def connect(): ''' Connect to the vault server and return the connected vault client instance. ''' url = os.environ.get('VAULT_ADDR') token = os.environ.get('VAULT_TOKEN') if not url or not token: halt('Failed connecting to vault. ' + '`VAULT_ADDR` and `VAULT_TOKEN` must be set in your environment.') return Client(url=url, token=token)
def get_client(obj): client = Client( **{k: v for k, v in obj.VAULT_FOR_DYNACONF.items() if v is not None} ) if obj.VAULT_ROLE_ID_FOR_DYNACONF is not None: client.auth_approle( role_id=obj.VAULT_ROLE_ID_FOR_DYNACONF, secret_id=obj.get("VAULT_SECRET_ID_FOR_DYNACONF"), ) assert client.is_authenticated(), ( "Vault authentication error: is VAULT_TOKEN_FOR_DYNACONF or " "VAULT_ROLE_ID_FOR_DYNACONF defined?" ) return client
def test_auth_approle(self, test_label, mount_point, role_id, secret_id, requests_mocker): expected_status_code = 200 mock_response = { "auth": { "accessor": "f8b576f9-9146-4173-e174-40257d58015a", "client_token": "3db3d089-7d3c-f531-cd3e-bfe44696a92c", "lease_duration": 600, "metadata": { "role_name": "application1" }, "policies": [ "default" ], "renewable": True }, "data": None, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "2eb635ad-a763-926a-9815-4cb4d14a40f9", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format( 'approle' if mount_point is None else mount_point, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.auth_approle( role_id=role_id, secret_id=secret_id, ) else: actual_response = client.auth_approle( role_id=role_id, secret_id=secret_id, mount_point=mount_point, ) self.assertEquals( first=mock_response, second=actual_response, )
def test_get_role_secret_id_accessor(self, test_label, mount_point, role_name, secret_id_accessor, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "SecretIDNumUses": 0, "cidr_list": [], "creation_time": "2018-06-11T07:33:57.771908-05:00", "expiration_time": "0001-01-01T00:00:00Z", "last_updated_time": "2018-06-11T07:33:57.771908-05:00", "metadata": {}, "secret_id_accessor": secret_id_accessor, "secret_id_num_uses": 0, "secret_id_ttl": 0 }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "2c9fcba6-425d-e4c0-45fa-ee90450a3c00", "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id-accessor/lookup'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.get_role_secret_id_accessor( role_name=role_name, secret_id_accessor=secret_id_accessor, ) else: actual_response = client.get_role_secret_id_accessor( role_name=role_name, secret_id_accessor=secret_id_accessor, mount_point=mount_point, ) self.assertEquals( first=mock_response, second=actual_response, )
def test_get_role_secret_id(self, test_label, mount_point, role_name, secret_id, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "SecretIDNumUses": 0, "cidr_list": [], "creation_time": "2018-06-11T07:33:57.771908-05:00", "expiration_time": "0001-01-01T00:00:00Z", "last_updated_time": "2018-06-11T07:33:57.771908-05:00", "metadata": {}, "secret_id_accessor": "b58fd0ee-130c-33bb-5f69-6d4fd1731e5f", "secret_id_num_uses": 0, "secret_id_ttl": 0 }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "718a00fa-e76f-f1fc-9b9e-f9c4baa766b3", "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id/lookup'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.get_role_secret_id( role_name=role_name, secret_id=secret_id, ) else: actual_response = client.get_role_secret_id( role_name=role_name, secret_id=secret_id, mount_point=mount_point, ) self.assertEquals( first=mock_response, second=actual_response, )
def test_get_role(self, test_label, mount_point, role_name, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "bind_secret_id": True, "bound_cidr_list": "", "period": 0, "policies": [ "default" ], "secret_id_num_uses": 0, "secret_id_ttl": 0, "token_max_ttl": 900, "token_num_uses": 0, "token_ttl": 600 }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "0aab655f-ecd2-b3d4-3817-35b5bdfd3f28", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='GET', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.get_role( role_name=role_name, ) else: actual_response = client.get_role( role_name=role_name, mount_point=mount_point, ) self.assertEquals( first=mock_response, second=actual_response, )
