def test_https_can_load_policy_keyring(self):
self.setup_cli_params({})
utils.setup_cli(self)
policy, variables = utils.generate_policy_string()
utils.load_policy_from_string(self, policy)
for variable in variables:
utils.assert_set_and_get(self, variable)
def test_https_can_load_policy_netrc(self, keystore_disable_mock):
utils.setup_cli(self)
self.setup_cli_params({})
policy, variables = utils.generate_policy_string()
utils.load_policy_from_string(self, policy)
for variable in variables:
utils.assert_set_and_get(self, variable)
def test_load_policy_of_new_resources_returns_new_entry_json_data(self):
self.setup_cli_params({})
user_id1 = utils.generate_uuid()
user_id2 = utils.generate_uuid()
policy = "- !user {user_id1}\n- !user {user_id2}\n".format(
user_id1=user_id1, user_id2=user_id2)
# Run the new load that should not result in newly created roles
json_result = json.loads(utils.load_policy_from_string(self, policy))
account_name = self.client_params.account
expected_object = {
'version': json_result['version'],
'created_roles': {
f'{account_name}:user:'******'id':
f'{account_name}:user:'******'api_key':
json_result['created_roles'][f'{account_name}:user:'******'api_key'],
},
f'{account_name}:user:'******'id':
f'{account_name}:user:'******'api_key':
json_result['created_roles'][f'{account_name}:user:'******'api_key'],
}
}
}
self.assertDictEqual(json_result, expected_object)
def test_basic_secret_retrieval_with_keyring(self):
"""
Note about version tests, the Conjur server only keeps a certain number of versions.
With each run of the integration tests, version tests are resetting variable values
making, after a certain number of runs, version=1 not valid and fail
Therefore, the variable name needs to be a random string so that the version
will still be accessible
"""
utils.setup_cli(self)
variable_name = "someversionedvar" + uuid.uuid4().hex
policy = f"- !variable {variable_name}"
utils.load_policy_from_string(self, policy)
expected_value = "anothersecret"
utils.set_variable(self, variable_name, expected_value)
output = self.invoke_cli(self.cli_auth_params,
['variable', 'get', '-i', variable_name, '--version', '1'])
self.assertIn(expected_value, output.strip())
def test_variable_different_version_calls_returns_different_versions(self):
variable_name = "someversionedsecret" + uuid.uuid4().hex
policy = f"- !variable {variable_name}"
utils.load_policy_from_string(self, policy)
first_version = "first_secret"
utils.set_variable(self, variable_name, first_version)
output = self.invoke_cli(
self.cli_auth_params,
['variable', 'get', '-i', variable_name, '--version', '1'])
self.assertIn(first_version, output.strip())
second_version = "second_secret"
utils.set_variable(self, variable_name, second_version)
output = self.invoke_cli(
self.cli_auth_params,
['variable', 'get', '-i', variable_name, '--version', '2'])
self.assertIn(second_version, output.strip())
def test_https_load_policy_doesnt_break_if_no_created_roles(self):
self.setup_cli_params({})
user_id1 = utils.generate_uuid()
user_id2 = utils.generate_uuid()
policy = "- !user {user_id1}\n- !user {user_id2}\n".format(
user_id1=user_id1, user_id2=user_id2)
# Ensure that the accounts exist
utils.load_policy_from_string(self, policy)
# Run the new load that should not result in newly created roles
json_result = json.loads(utils.load_policy_from_string(self, policy))
expected_object = {
'version': json_result['version'],
'created_roles': {}
}
self.assertDictEqual(json_result, expected_object)
def test_policy_bad_syntax_raises_error(self):
policy = "- ! user bad syntax"
with self.assertLogs('', level='DEBUG') as mock_log:
with redirect_stderr(self.capture_stream):
output = utils.load_policy_from_string(self,
policy,
exit_code=1)
self.assertIn("422 (Unprocessable Entity) for url:", output)
self.assertIn(
"422 Unprocessable Entity {\"error\":{\"code\":\"validation_failed\",\"message\":",
str(mock_log.output))
def test_policy_update_policy_removes_user(self):
user_id = utils.generate_uuid()
load_policy = f"- !user {user_id}"
json.loads(utils.load_policy_from_string(self, load_policy))
update_policy = f"- !delete\n record: !user {user_id}"
json.loads(utils.update_policy_from_string(self, update_policy))
output = self.invoke_cli(self.cli_auth_params, ['list'])
# Assert that user_id is not in output
self.assertTrue(output.find(user_id) == -1)
def test_policy_bad_syntax_error_user_recieve_detailed_error(self):
policy_with_bad_syntax = "- ! user bad syntax"
with redirect_stderr(self.capture_stream):
output = utils.load_policy_from_string(self,
policy_with_bad_syntax,
exit_code=1)
self.assertIn(
"{\"error\":{\"code\":\"validation_failed\",\"message\":", output,
"Could not find detailed error in the output. "
"Expected to find:"
"{\"error\":{\"code\":\"validation_failed\",\"message\":"
"Result:"
f"{output}")