From c065ceb1f07f2947e03fc57e2bd94e6fad1d5136 Mon Sep 17 00:00:00 2001 From: decentral1se Date: Mon, 25 Sep 2023 10:33:15 +0200 Subject: [PATCH] test: secret generation & --offline/chaos handling tests --- tests/integration/app_deploy.bats | 7 +- tests/integration/app_new.bats | 98 ++++++++++++++-- tests/integration/app_secret.bats | 173 +++++++++++++++++++++++++++-- tests/integration/helpers/app.bash | 14 +++ 4 files changed, 273 insertions(+), 19 deletions(-) diff --git a/tests/integration/app_deploy.bats b/tests/integration/app_deploy.bats index ed705362..7769ab71 100644 --- a/tests/integration/app_deploy.bats +++ b/tests/integration/app_deploy.bats @@ -86,7 +86,10 @@ teardown(){ run $ABRA app deploy "$TEST_APP_DOMAIN" --no-input --no-converge-checks assert_success - _reset_recipe "$TEST_RECIPE" + run git -C "$ABRA_DIR/recipes/$TEST_RECIPE" status + refute_output --partial 'behind 3' + + _reset_recipe _undeploy_app } @@ -107,7 +110,7 @@ teardown(){ assert_output --partial 'behind 3' _undeploy_app - _reset_recipe "$TEST_RECIPE" + _reset_recipe } # bats test_tags=slow diff --git a/tests/integration/app_new.bats b/tests/integration/app_new.bats index 4ce67680..4f8985ed 100644 --- a/tests/integration/app_new.bats +++ b/tests/integration/app_new.bats @@ -7,20 +7,17 @@ setup_file(){ } teardown_file(){ - _rm_app _rm_server } setup(){ load "$PWD/tests/integration/helpers/common" _common_setup + _fetch_recipe } teardown(){ - # https://github.com/bats-core/bats-core/issues/383#issuecomment-738628888 - if [[ -z "${BATS_TEST_COMPLETED}" ]]; then - _undeploy_app - fi + _rm_app } @test "create new app" { @@ -30,8 +27,6 @@ teardown(){ --domain "$TEST_APP_DOMAIN" assert_success assert_exists "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env" - - _rm_app } @test "does not overwrite existing env files" { 
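Review bot: The added `refute_output --partial 'behind 3'` in the first app_deploy.bats hunk follows `run git -C "$ABRA_DIR/recipes/$TEST_RECIPE" status` with no status check, so it also passes when `git status` itself fails, because an error message does not contain 'behind 3' either. Add `assert_success` between the two lines so the negative assertion is only evaluated against real `git status` output. The same run-then-refute pair appears in the app_new.bats test "ensure recipe up to date if no --offline". The test body starts outside this hunk.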
@@ -43,8 +38,93 @@ teardown(){ --domain "$TEST_APP_DOMAIN" assert_failure assert_output --partial 'already exists' +} - _rm_app +@test "bail if unstaged changes and no --chaos" { + run bash -c "echo foo >> $ABRA_DIR/recipes/$TEST_RECIPE/foo" + assert_success + assert_exists "$ABRA_DIR/recipes/$TEST_RECIPE/foo" + + run git -C "$ABRA_DIR/recipes/$TEST_RECIPE" status + assert_success + assert_output --partial 'foo' + + run $ABRA app new "$TEST_RECIPE" \ + --no-input \ + --server "$TEST_SERVER" \ + --domain "$TEST_APP_DOMAIN" + assert_failure + assert_output --partial 'locally unstaged changes' + + run rm -rf "$ABRA_DIR/recipes/$TEST_RECIPE/foo" + assert_not_exists "$ABRA_DIR/recipes/$TEST_RECIPE/foo" +} + +@test "do not bail if unstaged changes and --chaos" { + run bash -c 'echo "unstaged changes" >> "$ABRA_DIR/recipes/$TEST_RECIPE/foo"' + assert_success + assert_exists "$ABRA_DIR/recipes/$TEST_RECIPE/foo" + + run git -C "$ABRA_DIR/recipes/$TEST_RECIPE" status + assert_success + assert_output --partial 'foo' + + run $ABRA app new "$TEST_RECIPE" \ + --no-input \ + --chaos \ + --server "$TEST_SERVER" \ + --domain "$TEST_APP_DOMAIN" \ + --secrets + assert_success + assert_exists "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env" + + run rm -rf "$ABRA_DIR/recipes/$TEST_RECIPE/foo" + assert_not_exists "$ABRA_DIR/recipes/$TEST_RECIPE/foo" +} + +@test "ensure recipe up to date if no --offline" { + run git -C "$ABRA_DIR/recipes/$TEST_RECIPE" reset --hard HEAD~3 + assert_success + + run git -C "$ABRA_DIR/recipes/$TEST_RECIPE" status + assert_output --partial 'behind 3' + + run $ABRA app new "$TEST_RECIPE" \ + --no-input \ + --server "$TEST_SERVER" \ + --domain "$TEST_APP_DOMAIN" \ + --secrets + assert_success + assert_exists "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env" + + run git -C "$ABRA_DIR/recipes/$TEST_RECIPE" status + refute_output --partial 'behind 3' + + _reset_recipe +} + +@test "ensure recipe not up to date if --offline" { + run git -C 
"$ABRA_DIR/recipes/$TEST_RECIPE" reset --hard HEAD~3 + assert_success + + run git -C "$ABRA_DIR/recipes/$TEST_RECIPE" status + assert_output --partial 'behind 3' + + # NOTE(d1): need to use --chaos to force same commit + run $ABRA app new "$TEST_RECIPE" \ + --no-input \ + --offline \ + --chaos \ + --server "$TEST_SERVER" \ + --domain "$TEST_APP_DOMAIN" \ + --secrets + assert_success + assert_exists "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env" + + run git -C "$ABRA_DIR/recipes/$TEST_RECIPE" status + assert_output --partial 'behind 3' + + _reset_recipe } @test "generate secrets" { @@ -54,6 +134,8 @@ teardown(){ --domain "$TEST_APP_DOMAIN" \ --secrets assert_success + assert_output --partial 'generated secrets' + assert_output --partial 'test_password' assert_exists "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env" run $ABRA app secret ls "$TEST_APP_DOMAIN" diff --git a/tests/integration/app_secret.bats b/tests/integration/app_secret.bats index 2f629047..a0297196 100644 --- a/tests/integration/app_secret.bats +++ b/tests/integration/app_secret.bats @@ -5,15 +5,9 @@ setup_file(){ _common_setup _add_server _new_app - - run $ABRA app secret rm "$TEST_APP_DOMAIN" --all - assert_success } teardown_file(){ - run $ABRA app secret rm "$TEST_APP_DOMAIN" --all - assert_success - _rm_app _rm_server } @@ -23,6 +17,9 @@ teardown(){ if [[ -z "${BATS_TEST_COMPLETED}" ]]; then _undeploy_app fi + + # NOTE(d1): teardown secrets from "--secrets" in _new_app + run $ABRA app secret rm "$TEST_APP_DOMAIN" --all } setup(){ 
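Review bot: The `run rm -rf "$ABRA_DIR/recipes/$TEST_RECIPE/foo"` cleanup at the end of "bail if unstaged changes and no --chaos" and "do not bail if unstaged changes and --chaos" is skipped whenever an earlier assertion in the test fails, which leaves the recipe checkout dirty for the tests that run afterwards. Putting `rm -f -- "$ABRA_DIR/recipes/$TEST_RECIPE/foo"` in `teardown()` ahead of `_rm_app` makes it run on every exit path; the trailing `_reset_recipe` calls in the two `HEAD~3` tests have the same exposure. The same in-test cleanup is repeated in the `generate:`, `rm:` and `ls:` bail tests in app_secret.bats. Separately, the first test builds its `bash -c` string in double quotes, so `$ABRA_DIR` is pasted unquoted into the inner command; the single-quoted form used by the second test keeps the path quoted.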
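Review bot: The added `assert_output --partial 'test_password'` in "generate secrets" uses a secret name that the app_secret.bats hunks of this same patch replace with `test_pass_one`, so the two test files appear to disagree about what the test recipe defines. The recipe's config is not visible here; if it now declares `test_pass_one` and `test_pass_two`, this line should become `assert_output --partial 'test_pass_one'`. The test body continues outside the hunk.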
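Review bot: The `run $ABRA app secret rm "$TEST_APP_DOMAIN" --all` added to `teardown()` in app_secret.bats never looks at `$status`, so a failed cleanup is invisible and generated secrets can stay on the test server between tests. The new "rm: bail if unstaged changes and no --chaos" test shows one way this happens: with a dirty recipe checkout this exact command is expected to fail. If ignoring the status is deliberate because some tests remove their own secrets first, say so in the comment, e.g. `# status ignored on purpose: secrets may already be gone`, and consider printing `$output` when `$status` is non-zero so real failures show up in the run log. `teardown()` starts outside this hunk.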
@@ -58,15 +55,147 @@ setup(){ @test "generate: create secrets" { run $ABRA app secret ls "$TEST_APP_DOMAIN" assert_success + assert_output --partial 'test_pass_one' + assert_output --partial 'test_pass_two' + refute_output --partial 'extra_pass' assert_output --partial 'false' + refute_output --partial 'true' run $ABRA app secret generate "$TEST_APP_DOMAIN" --all assert_success + assert_output --partial 'test_pass_one' + assert_output --partial 'test_pass_two' + refute_output --partial 'extra_pass' run $ABRA app secret ls "$TEST_APP_DOMAIN" assert_success + assert_output --partial 'test_pass_one' + assert_output --partial 'test_pass_two' + refute_output --partial 'extra_pass' + refute_output --partial 'false' assert_output --partial 'true' + run docker -c "$TEST_SERVER" secret ls + assert_success + assert_output --partial 'test_pass_one' + assert_output --partial 'test_pass_two' + refute_output --partial 'extra_pass' + + run $ABRA app secret rm "$TEST_APP_DOMAIN" --all + assert_success +} + +@test "generate: broken if missing version" { + run sed -i '/SECRET_TEST_PASS_ONE_VERSION=.*/d' \ + "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env" + assert_success + + run $ABRA app secret generate "$TEST_APP_DOMAIN" --all + assert_failure + assert_output --partial 'missing version' + + _reset_app +} + +@test "generate: use version from app env" { + run sed -i 's/SECRET_TEST_PASS_ONE_VERSION=v1/SECRET_TEST_PASS_ONE_VERSION=v2/g' \ + "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env" + assert_success + + run $ABRA app secret generate "$TEST_APP_DOMAIN" --all + assert_success + assert_output --partial 'test_pass_one' + + run docker -c "$TEST_SERVER" secret ls + assert_success + assert_output --partial "test_pass_one_v2" + refute_output --partial "test_pass_one_v1" + + run $ABRA app secret rm "$TEST_APP_DOMAIN" --all + assert_success + + _reset_app +} + +@test "generate: generate extra secret based on COMPOSE_FILE" { + run sed -i 
's/COMPOSE_FILE="compose.yml"/COMPOSE_FILE="compose.yml:compose.extra_secret.yml"/g' \ + "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env" + assert_success + + run sed -i 's/#SECRET_EXTRA_PASS_VERSION=v1/SECRET_EXTRA_PASS_VERSION=v1/g' \ + "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env" + assert_success + + run $ABRA app secret generate "$TEST_APP_DOMAIN" --all + assert_success + assert_output --partial 'extra_pass' + + run docker -c "$TEST_SERVER" secret ls + assert_success + assert_output --partial "$TEST_APP_DOMAIN_extra_pass_v1" + + run $ABRA app secret rm "$TEST_APP_DOMAIN" --all + assert_success + + _reset_app +} + +@test "generate: bail if unstaged changes and no --chaos" { + run bash -c "echo foo >> $ABRA_DIR/recipes/$TEST_RECIPE/foo" + assert_success + assert_exists "$ABRA_DIR/recipes/$TEST_RECIPE/foo" + + run $ABRA app secret generate "$TEST_APP_DOMAIN" --all + assert_failure + assert_output --partial 'locally unstaged changes' + + run rm -rf "$ABRA_DIR/recipes/$TEST_RECIPE/foo" + assert_not_exists "$ABRA_DIR/recipes/$TEST_RECIPE/foo" +} + +@test "generate: do not generate if not enabled" { + run sed -i '/- test_pass_one/d' "$ABRA_DIR/recipes/$TEST_RECIPE/compose.yml" + assert_success + + run $ABRA app secret generate "$TEST_APP_DOMAIN" --all --chaos + assert_success + refute_output --partial 'test_pass_one' + assert_output --partial 'test_pass_two' + + run $ABRA app secret rm "$TEST_APP_DOMAIN" --all --chaos + assert_success + + _checkout_recipe +} + +@test "generate: ensure secret name uses trimmed stack name" { + # NOTE(d1): 45 chars, to ensure that the app name must be trimmed + testAppDomain="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + + run $ABRA app new "$TEST_RECIPE" \ + --no-input \ + --server "$TEST_SERVER" \ + --domain "$testAppDomain.$TEST_SERVER" \ + --secrets \ + --debug + assert_success + assert_exists "$ABRA_DIR/servers/$TEST_SERVER/$testAppDomain.$TEST_SERVER.env" + assert_output --partial "avoid runtime limits" + + run 
$ABRA app secret rm "$testAppDomain.$TEST_SERVER" --all + assert_success + + run rm -rf "$ABRA_DIR/servers/$TEST_SERVER/$testAppDomain.$TEST_SERVER.env" + assert_success + assert_not_exists "$ABRA_DIR/servers/$TEST_SERVER/$testAppDomain.$TEST_SERVER.env" +} + +@test "generate: secret length honoured" { + run bash -c '$ABRA app secret generate "$TEST_APP_DOMAIN" --all --machine \ + | jq -r ".[] | select(.name==\"test_pass_two\") | .value" | awk "{print length}"' + assert_success + assert_output --partial '10' # NOTE(d1): hardcoded # length=10 in recipe config + run $ABRA app secret rm "$TEST_APP_DOMAIN" --all assert_success } @@ -94,7 +223,7 @@ setup(){ assert_success assert_output --partial 'false' - run $ABRA app secret insert "$TEST_APP_DOMAIN" test_password v1 foo + run $ABRA app secret insert "$TEST_APP_DOMAIN" test_pass_one v1 foo assert_success assert_output --partial 'successfully stored on server' @@ -102,7 +231,7 @@ setup(){ assert_success assert_output --partial 'true' - run $ABRA app secret rm "$TEST_APP_DOMAIN" test_password + run $ABRA app secret rm "$TEST_APP_DOMAIN" test_pass_one assert_success } @@ -119,7 +248,7 @@ setup(){ assert_failure assert_output --partial 'no secret(s) specified' - run $ABRA app secret rm "$TEST_APP_DOMAIN" test_password --all + run $ABRA app secret rm "$TEST_APP_DOMAIN" test_pass_one --all assert_failure assert_output --partial 'cannot use' assert_output --partial "'--all' together" 
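Review bot: Two assertions added in the large app_secret.bats hunk can pass without checking what they claim. In "generate: generate extra secret based on COMPOSE_FILE", `"$TEST_APP_DOMAIN_extra_pass_v1"` is parsed as one variable named `TEST_APP_DOMAIN_extra_pass_v1`, which is presumably unset, so the partial match is against an empty string that any output contains; write `"${TEST_APP_DOMAIN}_extra_pass_v1"`, or `'extra_pass_v1'` if the server-side name is prefixed by a sanitised stack name rather than the raw domain (not visible here). In "generate: secret length honoured", `assert_success` only sees `awk`'s exit status and `--partial '10'` also accepts `100` or `210`, so a failing `abra` call or a wrong secret length can go unnoticed; start the `bash -c` string with `set -o pipefail;` and use `assert_line '10'`.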
@@ -153,6 +282,19 @@ setup(){ assert_output --partial 'false' } +@test "rm: bail if unstaged changes and no --chaos" { + run bash -c "echo foo >> $ABRA_DIR/recipes/$TEST_RECIPE/foo" + assert_success + assert_exists "$ABRA_DIR/recipes/$TEST_RECIPE/foo" + + run $ABRA app secret rm "$TEST_APP_DOMAIN" --all + assert_failure + assert_output --partial 'locally unstaged changes' + + run rm -rf "$ABRA_DIR/recipes/$TEST_RECIPE/foo" + assert_not_exists "$ABRA_DIR/recipes/$TEST_RECIPE/foo" +} + @test "ls: validate arguments" { run $ABRA app secret ls assert_failure @@ -178,3 +320,16 @@ setup(){ run $ABRA app secret rm "$TEST_APP_DOMAIN" --all assert_success } + +@test "ls: bail if unstaged changes and no --chaos" { + run bash -c "echo foo >> $ABRA_DIR/recipes/$TEST_RECIPE/foo" + assert_success + assert_exists "$ABRA_DIR/recipes/$TEST_RECIPE/foo" + + run $ABRA app secret ls "$TEST_APP_DOMAIN" + assert_failure + assert_output --partial 'locally unstaged changes' + + run rm -rf "$ABRA_DIR/recipes/$TEST_RECIPE/foo" + assert_not_exists "$ABRA_DIR/recipes/$TEST_RECIPE/foo" +} diff --git a/tests/integration/helpers/app.bash b/tests/integration/helpers/app.bash index 17dbbc2f..281e4e6a 100644 --- a/tests/integration/helpers/app.bash +++ b/tests/integration/helpers/app.bash @@ -40,3 +40,17 @@ _rm_app() { run $ABRA app remove "$TEST_APP_DOMAIN" --no-input fi } + +_reset_app(){ + run rm -rf "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env" + assert_success + assert_not_exists "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env" + + run $ABRA app new "$TEST_RECIPE" \ + --no-input \ + --server "$TEST_SERVER" \ + --domain "$TEST_APP_DOMAIN" \ + --secrets + assert_success + assert_exists "$ABRA_DIR/servers/$TEST_SERVER/$TEST_APP_DOMAIN.env" +}
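Review bot: `_reset_app` in helpers/app.bash has no header comment, and its `run rm -rf` builds the path from three variables without checking that any of them is set. The target is a single env file, so `run rm -f -- "${ABRA_DIR:?}/servers/${TEST_SERVER:?}/${TEST_APP_DOMAIN:?}.env"` is enough and aborts on an empty variable instead of resolving to a different path. A short comment above the function should say that it deletes the app's env file and recreates the app with `--secrets`, which generates a fresh set of secrets that the caller or `teardown()` has to remove.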