def test_cli_simple_login_logout_flow_netrc(self, keystore_disable_mock):
utils.setup_cli(self)
assert os.path.isfile(DEFAULT_NETRC_FILE)
self.invoke_cli(self.cli_auth_params, ['logout'])
with open(DEFAULT_NETRC_FILE) as netrc_file:
assert netrc_file.read().strip() == "", 'netrc file is not empty!'
self.invoke_cli(self.cli_auth_params, ['list'], exit_code=1)
def test_https_netrc_is_created_with_host_netrc(self,
keystore_disable_mock):
utils.setup_cli(self)
# Setup for fetching the API key of a host. To fetch we need to login
credentials = CredentialsData(self.client_params.hostname, "admin",
self.client_params.env_api_key)
utils.save_credentials(credentials)
self.invoke_cli(self.cli_auth_params, [
'policy', 'replace', '-b', 'root', '-f',
self.environment.path_provider.get_policy_path('conjur')
])
host_api_key = self.invoke_cli(
self.cli_auth_params, ['host', 'rotate-api-key', '-i', 'somehost'])
extract_api_key_from_message = host_api_key.split(":")[1].strip()
self.invoke_cli(self.cli_auth_params, ['logout'])
output = self.invoke_cli(self.cli_auth_params, [
'login', '-i', 'host/somehost', '-p',
f'{extract_api_key_from_message}'
])
self.validate_netrc(f"{self.client_params.hostname}", "host/somehost",
extract_api_key_from_message)
self.assertIn("Successfully logged in to Conjur", output.strip())
def setUp(self):
self.setup_cli_params({})
utils.setup_cli(self)
return self.invoke_cli(self.cli_auth_params, [
'policy', 'replace', '-b', 'root', '-f',
self.environment.path_provider.get_policy_path("initial")
])
def test_cli_simple_login_logout_flow_keyring(self):
utils.setup_cli(self)
creds = utils.get_credentials()
assert creds.machine == self.client_params.hostname
self.invoke_cli(self.cli_auth_params, ['logout'])
assert not utils.is_credentials_exist(creds.machine)
self.invoke_cli(self.cli_auth_params, ['list'], exit_code=1)
def test_https_can_load_policy_keyring(self):
self.setup_cli_params({})
utils.setup_cli(self)
policy, variables = utils.generate_policy_string()
utils.load_policy_from_string(self, policy)
for variable in variables:
utils.assert_set_and_get(self, variable)
def setUp(self):
self.setup_cli_params({})
# Used to configure the CLI and login to run tests
utils.setup_cli(self)
return self.invoke_cli(self.cli_auth_params, [
'policy', 'replace', '-b', 'root', '-f',
self.environment.path_provider.get_policy_path("initial")
])
def test_https_can_load_policy_netrc(self, keystore_disable_mock):
utils.setup_cli(self)
self.setup_cli_params({})
policy, variables = utils.generate_policy_string()
utils.load_policy_from_string(self, policy)
for variable in variables:
utils.assert_set_and_get(self, variable)
def setUp(self):
self.setup_cli_params({})
utils.delete_credentials()
# Need to configure the CLI and login to perform further commands
utils.setup_cli(self)
self.invoke_cli(self.cli_auth_params, [
'policy', 'replace', '-b', 'root', '-f',
self.environment.path_provider.get_policy_path("resource")
])
def test_https_logout_successful_keyring(self):
utils.setup_cli(self)
self.invoke_cli(self.cli_auth_params,
['login', '-i', 'admin', '-p', self.client_params.env_api_key])
output = self.invoke_cli(self.cli_auth_params,
['logout'])
self.assertIn('Successfully logged out from Conjur', output.strip())
def test_https_netrc_raises_error_with_wrong_user_netrc(
self, mock_pass, keystore_disable_mock):
utils.setup_cli(self)
