hybrid_platforms_conductor 32.18.0 → 33.0.0

data/lib/hybrid_platforms_conductor/hpc_plugins/secrets_reader/cli.rb

@@ -0,0 +1,75 @@
+require 'hybrid_platforms_conductor/secrets_reader'
+
+module HybridPlatformsConductor
+
+  module HpcPlugins
+
+    module SecretsReader
+
+      # Get secrets from the command-line
+      class Cli < HybridPlatformsConductor::SecretsReader
+
+        # Constructor
+        #
+        # Parameters::
+        # * *logger* (Logger): Logger to be used [default: Logger.new(STDOUT)]
+        # * *logger_stderr* (Logger): Logger to be used for stderr [default: Logger.new(STDERR)]
+        # * *config* (Config): Config to be used. [default: Config.new]
+        # * *cmd_runner* (CmdRunner): CmdRunner to be used. [default: CmdRunner.new]
+        # * *nodes_handler* (NodesHandler): Nodes handler to be used. [default: NodesHandler.new]
+        def initialize(
+          logger: Logger.new(STDOUT),
+          logger_stderr: Logger.new(STDERR),
+          config: Config.new,
+          cmd_runner: CmdRunner.new,
+          nodes_handler: NodesHandler.new
+        )
+          super
+          @secrets_files = []
+        end
+
+        # Complete an option parser with options meant to control this secrets reader
+        # [API] - This method is optional
+        #
+        # Parameters::
+        # * *options_parser* (OptionParser): The option parser to complete
+        def options_parse(options_parser)
+          options_parser.on('-e', '--secrets JSON_FILE', 'Specify a secrets location from a local JSON file. Can be specified several times.') do |file|
+            @secrets_files << file
+          end
+        end
+
+        # Return secrets for a given service to be deployed on a node.
+        # [API] - This method is mandatory
+        # [API] - The following API components are accessible:
+        # * *@config* (Config): Main configuration API.
+        # * *@cmd_runner* (CmdRunner): Command Runner API.
+        # * *@nodes_handler* (NodesHandler): Nodes handler API.
+        #
+        # Parameters::
+        # * *node* (String): Node to be deployed
+        # * *service* (String): Service to be deployed
+        # Result::
+        # * Hash: The secrets
+        def secrets_for(node, service)
+          # As we are dealing with global secrets, cache the reading for performance between nodes and services.
+          unless defined?(@secrets)
+            @secrets = {}
+            @secrets_files.each do |secrets_file|
+              raise "Missing secrets file: #{secrets_file}" unless File.exist?(secrets_file)
+              @secrets.merge!(JSON.parse(File.read(secrets_file))) do |key, value1, value2|
+                raise "Secret #{key} has conflicting values between different secret JSON files." if value1 != value2
+                value1
+              end
+            end
+          end
+          @secrets
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/hybrid_platforms_conductor/hpc_plugins/secrets_reader/my_secrets_reader_plugin.rb.sample

@@ -0,0 +1,46 @@
+require 'hybrid_platforms_conductor/secrets_reader'
+
+module HybridPlatformsConductor
+
+  module HpcPlugins
+
+    module SecretsReader
+
+      # Read secrets from a secrets source
+      class MySecretsReaderPlugin < HybridPlatformsConductor::SecretsReader
+
+        # Complete an option parser with options meant to control this secrets reader
+        # [API] - This method is optional
+        #
+        # Parameters::
+        # * *options_parser* (OptionParser): The option parser to complete
+        def options_parse(options_parser)
+          @key_file = nil
+          options_parser.on('--key-file FILE', 'Key file decrypting a secret vault.') do |file|
+            @key_file = file
+          end
+        end
+
+        # Return secrets for a given service to be deployed on a node.
+        # [API] - This method is mandatory
+        # [API] - The following API components are accessible:
+        # * *@config* (Config): Main configuration API.
+        # * *@cmd_runner* (CmdRunner): Command Runner API.
+        # * *@nodes_handler* (NodesHandler): Nodes handler API.
+        #
+        # Parameters::
+        # * *node* (String): Node to be deployed
+        # * *service* (String): Service to be deployed
+        # Result::
+        # * Hash: The secrets
+        def secrets_for(node, service)
+          JSON.parse(Vault.decrypt("/path/to/#{node}_#{service}.vault", key: @key_file))
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/hybrid_platforms_conductor/hpc_plugins/secrets_reader/thycotic.rb

