def test_configure_and_read_configuration(self, test_label, organization,
base_url, ttl, max_ttl):
config_response = self.client.auth.github.configure(
organization=organization,
base_url=base_url,
ttl=ttl,
max_ttl=max_ttl,
mount_point=self.TEST_GITHUB_PATH,
)
logging.debug('config_response: {}'.format(config_response))
self.assertEqual(first=204, second=config_response.status_code)
read_config_response = self.client.auth.github.read_configuration(
mount_point=self.TEST_GITHUB_PATH, )
logging.debug('read_config_response: {}'.format(read_config_response))
self.assertEqual(first=organization,
second=read_config_response['data']['organization'])
self.assertEqual(first=base_url,
second=read_config_response['data']['base_url'])
ttl_data_key = 'token_ttl' if utils.vault_version_ge(
'1.2.0') else 'ttl'
max_ttl_data_key = 'token_max_ttl' if utils.vault_version_ge(
'1.2.0') else 'max_ttl'
self.assertEqual(
first=self.convert_python_ttl_value_to_expected_vault_response(
ttl_value=ttl),
second=read_config_response['data'][ttl_data_key])
self.assertEqual(
first=self.convert_python_ttl_value_to_expected_vault_response(
ttl_value=max_ttl),
second=read_config_response['data'][max_ttl_data_key])
def test_ec2_role_token_lifespan(self):
if 'aws-ec2/' not in self.client.list_auth_backends()['data']:
self.client.enable_auth_backend('aws-ec2')
# create a policy to associate with the role
self.prep_policy('ec2rolepolicy')
# create a role with no TTL
self.client.create_ec2_role('foo',
'ami-notarealami',
policies='ec2rolepolicy')
# create a role with a 1hr TTL
self.client.create_ec2_role('bar',
'ami-notarealami',
ttl='1h',
policies='ec2rolepolicy')
# create a role with a 3-day max TTL
self.client.create_ec2_role('baz',
'ami-notarealami',
max_ttl='72h',
policies='ec2rolepolicy')
# create a role with 1-day period
self.client.create_ec2_role('qux',
'ami-notarealami',
period='24h',
policies='ec2rolepolicy')
foo_role = self.client.get_ec2_role('foo')
ttl_data_key = 'token_ttl' if utils.vault_version_ge(
'1.2.0') else 'ttl'
assert (foo_role['data'][ttl_data_key] == 0)
bar_role = self.client.get_ec2_role('bar')
assert (bar_role['data']['ttl'] == 3600)
baz_role = self.client.get_ec2_role('baz')
max_ttl_data_key = 'token_max_ttl' if utils.vault_version_ge(
'1.2.0') else 'max_ttl'
assert (baz_role['data'][max_ttl_data_key] == 259200)
qux_role = self.client.get_ec2_role('qux')
assert (qux_role['data']['period'] == 86400)
# teardown
self.client.delete_ec2_role('foo')
self.client.delete_ec2_role('bar')
self.client.delete_ec2_role('baz')
self.client.delete_ec2_role('qux')
self.client.delete_policy('ec2rolepolicy')
self.client.disable_auth_backend('aws-ec2')
def test_configure_and_read_configuration(self,
test_label,
max_versions=10,
cas_required=None,
delete_version_after="0s"):
configure_arguments = dict(
delete_version_after=delete_version_after,
mount_point=self.DEFAULT_MOUNT_POINT,
)
if max_versions is not None:
configure_arguments['max_versions'] = max_versions
if cas_required is not None:
configure_arguments['cas_required'] = cas_required
self.client.secrets.kv.v2.configure(**configure_arguments)
read_configuration_response = self.client.secrets.kv.v2.read_configuration(
mount_point=self.DEFAULT_MOUNT_POINT, )
logging.debug('read_configuration_response: %s' %
read_configuration_response)
self.assertEqual(
first=max_versions,
second=read_configuration_response['data']['max_versions'],
)
self.assertEqual(
first=cas_required or False,
second=read_configuration_response['data']['cas_required'],
)
if utils.vault_version_ge('1.5.0'):
# delete_version_after wasn't returned in this response when unset before 1.5.0
self.assertEqual(
first=delete_version_after,
second=read_configuration_response['data']
['delete_version_after'],
)
def test_read_role(self,
label,
create_role_first=True,
raises=None,
exception_message=''):
role_name = 'hvac'
project_id = 'test-hvac-project-not-a-real-project'
if create_role_first:
self.client.auth.gcp.create_role(
name=role_name,
role_type='gce',
project_id=project_id,
bound_service_accounts=[
'*****@*****.**'
],
mount_point=self.TEST_MOUNT_POINT,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.gcp.read_role(
