Diffstat (limited to 'ansible_collections/cyberark/conjur/tests')
60 files changed, 1074 insertions, 0 deletions
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/.dockerignore b/ansible_collections/cyberark/conjur/tests/conjur_variable/.dockerignore
new file mode 100644
index 000000000..5ed3ebd29
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/.dockerignore
@@ -0,0 +1 @@
+conjur-intro/
\ No newline at end of file diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/.gitignore b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/.gitignore new file mode 100644 index 000000000..bc1a1f616 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/.gitignore @@ -0,0 +1,2 @@ +# Created by pytest automatically. +* diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/CACHEDIR.TAG b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/CACHEDIR.TAG new file mode 100644 index 000000000..fce15ad7e --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/CACHEDIR.TAG @@ -0,0 +1,4 @@ +Signature: 8a477f597d28d172789f06886806bc55 +# This file is a cache directory tag created by pytest. +# For information about cache directory tags, see: +# https://bford.info/cachedir/spec.html diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/README.md b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/README.md new file mode 100644 index 000000000..b89018ced --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/README.md @@ -0,0 +1,8 @@ +# pytest cache directory # + +This directory contains data from the pytest's cache plugin, +which provides the `--lf` and `--ff` options, as well as the `cache` fixture. + +**Do not** commit this to version control. + +See [the docs](https://docs.pytest.org/en/stable/how-to/cache.html) for more information. diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/nodeids b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/nodeids new file mode 100644 index 000000000..c6b2f5e13 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/nodeids 
@@ -0,0 +1,11 @@ +[ + "test_cases/retrieve-variable-bad-cert-path/tests/test_default.py::test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]", + "test_cases/retrieve-variable-bad-certs/tests/test_default.py::test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]", + "test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]", + "test_cases/retrieve-variable-into-file/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]", + "test_cases/retrieve-variable-no-cert-provided/tests/test_default.py::test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]", + "test_cases/retrieve-variable-with-authn-token-bad-cert/tests/test_default.py::test_retrieve_secret_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]", + "test_cases/retrieve-variable-with-authn-token/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]", + "test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]", + "test_cases/retrieve-variable/tests/test_default.py::test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" +]
\ No newline at end of file diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/stepwise b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/stepwise new file mode 100644 index 000000000..0637a088a --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/.pytest_cache/v/cache/stepwise @@ -0,0 +1 @@ +[]
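Review bot: The `.pytest_cache/` tree (nodeids, stepwise, CACHEDIR.TAG) is a per-run artifact that pytest regenerates, and the README it ships with says in bold "Do not commit this to version control"; the same goes for the `junit/` result files further down, which carry a Jenkins hostname and timestamps. Neither adds anything to the collection and the nodeids file bakes the CI container name `jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible` into the repo. Drop them from the commit and add `.pytest_cache/` and `junit/` to the collection's `.gitignore` (the `.dockerignore` added here only covers `conjur-intro/`).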
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile b/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile
new file mode 100644
index 000000000..293ccdca0
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile
@@ -0,0 +1,31 @@
+FROM ubuntu:20.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+WORKDIR /cyberark
+
+# install python 3
+RUN apt-get update && \
+ apt-get install -y python3-pip && \
+ pip3 install --upgrade pip
+
+ARG ANSIBLE_VERSION
+# install ansible and its test tool
+RUN pip3 install ansible==${ANSIBLE_VERSION}.* pytest-testinfra
+
+# install docker installation requirements
+RUN apt-get update && \
+ apt-get install -y apt-transport-https \
+ ca-certificates \
+ curl \
+ software-properties-common
+
+# install docker
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
+RUN add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+ $(lsb_release -cs) \
+ stable"
+
+RUN apt-get update && \
+ apt-get -y install docker-ce
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile_nginx b/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile_nginx
new file mode 100644
index 000000000..6f1e28107
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/Dockerfile_nginx
@@ -0,0 +1,17 @@
+FROM nginx:1.13.3
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+ apt-get update && \
+ apt-get install -y iputils-ping \
+ procps \
+ openssl && \
+ rm -rf /var/lib/apt/lists/*
+
+WORKDIR /etc/nginx/
+
+COPY proxy/ssl.conf /etc/ssl/openssl.cnf
+COPY proxy/default.conf /etc/nginx/conf.d/default.conf
+
+RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+ -config /etc/ssl/openssl.cnf -extensions v3_ca \
+ -keyout cert.key -out cert.crt
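Review bot: The Docker repository key is imported with `curl ... | apt-key add -`, which is deprecated on Ubuntu 20.04 and drops the key into the global trusted keyring, so it can then validate packages from every configured repository, not only Docker's. Keep the key in its own file and bind it to the source line with `signed-by=` as below (add `gnupg` to the apt-get install list if it is not already pulled in). The base image, `python3-pip` and `ansible==${ANSIBLE_VERSION}.*` are also unpinned, so the test image is not reproducible from one CI run to the next; for a secrets-management collection's CI a pip constraints file or exact pins is worth the small maintenance cost.
```dockerfile
# … unchanged: python3, ansible and docker-prerequisite installs …
RUN install -m 0755 -d /etc/apt/keyrings && \
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
RUN add-apt-repository \
    "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
    $(lsb_release -cs) \
    stable"
# … unchanged: apt-get update && apt-get -y install docker-ce …
```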
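Review bot: `FROM nginx:1.13.3` pins a 2017 release as the TLS endpoint that the certificate-validation test cases talk to; its bundled nginx and OpenSSL predate years of TLS fixes and its apt sources may no longer be served, which would break the `apt-get install` that follows. A maintained tag (any current `nginx:1.x`) keeps the `ssl_*` directives in proxy/default.conf meaningful and the build repeatable. The `openssl req -x509 ... -nodes` step also bakes the unencrypted `cert.key` into an image layer — fine for a throwaway fixture, but say so: `# test-only self-signed key, regenerated on every build; never reuse outside CI`.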
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/docker-compose.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/docker-compose.yml new file mode 100644 index 000000000..01294d94b --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/docker-compose.yml @@ -0,0 +1,67 @@ +version: '3' +services: + ansible: + image: ansiblecontainername + container_name: ${COMPOSE_PROJECT_NAME}-ansible + build: + context: . + dockerfile: Dockerfile + args: + ANSIBLE_VERSION: ${ANSIBLE_VERSION} + entrypoint: sleep + command: infinity + environment: + CONJUR_APPLIANCE_URL: ${CONJUR_APPLIANCE_URL} + CONJUR_ACCOUNT: ${CONJUR_ACCOUNT} + CONJUR_AUTHN_LOGIN: ${CONJUR_AUTHN_LOGIN} + CONJUR_AUTHN_API_KEY: ${ANSIBLE_MASTER_AUTHN_API_KEY} + COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME} + networks: + - "${DOCKER_NETWORK}" + volumes: + - ../../plugins:/root/.ansible/plugins + - ../..:/cyberark + - /var/run/docker.sock:/var/run/docker.sock + + pg: + image: postgres:9.4 + environment: + POSTGRES_HOST_AUTH_METHOD: password + POSTGRES_PASSWORD: StrongPass + + conjur: + image: cyberark/conjur + command: server -a cucumber -p 3000 + environment: + DATABASE_URL: postgres://postgres:StrongPass@pg/postgres + CONJUR_DATA_KEY: "W0BuL8iTr/7QvtjIluJbrb5LDAnmXzmcpxkqihO3dXA=" + depends_on: + - pg + + conjur_https: + hostname: conjur-https + build: + context: . + dockerfile: Dockerfile_nginx + entrypoint: nginx-debug -g 'daemon off;' + environment: + TERM: xterm + depends_on: + - conjur + + conjur_cli: + image: cyberark/conjur-cli:5 + entrypoint: sleep + command: infinity + environment: + CONJUR_APPLIANCE_URL: http://conjur:3000 + CONJUR_ACCOUNT: cucumber + CONJUR_AUTHN_LOGIN: admin + CONJUR_AUTHN_API_KEY: ${CONJUR_ADMIN_AUTHN_API_KEY} + volumes: + - ./policy:/policy + +networks: + dap_net: + name: dap_net + external: true 
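Review bot: The `ansible` service bind-mounts `/var/run/docker.sock` (and the Dockerfile installs `docker-ce` for it), which makes the test container equivalent to root on the host running the suite, and nothing in the file says why; the reason is only visible in test.sh, where `py.test ... --connection docker` runs from inside this same container to inspect itself. A comment on the volume line, `# testinfra runs inside this container with --connection docker; host-root equivalent, CI only`, would stop the mount being copied into a non-test compose file. The fixed `CONJUR_DATA_KEY` and `POSTGRES_PASSWORD: StrongPass` are acceptable for a disposable test database but deserve a `# test fixture only, never reuse` marker, and `CONJUR_AUTHN_API_KEY` lands in the container environment where `docker inspect` can read it, which is tolerable here but worth noting.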
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable new file mode 100644 index 000000000..08c9ccb5e --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.575" timestamp="2022-09-09T15:07:48.307449" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.530" /></testsuite></testsuites>
\ No newline at end of file diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-cert-path b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-cert-path new file mode 100644 index 000000000..0ed22fad7 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-cert-path @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.458" timestamp="2022-09-09T15:07:51.763243" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-bad-cert-path.tests.test_default" name="test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.422" /></testsuite></testsuites>
\ No newline at end of file diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-certs b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-certs new file mode 100644 index 000000000..6b0b865c1 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-bad-certs @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.459" timestamp="2022-09-09T15:07:55.122204" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-bad-certs.tests.test_default" name="test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.423" /></testsuite></testsuites>
\ No newline at end of file diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-disable-verify-certs b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-disable-verify-certs new file mode 100644 index 000000000..9f1fc6494 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-disable-verify-certs @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.568" timestamp="2022-09-09T15:07:58.851346" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-disable-verify-certs.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.532" /></testsuite></testsuites>
\ No newline at end of file diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-into-file b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-into-file new file mode 100644 index 000000000..5fcc68f80 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-into-file @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.863" timestamp="2022-09-09T15:08:02.658511" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-into-file.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.828" /></testsuite></testsuites>
\ No newline at end of file diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-no-cert-provided b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-no-cert-provided new file mode 100644 index 000000000..f1c9029a8 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-no-cert-provided @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.464" timestamp="2022-09-09T15:08:06.406130" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-no-cert-provided.tests.test_default" name="test_retrieval_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.429" /></testsuite></testsuites>
\ No newline at end of file diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token new file mode 100644 index 000000000..407145017 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.551" timestamp="2022-09-09T15:08:10.115226" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-with-authn-token.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.516" /></testsuite></testsuites>
\ No newline at end of file diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token-bad-cert b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token-bad-cert new file mode 100644 index 000000000..680f3913f --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-authn-token-bad-cert @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.460" timestamp="2022-09-09T15:08:13.541799" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-with-authn-token-bad-cert.tests.test_default" name="test_retrieve_secret_failed[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.425" /></testsuite></testsuites>
\ No newline at end of file diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-spaces-secret b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-spaces-secret new file mode 100644 index 000000000..65e72fecb --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/junit/retrieve-variable-with-spaces-secret @@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="1" time="0.571" timestamp="2022-09-09T15:08:17.207877" hostname="96989ca8092d"><testcase classname="test_cases.retrieve-variable-with-spaces-secret.tests.test_default" name="test_retrieved_secret[docker://jenkinscyberarkansibleconjurcollectionv1201conjurvariable-ansible]" time="0.536" /></testsuite></testsuites>
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/policy/root.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/policy/root.yml
new file mode 100644
index 000000000..dbaea73fa
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/policy/root.yml
@@ -0,0 +1,21 @@
+---
+- !policy
+ id: ansible
+ annotations:
+ description: Policy for Ansible master
+ body:
+
+ - !host
+ id: ansible-master
+ annotations:
+ description: Host for running Ansible on remote targets
+
+ - &variables
+ - !variable test-secret
+ - !variable test-secret-in-file
+ - !variable var with spaces
+
+ - !permit
+ role: !host ansible-master
+ privileges: [ read, execute ]
+ resource: *variables
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/default.conf b/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/default.conf
new file mode 100644
index 000000000..578b3c5f8
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/default.conf
@@ -0,0 +1,29 @@
+server {
+ listen 80;
+ return 301 https://conjur$request_uri;
+}
+
+server {
+ listen 443;
+ server_name localhost;
+ ssl_certificate /etc/nginx/cert.crt;
+ ssl_certificate_key /etc/nginx/cert.key;
+
+ ssl on;
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+ ssl_prefer_server_ciphers on;
+
+ access_log /var/log/nginx/access.log;
+
+ location / {
+ proxy_pass http://conjur:3000;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+}
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/ssl.conf b/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/ssl.conf
new file mode 100644
index 000000000..1b11cd755
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/proxy/ssl.conf
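Review bot: The port-80 block redirects to `https://conjur$request_uri`, but `conjur` is the hostname of the plain-HTTP backend (`proxy_pass http://conjur:3000`) and is not in the certificate's SAN list (only `localhost`, `conjur-https` and `127.0.0.1`, per proxy/ssl.conf in this commit), so a client that follows the redirect with verification on fails on hostname mismatch; `return 301 https://conjur-https$request_uri;` (or `$host`) points at the TLS front end. The TLS block enables `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` — for a fixture whose whole purpose is to exercise certificate validation in the lookup plugin, TLS 1.0/1.1 add nothing and should go: `ssl_protocols TLSv1.2;`. `ssl on;` is deprecated in favour of `listen 443 ssl;`, which would also let the `listen 80` and `listen 443` lines read consistently.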
@@ -0,0 +1,39 @@
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+req_extensions = v3_req
+x509_extensions = usr_cert
+
+[ dn ]
+C=IL
+ST=Israel
+L=TLV
+O=Onyx
+OU=CyberArk
+CN=conjur-https
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsCertType = client, server, email
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+[ v3_req ]
+extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+DNS.2 = conjur-https
+IP.1 = 127.0.0.1
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/pytest.ini b/ansible_collections/cyberark/conjur/tests/conjur_variable/pytest.ini
new file mode 100644
index 000000000..fe55d2ed6
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/pytest.ini
@@ -0,0 +1,2 @@
+[pytest]
+junit_family=xunit2
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test.sh b/ansible_collections/cyberark/conjur/tests/conjur_variable/test.sh
new file mode 100755
index 000000000..464921b81
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test.sh
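Review bot: `req_extensions` and `x509_extensions` are each set twice in `[req]` (`req_ext`, a section that does not exist, then `v3_req`; `v3_ca` then `usr_cert`), and neither pair matters because Dockerfile_nginx runs `openssl req -x509 ... -extensions v3_ca`, which selects `[ v3_ca ]` explicitly, while `req_extensions` only affects CSRs that `-x509` never produces. The issued certificate therefore carries the SAN and nothing else, yet the dead `[ usr_cert ]`/`[ v3_req ]` sections advertise `codeSigning, emailProtection` and `nsCertType` that a reader will assume are in effect. Drop the duplicate keys and the two unused sections, and give `[ v3_ca ]` a minimal server profile beside the SAN — `keyUsage = critical, digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth` — after confirming the lookup plugin's client still accepts the self-signed file as its CA bundle. The `# The extentions` comment has a typo ("extensions") and would be clearer as `# used only if -extensions is not given on the command line`.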
@@ -0,0 +1,225 @@ +#!/bin/bash -eu + +set -o pipefail + +# normalises project name by filtering non alphanumeric characters and transforming to lowercase +declare -x COMPOSE_PROJECT_NAME='' +declare -x ENTERPRISE_PROJECT='conjur-intro-variable' +declare -x ANSIBLE_PROJECT='' + +declare -x ANSIBLE_MASTER_AUTHN_API_KEY='' +declare -x CONJUR_ADMIN_AUTHN_API_KEY='' +declare -x DOCKER_NETWORK="default" +declare -x ANSIBLE_VERSION="${ANSIBLE_VERSION:-6}" + +ANSIBLE_PROJECT=$(echo "${BUILD_TAG:-ansible-plugin-testing}-conjur-variable" | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]') + +enterprise="false" +cli_cid="" +test_dir="$(pwd)" + +function cleanup { + echo 'Removing test environment' + echo '---' + + # Escape conjur-intro dir if Enterprise setup fails + cd "${test_dir}" + + if [[ -d conjur-intro ]]; then + pushd conjur-intro + COMPOSE_PROJECT_NAME="${ENTERPRISE_PROJECT}" + ./bin/dap --stop + popd + rm -rf conjur-intro + fi + + COMPOSE_PROJECT_NAME="${ANSIBLE_PROJECT}" + docker-compose down -v + rm -f conjur.pem \ + access_token +} +trap cleanup EXIT + +while getopts 'e' flag; do + case "${flag}" in + e) enterprise="true" ;; + *) exit 1 ;; + esac +done + +cleanup + +function wait_for_conjur { + echo "Waiting for Conjur server to come up" + docker-compose exec -T conjur conjurctl wait -r 30 -p 3000 +} + +function fetch_ssl_certs { + echo "Fetching SSL certs" + service_id="conjur_https" + cert_path="cert.crt" + if [[ "${enterprise}" == "true" ]]; then + service_id="conjur-master.mycompany.local" + cert_path="/etc/ssl/certs/ca.pem" + fi + + (docker-compose exec -T "${service_id}" cat "${cert_path}") > conjur.pem +} + +function setup_conjur_resources { + echo "Configuring Conjur via CLI" + + policy_path="root.yml" + if [[ "${enterprise}" == "false" ]]; then + policy_path="/policy/${policy_path}" + fi + + docker exec "${cli_cid}" bash -c " + conjur policy load root ${policy_path} + conjur variable values add ansible/test-secret test_secret_password + conjur 
variable values add ansible/test-secret-in-file test_secret_in_file_password + conjur variable values add 'ansible/var with spaces' var_with_spaces_secret_password + " +} + +function setup_admin_api_key { + echo "Fetching admin API key" + if [[ "$enterprise" == "true" ]]; then + CONJUR_ADMIN_AUTHN_API_KEY="$(docker exec "${cli_cid}" conjur user rotate_api_key)" + else + CONJUR_ADMIN_AUTHN_API_KEY="$(docker-compose exec -T conjur conjurctl role retrieve-key "${CONJUR_ACCOUNT}":user:admin)" + fi +} + +function setup_ansible_api_key { + echo "Fetching Ansible master host credentials" + ANSIBLE_MASTER_AUTHN_API_KEY="$(docker exec "${cli_cid}" conjur host rotate_api_key --host ansible/ansible-master)" +} + +function setup_access_token { + echo "Get Access Token" + docker exec "${cli_cid}" bash -c " + export CONJUR_AUTHN_LOGIN=host/ansible/ansible-master + export CONJUR_AUTHN_API_KEY=\"$ANSIBLE_MASTER_AUTHN_API_KEY\" + conjur authn authenticate + " > access_token +} + +function setup_conjur_open_source() { + docker-compose up -d --build conjur \ + conjur_https + + wait_for_conjur + fetch_ssl_certs + setup_admin_api_key + + echo "Creating Conjur CLI with admin credentials" + docker-compose up -d conjur_cli + cli_cid="$(docker-compose ps -q conjur_cli)" + + setup_conjur_resources + setup_ansible_api_key + setup_access_token +} + +function setup_conjur_enterprise() { + git clone --single-branch --branch main https://github.com/conjurdemos/conjur-intro.git + pushd ./conjur-intro + + echo "Provisioning Enterprise leader and follower" + ./bin/dap --provision-master + ./bin/dap --provision-follower + + cp ../policy/root.yml . + + # Run 'sleep infinity' in the CLI container, so the scripts + # have access to an alive and authenticated CLI until the script terminates + cli_cid="$(docker-compose run -d \ + -w /src/cli \ + --entrypoint sleep client infinity)" + + echo "Authenticate Conjur CLI container" + docker exec "${cli_cid}" \ + /bin/bash -c " + if [ ! 
-e /root/conjur-demo.pem ]; then + yes 'yes' | conjur init -u ${CONJUR_APPLIANCE_URL} -a ${CONJUR_ACCOUNT} + fi + conjur authn login -u admin -p MySecretP@ss1 + hostname -I + " + + fetch_ssl_certs + setup_conjur_resources + setup_admin_api_key + setup_ansible_api_key + setup_access_token + + echo "Relocate credential files" + mv conjur.pem ../. + mv access_token ../. + popd +} + +function run_test_cases { + for test_case in test_cases/*; do + run_test_case "$(basename -- "$test_case")" + done +} + +function run_test_case { + local test_case=$1 + echo "---- testing ${test_case} ----" + + if [ -z "$test_case" ]; then + echo ERROR: run_test called with no argument 1>&2 + exit 1 + fi + + docker-compose exec -T ansible bash -exc " + cd tests/conjur_variable + + # If env vars were provided, load them + if [ -e 'test_cases/${test_case}/env' ]; then + . ./test_cases/${test_case}/env + fi + + # You can add -vvvv here for debugging + ansible-playbook 'test_cases/${test_case}/playbook.yml' + + py.test --junitxml='./junit/${test_case}' \ + --connection docker \ + -v 'test_cases/${test_case}/tests/test_default.py' + " +} + +function main() { + if [[ "$enterprise" == "true" ]]; then + echo "Deploying Conjur Enterprise" + + export CONJUR_APPLIANCE_URL="https://conjur-master.mycompany.local" + export CONJUR_ACCOUNT="demo" + COMPOSE_PROJECT_NAME="${ENTERPRISE_PROJECT}" + DOCKER_NETWORK="dap_net" + + setup_conjur_enterprise + else + echo "Deploying Conjur Open Source" + + export CONJUR_APPLIANCE_URL="https://conjur-https" + export CONJUR_ACCOUNT="cucumber" + COMPOSE_PROJECT_NAME="${ANSIBLE_PROJECT}" + + setup_conjur_open_source + fi + + COMPOSE_PROJECT_NAME="${ANSIBLE_PROJECT}" + export CONJUR_AUTHN_LOGIN="host/ansible/ansible-master" + + echo "Preparing Ansible for test run" + docker-compose up -d --build ansible + + echo "Running tests" + run_test_cases +} + +main 
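Review bot: `setup_access_token` splices the host API key into the `bash -c` string handed to `docker exec`, so the secret rides in the exec's argv (visible via `docker inspect` on the exec and, briefly, in the host process table) and any shell-special character in a future key format breaks the quoting; pass it as environment instead: `docker exec -e CONJUR_AUTHN_LOGIN=host/ansible/ansible-master -e CONJUR_AUTHN_API_KEY="${ANSIBLE_MASTER_AUTHN_API_KEY}" "${cli_cid}" conjur authn authenticate > access_token`. `access_token` and `conjur.pem` are created with the default umask inside a directory that docker-compose.yml bind-mounts wholesale into the ansible container, so a `umask 077` near the top of the script is cheap insurance. The enterprise path clones `main` of conjurdemos/conjur-intro unpinned and then executes its `bin/dap` scripts and `docker-compose run`, which is a supply-chain exposure for CI — pin a commit SHA. `MySecretP@ss1` looks like the conjur-intro demo admin password rather than a real credential; confirm and say so in a comment next to it.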
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/env b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/env new file mode 100644 index 000000000..07d7632c0 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/env @@ -0,0 +1 @@ +export CONJUR_CERT_FILE=./bad/cert/path diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/playbook.yml new file mode 100644 index 000000000..516faec41 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/playbook.yml @@ -0,0 +1,15 @@ +--- +- name: Retrieve Conjur variable fails with bad cert + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable with bad cert + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt + ignore_errors: True diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py new file mode 100644 index 000000000..a3f2bbdf3 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-cert-path/tests/test_default.py 
@@ -0,0 +1,13 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible'] + + +def test_retrieval_failed(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert not secrets_file.exists diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/bad-cert.pem b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/bad-cert.pem new file mode 100644 index 000000000..a3831e0ce --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/bad-cert.pem 
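Review bot: `test_retrieval_failed` only asserts that `/conjur_secrets.txt` is absent, which is equally the outcome when the lookup fails for an unrelated reason (Conjur not reachable yet, a rotated API key, a typo in the variable id), so this negative case cannot tell "rejected the bad certificate" from "could not talk to Conjur at all", and the identical copies for retrieve-variable-bad-certs and retrieve-variable-no-cert-provided have the same blind spot. If the lookup failure surfaces as a task result, `register:` it in the playbook and write `msg` to a file the test can read; otherwise capture ansible-playbook's output in `run_test_case`. Either way, add an assertion that the failure text mentions certificate verification, and a docstring on the test stating that an absent file is only meaningful together with that check.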
@@ -0,0 +1,41 @@ +-----BEGIN CERTIFICATE----- +MIIDqTCCApGgAwIBAgIQN/xr5EKbXSqdyhGyGBWCizANBgkqhkiG9w0BAQsFADAY +MRYwFAYDVQQDEw1jb25qdXItb3NzLWNhMB4XDTIwMDYxMjIwNTYzOVoXDTIxMDYx +MjIwNTYzOVowGzEZMBcGA1UEAxMQY29uanVyLm15b3JnLmNvbTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAOewPeFNcuLuE1tgpINSm4EajDXC+C6qsPhn +Jf3PhDFCpAEHckx1BVK01kFUdC6FOI6JEuI6pFnV1Tb9+WFYTX6wcGBAy90i+K9u +Xcjqb3sz5O3p6MjKL4xVvT4TxllT8cslNJix8gFrTYSvBFaUqCioGJAgyQyJ4SV+ +Tm/bXu/KdtfJQaLie+J5Xz/28220hC5NYlIjhMg5YgtRB7JjCj5bPe3PYykN5m8i +INWEw20EW+54YKNs5RDFNKzXOqF5h6Mrc/RcE1rbCGNOqveQ43DTFUgS4rVF8T8S +juO+LGfso2w6YvO7pT+ob9GxZytZXQSxrOXe8LpU4jSDS5g0+cECAwEAAaOB6zCB +6DAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC +MAwGA1UdEwEB/wQCMAAwgagGA1UdEQSBoDCBnYIQY29uanVyLm15b3JnLmNvbYIK +Y29uanVyLW9zc4IhY29uanVyLW9zcy50ZXN0LWRlcGxveS1kZWZhdWx0cy0xgiVj +b25qdXItb3NzLnRlc3QtZGVwbG95LWRlZmF1bHRzLTEuc3ZjgjNjb25qdXItb3Nz +LnRlc3QtZGVwbG95LWRlZmF1bHRzLTEuc3ZjLmNsdXN0ZXIubG9jYWwwDQYJKoZI +hvcNAQELBQADggEBAIdtOYlIdnojqVBbHGKPAJS8ZWDUm97W1KajZ6QGy6X7fD66 +tOb0QNhzLwbi4HQsuNR0rpWa48Z/sN1E6V5WlfG8pTrNRjqAc/sdobERMMS+rhtu +RfLu1UbYCRLXYIAQFIQFtGDVNXnuvhkCwDz6PV4rniml24qhnGeL3+8ZkW6m5+8u +XIt4Wq9otR3qj/Jx8eUg9eY/7RKgqCClP5Eg4szO0LaqQNblSR+3OgcGxmdTaJQt +BlXRIH0CPpX+3p3mO4zfKIDRHZ0tueWLqOVRARyx9n9qBbhlpBJnecS19PNUAGVa +10H1XkmpVXdadcV/8vBhjEpeq4cVgguS5oozG7Y= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC/TCCAeWgAwIBAgIRAMUGxDd4cpSs7m9hvzTHoi4wDQYJKoZIhvcNAQELBQAw +GDEWMBQGA1UEAxMNY29uanVyLW9zcy1jYTAeFw0yMDA2MTIyMDU2MzhaFw0yMTA2 +MTIyMDU2MzhaMBgxFjAUBgNVBAMTDWNvbmp1ci1vc3MtY2EwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQC111bZxfhVHPerwHXvc+ycgCcI02VtfsrH9Tyk +cmMsbUO6jF5aKBQj4fKSwbOCdXcqYoGwaQHQzOVMCGGruOYrOwfusOg2t2EQ7KIE +KWdP0BpAvASvkKwk/GGfaBqtzy1DvVyl0B8b/4C7tnta21Zs5HFOKo0CE+iX/FUQ +RDjpncE9Zhg2E2f1eCef4D+h2JJLtZPLOUZIUs0IMBPqQiL7iNSfY+e8dy6dRC9v +AhyFLULpK34aPm1DqwX3rHDPoLJl24sZFo8q9UvpCwj3sqVoABagS32yL/8//LvU +DaR4pgwuyd9sWf/CQkT0OHsHup5CH7xbYB0DSdmRJPeb07lHAgMBAAGjQjBAMA4G 
+A1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYD +VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANrAiuLkZGmSQlURpWtvm +PgfPFPKPt1PAqjNwWhzMjHZg2P3UNBUTLeUdo52yJai6/iajlYTRPVvNUqiVnTay +/X9LwWH5EXTKCHagfQh4fYtTSFa12BUBlSP7at3S25pMDOpylb3CxdGe/Oh8S0HZ +gu7MMayFhcGCSJnT+F+JIqwnWkbWPYgHn0VCbBXN+5s7GJWFWwZljQzMCIa/xvwr +xuSX6Lsgai1Abqo1pDJA8RNyxMtn5V8RHgwjQ/BdeodptqZc/kULVDOZ0dkAKxyH +UYfqxxk4Ywc2JSSJYRs/RJpjngGnnLIOHgnruEIDtdOHw2yxAJZ/e7p8y9ThSxRo +5Q== +-----END CERTIFICATE----- diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/env b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/env new file mode 100644 index 000000000..73e6e980a --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/env @@ -0,0 +1 @@ +export CONJUR_CERT_FILE=./test_cases/retrieve-variable-bad-certs/bad_cert.pem diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/playbook.yml new file mode 100644 index 000000000..516faec41 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/playbook.yml @@ -0,0 +1,15 @@ +--- +- name: Retrieve Conjur variable fails with bad cert + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable with bad cert + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt + ignore_errors: True 
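Review bot: The env file points `CONJUR_CERT_FILE` at `bad_cert.pem` (underscore) while the fixture added in this commit is `bad-cert.pem` (hyphen), so the plugin is handed a path that does not exist and this case degenerates into a second copy of retrieve-variable-bad-cert-path; the scenario it is named for — a well-formed PEM that did not sign the server certificate — is never exercised. Fix the path: `export CONJUR_CERT_FILE=./test_cases/retrieve-variable-bad-certs/bad-cert.pem`. The fixture chain (CN conjur.myorg.com, issued by conjur-oss-ca) also appears, from its encoded validity window, to have expired in June 2021, which is fine for a rejection test but should be stated in a comment so nobody "fixes" the test by renewing it.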
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/tests/test_default.py new file mode 100644 index 000000000..a3f2bbdf3 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-bad-certs/tests/test_default.py @@ -0,0 +1,13 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible'] + + +def test_retrieval_failed(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert not secrets_file.exists diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/playbook.yml new file mode 100644 index 000000000..f1085642f --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/playbook.yml @@ -0,0 +1,14 @@ +--- +- name: Retrieve Conjur variable with disabled cert verification + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable with disabled cert verification + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret', validate_certs=False)}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt 
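Review bot: The secret is written with `shell: echo "{{super_secret_key}}" > /conjur_secrets.txt`, which passes the value through shell quoting and places it in the task's `cmd` argument, so it is printed by ansible-playbook at `-v`/`-vvvv` (the comment in test.sh invites exactly that) and ends up in CI logs; a value containing `"`, `$` or a backtick would also be reinterpreted by the shell, as the `var with spaces` case already hints. Replace it with `copy: {content: "{{super_secret_key}}", dest: /conjur_secrets.txt, mode: '0600'}` and `no_log: true` on the task; the same pattern is repeated in every playbook of this commit. Since this is the one case that succeeds without `conjur.pem`, it is also the easiest for users to copy, so a `# disables TLS verification — test only, never in production` comment on the `validate_certs=False` line is warranted.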
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py new file mode 100644 index 000000000..a98ce29e9 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-disable-verify-certs/tests/test_default.py @@ -0,0 +1,17 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible'] + + +def test_retrieved_secret(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert secrets_file.exists + + result = host.check_output("cat /conjur_secrets.txt", shell=True) + + assert result == "test_secret_password" diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/env b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/env new file mode 100644 index 000000000..2363951d1 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/env @@ -0,0 +1 @@ +export CONJUR_CERT_FILE=./conjur.pem diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/playbook.yml new file mode 100644 index 000000000..ef982db4f --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/playbook.yml 
@@ -0,0 +1,14 @@ +--- +- name: Retrieve Conjur variable into file + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secret_path.txt + + - name: Retrieve Conjur variable into file using as_file option + vars: + secret_path: "{{lookup('conjur_variable', 'ansible/test-secret-in-file', as_file=True)}}" + shell: echo -n "{{secret_path}}" > /lookup_output.txt diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/tests/test_default.py new file mode 100644 index 000000000..5d05f950b --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-into-file/tests/test_default.py @@ -0,0 +1,22 @@ +from __future__ import (absolute_import, division, print_function) + +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible'] + + +def test_retrieved_secret(host): + """ + Verify that the as_file parameter makes the lookup plugin return the path to a temporary file + containing the secret. + """ + lookup_output_file = host.file('/lookup_output.txt') + assert lookup_output_file.exists + + secret_file = host.file(lookup_output_file.content_string) + assert secret_file.exists + assert secret_file.mode == 0o600 + assert secret_file.content_string == "test_secret_in_file_password" diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/playbook.yml new file mode 100644 index 000000000..516faec41 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/playbook.yml 
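Review bot: The "Clean artifact path" task in the into-file playbook removes `/conjur_secret_path.txt`, but the lookup task writes `/lookup_output.txt`, so a leftover file from a previous run is never cleared and `test_retrieved_secret` can pass against stale output. Change the cleanup to `path: /lookup_output.txt` (or write to the path that is actually cleaned). The temporary secret file the `as_file` lookup creates is also never removed here; the test needs it after the play, so whatever harness drives these cases (not visible in this chunk) should delete it once `test_retrieved_secret` has run so the plaintext does not outlive the test.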
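Review bot: `test_retrieved_secret` in the into-file test checks the 0600 mode of the `as_file` target but not where it lives, while the unit test for the same option in this commit expects a path matching `/dev/shm/.*`. Asserting the location here as well would guarantee the plaintext secret stays on tmpfs rather than on persistent disk on the real container: add `assert lookup_output_file.content_string.startswith('/dev/shm/')` next to the mode check. If the plugin's temp location is configurable, assert on whatever the test environment configures instead.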
@@ -0,0 +1,15 @@ +--- +- name: Retrieve Conjur variable fails with bad cert + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable with bad cert + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt + ignore_errors: True diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py new file mode 100644 index 000000000..a3f2bbdf3 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-no-cert-provided/tests/test_default.py @@ -0,0 +1,13 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible'] + + +def test_retrieval_failed(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert not secrets_file.exists diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/bad-cert.pem b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/bad-cert.pem new file mode 100644 index 000000000..a3831e0ce --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/bad-cert.pem 
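Review bot: Both the play name ("fails with bad cert") and the task name ("with bad cert") in the no-cert-provided playbook describe the wrong case: judging by the directory name (its `env` file is not in this chunk) this is the fixture with no `CONJUR_CERT_FILE` at all, and the playbook is byte-identical to the authn-token-bad-cert one. Rename them, e.g. `- name: Retrieve Conjur variable fails when no cert is provided`. Separately, `ignore_errors: True` combined with the test's `assert not secrets_file.exists` means the case also passes when the lookup fails for an unrelated reason (unreachable appliance, bad credentials); adding `register: lookup_result` on the task and a following `assert` on the failure message would pin the failure to certificate handling, provided the plugin's error text is stable enough to match.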
@@ -0,0 +1,41 @@
+-----BEGIN CERTIFICATE-----
+MIIDqTCCApGgAwIBAgIQN/xr5EKbXSqdyhGyGBWCizANBgkqhkiG9w0BAQsFADAY
+MRYwFAYDVQQDEw1jb25qdXItb3NzLWNhMB4XDTIwMDYxMjIwNTYzOVoXDTIxMDYx
+MjIwNTYzOVowGzEZMBcGA1UEAxMQY29uanVyLm15b3JnLmNvbTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAOewPeFNcuLuE1tgpINSm4EajDXC+C6qsPhn
+Jf3PhDFCpAEHckx1BVK01kFUdC6FOI6JEuI6pFnV1Tb9+WFYTX6wcGBAy90i+K9u
+Xcjqb3sz5O3p6MjKL4xVvT4TxllT8cslNJix8gFrTYSvBFaUqCioGJAgyQyJ4SV+
+Tm/bXu/KdtfJQaLie+J5Xz/28220hC5NYlIjhMg5YgtRB7JjCj5bPe3PYykN5m8i
+INWEw20EW+54YKNs5RDFNKzXOqF5h6Mrc/RcE1rbCGNOqveQ43DTFUgS4rVF8T8S
+juO+LGfso2w6YvO7pT+ob9GxZytZXQSxrOXe8LpU4jSDS5g0+cECAwEAAaOB6zCB
+6DAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+MAwGA1UdEwEB/wQCMAAwgagGA1UdEQSBoDCBnYIQY29uanVyLm15b3JnLmNvbYIK
+Y29uanVyLW9zc4IhY29uanVyLW9zcy50ZXN0LWRlcGxveS1kZWZhdWx0cy0xgiVj
+b25qdXItb3NzLnRlc3QtZGVwbG95LWRlZmF1bHRzLTEuc3ZjgjNjb25qdXItb3Nz
+LnRlc3QtZGVwbG95LWRlZmF1bHRzLTEuc3ZjLmNsdXN0ZXIubG9jYWwwDQYJKoZI
+hvcNAQELBQADggEBAIdtOYlIdnojqVBbHGKPAJS8ZWDUm97W1KajZ6QGy6X7fD66
+tOb0QNhzLwbi4HQsuNR0rpWa48Z/sN1E6V5WlfG8pTrNRjqAc/sdobERMMS+rhtu
+RfLu1UbYCRLXYIAQFIQFtGDVNXnuvhkCwDz6PV4rniml24qhnGeL3+8ZkW6m5+8u
+XIt4Wq9otR3qj/Jx8eUg9eY/7RKgqCClP5Eg4szO0LaqQNblSR+3OgcGxmdTaJQt
+BlXRIH0CPpX+3p3mO4zfKIDRHZ0tueWLqOVRARyx9n9qBbhlpBJnecS19PNUAGVa
+10H1XkmpVXdadcV/8vBhjEpeq4cVgguS5oozG7Y=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgIRAMUGxDd4cpSs7m9hvzTHoi4wDQYJKoZIhvcNAQELBQAw
+GDEWMBQGA1UEAxMNY29uanVyLW9zcy1jYTAeFw0yMDA2MTIyMDU2MzhaFw0yMTA2
+MTIyMDU2MzhaMBgxFjAUBgNVBAMTDWNvbmp1ci1vc3MtY2EwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQC111bZxfhVHPerwHXvc+ycgCcI02VtfsrH9Tyk
+cmMsbUO6jF5aKBQj4fKSwbOCdXcqYoGwaQHQzOVMCGGruOYrOwfusOg2t2EQ7KIE
+KWdP0BpAvASvkKwk/GGfaBqtzy1DvVyl0B8b/4C7tnta21Zs5HFOKo0CE+iX/FUQ
+RDjpncE9Zhg2E2f1eCef4D+h2JJLtZPLOUZIUs0IMBPqQiL7iNSfY+e8dy6dRC9v
+AhyFLULpK34aPm1DqwX3rHDPoLJl24sZFo8q9UvpCwj3sqVoABagS32yL/8//LvU
+DaR4pgwuyd9sWf/CQkT0OHsHup5CH7xbYB0DSdmRJPeb07lHAgMBAAGjQjBAMA4G
+A1UdDwEB/wQEAwICpDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYD
+VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANrAiuLkZGmSQlURpWtvm
+PgfPFPKPt1PAqjNwWhzMjHZg2P3UNBUTLeUdo52yJai6/iajlYTRPVvNUqiVnTay
+/X9LwWH5EXTKCHagfQh4fYtTSFa12BUBlSP7at3S25pMDOpylb3CxdGe/Oh8S0HZ
+gu7MMayFhcGCSJnT+F+JIqwnWkbWPYgHn0VCbBXN+5s7GJWFWwZljQzMCIa/xvwr
+xuSX6Lsgai1Abqo1pDJA8RNyxMtn5V8RHgwjQ/BdeodptqZc/kULVDOZ0dkAKxyH
+UYfqxxk4Ywc2JSSJYRs/RJpjngGnnLIOHgnruEIDtdOHw2yxAJZ/e7p8y9ThSxRo
+5Q==
+-----END CERTIFICATE-----
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/env b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/env
new file mode 100644
index 000000000..b93328faf
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/env
@@ -0,0 +1,4 @@
+unset CONJUR_AUTHN_API_KEY
+unset CONJUR_AUTHN_LOGIN
+export CONJUR_AUTHN_TOKEN_FILE=./access_token
+export CONJUR_CERT_FILE=./test_cases/retrieve-variable-with-authn-token-bad-cert/bad-cert.pem
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/playbook.yml
new file mode 100644
index 000000000..8423a2c13
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/playbook.yml
@@ -0,0 +1,15 @@ +--- +- name: Retrieve Conjur variable with authn-token fails with bad cert + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable with bad cert + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt + ignore_errors: True diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/tests/test_default.py new file mode 100644 index 000000000..c87b160f4 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token-bad-cert/tests/test_default.py @@ -0,0 +1,13 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible'] + + +def test_retrieve_secret_failed(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert not secrets_file.exists diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/env b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/env new file mode 100644 index 000000000..f4e4155ea --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/env @@ -0,0 +1,4 @@ +export CONJUR_CERT_FILE=./conjur.pem +unset CONJUR_AUTHN_API_KEY +unset CONJUR_AUTHN_LOGIN +export CONJUR_AUTHN_TOKEN_FILE=./access_token 
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/playbook.yml new file mode 100644 index 000000000..e515b0f11 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/playbook.yml @@ -0,0 +1,14 @@ +--- +- name: Retrieve Conjur variable with authn-token + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/tests/test_default.py new file mode 100644 index 000000000..a98ce29e9 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-authn-token/tests/test_default.py @@ -0,0 +1,17 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible'] + + +def test_retrieved_secret(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert secrets_file.exists + + result = host.check_output("cat /conjur_secrets.txt", shell=True) + + assert result == "test_secret_password" 
diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/env b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/env new file mode 100644 index 000000000..2363951d1 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/env @@ -0,0 +1 @@ +export CONJUR_CERT_FILE=./conjur.pem diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/playbook.yml new file mode 100644 index 000000000..103d7e082 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/playbook.yml @@ -0,0 +1,14 @@ +--- +- name: Retrieve Conjur variable with spaces in the variable name + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable with spaces in the variable name + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/var with spaces')}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py new file mode 100644 index 000000000..145cbb2eb --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable-with-spaces-secret/tests/test_default.py 
@@ -0,0 +1,17 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible'] + + +def test_retrieved_secret(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert secrets_file.exists + + result = host.check_output("cat /conjur_secrets.txt", shell=True) + + assert result == "var_with_spaces_secret_password" diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/env b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/env new file mode 100644 index 000000000..2363951d1 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/env @@ -0,0 +1 @@ +export CONJUR_CERT_FILE=./conjur.pem diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/playbook.yml b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/playbook.yml new file mode 100644 index 000000000..44e993f97 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/playbook.yml @@ -0,0 +1,14 @@ +--- +- name: Retrieve Conjur variable + hosts: localhost + connection: local + tasks: + - name: Clean artifact path + file: + state: absent + path: /conjur_secrets.txt + + - name: Retrieve Conjur variable + vars: + super_secret_key: "{{lookup('conjur_variable', 'ansible/test-secret')}}" + shell: echo "{{super_secret_key}}" > /conjur_secrets.txt diff --git a/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/tests/test_default.py b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/tests/test_default.py new file mode 100644 index 000000000..a98ce29e9 --- /dev/null 
+++ b/ansible_collections/cyberark/conjur/tests/conjur_variable/test_cases/retrieve-variable/tests/test_default.py @@ -0,0 +1,17 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +import os +import testinfra.utils.ansible_runner + +testinfra_hosts = [os.environ['COMPOSE_PROJECT_NAME'] + '-ansible'] + + +def test_retrieved_secret(host): + secrets_file = host.file('/conjur_secrets.txt') + + assert secrets_file.exists + + result = host.check_output("cat /conjur_secrets.txt", shell=True) + + assert result == "test_secret_password" diff --git a/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.10.txt b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.10.txt new file mode 100644 index 000000000..92bf04480 --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.10.txt @@ -0,0 +1,10 @@ +dev/start.sh shebang +Jenkinsfile shebang +tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml +roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by summon utility (in Jenkinsfile), not via Python +ci/build_release shebang +ci/parse-changelog.sh shebang +ci/publish_to_galaxy shebang +ci/test.sh shebang +secrets.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python +dev/policy/root.yml yamllint:unparsable-with-libyaml
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.11.txt b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.11.txt
new file mode 100644
index 000000000..6049963fb
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.11.txt
@@ -0,0 +1,10 @@
+Jenkinsfile shebang
+dev/start.sh shebang
+tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml
+roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by summon utility (in Jenkinsfile), not via Python
+ci/build_release shebang
+ci/parse-changelog.sh shebang
+ci/publish_to_galaxy shebang
+ci/test.sh shebang
+secrets.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+dev/policy/root.yml yamllint:unparsable-with-libyaml
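Review bot: In ignore-2.10.txt the trailing comments on the two yamllint entries are swapped: `roles/conjur_host_identity/tests/policy/root.yml` is annotated "File loaded by summon utility (in Jenkinsfile)" and `secrets.yml` "File loaded by Conjur server", whereas the 2.12/2.13/2.14 lists added in this same commit say the opposite (policy files are loaded by the Conjur server, `secrets.yml` by Summon). These comments are the stated justification for silencing a sanity check, so they should be accurate; copy the wording from ignore-2.12.txt. ignore-2.11.txt carries the same swapped text and the `tests/conjur_variable/policy/root.yml` entry in both files has no justification at all.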
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.12.txt b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.12.txt
new file mode 100644
index 000000000..5d750b26c
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.12.txt
@@ -0,0 +1,10 @@
+Jenkinsfile shebang
+dev/start.sh shebang
+tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+ci/build_release shebang
+ci/parse-changelog.sh shebang
+ci/publish_to_galaxy shebang
+ci/test.sh shebang
+secrets.yml yamllint:unparsable-with-libyaml # File loaded by Summon utility (in Jenkinsfile), not via Python
+dev/policy/root.yml yamllint:unparsable-with-libyaml
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.13.txt b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.13.txt
new file mode 100644
index 000000000..5d750b26c
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.13.txt
@@ -0,0 +1,10 @@
+Jenkinsfile shebang
+dev/start.sh shebang
+tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+ci/build_release shebang
+ci/parse-changelog.sh shebang
+ci/publish_to_galaxy shebang
+ci/test.sh shebang
+secrets.yml yamllint:unparsable-with-libyaml # File loaded by Summon utility (in Jenkinsfile), not via Python
+dev/policy/root.yml yamllint:unparsable-with-libyaml
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.14.txt b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.14.txt
new file mode 100644
index 000000000..00a2d8432
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.14.txt
@@ -0,0 +1,11 @@
+Jenkinsfile shebang
+dev/start.sh shebang
+tests/conjur_variable/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+roles/conjur_host_identity/tests/policy/root.yml yamllint:unparsable-with-libyaml # File loaded by Conjur server, not via Python
+ci/build_release shebang
+ci/parse-changelog.sh shebang
+ci/publish_to_galaxy shebang
+ci/test.sh shebang
+secrets.yml yamllint:unparsable-with-libyaml # File loaded by Summon utility (in Jenkinsfile), not via Python
+dev/policy/root.yml yamllint:unparsable-with-libyaml
+plugins/lookup/conjur_variable.py validate-modules:version-added-must-be-major-or-minor # Lookup plugin added in v1.0.2
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.9.txt b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.9.txt
new file mode 100644
index 000000000..45c7c7e97
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/sanity/ignore-2.9.txt
@@ -0,0 +1,8 @@
+Jenkinsfile shebang
+dev/start.sh shebang
+tests/conjur_variable/test.sh shebang
+roles/conjur_host_identity/tests/test.sh shebang
+ci/build_release shebang
+ci/parse-changelog.sh shebang
+ci/publish_to_galaxy shebang
+ci/test.sh shebang
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/tests/unit/Dockerfile b/ansible_collections/cyberark/conjur/tests/unit/Dockerfile
new file mode 100644
index 000000000..66e584669
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/unit/Dockerfile
@@ -0,0 +1,8 @@
+ARG PYTHON_VERSION
+FROM python:${PYTHON_VERSION}
+
+ARG ANSIBLE_VERSION
+RUN pip install https://github.com/ansible/ansible/archive/${ANSIBLE_VERSION}.tar.gz --disable-pip-version-check
+
+COPY tests/unit/requirements.txt /tmp/requirements.txt
+RUN pip install -r /tmp/requirements.txt
diff --git a/ansible_collections/cyberark/conjur/tests/unit/plugins/lookup/__init__.py b/ansible_collections/cyberark/conjur/tests/unit/plugins/lookup/__init__.py
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/unit/plugins/lookup/__init__.py
diff --git a/ansible_collections/cyberark/conjur/tests/unit/plugins/lookup/test_conjur_variable.py b/ansible_collections/cyberark/conjur/tests/unit/plugins/lookup/test_conjur_variable.py
new file mode 100644
index 000000000..7a0db1e12
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/tests/unit/plugins/lookup/test_conjur_variable.py
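Review bot: `RUN pip install https://github.com/ansible/ansible/archive/${ANSIBLE_VERSION}.tar.gz` in the unit-test Dockerfile installs an archive straight from GitHub with no hash or signature check, and `ANSIBLE_VERSION` has no default, so it can be a mutable ref such as `devel` whose content changes from build to build. For a reproducible, tamper-evident test image, pin it to a release tag or commit SHA, or install the corresponding PyPI release (`pip install ansible-core==<version>` where one exists) so it can be locked with `--require-hashes`. The second `pip install -r /tmp/requirements.txt` has the same exposure, since the requirements file later in this diff pins only `coverage`.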
@@ -0,0 +1,159 @@ +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +from unittest import TestCase +from unittest.mock import call, MagicMock, patch +from ansible.errors import AnsibleError +from ansible.plugins.loader import lookup_loader + +from ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable import _merge_dictionaries, _fetch_conjur_token, _fetch_conjur_variable +from ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable import _load_identity_from_file, _load_conf_from_file + + +class MockMergeDictionaries(MagicMock): + RESPONSE = {'id': 'host/ansible/ansible-fake', 'api_key': 'fakekey'} + + +class MockFileload(MagicMock): + RESPONSE = {} + + +class TestConjurLookup(TestCase): + def setUp(self): + self.lookup = lookup_loader.get("conjur_variable") + + def test_merge_dictionaries(self): + functionOutput = _merge_dictionaries( + {}, + {'id': 'host/ansible/ansible-fake', 'api_key': 'fakekey'} + ) + self.assertEquals(MockMergeDictionaries.RESPONSE, functionOutput) + + def test_load_identity_from_file(self): + load_identity = _load_identity_from_file("/etc/conjur.identity", "https://conjur-fake") + self.assertEquals(MockFileload.RESPONSE, load_identity) + + def test_load_conf_from_file(self): + load_conf = _load_conf_from_file("/etc/conjur.conf") + self.assertEquals(MockFileload.RESPONSE, load_conf) + + @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable.open_url') + def test_fetch_conjur_token(self, mock_open_url): + mock_response = MagicMock() + mock_response.getcode.return_value = 200 + mock_response.read.return_value = "response body" + mock_open_url.return_value = mock_response + result = _fetch_conjur_token("url", "account", "username", "api_key", True, "cert_file") + mock_open_url.assert_called_with("url/authn/account/username/authenticate", + data="api_key", + method="POST", + validate_certs=True, + ca_path="cert_file") + self.assertEquals("response body", result) + 
+ @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._repeat_open_url') + def test_fetch_conjur_variable(self, mock_repeat_open_url): + mock_response = MagicMock() + mock_response.getcode.return_value = 200 + mock_response.read.return_value = "response body".encode("utf-8") + mock_repeat_open_url.return_value = mock_response + result = _fetch_conjur_variable("variable", b'{"protected":"fakeid"}', "url", "account", True, "cert_file") + mock_repeat_open_url.assert_called_with("url/secrets/account/variable/variable", + headers={'Authorization': 'Token token="eyJwcm90ZWN0ZWQiOiJmYWtlaWQifQ=="'}, + method="GET", + validate_certs=True, + ca_path="cert_file") + self.assertEquals(['response body'], result) + + @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._fetch_conjur_variable') + @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._fetch_conjur_token') + @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._merge_dictionaries') + def test_run(self, mock_merge_dictionaries, mock_fetch_conjur_token, mock_fetch_conjur_variable): + mock_fetch_conjur_token.return_value = "token" + mock_fetch_conjur_variable.return_value = ["conjur_variable"] + mock_merge_dictionaries.side_effect = [ + {'account': 'fakeaccount', 'appliance_url': 'https://conjur-fake', 'cert_file': './conjurfake.pem'}, + {'id': 'host/ansible/ansible-fake', 'api_key': 'fakekey'} + ] + + terms = ['ansible/fake-secret'] + kwargs = {'as_file': False, 'conf_file': 'conf_file', 'validate_certs': False} + result = self.lookup.run(terms, **kwargs) + + self.assertEquals(result, ["conjur_variable"]) + + @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._fetch_conjur_variable') + @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._fetch_conjur_token') + @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._merge_dictionaries') + def 
test_retrieve_to_file(self, mock_merge_dictionaries, mock_fetch_conjur_token, mock_fetch_conjur_variable): + mock_fetch_conjur_token.return_value = "token" + mock_fetch_conjur_variable.return_value = ["conjur_variable"] + mock_merge_dictionaries.side_effect = [ + {'account': 'fakeaccount', 'appliance_url': 'https://conjur-fake', 'cert_file': './conjurfake.pem'}, + {'id': 'host/ansible/ansible-fake', 'api_key': 'fakekey'} + ] + + terms = ['ansible/fake-secret'] + kwargs = {'as_file': True, 'conf_file': 'conf_file', 'validate_certs': False} + filepaths = self.lookup.run(terms, **kwargs) + self.assertRegex(filepaths[0], '/dev/shm/.*') + + with open(filepaths[0], "r") as file: + content = file.read() + self.assertEqual(content, "conjur_variable") + + # Negative test cases + + @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._merge_dictionaries') + def test_run_bad_config(self, mock_merge_dictionaries): + # Withhold 'account' field + mock_merge_dictionaries.side_effect = [ + {'appliance_url': 'https://conjur-fake', 'cert_file': './conjurfake.pem'}, + {'id': 'host/ansible/ansible-fake', 'api_key': 'fakekey'} + ] + + terms = ['ansible/fake-secret'] + kwargs = {'as_file': False, 'conf_file': 'conf_file', 'validate_certs': True} + with self.assertRaises(AnsibleError) as context: + self.lookup.run(terms, **kwargs) + self.assertEqual( + context.exception.message, + "Configuration file on the controlling host must define `account` and `appliance_url` entries or they should be environment variables" + ) + + # Withhold 'id' and 'api_key' fields + mock_merge_dictionaries.side_effect = [ + {'account': 'fakeaccount', 'appliance_url': 'https://conjur-fake', 'cert_file': './conjurfake.pem'}, + {} + ] + + with self.assertRaises(AnsibleError) as context: + self.lookup.run(terms, **kwargs) + self.assertEqual( + context.exception.message, + ("Identity file on the controlling host must contain `login` and `password` " + "entries for Conjur appliance URL or they 
should be environment variables") + ) + + @patch('ansible_collections.cyberark.conjur.plugins.lookup.conjur_variable._merge_dictionaries') + def test_run_bad_cert_path(self, mock_merge_dictionaries): + mock_merge_dictionaries.side_effect = [ + {'account': 'fakeaccount', 'appliance_url': 'https://conjur-fake', 'cert_file': './conjurfake.pem'}, + {'id': 'host/ansible/ansible-fake', 'api_key': 'fakekey'} + ] + + terms = ['ansible/fake-secret'] + kwargs = {'as_file': False, 'conf_file': 'conf_file', 'validate_certs': True} + with self.assertRaises(FileNotFoundError): + self.lookup.run(terms, **kwargs) + + def test_run_no_variable_path(self): + kwargs = {'as_file': False, 'conf_file': 'conf_file', 'validate_certs': True} + + with self.assertRaises(AnsibleError) as context: + self.lookup.run([], **kwargs) + self.assertEqual(context.exception.message, "Invalid secret path: no secret path provided.") + + with self.assertRaises(AnsibleError) as context: + self.lookup.run([''], **kwargs) + self.assertEqual(context.exception.message, "Invalid secret path: empty secret path not accepted.") diff --git a/ansible_collections/cyberark/conjur/tests/unit/requirements.txt b/ansible_collections/cyberark/conjur/tests/unit/requirements.txt new file mode 100644 index 000000000..9b481ce1d --- /dev/null +++ b/ansible_collections/cyberark/conjur/tests/unit/requirements.txt @@ -0,0 +1,14 @@ +mock +pytest +pytest-mock +pytest-xdist +pytest-forked +pyyaml # required by the collection loader (only needed for collections) +coverage==4.5.4 + +bcrypt ; python_version >= '3.8' # controller only +passlib ; python_version >= '3.8' # controller only +pexpect ; python_version >= '3.8' # controller only +pytz +pywinrm ; python_version >= '3.8' # controller only +unittest2 ; python_version < '2.7' |
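Review bot: The earlier tests in test_conjur_variable.py use `self.assertEquals`, a deprecated alias that was removed in Python 3.12, so the module errors with AttributeError on current interpreters; replace each with `self.assertEqual`, which the later tests in the same file already use. `test_retrieve_to_file` reads the `/dev/shm` file the plugin created but never deletes it, leaving the mock secret behind after every run — add `self.addCleanup(os.remove, filepaths[0])` right after the `run` call (requires `import os`, which the file does not currently import). `test_load_identity_from_file` and `test_load_conf_from_file` appear to pass only because `/etc/conjur.identity` and `/etc/conjur.conf` are absent on the runner; if that is the intent, say so in a comment or point the helpers at a temporary directory so the result does not depend on host state.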