From 60c7d15d801f0cc3428ece4c81d00bff12847922 Mon Sep 17 00:00:00 2001 From: James Page Date: Thu, 19 Apr 2018 16:10:15 +0100 Subject: [PATCH] Ensure security of etcd connection The code assumes that etc.tls.available has been set; however that might not be the case so guard the configuration of vault to use etcd to check for this flag before adding etcd configuration. Change-Id: I52f6fb2db309564634ba1698bd7905b2c1e8ceeb --- src/reactive/vault.py | 5 +++-- unit_tests/test_vault.py | 3 +++ 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/reactive/vault.py b/src/reactive/vault.py
index eb01e34..525a5fc 100644
--- a/src/reactive/vault.py
+++ b/src/reactive/vault.py
@@ -169,8 +169,9 @@ def configure_vault(context):
 log("Running configure_vault", level=DEBUG)
 context['disable_mlock'] = config()['disable-mlock']
 context['ssl_available'] = is_state('vault.ssl.available')
- etcd = endpoint_from_flag('etcd.available')
- if etcd:
+
+ if is_flag_set('etcd.tls.available'):
+ etcd = endpoint_from_flag('etcd.available')
 log("Etcd detected, adding to context", level=DEBUG)
 context['etcd_conn'] = etcd.connection_string()
 context['etcd_tls_ca_file'] = '/var/snap/vault/common/etcd-ca.pem'
diff --git a/unit_tests/test_vault.py b/unit_tests/test_vault.py
index 04105ba..68959e9 100644
--- a/unit_tests/test_vault.py
+++ b/unit_tests/test_vault.py
@@ -104,6 +104,7 @@ class TestHandlers(unittest.TestCase):
 db_context = {
 'storage_name': 'psql',
 'psql_db_conn': 'myuri'}
+ self.is_flag_set.return_value = False
 self.endpoint_from_flag.return_value = None
 handlers.configure_vault(db_context)
 expected_context = {
@@ -235,6 +236,7 @@ class TestHandlers(unittest.TestCase):
 self.config.return_value = {'disable-mlock': False}
 etcd_mock = mock.MagicMock()
 etcd_mock.connection_string.return_value = 'http://etcd'
+ self.is_flag_set.return_value = True
 self.endpoint_from_flag.return_value = etcd_mock
 self.is_state.return_value = True
 handlers.configure_vault({})
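Review bot: The new branch in configure_vault drops the `if etcd:` None guard the removed lines had, so if `etcd.tls.available` is set while `endpoint_from_flag('etcd.available')` returns None, `etcd.connection_string()` on the next context line raises AttributeError instead of skipping the etcd section. Whether the interface guarantees that the TLS flag is never set without the endpoint is not visible here, so keeping both checks costs nothing: `etcd = endpoint_from_flag('etcd.available')` followed by `if is_flag_set('etcd.tls.available') and etcd:`. The security intent of the gate is sound — no `etcd_conn` should reach the vault config unless the TLS material is available — but the hunk only shows the CA path being set; the code that actually writes the CA/cert files, and the rest of configure_vault, lies outside the hunk, so that this path is only valid once those files exist should be confirmed there. The commit message refers to `etc.tls.available`, while the flag the code checks is `etcd.tls.available`.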
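Review bot: The etcd test at -235 sets `self.is_flag_set.return_value = True`, which answers True for every flag name, so it does not show that configure_vault gates on `etcd.tls.available` specifically rather than on any flag it happens to query. A side_effect keyed on the name is stronger: `self.is_flag_set.side_effect = lambda flag: flag == 'etcd.tls.available'`. There is also no test for the mismatched state the commit message is about — TLS flag set but no endpoint — which the new code reaches by calling `endpoint_from_flag` unguarded; a case with `self.is_flag_set.return_value = True` and `self.endpoint_from_flag.return_value = None` that asserts `'etcd_conn'` is absent from the context would pin the intended behaviour. The test methods begin and end outside the hunks shown.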
@@ -266,6 +268,7 @@ class TestHandlers(unittest.TestCase): cert=expected_context['etcd_tls_cert_file'], ca=expected_context['etcd_tls_ca_file'], ) + self.is_flag_set.assert_called_with('etcd.tls.available') @patch.object(handlers.hvac, 'Client') @patch.object(handlers, 'get_api_url')
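Review bot: `self.is_flag_set.assert_called_with('etcd.tls.available')` only inspects the most recent call to the mock, so if configure_vault queries any other flag after the etcd check the assertion would fail (or, if that query used the same name, pass vacuously). `self.is_flag_set.assert_any_call('etcd.tls.available')` states the actual requirement — that the TLS flag was consulted — independent of call order. The enclosing test method starts before this hunk.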