def test_cert(server, env):
crt_file = os.path.join(HERE, 'certs', 'client.crt')
csr_file = os.path.join(HERE, 'certs', 'client.csr')
key_file = os.path.join(HERE, 'certs', 'client.key')
ca_path = os.path.join(HERE, 'certs')
client = Vault(server.addr, cert=[server.csr, server.key])
state = yield from client.initialize(secret_shares=5, secret_threshold=3)
yield from client.seal.unseal(state.keys)
yield from client.audit.enable('file', path='/tmp/aiovault.log')
backend = yield from client.auth.enable('cert')
assert backend.__repr__() == "<CertBackend(name='cert')>"
with open(csr_file) as file:
written = yield from backend.write_cert('foo',
certificate=file.read(),
policies=['pierre', 'pol'])
assert written
data = yield from backend.read_cert('foo')
assert 'pierre' in data['policies']
# TODO does not work with Vault v0.1.2
# return
client = Vault(server.addr, cert=[crt_file, key_file], verify=crt_file)
backend = client.auth.load('cert')
res = yield from backend.login()
print(res)
def test_help(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
response = yield from client.read('/sys/auth/github',
params={"help": 1})
data = yield from response.json()
assert 'help' in data
def test_github_loading(dev_server, env):
try:
github_org = env.GITHUB_ORG
github_token = env.GITHUB_TOKEN
except AttributeError:
return 'GITHUB_ORG or GITHUB_TOKEN missing'
client = Vault(dev_server.addr, token=dev_server.root_token)
backend1 = backend = yield from client.auth.enable('github')
configured = yield from backend.configure(organization=github_org)
assert configured
configured = yield from backend.write_team('test', policies='foo')
assert configured
client = Vault(dev_server.addr)
backend = client.auth.load('github')
dummy_token = '1111111111111111111111111111111111111111'
with pytest.raises(LoginError):
yield from backend.login(github_token=dummy_token)
yield from backend.login(github_token=github_token)
disabled = yield from backend1.disable()
assert disabled
def test_renew(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
response = yield from client.write('/secret/foo', json={
'data': 'bar', 'lease': '1h'
})
assert response.status == 204
response = yield from client.read('/secret/foo')
result = yield from response.json()
renewed = yield from client.lease.renew(result['lease_id'])
assert renewed
def test_status(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
response = yield from client.status()
assert response.initialized is True
response = yield from client.leader()
assert response.enabled is False
assert response.is_self is False
response = yield from client.health()
assert response.initialized is True
assert response.sealed is dev_server.sealed
def test_init(server):
client = Vault(server.addr, cert=[server.csr, server.key])
print(client)
response = yield from client.status()
print(response)
state = yield from client.initialize(secret_shares=5, secret_threshold=3)
assert hasattr(state, 'root_token')
assert hasattr(state, 'keys')
status = yield from client.seal.status()
assert status.sealed is True
status = yield from client.seal.unseal(state.keys)
assert status.sealed is False
def test_revoke_orphan(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
parent_token = yield from client.auth.create()
client_b = Vault(dev_server.addr, token=parent_token)
child_token = yield from client_b.auth.create()
yield from client.auth.lookup(parent_token)
yield from client.auth.lookup(child_token)
yield from client.auth.revoke_orphan(parent_token)
with pytest.raises(KeyError):
yield from client.auth.lookup(parent_token)
yield from client.auth.lookup(child_token)
def test_crud(dev_server, env):
try:
access_key = env.AWS_ACCESS_KEY_ID
secret_key = env.AWS_SECRET_ACCESS_KEY
region = env.AWS_DEFAULT_REGION
except AttributeError:
return 'AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY \
or AWS_DEFAULT_REGION missing'
client = Vault(dev_server.addr, token=dev_server.root_token)
mounted, backend = yield from client.secret.mount('aws')
configured = yield from backend.config_root(access_key=access_key,
secret_key=secret_key,
region=region)
assert configured
configured = yield from backend.config_lease(lease='1m', lease_max='1m')
assert configured
configured = yield from backend.write_role('test', policy=AWS_POLICY)
assert configured
role = yield from backend.read_role('test')
assert 'policy' in role
deleted = yield from backend.delete_role('test')
assert deleted
with pytest.raises(KeyError):
yield from backend.read_role('test')
def test_basic(dev_server, env):
try:
