Merge branch 'main' into gcp_secret_manager_adapter

2025-01-17 11:57:52 +00:00
parent 8103d68688 ea7e72d75f
commit 06f2cb223e
32 changed files with 540 additions and 106 deletions
--- a/test/cli/app_test.rb
+++ b/test/cli/app_test.rb
@@ -73,7 +73,7 @@ class CliAppTest < CliTestCase
    run_command("boot", config: :with_assets).tap do |output|
      assert_match "docker tag dhh/app:latest dhh/app:latest", output
      assert_match "/usr/bin/env mkdir -p .kamal/apps/app/assets/volumes/web-latest ; cp -rnT .kamal/apps/app/assets/extracted/web-latest .kamal/apps/app/assets/volumes/web-latest ; cp -rnT .kamal/apps/app/assets/extracted/web-latest .kamal/apps/app/assets/volumes/web-123 || true ; cp -rnT .kamal/apps/app/assets/extracted/web-123 .kamal/apps/app/assets/volumes/web-latest || true", output
-      assert_match "/usr/bin/env mkdir -p .kamal/apps/app/assets/extracted/web-latest && docker stop -t 1 app-web-assets 2> /dev/null || true && docker run --name app-web-assets --detach --rm --entrypoint sleep dhh/app:latest 1000000 && docker cp -L app-web-assets:/public/assets/. .kamal/apps/app/assets/extracted/web-latest && docker stop -t 1 app-web-assets", output
+      assert_match "/usr/bin/env mkdir -p .kamal/apps/app/assets/extracted/web-latest && docker container rm app-web-assets 2> /dev/null || true && docker container create --name app-web-assets dhh/app:latest && docker container cp -L app-web-assets:/public/assets/. .kamal/apps/app/assets/extracted/web-latest && docker container rm app-web-assets", output
      assert_match /docker run --detach --restart unless-stopped --name app-web-latest --network kamal --hostname 1.1.1.1-[0-9a-f]{12} /, output
      assert_match "docker container ls --all --filter name=^app-web-123$ --quiet | xargs docker stop", output
      assert_match "/usr/bin/env find .kamal/apps/app/assets/extracted -maxdepth 1 -name 'web-*' ! -name web-latest -exec rm -rf \"{}\" + ; find .kamal/apps/app/assets/volumes -maxdepth 1 -name 'web-*' ! -name web-latest -exec rm -rf \"{}\" +", output
@@ -382,8 +382,10 @@ class CliAppTest < CliTestCase


  test "version through main" do
-    stdouted { Kamal::Cli::Main.start([ "app", "version", "-c", "test/fixtures/deploy_with_accessories.yml", "--hosts", "1.1.1.1" ]) }.tap do |output|
-      assert_match "sh -c 'docker ps --latest --format '\\''{{.Names}}'\\'' --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting --filter ancestor=$(docker image ls --filter reference=dhh/app:latest --format '\\''{{.ID}}'\\'') ; docker ps --latest --format '\\''{{.Names}}'\\'' --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting' | head -1 | while read line; do echo ${line#app-web-}; done", output
+    with_argv([ "app", "version", "-c", "test/fixtures/deploy_with_accessories.yml", "--hosts", "1.1.1.1" ]) do
+      stdouted { Kamal::Cli::Main.start }.tap do |output|
+        assert_match "sh -c 'docker ps --latest --format '\\''{{.Names}}'\\'' --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting --filter ancestor=$(docker image ls --filter reference=dhh/app:latest --format '\\''{{.ID}}'\\'') ; docker ps --latest --format '\\''{{.Names}}'\\'' --filter label=service=app --filter label=destination= --filter label=role=web --filter status=running --filter status=restarting' | head -1 | while read line; do echo ${line#app-web-}; done", output
+      end
    end
  end

