def sync_with_backend(self):
    """Refresh the cached job-type secrets from the secrets backend.

    On success ``self._all_secrets`` is replaced wholesale by a dict of
    ``{job_type: secrets}``. If the backend cannot even be listed (bad
    authorization, bad request or bad token) the previous cache is left
    untouched. A job type whose secrets cannot be fetched is simply absent
    from the refreshed cache.

    Errors are intentionally not logged here: every sync would repeat them,
    so the status JSON is where they are surfaced once.
    """
    try:
        handler = SecretsHandler()
        job_types = handler.list_job_types()
    except (InvalidSecretsAuthorization, InvalidSecretsRequest, InvalidSecretsToken):
        # Backend unreachable/unusable: keep whatever we had rather than wipe it.
        return

    refreshed = {}
    for job_type in job_types:
        try:
            refreshed[job_type] = handler.get_job_type_secrets(job_type)
        except (InvalidSecretsAuthorization, InvalidSecretsRequest, InvalidSecretsValue):
            # NOTE(review): unlike the listing step, a token error is not caught
            # here; confirm get_job_type_secrets cannot raise InvalidSecretsToken.
            pass
    self._all_secrets = refreshed
def test_vault_authenticate_good_return(self, mock_request):
    """Constructing the handler with a master token and no DC/OS account must not raise.

    The backend request is patched (``mock_request``); the loopback plain-HTTP
    URL is a fixture value only and is never contacted.
    """
    vault_settings = dict(
        SECRETS_TOKEN='some_master_token',
        DCOS_SERVICE_ACCOUNT=None,
        SECRETS_URL='HTTP://127.0.0.1:8200',
    )
    with self.settings(**vault_settings):
        SecretsHandler()
def test_dcos_authenticate_good_return(self, mock_request):
    """Constructing the handler with a DC/OS service account must not raise.

    ``self.dcos_token`` is the fixture private key used as the service-account
    credential; the backend request is patched (``mock_request``).
    """
    dcos_settings = dict(
        SECRETS_TOKEN=self.dcos_token,
        DCOS_SERVICE_ACCOUNT='some_account_name',
        SECRETS_URL='HTTP://127.0.0.1:8200',
    )
    with self.settings(**dcos_settings):
        SecretsHandler()
def dcos_setup(self, mock_request):
    """Build ``self.dcos_backend`` under DC/OS service-account settings.

    Called from ``setUp``; the backend request is patched (``mock_request``).
    """
    dcos_settings = dict(
        SECRETS_TOKEN=self.dcos_token,
        DCOS_SERVICE_ACCOUNT='some_account_name',
        SECRETS_URL='HTTP://127.0.0.1:8200',
    )
    with self.settings(**dcos_settings):
        self.dcos_backend = SecretsHandler()
class DCOSSecretsValueValidation(TestCase):
    """Exercise SecretsHandler against a mocked DC/OS secrets backend.

    ``requests.request`` is patched per test, so no network traffic occurs;
    the ``HTTP://127.0.0.1:8200`` URL is a fixture value only.
    """

    def setUp(self):
        # NOTE(review): this is a syntactically real RSA private key committed to
        # source. It is only a test fixture standing in for the DC/OS
        # service-account credential, but treat it as burned: it must never be
        # reused for anything, and secret scanners will (correctly) flag it.
        self.dcos_token = \
            """
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgFoDzg4Q8Jmzw0s1FcMM8BhKlWwcpO2GjkL7g1mGsVEbqaWyz1G3
TaV7bHvBb/D4ceN8AV8CBzaNVidNGaIZNoeTiPNmQ6PfnuXBJLaFMfQjGxeyxxf5
eOoP8U7ukRCEa6YHn41TlWzYKW1Nc5gpzdO47o8aaMkF0D3grDOp4G3BAgMBAAEC
gYBR70CyYQ0AezZ60Jk8cBxjoBAe1nvxkRcRNWs8JHRmha2IHBjGIvnUdWIry8mf
KCZSkN+WoXv7Ve9j2rRIbnbJHzEZTXcyxRuA+YRxkGYtCWSzMvw3csuvUG4lpCOg
hQL4dZHfuWIrrNVteN7UEvN+0dlMotQH9XO/bhn+zoIxGQJBAKvVF6j1SRxj3ucv
e6LsLywo6pQIjz+yKZ0ngFJe+FNLISXKspK/tym1IWMD3SZy6tf7mdx2oXnsyy85
1w9PwJ8CQQCGGzXs5382a2YzxWkSsq3niEmQn61NJbHMCOzE2w2fqt4xV2Ka/lp5
3NEg6Q2mRrTpmZvRI3fQtPN4dY8pvVWfAkBdpZvobA21WESSEFG8YCXxVjdKCEQx
vaJqUK3htnp1wptFImwiCDQFmf6hHOj43GZa4XdgLJMihMfTbB1l7dwXAkAVOMsg
0UWFVBuZR70n81Sn1h5mH46qLbPkKOlnAY83XC/LORvmkSe6LyJ9BcReMsRAT0mk
H+u/AFOjFV9xaH/bAkEAgRi3VkUQNAdsEGVzHHq93s5CSZLz2gHoyTMCZu/G31pF
UB3V/SWf7Wqp9vDEbUtgzIn9y4l5cIjS/J2IKkYARg==
-----END RSA PRIVATE KEY-----
"""
        self.secret_test_path = 'job_name-0.0.0'
        # dcos_setup is @patch-decorated, so the auth request it triggers is mocked.
        self.dcos_setup()
        django.setup()

    def mocked_get_secret(*args):
        """Fake ``requests.request`` return value, selected by the first positional arg.

        No args -> 403 with empty body; ``'secret'`` -> 200 carrying the job
        secret; ``'auth'`` -> 200 carrying a fake DC/OS token; anything else -> 404.
        Evaluated at class-definition time by the ``@patch`` decorators below.
        """
        class MockResponse:
            # Minimal stand-in for requests.Response. Note ``content`` is a
            # method here, whereas the real Response exposes it as an attribute.
            def __init__(self, json_data, status_code):
                self.json_data = json_data
                self.status_code = status_code

            def json(self):
                return self.json_data

            def content(self):
                return self.json_data

        if not args:
            return MockResponse({}, 403)
        elif args[0] == 'secret':
            status_code = 200
            # The secret comes back as a Python-repr string; test_dcos_get_secret
            # expects the handler to turn it into a dict.
            # NOTE(review): confirm the handler does that with json/ast.literal_eval
            # and not eval() -- eval on backend-supplied data would let whoever
            # controls the secrets store run code in this process.
            content = {
                "value": "{'some_name': 'some_secret'}"
            }
            return MockResponse(content, status_code)
        elif args[0] == 'auth':
            status_code = 200
            content = {
                "value": "dcos_token"
            }
            return MockResponse(content, status_code)
        return MockResponse({}, 404)

    def mocked_request_setup():
        """Alternative fake response carrying a ``dcos_token`` body.

        Not referenced by any test in this class (``dcos_setup`` patches with
        ``mocked_get_secret('auth')`` instead).
        """
        r_return = MagicMock()
        r_return.status_code = 200
        r_return.content = {
            'dcos_token': 'foobar'
        }
        return r_return

    @patch('requests.request', return_value=mocked_get_secret('auth'))
    def dcos_setup(self, mock_request):
        """Build ``self.dcos_backend`` under DC/OS service-account settings."""
        with self.settings(SECRETS_TOKEN=self.dcos_token,
                           DCOS_SERVICE_ACCOUNT='some_account_name',
                           SECRETS_URL='HTTP://127.0.0.1:8200'):
            self.dcos_backend = SecretsHandler()

    @patch('requests.request', return_value=mocked_get_secret('secret'))
    def test_dcos_get_secret(self, mock_request):
        """A 200 response is decoded into the secret dict."""
        test_secret = self.dcos_backend.get_job_type_secrets(self.secret_test_path)
        self.assertEqual(test_secret, {'some_name': 'some_secret'})

    @patch('requests.request', return_value=mocked_get_secret())
    def test_dcos_get_bad_secret(self, mock_request):
        """A 403 response surfaces as InvalidSecretsAuthorization."""
        self.assertRaises(InvalidSecretsAuthorization, self.dcos_backend.get_job_type_secrets, self.secret_test_path)
def vault_setup(self, mock_request):
    """Build ``self.vault_backend`` under plain-Vault settings (no DC/OS account).

    Called from ``setUp``; the backend request is patched (``mock_request``).
    """
    vault_settings = dict(
        SECRETS_TOKEN='some_master_token',
        DCOS_SERVICE_ACCOUNT=None,
        SECRETS_URL='HTTP://127.0.0.1:8200',
    )
    with self.settings(**vault_settings):
        self.vault_backend = SecretsHandler()
class VaultSecretsValueValidation(TestCase):
    """Exercise SecretsHandler against a mocked plain-Vault backend.

    ``requests.request`` is patched per test, so no network traffic occurs;
    the ``HTTP://127.0.0.1:8200`` URL is a fixture value only.
    """

    def setUp(self):
        self.secret_test_path = 'job_name-0.0.0'
        # vault_setup is @patch-decorated, so the mount-listing request is mocked.
        self.vault_setup()
        django.setup()

    def mocked_get_secret(*args):
        """Fake ``requests.request`` return value, selected by the first positional arg.

        No args -> 403 with empty body; ``'secret'`` -> 200 with a Vault-style
        read response; anything else -> 404. Evaluated at class-definition time
        by the ``@patch`` decorators below.
        """
        class MockResponse:
            # Minimal stand-in for requests.Response. Note ``content`` is a
            # method here, whereas the real Response exposes it as an attribute.
            def __init__(self, json_data, status_code):
                self.json_data = json_data
                self.status_code = status_code

            def json(self):
                return self.json_data

            def content(self):
                return self.json_data

        if not args:
            return MockResponse({}, 403)
        elif args[0] == 'secret':
            status_code = 200
            # Shaped like a Vault KV read; test_vault_get_secret expects the
            # handler to return only the ``data`` sub-dict.
            # NOTE(review): ``renewable`` and ``warnings`` are the strings
            # "false"/"null" here, whereas a real Vault response carries JSON
            # false/null; the handler evidently ignores them, but the fixture
            # would not catch a regression in how they are parsed.
            content = {
                "request_id": "some_id",
                "lease_id": "",
                "lease_duration": 0,
                "renewable": "false",
                "data": {
                    "test_val_name": "vault_backend_secret",
                    "foo": "bar"
                },
                "warnings": "null"
            }
            return MockResponse(content, status_code)
        return MockResponse({}, 404)

    def mocked_request_setup():
        """Fake response for handler construction: a mount listing with a ``scale/`` mount."""
        r_return = MagicMock()
        r_return.status_code = 200
        r_return.content = json.dumps({
            "scale/": {
                "config": {
                    "default_lease_ttl": 0,
                    "max_lease_ttl": 0
                },
                "description": "scale secrets storage",
                "type": "generic",
            }
        })
        return r_return

    @patch('requests.request', return_value=mocked_request_setup())
    def vault_setup(self, mock_request):
        """Build ``self.vault_backend`` under plain-Vault settings (no DC/OS account)."""
        with self.settings(SECRETS_TOKEN='some_master_token',
                           DCOS_SERVICE_ACCOUNT=None,
                           SECRETS_URL='HTTP://127.0.0.1:8200'):
            self.vault_backend = SecretsHandler()

    @patch('requests.request', return_value=mocked_get_secret('secret'))
    def test_vault_get_secret(self, mock_request):
        """A 200 response yields the ``data`` sub-dict of the Vault read."""
        test_secret = self.vault_backend.get_job_type_secrets(self.secret_test_path)
        self.assertEqual(test_secret, {"test_val_name": "vault_backend_secret", "foo": "bar"})

    @patch('requests.request', return_value=mocked_get_secret())
    def test_vault_get_bad_secret(self, mock_request):
        """A 403 response surfaces as InvalidSecretsAuthorization."""
        self.assertRaises(InvalidSecretsAuthorization, self.vault_backend.get_job_type_secrets, self.secret_test_path)
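def generate_status_json(self, status_dict):
    """Generates the portion of the status JSON that describes the secrets settings and metrics

    Fills ``status_dict['vault']`` with three keys: ``status`` (a short
    human-readable state), ``sealed`` (True only when the backend reported
    itself sealed) and ``message`` (the backend error text, or ''). The probe
    stops at the first error, so later job types are not checked.

    Fix: a request error during listing whose text did not mention sealing
    used to be logged but left the reported status at 'Ok' with an empty
    message (the same case in the per-job loop already reported
    'Secret Error'); both paths now report it.

    :param status_dict: The status JSON dict
    :type status_dict: dict
    """
    vault_status = {'status': 'Ok', 'sealed': False, 'message': ''}
    status_dict['vault'] = vault_status

    def report(status, message='', sealed=False):
        # NOTE(review): ``message`` is the raw backend error text and is exposed
        # through the status endpoint; backend URLs or token hints can appear in
        # it, so that endpoint must not be readable by unauthenticated callers.
        vault_status['status'] = status
        vault_status['sealed'] = sealed
        vault_status['message'] = message

    def report_request_error(e):
        # The sealed state is only recoverable from the error text; this
        # substring match is fragile and tied to the backend's wording.
        if 'is currently sealed' in e.message:
            report('Sealed', e.message, sealed=True)
        else:
            report('Secret Error', e.message)

    if not settings.SECRETS_URL:
        report('Secrets Not Configured')
        return

    try:
        sh = SecretsHandler()
        jobs_with_secrets = sh.list_job_types()
    except InvalidSecretsAuthorization as e:
        logger.exception('Secrets Error: %s', e.message)
        report('Secrets Improperly Configured', e.message)
        return
    except InvalidSecretsRequest as e:
        logger.exception('Secrets Error: %s', e.message)
        report_request_error(e)
        return
    except InvalidSecretsToken as e:
        logger.exception('Secrets Error: %s', e.message)
        report('Invalid Token', e.message)
        return

    for job in jobs_with_secrets:
        try:
            # Only the fetch itself matters here; the value is not reported.
            sh.get_job_type_secrets(job)
        except InvalidSecretsAuthorization as e:
            logger.exception('Secrets Error: %s', e.message)
            report('Invalid Credentials', e.message)
            return
        except InvalidSecretsRequest as e:
            logger.exception('Secrets Error: %s', e.message)
            report_request_error(e)
            return
        except InvalidSecretsValue as e:
            logger.exception('Secrets Error: %s', e.message)
            report('Invalid Secret', e.message)
            return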