Feat/css

README.md

@@ -44,11 +44,12 @@ See: [Confluence Documentation](https://apps.nrs.gov.bc.ca/int/confluence/x/m4Fv
 
 The following will start up vault in docker. The Vault Sync Tool defaults for the address and token should work with it.
 
-`docker run --rm --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' --name=dev-vault -p 8200:8200 vault`
+`podman run --rm -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' --name=dev-vault -p 8200:8200 vault`
 
 You will need to add an OIDC authentication method to do local testing of group syncs.
 
 ```
+source setenv-local.sh
 vault auth enable oidc
 vault auth enable -path=vs_apps_approle approle
 vault secrets enable -path=apps -version=2 kv

package.json

@@ -21,18 +21,18 @@
   },
   "devDependencies": {
     "@oclif/dev-cli": "^1.26.10",
-    "@types/jest": "^28.1.1",
+    "@types/jest": "^29.2.3",
     "@types/merge-deep": "^3.0.0",
     "@types/node": "^16.11.41",
     "@types/request": "^2.48.8",
     "@typescript-eslint/eslint-plugin": "^5.28.0",
     "@typescript-eslint/parser": "^5.28.0",
     "eslint": "^8.17.0",
     "eslint-config-google": "^0.14.0",
-    "eslint-plugin-jest": "^26.5.3",
-    "jest": "^28.1.1",
+    "eslint-plugin-jest": "^27.1.5",
+    "jest": "^29.3.1",
     "rimraf": "^3.0.2",
-    "ts-jest": "^28.0.5",
+    "ts-jest": "^29.0.3",
     "ts-node": "^10.8.1",
     "typescript": "^4.7.3"
   },

setenv-local.sh

@@ -1,2 +1,2 @@
 export VAULT_ADDR="http://127.0.0.1:8200"
-export VAULT_TOKEN=""
+export VAULT_TOKEN="myroot"

src/commands/approle-sync.spec.ts

@@ -24,8 +24,8 @@ describe('approle sync command', () => {
     // Test command
     await ApproleSync.run(['--vault-addr', 'addr', '--vault-token', 'token']);
 
-    expect(mockBindVault).toBeCalledTimes(1);
-    expect(mockBindVault).toBeCalledWith('addr', 'token');
+    expect(mockBindVault).toHaveBeenCalledTimes(1);
+    expect(mockBindVault).toHaveBeenCalledWith('addr', 'token');
     expect(mockVgcInstance.sync).toHaveBeenCalled();
     expect(stdoutSpy).toHaveBeenCalledWith('Vault Approle Sync\n');
   });

src/commands/group-sync.spec.ts

@@ -24,8 +24,8 @@ describe('group sync command', () => {
     // Test command
     await GroupSync.run(['--vault-addr', 'addr', '--vault-token', 'token']);
 
-    expect(mockBindVault).toBeCalledTimes(1);
-    expect(mockBindVault).toBeCalledWith('addr', 'token');
+    expect(mockBindVault).toHaveBeenCalledTimes(1);
+    expect(mockBindVault).toHaveBeenCalledWith('addr', 'token');
     expect(mockVgcInstance.sync).toHaveBeenCalled();
     expect(stdoutSpy).toHaveBeenCalledWith('Vault Group Sync\n');
   });

src/commands/health.spec.ts

@@ -23,8 +23,8 @@ describe('health command', () => {
     // Test command
     await Health.run(['--vault-addr', 'addr', '--vault-token', 'token']);
 
-    expect(vaultFactory).toBeCalledTimes(1);
-    expect(vaultFactory).toBeCalledWith('addr', 'token');
+    expect(vaultFactory).toHaveBeenCalledTimes(1);
+    expect(vaultFactory).toHaveBeenCalledWith('addr', 'token');
     expect(stdoutSpy).toHaveBeenCalledWith('Vault health - endpoint\n');
     expect(stdoutSpy).toHaveBeenCalledWith('{}\n');
   });

src/commands/init.spec.ts

@@ -23,8 +23,8 @@ describe('init command', () => {
     // Test command
     await Init.run(['--vault-addr', 'addr', '--vault-token', 'token']);
 
-    expect(vaultFactory).toBeCalledTimes(1);
-    expect(vaultFactory).toBeCalledWith('addr', 'token');
+    expect(vaultFactory).toHaveBeenCalledTimes(1);
+    expect(vaultFactory).toHaveBeenCalledWith('addr', 'token');
     expect(stdoutSpy).toHaveBeenCalledWith('Init vault - endpoint (best)\n');
