open-vault/vault/acl_test.go

694 lines
15 KiB
Go
Raw Normal View History

2015-03-18 01:31:20 +00:00
package vault
import (
2016-03-05 05:03:55 +00:00
"reflect"
2015-03-18 01:31:20 +00:00
"testing"
"github.com/hashicorp/vault/logical"
)
2016-03-05 05:03:55 +00:00
func TestACL_Capabilities(t *testing.T) {
// Create the root policy ACL
policy := []*Policy{&Policy{Name: "root"}}
acl, err := NewACL(policy)
if err != nil {
t.Fatalf("err: %v", err)
}
actual := acl.Capabilities("any/path")
expected := []string{"root"}
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
}
policies, err := Parse(aclPolicy)
if err != nil {
t.Fatalf("err: %v", err)
}
acl, err = NewACL([]*Policy{policies})
if err != nil {
t.Fatalf("err: %v", err)
}
actual = acl.Capabilities("dev")
expected = []string{"deny"}
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: path:%s\ngot\n%#v\nexpected\n%#v\n", "deny", actual, expected)
}
actual = acl.Capabilities("dev/")
expected = []string{"sudo", "read", "list", "update", "delete", "create"}
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: path:%s\ngot\n%#v\nexpected\n%#v\n", "dev/", actual, expected)
}
actual = acl.Capabilities("stage/aws/test")
expected = []string{"sudo", "read", "list", "update"}
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: path:%s\ngot\n%#v\nexpected\n%#v\n", "stage/aws/test", actual, expected)
}
}
2015-03-18 01:31:20 +00:00
func TestACL_Root(t *testing.T) {
// Create the root policy ACL
policy := []*Policy{&Policy{Name: "root"}}
acl, err := NewACL(policy)
if err != nil {
t.Fatalf("err: %v", err)
}
request := new(logical.Request)
request.Operation = logical.UpdateOperation
request.Path = "sys/mount/foo"
allowed, rootPrivs := acl.AllowOperation(request)
if !rootPrivs {
2015-03-18 01:31:20 +00:00
t.Fatalf("expected root")
}
if !allowed {
2016-10-30 22:09:45 +00:00
t.Fatalf("expected permissions")
2015-03-18 01:31:20 +00:00
}
}
func TestACL_Single(t *testing.T) {
policy, err := Parse(aclPolicy)
if err != nil {
t.Fatalf("err: %v", err)
}
acl, err := NewACL([]*Policy{policy})
if err != nil {
t.Fatalf("err: %v", err)
}
// Type of operation is not important here as we only care about checking
// sudo/root
request := new(logical.Request)
request.Operation = logical.ReadOperation
request.Path = "sys/mount/foo"
_, rootPrivs := acl.AllowOperation(request)
if rootPrivs {
2015-03-18 01:31:20 +00:00
t.Fatalf("unexpected root")
}
type tcase struct {
op logical.Operation
path string
allowed bool
rootPrivs bool
2015-03-18 01:31:20 +00:00
}
tcases := []tcase{
{logical.ReadOperation, "root", false, false},
{logical.HelpOperation, "root", true, false},
2015-03-18 01:31:20 +00:00
{logical.ReadOperation, "dev/foo", true, true},
{logical.UpdateOperation, "dev/foo", true, true},
2015-03-18 01:31:20 +00:00
{logical.DeleteOperation, "stage/foo", true, false},
{logical.ListOperation, "stage/aws/foo", true, true},
{logical.UpdateOperation, "stage/aws/foo", true, true},
{logical.UpdateOperation, "stage/aws/policy/foo", true, true},
2015-03-18 01:31:20 +00:00
{logical.DeleteOperation, "prod/foo", false, false},
{logical.UpdateOperation, "prod/foo", false, false},
{logical.ReadOperation, "prod/foo", true, false},
{logical.ListOperation, "prod/foo", true, false},