name=role_name,
mount_point=self.TEST_MOUNT_POINT,
)
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
read_role_response = self.client.auth.gcp.read_role(
name=role_name,
mount_point=self.TEST_MOUNT_POINT,
)
logging.debug('create_role_response: %s' % read_role_response)
if utils.vault_version_ge('1.0.0'):
returned_project_id = read_role_response['bound_projects']
expected_project_id = [project_id]
else:
returned_project_id = read_role_response['project_id']
expected_project_id = project_id
self.assertEqual(first=returned_project_id,
second=expected_project_id)
def test_read_role(self, label, create_role_first=True, raises=None, exception_message=''):
role_name = 'hvac'
project_id = 'test-hvac-project-not-a-real-project'
if create_role_first:
self.client.auth.gcp.create_role(
name=role_name,
role_type='gce',
project_id=project_id,
bound_service_accounts=['*****@*****.**'],
mount_point=self.TEST_MOUNT_POINT,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.gcp.read_role(
name=role_name,
mount_point=self.TEST_MOUNT_POINT,
)
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
read_role_response = self.client.auth.gcp.read_role(
name=role_name,
mount_point=self.TEST_MOUNT_POINT,
)
logging.debug('create_role_response: %s' % read_role_response)
if utils.vault_version_ge('1.0.0'):
returned_project_id = read_role_response['bound_projects']
expected_project_id = [project_id]
else:
returned_project_id = read_role_response['project_id']
expected_project_id = project_id
self.assertEqual(
first=returned_project_id,
second=expected_project_id
)
class TestLdap(HvacIntegrationTestCase, TestCase):
TEST_LDAP_PATH = 'test-ldap'
ldap_server = None
mock_server_port = None
mock_ldap_url = None
@classmethod
def setUpClass(cls):
super(TestLdap, cls).setUpClass()
logging.getLogger('ldap_test').setLevel(logging.ERROR)
cls.mock_server_port = utils.get_free_port()
cls.mock_ldap_url = 'ldap://localhost:{port}'.format(port=cls.mock_server_port)
cls.ldap_server = LdapServer({
'port': cls.mock_server_port,
'bind_dn': LDAP_BIND_DN,
'password': LDAP_BIND_PASSWORD,
'base': {
'objectclass': ['domain'],
'dn': LDAP_BASE_DN,
'attributes': {'dc': LDAP_BASE_DC}
},
'entries': LDAP_ENTRIES,
})
cls.ldap_server.start()
@classmethod
def tearDownClass(cls):
super(TestLdap, cls).tearDownClass()
cls.ldap_server.stop()
def setUp(self):
super(TestLdap, self).setUp()
if 'ldap/' not in self.client.list_auth_backends():
self.client.sys.enable_auth_method(
method_type='ldap',
path=self.TEST_LDAP_PATH
)
def tearDown(self):
super(TestLdap, self).tearDown()
self.client.disable_auth_backend(
mount_point=self.TEST_LDAP_PATH,
)
@parameterized.expand([
('update url', dict(url=LDAP_URL)),
('update binddn', dict(url=LDAP_URL, bind_dn='cn=vault,ou=Users,dc=hvac,dc=network')),
('update upn_domain', dict(url=LDAP_URL, upn_domain='python-hvac.org')),
('update certificate', dict(url=LDAP_URL, certificate=utils.load_config_file('server-cert.pem'))),
('incorrect tls version', dict(url=LDAP_URL, tls_min_version='cats'), exceptions.InvalidRequest,
"invalid 'tls_min_version'"),
])
def test_configure(self, test_label, parameters, raises=None, exception_message=''):
parameters.update({
'user_dn': LDAP_USERS_DN,
'group_dn': LDAP_GROUPS_DN,
'mount_point': self.TEST_LDAP_PATH,
})
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.ldap.configure(**parameters)
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
expected_status_code = 204
configure_response = self.client.auth.ldap.configure(**parameters)
self.assertEqual(
first=expected_status_code,
second=configure_response.status_code
)
read_config_response = self.client.auth.ldap.read_configuration(
mount_point=self.TEST_LDAP_PATH,
)
for parameter, argument in parameters.items():
if parameter == 'mount_point':
continue
self.assertIn(
member=argument,
container=read_config_response['data'].values(),
)
def test_read_configuration(self):
response = self.client.auth.ldap.read_configuration(
mount_point=self.TEST_LDAP_PATH,
)
self.assertIn(
member='data',
container=response,
)
@parameterized.expand([
('no policies', 'cats'),
