ansible/test/units/plugins/lookup/test_conjur_variable.py

# -*- coding: utf-8 -*-
# (c) 2018, Jason Vanderhoof <jason.vanderhoof@cyberark.com>
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.

# Make coding more python3-ish
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type


import pytest
from units.compat.mock import MagicMock
from ansible.errors import AnsibleError
from ansible.module_utils.six.moves import http_client
from ansible.plugins.lookup import conjur_variable
import tempfile


class TestLookupModule:
    def test_valid_netrc_file(self):
        with tempfile.NamedTemporaryFile() as temp_netrc:
            temp_netrc.write(b"machine http://localhost/authn\n")
            temp_netrc.write(b"  login admin\n")
            temp_netrc.write(b"  password my-pass\n")
            temp_netrc.seek(0)

            results = conjur_variable._load_identity_from_file(temp_netrc.name, 'http://localhost')

            assert results['id'] == 'admin'
            assert results['api_key'] == 'my-pass'

    def test_netrc_without_host_file(self):
        with tempfile.NamedTemporaryFile() as temp_netrc:
            temp_netrc.write(b"machine http://localhost/authn\n")
            temp_netrc.write(b"  login admin\n")
            temp_netrc.write(b"  password my-pass\n")
            temp_netrc.seek(0)

            with pytest.raises(AnsibleError):
                conjur_variable._load_identity_from_file(temp_netrc.name, 'http://foo')

    def test_valid_configuration(self):
        with tempfile.NamedTemporaryFile() as configuration_file:
            configuration_file.write(b"---\n")
            configuration_file.write(b"account: demo-policy\n")
            configuration_file.write(b"plugins: []\n")
            configuration_file.write(b"appliance_url: http://localhost:8080\n")
            configuration_file.seek(0)

            results = conjur_variable._load_conf_from_file(configuration_file.name)
            assert results['account'] == 'demo-policy'
            assert results['appliance_url'] == 'http://localhost:8080'

    def test_valid_token_retrieval(self, mocker):
        mock_response = MagicMock(spec_set=http_client.HTTPResponse)
        try:
            mock_response.getcode.return_value = 200
        except Exception:
            # HTTPResponse is a Python 3 only feature. This uses a generic mock for python 2.6
            mock_response = MagicMock()
            mock_response.getcode.return_value = 200

        mock_response.read.return_value = 'foo-bar-token'
        mocker.patch.object(conjur_variable, 'open_url', return_value=mock_response)

        response = conjur_variable._fetch_conjur_token('http://conjur', 'account', 'username', 'api_key')
        assert response == 'foo-bar-token'

    def test_valid_fetch_conjur_variable(self, mocker):
        mock_response = MagicMock(spec_set=http_client.HTTPResponse)
        try:
            mock_response.getcode.return_value = 200
        except Exception:
            # HTTPResponse is a Python 3 only feature. This uses a generic mock for python 2.6
            mock_response = MagicMock()
            mock_response.getcode.return_value = 200

        mock_response.read.return_value = 'foo-bar'
        mocker.patch.object(conjur_variable, 'open_url', return_value=mock_response)

        response = conjur_variable._fetch_conjur_token('super-secret', 'token', 'http://conjur', 'account')
        assert response == 'foo-bar'

    def test_invalid_fetch_conjur_variable(self, mocker):
        for code in [401, 403, 404]:
            mock_response = MagicMock(spec_set=http_client.HTTPResponse)
            try:
                mock_response.getcode.return_value = code
            except Exception:
                # HTTPResponse is a Python 3 only feature. This uses a generic mock for python 2.6
                mock_response = MagicMock()
                mock_response.getcode.return_value = code

            mocker.patch.object(conjur_variable, 'open_url', return_value=mock_response)

