Adding changelog and cleaning up tests for #107

Author: tyler-ball

CHANGELOG.md

@@ -1,3 +1,13 @@
+## Unreleased
+
+### Bug Fixes
+
+### New Features
+
+* Pull Request [#68][], [#104][], [#107][]: If provisioning from an EC2 host and credentials are not set use the local nodes's credentials.  If access key & secret are set, do not use local session token - leave it unset. ([@JamesAwesome][], [@Igorshp][], [@daanemanz][])
+
+### Improvements
+
 ## 0.8.0 / 2014-02-11
 
 ### Bug fixes
@@ -61,27 +71,33 @@
 * Remove default_config :port in favor of SSHBase default (also 22). ([@fnichol][])
 
 <!--- The following link definition list is generated by PimpMyChangelog --->
-[#2]: https://github.com/opscode/kitchen-ec2/issues/2
-[#5]: https://github.com/opscode/kitchen-ec2/issues/5
-[#7]: https://github.com/opscode/kitchen-ec2/issues/7
-[#8]: https://github.com/opscode/kitchen-ec2/issues/8
-[#9]: https://github.com/opscode/kitchen-ec2/issues/9
-[#13]: https://github.com/opscode/kitchen-ec2/issues/13
-[#14]: https://github.com/opscode/kitchen-ec2/issues/14
-[#15]: https://github.com/opscode/kitchen-ec2/issues/15
-[#20]: https://github.com/opscode/kitchen-ec2/issues/20
-[#21]: https://github.com/opscode/kitchen-ec2/issues/21
-[#22]: https://github.com/opscode/kitchen-ec2/issues/22
-[#23]: https://github.com/opscode/kitchen-ec2/issues/23
-[#27]: https://github.com/opscode/kitchen-ec2/issues/27
-[#28]: https://github.com/opscode/kitchen-ec2/issues/28
-[#29]: https://github.com/opscode/kitchen-ec2/issues/29
-[#31]: https://github.com/opscode/kitchen-ec2/issues/31
-[#34]: https://github.com/opscode/kitchen-ec2/issues/34
+[#2]: https://github.com/test-kitchen/kitchen-ec2/issues/2
+[#5]: https://github.com/test-kitchen/kitchen-ec2/issues/5
+[#7]: https://github.com/test-kitchen/kitchen-ec2/issues/7
+[#8]: https://github.com/test-kitchen/kitchen-ec2/issues/8
+[#9]: https://github.com/test-kitchen/kitchen-ec2/issues/9
+[#13]: https://github.com/test-kitchen/kitchen-ec2/issues/13
+[#14]: https://github.com/test-kitchen/kitchen-ec2/issues/14
+[#15]: https://github.com/test-kitchen/kitchen-ec2/issues/15
+[#20]: https://github.com/test-kitchen/kitchen-ec2/issues/20
+[#21]: https://github.com/test-kitchen/kitchen-ec2/issues/21
+[#22]: https://github.com/test-kitchen/kitchen-ec2/issues/22
+[#23]: https://github.com/test-kitchen/kitchen-ec2/issues/23
+[#27]: https://github.com/test-kitchen/kitchen-ec2/issues/27
+[#28]: https://github.com/test-kitchen/kitchen-ec2/issues/28
+[#29]: https://github.com/test-kitchen/kitchen-ec2/issues/29
+[#31]: https://github.com/test-kitchen/kitchen-ec2/issues/31
+[#34]: https://github.com/test-kitchen/kitchen-ec2/issues/34
+[#68]: https://github.com/test-kitchen/kitchen-ec2/issues/68
+[#104]: https://github.com/test-kitchen/kitchen-ec2/issues/104
+[#107]: https://github.com/test-kitchen/kitchen-ec2/issues/107
 [@Atalanta]: https://github.com/Atalanta
+[@Igorshp]: https://github.com/Igorshp
+[@JamesAwesome]: https://github.com/JamesAwesome
 [@arangamani]: https://github.com/arangamani
 [@bozinsky]: https://github.com/bozinsky
 [@coderanger]: https://github.com/coderanger
+[@daanemanz]: https://github.com/daanemanz
 [@dissonanz]: https://github.com/dissonanz
 [@dysinger]: https://github.com/dysinger
 [@eherot]: https://github.com/eherot

lib/kitchen/driver/ec2.rb

@@ -100,8 +100,7 @@ class Ec2 < Kitchen::Driver::SSHBase
       end
 
       # First we check the existence of the metadata host.  Only fetch_credentials
-      # if we can find the host.  Ping logic taken from
-      # http://stackoverflow.com/questions/7519159/ruby-ping-pingecho-missing
+      # if we can find the host.
       def iam_creds
         require 'net/http'
         require 'timeout'
@@ -110,7 +109,7 @@ def iam_creds
             Net::HTTP.get(URI.parse('http://169.254.169.254'))
           end
           fetch_credentials(use_iam_profile: true)
-        rescue Errno::EHOSTUNREACH, Timeout::Error, NoMethodError, ::StandardError => e
+        rescue Errno::EHOSTUNREACH, Errno::EHOSTDOWN, Timeout::Error, NoMethodError, ::StandardError => e
           debug("fetch_credentials failed with exception #{e.message}:#{e.backtrace.join("\n")}")
           {}
         end
@@ -176,14 +175,20 @@ def default_public_ip_association
         !!config[:subnet_id]
       end
 