{logical.ReadOperation, "prod/aws/foo", false, false},
{logical.ReadOperation, "foo/bar", true, true},
{logical.ListOperation, "foo/bar", false, true},
{logical.UpdateOperation, "foo/bar", false, true},
{logical.CreateOperation, "foo/bar", true, true},
2015-03-18 01:31:20 +00:00
}
for _, tc := range tcases {
request := new(logical.Request)
request.Operation = tc.op
request.Path = tc.path
allowed, rootPrivs := acl.AllowOperation(request)
if allowed != tc.allowed {
t.Fatalf("bad: case %#v: %v, %v", tc, allowed, rootPrivs)
}
if rootPrivs != tc.rootPrivs {
t.Fatalf("bad: case %#v: %v, %v", tc, allowed, rootPrivs)
2015-03-18 01:31:20 +00:00
}
}
}
func TestACL_Layered(t *testing.T) {
policy1, err := Parse(aclPolicy)
if err != nil {
t.Fatalf("err: %v", err)
}
policy2, err := Parse(aclPolicy2)
if err != nil {
t.Fatalf("err: %v", err)
}
2016-11-02 02:48:00 +00:00
acl, err := NewACL([]*Policy{policy1, policy2})
2015-03-18 01:31:20 +00:00
if err != nil {
t.Fatalf("err: %v", err)
2016-11-02 02:48:00 +00:00
}
2015-03-18 19:17:03 +00:00
testLayeredACL(t, acl)
}
2015-03-18 19:17:03 +00:00
func testLayeredACL(t *testing.T, acl *ACL) {
// Type of operation is not important here as we only care about checking
// sudo/root
request := new(logical.Request)
request.Operation = logical.ReadOperation
request.Path = "sys/mount/foo"
_, rootPrivs := acl.AllowOperation(request)
if rootPrivs {
2015-03-18 01:31:20 +00:00
t.Fatalf("unexpected root")
}
type tcase struct {
op logical.Operation
path string
allowed bool
rootPrivs bool
2015-03-18 01:31:20 +00:00
}
tcases := []tcase{
{logical.ReadOperation, "root", false, false},
{logical.HelpOperation, "root", true, false},
2015-03-18 01:31:20 +00:00
{logical.ReadOperation, "dev/foo", true, true},
{logical.UpdateOperation, "dev/foo", true, true},
{logical.ReadOperation, "dev/hide/foo", false, false},
{logical.UpdateOperation, "dev/hide/foo", false, false},
2015-03-18 01:31:20 +00:00
{logical.DeleteOperation, "stage/foo", true, false},
{logical.ListOperation, "stage/aws/foo", true, true},
{logical.UpdateOperation, "stage/aws/foo", true, true},
{logical.UpdateOperation, "stage/aws/policy/foo", false, false},
2015-03-18 01:31:20 +00:00
{logical.DeleteOperation, "prod/foo", true, false},
{logical.UpdateOperation, "prod/foo", true, false},
{logical.ReadOperation, "prod/foo", true, false},
{logical.ListOperation, "prod/foo", true, false},
{logical.ReadOperation, "prod/aws/foo", false, false},
2015-07-05 23:34:34 +00:00
{logical.ReadOperation, "sys/status", false, false},
{logical.UpdateOperation, "sys/seal", true, true},
{logical.ReadOperation, "foo/bar", false, false},
{logical.ListOperation, "foo/bar", false, false},
{logical.UpdateOperation, "foo/bar", false, false},
{logical.CreateOperation, "foo/bar", false, false},
2015-03-18 01:31:20 +00:00
}
for _, tc := range tcases {
request := new(logical.Request)
request.Operation = tc.op
request.Path = tc.path
allowed, rootPrivs := acl.AllowOperation(request)
if allowed != tc.allowed {
t.Fatalf("bad: case %#v: %v, %v", tc, allowed, rootPrivs)
}
if rootPrivs != tc.rootPrivs {
t.Fatalf("bad: case %#v: %v, %v", tc, allowed, rootPrivs)
2015-03-18 01:31:20 +00:00
}
}
}
func TestPolicyMerge(t *testing.T) {
2016-11-02 02:48:00 +00:00