     expect(stdoutSpy).toHaveBeenCalledWith('Already initialized. No action taken.\n');
   });

src/commands/policy-sync.spec.ts

@@ -24,8 +24,8 @@ describe('policy sync command', () => {
     // Test command
     await PolicySync.run(['--vault-addr', 'addr', '--vault-token', 'token']);
 
-    expect(mockBindVault).toBeCalledTimes(1);
-    expect(mockBindVault).toBeCalledWith('addr', 'token');
+    expect(mockBindVault).toHaveBeenCalledTimes(1);
+    expect(mockBindVault).toHaveBeenCalledWith('addr', 'token');
     expect(mockVpcInstance.sync).toHaveBeenCalled();
     expect(mockVpcInstance.sync).toHaveBeenCalledWith([]);
     expect(stdoutSpy).toHaveBeenCalledWith('Vault Policy Sync\n');

src/services/impl/app-file.service.spec.ts

@@ -53,9 +53,9 @@ describe('app-file.service', () => {
   it('reads file once', () => {
     new AppFileService(cs);
     new AppFileService(cs);
-    expect(mockFs.readFileSync).toBeCalledWith(
+    expect(mockFs.readFileSync).toHaveBeenCalledWith(
       expect.stringContaining('applications.json'), {encoding: 'utf8'});
-    expect(mockFs.readFileSync).toBeCalledTimes(1);
+    expect(mockFs.readFileSync).toHaveBeenCalledTimes(1);
   });
 
   it('getAllApps', async () => {
@@ -68,7 +68,7 @@ describe('app-file.service', () => {
         'name': 'APP-TUS',
       }},
     ]);
-    expect(cs.getApps).toBeCalled();
+    expect(cs.getApps).toHaveBeenCalled();
   });
 
   it('getAllApps - config error', async () => {
@@ -82,7 +82,7 @@ describe('app-file.service', () => {
       .rejects
       .toThrow();
 
-    expect(cs.getApps).toBeCalled();
+    expect(cs.getApps).toHaveBeenCalled();
   });
 
   it('getApp - exists', async () => {

src/services/impl/config-file.service.spec.ts

@@ -42,9 +42,9 @@ describe('config-file.service', () => {
   it('reads file once', () => {
     new ConfigFileService();
     new ConfigFileService();
-    expect(mockFs.readFileSync).toBeCalledWith(
+    expect(mockFs.readFileSync).toHaveBeenCalledWith(
       expect.stringContaining('config.json'), {encoding: 'utf8'});
-    expect(mockFs.readFileSync).toBeCalledTimes(1);
+    expect(mockFs.readFileSync).toHaveBeenCalledTimes(1);
   });
 
 

src/services/impl/policy-registration-memory.service.spec.ts

@@ -48,6 +48,6 @@ describe('policy-registration-memory.service', () => {
     await expect(prms.filterPoliciesForUnregistered([], true))
       .rejects
       .toThrow();
-    expect(logger.error).toBeCalled();
+    expect(logger.error).toHaveBeenCalled();
   });
 });

src/util/hcl.util.spec.ts

@@ -23,11 +23,11 @@ describe('hcl util', () => {
     const filePath = path.join('group', 'cool-temp.hcl.tpl');
 
     expect(rVal).toBe('rendered!');
-    expect(mockFs.readFileSync).toBeCalledTimes(1);
-    expect(mockFs.readFileSync).toBeCalledWith(expect.stringContaining(filePath), {encoding: 'utf8'});
+    expect(mockFs.readFileSync).toHaveBeenCalledTimes(1);
+    expect(mockFs.readFileSync).toHaveBeenCalledWith(expect.stringContaining(filePath), {encoding: 'utf8'});
 
-    expect(mockEjs.render).toBeCalledTimes(1);
-    expect(mockEjs.render).toBeCalledWith('template', {data: 'data'});
+    expect(mockEjs.render).toHaveBeenCalledTimes(1);
+    expect(mockEjs.render).toHaveBeenCalledWith('template', {data: 'data'});
   });
 
   it('renderName - renders a name with template', () => {
@@ -40,13 +40,13 @@ describe('hcl util', () => {
     const filePath = path.join('group', 'cool-temp.name.tpl');
 
     expect(rVal).toBe('group/rendered!');
-    expect(mockFs.existsSync).toBeCalledTimes(1);
