Ensure security of etcd connection

The code assumes that etc.tls.available has been set; however that
might not be the case so guard the configuration of vault to use
etcd to check for this flag before adding etcd configuration.

Change-Id: I52f6fb2db309564634ba1698bd7905b2c1e8ceeb

src/reactive/vault.py

@@ -169,8 +169,9 @@ def configure_vault(context):
     log("Running configure_vault", level=DEBUG)
     context['disable_mlock'] = config()['disable-mlock']
     context['ssl_available'] = is_state('vault.ssl.available')
-    etcd = endpoint_from_flag('etcd.available')
+
-    if etcd:
+    if is_flag_set('etcd.tls.available'):
+        etcd = endpoint_from_flag('etcd.available')
         log("Etcd detected, adding to context", level=DEBUG)
         context['etcd_conn'] = etcd.connection_string()
         context['etcd_tls_ca_file'] = '/var/snap/vault/common/etcd-ca.pem'

unit_tests/test_vault.py

@@ -104,6 +104,7 @@ class TestHandlers(unittest.TestCase):
         db_context = {
             'storage_name': 'psql',
             'psql_db_conn': 'myuri'}
+        self.is_flag_set.return_value = False
         self.endpoint_from_flag.return_value = None
         handlers.configure_vault(db_context)
         expected_context = {
@@ -235,6 +236,7 @@ class TestHandlers(unittest.TestCase):
         self.config.return_value = {'disable-mlock': False}
         etcd_mock = mock.MagicMock()
         etcd_mock.connection_string.return_value = 'http://etcd'
+        self.is_flag_set.return_value = True
         self.endpoint_from_flag.return_value = etcd_mock
         self.is_state.return_value = True
         handlers.configure_vault({})
@@ -266,6 +268,7 @@ class TestHandlers(unittest.TestCase):
             cert=expected_context['etcd_tls_cert_file'],
             ca=expected_context['etcd_tls_ca_file'],
         )
+        self.is_flag_set.assert_called_with('etcd.tls.available')
 
     @patch.object(handlers.hvac, 'Client')
     @patch.object(handlers, 'get_api_url')