def test_radius_missing_secret(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client with self.assertRaisesRegex(VaultError, "radius_secret"): _VaultClient(auth_type="radius", radius_host="radhost", url="http://localhost:8180")
def test_approle_missing_role(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client with self.assertRaisesRegex(VaultError, "requires 'role_id'"): _VaultClient(auth_type="approle", url="http://localhost:8180", secret_id="pass")
def test_kubernetes_missing_role(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client with self.assertRaisesRegex(VaultError, "requires 'kubernetes_role'"): _VaultClient(auth_type="kubernetes", kubernetes_jwt_path="path", url="http://localhost:8180")
def test_kubernetes_kubernetes_jwt_path_none(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client with pytest.raises(VaultError, match="requires 'kubernetes_jwt_path'"): _VaultClient( auth_type="kubernetes", kubernetes_role='kube_role', kubernetes_jwt_path=None, url="http://localhost:8180", )
def test_azure_missing_resource(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client with pytest.raises(VaultError, match="requires 'azure_resource'"): _VaultClient( auth_type="azure", azure_tenant_id="tenant_id", url="http://localhost:8180", key_id="user", secret_id='pass', )
def test_azure_missing_tenant_id(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client with self.assertRaisesRegex(VaultError, "requires 'azure_tenant_id'"): _VaultClient( auth_type="azure", azure_resource='resource', url="http://localhost:8180", key_id="user", secret_id='pass', )
def test_gcp_different_auth_mount_point(self, mock_hvac, mock_get_credentials, mock_get_scopes): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client mock_get_scopes.return_value = ['scope1', 'scope2'] mock_get_credentials.return_value = ("credentials", "project_id") vault_client = _VaultClient( auth_type="gcp", gcp_key_path="path.json", gcp_scopes="scope1,scope2", url="http://localhost:8180", auth_mount_point="other", ) client = vault_client.client mock_hvac.Client.assert_called_with(url='http://localhost:8180') mock_get_scopes.assert_called_with("scope1,scope2") mock_get_credentials.assert_called_with(key_path="path.json", keyfile_dict=None, scopes=['scope1', 'scope2']) mock_hvac.Client.assert_called_with(url='http://localhost:8180') client.auth.gcp.configure.assert_called_with(credentials="credentials", mount_point="other") client.is_authenticated.assert_called_with() self.assertEqual(2, vault_client.kv_engine_version)
def test_get_existing_key_v2_version(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client mock_client.secrets.kv.v2.read_secret_version.return_value = { 'request_id': '94011e25-f8dc-ec29-221b-1f9c1d9ad2ae', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': { 'data': { 'secret_key': 'secret_value' }, 'metadata': { 'created_time': '2020-03-16T21:01:43.331126Z', 'deletion_time': '', 'destroyed': False, 'version': 1 } }, 'wrap_info': None, 'warnings': None, 'auth': None } vault_client = _VaultClient(auth_type="approle", role_id="role", url="http://localhost:8180", secret_id="pass") secret = vault_client.get_secret(secret_path="missing", secret_version=1) self.assertEqual({'secret_key': 'secret_value'}, secret) mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with( mount_point='secret', path='missing', version=1)
def test_get_existing_key_v1(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client mock_client.secrets.kv.v1.read_secret.return_value = { 'request_id': '182d0673-618c-9889-4cba-4e1f4cfe4b4b', 'lease_id': '', 'renewable': False, 'lease_duration': 2764800, 'data': { 'value': 'world' }, 'wrap_info': None, 'warnings': None, 'auth': None } vault_client = _VaultClient(auth_type="approle", role_id="role", url="http://localhost:8180", secret_id="pass", kv_engine_version=1) secret = vault_client.get_secret(secret_path="missing") self.assertEqual({'value': 'world'}, secret) mock_client.secrets.kv.v1.read_secret.assert_called_once_with( mount_point='secret', path='missing')