def __init__(self): if not os.getenv("SERVICE_ACCOUNT_TOEKN_PATH"): self.k8s_service_account_token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token" else: self.k8s_service_account_token_path = os.getenv("SERVICE_ACCOUNT_TOEKN_PATH") if not os.getenv("VAULT_ROLE"): raise Exception('VAULT_ROLE is a mandatory env variable') else: self.role = os.getenv("VAULT_ROLE") if not os.getenv("VAULT_URL"): raise Exception("VAULT_URL is a mandatory env variable") else: self.vault_url = os.getenv("VAULT_URL") self.client = Client(url=self.vault_url)
def create_client(**kwargs): """Small helper to instantiate a :py:class:`hvac.v1.Client` class with the appropriate parameters for the test env. :param kwargs: Dictionary of additional keyword arguments to pass through to the Client instance being created. :type kwargs: dict :return: Instantiated :py:class:`hvac.v1.Client` class. :rtype: hvac.v1.Client """ client_cert_path = get_test_data_path('client-cert.pem') client_key_path = get_test_data_path('client-key.pem') server_cert_path = get_test_data_path('server-cert.pem') return Client(url='https://localhost:8200', cert=(client_cert_path, client_key_path), verify=server_cert_path, **kwargs)
def __init__(self, client_token): if not os.getenv("VAULT_URL"): raise Exception("VAULT_URL is a mandatory env variable") else: self.vault_url = os.getenv("VAULT_URL") self.client = Client(url=self.vault_url, token=client_token) if not os.getenv("VAULT_SECRET_PATH"): raise Exception("VAULT_SECRET_PATH is a mandatory env variable") else: self.secret_path = os.getenv("VAULT_SECRET_PATH") if not os.getenv("ENV_VARIABLES_PATH"): raise Exception("ENV_VARIABLES_PATH is a mandatory env variable") else: self.ENV_VARIABLES_PATH = os.getenv("ENV_VARIABLES_PATH")
def test_auth_aws_iam(self, login_mock, datetime_mock): datetime_mock.utcnow.return_value = datetime(2015, 8, 30, 12, 36, 0) client = Client() client.auth_aws_iam('AKIDEXAMPLE', 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY') login_mock.assert_called() args, kwargs = login_mock.call_args actual_params = kwargs['json'] actual_iam_http_request_method = actual_params[ 'iam_http_request_method'] self.assertEqual('POST', actual_iam_http_request_method) actual_iam_request_url = b64decode( actual_params['iam_request_url']).decode('utf-8') self.assertEqual('https://sts.amazonaws.com/', actual_iam_request_url) expected_auth_header_parts = [ 'Credential=AKIDEXAMPLE/20150830/us-east-1/sts/aws4_request', 'SignedHeaders=content-length;content-type;host;x-amz-date', 'Signature=0268ea4a725deae1116f5228d6b177fb047f9f3a9e1c5fd4baa0dc1fbb0d1a99', ] expected_iam_request_headers = { 'Authorization': [ '{0} {1}'.format('AWS4-HMAC-SHA256', ', '.join(expected_auth_header_parts)) ], 'Content-Length': ['43'], 'Content-Type': ['application/x-www-form-urlencoded; charset=utf-8'], 'Host': ['sts.amazonaws.com'], 'X-Amz-Date': ['20150830T123600Z'], } actual_iam_request_headers = json.loads( b64decode(actual_params['iam_request_headers'])) self.assertEqual(expected_iam_request_headers, actual_iam_request_headers) actual_iam_request_body = b64decode( actual_params['iam_request_body']).decode('utf-8') self.assertEqual('Action=GetCallerIdentity&Version=2011-06-15', actual_iam_request_body) actual_role = actual_params['role'] self.assertEqual('', actual_role)
def test_create_role_custom_secret_id(self, test_label, mount_point, role_name, secret_id, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "secret_id": secret_id, "secret_id_accessor": "f5cb4b7d-9111-320e-6f24-73bf45d3845d" }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "e7c8b2e1-95e8-cb17-e98a-6c428201f1d5", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/custom-secret-id'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.create_role_custom_secret_id( role_name=role_name, secret_id=secret_id, ) else: actual_response = client.create_role_custom_secret_id( role_name=role_name, secret_id=secret_id, mount_point=mount_point, ) self.assertEquals( first=mock_response, second=actual_response, )
