bartvdbraak/keyweave
1
0
Fork 0
mirror of https://github.com/bartvdbraak/keyweave.git synced 2025-04-28 07:11:21 +00:00
Code Issues Projects Releases Packages Wiki Activity

feat: test multiple jobs

Browse source
This commit is contained in:
Bart van der Braak 2023-11-25 19:07:07 +01:00
parent b7b2a3de6a
commit ce9aa2898f
5 changed files with 134 additions and 121 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/checks.yml vendored
View file

@ -39,7 +39,7 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable - uses: dtolnay/rust-toolchain@stable
- name: Run tests - name: Run unit tests
run: cargo test --bins run: cargo test --bins
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest

67
.github/workflows/tests.yml vendored
View file

@ -35,20 +35,67 @@ jobs:
template: bicep/main.bicep template: bicep/main.bicep
deploymentName: ${{ env.DEPLOYMENT_NAME }} deploymentName: ${{ env.DEPLOYMENT_NAME }}
test: tests-no-access:
name: Tests name: Tests with No Access
needs: bicep needs: bicep
runs-on: ubuntu-latest runs-on: ubuntu-latest
environment: test environment: test
env:
AZURE_CLIENT_ID_NO_ACCESS: ${{ secrets.AZURE_CLIENT_ID_NO_ACCESS }}
AZURE_CLIENT_ID_GET: ${{ secrets.AZURE_CLIENT_ID_GET }}
AZURE_CLIENT_ID_LIST: ${{ secrets.AZURE_CLIENT_ID_LIST }}
AZURE_CLIENT_ID_GET_LIST: ${{ secrets.AZURE_CLIENT_ID_GET_LIST }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable - uses: dtolnay/rust-toolchain@stable
- name: 'Az CLI login'
uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID_NO_ACCESS }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Run all tests - name: Run all tests
run: cargo test --all run: cargo test no_access
tests-get:
name: Tests with Get
needs: bicep
runs-on: ubuntu-latest
environment: test
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- name: 'Az CLI login'
uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID_GET }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Run all tests
run: cargo test only_get
tests-list:
name: Tests with List
needs: bicep
runs-on: ubuntu-latest
environment: test
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- name: 'Az CLI login'
uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID_LIST }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Run all tests
run: cargo test only_list
tests-get-list:
name: Tests with Get and List
needs: bicep
runs-on: ubuntu-latest
environment: test
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- name: 'Az CLI login'
uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID_GET_LIST }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Run all tests
run: cargo test get_and_list_access

2
bicep/modules/kv.bicep
View file

@ -8,7 +8,7 @@ var accessPolicies = [for identity in identities: {
tenantId: tenant().tenantId tenantId: tenant().tenantId
objectId: identity.id objectId: identity.id
permissions: { permissions: {
secrets: contains(identity.name, 'get') && contains(identity.name, 'list') ? ['Get', 'List'] : contains(identity.name, 'get') ? ['Get'] : ['List'] secrets: contains(identity.name, 'get') && contains(identity.name, 'list') ? ['Get', 'List'] : contains(identity.name, 'get') ? ['Get'] : contains(identity.name, 'list') ? ['List'] : []
} }
}] }]

