def _auth_aws_iam(self, _client: hvac.Client) -> None: if self.auth_mount_point: _client.auth_aws_iam(access_key=self.key_id, secret_key=self.secret_id, role=self.role_id, mount_point=self.auth_mount_point) else: _client.auth_aws_iam(access_key=self.key_id, secret_key=self.secret_id, role=self.role_id)
def create_vault_client(app): client = VaultClient(url=app.config['VAULT_ADDR'], token=app.config['VAULT_TOKEN']) if client.is_sealed() and app.config['UNSEAL_VAULT']: keys = [app.config[f'UNSEAL_VAULT_KEY{i}'] for i in range(1, 6)] client.unseal_multi(filter(None, keys)) return client
def test_delete_role_secret_id_accessor(self, test_label, mount_point, role_name, secret_id_accessor, requests_mocker): expected_status_code = 204 mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id-accessor/{2}'.format( 'approle' if mount_point is None else mount_point, role_name, secret_id_accessor, ) requests_mocker.register_uri( method='DELETE', url=mock_url, status_code=expected_status_code, ) client = Client() if mount_point is None: actual_response = client.delete_role_secret_id_accessor( role_name=role_name, secret_id_accessor=secret_id_accessor, ) else: actual_response = client.delete_role_secret_id_accessor( role_name=role_name, secret_id_accessor=secret_id_accessor, mount_point=mount_point, ) self.assertEquals( first=expected_status_code, second=actual_response.status_code, )
def test_list_roles(self, test_label, mount_point, role_name, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "keys": [ role_name, ] }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "e4c219fb-0a78-2be2-8d3c-b3715dccb920", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role?list=true'.format( 'approle' if mount_point is None else mount_point, ) requests_mocker.register_uri( method='GET', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.list_roles() else: actual_response = client.list_roles(mount_point=mount_point, ) # ensure we received our mock response data back successfully self.assertEqual(mock_response, actual_response)
def test_auth_aws_iam(self, auth_mock, datetime_mock): datetime_mock.utcnow.return_value = datetime(2015, 8, 30, 12, 36, 0) client = Client() client.auth_aws_iam('AKIDEXAMPLE', 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY') auth_mock.assert_called() args, kwargs = auth_mock.call_args actual_params = kwargs['json'] actual_iam_http_request_method = actual_params['iam_http_request_method'] self.assertEqual('POST', actual_iam_http_request_method) actual_iam_request_url = b64decode(actual_params['iam_request_url']).decode('utf-8') self.assertEqual('https://sts.amazonaws.com/', actual_iam_request_url) expected_auth_header_parts = [ 'Credential=AKIDEXAMPLE/20150830/us-east-1/sts/aws4_request', 'SignedHeaders=content-length;content-type;host;x-amz-date', 'Signature=0268ea4a725deae1116f5228d6b177fb047f9f3a9e1c5fd4baa0dc1fbb0d1a99', ] expected_iam_request_headers = { 'Authorization': ['{0} {1}'.format('AWS4-HMAC-SHA256', ', '.join(expected_auth_header_parts))], 'Content-Length': ['43'], 'Content-Type': ['application/x-www-form-urlencoded; charset=utf-8'], 'Host': ['sts.amazonaws.com'], 'X-Amz-Date': ['20150830T123600Z'], } actual_iam_request_headers = json.loads(b64decode(actual_params['iam_request_headers'])) self.assertEqual(expected_iam_request_headers, actual_iam_request_headers) actual_iam_request_body = b64decode(actual_params['iam_request_body']).decode('utf-8') self.assertEqual('Action=GetCallerIdentity&Version=2011-06-15', actual_iam_request_body) actual_role = actual_params['role'] self.assertEqual('', actual_role)
def test_get_role_id(self, test_label, mount_point, role_name, role_id, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "role_id": role_id }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "85590a1a-6dd7-de79-01b0-1c285d505bf2", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/role-id'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='GET', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.get_role_id(role_name=role_name) else: actual_response = client.get_role_id(role_name=role_name, mount_point=mount_point) # ensure we received our mock response data back successfully self.assertEqual(first=role_id, second=actual_response)
