hybrid_platforms_conductor 32.18.0 → 33.0.0

data/spec/hybrid_platforms_conductor_test/executables/options/deployer_spec.rb

@@ -12,188 +12,6 @@ describe 'executables\' Deployer options' do
     end
   end
 
-  # Mock calls being made to a Thycotic SOAP API using Savon
-  #
-  # Parameters::
-  # * *url* (String): Mocked URL
-  # * *secret_id* (String): The mocked secret ID
-  # * *mocked_secrets_file* (String or nil): The mocked secrets file stored in Thycotic, or nil to mock a missing secret
-  # * *user* (String or nil): The user to be expected, or nil if it should be read from netrc [default: nil]
-  # * *password* (String or nil): The password to be expected, or nil if it should be read from netrc [default: nil]
-  def mock_thycotic_file_download_on(url, secret_id, mocked_secrets_file, user: nil, password: nil)
-    if user.nil?
-      user = 'thycotic_user_from_netrc'
-      password = 'thycotic_password_from_netrc'
-      expect(HybridPlatformsConductor::Credentials).to receive(:with_credentials_for) do |id, _logger, _logger_stderr, url: nil, &client_code|
-        expect(id).to eq :thycotic
-        expect(url).to eq url
-        client_code.call user, password
-      end
-    end
-    # Mock the Savon calls
-    mocked_savon_client = double 'Mocked Savon client'
-    expect(Savon).to receive(:client) do |params|
-      expect(params[:wsdl]).to eq "#{url}/webservices/SSWebservice.asmx?wsdl"
-      expect(params[:ssl_verify_mode]).to eq :none
-      mocked_savon_client
-    end
-    expect(mocked_savon_client).to receive(:call).with(
-      :authenticate,
-      message: {
-        username: user,
-        password: password,
-        domain: 'thycotic_auth_domain'
-      }
-    ) do
-      { authenticate_response: { authenticate_result: { token: 'soap_token' } } }
-    end
-    expect(mocked_savon_client).to receive(:call).with(
-      :get_secret,
-      message: {
-        token: 'soap_token',
-        secretId: secret_id
-      }
-    ) do
-      {
-        get_secret_response: {
-          get_secret_result:
-            if mocked_secrets_file
-              { secret: { items: { secret_item: { id: '4242' } } } }
-            else
-              { errors: { string: 'Access Denied'}, secret_error: { error_code: 'LOAD', error_message: 'Access Denied', allows_response: false } }
-            end
-        }
-      }
-    end
-    if mocked_secrets_file
-      expect(mocked_savon_client).to receive(:call).with(
-        :download_file_attachment_by_item_id,
-        message: {
-          token: 'soap_token',
-          secretId: secret_id,
-          secretItemId: '4242'
-        }
-      ) do
-        {
-          download_file_attachment_by_item_id_response: {
-            download_file_attachment_by_item_id_result: {
-              file_attachment: Base64.encode64(mocked_secrets_file)
-            }
-          }
-        }
-      end
-    end
-    ENV['hpc_domain_for_thycotic'] = 'thycotic_auth_domain'
-  end
-
-  it 'gets secrets from a file' do
-    with_test_platform_for_deployer_options do |repository|
-      secrets_file = "#{repository}/my_secrets.json"
-      File.write(secrets_file, '{ "secret_name": "secret_value" }')
-      expect(test_deployer).to receive(:deploy_on).with(['node']) do
-        expect(test_deployer.secrets).to eq [{ 'secret_name' => 'secret_value' }]
-        {}
-      end
-      exit_code, stdout, stderr = run 'deploy', '--node', 'node', '--secrets', secrets_file
-      expect(exit_code).to eq 0
-      expect(stderr).to eq ''
-    end
-  end
-
-  it 'gets secrets from several files' do
-    with_test_platform_for_deployer_options do |repository|
-      secrets_file1 = "#{repository}/my_secrets1.json"
-      File.write(secrets_file1, '{ "secret1": "value1" }')
-      secrets_file2 = "#{repository}/my_secrets2.json"
-      File.write(secrets_file2, '{ "secret2": "value2" }')
-      expect(test_deployer).to receive(:deploy_on).with(['node']) do
