deb.open-vault/command/auth_enable_test.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package command

import (
	"io/ioutil"
	"strings"
	"testing"

	"github.com/go-test/deep"
	"github.com/hashicorp/vault/helper/builtinplugins"
	"github.com/hashicorp/vault/sdk/helper/consts"
	"github.com/mitchellh/cli"
)

func testAuthEnableCommand(tb testing.TB) (*cli.MockUi, *AuthEnableCommand) {
	tb.Helper()

	ui := cli.NewMockUi()
	return ui, &AuthEnableCommand{
		BaseCommand: &BaseCommand{
			UI: ui,
		},
	}
}

func TestAuthEnableCommand_Run(t *testing.T) {
	t.Parallel()

	cases := []struct {
		name string
		args []string
		out  string
		code int
	}{
		{
			"not_enough_args",
			nil,
			"Not enough arguments",
			1,
		},
		{
			"too_many_args",
			[]string{"foo", "bar"},
			"Too many arguments",
			1,
		},
		{
			"not_a_valid_auth",
			[]string{"nope_definitely_not_a_valid_mount_like_ever"},
			"",
			2,
		},
	}

	for _, tc := range cases {
		tc := tc

		t.Run(tc.name, func(t *testing.T) {
			t.Parallel()

			client, closer := testVaultServer(t)
			defer closer()

			ui, cmd := testAuthEnableCommand(t)
			cmd.client = client

			code := cmd.Run(tc.args)
			if code != tc.code {
				t.Errorf("expected command return code to be %d, got %d", tc.code, code)
			}

			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
			if !strings.Contains(combined, tc.out) {
				t.Errorf("expected %q in response\n got: %+v", tc.out, combined)
			}
		})
	}

	t.Run("integration", func(t *testing.T) {
		t.Parallel()

		client, closer := testVaultServer(t)
		defer closer()

		ui, cmd := testAuthEnableCommand(t)
		cmd.client = client

		code := cmd.Run([]string{
			"-path", "auth_integration/",
			"-description", "The best kind of test",
			"-audit-non-hmac-request-keys", "foo,bar",
			"-audit-non-hmac-response-keys", "foo,bar",
			"-passthrough-request-headers", "authorization,authentication",
			"-passthrough-request-headers", "www-authentication",
			"-allowed-response-headers", "authorization",
			"-listing-visibility", "unauth",
			"userpass",
		})
		if exp := 0; code != exp {
			t.Errorf("expected %d to be %d", code, exp)
		}

		expected := "Success! Enabled userpass auth method at:"
		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
		if !strings.Contains(combined, expected) {
			t.Errorf("expected %q to contain %q", combined, expected)
		}

		auths, err := client.Sys().ListAuth()
		if err != nil {
			t.Fatal(err)
		}

		authInfo, ok := auths["auth_integration/"]
		if !ok {
			t.Fatalf("expected mount to exist")
		}
		if exp := "userpass"; authInfo.Type != exp {
			t.Errorf("expected %q to be %q", authInfo.Type, exp)
		}
		if exp := "The best kind of test"; authInfo.Description != exp {
			t.Errorf("expected %q to be %q", authInfo.Description, exp)
		}
		if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, authInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
			t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
		}
		if diff := deep.Equal([]string{"authorization"}, authInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
			t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
		}
		if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
			t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
		}
		if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
			t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
		}
	})

	t.Run("communication_failure", func(t *testing.T) {
		t.Parallel()

		client, closer := testVaultServerBad(t)
		defer closer()

		ui, cmd := testAuthEnableCommand(t)
		cmd.client = client

		code := cmd.Run([]string{
			"userpass",
		})
		if exp := 2; code != exp {
			t.Errorf("expected %d to be %d", code, exp)
		}

		expected := "Error enabling userpass auth: "
		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
		if !strings.Contains(combined, expected) {
			t.Errorf("expected %q to contain %q", combined, expected)
		}
	})

	t.Run("no_tabs", func(t *testing.T) {
		t.Parallel()

		_, cmd := testAuthEnableCommand(t)
		assertNoTabs(t, cmd)
	})

	t.Run("mount_all", func(t *testing.T) {
		t.Parallel()

		client, closer := testVaultServerAllBackends(t)
		defer closer()

		files, err := ioutil.ReadDir("../builtin/credential")
		if err != nil {
			t.Fatal(err)
		}

		var backends []string
		for _, f := range files {
			if f.IsDir() {
				backends = append(backends, f.Name())
			}
		}

		modFile, err := ioutil.ReadFile("../go.mod")
		if err != nil {
			t.Fatal(err)
		}
		modLines := strings.Split(string(modFile), "\n")
		for _, p := range modLines {
			splitLine := strings.Split(strings.TrimSpace(p), " ")
			if len(splitLine) == 0 {
				continue
			}
			potPlug := strings.TrimPrefix(splitLine[0], "github.com/hashicorp/")
			if strings.HasPrefix(potPlug, "vault-plugin-auth-") {
				backends = append(backends, strings.TrimPrefix(potPlug, "vault-plugin-auth-"))
			}
		}
		// Since "pcf" plugin in the Vault registry is also pointed at the "vault-plugin-auth-cf"
		// repository, we need to manually append it here so it'll tie out with our expected number
		// of credential backends.
		backends = append(backends, "pcf")