def test_create_role(self, test_label, mount_point, role_name, bound_service_account_names, bound_service_account_namespaces, requests_mocker): expected_status_code = 204 mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format( 'kubernetes' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, ) client = Client() test_arguments = dict( name=role_name, bound_service_account_names=bound_service_account_names, bound_service_account_namespaces=bound_service_account_namespaces, ) if mount_point: test_arguments['mount_point'] = mount_point actual_response = client.create_kubernetes_role(**test_arguments) self.assertEquals( first=expected_status_code, second=actual_response.status_code, )
def test_tune_auth_backend(self, requests_mocker): expected_status_code = 204 test_backend_type = 'approle' test_mount_point = 'approle-test' test_description = 'this is a test description' requests_mocker.register_uri( method='POST', url='http://localhost:8200/v1/sys/auth/{0}/tune'.format(test_mount_point), status_code=expected_status_code, ) client = Client() actual_response = client.tune_auth_backend( backend_type=test_backend_type, mount_point=test_mount_point, description=test_description, ) self.assertEqual( first=expected_status_code, second=actual_response.status_code, ) actual_request_params = requests_mocker.request_history[0].json() # Ensure we sent through an optional tune parameter as expected self.assertEqual( first=test_description, second=actual_request_params['description'], )
def test_read_lease(self, test_label, test_lease_id, requests_mocker): test_path = 'http://localhost:8200/v1/sys/leases/lookup' mock_response = { 'lease_id': '', 'request_id': '34cd8d7c-e59f-7166-49c9-1e65149ff676', 'auth': None, 'data': { 'issue_time': '2018-07-15T08:35:34.775859245-05:00', 'renewable': False, 'id': test_lease_id, 'ttl': 259199, 'expire_time': '2018-07-18T08:35:34.00004241-05:00', 'last_renewal': None }, 'warnings': None, 'wrap_info': None, 'lease_duration': 0, 'renewable': False } requests_mocker.register_uri( method='PUT', url=test_path, json=mock_response, ) client = Client() response = client.read_lease( lease_id=test_lease_id, ) self.assertEquals( first=mock_response, second=response, )
def test_create_role(self, test_label, mount_point, role_name, requests_mocker): expected_status_code = 204 mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, ) client = Client() if mount_point is None: actual_response = client.create_role(role_name=role_name, ) else: actual_response = client.create_role( role_name=role_name, mount_point=mount_point, ) self.assertEquals( first=expected_status_code, second=actual_response.status_code, )
def test_get_vault_ec2_client_configuration(self, test_label, mount_point, requests_mocker): mock_response = { "data": { "secret_key": "vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj", "access_key": "VKIAJBRHKH6EVTTNXDHA", "endpoint": "", "iam_endpoint": "", "sts_endpoint": "", "iam_server_id_header_value": "" } } expected_status_code = 200 mock_url = 'http://localhost:8200/v1/auth/{0}/config/client'.format( 'aws-ec2' if mount_point is None else mount_point) requests_mocker.register_uri( method='GET', url=mock_url, json=mock_response, status_code=expected_status_code, ) client = Client() if mount_point is None: actual_response = client.get_vault_ec2_client_configuration() else: actual_response = client.get_vault_ec2_client_configuration( mount_point=mount_point) self.assertEqual( first=mock_response, second=actual_response, )
def main(): logger.info("Trying to login with Token") logger.debug("Debug enabled") try: client = Client(url=os.environ['VAULT_ADDR'], token=os.environ['VAULT_TOKEN']) client.is_authenticated() except Exception as err: logger.exception("Token Login failed: %s", err) exit(2) transit = Transit(client=client, encryption_key='backup', mount='transit') kv = KVstore(client, 'secrets', transit=transit) data = kv.get_base_folder() try: data = json.dumps(data[0], indent=4) except Exception as err: logger.exception(f'Error converting to JSON: {err}') exit(1) write_to_disk(cfg['out_file'], data) exported_key = transit.backup_key() logger.debug(f"Finished getting data:\n{data}") logger.info(f"Finished encrypting and writting data to {cfg['out_file']}") logger.info(f'Encryption used key:\n{exported_key}')
