def test_read_team_mapping(self, test_label, mount_point, requests_mocker):
expected_status_code = 200
team_name = 'hvac'
mock_response = {
'auth': None,
'data': {
'key': 'SOME_TEAM',
'value': 'some-team-policy'
},
'lease_duration': 0,
'lease_id': '',
'renewable': False,
'request_id': '50346cc8-34e7-f2ea-f36a-fcb9d45c1676',
'warnings': None,
'wrap_info': None
}
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/map/teams/{team_name}'.format(
mount_point=mount_point,
team_name=team_name,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
github = Github(adapter=Request())
response = github.read_team_mapping(
team_name=team_name,
mount_point=mount_point,
)
self.assertEqual(
first=mock_response,
second=response,
)
def test_list_users(self, test_label, mount_point, requests_mocker):
expected_status_code = 200
mock_response = {
'lease_id': '',
'warnings': None,
'wrap_info': None,
'auth': None,
'lease_duration': 0,
'request_id': '0c34cc02-2f75-7deb-a531-33cf7434a729',
'data': {
'keys': ['somedude']
},
'renewable': False
}
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/users'.format(
mount_point=mount_point,
)
requests_mocker.register_uri(
method='LIST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
ldap = Ldap(adapter=Request())
response = ldap.list_users(
mount_point=mount_point,
)
self.assertEqual(
first=mock_response,
second=response,
)
def test_read_configuration(self, test_label, mount_point,
requests_mocker):
expected_status_code = 200
mock_response = {
'auth': None,
'data': {
'base_url': '',
'max_ttl': 0,
'organization': '',
'ttl': 0
},
'lease_duration': 0,
'lease_id': '',
'renewable': False,
'request_id': '860a11a8-b835-cbab-7fce-de4edc4cf533',
'warnings': None,
'wrap_info': None
}
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/config'.format(
mount_point=mount_point, )
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
github = Github(adapter=Request())
response = github.read_configuration(mount_point=mount_point, )
self.assertEqual(
first=mock_response,
second=response,
)
def test_read_duo_behvaior_configuration(self, test_label, mount_point,
requests_mocker):
expected_status_code = 200
mock_response = {
'lease_id': '',
'warnings': None,
'wrap_info': None,
'auth': None,
'lease_duration': 0,
'request_id': '7ea734e8-bbc4-e2de-2769-d052d6a320c6',
'data': {
'username_format': '%s',
'push_info': '',
'user_agent': ''
},
'renewable': False
}
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/duo/config'.format(
mount_point=mount_point, )
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
mfa = Mfa(adapter=Request())
response = mfa.read_duo_behavior_configuration(
mount_point=mount_point, )
self.assertEqual(
first=mock_response,
second=response,
)
def test_read_user(self, test_label, mount_point, requests_mocker):
expected_status_code = 200
username = '******'
mock_response = {
'lease_id': '',
'warnings': None,
'wrap_info': None,
'auth': None,
'lease_duration': 0,
'request_id': 'c39914d5-70c1-b585-c6bd-ac8f0dcdf997',
'data': {
'policies': [],
'groups': ''
},
'renewable': False
}
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/users/{username}'.format(
mount_point=mount_point,
username=username,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
ldap = Ldap(adapter=Request())
response = ldap.read_user(
mount_point=mount_point,
username=username,
)
self.assertEqual(
first=mock_response,
second=response,
)
def test_list_groups(self, test_label, mount_point, requests_mocker):
expected_status_code = 200
mock_response = {
'lease_id': '',
'warnings': None,
'wrap_info': None,
'auth': None,
'lease_duration': 0,
'request_id': '89144def-b675-4c8a-590c-4f2ad4f1fae7',
'data': {
'keys': ['cats']
},
'renewable': False
}
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/groups'.format(
mount_point=mount_point,
)
requests_mocker.register_uri(
method='LIST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
ldap = Ldap(adapter=Request())
response = ldap.list_groups(
mount_point=mount_point,
)
self.assertEqual(
first=mock_response,
second=response,
)
def test_read_group(self, test_label, mount_point, requests_mocker):
expected_status_code = 200