with patch('getpass.getpass',
return_value=self.client_params.env_api_key):
output = self.invoke_cli(self.cli_auth_params, ['login'],
exit_code=1)
self.assertRegex(output, "Reason: 401")
def test_https_credentials_created_with_all_parameters_given_netrc(
self, keystore_disable_mock):
utils.setup_cli(self)
self.invoke_cli(
self.cli_auth_params,
['login', '-i', 'admin', '-p', self.client_params.env_api_key])
utils.get_credentials()
self.validate_netrc(f"{self.client_params.hostname}", "admin",
self.client_params.env_api_key)
def test_no_netrc_and_logout_returns_successful_logout_message_netrc(
self, keystore_disable_mock):
utils.setup_cli(self)
try:
os.remove(DEFAULT_NETRC_FILE)
except OSError:
pass
logout = self.invoke_cli(self.cli_auth_params, ['logout'], exit_code=1)
self.assertIn("You are already logged out", logout.strip())
def test_https_netrc_is_created_with_all_parameters_given_interactively_netrc(
self, mock_pass, keystore_disable_mock):
utils.setup_cli(self)
with patch('getpass.getpass',
return_value=self.client_params.env_api_key):
output = self.invoke_cli(self.cli_auth_params, ['login'])
assert utils.get_credentials() is not None
self.assertIn("Successfully logged in to Conjur", output.strip())
self.validate_netrc(f"{self.client_params.hostname}", "admin",
self.client_params.env_api_key)
def test_cli_configured_in_insecure_mode_and_run_in_insecure_mode_passes_netrc(
self, mock_input, keystore_disable_mock):
utils.setup_cli(self)
self.invoke_cli(self.cli_auth_params, [
'--insecure', 'init', '--url', self.client_params.hostname,
'--account', self.client_params.account
])
output = self.invoke_cli(self.cli_auth_params, [
'--insecure', 'login', '-i', 'admin', '-p',
self.client_params.env_api_key
])
self.assertIn('Successfully logged in to Conjur', output)
def test_https_logout_successful_netrc(self, keystore_disable_mock):
utils.setup_cli(self)
self.invoke_cli(
self.cli_auth_params,
['login', '-i', 'admin', '-p', self.client_params.env_api_key])
assert os.path.exists(
DEFAULT_NETRC_FILE) and os.path.getsize(DEFAULT_NETRC_FILE) != 0
output = self.invoke_cli(self.cli_auth_params, ['logout'])
self.assertIn('Successfully logged out from Conjur', output.strip())
with open(DEFAULT_NETRC_FILE) as netrc_file:
assert netrc_file.read().strip() == "", 'netrc file is not empty!'
def test_https_netrc_does_not_remove_irrelevant_entry_netrc(
self, keystore_disable_mock):
utils.setup_cli(self)
creds = CredentialsData(self.client_params.hostname, "admin",
self.client_params.env_api_key)
utils.save_credentials(creds)
creds = CredentialsData("somemachine", "somelogin", "somepass")
utils.save_credentials(creds)
self.invoke_cli(self.cli_auth_params, ['logout'])
cred_store = utils.create_cred_store()
assert cred_store.is_exists("somemachine")
assert not cred_store.is_exists(self.client_params.hostname)
def test_https_logout_twice_returns_could_not_logout_message_netrc(
self, keystore_disable_mock):
utils.setup_cli(self)
self.invoke_cli(
self.cli_auth_params,
['login', '-i', 'admin', '-p', self.client_params.env_api_key])
self.invoke_cli(self.cli_auth_params, ['logout'])
unsuccessful_logout = self.invoke_cli(self.cli_auth_params, ['logout'],
exit_code=1)
self.assertIn("Failed to log out. You are already logged out",
unsuccessful_logout.strip())
with open(DEFAULT_NETRC_FILE) as netrc_file:
assert netrc_file.read().strip() == "", 'netrc file is not empty!'
