198 lines
9.6 KiB
Clojure
198 lines
9.6 KiB
Clojure
(ns vault.client.http-test
|
|
(:require
|
|
[clojure.test :refer [deftest testing is]]
|
|
[vault.authenticate :as authenticate]
|
|
[vault.client.api-util :as api-util]
|
|
[vault.client.http :refer [http-client]]
|
|
[vault.core :as vault]
|
|
[vault.secrets.kvv1 :as vault-kvv1]))
|
|
|
|
|
|
(def example-url "https://vault.example.com")
|
|
|
|
|
|
(deftest http-client-instantiation
|
|
(is (thrown? IllegalArgumentException
|
|
(http-client nil)))
|
|
(is (thrown? IllegalArgumentException
|
|
(http-client :foo)))
|
|
(is (instance? vault.client.http.HTTPClient (http-client example-url))))
|
|
|
|
|
|
(deftest http-read-checks
|
|
(let [client (http-client example-url)]
|
|
(is (thrown? IllegalArgumentException
|
|
(vault-kvv1/read-secret client nil))
|
|
"should throw an exception on non-string path")
|
|
(is (thrown? RuntimeException
|
|
(vault-kvv1/read-secret client "secret/foo/bar"))
|
|
"should throw an exception on unauthenticated client")))
|
|
|
|
|
|
(deftest app-role
|
|
(let [api-endpoint (str example-url "/v1/auth/approle/login")
|
|
client (http-client example-url)
|
|
connection-attempt (atom nil)]
|
|
(with-redefs [api-util/do-api-request (fn [_method url _req]
|
|
(reset! connection-attempt url))
|
|
authenticate/api-auth! (constantly nil)]
|
|
(vault/authenticate! client :app-role {:secret-id "secret"
|
|
:role-id "role-id"})
|
|
(is (= @connection-attempt api-endpoint)
|
|
(str "should attempt to auth with: " api-endpoint)))))
|
|
|
|
|
|
(deftest authenticate-via-k8s
|
|
(testing "When a token file is available"
|
|
(let [client (http-client example-url)
|
|
api-requests (atom [])
|
|
api-auths (atom [])]
|
|
(with-redefs [api-util/do-api-request (fn [& args]
|
|
(swap! api-requests conj args)
|
|
:do-api-request-response)
|
|
authenticate/api-auth! (fn [& args]
|
|
(swap! api-auths conj args)
|
|
:api-auth!-response)]
|
|
(vault/authenticate! client :k8s {:jwt "fake-jwt-goes-here"
|
|
:role "my-role"})
|
|
(is (= [[:post
|
|
(str example-url "/v1/auth/kubernetes/login")
|
|
{:form-params {:jwt "fake-jwt-goes-here" :role "my-role"}
|
|
:content-type :json
|
|
:accept :json}]]
|
|
@api-requests))
|
|
(is (= [[(str "Kubernetes auth role=my-role")
|
|
(:auth client)
|
|
:do-api-request-response]]
|
|
@api-auths)))))
|
|
(testing "When no jwt is specified"
|
|
(let [client (http-client example-url)
|
|
api-requests (atom [])
|
|
api-auths (atom [])]
|
|
(with-redefs [api-util/do-api-request (fn [& args]
|
|
(swap! api-requests conj args))
|
|
authenticate/api-auth! (fn [& args]
|
|
(swap! api-auths conj args))]
|
|
(is (thrown? IllegalArgumentException
|
|
(vault/authenticate! client :k8s {:role "my-role"})))
|
|
(is (empty? @api-requests))
|
|
(is (empty? @api-auths)))))
|
|
(testing "When no role is specified"
|
|
(let [client (http-client example-url)
|
|
api-requests (atom [])
|
|
api-auths (atom [])]
|
|
(with-redefs [api-util/do-api-request (fn [& args]
|
|
(swap! api-requests conj args))
|
|
authenticate/api-auth! (fn [& args]
|
|
(swap! api-auths conj args))]
|
|
(is (thrown? IllegalArgumentException
|
|
(vault/authenticate! client :k8s {:jwt "fake-jwt-goes-here"})))
|
|
(is (empty? @api-requests))
|
|
(is (empty? @api-auths))))))
|
|
|
|
|
|
(deftest authenticate-via-aws
|
|
(testing "When all parameters are specified"
|
|
(let [client (http-client example-url)
|
|
api-requests (atom [])
|
|
api-auths (atom [])]
|
|
(with-redefs [api-util/do-api-request (fn [& args]
|
|
(swap! api-requests conj args)
|
|
:do-api-request-response)
|
|
authenticate/api-auth! (fn [& args]
|
|
