def _auth_aws_iam(self, _client: hvac.Client) -> None:
if self.auth_mount_point:
_client.auth_aws_iam(access_key=self.key_id, secret_key=self.secret_id,
role=self.role_id, mount_point=self.auth_mount_point)
else:
_client.auth_aws_iam(access_key=self.key_id, secret_key=self.secret_id,
role=self.role_id)
def create_vault_client(app):
client = VaultClient(url=app.config['VAULT_ADDR'],
token=app.config['VAULT_TOKEN'])
if client.is_sealed() and app.config['UNSEAL_VAULT']:
keys = [app.config[f'UNSEAL_VAULT_KEY{i}'] for i in range(1, 6)]
client.unseal_multi(filter(None, keys))
return client
def test_delete_role_secret_id_accessor(self, test_label, mount_point,
role_name, secret_id_accessor,
requests_mocker):
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id-accessor/{2}'.format(
'approle' if mount_point is None else mount_point,
role_name,
secret_id_accessor,
)
requests_mocker.register_uri(
method='DELETE',
url=mock_url,
status_code=expected_status_code,
)
client = Client()
if mount_point is None:
actual_response = client.delete_role_secret_id_accessor(
role_name=role_name,
secret_id_accessor=secret_id_accessor,
)
else:
actual_response = client.delete_role_secret_id_accessor(
role_name=role_name,
secret_id_accessor=secret_id_accessor,
mount_point=mount_point,
)
self.assertEquals(
first=expected_status_code,
second=actual_response.status_code,
)
def test_list_roles(self, test_label, mount_point, role_name,
requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"keys": [
role_name,
]
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "e4c219fb-0a78-2be2-8d3c-b3715dccb920",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role?list=true'.format(
'approle' if mount_point is None else mount_point, )
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.list_roles()
else:
actual_response = client.list_roles(mount_point=mount_point, )
# ensure we received our mock response data back successfully
self.assertEqual(mock_response, actual_response)
def test_auth_aws_iam(self, auth_mock, datetime_mock):
datetime_mock.utcnow.return_value = datetime(2015, 8, 30, 12, 36, 0)
client = Client()
client.auth_aws_iam('AKIDEXAMPLE', 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY')
auth_mock.assert_called()
args, kwargs = auth_mock.call_args
actual_params = kwargs['json']
actual_iam_http_request_method = actual_params['iam_http_request_method']
self.assertEqual('POST', actual_iam_http_request_method)
actual_iam_request_url = b64decode(actual_params['iam_request_url']).decode('utf-8')
self.assertEqual('https://sts.amazonaws.com/', actual_iam_request_url)
expected_auth_header_parts = [
'Credential=AKIDEXAMPLE/20150830/us-east-1/sts/aws4_request',
'SignedHeaders=content-length;content-type;host;x-amz-date',
'Signature=0268ea4a725deae1116f5228d6b177fb047f9f3a9e1c5fd4baa0dc1fbb0d1a99',
]
expected_iam_request_headers = {
'Authorization': ['{0} {1}'.format('AWS4-HMAC-SHA256', ', '.join(expected_auth_header_parts))],
'Content-Length': ['43'],
'Content-Type': ['application/x-www-form-urlencoded; charset=utf-8'],
'Host': ['sts.amazonaws.com'],
'X-Amz-Date': ['20150830T123600Z'],
}
actual_iam_request_headers = json.loads(b64decode(actual_params['iam_request_headers']))
self.assertEqual(expected_iam_request_headers, actual_iam_request_headers)
actual_iam_request_body = b64decode(actual_params['iam_request_body']).decode('utf-8')
self.assertEqual('Action=GetCallerIdentity&Version=2011-06-15', actual_iam_request_body)
actual_role = actual_params['role']
self.assertEqual('', actual_role)
def test_get_role_id(self, test_label, mount_point, role_name, role_id,
requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"role_id": role_id
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "85590a1a-6dd7-de79-01b0-1c285d505bf2",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/role-id'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.get_role_id(role_name=role_name)
else:
actual_response = client.get_role_id(role_name=role_name,
mount_point=mount_point)
# ensure we received our mock response data back successfully
self.assertEqual(first=role_id, second=actual_response)
def test_create_role(self, test_label, mount_point, role_name, bound_service_account_names, bound_service_account_namespaces, requests_mocker):
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format(
'kubernetes' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
client = Client()
test_arguments = dict(
name=role_name,
bound_service_account_names=bound_service_account_names,
bound_service_account_namespaces=bound_service_account_namespaces,
)
if mount_point:
test_arguments['mount_point'] = mount_point
actual_response = client.create_kubernetes_role(**test_arguments)
self.assertEquals(
first=expected_status_code,
second=actual_response.status_code,
)