policy, err := Parse(permissionsPolicy2)
if err != nil {
2016-10-30 22:09:45 +00:00
t.Fatalf("err: %v", err)
}
acl, err := NewACL([]*Policy{policy})
if err != nil {
t.Fatalf("err: %v", err)
}
2016-11-02 02:48:00 +00:00
type tcase struct {
path string
parameter string
2016-11-02 02:48:00 +00:00
allowed bool
}
toperations := []logical.Operation{
logical.UpdateOperation,
logical.CreateOperation,
logical.DeleteOperation,
}
2016-11-02 02:48:00 +00:00
tcases := []tcase{
{"foo/bar", "baz", false},
{"foo/bar", "zip", false},
{"hello/universe", "bob", true},
{"hello/universe", "tom", true},
{"rainy/day", "bob", true},
{"rainy/day", "tom", true},
{"cool/bike", "four", false},
{"cool/bike", "frank", false},
{"clean/bed", "one", false},
{"clean/bed", "two", false},
{"coca/cola", "john", false},
{"coca/cola", "two", false},
2016-11-02 02:48:00 +00:00
}
for _, tc := range tcases {
request := logical.Request{Path: tc.path, Data: make(map[string]interface{})}
request.Data[tc.parameter] = ""
for _, op := range toperations {
request.Operation = op
allowed, _ := acl.AllowOperation(&request)
if allowed != tc.allowed {
t.Fatalf("bad: case %#v: %v", tc, allowed)
}
2016-11-02 02:48:00 +00:00
}
}
}
2016-11-07 20:28:41 +00:00
func TestAllowOperation(t *testing.T) {
policy, err := Parse(permissionsPolicy)
2016-11-07 20:28:41 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
acl, err := NewACL([]*Policy{policy})
if err != nil {
t.Fatalf("err: %v", err)
}
toperations := []logical.Operation{
logical.UpdateOperation,
logical.DeleteOperation,
logical.CreateOperation,
}
2016-11-07 20:28:41 +00:00
type tcase struct {
path string
parameters []string
allowed bool
2016-11-07 20:28:41 +00:00
}
2016-11-07 20:28:41 +00:00
tcases := []tcase{
{"dev/ops", []string{"zip"}, true},
{"foo/bar", []string{"zap"}, false},
{"foo/baz", []string{"hello"}, true},
{"foo/baz", []string{"zap"}, false},
{"broken/phone", []string{"steve"}, false},
{"hello/world", []string{"one"}, false},
{"tree/fort", []string{"one"}, true},
{"tree/fort", []string{"beer"}, false},
{"fruit/apple", []string{"pear"}, false},
{"fruit/apple", []string{"one"}, false},
{"cold/weather", []string{"four"}, true},
{"var/aws", []string{"cold", "warm", "kitty"}, false},
}
for _, tc := range tcases {
2016-11-07 20:28:41 +00:00
request := logical.Request{Path: tc.path, Data: make(map[string]interface{})}
for _, parameter := range tc.parameters {
request.Data[parameter] = ""
}
2016-11-07 20:28:41 +00:00
for _, op := range toperations {
request.Operation = op
allowed, _ := acl.AllowOperation(&request)
2016-11-07 20:28:41 +00:00
if allowed != tc.allowed {
t.Fatalf("bad: case %#v: %v", tc, allowed)
2016-11-07 20:28:41 +00:00
}
}
}
}
2016-10-30 22:09:45 +00:00
func TestValuePermissions(t *testing.T) {
policy, err := Parse(valuePermissionsPolicy)
if err != nil {
t.Fatalf("err: %v", err)
}
acl, err := NewACL([]*Policy{policy})
if err != nil {
t.Fatalf("err: %v", err)
}
toperations := []logical.Operation{
logical.UpdateOperation,
logical.DeleteOperation,
logical.CreateOperation,
}
type tcase struct {
path string
parameters []string
values []interface{}
allowed bool
}
tcases := []tcase{
{"dev/ops", []string{"allow"}, []interface{}{"good"}, true},
