( member='policies', container=read_group_response['data'], ) @parameterized.expand([ ('no policies or groups', 'cats'), ('policies as list', 'cats', ['purr-policy']), ('policies as invalid type', 'cats', 'purr-policy', None, exceptions.ParamValidationError, '"policies" argument must be an instance of list'), ('no groups', 'cats', ['purr-policy']), ('groups as list', 'cats', None, ['meow-group']), ('groups as invalid type', 'cats', None, 'meow-group', exceptions.ParamValidationError, '"groups" argument must be an instance of list'), ]) def test_create_or_update_user(self, test_label, username, policies=None, groups=None, raises=None, exception_message=''): expected_status_code = 204 if raises: with self.assertRaises(raises) as cm: self.client.auth.ldap.create_or_update_user( username=username, policies=policies, groups=groups, mount_point=self.TEST_LDAP_PATH, ) if exception_message is not None: self.assertIn( member=exception_message, container=str(cm.exception), ) else: create_response = self.client.auth.ldap.create_or_update_user( username=username, policies=policies, groups=groups, mount_point=self.TEST_LDAP_PATH, ) self.assertEqual( first=expected_status_code, second=create_response.status_code ) @parameterized.expand([ ('read configured group', 'cats'), ('non-existent group', 'cats', False, exceptions.InvalidPath), ]) def test_delete_group(self, test_label, name, configure_first=True, raises=None, exception_message=None): if configure_first: self.client.auth.ldap.create_or_update_group( name=name, mount_point=self.TEST_LDAP_PATH, ) expected_status_code = 204 delete_group_response = self.client.auth.ldap.delete_group( name=name, mount_point=self.TEST_LDAP_PATH, ) self.assertEqual( first=expected_status_code, second=delete_group_response.status_code ) @parameterized.expand([ ('read configured user', 'cats'), ('non-existent user', 'cats', False, exceptions.InvalidPath), ]) def test_list_users(self, test_label, username, configure_first=True, raises=None, exception_message=None): if configure_first: self.client.auth.ldap.create_or_update_user( username=username, mount_point=self.TEST_LDAP_PATH, ) if raises: with self.assertRaises(raises) as cm: self.client.auth.ldap.list_users( mount_point=self.TEST_LDAP_PATH, ) if exception_message is not None: self.assertIn( member=exception_message, container=str(cm.exception), ) else: list_users_response = self.client.auth.ldap.list_users( mount_point=self.TEST_LDAP_PATH, ) self.assertDictEqual( d1=dict(keys=[username]), d2=list_users_response['data'], ) @parameterized.expand([ ('read configured user', 'cats'), ('non-existent user', 'cats', False, exceptions.InvalidPath), ]) def test_read_user(self, test_label, username, configure_first=True, raises=None, exception_message=None): if configure_first: self.client.auth.ldap.create_or_update_user( username=username, mount_point=self.TEST_LDAP_PATH, ) if raises: with self.assertRaises(raises) as cm: self.client.auth.ldap.read_user( username=username, mount_point=self.TEST_LDAP_PATH, ) if exception_message is not None: self.assertIn( member=exception_message, container=str(cm.exception), ) else: read_user_response = self.client.auth.ldap.read_user( username=username, mount_point=self.TEST_LDAP_PATH, ) self.assertIn( member='policies', container=read_user_response['data'], ) @parameterized.expand([ ('read configured user', 'cats'), ('non-existent user', 'cats', False, exceptions.InvalidPath), ]) def test_delete_user(self, test_label, username, configure_first=True, raises=None, exception_message=None): if configure_first: self.client.auth.ldap.create_or_update_user( username=username, mount_point=self.TEST_LDAP_PATH, ) expected_status_code = 204 delete_user_response = self.client.auth.ldap.delete_user( username=username, mount_point=self.TEST_LDAP_PATH, ) self.assertEqual( first=expected_status_code, second=delete_user_response.status_code ) @parameterized.expand([ param( label='working creds with policy' ), param( label='invalid creds', username='******', password='******', attach_policy=False, raises=exceptions.InvalidRequest, ), # The following two test cases cover either side of the associated changelog entry for LDAP auth here: # https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#0103-june-20th-2018 param( label='working creds no membership with Vault version >= 0.10.3', attach_policy=False, skip_due_to_vault_version=utils.vault_version_lt('0.10.3'), ), param( label='working creds no membership with Vault version < 0.10.3', attach_policy=False, raises=exceptions.InvalidRequest, exception_message='user is not a member of any authorized group', skip_due_to_vault_version=utils.vault_version_ge('0.10.3'), ), ]) def test_login(self, label, username=LDAP_USER_NAME, password=LDAP_USER_PASSWORD, attach_policy=True, raises=None, exception_message='', skip_due_to_vault_version=False): if skip_due_to_vault_version: self.skipTest(reason='test case does not apply to Vault version under test') test_policy_name = 'test-ldap-policy' self.client.auth.ldap.configure( url=self.mock_ldap_url, bind_dn=self.ldap_server.config['bind_dn'], bind_pass=self.ldap_server.config['password'], user_dn=LDAP_USERS_DN, user_attr='uid', group_dn=LDAP_GROUPS_DN, group_attr='cn', insecure_tls=True, mount_point=self.TEST_LDAP_PATH, ) if attach_policy: self.prep_policy(test_policy_name) self.client.auth.ldap.create_or_update_group( name=LDAP_GROUP_NAME, policies=[test_policy_name], mount_point=self.TEST_LDAP_PATH, ) if raises: with self.assertRaises(raises) as cm: self.client.auth.ldap.login( username=username, password=password, mount_point=self.TEST_LDAP_PATH, ) if exception_message is not None: self.assertIn( member=exception_message, container=str(cm.exception), ) else: login_response = self.client.auth.ldap.login( username=username, password=password, mount_point=self.TEST_LDAP_PATH, ) self.assertDictEqual( d1=dict(username=username), d2=login_response['auth']['metadata'], ) self.assertEqual( first=login_response['auth']['client_token'], second=self.client.token, ) if attach_policy: expected_policies = ['default', test_policy_name] else: expected_policies = ['default'] self.assertEqual( first=expected_policies, second=login_response['auth']['policies'] )