def test_tune_auth_backend(self, requests_mocker):
expected_status_code = 204
test_backend_type = 'approle'
test_mount_point = 'approle-test'
test_description = 'this is a test description'
requests_mocker.register_uri(
method='POST',
url='http://localhost:8200/v1/sys/auth/{0}/tune'.format(test_mount_point),
status_code=expected_status_code,
)
client = Client()
actual_response = client.tune_auth_backend(
backend_type=test_backend_type,
mount_point=test_mount_point,
description=test_description,
)
self.assertEqual(
first=expected_status_code,
second=actual_response.status_code,
)
actual_request_params = requests_mocker.request_history[0].json()
# Ensure we sent through an optional tune parameter as expected
self.assertEqual(
first=test_description,
second=actual_request_params['description'],
)
def test_read_lease(self, test_label, test_lease_id, requests_mocker):
test_path = 'http://localhost:8200/v1/sys/leases/lookup'
mock_response = {
'lease_id': '',
'request_id': '34cd8d7c-e59f-7166-49c9-1e65149ff676',
'auth': None,
'data': {
'issue_time': '2018-07-15T08:35:34.775859245-05:00',
'renewable': False,
'id': test_lease_id,
'ttl': 259199,
'expire_time': '2018-07-18T08:35:34.00004241-05:00',
'last_renewal': None
},
'warnings': None,
'wrap_info': None,
'lease_duration': 0,
'renewable': False
}
requests_mocker.register_uri(
method='PUT',
url=test_path,
json=mock_response,
)
client = Client()
response = client.read_lease(
lease_id=test_lease_id,
)
self.assertEquals(
first=mock_response,
second=response,
)
def test_create_role(self, test_label, mount_point, role_name,
requests_mocker):
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
client = Client()
if mount_point is None:
actual_response = client.create_role(role_name=role_name, )
else:
actual_response = client.create_role(
role_name=role_name,
mount_point=mount_point,
)
self.assertEquals(
first=expected_status_code,
second=actual_response.status_code,
)
def test_get_vault_ec2_client_configuration(self, test_label, mount_point,
requests_mocker):
mock_response = {
"data": {
"secret_key": "vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj",
"access_key": "VKIAJBRHKH6EVTTNXDHA",
"endpoint": "",
"iam_endpoint": "",
"sts_endpoint": "",
"iam_server_id_header_value": ""
}
}
expected_status_code = 200
mock_url = 'http://localhost:8200/v1/auth/{0}/config/client'.format(
'aws-ec2' if mount_point is None else mount_point)
requests_mocker.register_uri(
method='GET',
url=mock_url,
json=mock_response,
status_code=expected_status_code,
)
client = Client()
if mount_point is None:
actual_response = client.get_vault_ec2_client_configuration()
else:
actual_response = client.get_vault_ec2_client_configuration(
mount_point=mount_point)
self.assertEqual(
first=mock_response,
second=actual_response,
)
def main():
logger.info("Trying to login with Token")
logger.debug("Debug enabled")
try:
client = Client(url=os.environ['VAULT_ADDR'],
token=os.environ['VAULT_TOKEN'])
client.is_authenticated()
except Exception as err:
logger.exception("Token Login failed: %s", err)
exit(2)
transit = Transit(client=client, encryption_key='backup', mount='transit')
kv = KVstore(client, 'secrets', transit=transit)
data = kv.get_base_folder()
try:
data = json.dumps(data[0], indent=4)
except Exception as err:
logger.exception(f'Error converting to JSON: {err}')
exit(1)
write_to_disk(cfg['out_file'], data)
exported_key = transit.backup_key()
logger.debug(f"Finished getting data:\n{data}")
logger.info(f"Finished encrypting and writting data to {cfg['out_file']}")
logger.info(f'Encryption used key:\n{exported_key}')
def _auth_userpass(self, _client: hvac.Client) -> None:
if self.auth_mount_point:
_client.auth_userpass(
username=self.username, password=self.password, mount_point=self.auth_mount_point
)
else:
_client.auth_userpass(username=self.username, password=self.password)
def test_set_role_id(self, test_label, mount_point, role_name, role_id, requests_mocker):
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/role-id'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
client = Client()
if mount_point is None:
actual_response = client.set_role_id(
role_name=role_name,
role_id=role_id
)
else:
actual_response = client.set_role_id(
role_name=role_name,
role_id=role_id,
mount_point=mount_point,
)
self.assertEquals(
first=expected_status_code,
second=actual_response.status_code,
)
def test_create_role(self, test_label, mount_point, role_name,
bound_service_account_names,
bound_service_account_namespaces, requests_mocker):
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format(
'kubernetes' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
client = Client()
test_arguments = dict(
name=role_name,
bound_service_account_names=bound_service_account_names,
bound_service_account_namespaces=bound_service_account_namespaces,
)