-        expect(test_deployer.secrets).to eq [{ 'secret1' => 'value1' }, { 'secret2' => 'value2' }]
-        {}
-      end
-      exit_code, stdout, stderr = run 'deploy', '--node', 'node', '--secrets', secrets_file1, '--secrets', secrets_file2
-      expect(exit_code).to eq 0
-      expect(stderr).to eq ''
-    end
-  end
-
-  it 'fails to get secrets from a missing file' do
-    with_test_platform_for_deployer_options do
-      expect do
-        run 'deploy', '--node', 'node', '--secrets', 'unknown_file.json'
-      end.to raise_error 'Missing secret file: unknown_file.json'
-    end
-  end
-
-  it 'gets secrets from a Thycotic Secret Server' do
-    with_test_platform_for_deployer_options do
-      expect(test_deployer).to receive(:deploy_on).with(['node']) do
-        expect(test_deployer.secrets).to eq [{ 'secret_name' => 'secret_value' }]
-        {}
-      end
-      mock_thycotic_file_download_on('https://my_thycotic.domain.com/SecretServer', '1107', '{ "secret_name": "secret_value" }')
-      exit_code, stdout, stderr = run 'deploy', '--node', 'node', '--secrets', 'https://my_thycotic.domain.com/SecretServer:1107'
-      expect(exit_code).to eq 0
-      expect(stderr).to eq ''
-    end
-  end
-
-  it 'gets secrets from a Thycotic Secret Server using env variables' do
-    with_test_platform_for_deployer_options do
-      expect(test_deployer).to receive(:deploy_on).with(['node']) do
-        expect(test_deployer.secrets).to eq [{ 'secret_name' => 'secret_value' }]
-        {}
-      end
-      mock_thycotic_file_download_on(
-        'https://my_thycotic.domain.com/SecretServer',
-        '1107',
-        '{ "secret_name": "secret_value" }',
-        user: 'thycotic_user_from_env',
-        password: 'thycotic_password_from_env'
-      )
-      ENV['hpc_user_for_thycotic'] = 'thycotic_user_from_env'
-      ENV['hpc_password_for_thycotic'] = 'thycotic_password_from_env'
-      exit_code, stdout, stderr = run 'deploy', '--node', 'node', '--secrets', 'https://my_thycotic.domain.com/SecretServer:1107'
-      expect(exit_code).to eq 0
-      expect(stderr).to eq ''
-    end
-  end
-
-  it 'gets secrets from several Thycotic Secret Servers and files' do
-    with_test_platform_for_deployer_options do |repository|
-      secrets_file1 = "#{repository}/my_secrets1.json"
-      File.write(secrets_file1, '{ "secret1": "value1" }')
-      secrets_file3 = "#{repository}/my_secrets3.json"
-      File.write(secrets_file3, '{ "secret3": "value3" }')
-      expect(test_deployer).to receive(:deploy_on).with(['node']) do
-        expect(test_deployer.secrets).to eq [
-          { 'secret1' => 'value1' },
-          { 'secret2' => 'value2' },
-          { 'secret3' => 'value3' },
-          { 'secret4' => 'value4' }
-        ]
-        {}
-      end
-      mock_thycotic_file_download_on('https://my_thycotic2.domain.com/SecretServer', '110702', '{ "secret2": "value2" }')
-      mock_thycotic_file_download_on('https://my_thycotic4.domain.com/SecretServer', '110704', '{ "secret4": "value4" }')
-      exit_code, stdout, stderr = run 'deploy', '--node', 'node',
-        '--secrets', secrets_file1,
-        '--secrets', 'https://my_thycotic2.domain.com/SecretServer:110702',
-        '--secrets', secrets_file3,
-        '--secrets', 'https://my_thycotic4.domain.com/SecretServer:110704'
-      expect(exit_code).to eq 0
-      expect(stderr).to eq ''
-    end
-  end
-
-  it 'fails to get secrets from a missing Thycotic Secret Server' do
-    with_test_platform_for_deployer_options do
-      mock_thycotic_file_download_on('https://my_thycotic.domain.com/SecretServer', '1107', nil)
-      expect do
-        run 'deploy', '--node', 'node', '--secrets', 'https://my_thycotic.domain.com/SecretServer:1107'
-      end.to raise_error 'Unable to fetch secret file ID https://my_thycotic.domain.com/SecretServer:1107'
-    end
-  end
-
   it 'uses parallel mode' do
     with_test_platform_for_deployer_options do |repository|
       expect(test_deployer).to receive(:deploy_on).with(['node']) do

