fix wrapped response for auth.token.create (hvac#966)
* add policy and role test context managers

* ensure cleanup on role test

* add test for wrapped periodic token

* cleanup role test with context manager

* add test for wrapped role-based token

* slightly better assertions

* fix wrapped responses
briantist committed May 10, 2023
1 parent d06fe41 commit 82c8a23
Showing 2 changed files with 98 additions and 38 deletions.
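--- a/hvac/api/auth_methods/token.py
+++ b/hvac/api/auth_methods/token.py
@@ -111,17 +111,11 @@ def create(
 }
 )
 
+api_path = f"/v1/auth/{mount_point}/create"
+
 if role_name is not None:
-api_path = "/v1/auth/{mount_point}/create/{role_name}".format(
-mount_point=mount_point,
-role_name=role_name,
-)
-return self._adapter.post(
-url=api_path,
-json=params,
-)
+api_path = f"{api_path}/{role_name}"
 
-api_path = f"/v1/auth/{mount_point}/create"
 return self._adapter.post(
 url=api_path,
 json=params,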
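Review bot: `mount_point` and `role_name` are interpolated into `api_path` as-is, including in the new `api_path = f"{api_path}/{role_name}"`, so a value containing `/`, `..` or `?` changes which Vault endpoint the token-create request reaches. If either value can originate outside the calling code, percent-encode the segment, e.g. `api_path = f"{api_path}/{quote(role_name, safe='')}"` with `from urllib.parse import quote`, or reject names that contain path separators. Whether the adapter normalises the URL is not visible here, and the body of `create` starts and ends outside the hunk.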
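--- a/tests/integration_tests/api/auth_methods/test_token.py
+++ b/tests/integration_tests/api/auth_methods/test_token.py
@@ -1,10 +1,42 @@
+from contextlib import contextmanager
 from unittest import TestCase
 from hvac import exceptions
 
 from tests.utils.hvac_integration_test_case import HvacIntegrationTestCase
 
 
 class TestToken(HvacIntegrationTestCase, TestCase):
+# would rather these be pytest fixtures
+@contextmanager
+def prep_policy(self, name):
+try:
+yield (name, self.prep_policy(name))
+finally:
+self.client.sys.delete_policy(name)
+
+@contextmanager
+def prep_role(self, name, policies=None):
+role = self.client.auth.token.create_or_update_role(
+name, allowed_policies=policies
+)
+assert role.status_code == 204
+try:
+yield (name, role, policies)
+finally:
+self.client.auth.token.delete_role(name)
+
+@contextmanager
+def test_policy(self):
+with self.prep_policy(["testpolicy"]) as p:
+yield p
+
+@contextmanager
+def test_role(self):
+with self.test_policy() as p, self.prep_role(
+name="testrole", policies=p[0]
+) as r:
+yield r
+
 def test_auth_token_manipulation(self):
 result = self.client.auth.token.create(ttl="1h", renewable=True)
 assert result["auth"]["client_token"]
@@ -131,45 +163,79 @@ def test_create_token_periodic(self):
 assert token["auth"]["client_token"] == lookup["data"]["id"]
 assert lookup["data"]["period"] == 1800
 
+def test_create_wrapped_token_periodic(self):
+
+response = self.client.auth.token.create(period="30m", wrap_ttl="15m")
+
+assert "wrap_info" in response, repr(response)
+assert response["wrap_info"] is not None, repr(response)
+assert response["auth"] is None, repr(response)
+assert response["wrap_info"]["ttl"] == 900
+assert "token" in response["wrap_info"]
+
+# unwrap
+token = self.client.sys.unwrap(token=response["wrap_info"]["token"])
+
+assert token["auth"]["client_token"]
+assert token["auth"]["lease_duration"] == 1800
+
+# Validate token
+lookup = self.client.auth.token.lookup(token["auth"]["client_token"])
+assert token["auth"]["client_token"] == lookup["data"]["id"]
+assert lookup["data"]["period"] == 1800
+
 def test_token_roles(self):
 # No roles, list_token_roles == None
 with self.assertRaises(exceptions.InvalidPath):
 self.client.auth.token.list_roles()
 
-# Create token role
-assert (
-self.client.auth.token.create_or_update_role("testrole").status_code == 204
-)
+try:
+# Create token role
+assert (
+self.client.auth.token.create_or_update_role("testrole").status_code
+== 204
+)
 
-# List token roles
-during = self.client.auth.token.list_roles()["data"]["keys"]
-assert len(during) == 1
-assert during[0] == "testrole"
+# List token roles
+during = self.client.auth.token.list_roles()["data"]["keys"]
+assert len(during) == 1
+assert during[0] == "testrole"
 
-# Delete token role
-self.client.auth.token.delete_role("testrole")
+finally:
+# Delete token role
+self.client.auth.token.delete_role("testrole")
 
 # No roles, list_token_roles == None
 with self.assertRaises(exceptions.InvalidPath):
 self.client.auth.token.list_roles()
 
 def test_create_token_w_role(self):
-# Create policy
-self.prep_policy("testpolicy")
-
-# Create token role w/ policy
-assert (
-self.client.auth.token.create_or_update_role(
-"testrole", allowed_policies="testpolicy"
-).status_code
-== 204
-)
-
-# Create token against role
-token = self.client.auth.token.create(ttl="1h", role_name="testrole")
-assert token["auth"]["client_token"]
-assert token["auth"]["policies"] == ["default", "testpolicy"]
-
-# Cleanup
-self.client.auth.token.delete_role("testrole")
-self.client.sys.delete_policy("testpolicy")
+with self.test_role() as test_role:
+role_name, _, policies = test_role
+expected_policies = ["default"] + policies
+
+# Create token against role
+token = self.client.auth.token.create(ttl="1h", role_name=role_name)
+assert token["auth"]["client_token"]
+assert token["auth"]["policies"] == expected_policies
+
+def test_create_wrapped_token_w_role(self):
+with self.test_role() as test_role:
+role_name, _, policies = test_role
+expected_policies = ["default"] + policies
+
+# Create token against role
+response = self.client.auth.token.create(
+ttl="1h", role_name=role_name, wrap_ttl="15m"
+)
+
+assert "wrap_info" in response, repr(response)
+assert response["wrap_info"] is not None, repr(response)
+assert response["auth"] is None, repr(response)
+assert response["wrap_info"]["ttl"] == 900
+assert "token" in response["wrap_info"]
+
+# unwrap
+token = self.client.sys.unwrap(token=response["wrap_info"]["token"])
+assert token["auth"]["client_token"]
+assert token["auth"]["policies"] == expected_policies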
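Review bot: The new `prep_policy` context manager calls `self.prep_policy(name)` inside itself, which resolves to this same override and only builds an un-entered context-manager object, so no policy appears to be created before the role references it. The removed test body called `self.prep_policy("testpolicy")` as a plain helper, which suggests the base class provides the real one; `yield (name, super().prep_policy(name))` would reach it, though the base signature is not visible here and should be confirmed. As written, the role tests seem to check only that Vault echoes the policy names on the token, not that the policy exists. Separately, `test_policy` and `test_role` are `@contextmanager` helpers whose `test_` prefix likely lets the runner collect them as tests; a name such as `_role_ctx` avoids that.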
