// Source: github.com/pf-qiu/concourse/v6@v6.7.3-0.20201207032516-1f455d73275f/topgun/core/creds_test.go

package topgun_test

import (
	"github.com/onsi/gomega/gbytes"

	. "github.com/pf-qiu/concourse/v6/topgun"
	. "github.com/pf-qiu/concourse/v6/topgun/common"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

// assertionScript is a shell script that compares the credentials a build
// actually received (environment variables and files fetched by resources)
// against the fixture values, and prints a success line at the end. It is not
// referenced by the code visible in this file.
//
// NOTE(review): the script does not enable `set -e`, so a failing `test` line
// does not by itself stop the script and the final echo would still run. The
// specs below treat that echo as proof that every credential matched, so this
// relies on the caller executing the script with errexit (for example
// `sh -e`) — confirm against the task/pipeline fixtures.
const assertionScript = `#!/bin/sh

test "$SECRET_USERNAME" = "some_username"
test "$SECRET_PASSWORD" = "some_password"
test "$TEAM_SECRET" = "some_team_secret"

test "$MIRRORED_VERSION" = "some_exposed_version_secret"

test "$(cat some-resource/resource_secret)" = "some_resource_secret"
test "$(cat custom-resource/custom_resource_secret)" = "some_resource_secret"
test "$(cat params-in-get/username)" = "get_some_username"
test "$(cat params-in-get/password)" = "get_some_password"
test "$(cat params-in-put/version)" = "some_exposed_version_secret"
test "$(cat params-in-put/username)" = "put_get_some_username"
test "$(cat params-in-put/password)" = "put_get_some_password"

# note: don't assert against canary/canary, since that's used for
# testing that the credential isn't visible in 'get-pipeline'

echo all credentials matched expected values
`

// testCredentialManagement registers the shared Ginkgo specs that check how
// credential-manager variables are handled: builds must receive the resolved
// values, `fly get-pipeline` must show only the uninterpolated ((var))
// placeholders, and a database dump must not contain the resolved secrets.
//
// pipelineSetup runs at the start of the pipeline context's BeforeEach, before
// the pipeline is set. oneOffSetup is installed as the BeforeEach of the
// one-off build context.
//
// The leak checks are plaintext matches on the dump output; a secret stored in
// an encoded or otherwise transformed form would not be caught by them.
func testCredentialManagement(
	pipelineSetup func(),
	oneOffSetup func(),
) {
	// Line printed by the build once its credential assertions have run.
	const successMarker = "all credentials matched expected values"

	Context("with a pipeline build", func() {
		BeforeEach(func() {
			pipelineSetup()

			By("setting a pipeline that uses vars for secrets")
			Fly.Run("set-pipeline", "-n", "-c", "pipelines/credential-management.yml", "-p", "pipeline-creds-test")

			By("getting the pipeline config")
			getPipeline := Fly.Start("get-pipeline", "-p", "pipeline-creds-test")
			<-getPipeline.Exited
			Expect(getPipeline.ExitCode()).To(Equal(0))

			// The process has exited, so its stdout is complete; read it once.
			config := string(getPipeline.Out.Contents())

			// The canary value must never be echoed back by get-pipeline.
			Expect(config).ToNot(ContainSubstring("some_canary"))

			// Every secret must still appear as an uninterpolated placeholder.
			placeholders := []string{
				"((resource_type_secret))",
				"((resource_secret))",
				"((job_secret.username))",
				"((job_secret.password))",
				"((resource_version))",
				"((team_secret))",
			}
			for _, placeholder := range placeholders {
				Expect(config).To(ContainSubstring(placeholder))
			}

			By("unpausing the pipeline")
			Fly.Run("unpause-pipeline", "-p", "pipeline-creds-test")
		})

		It("parameterizes via Vault and leaves the pipeline uninterpolated", func() {
			By("triggering job")
			build := Fly.Start("trigger-job", "-w", "-j", "pipeline-creds-test/some-job")
			Wait(build)
			Expect(build).To(gbytes.Say(successMarker))

			By("taking a dump")
			dump := PgDump()

			// Keep the negative checks ahead of the positive one: a successful
			// gbytes.Say advances the buffer's read cursor, so a later ToNot
			// would only scan the output that follows the match.
			protected := []string{
				"some_resource_type_secret",
				"some_resource_secret",
				"some_username",
				"some_password",
				"some_team_secret",
			}
			for _, secret := range protected {
				Expect(dump).ToNot(gbytes.Say(secret))
			}

			// versions aren't protected
			Expect(dump).To(gbytes.Say("some_exposed_version_secret"))
		})

		Context("when the job's inputs are used for a one-off build", func() {
			It("parameterizes the values using the job's pipeline scope", func() {
				By("triggering job to populate its inputs")
				build := Fly.Start("trigger-job", "-w", "-j", "pipeline-creds-test/some-job")
				Wait(build)
				Expect(build).To(gbytes.Say(successMarker))

				By("executing a task that parameterizes image_resource and uses a pipeline resource with credentials")
				expected := []string{
					"EXPECTED_RESOURCE_SECRET=some_resource_secret",
					"EXPECTED_RESOURCE_VERSION_SECRET=some_exposed_version_secret",
				}
				build = Fly.StartWithEnv(
					expected,
					"execute",
					"-c", "tasks/credential-management-with-job-inputs.yml",
					"-j", "pipeline-creds-test/some-job",
				)
				Wait(build)
				Expect(build).To(gbytes.Say(successMarker))

				By("taking a dump")
				dump := PgDump()

				// Negative check first; see the cursor note on gbytes.Say above.
				Expect(dump).ToNot(gbytes.Say("some_resource_secret"))

				// versions aren't protected
				Expect(dump).To(gbytes.Say("some_exposed_version_secret"))
			})
		})
	})

	Context("with a one-off build", func() {
		BeforeEach(oneOffSetup)

		It("parameterizes image_resource and params in a task config", func() {
			expected := []string{
				"EXPECTED_TEAM_SECRET=some_team_secret",
				"EXPECTED_RESOURCE_VERSION_SECRET=some_exposed_version_secret",
			}
			build := Fly.StartWithEnv(
				expected,
				"execute", "-c", "tasks/credential-management.yml",
			)
			Wait(build)
			Expect(build).To(gbytes.Say(successMarker))

			By("taking a dump")
			dump := PgDump()

			// The resolved team secret must not have been persisted.
			Expect(dump).ToNot(gbytes.Say("some_team_secret"))

			// versions aren't protected
			Expect(dump).To(gbytes.Say("some_exposed_version_secret"))
		})
	})
}