Diffstat (limited to 'spec/unit/secret_fetcher/hashi_vault_spec.rb')
-rw-r--r--spec/unit/secret_fetcher/hashi_vault_spec.rb47
1 files changed, 35 insertions, 12 deletions
diff --git a/spec/unit/secret_fetcher/hashi_vault_spec.rb b/spec/unit/secret_fetcher/hashi_vault_spec.rb
index db93a051e4..c4d953ce97 100644
--- a/spec/unit/secret_fetcher/hashi_vault_spec.rb
+++ b/spec/unit/secret_fetcher/hashi_vault_spec.rb
@@ -15,7 +15,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
-#
require_relative "../../spec_helper"
require "chef/secret_fetcher/hashi_vault"
@@ -24,23 +23,47 @@ describe Chef::SecretFetcher::HashiVault do
let(:node) { {} }
let(:run_context) { double("run_context", node: node) }
- context "when validating HashiVault provided configuration" do
- it "raises ConfigurationInvalid when the role_name is not provided" do
- fetcher = Chef::SecretFetcher::HashiVault.new( { vault_addr: "vault.example.com" }, run_context)
- expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
+ context "when validating provided HashiVault configuration" do
+ it "raises ConfigurationInvalid when the :auth_method is not valid" do
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :invalid, vault_addr: "https://vault.example.com" }, run_context)
+ expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid, /:auth_method/)
end
it "raises ConfigurationInvalid when the vault_addr is not provided" do
- fetcher = Chef::SecretFetcher::HashiVault.new( { role_name: "vault.example.com" }, run_context)
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, role_name: "example-role" }, run_context)
expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
end
- it "obtains a token via AWS IAM auth to allow the gem to do its own validations when all required config is provided" do
- fetcher = Chef::SecretFetcher::HashiVault.new( { vault_addr: "vault.example.com", role_name: "example-role" }, run_context)
- auth_stub =
- allow(Aws::InstanceProfileCredentials).to receive(:new).and_return double("credentials")
- allow(Vault).to receive(:auth).and_return(instance_double(Vault::Authenticate, aws_iam: nil))
- fetcher.validate!
+ context "and using auth_method: :iam_role" do
+ it "raises ConfigurationInvalid when the role_name is not provided" do
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, vault_addr: "vault.example.com" }, run_context)
+ expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
+ end
+
+ it "obtains a token via AWS IAM auth to allow the gem to do its own validations when all required config is provided" do
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :iam_role, vault_addr: "vault.example.com", role_name: "example-role" }, run_context)
+ allow(Aws::InstanceProfileCredentials).to receive(:new).and_return instance_double(Aws::InstanceProfileCredentials)
+ auth_double = instance_double(Vault::Authenticate)
+ expect(auth_double).to receive(:aws_iam)
+ allow(Vault).to receive(:auth).and_return(auth_double)
+ fetcher.validate!
+ end
+ end
+
+ context "and using auth_method: :token" do
+ it "raises ConfigurationInvalid when no token is provided" do
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :token, vault_addr: "vault.example.com" }, run_context)
+ expect { fetcher.validate! }.to raise_error(Chef::Exceptions::Secret::ConfigurationInvalid)
+ end
+
+ it "authenticates using the token during validation when all configuration is correct" do
+ fetcher = Chef::SecretFetcher::HashiVault.new( { auth_method: :token, token: "t.1234abcd", vault_addr: "vault.example.com" }, run_context)
+ auth = instance_double(Vault::Authenticate)
+ auth_double = instance_double(Vault::Authenticate)
+ expect(auth_double).to receive(:token)
+ allow(Vault).to receive(:auth).and_return(auth_double)
+ fetcher.validate!
+ end
end
end
end
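Review bot: In the :token example, the local `auth = instance_double(Vault::Authenticate)` is assigned and never used (`auth_double` on the following line is the one wired into `Vault.auth`); the line should be dropped. The expectation `expect(auth_double).to receive(:token)` also accepts any argument, so the example still passes if the fetcher hands Vault something other than the configured token; constraining it with `expect(auth_double).to receive(:token).with("t.1234abcd")` makes the test assert that the configured credential is the one actually sent. The :iam_role example's `expect(auth_double).to receive(:aws_iam)` has the same gap and could likewise pin the role name it is called with, if that matches the gem's call signature. The :auth_method example uses `"https://vault.example.com"` while every other example uses `"vault.example.com"`; a single fixture value would make it clear the scheme is not what the examples are exercising.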