right_infrastructure_agent 1.1.2

data/spec/infrastructure_auth_client_spec.rb

@@ -0,0 +1,140 @@
+#--
+# Copyright (c) 2013 RightScale Inc
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#++
+
+require File.expand_path(File.join(File.dirname(__FILE__), 'spec_helper'))
+require File.expand_path(File.join(File.dirname(__FILE__), '..', 'lib', 'right_infrastructure_agent', 'infrastructure_auth_client'))
+
+describe RightScale::InfrastructureAuthClient do
+
+  include FlexMock::ArgumentTypes
+
+  class GlobalSessionTestDirectory
+    def initialize(configuration, authorities)
+    end
+
+    def configuration
+      {"cookie" => {"name" => "yum"}}
+    end
+  end
+
+  before(:each) do
+    @log = flexmock(RightScale::Log)
+    @log.should_receive(:error).by_default.and_return { |m| raise RightScale::Log.format(*m) }
+    @log.should_receive(:warning).by_default.and_return { |m| raise RightScale::Log.format(*m) }
+
+    @config_dir = "/tmp"
+    @global_session_timeout = 3600
+    @global_session_client_timeout = (@global_session_timeout * 8) / 10
+    @global_session_config = flexmock("global_session configuration")
+    @global_session_config.should_receive(:[]).with("directory").and_return("GlobalSessionTestDirectory").by_default
+    @global_session_config.should_receive(:[]).with("timeout").and_return(@global_session_timeout).by_default
+    flexmock(GlobalSession::Configuration).should_receive(:new).and_return(@global_session_config).by_default
+    @global_session_dir = GlobalSessionTestDirectory.new(@global_session_config, "authorities")
+    @global_session = flexmock("global session")
+    @global_session.should_receive(:[]=).by_default
+    @global_session.should_receive(:directory).and_return(@global_session_dir).by_default
+    @global_session.should_receive(:to_s).and_return("session").by_default
+    flexmock(GlobalSession::Session).should_receive(:new).and_return(@global_session).by_default
+
+    @client_name = "agent"
+    @router_url = "http://router.com"
+    @agent_id = "rs-agent-1-1"
+    @options = {:agent_id => @agent_id}
+  end
+
+  context :initialize do
+    it "creates global session directory" do
+      flexmock(GlobalSession::Configuration).should_receive(:new).and_return(@global_session_config).once
+      client = RightScale::InfrastructureAuthClient.new(@client_name, @router_url, @config_dir, @options)
+      client.instance_variable_get(:@global_session_dir).is_a?(GlobalSessionTestDirectory).should be_true
+    end
+
+    it "sets timeout at 80% of actual global session timeout" do
+      @global_session_config.should_receive(:[]).with("directory").and_return("GlobalSessionTestDirectory").once
+      @global_session_config.should_receive(:[]).with("timeout").and_return(@global_session_timeout).once
+      client = RightScale::InfrastructureAuthClient.new(@client_name, @router_url, @config_dir, @options)
+      client.instance_variable_get(:@global_session_timeout).should == @global_session_client_timeout
+    end
+  end
+
+  context :headers do
+    before(:each) do
+      @client = RightScale::InfrastructureAuthClient.new(@client_name, @router_url, @config_dir, @options)
+    end
+
+    it "raises if not authorized" do
+      @client.send(:state=, :unauthorized)
+      lambda { @client.headers }.should raise_error(RightScale::Exceptions::Unauthorized)
+    end
+
+    it "returns headers" do
+      @client.headers.should == {"Authorization" => "Bearer session"}
+    end
+  end
+
+  context :auth_header do
+    before(:each) do
+      @client = RightScale::InfrastructureAuthClient.new(@client_name, @router_url, @config_dir, @options)
+    end
+
+    it "raises if not authorized" do
+      @client.send(:state=, :unauthorized)
+      lambda { @client.auth_header }.should raise_error(RightScale::Exceptions::Unauthorized)
+    end
+
+    it "returns authorization header" do
+      @client.auth_header.should == {"Authorization" => "Bearer session"}
+    end
+  end
+