def test_get_secret_metadata_v2(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client mock_client.secrets.kv.v2.read_secret_metadata.return_value = { 'request_id': '94011e25-f8dc-ec29-221b-1f9c1d9ad2ae', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'metadata': [ { 'created_time': '2020-03-16T21:01:43.331126Z', 'deletion_time': '', 'destroyed': False, 'version': 1, }, { 'created_time': '2020-03-16T21:01:43.331126Z', 'deletion_time': '', 'destroyed': False, 'version': 2, }, ], } vault_client = _VaultClient(auth_type="token", token="s.7AU0I51yv1Q1lxOIg1F3ZRAS", url="http://localhost:8180") metadata = vault_client.get_secret_metadata(secret_path="missing") self.assertEqual( { 'request_id': '94011e25-f8dc-ec29-221b-1f9c1d9ad2ae', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'metadata': [ { 'created_time': '2020-03-16T21:01:43.331126Z', 'deletion_time': '', 'destroyed': False, 'version': 1, }, { 'created_time': '2020-03-16T21:01:43.331126Z', 'deletion_time': '', 'destroyed': False, 'version': 2, }, ], }, metadata, ) mock_client.secrets.kv.v2.read_secret_metadata.assert_called_once_with( mount_point='secret', path='missing')
def __init__( # pylint: disable=too-many-arguments self, connections_path: str = 'connections', variables_path: str = 'variables', config_path: str = 'config', url: Optional[str] = None, auth_type: str = 'token', auth_mount_point: Optional[str] = None, mount_point: str = 'secret', kv_engine_version: int = 2, token: Optional[str] = None, token_path: Optional[str] = None, username: Optional[str] = None, password: Optional[str] = None, key_id: Optional[str] = None, secret_id: Optional[str] = None, role_id: Optional[str] = None, kubernetes_role: Optional[str] = None, kubernetes_jwt_path: str = '/var/run/secrets/kubernetes.io/serviceaccount/token', gcp_key_path: Optional[str] = None, gcp_keyfile_dict: Optional[dict] = None, gcp_scopes: Optional[str] = None, azure_tenant_id: Optional[str] = None, azure_resource: Optional[str] = None, radius_host: Optional[str] = None, radius_secret: Optional[str] = None, radius_port: Optional[int] = None, **kwargs): super().__init__() self.connections_path = connections_path.rstrip('/') self.variables_path = variables_path.rstrip('/') self.config_path = config_path.rstrip('/') self.mount_point = mount_point self.kv_engine_version = kv_engine_version self.vault_client = _VaultClient( url=url, auth_type=auth_type, auth_mount_point=auth_mount_point, mount_point=mount_point, kv_engine_version=kv_engine_version, token=token, token_path=token_path, username=username, password=password, key_id=key_id, secret_id=secret_id, role_id=role_id, kubernetes_role=kubernetes_role, kubernetes_jwt_path=kubernetes_jwt_path, gcp_key_path=gcp_key_path, gcp_keyfile_dict=gcp_keyfile_dict, gcp_scopes=gcp_scopes, azure_tenant_id=azure_tenant_id, azure_resource=azure_resource, radius_host=radius_host, radius_secret=radius_secret, radius_port=radius_port, **kwargs)
def test_get_existing_key_v1_version(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient(auth_type="token", token="s.7AU0I51yv1Q1lxOIg1F3ZRAS", url="http://localhost:8180", kv_engine_version=1) with self.assertRaisesRegex(VaultError, "Secret version"): vault_client.get_secret(secret_path="missing", secret_version=1)
def test_userpass(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient( auth_type="userpass", username="******", password="******", url="http://localhost:8180" ) client = vault_client.client mock_hvac.Client.assert_called_with(url='http://localhost:8180') client.auth_userpass.assert_called_with(username="******", password="******") client.is_authenticated.assert_called_with() assert 2 == vault_client.kv_engine_version
def test_approle(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient( auth_type="approle", role_id="role", url="http://localhost:8180", secret_id="pass" ) client = vault_client.client mock_hvac.Client.assert_called_with(url='http://localhost:8180') client.auth_approle.assert_called_with(role_id="role", secret_id="pass") client.is_authenticated.assert_called_with() assert 2 == vault_client.kv_engine_version