access_key = env.AWS_ACCESS_KEY_ID
secret_key = env.AWS_SECRET_ACCESS_KEY
region = env.AWS_DEFAULT_REGION
except AttributeError:
return 'AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY \
or AWS_DEFAULT_REGION missing'
client = Vault(dev_server.addr, token=dev_server.root_token)
mounted, backend = yield from client.secret.mount('aws')
configured = yield from backend.config_root(access_key=access_key,
secret_key=secret_key,
region=region)
assert configured
configured = yield from backend.config_lease(lease='1m', lease_max='1m')
assert configured
configured = yield from backend.write_role('foo', policy=AWS_POLICY)
assert configured
data = yield from backend.creds('foo')
assert 'access_key' in data
assert 'secret_key' in data
def test_basic(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
mounted, backend = yield from client.secret.mount('transit')
assert mounted
written = yield from backend.write_key('test', derived=False)
assert written
policy = yield from backend.read_key('test')
assert policy['name'] == 'test'
assert policy['derived'] is False
policy = yield from backend.read_raw('test')
assert policy['name'] == 'test'
assert policy['derived'] is False
encrypted = yield from backend.encrypt('test', PLAIN_TEXT)
assert 'ciphertext' in encrypted
ciphertext = encrypted['ciphertext']
decrypted = yield from backend.decrypt('test', ciphertext)
assert 'plaintext' in decrypted
assert decrypted['plaintext'] == PLAIN_TEXT
deleted = yield from backend.delete_key('test')
assert deleted
with pytest.raises(KeyError):
yield from backend.read_key('test')
with pytest.raises(KeyError):
yield from backend.read_raw('test')
def test_generic(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
store = client.secret.load('secret', type='generic')
assert store.__repr__() == "<GenericBackend(name='secret')>"
data = yield from store.write('foo', {'value': 'bar'})
assert data
data = yield from store.read('foo')
assert data == {'value': 'bar'}
data = yield from store.delete('foo')
assert data
with pytest.raises(ValueError):
yield from store.write('bar', 'baz')
with pytest.raises(KeyError):
yield from store.read('bar')
data = yield from store.delete('bar')
assert data is True
data = yield from store.delete('bar')
assert data is True
def test_initial_status(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
response = yield from client.seal.status()
assert response.sealed == dev_server.sealed
assert response.threshold == dev_server.threshold
assert response.shares == dev_server.shares
assert response.progress == dev_server.progress
def test_revoke_prefix(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
token = yield from client.auth.create()
yield from client.auth.lookup(token)
revoked = yield from client.auth.revoke_prefix('auth/token/')
assert revoked is True
with pytest.raises(KeyError):
yield from client.auth.lookup(token)
def test_shortcut(dev_server):
"""docstring for test_shortcut"""
client = Vault(dev_server.addr, token=dev_server.root_token)
mounted, backend = yield from client.secret.mount('transit')
assert mounted
backend = client.secret.transit
written = yield from backend.write_key('test')
assert written
def test_auth(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
# list mounted backends
backends = yield from client.auth.items()
assert len(backends) == 1
yield from client.auth.enable('app-id')
backends = yield from client.auth.items()
assert len(backends) == 2
assert 'app-id' in backends
def test_userpass(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
# enable userpass
backend = yield from client.auth.enable('userpass')
response = yield from backend.create('mitchellh', 'foo')
assert response
# raw login
response = yield from client.write('/auth/userpass/login/mitchellh',
json={"password": "******"})
result = yield from response.json()
assert result['auth']['metadata'] == {'username': '******'}
# nicer login
token = yield from client.login('userpass',
username='******',
password='******')
assert token['metadata'] == {'username': '******'}
def test_github_raw_loading(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
response = yield from client.read('/sys/auth/github/login',
params={"help": 1})
data = yield from response.json()
print(data['help'])
# low level create/delete
response = yield from client.write('/sys/auth/github',
json={"type": "github"})
assert response.status == 204, 'Must add github auth backend'
response = yield from client.delete('/sys/auth/github')
assert response.status == 204, 'Must delete github auth backend'