data/spec/hybrid_platforms_conductor_test/helpers/deployer_test_helpers.rb

@@ -78,6 +78,8 @@ module HybridPlatformsConductorTest
           #
           # Parameters::
           # * *nodes_info* (Hash): Node info to give the platform [default: 1 node having 1 service]
+          # * *expect_services_to_deploy* (Hash<String,Array<String>>): Expected services to be deployed [default: all services from nodes_info]
+          # * *expect_deploy_allowed* (Boolean): Should we expect the call to deploy_allowed? [default: true]
           # * *expect_package* (Boolean): Should we expect packaging? [default: true]
           # * *expect_prepare_for_deploy* (Boolean): Should we expect calls to prepare for deploy? [default: true]
           # * *expect_connections_to_nodes* (Boolean): Should we expect connections to nodes? [default: true]
@@ -95,6 +97,8 @@ module HybridPlatformsConductorTest
           #     * *repository* (String): Path to the repository
           def with_platform_to_deploy(
             nodes_info: { nodes: { 'node' => { services: %w[service] } } },
+            expect_services_to_deploy: Hash[nodes_info[:nodes].map { |node, node_info| [node, node_info[:services]] }],
+            expect_deploy_allowed: true,
             expect_package: true,
             expect_prepare_for_deploy: true,
             expect_connections_to_nodes: true,
@@ -111,10 +115,7 @@ module HybridPlatformsConductorTest
             platform_name = check_mode ? 'platform' : 'my_remote_platform'
             with_test_platform(nodes_info, !check_mode, additional_config + "\nsend_logs_to :test_log") do |repository|
               # Mock the ServicesHandler accesses
-              expect_services_to_deploy = Hash[nodes_info[:nodes].map do |node, node_info|
-                [node, node_info[:services]]
-              end]
-              unless check_mode
+              if !check_mode && expect_deploy_allowed
                 expect(test_services_handler).to receive(:deploy_allowed?).with(
                   services: expect_services_to_deploy,
                   secrets: expect_secrets,
@@ -144,7 +145,7 @@ module HybridPlatformsConductorTest
               end
               test_deployer.use_why_run = true if check_mode
               if expect_connections_to_nodes
-                with_connections_mocked_on(nodes_info[:nodes].keys) do
+                with_connections_mocked_on(expect_services_to_deploy.keys) do
                   expect_actions_executor_runs(expected_actions_for_deploy_on(
                     services: expect_services_to_deploy,
                     check_mode: check_mode,
@@ -218,14 +219,7 @@ module HybridPlatformsConductorTest
 
           it 'deploys on 1 node using 1 secret' do
             with_platform_to_deploy(expect_secrets: { 'secret1' => 'password1' }) do
-              test_deployer.secrets = [{ 'secret1' => 'password1' }]
-              expect(test_deployer.deploy_on('node')).to eq('node' => expected_deploy_result)
-            end
-          end
-
-          it 'deploys on 1 node using several secrets' do
-            with_platform_to_deploy(expect_secrets: { 'secret1' => 'password1', 'secret2' => 'password2' }) do
-              test_deployer.secrets = [{ 'secret1' => 'password1' }, { 'secret2' => 'password2' }]
+              test_deployer.override_secrets('secret1' => 'password1')
               expect(test_deployer.deploy_on('node')).to eq('node' => expected_deploy_result)
             end
           end
@@ -901,6 +895,248 @@ module HybridPlatformsConductorTest
 
