Migrate tests to named_run_list

Author: taylorific

cookbooks/boxcutter_onepassword/Policyfile.rb

@@ -11,7 +11,12 @@
 default_source :chef_repo, '../'
 
 # run_list: chef-client will run these recipes in the order specified.
-run_list 'boxcutter_ohai', 'boxcutter_init', 'boxcutter_onepassword_test'
+run_list 'boxcutter_ohai', 'boxcutter_init', 'boxcutter_onepassword_test::cli'
+named_run_list 'boxcutter_onepassword_test_cli', 'boxcutter_ohai', 'boxcutter_init', 'boxcutter_onepassword_test::cli'
+named_run_list 'boxcutter_onepassword_test_service_account', 'boxcutter_ohai', 'boxcutter_init',
+               'boxcutter_onepassword_test::service_account'
+named_run_list 'boxcutter_onepassword_test_connect_server', 'boxcutter_ohai', 'boxcutter_init',
+               'boxcutter_onepassword_test::connect_server'
 
 # Specify a custom source for a single cookbook:
 cookbook 'boxcutter_onepassword', path: '.'

cookbooks/boxcutter_onepassword/kitchen.yml

@@ -30,14 +30,14 @@ verifier:
 platforms:
   # @see https://github.com/chef-cookbooks/testing_examples/blob/main/kitchen.dokken.yml
   # @see https://hub.docker.com/u/dokken
-  - name: ubuntu-20.04
+  - name: ubuntu-22.04
     driver:
-      image: boxcutter/dokken-ubuntu-20.04
+      image: boxcutter/dokken-ubuntu-22.04
       pid_one_command: /bin/systemd
 
-  - name: ubuntu-22.04
+  - name: ubuntu-24.04
     driver:
-      image: boxcutter/dokken-ubuntu-22.04
+      image: boxcutter/dokken-ubuntu-24.04
       pid_one_command: /bin/systemd
 
   - name: centos-stream-9
@@ -51,21 +51,57 @@ platforms:
         - RUN rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
 
 suites:
-  - name: default
-    # run_list set in Policyfile.rb, this does nothing
-    # run_list:
-    #   - recipe[boxcutter_ohai]
-    #   - recipe[boxcutter_init]
-    #   - recipe[boxcutter_onepassword::default]
+  - name: cli
+    named_run_list: boxcutter_onepassword_test_cli
     verifier:
       inspec_tests:
-        - test/integration/default
+        - test/integration/cli
+    attributes:
+
+  - name: service-account
+    named_run_list: boxcutter_onepassword_test_service_account
+    verifier:
+      inspec_tests:
+        - test/integration/cli
     attributes:
     lifecycle:
+      # op item get 'Service Account Auth Token: automation-org-readonly-blue' --vault Automation-Org --account PB5KE5S2ORAQTDUOLBDJTLAPVU
+      # op item get mzqlddelxv6oe7dfz3vc7iad7m --vault Automation-Org --account PB5KE5S2ORAQTDUOLBDJTLAPVU --format json
+      # export OP_SERVICE_ACCOUNT_TOKEN=$(op read 'op://Automation-Org/mzqlddelxv6oe7dfz3vc7iad7m/credential' --account PB5KE5S2ORAQTDUOLBDJTLAPVU)
       pre_converge:
         - remote: |
             bash -xc '
               set +x
-              echo "<%= ENV['OP_SERVICE_ACCOUNT_TOKEN'] %>" > /opt/kitchen/op_service_account_token
+              mkdir -p /etc/cinc
+              ln -s /etc/cinc /etc/chef
+              echo "<%= ENV['OP_SERVICE_ACCOUNT_TOKEN'] %>" > /etc/chef/op_service_account_token
               set -x
             '
+
+  - name: connect-server
+    named_run_list: boxcutter_onepassword_test_connect_server
+    verifier:
+      inspec_tests:
+        - test/integration/cli
+    attributes:
+    lifecycle:
+      # op item get 'Service Account Auth Token: automation-org-readonly-blue' --vault Automation-Org --account PB5KE5S2ORAQTDUOLBDJTLAPVU
+      # op item get mzqlddelxv6oe7dfz3vc7iad7m --vault Automation-Org --account PB5KE5S2ORAQTDUOLBDJTLAPVU --format json
+      # export OP_SERVICE_ACCOUNT_TOKEN=$(op read 'op://Automation-Org/mzqlddelxv6oe7dfz3vc7iad7m/credential' --account PB5KE5S2ORAQTDUOLBDJTLAPVU)
+      #
+      # op item get 'sandbox-connect-server Access Token: sandbox-rw-blue' --vault Automation-Org --account PB5KE5S2ORAQTDUOLBDJTLAPVU
+      # op item get nuhhhrxxzz4cjmssx3226ejfzm --vault Automation-Org --account PB5KE5S2ORAQTDUOLBDJTLAPVU --format json
+      # export OP_CONNECT_TOKEN=$(op read 'op://Automation-Org/nuhhhrxxzz4cjmssx3226ejfzm/credential' --account PB5KE5S2ORAQTDUOLBDJTLAPVU)
+      #
+      # export OP_CONNECT_HOST=http://localhost:8080
+      pre_converge:
+        - remote: |
+            bash -xc '
+              set +x
+              mkdir -p /etc/cinc
+              ln -s /etc/cinc /etc/chef
+              echo "<%= ENV['OP_CONNECT_HOST'] %>" > /etc/chef/op_connect_host
+              echo "<%= ENV['OP_CONNECT_TOKEN'] %>" > /etc/chef/op_connect_token
+              echo "<%= ENV['OP_SERVICE_ACCOUNT_TOKEN'] %>" > /etc/chef/op_service_account_token
+              set -x
+            '

