require 'spec_helper'

describe Vault::Provision do
  it "has a cubbyhole" do
    expect(client.sys.mounts[:cubbyhole].description).to \
      include 'per-token private secret storage'
  end

  it "has an ldap auth" do
    expect(client.sys.auths[:ldap].type).to be == 'ldap'
  end

  it "has a token auth" do
    expect(client.sys.auths[:token].type).to be == 'token'
  end

  it "has an ldap config" do
    config_data = client.get('v1/auth/ldap/config')[:data]
    expect(config_data[:url]).to be == 'ldaps://ldap.example.com'
  end

  it "has a pki-root mount" do
    expect(client.sys.mounts.keys).to include :'pki-root'
  end

  it "has a CA" do
    expect(client.get('v1/pki-root/ca/pem')).to be
  end

  it "has pki-root config urls" do
    expect(client.get('v1/pki-root/config/urls')[:data][:crl_distribution_points].to_s).to include 'https://cdn.example.com'
  end

  it "has pki-intermediate config urls" do
    expect(client.get('v1/pki-intermediate/config/urls')[:data][:issuing_certificates].to_s).to include 'https://cdn.example.com'
  end

  it "has pki-intermediate ca" do
    expect(client.get('v1/pki-intermediate/ca/pem')).to be
  end

  it "has a dvcert role for intermediate" do
    expect(client.get('v1/pki-intermediate/roles/dvcert')[:data][:allowed_domains]).to include "vault.example.com"
    expect(client.get('v1/pki-intermediate/roles/dvcert')[:data][:allow_any_name]).to be_falsey
  end

  it "has an unlimited role for root" do
    expect(client.get('v1/pki-root/roles/unlimited')[:data][:allow_any_name]).to be_truthy
  end

  it "has a master_of_secrets policy" do
    expect(client.sys.policy('master_of_secrets').rules).to include '"sys/auth/*"'
    expect(client.sys.policy('master_of_secrets').rules).to include '"secret/*"'
  end

  it "has a secret squirrel" do
    expect(client.sys.mounts[:squirrel].type).to be == 'generic'
  end
end