Python-pyo3: add library interface #833
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Integration Tests | |
on: | |
push: | |
branches: | |
- master | |
- main | |
paths: | |
- "!**/README.md" | |
pull_request: | |
permissions: | |
id-token: write | |
contents: read | |
# Cancel previous runs for PRs but not pushes to main | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} | |
cancel-in-progress: true | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
lang: [go, rust] | |
defaults: | |
run: | |
working-directory: ${{matrix.lang}} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: dtolnay/rust-toolchain@stable | |
if: ${{ matrix.lang == 'rust'}} | |
- uses: Swatinem/[email protected] | |
if: ${{ matrix.lang == 'rust'}} | |
with: | |
# The build script creates a `release` build so use separate cache | |
key: "release" | |
- uses: actions/setup-go@v5 | |
if: ${{ matrix.lang == 'go'}} | |
with: | |
go-version: ">=1.21.0" | |
cache-dependency-path: go/go.sum | |
- name: Run build script for compiled languages | |
run: "./build.sh" | |
- name: Upload built binaries | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{matrix.lang}} | |
path: ${{matrix.lang}}/vault | |
tests: | |
needs: build | |
runs-on: ubuntu-latest | |
env: | |
# VAULT_STACK overwrites default 'vault' for vaults | |
VAULT_STACK: nitor-vault-integration-testing | |
# at the moment we store to the values to fixed keys so this needs to have limited concurrency | |
concurrency: "integration-test" | |
steps: | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_CI_ROLE }} | |
role-session-name: GitHubVaultIntegrationTests | |
aws-region: eu-west-1 | |
- uses: actions/checkout@v4 | |
- name: Download artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
path: bin | |
- uses: pnpm/action-setup@v4 | |
with: | |
version: 9 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: 20 | |
cache: "pnpm" | |
cache-dependency-path: nodejs/pnpm-lock.yaml | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: 3.x | |
cache: pip | |
- name: Install zip | |
run: sudo apt-get install zip unzip | |
- name: Build node vault | |
run: pnpm install --frozen-lockfile && pnpm build | |
working-directory: nodejs | |
- name: Install Python vault | |
run: python -m pip install . | |
working-directory: python | |
- name: Add execute rights and run --version for all versions | |
run: | | |
chmod +x bin/go/vault bin/rust/vault nodejs/dist/cli/vault.js | |
vault --version | |
bin/go/vault --version | |
bin/rust/vault --version | |
nodejs/dist/cli/vault.js --version | |
- name: Check help output | |
run: | | |
echo "============================== Python Vault CLI ==============================" | |
vault --help | |
echo "------------------------------------------------------------------------------" | |
echo "================================= Go Vault CLI ===============================" | |
bin/go/vault --help | |
echo "------------------------------------------------------------------------------" | |
echo "================================ Rust Vault CLI ==============================" | |
bin/rust/vault -h | |
echo "------------------------------------------------------------------------------" | |
echo "=============================== Node.js Vault CLI ============================" | |
nodejs/dist/cli/vault.js --help | |
- name: Store secret with Python | |
run: vault -s 'secret-python' -v 'sha-${{github.sha}}' -w | |
- name: Store secret with Go | |
run: bin/go/vault -s 'secret-go' -v 'sha-${{github.sha}}' -w | |
- name: Store secret with Rust | |
run: bin/rust/vault -s 'secret-rust' -v 'sha-${{github.sha}}' -w | |
- name: Store secret with Nodejs | |
run: nodejs/dist/cli/vault.js s 'secret-nodejs' 'sha-${{github.sha}}' -w | |
- name: Validate storing worked Python | |
run: diff <(vault -l secret-python) <(echo -n sha-${{github.sha}}) | |
- name: Validate Go and Rust secret equality with Python | |
run: diff <(vault -l secret-go) <(vault -l secret-rust) | |
- name: Validate Python secret equality with Rust and Go | |
run: diff <(bin/rust/vault -l secret-python) <(bin/go/vault -l secret-python) | |
- name: Validate Rust and Python secret equality with Go and Nodejs | |
run: diff <(bin/go/vault -l secret-rust) <(nodejs/dist/cli/vault.js lookup secret-python) | |
- name: Validate Go and Python secret equality with Rust and Go | |
run: diff <(bin/rust/vault -l secret-go) <(bin/go/vault -l secret-python) | |
