poise-citadel 1.1.0

data/test/cookbooks/citadel_test/recipes/default.rb

@@ -0,0 +1,19 @@
+#
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+file '/mysecret' do
+  content citadel['mysecret'].strip
+end

data/test/gemfiles/chef-12.0.gemfile

@@ -0,0 +1,19 @@
+#
+# Copyright 2015-2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+eval_gemfile File.expand_path('../../../Gemfile', __FILE__)
+
+gem 'chef', '~> 12.0.3'

data/test/gemfiles/chef-12.1.gemfile

@@ -0,0 +1,19 @@
+#
+# Copyright 2015-2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+eval_gemfile File.expand_path('../../../Gemfile', __FILE__)
+
+gem 'chef', '~> 12.1.2'

data/test/gemfiles/chef-12.10.gemfile

@@ -0,0 +1,19 @@
+#
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+eval_gemfile File.expand_path('../../../Gemfile', __FILE__)
+
+gem 'chef', '~> 12.10.24'

data/test/gemfiles/chef-12.2.gemfile

@@ -0,0 +1,19 @@
+#
+# Copyright 2015-2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+eval_gemfile File.expand_path('../../../Gemfile', __FILE__)
+
+gem 'chef', '~> 12.2.1'

data/test/gemfiles/chef-12.3.gemfile

@@ -0,0 +1,19 @@
+#
+# Copyright 2015-2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+eval_gemfile File.expand_path('../../../Gemfile', __FILE__)
+
+gem 'chef', '~> 12.3.0'

data/test/gemfiles/chef-12.4.gemfile

@@ -0,0 +1,21 @@
+#
+# Copyright 2015-2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+eval_gemfile File.expand_path('../../../Gemfile', __FILE__)
+
+gem 'chef', '~> 12.4.3'
+# Pending https://github.com/berkshelf/ridley/pull/335
+gem 'ridley', '4.4.1'

data/test/gemfiles/chef-12.5.gemfile

@@ -0,0 +1,19 @@
+#
+# Copyright 2015-2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+eval_gemfile File.expand_path('../../../Gemfile', __FILE__)
+
+gem 'chef', '~> 12.5.1'

data/test/gemfiles/chef-12.6.gemfile

@@ -0,0 +1,19 @@
+#
+# Copyright 2015-2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+eval_gemfile File.expand_path('../../../Gemfile', __FILE__)
+
+gem 'chef', '~> 12.6.0'

data/test/gemfiles/chef-12.7.gemfile

@@ -0,0 +1,19 @@
+#
+# Copyright 2015-2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+eval_gemfile File.expand_path('../../../Gemfile', __FILE__)
+
+gem 'chef', '~> 12.7.2'

data/test/gemfiles/chef-12.8.gemfile

@@ -0,0 +1,19 @@
+#
+# Copyright 2015-2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+eval_gemfile File.expand_path('../../../Gemfile', __FILE__)
+
+gem 'chef', '~> 12.8.1'

data/test/gemfiles/chef-12.9.gemfile

@@ -0,0 +1,19 @@
+#
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+eval_gemfile File.expand_path('../../../Gemfile', __FILE__)
+
+gem 'chef', '~> 12.9.41'

data/test/gemfiles/chef-12.gemfile

@@ -0,0 +1,19 @@
+#
+# Copyright 2015-2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+eval_gemfile File.expand_path('../../../Gemfile', __FILE__)
+
+gem 'chef', '~> 12.6'

data/test/gemfiles/master.gemfile

@@ -0,0 +1,22 @@
+#
+# Copyright 2015-2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+eval_gemfile File.expand_path('../../../Gemfile', __FILE__)
+
+gem 'chef', github: 'chef/chef'
+gem 'halite', github: 'poise/halite'
+# gem 'poise-boiler', github: 'poise/poise-boiler'
+gem 'poise-profiler', github: 'poise/poise-profiler'

data/test/integration/attr/serverspec/default_spec.rb

@@ -0,0 +1,23 @@
+#
+# Copyright 2013-2016, Balanced, Inc.
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'serverspec'
+set :backend, :exec
+
+describe file('/mysecret') do
+  its(:content) { is_expected.to eq 'allyourbase' }
+end

data/test/integration/iam/serverspec/default_spec.rb

@@ -0,0 +1,23 @@
+#
+# Copyright 2013-2016, Balanced, Inc.
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'serverspec'
+set :backend, :exec
+
+describe file('/mysecret') do
+  its(:content) { is_expected.to eq 'allyourbase' }
+end