--- a/test/cli/build_test.rb
+++ b/test/cli/build_test.rb
@@ -274,17 +274,4 @@ class CliBuildTest < CliTestCase
      SSHKit::Backend::Abstract.any_instance.stubs(:execute)
        .with { |*args| args[0..1] == [ :docker, :buildx ] }
    end
-
-    def with_build_directory
-      build_directory = File.join Dir.tmpdir, "kamal-clones", "app-#{pwd_sha}", "kamal"
-      FileUtils.mkdir_p build_directory
-      FileUtils.touch File.join build_directory, "Dockerfile"
-      yield build_directory + "/"
-    ensure
-      FileUtils.rm_rf build_directory
-    end
-
-    def pwd_sha
-      Digest::SHA256.hexdigest(Dir.pwd)[0..12]
-    end
 end
--- a/test/cli/cli_test_case.rb
+++ b/test/cli/cli_test_case.rb
@@ -51,4 +51,17 @@ class CliTestCase < ActiveSupport::TestCase
    ensure
      ARGV.replace(old_argv)
    end
+
+    def with_build_directory
+      build_directory = File.join Dir.tmpdir, "kamal-clones", "app-#{pwd_sha}", "kamal"
+      FileUtils.mkdir_p build_directory
+      FileUtils.touch File.join build_directory, "Dockerfile"
+      yield build_directory + "/"
+    ensure
+      FileUtils.rm_rf build_directory
+    end
+
+    def pwd_sha
+      Digest::SHA256.hexdigest(Dir.pwd)[0..12]
+    end
 end
--- a/test/cli/main_test.rb
+++ b/test/cli/main_test.rb
@@ -460,6 +460,7 @@ class CliMainTest < CliTestCase

  test "run an alias for a console" do
    run_command("console", config_file: "deploy_with_aliases").tap do |output|
+      assert_no_match "App Host: 1.1.1.4", output
      assert_match "docker exec app-console-999 bin/console on 1.1.1.5", output
      assert_match "App Host: 1.1.1.5", output
    end
@@ -486,6 +487,33 @@ class CliMainTest < CliTestCase
    end
  end

+  test "switch config file with an alias" do
+    with_config_files do
+      with_argv([ "other_config" ]) do
+        stdouted { Kamal::Cli::Main.start }.tap do |output|
+          assert_match ":service_with_version: app2-999", output
+        end
+      end
+    end
+  end
+
+  test "switch destination with an alias" do
+    with_config_files do
+      with_argv([ "other_destination_config" ]) do
+        stdouted { Kamal::Cli::Main.start }.tap do |output|
+          assert_match ":service_with_version: app3-999", output
+        end
+      end
+    end
+  end
+
+  test "run on primary via alias" do
+    run_command("primary_details", config_file: "deploy_with_aliases").tap do |output|
+      assert_match "App Host: 1.1.1.1", output
+      assert_no_match "App Host: 1.1.1.2", output
+    end
+  end
+
  test "upgrade" do
    invoke_options = { "config_file" => "test/fixtures/deploy_with_accessories.yml", "skip_hooks" => false, "confirmed" => true, "rolling" => false }
    Kamal::Cli::Main.any_instance.expects(:invoke).with("kamal:cli:proxy:upgrade", [], invoke_options)
@@ -530,6 +558,20 @@ class CliMainTest < CliTestCase
      end
    end

+    def with_config_files
+      Dir.mktmpdir do |tmpdir|
+        config_dir = File.join(tmpdir, "config")
+        FileUtils.mkdir_p(config_dir)
+        FileUtils.cp "test/fixtures/deploy.yml", config_dir
+        FileUtils.cp "test/fixtures/deploy2.yml", config_dir
+        FileUtils.cp "test/fixtures/deploy.elsewhere.yml", config_dir
+
+        Dir.chdir(tmpdir) do
+          yield
+        end
+      end
+    end
+
    def assert_file(file, content)
      assert_match content, File.read(file)
    end
--- a/test/cli/proxy_test.rb
+++ b/test/cli/proxy_test.rb
@@ -281,6 +281,32 @@ class CliProxyTest < CliTestCase
    end
  end

