def test_accessor_validation():
with vault_dev.server() as s:
client = s.client()
with pytest.raises(Exception, match="Invalid vault accessor"):
resolve_secret("VAULT:invalid", client)
with pytest.raises(Exception, match="Invalid vault accessor"):
resolve_secret("VAULT:invalid:a:b", client)
def test_secret_reading():
with vault_dev.server() as s:
client = s.client()
client.write("secret/foo", value="s3cret")
assert resolve_secret("foo", client) == (False, "foo")
assert resolve_secret("VAULT:secret/foo:value", client) == \
(True, "s3cret")
def test_error_for_missing_secret_key():
with vault_dev.server() as s:
client = s.client()
client.write("secret/foo", value="s3cret")
msg = "Did not find key 'bar' at secret path 'secret/foo'"
with pytest.raises(Exception, match=msg):
resolve_secret("VAULT:secret/foo:bar", client)
def test_vault_github_login_with_mount_path():
os.environ["VAULT_AUTH_GITHUB_TOKEN"] = os.environ["VAULT_TEST_GITHUB_PAT"]
with vault_dev.server() as s:
cl = s.client()
enable_github_login(cl, path="github-custom")
cl.write("secret/db/password", value="s3cret")
path = "config/vault"
vault_addr = "http://localhost:{}".format(s.port)
options = {
"vault": {
"addr": vault_addr,
"auth": {
"method": "github",
"args": {
"mount_point": "github-custom"
}
}
}
}
orderly_web.start(path, options=options)
cfg = fetch_config(path)
container = cfg.get_container("orderly")
res = string_from_container(container, "/root/.Renviron")
assert "ORDERLY_DB_PASS=s3cret" in res
orderly_web.stop(path, kill=True, volumes=True, network=True)
def test_can_substitute_secrets():
with vault_dev.server() as s:
cl = s.client()
# Copy the certificates into the vault where we will later on
# pull from from.
cert = read_file("proxy/ssl/certificate.pem")
key = read_file("proxy/ssl/key.pem")
cl.write("secret/ssl/certificate", value=cert)
cl.write("secret/ssl/key", value=key)
cl.write("secret/db/password", value="s3cret")
cl.write("secret/github/id", value="ghkey")
cl.write("secret/github/secret", value="ghs3cret")
cl.write("secret/ssh",
public="public-key-data",
private="private-key-data")
cl.write("secret/slack/webhook", value="http://webhook")
# When reading the configuration we have to interpolate in the
# correct values here for the vault connection
cfg = build_config("config/complete")
cfg.vault.url = "http://localhost:{}".format(s.port)
cfg.vault.auth_args["token"] = s.token
cfg.resolve_secrets()
assert not cfg.proxy_ssl_self_signed
assert cfg.proxy_ssl_certificate == cert
assert cfg.proxy_ssl_key == key
assert cfg.orderly_env["ORDERLY_DB_PASS"] == "s3cret"
assert cfg.web_auth_github_app["id"] == "ghkey"
assert cfg.web_auth_github_app["secret"] == "ghs3cret"
assert cfg.orderly_ssh["private"] == "private-key-data"
assert cfg.orderly_ssh["public"] == "public-key-data"
def test_verbose_mode(capsys):
with vault_dev.server(verbose=True) as s:
port = s.port
captured = capsys.readouterr().out
assert "Starting vault server on port {}".format(port) in captured
assert "Waiting for server to become active" in captured
assert "Connection made" in captured
assert "Configuring old-style kv engine at /secret" in captured
def test_failure_after_start():
with vault_dev.server() as s:
s.start()
s.token = "root"
with pytest.raises(vault_dev.VaultDevServerError) as e:
s._wait_until_active(0.5, 0.1)
assert e.msg == "Vault did not start in time"
assert e.code is None
assert e.stdout[0].startswith(">> ")
def test_vault_config_login():
with vault_dev.server() as s:
cl = s.client()
cl.sys.enable_auth_method(method_type="github")
cl.write("auth/github/config", organization="vimc")
url = "http://localhost:{}".format(s.port)
token = os.environ["VAULT_TEST_GITHUB_PAT"]
cfg = vault_config(url, "github", {"token": token})
assert cfg.client().is_authenticated()
def test_failure_to_start():
with socket.socket() as s:
s.bind(('localhost', 0))
port = s.getsockname()[1]
server = vault_dev.server(port)
with pytest.raises(vault_dev.VaultDevServerError) as e:
server.start()
assert e.msg == "Vault process has terminated"
assert e.code is not None
assert e.msg in str(e.value)
assert e.stdout in str(e.value)
def test_secret_reading_of_dicts():
with vault_dev.server() as s:
client = s.client()
client.write("secret/foo", value="s3cret")
# With data
dat = {"foo": "VAULT:secret/foo:value", "bar": "constant"}
resolve_secrets(dat, client)
assert dat == {"foo": "s3cret", "bar": "constant"}
# Without
empty = {}
resolve_secrets(empty, client)
assert empty == {}
def test_server_basic():
s = vault_dev.server()
assert not s.is_running()
s.start()
assert s.is_running()
assert s.url() == "http://localhost:{}".format(s.port)
cl = s.client()
# check that vault came up ok and that the v1 key-value store works
cl.write("secret/foo", a="b")
assert cl.read("secret/foo")["data"]["a"] == "b"
s.stop()
assert not s.is_running()
def test_vault_config_login_no_args():
if "VAULT_TEST_GITHUB_PAT" not in os.environ:
pytest.skip("VAULT_TEST_GITHUB_PAT is not defined")
with vault_dev.server() as s:
cl = s.client()
cl.sys.enable_auth_method(method_type="github")
cl.write("auth/github/config", organization="vimc")
url = "http://localhost:{}".format(s.port)
token = os.environ["VAULT_TEST_GITHUB_PAT"]
with mock.patch.dict(os.environ, {"VAULT_AUTH_GITHUB_TOKEN": token}):
cfg = vault_config(url, "github", None)
assert cfg.client().is_authenticated()
def test_secret_reading_of_objects():
with vault_dev.server() as s:
client = s.client()
client.write("secret/foo", value="s3cret")
class Data:
def __init__(self):
self.foo = "VAULT:secret/foo:value"
self.bar = "constant"
dat = Data()
resolve_secrets(dat, client)
assert dat.foo == "s3cret"
assert dat.bar == "constant"
def test_vault_ssl():
with vault_dev.server() as s:
cl = s.client()
