chef 17.2.29-universal-mingw32 → 17.5.22-universal-mingw32

data/spec/unit/resource/rhsm_subscription_spec.rb

@@ -18,15 +18,24 @@
 require "spec_helper"
 
 describe Chef::Resource::RhsmSubscription do
-  let(:resource) { Chef::Resource::RhsmSubscription.new("fakey_fakerton") }
-  let(:provider) { resource.provider_for_action(:attach) }
+  let(:event_dispatch) { Chef::EventDispatch::Dispatcher.new }
+  let(:node) { Chef::Node.new }
+  let(:run_context) { Chef::RunContext.new(node, {}, event_dispatch) }
+
+  let(:pool_id) { "8a8dd78c766232550226b46e59404aba" }
+  let(:resource) { Chef::Resource::RhsmSubscription.new(pool_id, run_context) }
+  let(:provider) { resource.provider_for_action(Array(resource.action).first) }
+
+  before do
+    allow(resource).to receive(:provider_for_action).with(:attach).and_return(provider)
+  end
 
   it "has a resource name of :rhsm_subscription" do
     expect(resource.resource_name).to eql(:rhsm_subscription)
   end
 
   it "the pool_id property is the name_property" do
-    expect(resource.pool_id).to eql("fakey_fakerton")
+    expect(resource.pool_id).to eql(pool_id)
   end
 
   it "sets the default action as :attach" do
@@ -38,6 +47,44 @@ describe Chef::Resource::RhsmSubscription do
     expect { resource.action :remove }.not_to raise_error
   end
 
+  describe "#action_attach" do
+    let(:yum_package_double) { instance_double("Chef::Resource::YumPackage") }
+    let(:so_double) { instance_double("Mixlib::ShellOut", stdout: "Successfully attached a subscription for: My Subscription", exitstatus: 0, error?: false) }
+
+    before do
+      allow(provider).to receive(:shell_out!).with("subscription-manager attach --pool=#{resource.pool_id}").and_return(so_double)
+      allow(provider).to receive(:build_resource).with(:package, "rhsm_subscription-#{pool_id}-flush_cache").and_return(yum_package_double)
+      allow(yum_package_double).to receive(:run_action).with(:flush_cache)
+    end
+
+    context "when already attached to pool" do
+      before do
+        allow(provider).to receive(:subscription_attached?).with(resource.pool_id).and_return(true)
+      end
+
+      it "does not attach to pool" do
+        expect(provider).not_to receive(:shell_out!)
+        resource.run_action(:attach)
+      end
+    end
+
+    context "when not attached to pool" do
+      before do
+        allow(provider).to receive(:subscription_attached?).with(resource.pool_id).and_return(false)
+      end
+
+      it "attaches to pool" do
+        expect(provider).to receive(:shell_out!).with("subscription-manager attach --pool=#{resource.pool_id}")
+        resource.run_action(:attach)
+      end
+
+      it "flushes package provider cache" do
+        expect(yum_package_double).to receive(:run_action).with(:flush_cache)
+        resource.run_action(:attach)
+      end
+    end
+  end
+
   describe "#subscription_attached?" do
     let(:cmd)    { double("cmd") }
     let(:output) { "Pool ID:    pool123" }

data/spec/unit/resource/systemd_unit_spec.rb

@@ -20,7 +20,7 @@ require "spec_helper"
 
 describe Chef::Resource::SystemdUnit do
   let(:resource) { Chef::Resource::SystemdUnit.new("sysstat-collect.timer") }
-  let(:unit_content_string) { "[Unit]\nDescription = Run system activity accounting tool every 10 minutes\nDocumentation = foo\nDocumentation = bar\n\n[Timer]\nOnCalendar = *:00/10\n\n[Install]\nWantedBy = sysstat.service\n" }
+  let(:unit_content_string) { "[Unit]\nDescription=Run system activity accounting tool every 10 minutes\nDocumentation=foo\nDocumentation=bar\n\n[Timer]\nOnCalendar=*:00/10\n\n[Install]\nWantedBy=sysstat.service\n" }
   let(:unit_content_hash) do
     {
       "Unit" => {