if mount_point:
test_arguments['mount_point'] = mount_point
actual_response = client.create_kubernetes_role(**test_arguments)
self.assertEquals(
first=expected_status_code,
second=actual_response.status_code,
)
def test_list_vault_ec2_certificate_configurations(self, test_label,
mount_point,
requests_mocker):
mock_response = {"data": {"keys": ["cert1"]}}
expected_status_code = 200
mock_url = 'http://localhost:8200/v1/auth/{0}/config/certificates?list=true'.format(
'aws-ec2' if mount_point is None else mount_point, )
requests_mocker.register_uri(
method='GET',
url=mock_url,
json=mock_response,
status_code=expected_status_code,
)
client = Client()
if mount_point is None:
actual_response = client.list_vault_ec2_certificate_configurations(
)
else:
actual_response = client.list_vault_ec2_certificate_configurations(
mount_point=mount_point)
self.assertEqual(
first=mock_response,
second=actual_response,
)
def test_delete_role_secret_id_accessor(self, test_label, mount_point, role_name, secret_id_accessor, requests_mocker):
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id-accessor/destroy'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
client = Client()
if mount_point is None:
actual_response = client.delete_role_secret_id_accessor(
role_name=role_name,
secret_id_accessor=secret_id_accessor,
)
else:
actual_response = client.delete_role_secret_id_accessor(
role_name=role_name,
secret_id_accessor=secret_id_accessor,
mount_point=mount_point,
)
self.assertEquals(
first=expected_status_code,
second=actual_response.status_code,
)
def test_create_kubernetes_configuration(self, test_label, mount_point, kubernetes_host, pem_keys, requests_mocker):
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{0}/config'.format(
'kubernetes' if mount_point is None else mount_point,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
client = Client()
test_arguments = dict(
kubernetes_host=kubernetes_host,
pem_keys=pem_keys,
)
if mount_point:
test_arguments['mount_point'] = mount_point
actual_response = client.create_kubernetes_configuration(**test_arguments)
self.assertEquals(
first=expected_status_code,
second=actual_response.status_code,
)
def get_client(obj):
client = Client(
**{k: v
for k, v in obj.VAULT_FOR_DYNACONF.items() if v is not None})
assert (client.is_authenticated(
)), "Vault authentication error is VAULT_TOKEN_FOR_DYNACONF defined?"
return client
def _auth_approle(self, _client: hvac.Client) -> None:
if self.auth_mount_point:
_client.auth_approle(
role_id=self.role_id, secret_id=self.secret_id, mount_point=self.auth_mount_point
)
else:
_client.auth_approle(role_id=self.role_id, secret_id=self.secret_id)
def test_get_vault_ec2_certificate_configuration(self, test_label,
mount_point, cert_name,
requests_mocker):
mock_response = {
"data": {
"aws_public_cert":
"-----BEGIN CERTIFICATE-----\nblah blah9K\n-----END CERTIFICATE-----\n",
"type": "pkcs7"
}
}
expected_status_code = 200
mock_url = 'http://localhost:8200/v1/auth/{0}/config/certificate/{1}'.format(
'aws-ec2' if mount_point is None else mount_point,
cert_name,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
json=mock_response,
status_code=expected_status_code,
)
client = Client()
if mount_point is None:
actual_response = client.get_vault_ec2_certificate_configuration(
cert_name=cert_name, )
else:
actual_response = client.get_vault_ec2_certificate_configuration(
cert_name=cert_name, mount_point=mount_point)
self.assertEqual(
first=mock_response,
second=actual_response,
)
def test_create_vault_ec2_certificate_configuration(
self, test_label, mount_point, cert_name, requests_mocker):
test_cert_info = 'this is some test cert info'
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{0}/config/certificate/{1}'.format(
'aws-ec2' if mount_point is None else mount_point,
cert_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
client = Client()
if mount_point is None:
actual_response = client.create_vault_ec2_certificate_configuration(
cert_name=cert_name,
aws_public_cert=test_cert_info,
)
else:
actual_response = client.create_vault_ec2_certificate_configuration(
cert_name=cert_name,
aws_public_cert=test_cert_info,
mount_point=mount_point)
self.assertEqual(
first=expected_status_code,
second=actual_response.status_code,
)
def test_create_kubernetes_configuration(self, test_label, mount_point,
kubernetes_host, pem_keys,
requests_mocker):
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{0}/config'.format(
'kubernetes' if mount_point is None else mount_point, )
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
client = Client()
test_arguments = dict(
kubernetes_host=kubernetes_host,
pem_keys=pem_keys,
)
if mount_point:
test_arguments['mount_point'] = mount_point
actual_response = client.create_kubernetes_configuration(
**test_arguments)
self.assertEquals(