def _auth_userpass(self, _client: hvac.Client) -> None: if self.auth_mount_point: _client.auth_userpass( username=self.username, password=self.password, mount_point=self.auth_mount_point ) else: _client.auth_userpass(username=self.username, password=self.password)
def test_set_role_id(self, test_label, mount_point, role_name, role_id, requests_mocker): expected_status_code = 204 mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/role-id'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, ) client = Client() if mount_point is None: actual_response = client.set_role_id( role_name=role_name, role_id=role_id ) else: actual_response = client.set_role_id( role_name=role_name, role_id=role_id, mount_point=mount_point, ) self.assertEquals( first=expected_status_code, second=actual_response.status_code, )
def test_list_vault_ec2_certificate_configurations(self, test_label, mount_point, requests_mocker): mock_response = {"data": {"keys": ["cert1"]}} expected_status_code = 200 mock_url = 'http://localhost:8200/v1/auth/{0}/config/certificates?list=true'.format( 'aws-ec2' if mount_point is None else mount_point, ) requests_mocker.register_uri( method='GET', url=mock_url, json=mock_response, status_code=expected_status_code, ) client = Client() if mount_point is None: actual_response = client.list_vault_ec2_certificate_configurations( ) else: actual_response = client.list_vault_ec2_certificate_configurations( mount_point=mount_point) self.assertEqual( first=mock_response, second=actual_response, )
def test_delete_role_secret_id_accessor(self, test_label, mount_point, role_name, secret_id_accessor, requests_mocker): expected_status_code = 204 mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id-accessor/destroy'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, ) client = Client() if mount_point is None: actual_response = client.delete_role_secret_id_accessor( role_name=role_name, secret_id_accessor=secret_id_accessor, ) else: actual_response = client.delete_role_secret_id_accessor( role_name=role_name, secret_id_accessor=secret_id_accessor, mount_point=mount_point, ) self.assertEquals( first=expected_status_code, second=actual_response.status_code, )
def test_create_kubernetes_configuration(self, test_label, mount_point, kubernetes_host, pem_keys, requests_mocker): expected_status_code = 204 mock_url = 'http://localhost:8200/v1/auth/{0}/config'.format( 'kubernetes' if mount_point is None else mount_point, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, ) client = Client() test_arguments = dict( kubernetes_host=kubernetes_host, pem_keys=pem_keys, ) if mount_point: test_arguments['mount_point'] = mount_point actual_response = client.create_kubernetes_configuration(**test_arguments) self.assertEquals( first=expected_status_code, second=actual_response.status_code, )
def get_client(obj): client = Client( **{k: v for k, v in obj.VAULT_FOR_DYNACONF.items() if v is not None}) assert (client.is_authenticated( )), "Vault authentication error is VAULT_TOKEN_FOR_DYNACONF defined?" return client
def _auth_approle(self, _client: hvac.Client) -> None: if self.auth_mount_point: _client.auth_approle( role_id=self.role_id, secret_id=self.secret_id, mount_point=self.auth_mount_point ) else: _client.auth_approle(role_id=self.role_id, secret_id=self.secret_id)
def test_get_vault_ec2_certificate_configuration(self, test_label, mount_point, cert_name, requests_mocker): mock_response = { "data": { "aws_public_cert": "-----BEGIN CERTIFICATE-----\nblah blah9K\n-----END CERTIFICATE-----\n", "type": "pkcs7" } } expected_status_code = 200 mock_url = 'http://localhost:8200/v1/auth/{0}/config/certificate/{1}'.format( 'aws-ec2' if mount_point is None else mount_point, cert_name, ) requests_mocker.register_uri( method='GET', url=mock_url, json=mock_response, status_code=expected_status_code, ) client = Client() if mount_point is None: actual_response = client.get_vault_ec2_certificate_configuration( cert_name=cert_name, ) else: actual_response = client.get_vault_ec2_certificate_configuration( cert_name=cert_name, mount_point=mount_point) self.assertEqual( first=mock_response, second=actual_response, )