+  context :infrastructure_session do
+    before(:each) do
+      @client = RightScale::InfrastructureAuthClient.new(@client_name, @router_url, @config_dir, @options)
+    end
+
+    it "creates session and stores in cache" do
+      now = Time.now
+      flexmock(Time).should_receive(:now).and_return(now)
+      flexmock(GlobalSession::Session).should_receive(:new).and_return(@global_session).once
+      @client.send(:infrastructure_session).should == "session"
+      @client.instance_variable_get(:@cached_infrastructure_session).should == {:session => "session", :created_at => now}
+    end
+
+    it "retrieves existing session from cache" do
+      flexmock(GlobalSession::Session).should_receive(:new).and_return(@global_session).once
+      @client.send(:infrastructure_session).should == "session"
+      @client.send(:infrastructure_session).should == "session"
+    end
+
+    it "creates a new session if session timed out" do
+      now = Time.now
+      later = now + @global_session_client_timeout
+      flexmock(Time).should_receive(:now).and_return(now, later)
+      flexmock(GlobalSession::Session).should_receive(:new).and_return(@global_session).twice
+      @client.send(:infrastructure_session).should == "session"
+      @client.instance_variable_get(:@cached_infrastructure_session).should ==  {:session => "session", :created_at => now}
+      @client.send(:infrastructure_session).should == "session"
+      @client.instance_variable_get(:@cached_infrastructure_session).should ==  {:session => "session", :created_at => later}
+    end
+  end
+end

data/spec/infrastructure_helpers_spec.rb

@@ -0,0 +1,80 @@
+#--
+# Copyright (c) 2011-2013 RightScale, Inc, All Rights Reserved Worldwide.
+#
+# THIS PROGRAM IS CONFIDENTIAL AND PROPRIETARY TO RIGHTSCALE
+# AND CONSTITUTES A VALUABLE TRADE SECRET.  Any unauthorized use,
+# reproduction, modification, or disclosure of this program is
+# strictly prohibited.  Any use of this program by an authorized
+# licensee is strictly subject to the terms and conditions,
+# including confidentiality obligations, set forth in the applicable
+# License Agreement between RightScale.com, Inc. and the licensee.
+#++
+
+require File.expand_path(File.join(File.dirname(__FILE__), 'spec_helper'))
+
+describe RightScale::InfrastructureHelpers do
+
+  include RightScale::InfrastructureHelpers
+
+  context :render_nothing do
+
+    it "renders nothing" do
+      flexmock(self).should_receive(:render).with(:nothing => true, :status => :no_content).once
+      render_nothing.should be_true
+    end
+  end
+
+  context :format_error do
+
+    it "formats exception" do
+      format_error("This is", ArgumentError.new("bad"), :no_trace).should == "This is (ArgumentError: bad)"
+    end
+
+    it "formats error message" do
+      format_error("This is", "bad").should == "This is (bad)"
+    end
+  end
+
+  context :to_int_or_nil do
+
+    class ExtendedString < String
+      def blank?
+        self.empty?
+      end
+    end
+
+    it "converts string to integer" do
+      to_int_or_nil(ExtendedString.new("123")).should == 123
+    end
+
+    it "converts empty string to nil" do
+      to_int_or_nil(ExtendedString.new("")).should == nil
+    end
+
+    it "converts nil to nil" do
+      flexmock(NilClass).should_receive(:blank?).and_return(true)
+      to_int_or_nil(nil).should == nil
+    end
+  end
+
+  context :to_bool do
+
+    it "converts nil to false" do
+      to_bool(nil).should == false
+    end
+
+    it "converts false to false" do
+      to_bool(false).should == false
+    end
+
+    it "converts 'false' to false" do
+      to_bool("false").should == false
+    end
+
+    it "converts anything else to true" do
+      to_bool("anything else").should == true
+      to_bool("true").should == true
+      to_bool(true).should == true
+    end
+  end
+end

data/spec/login_policy_factory_spec.rb

@@ -0,0 +1,279 @@
+# Copyright (c) 2009-2014 RightScale, Inc, All Rights Reserved Worldwide.