@@ -0,0 +1,87 @@
+require 'hybrid_platforms_conductor/secrets_reader'
+require 'hybrid_platforms_conductor/thycotic'
+
+module HybridPlatformsConductor
+
+  module HpcPlugins
+
+    module SecretsReader
+
+      # Get secrets from a Thycotic secrets server
+      class Thycotic < HybridPlatformsConductor::SecretsReader
+
+        # Extend the Config DSL
+        module ConfigDSLExtension
+
+          # List of defined Thycotic secrets. Each info has the following properties:
+          # * *nodes_selectors_stack* (Array<Object>): Stack of nodes selectors impacted by this rule.
+          # * *thycotic_url* (String): Thycotic URL.
+          # * *secret_id* (Integer): Thycotic secret ID.
+          # Array< Hash<Symbol, Object> >
+          attr_reader :thycotic_secrets
+
+          # Mixin initializer
+          def init_thycotic_config
+            @thycotic_secrets = []
+          end
+
+          # Set a Thycotic secret server configuration
+          #
+          # Parameters::
+          # * *thycotic_url* (String): The Thycotic server URL.
+          # * *secret_id* (Integer): The Thycotic secret ID containing the secrets file to be used as secrets.
+          def secrets_from_thycotic(thycotic_url:, secret_id:)
+            @thycotic_secrets << {
+              nodes_selectors_stack: current_nodes_selectors_stack,
+              thycotic_url: thycotic_url,
+              secret_id: secret_id
+            }
+          end
+
+        end
+
+        Config.extend_config_dsl_with ConfigDSLExtension, :init_thycotic_config
+
+        # Return secrets for a given service to be deployed on a node.
+        # [API] - This method is mandatory
+        # [API] - The following API components are accessible:
+        # * *@config* (Config): Main configuration API.
+        # * *@cmd_runner* (CmdRunner): Command Runner API.
+        # * *@nodes_handler* (NodesHandler): Nodes handler API.
+        #
+        # Parameters::
+        # * *node* (String): Node to be deployed
+        # * *service* (String): Service to be deployed
+        # Result::
+        # * Hash: The secrets
+        def secrets_for(node, service)
+          secrets = {}
+          # As we are dealing with global secrets, cache the reading for performance between nodes and services.
+          # Keep secrets cache grouped by URL/ID
+          @secrets = {} unless defined?(@secrets)
+          @nodes_handler.select_confs_for_node(node, @config.thycotic_secrets).each do |thycotic_secrets_info|
+            server_id = "#{thycotic_secrets_info[:thycotic_url]}:#{thycotic_secrets_info[:secret_id]}"
+            unless @secrets.key?(server_id)
+              HybridPlatformsConductor::Thycotic.with_thycotic(thycotic_secrets_info[:thycotic_url], @logger, @logger_stderr) do |thycotic|
+                secret_file_item_id = thycotic.get_secret(thycotic_secrets_info[:secret_id]).dig(:secret, :items, :secret_item, :id)
+                raise "Unable to fetch secret file ID #{thycotic_secrets_info[:secret_id]} from #{thycotic_secrets_info[:thycotic_url]}" if secret_file_item_id.nil?
+                secret = thycotic.download_file_attachment_by_item_id(thycotic_secrets_info[:secret_id], secret_file_item_id)
+                raise "Unable to fetch secret file attachment from secret ID #{thycotic_secrets_info[:secret_id]} from #{thycotic_secrets_info[:thycotic_url]}" if secret.nil?
+                @secrets[server_id] = JSON.parse(secret)
+              end
+            end
+            secrets.merge!(@secrets[server_id]) do |key, value1, value2|
+              raise "Thycotic secret #{key} served by #{thycotic_secrets_info[:thycotic_url]} from secret ID #{thycotic_secrets_info[:secret_id]} has conflicting values between different secrets." if value1 != value2
+              value1
+            end
+          end
+          secrets
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/hybrid_platforms_conductor/plugins.rb

