Catch Vault AppError

Closes #81 Signed-off-by: Sylvain Hellegouarch <sh@defuze.org>
chaostoolkit · Jan 29, 2019 · dc4af11 · dc4af11
1 parent 8ea9e6b
commit dc4af11
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,8 +7,10 @@
 ### Changed
 
 - Fix differences of API between Vault KV secret v1 and v2 [#80][80]
+- Catch Vault AppRole client error [#81][81]
 
 [80]: https://github.com/chaostoolkit/chaostoolkit-lib/issues/80
+[81]: https://github.com/chaostoolkit/chaostoolkit-lib/issues/81
 
 ## [1.0.0rc2][] - 2019-01-28
 

diff --git a/chaoslib/secret.py b/chaoslib/secret.py
@@ -266,6 +266,12 @@ def create_vault_client(configuration: Configuration = None):
             role_id = configuration.get("vault_role_id")
             role_secret = configuration.get("vault_role_secret")
 
-            app_role = client.auth_approle(role_id, role_secret)
+            try:
+                app_role = client.auth_approle(role_id, role_secret)
+            except Exception as ve:
+                raise InvalidExperiment(
+                    "Failed to connect to Vault with the AppRole: {}".format(
+                        str(ve)))
+
             client.token = app_role['auth']['client_token']
     return client
diff --git a/tests/test_secret.py b/tests/test_secret.py
@@ -1,7 +1,9 @@
 # -*- coding: utf-8 -*-
 import os
 
+from hvac.exceptions import InvalidRequest
 import pytest
+from chaoslib.exceptions import InvalidExperiment
 from chaoslib.secret import load_secrets, load_secrets_from_vault, \
     create_vault_client
 from fixtures import config
@@ -71,6 +73,22 @@ def test_should_auth_with_approle(hvac):
     fake_client.auth_approle.assert_called_with(config['vault_role_id'], config['vault_role_secret'])
 
 
+@patch('chaoslib.secret.hvac')
+def test_should_catch_approle_invalid_secret_id_abort_the_run(hvac):
+    config = {
+        'vault_addr' : 'http://someaddr.com',
+        'vault_role_id' : 'mighty_id',
+        'vault_role_secret' : 'expired'
+    }
+
+    fake_client = MagicMock()
+    fake_client.auth_approle.side_effect = InvalidRequest()
+    hvac.Client.return_value = fake_client
+
+    with pytest.raises(InvalidExperiment):
+        create_vault_client(config)
+
+
 @patch('chaoslib.secret.hvac')
 def test_should_auth_with_token(hvac):
     config = {