def test_https_netrc_was_not_overwritten_when_login_failed_but_already_logged_in(
self, keystore_disable_mock):
utils.setup_cli(self)
successful_run = self.invoke_cli(
self.cli_auth_params,
['login', '-i', 'admin', '-p', self.client_params.env_api_key])
self.assertIn("Successfully logged in to Conjur",
successful_run.strip())
unsuccessful_run = self.invoke_cli(
self.cli_auth_params,
['login', '-i', 'someinvaliduser', '-p', 'somewrongpassword'],
exit_code=1)
self.assertIn("Reason: 401 (Unauthorized) for url:", unsuccessful_run)
self.validate_netrc(f"{self.client_params.hostname}", "admin",
self.client_params.env_api_key)
def test_basic_secret_retrieval_with_keyring(self):
"""
Note about version tests, the Conjur server only keeps a certain number of versions.
With each run of the integration tests, version tests are resetting variable values
making, after a certain number of runs, version=1 not valid and fail
Therefore, the variable name needs to be a random string so that the version
will still be accessible
"""
utils.setup_cli(self)
variable_name = "someversionedvar" + uuid.uuid4().hex
policy = f"- !variable {variable_name}"
utils.load_policy_from_string(self, policy)
expected_value = "anothersecret"
utils.set_variable(self, variable_name, expected_value)
output = self.invoke_cli(self.cli_auth_params,
['variable', 'get', '-i', variable_name, '--version', '1'])
self.assertIn(expected_value, output.strip())
def test_https_credentials_user_can_login_successfully_when_another_user_is_already_logged_in(
self, mock_input, keystore_disable_mock):
utils.setup_cli(self)
self.invoke_cli(
self.cli_auth_params,
['login', '-i', 'admin', '-p', self.client_params.env_api_key])
# Load in new user
self.invoke_cli(self.cli_auth_params, [
'policy', 'replace', '-b', 'root', '-f',
self.environment.path_provider.get_policy_path('conjur')
])
# Rotate the new user's API key
user_api_key = self.invoke_cli(
self.cli_auth_params, ['user', 'rotate-api-key', '-i', 'someuser'])
extract_api_key_from_message = user_api_key.split(":")[1].strip()
# Login to change personal password
self.invoke_cli(
self.cli_auth_params,
['login', '-i', 'someuser', '-p', extract_api_key_from_message])
# Creates a password that meets Conjur password complexity standards
password = string.hexdigits + "$!@"
self.invoke_cli(self.cli_auth_params,
['user', 'change-password', '-p', password])
self.invoke_cli(self.cli_auth_params, ['logout'])
# Attempt to login with newly created password
output = self.invoke_cli(self.cli_auth_params,
['login', '-i', 'someuser', '-p', password])
self.assertIn("Successfully logged in to Conjur", output.strip())
utils.get_credentials()
self.validate_netrc(f"{self.client_params.hostname}", "someuser",
extract_api_key_from_message)
def test_keyring_locked_after_login_will_raise_error_keyring(self):
utils.setup_cli(self)
with patch('conjur.wrapper.keystore_wrapper.KeystoreWrapper.is_keyring_accessible', return_value=False):
self.invoke_cli(self.cli_auth_params, ['list'], exit_code=1)
def test_https_netrc_with_wrong_password_netrc(self, mock_pass, mock_input,
keystore_disable_mock):
utils.setup_cli(self)
output = self.invoke_cli(self.cli_auth_params, ['login'], exit_code=1)
self.assertRegex(output, "Reason: 401")
def test_https_can_get_whoami_insecure(self):
utils.setup_cli(self)
output = self.invoke_cli(self.cli_auth_params, ['whoami'])
response = json.loads(output)
self.assertIn(f'{self.client_params.account}', response.get('account'))
self.assertIn('admin', response.get('username'))
def test_provider_can_return_file_provider_netrc(self,
keystore_disable_mock):
utils.setup_cli(self)
cred_store = utils.create_cred_store()
self.assertEquals(type(cred_store), type(FileCredentialsProvider()))