first=expected_status_code,
second=actual_response.status_code,
)
def test_list_roles(self, test_label, mount_point, role_name, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"keys": [
role_name,
]
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "e4c219fb-0a78-2be2-8d3c-b3715dccb920",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role?list=true'.format(
'approle' if mount_point is None else mount_point,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.list_roles()
else:
actual_response = client.list_roles(
mount_point=mount_point,
)
# ensure we received our mock response data back successfully
self.assertEqual(mock_response, actual_response)
def test_auth_aws_iam(self, auth_mock, datetime_mock):
datetime_mock.utcnow.return_value = datetime(2015, 8, 30, 12, 36, 0)
client = Client()
client.auth_aws_iam('AKIDEXAMPLE', 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY')
auth_mock.assert_called()
args, kwargs = auth_mock.call_args
actual_params = kwargs['json']
actual_iam_http_request_method = actual_params['iam_http_request_method']
self.assertEqual('POST', actual_iam_http_request_method)
actual_iam_request_url = b64decode(actual_params['iam_request_url']).decode('utf-8')
self.assertEqual('https://sts.amazonaws.com/', actual_iam_request_url)
expected_auth_header_parts = [
'Credential=AKIDEXAMPLE/20150830/us-east-1/sts/aws4_request',
'SignedHeaders=content-length;content-type;host;x-amz-date',
'Signature=0268ea4a725deae1116f5228d6b177fb047f9f3a9e1c5fd4baa0dc1fbb0d1a99',
]
expected_iam_request_headers = {
'Authorization': ['{0} {1}'.format('AWS4-HMAC-SHA256', ', '.join(expected_auth_header_parts))],
'Content-Length': ['43'],
'Content-Type': ['application/x-www-form-urlencoded; charset=utf-8'],
'Host': ['sts.amazonaws.com'],
'X-Amz-Date': ['20150830T123600Z'],
}
actual_iam_request_headers = json.loads(b64decode(actual_params['iam_request_headers']))
self.assertEqual(expected_iam_request_headers, actual_iam_request_headers)
actual_iam_request_body = b64decode(actual_params['iam_request_body']).decode('utf-8')
self.assertEqual('Action=GetCallerIdentity&Version=2011-06-15', actual_iam_request_body)
actual_role = actual_params['role']
self.assertEqual('', actual_role)
def test_get_ec2_role(self, test_label, mount_point, role_name,
requests_mocker):
mock_response = {
"data": {
"bound_ami_id": ["ami-fce36987"],
"role_tag": "",
"policies": ["default", "dev", "prod"],
"max_ttl": 1800000,
"disallow_reauthentication": False,
"allow_instance_migration": False
}
}
expected_status_code = 200
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format(
'aws-ec2' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
json=mock_response,
status_code=expected_status_code,
)
client = Client()
if mount_point is None:
actual_response = client.get_ec2_role(role=role_name)
else:
actual_response = client.get_ec2_role(role=role_name,
mount_point=mount_point)
self.assertEqual(
first=mock_response,
second=actual_response,
)
def test_create_ec2_role_tag(self, test_label, mount_point, role_name,
requests_mocker):
mock_response = {
"data": {
"tag_value":
"v1:09Vp0qGuyB8=:r=dev-role:p=default,dev-api:d=false:t=300h0m0s:uPLKCQxqsefRhrp1qmVa1wsQVUXXJG8UZP/pJIdVyOI=",
"tag_key": "VaultRole"
}
}
expected_status_code = 200
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/tag'.format(
'aws-ec2' if mount_point is None else mount_point, role_name)
requests_mocker.register_uri(
method='POST',
url=mock_url,
json=mock_response,
status_code=expected_status_code,
)
client = Client()
if mount_point is None:
actual_response = client.create_ec2_role_tag(role=role_name, )
else:
actual_response = client.create_ec2_role_tag(
role=role_name, mount_point=mount_point)
self.assertEqual(
first=mock_response,
second=actual_response.json(),
)
def test_create_vault_ec2_client_configuration(self, test_label,
mount_point,
requests_mocker):
test_access_key = 'AKIAABCDEFGUE1234567'
test_secret_key = 'thisisasecretyall'
expected_status_code = 204
mock_url = 'http://localhost:8200/v1/auth/{0}/config/client'.format(
'aws-ec2' if mount_point is None else mount_point)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
)
client = Client()
if mount_point is None:
actual_response = client.create_vault_ec2_client_configuration(
access_key=test_access_key,
secret_key=test_secret_key,
)
else:
actual_response = client.create_vault_ec2_client_configuration(
access_key=test_access_key,
secret_key=test_secret_key,
mount_point=mount_point)
self.assertEqual(first=expected_status_code,
second=actual_response.status_code)
def __init__(self, url, git_token, mount_point):
self.client = Client(url=url)
self.mount_point = mount_point
self.client.auth.github.login(git_token)
self.missing_secrets = []
if not self.client.is_authenticated():
print(f'Cannot authenticate vault {url}. Exiting.')
