fix vault client certificates loaded from envirnoment variables (#943)

* fix vault client certificates loaded from envirnoment variables * add integration test for configuration via environment variables * fix lint issues * fix python 3.7 compatability issue with tests * remove print + flip default for use_env flag * add packaging to dev dependencies --------- Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
hvac · Mar 1, 2023 · 16d1af8 · 16d1af8
1 parent 92f68c9
commit 16d1af8
Show file tree

Hide file tree

Showing 6 changed files with 72 additions and 56 deletions.
diff --git a/hvac/v1/__init__.py b/hvac/v1/__init__.py
@@ -68,12 +68,10 @@ def __init__(
         token = token if token is not None else utils.get_token_from_env()
         url = url if url else os.getenv("VAULT_ADDR", DEFAULT_URL)
 
-        if cert is not None and VAULT_CLIENT_CERT:
-            cert = "\n".join(
-                [
-                    VAULT_CLIENT_CERT,
-                    VAULT_CLIENT_KEY,
-                ]
+        if cert is None and VAULT_CLIENT_CERT:
+            cert = (
+                VAULT_CLIENT_CERT,
+                VAULT_CLIENT_KEY,
             )
 
         # Consider related CA env vars _only if_ no argument is passed in under the

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -58,6 +58,7 @@ Sphinx = "3.1.2"
 sphinx-rtd-theme = "0.5.0"
 mistune = "0.8.4"
 docutils = "<0.18"
+packaging = "<23"
 
 [build-system]
 requires = ["poetry-core>=1.0.0"]

diff --git a/tests/integration_tests/api/auth_methods/test_cert.py b/tests/integration_tests/api/auth_methods/test_cert.py
@@ -153,3 +153,7 @@ def test_login(self, name, cacert, cert_pem, key_pem, mount_point):
                 self.cert[1],
             ):
                 self.assertIsInstance(response, dict)
+
+
+class TestCertEnv(TestCert):
+    use_env = True
diff --git a/tests/utils/__init__.py b/tests/utils/__init__.py
@@ -8,10 +8,10 @@
 import socket
 import subprocess
 from distutils.spawn import find_executable
-from packaging.version import Version
-from unittest import SkipTest
+from unittest import SkipTest, mock
 
 from hvac import Client
+from packaging.version import Version
 
 logger = logging.getLogger(__name__)
 
@@ -79,26 +79,38 @@ def get_generate_root_otp():
     return test_otp
 
 
-def create_client(url="https://localhost:8200", **kwargs):
+def create_client(url="https://localhost:8200", use_env=False, **kwargs):
     """Small helper to instantiate a :py:class:`hvac.v1.Client` class with the appropriate parameters for the test env.
 
     :param url: Vault address to configure the client with.
     :type url: str
+    :param use_env: configure vault using environment variable
+    :type use_env: bool
     :param kwargs: Dictionary of additional keyword arguments to pass through to the Client instance being created.
     :type kwargs: dict
     :return: Instantiated :py:class:`hvac.v1.Client` class.
     :rtype: hvac.v1.Client
     """
+
     client_cert_path = get_config_file_path("client-cert.pem")
     client_key_path = get_config_file_path("client-key.pem")
     server_cert_path = get_config_file_path("server-cert.pem")
-
-    return Client(
-        url=url,
-        cert=(client_cert_path, client_key_path),
-        verify=server_cert_path,
-        **kwargs,
-    )
+    if use_env:
+        with mock.patch("hvac.v1.VAULT_CAPATH", server_cert_path):
+            with mock.patch("hvac.v1.VAULT_CLIENT_CERT", client_cert_path):
+                with mock.patch("hvac.v1.VAULT_CLIENT_KEY", client_key_path):
+                    client = Client(
+                        url=url,
+                        **kwargs,
+                    )
+    else:
+        client = Client(
+            url=url,
+            cert=(client_cert_path, client_key_path),
+            verify=server_cert_path,
+            **kwargs,
+        )
+    return client
 
 
 def get_free_port():

diff --git a/tests/utils/hvac_integration_test_case.py b/tests/utils/hvac_integration_test_case.py
@@ -17,6 +17,7 @@ class HvacIntegrationTestCase:
     client = None
     mock_warnings = None
     enable_vault_ha = False
+    use_env = False
 
     @classmethod
     def setUpClass(cls):
@@ -59,7 +60,7 @@ def tearDownClass(cls):
 
     def setUp(self):
         """Set the client attribute to an authenticated hvac Client instance."""
-        self.client = create_client(token=self.manager.root_token)
+        self.client = create_client(token=self.manager.root_token, use_env=self.use_env)
 
         # Squelch deprecating warnings during tests as we may want to deliberately call deprecated methods and/or verify
         # warnings invocations.