From 38049bd5641b43ee3b4505f2a1703ffb8b6f4ca2 Mon Sep 17 00:00:00 2001
From: Geoff Wilson
Date: Mon, 23 Sep 2024 15:25:15 -0400
Subject: [PATCH] add test for pki/cert configuration
---
 app/lib/clients/vault/certificate.rb | 4 ++--
 test/lib/clients/vault_test.rb | 36 +++++++++++++++++++++++++---
 2 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/app/lib/clients/vault/certificate.rb b/app/lib/clients/vault/certificate.rb
index 6b7f7b3..b07a46b 100644
--- a/app/lib/clients/vault/certificate.rb
+++ b/app/lib/clients/vault/certificate.rb
@@ -2,14 +2,14 @@ module Clients
 class Vault
 class << self
 def issue_cert(cert_issue_request)
- configure_ca
+ configure_pki
 opts = cert_issue_request.attributes
 # Generate the TLS certificate using the intermediate CA
 tls_cert = client.logical.write(cert_path, opts)
 OpenStruct.new tls_cert.data
 end
- def configure_ca
+ def configure_pki
 enable_ca
 end
diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb
index db7cd3d..ddbb38a 100644
--- a/test/lib/clients/vault_test.rb
+++ b/test/lib/clients/vault_test.rb
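Review bot: `configure_pki` is still called at the top of every `issue_cert`, and because its body only delegates to `enable_ca` (defined outside this hunk) it is not visible here whether repeated calls are safe — for example whether mounting an already-mounted PKI engine is tolerated — so a one-line comment on `configure_pki` stating that contract would help, e.g. `# Ensures the intermediate PKI engine is mounted and configured; must be safe to call before every issuance.` The request attributes are also handed to the PKI issue endpoint unchanged via `opts = cert_issue_request.attributes`, so any restriction of caller-controlled fields such as the requested TTL or subject alternative names has to happen inside `cert_issue_request`; a comment naming that as the validation boundary would make the trust assumption explicit. The enclosing `class << self` block ends outside the hunk.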
@@ -1,25 +1,55 @@
 require "test_helper"
 class VaultTest < ActiveSupport::TestCase
+ attr_reader :random_mount
+
 setup do
 @client = Clients::Vault
+ @random_mount = SecureRandom.hex(4)
+ end
+
+ teardown do
+ vault_client.sys.unmount(random_mount)
 end
 test "#configure_kv" do
- random_mount = SecureRandom.hex(4)
 @client.stub :kv_mount, random_mount do
- assert_not_nil @client.configure_kv
+ assert @client.configure_kv
 engines = vault_client.sys.mounts
 assert_equal "kv", engines[random_mount.to_sym].type
 end
 end
+ test "#configure_pki" do
+ @client.stub :intermediate_ca_mount, random_mount do
+ assert @client.configure_pki
+ engines = vault_client.sys.mounts
+ assert_equal "pki", engines[random_mount.to_sym].type
+
+ read_cert = vault_client.logical.read("#{random_mount}/cert/ca").data[:certificate]
+ assert_match "BEGIN CERTIFICATE", read_cert
+
+ cluster_config = vault_client.logical.read("#{random_mount}/config/cluster").data
+ assert_equal "#{vault_addr}/v1/#{random_mount}", cluster_config[:path]
+ assert_equal "#{vault_addr}/v1/#{random_mount}", cluster_config[:aia_path]
+
+ role_config = vault_client.logical.read("#{random_mount}/roles/astral").data
+ assert_not_nil role_config[:issuer_ref]
+ assert_equal 720.hours, role_config[:max_ttl]
+ assert_equal true, role_config[:allow_any_name]
+ end
+ end
+
 private
 def vault_client
 ::Vault::Client.new(
- address: Rails.configuration.astral[:vault_addr],
+ address: vault_addr,
 token: Rails.configuration.astral[:vault_token]
 )
 end
+
+ def vault_addr
+ Rails.configuration.astral[:vault_addr]
+ end
 end
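Review bot: The new `teardown` calls `vault_client.sys.unmount(random_mount)` unconditionally, so when `configure_kv` or `configure_pki` fails before the engine is mounted the unmount raises as well and the teardown error masks the real assertion failure; guarding it with the mount listing the tests already read, `vault_client.sys.unmount(random_mount) if vault_client.sys.mounts.key?(random_mount.to_sym)`, keeps the original failure visible. The `#configure_pki` test also pins `allow_any_name: true` on the astral role, which means the role signs whatever common name a caller requests; if that is the intended trust model, a short comment beside that assertion, e.g. `# role deliberately accepts any CN; name validation is the caller's responsibility`, stops a future reader from treating it as an oversight, and if it is not intended the assertion is locking in an over-permissive role. The teardown only unmounts the stubbed engine, so any state `configure_pki` writes elsewhere would persist between runs — an assumption to confirm against `enable_ca`, which is not visible here.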