def test_radius_missing_secret(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
with self.assertRaisesRegex(VaultError, "radius_secret"):
_VaultClient(auth_type="radius",
radius_host="radhost",
url="http://localhost:8180")
def test_approle_missing_role(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
with self.assertRaisesRegex(VaultError, "requires 'role_id'"):
_VaultClient(auth_type="approle",
url="http://localhost:8180",
secret_id="pass")
def test_kubernetes_missing_role(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
with self.assertRaisesRegex(VaultError, "requires 'kubernetes_role'"):
_VaultClient(auth_type="kubernetes",
kubernetes_jwt_path="path",
url="http://localhost:8180")
def test_kubernetes_kubernetes_jwt_path_none(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
with pytest.raises(VaultError, match="requires 'kubernetes_jwt_path'"):
_VaultClient(
auth_type="kubernetes",
kubernetes_role='kube_role',
kubernetes_jwt_path=None,
url="http://localhost:8180",
)
def test_azure_missing_resource(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
with pytest.raises(VaultError, match="requires 'azure_resource'"):
_VaultClient(
auth_type="azure",
azure_tenant_id="tenant_id",
url="http://localhost:8180",
key_id="user",
secret_id='pass',
)
def test_azure_missing_tenant_id(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
with self.assertRaisesRegex(VaultError, "requires 'azure_tenant_id'"):
_VaultClient(
auth_type="azure",
azure_resource='resource',
url="http://localhost:8180",
key_id="user",
secret_id='pass',
)
def test_gcp_different_auth_mount_point(self, mock_hvac,
mock_get_credentials,
mock_get_scopes):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
mock_get_scopes.return_value = ['scope1', 'scope2']
mock_get_credentials.return_value = ("credentials", "project_id")
vault_client = _VaultClient(
auth_type="gcp",
gcp_key_path="path.json",
gcp_scopes="scope1,scope2",
url="http://localhost:8180",
auth_mount_point="other",
)
client = vault_client.client
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
mock_get_scopes.assert_called_with("scope1,scope2")
mock_get_credentials.assert_called_with(key_path="path.json",
keyfile_dict=None,
scopes=['scope1', 'scope2'])
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
client.auth.gcp.configure.assert_called_with(credentials="credentials",
mount_point="other")
client.is_authenticated.assert_called_with()
self.assertEqual(2, vault_client.kv_engine_version)
def test_get_existing_key_v2_version(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
mock_client.secrets.kv.v2.read_secret_version.return_value = {
'request_id': '94011e25-f8dc-ec29-221b-1f9c1d9ad2ae',
'lease_id': '',
'renewable': False,
'lease_duration': 0,
'data': {
'data': {
'secret_key': 'secret_value'
},
'metadata': {
'created_time': '2020-03-16T21:01:43.331126Z',
'deletion_time': '',
'destroyed': False,
'version': 1
}
},
'wrap_info': None,
'warnings': None,
'auth': None
}
vault_client = _VaultClient(auth_type="approle",
role_id="role",
url="http://localhost:8180",
secret_id="pass")
secret = vault_client.get_secret(secret_path="missing",
secret_version=1)
self.assertEqual({'secret_key': 'secret_value'}, secret)
mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
mount_point='secret', path='missing', version=1)
def test_get_existing_key_v1(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
mock_client.secrets.kv.v1.read_secret.return_value = {
'request_id': '182d0673-618c-9889-4cba-4e1f4cfe4b4b',
'lease_id': '',
'renewable': False,
'lease_duration': 2764800,
'data': {
'value': 'world'
},
'wrap_info': None,
'warnings': None,
'auth': None
}
vault_client = _VaultClient(auth_type="approle",
role_id="role",
url="http://localhost:8180",
secret_id="pass",
kv_engine_version=1)
secret = vault_client.get_secret(secret_path="missing")
self.assertEqual({'value': 'world'}, secret)
mock_client.secrets.kv.v1.read_secret.assert_called_once_with(
mount_point='secret', path='missing')
def test_get_secret_metadata_v2(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
