Giters

cyberark / conjur-service-broker

Implementation of the Open Service Broker API for Conjur

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Clean up bulky service broker test docker-compose services

doodlesbykumbi opened this issue · comments

commented

Is your feature request related to a problem? Please describe.

We currently have a number of service broker test docker-compose services, each with slightly different environment variables. This arrangement is bulky and static, and requires a whole container to be spun up to change (what is in general) the behavior of single endpoint for each instance. Developing against this comes with, what I think is, an unnecessary overheard.

I think a better approach is to use the rspec helpers for rails and to make the requests in-process, using stubs/mocks to modify the environment for each test scenario. It would allow us to achieve the same thing but give us a lot more flexibility.

Describe the solution you would like

Right now we have 2 docker-compose services:

  service-broker-bad-url:
    image: conjur-service-broker
    environment:
      CONJUR_ACCOUNT: cucumber
      CONJUR_AUTHN_LOGIN: admin
      CONJUR_APPLIANCE_URL: http://badurl.invalid
      CONJUR_FOLLOWER_URL: ""
      SECURITY_USER_NAME: TEST_USER_NAME
      SECURITY_USER_PASSWORD: TEST_USER_PASSWORD
      CONJUR_AUTHN_API_KEY: doesntmatter
      CONJUR_SSL_CERTIFICATE:
      CONJUR_VERSION:
    command: rails s -p 3001 -b 0.0.0.0 -P tmp/pids/server1.pid
    expose:
      - "3001"

  service-broker-bad-key:
    image: conjur-service-broker
    environment:
      CONJUR_ACCOUNT: cucumber
      CONJUR_AUTHN_LOGIN: admin
      CONJUR_APPLIANCE_URL:
      CONJUR_FOLLOWER_URL: ""
      SECURITY_USER_NAME: TEST_USER_NAME
      SECURITY_USER_PASSWORD: TEST_USER_PASSWORD
      CONJUR_AUTHN_API_KEY: 123badconjurkey
      CONJUR_SSL_CERTIFICATE:
      CONJUR_VERSION:
    command: rails s -p 3002 -b 0.0.0.0 -P tmp/pids/server2.pid
    expose:
      - "3002"

These services cater to the following cucumber scenarios:

Scenario: Bind resource with incorrect Conjur credentials
    Given I use a service broker with a bad Conjur API key
    When I make a bind request with body:
    """
    {
      "service_id": "c024e536-6dc4-45c6-8a53-127e7f8275ab",
      "plan_id": "3a116ac2-fc8b-496f-a715-e9a1b205d05c.community",
      "bind_resource": {
        "app_guid": "bb841d2b-8287-47a9-ac8f-eef4c16106f8"
      },
      "parameters": {
        "parameter1": 1,
        "parameter2": "foo"
      }
    }
    """
    Then the HTTP response status code is "403"
    And the JSON should be {}

  Scenario: Bind resource with Conjur server error
    Given I use a service broker with a bad Conjur URL
    When I make a bind request with body:
    """
    {
      "service_id": "c024e536-6dc4-45c6-8a53-127e7f8275ab",
      "plan_id": "3a116ac2-fc8b-496f-a715-e9a1b205d05c.community",
      "bind_resource": {
        "app_guid": "bb841d2b-8287-47a9-ac8f-eef4c16106f8"
      },
      "parameters": {
        "parameter1": 1,
        "parameter2": "foo"
      }
    }
    """
    Then the HTTP response status code is "500"
    And the JSON should be {}

The suggestion here is to get rid of both the docker-compose services and the associated cucumber tests in favour of the following rspec tests which are equivalent and more lightweight.

require 'spec_helper'

# make_bind_request_with_env makes a valid bind request, and for the duration of its run uses the provided 
# hash to replace the environment variables in the context that the endpoint is evaluated.
def make_bind_request_with_env(env = {})
  # Setup stubs
  allow(ENV).to receive(:[]).and_call_original
  env.each do |key, value|
    allow(ENV).to receive(:[]).with(key.to_s).and_return(value)
  end

  service_id = SecureRandom.uuid
  binding_id = SecureRandom.uuid
  url = "/v2/service_instances/#{service_id}/service_bindings/#{binding_id}"

  put(url,
      params: {
          service_id: "c024e536-6dc4-45c6-8a53-127e7f8275ab",
          plan_id: "3a116ac2-fc8b-496f-a715-e9a1b205d05c.community",
          bind_resource: {
              app_guid: "bb841d2b-8287-47a9-ac8f-eef4c16106f8"
          },
          parameters: {
              parameter1: 1,
              parameter2: "foo"
          }
      },
      headers: {
          'X-Broker-API-Version' => '2.13',
          'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials(
              ENV['SECURITY_USER_NAME'],
              ENV['SECURITY_USER_PASSWORD'],
              )
      })

  # Clear stubs
  allow(ENV).to receive(:[]).and_call_original
end

# Here it is assumed that the environment already has the environment variables for the happy path, 
# so that a call to make_bind_request_with_env is a deviation from the happy path.
RSpec.describe BindController, type: :request do
  it '500 when bind resource with a bad Conjur URL' do
    make_bind_request_with_env(
    {
        CONJUR_APPLIANCE_URL: "http://badurl.invalid"
      })

    expect(response.content_type).to eq("text/html")
    expect(response).to have_http_status(:internal_server_error )
  end

  it '403 when bind resource with a bad Conjur API key' do
    make_bind_request_with_env(
        {
            CONJUR_AUTHN_API_KEY: "bad-api-key"
        })

    expect(response.content_type).to eq("application/json")
    expect(response).to have_http_status(:forbidden )
  end

end

Describe alternatives you have considered

N/A

Additional context

N/A