data/spec/unit/resource/user_ulimit_spec.rb

@@ -17,7 +17,6 @@
 #
 
 require "spec_helper"
-
 describe Chef::Resource::UserUlimit do
   let(:node) { Chef::Node.new }
   let(:events) { Chef::EventDispatch::Dispatcher.new }
@@ -50,4 +49,18 @@ describe Chef::Resource::UserUlimit do
     expect { resource.action :create }.not_to raise_error
     expect { resource.action :delete }.not_to raise_error
   end
+
+  describe "sensitive attribute" do
+    context "should be insensitive by default" do
+      it { expect(resource.sensitive).to(be_falsey) }
+    end
+
+    context "when set" do
+      before { resource.sensitive(true) }
+
+      it "should be set on the resource" do
+        expect(resource.sensitive).to(be_truthy)
+      end
+    end
+  end
 end

data/spec/unit/resource/windows_defender_exclusion_spec.rb

@@ -0,0 +1,62 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::WindowsDefenderExclusion do
+  let(:resource) { Chef::Resource::WindowsDefenderExclusion.new("fakey_fakerton") }
+
+  it "sets resource name as :windows_defender_exclusion" do
+    expect(resource.resource_name).to eql(:windows_defender_exclusion)
+  end
+
+  it "sets the default action as :add" do
+    expect(resource.action).to eql([:add])
+  end
+
+  it "supports :add, :remove actions" do
+    expect { resource.action :add }.not_to raise_error
+    expect { resource.action :remove }.not_to raise_error
+  end
+
+  it "paths property defaults to []" do
+    expect(resource.paths).to eql([])
+  end
+
+  it "paths coerces strings to arrays" do
+    resource.paths "foo,bar"
+    expect(resource.paths).to eq(%w{foo bar})
+  end
+
+  it "extensions property defaults to []" do
+    expect(resource.extensions).to eql([])
+  end
+
+  it "extensions coerces strings to arrays" do
+    resource.extensions "foo,bar"
+    expect(resource.extensions).to eq(%w{foo bar})
+  end
+
+  it "process_paths property defaults to []" do
+    expect(resource.process_paths).to eql([])
+  end
+
+  it "process_paths coerces strings to arrays" do
+    resource.process_paths "foo,bar"
+    expect(resource.process_paths).to eq(%w{foo bar})
+  end
+end

data/spec/unit/resource/windows_defender_spec.rb

@@ -0,0 +1,71 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::WindowsDefender do
+  let(:resource) { Chef::Resource::WindowsDefender.new("fakey_fakerton") }
+
+  it "sets resource name as :windows_defender" do
+    expect(resource.resource_name).to eql(:windows_defender)
+  end
+
+  it "sets the default action as :enable" do
+    expect(resource.action).to eql([:enable])
+  end
+
+  it "supports :enable, :disable actions" do
+    expect { resource.action :enable }.not_to raise_error
+    expect { resource.action :disable }.not_to raise_error
+  end
+
+  it "realtime_protection property defaults to true" do
+    expect(resource.realtime_protection).to eql(true)
+  end
+
+  it "intrusion_protection_system property defaults to true" do
+    expect(resource.intrusion_protection_system).to eql(true)
+  end
+
+  it "lock_ui property defaults to true" do
+    expect(resource.lock_ui).to eql(false)
+  end
+
+  it "scan_archives property defaults to true" do
+    expect(resource.scan_archives).to eql(true)
+  end
+
+  it "scan_scripts property defaults to true" do
+    expect(resource.scan_scripts).to eql(false)
+  end
+
+  it "scan_email property defaults to true" do
+    expect(resource.scan_email).to eql(false)
+  end
+
+  it "scan_removable_drives property defaults to true" do
+    expect(resource.scan_removable_drives).to eql(false)
+  end
+
+  it "scan_network_files property defaults to true" do
+    expect(resource.scan_network_files).to eql(false)
+  end
+
+  it "scan_mapped_drives property defaults to true" do
+    expect(resource.scan_mapped_drives).to eql(true)
+  end
+end