cookbooks/boxcutter_onepassword/kitchen_digitalocean.yml

@@ -18,6 +18,17 @@
 
 connect_server_username = 'opuser'
 
+node.default['fb_users']['users']['opuser'] = {
+  'action' => :add,
+  'home' => '/home/opuser',
+  'shell' => '/bin/bash',
+}
+
+node.default['fb_users']['groups']['opuser'] = {
+  'members' => ['opuser'],
+  'action' => :add,
+}
+
 include_recipe 'boxcutter_docker'
 
 node.default['fb_users']['groups']['docker']['members'] << 'opuser'

cookbooks/boxcutter_onepassword/policyfiles/connect_server.rb

@@ -15,13 +15,13 @@
   case node['kernel']['machine']
   when 'x86_64', 'amd64'
     package_info = {
-      'url' => 'https://cache.agilebits.com/dist/1P/op2/pkg/v2.27.0/op_linux_amd64_v2.27.0.zip',
-      'checksum' => 'e076905292bba0d6e459353f89fd1d29b626f37e610ee56299bcf8c9201e0405',
+      'url' => 'https://cache.agilebits.com/dist/1P/op2/pkg/v2.30.3/op_linux_amd64_v2.30.3.zip',
+      'checksum' => 'a16307ebcecb40fd091d7a6ff4f0c380c3c0897c4f4616de2c5d285e57d5ee28',
     }
   when 'aarch64', 'arm64'
     package_info = {
-      'url' => 'https://cache.agilebits.com/dist/1P/op2/pkg/v2.27.0/op_linux_arm64_v2.27.0.zip',
-      'checksum' => '3ee60ec19020fb2bb43c3a73a2aa1988d85dd651eedb195b72d555f329737502',
+      'url' => 'https://cache.agilebits.com/dist/1P/op2/pkg/v2.30.3/op_linux_arm64_v2.30.3.zip',
+      'checksum' => '39bd361b2cd4819ea757583624eeda33f6062ba5ccfc2b90ad0764aed94cd1c4',
     }
   end
 

cookbooks/boxcutter_onepassword/recipes/connect_server.rb

@@ -1,6 +1,6 @@
 #
 # Cookbook:: boxcutter_onepassword_test
-# Recipe:: default
+# Recipe:: cli
 #
 
 include_recipe 'boxcutter_onepassword::cli'

cookbooks/boxcutter_onepassword/recipes/user.rb

@@ -3,8 +3,20 @@
 # Recipe:: connect_server
 #
 
-puts 'MISCHA: connect_server'
-include_recipe 'boxcutter_onepassword::user'
+# Configuring credentials in 1Password.com
+# 1. Sign into your account on 1Password.com.
+# 2. Select "Developer" from the sidebar.
+# 3. In "From" at the top, choose "Infrastructure Secrets Management > Other"
+# 4. Select "Create a Connect server"
+#
+# Set up an environment:
+#   Environment Name: sandbox-connect-server
+#   Vaults: Automation-Org / Read
+#           Sandbox / Read-Write
+# Set up an access token:
+#   Token Name: sandbox-rw-blue
+#   Vaults: Automation-Org / Read
+#           Sandbox / Read-Write
 