def test_list_role_secrets(self, test_label, mount_point, role_name, secret_id, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "keys": [ secret_id ] }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "eb805845-f6ce-a514-9238-6914664dd601", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='LIST', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.list_role_secrets( role_name=role_name, ) else: actual_response = client.list_role_secrets( role_name=role_name, mount_point=mount_point, ) self.assertEquals( first=mock_response, second=actual_response, )
def test_auth_kubernetes(self, test_label, test_role, test_jwt, mount_point, requests_mocker): mock_response = { 'auth': { 'accessor': 'accessor-1234-5678-9012-345678901234', 'client_token': 'cltoken-1234-5678-9012-345678901234', 'lease_duration': 10000, 'metadata': { 'role': 'custom_role', 'service_account_name': 'vault-auth', 'service_account_namespace': 'default', 'service_account_secret_name': 'vault-auth-token-pd21c', 'service_account_uid': 'aa9aa8ff-98d0-11e7-9bb7-0800276d99bf' }, 'policies': ['default', 'custom_role'], 'renewable': True }, 'data': None, 'lease_duration': 0, 'lease_id': '', 'renewable': False, 'request_id': 'requesti-1234-5678-9012-345678901234', 'warnings': [], 'wrap_info': None } mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format( 'kubernetes' if mount_point is None else mount_point) requests_mocker.register_uri(method='POST', url=mock_url, json=mock_response) client = Client() test_arguments = dict( role=test_role, jwt=test_jwt, ) if mount_point: test_arguments['mount_point'] = mount_point actual_response = client.auth_kubernetes(**test_arguments) # ensure we received our mock response data back successfully self.assertEqual(mock_response, actual_response)
def __init__(self, connection_config) -> None: ''' Args: connection_config (Dict): Parameters required to connect to the Vault ''' try: token = os.environ[connection_config['token_env']] except KeyError as error: raise SecretsException( 'Token environment variable missing: {}'.format(error) ) self._client = Client( url=connection_config['url'], token=token ) if not self._client.is_authenticated(): raise SecretsException('Vault client authentication failed!') else: logging.debug('Sucessfully connected to Vault.')
def test_auth_ec2(self, test_label, mount_point, requests_mocker): mock_response = { 'auth': { 'accessor': 'accessor-1234-5678-9012-345678901234', 'client_token': 'cltoken-1234-5678-9012-345678901234', 'lease_duration': 10000, 'metadata': { 'account_id': '12345678912', 'ami_id': 'ami-someami', 'instance_id': 'i-instanceid', 'nonce': 'thenonce-1234-5678-9012-345678901234', 'region': 'us-east-1', 'role': 'custom_role', 'role_tag_max_ttl': '0s' }, 'policies': ['default', 'custom_role'], 'renewable': True }, 'data': None, 'lease_duration': 0, 'lease_id': '', 'renewable': False, 'request_id': 'requesti-1234-5678-9012-345678901234', 'warnings': [], 'wrap_info': None } mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format( 'aws-ec2' if mount_point is None else mount_point) requests_mocker.register_uri(method='POST', url=mock_url, json=mock_response) client = Client() if mount_point is None: actual_response = client.auth_ec2(pkcs7='mock_pcks7') else: actual_response = client.auth_ec2(pkcs7='mock_pcks7', mount_point=mount_point) # ensure we received our mock response data back successfully self.assertEqual(mock_response, actual_response)
def test_create_role_secret_id(self, test_label, mount_point, role_name, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "secret_id": "be78e3ca-f644-b099-3291-e8a6f5985cfe", "secret_id_accessor": "b58fd0ee-130c-33bb-5f69-6d4fd1731e5f" }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "2310dc21-0fea-a2de-2d94-bb4edd59f1e9", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/secret-id'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.create_role_secret_id( role_name=role_name, ) else: actual_response = client.create_role_secret_id( role_name=role_name, mount_point=mount_point, ) self.assertEquals( first=mock_response, second=actual_response, )
def test_read_lease(self, test_label, test_lease_id, requests_mocker): test_path = 'http://localhost:8200/v1/sys/leases/lookup' mock_response = { 'issue_time': '2018-07-15T08:35:34.775859245-05:00', 'renewable': False, 'id': test_lease_id, 'ttl': 259199, 'expire_time': '2018-07-18T08:35:34.00004241-05:00', 'last_renewal': None } requests_mocker.register_uri( method='PUT', url=test_path, json=mock_response, ) client = Client() response = client.read_lease(lease_id=test_lease_id, ) self.assertEquals( first=mock_response, second=response, )