def test_default_auth_type(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient(token="s.7AU0I51yv1Q1lxOIg1F3ZRAS", url="http://localhost:8180") client = vault_client.client mock_hvac.Client.assert_called_with(url='http://localhost:8180') client.is_authenticated.assert_called_with() assert "s.7AU0I51yv1Q1lxOIg1F3ZRAS" == client.token assert "token" == vault_client.auth_type assert 2 == vault_client.kv_engine_version assert "secret" == vault_client.mount_point
def test_radius(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient( auth_type="radius", radius_host="radhost", radius_secret="pass", url="http://localhost:8180" ) client = vault_client.client mock_hvac.Client.assert_called_with(url='http://localhost:8180') client.auth.radius.configure.assert_called_with(host="radhost", secret="pass", port=None) client.is_authenticated.assert_called_with() assert 2 == vault_client.kv_engine_version
def test_github(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient( auth_type="github", token="s.7AU0I51yv1Q1lxOIg1F3ZRAS", url="http://localhost:8180" ) client = vault_client.client mock_hvac.Client.assert_called_with(url='http://localhost:8180') client.auth.github.login.assert_called_with(token="s.7AU0I51yv1Q1lxOIg1F3ZRAS") client.is_authenticated.assert_called_with() assert 2 == vault_client.kv_engine_version
def test_token(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient(auth_type="token", token="s.7AU0I51yv1Q1lxOIg1F3ZRAS", url="http://localhost:8180") client = vault_client.client mock_hvac.Client.assert_called_with(url='http://localhost:8180') client.is_authenticated.assert_called_with() self.assertEqual("s.7AU0I51yv1Q1lxOIg1F3ZRAS", client.token) self.assertEqual(2, vault_client.kv_engine_version) self.assertEqual("secret", vault_client.mount_point)
def test_get_secret_including_metadata_v1(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient(auth_type="approle", role_id="role", url="http://localhost:8180", secret_id="pass", kv_engine_version=1) with self.assertRaisesRegex( VaultError, "Metadata might only be used with" " version 2 of the KV engine."): vault_client.get_secret_including_metadata(secret_path="missing")
def test_create_or_update_secret_v2_method(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient( auth_type="radius", radius_host="radhost", radius_port=8110, radius_secret="pass", url="http://localhost:8180", ) with pytest.raises(VaultError, match="The method parameter is only valid for version 1"): vault_client.create_or_update_secret(secret_path="path", secret={'key': 'value'}, method="post")
def test_get_non_existing_key_v2(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client # Response does not contain the requested key mock_client.secrets.kv.v2.read_secret_version.side_effect = InvalidPath( ) vault_client = _VaultClient(auth_type="token", token="s.7AU0I51yv1Q1lxOIg1F3ZRAS", url="http://localhost:8180") secret = vault_client.get_secret(secret_path="missing") self.assertIsNone(secret) mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with( mount_point='secret', path='missing', version=None)
def test_kubernetes_default_path(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient( auth_type="kubernetes", kubernetes_role="kube_role", url="http://localhost:8180" ) with patch("builtins.open", mock_open(read_data="data")) as mock_file: client = vault_client.client mock_file.assert_called_with("/var/run/secrets/kubernetes.io/serviceaccount/token") mock_hvac.Client.assert_called_with(url='http://localhost:8180') client.auth_kubernetes.assert_called_with(role="kube_role", jwt="data") client.is_authenticated.assert_called_with() assert 2 == vault_client.kv_engine_version
