def test_get_vault_client_approle_in_config(mocker: MockerFixture,
monkeypatch: MonkeyPatch) -> None:
# vault_secret_id is a str
class Settings(BaseSettings):
class Config:
vault_url: str = "https://vault.tld"
vault_role_id: str = "fake-role-id"
vault_secret_id: str = "fake-secret-id"
settings: BaseSettings = Settings()
vault_client_mock = mocker.patch(
"pydantic_vault.vault_settings.HvacClient")
_get_authenticated_vault_client(settings)
vault_client_mock.assert_called_once_with("https://vault.tld")
vault_client_mock.return_value.auth.approle.login.assert_called_once_with(
role_id="fake-role-id", secret_id="fake-secret-id")
# vault_secret_id is a SecretStr, we will need to unwrap it
class SettingsWithSecretSecretId(BaseSettings):
class Config:
vault_url: str = "https://vault.tld"
vault_role_id: str = "fake-role-id"
vault_secret_id: SecretStr = SecretStr("fake-secret-id")
settings = SettingsWithSecretSecretId()
vault_client_mock = mocker.patch(
"pydantic_vault.vault_settings.HvacClient")
_get_authenticated_vault_client(settings)
vault_client_mock.assert_called_once_with("https://vault.tld")
vault_client_mock.return_value.auth.approle.login.assert_called_once_with(
role_id="fake-role-id", secret_id="fake-secret-id")
def test_get_vault_client_with_vault_token_in_config(
mocker: MockerFixture) -> None:
# vault_token is a str
class Settings(BaseSettings):
class Config:
vault_url: str = "https://vault.tld"
vault_token: str = "fake-token"
settings: BaseSettings = Settings()
vault_client_mock = mocker.patch(
"pydantic_vault.vault_settings.HvacClient")
_get_authenticated_vault_client(settings)
vault_client_mock.assert_called_once_with("https://vault.tld",
token="fake-token")
# vault_token is a SecretStr, we will need to unwrap it
class SettingsWithSecretToken(BaseSettings):
class Config:
vault_url: str = "https://vault.tld"
vault_token: SecretStr = SecretStr("fake-token")
settings = SettingsWithSecretToken()
vault_client_mock = mocker.patch(
"pydantic_vault.vault_settings.HvacClient")
_get_authenticated_vault_client(settings)
vault_client_mock.assert_called_once_with("https://vault.tld",
token="fake-token")
def test_get_vault_client_with_no_vault_url_fails() -> None:
class Settings(BaseSettings):
pass
settings = Settings()
with pytest.raises(VaultParameterError) as e:
_get_authenticated_vault_client(settings)
assert "URL" in str(e)
def test_get_vault_client_with_vault_url_in_config(
mocker: MockerFixture) -> None:
class Settings(BaseSettings):
class Config:
vault_url: str = "https://vault.tld"
settings = Settings()
vault_client_mock = mocker.patch(
"pydantic_vault.vault_settings.HvacClient")
_get_authenticated_vault_client(settings)
vault_client_mock.assert_called_once_with("https://vault.tld")
def test_get_vault_client_with_vault_url_in_environment(
mocker: MockerFixture, monkeypatch: MonkeyPatch) -> None:
class Settings(BaseSettings):
pass
monkeypatch.setenv("VAULT_ADDR", "https://vault.tld")
settings = Settings()
vault_client_mock = mocker.patch(
"pydantic_vault.vault_settings.HvacClient")
_get_authenticated_vault_client(settings)
vault_client_mock.assert_called_once_with("https://vault.tld")
def test_get_vault_client_with_namespace_in_environment(
mocker: MockerFixture, monkeypatch: MonkeyPatch) -> None:
class Settings(BaseSettings):
class Config:
vault_url: str = "https://vault.tld"
monkeypatch.setenv("VAULT_NAMESPACE", "some/namespace")
settings = Settings()
vault_client_mock = mocker.patch(
"pydantic_vault.vault_settings.HvacClient")
_get_authenticated_vault_client(settings)
vault_client_mock.assert_called_once_with("https://vault.tld",
namespace="some/namespace")
def test_get_vault_client_with_vault_token_in_environment(
mocker: MockerFixture, monkeypatch: MonkeyPatch) -> None:
class Settings(BaseSettings):
class Config:
vault_url: str = "https://vault.tld"