41
src/main.rs
View file

@ -1,17 +1,16 @@
use anyhow::Result; use anyhow::Result;
use azure_core::error::HttpError;
use azure_identity::DefaultAzureCredential; use azure_identity::DefaultAzureCredential;
use azure_security_keyvault::prelude::KeyVaultGetSecretsResponse; use azure_security_keyvault::prelude::KeyVaultGetSecretsResponse;
use azure_security_keyvault::KeyvaultClient; use azure_security_keyvault::KeyvaultClient;
use clap::Parser; use clap::Parser;
use futures::stream::StreamExt; use futures::stream::StreamExt;
use paris::{info, log};
use paris::{error, Logger}; use paris::{error, Logger};
use std::fs::File; use std::fs::File;
use std::io::Write; use std::io::Write;
use std::sync::Arc; use std::sync::Arc;
use tokio::sync::mpsc; use tokio::sync::mpsc;
use tokio::sync::Semaphore; use tokio::sync::Semaphore;
use azure_core::error::HttpError;
#[derive(Parser, Debug)] #[derive(Parser, Debug)]
#[clap(author, version, about, long_about = None)] #[clap(author, version, about, long_about = None)]
@ -32,21 +31,20 @@ struct Opts {
async fn check_vault_dns(vault_name: &str) -> Result<()> { async fn check_vault_dns(vault_name: &str) -> Result<()> {
let vault_host = format!("{}.vault.azure.net", vault_name); let vault_host = format!("{}.vault.azure.net", vault_name);
let lookup_result = { let lookup_result = { tokio::net::lookup_host((vault_host.as_str(), 443)).await };
tokio::net::lookup_host((vault_host.as_str(), 443)).await
};
match lookup_result { match lookup_result {
Ok(_) => Ok(()), Ok(_) => Ok(()),
Err(err) => { Err(err) => {
error!("DNS lookup failed for Key Vault: {}", vault_name); error!("DNS lookup failed for Key Vault: {}", vault_name);
info!("Please check that the Key Vault exists or that you have no connectivity issues."); error!(
"Please check that the Key Vault exists or that you have no connectivity issues."
);
Err(err.into()) Err(err.into())
} }
} }
} }
async fn fetch_secrets_from_key_vault( async fn fetch_secrets_from_key_vault(
client: &KeyvaultClient, client: &KeyvaultClient,
filter: Option<&str>, filter: Option<&str>,
@ -58,15 +56,24 @@ async fn fetch_secrets_from_key_vault(
let page = match page { let page = match page {
Ok(p) => p, Ok(p) => p,
Err(err) => { Err(err) => {
log!("\n"); error!("\n");
error!("Failed to fetch secrets page: {}", err); error!("Failed to fetch secrets.");
let specific_error = err.downcast_ref::<HttpError>(); let specific_error = err.downcast_ref::<HttpError>();
if let Some(specific_error) = specific_error { if let Some(specific_error) = specific_error {
// Check the contents of the specific error if specific_error
if specific_error.error_message().unwrap().to_string().contains("does not have secrets list permission on key vault") { .error_message()
info!("Make sure you have List permissions on the Key Vault."); .unwrap()
} else if specific_error.error_message().unwrap().to_string().contains("is not authorized and caller is not a trusted service") { .to_string()
info!("Make sure you're on the Key Vaults Firewall allowlist."); .contains("does not have secrets list permission on key vault")
{
error!("Make sure you have List permissions on the Key Vault.");
} else if specific_error
.error_message()
.unwrap()
.to_string()
.contains("is not authorized and caller is not a trusted service")
{
error!("Make sure you're on the Key Vaults Firewall allowlist.");
} }
} }
return Err(err.into()); return Err(err.into());
@ -79,7 +86,6 @@ async fn fetch_secrets_from_key_vault(
Ok(secret_values) Ok(secret_values)
} }
async fn fetch_secrets_from_page( async fn fetch_secrets_from_page(
client: &azure_security_keyvault::SecretClient, client: &azure_security_keyvault::SecretClient,
page: &KeyVaultGetSecretsResponse, page: &KeyVaultGetSecretsResponse,
@ -136,9 +142,8 @@ async fn fetch_and_send_secret(
let _ = tx.send((secret_id.clone(), bundle.value.clone())).await; let _ = tx.send((secret_id.clone(), bundle.value.clone())).await;
(secret_id, bundle.value) (secret_id, bundle.value)
} }
Err(err) => { Err(_err) => {
error!("Error fetching secret: {}", err); error!("Error fetching secret. Make sure you have Get permissions on the Key Vault.");
info!("Make sure you have Get permissions on the Key Vault.");
(secret_id, String::new()) (secret_id, String::new())
} }
} }