# high level create/delete
response = yield from client.auth.enable('github')
assert response.type == 'github', 'Must add github auth backend'
response = yield from client.auth.disable('github')
assert response is True, 'Must delete github auth backend'
def test_github_raw_loading(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
response = yield from client.read('/sys/auth/github/login',
params={"help": 1})
data = yield from response.json()
print(data['help'])
# low level create/delete
response = yield from client.write('/sys/auth/github',
json={"type": "github"})
assert response.status == 204, 'Must add github auth backend'
response = yield from client.delete('/sys/auth/github')
assert response.status == 204, 'Must delete github auth backend'
# high level create/delete
response = yield from client.auth.enable('github')
assert response.type == 'github', 'Must add github auth backend'
response = yield from client.auth.disable('github')
assert response is True, 'Must delete github auth backend'
def test_seal(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
status = yield from client.seal.status()
assert status.sealed is False
sealed = yield from client.seal.seal()
assert sealed is True
status = yield from client.seal.status()
assert status.sealed is True
status = yield from client.seal.unseal(dev_server.unseal_key)
assert status.sealed is False
def test_basic(dev_server, consul):
client = Vault(dev_server.addr, token=dev_server.root_token)
mounted, backend = yield from client.secret.mount('consul')
assert mounted
store = client.secret.load('consul')
configured = yield from store.config_access(address=consul.address,
token=consul.acl_master_token)
assert configured
configured = yield from store.write_role('foo', policy=CONSUL_POLICY)
assert configured
data = yield from store.creds('foo')
assert 'token' in data
def test_ldap(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
backend = yield from client.auth.enable('ldap')
configured = yield from backend.configure(url='ldap://ldap.forumsys.com',
userattr='uid',
userdn='dc=example,dc=com',
groupdn='dc=example,dc=com')
assert configured
writen = yield from backend.write_group(name='scientists', policies='foo')
assert writen
token = yield from backend.login(username='******', password='******')
assert token['metadata']['username'] == 'tesla'
def test_secret_mount(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
mounted, backend = yield from client.secret.mount('consul')
assert mounted is True, 'must be mounted'
mounted, _ = yield from client.secret.mount('consul')
assert mounted is False, 'must be already mounted'
with pytest.raises(MountError):
# already mounted
yield from backend.mount()
yield from backend.unmount()
unmounted = yield from client.secret.unmount('consul')
assert unmounted is False, 'must be already unmounted'
with pytest.raises(MountError):
# already unmounted
yield from backend.unmount()
def test_secret_2(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
# list mounted backends
backends = yield from client.secret.items()
assert len(backends) == 2
mounted, backend = yield from client.secret.mount('consul')
backends = yield from client.secret.items()
assert len(backends) == 3
assert 'consul' in backends
yield from backend.remount('newpath')
backends = yield from client.secret.items()
assert len(backends) == 3
assert 'newpath' in backends
yield from backend.unmount()
backends = yield from client.secret.items()
assert len(backends) == 2
def test_crud(dev_server, consul):
client = Vault(dev_server.addr, token=dev_server.root_token)
mounted, backend = yield from client.secret.mount('consul')
assert mounted
store = client.secret.load('consul')
configured = yield from store.config_access(address=consul.address,
token=consul.acl_master_token)
assert configured
configured = yield from store.write_role('foo', policy=CONSUL_POLICY)
assert configured
role = yield from store.read_role('foo')
assert 'policy' in role
deleted = yield from store.delete_role('foo')
assert deleted
with pytest.raises(KeyError):
yield from store.read_role('foo')
def test_audit_syslog(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
# enable syslog
enabled = yield from client.audit.enable('syslog')
assert enabled
backends = yield from client.audit.items()
assert 'syslog/' in backends
backend = yield from client.audit.get('syslog')
print(backend)
disabled = yield from client.audit.disable('syslog')
assert disabled
with pytest.raises(KeyError):
yield from client.audit.get('syslog')