mock_client.secrets.kv.v2.read_secret_metadata.return_value = {
'request_id':
'94011e25-f8dc-ec29-221b-1f9c1d9ad2ae',
'lease_id':
'',
'renewable':
False,
'lease_duration':
0,
'metadata': [
{
'created_time': '2020-03-16T21:01:43.331126Z',
'deletion_time': '',
'destroyed': False,
'version': 1,
},
{
'created_time': '2020-03-16T21:01:43.331126Z',
'deletion_time': '',
'destroyed': False,
'version': 2,
},
],
}
vault_client = _VaultClient(auth_type="token",
token="s.7AU0I51yv1Q1lxOIg1F3ZRAS",
url="http://localhost:8180")
metadata = vault_client.get_secret_metadata(secret_path="missing")
self.assertEqual(
{
'request_id':
'94011e25-f8dc-ec29-221b-1f9c1d9ad2ae',
'lease_id':
'',
'renewable':
False,
'lease_duration':
0,
'metadata': [
{
'created_time': '2020-03-16T21:01:43.331126Z',
'deletion_time': '',
'destroyed': False,
'version': 1,
},
{
'created_time': '2020-03-16T21:01:43.331126Z',
'deletion_time': '',
'destroyed': False,
'version': 2,
},
],
},
metadata,
)
mock_client.secrets.kv.v2.read_secret_metadata.assert_called_once_with(
mount_point='secret', path='missing')
def __init__( # pylint: disable=too-many-arguments
self,
connections_path: str = 'connections',
variables_path: str = 'variables',
config_path: str = 'config',
url: Optional[str] = None,
auth_type: str = 'token',
auth_mount_point: Optional[str] = None,
mount_point: str = 'secret',
kv_engine_version: int = 2,
token: Optional[str] = None,
token_path: Optional[str] = None,
username: Optional[str] = None,
password: Optional[str] = None,
key_id: Optional[str] = None,
secret_id: Optional[str] = None,
role_id: Optional[str] = None,
kubernetes_role: Optional[str] = None,
kubernetes_jwt_path:
str = '/var/run/secrets/kubernetes.io/serviceaccount/token',
gcp_key_path: Optional[str] = None,
gcp_keyfile_dict: Optional[dict] = None,
gcp_scopes: Optional[str] = None,
azure_tenant_id: Optional[str] = None,
azure_resource: Optional[str] = None,
radius_host: Optional[str] = None,
radius_secret: Optional[str] = None,
radius_port: Optional[int] = None,
**kwargs):
super().__init__()
self.connections_path = connections_path.rstrip('/')
self.variables_path = variables_path.rstrip('/')
self.config_path = config_path.rstrip('/')
self.mount_point = mount_point
self.kv_engine_version = kv_engine_version
self.vault_client = _VaultClient(
url=url,
auth_type=auth_type,
auth_mount_point=auth_mount_point,
mount_point=mount_point,
kv_engine_version=kv_engine_version,
token=token,
token_path=token_path,
username=username,
password=password,
key_id=key_id,
secret_id=secret_id,
role_id=role_id,
kubernetes_role=kubernetes_role,
kubernetes_jwt_path=kubernetes_jwt_path,
gcp_key_path=gcp_key_path,
gcp_keyfile_dict=gcp_keyfile_dict,
gcp_scopes=gcp_scopes,
azure_tenant_id=azure_tenant_id,
azure_resource=azure_resource,
radius_host=radius_host,
radius_secret=radius_secret,
radius_port=radius_port,
**kwargs)
def test_get_existing_key_v1_version(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(auth_type="token",
token="s.7AU0I51yv1Q1lxOIg1F3ZRAS",
url="http://localhost:8180",
kv_engine_version=1)
with self.assertRaisesRegex(VaultError, "Secret version"):
vault_client.get_secret(secret_path="missing", secret_version=1)
def test_userpass(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(
auth_type="userpass", username="******", password="******", url="http://localhost:8180"
)
client = vault_client.client
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
client.auth_userpass.assert_called_with(username="******", password="******")
client.is_authenticated.assert_called_with()
assert 2 == vault_client.kv_engine_version
def test_approle(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(
auth_type="approle", role_id="role", url="http://localhost:8180", secret_id="pass"
)
client = vault_client.client
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
client.auth_approle.assert_called_with(role_id="role", secret_id="pass")
client.is_authenticated.assert_called_with()
assert 2 == vault_client.kv_engine_version