143
tests/e2e.rs
View file

@ -1,76 +1,47 @@
use assert_cmd::prelude::*; use assert_cmd::prelude::*;
use assert_fs::prelude::*; use assert_fs::prelude::*;
use assert_fs::TempDir; use assert_fs::TempDir;
use std::process::Command;
use predicates::prelude::*; use predicates::prelude::*;
use serial_test::serial; use serial_test::serial;
use std::env; use std::process::Command;
static BINARY: &str = "keyweave"; static BINARY: &str = "keyweave";
static KEYVAULT: &str = "bvdbkeyweavetweukvt1"; static KEYVAULT: &str = "bvdbkeyweavetweukvt1";
static FIREWALL_KEYVAULT: &str = "bvdbkeyweavetweukvt2"; static FIREWALL_KEYVAULT: &str = "bvdbkeyweavetweukvt2";
static NON_EXISTENT_KEYVAULT: &str = "bvdbkeyweavetweukvt3"; static NON_EXISTENT_KEYVAULT: &str = "bvdbkeyweavetweukvt3";
fn azure_cli_login(client_id: String, tenant_id: String, subscription_id: String) -> Result<(), std::io::Error> {
println!("Executing 'az login' with client ID: {}", client_id);
let login_output = Command::new("az")
.arg("login")
.arg("--identity")
.arg("--username")
.arg(&client_id)
.arg("--tenant")
.arg(&tenant_id)
.output()?;
println!("Login output: {:?}", login_output);
println!("Executing 'az account set' with subscription ID: {}", subscription_id);
let account_output = Command::new("az")
.arg("account")
.arg("set")
.arg("--subscription")
.arg(&subscription_id)
.output()?;
println!("Account output: {:?}", account_output);
Ok(())
}
/// Test with no access policies - expected to fail.
#[tokio::test] #[tokio::test]
#[serial] #[serial]
async fn test_no_access_policies() { async fn test_no_access_policies() {
azure_cli_login(
env::var("AZURE_CLIENT_ID_NO_ACCESS").expect("Failed to get AZURE_CLIENT_ID_NO_ACCESS"),
env::var("AZURE_TENANT_ID").expect("Failed to get AZURE_TENANT_ID"),
env::var("AZURE_SUBSCRIPTION_ID").expect("Failed to get AZURE_SUBSCRIPTION_ID"),
).expect("Failed to log in to Azure CLI");
let temp_dir = TempDir::new().unwrap(); let temp_dir = TempDir::new().unwrap();
let output_path = temp_dir.child(".env"); let output_path = temp_dir.child(".env");
let mut cmd = Command::cargo_bin(BINARY).unwrap(); let mut cmd = Command::cargo_bin(BINARY).unwrap();
cmd.arg("--vault-name").arg(KEYVAULT) cmd.arg("--vault-name")
.arg("--output").arg(output_path.path()); .arg(KEYVAULT)
cmd.assert().failure().stderr(predicate::str::contains("Make sure you have List permissions on the Key Vault.")); .arg("--output")
.arg(output_path.path());
cmd.assert().failure().stderr(predicate::str::contains(
"Make sure you have List permissions on the Key Vault.",
));
temp_dir.close().unwrap(); temp_dir.close().unwrap();
} }
/// Test with only Get access policy - expected to fail.
#[tokio::test] #[tokio::test]
#[serial] #[serial]
async fn test_only_get_access_policy() { async fn test_only_get_access_policy() {
azure_cli_login(
env::var("AZURE_CLIENT_ID_GET").expect("Failed to get AZURE_CLIENT_ID_GET"),
env::var("AZURE_TENANT_ID").expect("Failed to get AZURE_TENANT_ID"),
env::var("AZURE_SUBSCRIPTION_ID").expect("Failed to get AZURE_SUBSCRIPTION_ID"),
).expect("Failed to log in to Azure CLI");
let temp_dir = TempDir::new().unwrap(); let temp_dir = TempDir::new().unwrap();
let output_path = temp_dir.child(".env"); let output_path = temp_dir.child(".env");
let mut cmd = Command::cargo_bin(BINARY).unwrap(); let mut cmd = Command::cargo_bin(BINARY).unwrap();
cmd.arg("--vault-name").arg(KEYVAULT) cmd.arg("--vault-name")
.arg("--output").arg(output_path.path()); .arg(KEYVAULT)