def test_create_vault_ec2_certificate_configuration( self, test_label, mount_point, cert_name, requests_mocker): test_cert_info = 'this is some test cert info' expected_status_code = 204 mock_url = 'http://localhost:8200/v1/auth/{0}/config/certificate/{1}'.format( 'aws-ec2' if mount_point is None else mount_point, cert_name, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, ) client = Client() if mount_point is None: actual_response = client.create_vault_ec2_certificate_configuration( cert_name=cert_name, aws_public_cert=test_cert_info, ) else: actual_response = client.create_vault_ec2_certificate_configuration( cert_name=cert_name, aws_public_cert=test_cert_info, mount_point=mount_point) self.assertEqual( first=expected_status_code, second=actual_response.status_code, )
def test_create_kubernetes_configuration(self, test_label, mount_point, kubernetes_host, pem_keys, requests_mocker): expected_status_code = 204 mock_url = 'http://localhost:8200/v1/auth/{0}/config'.format( 'kubernetes' if mount_point is None else mount_point, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, ) client = Client() test_arguments = dict( kubernetes_host=kubernetes_host, pem_keys=pem_keys, ) if mount_point: test_arguments['mount_point'] = mount_point actual_response = client.create_kubernetes_configuration( **test_arguments) self.assertEquals( first=expected_status_code, second=actual_response.status_code, )
def test_list_roles(self, test_label, mount_point, role_name, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "keys": [ role_name, ] }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "e4c219fb-0a78-2be2-8d3c-b3715dccb920", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role?list=true'.format( 'approle' if mount_point is None else mount_point, ) requests_mocker.register_uri( method='GET', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.list_roles() else: actual_response = client.list_roles( mount_point=mount_point, ) # ensure we received our mock response data back successfully self.assertEqual(mock_response, actual_response)
def test_get_ec2_role(self, test_label, mount_point, role_name, requests_mocker): mock_response = { "data": { "bound_ami_id": ["ami-fce36987"], "role_tag": "", "policies": ["default", "dev", "prod"], "max_ttl": 1800000, "disallow_reauthentication": False, "allow_instance_migration": False } } expected_status_code = 200 mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format( 'aws-ec2' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='GET', url=mock_url, json=mock_response, status_code=expected_status_code, ) client = Client() if mount_point is None: actual_response = client.get_ec2_role(role=role_name) else: actual_response = client.get_ec2_role(role=role_name, mount_point=mount_point) self.assertEqual( first=mock_response, second=actual_response, )
def test_create_ec2_role_tag(self, test_label, mount_point, role_name, requests_mocker): mock_response = { "data": { "tag_value": "v1:09Vp0qGuyB8=:r=dev-role:p=default,dev-api:d=false:t=300h0m0s:uPLKCQxqsefRhrp1qmVa1wsQVUXXJG8UZP/pJIdVyOI=", "tag_key": "VaultRole" } } expected_status_code = 200 mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/tag'.format( 'aws-ec2' if mount_point is None else mount_point, role_name) requests_mocker.register_uri( method='POST', url=mock_url, json=mock_response, status_code=expected_status_code, ) client = Client() if mount_point is None: actual_response = client.create_ec2_role_tag(role=role_name, ) else: actual_response = client.create_ec2_role_tag( role=role_name, mount_point=mount_point) self.assertEqual( first=mock_response, second=actual_response.json(), )