+  test "boot_config set bind IP" do
+    run_command("boot_config", "set", "--publish-host-ip", "127.0.0.1").tap do |output|
+      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
+        assert_match "Running /usr/bin/env mkdir -p .kamal/proxy on #{host}", output
+        assert_match "Uploading \"--publish 127.0.0.1:80:80 --publish 127.0.0.1:443:443 --log-opt max-size=10m\" to .kamal/proxy/options on #{host}", output
+      end
+    end
+  end
+
+  test "boot_config set multiple bind IPs" do
+    run_command("boot_config", "set", "--publish-host-ip", "127.0.0.1", "--publish-host-ip", "::1").tap do |output|
+      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
+        assert_match "Running /usr/bin/env mkdir -p .kamal/proxy on #{host}", output
+        assert_match "Uploading \"--publish 127.0.0.1:80:80 --publish 127.0.0.1:443:443 --publish [::1]:80:80 --publish [::1]:443:443 --log-opt max-size=10m\" to .kamal/proxy/options on #{host}", output
+      end
+    end
+  end
+
+  test "boot_config set invalid bind IPs" do
+    exception = assert_raises do
+      run_command("boot_config", "set", "--publish-host-ip", "1.2.3.invalidIP", "--publish-host-ip", "::1")
+    end
+
+    assert_includes exception.message, "Invalid publish IP address: 1.2.3.invalidIP"
+  end
+
  test "boot_config set docker options" do
    run_command("boot_config", "set", "--docker_options", "label=foo=bar", "add_host=thishost:thathost").tap do |output|
      %w[ 1.1.1.1 1.1.1.2 ].each do |host|
--- a/test/commands/app_test.rb
+++ b/test/commands/app_test.rb
@@ -469,10 +469,10 @@ class CommandsAppTest < ActiveSupport::TestCase
  test "extract assets" do
    assert_equal [
      :mkdir, "-p", ".kamal/apps/app/assets/extracted/web-999", "&&",
-      :docker, :stop, "-t 1", "app-web-assets", "2> /dev/null", "|| true", "&&",
-      :docker, :run, "--name", "app-web-assets", "--detach", "--rm", "--entrypoint", "sleep", "dhh/app:999", "1000000", "&&",
-      :docker, :cp, "-L", "app-web-assets:/public/assets/.", ".kamal/apps/app/assets/extracted/web-999", "&&",
-      :docker, :stop, "-t 1", "app-web-assets"
+      :docker, :container, :rm, "app-web-assets", "2> /dev/null", "|| true", "&&",
+      :docker, :container, :create, "--name", "app-web-assets", "dhh/app:999", "&&",
+      :docker, :container, :cp, "-L", "app-web-assets:/public/assets/.", ".kamal/apps/app/assets/extracted/web-999", "&&",
+      :docker, :container, :rm, "app-web-assets"
    ], new_command(asset_path: "/public/assets").extract_assets
  end

--- a/test/fixtures/deploy.elsewhere.yml
+++ b/test/fixtures/deploy.elsewhere.yml
@@ -0,0 +1,12 @@
+service: app3
+image: dhh/app3
+servers:
+  - "1.1.1.3"
+  - "1.1.1.4"
+registry:
+  username: user
+  password: pw
+builder:
+  arch: amd64
+aliases:
+  other_config: config -c config/deploy2.yml
--- a/test/fixtures/deploy.yml
+++ b/test/fixtures/deploy.yml
@@ -0,0 +1,13 @@
+service: app
+image: dhh/app
+servers:
+  - "1.1.1.1"
+  - "1.1.1.2"
+registry:
+  username: user
+  password: pw
+builder:
+  arch: amd64
+aliases:
+  other_config: config -c config/deploy2.yml
+  other_destination_config: config -d elsewhere
--- a/test/fixtures/deploy2.yml
+++ b/test/fixtures/deploy2.yml
@@ -0,0 +1,12 @@
+service: app2
+image: dhh/app2
+servers:
+  - "1.1.1.1"
+  - "1.1.1.2"
+registry:
+  username: user2
+  password: pw2
+builder:
+  arch: amd64
+aliases:
+  other_config: config -c config/deploy2.yml
--- a/test/fixtures/deploy_with_aliases.yml
+++ b/test/fixtures/deploy_with_aliases.yml
@@ -21,3 +21,6 @@ aliases:
  console: app exec --reuse -p -r console "bin/console"
  exec: app exec --reuse -p -r console
  rails: app exec --reuse -p -r console rails
+  primary_details: details -p
+  deploy_secondary: deploy -d secondary
+
--- a/test/integration/main_test.rb
+++ b/test/integration/main_test.rb
@@ -90,9 +90,9 @@ class MainTest < IntegrationTest
  test "setup and remove" do
    @app = "app_with_roles"

-    kamal :proxy, :set_config,
+    kamal :proxy, :boot_config, "set",
      "--publish=false",
-      "--options=label=traefik.http.services.kamal_proxy.loadbalancer.server.scheme=http",
+      "--docker-options=label=traefik.http.services.kamal_proxy.loadbalancer.server.scheme=http",
      "label=traefik.http.routers.kamal_proxy.rule=PathPrefix\\\(\\\`/\\\`\\\)",
      "label=traefik.http.routers.kamal_proxy.priority=2"