backends = yield from client.audit.items()
assert 'syslog/' not in backends
def test_basic(dev_server, env):
try:
dsn = env.PG_URL
except AttributeError:
return 'PG_URL must be set for acceptance tests'
client = Vault(dev_server.addr, token=dev_server.root_token)
mounted, backend = yield from client.secret.mount('postgresql')
assert mounted
configured = yield from backend.config_connection(dsn=dsn)
assert configured
configured = yield from backend.config_lease('1m', '1m')
assert configured
configured = yield from backend.write_role('web', sql=PG_SQL)
assert configured
data = yield from backend.creds('web')
assert 'username' in data
assert 'password' in data
def test_ldap_crud(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
backend = yield from client.auth.enable('ldap')
configured = yield from backend.configure(url='ldap://ldap.forumsys.com',
userattr='uid',
userdn='dc=example,dc=com',
groupdn='dc=example,dc=com')
assert configured
writen = yield from backend.write_group(name='g1', policies='foo')
assert writen
data = yield from backend.read_group(name='g1')
assert data['policies'] == {'foo'}
deleted = yield from backend.delete_group(name='g1')
assert deleted
with pytest.raises(KeyError):
yield from backend.read_group(name='g1')
def test_policy(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
policies = yield from client.policy.items()
assert 'root' in policies
assert 'foo' not in policies
absent = yield from client.policy.delete('foo')
assert absent is True
absent = yield from client.policy.delete('foo')
assert absent is True
policy = yield from client.policy.read('root')
assert policy.name == 'root'
with pytest.raises(KeyError):
yield from client.policy.read('foo')
rules = {'sys': {'policy': 'deny'}}
written = yield from client.policy.write('foo', rules)
assert written is True
policy = yield from client.policy.read('foo')
assert policy.name == 'foo'
assert 'sys' in policy
assert policy.rules == rules
assert policy == rules
# add other rules
policy['bar/baz'] = 'deny'
written = yield from client.policy.write('foo', policy)
assert written is True
policy = yield from client.policy.read('foo')
assert policy.name == 'foo'
assert 'sys' in policy
assert 'bar/baz' in policy
def test_policy_hl(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
policies = yield from client.policy.items()
assert 'root' in policies
response = yield from client.policy.write_path('foo', 'my/path', 'read')
assert response
rules = yield from client.policy.read('foo')
assert 'my/path' in rules
assert 'cert' not in rules
backend = client.auth.load('cert')
response = yield from client.policy.write_path('foo', backend, 'read')
assert response
rules = yield from client.policy.read('foo')
assert 'my/path' in rules
assert 'auth/cert' in rules
response = yield from client.policy.delete_path('foo', 'my/path')
assert response
rules = yield from client.policy.read('foo')
assert 'my/path' not in rules
assert 'auth/cert' in rules
def test_crud(dev_server, env):
try:
dsn = env.PG_URL
except AttributeError:
return 'PG_URL must be set for acceptance tests'
client = Vault(dev_server.addr, token=dev_server.root_token)
mounted, backend = yield from client.secret.mount('postgresql')
assert mounted
configured = yield from backend.config_connection(dsn=dsn)
assert configured
configured = yield from backend.write_role('web', sql=PG_SQL)
assert configured
role = yield from backend.read_role('web')
assert 'sql' in role
deleted = yield from backend.delete_role('web')
assert deleted
with pytest.raises(KeyError):
yield from backend.read_role('web')
def test_appid_raw(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
# enable app-id
response = yield from client.write('/sys/auth/app-id',
json={'type': 'app-id'})
assert response.status == 204
response = yield from client.write('/auth/app-id/map/app-id/foo',
json={'value': 'dummy'})
response = yield from client.write('/auth/app-id/map/user-id/bar',
json={'value': 'foo'})
assert response.status == 204
# do login
client = Vault(dev_server.addr)
# login
response = yield from client.write('/auth/app-id/login',
json={'app_id': 'foo',
'user_id': 'bar'})
result = yield from response.json()
assert result['auth']['policies'] == ['dummy']
def test_renew(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
token = yield from client.auth.create(lease='1h')
token = yield from client.auth.renew(token)
def test_lookup_1(dev_server):
client = Vault(dev_server.addr, token=dev_server.root_token)
token = yield from client.auth.lookup_self()
assert token.id == dev_server.root_token
