def login(self, username=None, password=None, client_id=None, login_realm=None):
    """Log the user in by retrieving tokens for the given username and password.

    Args:
        username (str): login username; when None, both username and password
            are read from Vault at ``self.vault_path``
        password (str): login password
        client_id (str): OIDC client_id for logging into server; read from
            Vault when omitted
        login_realm (str): Keycloak realm of the login user; read from Vault
            when omitted

    Returns:
        requests.Response: token endpoint response

    Raises:
        Whatever ``KeyCloakError.raise_for_status`` raises for an error
        response from the token endpoint (KeyCloakError, presumably).

    Note:
        Login realm can be different from the realm that the client is used
        to manage.
    """
    secrets = None

    # No username means the whole credential pair comes from Vault
    if username is None:
        secrets = Vault()
        username = secrets.read(self.vault_path, 'username')
        password = secrets.read(self.vault_path, 'password')

    # Open Vault only if something is still missing and it is not open yet
    if secrets is None and (client_id is None or login_realm is None):
        secrets = Vault()

    # Remembered so logout() can target the same client and realm
    self.client_id = client_id or secrets.read(self.vault_path, 'client_id')
    self.login_realm = login_realm or secrets.read(self.vault_path, 'realm')

    token_url = '{}/realms/{}/protocol/openid-connect/token'.format(
        self.url_base, self.login_realm)
    # Resource-owner password grant: the credentials travel in the form body,
    # so TLS peer verification is what protects them in transit
    form = {
        'grant_type': 'password',
        'client_id': self.client_id,
        'username': username,
        'password': password,
    }
    # verify_ssl only has an effect when the server is reached over HTTPS
    response = requests.post(
        token_url, data=form, verify=self.https and self.verify_ssl)
    KeyCloakError.raise_for_status(response)

    # Keep the raw token response; logged_in gates later calls
    self.token = response.json()
    self.logged_in = True
    return response
def test_retry_logic_returns(self, mockClient):
    """A read whose first attempt fails with an expired token is retried and returns the value."""
    client = mockClient.return_value
    vault = Vault(self.cfg)
    # First read raises Forbidden, the retry succeeds
    client.read.side_effect = [
        hvac.exceptions.Forbidden('Token has expired'),
        {"data": {"super": "this!"}},
    ]
    # login is patched out so the retry does not talk to a real Vault
    with patch.object(Vault, 'login'):
        result = vault.read('secrets', 'super')
    self.assertEqual(result, "this!")
def test_retry_logic_calls_login(self, mockClient):
    """After a Forbidden from the client, read() re-authenticates exactly once."""
    client = mockClient.return_value
    vault = Vault(self.cfg)
    client.read.side_effect = [
        hvac.exceptions.Forbidden('Token has expired'),
        {"data": {"super": ""}},
    ]
    with patch.object(Vault, 'login') as login_mock:
        vault.read('secrets', 'super')
        # The class attribute is patched, so self is passed explicitly
        login_mock.assert_called_once_with(vault)
def __init__(self, config=None):
    """
    Args:
        config (optional[configuration.BossConfig]): Boss configuration.
            Defaults to loading from /etc/boss/boss.config.
    """
    self.config = configuration.BossConfig() if config is None else config
    # NOTE(review): Vault receives the raw argument (possibly None), not
    # self.config — presumably Vault loads its own default; confirm
    self.vault = Vault(config)

    # fqdn is "<host>.<domain>"; keep everything after the first dot
    self.domain = self.config['system']['fqdn'].split('.', 1)[1]

    self.iam = boto3.resource('iam', region_name=aws.get_region())
def test_exception_if_key_dosent_exist(self, mockClient):
    """read() raises when the path resolves but the requested key is absent."""
    client = mockClient.return_value
    # Path exists, but its data mapping has no 'super' entry
    client.read.return_value = {"data": {}}
    vault = Vault(self.cfg)
    with self.assertRaises(Exception):
        vault.read('secrets', 'super')
def test_exception_if_read_fails(self, mockClient):
    """read() raises instead of returning a value when the client yields nothing."""
    client = mockClient.return_value
    # hvac returns None for a path that does not exist
    client.read.return_value = None
    vault = Vault(self.cfg)
    with self.assertRaises(Exception):
        vault.read('secrets', 'super')
def test_logout_destroys_hvac_client(self, mockClient):
    """logout() drops the hvac client reference."""
    vault = Vault(self.cfg)
    vault.logout()
    # No client means no further authenticated calls can be made through it
    self.assertIsNone(vault.client)
def test_exception_if_cant_auth_to_vault(self, mockClient):
    """Constructing Vault fails when the hvac client reports it is not authenticated."""
    client = mockClient.return_value
    # Simulate a rejected or missing token
    client.is_authenticated.return_value = False
    with self.assertRaises(Exception):
        Vault(self.cfg)
if __name__ == "__main__": # usage (backup|restore) domain a = sys.argv[1] d = sys.argv[2] with open("/etc/boss/boss.config", "w") as fh: fh.write("""[system] type = backup [vault] url = http://vault.{}:8200 token = """.format(d)) v = Vault() if a == "backup": f = os.path.join(os.environ['OUTPUT1_STAGING_DIR'], 'export.json') data = { 'policies': {}, 'secrets': {}, 'aws-auth': {}, 'aws': {}, } # Backup policies for policy in v.client.list_policies(): data['policies'][policy] = v.client.read('/sys/policy/' + policy)['rules'] # Backup secrets