exit(-1)
def provide_authed_hvac_client(self, config: VaultConfiguration) -> Client:
client = Client(
url=config.url,
token=config.token,
)
client.kv.default_kv_version = 2
assert client.is_authenticated()
return client
def _auth_kubernetes(self, _client: hvac.Client) -> None:
if not self.kubernetes_jwt_path:
raise VaultError(
"The kubernetes_jwt_path should be set here. This should not happen."
)
with open(self.kubernetes_jwt_path) as f:
jwt = f.read()
_client.auth_kubernetes(role=self.kubernetes_role, jwt=jwt)
def run(self, terms, variables, **kwargs):
key, field, path = terms
vault = LookupModule.get_vault_from_path('../{}'.format(path))
client = Client(**vault)
if client.is_authenticated() and not client.is_sealed():
result = [client.read(key)['data'][field]]
return result
else:
raise AnsibleError('Unable to authenticate with Vault!')
def __init__(self, url, git_token, mount_point):
self.LOGGER = sesam_logger('KeyVault')
self.client = Client(url=url)
self.mount_point = mount_point
self.client.auth.github.login(git_token)
self.missing_secrets = []
if not self.client.is_authenticated():
self.LOGGER.critical(f'Cannot authenticate vault {url}. Exiting.')
exit(-1)
def pre_flight_check(client: hvac.Client) -> bool:
if not client.is_initialized() or client.is_sealed():
logging.error("The vault is either not initialized or sealed. That's odd.")
elif not client.is_authenticated():
logging.error("It seems the authentication token is invalid. Vault does"
" not like it. Clean everything up and come back.")
else:
logging.info("Everything looks good so far, pre-flight check ok")
return True
return False
def __authenticate_vault_client(client: hvac.Client, tenant: str,
priv_jwt_token: str) -> hvac.Client:
trace_enter(inspect.currentframe())
vault_auth_jwt_path = config.get_vault_auth_jwt_path(tenant)
if not vault_auth_jwt_path:
logger.error('Failed to load auth jwt path for tenant "%s"', tenant)
return None
if config.get_config_by_keypath('DEV_MODE'):
logger.debug('Attempting to authenticate against Vault using JWT: %s',
priv_jwt_token)
cache_id = utils.get_vault_token_cache_id(tenant, priv_jwt_token)
if cache_id in __VAULT_TOKEN_CACHE:
logger.debug('Cache hit: Found token for "%s".', cache_id)
client.token = __VAULT_TOKEN_CACHE[cache_id]
else:
logger.debug('Cache miss: Token for "%s" not found.', cache_id)
token = __get_vault_token(client, tenant, priv_jwt_token,
vault_auth_jwt_path)
if not token:
ret = None
logger.error('Failed to get Vault token.')
trace_exit(inspect.currentframe(), ret)
return ret
client.token = token
__VAULT_TOKEN_CACHE[cache_id] = token
if not client.is_authenticated():
# token might be invalid/has expired
del __VAULT_TOKEN_CACHE[cache_id]
ret = None
logger.error('Failed to validate Vault client. '
'Review configuration (config/config.json). '
'Retry as token might have expired.')