def test_create_vault_ec2_client_configuration(self, test_label, mount_point, requests_mocker): test_access_key = 'AKIAABCDEFGUE1234567' test_secret_key = 'thisisasecretyall' expected_status_code = 204 mock_url = 'http://localhost:8200/v1/auth/{0}/config/client'.format( 'aws-ec2' if mount_point is None else mount_point) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, ) client = Client() if mount_point is None: actual_response = client.create_vault_ec2_client_configuration( access_key=test_access_key, secret_key=test_secret_key, ) else: actual_response = client.create_vault_ec2_client_configuration( access_key=test_access_key, secret_key=test_secret_key, mount_point=mount_point) self.assertEqual(first=expected_status_code, second=actual_response.status_code)
def __init__(self, url, git_token, mount_point): self.client = Client(url=url) self.mount_point = mount_point self.client.auth.github.login(git_token) self.missing_secrets = [] if not self.client.is_authenticated(): print(f'Cannot authenticate vault {url}. Exiting.') exit(-1)
def provide_authed_hvac_client(self, config: VaultConfiguration) -> Client: client = Client( url=config.url, token=config.token, ) client.kv.default_kv_version = 2 assert client.is_authenticated() return client
def _auth_kubernetes(self, _client: hvac.Client) -> None: if not self.kubernetes_jwt_path: raise VaultError( "The kubernetes_jwt_path should be set here. This should not happen." ) with open(self.kubernetes_jwt_path) as f: jwt = f.read() _client.auth_kubernetes(role=self.kubernetes_role, jwt=jwt)
def run(self, terms, variables, **kwargs): key, field, path = terms vault = LookupModule.get_vault_from_path('../{}'.format(path)) client = Client(**vault) if client.is_authenticated() and not client.is_sealed(): result = [client.read(key)['data'][field]] return result else: raise AnsibleError('Unable to authenticate with Vault!')
def __init__(self, url, git_token, mount_point): self.LOGGER = sesam_logger('KeyVault') self.client = Client(url=url) self.mount_point = mount_point self.client.auth.github.login(git_token) self.missing_secrets = [] if not self.client.is_authenticated(): self.LOGGER.critical(f'Cannot authenticate vault {url}. Exiting.') exit(-1)
def pre_flight_check(client: hvac.Client) -> bool: if not client.is_initialized() or client.is_sealed(): logging.error("The vault is either not initialized or sealed. That's odd.") elif not client.is_authenticated(): logging.error("It seems the authentication token is invalid. Vault does" " not like it. Clean everything up and come back.") else: logging.info("Everything looks good so far, pre-flight check ok") return True return False
def __authenticate_vault_client(client: hvac.Client, tenant: str, priv_jwt_token: str) -> hvac.Client: trace_enter(inspect.currentframe()) vault_auth_jwt_path = config.get_vault_auth_jwt_path(tenant) if not vault_auth_jwt_path: logger.error('Failed to load auth jwt path for tenant "%s"', tenant) return None if config.get_config_by_keypath('DEV_MODE'): logger.debug('Attempting to authenticate against Vault using JWT: %s', priv_jwt_token) cache_id = utils.get_vault_token_cache_id(tenant, priv_jwt_token) if cache_id in __VAULT_TOKEN_CACHE: logger.debug('Cache hit: Found token for "%s".', cache_id) client.token = __VAULT_TOKEN_CACHE[cache_id] else: logger.debug('Cache miss: Token for "%s" not found.', cache_id) token = __get_vault_token(client, tenant, priv_jwt_token, vault_auth_jwt_path) if not token: ret = None logger.error('Failed to get Vault token.') trace_exit(inspect.currentframe(), ret) return ret client.token = token __VAULT_TOKEN_CACHE[cache_id] = token if not client.is_authenticated(): # token might be invalid/has expired del __VAULT_TOKEN_CACHE[cache_id] ret = None logger.error('Failed to validate Vault client. ' 'Review configuration (config/config.json). ' 'Retry as token might have expired.') trace_exit(inspect.currentframe(), ret) return ret logger.debug('Successfully authenticated Vault client ' 'for tenant "%s"', tenant) trace_exit(inspect.currentframe(), client) return client
def get_client(obj): client = Client( **{k: v for k, v in obj.VAULT_FOR_DYNACONF.items() if v is not None}) if obj.VAULT_ROLE_ID_FOR_DYNACONF is not None: client.auth_approle( role_id=obj.VAULT_ROLE_ID_FOR_DYNACONF, secret_id=obj.get("VAULT_SECRET_ID_FOR_DYNACONF"), ) assert client.is_authenticated(), ( "Vault authentication error: is VAULT_TOKEN_FOR_DYNACONF or " "VAULT_ROLE_ID_FOR_DYNACONF defined?") return client
