def test_vault_secret_operators(vault_server, version):
path = 'mysecrets'
client = hvac.Client(url=vault_server['http'], token=vault_server['token'])
client.sys.enable_secrets_engine(backend_type='kv',
options={'version': version},
path=path)
prefix = 'keepass/'
importer = main.Importer(keepass_db='tests/test_db.kdbx',
keepass_password='******',
keepass_keyfile=None,
vault_url=vault_server['http'],
vault_prefix=prefix,
vault_token=vault_server['token'],
cert=(None, None),
verify=False,
path=path)
secret_key = prefix + 'my/key'
secret_value = {'field': 'value'}
importer.create_or_update_secret(secret_key, secret_value)
assert importer.read_secret(secret_key) == secret_value
importer.erase(prefix)
with pytest.raises(hvac.exceptions.InvalidPath):
importer.read_secret(secret_key)
def test_client_cert(vault_server):
kwargs = dict(
keepass_db='tests/test_db.kdbx',
keepass_password='******',
keepass_keyfile=None,
vault_url=vault_server['https'],
vault_prefix='keepass/',
vault_token=vault_server['token'],
)
# SUCCESS with CA and client certificate provided
r0 = main.Importer(
verify=vault_server['crt'],
cert=(vault_server['crt'], vault_server['key']),
**kwargs,
).export_to_vault()
verify_expected_secrets(r0, 'new')
# SUCCESS with CA missing but verify False and client certificate provided
r0 = main.Importer(
verify=False,
cert=(vault_server['crt'], vault_server['key']),
**kwargs,
).export_to_vault()
verify_expected_secrets(r0, 'ok')
# FAILURE with missing client certificate
with pytest.raises(requests.exceptions.SSLError):
main.Importer(
verify=False,
cert=(None, None),
**kwargs,
).export_to_vault()
# FAILURE with missing CA
with pytest.raises(requests.exceptions.SSLError):
main.Importer(
verify=True,
cert=(vault_server['crt'], vault_server['key']),
**kwargs,
).export_to_vault()
def test_export_to_vault(vault_server):
importer = main.Importer(keepass_db='tests/test_db.kdbx',
keepass_password='******',
keepass_keyfile=None,
vault_url=vault_server['http'],
vault_prefix='keepass/',
vault_token=vault_server['token'],
cert=(None, None),
verify=False)
verify_expected_secrets(importer.export_to_vault(), 'new')
verify_expected_secrets(importer.export_to_vault(), 'ok')
def test_delete_less_qualified_path(vault_server):
importer = main.Importer(keepass_db='tests/test_db.kdbx',
keepass_password='******',
keepass_keyfile=None,
vault_url=vault_server['http'],
vault_prefix='keepass/',
vault_token=vault_server['token'],
cert=(None, None),
verify=False)
less_qualified = 'keepass/title1'
importer.create_or_update_secret(less_qualified, {'something': 'else'})
verify_expected_secrets(importer.export_to_vault(), 'new')
verify_withattachment(vault_server, '2')
with pytest.raises(hvac.exceptions.InvalidPath):
importer.vault.secrets.kv.v2.read_secret_version(less_qualified)
def test_erase(vault_server):
prefix = 'keepass/'
importer = main.Importer(keepass_db='tests/test_db.kdbx',
keepass_password='******',
keepass_keyfile=None,
vault_url=vault_server['http'],
vault_prefix=prefix,
vault_token=vault_server['token'],
cert=(None, None),
verify=False)
importer.set_verbosity(True)
client = hvac.Client(url=vault_server['http'], token=vault_server['token'])
importer.export_to_vault()
keys = client.secrets.kv.v2.list_secrets(prefix)['data']['keys']
assert 'Group1/' in keys
assert 'withattachment' in keys
importer.erase(importer.prefix)
with pytest.raises(hvac.exceptions.InvalidPath):
client.secrets.kv.v2.list_secrets(prefix)