trace_exit(inspect.currentframe(), ret)
return ret
logger.debug('Successfully authenticated Vault client '
'for tenant "%s"', tenant)
trace_exit(inspect.currentframe(), client)
return client
def get_client(obj):
client = Client(
**{k: v
for k, v in obj.VAULT_FOR_DYNACONF.items() if v is not None})
if obj.VAULT_ROLE_ID_FOR_DYNACONF is not None:
client.auth_approle(
role_id=obj.VAULT_ROLE_ID_FOR_DYNACONF,
secret_id=obj.get("VAULT_SECRET_ID_FOR_DYNACONF"),
)
assert client.is_authenticated(), (
"Vault authentication error: is VAULT_TOKEN_FOR_DYNACONF or "
"VAULT_ROLE_ID_FOR_DYNACONF defined?")
return client
def test_get_role_secret_id_accessor(self, test_label, mount_point,
role_name, secret_id_accessor,
requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"SecretIDNumUses": 0,
"cidr_list": [],
"creation_time": "2018-06-11T07:33:57.771908-05:00",
"expiration_time": "0001-01-01T00:00:00Z",
"last_updated_time": "2018-06-11T07:33:57.771908-05:00",
"metadata": {},
"secret_id_accessor": secret_id_accessor,
"secret_id_num_uses": 0,
"secret_id_ttl": 0
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "2c9fcba6-425d-e4c0-45fa-ee90450a3c00",
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id-accessor/lookup'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.get_role_secret_id_accessor(
role_name=role_name,
secret_id_accessor=secret_id_accessor,
)
else:
actual_response = client.get_role_secret_id_accessor(
role_name=role_name,
secret_id_accessor=secret_id_accessor,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def reset_vault(client: hvac.Client) -> (str, List[str]):
assert not client.is_initialized()
logging.warning("The vault is not initialized yet, it will be initialized with {} keys and a threshold of {}. "
"Security is overrated anyway.".format(shares, threshold))
result = client.initialize(secret_shares=shares,
secret_threshold=threshold)
root_token, unseal_keys = result['root_token'], result['keys']
logging.warning("Okay, initialized. The root_token is {} and the unseal key(s) are {}. Keep that around, you'll"
" need it".format(root_token, unseal_keys))
assert client.is_sealed()
logging.info('The vault is sealed. Unsealing...')
client.unseal_multi(unseal_keys)
logging.info("Okay, you're good to go.")
return root_token, unseal_keys
def test_get_role(self, test_label, mount_point, role_name, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"bind_secret_id": True,
"bound_cidr_list": "",
"period": 0,
"policies": [
"default"
],
"secret_id_num_uses": 0,
"secret_id_ttl": 0,
"token_max_ttl": 900,
"token_num_uses": 0,
"token_ttl": 600
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "0aab655f-ecd2-b3d4-3817-35b5bdfd3f28",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.get_role(
role_name=role_name,
)
else:
actual_response = client.get_role(
role_name=role_name,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_auth_approle(self, test_label, mount_point, role_id, secret_id, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": {
"accessor": "f8b576f9-9146-4173-e174-40257d58015a",
"client_token": "3db3d089-7d3c-f531-cd3e-bfe44696a92c",
"lease_duration": 600,
"metadata": {
"role_name": "application1"
},
"policies": [
"default"
],
"renewable": True
},
"data": None,
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "2eb635ad-a763-926a-9815-4cb4d14a40f9",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format(
'approle' if mount_point is None else mount_point,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.auth_approle(
role_id=role_id,
secret_id=secret_id,
)
else:
actual_response = client.auth_approle(
role_id=role_id,
secret_id=secret_id,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_get_role_secret_id_accessor(self, test_label, mount_point, role_name, secret_id_accessor, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"SecretIDNumUses": 0,
"cidr_list": [],
"creation_time": "2018-06-11T07:33:57.771908-05:00",
"expiration_time": "0001-01-01T00:00:00Z",
"last_updated_time": "2018-06-11T07:33:57.771908-05:00",
"metadata": {},
"secret_id_accessor": secret_id_accessor,
"secret_id_num_uses": 0,
"secret_id_ttl": 0
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "2c9fcba6-425d-e4c0-45fa-ee90450a3c00",
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id-accessor/lookup'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.get_role_secret_id_accessor(
role_name=role_name,
secret_id_accessor=secret_id_accessor,
)
else:
actual_response = client.get_role_secret_id_accessor(
role_name=role_name,
