def test_read_config(self, label, write_config_first=True, raises=None):
credentials = utils.load_config_file('example.jwt.json')
if write_config_first:
self.client.auth.gcp.configure(
credentials=credentials,
mount_point=self.TEST_MOUNT_POINT,
)
if raises is not None:
with self.assertRaises(raises):
self.client.auth.gcp.read_config(
mount_point=self.TEST_MOUNT_POINT,
)
else:
read_config_response = self.client.auth.gcp.read_config(
mount_point=self.TEST_MOUNT_POINT,
)
logging.debug('read_config_response: %s' % read_config_response)
creds_dict = json.loads(credentials)
expected_config = {
'project_id': creds_dict['project_id'],
'client_email': creds_dict['client_email'],
'private_key_id': creds_dict['private_key_id'],
}
for k, v in expected_config.items():
self.assertEqual(
first=v,
second=read_config_response[k],
)
def test_read_config(self, label, write_config_first=True, raises=None):
credentials = utils.load_config_file('example.jwt.json')
if write_config_first:
self.client.auth.gcp.configure(
credentials=credentials,
mount_point=self.TEST_MOUNT_POINT,
)
if raises is not None:
with self.assertRaises(raises):
self.client.auth.gcp.read_config(
mount_point=self.TEST_MOUNT_POINT, )
else:
read_config_response = self.client.auth.gcp.read_config(
mount_point=self.TEST_MOUNT_POINT, )
logging.debug('read_config_response: %s' % read_config_response)
creds_dict = json.loads(credentials)
expected_config = {
'project_id': creds_dict['project_id'],
'client_email': creds_dict['client_email'],
'private_key_id': creds_dict['private_key_id'],
}
for k, v in expected_config.items():
self.assertEqual(
first=v,
second=read_config_response[k],
)
def get_active_vault_addresses(self):
vault_addresses = []
for config_path in self.config_paths:
config_hcl = load_config_file(config_path)
config = hcl.loads(config_hcl)
try:
vault_address = 'https://{addr}'.format(addr=config['listener']['tcp']['address'])
except KeyError as error:
logger.debug('Unable to find explict Vault address in config file {path}: {err}'.format(
path=config_path,
err=error,
))
vault_address = 'https://127.0.0.1:8200'
logger.debug('Using default address: {addr}'.format(addr=vault_address))
vault_addresses.append(vault_address)
return vault_addresses
def get_active_vault_addresses(self):
vault_addresses = []
for config_path in self.config_paths:
config_hcl = load_config_file(config_path)
config = hcl.loads(config_hcl)
try:
vault_address = 'https://{addr}'.format(addr=config['listener']['tcp']['address'])
except KeyError as error:
logger.debug('Unable to find explict Vault address in config file {path}: {err}'.format(
path=config_path,
err=error,
))
vault_address = 'https://127.0.0.1:8200'
logger.debug('Using default address: {addr}'.format(addr=vault_address))
vault_addresses.append(vault_address)
return vault_addresses
def test_login(self, label, test_params, raises, requests_mocker):
role_name = 'hvac'
credentials = utils.load_config_file('example.jwt.json')
test_policies = [
"default",
"dev",
"prod",
]
expected_status_code = 200
mock_url = 'http://localhost:8200/v1/auth/{mount_point}/login'.format(
mount_point=self.TEST_MOUNT_POINT, )
mock_response = {
"auth": {
"client_token": "f33f8c72-924e-11f8-cb43-ac59d697597c",
"accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d",
"policies": test_policies,
"lease_duration": 2764800,
"renewable": True,
},
}
requests_mocker.register_uri(
method='POST',
url=mock_url,
status_code=expected_status_code,
json=mock_response,
)
gcp = Gcp(adapter=Request())
if raises is not None:
with self.assertRaises(raises):
gcp.login(role=role_name,
jwt=credentials,
mount_point=self.TEST_MOUNT_POINT,
**test_params)
else:
login_response = gcp.login(role=role_name,
jwt=credentials,
mount_point=self.TEST_MOUNT_POINT,
**test_params)
logging.debug('login_response: %s' % login_response)
self.assertEqual(
first=login_response['auth']['policies'],
second=test_policies,
)
def test_write_config(self,
label,
max_ttl=3600,
raises=False,
exception_message=''):
credentials = utils.load_config_file('example.jwt.json')
if raises:
with self.assertRaises(raises) as cm:
self.client.secrets.gcp.configure(
credentials=credentials,
max_ttl=max_ttl,
mount_point=self.TEST_MOUNT_POINT,