def test_get_secret_including_metadata_v2(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client mock_client.secrets.kv.v2.read_secret_version.return_value = { 'request_id': '94011e25-f8dc-ec29-221b-1f9c1d9ad2ae', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': { 'data': {'secret_key': 'secret_value'}, 'metadata': { 'created_time': '2020-03-16T21:01:43.331126Z', 'deletion_time': '', 'destroyed': False, 'version': 1, }, }, 'wrap_info': None, 'warnings': None, 'auth': None, } vault_client = _VaultClient( auth_type="radius", radius_host="radhost", radius_port=8110, radius_secret="pass", url="http://localhost:8180", ) metadata = vault_client.get_secret_including_metadata(secret_path="missing") assert { 'request_id': '94011e25-f8dc-ec29-221b-1f9c1d9ad2ae', 'lease_id': '', 'renewable': False, 'lease_duration': 0, 'data': { 'data': {'secret_key': 'secret_value'}, 'metadata': { 'created_time': '2020-03-16T21:01:43.331126Z', 'deletion_time': '', 'destroyed': False, 'version': 1, }, }, 'wrap_info': None, 'warnings': None, 'auth': None, } == metadata mock_client.secrets.kv.v2.read_secret_version.assert_called_once_with( mount_point='secret', path='missing', version=None )
def test_token_path(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client with open('/tmp/test_token.txt', 'w+') as the_file: the_file.write('s.7AU0I51yv1Q1lxOIg1F3ZRAS') vault_client = _VaultClient(auth_type="token", token_path="/tmp/test_token.txt", url="http://localhost:8180") client = vault_client.client mock_hvac.Client.assert_called_with(url='http://localhost:8180') client.is_authenticated.assert_called_with() self.assertEqual("s.7AU0I51yv1Q1lxOIg1F3ZRAS", client.token) self.assertEqual(2, vault_client.kv_engine_version) self.assertEqual("secret", vault_client.mount_point)
def test_create_or_update_secret_v1_cas(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient(auth_type="approle", role_id="role", url="http://localhost:8180", secret_id="pass", kv_engine_version=1) with self.assertRaisesRegex( VaultError, "The cas parameter is only valid for version 2"): vault_client.create_or_update_secret(secret_path="path", secret={'key': 'value'}, cas=10)
def test_get_secret_including_metadata_v1(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient( auth_type="radius", radius_host="radhost", radius_port=8110, radius_secret="pass", kv_engine_version=1, url="http://localhost:8180", ) with pytest.raises(VaultError, match="Metadata might only be used with version 2 of the KV engine."): vault_client.get_secret_including_metadata(secret_path="missing")
def test_get_non_existing_key_v1(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client # Response does not contain the requested key mock_client.secrets.kv.v1.read_secret.side_effect = InvalidPath() vault_client = _VaultClient(auth_type="approle", role_id="role", url="http://localhost:8180", secret_id="pass", kv_engine_version=1) secret = vault_client.get_secret(secret_path="missing") self.assertIsNone(secret) mock_client.secrets.kv.v1.read_secret.assert_called_once_with( mount_point='secret', path='missing')
def test_kubernetes(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient(auth_type="kubernetes", kubernetes_role="kube_role", kubernetes_jwt_path="path", url="http://localhost:8180") with patch("builtins.open", mock_open(read_data="data")) as mock_file: client = vault_client.client mock_file.assert_called_with("path") mock_hvac.Client.assert_called_with(url='http://localhost:8180') client.auth_kubernetes.assert_called_with(role="kube_role", jwt="data") client.is_authenticated.assert_called_with() self.assertEqual(2, vault_client.kv_engine_version)
def test_create_or_update_secret_v2(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient(auth_type="approle", role_id="role", url="http://localhost:8180", secret_id="pass") vault_client.create_or_update_secret(secret_path="path", secret={'key': 'value'}) mock_client.secrets.kv.v2.create_or_update_secret.assert_called_once_with( mount_point='secret', secret_path='path', secret={'key': 'value'}, cas=None)
def test_github_different_auth_mount_point(self, mock_hvac): mock_client = mock.MagicMock() mock_hvac.Client.return_value = mock_client vault_client = _VaultClient( auth_type="github", token="s.7AU0I51yv1Q1lxOIg1F3ZRAS", url="http://localhost:8180", auth_mount_point="other", ) client = vault_client.client mock_hvac.Client.assert_called_with(url='http://localhost:8180') client.auth.github.login.assert_called_with( token="s.7AU0I51yv1Q1lxOIg1F3ZRAS", mount_point="other") client.is_authenticated.assert_called_with() self.assertEqual(2, vault_client.kv_engine_version)