Merge pull request #735 from hvac/issue_548_ca-related_envvars

Support CA-related Environment Variables
hvac · Jul 12, 2021 · 8863f77 · 8863f77
2 parents 6820c9b + 3e3ae1c
commit 8863f77
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 7 deletions.
diff --git a/hvac/adapters.py b/hvac/adapters.py
@@ -9,8 +9,7 @@
 import requests.exceptions
 
 from hvac import utils
-
-DEFAULT_BASE_URI = "http://localhost:8200"
+from hvac.constants.client import DEFAULT_URL
 
 
 class Adapter(object):
@@ -20,7 +19,7 @@ class Adapter(object):
 
     def __init__(
         self,
-        base_uri=DEFAULT_BASE_URI,
+        base_uri=DEFAULT_URL,
         token=None,
         cert=None,
         verify=True,

diff --git a/hvac/constants/client.py b/hvac/constants/client.py
@@ -2,6 +2,8 @@
 # -*- coding: utf-8 -*-
 """Constants related to the hvac.Client class."""
 
+from os import getenv
+
 DEPRECATED_PROPERTIES = {
     "github": dict(
         to_be_removed_in_version="0.9.0",
@@ -22,3 +24,7 @@
 }
 
 DEFAULT_URL = "http://localhost:8200"
+VAULT_CACERT = getenv("VAULT_CACERT")
+VAULT_CAPATH = getenv("VAULT_CAPATH")
+VAULT_CLIENT_CERT = getenv("VAULT_CLIENT_CERT")
+VAULT_CLIENT_KEY = getenv("VAULT_CLIENT_KEY")
diff --git a/hvac/v1/__init__.py b/hvac/v1/__init__.py
@@ -4,8 +4,15 @@
 import os
 from base64 import b64encode
 
-from hvac import aws_utils, exceptions, adapters, utils, api
-from hvac.constants.client import DEPRECATED_PROPERTIES, DEFAULT_URL
+from hvac import adapters, api, aws_utils, exceptions, utils
+from hvac.constants.client import (
+    DEFAULT_URL,
+    DEPRECATED_PROPERTIES,
+    VAULT_CACERT,
+    VAULT_CAPATH,
+    VAULT_CLIENT_CERT,
+    VAULT_CLIENT_KEY,
+)
 from hvac.utils import generate_property_deprecation_message
 
 try:
@@ -65,6 +72,26 @@ def __init__(
 
         token = token if token is not None else utils.get_token_from_env()
         url = url if url else os.getenv("VAULT_ADDR", DEFAULT_URL)
+
+        if cert is not None and VAULT_CLIENT_CERT:
+            cert = "\n".join(
+                [
+                    VAULT_CLIENT_CERT,
+                    VAULT_CLIENT_KEY,
+                ]
+            )
+
+        # Consider related CA env vars _only if_ no argument is passed in under the
+        # `verify` parameter.
+        if verify is not None:
+            # Reference: https://www.vaultproject.io/docs/commands#vault_cacert
+            # Note: "[VAULT_CACERT] takes precedence over VAULT_CAPATH." and thus we
+            # check for VAULT_CAPATH _first_.
+            if VAULT_CAPATH:
+                verify = VAULT_CAPATH
+            if VAULT_CACERT:
+                verify = VAULT_CACERT
+
         self._adapter = adapter(
             base_uri=url,
             token=token,

diff --git a/tests/unit_tests/test_adapters.py b/tests/unit_tests/test_adapters.py
@@ -5,7 +5,7 @@
 
 import requests_mock
 from parameterized import parameterized, param
-
+from hvac.constants.client import DEFAULT_URL
 from hvac import adapters
 
 
@@ -95,7 +95,7 @@ def test_list(self, test_label, test_path, requests_mocker):
             "wrap_info": None,
         }
         expected_status_code = 200
-        mock_url = "{0}/{1}".format(adapters.DEFAULT_BASE_URI, test_path)
+        mock_url = "{0}/{1}".format(DEFAULT_URL, test_path)
         requests_mocker.register_uri(method="LIST", url=mock_url, json=mock_response)
         adapter = adapters.RawAdapter()
         response = adapter.list(