def test_default_auth_type(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(token="s.7AU0I51yv1Q1lxOIg1F3ZRAS", url="http://localhost:8180")
client = vault_client.client
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
client.is_authenticated.assert_called_with()
assert "s.7AU0I51yv1Q1lxOIg1F3ZRAS" == client.token
assert "token" == vault_client.auth_type
assert 2 == vault_client.kv_engine_version
assert "secret" == vault_client.mount_point
def test_radius(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(
auth_type="radius", radius_host="radhost", radius_secret="pass", url="http://localhost:8180"
)
client = vault_client.client
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
client.auth.radius.configure.assert_called_with(host="radhost", secret="pass", port=None)
client.is_authenticated.assert_called_with()
assert 2 == vault_client.kv_engine_version
def test_github(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(
auth_type="github", token="s.7AU0I51yv1Q1lxOIg1F3ZRAS", url="http://localhost:8180"
)
client = vault_client.client
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
client.auth.github.login.assert_called_with(token="s.7AU0I51yv1Q1lxOIg1F3ZRAS")
client.is_authenticated.assert_called_with()
assert 2 == vault_client.kv_engine_version
def test_token(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(auth_type="token",
token="s.7AU0I51yv1Q1lxOIg1F3ZRAS",
url="http://localhost:8180")
client = vault_client.client
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
client.is_authenticated.assert_called_with()
self.assertEqual("s.7AU0I51yv1Q1lxOIg1F3ZRAS", client.token)
self.assertEqual(2, vault_client.kv_engine_version)
self.assertEqual("secret", vault_client.mount_point)
def test_get_secret_including_metadata_v1(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(auth_type="approle",
role_id="role",
url="http://localhost:8180",
secret_id="pass",
kv_engine_version=1)
with self.assertRaisesRegex(
VaultError, "Metadata might only be used with"
" version 2 of the KV engine."):
vault_client.get_secret_including_metadata(secret_path="missing")
def test_create_or_update_secret_v2_method(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(
auth_type="radius",
radius_host="radhost",
radius_port=8110,
radius_secret="pass",
url="http://localhost:8180",
)
with pytest.raises(VaultError, match="The method parameter is only valid for version 1"):
vault_client.create_or_update_secret(secret_path="path", secret={'key': 'value'}, method="post")
def test_get_non_existing_key_v2(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
# Response does not contain the requested key
mock_client.secrets.kv.v2.read_secret_version.side_effect = InvalidPath(
)
vault_client = _VaultClient(auth_type="token",
token="s.7AU0I51yv1Q1lxOIg1F3ZRAS",
url="http://localhost:8180")
secret = vault_client.get_secret(secret_path="missing")
self.assertIsNone(secret)
mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
mount_point='secret', path='missing', version=None)
def test_kubernetes_default_path(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(
auth_type="kubernetes", kubernetes_role="kube_role", url="http://localhost:8180"
)
with patch("builtins.open", mock_open(read_data="data")) as mock_file:
client = vault_client.client
mock_file.assert_called_with("/var/run/secrets/kubernetes.io/serviceaccount/token")
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
client.auth_kubernetes.assert_called_with(role="kube_role", jwt="data")
client.is_authenticated.assert_called_with()
assert 2 == vault_client.kv_engine_version
def test_get_secret_including_metadata_v2(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
mock_client.secrets.kv.v2.read_secret_version.return_value = {
'request_id': '94011e25-f8dc-ec29-221b-1f9c1d9ad2ae',
'lease_id': '',
'renewable': False,
'lease_duration': 0,
'data': {
'data': {'secret_key': 'secret_value'},
'metadata': {
'created_time': '2020-03-16T21:01:43.331126Z',
'deletion_time': '',
'destroyed': False,
'version': 1,
},
},
'wrap_info': None,
'warnings': None,
'auth': None,
}
vault_client = _VaultClient(
