const expect = require('expect.js');
const AWS = require('aws-sdk-mock');
const crypto = require('crypto');
const helpers = require('../../helpers');
const SyncSsmParameterSecrets = require('../../../lib/service/actions/sync-ssm-parameter-secrets');
describe('Action:SyncSsmParameterSecrets', function () {
  afterEach(helpers.afterEach);

  // Fixture helpers shared by the cases below.
  //
  // Assets are keyed by md5(secret id); this matches the `hashedId` the action
  // is expected to emit in its patch paths (asserted in the first case). The
  // digest is only a map key / path segment here, not a security control.
  const hashId = (id) => crypto.createHash('md5').update(id).digest('hex');

  // A secret as it arrives in the payload; `value` is the base64 ciphertext.
  const buildSecret = (container, name, value) => ({
    id: `${container}/${name}`,
    scope: 'app',
    container,
    name,
    value,
  });

  // The stored-asset record for a secret already synced to SSM.
  const toAsset = (secret, arn, prefix) => ({
    id: secret.id,
    hashedId: hashId(secret.id),
    arn,
    path: `${prefix}/${secret.id}`,
    name: secret.name,
    container: secret.container,
  });

  /* Exercises add and remove in a single run. The action is awkward to split
     for testing, so one secret exists only in the stored assets (expected to
     be deleted) and one is carried in the payload (expected to be decrypted
     via KMS and written to SSM). */
  it('should add and remove secrets', (done) => {
    const prefix = '/briareus/abc';
    const encryptedValue = 'encrypted';
    const decryptedValue = 'decrypted';
    const ciphertextB64 = Buffer.from(encryptedValue).toString('base64');

    // In assets but not in payload.secrets -> should produce a remove patch.
    const oldSecret = buildSecret('web', 'API_KEY', ciphertextB64);
    // In payload.secrets -> should be decrypted, written, and produce an add patch.
    const inUseSecret = buildSecret('web', 'PASSWORD', ciphertextB64);
    const oldSecretHashedId = hashId(oldSecret.id);
    const inUseSecretHashedId = hashId(inUseSecret.id);

    const payload = {
      id: 'abc',
      kmsKeyArn: 'arn:key:1',
      ssmParameterScopePrefix: prefix,
      awsAccountId: '123',
      assets: {
        ssmParameters: {
          [oldSecretHashedId]: toAsset(oldSecret, 'arn:parameter/secret/a', prefix),
          [inUseSecretHashedId]: toAsset(inUseSecret, 'arn:parameter/secret/b', prefix),
        },
      },
      secrets: [inUseSecret],
    };

    AWS.mock('KMS', 'decrypt', (params, cb) => {
      // NOTE(review): Buffer.from copies a Buffer and decodes a string, so this
      // check passes whether the action passes raw bytes or the base64 string
      // as CiphertextBlob; it does not pin the argument type.
      const ciphertext = Buffer.from(params.CiphertextBlob, 'base64').toString('utf8');
      expect(ciphertext).to.equal(encryptedValue);
      cb(null, { Plaintext: Buffer.from(decryptedValue, 'utf8') });
    });

    AWS.mock('SSM', 'putParameter', (params, cb) => {
      // The security-relevant assertions: the decrypted value must be stored
      // as a SecureString under the payload's KMS key, at the scoped path.
      expect(params.Name).to.equal(`${payload.ssmParameterScopePrefix}/${inUseSecret.id}`);
      expect(params.Type).to.equal('SecureString');
      expect(params.Value).to.equal(decryptedValue);
      expect(params.KeyId).to.equal(payload.kmsKeyArn);
      cb(null, {});
    });

    AWS.mock('SSM', 'deleteParameters', (params, cb) => {
      // Only the secret that disappeared from payload.secrets is removed.
      expect(params.Names).to.eql([`${payload.ssmParameterScopePrefix}/${oldSecret.id}`]);
      cb(null, {});
    });

    SyncSsmParameterSecrets({}, payload, (err, patches) => {
      expect(err).to.equal(null);
      expect(patches.length).to.equal(2);
      const [addPatch, removePatch] = patches;

      // NOTE(review): the expected ARN fixes the region to us-east-1; confirm
      // this reflects the action's intended configuration rather than a
      // hard-coded region.
      expect(addPatch).to.eql({
        op: 'add',
        path: `/assets/ssmParameters/${inUseSecretHashedId}`,
        value: {
          id: inUseSecret.id,
          hashedId: inUseSecretHashedId,
          arn: `arn:aws:ssm:us-east-1:${payload.awsAccountId}:parameter${payload.ssmParameterScopePrefix}/${inUseSecret.id}`,
          path: `${payload.ssmParameterScopePrefix}/${inUseSecret.id}`,
          name: inUseSecret.name,
          container: inUseSecret.container,
        },
      });
      expect(removePatch).to.eql({ op: 'remove', path: `/assets/ssmParameters/${oldSecretHashedId}` });
      done();
    });
  });

  it('should not try to sync parameters when there are none to sync', (done) => {
    const payload = {
      assets: { ssmParameters: {} },
      secrets: [],
    };

    // With no stored assets and no incoming secrets, any AWS call is a failure:
    // nothing should be decrypted, written or deleted.
    const failIfCalled = (params, cb) => {
      expect(true).to.equal(false);
    };
    AWS.mock('KMS', 'decrypt', failIfCalled);
    AWS.mock('SSM', 'putParameter', failIfCalled);
    AWS.mock('SSM', 'deleteParameters', failIfCalled);

    SyncSsmParameterSecrets({}, payload, (err, patches) => {
      expect(err).to.equal(null);
      expect(patches.length).to.equal(0);
      done();
    });
  });
});