+      # If running on an EC2 node there are 3 possible scenarios:
+      #  1) The user has supplied the session token as an environment variable
+      #  2) The user has manually set access key/secret - don't use the session token from
+      #    the metadata service, only auth with key/secret supplied
+      #  3) The user has not set the access key/secret - because we default these values
+      #    we cannot tell if these have not been set.  So we do our best guess by checking
+      #    if the current value is the same as what is returned from the metadata service.
+      #    If they are the same we assume no user values have been set and we use the
+      #    metadata service values.
       def default_aws_session_token
         env = ENV['AWS_SESSION_TOKEN'] || ENV['AWS_TOKEN']
-        if config[:aws_secret_access_key] == iam_creds[:aws_secret_access_key] \
-          && config[:aws_access_key_id] == iam_creds[:aws_access_key_id]
-          env || iam_creds[:aws_session_token]
-        else
-          env
-        end
+        env ||= iam_creds[:aws_session_token] if config[:aws_secret_access_key] == iam_creds[:aws_secret_access_key] &&
+          config[:aws_access_key_id] == iam_creds[:aws_access_key_id]
+        env
       end
 
       private

spec/create_spec.rb

@@ -3,51 +3,51 @@
 
 describe Kitchen::Driver::Ec2 do
 
-    let(:config) do
-      {
-        aws_ssh_key_id: 'larry',
-        aws_access_key_id: 'secret',
-        aws_secret_access_key: 'moarsecret',
-        user_data: nil
-      }
-    end
+  let(:config) do
+    {
+      aws_ssh_key_id: 'larry',
+      aws_access_key_id: 'secret',
+      aws_secret_access_key: 'moarsecret',
+      user_data: nil
+    }
+  end
 
-    let(:state) do
-      {}
-    end
+  let(:state) do
+    {}
+  end
 
-    let(:server) do
-      double(
-       :id => "123",
-       :wait_for => nil,
-       :dns_name => "server.example.com",
-       :private_ip_address => '172.13.16.11',
-       :public_ip_address => '213.225.123.134'
-      )
-    end
+  let(:server) do
+    double(
+     :id => "123",
+     :wait_for => nil,
+     :dns_name => "server.example.com",
+     :private_ip_address => '172.13.16.11',
+     :public_ip_address => '213.225.123.134'
+    )
+  end
 
-    let(:instance) do
-      Kitchen::Instance.new(
-        :platform => double(:name => "centos-6.4"),
-        :suite => double(:name => "default"),
-        :driver => driver,
-        :provisioner => Kitchen::Provisioner::Dummy.new({}),
-        :busser => double("busser"),
-        :state_file => double("state_file")
-      )
-    end
+  let(:instance) do
+    Kitchen::Instance.new(
+      :platform => double(:name => "centos-6.4"),
+      :suite => double(:name => "default"),
+      :driver => driver,
+      :provisioner => Kitchen::Provisioner::Dummy.new({}),
+      :busser => double("busser"),
+      :state_file => double("state_file")
+    )
+  end
 
-    let(:driver) do
-      Kitchen::Driver::Ec2.new(config)
-    end
+  let(:driver) do
+    Kitchen::Driver::Ec2.new(config)
+  end
 
-    let(:iam_creds) do
-      {
-        aws_access_key_id: 'iam_creds_access_key',
-        aws_secret_access_key: 'iam_creds_secret_access_key',
-        aws_session_token: 'iam_creds_session_token'
-      }
-    end
+  let(:iam_creds) do
+    {
+      aws_access_key_id: 'iam_creds_access_key',
+      aws_secret_access_key: 'iam_creds_secret_access_key',
+      aws_session_token: 'iam_creds_session_token'
+    }
+  end
 
   context 'Interface is set in config' do
     before do
@@ -160,46 +160,45 @@
     end
 
     context 'but they should not be used' do
-      context 'because :aws_access_key_id is set but not via #iam_creds' do
+      shared_examples ':aws_session_token not set' do
+        it 'does not set :aws_session_token via #iam_creds' do
+          expect(driver[:aws_session_token]).to_not eq(iam_creds[:aws_session_token])
+        end
+      end
+      context 'because :aws_access_key_id is set from config' do
         let(:aws_access_key_id) { 'secret' }
         before do
           config[:aws_access_key_id] = aws_access_key_id
         end
 
         it 'does not override :aws_access_key_id' do
-          expect(driver.send(:config)[:aws_access_key_id]).to eq(aws_access_key_id)
+          expect(driver[:aws_access_key_id]).to eq(aws_access_key_id)
         end
 