            with pytest.raises(AnsibleError):
                response = conjur_variable._fetch_conjur_token('super-secret', 'token', 'http://conjur', 'account')
Conjur Lookup Plugin (#34280) * Imported lookup plugin from Role * Plugin cleanup, including: * Use existing Python YAML parsing * Remove environment variables as connection options * Added initial debugging information * Reworked the lookup plugin using the Python Request library. As it's available through Ansible, it makes communication with Conjur much more straight forward. * Removed un-used libraries * Fixed linting issues * Standardized output on `format` and insure it works for 2.6, 2.7, and 3.x. * Use quote_plus from the six library for improved python 2/3 behavior. * Refactored identity & configuration to prefer user's file. This also includes a refactor to remove an un-needed dictionary merge method. * Removed `requests` in favor of `ansible.module_utils.urls`. * Refactored netrc loading to warn if host is not present. * Tests and a refactor to support easier testing. * Added reference to website * Fixed two linting errors * Fixed an extra line found by linting * Updated file write to use binary to insure config files are written correctly * Resolved linting issues * Refactored config & identity loading to take advantage of plugin options * Cleanup a bunch of small items caught by linting * Removed extra line caught by linting * Swapped in pytest and added some tests with mocked network responses * Pushing to see if this approach works better... * Refactored be open_url mocking based on feedback * Fixed a couple linting issues & refactored mocking into each method to attempt to resolve a failing test * Use a generic MagicMock for python 2.6 * Fixes doc typo require -> required * Use `type: path` in identity_file and config_file Also removes `expanduser` calls below (which will now be called automatically on paths.) * Defines maintainers for conjur_variable plugin * BOTMETA.yml: defines $team_cyberark_conjur as maintainers of Conjur Variable plugin adds myself and @jvanderhoof to that team * Adds URLs to relevant documentation for Conjur Variable lookup plugin * Clarifies "the server," "the machine" -> "controlling host" The machine identity used is that of the Ansible controlling host, not any server being provisioned or instructed. This documentation change aims to make that relationship clear. * Adds response code to exception message on authentication failure * Enhances exception messages to specify the controlling host These error messages are less likely to confuse a user as to which machine is associated with the files, identities, and configurations being described. * Adds ANSIBLE_METADATA for Conjur variable lookup plugin 7 years ago			`# -- coding: utf-8 --`
			`# (c) 2018, Jason Vanderhoof <jason.vanderhoof@cyberark.com>`
			`#`
			`# This file is part of Ansible`
			`#`
			`# Ansible is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# Ansible is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with Ansible. If not, see <http://www.gnu.org/licenses/>.`

			`# Make coding more python3-ish`
			`from __future__ import (absolute_import, division, print_function)`
			`__metaclass__ = type`


			`import pytest`
Move unit test compat code out of `lib/ansible/`. (#46996) * Move ansible.compat.tests to test/units/compat/. * Fix unit test references to ansible.compat.tests. * Move builtins compat to separate file. * Fix classification of test/units/compat/ dir. 6 years ago			`from units.compat.mock import MagicMock`
Conjur Lookup Plugin (#34280) * Imported lookup plugin from Role * Plugin cleanup, including: * Use existing Python YAML parsing * Remove environment variables as connection options * Added initial debugging information * Reworked the lookup plugin using the Python Request library. As it's available through Ansible, it makes communication with Conjur much more straight forward. * Removed un-used libraries * Fixed linting issues * Standardized output on `format` and insure it works for 2.6, 2.7, and 3.x. * Use quote_plus from the six library for improved python 2/3 behavior. * Refactored identity & configuration to prefer user's file. This also includes a refactor to remove an un-needed dictionary merge method. * Removed `requests` in favor of `ansible.module_utils.urls`. * Refactored netrc loading to warn if host is not present. * Tests and a refactor to support easier testing. * Added reference to website * Fixed two linting errors * Fixed an extra line found by linting * Updated file write to use binary to insure config files are written correctly * Resolved linting issues * Refactored config & identity loading to take advantage of plugin options * Cleanup a bunch of small items caught by linting * Removed extra line caught by linting * Swapped in pytest and added some tests with mocked network responses * Pushing to see if this approach works better... * Refactored be open_url mocking based on feedback * Fixed a couple linting issues & refactored mocking into each method to attempt to resolve a failing test * Use a generic MagicMock for python 2.6 * Fixes doc typo require -> required * Use `type: path` in identity_file and config_file Also removes `expanduser` calls below (which will now be called automatically on paths.) * Defines maintainers for conjur_variable plugin * BOTMETA.yml: defines $team_cyberark_conjur as maintainers of Conjur Variable plugin adds myself and @jvanderhoof to that team * Adds URLs to relevant documentation for Conjur Variable lookup plugin * Clarifies "the server," "the machine" -> "controlling host" The machine identity used is that of the Ansible controlling host, not any server being provisioned or instructed. This documentation change aims to make that relationship clear. * Adds response code to exception message on authentication failure * Enhances exception messages to specify the controlling host These error messages are less likely to confuse a user as to which machine is associated with the files, identities, and configurations being described. * Adds ANSIBLE_METADATA for Conjur variable lookup plugin 7 years ago			`from ansible.errors import AnsibleError`
			`from ansible.module_utils.six.moves import http_client`
			`from ansible.plugins.lookup import conjur_variable`
			`import tempfile`