def test_get_role_secret_id_accessor(self, test_label, mount_point, role_name, secret_id_accessor, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "SecretIDNumUses": 0, "cidr_list": [], "creation_time": "2018-06-11T07:33:57.771908-05:00", "expiration_time": "0001-01-01T00:00:00Z", "last_updated_time": "2018-06-11T07:33:57.771908-05:00", "metadata": {}, "secret_id_accessor": secret_id_accessor, "secret_id_num_uses": 0, "secret_id_ttl": 0 }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "2c9fcba6-425d-e4c0-45fa-ee90450a3c00", "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id-accessor/lookup'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.get_role_secret_id_accessor( role_name=role_name, secret_id_accessor=secret_id_accessor, ) else: actual_response = client.get_role_secret_id_accessor( role_name=role_name, secret_id_accessor=secret_id_accessor, mount_point=mount_point, ) self.assertEquals( first=mock_response, second=actual_response, )
def reset_vault(client: hvac.Client) -> (str, List[str]): assert not client.is_initialized() logging.warning("The vault is not initialized yet, it will be initialized with {} keys and a threshold of {}. " "Security is overrated anyway.".format(shares, threshold)) result = client.initialize(secret_shares=shares, secret_threshold=threshold) root_token, unseal_keys = result['root_token'], result['keys'] logging.warning("Okay, initialized. The root_token is {} and the unseal key(s) are {}. Keep that around, you'll" " need it".format(root_token, unseal_keys)) assert client.is_sealed() logging.info('The vault is sealed. Unsealing...') client.unseal_multi(unseal_keys) logging.info("Okay, you're good to go.") return root_token, unseal_keys
def test_get_role(self, test_label, mount_point, role_name, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "bind_secret_id": True, "bound_cidr_list": "", "period": 0, "policies": [ "default" ], "secret_id_num_uses": 0, "secret_id_ttl": 0, "token_max_ttl": 900, "token_num_uses": 0, "token_ttl": 600 }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "0aab655f-ecd2-b3d4-3817-35b5bdfd3f28", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='GET', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.get_role( role_name=role_name, ) else: actual_response = client.get_role( role_name=role_name, mount_point=mount_point, ) self.assertEquals( first=mock_response, second=actual_response, )
def test_auth_approle(self, test_label, mount_point, role_id, secret_id, requests_mocker): expected_status_code = 200 mock_response = { "auth": { "accessor": "f8b576f9-9146-4173-e174-40257d58015a", "client_token": "3db3d089-7d3c-f531-cd3e-bfe44696a92c", "lease_duration": 600, "metadata": { "role_name": "application1" }, "policies": [ "default" ], "renewable": True }, "data": None, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "2eb635ad-a763-926a-9815-4cb4d14a40f9", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format( 'approle' if mount_point is None else mount_point, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.auth_approle( role_id=role_id, secret_id=secret_id, ) else: actual_response = client.auth_approle( role_id=role_id, secret_id=secret_id, mount_point=mount_point, ) self.assertEquals( first=mock_response, second=actual_response, )
def test_get_role_secret_id(self, test_label, mount_point, role_name, secret_id, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "SecretIDNumUses": 0, "cidr_list": [], "creation_time": "2018-06-11T07:33:57.771908-05:00", "expiration_time": "0001-01-01T00:00:00Z", "last_updated_time": "2018-06-11T07:33:57.771908-05:00", "metadata": {}, "secret_id_accessor": "b58fd0ee-130c-33bb-5f69-6d4fd1731e5f", "secret_id_num_uses": 0, "secret_id_ttl": 0 }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "718a00fa-e76f-f1fc-9b9e-f9c4baa766b3", "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id/lookup'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.get_role_secret_id( role_name=role_name, secret_id=secret_id, ) else: actual_response = client.get_role_secret_id( role_name=role_name, secret_id=secret_id, mount_point=mount_point, ) self.assertEquals( first=mock_response, second=actual_response, )