@@ -38,6 +38,7 @@ module HybridPlatformsConductor
       []
       each
       empty?
+      find
       key?
       keys
       select

data/lib/hybrid_platforms_conductor/secrets_reader.rb

@@ -0,0 +1,31 @@
+require 'hybrid_platforms_conductor/logger_helpers'
+require 'hybrid_platforms_conductor/plugin'
+
+module HybridPlatformsConductor
+
+  # Ancestor of all secrets reader plugins
+  class SecretsReader < Plugin
+
+    # Constructor
+    #
+    # Parameters::
+    # * *logger* (Logger): Logger to be used [default: Logger.new(STDOUT)]
+    # * *logger_stderr* (Logger): Logger to be used for stderr [default: Logger.new(STDERR)]
+    # * *config* (Config): Config to be used. [default: Config.new]
+    # * *cmd_runner* (CmdRunner): CmdRunner to be used. [default: CmdRunner.new]
+    # * *nodes_handler* (NodesHandler): Nodes handler to be used. [default: NodesHandler.new]
+    def initialize(
+      logger: Logger.new(STDOUT),
+      logger_stderr: Logger.new(STDERR),
+      config: Config.new,
+      cmd_runner: CmdRunner.new,
+      nodes_handler: NodesHandler.new
+    )
+      super(logger: logger, logger_stderr: logger_stderr, config: config)
+      @cmd_runner = cmd_runner
+      @nodes_handler = nodes_handler
+    end
+
+  end
+
+end

data/lib/hybrid_platforms_conductor/version.rb

@@ -1,5 +1,5 @@
 module HybridPlatformsConductor
 
-  VERSION = '32.18.0'
+  VERSION = '33.0.0'
 
 end

data/spec/hybrid_platforms_conductor_test.rb

@@ -4,6 +4,7 @@ require 'hybrid_platforms_conductor/config'
 require 'hybrid_platforms_conductor/platforms_handler'
 require 'hybrid_platforms_conductor/actions_executor'
 require 'hybrid_platforms_conductor/cmd_runner'
+require 'hybrid_platforms_conductor/credentials'
 require 'hybrid_platforms_conductor/deployer'
 require 'hybrid_platforms_conductor/log'
 require 'hybrid_platforms_conductor/nodes_handler'
@@ -53,6 +54,7 @@ require 'hybrid_platforms_conductor_test/test_plugins/node_ssh'
 require 'hybrid_platforms_conductor_test/test_plugins/platform'
 require 'hybrid_platforms_conductor_test/test_plugins/several_checks'
 require 'hybrid_platforms_conductor_test/test_provisioner'
+require 'hybrid_platforms_conductor_test/test_secrets_reader_plugin'
 require 'hybrid_platforms_conductor_test/tests_report_plugin'
 
 module HybridPlatformsConductorTest
@@ -133,6 +135,9 @@ module HybridPlatformsConductorTest
         HybridPlatformsConductorTest::TestPlugins::SeveralChecks.runs = []
         HybridPlatformsConductorTest::TestLogPlugin.calls = []
         HybridPlatformsConductorTest::TestLogNoReadPlugin.calls = []
+        HybridPlatformsConductorTest::TestSecretsReaderPlugin.calls = []
+        HybridPlatformsConductorTest::TestSecretsReaderPlugin.deployer = nil
+        HybridPlatformsConductorTest::TestSecretsReaderPlugin.mocked_secrets = {}
         FileUtils.rm_rf './run_logs'
         FileUtils.rm_rf './testadmin.key.pub'
         FileUtils.rm_rf '/tmp/hpc_ssh'

data/spec/hybrid_platforms_conductor_test/api/deployer/config_dsl_spec.rb

@@ -30,6 +30,28 @@ describe HybridPlatformsConductor::Deployer do
       end
     end
 
+    it 'declares secrets readers plugins to be used' do
+      with_test_platforms(
+        { nodes: { 'node1' => {}, 'node2' => {} } },
+        false,
+        <<~EOS
+          read_secrets_from %i[secrets_reader_plugin_1 secrets_reader_plugin_2]
+          for_nodes('node2') { read_secrets_from :secrets_reader_plugin_3 }
+        EOS
+      ) do
+        expect(test_config.secrets_readers).to eq [
+          {
+            nodes_selectors_stack: [],
+            secrets_readers: %i[secrets_reader_plugin_1 secrets_reader_plugin_2]
+          },
+          {
+            nodes_selectors_stack: %w[node2],
+            secrets_readers: %i[secrets_reader_plugin_3]
+          }
+        ]
+      end
+    end
+
   end
 
 end

data/spec/hybrid_platforms_conductor_test/api/deployer/secrets_reader_plugins/cli_spec.rb