def test_auth_gcp(self, test_label, test_role, test_jwt, mount_point, requests_mocker): mock_response = { 'auth': { 'accessor': 'accessor-1234-5678-9012-345678901234', 'client_token': 'cltoken-1234-5678-9012-345678901234', 'lease_duration': 10000, 'metadata': { 'role': 'custom_role', 'service_account_email': '*****@*****.**', 'service_account_id': '111111111111111111111' }, 'policies': ['default', 'custom_role'], 'renewable': True }, 'data': None, 'lease_duration': 0, 'lease_id': '', 'renewable': False, 'request_id': 'requesti-1234-5678-9012-345678901234', 'warnings': [], 'wrap_info': None } mock_url = 'http://localhost:8200/v1/auth/{0}/login'.format( 'gcp' if mount_point is None else mount_point) requests_mocker.register_uri(method='POST', url=mock_url, json=mock_response) client = Client() if mount_point is None: actual_response = client.auth_gcp(role=test_role, jwt=test_jwt) else: actual_response = client.auth_gcp(role=test_role, jwt=test_jwt, mount_point=mount_point) # ensure we received our mock response data back successfully self.assertEqual(mock_response, actual_response)
def test_get_role_id(self, test_label, mount_point, role_name, role_id, requests_mocker): expected_status_code = 200 mock_response = { "auth": None, "data": { "role_id": role_id }, "lease_duration": 0, "lease_id": "", "renewable": False, "request_id": "85590a1a-6dd7-de79-01b0-1c285d505bf2", "warnings": None, "wrap_info": None } mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}/role-id'.format( 'approle' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='GET', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() if mount_point is None: actual_response = client.get_role_id( role_name=role_name ) else: actual_response = client.get_role_id( role_name=role_name, mount_point=mount_point ) # ensure we received our mock response data back successfully self.assertEqual( first=role_id, second=actual_response )
def test_list_ec2_roles(self, test_label, mount_point, requests_mocker): mock_response = {"data": {"keys": ["dev-role", "prod-role"]}} expected_status_code = 200 mock_url = 'http://localhost:8200/v1/auth/{0}/roles?list=true'.format( 'aws-ec2' if mount_point is None else mount_point, ) requests_mocker.register_uri( method='GET', url=mock_url, json=mock_response, status_code=expected_status_code, ) client = Client() if mount_point is None: actual_response = client.list_ec2_roles() else: actual_response = client.list_ec2_roles(mount_point=mount_point) self.assertEqual( first=mock_response, second=actual_response, )
def test_get_kubernetes_configuration(self, test_label, mount_point, requests_mocker): expected_status_code = 200 mock_response = { 'auth': None, 'data': { 'kubernetes_ca_cert': '', 'kubernetes_host': '127.0.0.1:80', 'pem_keys': ['some key'], 'token_reviewer_jwt': '' }, 'lease_duration': 0, 'lease_id': '', 'renewable': False, 'request_id': '12687b5f-b4f5-2ba4-aae2-2a8d7e53ca55', 'warnings': None, 'wrap_info': None } mock_url = 'http://localhost:8200/v1/auth/{0}/config'.format( 'kubernetes' if mount_point is None else mount_point, ) requests_mocker.register_uri( method='GET', url=mock_url, status_code=expected_status_code, json=mock_response, ) client = Client() test_arguments = dict() if mount_point: test_arguments['mount_point'] = mount_point actual_response = client.get_kubernetes_configuration(**test_arguments) self.assertEquals( first=mock_response, second=actual_response, )
def test_delete_vault_ec2_client_configuration(self, test_label, mount_point, requests_mocker): expected_status_code = 204 mock_url = 'http://localhost:8200/v1/auth/{0}/config/client'.format( 'aws-ec2' if mount_point is None else mount_point) requests_mocker.register_uri( method='DELETE', url=mock_url, status_code=expected_status_code, ) client = Client() if mount_point is None: actual_response = client.delete_vault_ec2_client_configuration() else: actual_response = client.delete_vault_ec2_client_configuration( mount_point=mount_point) self.assertEqual( first=expected_status_code, second=actual_response.status_code, )