def test_auth_gcp(self, test_label, test_role, test_jwt, mount_point, requests_mocker): mock_response = { 'auth': { 'accessor': 'accessor-1234-5678-9012-345678901234', 'client_token': 'cltoken-1234-5678-9012-345678901234', 'lease_duration': 10000, 'metadata': { 'role': 'custom_role', 'service_account_email': '*****@*****.**', 'service_account_id': '111111111111111111111' }, 'policies': [ 'default', 'custom_role' ], 'renewable': True }, 'data': None, 'lease_duration': 0, 'lease_id': '', 'renewable': False, 'request_id': 'requesti-1234-5678-9012-345678901234', 'warnings': [], 'wrap_info': None } mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format( 'gcp' if mount_point is None else mount_point) requests_mocker.register_uri( method='POST', url=mock_url, json=mock_response ) client = Client() if mount_point is None: actual_response = client.auth_gcp( role=test_role, jwt=test_jwt ) else: actual_response = client.auth_gcp( role=test_role, jwt=test_jwt, mount_point=mount_point ) # ensure we received our mock response data back successfully self.assertEqual(mock_response, actual_response)
def test_auth_kubernetes(self, test_label, test_role, test_jwt, mount_point, requests_mocker): mock_response = { 'auth': { 'accessor': 'accessor-1234-5678-9012-345678901234', 'client_token': 'cltoken-1234-5678-9012-345678901234', 'lease_duration': 10000, 'metadata': { 'role': 'custom_role', 'service_account_name': 'vault-auth', 'service_account_namespace': 'default', 'service_account_secret_name': 'vault-auth-token-pd21c', 'service_account_uid': 'aa9aa8ff-98d0-11e7-9bb7-0800276d99bf' }, 'policies': [ 'default', 'custom_role' ], 'renewable': True }, 'data': None, 'lease_duration': 0, 'lease_id': '', 'renewable': False, 'request_id': 'requesti-1234-5678-9012-345678901234', 'warnings': [], 'wrap_info': None } mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format( 'kubernetes' if mount_point is None else mount_point) requests_mocker.register_uri( method='POST', url=mock_url, json=mock_response ) client = Client() test_arguments = dict( role=test_role, jwt=test_jwt, ) if mount_point: test_arguments['mount_point'] = mount_point actual_response = client.auth_kubernetes(**test_arguments) # ensure we received our mock response data back successfully self.assertEqual(mock_response, actual_response)
def test_create_role_custom_secret_id(self, test_label, mount_point, role_name, secret_id, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "secret_id": secret_id, "secret_id_accessor": "f5cb4b7d-9111-320e-6f24-73bf45d3845d" }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "e7c8b2e1-95e8-cb17-e98a-6c428201f1d5", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/custom-secret-id'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.create_role_custom_secret_id( role_name=role_name, secret_id=secret_id, ) else: actual_response = client.create_role_custom_secret_id( role_name=role_name, secret_id=secret_id, mount_point=mount_point, ) self.assertEquals( first=mock_response, second=actual_response, )
def test_list_role_secrets(self, test_label, mount_point, role_name, secret_id, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "keys": [ secret_id ] }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "eb805845-f6ce-a514-9238-6914664dd601", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='LIST', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.list_role_secrets( role_name=role_name, ) else: actual_response = client.list_role_secrets( role_name=role_name, mount_point=mount_point, ) self.assertEquals( first=mock_response, second=actual_response, )
def test_create_role_secret_id(self, test_label, mount_point, role_name, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "secret_id": "be78e3ca-f644-b099-3291-e8a6f5985cfe", "secret_id_accessor": "b58fd0ee-130c-33bb-5f69-6d4fd1731e5f" }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "2310dc21-0fea-a2de-2d94-bb4edd59f1e9", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.create_role_secret_id( role_name=role_name, ) else: actual_response = client.create_role_secret_id( role_name=role_name, mount_point=mount_point, ) self.assertEquals( first=mock_response, second=actual_response, )