group_name = 'hvac'
mock_response = {
'lease_id': '',
'warnings': None,
'wrap_info': None,
'auth': None,
'lease_duration': 0,
'request_id': '448bc87c-e948-ac5f-907c-9b01fb9d26c6',
'data': {
'policies': []
},
'renewable': False
}
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/groups/{name}'.format(
mount_point=mount_point,
name=group_name,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
ldap = Ldap(adapter=Request())
response = ldap.read_group(
name=group_name,
mount_point=mount_point,
)
self.assertEqual(
first=mock_response,
second=response,
)
def test_list_roles(self, test_label, requests_mocker):
expected_status_code = 200
role_names = ['hvac']
mock_response = {
'data': {
'roles': role_names,
},
}
mock_url = 'http://localhost:8200/v1/{mount_point}/roles'.format(
mount_point=DEFAULT_MOUNT_POINT, )
requests_mocker.register_uri(
method='LIST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
azure = Azure(adapter=Request())
list_roles_response = azure.list_roles(mount_point=DEFAULT_MOUNT_POINT)
logging.debug('list_roles_response: %s' % list_roles_response)
self.assertEqual(
first=mock_response['data'],
second=list_roles_response,
)
def test_generate_credentials(self, test_label, requests_mocker):
expected_status_code = 200
role_name = 'hvac'
mock_response = {
'data': {
'client_id': 'some_client_id',
'client_secret': 'some_client_secret',
},
}
mock_url = 'http://localhost:8200/v1/{mount_point}/creds/{name}'.format(
mount_point=DEFAULT_MOUNT_POINT,
name=role_name,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
azure = Azure(adapter=Request())
generate_credentials_response = azure.generate_credentials(
name=role_name, mount_point=DEFAULT_MOUNT_POINT)
logging.debug('generate_credentials_response: %s' %
generate_credentials_response)
self.assertEqual(
first=mock_response['data'],
second=generate_credentials_response,
)
def test_create_or_update_role(self, test_label, azure_roles,
requests_mocker):
expected_status_code = 204
role_name = 'hvac'
if azure_roles is None:
azure_roles = [
{
'role_name': "Contributor",
'scope':
"/subscriptions/95e675fa-307a-455e-8cdf-0a66aeaa35ae",
},
]
mock_url = 'http://localhost:8200/v1/{mount_point}/roles/{name}'.format(
mount_point=DEFAULT_MOUNT_POINT,
name=role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
# json=mock_response,
)
azure = Azure(adapter=Request())
create_or_update_role_response = azure.create_or_update_role(
name=role_name,
azure_roles=azure_roles,
mount_point=DEFAULT_MOUNT_POINT)
logging.debug('create_or_update_role_response: %s' %
create_or_update_role_response)
self.assertEqual(
first=expected_status_code,
second=create_or_update_role_response.status_code,
)
def test_read_configuration(self, test_label, mount_point,
requests_mocker):
expected_status_code = 200
mock_response = {
'lease_id': '',
'warnings': None,
'wrap_info': None,
'auth': None,
'lease_duration': 0,
'request_id': '18ecf194-aba2-ba99-ebb5-1b90e5e231c7',
'data': {
'type': 'duo'
},
'renewable': False
}
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/mfa_config'.format(
mount_point=mount_point, )
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
mfa = Mfa(adapter=Request())
response = mfa.read_configuration(mount_point=mount_point, )
self.assertEqual(
first=mock_response,
second=response,
)
def test_read_user_mapping(self, test_label, mount_point, requests_mocker):
expected_status_code = 200
user_name = 'hvac'
mock_response = {
'auth': None,
'data': None,
'lease_duration': 0,
'lease_id': '',
'renewable': False,
'request_id': '71ec6e1b-6d4e-6374-ddc2-ff1cdd860e60',
'warnings': None,
'wrap_info': None
}
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/map/users/{user_name}'.format(
mount_point=mount_point,
user_name=user_name,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
github = Github(adapter=Request())
response = github.read_user_mapping(
user_name=user_name,
mount_point=mount_point,
)
self.assertEqual(
first=mock_response,
second=response,
)
def test_rotate_root_iam_credentials(self, test_label, mount_point=DEFAULT_MOUNT_POINT):
expected_status_code = 200
mock_response = {
"data": {
"access_key": "AKIA..."