)
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
configure_response = self.client.secrets.gcp.configure(
credentials=credentials,
max_ttl=max_ttl,
mount_point=self.TEST_MOUNT_POINT,
)
logging.debug('configure_response: %s' % configure_response)
self.assertEqual(
first=bool(configure_response),
second=True,
)
read_configuration_response = self.client.secrets.gcp.read_config(
mount_point=self.TEST_MOUNT_POINT, )
logging.debug('read_configuration_response: %s' %
read_configuration_response)
self.assertEqual(
first=read_configuration_response['data']['max_ttl'],
second=max_ttl,
)
class TestLdap(HvacIntegrationTestCase, TestCase):
TEST_LDAP_PATH = 'test-ldap'
ldap_server = None
mock_server_port = None
mock_ldap_url = None
@classmethod
def setUpClass(cls):
super(TestLdap, cls).setUpClass()
logging.getLogger('ldap_test').setLevel(logging.ERROR)
cls.mock_server_port = utils.get_free_port()
cls.mock_ldap_url = 'ldap://localhost:{port}'.format(port=cls.mock_server_port)
cls.ldap_server = LdapServer({
'port': cls.mock_server_port,
'bind_dn': LDAP_BIND_DN,
'password': LDAP_BIND_PASSWORD,
'base': {
'objectclass': ['domain'],
'dn': LDAP_BASE_DN,
'attributes': {'dc': LDAP_BASE_DC}
},
'entries': LDAP_ENTRIES,
})
cls.ldap_server.start()
@classmethod
def tearDownClass(cls):
super(TestLdap, cls).tearDownClass()
cls.ldap_server.stop()
def setUp(self):
super(TestLdap, self).setUp()
if 'ldap/' not in self.client.list_auth_backends():
self.client.sys.enable_auth_method(
method_type='ldap',
path=self.TEST_LDAP_PATH
)
def tearDown(self):
super(TestLdap, self).tearDown()
self.client.disable_auth_backend(
mount_point=self.TEST_LDAP_PATH,
)
@parameterized.expand([
('update url', dict(url=LDAP_URL)),
('update binddn', dict(url=LDAP_URL, bind_dn='cn=vault,ou=Users,dc=hvac,dc=network')),
('update upn_domain', dict(url=LDAP_URL, upn_domain='python-hvac.org')),
('update certificate', dict(url=LDAP_URL, certificate=utils.load_config_file('server-cert.pem'))),
('incorrect tls version', dict(url=LDAP_URL, tls_min_version='cats'), exceptions.InvalidRequest,
"invalid 'tls_min_version'"),
])
def test_configure(self, test_label, parameters, raises=None, exception_message=''):
parameters.update({
'user_dn': LDAP_USERS_DN,
'group_dn': LDAP_GROUPS_DN,
'mount_point': self.TEST_LDAP_PATH,
})
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.ldap.configure(**parameters)
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
expected_status_code = 204
configure_response = self.client.auth.ldap.configure(**parameters)
self.assertEqual(
first=expected_status_code,
second=configure_response.status_code
)
read_config_response = self.client.auth.ldap.read_configuration(
mount_point=self.TEST_LDAP_PATH,
)
for parameter, argument in parameters.items():
if parameter == 'mount_point':
continue
self.assertIn(
member=argument,
container=read_config_response['data'].values(),
)
def test_read_configuration(self):
response = self.client.auth.ldap.read_configuration(
mount_point=self.TEST_LDAP_PATH,
)
self.assertIn(
member='data',
container=response,
)
@parameterized.expand([
('no policies', 'cats'),
('policies as list', 'cats', ['purr-policy']),
('policies as invalid type', 'cats', 'purr-policy', exceptions.ParamValidationError, '"policies" argument must be an instance of list'),
])
def test_create_or_update_group(self, test_label, name, policies=None, raises=None, exception_message=''):
expected_status_code = 204
if raises:
with self.assertRaises(raises) as cm:
create_response = self.client.auth.ldap.create_or_update_group(
name=name,
policies=policies,
mount_point=self.TEST_LDAP_PATH,
)
if exception_message is not None:
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
create_response = self.client.auth.ldap.create_or_update_group(
name=name,
policies=policies,
mount_point=self.TEST_LDAP_PATH,
)
self.assertEqual(
first=expected_status_code,
second=create_response.status_code
)
@parameterized.expand([
('read configured groups', 'cats'),
('non-existent groups', 'cats', False, exceptions.InvalidPath),
])
def test_list_groups(self, test_label, name, configure_first=True, raises=None, exception_message=None):
if configure_first:
self.client.auth.ldap.create_or_update_group(