def test_get_role_id(self, test_label, mount_point, role_name, role_id, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "role_id": role_id }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "85590a1a-6dd7-de79-01b0-1c285d505bf2", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/role-id'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='GET', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.get_role_id( role_name=role_name ) else: actual_response = client.get_role_id( role_name=role_name, mount_point=mount_point ) # ensure we received our mock response data back successfully self.assertEqual( first=role_id, second=actual_response )
def test_get_kubernetes_configuration(self, test_label, mount_point, requests_mocker): expected_status_code = 200 mock_response = { 'auth': None, 'data': { 'kubernetes_ca_cert': '', 'kubernetes_host': '127.0.0.1:80', 'pem_keys': ['some key'], 'token_reviewer_jwt': '' }, 'lease_duration': 0, 'lease_id': '', 'renewable': False, 'request_id': '12687b5f-b4f5-2ba4-aae2-2a8d7e53ca55', 'warnings': None, 'wrap_info': None } mock_url = 'http://localhost:8200/v1/auth/{0}/config'.format( 'kubernetes' if mount_point is None else mount_point, ) requests_mocker.register_uri( method='GET', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() test_arguments = dict() if mount_point: test_arguments['mount_point'] = mount_point actual_response = client.get_kubernetes_configuration(**test_arguments) self.assertEquals( first=mock_response, second=actual_response, )
def test_read_lease(self, test_label, test_lease_id, requests_mocker): test_path = 'http://localhost:8200/v1/sys/leases/lookup' mock_response = { 'issue_time': '2018-07-15T08:35:34.775859245-05:00', 'renewable': False, 'id': test_lease_id, 'ttl': 259199, 'expire_time': '2018-07-18T08:35:34.00004241-05:00', 'last_renewal': None } requests_mocker.register_uri( method='PUT', url=test_path, json=mock_response, ) client = Client() response = client.read_lease( lease_id=test_lease_id, ) self.assertEquals( first=mock_response, second=response, )
def test_get_auth_backend_tuning(self, requests_mocker): expected_status_code = 200 test_backend_type = 'approle' test_mount_point = 'approle-test' mock_response = { 'max_lease_ttl': 12345678, 'lease_id': '', 'force_no_cache': False, 'warnings': None, 'data': { 'force_no_cache': False, 'default_lease_ttl': 2764800, 'max_lease_ttl': 12345678 }, 'wrap_info': None, 'auth': None, 'lease_duration': 0, 'request_id': '673f2336-3235-b988-2194-c68261a02bfe', 'default_lease_ttl': 2764800, 'renewable': False } requests_mocker.register_uri( method='GET', url='http://localhost:8200/v1/sys/auth/{0}/tune'.format(test_mount_point), status_code=expected_status_code, json=mock_response ) client = Client() actual_response = client.get_auth_backend_tuning( backend_type=test_backend_type, mount_point=test_mount_point, ) self.assertEqual( first=mock_response, second=actual_response, )
def init_postgre_backend(client: hvac.Client): if 'postgresql/' in client.list_secret_backends(): logging.warning('Backend postgresql already exists : it will be modified') else: client.enable_secret_backend('postgresql') ok = False logging.info('Setting up the postgre backend with the url {}'.format(postgre_url)) while not ok: try: # We try a lot because postgre/vault might not be completely up by the time it is launched client.write('/postgresql/config/connection', connection_url=postgre_url) ok = True except hvac.exceptions.InvalidRequest as e: logging.error(e) time.sleep(1) logging.info('Creating role readwrite') client.write('/postgresql/roles/readwrite', sql=rw_role_request) logging.info("Ok we're good. You can now request rw on the url postgresql/creds/readwrite")
def set_up_policies(client: hvac.Client): if postgres_policy_name in client.list_policies(): logging.info("Policy {} already set up".format(postgres_policy_name)) return client.set_policy(postgres_policy_name, postgres_policy)
def send_access_token(client: hvac.Client) -> bool: token = client.create_token(policies=[postgres_policy_name]) requests.post(minitwit_url, json={'token': token['auth']['client_token']})