
     1  package topgun_test
     2  
     3  import (
     4  	"github.com/onsi/gomega/gbytes"
     5  
     6  	. "github.com/pf-qiu/concourse/v6/topgun"
     7  	. "github.com/pf-qiu/concourse/v6/topgun/common"
     8  	. "github.com/onsi/ginkgo"
     9  	. "github.com/onsi/gomega"
    10  )
    11  
// assertionScript is the shell body run inside a build to verify that every
// credential was resolved by the credential manager before reaching the
// container. It checks secrets delivered as task environment variables
// (SECRET_USERNAME, SECRET_PASSWORD, TEAM_SECRET, MIRRORED_VERSION) and as
// files produced by resource get/put steps (some-resource/, custom-resource/,
// params-in-get/, params-in-put/). Each `test` line exits non-zero on the
// first mismatch, so the final echo is only printed when all values matched;
// the specs in this package look for that exact line in the build output.
//
// NOTE(review): the script is presumably referenced from the task configs
// under tasks/ and pipelines/ used by testCredentialManagement — confirm.
const assertionScript = `#!/bin/sh

test "$SECRET_USERNAME" = "some_username"
test "$SECRET_PASSWORD" = "some_password"
test "$TEAM_SECRET" = "some_team_secret"

test "$MIRRORED_VERSION" = "some_exposed_version_secret"

test "$(cat some-resource/resource_secret)" = "some_resource_secret"
test "$(cat custom-resource/custom_resource_secret)" = "some_resource_secret"
test "$(cat params-in-get/username)" = "get_some_username"
test "$(cat params-in-get/password)" = "get_some_password"
test "$(cat params-in-put/version)" = "some_exposed_version_secret"
test "$(cat params-in-put/username)" = "put_get_some_username"
test "$(cat params-in-put/password)" = "put_get_some_password"

# note: don't assert against canary/canary, since that's used for
# testing that the credential isn't visible in 'get-pipeline'

echo all credentials matched expected values
`
    33  
// testCredentialManagement registers the credential-management specs shared
// by every credential-manager suite in this package.
//
// pipelineSetup runs before each pipeline-build spec and oneOffSetup before
// each one-off-build spec; both are expected to seed the credential manager
// with the values that assertionScript checks. Every spec verifies two
// properties: the build can resolve the secrets (the success line from
// assertionScript appears in the build output), and a database dump taken
// with PgDump does not contain the secret values. The one documented
// exception is the resource version, which is stored unprotected and is
// therefore expected to show up in the dump.
func testCredentialManagement(
	pipelineSetup func(),
	oneOffSetup func(),
) {
	const (
		pipelineName = "pipeline-creds-test"
		jobName      = "pipeline-creds-test/some-job"
		successLine  = "all credentials matched expected values"
	)

	// expectDumpToHide takes a database dump and asserts that none of the
	// given secrets appear in it, then asserts that the unprotected version
	// secret does appear (it is deliberately not a protected value).
	expectDumpToHide := func(secrets ...string) {
		dump := PgDump()
		for _, secret := range secrets {
			Expect(dump).ToNot(gbytes.Say(secret))
		}

		// versions aren't protected
		Expect(dump).To(gbytes.Say("some_exposed_version_secret"))
	}

	// triggerJobAndExpectSuccess runs the pipeline job to completion and
	// asserts that assertionScript reported every credential as matching.
	triggerJobAndExpectSuccess := func() {
		build := Fly.Start("trigger-job", "-w", "-j", jobName)
		Wait(build)
		Expect(build).To(gbytes.Say(successLine))
	}

	Context("with a pipeline build", func() {
		BeforeEach(func() {
			pipelineSetup()

			By("setting a pipeline that uses vars for secrets")
			Fly.Run("set-pipeline", "-n", "-c", "pipelines/credential-management.yml", "-p", pipelineName)

			By("getting the pipeline config")
			getPipeline := Fly.Start("get-pipeline", "-p", pipelineName)
			<-getPipeline.Exited
			Expect(getPipeline.ExitCode()).To(Equal(0))

			// The stored config must keep its ((var)) placeholders: a resolved
			// value leaking into get-pipeline output would expose the secret to
			// anyone allowed to read the pipeline. The canary value is the
			// sentinel for that leak.
			config := string(getPipeline.Out.Contents())
			Expect(config).ToNot(ContainSubstring("some_canary"))
			for _, placeholder := range []string{
				"((resource_type_secret))",
				"((resource_secret))",
				"((job_secret.username))",
				"((job_secret.password))",
				"((resource_version))",
				"((team_secret))",
			} {
				Expect(config).To(ContainSubstring(placeholder))
			}

			By("unpausing the pipeline")
			Fly.Run("unpause-pipeline", "-p", pipelineName)
		})

		It("parameterizes via Vault and leaves the pipeline uninterpolated", func() {
			By("triggering job")
			triggerJobAndExpectSuccess()

			By("taking a dump")
			expectDumpToHide(
				"some_resource_type_secret",
				"some_resource_secret",
				"some_username",
				"some_password",
				"some_team_secret",
			)
		})

		Context("when the job's inputs are used for a one-off build", func() {
			It("parameterizes the values using the job's pipeline scope", func() {
				By("triggering job to populate its inputs")
				triggerJobAndExpectSuccess()

				By("executing a task that parameterizes image_resource and uses a pipeline resource with credentials")
				oneOff := Fly.StartWithEnv(
					[]string{
						"EXPECTED_RESOURCE_SECRET=some_resource_secret",
						"EXPECTED_RESOURCE_VERSION_SECRET=some_exposed_version_secret",
					},
					"execute",
					"-c", "tasks/credential-management-with-job-inputs.yml",
					"-j", jobName,
				)
				Wait(oneOff)
				Expect(oneOff).To(gbytes.Say(successLine))

				By("taking a dump")
				expectDumpToHide("some_resource_secret")
			})
		})
	})

	Context("with a one-off build", func() {
		BeforeEach(oneOffSetup)

		It("parameterizes image_resource and params in a task config", func() {
			oneOff := Fly.StartWithEnv(
				[]string{
					"EXPECTED_TEAM_SECRET=some_team_secret",
					"EXPECTED_RESOURCE_VERSION_SECRET=some_exposed_version_secret",
				},
				"execute", "-c", "tasks/credential-management.yml",
			)
			Wait(oneOff)
			Expect(oneOff).To(gbytes.Say(successLine))

			By("taking a dump")
			expectDumpToHide("some_team_secret")
		})
	})
}