 # 'sandbox-connect-server Credentials File', 'Automation-Org'
 # op document get 'sandbox-connect-server Credentials File' --vault Automation-Org
@@ -14,13 +26,25 @@
   'Automation-Org'
 include_recipe 'boxcutter_onepassword::connect_server'
 
-# stuff = Boxcutter::OnePassword.op_read('op://Automation-Org/nexus admin blue/password', 'connect_server')
-# puts "MISCHA: stuff=#{stuff}"
-
-# op item get 'sandbox-connect-server Access Token: sandbox-connect-server-access-token' --vault Automation-Org
-# op item get 7etjvtlft4u4wlbkxvprahvmzq --vault Automation-Org --format json
-# op read 'op://Automation-Org/7etjvtlft4u4wlbkxvprahvmzq/credential'
-# item = Boxcutter::OnePassword.op_read('op://Automation-Org/7etjvtlft4u4wlbkxvprahvmzq/credential')
+# There's no great ways to test these runtime functions that I know of.
+# Can't really use chefspec because it installs the 1Password CLI at
+# runtime and we don't want to install tools on the testing host running
+# rspec. So I'm just using the runtime functions to check known keys
+# and raising errors when they don't match.
+#
+# op item get 'craft SSH Key' --vault Automation-Org --format json
+public_key = Boxcutter::OnePassword.op_read('op://Automation-Org/craft SSH Key/public key', 'connect_server')
+if public_key != 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD2y6TEs9+Mc6FRUbRBDsb+6a3erlYnv39IDge7LxIvI' \
+  'A1/XH5+6ChbQykSyge9gxZFlnVg92nvN82E+B5DKik9HUvkrN4CSOyOUb2ggkMXLLzHJFI29LjU3HruX7' \
+  'DHIHwyJz2mZT9LDqBVX+/urAuRFRPe9hp4eHC0upWijgp2TmV+ghOOY7R8LxmuUbaG/QaxxXGVcYffmC5' \
+  'kzalmOqqcEPue0JfHmWu/QdmMWEjrbVjZevjhLy7rb00hLWeDleURjK8OqupBGAHu16g50QFFXGs1TfzY' \
+  'TFll2Ehy28ZL7gxKObHsJREyn+5eP9lrU4dcZqQZHb/aUUgAOAdYP0ZosUrXBqwf9Rcnck9U+dC8a8WY8' \
+  'ibQvFJ5vtMsDDQhrUlPPAgVJpXf6BAhB+VH1SHBfDFBHOcv6w50/AlJUze6GXYZ6CQOF1K5CsoEInuiD5' \
+  'SJCmDt92/2v5+EIe4GLPRKzed896CMgfRPfam59KzeaeNUNf5E1RMmPGbPleZMMa4yx5DpSkDvrXTalbT' \
+  'DP1SYvrSLiHrFdl97XGx9nmF8yFUlDS+CrJK/W3eT9pt7qvR7FDIBI//HmFtICIkP5pu3gi978QHo5VYe' \
+  'w6p4LPNVJ47LYU6yBfy3DVZv42y13EHlqxQXw0S3FT/t6Vb/y45h8FvAY0eMgU1cyN7KHP9Y1w=='
+  fail 'Unable to read "craft SSH Key" - did you remember to set OP_CONNECT_TOKEN?'
+end
 
 # export OP_API_TOKEN="<token>"
 # curl \
@@ -31,4 +55,4 @@
 # export OP_CONNECT_TOKEN=<token>
 # export OP_CONNECT_HOST=http://localhost:8080
 # op vault list <-- won't work
-# op read 'op://Automation-Org/nexus admin blue/password'
+# op read 'op://Automation-Org/craft SSH Key/public key'