secret_id_accessor=secret_id_accessor,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_get_role_secret_id(self, test_label, mount_point, role_name, secret_id, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"SecretIDNumUses": 0,
"cidr_list": [],
"creation_time": "2018-06-11T07:33:57.771908-05:00",
"expiration_time": "0001-01-01T00:00:00Z",
"last_updated_time": "2018-06-11T07:33:57.771908-05:00",
"metadata": {},
"secret_id_accessor": "b58fd0ee-130c-33bb-5f69-6d4fd1731e5f",
"secret_id_num_uses": 0,
"secret_id_ttl": 0
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "718a00fa-e76f-f1fc-9b9e-f9c4baa766b3",
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id/lookup'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.get_role_secret_id(
role_name=role_name,
secret_id=secret_id,
)
else:
actual_response = client.get_role_secret_id(
role_name=role_name,
secret_id=secret_id,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_auth_gcp(self, test_label, test_role, test_jwt, mount_point, requests_mocker):
mock_response = {
'auth': {
'accessor': 'accessor-1234-5678-9012-345678901234',
'client_token': 'cltoken-1234-5678-9012-345678901234',
'lease_duration': 10000,
'metadata': {
'role': 'custom_role',
'service_account_email': '*****@*****.**',
'service_account_id': '111111111111111111111'
},
'policies': [
'default',
'custom_role'
],
'renewable': True
},
'data': None,
'lease_duration': 0,
'lease_id': '',
'renewable': False,
'request_id': 'requesti-1234-5678-9012-345678901234',
'warnings': [],
'wrap_info': None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format(
'gcp' if mount_point is None else mount_point)
requests_mocker.register_uri(
method='POST',
url=mock_url,
json=mock_response
)
client = Client()
if mount_point is None:
actual_response = client.auth_gcp(
role=test_role,
jwt=test_jwt
)
else:
actual_response = client.auth_gcp(
role=test_role,
jwt=test_jwt,
mount_point=mount_point
)
# ensure we received our mock response data back successfully
self.assertEqual(mock_response, actual_response)
def test_auth_kubernetes(self, test_label, test_role, test_jwt, mount_point, requests_mocker):
mock_response = {
'auth': {
'accessor': 'accessor-1234-5678-9012-345678901234',
'client_token': 'cltoken-1234-5678-9012-345678901234',
'lease_duration': 10000,
'metadata': {
'role': 'custom_role',
'service_account_name': 'vault-auth',
'service_account_namespace': 'default',
'service_account_secret_name': 'vault-auth-token-pd21c',
'service_account_uid': 'aa9aa8ff-98d0-11e7-9bb7-0800276d99bf'
},
'policies': [
'default',
'custom_role'
],
'renewable': True
},
'data': None,
'lease_duration': 0,
'lease_id': '',
'renewable': False,
'request_id': 'requesti-1234-5678-9012-345678901234',
'warnings': [],
'wrap_info': None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format(
'kubernetes' if mount_point is None else mount_point)
requests_mocker.register_uri(
method='POST',
url=mock_url,
json=mock_response
)
client = Client()
test_arguments = dict(
role=test_role,
jwt=test_jwt,
)
if mount_point:
test_arguments['mount_point'] = mount_point
actual_response = client.auth_kubernetes(**test_arguments)
# ensure we received our mock response data back successfully
self.assertEqual(mock_response, actual_response)
def test_create_role_custom_secret_id(self, test_label, mount_point, role_name, secret_id, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"secret_id": secret_id,
"secret_id_accessor": "f5cb4b7d-9111-320e-6f24-73bf45d3845d"
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "e7c8b2e1-95e8-cb17-e98a-6c428201f1d5",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/custom-secret-id'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.create_role_custom_secret_id(
role_name=role_name,
secret_id=secret_id,
)
else:
actual_response = client.create_role_custom_secret_id(
role_name=role_name,
secret_id=secret_id,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_list_role_secrets(self, test_label, mount_point, role_name, secret_id, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"keys": [
secret_id
]
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "eb805845-f6ce-a514-9238-6914664dd601",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='LIST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.list_role_secrets(
role_name=role_name,
)
else:
actual_response = client.list_role_secrets(
role_name=role_name,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_create_role_secret_id(self, test_label, mount_point, role_name, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"secret_id": "be78e3ca-f644-b099-3291-e8a6f5985cfe",
"secret_id_accessor": "b58fd0ee-130c-33bb-5f69-6d4fd1731e5f"
