Added draft for new role schema cli management tools and tests

2025-08-29 23:08:06 +02:00 · 2025-05-09 09:17:43 +02:00
parent 9d9f11cb3d
commit 9764941c7e
3 changed files with 278 additions and 0 deletions
--- a/tests/unit/test_generate_vaulted_credentials.py
+++ b/tests/unit/test_generate_vaulted_credentials.py
@@ -0,0 +1,133 @@
+import os
+import sys
+import tempfile
+import unittest
+import shutil
+import yaml
+from pathlib import Path
+from unittest.mock import patch
+
+# Ensure cli directory is importable
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), "../../cli")))
+
+import generate_vaulted_credentials as gvc
+
+
+class TestGenerateVaultedCredentials(unittest.TestCase):
+    def setUp(self):
+        # Create temporary directory structure for a fake role and inventory
+        self.temp_dir = tempfile.mkdtemp()
+        self.role_path = Path(self.temp_dir) / "roles" / "docker-demoapp"
+        self.meta_path = self.role_path / "meta"
+        self.meta_path.mkdir(parents=True)
+
+        # Define schema with no "applications" root (direct app-specific structure)
+        self.schema = {
+            "credentials": {
+                "shared_secret": {
+                    "description": "A shared secret",
+                    "algorithm": "sha256",
+                    "validation": "^[a-f0-9]{64}$"
+                },
+                "postgresql_secret": {
+                    "description": "Postgres password",
+                    "algorithm": "bcrypt",
+                    "validation": "^\\$2[aby]\\$.{56}$"
+                }
+            }
+        }
+
+        with open(self.meta_path / "schema.yml", "w") as f:
+            yaml.dump(self.schema, f)
+
+        # Create an empty inventory file
+        self.inventory_path = Path(self.temp_dir) / "host_vars" / "testhost.yml"
+        self.inventory_path.parent.mkdir(parents=True)
+        with open(self.inventory_path, "w") as f:
+            f.write("")
+
+        self.vault_mock = "$ANSIBLE_VAULT;1.1;AES256\nmockedvaultdata=="
+
+    def tearDown(self):
+        shutil.rmtree(self.temp_dir)
+
+    def test_apply_schema_creates_vaulted_credentials(self):
+        schema_data = gvc.load_yaml_file(self.meta_path / "schema.yml")
+        inventory_data = gvc.load_yaml_file(self.inventory_path)
+
+        with patch("generate_vaulted_credentials.encrypt_with_vault") as mock_encrypt:
+            mock_encrypt.return_value = self.vault_mock
+            updated = gvc.apply_schema_to_inventory(
+                schema=schema_data,
+                inventory_data=inventory_data,
+                app_id="demoapp",
+                overrides={},
+                vault_password_file="dummy",
+                ask_vault_pass=False
+            )
+
+        # Expect credentials to be written under applications.demoapp
+        self.assertIn("applications", updated)
+        self.assertIn("demoapp", updated["applications"])
+        creds = updated["applications"]["demoapp"]["credentials"]
+        self.assertIn("shared_secret", creds)
+        self.assertIn("postgresql_secret", creds)
+
+        for key in creds:
+            self.assertTrue(str(creds[key]).startswith("!vault") or "$ANSIBLE_VAULT" in str(creds[key]))
+
+    def test_existing_key_prompts_before_overwriting(self):
+        # Pre-populate the inventory with one value
+        pre_existing = {
+            "applications": {
+                "demoapp": {
+                    "credentials": {
+                        "shared_secret": "unchanged"
+                    }
+                }
+            }
+        }
+        gvc.save_yaml_file(self.inventory_path, pre_existing)
+
+        schema_data = gvc.load_yaml_file(self.meta_path / "schema.yml")
+        inventory_data = gvc.load_yaml_file(self.inventory_path)
+
+        with patch("generate_vaulted_credentials.encrypt_with_vault") as mock_encrypt, \
+             patch("builtins.input", return_value="n"):
+            mock_encrypt.return_value = self.vault_mock
+            updated = gvc.apply_schema_to_inventory(
+                schema=schema_data,
+                inventory_data=inventory_data,
+                app_id="demoapp",
+                overrides={},
+                vault_password_file="dummy",
+                ask_vault_pass=False
+            )
+
+        # Value should remain unchanged
+        self.assertEqual(updated["applications"]["demoapp"]["credentials"]["shared_secret"], "unchanged")
+
+    def test_set_override_applies_correctly(self):
+        schema_data = gvc.load_yaml_file(self.meta_path / "schema.yml")
+        inventory_data = gvc.load_yaml_file(self.inventory_path)
+
+        override_value = "custom-override-value"
+        override_key = "credentials.shared_secret"
+
+        # Patch vault encryption to just return the plaintext prefixed as mock
+        with patch("generate_vaulted_credentials.encrypt_with_vault") as mock_encrypt:
+            mock_encrypt.side_effect = lambda val, name, **kwargs: f"$ANSIBLE_VAULT;1.1;AES256\n{val}"
+            updated = gvc.apply_schema_to_inventory(
+                schema=schema_data,
+                inventory_data=inventory_data,
+                app_id="demoapp",
+                overrides={override_key: override_value},
+                vault_password_file="dummy",
+                ask_vault_pass=False
+            )
+
+        actual = updated["applications"]["demoapp"]["credentials"]["shared_secret"]
+        self.assertIn(override_value, str(actual), "The override value was not used during encryption.")
+
+if __name__ == "__main__":
+    unittest.main()