support for vault approle authentication

Signed-off-by: alexshe <alexshe@wix.com>
chaostoolkit · Dec 26, 2018 · dba08e8 · dba08e8
1 parent ae45e9e
commit dba08e8
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 11 deletions.
diff --git a/chaoslib/secret.py b/chaoslib/secret.py
@@ -13,7 +13,7 @@
 from chaoslib.exceptions import InvalidExperiment
 from chaoslib.types import Configuration, Secrets
 
-__all__ = ["load_secrets"]
+__all__ = ["load_secrets", "create_vault_client"]
 
 
 def load_secrets(secrets_info: Dict[str, Dict[str, str]],
@@ -141,12 +141,7 @@ def load_secrets_from_vault(secrets_info: Dict[str, Dict[str, str]],
                             configuration: Configuration = None) -> Secrets:
     secrets = {}
 
-    url = configuration.get("vault_addr")
-    token = configuration.get("vault_token")
-
-    client = None
-    if HAS_HVAC:
-        client = hvac.Client(url=url, token=token)
+    client = create_vault_client(configuration)
 
     for (target, keys) in secrets_info.items():
         secrets[target] = {}
@@ -164,3 +159,21 @@ def load_secrets_from_vault(secrets_info: Dict[str, Dict[str, str]],
             secrets.pop(target)
 
     return secrets
+
+
+def create_vault_client(configuration: Configuration = None):
+    client = None
+    if HAS_HVAC:
+        url = configuration.get("vault_addr")
+        client = hvac.Client(url=url)
+
+        if "vault_token" in configuration.keys():
+            client.token = configuration.get("vault_token")
+        elif "vault_role_id" in configuration.keys() and \
+             "vault_role_secret" in configuration.keys():
+            role_id = configuration.get("vault_role_id")
+            role_secret = configuration.get("vault_role_secret")
+
+            app_role = client.auth_approle(role_id, role_secret)
+            client.token = app_role['auth']['client_token']
+    return client
diff --git a/tests/test_secret.py b/tests/test_secret.py
@@ -2,11 +2,9 @@
 import os
 
 import pytest
-
-from chaoslib.secret import load_secrets
-
+from chaoslib.secret import load_secrets, create_vault_client
 from fixtures import config
-
+from unittest.mock import ANY, MagicMock, patch
 
 def test_should_load_environment():
     os.environ["KUBE_API_URL"] = "http://1.2.3.4"
@@ -45,3 +43,43 @@ def test_should_merge_properly():
     assert secrets["kubernetes"]["address"]["host"] == "whatever"
     assert secrets["kubernetes"]["address"]["port"] == 8090
     assert secrets["kubernetes"]["api_server_url"] == "http://1.2.3.4"
+
+
+@patch('chaoslib.secret.hvac')
+def test_should_auth_with_approle(hvac):
+    config = {
+        'vault_addr' : 'http://someaddr.com',
+        'vault_role_id' : 'mighty_id',
+        'vault_role_secret' : 'secret_secret'
+    }
+
+    fake_auth_object = {
+        'auth' : {
+            'client_token' : 'awesome_token'
+        }
+    }
+
+    fake_client = MagicMock()
+    fake_client.auth_approle.return_value = fake_auth_object
+    hvac.Client.return_value = fake_client
+
+    vault_client = create_vault_client(config)
+
+    assert vault_client.token == fake_auth_object['auth']['client_token']
+    fake_client.auth_approle.assert_called_with(config['vault_role_id'], config['vault_role_secret'])
+
+
+@patch('chaoslib.secret.hvac')
+def test_should_auth_with_token(hvac):
+    config = {
+        'vault_addr': 'http://someaddr.com',
+        'vault_token': 'not_awesome_token',
+    }
+
+    fake_client = MagicMock()
+    hvac.Client.return_value = fake_client
+
+    vault_client = create_vault_client(config)
+
+    assert vault_client.token == config['vault_token']
+    fake_client.auth_approle.assert_not_called()