@@ -0,0 +1,63 @@
+describe HybridPlatformsConductor::Deployer do
+
+  context 'checking secrets_reader plugins' do
+
+    context 'cli' do
+
+      # Setup a platform for tests
+      #
+      # Parameters::
+      # * Proc: Code called when the platform is setup
+      #   * Parameters::
+      #     * *repository* (String): Platform's repository
+      def with_test_platform_for_cli_test
+        with_test_platform(
+          { nodes: { 'node' => { services: %w[service] } } },
+          false,
+          'read_secrets_from :cli'
+        ) do |repository|
+          yield repository
+        end
+      end
+
+      it 'gets secrets from a file' do
+        with_test_platform_for_cli_test do |repository|
+          secrets_file = "#{repository}/my_secrets.json"
+          File.write(secrets_file, '{ "secret_name": "secret_value" }')
+          expect(test_services_handler).to receive(:deploy_allowed?).with(
+            services: { 'node' => %w[service] },
+            secrets: { 'secret_name' => 'secret_value' },
+            local_environment: false
+          ) { 'Abort as testing secrets is enough' }
+          expect { run 'deploy', '--node', 'node', '--secrets', secrets_file }.to raise_error 'Deployment not allowed: Abort as testing secrets is enough'
+        end
+      end
+
+      it 'gets secrets from several files' do
+        with_test_platform_for_cli_test do |repository|
+          secrets_file1 = "#{repository}/my_secrets1.json"
+          File.write(secrets_file1, '{ "secret1": "value1" }')
+          secrets_file2 = "#{repository}/my_secrets2.json"
+          File.write(secrets_file2, '{ "secret2": "value2" }')
+          expect(test_services_handler).to receive(:deploy_allowed?).with(
+            services: { 'node' => %w[service] },
+            secrets: { 'secret1' => 'value1', 'secret2' => 'value2' },
+            local_environment: false
+          ) { 'Abort as testing secrets is enough' }
+          expect { run 'deploy', '--node', 'node', '--secrets', secrets_file1, '--secrets', secrets_file2 }.to raise_error 'Deployment not allowed: Abort as testing secrets is enough'
+        end
+      end
+
+      it 'fails to get secrets from a missing file' do
+        with_test_platform_for_cli_test do
+          expect do
+            run 'deploy', '--node', 'node', '--secrets', 'unknown_file.json'
+          end.to raise_error 'Missing secrets file: unknown_file.json'
+        end
+      end
+
+    end
+
+  end
+
+end

data/spec/hybrid_platforms_conductor_test/api/deployer/secrets_reader_plugins/thycotic_spec.rb

