Implement HashiCorp Vault integration #8
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…andling overhaul
This commit introduces significant new functionality by adding support for HashiCorp Vault secret fetching and completely refactors the library's error handling mechanisms for improved robustness and clarity. Documentation and tests have been updated accordingly.
Key Changes:
1. **HashiCorp Vault Integration:**
* Introduced a new `!VAULT` YAML tag, allowing users to seamlessly fetch secrets directly from HashiCorp Vault within their YAML configuration files.
* Implemented `vault_constructor` for the YAML loader to process the `!VAULT` tag, handling path and key parsing.
* Added `_get_vault_client` helper function for robust Vault client initialization, including authentication using `VAULT_TOKEN`.
* Configuration for Vault access is managed via `VAULT_ADDR` and `VAULT_TOKEN` environment variables.
* The `hvac` library has been added as a new core dependency for Vault communication.
2. **Explicit Error Handling with Custom Exceptions:**
* Core library functions (including `_load_fernet_key`, `_get_vault_client`, `encrypt_string_value`, `load_yaml_secrets`, YAML tag constructors like `sec_constructor` & `vault_constructor`, and `sec_representer` in the dumper) have been refactored.
* These functions now raise specific, custom exceptions (e.g., `KeylockerFileError`, `KeylockerEncryptionError`, `KeylockerConfigError`, `KeylockerVaultError`, `VaultClientNotInitializedError`, `VaultKeyNotFoundError`, `VaultInvalidPathError`) instead of printing error messages and returning `None` or directly calling `sys.exit()`. This makes the library's error contract clearer and facilitates better error handling by calling code.
* A bug in `vault_constructor` was fixed where custom exceptions like `VaultKeyNotFoundError` were being incorrectly caught and re-wrapped by a generic `except Exception` block. The `try-except` structure within `vault_constructor` has been refined for correct propagation of specific custom exceptions.
3. **CLI Enhancements (`Manager` class):**
* The CLI command methods (`view`, `encrypt`) within the `Manager` class have been updated to catch the newly introduced specific exceptions from the core library functions.
* These CLI methods now output user-friendly error messages to `stderr` and exit with appropriate non-zero status codes, adhering to standard CLI best practices.
4. **Testing (`pytest`):**
* A new suite of `pytest` unit tests (`tests/test_keylocker_vault.py`) has been developed to cover the HashiCorp Vault integration, including various success and failure scenarios.
* Existing unit tests for Fernet key management, `!SEC` tag processing, and `!ENV` tag resolution (`tests/test_keylocker_yaml.py`) have been updated and refactored to align with the new exception-based error handling paradigm (e.g., using `pytest.raises` to assert specific exceptions).
* Minor issues in test setup, such as missing imports (e.g., `Fernet` in test files), have been resolved.
5. **Documentation (`README.md`):**
* The `README.md` file has been extensively updated to accurately reflect all new features and significant changes.
* Comprehensive documentation for the HashiCorp Vault integration has been added, including details on the `!VAULT` tag syntax and the required `VAULT_ADDR` and `VAULT_TOKEN` environment variables.
* Python code usage examples in `README.md` have been revised to demonstrate best practices for `try-except` blocks to handle the new specific `KeylockerError` exceptions.
* Bash usage examples have also been updated.
* The entire `README.md` content has been translated into English.
6. **Dependencies:**
* `hvac` has been added to `requirements.txt` as a runtime dependency.
* `pytest` and `pytest-mock` are confirmed as development dependencies for the test suite.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit introduces significant new functionality by adding support for HashiCorp Vault secret fetching and completely refactors the library's error handling mechanisms for improved robustness and clarity. Documentation and tests have been updated accordingly.
Key Changes:
HashiCorp Vault Integration:
!VAULTYAML tag, allowing users to seamlessly fetch secrets directly from HashiCorp Vault within their YAML configuration files.vault_constructorfor the YAML loader to process the!VAULTtag, handling path and key parsing._get_vault_clienthelper function for robust Vault client initialization, including authentication usingVAULT_TOKEN.VAULT_ADDRandVAULT_TOKENenvironment variables.hvaclibrary has been added as a new core dependency for Vault communication.Explicit Error Handling with Custom Exceptions:
_load_fernet_key,_get_vault_client,encrypt_string_value,load_yaml_secrets, YAML tag constructors likesec_constructor&vault_constructor, andsec_representerin the dumper) have been refactored.KeylockerFileError,KeylockerEncryptionError,KeylockerConfigError,KeylockerVaultError,VaultClientNotInitializedError,VaultKeyNotFoundError,VaultInvalidPathError) instead of printing error messages and returningNoneor directly callingsys.exit(). This makes the library's error contract clearer and facilitates better error handling by calling code.vault_constructorwas fixed where custom exceptions likeVaultKeyNotFoundErrorwere being incorrectly caught and re-wrapped by a genericexcept Exceptionblock. Thetry-exceptstructure withinvault_constructorhas been refined for correct propagation of specific custom exceptions.CLI Enhancements (
Managerclass):view,encrypt) within theManagerclass have been updated to catch the newly introduced specific exceptions from the core library functions.stderrand exit with appropriate non-zero status codes, adhering to standard CLI best practices.Testing (
pytest):pytestunit tests (tests/test_keylocker_vault.py) has been developed to cover the HashiCorp Vault integration, including various success and failure scenarios.!SECtag processing, and!ENVtag resolution (tests/test_keylocker_yaml.py) have been updated and refactored to align with the new exception-based error handling paradigm (e.g., usingpytest.raisesto assert specific exceptions).Fernetin test files), have been resolved.Documentation (
README.md):README.mdfile has been extensively updated to accurately reflect all new features and significant changes.!VAULTtag syntax and the requiredVAULT_ADDRandVAULT_TOKENenvironment variables.README.mdhave been revised to demonstrate best practices fortry-exceptblocks to handle the new specificKeylockerErrorexceptions.README.mdcontent has been translated into English.Dependencies:
hvachas been added torequirements.txtas a runtime dependency.pytestandpytest-mockare confirmed as development dependencies for the test suite.