Merge branch 'main' into gcp_secret_manager_adapter

test/secrets/aws_secrets_manager_adapter_test.rb

@@ -1,6 +1,35 @@
 require "test_helper"
 
 class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
+  test "fails when errors are present" do
+    stub_ticks.with("aws --version 2> /dev/null")
+    stub_ticks
+      .with("aws secretsmanager batch-get-secret-value --secret-id-list unknown1 unknown2 --profile default")
+      .returns(<<~JSON)
+        {
+          "SecretValues": [],
+          "Errors": [
+            {
+                "SecretId": "unknown1",
+                "ErrorCode": "ResourceNotFoundException",
+                "Message": "Secrets Manager can't find the specified secret."
+            },
+            {
+                "SecretId": "unknown2",
+                "ErrorCode": "ResourceNotFoundException",
+                "Message": "Secrets Manager can't find the specified secret."
+            }
+          ]
+        }
+      JSON
+
+    error = assert_raises RuntimeError do
+      JSON.parse(shellunescape(run_command("fetch", "unknown1", "unknown2")))
+    end
+
+    assert_equal [ "unknown1: Secrets Manager can't find the specified secret.", "unknown2: Secrets Manager can't find the specified secret." ].join(" "), error.message
+  end
+
   test "fetch" do
     stub_ticks.with("aws --version 2> /dev/null")
     stub_ticks
@@ -44,6 +73,48 @@ class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
     assert_equal expected_json, json
   end
 
+  test "fetch with string value" do
+    stub_ticks.with("aws --version 2> /dev/null")
+    stub_ticks
+      .with("aws secretsmanager batch-get-secret-value --secret-id-list secret secret2/KEY1 --profile default")
+      .returns(<<~JSON)
+        {
+          "SecretValues": [
+            {
+              "ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret",
+              "Name": "secret",
+              "VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv",
+              "SecretString": "a-string-secret",
+              "VersionStages": [
+                  "AWSCURRENT"
+              ],
+              "CreatedDate": "2024-01-01T00:00:00.000000"
+            },
+            {
+              "ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret2",
+              "Name": "secret2",
+              "VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv",
+              "SecretString": "{\\"KEY2\\":\\"VALUE2\\"}",
+              "VersionStages": [
+                  "AWSCURRENT"
+              ],
+              "CreatedDate": "2024-01-01T00:00:00.000000"
+            }
+          ],
+          "Errors": []
+        }
+      JSON
+
+    json = JSON.parse(shellunescape(run_command("fetch", "secret", "secret2/KEY1")))
+
+    expected_json = {
+      "secret"=>"a-string-secret",
+      "secret2/KEY2"=>"VALUE2"
+    }
+
+    assert_equal expected_json, json
+  end
+
   test "fetch with secret names" do
     stub_ticks.with("aws --version 2> /dev/null")
     stub_ticks

