def setUpClass(cls): """Use the ServerManager class to launch a vault server process.""" config_paths = [get_config_file_path('vault-tls.hcl')] if distutils.spawn.find_executable('consul') is None and cls.enable_vault_ha: logging.warning('Unable to run Vault in HA mode, consul binary not found in path.') cls.enable_vault_ha = False if is_enterprise(): # TODO: figure out why this bit isn't working logging.warning('Unable to run Vault in HA mode, enterprise Vault version not currently supported.') cls.enable_vault_ha = False if cls.enable_vault_ha: config_paths = [ get_config_file_path('vault-ha-node1.hcl'), get_config_file_path('vault-ha-node2.hcl'), ] cls.manager = ServerManager( config_paths=config_paths, client=create_client(), use_consul=cls.enable_vault_ha, ) try: cls.manager.start() cls.manager.initialize() cls.manager.unseal() except Exception: cls.manager.stop() raise
def doctest_global_setup(): client = test_utils.create_client() manager = ServerManager( config_paths=[test_utils.get_config_file_path('vault-doctest.hcl')], client=client, ) manager.start() manager.initialize() manager.unseal() mocker = Mocker(real_http=True) mocker.start() auth_method_paths = [ 'ldap/login/{}'.format(MockLdapServer.ldap_user_name), ] for auth_method_path in auth_method_paths: mock_url = 'https://127.0.0.1:8200/v1/auth/{path}'.format( path=auth_method_path) mock_response = { "auth": { "client_token": manager.root_token, "accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d", "policies": ['default'], "lease_duration": 2764800, "renewable": True, }, } mocker.register_uri( method='POST', url=mock_url, json=mock_response, ) client.token = manager.root_token os.environ['VAULT_TOKEN'] = manager.root_token os.environ['REQUESTS_CA_BUNDLE'] = test_utils.get_config_file_path( 'server-cert.pem') os.environ['LDAP_USERNAME'] = MockLdapServer.ldap_user_name os.environ['LDAP_PASSWORD'] = MockLdapServer.ldap_user_password os.environ['AWS_LAMBDA_FUNCTION_NAME'] = 'hvac-lambda' os.environ.setdefault("LDAP_PASSWORD", MockLdapServer.ldap_user_password) if 'secret/' not in client.sys.list_mounted_secrets_engines()['data']: client.sys.enable_secrets_engine( backend_type='kv', path='secret', options=dict(version=2), ) attempts = 0 while attempts < 25 and 'secret/' not in client.sys.list_mounted_secrets_engines( )['data']: attempts += 1 logging.debug( 'Waiting 1 second for KV V2 secrets engine under path {path} to become available...' .format(path='secret', )) sleep(1) return manager
def setUp(self): """Set the client attribute to an authenticated hvac Client instance.""" self.client = create_client(token=self.manager.root_token) # Squelch deprecating warnings during tests as we may want to deliberately call deprecated methods and/or verify # warnings invocations. warnings_patcher = patch('hvac.utils.warnings', spec=warnings) self.mock_warnings = warnings_patcher.start()
def get_vault_addr_by_standby_status(self, standby_status=True): """Get an address for a Vault HA node currently in standby. :param standby_status: Value of the 'standby' key from the health status response to match. :type standby_status: bool :return: Standby Vault address. :rtype: str """ vault_addresses = self.manager.get_active_vault_addresses() for vault_address in vault_addresses: health_status = create_client(url=vault_address).sys.read_health_status(method='GET') if health_status['standby'] == standby_status: return vault_address
def test_read_health_status(self, label, method='HEAD', use_standby_node=False, expected_status_code=200, seal_first=False, ha_required=False): """Test the Health system backend class's "read_health_status" method. :param label: Label for a given parameterized test case. :type label: str :param method: HTTP method to use when invoking the method under test (GET or HEAD available). :type method: str :param use_standby_node: If True, send the request to a standby Vault node address :type use_standby_node: bool :param expected_status_code: The status code code expected in the response from Vault. :type expected_status_code: int :param seal_first: If True, seal the Vault node(s) before running the test cases. :type seal_first: bool :param ha_required: If True, skip the test case when consul / a HA Vault integration cluster is unavailable. :type ha_required: bool """ if ha_required and not self.enable_vault_ha: # Conditional to allow folks to run this test class without requiring consul to be installed locally. self.skipTest( 'Skipping test case, Vault HA required but not available.') if seal_first: # Standby nodes can't be sealed directly. # I.e.: "vault cannot seal when in standby mode; please restart instead" self.manager.restart_vault_cluster() # Grab a Vault node address for our desired standby status and create a one-off client configured for that address. vault_addr = self.get_vault_addr_by_standby_status( standby_status=use_standby_node) logging.debug('vault_addr being used: %s' % vault_addr) client = create_client(url=vault_addr) read_status_response = client.sys.read_health_status(method=method, ) logging.debug('read_status_response: %s' % read_status_response) if expected_status_code == 200: self.assertTrue(read_status_response) else: self.assertEqual( first=read_status_response.status_code, second=expected_status_code, ) if method != 'HEAD': if not isinstance(read_status_response, dict): read_status_response = read_status_response.json() self.assertTrue(expr=read_status_response['initialized'])
def get_vault_addr_by_standby_status(self, standby_status=True): """Get an address for a Vault HA node currently in standby. :param standby_status: Value of the 'standby' key from the health status response to match. :type standby_status: bool :return: Standby Vault address. :rtype: str """ vault_addresses = self.manager.get_active_vault_addresses() for vault_address in vault_addresses: health_status = create_client( url=vault_address).sys.read_health_status(method='GET') if health_status['standby'] == standby_status: return vault_address
def setUpClass(cls): """Use the ServerManager class to launch a vault server process.""" config_paths = [get_config_file_path('vault-tls.hcl')] if distutils.spawn.find_executable('consul') is None and cls.enable_vault_ha: logging.warning('Unable to run Vault in HA mode, consul binary not found in path.') cls.enable_vault_ha = False if cls.enable_vault_ha: config_paths = [ get_config_file_path('vault-ha-node1.hcl'), get_config_file_path('vault-ha-node2.hcl'), ] cls.manager = ServerManager( config_paths=config_paths, client=create_client(), use_consul=cls.enable_vault_ha, ) cls.manager.start() cls.manager.initialize() cls.manager.unseal()
def setUpClass(cls): """Use the ServerManager class to launch a vault server process.""" config_paths = [get_config_file_path('vault-tls.hcl')] if distutils.spawn.find_executable( 'consul') is None and cls.enable_vault_ha: logging.warning( 'Unable to run Vault in HA mode, consul binary not found in path.' ) cls.enable_vault_ha = False if cls.enable_vault_ha: config_paths = [ get_config_file_path('vault-ha-node1.hcl'), get_config_file_path('vault-ha-node2.hcl'), ] cls.manager = ServerManager( config_paths=config_paths, client=create_client(), use_consul=cls.enable_vault_ha, ) cls.manager.start() cls.manager.initialize() cls.manager.unseal()
def unseal(self): """Unseal the vault server process.""" vault_addresses = self.get_active_vault_addresses() for vault_address in vault_addresses: create_client(url=vault_address).sys.submit_unseal_keys(self.keys)
def test_broken_token(self): client = utils.create_client(token='\x1b') try: client.is_authenticated() except exceptions.InvalidRequest as e: assert "invalid header value" in str(e)
def test_missing_token(self): client = utils.create_client() assert not client.is_authenticated()
def test_invalid_token(self): client = utils.create_client(token='not-a-real-token') assert not client.is_authenticated()
def test_illegal_token(self): client = utils.create_client(token='token-with-new-line\n') try: client.is_authenticated() except ValueError as e: assert 'Invalid header value' in str(e)