			`class TestLookupModule:`
			`def test_valid_netrc_file(self):`
			`with tempfile.NamedTemporaryFile() as temp_netrc:`
			`temp_netrc.write(b"machine http://localhost/authn\n")`
			`temp_netrc.write(b" login admin\n")`
			`temp_netrc.write(b" password my-pass\n")`
			`temp_netrc.seek(0)`

			`results = conjur_variable._load_identity_from_file(temp_netrc.name, 'http://localhost')`

			`assert results['id'] == 'admin'`
			`assert results['api_key'] == 'my-pass'`

			`def test_netrc_without_host_file(self):`
			`with tempfile.NamedTemporaryFile() as temp_netrc:`
			`temp_netrc.write(b"machine http://localhost/authn\n")`
			`temp_netrc.write(b" login admin\n")`
			`temp_netrc.write(b" password my-pass\n")`
			`temp_netrc.seek(0)`

			`with pytest.raises(AnsibleError):`
			`conjur_variable._load_identity_from_file(temp_netrc.name, 'http://foo')`

			`def test_valid_configuration(self):`
			`with tempfile.NamedTemporaryFile() as configuration_file:`
			`configuration_file.write(b"---\n")`
			`configuration_file.write(b"account: demo-policy\n")`
			`configuration_file.write(b"plugins: []\n")`
			`configuration_file.write(b"appliance_url: http://localhost:8080\n")`
			`configuration_file.seek(0)`

			`results = conjur_variable._load_conf_from_file(configuration_file.name)`
			`assert results['account'] == 'demo-policy'`
			`assert results['appliance_url'] == 'http://localhost:8080'`