{"dev/ops", []string{"allow"}, []interface{}{"bad"}, false},
{"foo/bar", []string{"deny"}, []interface{}{"bad"}, false},
{"foo/bar", []string{"deny"}, []interface{}{"good"}, true},
{"foo/bar", []string{"allow"}, []interface{}{"good"}, true},
{"foo/baz", []string{"allow"}, []interface{}{"good"}, true},
{"foo/baz", []string{"deny"}, []interface{}{"bad"}, false},
{"foo/baz", []string{"deny"}, []interface{}{"good"}, true},
{"foo/baz", []string{"allow"}, []interface{}{"bad"}, false},
{"foo/baz", []string{"neither"}, []interface{}{"bad"}, false},
{"fizz/buzz", []string{"allow_multi"}, []interface{}{"good"}, true},
{"fizz/buzz", []string{"allow_multi"}, []interface{}{"good1"}, true},
{"fizz/buzz", []string{"allow_multi"}, []interface{}{"good2"}, true},
{"fizz/buzz", []string{"allow_multi"}, []interface{}{"bad"}, false},
{"fizz/buzz", []string{"allow_multi"}, []interface{}{"bad"}, false},
{"fizz/buzz", []string{"allow_multi", "allow"}, []interface{}{"good1", "good"}, true},
{"fizz/buzz", []string{"deny_multi"}, []interface{}{"bad2"}, false},
{"fizz/buzz", []string{"deny_multi", "allow_multi"}, []interface{}{"good", "good2"}, true},
// {"test/types", []string{"array"}, []interface{}{[1]string{"good"}}, true},
{"test/types", []string{"map"}, []interface{}{map[string]interface{}{"good": "one"}}, true},
{"test/types", []string{"map"}, []interface{}{map[string]interface{}{"bad": "one"}}, false},
{"test/types", []string{"int"}, []interface{}{1}, true},
{"test/types", []string{"int"}, []interface{}{3}, false},
2017-01-20 01:41:02 +00:00
{"test/types", []string{"bool"}, []interface{}{false}, false},
{"test/types", []string{"bool"}, []interface{}{true}, true},
}
for _, tc := range tcases {
request := logical.Request{Path: tc.path, Data: make(map[string]interface{})}
for i, parameter := range tc.parameters {
request.Data[parameter] = tc.values[i]
}
for _, op := range toperations {
request.Operation = op
allowed, _ := acl.AllowOperation(&request)
if allowed != tc.allowed {
t.Fatalf("bad: case %#v: %v", tc, allowed)
}
}
}
}
var tokenCreationPolicy = `
name = "tokenCreation"
path "auth/token/create*" {
capabilities = ["update", "create", "sudo"]
}
`
var aclPolicy = `
name = "dev"
path "dev/*" {
policy = "sudo"
}
path "stage/*" {
policy = "write"
}
path "stage/aws/*" {
policy = "read"
capabilities = ["update", "sudo"]
}
path "stage/aws/policy/*" {
policy = "sudo"
}
path "prod/*" {
policy = "read"
}
path "prod/aws/*" {
policy = "deny"
}
path "sys/*" {
policy = "deny"
}
path "foo/bar" {
capabilities = ["read", "create", "sudo"]
}
`
var aclPolicy2 = `
name = "ops"
path "dev/hide/*" {
policy = "deny"
}
path "stage/aws/policy/*" {
policy = "deny"
# This should have no effect
capabilities = ["read", "update", "sudo"]
}
path "prod/*" {
policy = "write"
}
path "sys/seal" {
policy = "sudo"
}
path "foo/bar" {
capabilities = ["deny"]
}
`
//test merging
var permissionsPolicy2 = `
name = "ops"
path "foo/bar" {
policy = "write"
permissions = {
denied_parameters = {
"baz" = []
}
}
}
path "foo/bar" {
policy = "write"
permissions = {
denied_parameters = {
"zip" = []
}
}
}
path "hello/universe" {
policy = "write"
permissions = {
allowed_parameters = {
"bob" = []
}
}
}
path "hello/universe" {
policy = "write"
permissions = {