def test_get_auth_backend_tuning(self, requests_mocker): expected_status_code = 200 test_backend_type = 'approle' test_mount_point = 'approle-test' mock_response = { 'max_lease_ttl': 12345678, 'lease_id': '', 'force_no_cache': False, 'warnings': None, 'data': { 'force_no_cache': False, 'default_lease_ttl': 2764800, 'max_lease_ttl': 12345678 }, 'wrap_info': None, 'auth': None, 'lease_duration': 0, 'request_id': '673f2336-3235-b988-2194-c68261a02bfe', 'default_lease_ttl': 2764800, 'renewable': False } requests_mocker.register_uri( method='GET', url='http://localhost:8200/v1/sys/auth/{0}/tune'.format(test_mount_point), status_code=expected_status_code, json=mock_response ) client = Client() actual_response = client.get_auth_backend_tuning( backend_type=test_backend_type, mount_point=test_mount_point, ) self.assertEqual( first=mock_response, second=actual_response, )
def main(): logger.info("Trying to login with Token") logger.debug("Debug enabled") try: client = Client( url=os.environ['VAULT_ADDR'], token=os.environ['VAULT_TOKEN'] ) client.is_authenticated() except Exception as err: logger.exception("Token Login failed: %s", err) exit(2) transit = Transit(client=client, encryption_key='backup', mount='transit') kv = KVstore(client, cfg['kv_path'], transit=transit) data = kv.get_base_folder() write_to_disk(cfg['out_file'], data) logger.info(f"Finished encrypting and writting data to {cfg['out_file']}") exported_key = transit.backup_key() write_to_disk(cfg['backup_key'], exported_key) logger.info(f"Finished encrypting and writting data to {cfg['backup_key']}")
def test_delete_kubernetes_role(self, test_label, mount_point, role_name, requests_mocker): expected_status_code = 204 mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format( 'kubernetes' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='DELETE', url=mock_url, status_code=expected_status_code, ) client = Client() test_arguments = dict(role=role_name, ) if mount_point: test_arguments['mount_point'] = mount_point actual_response = client.delete_kubernetes_role(**test_arguments) self.assertEquals( first=expected_status_code, second=actual_response.status_code, )
def test_create_ec2_role(self, test_label, mount_point, role_name, requests_mocker): expected_status_code = 204 mock_url = 'http://localhost:8200/v1/auth/{0}/role/{1}'.format( 'aws-ec2' if mount_point is None else mount_point, role_name, ) requests_mocker.register_uri( method='POST', url=mock_url, status_code=expected_status_code, ) client = Client() if mount_point is None: actual_response = client.create_ec2_role(role=role_name) else: actual_response = client.create_ec2_role(role=role_name, mount_point=mount_point) self.assertEqual( first=expected_status_code, second=actual_response.status_code, )
def __init__(self): '''[summary] Initializes and unseals the Vault [description] Initializes the Vault, if it has not been initialized yet and unseals it. ''' # The Borg Singleton self.__dict__ = self.__shared_state if not self.client: self._logger = logging.getLogger('flask.app') self._logger.info('Initializing Vault @ %s .', VAULT_URL) self.client = Client(url=VAULT_URL) if self._is_vault_initialized(): self._logger.info('Vault already initalized.') self._load_keys() else: vault = self._init_vault() self._token = vault['root_token'] self._unseal_keys = vault['keys'] self._logger.info('Vault initalized.') self._save_keys() self.client.token = self._token self._logger.info('Unsealing Vault.') self._unseal_vault() self._logger.info('Vault unsealed.')
def create_client(**kwargs): return Client(url='https://localhost:8200', cert=('test/client-cert.pem', 'test/client-key.pem'), verify='test/server-cert.pem', **kwargs)
#!/usr/bin/env python import os from hvac import Client from tools.vault import * CURRENT_DIR = os.path.dirname(os.path.realpath(__file__)) SETTINGS_FILE = os.path.join(CURRENT_DIR, '.vault-init.json') vault = Client(url="https://localhost:8200", verify="ssl/certs/ca.pem") vault_settings = load_vault_keys(SETTINGS_FILE) unseal_vault(vault, vault_settings)
def create_client(**kwargs): return Client(**kwargs)