#!/usr/bin/env bash
# tests/vault-kv-health/run-tests.sh -- mock harness for scripts/vault-kv-health.sh
# Scenarios: happy=0, sealed=1, binding-drift=1 (D-067 clobber), plane-wrong=1,
#            conf-mismatch=1, login-403=1, unknown-consumer=2 (coverage gap).
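# Only nounset is enabled. errexit is left off on purpose: the scenario runs
# further down are expected to exit non-zero and their status is read from $?.
set -u

# Directory holding this harness, used to locate the scripts under test.
SD="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" \
  || { echo "FATAL: cannot resolve harness directory" >&2; exit 1; }

# Private sandbox for the mock binary and the copied scripts. Stop here if it
# cannot be created: with an empty W every later path ("$W/bin/juju",
# "$W/scripts/...") would resolve against the filesystem root instead.
W=$(mktemp -d) || { echo "FATAL: mktemp -d failed" >&2; exit 1; }
trap 'rm -rf -- "$W"' EXIT
mkdir -p -- "$W/bin" "$W/scripts" \
  || { echo "FATAL: cannot create sandbox layout under $W" >&2; exit 1; }

# Work on copies of the two scripts. Without this check a missing script would
# only surface later as opaque scenario failures, because the scenario loop
# discards the health script's stdout and stderr.
cp -- "$SD/../../scripts/vault-kv-health.sh" "$SD/../../scripts/vault-kv-inner-probe.sh" "$W/scripts/" \
  || { echo "FATAL: cannot copy scripts under test into $W/scripts" >&2; exit 1; }

# Stub lib-net.sh that defines nothing but METAL_INTERNAL_CIDR
# (presumably sourced by the health script -- confirm against that script).
printf 'METAL_INTERNAL_CIDR="10.12.12.0/22"\n' > "$W/scripts/lib-net.sh"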
# Install a stand-in `juju` at $W/bin/juju. The heredoc delimiter is quoted
# ('JMOCK'), so the body is written verbatim and nothing is expanded here.
#
# The mock matches its whole argument string ("$*") against glob patterns and
# prints a canned reply. MOCK_SCEN (default: happy) selects which single reply
# deviates from the healthy one:
#   sealed        ssh ... vault/0            -> "Sealed true"
#   binddrift     show-application vault     -> external bound to metal-admin
#   unknowncons   status vault               -> extra relation "mystery-vault"
#   planewrong    show-unit barbican-vault/0 -> vault_url on 10.12.8.190
#   confmismatch  ssh ... barbican/0         -> conf_vault_url on 10.12.8.190
#   login403      ssh ... barbican/0         -> login_http=403 and no PROBE-PASS
# 10.12.8.190 lies outside the stubbed METAL_INTERNAL_CIDR (10.12.12.0/22),
# while 10.12.12.117 lies inside it.
#
# The barbican/0 arm drains stdin before answering (presumably the probe script
# is streamed over ssh -- confirm against vault-kv-health.sh).
#
# NOTE(review): `case` takes the first matching arm, so the order of the arms
# matters. The first pattern, *"ssh"*vault/0*, would also match an ssh to
# barbican-vault/0; whether the health script ever issues such a call is not
# visible here.
# NOTE(review): there is no `*)` arm, so an unexpected juju invocation prints
# nothing and exits 0 rather than failing loudly.
cat > "$W/bin/juju" <<'JMOCK'
#!/usr/bin/env bash
S="${MOCK_SCEN:-happy}"
case "$*" in
  *"ssh"*vault/0*) echo "Initialized     true"; if [ "$S" = sealed ]; then echo "Sealed          true"; else echo "Sealed          false"; fi;;
  *"show-application vault"*)
    echo "vault:"; echo "  endpoint-bindings:"; echo "    access: metal-internal"
    if [ "$S" = binddrift ]; then echo "    external: metal-admin"; else echo "    external: metal-internal"; fi;;
  *"status vault"*)
    if [ "$S" = unknowncons ]; then R='[{"related-application":"barbican-vault"},{"related-application":"mystery-vault"}]'; else R='[{"related-application":"barbican-vault"}]'; fi
    printf '{"applications":{"vault":{"relations":{"secrets":%s}}}}\n' "$R";;
  *"show-unit barbican-vault/0"*)
    if [ "$S" = planewrong ]; then echo "          vault_url: '\"http://10.12.8.190:8200\"'"; else echo "          vault_url: '\"http://10.12.12.117:8200\"'"; fi;;
  *"ssh"*barbican/0*)
    cat >/dev/null
    if [ "$S" = confmismatch ]; then echo "conf_vault_url=http://10.12.8.190:8200"; else echo "conf_vault_url=http://10.12.12.117:8200"; fi
    echo "route: 10.12.12.117 dev eth1 src 10.12.12.110"
    if [ "$S" = login403 ]; then echo "login_http=403"; echo "errors: ['cidr']"; else echo "login_http=200"; echo "PROBE-PASS"; fi;;
esac
JMOCK
# Make the mock executable so it can be found and run through PATH.
chmod +x "$W/bin/juju"
# Running tallies of passed and failed checks.
P=0
F=0

# Each entry is "<MOCK_SCEN value>:<exit status the health script must return>".
scenarios=(happy:0 sealed:1 binddrift:1 planewrong:1 confmismatch:1 login403:1 unknowncons:2)

for spec in "${scenarios[@]}"; do
  name="${spec%%:*}"
  want="${spec##*:}"

  # The mock juju is put first on PATH for this one invocation only. Only the
  # exit status is checked; the health script's output is discarded.
  MOCK_SCEN="$name" PATH="$W/bin:$PATH" bash "$W/scripts/vault-kv-health.sh" >/dev/null 2>&1
  got=$?

  if [ "$got" = "$want" ]; then
    echo "PASS: $name (exit $got)"
    P=$((P+1))
  else
    echo "FAIL: $name (exit $got, want $want)"
    F=$((F+1))
  fi
done
# DOCFIX-083 argv hygiene: the probe's login request has to hand its body to
# curl on stdin (--data @-); neither the secret-bearing variable nor a -d
# option may appear among curl's arguments.
#
# NOTE(review): this is a static text check on the FIRST line of the probe that
# contains 'HTTP=', and only on what follows "curl " on that line. It does not
# follow backslash continuations, and it recognises the secret only by the
# literal name BODY or a whitespace-delimited -d; other data options or
# variable names are not covered.
login_line=$(grep 'HTTP=' "$W/scripts/vault-kv-inner-probe.sh" | head -1)
curl_args="${login_line#*curl }"

hygiene_ok=0
# Stripping the prefix changes the string only when "curl " is on the line.
if [ "$curl_args" != "$login_line" ]; then
  if grep -q -- '--data @-' <<<"$curl_args"; then
    if ! grep -qE 'BODY|[[:space:]]-d[[:space:]]' <<<"$curl_args"; then
      hygiene_ok=1
    fi
  fi
fi

if [ "$hygiene_ok" = 1 ]; then
  echo "PASS: argv-hygiene (curl reads body from stdin, no secret var on argv)"
  P=$((P+1))
else
  echo "FAIL: argv-hygiene (curl part: $curl_args)"
  F=$((F+1))
fi
# Final verdict: exit 0 only when no check failed. The total of 8 is the seven
# mock scenarios plus the argv-hygiene check.
echo
if [ "$F" = 0 ]; then
  echo "ALL PASS ($P/8)"
  exit 0
fi
echo "FAILURES: $F"
exit 1