Merge remote-tracking branch 'upstream/master' into v0.6.1

Author: lionelz

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 0.6.1 (July 12th, 2018)
+
+Merge changes of version 0.6.1 of hvac (Python 2/3 client for HashiCorp Vault), see https://github.com/ianunruh/hvac 
+* see https://github.com/ianunruh/hvac/releases for change logs.
+
 ## 0.6.0 (July 1, 2018)
 
 Merge changes of version 0.6.0 of hvac (Python 2/3 client for HashiCorp Vault), see https://github.com/ianunruh/hvac 

README.md

@@ -36,6 +36,8 @@ client = async_hvac.AsyncClient(url='https://localhost:8200')
 # Using TLS with client-side certificate authentication
 client = async_hvac.AsyncClient(url='https://localhost:8200',
                                 cert=('path/to/cert.pem', 'path/to/key.pem'))
+ # Skipping TLS verification entirely (should only be used for local development; unsafe for production clusters)
+client = async_hvac.AsyncClient(url='https://localhost:8200', verify=False)
 ```
 
 ### Read and write to secret backends
@@ -74,6 +76,24 @@ client.auth_aws_iam(credentials.access_key, credentials.secret_key, credentials.
 # GitHub
 await client.auth_github('MY_GITHUB_TOKEN')
 
+# GCP (from GCE instance)
+import requests
+
+VAULT_ADDR="https://vault.example.com:8200"
+ROLE="example"
+AUDIENCE_URL =  VAULT_ADDR + "/vault/" + ROLE
+METADATA_HEADERS = {'Metadata-Flavor': 'Google'}
+FORMAT = 'full'
+
+url = 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience={}&format={}'.format(AUDIENCE_URL, FORMAT)
+r = requests.get(url, headers=METADATA_HEADERS)
+client.auth_gcp(ROLE, r.text)
+
+# Kubernetes (from k8s pod)
+f = open('/var/run/secrets/kubernetes.io/serviceaccount/token')
+jwt = f.read()
+client.auth_kubernetes("example", jwt)
+
 # LDAP, Username & Password
 await client.auth_ldap('MY_USERNAME', 'MY_PASSWORD')
 await client.auth_userpass('MY_USERNAME', 'MY_PASSWORD')

async_hvac/exceptions.py

@@ -42,3 +42,7 @@ class VaultDown(VaultError):
 
 class UnexpectedError(VaultError):
     pass
+
+
+class ParamValidationError(VaultError):
+    pass

async_hvac/tests/test_auth_methods.py

@@ -38,6 +38,7 @@ async def test_tune_auth_backend(self, requests_mocker):
             first=test_description,
             second=actual_request_params['description'],
         )
+        await client.close()
 
     @RequestsMocker()
     async def test_get_auth_backend_tuning(self, requests_mocker):
@@ -77,3 +78,4 @@ async def test_get_auth_backend_tuning(self, requests_mocker):
             first=mock_response,
             second=actual_response,
         )
+        await client.close()

async_hvac/tests/test_aws_ec2_methods.py

@@ -65,6 +65,7 @@ async def test_auth_ec2(self, test_label, mount_point, requests_mocker):
 
         # ensure we received our mock response data back successfully
         self.assertEqual(mock_response, actual_response)
+        await client.close()
 
     @parameterized.expand([
         ("default mount point", None),
@@ -101,6 +102,7 @@ async def test_create_vault_ec2_client_configuration(self, test_label, mount_poi
             first=expected_status_code,
             second=actual_response.status
         )
+        await client.close()
 
     @parameterized.expand([
         ("default mount point", None),
@@ -141,6 +143,7 @@ async def test_get_vault_ec2_client_configuration(self, test_label, mount_point,
             first=mock_response,
             second=actual_response,
         )
+        await client.close()
 
     @parameterized.expand([
         ("default mount point", None),
@@ -170,6 +173,7 @@ async def test_delete_vault_ec2_client_configuration(self, test_label, mount_poi
             first=expected_status_code,
             second=actual_response.status,
         )
+        await client.close()
 
     @parameterized.expand([
         ("default mount point", None, 'my-cool-cert-1'),
@@ -206,6 +210,7 @@ async def test_create_vault_ec2_certificate_configuration(self, test_label, moun
             first=expected_status_code,
             second=actual_response.status,
         )
+        await client.close()
 
     @parameterized.expand([
         ("default mount point", None, 'my-cool-cert-1'),
@@ -246,6 +251,7 @@ async def test_get_vault_ec2_certificate_configuration(self, test_label, mount_p
             first=mock_response,
             second=actual_response,
         )
+        await client.close()
 
     @parameterized.expand([
         ("default mount point", None),
@@ -284,6 +290,7 @@ async def test_list_vault_ec2_certificate_configurations(self, test_label, mount
             first=mock_response,
             second=actual_response,
         )
+        await client.close()
 
     @parameterized.expand([
         ("default mount point", None, 'my-role-1'),
@@ -317,6 +324,7 @@ async def test_create_ec2_role(self, test_label, mount_point, role_name, request
             first=expected_status_code,
             second=actual_response.status,
         )
+        await client.close()
 