}
}
aws = Aws(adapter=Request())
mock_url = 'http://localhost:8200/v1/{mount_point}/config/rotate-root'.format(
mount_point=mount_point,
)
logging.debug('Mocking URL: %s' % mock_url)
with requests_mock.mock() as requests_mocker:
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
rotate_root_response = aws.rotate_root_iam_credentials(
mount_point=mount_point,
)
logging.debug('rotate_root_response: %s' % rotate_root_response)
self.assertEqual(
first=mock_response,
second=rotate_root_response,
)
def test_login(self, label, test_params, raises, requests_mocker):
role_name = 'hvac'
test_policies = [
"default",
"dev",
"prod",
]
expected_status_code = 200
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/login'.format(
mount_point=self.TEST_MOUNT_POINT,
)
mock_response = {
"auth": {
"client_token": "38fe9691-e623-7238-f618-c94d4e7bc674",
"accessor": "78e87a38-84ed-2692-538f-ca8b9f400ab3",
"policies": test_policies,
"metadata": {
"role": role_name,
"service_account_name": "vault-auth",
"service_account_namespace": "default",
"service_account_secret_name": "vault-auth-token-pd21c",
"service_account_uid": "aa9aa8ff-98d0-11e7-9bb7-0800276d99bf"
},
"lease_duration": 2764800,
"renewable": True,
},
}
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
kubernetes = Kubernetes(adapter=Request())
if raises is not None:
with self.assertRaises(raises):
kubernetes.login(
role=role_name,
jwt='my-jwt',
mount_point=self.TEST_MOUNT_POINT,
**test_params
)
else:
login_response = kubernetes.login(
role=role_name,
jwt='my-jwt',
mount_point=self.TEST_MOUNT_POINT,
**test_params
)
logging.debug('login_response: %s' % login_response)
self.assertEqual(
first=login_response['auth']['policies'],
second=test_policies,
)
def test_generate_credentials(self,
test_label,
role_name='hvac-test-role',
mount_point=DEFAULT_MOUNT_POINT,
endpoint='creds',
raises=None,
exception_msg=''):
expected_status_code = 200
mock_response = {
"data": {
"access_key": "AKIA...",
"secret_key": "xlCs...",
"security_token": None
}
}
mock_url = 'http://localhost:8200/v1/{mount_point}/creds/{role_name}'.format(
mount_point=mount_point,
role_name=role_name,
)
logging.debug('Mocking URL: %s' % mock_url)
aws = Aws(adapter=Request())
with requests_mock.mock() as requests_mocker:
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
if raises:
with self.assertRaises(raises) as cm:
aws.generate_credentials(
name=role_name,
endpoint=endpoint,
mount_point=mount_point,
)
self.assertIn(
member=exception_msg,
container=str(cm.exception),
)
else:
gen_creds_response = aws.generate_credentials(
name=role_name,
endpoint=endpoint,
mount_point=mount_point,
)
logging.debug('gen_creds_response: %s' % gen_creds_response)
self.assertEqual(
first=mock_response,
second=gen_creds_response,
)
def test_configure(self, test_label, mount_point, requests_mocker):
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/mfa_config'.format(
mount_point=mount_point, )
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
mfa = Mfa(adapter=Request())
response = mfa.configure(mount_point=mount_point, )
self.assertEqual(
first=expected_status_code,
second=response.status_code,
)
def test_login(self, label, test_params, raises, requests_mocker):
test_policies = [
"default",
]
expected_status_code = 200
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/login/{username}'.format(
mount_point=self.TEST_MOUNT_POINT,
username=self.TEST_USERNAME,
)
mock_response = {
"lease_id": "",
"data": None,
"warnings": None,
"auth": {
"client_token": "64d2a8f2-2a2f-5688-102b-e6088b76e344",
"accessor": "18bb8f89-826a-56ee-c65b-1736dc5ea27d",
"policies": ["default"],
"metadata": {
"username": self.TEST_USERNAME,
"policies": "default"
},
},
"lease_duration": 7200,
"renewable": True,
}
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
okta = Okta(adapter=Request())
if raises is not None:
with self.assertRaises(raises):
okta.login(username=self.TEST_USERNAME,
password='******',
mount_point=self.TEST_MOUNT_POINT,
**test_params)
else:
login_response = okta.login(username=self.TEST_USERNAME,