test/secrets/bitwarden_secrets_manager_adapter_test.rb

@@ -0,0 +1,119 @@
+require "test_helper"
+
+class BitwardenSecretsManagerAdapterTest < SecretAdapterTestCase
+  test "fetch with no parameters" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+
+    error = assert_raises RuntimeError do
+      (shellunescape(run_command("fetch")))
+    end
+    assert_equal("You must specify what to retrieve from Bitwarden Secrets Manager", error.message)
+  end
+
+  test "fetch all" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks
+      .with("bws secret list -o env")
+      .returns("KAMAL_REGISTRY_PASSWORD=\"some_password\"\nMY_OTHER_SECRET=\"my=weird\"secret\"")
+
+    expected = '{"KAMAL_REGISTRY_PASSWORD":"some_password","MY_OTHER_SECRET":"my\=weird\"secret"}'
+    actual = shellunescape(run_command("fetch", "all"))
+    assert_equal expected, actual
+  end
+
+  test "fetch all with from" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks
+      .with("bws secret list -o env 82aeb5bd-6958-4a89-8197-eacab758acce")
+      .returns("KAMAL_REGISTRY_PASSWORD=\"some_password\"\nMY_OTHER_SECRET=\"my=weird\"secret\"")
+
+    expected = '{"KAMAL_REGISTRY_PASSWORD":"some_password","MY_OTHER_SECRET":"my\=weird\"secret"}'
+    actual = shellunescape(run_command("fetch", "all", "--from", "82aeb5bd-6958-4a89-8197-eacab758acce"))
+    assert_equal expected, actual
+  end
+
+  test "fetch item" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks
+      .with("bws secret get -o env 82aeb5bd-6958-4a89-8197-eacab758acce")
+      .returns("KAMAL_REGISTRY_PASSWORD=\"some_password\"")
+
+    expected = '{"KAMAL_REGISTRY_PASSWORD":"some_password"}'
+    actual = shellunescape(run_command("fetch", "82aeb5bd-6958-4a89-8197-eacab758acce"))
+    assert_equal expected, actual
+  end
+
+  test "fetch with multiple items" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks
+      .with("bws secret get -o env 82aeb5bd-6958-4a89-8197-eacab758acce")
+      .returns("KAMAL_REGISTRY_PASSWORD=\"some_password\"")
+    stub_ticks
+      .with("bws secret get -o env 6f8cdf27-de2b-4c77-a35d-07df8050e332")
+      .returns("MY_OTHER_SECRET=\"my=weird\"secret\"")
+
+    expected = '{"KAMAL_REGISTRY_PASSWORD":"some_password","MY_OTHER_SECRET":"my\=weird\"secret"}'
+    actual = shellunescape(run_command("fetch", "82aeb5bd-6958-4a89-8197-eacab758acce", "6f8cdf27-de2b-4c77-a35d-07df8050e332"))
+    assert_equal expected, actual
+  end
+
+  test "fetch all empty" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks_with("bws secret list -o env", succeed: false).returns("Error:\n0: Received error message from server")
+
+    error = assert_raises RuntimeError do
+      (shellunescape(run_command("fetch", "all")))
+    end
+    assert_equal("Could not read secrets from Bitwarden Secrets Manager", error.message)
+  end
+
+  test "fetch nonexistent item" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_login
+    stub_ticks_with("bws secret get -o env 82aeb5bd-6958-4a89-8197-eacab758acce", succeed: false)
+      .returns("ERROR (RuntimeError): Could not read 82aeb5bd-6958-4a89-8197-eacab758acce from Bitwarden Secrets Manager")
+
+    error = assert_raises RuntimeError do
+      (shellunescape(run_command("fetch", "82aeb5bd-6958-4a89-8197-eacab758acce")))
+    end
+    assert_equal("Could not read 82aeb5bd-6958-4a89-8197-eacab758acce from Bitwarden Secrets Manager", error.message)
+  end
+
+  test "fetch with no access token" do
+    stub_ticks.with("bws --version 2> /dev/null")
+    stub_ticks_with("bws run 'echo OK'", succeed: false)
+
+    error = assert_raises RuntimeError do
+      (shellunescape(run_command("fetch", "all")))
+    end
+    assert_equal("Could not authenticate to Bitwarden Secrets Manager. Did you set a valid access token?", error.message)
+  end
+
+  test "fetch without CLI installed" do
+    stub_ticks_with("bws --version 2> /dev/null", succeed: false)
+
+    error = assert_raises RuntimeError do
+      shellunescape(run_command("fetch"))
+    end
+    assert_equal "Bitwarden Secrets Manager CLI is not installed", error.message
+  end
+
+  private
+    def stub_login
+      stub_ticks.with("bws run 'echo OK'").returns("OK")
+    end
+
+    def run_command(*command)
+      stdouted do
+        Kamal::Cli::Secrets.start \
+          [ *command,
+            "--adapter", "bitwarden-sm" ]
+      end
+    end
+end