     @parameterized.expand([
         ("default mount point", None, 'my-role-1'),
@@ -365,6 +373,7 @@ async def test_get_ec2_role(self, test_label, mount_point, role_name, requests_m
             first=mock_response,
             second=actual_response,
         )
+        await client.close()
 
     @parameterized.expand([
         ("default mount point", None, 'my-role-1'),
@@ -398,6 +407,7 @@ async def test_delete_ec2_role(self, test_label, mount_point, role_name, request
             first=expected_status_code,
             second=actual_response.status,
         )
+        await client.close()
 
     @parameterized.expand([
         ("default mount point", None),
@@ -436,6 +446,7 @@ async def test_list_ec2_roles(self, test_label, mount_point, requests_mocker):
             first=mock_response,
             second=actual_response,
         )
+        await client.close()
 
     @parameterized.expand([
         ("default mount point", None, 'my-role-1'),
@@ -476,3 +487,4 @@ async def test_create_ec2_role_tag(self, test_label, mount_point, role_name, req
             first=mock_response,
             second=await actual_response.json(),
         )
+        await client.close()

async_hvac/tests/test_aws_iam_methods.py

@@ -46,3 +46,4 @@ async def test_auth_aws_iam(self, auth_mock, datetime_mock):
 
         actual_role = actual_params['role']
         self.assertEqual('', actual_role)
+        await client.close()

async_hvac/tests/test_client.py

@@ -0,0 +1,33 @@
+from asynctest import TestCase
+
+from parameterized import parameterized
+
+from async_hvac import AsyncClient
+from async_hvac.tests.util import RequestsMocker
+
+
+class TestClient(TestCase):
+    """Unit tests providing coverage for requests-related methods in the hvac Client class."""
+
+    @parameterized.expand([
+        ("standard Vault address", 'https://localhost:8200'),
+        ("Vault address with route", 'https://example.com/vault'),
+    ])
+    @RequestsMocker()
+    async def test___request(self, test_label, test_url, requests_mocker):
+        test_path = 'v1/sys/health'
+        expected_status_code = 200
+        mock_url = '{0}/{1}'.format(test_url, test_path)
+        requests_mocker.register_uri(
+            method='GET',
+            url=mock_url,
+        )
+        client = AsyncClient(url=test_url)
+        response = await client._get(
+            url='v1/sys/health',
+        )
+        self.assertEqual(
+            first=expected_status_code,
+            second=response.status,
+        )
+        await client.close()

async_hvac/tests/test_gcp_methods.py

@@ -0,0 +1,65 @@
+from asynctest import TestCase
+
+from parameterized import parameterized
+
+from async_hvac import AsyncClient
+from async_hvac.tests.util import RequestsMocker
+
+
+class TestGcpMethods(TestCase):
+    """Unit tests providing coverage for GCP auth backend-related methods/routes."""
+
+    @parameterized.expand([
+        ("default mount point", "custom_role", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9", None),
+        ("custom mount point", "custom_role", "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9", "gcp-not-default")
+    ])
+    @RequestsMocker()
+    async def test_auth_gcp(self, test_label, test_role, test_jwt, mount_point, requests_mocker):
+        mock_response = {
+            'auth': {
+                'accessor': 'accessor-1234-5678-9012-345678901234',
+                'client_token': 'cltoken-1234-5678-9012-345678901234',
+                'lease_duration': 10000,
+                'metadata': {
+                    'role': 'custom_role',
+                    'service_account_email': '[email protected]',
+                    'service_account_id': '111111111111111111111'
+                },
+                'policies': [
+                    'default',
+                    'custom_role'
+                ],
+                'renewable': True
+            },
+            'data': None,
+            'lease_duration': 0,
+            'lease_id': '',
+            'renewable': False,
+            'request_id': 'requesti-1234-5678-9012-345678901234',
+            'warnings': [],
+            'wrap_info': None
+        }
+        mock_url = 'http://127.0.0.1:8200/v1/auth/{0}/login'.format(
+                'gcp' if mount_point is None else mount_point)
+        requests_mocker.register_uri(
+            method='POST',
+            url=mock_url,
+            json=mock_response
+        )
+        client = AsyncClient()
+
+        if mount_point is None:
+            actual_response = await client.auth_gcp(
+                role=test_role,
+                jwt=test_jwt
+            )
+        else:
+            actual_response = await client.auth_gcp(
+                role=test_role,
+                jwt=test_jwt,
+                mount_point=mount_point
+            )
+
+        # ensure we received our mock response data back successfully
+        self.assertEqual(mock_response, actual_response)
+        await client.close()