VaultSigner test unexpectedly does not depend on environment variables #820

Open
lukpueh opened this issue Jun 4, 2024 · 0 comments

lukpueh commented Jun 4, 2024

The HashicorpVault client used by VaultSigner to import_ a public key or sign needs a vault address and a token. We expect users to provide both via specific envvars known to the client, and so do the tests:

securesystemslib/tox.ini

Lines 122 to 123 in 5e734e4

VAULT_ADDR = http://localhost:8200
VAULT_TOKEN = test-root-token

But it turns out that the tests work even if the envvars are not available to VaultSigner, because:

  • above VAULT_ADDR is the default address, which the client falls back to if the env var is not set, and
  • vault server -dev (in init-vault.sh) secretly writes the token to a ~/.vault-token file, which the client falls back to if the env var is not set

This is not necessarily an issue but a bit surprising, so I think a note in VaultSigner code doc and tox.ini might be fix enough.

Alternatively, we can set VAULT_ADDR to a non-default port and start the test server like so:

# unlike VAULT_ADDR, -dev-listen-address does not want the protocol prefix
vault server -dev \
    -dev-listen-address="${VAULT_ADDR#http://}" \
    -dev-root-token-id="${VAULT_TOKEN}" \
    -dev-no-store-token \
    &
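
A check a test setup could run to see whether a passing VaultSigner test actually proves the envvars were used. This is an added example, not part of the original issue and not securesystemslib or Vault client code; the function names and port 8201 are hypothetical, and the fallback order is the one described in the issue.

```python
import tempfile
from pathlib import Path

DEFAULT_ADDR = "http://localhost:8200"  # default address named in the issue
TOKEN_FILE = ".vault-token"             # fallback file named in the issue


def credential_sources(env, home):
    """Classify where address and token would come from (fallback order as described in the issue)."""
    addr = env.get("VAULT_ADDR")
    if not addr:
        addr_src = "default"
    elif addr.rstrip("/") == DEFAULT_ADDR:
        addr_src = "env-same-as-default"
    else:
        addr_src = "env"

    path = Path(home) / TOKEN_FILE
    stored = path.read_text().strip() if path.is_file() else None
    token = env.get("VAULT_TOKEN")
    if not token:
        token_src = "token-file" if stored else "missing"
    elif token == stored:
        token_src = "env-same-as-file"
    else:
        token_src = "env"
    return {"VAULT_ADDR": addr_src, "VAULT_TOKEN": token_src}


def unverified_settings(env, home):
    """Settings for which a passing test does not prove the envvar was used."""
    return sorted(k for k, v in credential_sources(env, home).items() if v != "env")


def demo():
    """Constructed scenarios; a temporary directory stands in for the home directory."""
    tox_env = {"VAULT_ADDR": "http://localhost:8200", "VAULT_TOKEN": "test-root-token"}
    alt_env = dict(tox_env, VAULT_ADDR="http://localhost:8201")  # constructed non-default port
    with tempfile.TemporaryDirectory() as home:
        out = {"alt_clean": unverified_settings(alt_env, home),
               "tox_clean": unverified_settings(tox_env, home)}
        # Simulate the dev server having stored its root token on disk.
        (Path(home) / TOKEN_FILE).write_text("test-root-token\n")
        out["tox_with_file"] = unverified_settings(tox_env, home)
        out["no_env"] = credential_sources({}, home)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the tox.ini values, VAULT_ADDR is always reported as indistinguishable from the default, and VAULT_TOKEN becomes indistinguishable once a matching token file exists in the home directory.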