import pytest from tests.utils import create_client from azure_databricks_api.__token import TokenInfo from azure_databricks_api.exceptions import ResourceDoesNotExist TOKEN_COMMENT = "THIS IS A TOKEN CREATED DURING THE CI/CD TESTING" CREATED_TOKEN_ID = "" client = create_client() def teardown_module(module): for token in client.tokens.list(): if token.comment == TOKEN_COMMENT: client.tokens.revoke(token_id=token.token_id) def test_create(): global CREATED_TOKEN_ID token = client.tokens.create(comment=TOKEN_COMMENT, lifetime_seconds=500) CREATED_TOKEN_ID = token['token_info'].token_id assert isinstance(token, dict) assert "token_value" in token.keys() assert "token_info" in token.keys() assert isinstance(token['token_info'], TokenInfo)
class TestCert(HvacIntegrationTestCase, TestCase): TEST_MOUNT_POINT = 'cert-test' TEST_ROLE_NAME = 'testrole' cert = utils.create_client()._adapter._kwargs.get('cert') with open(utils.get_config_file_path('client-cert.pem')) as fp: TEST_CERTIFICATE = fp.read() def setUp(self): super(TestCert, self).setUp() if '%s/' % self.TEST_MOUNT_POINT not in self.client.list_auth_backends(): self.client.enable_auth_backend( backend_type='cert', mount_point=self.TEST_MOUNT_POINT, ) _ = self.client.auth.cert.create_ca_certificate_role( name=self.TEST_ROLE_NAME, certificate=self.TEST_CERTIFICATE, mount_point=self.TEST_MOUNT_POINT, ) def tearDown(self): super(TestCert, self).tearDown() def test_create_ca_certificate_role(self): response = self.client.auth.cert.create_ca_certificate_role( name='testrole2', certificate=self.TEST_CERTIFICATE, mount_point=self.TEST_MOUNT_POINT, ) self.assertEqual( first=204, second=response.status_code ) def test_read_ca_certificate_role(self): response = self.client.auth.cert.read_ca_certificate_role( name=self.TEST_ROLE_NAME, mount_point=self.TEST_MOUNT_POINT, ) self.assertEqual( first=self.TEST_ROLE_NAME, second=response['data']['display_name'], ) def test_list_certificate_roles(self): response = self.client.auth.cert.list_certificate_roles( mount_point=self.TEST_MOUNT_POINT, ) self.assertEqual( first=response['data']['keys'], second=[self.TEST_ROLE_NAME] ) def test_delete_certificate_role(self): self.client.auth.cert.create_ca_certificate_role( name='testrole2', certificate=self.TEST_CERTIFICATE, mount_point=self.TEST_MOUNT_POINT, ) response = self.client.auth.cert.delete_certificate_role( name='testrole2', mount_point=self.TEST_MOUNT_POINT, ) self.assertEqual( first=204, second=response.status_code ) def test_configure_tls_certificate(self): response = self.client.auth.cert.configure_tls_certificate(mount_point=self.TEST_MOUNT_POINT) self.assertEqual( first=204, second=response.status_code ) def test_auth_tls_deprecation(self): # In order to raise this it is just easier to expect it to fail. with self.assertRaises(OSError): pytest.deprecated_call(Client().auth_tls()) @parameterized.expand([ (TEST_ROLE_NAME, "", cert[0], cert[1], TEST_MOUNT_POINT), ("", "", cert[0], cert[1], TEST_MOUNT_POINT), ("testrole2", "", cert[0], cert[1], TEST_MOUNT_POINT), ("", "", "bad cert", cert[1], TEST_MOUNT_POINT), ("", "bad ca", cert[0], cert[1], TEST_MOUNT_POINT), ("", True, cert[0], cert[1], TEST_MOUNT_POINT), ("", False, " ", " ", TEST_MOUNT_POINT) ]) def test_login(self, name, cacert, cert_pem, key_pem, mount_point): if cacert or "bad" in [cacert, cert_pem, key_pem]: with self.assertRaises(exceptions.ParamValidationError): self.client.auth.cert.login( name=name, cacert=cacert, cert_pem=cert_pem, mount_point=mount_point, ) # elif cacert: # with self.assertRaises(OSError): # self.client.auth.cert.login( # name=name, # cacert=cacert, # cert_pem=cert_pem, # mount_point=mount_point, # ) elif name != "" and name not in self.client.auth.cert.list_certificate_roles( mount_point=self.TEST_MOUNT_POINT, )['data']['keys']: with self.assertRaises(exceptions.InvalidRequest): with self.assertRaises(OSError): self.client.auth.cert.login( name=name, cacert=cacert, cert_pem=cert_pem, mount_point=mount_point, ) elif "/" not in cert_pem: with self.assertRaises(OSError): self.client.auth.cert.login( name=name, cacert=cacert, cert_pem=cert_pem, mount_point=mount_point, ) else: response = self.client.auth.cert.login( name=name, cacert=cacert, cert_pem=cert_pem, mount_point=mount_point, ) if name in [self.TEST_ROLE_NAME, ""] and (cacert, cert_pem, key_pem) == ("", self.cert[0], self.cert[1]): self.assertIsInstance(response, dict)