('policies as list', 'cats', ['purr-policy']),
('policies as invalid type', 'cats', 'purr-policy', exceptions.ParamValidationError, '"policies" argument must be an instance of list'),
])
def test_create_or_update_group(self, test_label, name, policies=None, raises=None, exception_message=''):
expected_status_code = 204
if raises:
with self.assertRaises(raises) as cm:
create_response = self.client.auth.ldap.create_or_update_group(
name=name,
policies=policies,
mount_point=self.TEST_LDAP_PATH,
)
if exception_message is not None:
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
create_response = self.client.auth.ldap.create_or_update_group(
name=name,
policies=policies,
mount_point=self.TEST_LDAP_PATH,
)
self.assertEqual(
first=expected_status_code,
second=create_response.status_code
)
@parameterized.expand([
('read configured groups', 'cats'),
('non-existent groups', 'cats', False, exceptions.InvalidPath),
])
def test_list_groups(self, test_label, name, configure_first=True, raises=None, exception_message=None):
if configure_first:
self.client.auth.ldap.create_or_update_group(
name=name,
mount_point=self.TEST_LDAP_PATH,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.ldap.list_groups(
mount_point=self.TEST_LDAP_PATH,
)
if exception_message is not None:
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
list_groups_response = self.client.auth.ldap.list_groups(
mount_point=self.TEST_LDAP_PATH,
)
# raise Exception(list_groups_response)
self.assertDictEqual(
d1=dict(keys=[name]),
d2=list_groups_response['data'],
)
@parameterized.expand([
('read configured group', 'cats'),
('non-existent group', 'cats', False, exceptions.InvalidPath),
])
def test_read_group(self, test_label, name, configure_first=True, raises=None, exception_message=None):
if configure_first:
self.client.auth.ldap.create_or_update_group(
name=name,
mount_point=self.TEST_LDAP_PATH,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.ldap.read_group(
name=name,
mount_point=self.TEST_LDAP_PATH,
)
if exception_message is not None:
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
read_group_response = self.client.auth.ldap.read_group(
name=name,
mount_point=self.TEST_LDAP_PATH,
)
self.assertIn(
member='policies',
container=read_group_response['data'],
)
@parameterized.expand([
('no policies or groups', 'cats'),
('policies as list', 'cats', ['purr-policy']),
('policies as invalid type', 'cats', 'purr-policy', None, exceptions.ParamValidationError, '"policies" argument must be an instance of list'),
('no groups', 'cats', ['purr-policy']),
('groups as list', 'cats', None, ['meow-group']),
('groups as invalid type', 'cats', None, 'meow-group', exceptions.ParamValidationError, '"groups" argument must be an instance of list'),
])
def test_create_or_update_user(self, test_label, username, policies=None, groups=None, raises=None, exception_message=''):
expected_status_code = 204
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.ldap.create_or_update_user(
username=username,
policies=policies,
groups=groups,
mount_point=self.TEST_LDAP_PATH,
)
if exception_message is not None:
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
create_response = self.client.auth.ldap.create_or_update_user(
username=username,
policies=policies,
groups=groups,
mount_point=self.TEST_LDAP_PATH,
)
self.assertEqual(
first=expected_status_code,
second=create_response.status_code
)
@parameterized.expand([
('read configured group', 'cats'),
('non-existent group', 'cats', False, exceptions.InvalidPath),
])
def test_delete_group(self, test_label, name, configure_first=True, raises=None, exception_message=None):
if configure_first:
self.client.auth.ldap.create_or_update_group(
name=name,
mount_point=self.TEST_LDAP_PATH,
)
expected_status_code = 204
delete_group_response = self.client.auth.ldap.delete_group(
name=name,
mount_point=self.TEST_LDAP_PATH,
)
self.assertEqual(
first=expected_status_code,
second=delete_group_response.status_code
)
@parameterized.expand([
('read configured user', 'cats'),
('non-existent user', 'cats', False, exceptions.InvalidPath),
])
def test_list_users(self, test_label, username, configure_first=True, raises=None, exception_message=None):