		// Add 1 to account for the "token" backend, which is visible when you walk the filesystem but
		// is treated as special and excluded from the registry.
		// Subtract 1 to account for "oidc" which is an alias of "jwt" and not a separate plugin.
		expected := len(builtinplugins.Registry.Keys(consts.PluginTypeCredential))
		if len(backends) != expected {
			t.Fatalf("expected %d credential backends, got %d", expected, len(backends))
		}

		for _, b := range backends {
			var expectedResult int = 0

			// Not a builtin
			if b == "token" {
				continue
			}

			ui, cmd := testAuthEnableCommand(t)
			cmd.client = client

			actualResult := cmd.Run([]string{
				b,
			})

			// Need to handle deprecated builtins specially
			status, _ := builtinplugins.Registry.DeprecationStatus(b, consts.PluginTypeCredential)
			if status == consts.PendingRemoval || status == consts.Removed {
				expectedResult = 2
			}

			if actualResult != expectedResult {
				t.Errorf("type: %s - got: %d, expected: %d - %s", b, actualResult, expectedResult, ui.OutputWriter.String()+ui.ErrorWriter.String())
			}
		}
	})
}
New upstream version 1.14.8 2024-04-20 12:23:50 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

			`package command`

			`import (`
			`"io/ioutil"`
			`"strings"`
			`"testing"`

			`"github.com/go-test/deep"`
			`"github.com/hashicorp/vault/helper/builtinplugins"`
			`"github.com/hashicorp/vault/sdk/helper/consts"`
			`"github.com/mitchellh/cli"`
			`)`

			`func testAuthEnableCommand(tb testing.TB) (cli.MockUi, AuthEnableCommand) {`
			`tb.Helper()`

			`ui := cli.NewMockUi()`
			`return ui, &AuthEnableCommand{`
			`BaseCommand: &BaseCommand{`
			`UI: ui,`
			`},`
			`}`
			`}`

			`func TestAuthEnableCommand_Run(t *testing.T) {`
			`t.Parallel()`

			`cases := []struct {`
			`name string`
			`args []string`
			`out string`
			`code int`
			`}{`
			`{`
			`"not_enough_args",`
			`nil,`
			`"Not enough arguments",`
			`1,`
			`},`
			`{`
			`"too_many_args",`
			`[]string{"foo", "bar"},`
			`"Too many arguments",`
			`1,`
			`},`
			`{`
			`"not_a_valid_auth",`
			`[]string{"nope_definitely_not_a_valid_mount_like_ever"},`
			`"",`
			`2,`
			`},`
			`}`

			`for _, tc := range cases {`
			`tc := tc`

			`t.Run(tc.name, func(t *testing.T) {`
			`t.Parallel()`

			`client, closer := testVaultServer(t)`
			`defer closer()`

			`ui, cmd := testAuthEnableCommand(t)`
			`cmd.client = client`

			`code := cmd.Run(tc.args)`
			`if code != tc.code {`
			`t.Errorf("expected command return code to be %d, got %d", tc.code, code)`
			`}`

			`combined := ui.OutputWriter.String() + ui.ErrorWriter.String()`
			`if !strings.Contains(combined, tc.out) {`
			`t.Errorf("expected %q in response\n got: %+v", tc.out, combined)`
			`}`
			`})`
			`}`

			`t.Run("integration", func(t *testing.T) {`
			`t.Parallel()`

			`client, closer := testVaultServer(t)`
			`defer closer()`

			`ui, cmd := testAuthEnableCommand(t)`
			`cmd.client = client`

			`code := cmd.Run([]string{`
			`"-path", "auth_integration/",`
			`"-description", "The best kind of test",`
			`"-audit-non-hmac-request-keys", "foo,bar",`
			`"-audit-non-hmac-response-keys", "foo,bar",`
			`"-passthrough-request-headers", "authorization,authentication",`
			`"-passthrough-request-headers", "www-authentication",`
			`"-allowed-response-headers", "authorization",`
			`"-listing-visibility", "unauth",`
			`"userpass",`
			`})`
			`if exp := 0; code != exp {`
			`t.Errorf("expected %d to be %d", code, exp)`
			`}`

