def test_accessor_validation(): with vault_dev.server() as s: client = s.client() with pytest.raises(Exception, match="Invalid vault accessor"): resolve_secret("VAULT:invalid", client) with pytest.raises(Exception, match="Invalid vault accessor"): resolve_secret("VAULT:invalid:a:b", client)
def test_secret_reading(): with vault_dev.server() as s: client = s.client() client.write("secret/foo", value="s3cret") assert resolve_secret("foo", client) == (False, "foo") assert resolve_secret("VAULT:secret/foo:value", client) == \ (True, "s3cret")
def test_error_for_missing_secret_key(): with vault_dev.server() as s: client = s.client() client.write("secret/foo", value="s3cret") msg = "Did not find key 'bar' at secret path 'secret/foo'" with pytest.raises(Exception, match=msg): resolve_secret("VAULT:secret/foo:bar", client)
def test_vault_github_login_with_mount_path(): os.environ["VAULT_AUTH_GITHUB_TOKEN"] = os.environ["VAULT_TEST_GITHUB_PAT"] with vault_dev.server() as s: cl = s.client() enable_github_login(cl, path="github-custom") cl.write("secret/db/password", value="s3cret") path = "config/vault" vault_addr = "http://localhost:{}".format(s.port) options = { "vault": { "addr": vault_addr, "auth": { "method": "github", "args": { "mount_point": "github-custom" } } } } orderly_web.start(path, options=options) cfg = fetch_config(path) container = cfg.get_container("orderly") res = string_from_container(container, "/root/.Renviron") assert "ORDERLY_DB_PASS=s3cret" in res orderly_web.stop(path, kill=True, volumes=True, network=True)
def test_can_substitute_secrets(): with vault_dev.server() as s: cl = s.client() # Copy the certificates into the vault where we will later on # pull from from. cert = read_file("proxy/ssl/certificate.pem") key = read_file("proxy/ssl/key.pem") cl.write("secret/ssl/certificate", value=cert) cl.write("secret/ssl/key", value=key) cl.write("secret/db/password", value="s3cret") cl.write("secret/github/id", value="ghkey") cl.write("secret/github/secret", value="ghs3cret") cl.write("secret/ssh", public="public-key-data", private="private-key-data") cl.write("secret/slack/webhook", value="http://webhook") # When reading the configuration we have to interpolate in the # correct values here for the vault connection cfg = build_config("config/complete") cfg.vault.url = "http://localhost:{}".format(s.port) cfg.vault.auth_args["token"] = s.token cfg.resolve_secrets() assert not cfg.proxy_ssl_self_signed assert cfg.proxy_ssl_certificate == cert assert cfg.proxy_ssl_key == key assert cfg.orderly_env["ORDERLY_DB_PASS"] == "s3cret" assert cfg.web_auth_github_app["id"] == "ghkey" assert cfg.web_auth_github_app["secret"] == "ghs3cret" assert cfg.orderly_ssh["private"] == "private-key-data" assert cfg.orderly_ssh["public"] == "public-key-data"
def test_verbose_mode(capsys): with vault_dev.server(verbose=True) as s: port = s.port captured = capsys.readouterr().out assert "Starting vault server on port {}".format(port) in captured assert "Waiting for server to become active" in captured assert "Connection made" in captured assert "Configuring old-style kv engine at /secret" in captured
def test_failure_after_start(): with vault_dev.server() as s: s.start() s.token = "root" with pytest.raises(vault_dev.VaultDevServerError) as e: s._wait_until_active(0.5, 0.1) assert e.msg == "Vault did not start in time" assert e.code is None assert e.stdout[0].startswith(">> ")
def test_vault_config_login(): with vault_dev.server() as s: cl = s.client() cl.sys.enable_auth_method(method_type="github") cl.write("auth/github/config", organization="vimc") url = "http://localhost:{}".format(s.port) token = os.environ["VAULT_TEST_GITHUB_PAT"] cfg = vault_config(url, "github", {"token": token}) assert cfg.client().is_authenticated()
def test_failure_to_start(): with socket.socket() as s: s.bind(('localhost', 0)) port = s.getsockname()[1] server = vault_dev.server(port) with pytest.raises(vault_dev.VaultDevServerError) as e: server.start() assert e.msg == "Vault process has terminated" assert e.code is not None assert e.msg in str(e.value) assert e.stdout in str(e.value)
def test_secret_reading_of_dicts(): with vault_dev.server() as s: client = s.client() client.write("secret/foo", value="s3cret") # With data dat = {"foo": "VAULT:secret/foo:value", "bar": "constant"} resolve_secrets(dat, client) assert dat == {"foo": "s3cret", "bar": "constant"} # Without empty = {} resolve_secrets(empty, client) assert empty == {}
def test_server_basic(): s = vault_dev.server() assert not s.is_running() s.start() assert s.is_running() assert s.url() == "http://localhost:{}".format(s.port) cl = s.client() # check that vault came up ok and that the v1 key-value store works cl.write("secret/foo", a="b") assert cl.read("secret/foo")["data"]["a"] == "b" s.stop() assert not s.is_running()
