mirror of
https://github.com/bartvdbraak/keyweave.git
synced 2025-04-28 07:11:21 +00:00
188 lines
7 KiB
Rust
188 lines
7 KiB
Rust
use assert_cmd::prelude::*;
|
|
use assert_fs::prelude::*;
|
|
use assert_fs::TempDir;
|
|
use std::process::Command;
|
|
use predicates::prelude::*;
|
|
use serial_test::serial;
|
|
use std::env;
|
|
|
|
static BINARY: &str = "keyweave";
|
|
static KEYVAULT: &str = "bvdbkeyweavetweukvt1";
|
|
static FIREWALL_KEYVAULT: &str = "bvdbkeyweavetweukvt2";
|
|
static NON_EXISTENT_KEYVAULT: &str = "bvdbkeyweavetweukvt3";
|
|
|
|
fn azure_cli_login(client_id: String, tenant_id: String, subscription_id: String) -> Result<(), std::io::Error> {
|
|
Command::new("az")
|
|
.arg("login")
|
|
.arg("--identity")
|
|
.arg("--username")
|
|
.arg(client_id)
|
|
.arg("--tenant")
|
|
.arg(tenant_id)
|
|
.output()?;
|
|
|
|
Command::new("az")
|
|
.arg("account")
|
|
.arg("set")
|
|
.arg("--subscription")
|
|
.arg(subscription_id)
|
|
.output()?;
|
|
|
|
Ok(())
|
|
}
|
|
|
|
/// Test with no access policies - expected to fail.
|
|
#[tokio::test]
|
|
#[serial]
|
|
async fn test_no_access_policies() {
|
|
azure_cli_login(
|
|
env::var("AZURE_CLIENT_ID_NO_ACCESS").expect("Failed to get AZURE_CLIENT_ID_NO_ACCESS"),
|
|
env::var("AZURE_TENANT_ID").expect("Failed to get AZURE_TENANT_ID"),
|
|
env::var("AZURE_SUBSCRIPTION_ID").expect("Failed to get AZURE_SUBSCRIPTION_ID"),
|
|
).expect("Failed to log in to Azure CLI");
|
|
|
|
let temp_dir = TempDir::new().unwrap();
|
|
let output_path = temp_dir.child(".env");
|
|
|
|
let mut cmd = Command::cargo_bin(BINARY).unwrap();
|
|
cmd.arg("--vault-name").arg(KEYVAULT)
|
|
.arg("--output").arg(output_path.path());
|
|
cmd.assert().failure().stderr(predicate::str::contains("Make sure you have List permissions on the Key Vault."));
|
|
|
|
temp_dir.close().unwrap();
|
|
}
|
|
|
|
/// Test with only Get access policy - expected to fail.
|
|
#[tokio::test]
|
|
#[serial]
|
|
async fn test_only_get_access_policy() {
|
|
azure_cli_login(
|
|
env::var("AZURE_CLIENT_ID_GET").expect("Failed to get AZURE_CLIENT_ID_GET"),
|
|
env::var("AZURE_TENANT_ID").expect("Failed to get AZURE_TENANT_ID"),
|
|
env::var("AZURE_SUBSCRIPTION_ID").expect("Failed to get AZURE_SUBSCRIPTION_ID"),
|
|
).expect("Failed to log in to Azure CLI");
|
|
|
|
let temp_dir = TempDir::new().unwrap();
|
|
let output_path = temp_dir.child(".env");
|
|
|
|
let mut cmd = Command::cargo_bin(BINARY).unwrap();
|
|
cmd.arg("--vault-name").arg(KEYVAULT)
|
|
.arg("--output").arg(output_path.path());
|
|
cmd.assert().failure().stderr(predicate::str::contains("Make sure you have List permissions on the Key Vault."));
|
|
|
|
temp_dir.close().unwrap();
|
|
}
|
|
|
|
/// Test with only List access policy - expected to succeed with get errors.
|
|
#[tokio::test]
|
|
#[serial]
|
|
async fn test_only_list_access_policy() {
|
|
azure_cli_login(
|
|
env::var("AZURE_CLIENT_ID_LIST").expect("Failed to get AZURE_CLIENT_ID_LIST"),
|
|
env::var("AZURE_TENANT_ID").expect("Failed to get AZURE_TENANT_ID"),
|
|
env::var("AZURE_SUBSCRIPTION_ID").expect("Failed to get AZURE_SUBSCRIPTION_ID"),
|
|
).expect("Failed to log in to Azure CLI");
|
|
|
|
let temp_dir = TempDir::new().unwrap();
|
|
let output_path = temp_dir.child(".env");
|
|
|
|
let mut cmd = Command::cargo_bin(BINARY).unwrap();
|
|
cmd.arg("--vault-name").arg(KEYVAULT)
|
|
.arg("--output").arg(output_path.path());
|
|
cmd.assert().success().stderr(predicate::str::contains("Make sure you have Get permissions on the Key Vault."));
|
|
|
|
temp_dir.close().unwrap();
|
|
}
|
|
|
|
/// Test with both Get and List access policies - expected to pass.