- name: Validate Python and Nodejs secret equality with Rust | |
run: diff <(bin/rust/vault -l secret-python) <(bin/rust/vault -l secret-nodejs) | |
- name: Validate Rust and Go secret equality with Nodejs and Go | |
run: diff <(bin/rust/vault -l secret-rust) <(nodejs/dist/cli/vault.js lookup secret-nodejs) | |
- name: Delete secret with Python | |
run: vault -d 'secret-python' | |
- name: Delete secret with Go | |
run: bin/go/vault -d 'secret-go' | |
- name: Delete secret with Rust | |
run: bin/rust/vault -d 'secret-rust' | |
- name: Delete secret with Nodejs | |
run: nodejs/dist/cli/vault.js d 'secret-nodejs' | |
- name: Verify that keys have been deleted using Rust | |
run: | | |
bin/rust/vault exists secret-python | grep -q "key 'secret-python' does not exist" | |
bin/rust/vault exists secret-go | grep -q "key 'secret-go' does not exist" | |
bin/rust/vault exists secret-rust | grep -q "key 'secret-rust' does not exist" | |
bin/rust/vault exists secret-nodejs | grep -q "key 'secret-nodejs' does not exist" | |
- name: Create dummy text file | |
run: echo "Vault test ${{ github.sha }} ${{ github.ref_name }}" > test.txt | |
- name: Zip the text file | |
run: zip "secret-${{github.sha}}.zip" test.txt | |
- name: Store zip file using Python | |
run: vault --store --file "secret-${{github.sha}}.zip" | |
- name: Lookup the stored zip file and write to output | |
run: vault -l "secret-${{github.sha}}.zip" > output-python.zip | |
- name: Extract the retrieved zip file | |
run: unzip output-python.zip -d extracted-python | |
- name: Verify the extracted file content | |
run: diff extracted-python/test.txt test.txt | |
- name: Delete secret with Python | |
run: vault -d "secret-${{github.sha}}.zip" | |
- name: Verify that key has been deleted with Rust | |
run: bin/rust/vault exists secret-${{github.sha}}.zip | grep -q "does not exist" | |
- name: Store zip file using Rust vault | |
run: bin/rust/vault --store --file "secret-${{github.sha}}.zip" | |
- name: Lookup the stored zip file and write to output | |
run: bin/rust/vault -l "secret-${{github.sha}}.zip" > output-rust.zip | |
- name: Extract the retrieved zip file | |
run: unzip output-rust.zip -d extracted-rust | |
- name: Verify the extracted file content | |
run: diff extracted-rust/test.txt test.txt | |
- name: Delete secret with Rust | |
run: bin/rust/vault -d "secret-${{github.sha}}.zip" | |
- name: Verify that keys have been deleted using Rust | |
run: | | |
bin/rust/vault exists secret-python | grep -q "key 'secret-python' does not exist" | |
bin/rust/vault exists secret-python-pyo3 | grep -q "key 'secret-python-pyo3' does not exist" | |
bin/rust/vault exists secret-go | grep -q "key 'secret-go' does not exist" | |
bin/rust/vault exists secret-rust | grep -q "key 'secret-rust' does not exist" | |
bin/rust/vault exists secret-nodejs | grep -q "key 'secret-nodejs' does not exist" | |
- name: Check Python vault package | |
run: python -m pip show nitor-vault | |
- name: Store secret using Python library | |
run: | | |
python -c "from n_vault import Vault; Vault().store('secret-python-library', 'sha-${{github.sha}}')" | |
- name: Verify secret using Python library | |
run: | | |
python -c "from n_vault import Vault; print('true') if Vault().exists('secret-python-library') else print('false')" | grep -q "true" | |
- name: Validate storing worked with Rust | |
run: diff <(bin/rust/vault -l secret-python-library) <(echo -n sha-${{github.sha}}) | |
- name: Lookup with Python library | |
run: | | |
diff <(python -c "from n_vault import Vault; print(Vault().lookup('secret-python-library').decode('utf-8'), end='', flush=True)") <(echo -n sha-${{github.sha}}) | |
- name: List with Python library | |
run: python -c "from n_vault import Vault; print('\n'.join(Vault().list_all()))" | |
- name: Delete with Python library | |
run: python -c "from n_vault import Vault; Vault().delete('secret-python-library')" | |
- name: Verify that key has been deleted with Rust | |
run: bin/rust/vault exists secret-python-library | grep -q "key 'secret-python-library' does not exist" | |
- name: Install Python PyO3 vault | |
run: python -m pip install --force-reinstall . | |
working-directory: python-pyo3 | |
- name: Check version | |
run: vault --version | |
- name: Check help output | |
run: | | |
echo "============================ Python-pyo3 Vault CLI ===========================" | |