			`def test_valid_token_retrieval(self, mocker):`
			`mock_response = MagicMock(spec_set=http_client.HTTPResponse)`
			`try:`
			`mock_response.getcode.return_value = 200`
Update bare exceptions to specify Exception. This will keep us from accidentally catching program-exiting exceptions like KeyboardInterupt and SystemExit. 6 years ago			`except Exception:`
Conjur Lookup Plugin (#34280) * Imported lookup plugin from Role * Plugin cleanup, including: * Use existing Python YAML parsing * Remove environment variables as connection options * Added initial debugging information * Reworked the lookup plugin using the Python Request library. As it's available through Ansible, it makes communication with Conjur much more straight forward. * Removed un-used libraries * Fixed linting issues * Standardized output on `format` and insure it works for 2.6, 2.7, and 3.x. * Use quote_plus from the six library for improved python 2/3 behavior. * Refactored identity & configuration to prefer user's file. This also includes a refactor to remove an un-needed dictionary merge method. * Removed `requests` in favor of `ansible.module_utils.urls`. * Refactored netrc loading to warn if host is not present. * Tests and a refactor to support easier testing. * Added reference to website * Fixed two linting errors * Fixed an extra line found by linting * Updated file write to use binary to insure config files are written correctly * Resolved linting issues * Refactored config & identity loading to take advantage of plugin options * Cleanup a bunch of small items caught by linting * Removed extra line caught by linting * Swapped in pytest and added some tests with mocked network responses * Pushing to see if this approach works better... * Refactored be open_url mocking based on feedback * Fixed a couple linting issues & refactored mocking into each method to attempt to resolve a failing test * Use a generic MagicMock for python 2.6 * Fixes doc typo require -> required * Use `type: path` in identity_file and config_file Also removes `expanduser` calls below (which will now be called automatically on paths.) * Defines maintainers for conjur_variable plugin * BOTMETA.yml: defines $team_cyberark_conjur as maintainers of Conjur Variable plugin adds myself and @jvanderhoof to that team * Adds URLs to relevant documentation for Conjur Variable lookup plugin * Clarifies "the server," "the machine" -> "controlling host" The machine identity used is that of the Ansible controlling host, not any server being provisioned or instructed. This documentation change aims to make that relationship clear. * Adds response code to exception message on authentication failure * Enhances exception messages to specify the controlling host These error messages are less likely to confuse a user as to which machine is associated with the files, identities, and configurations being described. * Adds ANSIBLE_METADATA for Conjur variable lookup plugin 7 years ago			`# HTTPResponse is a Python 3 only feature. This uses a generic mock for python 2.6`
			`mock_response = MagicMock()`
			`mock_response.getcode.return_value = 200`

			`mock_response.read.return_value = 'foo-bar-token'`
			`mocker.patch.object(conjur_variable, 'open_url', return_value=mock_response)`

			`response = conjur_variable._fetch_conjur_token('http://conjur', 'account', 'username', 'api_key')`
			`assert response == 'foo-bar-token'`

			`def test_valid_fetch_conjur_variable(self, mocker):`
			`mock_response = MagicMock(spec_set=http_client.HTTPResponse)`
			`try:`
			`mock_response.getcode.return_value = 200`
Update bare exceptions to specify Exception. This will keep us from accidentally catching program-exiting exceptions like KeyboardInterupt and SystemExit. 6 years ago			`except Exception:`
Conjur Lookup Plugin (#34280) * Imported lookup plugin from Role * Plugin cleanup, including: * Use existing Python YAML parsing * Remove environment variables as connection options * Added initial debugging information * Reworked the lookup plugin using the Python Request library. As it's available through Ansible, it makes communication with Conjur much more straight forward. * Removed un-used libraries * Fixed linting issues * Standardized output on `format` and insure it works for 2.6, 2.7, and 3.x. * Use quote_plus from the six library for improved python 2/3 behavior. * Refactored identity & configuration to prefer user's file. This also includes a refactor to remove an un-needed dictionary merge method. * Removed `requests` in favor of `ansible.module_utils.urls`. * Refactored netrc loading to warn if host is not present. * Tests and a refactor to support easier testing. * Added reference to website * Fixed two linting errors * Fixed an extra line found by linting * Updated file write to use binary to insure config files are written correctly * Resolved linting issues * Refactored config & identity loading to take advantage of plugin options * Cleanup a bunch of small items caught by linting * Removed extra line caught by linting * Swapped in pytest and added some tests with mocked network responses * Pushing to see if this approach works better... * Refactored be open_url mocking based on feedback * Fixed a couple linting issues & refactored mocking into each method to attempt to resolve a failing test * Use a generic MagicMock for python 2.6 * Fixes doc typo require -> required * Use `type: path` in identity_file and config_file Also removes `expanduser` calls below (which will now be called automatically on paths.) * Defines maintainers for conjur_variable plugin * BOTMETA.yml: defines $team_cyberark_conjur as maintainers of Conjur Variable plugin adds myself and @jvanderhoof to that team * Adds URLs to relevant documentation for Conjur Variable lookup plugin * Clarifies "the server," "the machine" -> "controlling host" The machine identity used is that of the Ansible controlling host, not any server being provisioned or instructed. This documentation change aims to make that relationship clear. * Adds response code to exception message on authentication failure * Enhances exception messages to specify the controlling host These error messages are less likely to confuse a user as to which machine is associated with the files, identities, and configurations being described. * Adds ANSIBLE_METADATA for Conjur variable lookup plugin 7 years ago			`# HTTPResponse is a Python 3 only feature. This uses a generic mock for python 2.6`
			`mock_response = MagicMock()`
			`mock_response.getcode.return_value = 200`