           end
 
+          context 'checking secrets handling' do
+
+            it 'calls secrets readers only for nodes and services to be deployed and merges their secrets' do
+              register_plugins(
+                :secrets_reader,
+                {
+                  secrets_reader1: HybridPlatformsConductorTest::TestSecretsReaderPlugin,
+                  secrets_reader2: HybridPlatformsConductorTest::TestSecretsReaderPlugin,
+                  secrets_reader3: HybridPlatformsConductorTest::TestSecretsReaderPlugin
+                }
+              )
+              with_platform_to_deploy(
+                nodes_info: {
+                  nodes: {
+                    'node1' => { services: %w[service1 service2] },
+                    'node2' => { services: %w[service2 service3] },
+                    'node3' => { services: %w[service3] },
+                    'node4' => { services: %w[service1 service3] }
+                  }
+                },
+                expect_services_to_deploy: {
+                  'node1' => %w[service1 service2],
+                  'node2' => %w[service2 service3],
+                  'node3' => %w[service3]
+                },
+                expect_secrets: {
+                  'node1' => {
+                    'service1' => {
+                      'secrets_reader1' => 'Secret value',
+                      'secrets_reader2' => 'Secret value'
+                    },
+                    'service2' => {
+                      'secrets_reader1' => 'Secret value',
+                      'secrets_reader2' => 'Secret value'
+                    }
+                  },
+                  'node2' => {
+                    'service2' => {
+                      'secrets_reader1' => 'Secret value',
+                      'secrets_reader2' => 'Secret value',
+                      'secrets_reader3' => 'Secret value'
+                    },
+                    'service3' => {
+                      'secrets_reader1' => 'Secret value',
+                      'secrets_reader2' => 'Secret value',
+                      'secrets_reader3' => 'Secret value'
+                    }
+                  },
+                  'node3' => {
+                    'service3' => {
+                      'secrets_reader1' => 'Secret value',
+                      'secrets_reader2' => 'Secret value'
+                    }
+                  }
+                },
+                additional_config: <<~EOS
+                  read_secrets_from %i[secrets_reader1 secrets_reader2]
+                  for_nodes('node2') { read_secrets_from :secrets_reader3 }
+                EOS
+              ) do
+                TestSecretsReaderPlugin.deployer = test_deployer
+                expect(test_deployer.deploy_on(%w[node1 node2 node3])).to eq(
+                  'node1' => expected_deploy_result,
+                  'node2' => expected_deploy_result,
+                  'node3' => expected_deploy_result
+                )
+                expect(HybridPlatformsConductorTest::TestSecretsReaderPlugin.calls).to eq [
+                  { instance: :secrets_reader1, node: 'node1', service: 'service1' },
+                  { instance: :secrets_reader1, node: 'node1', service: 'service2' },
+                  { instance: :secrets_reader2, node: 'node1', service: 'service1' },
+                  { instance: :secrets_reader2, node: 'node1', service: 'service2' },
+                  { instance: :secrets_reader1, node: 'node2', service: 'service2' },
+                  { instance: :secrets_reader1, node: 'node2', service: 'service3' },
+                  { instance: :secrets_reader2, node: 'node2', service: 'service2' },
+                  { instance: :secrets_reader2, node: 'node2', service: 'service3' },
+                  { instance: :secrets_reader3, node: 'node2', service: 'service2' },
+                  { instance: :secrets_reader3, node: 'node2', service: 'service3' },
+                  { instance: :secrets_reader1, node: 'node3', service: 'service3' },
+                  { instance: :secrets_reader2, node: 'node3', service: 'service3' }
+                ]
+              end
+            end
+
+            it 'merges secrets having same values' do
+              register_plugins(
+                :secrets_reader,
+                {
+                  secrets_reader1: HybridPlatformsConductorTest::TestSecretsReaderPlugin,
+                  secrets_reader2: HybridPlatformsConductorTest::TestSecretsReaderPlugin
+                }
+              )
+              with_platform_to_deploy(
+                nodes_info: {
+                  nodes: {
+                    'node1' => { services: %w[service1] },
+                    'node2' => { services: %w[service2] }
+                  }
+                },
+                expect_secrets: {
+                  'global1' => 'value1',
+                  'global2' => 'value2',
+                  'global3' => 'value3',
+                  'global4' => 'value4'
+                },
+                additional_config: <<~EOS
+                  read_secrets_from :secrets_reader1
+                  for_nodes('node2') { read_secrets_from :secrets_reader2 }
+                EOS
+              ) do
+                TestSecretsReaderPlugin.deployer = test_deployer
+                TestSecretsReaderPlugin.mocked_secrets = {
+                  'node1' => {
+                    'service1' => {
+                      secrets_reader1: {
+                        'global1' => 'value1',
+                        'global2' => 'value2'