vault -h | |
echo "------------------------------------------------------------------------------" | |
echo "================================ Rust Vault CLI ==============================" | |
bin/rust/vault -h | |
echo "------------------------------------------------------------------------------" | |
- name: Store secret with Python-pyo3 | |
run: vault -s 'secret-python-pyo3' -v 'sha-${{github.sha}}' -w | |
- name: Validate storing worked Python-pyo3 | |
run: diff <(vault -l secret-python-pyo3) <(echo -n sha-${{github.sha}}) | |
- name: Store secret with Go | |
run: bin/go/vault -s 'secret-go' -v 'sha-${{github.sha}}' -w | |
- name: Store secret with Rust | |
run: bin/rust/vault -s 'secret-rust' -v 'sha-${{github.sha}}' -w | |
- name: Store secret with Nodejs | |
run: nodejs/dist/cli/vault.js s 'secret-nodejs' 'sha-${{github.sha}}' -w | |
- name: Validate Go and Rust secret equality with Python-pyo3 | |
run: diff <(vault -l secret-go) <(vault -l secret-rust) | |
- name: Validate Python-pyo3 secret equality with Rust and Go | |
run: diff <(bin/rust/vault -l secret-python-pyo3) <(bin/go/vault -l secret-python-pyo3) | |
- name: Validate Nodejs and Python-pyo3 secret equality with Nodejs | |
run: diff <(nodejs/dist/cli/vault.js l secret-nodejs) <(vault -l secret-python-pyo3) | |
- name: Delete secret with Python-pyo3 | |
run: vault -d 'secret-python-pyo3' | |
- name: Delete secret with Python-pyo3 | |
run: vault -d 'secret-rust' | |
- name: Delete secret with Python-pyo3 | |
run: vault -d 'secret-go' | |
- name: Delete secret with Python-pyo3 | |
run: vault -d 'secret-nodejs' | |
- name: Verify that keys have been deleted using Python-pyo3 | |
run: | | |
vault exists secret-python | grep -q "key 'secret-python' does not exist" | |
vault exists secret-python-pyo3 | grep -q "key 'secret-python-pyo3' does not exist" | |
vault exists secret-go | grep -q "key 'secret-go' does not exist" | |
vault exists secret-rust | grep -q "key 'secret-rust' does not exist" | |
vault exists secret-nodejs | grep -q "key 'secret-nodejs' does not exist" | |
- name: Store zip file using Python-pyo3 | |
run: vault store --file "secret-${{github.sha}}.zip" | |
- name: Lookup the stored zip file and write to output | |
run: vault lookup "secret-${{github.sha}}.zip" > output-python-pyo3.zip | |
- name: Extract the retrieved zip file | |
run: unzip output-python-pyo3.zip -d extracted-python-pyo3 | |
- name: Verify the extracted file content | |
run: diff extracted-python-pyo3/test.txt test.txt | |
- name: Delete secret with Python-pyo3 | |
run: vault delete "secret-${{github.sha}}.zip" | |
- name: Verify that key has been deleted with Rust | |
run: bin/rust/vault exists secret-${{github.sha}}.zip | grep -q "does not exist" | |
- name: Verify that key has been deleted with Python-pyo3 | |
run: vault exists secret-${{github.sha}}.zip | grep -q "does not exist" | |
- name: Check Python vault package | |
run: python -m pip show nitor-vault | |
- name: Delete all keys with Python library | |
run: python -c "from n_vault import Vault; Vault().delete_many(Vault().list_all())" | |
- name: List with Python library | |
run: python -c "from n_vault import Vault; print('\n'.join(Vault().list_all()))" | grep -ve '^\s*$' | wc -l | grep -q "0" | |
- name: Store secret using Python library | |
run: | | |
python -c "from n_vault import Vault; Vault().store('secret-python-library', 'sha-${{github.sha}}')" | |
- name: Verify secret using Python library | |
run: | | |
python -c "from n_vault import Vault; print('true') if Vault().exists('secret-python-library') else print('false')" | grep -q "true" | |
- name: Validate storing worked with Rust | |
run: diff <(bin/rust/vault -l secret-python-library) <(echo -n sha-${{github.sha}}) | |
- name: Lookup with Python library | |
run: | | |
diff <(python -c "from n_vault import Vault; print(Vault().lookup('secret-python-library'), end='', flush=True)") <(echo -n sha-${{github.sha}}) | |
- name: List with Python library | |
run: python -c "from n_vault import Vault; print('\n'.join(Vault().list_all()))" | wc -l | grep -q "1" | |
- name: Delete with Python library | |
run: python -c "from n_vault import Vault; Vault().delete('secret-python-library')" | |
- name: Verify that key has been deleted with Rust | |
run: bin/rust/vault exists secret-python-library | grep -q "key 'secret-python-library' does not exist" |