metis/pkg/secrets/vault_test.go


package secrets
import (
"context"
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
)
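// TestFetchNodeReturnsData checks that FetchNode, configured with a static
// token, decodes the nested data.data envelope served for node "n1" into the
// SSHPassword, K3sToken and CloudInit fields.
//
// The stub only releases the fixture secrets when the request carries the
// configured token. Without that check the test would also pass for a client
// that sent no credential at all. The AppRole test in this file shows the
// client presenting its token in X-Vault-Token, so the static token is
// expected in the same header.
func TestFetchNodeReturnsData(t *testing.T) {
	const wantToken = "tok"

	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/v1/secret/data/nodes/n1" {
			http.NotFound(w, r)
			return
		}
		// The handler runs on the server's goroutine: report with Errorf
		// (Fatalf/FailNow are only valid on the test goroutine) and answer
		// 403 so an unauthenticated request never receives the secrets.
		if got := r.Header.Get("X-Vault-Token"); got != wantToken {
			t.Errorf("X-Vault-Token = %q, want %q", got, wantToken)
			http.Error(w, "permission denied", http.StatusForbidden)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		// Encode errors are ignored on purpose: a broken response surfaces
		// as a FetchNode failure below.
		_ = json.NewEncoder(w).Encode(map[string]any{
			"data": map[string]any{
				"data": map[string]any{
					"ssh_password": "p1",
					"k3s_token":    "t1",
					"cloud_init":   "ci",
				},
			},
		})
	}))
	defer srv.Close()

	c := &Client{Addr: srv.URL, Token: wantToken}
	sec, err := c.FetchNode(context.Background(), "n1")
	if err != nil {
		t.Fatalf("fetch: %v", err)
	}
	if sec.SSHPassword != "p1" || sec.K3sToken != "t1" || sec.CloudInit != "ci" {
		t.Fatalf("unexpected secrets: %+v", sec)
	}
}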
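// TestApproRoleLogin checks that a Client configured with RoleID/SecretID and
// no static token first calls the AppRole login endpoint and then presents
// the returned client_token in X-Vault-Token when reading the node secret.
// (The name keeps its original spelling so existing -run filters still match.)
func TestApproRoleLogin(t *testing.T) {
	const issuedToken = "newtoken"

	// The handler runs on the server's goroutine, so the "login happened"
	// signal is passed over a buffered channel instead of a shared bool,
	// which would be an unsynchronised write/read pair.
	loginSeen := make(chan struct{}, 1)

	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.URL.Path {
		case "/v1/auth/approle/login":
			// NOTE(review): the request body is not inspected, so this test
			// still passes if RoleID/SecretID are never sent. Consider
			// decoding it once the client's wire format is confirmed.
			select {
			case loginSeen <- struct{}{}:
			default: // already recorded; repeated logins must not block the handler
			}
			w.Header().Set("Content-Type", "application/json")
			_ = json.NewEncoder(w).Encode(map[string]any{
				"auth": map[string]any{
					"client_token": issuedToken,
				},
			})
		case "/v1/secret/data/nodes/n1":
			// Fatalf/FailNow may only be called from the test goroutine.
			// From a handler, record the failure with Errorf and deny the
			// request, so the client sees an error rather than secret data.
			if r.Header.Get("X-Vault-Token") != issuedToken {
				t.Errorf("missing token after approle login")
				http.Error(w, "permission denied", http.StatusForbidden)
				return
			}
			w.Header().Set("Content-Type", "application/json")
			_ = json.NewEncoder(w).Encode(map[string]any{
				"data": map[string]any{
					"data": map[string]any{},
				},
			})
		default:
			http.NotFound(w, r)
		}
	}))
	defer srv.Close()

	c := &Client{Addr: srv.URL, RoleID: "r", SecretID: "s", Client: srv.Client()}
	if _, err := c.FetchNode(context.Background(), "n1"); err != nil {
		t.Fatalf("fetch with approle: %v", err)
	}

	select {
	case <-loginSeen:
	default:
		t.Fatalf("approle login not called")
	}
}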