@@ -0,0 +1,253 @@
+require 'savon'
+
+describe HybridPlatformsConductor::Deployer do
+
+  context 'checking secrets_reader plugins' do
+
+    context 'thycotic' do
+
+      # Setup a platform for tests
+      #
+      # Parameters::
+      # * *additional_config* (String): Additional config
+      # * *platform_info* (Hash): Platform configuration [default: 1 node having 1 service]
+      # * Proc: Code called when the platform is setup
+      def with_test_platform_for_thycotic_test(additional_config = '', platform_info: { nodes: { 'node' => { services: %w[service] } } })
+        with_test_platform(
+          platform_info,
+          false,
+          "read_secrets_from :thycotic\n" + additional_config
+        ) do
+          yield
+        end
+      end
+
+      # Mock calls being made to a Thycotic SOAP API using Savon
+      #
+      # Parameters::
+      # * *url* (String): Mocked URL
+      # * *secret_id* (String): The mocked secret ID
+      # * *mocked_secrets_file* (String or nil): The mocked secrets file stored in Thycotic, or nil to mock a missing secret
+      # * *user* (String or nil): The user to be expected, or nil if it should be read from netrc [default: nil]
+      # * *password* (String or nil): The password to be expected, or nil if it should be read from netrc [default: nil]
+      def mock_thycotic_file_download_on(url, secret_id, mocked_secrets_file, user: nil, password: nil)
+        if user.nil?
+          user = 'thycotic_user_from_netrc'
+          password = 'thycotic_password_from_netrc'
+          expect(HybridPlatformsConductor::Credentials).to receive(:with_credentials_for) do |id, _logger, _logger_stderr, url: nil, &client_code|
+            expect(id).to eq :thycotic
+            expect(url).to eq url
+            client_code.call user, password
+          end
+        end
+        # Mock the Savon calls
+        mocked_savon_client = double 'Mocked Savon client'
+        expect(Savon).to receive(:client) do |params|
+          expect(params[:wsdl]).to eq "#{url}/webservices/SSWebservice.asmx?wsdl"
+          expect(params[:ssl_verify_mode]).to eq :none
+          mocked_savon_client
+        end
+        expect(mocked_savon_client).to receive(:call).with(
+          :authenticate,
+          message: {
+            username: user,
+            password: password,
+            domain: 'thycotic_auth_domain'
+          }
+        ) do
+          { authenticate_response: { authenticate_result: { token: 'soap_token' } } }
+        end
+        expect(mocked_savon_client).to receive(:call).with(
+          :get_secret,
+          message: {
+            token: 'soap_token',
+            secretId: secret_id
+          }
+        ) do
+          {
+            get_secret_response: {
+              get_secret_result:
+                if mocked_secrets_file
+                  { secret: { items: { secret_item: { id: '4242' } } } }
+                else
+                  { errors: { string: 'Access Denied'}, secret_error: { error_code: 'LOAD', error_message: 'Access Denied', allows_response: false } }
+                end
+            }
+          }
+        end
+        if mocked_secrets_file
+          expect(mocked_savon_client).to receive(:call).with(
+            :download_file_attachment_by_item_id,
+            message: {
+              token: 'soap_token',
+              secretId: secret_id,
+              secretItemId: '4242'
+            }
+          ) do
+            {
+              download_file_attachment_by_item_id_response: {
+                download_file_attachment_by_item_id_result: {
+                  file_attachment: Base64.encode64(mocked_secrets_file)
+                }
+              }
+            }
+          end
+        end
+        ENV['hpc_domain_for_thycotic'] = 'thycotic_auth_domain'
+      end
+
+      it 'gets secrets from a Thycotic Secret Server' do
+        with_test_platform_for_thycotic_test(
+          <<~EOS
+            secrets_from_thycotic(
+              thycotic_url: 'https://my_thycotic.domain.com/SecretServer',
+              secret_id: 1107
+            )
+          EOS
+        ) do
+          mock_thycotic_file_download_on('https://my_thycotic.domain.com/SecretServer', 1107, '{ "secret_name": "secret_value" }')
+          expect(test_services_handler).to receive(:deploy_allowed?).with(
+            services: { 'node' => %w[service] },
+            secrets: { 'secret_name' => 'secret_value' },
+            local_environment: false
+          ) { 'Abort as testing secrets is enough' }
+          expect { test_deployer.deploy_on(%w[node]) }.to raise_error 'Deployment not allowed: Abort as testing secrets is enough'
+        end
+      end
+
+      it 'gets secrets from a Thycotic Secret Server for several nodes' do
+        additional_config = <<~EOS
+          secrets_from_thycotic(
+            thycotic_url: 'https://my_thycotic.domain.com/SecretServer',
+            secret_id: 1107
+          )
+        EOS
+        with_test_platform_for_thycotic_test(additional_config, platform_info: { nodes: { 'node1' => { services: %w[service1] }, 'node2' => { services: %w[service2] } } }) do
+          mock_thycotic_file_download_on('https://my_thycotic.domain.com/SecretServer', 1107, '{ "secret_name": "secret_value" }')
+          expect(test_services_handler).to receive(:deploy_allowed?).with(
+            services: { 'node1' => %w[service1], 'node2' => %w[service2] },
+            secrets: { 'secret_name' => 'secret_value' },
+            local_environment: false
+          ) { 'Abort as testing secrets is enough' }
+          expect { test_deployer.deploy_on(%w[node1 node2]) }.to raise_error 'Deployment not allowed: Abort as testing secrets is enough'