name=name,
mount_point=self.TEST_LDAP_PATH,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.ldap.list_groups(
mount_point=self.TEST_LDAP_PATH,
)
if exception_message is not None:
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
list_groups_response = self.client.auth.ldap.list_groups(
mount_point=self.TEST_LDAP_PATH,
)
# raise Exception(list_groups_response)
self.assertDictEqual(
d1=dict(keys=[name]),
d2=list_groups_response['data'],
)
@parameterized.expand([
('read configured group', 'cats'),
('non-existent group', 'cats', False, exceptions.InvalidPath),
])
def test_read_group(self, test_label, name, configure_first=True, raises=None, exception_message=None):
if configure_first:
self.client.auth.ldap.create_or_update_group(
name=name,
mount_point=self.TEST_LDAP_PATH,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.ldap.read_group(
name=name,
mount_point=self.TEST_LDAP_PATH,
)
if exception_message is not None:
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
read_group_response = self.client.auth.ldap.read_group(
name=name,
mount_point=self.TEST_LDAP_PATH,
)
self.assertIn(
member='policies',
container=read_group_response['data'],
)
@parameterized.expand([
('no policies or groups', 'cats'),
('policies as list', 'cats', ['purr-policy']),
('policies as invalid type', 'cats', 'purr-policy', None, exceptions.ParamValidationError, '"policies" argument must be an instance of list'),
('no groups', 'cats', ['purr-policy']),
('groups as list', 'cats', None, ['meow-group']),
('groups as invalid type', 'cats', None, 'meow-group', exceptions.ParamValidationError, '"groups" argument must be an instance of list'),
])
def test_create_or_update_user(self, test_label, username, policies=None, groups=None, raises=None, exception_message=''):
expected_status_code = 204
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.ldap.create_or_update_user(
username=username,
policies=policies,
groups=groups,
mount_point=self.TEST_LDAP_PATH,
)
if exception_message is not None:
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
create_response = self.client.auth.ldap.create_or_update_user(
username=username,
policies=policies,
groups=groups,
mount_point=self.TEST_LDAP_PATH,
)
self.assertEqual(
first=expected_status_code,
second=create_response.status_code
)
@parameterized.expand([
('read configured group', 'cats'),
('non-existent group', 'cats', False, exceptions.InvalidPath),
])
def test_delete_group(self, test_label, name, configure_first=True, raises=None, exception_message=None):
if configure_first:
self.client.auth.ldap.create_or_update_group(
name=name,
mount_point=self.TEST_LDAP_PATH,
)
expected_status_code = 204
delete_group_response = self.client.auth.ldap.delete_group(
name=name,
mount_point=self.TEST_LDAP_PATH,
)
self.assertEqual(
first=expected_status_code,
second=delete_group_response.status_code
)
@parameterized.expand([
('read configured user', 'cats'),
('non-existent user', 'cats', False, exceptions.InvalidPath),
])
def test_list_users(self, test_label, username, configure_first=True, raises=None, exception_message=None):
if configure_first:
self.client.auth.ldap.create_or_update_user(
username=username,
mount_point=self.TEST_LDAP_PATH,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.ldap.list_users(
mount_point=self.TEST_LDAP_PATH,
)
if exception_message is not None:
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
list_users_response = self.client.auth.ldap.list_users(
mount_point=self.TEST_LDAP_PATH,
)
self.assertDictEqual(
d1=dict(keys=[username]),
d2=list_users_response['data'],
)
@parameterized.expand([
('read configured user', 'cats'),
('non-existent user', 'cats', False, exceptions.InvalidPath),
])
def test_read_user(self, test_label, username, configure_first=True, raises=None, exception_message=None):
if configure_first:
self.client.auth.ldap.create_or_update_user(
username=username,
mount_point=self.TEST_LDAP_PATH,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.ldap.read_user(
username=username,
mount_point=self.TEST_LDAP_PATH,
)
if exception_message is not None:
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
read_user_response = self.client.auth.ldap.read_user(
username=username,