--- a/test/secrets/aws_secrets_manager_adapter_test.rb
+++ b/test/secrets/aws_secrets_manager_adapter_test.rb
@@ -1,6 +1,35 @@
 require "test_helper"

 class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
+  test "fails when errors are present" do
+    stub_ticks.with("aws --version 2> /dev/null")
+    stub_ticks
+      .with("aws secretsmanager batch-get-secret-value --secret-id-list unknown1 unknown2 --profile default")
+      .returns(<<~JSON)
+        {
+          "SecretValues": [],
+          "Errors": [
+            {
+                "SecretId": "unknown1",
+                "ErrorCode": "ResourceNotFoundException",
+                "Message": "Secrets Manager can't find the specified secret."
+            },
+            {
+                "SecretId": "unknown2",
+                "ErrorCode": "ResourceNotFoundException",
+                "Message": "Secrets Manager can't find the specified secret."
+            }
+          ]
+        }
+      JSON
+
+    error = assert_raises RuntimeError do
+      JSON.parse(shellunescape(run_command("fetch", "unknown1", "unknown2")))
+    end
+
+    assert_equal [ "unknown1: Secrets Manager can't find the specified secret.", "unknown2: Secrets Manager can't find the specified secret." ].join(" "), error.message
+  end
+
  test "fetch" do
    stub_ticks.with("aws --version 2> /dev/null")
    stub_ticks
@@ -44,6 +73,48 @@ class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
    assert_equal expected_json, json
  end