+#
+# THIS PROGRAM IS CONFIDENTIAL AND PROPRIETARY TO RIGHTSCALE
+# AND CONSTITUTES A VALUABLE TRADE SECRET.  Any unauthorized use,
+# reproduction, modification, or disclosure of this program is
+# strictly prohibited.  Any use of this program by an authorized
+# licensee is strictly subject to the terms and conditions,
+# including confidentiality obligations, set forth in the applicable
+# License Agreement between RightScale.com, Inc. and the licensee.
+
+require File.expand_path(File.join(File.dirname(__FILE__), 'spec_helper'))
+require 'right_agent/core_payload_types'
+require File.expand_path(File.join(File.dirname(__FILE__), '..', 'lib', 'right_infrastructure_agent', 'login_policy_factory'))
+
+# LoginPolicyFactory is shared between library and right_api, which is why it lives here.
+# By creating a mock world of RightScale models, we allow this spec to run independently
+# of the Rails web apps.
+class Account; end unless defined?(Account)
+class User; end unless defined?(User)
+class Ec2Instance ; end unless defined?(Ec2Instance)
+class Role
+  def self.[](role)
+    role.hash
+  end
+end unless defined?(Role)
+module Biz
+  module ResourceUuidMixin
+    def self.obfuscate_id(object)
+      object.to_s
+    end
+  end
+end
+
+module MockHelper
+  def months_ago(months)
+    Time.now - (24 * 60 * 60 * 30 * months)
+  end
+
+  def mock_account_and_users(num_users)
+    account = flexmock(:model, Account)
+    account.should_receive(:setting).with('managed_login_mandatory').and_return(false).by_default
+    
+    users = []
+    (0...num_users).each do
+      user = flexmock(:model, User,
+                      :id=>rand(2**16),
+                      :account=>account,
+                      :email=>"user#{rand(2**16)}@rightscale.com")
+      users << user
+    end
+
+    flexmock(User).should_receive(:all).and_return(users)
+    return [account] + users
+  end
+
+  def mock_instance(account)
+    instance = flexmock(:model, Ec2Instance, :account=>account)
+    instance.should_receive(:managed_login_allowed?).and_return(false).by_default
+    return instance
+  end
+
+  def mock_login_permission(account, user, expires_at = nil, updated_at = nil)
+    updated_at ||= months_ago(1)
+
+    user.should_receive(:perm_updated_at).and_return(updated_at.to_s)
+    user.should_receive(:perm_deleted_at).and_return((expires_at.to_s unless expires_at.nil?))
