open-vault/vault/policy_test.go

151 lines
2.9 KiB
Go
Raw Normal View History

2015-03-17 22:53:29 +00:00
package vault
import (
"reflect"
2016-03-10 18:36:54 +00:00
"strings"
2015-03-17 22:53:29 +00:00
"testing"
)
2016-03-10 18:36:54 +00:00
var rawPolicy = strings.TrimSpace(`
# Developer policy
name = "dev"
# Deny all paths by default
path "*" {
policy = "deny"
}
# Allow full access to staging
path "stage/*" {
policy = "sudo"
}
# Limited read privilege to production
path "prod/version" {
policy = "read"
}
# Read access to foobar
# Also tests stripping of leading slash
path "/foo/bar" {
policy = "read"
}
# Add capabilities for creation and sudo to foobar
# This will be separate; they are combined when compiled into an ACL
path "foo/bar" {
capabilities = ["create", "sudo"]
}
`)
2015-03-17 22:53:29 +00:00
func TestPolicy_Parse(t *testing.T) {
p, err := Parse(rawPolicy)
if err != nil {
t.Fatalf("err: %v", err)
}
if p.Name != "dev" {
2016-03-10 18:36:54 +00:00
t.Fatalf("bad name: %q", p.Name)
2015-03-17 22:53:29 +00:00
}
expect := []*PathCapabilities{
&PathCapabilities{"", "deny",
[]string{
"deny",
2016-01-12 22:08:10 +00:00
}, DenyCapabilityInt, true},
&PathCapabilities{"stage/", "sudo",
[]string{
"create",
"read",
"update",
"delete",
"list",
"sudo",
2016-01-12 22:08:10 +00:00
}, CreateCapabilityInt | ReadCapabilityInt | UpdateCapabilityInt |
DeleteCapabilityInt | ListCapabilityInt | SudoCapabilityInt, true},
&PathCapabilities{"prod/version", "read",
[]string{
"read",
"list",
2016-01-12 22:08:10 +00:00
}, ReadCapabilityInt | ListCapabilityInt, false},
&PathCapabilities{"foo/bar", "read",
[]string{
"read",
"list",
2016-01-12 22:08:10 +00:00
}, ReadCapabilityInt | ListCapabilityInt, false},
&PathCapabilities{"foo/bar", "",
[]string{
"create",
"sudo",
2016-01-12 22:08:10 +00:00
}, CreateCapabilityInt | SudoCapabilityInt, false},
2015-03-17 22:53:29 +00:00
}
if !reflect.DeepEqual(p.Paths, expect) {
2016-03-10 18:36:54 +00:00
t.Errorf("expected \n\n%#v\n\n to be \n\n%#v\n\n", p.Paths, expect)
2015-03-17 22:53:29 +00:00
}
}
2016-03-10 18:36:54 +00:00
func TestPolicy_ParseBadRoot(t *testing.T) {
_, err := Parse(strings.TrimSpace(`
name = "test"
bad = "foo"
nope = "yes"
`))
if err == nil {
t.Fatalf("expected error")
}
2015-03-17 22:53:29 +00:00
2016-03-10 18:36:54 +00:00
if !strings.Contains(err.Error(), "invalid key 'bad' on line 2") {
t.Errorf("bad error: %q", err)
}
if !strings.Contains(err.Error(), "invalid key 'nope' on line 3") {
t.Errorf("bad error: %q", err)
}
2015-03-17 22:53:29 +00:00
}
2016-03-10 18:36:54 +00:00
func TestPolicy_ParseBadPath(t *testing.T) {
_, err := Parse(strings.TrimSpace(`
path "/" {
capabilities = ["read"]
capabilites = ["read"]
2015-03-17 22:53:29 +00:00
}
2016-03-10 18:36:54 +00:00
`))
if err == nil {
t.Fatalf("expected error")
}
2015-03-17 22:53:29 +00:00
2016-03-10 18:36:54 +00:00
if !strings.Contains(err.Error(), "invalid key 'capabilites' on line 3") {
t.Errorf("bad error: %s", err)
}
2015-03-17 22:53:29 +00:00
}
2016-03-10 18:36:54 +00:00
func TestPolicy_ParseBadPolicy(t *testing.T) {
_, err := Parse(strings.TrimSpace(`
path "/" {
policy = "banana"
}
2016-03-10 18:36:54 +00:00
`))
if err == nil {
t.Fatalf("expected error")
}
2016-03-10 18:36:54 +00:00
if !strings.Contains(err.Error(), `path "/": invalid policy 'banana'`) {
t.Errorf("bad error: %s", err)
}
}
func TestPolicy_ParseBadCapabilities(t *testing.T) {
_, err := Parse(strings.TrimSpace(`
path "/" {
capabilities = ["read", "banana"]
}
`))
if err == nil {
t.Fatalf("expected error")
}
if !strings.Contains(err.Error(), `path "/": invalid capability 'banana'`) {
t.Errorf("bad error: %s", err)
}
}