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "2310dc21-0fea-a2de-2d94-bb4edd59f1e9",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.create_role_secret_id(
role_name=role_name,
)
else:
actual_response = client.create_role_secret_id(
role_name=role_name,
mount_point=mount_point,
)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_get_role_id(self, test_label, mount_point, role_name, role_id, requests_mocker):
expected_status_code = 200
mock_response = {
"auth": None,
"data": {
"role_id": role_id
},
"lease_duration": 0,
"lease_id": "",
"renewable": False,
"request_id": "85590a1a-6dd7-de79-01b0-1c285d505bf2",
"warnings": None,
"wrap_info": None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/role-id'.format(
'approle' if mount_point is None else mount_point,
role_name,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
if mount_point is None:
actual_response = client.get_role_id(
role_name=role_name
)
else:
actual_response = client.get_role_id(
role_name=role_name,
mount_point=mount_point
)
# ensure we received our mock response data back successfully
self.assertEqual(
first=role_id,
second=actual_response
)
def test_get_kubernetes_configuration(self, test_label, mount_point, requests_mocker):
expected_status_code = 200
mock_response = {
'auth': None,
'data': {
'kubernetes_ca_cert': '',
'kubernetes_host': '127.0.0.1:80',
'pem_keys': ['some key'],
'token_reviewer_jwt': ''
},
'lease_duration': 0,
'lease_id': '',
'renewable': False,
'request_id': '12687b5f-b4f5-2ba4-aae2-2a8d7e53ca55',
'warnings': None,
'wrap_info': None
}
mock_url = 'http://localhost:8200/v1/auth/{0}/config'.format(
'kubernetes' if mount_point is None else mount_point,
)
requests_mocker.register_uri(
method='GET',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
client = Client()
test_arguments = dict()
if mount_point:
test_arguments['mount_point'] = mount_point
actual_response = client.get_kubernetes_configuration(**test_arguments)
self.assertEquals(
first=mock_response,
second=actual_response,
)
def test_read_lease(self, test_label, test_lease_id, requests_mocker):
test_path = 'http://localhost:8200/v1/sys/leases/lookup'
mock_response = {
'issue_time': '2018-07-15T08:35:34.775859245-05:00',
'renewable': False,
'id': test_lease_id,
'ttl': 259199,
'expire_time': '2018-07-18T08:35:34.00004241-05:00',
'last_renewal': None
}
requests_mocker.register_uri(
method='PUT',
url=test_path,
json=mock_response,
)
client = Client()
response = client.read_lease(
lease_id=test_lease_id,
)
self.assertEquals(
first=mock_response,
second=response,
)
def test_get_auth_backend_tuning(self, requests_mocker):
expected_status_code = 200
test_backend_type = 'approle'
test_mount_point = 'approle-test'
mock_response = {
'max_lease_ttl': 12345678,
'lease_id': '',
'force_no_cache': False,
'warnings': None,
'data': {
'force_no_cache': False,
'default_lease_ttl': 2764800,
'max_lease_ttl': 12345678
},
'wrap_info': None,
'auth': None,
'lease_duration': 0,
'request_id': '673f2336-3235-b988-2194-c68261a02bfe',
'default_lease_ttl': 2764800,
'renewable': False
}
requests_mocker.register_uri(
method='GET',
url='http://localhost:8200/v1/sys/auth/{0}/tune'.format(test_mount_point),
status_code=expected_status_code,
json=mock_response
)
client = Client()
actual_response = client.get_auth_backend_tuning(
backend_type=test_backend_type,
mount_point=test_mount_point,
)
self.assertEqual(
first=mock_response,
second=actual_response,
)
def init_postgre_backend(client: hvac.Client):
if 'postgresql/' in client.list_secret_backends():
logging.warning('Backend postgresql already exists : it will be modified')
else:
client.enable_secret_backend('postgresql')
ok = False
logging.info('Setting up the postgre backend with the url {}'.format(postgre_url))
while not ok:
try:
# We try a lot because postgre/vault might not be completely up by the time it is launched
client.write('/postgresql/config/connection', connection_url=postgre_url)
ok = True
except hvac.exceptions.InvalidRequest as e:
logging.error(e)
time.sleep(1)
logging.info('Creating role readwrite')
client.write('/postgresql/roles/readwrite', sql=rw_role_request)
logging.info("Ok we're good. You can now request rw on the url postgresql/creds/readwrite")
def set_up_policies(client: hvac.Client):
if postgres_policy_name in client.list_policies():
logging.info("Policy {} already set up".format(postgres_policy_name))
return
client.set_policy(postgres_policy_name, postgres_policy)
def send_access_token(client: hvac.Client) -> bool:
token = client.create_token(policies=[postgres_policy_name])
requests.post(minitwit_url, json={'token': token['auth']['client_token']})