+  test "fetch with string value" do
+    stub_ticks.with("aws --version 2> /dev/null")
+    stub_ticks
+      .with("aws secretsmanager batch-get-secret-value --secret-id-list secret secret2/KEY1 --profile default")
+      .returns(<<~JSON)
+        {
+          "SecretValues": [
+            {
+              "ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret",
+              "Name": "secret",
+              "VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv",
+              "SecretString": "a-string-secret",
+              "VersionStages": [
+                  "AWSCURRENT"
+              ],
+              "CreatedDate": "2024-01-01T00:00:00.000000"
+            },
+            {
+              "ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret2",
+              "Name": "secret2",
+              "VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv",
+              "SecretString": "{\\"KEY2\\":\\"VALUE2\\"}",
+              "VersionStages": [
+                  "AWSCURRENT"
+              ],
+              "CreatedDate": "2024-01-01T00:00:00.000000"
+            }
+          ],
+          "Errors": []
+        }
+      JSON
+
+    json = JSON.parse(shellunescape(run_command("fetch", "secret", "secret2/KEY1")))
+
+    expected_json = {
+      "secret"=>"a-string-secret",
+      "secret2/KEY2"=>"VALUE2"
+    }
+
+    assert_equal expected_json, json
+  end
+
  test "fetch with secret names" do
    stub_ticks.with("aws --version 2> /dev/null")
    stub_ticks
--- a/test/secrets/bitwarden_secrets_manager_adapter_test.rb
+++ b/test/secrets/bitwarden_secrets_manager_adapter_test.rb
@@ -0,0 +1,119 @@
+require "test_helper"
+
+class BitwardenSecretsManagerAdapterTest < SecretAdapterTestCase
+  test "fetch with no parameters" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+
+    error = assert_raises RuntimeError do
+      (shellunescape(run_command("fetch")))
+    end
+    assert_equal("You must specify what to retrieve from Bitwarden Secrets Manager", error.message)
+  end
+
+  test "fetch all" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks
+      .with("bws secret list -o env")
+      .returns("KAMAL_REGISTRY_PASSWORD=\"some_password\"\nMY_OTHER_SECRET=\"my=weird\"secret\"")
+
+    expected = '{"KAMAL_REGISTRY_PASSWORD":"some_password","MY_OTHER_SECRET":"my\=weird\"secret"}'
+    actual = shellunescape(run_command("fetch", "all"))
+    assert_equal expected, actual
+  end
+
+  test "fetch all with from" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks
+      .with("bws secret list -o env 82aeb5bd-6958-4a89-8197-eacab758acce")
+      .returns("KAMAL_REGISTRY_PASSWORD=\"some_password\"\nMY_OTHER_SECRET=\"my=weird\"secret\"")
+
+    expected = '{"KAMAL_REGISTRY_PASSWORD":"some_password","MY_OTHER_SECRET":"my\=weird\"secret"}'
+    actual = shellunescape(run_command("fetch", "all", "--from", "82aeb5bd-6958-4a89-8197-eacab758acce"))
+    assert_equal expected, actual
+  end
+
+  test "fetch item" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks
+      .with("bws secret get -o env 82aeb5bd-6958-4a89-8197-eacab758acce")
+      .returns("KAMAL_REGISTRY_PASSWORD=\"some_password\"")
+
+    expected = '{"KAMAL_REGISTRY_PASSWORD":"some_password"}'
+    actual = shellunescape(run_command("fetch", "82aeb5bd-6958-4a89-8197-eacab758acce"))
+    assert_equal expected, actual
+  end
+
+  test "fetch with multiple items" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks
+      .with("bws secret get -o env 82aeb5bd-6958-4a89-8197-eacab758acce")
+      .returns("KAMAL_REGISTRY_PASSWORD=\"some_password\"")
+    stub_ticks
+      .with("bws secret get -o env 6f8cdf27-de2b-4c77-a35d-07df8050e332")
+      .returns("MY_OTHER_SECRET=\"my=weird\"secret\"")
+
+    expected = '{"KAMAL_REGISTRY_PASSWORD":"some_password","MY_OTHER_SECRET":"my\=weird\"secret"}'
+    actual = shellunescape(run_command("fetch", "82aeb5bd-6958-4a89-8197-eacab758acce", "6f8cdf27-de2b-4c77-a35d-07df8050e332"))
+    assert_equal expected, actual
+  end
+
+  test "fetch all empty" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks_with("bws secret list -o env", succeed: false).returns("Error:\n0: Received error message from server")
+
+    error = assert_raises RuntimeError do
+      (shellunescape(run_command("fetch", "all")))
+    end
+    assert_equal("Could not read secrets from Bitwarden Secrets Manager", error.message)
+  end
+
+  test "fetch nonexistent item" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks_with("bws secret get -o env 82aeb5bd-6958-4a89-8197-eacab758acce", succeed: false)
+      .returns("ERROR (RuntimeError): Could not read 82aeb5bd-6958-4a89-8197-eacab758acce from Bitwarden Secrets Manager")
+
+    error = assert_raises RuntimeError do
+      (shellunescape(run_command("fetch", "82aeb5bd-6958-4a89-8197-eacab758acce")))
+    end
+    assert_equal("Could not read 82aeb5bd-6958-4a89-8197-eacab758acce from Bitwarden Secrets Manager", error.message)
+  end
+
+  test "fetch with no access token" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_ticks_with("bws run 'echo OK'", succeed: false)
+
+    error = assert_raises RuntimeError do
+      (shellunescape(run_command("fetch", "all")))
+    end
+    assert_equal("Could not authenticate to Bitwarden Secrets Manager. Did you set a valid access token?", error.message)
+  end
+
+  test "fetch without CLI installed" do
+    stub_ticks_with("bws --version 2> /dev/null", succeed: false)
+
+    error = assert_raises RuntimeError do
+      shellunescape(run_command("fetch"))
+    end
+    assert_equal "Bitwarden Secrets Manager CLI is not installed", error.message
+  end
+
+  private
+    def stub_login
+      stub_ticks.with("bws run 'echo OK'").returns("OK")
+    end
+
+    def run_command(*command)
+      stdouted do
+        Kamal::Cli::Secrets.start \
+          [ *command,
+            "--adapter", "bitwarden-sm" ]
+      end
+    end
+end
--- a/test/secrets_test.rb
+++ b/test/secrets_test.rb
@@ -20,6 +20,20 @@ class SecretsTest < ActiveSupport::TestCase
    end
  end

+  test "env references" do
+    with_test_secrets("secrets" => "SECRET1=$SECRET1") do
+      ENV["SECRET1"] = "ABC"
+      assert_equal "ABC", Kamal::Secrets.new["SECRET1"]
+    end
+  end
+
+  test "secrets file value overrides env" do
+    with_test_secrets("secrets" => "SECRET1=DEF") do
+      ENV["SECRET1"] = "ABC"
+      assert_equal "DEF", Kamal::Secrets.new["SECRET1"]
+    end
+  end
+
  test "destinations" do
    with_test_secrets("secrets.dest" => "SECRET=DEF", "secrets" => "SECRET=ABC", "secrets-common" => "SECRET=GHI\nSECRET2=JKL") do
      assert_equal "ABC", Kamal::Secrets.new["SECRET"]