(swap! api-auths conj args)
|
|
:api-auth!-response)]
|
|
(vault/authenticate! client :aws-iam {:role "my-role"
|
|
:http-request-method "POST"
|
|
:request-url "fake.sts.com"
|
|
:request-body "FakeAction&Version=1"
|
|
:request-headers "{'foo':'bar'}"})
|
|
(is (= [[:post
|
|
(str example-url "/v1/auth/aws/login")
|
|
{:form-params {:iam_http_request_method "POST"
|
|
:iam_request_url "fake.sts.com"
|
|
:iam_request_body "FakeAction&Version=1"
|
|
:iam_request_headers "{'foo':'bar'}"
|
|
:role "my-role"}
|
|
:content-type :json
|
|
:accept :json}]]
|
|
@api-requests))
|
|
(is (= [["AWS auth role=my-role"
|
|
(:auth client)
|
|
:do-api-request-response]]
|
|
@api-auths)))))
|
|
(testing "When no http-request-method is specified"
|
|
(let [client (http-client example-url)
|
|
api-requests (atom [])
|
|
api-auths (atom [])]
|
|
(with-redefs [api-util/do-api-request (fn [& args]
|
|
(swap! api-requests conj args))
|
|
authenticate/api-auth! (fn [& args]
|
|
(swap! api-auths conj args))]
|
|
(is (thrown? IllegalArgumentException
|
|
(vault/authenticate! client :aws-iam {:role "my-role"
|
|
:request-url "fake.sts.com"
|
|
:request-body "FakeAction&Version=1"
|
|
:request-headers "{'foo':'bar'}"})))
|
|
(is (empty? @api-requests))
|
|
(is (empty? @api-auths)))))
|
|
(testing "When no request-url is specified"
|
|
(let [client (http-client example-url)
|
|
api-requests (atom [])
|
|
api-auths (atom [])]
|
|
(with-redefs [api-util/do-api-request (fn [& args]
|
|
(swap! api-requests conj args))
|
|
authenticate/api-auth! (fn [& args]
|
|
(swap! api-auths conj args))]
|
|
(is (thrown? IllegalArgumentException
|
|
(vault/authenticate! client :aws-iam {:role "my-role"
|
|
:http-request-method "POST"
|
|
:request-body "FakeAction&Version=1"
|
|
:request-headers "{'foo':'bar'}"})))
|
|
(is (empty? @api-requests))
|
|
(is (empty? @api-auths)))))
|
|
(testing "When no request-body is specified"
|
|
(let [client (http-client example-url)
|
|
api-requests (atom [])
|
|
api-auths (atom [])]
|
|
(with-redefs [api-util/do-api-request (fn [& args]
|
|
(swap! api-requests conj args))
|
|
authenticate/api-auth! (fn [& args]
|
|
(swap! api-auths conj args))]
|
|
(is (thrown? IllegalArgumentException
|
|
(vault/authenticate! client :aws-iam {:role "my-role"
|
|
:http-request-method "POST"
|
|
:request-url "fake.sts.com"
|
|
:request-headers "{'foo':'bar'}"})))
|
|
(is (empty? @api-requests))
|
|
(is (empty? @api-auths)))))
|
|
(testing "When no request-headers is specified"
|
|
(let [client (http-client example-url)
|
|
api-requests (atom [])
|
|
api-auths (atom [])]
|
|
(with-redefs [api-util/do-api-request (fn [& args]
|
|
(swap! api-requests conj args))
|
|
authenticate/api-auth! (fn [& args]
|
|
(swap! api-auths conj args))]
|
|
(is (thrown? IllegalArgumentException
|
|
(vault/authenticate! client :aws-iam {:role "my-role"
|
|
:http-request-method "POST"
|
|
:request-url "fake.sts.com"
|
|
:request-body "FakeAction&Version=1"})))
|
|
(is (empty? @api-requests))
|
|
(is (empty? @api-auths)))))
|
|
(testing "When no role is specified"
|
|
(let [client (http-client example-url)
|
|
api-requests (atom [])
|
|
api-auths (atom [])]
|
|
(with-redefs [api-util/do-api-request (fn [& args]
|
|
(swap! api-requests conj args))
|
|
authenticate/api-auth! (fn [& args]
|
|
(swap! api-auths conj args))]
|
|
(is (thrown? IllegalArgumentException
|
|
(vault/authenticate! client :aws-iam {:http-request-method "POST"
|
|
:request-url "fake.sts.com"
|
|
:request-body "FakeAction&Version=1"
|
|
:request-headers "{'foo':'bar'}"})))
|
|
(is (empty? @api-requests))
|
|
(is (empty? @api-auths))))))
|