-    expect(mockFs.existsSync).toBeCalledWith(expect.stringContaining(filePath));
-    expect(mockFs.readFileSync).toBeCalledTimes(1);
-    expect(mockFs.readFileSync).toBeCalledWith(expect.stringContaining(filePath), {encoding: 'utf8'});
+    expect(mockFs.existsSync).toHaveBeenCalledTimes(1);
+    expect(mockFs.existsSync).toHaveBeenCalledWith(expect.stringContaining(filePath));
+    expect(mockFs.readFileSync).toHaveBeenCalledTimes(1);
+    expect(mockFs.readFileSync).toHaveBeenCalledWith(expect.stringContaining(filePath), {encoding: 'utf8'});
 
-    expect(mockEjs.render).toBeCalledTimes(1);
-    expect(mockEjs.render).toBeCalledWith('template', {data: 'data'});
+    expect(mockEjs.render).toHaveBeenCalledTimes(1);
+    expect(mockEjs.render).toHaveBeenCalledWith('template', {data: 'data'});
   });
 
   it('renderName - renders a name without a template', () => {
@@ -57,10 +57,10 @@ describe('hcl util', () => {
     const filePath = path.join('cool-temp.name.tpl');
 
     expect(rVal).toBe('cool-temp');
-    expect(mockFs.existsSync).toBeCalledTimes(1);
-    expect(mockFs.existsSync).toBeCalledWith(expect.stringContaining(filePath));
+    expect(mockFs.existsSync).toHaveBeenCalledTimes(1);
+    expect(mockFs.existsSync).toHaveBeenCalledWith(expect.stringContaining(filePath));
 
-    expect(mockEjs.render).not.toBeCalled();
+    expect(mockEjs.render).not.toHaveBeenCalled();
   });
 
   it('renderApproleName - renders approles', () => {

src/vault/policy-roots/deduplicate.deco.spec.ts

@@ -27,8 +27,8 @@ describe('deduplicate.deco', () => {
 
     // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-assignment
     const rval = await descriptor.value('myargs');
-    expect(value).toBeCalledTimes(1);
-    expect(value).toBeCalledWith('myargs');
+    expect(value).toHaveBeenCalledTimes(1);
+    expect(value).toHaveBeenCalledWith('myargs');
 
     expect(rval).toEqual([{foo: 'bar'}]);
   });

src/vault/policy-roots/impl/app-policy.service.spec.ts

@@ -41,8 +41,8 @@ describe('app-policy.service', () => {
     jest.spyOn(aps, 'buildApplications').mockReturnValue(Promise.resolve([]));
     await aps.build();
 
-    expect(aps.buildApplication).toBeCalledTimes(0);
-    expect(aps.buildApplications).toBeCalledTimes(1);
+    expect(aps.buildApplication).toHaveBeenCalledTimes(0);
+    expect(aps.buildApplications).toHaveBeenCalledTimes(1);
   });
 
   test('sync: buildApplication', async () => {

src/vault/policy-roots/impl/group-policy.service.spec.ts

@@ -28,7 +28,7 @@ describe('group-policy.service', () => {
     jest.spyOn(gps, 'buildGroups').mockReturnValue(Promise.resolve([]));
     await gps.build();
 
-    expect(gps.buildGroup).toBeCalledTimes(0);
-    expect(gps.buildGroups).toBeCalledTimes(1);
+    expect(gps.buildGroup).toHaveBeenCalledTimes(0);
+    expect(gps.buildGroups).toHaveBeenCalledTimes(1);
   });
 });

src/vault/policy-roots/impl/system-policy.service.spec.ts

@@ -29,7 +29,7 @@ describe('system-policy.service', () => {
     jest.spyOn(sps, 'buildKvSecretEngines').mockReturnValue(Promise.resolve([]));
     await sps.build();
 
-    expect(sps.buildSystem).toBeCalledTimes(1);
-    expect(sps.buildKvSecretEngines).toBeCalledTimes(1);
+    expect(sps.buildSystem).toHaveBeenCalledTimes(1);
+    expect(sps.buildKvSecretEngines).toHaveBeenCalledTimes(1);
   });
 });

src/vault/policy-roots/oidc-data.deco.spec.ts

@@ -11,7 +11,7 @@ describe('oidc-data.deco', () => {
   test('adds OIDC info to the HlcRenderSpec', async () => {
     const mockVaultApi = {
       // Simple test for now. Only the first value should go through
-      getOidcAccessor: jest.fn().mockResolvedValue('accessorId'),