# Copy the certificates into the vault where we will later on
# pull from from.
cert = read_file("proxy/ssl/certificate.pem")
key = read_file("proxy/ssl/key.pem")
cl.write("secret/ssl/certificate", value=cert)
cl.write("secret/ssl/key", value=key)
cl.write("secret/db/password", value="s3cret")
cl.write("secret/github/id", value="ghid")
cl.write("secret/github/secret", value="ghs3cret")
cl.write("secret/ssh",
public="public-key-data",
private="private-key-data")
cl.write("secret/slack/webhook", value="http://webhook")
path = "config/complete"
vault_addr = "http://localhost:{}".format(s.port)
vault_auth = {"args": {"token": s.token}}
options = {"vault": {"addr": vault_addr, "auth": vault_auth}}
res = orderly_web.start(path, options=options)
dat = json.loads(http_get("https://localhost/api/v1"))
assert dat["status"] == "success"
cfg = fetch_config(path)
container = cfg.get_container("orderly")
res = string_from_container(container, "/root/.Renviron")
assert "ORDERLY_DB_PASS=s3cret" in res
private = string_from_container(container, "/root/.ssh/id_rsa")
assert private == "private-key-data"
public = string_from_container(container, "/root/.ssh/id_rsa.pub")
assert public == "public-key-data"
known_hosts = string_from_container(container,
"/root/.ssh/known_hosts")
assert "github.com" in known_hosts
web_container = cfg.get_container("web")
web_config = string_from_container(
web_container, "/etc/orderly/web/config.properties").split("\n")
assert "auth.github_key=ghid" in web_config
assert "auth.github_secret=ghs3cret" in web_config
orderly_web.stop(path, kill=True, volumes=True, network=True)
def test_constellation_fetches_secrets_on_startup():
name = "mything"
prefix = rand_str()
network = "thenw"
volumes = {"data": "mydata"}
ref_server = ImageReference("library", "nginx", "latest")
ref_client = ImageReference("library", "alpine", "latest")
arg_client = ["sleep", "1000"]
data = {"string": "VAULT:secret/foo:value"}
with vault_dev.server() as s:
vault_client = s.client()
vault_url = vault_client.url
secret = rand_str()
vault_client.write("secret/foo", value=secret)
def cfg_server(container, data):
res = docker_util.string_into_container(
data["string"], container, "/config")
def cfg_client(container, data):
res = container.exec_run(["apk", "add", "--no-cache", "curl"])
assert res.exit_code == 0
vault_config = vault.vault_config(vault_client.url, "token",
{"token": s.token})
server = ConstellationContainer("server", ref_server,
configure=cfg_server)
client = ConstellationContainer("client", ref_client, arg_client,
configure=cfg_client)
obj = Constellation(name, prefix, [server, client], network, volumes,
data=data, vault_config=vault_config)
obj.start()
x = obj.containers.get("server", prefix)
res = docker_util.string_from_container(x, "/config")
assert res == secret
obj.destroy()
def test_vault_github_login_with_prompt():
if "VAULT_AUTH_GITHUB_TOKEN" in os.environ:
del os.environ["VAULT_AUTH_GITHUB_TOKEN"]
with mock.patch('builtins.input',
return_value=os.environ["VAULT_TEST_GITHUB_PAT"]):
with vault_dev.server() as s:
cl = s.client()
enable_github_login(cl)
cl.write("secret/db/password", value="s3cret")
path = "config/vault"
vault_addr = "http://localhost:{}".format(s.port)
options = {"vault": {"addr": vault_addr}}
orderly_web.start(path, options=options)
cfg = fetch_config(path)
container = cfg.get_container("orderly")
res = string_from_container(container, "/root/.Renviron")
assert "ORDERLY_DB_PASS=s3cret" in res
orderly_web.stop(path, kill=True, volumes=True, network=True)
def test_restart_is_not_an_error():
with vault_dev.server() as s:
assert s.start() is None
def f():
s = vault_dev.server()
s.start()
return s.process
def test_vault_config():
with vault_dev.server() as s:
url = "http://localhost:{}".format(s.port)
cfg = vault_config(url, "token", {"token": s.token})
cl = cfg.client()
assert cl.is_authenticated()
def test_that_enter_exit_works():
with vault_dev.server() as s:
p = s.process
assert s.is_running()
assert p.poll()
def test_error_for_missing_secret():
with vault_dev.server() as s:
client = s.client()
msg = "Did not find secret at 'secret/foo'"
with pytest.raises(Exception, match=msg):
resolve_secret("VAULT:secret/foo:bar", client)