allowed_parameters = {
"tom" = []
}
}
}
path "rainy/day" {
policy = "write"
permissions = {
allowed_parameters = {
"bob" = []
}
}
}
path "rainy/day" {
policy = "write"
permissions = {
allowed_parameters = {
"*" = []
}
}
}
path "cool/bike" {
policy = "write"
permissions = {
denied_parameters = {
"frank" = []
}
}
}
path "cool/bike" {
policy = "write"
permissions = {
denied_parameters = {
"*" = []
}
}
}
path "clean/bed" {
policy = "write"
permissions = {
denied_parameters = {
"*" = []
}
}
}
path "clean/bed" {
policy = "write"
permissions = {
allowed_parameters = {
"*" = []
}
}
}
path "coca/cola" {
policy = "write"
permissions = {
denied_parameters = {
"john" = []
}
}
}
path "coca/cola" {
policy = "write"
permissions = {
allowed_parameters = {
"john" = []
}
}
}
`
2016-11-02 02:48:00 +00:00
2016-10-30 22:09:45 +00:00
//allow operation testing
var permissionsPolicy = `
name = "dev"
path "dev/*" {
policy = "write"
permissions = {
allowed_parameters = {
"zip" = []
2016-10-30 22:09:45 +00:00
}
}
}
path "foo/bar" {
policy = "write"
permissions = {
denied_parameters = {
"zap" = []
2016-10-30 22:09:45 +00:00
}
}
}
path "foo/baz" {
policy = "write"
permissions = {
allowed_parameters = {
"hello" = []
2016-10-30 22:09:45 +00:00
}
denied_parameters = {
"zap" = []
2016-10-30 22:09:45 +00:00
}
}
}
path "broken/phone" {
policy = "write"
permissions = {
allowed_parameters = {
"steve" = []
2016-10-30 22:09:45 +00:00
}
denied_parameters = {
"steve" = []
2016-10-30 22:09:45 +00:00
}
}
}
path "hello/world" {
2016-10-30 22:09:45 +00:00
policy = "write"
permissions = {
allowed_parameters = {
"*" = []
2016-10-30 22:09:45 +00:00
}
denied_parameters = {
"*" = []
2016-10-30 22:09:45 +00:00
}
}
}
path "tree/fort" {
2016-10-30 22:09:45 +00:00
policy = "write"
permissions = {
allowed_parameters = {
"*" = []
2016-10-30 22:09:45 +00:00
}
denied_parameters = {
"beer" = []
2016-10-30 22:09:45 +00:00
}
}
}
path "fruit/apple" {
2016-10-30 22:09:45 +00:00
policy = "write"
permissions = {
allowed_parameters = {
"pear" = []
2016-10-30 22:09:45 +00:00
}
denied_parameters = {
"*" = []
2016-10-30 22:09:45 +00:00
}
}
}
path "cold/weather" {
2016-10-30 22:09:45 +00:00
policy = "write"
permissions = {
allowed_parameters = {}
denied_parameters = {}
2016-10-30 22:09:45 +00:00
}
}
path "var/aws" {
policy = "write"
permissions = {
allowed_parameters = {
"*" = []
}
denied_parameters = {
"soft" = []
"warm" = []
"kitty" = []
}
}
}
2016-10-30 22:09:45 +00:00
`
//allow operation testing
var valuePermissionsPolicy = `
name = "op"
path "dev/*" {
policy = "write"
permissions = {
allowed_parameters = {
"allow" = ["good"]
}
}
}
path "foo/bar" {
policy = "write"
permissions = {
denied_parameters = {
"deny" = ["bad"]
}
}
}
path "foo/baz" {
policy = "write"
permissions = {
allowed_parameters = {
"allow" = ["good"]
}
denied_parameters = {
"deny" = ["bad"]
}
}
}
path "fizz/buzz" {
policy = "write"
permissions = {
allowed_parameters = {
"allow_multi" = ["good", "good1", "good2"]
"allow" = ["good"]
}
denied_parameters = {
"deny_multi" = ["bad", "bad1", "bad2"]
}
}
}
path "test/types" {
policy = "write"
permissions = {
allowed_parameters = {
2017-01-20 02:13:39 +00:00
"map" = [{"good" = "one"}]
"int" = [1, 2]
}
denied_parameters = {
"bool" = [false]
}
}
}
`