data/test/spec/citadel_spec.rb

@@ -0,0 +1,70 @@
+#
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'spec_helper'
+
+describe Citadel do
+  let(:args) { [] }
+  subject { described_class.new(chef_run.node, *args)['mykey'] }
+  before do
+    override_attributes['citadel'] ||= {}
+    override_attributes['citadel']['bucket'] = 'mybucket'
+  end
+
+  context 'with testing node attributes' do
+    before do
+      override_attributes['citadel']['access_key_id'] = 'mykey'
+      override_attributes['citadel']['secret_access_key'] = 'mysecret'
+    end
+
+    it do
+      expect(Citadel::S3).to receive(:get).with(bucket: 'mybucket', region: 'us-east-1', path: 'mykey', access_key_id: 'mykey', secret_access_key: 'mysecret', token: nil).and_return(double(to_s: ''))
+      subject
+    end
+  end # /context with testing node attributes
+
+  context 'with ohai credentials' do
+    before do
+      override_attributes['ec2'] ||= {}
+      override_attributes['ec2']['iam'] ||= {}
+      override_attributes['ec2']['iam']['security-credentials'] ||= {}
+      override_attributes['ec2']['iam']['security-credentials']['myrole'] ||= {}
+      override_attributes['ec2']['iam']['security-credentials']['myrole']['AccessKeyId'] = 'mykey'
+      override_attributes['ec2']['iam']['security-credentials']['myrole']['SecretAccessKey'] = 'mysecret'
+      override_attributes['ec2']['iam']['security-credentials']['myrole']['Token'] = 'mytoken'
+    end
+
+    it do
+      expect(Citadel::S3).to receive(:get).with(bucket: 'mybucket', region: 'us-east-1', path: 'mykey', access_key_id: 'mykey', secret_access_key: 'mysecret', token: 'mytoken').and_return(double(to_s: ''))
+      subject
+    end
+  end # /context with ohai credentials
+
+  context 'with direct metadata access' do
+    before do
+      override_attributes['ec2'] ||= {}
+    end
+
+    it do
+      fake_http = double('metadata_service')
+      expect(fake_http).to receive(:get).with('latest/meta-data/iam/security-credentials/').and_return('myrole')
+      expect(fake_http).to receive(:get).with('latest/meta-data/iam/security-credentials/myrole').and_return({AccessKeyId: 'mykey', SecretAccessKey: 'mysecret', Token: 'mytoken'}.to_json)
+      expect(Chef::HTTP).to receive(:new).with('http://169.254.169.254').and_return(fake_http)
+      expect(Citadel::S3).to receive(:get).with(bucket: 'mybucket', region: 'us-east-1', path: 'mykey', access_key_id: 'mykey', secret_access_key: 'mysecret', token: 'mytoken').and_return(double(to_s: ''))
+      subject
+    end
+  end # /context with direct metadata access
+end

data/test/spec/s3_spec.rb

@@ -0,0 +1,70 @@
+#
+# Copyright 2016, Noah Kantrowitz
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'spec_helper'
+
+describe Citadel::S3 do
+  let(:fake_http) { double('Chef::HTTP') }
+  let(:fake_response) { double('Net::HTTPResponse') }
+  let(:s3_hostname) { 's3.amazonaws.com' }
+  before do
+    # Stub out the HTTP object.
+    expect(Chef::HTTP).to receive(:new).with("https://#{s3_hostname}").and_return(fake_http)
+    # Freeze time so our signing is predictable.
+    allow(Time).to receive(:now).and_return(Time.at(0))
+  end
+
+  context 'with mybucket/mysecret' do
+    subject { described_class.get(bucket: 'mybucket', path: 'mysecret', access_key_id: 'AKIAJMKSMHNNCQX4ILAH', secret_access_key: '0ljyHQrk1AGsc2bgx/8fbNghZNYSdckHADR4vNcL') }
+    before do
+      expect(fake_http).to receive(:get).with('mybucket/mysecret', 'date' => 'Thu, 01 Jan 1970 00:00:00 GMT', 'authorization' => "AWS AKIAJMKSMHNNCQX4ILAH:TQPmJfb3Mx2MblMnRHJS1EG6jus=\n").and_return(fake_response)
+    end
+
+    it { is_expected.to be fake_response }
+  end # /context with mybucket/mysecret
+
+  context 'with token' do
+    subject { described_class.get(bucket: 'mybucket', path: 'mysecret', access_key_id: 'AKIAJMKSMHNNCQX4ILAH', secret_access_key: '0ljyHQrk1AGsc2bgx/8fbNghZNYSdckHADR4vNcL', token: 'EIZvol3NYAGhIYo3mxmF8Bw3GjRFQq6xmjrlXNQs') }
+    before do
+      expect(fake_http).to receive(:get).with('mybucket/mysecret', 'date' => 'Thu, 01 Jan 1970 00:00:00 GMT', 'authorization' => "AWS AKIAJMKSMHNNCQX4ILAH:ZapoW/urO8FlRSEf+y5iWYeNsrs=\n", 'x-amz-security-token' => 'EIZvol3NYAGhIYo3mxmF8Bw3GjRFQq6xmjrlXNQs').and_return(fake_response)
+    end
+
+    it { is_expected.to be fake_response }
+  end # /context with token
+
+  context 'with a region' do
+    let(:s3_hostname) { 's3-us-west-2.amazonaws.com' }
+    subject { described_class.get(bucket: 'mybucket', path: 'mysecret', access_key_id: 'AKIAJMKSMHNNCQX4ILAH', secret_access_key: '0ljyHQrk1AGsc2bgx/8fbNghZNYSdckHADR4vNcL', region: 'us-west-2') }
+    before do
+      expect(fake_http).to receive(:get).with('mybucket/mysecret', 'date' => 'Thu, 01 Jan 1970 00:00:00 GMT', 'authorization' => "AWS AKIAJMKSMHNNCQX4ILAH:TQPmJfb3Mx2MblMnRHJS1EG6jus=\n").and_return(fake_response)
+    end
+
+    it { is_expected.to be fake_response }
+  end # /context with a region
+
+  context 'with an exception' do
+    subject { described_class.get(bucket: 'mybucket', path: 'mysecret', access_key_id: 'AKIAJMKSMHNNCQX4ILAH', secret_access_key: '0ljyHQrk1AGsc2bgx/8fbNghZNYSdckHADR4vNcL') }
+    before do
+      expect(fake_http).to receive(:get).with('mybucket/mysecret', 'date' => 'Thu, 01 Jan 1970 00:00:00 GMT', 'authorization' => "AWS AKIAJMKSMHNNCQX4ILAH:TQPmJfb3Mx2MblMnRHJS1EG6jus=\n").and_raise(Net::HTTPServerException.new(nil, nil))
+    end
+
+    it { expect { subject }.to raise_error Citadel::CitadelError }
+  end # /context with an exception
+end
+
+
+
+