def test_vault_config_login_no_args(): if "VAULT_TEST_GITHUB_PAT" not in os.environ: pytest.skip("VAULT_TEST_GITHUB_PAT is not defined") with vault_dev.server() as s: cl = s.client() cl.sys.enable_auth_method(method_type="github") cl.write("auth/github/config", organization="vimc") url = "http://localhost:{}".format(s.port) token = os.environ["VAULT_TEST_GITHUB_PAT"] with mock.patch.dict(os.environ, {"VAULT_AUTH_GITHUB_TOKEN": token}): cfg = vault_config(url, "github", None) assert cfg.client().is_authenticated()
def test_secret_reading_of_objects(): with vault_dev.server() as s: client = s.client() client.write("secret/foo", value="s3cret") class Data: def __init__(self): self.foo = "VAULT:secret/foo:value" self.bar = "constant" dat = Data() resolve_secrets(dat, client) assert dat.foo == "s3cret" assert dat.bar == "constant"
def test_vault_ssl(): with vault_dev.server() as s: cl = s.client() # Copy the certificates into the vault where we will later on # pull from from. cert = read_file("proxy/ssl/certificate.pem") key = read_file("proxy/ssl/key.pem") cl.write("secret/ssl/certificate", value=cert) cl.write("secret/ssl/key", value=key) cl.write("secret/db/password", value="s3cret") cl.write("secret/github/id", value="ghid") cl.write("secret/github/secret", value="ghs3cret") cl.write("secret/ssh", public="public-key-data", private="private-key-data") cl.write("secret/slack/webhook", value="http://webhook") path = "config/complete" vault_addr = "http://localhost:{}".format(s.port) vault_auth = {"args": {"token": s.token}} options = {"vault": {"addr": vault_addr, "auth": vault_auth}} res = orderly_web.start(path, options=options) dat = json.loads(http_get("https://localhost/api/v1")) assert dat["status"] == "success" cfg = fetch_config(path) container = cfg.get_container("orderly") res = string_from_container(container, "/root/.Renviron") assert "ORDERLY_DB_PASS=s3cret" in res private = string_from_container(container, "/root/.ssh/id_rsa") assert private == "private-key-data" public = string_from_container(container, "/root/.ssh/id_rsa.pub") assert public == "public-key-data" known_hosts = string_from_container(container, "/root/.ssh/known_hosts") assert "github.com" in known_hosts web_container = cfg.get_container("web") web_config = string_from_container( web_container, "/etc/orderly/web/config.properties").split("\n") assert "auth.github_key=ghid" in web_config assert "auth.github_secret=ghs3cret" in web_config orderly_web.stop(path, kill=True, volumes=True, network=True)
def test_constellation_fetches_secrets_on_startup(): name = "mything" prefix = rand_str() network = "thenw" volumes = {"data": "mydata"} ref_server = ImageReference("library", "nginx", "latest") ref_client = ImageReference("library", "alpine", "latest") arg_client = ["sleep", "1000"] data = {"string": "VAULT:secret/foo:value"} with vault_dev.server() as s: vault_client = s.client() vault_url = vault_client.url secret = rand_str() vault_client.write("secret/foo", value=secret) def cfg_server(container, data): res = docker_util.string_into_container( data["string"], container, "/config") def cfg_client(container, data): res = container.exec_run(["apk", "add", "--no-cache", "curl"]) assert res.exit_code == 0 vault_config = vault.vault_config(vault_client.url, "token", {"token": s.token}) server = ConstellationContainer("server", ref_server, configure=cfg_server) client = ConstellationContainer("client", ref_client, arg_client, configure=cfg_client) obj = Constellation(name, prefix, [server, client], network, volumes, data=data, vault_config=vault_config) obj.start() x = obj.containers.get("server", prefix) res = docker_util.string_from_container(x, "/config") assert res == secret obj.destroy()
def test_vault_github_login_with_prompt(): if "VAULT_AUTH_GITHUB_TOKEN" in os.environ: del os.environ["VAULT_AUTH_GITHUB_TOKEN"] with mock.patch('builtins.input', return_value=os.environ["VAULT_TEST_GITHUB_PAT"]): with vault_dev.server() as s: cl = s.client() enable_github_login(cl) cl.write("secret/db/password", value="s3cret") path = "config/vault" vault_addr = "http://localhost:{}".format(s.port) options = {"vault": {"addr": vault_addr}} orderly_web.start(path, options=options) cfg = fetch_config(path) container = cfg.get_container("orderly") res = string_from_container(container, "/root/.Renviron") assert "ORDERLY_DB_PASS=s3cret" in res orderly_web.stop(path, kill=True, volumes=True, network=True)
def test_restart_is_not_an_error(): with vault_dev.server() as s: assert s.start() is None
def f(): s = vault_dev.server() s.start() return s.process
def test_vault_config(): with vault_dev.server() as s: url = "http://localhost:{}".format(s.port) cfg = vault_config(url, "token", {"token": s.token}) cl = cfg.client() assert cl.is_authenticated()
def test_that_enter_exit_works(): with vault_dev.server() as s: p = s.process assert s.is_running() assert p.poll()
def test_error_for_missing_secret(): with vault_dev.server() as s: client = s.client() msg = "Did not find secret at 'secret/foo'" with pytest.raises(Exception, match=msg): resolve_secret("VAULT:secret/foo:bar", client)