-        it 'does not set :aws_session_token via #iam_creds' do
-          expect(driver.send(:config)[:aws_session_token])
-            .to_not eq(iam_creds[:aws_session_token])
-        end
+        include_examples ':aws_session_token not set'
       end
 
-      context 'because :aws_secret_access_key is set but not via #iam_creds' do
+      context 'because :aws_secret_access_key is set from config' do
         let(:aws_secret_access_key) { 'moarsecret' }
 
         before do
           config[:aws_secret_access_key] = aws_secret_access_key
         end
 
         it 'does not override :aws_secret_access_key' do
-          expect(driver.send(:config)[:aws_secret_access_key]).to eq(aws_secret_access_key)
+          expect(driver[:aws_secret_access_key]).to eq(aws_secret_access_key)
         end
 
-        it 'does not set :aws_session_token via #iam_creds' do
-          expect(driver.send(:config)[:aws_session_token])
-            .to_not eq(iam_creds[:aws_session_token])
-        end
+        include_examples ':aws_session_token not set'
       end
 
-      context 'because :aws_session_token is set but not via #iam_creds' do
+      context 'because :aws_session_token is set from config' do
         let(:aws_session_token) { 'adifferentsessiontoken' }
         before do
           config[:aws_session_token] = aws_session_token
         end
         it 'does not override :aws_session_token' do
-          expect(driver.send(:config)[:aws_session_token]).to eq('adifferentsessiontoken')
+          expect(driver[:aws_session_token]).to eq('adifferentsessiontoken')
         end
       end
     end
@@ -213,15 +212,15 @@
       end
 
       it 'uses :aws_access_key_id from iam_creds' do
-        expect(driver.send(:config)[:aws_access_key_id]).to eq(iam_creds[:aws_access_key_id])
+        expect(driver[:aws_access_key_id]).to eq(iam_creds[:aws_access_key_id])
       end
 
       it 'uses :aws_secret_key_id from iam_creds' do
-        expect(driver.send(:config)[:aws_secret_key_id]).to eq(iam_creds[:aws_secret_key_id])
+        expect(driver[:aws_secret_key_id]).to eq(iam_creds[:aws_secret_key_id])
       end
 
       it 'uses :aws_session_token from iam_creds' do
-        expect(driver.send(:config)[:aws_session_token]).to eq(iam_creds[:aws_session_token])
+        expect(driver[:aws_session_token]).to eq(iam_creds[:aws_session_token])
       end
     end
   end
@@ -239,44 +238,22 @@
         end
       end
 
-      context 'when #fetch_credentials fails with NoMethodError' do
-        it 'returns an empty hash' do
-          allow(driver).to receive(:fetch_credentials).and_raise(NoMethodError)
-          expect { driver.fetch_credentials }.to raise_error(NoMethodError)
-          expect(driver.iam_creds).to eq({})
-        end
-      end
-
-      context 'when #fetch_credentials fails with ::StandardError' do
-        it 'returns an empty hash' do
-          allow(driver).to receive(:fetch_credentials).and_raise(::StandardError)
-          expect { driver.fetch_credentials }.to raise_error(::StandardError)
-          expect(driver.iam_creds).to eq({})
-        end
-      end
-
-      context 'when #fetch_credentials fails with Errno::EHOSTUNREACH' do
-        it 'returns an empty hash' do
-          allow(driver).to receive(:fetch_credentials).and_raise(Errno::EHOSTUNREACH)
-          expect { driver.fetch_credentials }.to raise_error(Errno::EHOSTUNREACH)
-          expect(driver.iam_creds).to eq({})
-        end
-      end
-
-      context 'when #fetch_credentials fails with Timeout::Error' do
-        it 'returns an empty hash' do
-          allow(driver).to receive(:fetch_credentials).and_raise(Timeout::Error)
-          expect { driver.fetch_credentials }.to raise_error(Timeout::Error)
-          expect(driver.iam_creds).to eq({})
+      errors = [NoMethodError, StandardError, Errno::EHOSTUNREACH, Errno::EHOSTDOWN]
+      errors.each do |e|
+        context "when #fetch_credentials fails with #{e}" do
+          it 'returns an empty hash' do
+            expect(driver).to receive(:fetch_credentials).and_raise(e)
+            expect(driver.iam_creds).to eq({})
+          end
         end
       end
     end
 
-    context 'when a metadata service is not available' do
-      it 'will not call #fetch_credentials' do
-        allow(Net::HTTP).to receive(:get)
-          .with(URI.parse('http://169.254.169.254')).and_return(false)
-        expect(driver).to_not receive(:fetch_credentials)
+    context 'when Net::HTTP#get fails with Timeout::Error' do
+      it 'returns an empty hash' do
+        expect(Net::HTTP).to receive(:get)
+          .with(URI.parse('http://169.254.169.254')).and_raise(Timeout::Error)
+        expect(driver.iam_creds).to eq({})
       end
     end
   end