monkeypatch.setenv("VAULT_TOKEN", "fake-token")
settings = Settings()
vault_client_mock = mocker.patch(
"pydantic_vault.vault_settings.HvacClient")
_get_authenticated_vault_client(settings)
vault_client_mock.assert_called_once_with("https://vault.tld",
token="fake-token")
def test_get_vault_client_with_namespace_in_config(
mocker: MockerFixture) -> None:
class Settings(BaseSettings):
class Config:
vault_url: str = "https://vault.tld"
vault_token: str = "fake-token"
vault_namespace: str = "some/namespace"
settings = Settings()
vault_client_mock = mocker.patch(
"pydantic_vault.vault_settings.HvacClient")
_get_authenticated_vault_client(settings)
vault_client_mock.assert_called_once_with("https://vault.tld",
namespace="some/namespace",
token="fake-token")
def test_get_vault_client_approle_in_environment_and_config(
mocker: MockerFixture, monkeypatch: MonkeyPatch) -> None:
class Settings(BaseSettings):
class Config:
vault_url: str = "https://vault.tld"
vault_role_id: str = "fake-role-id"
monkeypatch.setenv("VAULT_SECRET_ID", "fake-secret-id")
settings = Settings()
vault_client_mock = mocker.patch(
"pydantic_vault.vault_settings.HvacClient")
_get_authenticated_vault_client(settings)
vault_client_mock.assert_called_once_with("https://vault.tld")
vault_client_mock.return_value.auth.approle.login.assert_called_once_with(
role_id="fake-role-id", secret_id="fake-secret-id")
def test_get_vault_client_vault_url_priority(mocker: MockerFixture,
monkeypatch: MonkeyPatch) -> None:
"""
Environment variable VAULT_ADDR should be preferred over value in Config class
"""
class Settings(BaseSettings):
class Config:
vault_url: str = "https://vault-from-config.tld"
monkeypatch.setenv("VAULT_ADDR", "https://vault-from-environment.tld")
settings = Settings()
vault_client_mock = mocker.patch(
"pydantic_vault.vault_settings.HvacClient")
_get_authenticated_vault_client(settings)
vault_client_mock.assert_called_once_with(
"https://vault-from-environment.tld")
def test_get_vault_client_vault_token_priority_file_config(
mocker: MockerFixture, monkeypatch: MonkeyPatch,
mock_vault_token_from_file: str) -> None:
"""
.vault-token file should be preferred over value in Config class
"""
class Settings(BaseSettings):
class Config:
vault_url: str = "https://vault.tld"
vault_token: str = "fake-token-from-config"
settings = Settings()
vault_client_mock = mocker.patch(
"pydantic_vault.vault_settings.HvacClient")
_get_authenticated_vault_client(settings)
vault_client_mock.assert_called_once_with("https://vault.tld",
token=mock_vault_token_from_file)
def test_get_vault_client_namespace_priority(mocker: MockerFixture,
monkeypatch: MonkeyPatch) -> None:
"""
Environment variable VAULT_NAMESPACE should be preferred over value in Config class
"""
class Settings(BaseSettings):
class Config:
vault_url: str = "https://vault.tld"
vault_namespace: str = "some/namespace/from/config"
monkeypatch.setenv("VAULT_NAMESPACE", "some/namespace/from/environment")
settings = Settings()
vault_client_mock = mocker.patch(
"pydantic_vault.vault_settings.HvacClient")
_get_authenticated_vault_client(settings)
vault_client_mock.assert_called_once_with(
"https://vault.tld", namespace="some/namespace/from/environment")
def test_get_vault_client_vault_token_priority_env_file(
mocker: MockerFixture, monkeypatch: MonkeyPatch,
mock_vault_token_from_file: str) -> None:
"""
Environment variable VAULT_TOKEN should be preferred over .vault-token file
"""
class Settings(BaseSettings):
class Config:
vault_url: str = "https://vault.tld"
monkeypatch.setenv("VAULT_TOKEN", "fake-token-from-environment")
settings = Settings()
vault_client_mock = mocker.patch(
"pydantic_vault.vault_settings.HvacClient")
_get_authenticated_vault_client(settings)
vault_client_mock.assert_called_once_with(
"https://vault.tld", token="fake-token-from-environment")
