def test_set_variable_passes_down_ssl_verify_param(self, mock_http_client):
    """Check that set_variable forwards the constructor's ssl_verify value.

    The sentinel string 'verify' is given to Api and must reach the HTTP
    call unchanged, so a caller's TLS verification setting is not replaced
    by a default on the way down.
    """
    client = Api(
        url='http://localhost',
        login_id='mylogin',
        api_key='apikey',
        ssl_verify='verify',
    )
    # Stub authentication so the only HTTP call recorded is the secret write.
    client.authenticate = lambda: 'apitoken'

    client.set_variable('myvar', 'myvalue')

    self.verify_http_call(
        mock_http_client,
        HttpVerb.POST,
        ConjurEndpoint.SECRETS,
        'myvalue',
        kind='variable',
        identifier='myvar',
        ssl_verify='verify',
    )
def test_get_variables_invokes_http_client_correctly(self, mock_http_client):
    """Check the batch-secrets request issued by get_variables.

    Two variable names are expected to be sent as one comma-separated
    'variable_ids' query value, and ssl_verify is expected to be True when
    the Api was built without an explicit ssl_verify argument.
    """
    client = Api(url='http://localhost', login_id='mylogin', api_key='apikey')
    # Stub authentication so only the batch request is recorded.
    client.authenticate = lambda: 'apitoken'

    client.get_variables('myvar', 'myvar2')

    expected_query = {
        'variable_ids': 'default:variable:myvar,default:variable:myvar2'
    }
    self.verify_http_call(
        mock_http_client,
        HttpVerb.GET,
        ConjurEndpoint.BATCH_SECRETS,
        query=expected_query,
        ssl_verify=True,
    )
def test_delete_policy_invokes_http_client_correctly(self, mock_http_client):
    """Check that delete_policy_file PATCHes the policy file's contents.

    The request body must equal the text of self.POLICY_FILE, addressed to
    the 'mypolicyname' policy, with certificate verification left at True.
    """
    client = Api(url='http://localhost', login_id='mylogin', api_key='apikey')
    # Stub authentication so only the policy request is recorded.
    client.authenticate = lambda: 'apitoken'

    client.delete_policy_file('mypolicyname', self.POLICY_FILE)

    # Read the fixture independently to build the expected request body.
    with open(self.POLICY_FILE, 'r') as policy_file:
        expected_body = policy_file.read()

    self.verify_http_call(
        mock_http_client,
        HttpVerb.PATCH,
        ConjurEndpoint.POLICIES,
        expected_body,
        identifier='mypolicyname',
        ssl_verify=True,
    )
def test_authenticate_invokes_http_client_correctly(self, mock_http_client):
    """Check the request made by authenticate().

    The API key is expected as the request body, no API token is attached
    (api_token=False), and ssl_verify defaults to True.
    """
    client = Api(url='http://localhost', login_id='mylogin', api_key='apikey')
    client.authenticate()

    # NOTE(review): '******' looks like a value scrubbed on this page; the
    # client above was built with login_id='mylogin' - confirm the expected
    # login against the repository.
    self.verify_http_call(
        mock_http_client,
        HttpVerb.POST,
        ConjurEndpoint.AUTHENTICATE,
        'apikey',
        login='******',
        api_token=False,
        ssl_verify=True,
    )
def test_account_info_is_passed_down_to_http_call(self, mock_http_client):
    """Check that a non-default account reaches the authenticate request."""
    client = Api(
        url='http://localhost',
        account='myacct',
        login_id='mylogin',
        api_key='apikey',
    )
    client.authenticate()

    # NOTE(review): '******' looks like a value scrubbed on this page; the
    # client above was built with login_id='mylogin' - confirm the expected
    # login against the repository.
    self.verify_http_call(
        mock_http_client,
        HttpVerb.POST,
        ConjurEndpoint.AUTHENTICATE,
        'apikey',
        login='******',
        account='myacct',
        api_token=False,
        ssl_verify=True,
    )
def test_authenticate_passes_down_ssl_verify_param(self, mock_http_client):
    """Check that authenticate() forwards the constructor's ssl_verify value.

    The sentinel string 'verify' must arrive at the HTTP call unchanged, so
    the credential exchange uses the TLS setting the caller asked for.
    """
    client = Api(
        url='http://localhost',
        login_id='mylogin',
        api_key='apikey',
        ssl_verify='verify',
    )
    client.authenticate()

    # NOTE(review): '******' looks like a value scrubbed on this page; the
    # client above was built with login_id='mylogin' - confirm the expected
    # login against the repository.
    self.verify_http_call(
        mock_http_client,
        HttpVerb.POST,
        ConjurEndpoint.AUTHENTICATE,
        'apikey',
        api_token=False,
        login='******',
        ssl_verify='verify',
    )
def test_replace_policy_passes_down_ssl_verify_parameter(self, mock_http_client):
    """Check that replace_policy_file forwards ssl_verify and PUTs the file.

    The sentinel string 'ssl_verify' given to Api must reach the HTTP call
    unchanged, and the request body must equal the text of self.POLICY_FILE.
    """
    client = Api(
        url='http://localhost',
        login_id='mylogin',
        api_key='apikey',
        ssl_verify='ssl_verify',
    )
    # Stub authentication so only the policy request is recorded.
    client.authenticate = lambda: 'apitoken'

    client.replace_policy_file('mypolicyname', self.POLICY_FILE)

    # Read the fixture independently to build the expected request body.
    with open(self.POLICY_FILE, 'r') as policy_file:
        expected_body = policy_file.read()

    self.verify_http_call(
        mock_http_client,
        HttpVerb.PUT,
        ConjurEndpoint.POLICIES,
        expected_body,
        identifier='mypolicyname',
        ssl_verify='ssl_verify',
    )
def test_new_client_shows_warning_when_ssl_verify_is_false(
        self, mock_http_client, logging_warn_func):
    """Check that disabling certificate verification is logged loudly.

    Constructing Api with ssl_verify=False must emit a three-line warning
    banner, so an operator who turns verification off sees the MITM
    exposure in the logs.
    """
    Api(url='http://localhost', login_id='mylogin', api_key='apikey',
        ssl_verify=False)

    banner = "************************************************************"
    expected_warnings = [
        call(banner),
        call("'ssl_verify' is False - YOU ARE VULNERABLE TO MITM ATTACKS!"),
        call(banner),
    ]
    # assert_has_calls requires these calls as a consecutive run, in order.
    logging_warn_func.assert_has_calls(expected_warnings)
def test_authenticate_throws_error_without_api_key_specified(self):
    """Check that authenticating without an API key raises RuntimeError."""
    with self.assertRaises(RuntimeError):
        # Construction stays inside the context, so a RuntimeError from
        # either the constructor or authenticate() satisfies the test.
        client = Api(url='http://localhost', login_id='mylogin')
        client.authenticate()
def test_if_account_is_empty_throw_an_error(self, mock_http_client):
    """Check that Api rejects a missing or empty account at construction.

    Both None and the empty string are tried, each in its own subTest so a
    failure names the offending value.
    """
    for blank_account in (None, ""):
        with self.subTest(account=blank_account):
            with self.assertRaises(RuntimeError):
                Api(url='http://localhost', account=blank_account)
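def test_if_api_token_is_missing_fetch_a_new_one(self, mock_http_client):
    """Check that reading api_token triggers one authenticate() call.

    A freshly built Api is given a mocked authenticate(); reading api_token
    must return the mock's value and call it exactly once with no arguments.
    """
    api = Api(url='http://localhost')
    api.authenticate = MagicMock(return_value='mytoken')

    # assertEqual replaces the deprecated assertEquals alias, which was
    # removed from unittest in Python 3.12.
    self.assertEqual(api.api_token, 'mytoken')
    api.authenticate.assert_called_once_with()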
def test_new_client_disables_insecure_warnings_in_urllib_when_sslverify_is_false(
        self, mock_http_client, logging_warn_func, disable_warning_func):
    """Check that ssl_verify=False silences urllib3's insecure-request warning.

    The constructor is expected to call the (mocked) disable-warnings
    function exactly once with urllib3's InsecureRequestWarning class.
    """
    # NOTE(review): with this warning suppressed, the client's own log
    # banner is presumably the only remaining signal that verification is
    # off - confirm the banner test covers it.
    Api(
        url='http://localhost',
        login_id='mylogin',
        api_key='apikey',
        ssl_verify=False,
    )

    suppressed_category = urllib3.exceptions.InsecureRequestWarning
    disable_warning_func.assert_called_once_with(suppressed_category)
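def test_login_saves_login_id(self, _):
    """Check that login() records the username on the Api instance."""
    api = Api(url='http://localhost')
    api.login('myuser', 'mypass')

    # assertEqual replaces the deprecated assertEquals alias, which was
    # removed from unittest in Python 3.12.
    self.assertEqual(api.login_id, 'myuser')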
# Fragment of a polling loop: the loop header and the definitions of
# token_file, url, account, cert_path, secrets and timeout are outside this
# excerpt.

# Wait for the token file to appear before doing anything else.
if not os.path.exists(token_file):
    sleep(5)
    continue

with open(token_file, 'r') as f:
    api_token = f.read()

# If there is no token yet, wait 5 seconds and start a new cycle.
# NOTE(review): only an exactly empty file counts as "no token"; the content
# is used as read, without stripping whitespace - confirm the writer never
# leaves a trailing newline.
if api_token == '':
    sleep(5)
    continue

# Small hack:
# We don't use Client here, because it requires login_id and tries to
# authenticate by itself (which is already done by the k8s authenticator).
# Instead, we use the API library directly. It also tries to authenticate by
# itself, so we put the token into the _api_token attribute and renew
# api_token_expiration to avoid unnecessary authentication.
client = Api(url=url, account=account, ca_bundle=cert_path)
client._api_token = api_token
# NOTE(review): the expiry is reset to now + API_TOKEN_DURATION on every
# pass, whatever the age of the token in the file; a stale token would
# presumably be sent as-is - confirm the token file is refreshed more often
# than the token lifetime.
client.api_token_expiration = datetime.now() + timedelta(
    minutes=client.API_TOKEN_DURATION)

# secrets maps a variable id to the path its value is written to.
for secret in secrets:
    value = client.get_variable(secret)
    # open(..., 'w') creates the file with the process's default mode
    # (umask-dependent) and truncates any existing file in place.
    # NOTE(review): these files hold secret values - confirm the umask or
    # the target directory restricts who can read them.
    with open(secrets[secret], 'w') as f:
        f.write(value.decode("utf-8"))
    # Logs the destination path only, never the secret value.
    print("Value %s has written" % secrets[secret])

# Pause before the next refresh cycle.
sleep(timeout)
def test_new_client_delegates_ssl_verify_flag(self, mock_http_client):
    """Check that login() forwards an explicit ssl_verify=True.

    The username and password are expected as an auth tuple, with no API
    token attached to the login request.
    """
    client = Api(url='http://localhost', ssl_verify=True)
    client.login('myuser', 'mypass')

    self.verify_http_call(
        mock_http_client,
        HttpVerb.GET,
        ConjurEndpoint.LOGIN,
        auth=('myuser', 'mypass'),
        api_token=False,
        ssl_verify=True,
    )
def test_new_client_throws_error_when_no_url(self):
    """Check that constructing Api without a url raises."""
    # NOTE(review): assertRaises(Exception) accepts any error, including an
    # unrelated failure inside the constructor; narrowing it to the
    # exception Api actually raises for a missing url would make this test
    # stricter - the concrete type is not visible here.
    with self.assertRaises(Exception):
        Api(
            login_id='mylogin',
            api_key='apikey',
            ssl_verify=False,
        )
def test_login_throws_error_when_username_not_provided(self):
    """Check that login() with a None username raises RuntimeError."""
    with self.assertRaises(RuntimeError):
        client = Api(url='http://localhost')
        client.login(None, 'mypass')
def test_login_invokes_http_client_correctly(self, mock_http_client):
    """Check the request made by login().

    The username and password are expected as an auth tuple, no API token
    is attached, and ssl_verify is True when the Api was built without an
    explicit ssl_verify argument.
    """
    client = Api(url='http://localhost')
    client.login('myuser', 'mypass')

    self.verify_http_call(
        mock_http_client,
        HttpVerb.GET,
        ConjurEndpoint.LOGIN,
        auth=('myuser', 'mypass'),
        api_token=False,
        ssl_verify=True,
    )
def test_login_throws_error_when_password_not_provided(self):
    """Check that login() with a None password raises RuntimeError."""
    with self.assertRaises(RuntimeError):
        client = Api(url='http://localhost')
        client.login('myuser', None)