|
|
#[tokio::test]
|
|
#[serial]
|
|
async fn test_get_and_list_access_policies() {
|
|
azure_cli_login(
|
|
env::var("AZURE_CLIENT_ID_GET_LIST").expect("Failed to get AZURE_CLIENT_ID_GET_LIST"),
|
|
env::var("AZURE_TENANT_ID").expect("Failed to get AZURE_TENANT_ID"),
|
|
env::var("AZURE_SUBSCRIPTION_ID").expect("Failed to get AZURE_SUBSCRIPTION_ID"),
|
|
).expect("Failed to log in to Azure CLI");
|
|
|
|
let temp_dir = TempDir::new().unwrap();
|
|
let output_path = temp_dir.child(".env");
|
|
|
|
let mut cmd = Command::cargo_bin(BINARY).unwrap();
|
|
cmd.arg("--vault-name").arg(KEYVAULT)
|
|
.arg("--output").arg(output_path.path());
|
|
cmd.assert().success();
|
|
|
|
output_path.assert(predicate::path::is_file());
|
|
output_path.assert(predicate::str::contains("testSecret=testSecretValue"));
|
|
output_path.assert(predicate::str::contains("filterTestSecret=filterTestSecretValue"));
|
|
|
|
temp_dir.close().unwrap();
|
|
}
|
|
|
|
/// Test with both Get and List access policies and filter - expected to pass.
|
|
#[tokio::test]
|
|
#[serial]
|
|
async fn test_get_and_list_access_policies_filter() {
|
|
azure_cli_login(
|
|
env::var("AZURE_CLIENT_ID_GET_LIST").expect("Failed to get AZURE_CLIENT_ID_GET_LIST"),
|
|
env::var("AZURE_TENANT_ID").expect("Failed to get AZURE_TENANT_ID"),
|
|
env::var("AZURE_SUBSCRIPTION_ID").expect("Failed to get AZURE_SUBSCRIPTION_ID"),
|
|
).expect("Failed to log in to Azure CLI");
|
|
|
|
let temp_dir = TempDir::new().unwrap();
|
|
let output_path = temp_dir.child(".env");
|
|
|
|
let mut cmd = Command::cargo_bin(BINARY).unwrap();
|
|
cmd.arg("--vault-name").arg(KEYVAULT)
|
|
.arg("--output").arg(output_path.path())
|
|
.arg("--filter").arg("filter");
|
|
cmd.assert().success();
|
|
|
|
output_path.assert(predicate::path::is_file());
|
|
output_path.assert(predicate::str::contains("filterTestSecret=filterTestSecretValue"));
|
|
|
|
temp_dir.close().unwrap();
|
|
}
|
|
|
|
/// Test with both Get and List access policies on a Key Vault with Firewall - expected to fail.
|
|
#[tokio::test]
|
|
#[serial]
|
|
async fn test_get_and_list_access_policies_firewall() {
|
|
azure_cli_login(
|
|
env::var("AZURE_CLIENT_ID_GET_LIST").expect("Failed to get AZURE_CLIENT_ID_GET_LIST"),
|
|
env::var("AZURE_TENANT_ID").expect("Failed to get AZURE_TENANT_ID"),
|
|
env::var("AZURE_SUBSCRIPTION_ID").expect("Failed to get AZURE_SUBSCRIPTION_ID"),
|
|
).expect("Failed to log in to Azure CLI");
|
|
|
|
let temp_dir = TempDir::new().unwrap();
|
|
let output_path = temp_dir.child(".env");
|
|
|
|
let mut cmd = Command::cargo_bin(BINARY).unwrap();
|
|
cmd.arg("--vault-name").arg(FIREWALL_KEYVAULT)
|
|
.arg("--output").arg(output_path.path());
|
|
cmd.assert().failure().stderr(predicate::str::contains("Make sure you're on the Key Vaults Firewall allowlist."));
|
|
|
|
temp_dir.close().unwrap();
|
|
}
|
|
|
|
/// Test with both Get and List access policies on a non-existent Key Vault - expected to fail.
|
|
#[tokio::test]
|
|
#[serial]
|
|
async fn test_get_and_list_access_policies_non_existent() {
|
|
azure_cli_login(
|
|
env::var("AZURE_CLIENT_ID_GET_LIST").expect("Failed to get AZURE_CLIENT_ID_GET_LIST"),
|
|
env::var("AZURE_TENANT_ID").expect("Failed to get AZURE_TENANT_ID"),
|
|
env::var("AZURE_SUBSCRIPTION_ID").expect("Failed to get AZURE_SUBSCRIPTION_ID"),
|
|
).expect("Failed to log in to Azure CLI");
|
|
|
|
let temp_dir = TempDir::new().unwrap();
|
|
let output_path = temp_dir.child(".env");
|
|
|
|
let mut cmd = Command::cargo_bin(BINARY).unwrap();
|
|
cmd.arg("--vault-name").arg(NON_EXISTENT_KEYVAULT)
|
|
.arg("--output").arg(output_path.path());
|
|
cmd.assert().failure().stderr(predicate::str::contains("Please check that the Key Vault exists or that you have no connectivity issues."));
|
|
|
|
temp_dir.close().unwrap();
|
|
}
|
|
|