			`mock_response.read.return_value = 'foo-bar'`
			`mocker.patch.object(conjur_variable, 'open_url', return_value=mock_response)`

			`response = conjur_variable._fetch_conjur_token('super-secret', 'token', 'http://conjur', 'account')`
			`assert response == 'foo-bar'`

			`def test_invalid_fetch_conjur_variable(self, mocker):`
			`for code in [401, 403, 404]:`
			`mock_response = MagicMock(spec_set=http_client.HTTPResponse)`
			`try:`
			`mock_response.getcode.return_value = code`
Update bare exceptions to specify Exception. This will keep us from accidentally catching program-exiting exceptions like KeyboardInterupt and SystemExit. 6 years ago			`except Exception:`
Conjur Lookup Plugin (#34280) * Imported lookup plugin from Role * Plugin cleanup, including: * Use existing Python YAML parsing * Remove environment variables as connection options * Added initial debugging information * Reworked the lookup plugin using the Python Request library. As it's available through Ansible, it makes communication with Conjur much more straight forward. * Removed un-used libraries * Fixed linting issues * Standardized output on `format` and insure it works for 2.6, 2.7, and 3.x. * Use quote_plus from the six library for improved python 2/3 behavior. * Refactored identity & configuration to prefer user's file. This also includes a refactor to remove an un-needed dictionary merge method. * Removed `requests` in favor of `ansible.module_utils.urls`. * Refactored netrc loading to warn if host is not present. * Tests and a refactor to support easier testing. * Added reference to website * Fixed two linting errors * Fixed an extra line found by linting * Updated file write to use binary to insure config files are written correctly * Resolved linting issues * Refactored config & identity loading to take advantage of plugin options * Cleanup a bunch of small items caught by linting * Removed extra line caught by linting * Swapped in pytest and added some tests with mocked network responses * Pushing to see if this approach works better... * Refactored be open_url mocking based on feedback * Fixed a couple linting issues & refactored mocking into each method to attempt to resolve a failing test * Use a generic MagicMock for python 2.6 * Fixes doc typo require -> required * Use `type: path` in identity_file and config_file Also removes `expanduser` calls below (which will now be called automatically on paths.) * Defines maintainers for conjur_variable plugin * BOTMETA.yml: defines $team_cyberark_conjur as maintainers of Conjur Variable plugin adds myself and @jvanderhoof to that team * Adds URLs to relevant documentation for Conjur Variable lookup plugin * Clarifies "the server," "the machine" -> "controlling host" The machine identity used is that of the Ansible controlling host, not any server being provisioned or instructed. This documentation change aims to make that relationship clear. * Adds response code to exception message on authentication failure * Enhances exception messages to specify the controlling host These error messages are less likely to confuse a user as to which machine is associated with the files, identities, and configurations being described. * Adds ANSIBLE_METADATA for Conjur variable lookup plugin 7 years ago			`# HTTPResponse is a Python 3 only feature. This uses a generic mock for python 2.6`
			`mock_response = MagicMock()`
			`mock_response.getcode.return_value = code`

			`mocker.patch.object(conjur_variable, 'open_url', return_value=mock_response)`

			`with pytest.raises(AnsibleError):`
			`response = conjur_variable._fetch_conjur_token('super-secret', 'token', 'http://conjur', 'account')`