mount_point=self.TEST_LDAP_PATH,
)
self.assertIn(
member='policies',
container=read_user_response['data'],
)
@parameterized.expand([
('read configured user', 'cats'),
('non-existent user', 'cats', False, exceptions.InvalidPath),
])
def test_delete_user(self, test_label, username, configure_first=True, raises=None, exception_message=None):
if configure_first:
self.client.auth.ldap.create_or_update_user(
username=username,
mount_point=self.TEST_LDAP_PATH,
)
expected_status_code = 204
delete_user_response = self.client.auth.ldap.delete_user(
username=username,
mount_point=self.TEST_LDAP_PATH,
)
self.assertEqual(
first=expected_status_code,
second=delete_user_response.status_code
)
@parameterized.expand([
param(
label='working creds with policy'
),
param(
label='invalid creds',
username='******',
password='******',
attach_policy=False,
raises=exceptions.InvalidRequest,
),
# The following two test cases cover either side of the associated changelog entry for LDAP auth here:
# https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#0103-june-20th-2018
param(
label='working creds no membership with Vault version >= 0.10.3',
attach_policy=False,
skip_due_to_vault_version=utils.vault_version_lt('0.10.3'),
),
param(
label='working creds no membership with Vault version < 0.10.3',
attach_policy=False,
raises=exceptions.InvalidRequest,
exception_message='user is not a member of any authorized group',
skip_due_to_vault_version=utils.vault_version_ge('0.10.3'),
),
])
def test_login(self, label, username=LDAP_USER_NAME, password=LDAP_USER_PASSWORD, attach_policy=True, raises=None,
exception_message='', skip_due_to_vault_version=False):
if skip_due_to_vault_version:
self.skipTest(reason='test case does not apply to Vault version under test')
test_policy_name = 'test-ldap-policy'
self.client.auth.ldap.configure(
url=self.mock_ldap_url,
bind_dn=self.ldap_server.config['bind_dn'],
bind_pass=self.ldap_server.config['password'],
user_dn=LDAP_USERS_DN,
user_attr='uid',
group_dn=LDAP_GROUPS_DN,
group_attr='cn',
insecure_tls=True,
mount_point=self.TEST_LDAP_PATH,
)
if attach_policy:
self.prep_policy(test_policy_name)
self.client.auth.ldap.create_or_update_group(
name=LDAP_GROUP_NAME,
policies=[test_policy_name],
mount_point=self.TEST_LDAP_PATH,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.ldap.login(
username=username,
password=password,
mount_point=self.TEST_LDAP_PATH,
)
if exception_message is not None:
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
login_response = self.client.auth.ldap.login(
username=username,
password=password,
mount_point=self.TEST_LDAP_PATH,
)
self.assertDictEqual(
d1=dict(username=username),
d2=login_response['auth']['metadata'],
)
self.assertEqual(
first=login_response['auth']['client_token'],
second=self.client.token,
)
if attach_policy:
expected_policies = ['default', test_policy_name]
else:
expected_policies = ['default']
self.assertEqual(
first=expected_policies,
second=login_response['auth']['policies']
)
class TestGcp(HvacIntegrationTestCase, TestCase):
TEST_MOUNT_POINT = 'gcp-test'
def setUp(self):
super(TestGcp, self).setUp()
if '%s/' % self.TEST_MOUNT_POINT not in self.client.list_auth_backends(
):
self.client.enable_auth_backend(
backend_type='gcp',
mount_point=self.TEST_MOUNT_POINT,
)
def tearDown(self):
super(TestGcp, self).tearDown()
self.client.disable_auth_backend(mount_point=self.TEST_MOUNT_POINT, )
@parameterized.expand([
param(
'success',
credentials=utils.load_config_file('example.jwt.json'),
),
param(
'set invalid credentials',
credentials='some invalid JWT',
raises=exceptions.InvalidRequest,
),
])
def test_configure(self, label, credentials='', raises=None):
if raises:
with self.assertRaises(raises):
self.client.auth.gcp.configure(
credentials=credentials,
mount_point=self.TEST_MOUNT_POINT,
)
else:
configure_response = self.client.auth.gcp.configure(
credentials=credentials,
mount_point=self.TEST_MOUNT_POINT,
)
logging.debug('configure_response: %s' % configure_response)
self.assertEqual(
first=bool(configure_response),
second=True,
)
@parameterized.expand([
param('success', ),
param('no config written yet',
write_config_first=False,
raises=exceptions.InvalidPath)
])