data/spec/unit/resource/windows_update_settings_spec.rb

@@ -0,0 +1,64 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# Author:: Tim Smith (tsmith@chef.io)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::WindowsUpdateSettings do
+  let(:resource) { Chef::Resource::WindowsUpdateSettings.new("foobar") }
+
+  it "sets resource name as :windows_update_settings" do
+    expect(resource.resource_name).to eql(:windows_update_settings)
+  end
+
+  it "sets the default action as :set" do
+    expect(resource.action).to eql([:set])
+  end
+
+  it "supports :set and legacy :enable actions" do
+    expect { resource.action :set }.not_to raise_error
+    expect { resource.action :enable }.not_to raise_error
+  end
+
+  it "raises an error if scheduled_install_day isn't a validate day" do
+    expect { resource.scheduled_install_day "Saturday" }.not_to raise_error
+    expect { resource.scheduled_install_day "Sunday" }.not_to raise_error
+    expect { resource.scheduled_install_day "Extraday" }.to raise_error(ArgumentError)
+  end
+
+  it "raises an error if automatic_update_option isn't a validate option" do
+    expect { resource.automatic_update_option 2 }.not_to raise_error
+    expect { resource.automatic_update_option :notify }.not_to raise_error
+    expect { resource.automatic_update_option :nope }.to raise_error(ArgumentError)
+  end
+
+  it "coerces legacy Integer value in automatic_update_option to friendly symbol" do
+    resource.automatic_update_option 2
+    expect(resource.automatic_update_option).to eql(:notify)
+  end
+
+  it "raises an error if scheduled_install_hour isn't a 24 hour clock hour" do
+    expect { resource.scheduled_install_hour 2 }.not_to raise_error
+    expect { resource.scheduled_install_hour 0 }.to raise_error(ArgumentError)
+    expect { resource.scheduled_install_hour 25 }.to raise_error(ArgumentError)
+  end
+
+  it "raises an error if custom_detection_frequency isn't a valid frequency" do
+    expect { resource.custom_detection_frequency 0 }.not_to raise_error
+    expect { resource.custom_detection_frequency 23 }.to raise_error(ArgumentError)
+  end
+end

data/spec/unit/resource_spec.rb

@@ -1172,21 +1172,23 @@ describe Chef::Resource do
       action :base_action3, description: "unmodified base action 3 desc" do; end
     end
 
+    let(:resource_inst) { TestResource.new("TestResource", nil) }
+
     it "returns nil when no description was provided for the action" do
-      expect(TestResource.action_description(:base_action0)).to eql(nil)
+      expect(resource_inst.action_description(:base_action0)).to eql(nil)
     end
 
     context "when action definition is a string" do
       it "returns the description whether a symbol or string is used to look it up" do
-        expect(TestResource.action_description("string_action")).to eql("a string test")
-        expect(TestResource.action_description(:string_action)).to eql("a string test")
+        expect(resource_inst.action_description("string_action")).to eql("a string test")
+        expect(resource_inst.action_description(:string_action)).to eql("a string test")
       end
     end
 
     context "when action definition is a symbol" do
       it "returns the description whether a symbol or string is used to look up" do
-        expect(TestResource.action_description("symbol_action")).to eql("a symbol test")
-        expect(TestResource.action_description(:symbol_action)).to eql("a symbol test")
+        expect(resource_inst.action_description("symbol_action")).to eql("a symbol test")
+        expect(resource_inst.action_description(:symbol_action)).to eql("a symbol test")
       end
     end
 
@@ -1196,14 +1198,23 @@ describe Chef::Resource do
         action :base_action3 do; end
       end
 
+      class TestResourceChild2 < TestResource
+        # We should never see this description
+        action :base_action2, description: "if you see this in an error, TestResourceChild was polluted with this description" do; end
+      end
+      let(:resource_inst) { TestResourceChild.new("TestResource", nil) }
+
       it "returns original description when a described action is not overridden in child resource" do
-        expect(TestResourceChild.action_description(:base_action1)).to eq "unmodified base action 1 desc"
+        expect(resource_inst.action_description(:base_action1)).to eq "unmodified base action 1 desc"
       end
       it "returns original description when the child resource overrides an inherited action but NOT its description" do
-        expect(TestResourceChild.action_description(:base_action3)).to eq "unmodified base action 3 desc"
+        expect(resource_inst.action_description(:base_action3)).to eq "unmodified base action 3 desc"
+      end
+      it "returns new description when the child resource overrides an inherited action and its description" do
+        expect(resource_inst.action_description(:base_action2)).to eq "modified base action 2 desc"
       end
       it "returns new description when the child resource overrides an inherited action and its description" do
-        expect(TestResourceChild.action_description(:base_action2)).to eq "modified base action 2 desc"
+        expect(resource_inst.action_description(:base_action2)).to eq "modified base action 2 desc"
       end
     end
   end