password='******',
mount_point=self.TEST_MOUNT_POINT,
**test_params)
logging.debug('login_response: %s' % login_response)
self.assertEqual(
first=login_response['auth']['policies'],
second=test_policies,
)
def test_read_configuration(self, test_label, mount_point, requests_mocker):
expected_status_code = 200
mock_response = {
'lease_id': '',
'warnings': None,
'wrap_info': None,
'auth': None,
'lease_duration': 0,
'request_id': 'dd7c3635-8e1c-d454-7381-bf11970fe8de',
'data': {
'binddn': '',
'certificate': '',
'deny_null_bind': True,
'starttls': False,
'case_sensitive_names': False,
'userattr': '',
'insecure_tls': False,
'userdn': '',
'url': 'ldap://ldap.hvac.network',
'groupfilter': '',
'tls_max_version': 'tls12',
'tls_min_version': 'tls12',
'groupdn': '',
'groupattr': '',
'upndomain': '',
'discoverdn': False
},
'renewable': False
}
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/config'.format(
mount_point=mount_point,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
ldap = Ldap(adapter=Request())
response = ldap.read_configuration(
mount_point=mount_point,
)
self.assertEqual(
first=mock_response,
second=response,
)
def test_login(self, label, test_params, raises, requests_mocker):
role_name = 'hvac'
test_policies = [
"default",
"dev",
"prod",
]
expected_status_code = 200
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/login'.format(
mount_point=self.TEST_MOUNT_POINT,
)
mock_response = {
"auth": {
"client_token": "f33f8c72-924e-11f8-cb43-ac59d697597c",
"accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d",
"policies": test_policies,
"lease_duration": 2764800,
"renewable": True,
},
}
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
azure = Azure(adapter=Request())
if raises is not None:
with self.assertRaises(raises):
azure.login(
role=role_name,
jwt='my-jwt',
mount_point=self.TEST_MOUNT_POINT,
**test_params
)
else:
login_response = azure.login(
role=role_name,
jwt='my-jwt',
mount_point=self.TEST_MOUNT_POINT,
**test_params
)
logging.debug('login_response: %s' % login_response)
self.assertEqual(
first=login_response['auth']['policies'],
second=test_policies,
)
def test_login(self, test_label, mount_point, requests_mocker):
mock_response = {
'auth': {
'accessor': 'f578d442-94ec-11e8-afe4-0af6a65f93f6',
'client_token': 'edf5c2c0-94ec-11e8-afe4-0af6a65f93f6',
'entity_id': 'f9268760-94ec-11e8-afe4-0af6a65f93f6',
'lease_duration': 3600,
'metadata': {
'org': 'hvac',
'username': '******'
},
'policies': [
'default',
],
'renewable': True,
'token_policies': ['default']
},
'data': None,
'lease_duration': 0,
'lease_id': '',
'renewable': False,
'request_id': '488cf309-2f81-cc04-51bf-c43063d309eb',
'warnings': None,
'wrap_info': None
}
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/login'.format(
mount_point=mount_point, )
requests_mocker.register_uri(
method='POST',
url=mock_url,
json=mock_response,
)
github = Github(adapter=Request())
response = github.login(
token='valid-token',
mount_point=mount_point,
)
self.assertEqual(
first=mock_response,
second=response,
)
self.assertEqual(
first=mock_response['auth']['client_token'],
second=github._adapter.token,
)
def test_login(self, test_label, mount_point, requests_mocker):
expected_status_code = 200
username = '******'
mock_response = {
'lease_id': '',
'warnings': None,
'wrap_info': None,
'auth': {
'entity_id': '5bc030bc-2000-1176-aafb-82747ae9c874',
'lease_duration': 2764800,
'policies': [
'default',
'test-ldap-policy'
],
'client_token': '5a01125e-d823-578e-86c8-049bea022b9e',
'accessor': '71f512de-18ab-af6e-02f7-e37b3aa48780',
'renewable': True,
'metadata': {'username': '******'}
},
'lease_duration': 0,
'request_id': 'c7a85e6c-fb1f-1d97-83a1-63746cb65551',
'data': {},
'renewable': False
}
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/login/{username}'.format(
mount_point=mount_point,
username=username,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
ldap = Ldap(adapter=Request())
response = ldap.login(
mount_point=mount_point,
username=username,
password='******'
)
self.assertEqual(
first=mock_response,