+      getOidcAccessors: jest.fn().mockResolvedValue(['accessorId']),
     };
     const mockVsContainer = jest.mocked(vsContainer);
     mockVsContainer.get.mockReturnValue(mockVaultApi);
@@ -26,8 +26,8 @@ describe('oidc-data.deco', () => {
 
     // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-assignment
     const rval = await descriptor.value('myargs');
-    expect(value).toBeCalledTimes(1);
-    expect(value).toBeCalledWith('myargs');
+    expect(value).toHaveBeenCalledTimes(1);
+    expect(value).toHaveBeenCalledWith('myargs');
 
     expect(rval).toEqual([
       {foo: 'bar', data: {global_oidc_accessor: 'accessorId'}},

src/vault/policy-roots/oidc-data.deco.ts

@@ -24,7 +24,7 @@ export default function oidcData(target: unknown, propertyName: string, descript
     const vaultApi = vsContainer.get<VaultApi>(TYPES.VaultApi);
 
     if (!oidcDecoData) {
-      const accessor = await vaultApi.getOidcAccessor();
+      const accessor = (await vaultApi.getOidcAccessors())[0];
       oidcDecoData = {
         global_oidc_accessor: accessor,
       };

src/vault/templates/system/user-generic.hcl.tpl

@@ -7,41 +7,41 @@ path "sys/policy/*" {
 }
 
 # Grant permissions on user specific paths (data, destroy, metadata)
-path "user/data/{{identity.entity.aliases.<%= global_oidc_accessor %>.name}}" {
+path "user/data/{{identity.entity.aliases.<%= global_oidc_accessor %>.email}}" {
     capabilities = [ "create", "update", "read", "delete" ]
 }
-path "user/data/{{identity.entity.aliases.<%= global_oidc_accessor %>.name}}/*" {
+path "user/data/{{identity.entity.aliases.<%= global_oidc_accessor %>.email}}/*" {
     capabilities = [ "create", "update", "read", "delete" ]
 }
-path "user/delete/{{identity.entity.aliases.<%= global_oidc_accessor %>.name}}" {
+path "user/delete/{{identity.entity.aliases.<%= global_oidc_accessor %>.email}}" {
     capabilities = [ "create", "update" ]
 }
-path "user/delete/{{identity.entity.aliases.<%= global_oidc_accessor %>.name}}/*" {
+path "user/delete/{{identity.entity.aliases.<%= global_oidc_accessor %>.email}}/*" {
     capabilities = [ "create", "update" ]
 }
-path "user/undelete/{{identity.entity.aliases.<%= global_oidc_accessor %>.name}}" {
+path "user/undelete/{{identity.entity.aliases.<%= global_oidc_accessor %>.email}}" {
     capabilities = [ "create", "update" ]
 }
-path "user/undelete/{{identity.entity.aliases.<%= global_oidc_accessor %>.name}}/*" {
+path "user/undelete/{{identity.entity.aliases.<%= global_oidc_accessor %>.email}}/*" {
     capabilities = [ "create", "update" ]
 }
-path "user/destroy/{{identity.entity.aliases.<%= global_oidc_accessor %>.name}}" {
+path "user/destroy/{{identity.entity.aliases.<%= global_oidc_accessor %>.email}}" {
     capabilities = [ "create", "update" ]
 }
-path "user/destroy/{{identity.entity.aliases.<%= global_oidc_accessor %>.name}}/*" {
+path "user/destroy/{{identity.entity.aliases.<%= global_oidc_accessor %>.email}}/*" {
     capabilities = [ "create", "update" ]
 }
-path "user/metadata/{{identity.entity.aliases.<%= global_oidc_accessor %>.name}}" {
+path "user/metadata/{{identity.entity.aliases.<%= global_oidc_accessor %>.email}}" {
     capabilities = [ "create", "update", "read", "delete", "list" ]
 }
-path "user/metadata/{{identity.entity.aliases.<%= global_oidc_accessor %>.name}}/*" {
+path "user/metadata/{{identity.entity.aliases.<%= global_oidc_accessor %>.email}}/*" {
     capabilities = [ "create", "update", "read", "delete", "list" ]
 }
 
-// path "user/+/{{identity.entity.aliases.<%= global_oidc_accessor %>.name}}" {