+                      }
+                    }
+                  },
+                  'node2' => {
+                    'service2' => {
+                      secrets_reader1: {
+                        'global2' => 'value2',
+                        'global3' => 'value3'
+                      },
+                      secrets_reader2: {
+                        'global3' => 'value3',
+                        'global4' => 'value4'
+                      }
+                    }
+                  }
+                }
+                expect(test_deployer.deploy_on(%w[node1 node2])).to eq(
+                  'node1' => expected_deploy_result,
+                  'node2' => expected_deploy_result
+                )
+                expect(HybridPlatformsConductorTest::TestSecretsReaderPlugin.calls).to eq [
+                  { instance: :secrets_reader1, node: 'node1', service: 'service1' },
+                  { instance: :secrets_reader1, node: 'node2', service: 'service2' },
+                  { instance: :secrets_reader2, node: 'node2', service: 'service2' }
+                ]
+              end
+            end
+
+            it 'fails when merging secrets having different values' do
+              register_plugins(
+                :secrets_reader,
+                {
+                  secrets_reader1: HybridPlatformsConductorTest::TestSecretsReaderPlugin,
+                  secrets_reader2: HybridPlatformsConductorTest::TestSecretsReaderPlugin
+                }
+              )
+              with_platform_to_deploy(
+                nodes_info: {
+                  nodes: {
+                    'node1' => { services: %w[service1] },
+                    'node2' => { services: %w[service2] }
+                  }
+                },
+                expect_deploy_allowed: false,
+                expect_package: false,
+                expect_prepare_for_deploy: false,
+                expect_connections_to_nodes: false,
+                additional_config: <<~EOS
+                  read_secrets_from :secrets_reader1
+                  for_nodes('node2') { read_secrets_from :secrets_reader2 }
+                EOS
+              ) do
+                TestSecretsReaderPlugin.deployer = test_deployer
+                TestSecretsReaderPlugin.mocked_secrets = {
+                  'node1' => {
+                    'service1' => {
+                      secrets_reader1: {
+                        'global1' => 'value1',
+                        'global2' => 'value2'
+                      }
+                    }
+                  },
+                  'node2' => {
+                    'service2' => {
+                      secrets_reader1: {
+                        'global2' => 'value2',
+                        'global3' => {
+                          'sub_key' => 'value3'
+                        }
+                      },
+                      secrets_reader2: {
+                        'global3' => {
+                          'sub_key' => 'Other value'
+                        },
+                        'global4' => 'value4'
+                      }
+                    }
+                  }
+                }
+                expect { test_deployer.deploy_on(%w[node1 node2]) }.to raise_error 'Secret set at path global3->sub_key by secrets_reader2 for service service2 on node node2 has conflicting values (set debug for value details).'
+                expect(HybridPlatformsConductorTest::TestSecretsReaderPlugin.calls).to eq [
+                  { instance: :secrets_reader1, node: 'node1', service: 'service1' },
+                  { instance: :secrets_reader1, node: 'node2', service: 'service2' },
+                  { instance: :secrets_reader2, node: 'node2', service: 'service2' }
+                ]
+              end
+            end
+
+            it 'does not call secrets readers when secrets are overridden' do
+              register_plugins(
+                :secrets_reader,
+                {
+                  secrets_reader1: HybridPlatformsConductorTest::TestSecretsReaderPlugin,
+                  secrets_reader2: HybridPlatformsConductorTest::TestSecretsReaderPlugin,
+                  secrets_reader3: HybridPlatformsConductorTest::TestSecretsReaderPlugin
+                }
+              )
+              with_platform_to_deploy(
+                nodes_info: {
+                  nodes: {
+                    'node1' => { services: %w[service1] },
+                    'node2' => { services: %w[service2] },
+                    'node3' => { services: %w[service3] }
+                  }
+                },
+                expect_secrets: {
+                  'overridden_secrets' => 'value'
+                },
+                additional_config: <<~EOS
+                  read_secrets_from %i[secrets_reader1 secrets_reader2]
+                  for_nodes('node2') { read_secrets_from :secrets_reader3 }
+                EOS
+              ) do
+                TestSecretsReaderPlugin.deployer = test_deployer
+                test_deployer.override_secrets('overridden_secrets' => 'value')
+                expect(test_deployer.deploy_on(%w[node1 node2 node3])).to eq(
+                  'node1' => expected_deploy_result,
+                  'node2' => expected_deploy_result,
+                  'node3' => expected_deploy_result
+                )
+                expect(HybridPlatformsConductorTest::TestSecretsReaderPlugin.calls).to eq []
+              end
+            end
+
+          end
+
         end
 
       end