if configure_first:
self.client.auth.ldap.create_or_update_user(
username=username,
mount_point=self.TEST_LDAP_PATH,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.ldap.list_users(
mount_point=self.TEST_LDAP_PATH,
)
if exception_message is not None:
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
list_users_response = self.client.auth.ldap.list_users(
mount_point=self.TEST_LDAP_PATH,
)
self.assertDictEqual(
d1=dict(keys=[username]),
d2=list_users_response['data'],
)
@parameterized.expand([
('read configured user', 'cats'),
('non-existent user', 'cats', False, exceptions.InvalidPath),
])
def test_read_user(self, test_label, username, configure_first=True, raises=None, exception_message=None):
if configure_first:
self.client.auth.ldap.create_or_update_user(
username=username,
mount_point=self.TEST_LDAP_PATH,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.ldap.read_user(
username=username,
mount_point=self.TEST_LDAP_PATH,
)
if exception_message is not None:
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
read_user_response = self.client.auth.ldap.read_user(
username=username,
mount_point=self.TEST_LDAP_PATH,
)
self.assertIn(
member='policies',
container=read_user_response['data'],
)
@parameterized.expand([
('read configured user', 'cats'),
('non-existent user', 'cats', False, exceptions.InvalidPath),
])
def test_delete_user(self, test_label, username, configure_first=True, raises=None, exception_message=None):
if configure_first:
self.client.auth.ldap.create_or_update_user(
username=username,
mount_point=self.TEST_LDAP_PATH,
)
expected_status_code = 204
delete_user_response = self.client.auth.ldap.delete_user(
username=username,
mount_point=self.TEST_LDAP_PATH,
)
self.assertEqual(
first=expected_status_code,
second=delete_user_response.status_code
)
@parameterized.expand([
param(
label='working creds with policy'
),
param(
label='invalid creds',
username='******',
password='******',
attach_policy=False,
raises=exceptions.InvalidRequest,
),
# The following two test cases cover either side of the associated changelog entry for LDAP auth here:
# https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#0103-june-20th-2018
param(
label='working creds no membership with Vault version >= 0.10.3',
attach_policy=False,
skip_due_to_vault_version=utils.vault_version_lt('0.10.3'),
),
param(
label='working creds no membership with Vault version < 0.10.3',
attach_policy=False,
raises=exceptions.InvalidRequest,
exception_message='user is not a member of any authorized group',
skip_due_to_vault_version=utils.vault_version_ge('0.10.3'),
),
])
def test_login(self, label, username=LDAP_USER_NAME, password=LDAP_USER_PASSWORD, attach_policy=True, raises=None,
exception_message='', skip_due_to_vault_version=False):
if skip_due_to_vault_version:
self.skipTest(reason='test case does not apply to Vault version under test')
test_policy_name = 'test-ldap-policy'
self.client.auth.ldap.configure(
url=self.mock_ldap_url,
bind_dn=self.ldap_server.config['bind_dn'],
bind_pass=self.ldap_server.config['password'],
user_dn=LDAP_USERS_DN,
user_attr='uid',
group_dn=LDAP_GROUPS_DN,
group_attr='cn',
insecure_tls=True,
mount_point=self.TEST_LDAP_PATH,
)
if attach_policy:
self.prep_policy(test_policy_name)
self.client.auth.ldap.create_or_update_group(
name=LDAP_GROUP_NAME,
policies=[test_policy_name],
mount_point=self.TEST_LDAP_PATH,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.ldap.login(
username=username,
password=password,
mount_point=self.TEST_LDAP_PATH,
)
if exception_message is not None:
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
login_response = self.client.auth.ldap.login(
username=username,
password=password,
mount_point=self.TEST_LDAP_PATH,
)
self.assertDictEqual(
d1=dict(username=username),
d2=login_response['auth']['metadata'],
)
self.assertEqual(
first=login_response['auth']['client_token'],
second=self.client.token,
)
if attach_policy:
expected_policies = ['default', test_policy_name]
else:
expected_policies = ['default']
self.assertEqual(
first=expected_policies,
second=login_response['auth']['policies']
)