+// path "user/+/{{identity.entity.aliases.<%= global_oidc_accessor %>.email}}" {
 //     capabilities = [ "create", "update", "read", "delete", "list" ]
 // }
-// path "user/+/{{identity.entity.aliases.<%= global_oidc_accessor %>.name}}/*" {
+// path "user/+/{{identity.entity.aliases.<%= global_oidc_accessor %>.email}}/*" {
 //     capabilities = [ "create", "update", "read", "delete", "list" ]
 // }
 

src/vault/vault-approle.controller.spec.ts

@@ -88,26 +88,26 @@ describe('vault-approle.controller', () => {
 
     await va.sync();
 
-    expect(va.buildApproleDict).toBeCalledTimes(1);
-    expect(va.createUpdateRoles).toBeCalledTimes(1);
-    expect(va.createUpdateRoles).toBeCalledWith(mockDict);
-    expect(va.removeUnusedRoles).toBeCalledTimes(1);
-    expect(va.removeUnusedRoles).toBeCalledWith(expect.any(Set));
+    expect(va.buildApproleDict).toHaveBeenCalledTimes(1);
+    expect(va.createUpdateRoles).toHaveBeenCalledTimes(1);
+    expect(va.createUpdateRoles).toHaveBeenCalledWith(mockDict);
+    expect(va.removeUnusedRoles).toHaveBeenCalledTimes(1);
+    expect(va.removeUnusedRoles).toHaveBeenCalledWith(expect.any(Set));
   });
 
   test('buildApproleDict', async () => {
     const va = vgcFactory();
 
     const rval = await va.buildApproleDict();
 
-    expect(mockAppService.getAllApps).toBeCalledTimes(1);
-    expect(mockHclUtil.renderApproleName).toBeCalledTimes(1);
-    expect(mockHclUtil.renderApproleName).toBeCalledWith(mockApps[0], 'PRODUCTION');
+    expect(mockAppService.getAllApps).toHaveBeenCalledTimes(1);
+    expect(mockHclUtil.renderApproleName).toHaveBeenCalledTimes(1);
+    expect(mockHclUtil.renderApproleName).toHaveBeenCalledWith(mockApps[0], 'PRODUCTION');
 
-    expect(mockAppRootService.buildApplicationForEnv).toBeCalledTimes(1);
-    expect(mockAppRootService.buildApplicationForEnv).toBeCalledWith(mockApps[0], 'PRODUCTION');
+    expect(mockAppRootService.buildApplicationForEnv).toHaveBeenCalledTimes(1);
+    expect(mockAppRootService.buildApplicationForEnv).toHaveBeenCalledWith(mockApps[0], 'PRODUCTION');
 
-    expect(mockHclUtil.renderName).toBeCalledTimes(1);
+    expect(mockHclUtil.renderName).toHaveBeenCalledTimes(1);
 
     expect(rval).toEqual({
       name: {
@@ -141,8 +141,8 @@ describe('vault-approle.controller', () => {
       },
     });
 
-    expect(vault.addApproleRole).toBeCalledTimes(1);
-    expect(vault.addApproleRole).toBeCalledWith({
+    expect(vault.addApproleRole).toHaveBeenCalledTimes(1);
+    expect(vault.addApproleRole).toHaveBeenCalledWith({
       'bind_secret_id': true,
       'bound_cidr_list': '',
       'mount_point': 'vs_apps_approle',
@@ -163,11 +163,11 @@ describe('vault-approle.controller', () => {
 
     await va.removeUnusedRoles(regSet);
 
-    expect(vault.approleRoles).toBeCalledTimes(1);
-    expect(vault.approleRoles).toBeCalledWith({mount_point: VAULT_APPROLE_MOUNT_POINT});
+    expect(vault.approleRoles).toHaveBeenCalledTimes(1);
+    expect(vault.approleRoles).toHaveBeenCalledWith({mount_point: VAULT_APPROLE_MOUNT_POINT});
 
-    expect(vault.deleteApproleRole).toBeCalledTimes(2);
-    expect(vault.deleteApproleRole).toBeCalledWith({mount_point: VAULT_APPROLE_MOUNT_POINT, role_name: 'c'});
-    expect(vault.deleteApproleRole).toBeCalledWith({mount_point: VAULT_APPROLE_MOUNT_POINT, role_name: 'd'});
+    expect(vault.deleteApproleRole).toHaveBeenCalledTimes(2);
+    expect(vault.deleteApproleRole).toHaveBeenCalledWith({mount_point: VAULT_APPROLE_MOUNT_POINT, role_name: 'c'});
+    expect(vault.deleteApproleRole).toHaveBeenCalledWith({mount_point: VAULT_APPROLE_MOUNT_POINT, role_name: 'd'});
   });
 });