+  end
+
+  def mock_credential(user, public_key = nil, public_key_fingerprint = nil, updated_at = nil)
+    updated_at ||= months_ago(1)
+
+    user.should_receive(:cred_updated_at).and_return(updated_at.to_s)
+    user.should_receive(:cred_public_value).and_return(public_key)
+    user.should_receive(:cred_public_fingerprint).and_return(public_key_fingerprint)
+  end
+end
+
+describe RightScale::LoginPolicyFactory do
+  include MockHelper
+
+  def hours_ago(hours)
+    Time.now - (60 * 60 * hours)
+  end
+
+  def days_ago(days)
+    Time.now - (24 * 60 * 60 * days)
+  end
+
+  context :policy_for_instance do
+    context 'handling oddly-formatted keys' do
+      before(:each) do
+        @account, @user  = mock_account_and_users(1)
+        @instance        = mock_instance(@account)
+        @instance.should_receive(:managed_login_allowed?).with(@user, @account).and_return(true)
+      end
+      
+      it 'should add a comment for keys that are missing it' do
+        @user_credential = mock_credential(@user, 'ssh-rsa abcd1234')
+        @permission = mock_login_permission(@account, @user, nil)
+        @policy = RightScale::LoginPolicyFactory.policy_for_instance(@instance, 1234)
+        @policy.users.size.should == 1
+        components = RightScale::LoginPolicy.parse_public_key(@policy.users[0].public_keys.first)
+        components[3].should_not be_nil # email should be substituted in
+      end
+    end
+
+    context 'calculating policy for a given user' do
+      before(:each) do
+        @account, @user  = mock_account_and_users(1)
+        @instance        = mock_instance(@account)
+      end
+
+      context "for all users" do
+        before(:each) do
+          @user_credential = mock_credential(@user, 'ssh-rsa abcd1234 joe@joebob.com', 'sha1')
+          @instance.should_receive(:managed_login_allowed?).with(@user, @account).and_return(true)
+          @permission = mock_login_permission(@account, @user, nil)
+          @policy = RightScale::LoginPolicyFactory.policy_for_instance(@instance, 1234)
+          @policy.users.size.should == 1
+        end
+
+        it "should specify the user's UUID" do
+          @policy.users[0].uuid.should == @user.id.to_s
+        end
+
+        it "should specify a preferred username" do
+          @policy.users[0].username.should_not be_nil
+        end
+
+        it "should include a single public key for pre-5.5 instances" do
+          @policy.users[0].public_key.should == 'ssh-rsa abcd1234 joe@joebob.com'
+        end
+
+        it "should include a collection of public keys for modern instances" do
+          @policy.users[0].public_keys.should == ['ssh-rsa abcd1234 joe@joebob.com']
+        end
+
+        it "should include a collection of public key fingerprints for modern instances" do
+          @policy.users[0].public_key_fingerprints.should == ['sha1']
+        end
+
+        it "should specify a common name" do
+          @policy.users[0].username.should_not be_nil
+        end
+      end
+
+      context "for users not recently updated" do
+        before(:each) do
+          @permission = mock_login_permission(@account, @user, nil)
+        end
+
+        it "should not be terse by default" do
+          @t = days_ago(1)
+          @user_credential = mock_credential(@user, 'ssh-rsa abcd1234 joe@joebob.com', 'sha1', @t)
+          @instance.should_receive(:managed_login_allowed?).with(@user, @account).and_return(true)
+          @policy = RightScale::LoginPolicyFactory.policy_for_instance(@instance, 1234)
+          @policy.users[0].public_keys.should == ['ssh-rsa abcd1234 joe@joebob.com']
+          @policy.users[0].public_key_fingerprints.should == ['sha1']
+        end
+
+        it "should not omit public keys if credential is considered new when requested to be terse" do
+          @t = hours_ago(23)
+          @user_credential = mock_credential(@user, 'ssh-rsa abcd1234 joe@joebob.com', 'sha1', @t)
+          @instance.should_receive(:managed_login_allowed?).with(@user, @account).and_return(true)
+          @policy = RightScale::LoginPolicyFactory.policy_for_instance(@instance, 1234, true)
+          @policy.users[0].public_keys.should == ['ssh-rsa abcd1234 joe@joebob.com']
+          @policy.users[0].public_key_fingerprints.should == ['sha1']
+        end
+
+        it "should omit public keys that are considered old if requested to be terse" do
+          @t = days_ago(1)