auth_type="radius",
radius_host="radhost",
radius_port=8110,
radius_secret="pass",
url="http://localhost:8180",
)
metadata = vault_client.get_secret_including_metadata(secret_path="missing")
assert {
'request_id': '94011e25-f8dc-ec29-221b-1f9c1d9ad2ae',
'lease_id': '',
'renewable': False,
'lease_duration': 0,
'data': {
'data': {'secret_key': 'secret_value'},
'metadata': {
'created_time': '2020-03-16T21:01:43.331126Z',
'deletion_time': '',
'destroyed': False,
'version': 1,
},
},
'wrap_info': None,
'warnings': None,
'auth': None,
} == metadata
mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with(
mount_point='secret', path='missing', version=None
)
def test_token_path(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
with open('/tmp/test_token.txt', 'w+') as the_file:
the_file.write('s.7AU0I51yv1Q1lxOIg1F3ZRAS')
vault_client = _VaultClient(auth_type="token",
token_path="/tmp/test_token.txt",
url="http://localhost:8180")
client = vault_client.client
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
client.is_authenticated.assert_called_with()
self.assertEqual("s.7AU0I51yv1Q1lxOIg1F3ZRAS", client.token)
self.assertEqual(2, vault_client.kv_engine_version)
self.assertEqual("secret", vault_client.mount_point)
def test_create_or_update_secret_v1_cas(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(auth_type="approle",
role_id="role",
url="http://localhost:8180",
secret_id="pass",
kv_engine_version=1)
with self.assertRaisesRegex(
VaultError, "The cas parameter is only valid for version 2"):
vault_client.create_or_update_secret(secret_path="path",
secret={'key': 'value'},
cas=10)
def test_get_secret_including_metadata_v1(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(
auth_type="radius",
radius_host="radhost",
radius_port=8110,
radius_secret="pass",
kv_engine_version=1,
url="http://localhost:8180",
)
with pytest.raises(VaultError, match="Metadata might only be used with version 2 of the KV engine."):
vault_client.get_secret_including_metadata(secret_path="missing")
def test_get_non_existing_key_v1(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
# Response does not contain the requested key
mock_client.secrets.kv.v1.read_secret.side_effect = InvalidPath()
vault_client = _VaultClient(auth_type="approle",
role_id="role",
url="http://localhost:8180",
secret_id="pass",
kv_engine_version=1)
secret = vault_client.get_secret(secret_path="missing")
self.assertIsNone(secret)
mock_client.secrets.kv.v1.read_secret.assert_called_once_with(
mount_point='secret', path='missing')
def test_kubernetes(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(auth_type="kubernetes",
kubernetes_role="kube_role",
kubernetes_jwt_path="path",
url="http://localhost:8180")
with patch("builtins.open", mock_open(read_data="data")) as mock_file:
client = vault_client.client
mock_file.assert_called_with("path")
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
client.auth_kubernetes.assert_called_with(role="kube_role", jwt="data")
client.is_authenticated.assert_called_with()
self.assertEqual(2, vault_client.kv_engine_version)
def test_create_or_update_secret_v2(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(auth_type="approle",
role_id="role",
url="http://localhost:8180",
secret_id="pass")
vault_client.create_or_update_secret(secret_path="path",
secret={'key': 'value'})
mock_client.secrets.kv.v2.create_or_update_secret.assert_called_once_with(
mount_point='secret',
secret_path='path',
secret={'key': 'value'},
cas=None)
def test_github_different_auth_mount_point(self, mock_hvac):
mock_client = mock.MagicMock()
mock_hvac.Client.return_value = mock_client
vault_client = _VaultClient(
auth_type="github",
token="s.7AU0I51yv1Q1lxOIg1F3ZRAS",
url="http://localhost:8180",
auth_mount_point="other",
)
client = vault_client.client
mock_hvac.Client.assert_called_with(url='http://localhost:8180')
client.auth.github.login.assert_called_with(
token="s.7AU0I51yv1Q1lxOIg1F3ZRAS", mount_point="other")
client.is_authenticated.assert_called_with()
self.assertEqual(2, vault_client.kv_engine_version)