cmd.assert().failure().stderr(predicate::str::contains("Make sure you have List permissions on the Key Vault.")); .arg("--output")
.arg(output_path.path());
cmd.assert().failure().stderr(predicate::str::contains(
"Make sure you have List permissions on the Key Vault.",
));
temp_dir.close().unwrap(); temp_dir.close().unwrap();
} }
@ -79,19 +50,17 @@ async fn test_only_get_access_policy() {
#[tokio::test] #[tokio::test]
#[serial] #[serial]
async fn test_only_list_access_policy() { async fn test_only_list_access_policy() {
azure_cli_login(
env::var("AZURE_CLIENT_ID_LIST").expect("Failed to get AZURE_CLIENT_ID_LIST"),
env::var("AZURE_TENANT_ID").expect("Failed to get AZURE_TENANT_ID"),
env::var("AZURE_SUBSCRIPTION_ID").expect("Failed to get AZURE_SUBSCRIPTION_ID"),
).expect("Failed to log in to Azure CLI");
let temp_dir = TempDir::new().unwrap(); let temp_dir = TempDir::new().unwrap();
let output_path = temp_dir.child(".env"); let output_path = temp_dir.child(".env");
let mut cmd = Command::cargo_bin(BINARY).unwrap(); let mut cmd = Command::cargo_bin(BINARY).unwrap();
cmd.arg("--vault-name").arg(KEYVAULT) cmd.arg("--vault-name")
.arg("--output").arg(output_path.path()); .arg(KEYVAULT)
cmd.assert().success().stderr(predicate::str::contains("Make sure you have Get permissions on the Key Vault.")); .arg("--output")
.arg(output_path.path());
cmd.assert().success().stderr(predicate::str::contains(
"Make sure you have Get permissions on the Key Vault.",
));
temp_dir.close().unwrap(); temp_dir.close().unwrap();
} }
@ -100,23 +69,21 @@ async fn test_only_list_access_policy() {
#[tokio::test] #[tokio::test]
#[serial] #[serial]
async fn test_get_and_list_access_policies() { async fn test_get_and_list_access_policies() {
azure_cli_login(
env::var("AZURE_CLIENT_ID_GET_LIST").expect("Failed to get AZURE_CLIENT_ID_GET_LIST"),
env::var("AZURE_TENANT_ID").expect("Failed to get AZURE_TENANT_ID"),
env::var("AZURE_SUBSCRIPTION_ID").expect("Failed to get AZURE_SUBSCRIPTION_ID"),
).expect("Failed to log in to Azure CLI");
let temp_dir = TempDir::new().unwrap(); let temp_dir = TempDir::new().unwrap();
let output_path = temp_dir.child(".env"); let output_path = temp_dir.child(".env");
let mut cmd = Command::cargo_bin(BINARY).unwrap(); let mut cmd = Command::cargo_bin(BINARY).unwrap();
cmd.arg("--vault-name").arg(KEYVAULT) cmd.arg("--vault-name")
.arg("--output").arg(output_path.path()); .arg(KEYVAULT)
.arg("--output")
.arg(output_path.path());
cmd.assert().success(); cmd.assert().success();
output_path.assert(predicate::path::is_file()); output_path.assert(predicate::path::is_file());
output_path.assert(predicate::str::contains("testSecret=testSecretValue")); output_path.assert(predicate::str::contains("testSecret=testSecretValue"));
output_path.assert(predicate::str::contains("filterTestSecret=filterTestSecretValue")); output_path.assert(predicate::str::contains(
"filterTestSecret=filterTestSecretValue",
));
temp_dir.close().unwrap(); temp_dir.close().unwrap();
} }
@ -125,23 +92,22 @@ async fn test_get_and_list_access_policies() {
#[tokio::test] #[tokio::test]
#[serial] #[serial]
async fn test_get_and_list_access_policies_filter() { async fn test_get_and_list_access_policies_filter() {
azure_cli_login(
env::var("AZURE_CLIENT_ID_GET_LIST").expect("Failed to get AZURE_CLIENT_ID_GET_LIST"),
env::var("AZURE_TENANT_ID").expect("Failed to get AZURE_TENANT_ID"),
env::var("AZURE_SUBSCRIPTION_ID").expect("Failed to get AZURE_SUBSCRIPTION_ID"),
).expect("Failed to log in to Azure CLI");