def test_read_config(self, label, write_config_first=True, raises=None):
credentials = utils.load_config_file('example.jwt.json')
if write_config_first:
self.client.auth.gcp.configure(
credentials=credentials,
mount_point=self.TEST_MOUNT_POINT,
)
if raises is not None:
with self.assertRaises(raises):
self.client.auth.gcp.read_config(
mount_point=self.TEST_MOUNT_POINT, )
else:
read_config_response = self.client.auth.gcp.read_config(
mount_point=self.TEST_MOUNT_POINT, )
logging.debug('read_config_response: %s' % read_config_response)
creds_dict = json.loads(credentials)
expected_config = {
'project_id': creds_dict['project_id'],
'client_email': creds_dict['client_email'],
'private_key_id': creds_dict['private_key_id'],
}
for k, v in expected_config.items():
self.assertEqual(
first=v,
second=read_config_response[k],
)
@parameterized.expand([
# param(
# 'success', # TODO: figure out why this is returning a 405
# ),
param(
'no existing config',
write_config_first=False,
raises=exceptions.UnexpectedError,
),
])
def test_delete_config(self, label, write_config_first=True, raises=None):
if write_config_first:
self.client.auth.gcp.configure(mount_point=self.TEST_MOUNT_POINT, )
if raises is not None:
with self.assertRaises(raises):
self.client.auth.gcp.delete_config(
mount_point=self.TEST_MOUNT_POINT, )
else:
delete_config_response = self.client.auth.gcp.delete_config(
mount_point=self.TEST_MOUNT_POINT, )
logging.debug('delete_config_response: %s' %
delete_config_response)
self.assertEqual(
first=bool(delete_config_response),
second=True,
)
@parameterized.expand([
param('success iam', role_type='iam', bound_service_accounts=['*']),
param(
'iam no bound service account',
role_type='iam',
raises=exceptions.InvalidRequest,
exception_message=
'IAM role type must have at least one service account',
),
param(
'success gce',
role_type='gce',
),
param(
'invalid role type',
role_type='hvac',
raises=exceptions.ParamValidationError,
exception_message='unsupported role_type argument provided',
),
])
def test_create_role(self,
label,
role_type,
policies=None,
bound_service_accounts=None,
raises=None,
exception_message=''):
role_name = 'hvac'
project_id = 'test-hvac-project-not-a-real-project'
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.gcp.create_role(
name=role_name,
role_type=role_type,
project_id=project_id,
policies=policies,
bound_service_accounts=bound_service_accounts,
mount_point=self.TEST_MOUNT_POINT,
)
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
create_role_response = self.client.auth.gcp.create_role(
name=role_name,
role_type=role_type,
project_id=project_id,
policies=policies,
bound_service_accounts=bound_service_accounts,
mount_point=self.TEST_MOUNT_POINT,
)
logging.debug('create_role_response: %s' % create_role_response)
self.assertEqual(
first=bool(create_role_response),
second=True,
)
@parameterized.expand([
param(
'success add',
add=['test'],
),
param(
'success remove',
remove=['test'],
),
param(
'fail upon no changes',
raises=exceptions.InvalidRequest,
exception_message=
'must provide at least one value to add or remove',
),
# TODO: wrong role type (gce)
])
def test_edit_service_accounts_on_iam_role(self,
label,
add=None,
remove=None,
create_role_first=True,
raises=None,
exception_message=''):
role_name = 'hvac'
project_id = 'test-hvac-project-not-a-real-project'
if create_role_first:
self.client.auth.gcp.create_role(
name=role_name,
role_type='iam',
project_id=project_id,
bound_service_accounts=[
'*****@*****.**'
],
mount_point=self.TEST_MOUNT_POINT,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.gcp.edit_service_accounts_on_iam_role(
name=role_name,
add=add,
remove=remove,
mount_point=self.TEST_MOUNT_POINT,
)
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
edit_sa_on_iam_response = self.client.auth.gcp.edit_service_accounts_on_iam_role(
name=role_name,
add=add,
remove=remove,
mount_point=self.TEST_MOUNT_POINT,
)
logging.debug('create_role_response: %s' % edit_sa_on_iam_response)
self.assertEqual(
first=bool(edit_sa_on_iam_response),
second=True,
)
@parameterized.expand([
param(
'success add',
add=['test-key:test-value'],
),
param(
'success remove',
remove=['test-key:test-value'],
),
param(
'fail upon no changes',
raises=exceptions.InvalidRequest,
