entitlements-gitrepo-auditor-plugin/spec/acceptance/tests/spec_helper.rb at 48792d7201724ce81c66d052c3dd7f77d4b8d394 · github/entitlements-gitrepo-auditor-plugin · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
# frozen_string_literal: true

require "base64"
require "logger"
require "net/http"
require "net/ldap"
require "ostruct"
require "open3"
require "rugged"
require "shellwords"
require "set"
require "stringio"
require "tmpdir"
require "uri"

require "rspec"
require "rspec/support"
require "rspec/support/object_formatter"

require "entitlements"

# REQUIRE YOUR PLUGIN DIRECTORIES HERE
# require_relative "../../lib/entitlements/<your_plugin_files>"

RSpec::Support::ObjectFormatter.default_instance.max_formatted_output_length = 100000

ENV["LDAP_URI"] = "ldaps://ldap-server.fake:636"
ENV["LDAP_BINDDN"] = "uid=emmy,ou=Service_Accounts,dc=kittens,dc=net"
ENV["LDAP_BINDPW"] = "kittens"

RSpec.configure do |config|
  config.before(:suite) do
    ENV["ENTITLEMENTS_ACCEPTANCE_GIT_CHECKOUT_BASE"] = Dir.mktmpdir

    # SSH key
    ENV["GIT_REPO_SSH_KEY"] = File.join(ENV["ENTITLEMENTS_ACCEPTANCE_GIT_CHECKOUT_BASE"], ".ssh", "id_rsa")
    FileUtils.mkdir_p File.join(ENV["ENTITLEMENTS_ACCEPTANCE_GIT_CHECKOUT_BASE"], ".ssh")
    File.open(File.join(ENV["GIT_REPO_SSH_KEY"]), "w") do |f|
      f.write(Base64.decode64(File.read(File.expand_path("../git-server/private/id_rsa.base64", __dir__))))
    end

    # Git repo
    ENV["GIT_REPO_CHECKOUT_DIRECTORY"] = File.join(ENV["ENTITLEMENTS_ACCEPTANCE_GIT_CHECKOUT_BASE"], "git-repos")
  end

  config.after(:suite) do
    if File.directory?(ENV["ENTITLEMENTS_ACCEPTANCE_GIT_CHECKOUT_BASE"])
      FileUtils.remove_entry_secure(ENV["ENTITLEMENTS_ACCEPTANCE_GIT_CHECKOUT_BASE"])
    end
    ENV["ENTITLEMENTS_ACCEPTANCE_GIT_CHECKOUT_BASE"] = nil
    ENV["GIT_REPO_SSH_KEY"] = nil
    ENV["GIT_REPO_CHECKOUT_DIRECTORY"] = nil
  end
end

def fixture(path)
  File.expand_path(File.join("../fixtures", path.sub(%r{\A/+}, "")), File.dirname(__FILE__))
end

def run(fixture_dir, args = [])
  binary = File.expand_path("../../../bin/deploy-entitlements", File.dirname(__FILE__))
  configfile = fixture(File.join(fixture_dir, "config.yaml"))
  command_parts = [binary, "--config-file", configfile] + args
  command = command_parts.map { |i| Shellwords.escape(i) }.join(" ")
  stdout, stderr, exitstatus = Open3.capture3(command)
  OpenStruct.new({ stdout:, stderr:, exitstatus: exitstatus.exitstatus, success?: exitstatus.exitstatus == 0 })
end

def log(priority, pattern)
  Regexp.new("^#{priority[0].upcase}, \\[[^\\]]+\\]\s+#{priority.upcase} -- : #{pattern}")
end

def ldap_exist?(dn)
  ldap_obj.search(base: dn, scope: Net::LDAP::SearchScope_BaseObject, return_result: false)
end

def ldap_obj
  @ldap_obj ||= begin
    uri = URI(ENV["LDAP_URI"])

    ldap_object = Net::LDAP.new(
      host: uri.host,
      port: uri.port,
      encryption: (uri.scheme == "ldaps" ? :simple_tls : nil),
      auth: { method: :simple, username: ENV["LDAP_BINDDN"], password: ENV["LDAP_BINDPW"] }
    )

    ldap_object.bind
    operation_result = ldap_object.get_operation_result
    if operation_result["code"] != 0
      raise "spec_helper failed to bind to LDAP: #{operation_result['code']} - #{operation_result['message']}"
    end

    ldap_object
  end
end

def ldap_entry(dn)
  result = nil
  ldap_obj.search(base: dn, scope: Net::LDAP::SearchScope_BaseObject, return_result: true) do |entry|
    if result
      raise "Duplicate LDAP result for #{dn}. This=#{entry.inspect} ldap_entry=#{ldap_entry.inspect}"
    end
    result = entry
  end
  result
end

# Helper for acceptance testing
def members(dn)
  result = ldap_entry(dn)
  raise "No LDAP group found for #{dn}!" unless result
  if result[:objectclass].include?("groupOfUniqueNames")
    Set.new(result[:uniquemember].map { |u| u.downcase })
  elsif result[:objectclass].include?("groupOfNames")
    Set.new(result[:member].map { |u| u.downcase })
  elsif result[:objectclass].include?("posixGroup")
    Set.new(result[:memberuid].map { |u| u.downcase })
  else
    Set.new
  end
end

def people_set(people_array)
  Set.new(people_array.map { |uid| "uid=#{uid.downcase},ou=people,dc=kittens,dc=net" })
end

# SSH key for the git server in the entitlements container
def setup_git_ssh_key
  return if File.file?(File.join(ENV["HOME"], ".ssh", "id_rsa"))
end

# Recursive tree using rugged - return an array of the files found.
# "result" should be started as an empty hash and will be populated with { "filename" => "content" }.
def rugged_recursive_tree(repo, tree, path, result)
  tree.each_blob do |entry|
    key = File.join(path, entry[:name])
    result[key] = repo.lookup(entry[:oid]).content
  end

  tree.each_tree do |entry|
    new_tree = repo.lookup(entry[:oid])
    rugged_recursive_tree(repo, new_tree, File.join(path, entry[:name]), result)
  end
end

# From an array of UIDs, construct the text that would be used in GitRepo files.
def gitrepo_file(people_array)
  people_array.map { |uid| "uid=#{uid},ou=People,dc=kittens,dc=net".downcase }.sort.join("\n") + "\n"
end