示例#1
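def _add_secrets_to_vault(vault_name, secrets, confirm, **kwargs):
    """
    Write each entry of `secrets` to the named vault, offering to create it.

    Parameters
    ----------
    vault_name : str
        Name of the vault to look up (and create if the lookup fails).
    secrets : dict
        Mapping of secret name to secret value.
    confirm
        Passed to `_prompt_yn` together with each question.
        NOTE(review): presumably decides whether the user is asked
        interactively - confirm against `_prompt_yn`.
    **kwargs
        Forwarded unchanged to `BHKeyVaultMgmtClient` and `BHKeyVaultClient`.

    Notes
    -----
    Only secret *names* are echoed to stdout; values are never printed here.

    """
    print("Vault management requires authentication")
    # Built outside the try block: a CloudError raised while constructing the
    # management client must not be reported as "vault not found", and the
    # except branch below needs `kv_mgmt` to be bound.
    kv_mgmt = BHKeyVaultMgmtClient(**kwargs)
    # Default so the check below is safe when the lookup fails and the user
    # declines to create a new vault.
    vault_uri = None
    try:
        vault_uri = kv_mgmt.get_vault_uri(vault_name)
        print(f"Vault {vault_name} found.")
    except CloudError:
        mssg = f"Vault {vault_name} not found. Create new vault (y/n)?"
        if _prompt_yn(mssg, confirm):
            print(f"Creating {vault_name}. Please wait...")
            new_vault = kv_mgmt.create_vault(vault_name=vault_name)
            vault_uri = new_vault.properties.vault_uri
            print(f"New vault {vault_name} created")
    if not vault_uri:
        print("Vault name was not created. Aborting.")
        return

    mssg = f"Add secrets to vault {vault_name} (y/n)?"
    print("Adding secrets to vault requires authentication")
    if _prompt_yn(mssg, confirm):
        kv_client = BHKeyVaultClient(vault_name=vault_name, **kwargs)
        for sec_name, sec_value in secrets.items():
            # Log the name only - the value must not reach stdout.
            print(f"setting {sec_name}")
            kv_client.set_secret(secret_name=sec_name, value=sec_value)
        print("Done")
        print("Secrets in vault:\n", "\n".join(kv_client.secrets))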
示例#2
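def _list_secrets(vault_name: str, confirm, **kwargs):
    """
    Print the secret names held in a vault and, if agreed, their values.

    Parameters
    ----------
    vault_name : str
        Name of the vault to read from.
    confirm
        Passed to `_prompt_yn` with the "show values" question.
        NOTE(review): if this can auto-answer "yes", every secret value is
        printed without an interactive check - confirm against `_prompt_yn`.
    **kwargs
        Forwarded unchanged to `BHKeyVaultClient`.

    Notes
    -----
    When values are shown they go to stdout in clear text, so they can persist
    in terminal scrollback, saved notebook output or captured logs. When the
    prompt is declined a fixed mask is printed and no value is fetched.

    """
    mssg = "Show secret values (y/n)?"
    print(f"Secrets currently in vault {vault_name}")
    show_secrets = _prompt_yn(mssg, confirm)
    kv_client = BHKeyVaultClient(vault_name=vault_name, **kwargs)
    for sec_name in kv_client.secrets:
        print(f"Secret: {sec_name}", end=": ")
        if show_secrets:
            # NOTE(review): assumes get_secret returns an object exposing
            # `.value` - confirm for the BHKeyVaultClient version in use.
            secret = kv_client.get_secret(secret_name=sec_name)
            print(secret.value)
        else:
            # Fixed-width mask: reveals neither the value nor its length.
            print("************")
    # Completion marker is printed once, after the whole listing, rather than
    # after every secret.
    print("Done")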
示例#3
    def test_keyvault_client(
        self,
        sec_client,
        az_connect_core_patch,
        html_ip,
        display_ip,
        is_ipython_ip,
    ):
        # Exercises BHKeyVaultClient construction and secret lookup against an
        # in-memory stand-in (SecretClientTest), so only fixture values are
        # read or written. az_connect_core_patch, html_ip, display_ip and
        # is_ipython_ip are accepted but not used in this body.
        fake_store = SecretClientTest()
        stub_client = MagicMock()
        # Route the three secret operations of the stub to the fake store.
        for method_name in ("list_properties_of_secrets", "get_secret", "set_secret"):
            setattr(stub_client, method_name, getattr(fake_store, method_name))
        sec_client.return_value = stub_client
        settings = get_kv_settings("msticpyconfig-kv.yaml")

        # The vault may be identified by URI or by name.
        BHKeyVaultClient(
            tenant_id=settings.tenantid,
            vault_uri="https://myvault.vault.azure.net",
            debug=True,
        )
        BHKeyVaultClient(tenant_id=settings.tenantid, vault_name="myvault", debug=True)

        # Settings without a tenant id must be rejected as a config error.
        settings_without_tenant = deepcopy(settings)
        settings_without_tenant.tenantid = None
        with self.assertRaises(MsticpyKeyVaultConfigError):
            BHKeyVaultClient(settings=settings_without_tenant, debug=True)

        client = BHKeyVaultClient(debug=True)

        # Every listed secret id must end in a known fixture name.
        for secret_id in client.secrets:
            self.assertIn(secret_id.split("/")[-1], KV_SECRETS)

        # Each fixture secret must read back with its expected value.
        for name, expected in KV_SECRETS.items():
            self.assertEqual(expected, client.get_secret(name))

        # An unknown name raises the missing-secret error ...
        with self.assertRaises(MsticpyKeyVaultMissingSecretError):
            client.get_secret("DoesntExist")

        # ... and so does a secret that exists but holds an empty value.
        fake_store.set_secret("NoSecret", "")
        with self.assertRaises(MsticpyKeyVaultMissingSecretError):
            client.get_secret("NoSecret")

        # A value written to the fake store is visible through the client.
        fake_store.set_secret("MyTestSecret", "TheActualValue")
        self.assertEqual(client.get_secret("MyTestSecret"), "TheActualValue")
示例#4
    def test_keyvault_client(
        self,
        sec_client,
        interact_cred,
        devcode_cred,
        html_ip,
        display_ip,
        is_ipython_ip,
    ):
        # Exercises BHKeyVaultClient construction, the device-code logon
        # message and secret lookup against an in-memory stand-in
        # (SecretClientTest). interact_cred and display_ip are accepted but
        # not used in this body.
        fake_store = SecretClientTest()
        stub_client = MagicMock()
        # Route the three secret operations of the stub to the fake store.
        for method_name in ("list_properties_of_secrets", "get_secret", "set_secret"):
            setattr(stub_client, method_name, getattr(fake_store, method_name))
        sec_client.return_value = stub_client

        def fake_device_prompt(client_id, authority, prompt_callback):
            # Ignores its arguments and always presents the fixture DEV_CODE.
            return _prompt_for_code(DEV_CODE)

        devcode_cred.side_effect = fake_device_prompt
        settings = get_kv_settings("msticpyconfig-kv.yaml")

        # The vault may be identified by URI or by name.
        BHKeyVaultClient(
            tenant_id=settings.tenantid,
            vault_uri="https://myvault.vault.azure.net",
            debug=True,
        )
        BHKeyVaultClient(tenant_id=settings.tenantid, vault_name="myvault", debug=True)

        # Settings without a tenant id must be rejected as a config error.
        settings_without_tenant = deepcopy(settings)
        settings_without_tenant.tenantid = None
        with self.assertRaises(MsticpyKeyVaultConfigError):
            BHKeyVaultClient(settings=settings_without_tenant, debug=True)

        # Device auth with IPython reported as present: the user code and
        # verification URL must appear in the last HTML call.
        is_ipython_ip.return_value = True
        client = BHKeyVaultClient(debug=True, authn_type="device")
        logon_html = html_ip.call_args_list[-1][0][0]
        for field in ("user_code", "verification_url"):
            self.assertIn(DEV_CODE[field], logon_html)

        # Device auth with IPython reported as absent: the same two values
        # must be written to stdout instead.
        is_ipython_ip.return_value = False
        captured = StringIO()
        with redirect_stdout(captured):
            client = BHKeyVaultClient(debug=True, authn_type="device")
        console_text = captured.getvalue()
        for field in ("user_code", "verification_url"):
            self.assertIn(DEV_CODE[field], console_text)

        # Every listed secret id must end in a known fixture name.
        for secret_id in client.secrets:
            self.assertIn(secret_id.split("/")[-1], KV_SECRETS)

        # Each fixture secret must read back with its expected value.
        for name, expected in KV_SECRETS.items():
            self.assertEqual(expected, client.get_secret(name))

        # An unknown name raises the missing-secret error ...
        with self.assertRaises(MsticpyKeyVaultMissingSecretError):
            client.get_secret("DoesntExist")

        # ... and so does a secret that exists but holds an empty value.
        fake_store.set_secret("NoSecret", "")
        with self.assertRaises(MsticpyKeyVaultMissingSecretError):
            client.get_secret("NoSecret")

        # A value written to the fake store is visible through the client.
        fake_store.set_secret("MyTestSecret", "TheActualValue")
        self.assertEqual(client.get_secret("MyTestSecret"), "TheActualValue")