			`expected := "Success! Enabled userpass auth method at:"`
			`combined := ui.OutputWriter.String() + ui.ErrorWriter.String()`
			`if !strings.Contains(combined, expected) {`
			`t.Errorf("expected %q to contain %q", combined, expected)`
			`}`

			`auths, err := client.Sys().ListAuth()`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`authInfo, ok := auths["auth_integration/"]`
			`if !ok {`
			`t.Fatalf("expected mount to exist")`
			`}`
			`if exp := "userpass"; authInfo.Type != exp {`
			`t.Errorf("expected %q to be %q", authInfo.Type, exp)`
			`}`
			`if exp := "The best kind of test"; authInfo.Description != exp {`
			`t.Errorf("expected %q to be %q", authInfo.Description, exp)`
			`}`
			`if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, authInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {`
			`t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)`
			`}`
			`if diff := deep.Equal([]string{"authorization"}, authInfo.Config.AllowedResponseHeaders); len(diff) > 0 {`
			`t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)`
			`}`
			`if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {`
			`t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)`
			`}`
			`if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {`
			`t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)`
			`}`
			`})`

			`t.Run("communication_failure", func(t *testing.T) {`
			`t.Parallel()`

			`client, closer := testVaultServerBad(t)`
			`defer closer()`

			`ui, cmd := testAuthEnableCommand(t)`
			`cmd.client = client`

			`code := cmd.Run([]string{`
			`"userpass",`
			`})`
			`if exp := 2; code != exp {`
			`t.Errorf("expected %d to be %d", code, exp)`
			`}`

			`expected := "Error enabling userpass auth: "`
			`combined := ui.OutputWriter.String() + ui.ErrorWriter.String()`
			`if !strings.Contains(combined, expected) {`
			`t.Errorf("expected %q to contain %q", combined, expected)`
			`}`
			`})`

			`t.Run("no_tabs", func(t *testing.T) {`
			`t.Parallel()`

			`_, cmd := testAuthEnableCommand(t)`
			`assertNoTabs(t, cmd)`
			`})`

			`t.Run("mount_all", func(t *testing.T) {`
			`t.Parallel()`

			`client, closer := testVaultServerAllBackends(t)`
			`defer closer()`

			`files, err := ioutil.ReadDir("../builtin/credential")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`var backends []string`
			`for _, f := range files {`
			`if f.IsDir() {`
			`backends = append(backends, f.Name())`
			`}`
			`}`

			`modFile, err := ioutil.ReadFile("../go.mod")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`modLines := strings.Split(string(modFile), "\n")`
			`for _, p := range modLines {`
			`splitLine := strings.Split(strings.TrimSpace(p), " ")`
			`if len(splitLine) == 0 {`
			`continue`
			`}`
			`potPlug := strings.TrimPrefix(splitLine[0], "github.com/hashicorp/")`
			`if strings.HasPrefix(potPlug, "vault-plugin-auth-") {`
			`backends = append(backends, strings.TrimPrefix(potPlug, "vault-plugin-auth-"))`
			`}`
			`}`
			`// Since "pcf" plugin in the Vault registry is also pointed at the "vault-plugin-auth-cf"`
			`// repository, we need to manually append it here so it'll tie out with our expected number`
			`// of credential backends.`
			`backends = append(backends, "pcf")`

			`// Add 1 to account for the "token" backend, which is visible when you walk the filesystem but`
			`// is treated as special and excluded from the registry.`
			`// Subtract 1 to account for "oidc" which is an alias of "jwt" and not a separate plugin.`
			`expected := len(builtinplugins.Registry.Keys(consts.PluginTypeCredential))`
			`if len(backends) != expected {`
			`t.Fatalf("expected %d credential backends, got %d", expected, len(backends))`
			`}`

			`for _, b := range backends {`
			`var expectedResult int = 0`

			`// Not a builtin`
			`if b == "token" {`
			`continue`
			`}`

			`ui, cmd := testAuthEnableCommand(t)`
			`cmd.client = client`

			`actualResult := cmd.Run([]string{`
			`b,`
			`})`

			`// Need to handle deprecated builtins specially`
			`status, _ := builtinplugins.Registry.DeprecationStatus(b, consts.PluginTypeCredential)`
			`if status == consts.PendingRemoval \|\| status == consts.Removed {`
			`expectedResult = 2`
			`}`

			`if actualResult != expectedResult {`
			`t.Errorf("type: %s - got: %d, expected: %d - %s", b, actualResult, expectedResult, ui.OutputWriter.String()+ui.ErrorWriter.String())`
			`}`
			`}`
			`})`
			`}`