Пример #1
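def test_should_catch_approle_invalid_secret_id_abort_the_run(hvac):
    """A failing AppRole login must abort the run with InvalidExperiment.

    ``hvac`` is presumably the patched ``chaoslib.secret.hvac`` module; the
    decorator that supplies it is not part of this excerpt.
    """
    # Placeholder values only: hvac.Client is replaced below, so the address
    # is never contacted and no real credential is involved.
    config = {
        "vault_addr": "http://someaddr.com",
        "vault_role_id": "mighty_id",
        "vault_role_secret": "expired",
    }

    fake_client = MagicMock()
    # The mocked login raises InvalidRequest, standing in for a secret id
    # that Vault no longer accepts.
    fake_client.auth_approle.side_effect = InvalidRequest()
    hvac.Client.return_value = fake_client

    with pytest.raises(InvalidExperiment):
        create_vault_client(config)

    # Pin the cause of the abort: without this check the test would also pass
    # if InvalidExperiment were raised before the AppRole login was attempted.
    fake_client.auth_approle.assert_called_with(
        config["vault_role_id"], config["vault_role_secret"]
    )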
Пример #2
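def test_should_catch_service_account_invalid_abort_the_run(hvac):
    """A failing Kubernetes login must abort the run with InvalidExperiment.

    ``hvac`` is presumably the patched ``chaoslib.secret.hvac`` module; the
    decorator that supplies it is not part of this excerpt.
    """
    # Imported locally so the block does not depend on the module's import
    # list, which is not visible here.
    from unittest.mock import mock_open, patch

    # Placeholder values only: hvac.Client is replaced below, so the address
    # is never contacted.
    config = {
        "vault_addr": "http://someaddr.com",
        "vault_sa_role": "invalid",
        "vault_kv_version": "1",
    }

    fake_client = MagicMock()
    # The mocked login raises InvalidRequest, standing in for a role that
    # Vault refuses.
    fake_client.auth_kubernetes.side_effect = InvalidRequest()
    hvac.Client.return_value = fake_client

    # The service-account success test patches chaoslib.secret.open to supply
    # the token; do the same here so the failure under test is the refused
    # login and not an unreadable token file on the machine running the test.
    with patch("chaoslib.secret.open", mock_open(read_data="fake_sa_token")):
        with pytest.raises(InvalidExperiment):
            create_vault_client(config)

    # Pin the cause of the abort to the Kubernetes login attempt.
    fake_client.auth_kubernetes.assert_called()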
Пример #3
def test_should_auth_with_token(hvac):
    """A configured ``vault_token`` becomes the client token without an AppRole login.

    ``hvac`` is presumably the patched ``chaoslib.secret.hvac`` module; the
    decorator that supplies it is not part of this excerpt.
    """
    vault_stub = MagicMock()
    hvac.Client.return_value = vault_stub

    # Placeholder values only; the stubbed client means nothing is contacted.
    settings = {
        "vault_addr": "http://someaddr.com",
        "vault_token": "not_awesome_token",
        "vault_kv_version": "1",
    }
    client = create_vault_client(settings)

    # Token auth must not fall through to the AppRole login.
    vault_stub.auth_approle.assert_not_called()
    assert client.token == settings["vault_token"]
Пример #4
def test_should_auth_with_token(hvac):
    """Check that a static ``vault_token`` is used directly as the client token.

    ``hvac`` is presumably the patched ``chaoslib.secret.hvac`` module; the
    decorator that supplies it is not part of this excerpt.
    """
    # Placeholder values only; hvac.Client is stubbed, so nothing is contacted.
    settings = dict(
        vault_addr="http://someaddr.com",
        vault_token="not_awesome_token",
        vault_kv_version="1",
    )

    stub = MagicMock()
    hvac.Client.return_value = stub

    client = create_vault_client(settings)
    expected_token = settings["vault_token"]

    assert client.token == expected_token
    # A token-based configuration must not trigger an AppRole login.
    stub.auth_approle.assert_not_called()
Пример #5
def test_should_auth_with_approle(hvac):
    """AppRole settings lead to a login whose client token is kept on the client.

    ``hvac`` is presumably the patched ``chaoslib.secret.hvac`` module; the
    decorator that supplies it is not part of this excerpt.
    """
    login_reply = {"auth": {"client_token": "awesome_token"}}

    vault_stub = MagicMock()
    vault_stub.auth_approle.return_value = login_reply
    hvac.Client.return_value = vault_stub

    # Placeholder role id / secret id; the stubbed client never leaves the test.
    settings = {
        "vault_addr": "http://someaddr.com",
        "vault_role_id": "mighty_id",
        "vault_role_secret": "secret_secret",
    }
    client = create_vault_client(settings)

    issued_token = login_reply["auth"]["client_token"]
    assert client.token == issued_token

    # The login must receive exactly the configured role id and secret.
    expected_args = (settings["vault_role_id"], settings["vault_role_secret"])
    vault_stub.auth_approle.assert_called_with(*expected_args)
Пример #6
def test_should_auth_with_approle(hvac):
    """Verify the AppRole path: login with role id and secret, keep the token.

    ``hvac`` is presumably the patched ``chaoslib.secret.hvac`` module; the
    decorator that supplies it is not part of this excerpt.
    """
    # Placeholder credentials; the client is a mock, so nothing is contacted.
    settings = dict(
        vault_addr="http://someaddr.com",
        vault_role_id="mighty_id",
        vault_role_secret="secret_secret",
    )
    login_reply = dict(auth=dict(client_token="awesome_token"))

    # Configure the stubbed login result at construction time.
    stub = MagicMock(**{"auth_approle.return_value": login_reply})
    hvac.Client.return_value = stub

    client = create_vault_client(settings)

    assert client.token == login_reply["auth"]["client_token"]
    stub.auth_approle.assert_called_with(
        settings["vault_role_id"],
        settings["vault_role_secret"],
    )
Пример #7
def test_should_auth_with_service_account(hvac):
    """A service-account role triggers a Kubernetes login, not an AppRole one.

    ``hvac`` is presumably the patched ``chaoslib.secret.hvac`` module; the
    decorator that supplies it is not part of this excerpt.
    """
    stub = MagicMock()
    hvac.Client.return_value = stub

    settings = dict(
        vault_addr="http://someaddr.com",
        vault_sa_role="some_role",
        vault_k8s_mount_point="not_kubernetes",
        vault_kv_version="1",
    )

    # The JWT handed to the login is whatever the patched open() yields, so
    # no token file on the test machine is read.
    token_file = mock_open(read_data="fake_sa_token")
    with patch("chaoslib.secret.open", token_file):
        client = create_vault_client(settings)
        client.auth_approle.assert_not_called()

        expected_kwargs = {
            "role": settings["vault_sa_role"],
            "jwt": "fake_sa_token",
            "use_token": True,
            # The non-default mount point from the settings must be passed on.
            "mount_point": settings["vault_k8s_mount_point"],
        }
        client.auth_kubernetes.assert_called_with(**expected_kwargs)
Пример #8
def test_should_auth_with_service_account(hvac):
    """Check the Kubernetes login is made with the configured role and mount.

    ``hvac`` is presumably the patched ``chaoslib.secret.hvac`` module; the
    decorator that supplies it is not part of this excerpt.
    """
    sa_role = "some_role"
    mount = "not_kubernetes"
    # Placeholder values only; hvac.Client is stubbed, so nothing is contacted.
    settings = {
        "vault_addr": "http://someaddr.com",
        "vault_sa_role": sa_role,
        "vault_k8s_mount_point": mount,
        "vault_kv_version": "1",
    }

    vault_stub = MagicMock()
    hvac.Client.return_value = vault_stub

    # Replace open() inside chaoslib.secret so the service-account token comes
    # from the mock rather than from a file on the test machine.
    fake_token_file = mock_open(read_data="fake_sa_token")
    with patch("chaoslib.secret.open", fake_token_file):
        client = create_vault_client(settings)

        # The service-account path must not attempt an AppRole login.
        client.auth_approle.assert_not_called()
        client.auth_kubernetes.assert_called_with(
            role=settings["vault_sa_role"],
            jwt="fake_sa_token",
            use_token=True,
            mount_point=settings["vault_k8s_mount_point"],
        )
Пример #9
@patch("chaoslib.secret.hvac")
def test_should_auth_with_approle(hvac):
    """AppRole settings produce a login and the returned client token is kept.

    ``hvac`` is the mock that replaces ``chaoslib.secret.hvac`` for the
    duration of the test, so no Vault server is contacted.
    """
    login_reply = {"auth": {"client_token": "awesome_token"}}

    vault_stub = MagicMock()
    vault_stub.auth_approle.return_value = login_reply
    hvac.Client.return_value = vault_stub

    # Placeholder role id / secret id, never sent anywhere.
    settings = {
        "vault_addr": "http://someaddr.com",
        "vault_role_id": "mighty_id",
        "vault_role_secret": "secret_secret",
    }

    client = create_vault_client(settings)

    issued_token = login_reply["auth"]["client_token"]
    assert client.token == issued_token

    # The login must receive exactly the configured role id and secret.
    role_id = settings["vault_role_id"]
    role_secret = settings["vault_role_secret"]
    vault_stub.auth_approle.assert_called_with(role_id, role_secret)


@patch("chaoslib.secret.hvac")
def test_should_catch_approle_invalid_secret_id_abort_the_run(hvac):
    config = {
        "vault_addr": "http://someaddr.com",
        "vault_role_id": "mighty_id",
        "vault_role_secret": "expired",
    }