second=response,
)
def test_configure(self, test_label, mount_point, requests_mocker):
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/config'.format(
mount_point=mount_point, )
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
ldap = Ldap(adapter=Request())
response = ldap.configure(
user_dn='dc=users,cn=hvac,cn=network',
group_dn='ou=groups,cn=hvac,cn=network',
url='ldaps://ldap.python-hvac.org',
mount_point=mount_point,
)
self.assertEqual(
first=expected_status_code,
second=response.status_code,
)
def test_configure_duo_access(self, test_label, mount_point,
requests_mocker):
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/duo/access'.format(
mount_point=mount_point, )
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
mfa = Mfa(adapter=Request())
response = mfa.configure_duo_access(
mount_point=mount_point,
host='someapisubdomain.hvac.network',
integration_key='ikey',
secret_key='supersecret',
)
self.assertEqual(
first=expected_status_code,
second=response.status_code,
)
def test_delete_user(self, test_label, mount_point, requests_mocker):
expected_status_code = 204
username = '******'
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/users/{username}'.format(
mount_point=mount_point,
username=username,
)
requests_mocker.register_uri(
method='DELETE',
url=mock_url,
status_code=expected_status_code,
)
ldap = Ldap(adapter=Request())
response = ldap.delete_user(
username=username,
mount_point=mount_point,
)
self.assertEqual(
first=expected_status_code,
second=response.status_code,
)
def test_map_team(self, test_label, mount_point, requests_mocker):
expected_status_code = 204
team_name = 'hvac'
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/map/teams/{team_name}'.format(
mount_point=mount_point,
team_name=team_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
github = Github(adapter=Request())
response = github.map_team(
team_name=team_name,
mount_point=mount_point,
)
self.assertEqual(
first=expected_status_code,
second=response.status_code,
)
def test_create_or_update_group(self, test_label, mount_point, requests_mocker):
expected_status_code = 204
group_name = 'hvac'
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/groups/{group_name}'.format(
mount_point=mount_point,
group_name=group_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
ldap = Ldap(adapter=Request())
response = ldap.create_or_update_group(
name=group_name,
mount_point=mount_point,
)
self.assertEqual(
first=expected_status_code,
second=response.status_code,
)
def test_create_or_update_roleset(self,
label,
secret_type='access_token',
raises=False,
exception_message=''):
bindings = {
'resource': {
"//cloudresourcemanager.googleapis.com/projects/{project}".format(project=self.TEST_PROJECT_ID):
{
"roles": ['roles/viewer'],
},
},
}
bindings = """
resource "//cloudresourcemanager.googleapis.com/project/{project}" {
roles = [
"roles/viewer"
],
}
"""
bindings = dedent(bindings)
token_scopes = None
if secret_type == 'access_token':
token_scopes = [
'https://www.googleapis.com/auth/cloud-platform',
'https://www.googleapis.com/auth/bigquery',
]
gcp = Gcp(adapter=Request())
mock_url = 'http://localhost:8200/v1/{mount_point}/roleset/{name}'.format(
mount_point=self.TEST_MOUNT_POINT,
name=self.TEST_ROLESET_NAME,
)
expected_status_code = 204
with requests_mock.mock() as requests_mocker:
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
if raises:
with self.assertRaises(raises) as cm:
gcp.create_or_update_roleset(
name=self.TEST_ROLESET_NAME,
project=self.TEST_PROJECT_ID,
bindings=bindings,
secret_type=secret_type,
token_scopes=token_scopes,
mount_point=self.TEST_MOUNT_POINT,
)
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
create_or_update_response = gcp.create_or_update_roleset(
name=self.TEST_ROLESET_NAME,
project=self.TEST_PROJECT_ID,
bindings=bindings,
secret_type=secret_type,
token_scopes=token_scopes,
mount_point=self.TEST_MOUNT_POINT,
)
logging.debug('configure_response: %s' %
create_or_update_response)
self.assertEqual(
first=create_or_update_response.status_code,
second=204,
)