+          @user_credential = mock_credential(@user, 'ssh-rsa abcd1234 joe@joebob.com', 'sha1', @t)
+          @instance.should_receive(:managed_login_allowed?).with(@user, @account).and_return(true)
+          @policy = RightScale::LoginPolicyFactory.policy_for_instance(@instance, 1234, true)
+          @policy.users[0].public_keys.should == [nil]
+          @policy.users[0].public_key_fingerprints.should == ['sha1']
+        end
+      end
+
+      context "for users with temporary access" do
+        before(:each) do
+          @user_credential = mock_credential(@user, 'ssh-rsa abcd1234 joe@joebob.com', 'sha1')
+          @instance.should_receive(:managed_login_allowed?).with(@user, @account).and_return(true)
+          @t = Time.at((Time.now + 24 * 60 * 60).to_i)
+          @permission = mock_login_permission(@account, @user, @t)
+          @policy = RightScale::LoginPolicyFactory.policy_for_instance(@instance, 1234)
+          @policy.users.size.should == 1
+        end
+
+        it "should specify the expiry time" do
+          @policy.users[0].expires_at.to_i.should == @t.to_i 
+        end
+      end
+
+    end
+
+    context 'calculating users' do
+      before(:each) do
+        @account, @u_ok = mock_account_and_users(1)
+        mock_login_permission(@account, @u_ok)
+        mock_credential(@u_ok, 'moo')
+
+        @instance   = mock_instance(@account)
+        @instance.should_receive(:managed_login_allowed?).with(@u_ok, @account).and_return(true)
+
+        @policy = RightScale::LoginPolicyFactory.policy_for_instance(@instance, 1234)
+        @policy.users.size.should == 1
+        @policy.users.detect { |u| u.common_name == @u_ok.email }.should_not be_nil
+      end
+
+      it 'should include users that satisfy all criteria' do
+        @policy.users.detect { |u| u.common_name == @u_ok.email }.should_not be_nil                
+      end
+    end
+
+    context 'calculating created_at' do
+      before(:each) do
+        @account, @user1, @user2 = mock_account_and_users(2)
+
+        @instance = mock_instance(@account)
+        @instance.should_receive(:managed_login_allowed?).with(@user1, @account).and_return(true)
+        @instance.should_receive(:managed_login_allowed?).with(@user2, @account).and_return(true)
+      end
+
+      it 'should match a UserCredential.updated_at that is most recent within scope' do
+        @t = days_ago(1)
+        mock_login_permission(@account, @user1)
+        mock_login_permission(@account, @user2)
+        mock_credential(@user1, 'moo', 'sha', days_ago(2))
+        mock_credential(@user2, 'moo', 'sha', @t)
+
+        @policy = RightScale::LoginPolicyFactory.policy_for_instance(@instance, 1234)
+        @policy.created_at.to_s.should == @t.to_s
+      end
+
+      it 'should match a Permission.updated_at that is most recent within scope' do
+        @t = days_ago(1)
+        mock_login_permission(@account, @user1, nil, days_ago(2))
+        mock_login_permission(@account, @user2, nil, @t)
+        mock_credential(@user1, 'moo')
+        mock_credential(@user2, 'moo')
+
+        @policy = RightScale::LoginPolicyFactory.policy_for_instance(@instance, 1234)
+        @policy.created_at.to_s.should == @t.to_s
+      end
+    end
+
+    context 'calculating exclusive' do
+      before(:each) do
+        @account, @user  = mock_account_and_users(1)
+        mock_credential(@user, 'moo')
+        mock_login_permission(@account, @user, nil, days_ago(2))
+        @instance = mock_instance(@account)
+      end
+
+      it 'should be exclusive if Managed SSH is mandatory for the account' do
+        @account.should_receive(:setting).with('managed_login_mandatory').and_return(true)
+
+        @policy   = RightScale::LoginPolicyFactory.policy_for_instance(@instance, 1234)
+        @policy.exclusive.should == true
+      end
+      
+      it 'should not be exclusive if Managed SSH is optional for the account' do
+        @policy   = RightScale::LoginPolicyFactory.policy_for_instance(@instance, 1234)
+        @policy.exclusive.should == false
+      end
+    end
+
+    it 'should use the audit_id passed in by the caller' do
+      @account, @user  = mock_account_and_users(1)
+      @instance = mock_instance(@account)
+      mock_credential(@user, 'moo')
+      mock_login_permission(@account, @user, nil, days_ago(2))
+
+      @policy = RightScale::LoginPolicyFactory.policy_for_instance(@instance, 1234)
+      @policy.audit_id.should == 1234
+    end
+  end
+end