data/spec/unit/secret_fetcher/akeyless_vault_spec.rb

@@ -0,0 +1,37 @@
+#
+# Author:: Marc Paradise <marc@chef.io>
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../../spec_helper"
+require "chef/secret_fetcher/akeyless_vault"
+
+describe Chef::SecretFetcher::AKeylessVault do
+  let(:node) { {} }
+  let(:run_context) { double("run_context", node: node) }
+
+  context "when validating provided AKeyless Vault configuration" do
+    it "raises ConfigurationInvalid when :secret_access_key is not provided" do
+      fetcher = Chef::SecretFetcher::AKeylessVault.new( { access_id: "provided" }, run_context)
+      expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid, /:secret_access_key/)
+    end
+
+    it "raises ConfigurationInvalid when :access_key_id is not provided" do
+      fetcher = Chef::SecretFetcher::AKeylessVault.new( { access_key: "provided" }, run_context)
+      expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid, /:access_key_id/)
+    end
+  end
+end

data/spec/unit/secret_fetcher/aws_secrets_manager_spec.rb

@@ -0,0 +1,70 @@
+#
+# Author:: Marc Paradise <marc@chef.io>
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+
+require_relative "../../spec_helper"
+require "chef/secret_fetcher/aws_secrets_manager"
+
+describe Chef::SecretFetcher::AWSSecretsManager do
+  let(:node) { {} }
+  let(:aws_global_config) { {} }
+  let(:fetcher_config) { {} }
+  let(:run_context) { double("run_context", node: node) }
+  let(:fetcher) {
+    Chef::SecretFetcher::AWSSecretsManager.new( fetcher_config, run_context )
+  }
+
+  before do
+    allow(Aws).to receive(:config).and_return(aws_global_config)
+  end
+
+  context "when region is provided" do
+    let(:fetcher_config) { { region: "region-from-caller" } }
+    it "uses the provided region" do
+      fetcher.validate!
+      expect(fetcher.config[:region]).to eq "region-from-caller"
+    end
+  end
+
+  context "when region is not provided" do
+    context "and no region exists in AWS config or node attributes" do
+      it "raises a ConfigurationInvalid error" do
+        expect { fetcher.validate! }.to raise_error Chef::Exceptions::Secret::ConfigurationInvalid
+      end
+    end
+
+    context "and region exists in AWS config and node attributes" do
+      let(:aws_global_config)  { { region: "region-from-aws-global-config" } }
+      let(:node) { { "ec2" => { "region" => "region-from-ohai-data" } } }
+      it "uses the region from AWS config" do
+        fetcher.validate!
+        expect(fetcher.config[:region]).to eq "region-from-aws-global-config"
+      end
+    end
+
+    context "and region exists only in node attributes" do
+      let(:node) { { "ec2" => { "region" => "region-from-ohai-data" } } }
+      it "uses the region from AWS config" do
+        fetcher.validate!
+        expect(fetcher.config[:region]).to eq "region-from-ohai-data"
+      end
+
+    end
+
+  end
+end