let temp_dir = TempDir::new().unwrap(); let temp_dir = TempDir::new().unwrap();
let output_path = temp_dir.child(".env"); let output_path = temp_dir.child(".env");
let mut cmd = Command::cargo_bin(BINARY).unwrap(); let mut cmd = Command::cargo_bin(BINARY).unwrap();
cmd.arg("--vault-name").arg(KEYVAULT) cmd.arg("--vault-name")
.arg("--output").arg(output_path.path()) .arg(KEYVAULT)
.arg("--filter").arg("filter"); .arg("--output")
.arg(output_path.path())
.arg("--filter")
.arg("filter");
cmd.assert().success(); cmd.assert().success();
output_path.assert(predicate::path::is_file()); output_path.assert(predicate::path::is_file());
output_path.assert(predicate::str::contains("filterTestSecret=filterTestSecretValue")); output_path.assert(predicate::str::contains(
"filterTestSecret=filterTestSecretValue",
));
temp_dir.close().unwrap(); temp_dir.close().unwrap();
} }
@ -150,19 +116,17 @@ async fn test_get_and_list_access_policies_filter() {
#[tokio::test] #[tokio::test]
#[serial] #[serial]
async fn test_get_and_list_access_policies_firewall() { async fn test_get_and_list_access_policies_firewall() {
azure_cli_login(
env::var("AZURE_CLIENT_ID_GET_LIST").expect("Failed to get AZURE_CLIENT_ID_GET_LIST"),
env::var("AZURE_TENANT_ID").expect("Failed to get AZURE_TENANT_ID"),
env::var("AZURE_SUBSCRIPTION_ID").expect("Failed to get AZURE_SUBSCRIPTION_ID"),
).expect("Failed to log in to Azure CLI");
let temp_dir = TempDir::new().unwrap(); let temp_dir = TempDir::new().unwrap();
let output_path = temp_dir.child(".env"); let output_path = temp_dir.child(".env");
let mut cmd = Command::cargo_bin(BINARY).unwrap(); let mut cmd = Command::cargo_bin(BINARY).unwrap();
cmd.arg("--vault-name").arg(FIREWALL_KEYVAULT) cmd.arg("--vault-name")
.arg("--output").arg(output_path.path()); .arg(FIREWALL_KEYVAULT)
cmd.assert().failure().stderr(predicate::str::contains("Make sure you're on the Key Vaults Firewall allowlist.")); .arg("--output")
.arg(output_path.path());
cmd.assert().failure().stderr(predicate::str::contains(
"Make sure you're on the Key Vaults Firewall allowlist.",
));
temp_dir.close().unwrap(); temp_dir.close().unwrap();
} }
@ -171,20 +135,17 @@ async fn test_get_and_list_access_policies_firewall() {
#[tokio::test] #[tokio::test]
#[serial] #[serial]
async fn test_get_and_list_access_policies_non_existent() { async fn test_get_and_list_access_policies_non_existent() {
azure_cli_login(
env::var("AZURE_CLIENT_ID_GET_LIST").expect("Failed to get AZURE_CLIENT_ID_GET_LIST"),
env::var("AZURE_TENANT_ID").expect("Failed to get AZURE_TENANT_ID"),
env::var("AZURE_SUBSCRIPTION_ID").expect("Failed to get AZURE_SUBSCRIPTION_ID"),
).expect("Failed to log in to Azure CLI");
let temp_dir = TempDir::new().unwrap(); let temp_dir = TempDir::new().unwrap();
let output_path = temp_dir.child(".env"); let output_path = temp_dir.child(".env");
let mut cmd = Command::cargo_bin(BINARY).unwrap(); let mut cmd = Command::cargo_bin(BINARY).unwrap();
cmd.arg("--vault-name").arg(NON_EXISTENT_KEYVAULT) cmd.arg("--vault-name")
.arg("--output").arg(output_path.path()); .arg(NON_EXISTENT_KEYVAULT)
cmd.assert().failure().stderr(predicate::str::contains("Please check that the Key Vault exists or that you have no connectivity issues.")); .arg("--output")
.arg(output_path.path());
cmd.assert().failure().stderr(predicate::str::contains(
"Please check that the Key Vault exists or that you have no connectivity issues.",
));
temp_dir.close().unwrap(); temp_dir.close().unwrap();
} }