1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
|
import logging
from unittest import TestCase
from parameterized import parameterized, param
from hvac import exceptions
from tests.utils.hvac_integration_test_case import HvacIntegrationTestCase
class TestApprole(HvacIntegrationTestCase, TestCase):
TEST_MOUNT_POINT = "approle"
def setUp(self):
super().setUp()
self.client.sys.enable_auth_method(
method_type="approle",
path=self.TEST_MOUNT_POINT,
)
def tearDown(self):
self.client.token = self.manager.root_token
self.client.sys.disable_auth_method(path=self.TEST_MOUNT_POINT)
super().tearDown()
@parameterized.expand(
[
param(
"no secret ids",
num_secrets_to_create=0,
raises=exceptions.InvalidPath,
),
param(
"one secret id",
num_secrets_to_create=1,
),
param(
"two secret ids",
num_secrets_to_create=2,
),
]
)
def test_list_role_secrets(self, label, num_secrets_to_create=0, raises=None):
test_role_name = "testrole"
self.client.auth.approle.create_or_update_approle(
role_name=test_role_name,
mount_point=self.TEST_MOUNT_POINT,
)
for _ in range(0, num_secrets_to_create):
self.client.auth.approle.generate_secret_id(
role_name=test_role_name,
mount_point=self.TEST_MOUNT_POINT,
)
if raises:
with self.assertRaises(raises):
self.client.auth.approle.list_secret_id_accessors(
role_name=test_role_name,
mount_point=self.TEST_MOUNT_POINT,
)
else:
list_role_secrets_response = (
self.client.auth.approle.list_secret_id_accessors(
role_name=test_role_name,
mount_point=self.TEST_MOUNT_POINT,
)
)
logging.debug("list_role_secrets_response: %s" % list_role_secrets_response)
self.assertEqual(
first=num_secrets_to_create,
second=len(list_role_secrets_response["data"]["keys"]),
)
def test_create_role(self):
self.client.auth.approle.create_or_update_approle("testrole")
result = self.client.read("auth/approle/role/testrole")
lib_result = self.client.auth.approle.read_role("testrole")
del result["request_id"]
del lib_result["request_id"]
self.assertEqual(result, lib_result)
def test_delete_role(self):
test_role_name = "test-role"
self.client.auth.approle.create_or_update_approle(test_role_name)
# We add a second dummy test role so we can still hit the /role?list=true route after deleting the first role
self.client.auth.approle.create_or_update_approle("test-role-2")
# Ensure our created role shows up when calling list_roles as expected
result = self.client.auth.approle.list_roles()
actual_list_role_keys = result["data"]["keys"]
self.assertIn(
member=test_role_name,
container=actual_list_role_keys,
)
# Now delete the role and verify its absence when calling list_roles
self.client.auth.approle.delete_role(test_role_name)
result = self.client.auth.approle.list_roles()
actual_list_role_keys = result["data"]["keys"]
self.assertNotIn(
member=test_role_name,
container=actual_list_role_keys,
)
def test_create_delete_role_secret_id(self):
self.client.auth.approle.create_or_update_approle("testrole")
create_result = self.client.auth.approle.generate_secret_id(
"testrole", {"foo": "bar"}
)
secret_id = create_result["data"]["secret_id"]
result = self.client.auth.approle.read_secret_id("testrole", secret_id)
self.assertEqual(result["data"]["metadata"]["foo"], "bar")
self.client.auth.approle.destroy_secret_id("testrole", secret_id)
missing_secret_response = self.client.auth.approle.read_secret_id(
"testrole", secret_id
)
self.assertEqual(
first=missing_secret_response.status_code,
second=204,
)
def test_auth_approle(self):
self.client.auth.approle.create_or_update_approle("testrole")
create_result = self.client.auth.approle.generate_secret_id(
"testrole", {"foo": "bar"}
)
secret_id = create_result["data"]["secret_id"]
role_id = self.client.auth.approle.read_role_id("testrole")["data"]["role_id"]
logging.debug("role_id: %s" % role_id)
result = self.client.auth.approle.login(role_id, secret_id)
self.assertEqual(result["auth"]["metadata"]["foo"], "bar")
self.assertEqual(self.client.token, result["auth"]["client_token"])
self.assertTrue(self.client.is_authenticated())
def test_auth_approle_dont_use_token(self):
self.client.auth.approle.create_or_update_approle("testrole")
create_result = self.client.auth.approle.generate_secret_id(
"testrole", {"foo": "bar"}
)
secret_id = create_result["data"]["secret_id"]
role_id = self.client.auth.approle.read_role_id("testrole")["data"]["role_id"]
result = self.client.auth.approle.login(role_id, secret_id, use_token=False)
self.assertEqual(result["auth"]["metadata"]["foo"], "bar")
self.assertNotEqual(self.client.token, result["auth"]["client_token"])
|