data/spec/unit/secret_fetcher/azure_key_vault_spec.rb

@@ -0,0 +1,70 @@
+
+#
+# Author:: Marc Paradise <marc@chef.io>
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../../spec_helper"
+require "chef/secret_fetcher"
+require "chef/secret_fetcher/azure_key_vault"
+
+describe Chef::SecretFetcher::AzureKeyVault do
+  let(:config) { { vault: "my_vault" } }
+  let(:fetcher) { Chef::SecretFetcher::AzureKeyVault.new(config, nil) }
+
+  context "when performing a fetch" do
+    let(:body) { '{ "value" : "my secret value" }' }
+    let(:response_mock) { double("response", body: body) }
+    let(:http_mock) { double("http", :get => response_mock, :use_ssl= => nil) }
+
+    before do
+      allow(fetcher).to receive(:fetch_token).and_return "a token"
+      allow(Net::HTTP).to receive(:new).and_return(http_mock)
+    end
+
+    context "and vault name is only provided in the secret name" do
+      let(:body) { '{ "value" : "my secret value" }' }
+      let(:config) { {} }
+      it "fetches the value" do
+        expect(fetcher.fetch("my_vault/value")).to eq "my secret value"
+      end
+    end
+
+    context "and vault name is not provided in the secret name" do
+      context "and vault name is not provided in config" do
+        let(:config) { {} }
+        it "raises a ConfigurationInvalid exception" do
+          expect { fetcher.fetch("value") }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
+        end
+      end
+
+      context "and vault name is provided in config" do
+        let(:config) { { vault: "my_vault" } }
+        it "fetches the value" do
+          expect(fetcher.fetch("value")).to eq "my secret value"
+        end
+      end
+    end
+    context "and an error response is received in the body" do
+      let(:config) { { vault: "my_vault" } }
+      let(:body) { '{ "error" : { "code" : 404, "message" : "secret not found" } }' }
+      it "raises FetchFailed" do
+        expect { fetcher.fetch("value") }.to raise_error(Chef::Exceptions::Secret::FetchFailed)
+      end
+    end
+  end
+end
+

data/spec/unit/secret_fetcher/hashi_vault_spec.rb

@@ -0,0 +1,80 @@
+#
+# Author:: Marc Paradise <marc@chef.io>
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../../spec_helper"
+require "chef/secret_fetcher/hashi_vault"
+
+describe Chef::SecretFetcher::HashiVault do
+  let(:node) { {} }
+  let(:run_context) { double("run_context", node: node) }
+
+  context "when validating provided HashiVault configuration" do
+    it "raises ConfigurationInvalid when the :auth_method is not valid" do
+      fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :invalid, vault_addr: "https://vault.example.com:8200" }, run_context)
+      expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid, /:auth_method/)
+    end
+
+    it "raises ConfigurationInvalid when the vault_addr is not provided" do
+      fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, role_name: "example-role" }, run_context)
+      expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
+    end
+
+    context "and using auth_method: :iam_role" do
+      it "raises ConfigurationInvalid when the role_name is not provided" do
+        fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, vault_addr: "https://vault.example.com:8200" }, run_context)
+        expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
+      end
+
+      it "obtains a token via AWS IAM auth to allow the gem to do its own validations when all required config is provided" do
+        fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, vault_addr: "https://vault.example.com:8200", role_name: "example-role" }, run_context)
+        allow(Aws::InstanceProfileCredentials).to receive(:new).and_return instance_double(Aws::InstanceProfileCredentials)
+        auth_double = instance_double(Vault::Authenticate)
+        expect(auth_double).to receive(:aws_iam)
+        allow(Vault).to receive(:auth).and_return(auth_double)
+        fetcher.validate!
+      end
+    end
+
+    context "and using auth_method: :token" do
+      it "raises ConfigurationInvalid when no token is provided" do
+        fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :token, vault_addr: "https://vault.example.com:8200" }, run_context)
+        expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
+      end
+
+      it "authenticates using the token during validation when all configuration is correct" do
+        fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :token, token: "t.1234abcd", vault_addr: "https://vault.example.com:8200" }, run_context)
+        auth = instance_double(Vault::Authenticate)
+        auth_double = instance_double(Vault::Authenticate)
+        expect(auth_double).to receive(:token)
+        allow(Vault).to receive(:auth).and_return(auth_double)
+        fetcher.validate!
+      end
+    end
+  end
+
+  context "when fetching a secret from Hashi Vault" do
+    it "raises an FetchFailed message when no secret is returned due to invalid engine path" do
+      fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :invalid, vault_addr: "https://vault.example.com:8200" }, run_context)
+      logical_double = instance_double(Vault::Logical)
+      expect(logical_double).to receive(:read).and_return nil
+      expect(Vault).to receive(:logical).and_return(logical_double)
+      expect { fetcher.do_fetch("anything", nil) }.to raise_error(Chef::Exceptions::Secret::FetchFailed)
+    end
+  end
+end
+