Merge branch '3007.x' into fix-failed-render-when-syncing-renderers
dmurphy18 authored Oct 21, 2024
2 parents d32102c + d7b4d10 commit ae024de
Showing 3 changed files with 21 additions and 5 deletions.
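--- a/changelog/66213.fixed.md
+++ b/changelog/66213.fixed.md
@@ -0,0 +1 @@
+Fix vault module doesn't respect `server.verify` option during unwrap if verify is set to `False` or CA file on the disk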
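--- a/salt/utils/vault/client.py
+++ b/salt/utils/vault/client.py
@@ -240,17 +240,14 @@ def unwrap(self, wrapped, expected_creation_path=None):
 namespace=self.namespace,
 verify=self.verify,
 )
-url = self._get_url("sys/wrapping/unwrap")
+endpoint = "sys/wrapping/unwrap"
 headers = self._get_headers()
 payload = {}
 if "X-Vault-Token" not in headers:
 headers["X-Vault-Token"] = str(wrapped)
 else:
 payload["token"] = str(wrapped)
-res = self.session.request("POST", url, headers=headers, json=payload)
-if not res.ok:
-self._raise_status(res)
-return res.json()
+return self.post(endpoint=endpoint, add_headers=headers, payload=payload)
 
 def wrap_info(self, wrapped):
 """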
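Review bot: Nothing at the new `return self.post(...)` line records why `unwrap` must go through `self.post`, so a later refactor could restore a direct `self.session.request` call and reintroduce the TLS verification bypass the changelog describes. I would add a comment above the return, for example `# Use self.post, not session.request, so the configured verify setting applies to unwrap too`. Please also confirm that `self.post` does not retry or re-authenticate on failure, because a wrapping token is single-use and a second attempt would mask the original error. `post` is not visible in this hunk, so that is a question rather than a finding. The body of `unwrap` starts above the hunk.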
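--- a/tests/pytests/unit/utils/vault/test_client.py
+++ b/tests/pytests/unit/utils/vault/test_client.py
@@ -280,6 +280,24 @@ def test_vault_client_unwrap_should_default_to_token_header_before_payload(
 assert headers.get("X-Vault-Token") == token
 
 
+@pytest.mark.usefixtures("server_config")
+@pytest.mark.parametrize(
+"server_config",
+({"verify": "/usr/local/share/ca-certificates/my-ca.crt"},),
+indirect=True,
+)
+def test_vault_client_unwrap_respects_verify_option(role_id_response, client, req):
+"""
+As unwrap is special call which can be done both authenticated and unauthenticated
+we need to ensure that in both cases it respects verify option.
+"""
+token = "test-wrapping-token"
+req.return_value = _mock_json_response(role_id_response)
+client.unwrap(token)
+verify = req.call_args.kwargs.get("verify", None)
+assert verify == client.get_config()["verify"]
+
+
 @pytest.mark.parametrize("func", ["unwrap", "token_lookup"])
 @pytest.mark.parametrize(
 "req_failed,expected",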
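Review bot: The `server_config` parametrization in `test_vault_client_unwrap_respects_verify_option` covers only the CA-file path, although the changelog entry also names `verify` set to `False`. Extending the tuple to `({"verify": "/usr/local/share/ca-certificates/my-ca.crt"}, {"verify": False}),` would cover that case. Because the assertion reads `req.call_args.kwargs.get("verify", None)`, the `False` case would also fail if the kwarg were dropped entirely, instead of passing on a default. The docstring promises both authenticated and unauthenticated calls, but only one `client` fixture is used. Whether that fixture is parametrized over both states is not visible here; if it is not, the test should be, or the docstring narrowed.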