exception_message=
'must provide at least one value to add or remove',
),
# TODO: wrong role type (iam)
])
def test_edit_labels_on_gce_role(self,
label,
add=None,
remove=None,
create_role_first=True,
raises=None,
exception_message=''):
role_name = 'hvac'
project_id = 'test-hvac-project-not-a-real-project'
if create_role_first:
self.client.auth.gcp.create_role(
name=role_name,
role_type='gce',
project_id=project_id,
bound_service_accounts=[
'*****@*****.**'
],
mount_point=self.TEST_MOUNT_POINT,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.gcp.edit_labels_on_gce_role(
name=role_name,
add=add,
remove=remove,
mount_point=self.TEST_MOUNT_POINT,
)
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
edit_labled_response = self.client.auth.gcp.edit_labels_on_gce_role(
name=role_name,
add=add,
remove=remove,
mount_point=self.TEST_MOUNT_POINT,
)
logging.debug('create_role_response: %s' % edit_labled_response)
self.assertEqual(
first=bool(edit_labled_response),
second=True,
)
@parameterized.expand([
param('success', ),
param(
'nonexistent role',
create_role_first=False,
raises=exceptions.InvalidPath,
),
])
def test_read_role(self,
label,
create_role_first=True,
raises=None,
exception_message=''):
role_name = 'hvac'
project_id = 'test-hvac-project-not-a-real-project'
if create_role_first:
self.client.auth.gcp.create_role(
name=role_name,
role_type='gce',
project_id=project_id,
bound_service_accounts=[
'*****@*****.**'
],
mount_point=self.TEST_MOUNT_POINT,
)
if raises:
with self.assertRaises(raises) as cm:
self.client.auth.gcp.read_role(
name=role_name,
mount_point=self.TEST_MOUNT_POINT,
)
self.assertIn(
member=exception_message,
container=str(cm.exception),
)
else:
read_role_response = self.client.auth.gcp.read_role(
name=role_name,
mount_point=self.TEST_MOUNT_POINT,
)
logging.debug('create_role_response: %s' % read_role_response)
if utils.vault_version_ge('1.0.0'):
returned_project_id = read_role_response['bound_projects']
expected_project_id = [project_id]
else:
returned_project_id = read_role_response['project_id']
expected_project_id = project_id
self.assertEqual(first=returned_project_id,
second=expected_project_id)
@parameterized.expand([
param('success one role', ),
param(
'success multiple roles',
num_roles_to_create=7,
),
param(
'no roles',
num_roles_to_create=0,
raises=exceptions.InvalidPath,
),
])
def test_list_roles(self, label, num_roles_to_create=1, raises=None):
project_id = 'test-hvac-project-not-a-real-project'
roles_to_create = ['hvac%s' % n for n in range(0, num_roles_to_create)]
logging.debug('roles_to_create: %s' % roles_to_create)
for role_to_create in roles_to_create:
create_role_response = self.client.auth.gcp.create_role(
name=role_to_create,
role_type='gce',
project_id=project_id,
bound_service_accounts=[
'*****@*****.**'
],
mount_point=self.TEST_MOUNT_POINT,
)
logging.debug('create_role_response: %s' % create_role_response)
if raises is not None:
with self.assertRaises(raises):
self.client.auth.gcp.list_roles(
mount_point=self.TEST_MOUNT_POINT, )
else:
list_roles_response = self.client.auth.gcp.list_roles(
mount_point=self.TEST_MOUNT_POINT, )
logging.debug('list_roles_response: %s' % list_roles_response)
self.assertEqual(
first=list_roles_response['keys'],
second=roles_to_create,
)
@parameterized.expand([
param('success', ),
param(
'nonexistent role name',
configure_role_first=False,
),
])
def test_delete_role(self, label, configure_role_first=True, raises=None):
role_name = 'hvac'
project_id = 'test-hvac-project-not-a-real-project'
if configure_role_first:
create_role_response = self.client.auth.gcp.create_role(
name=role_name,
role_type='gce',
project_id=project_id,
bound_service_accounts=[
'*****@*****.**'
],
mount_point=self.TEST_MOUNT_POINT,
)
logging.debug('create_role_response: %s' % create_role_response)
if raises is not None:
with self.assertRaises(raises):
self.client.auth.gcp.delete_role(
role=role_name,
mount_point=self.TEST_MOUNT_POINT,
)
else:
delete_role_response = self.client.auth.gcp.delete_role(
role=role_name,
mount_point=self.TEST_MOUNT_POINT,
)
logging.debug('delete_role_response: %s' % delete_role_response)
self.assertEqual(
first=bool(delete_role_response),
second=True,
)