+        end
+      end
+
+      it 'gets secrets from a Thycotic Secret Server using env variables' do
+        with_test_platform_for_thycotic_test(
+          <<~EOS
+            secrets_from_thycotic(
+              thycotic_url: 'https://my_thycotic.domain.com/SecretServer',
+              secret_id: 1107
+            )
+          EOS
+        ) do
+          mock_thycotic_file_download_on(
+            'https://my_thycotic.domain.com/SecretServer',
+            1107,
+            '{ "secret_name": "secret_value" }',
+            user: 'thycotic_user_from_env',
+            password: 'thycotic_password_from_env'
+          )
+          ENV['hpc_user_for_thycotic'] = 'thycotic_user_from_env'
+          ENV['hpc_password_for_thycotic'] = 'thycotic_password_from_env'
+          expect(test_services_handler).to receive(:deploy_allowed?).with(
+            services: { 'node' => %w[service] },
+            secrets: { 'secret_name' => 'secret_value' },
+            local_environment: false
+          ) { 'Abort as testing secrets is enough' }
+          expect { test_deployer.deploy_on(%w[node]) }.to raise_error 'Deployment not allowed: Abort as testing secrets is enough'
+        end
+      end
+
+      it 'gets secrets from several Thycotic Secret Servers' do
+        additional_config = <<~EOS
+          secrets_from_thycotic(
+            thycotic_url: 'https://my_thycotic1.domain.com/SecretServer',
+            secret_id: 110701
+          )
+          for_nodes('node2') do
+            secrets_from_thycotic(
+              thycotic_url: 'https://my_thycotic2.domain.com/SecretServer',
+              secret_id: 110702
+            )
+          end
+        EOS
+        with_test_platform_for_thycotic_test(additional_config, platform_info: { nodes: { 'node1' => { services: %w[service1] }, 'node2' => { services: %w[service2] } } }) do
+          mock_thycotic_file_download_on('https://my_thycotic1.domain.com/SecretServer', 110701, '{ "secret1": "value1" }')
+          mock_thycotic_file_download_on('https://my_thycotic2.domain.com/SecretServer', 110702, '{ "secret2": "value2" }')
+          expect(test_services_handler).to receive(:deploy_allowed?).with(
+            services: { 'node1' => %w[service1], 'node2' => %w[service2] },
+            secrets: { 'secret1' => 'value1', 'secret2' => 'value2' },
+            local_environment: false
+          ) { 'Abort as testing secrets is enough' }
+          expect { test_deployer.deploy_on(%w[node1 node2]) }.to raise_error 'Deployment not allowed: Abort as testing secrets is enough'
+        end
+      end
+
+      it 'merges secrets from several Thycotic Secret Servers' do
+        with_test_platform_for_thycotic_test(
+          <<~EOS
+            secrets_from_thycotic(
+              thycotic_url: 'https://my_thycotic1.domain.com/SecretServer',
+              secret_id: 110701
+            )
+            for_nodes('node') do
+              secrets_from_thycotic(
+                thycotic_url: 'https://my_thycotic2.domain.com/SecretServer',
+                secret_id: 110702
+              )
+            end
+          EOS
+        ) do
+          mock_thycotic_file_download_on('https://my_thycotic1.domain.com/SecretServer', 110701, '{ "secret1": "value1", "secret2": "value2" }')
+          mock_thycotic_file_download_on('https://my_thycotic2.domain.com/SecretServer', 110702, '{ "secret2": "value2", "secret3": "value3" }')
+          expect(test_services_handler).to receive(:deploy_allowed?).with(
+            services: { 'node' => %w[service] },
+            secrets: { 'secret1' => 'value1', 'secret2' => 'value2', 'secret3' => 'value3' },
+            local_environment: false
+          ) { 'Abort as testing secrets is enough' }
+          expect { test_deployer.deploy_on(%w[node]) }.to raise_error 'Deployment not allowed: Abort as testing secrets is enough'
+        end
+      end
+
+      it 'fails in case of secrets conflicts from several Thycotic Secret Servers' do
+        with_test_platform_for_thycotic_test(
+          <<~EOS
+            secrets_from_thycotic(
+              thycotic_url: 'https://my_thycotic1.domain.com/SecretServer',
+              secret_id: 110701
+            )
+            for_nodes('node') do
+              secrets_from_thycotic(
+                thycotic_url: 'https://my_thycotic2.domain.com/SecretServer',
+                secret_id: 110702
+              )
+            end
+          EOS
+        ) do
+          mock_thycotic_file_download_on('https://my_thycotic1.domain.com/SecretServer', 110701, '{ "secret1": "value1", "secret2": "value2" }')
+          mock_thycotic_file_download_on('https://my_thycotic2.domain.com/SecretServer', 110702, '{ "secret2": "other_value", "secret3": "value3" }')
+          expect { test_deployer.deploy_on(%w[node]) }.to raise_error 'Thycotic secret secret2 served by https://my_thycotic2.domain.com/SecretServer from secret ID 110702 has conflicting values between different secrets.'
+        end
+      end
+
+      it 'fails to get secrets from a missing Thycotic Secret Server' do
+        with_test_platform_for_thycotic_test(
+          <<~EOS
+            secrets_from_thycotic(
+              thycotic_url: 'https://my_thycotic.domain.com/SecretServer',
+              secret_id: 1107
+            )
+          EOS
+        ) do
+          mock_thycotic_file_download_on('https://my_thycotic.domain.com/SecretServer', 1107, nil)
+          expect { test_deployer.deploy_on(%w[node]) }.to raise_error 'Unable to fetch secret file ID 1107 from https://my_thycotic.domain.com/SecretServer'
+        end
+      end
+
+    end
+
+  end
+
+end