From e621b4dec01aab895e33e3d66f6a22fc39435664 Mon Sep 17 00:00:00 2001 From: Chris MacNaughton Date: Mon, 24 Sep 2018 08:27:02 +0200 Subject: [PATCH] Only try to unseal vault when leader has set keys Change-Id: I2574da2f7e6520d4c9bc8e5b9f03b5723840b5c8 Closes-Bug: #1792603 --- src/lib/charm/vault.py | 2 +- unit_tests/test_lib_charm_vault.py | 14 +++++++++++--- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/src/lib/charm/vault.py b/src/lib/charm/vault.py index fe80fcd..bccc160 100644 --- a/src/lib/charm/vault.py +++ b/src/lib/charm/vault.py @@ -239,7 +239,7 @@ def prepare_vault(): vault_health = get_vault_health() if not vault_health['initialized'] and hookenv.is_leader(): initialize_vault() - if vault_health['sealed']: + if vault_health['sealed'] and hookenv.leader_get('keys'): unseal_vault() if hookenv.is_leader(): role_id = setup_charm_vault_access() diff --git a/unit_tests/test_lib_charm_vault.py b/unit_tests/test_lib_charm_vault.py index 0789b89..6242827 100644 --- a/unit_tests/test_lib_charm_vault.py +++ b/unit_tests/test_lib_charm_vault.py @@ -179,6 +179,7 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase): "http://127.0.0.1:8220/v1/sys/health") mock_response.json.assert_called_once() + @patch.object(vault.hookenv, 'leader_get') @patch.object(vault.hookenv, 'leader_set') @patch.object(vault, 'setup_charm_vault_access') @patch.object(vault.hookenv, 'is_leader') @@ -189,8 +190,10 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase): @patch.object(vault.host, 'service_running') def test_prepare_vault(self, service_running, log, get_vault_health, initialize_vault, unseal_vault, is_leader, - setup_charm_vault_access, leader_set): + setup_charm_vault_access, leader_set, + leader_get): is_leader.return_value = True + leader_get.return_value = "[]" service_running.return_value = True get_vault_health.return_value = { 'initialized': False, 
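Review bot: In the `src/lib/charm/vault.py` hunk, a sealed vault whose leader settings hold no `keys` is now skipped without any log line, and on the leader the next branch (`if hookenv.is_leader(): role_id = setup_charm_vault_access()`) still runs, presumably against a vault that is still sealed. Handle that case explicitly before the unseal check: `if vault_health['sealed'] and not hookenv.leader_get('keys'):`, then `hookenv.log("vault is sealed and leader has not set keys; not unsealing", level=hookenv.WARNING)` and `return`. Whether an early return is right depends on the rest of `prepare_vault`, which starts and continues outside this hunk. The log message must never include the value of `keys`.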
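Review bot: The updated tests never exercise the branch this commit adds, because `leader_get` is mocked with a truthy value in `test_prepare_vault` (the `@@ -189,8 +190,10 @@` hunk) and in the two later test hunks, so the guard in front of `unseal_vault()` is always satisfied. A regression test for the bug needs a sealed vault with no keys: `get_vault_health.return_value = {'initialized': True, 'sealed': True}` with `leader_get.return_value = None`, followed by `self.assertFalse(unseal_vault.called)`. Without it, reverting the one-line change in `prepare_vault` would leave the suite green.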
@@ -204,6 +207,7 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase): {vault.CHARM_ACCESS_ROLE_ID: mock.ANY} ) + @patch.object(vault.hookenv, 'leader_get') @patch.object(vault.hookenv, 'leader_set') @patch.object(vault.hookenv, 'is_leader') @patch.object(vault, 'unseal_vault') @@ -213,7 +217,9 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase): @patch.object(vault.host, 'service_running') def test_prepare_vault_non_leader(self, service_running, log, get_vault_health, initialize_vault, - unseal_vault, is_leader, leader_set): + unseal_vault, is_leader, leader_set, + leader_get): + leader_get.return_value = "[]" is_leader.return_value = False service_running.return_value = True get_vault_health.return_value = { @@ -234,6 +240,7 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase): self.assertFalse(initialize_vault.called) self.assertFalse(unseal_vault.called) + @patch.object(vault.hookenv, 'leader_get') @patch.object(vault.hookenv, 'leader_set') @patch.object(vault, 'setup_charm_vault_access') @patch.object(vault.hookenv, 'is_leader') @@ -246,7 +253,8 @@ class TestLibCharmVault(unit_tests.test_utils.CharmTestCase): get_vault_health, initialize_vault, unseal_vault, is_leader, setup_charm_vault_access, - leader_set): + leader_set, leader_get): + leader_get.return_value = "[]" is_leader.return_value = False service_running.return_value = True get_vault_health.return_value = {
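Review bot: `leader_get.return_value = "[]"` in `test_prepare_vault_non_leader` (the `@@ -213,7 +217,9 @@` hunk) and in the test of the `@@ -246,7 +253,8 @@` hunk looks like a JSON-encoded empty list, and it passes the new guard only because a non-empty string is truthy. As written, these tests pin down that an empty key list counts as "leader has set keys". If that is not intended, mock a constructed non-empty sample such as `'["constructed-unseal-key"]'` and add a comment stating what shape `keys` has in leader settings, for example `# leader 'keys' is a JSON list of unseal keys (constructed sample, not a real key)`.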