open-vault/vault/policy_store_test.go

277 lines
7.2 KiB
Go
Raw Normal View History

2015-03-18 19:17:03 +00:00
package vault
import (
"context"
2015-03-18 19:17:03 +00:00
"reflect"
"testing"
2018-09-18 03:03:00 +00:00
"github.com/hashicorp/vault/helper/namespace"
2015-03-18 19:17:03 +00:00
)
2018-09-18 03:03:00 +00:00
func mockPolicyWithCore(t *testing.T, disableCache bool) (*Core, *PolicyStore) {
conf := &CoreConfig{
DisableCache: disableCache,
}
core, _, _ := TestCoreUnsealedWithConfig(t, conf)
ps := core.policyStore
return core, ps
}
2015-03-24 18:27:21 +00:00
func TestPolicyStore_Root(t *testing.T) {
2018-09-18 03:03:00 +00:00
t.Run("root", func(t *testing.T) {
t.Parallel()
2015-03-24 18:27:21 +00:00
2018-09-18 03:03:00 +00:00
core, _, _ := TestCoreUnsealed(t)
ps := core.policyStore
testPolicyRoot(t, ps, namespace.RootNamespace, true)
})
}
func testPolicyRoot(t *testing.T, ps *PolicyStore, ns *namespace.Namespace, expectFound bool) {
2015-03-24 18:27:21 +00:00
// Get should return a special policy
2018-09-18 03:03:00 +00:00
ctx := namespace.ContextWithNamespace(context.Background(), ns)
p, err := ps.GetPolicy(ctx, "root", PolicyTypeToken)
2015-03-24 18:27:21 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
2018-09-18 03:03:00 +00:00
// Handle whether a root token is expected
if expectFound {
if p == nil {
t.Fatalf("bad: %v", p)
}
if p.Name != "root" {
t.Fatalf("bad: %v", p)
}
} else {
if p != nil {
t.Fatal("expected nil root policy")
}
// Create root policy for subsequent modification and deletion failure
// tests
p = &Policy{
Name: "root",
}
2015-03-24 18:27:21 +00:00
}
// Set should fail
2018-09-18 03:03:00 +00:00
ctx = namespace.ContextWithNamespace(context.Background(), ns)
err = ps.SetPolicy(ctx, p)
if err.Error() != `cannot update "root" policy` {
2015-03-24 18:27:21 +00:00
t.Fatalf("err: %v", err)
}
// Delete should fail
2018-09-18 03:03:00 +00:00
ctx = namespace.ContextWithNamespace(context.Background(), ns)
err = ps.DeletePolicy(ctx, "root", PolicyTypeACL)
if err.Error() != `cannot delete "root" policy` {
2015-03-24 18:27:21 +00:00
t.Fatalf("err: %v", err)
}
}
2015-03-18 19:17:03 +00:00
func TestPolicyStore_CRUD(t *testing.T) {
2018-09-18 03:03:00 +00:00
t.Run("root-ns", func(t *testing.T) {
t.Run("cached", func(t *testing.T) {
_, ps := mockPolicyWithCore(t, false)
testPolicyStoreCRUD(t, ps, namespace.RootNamespace)
})
2018-09-18 03:03:00 +00:00
t.Run("no-cache", func(t *testing.T) {
_, ps := mockPolicyWithCore(t, true)
testPolicyStoreCRUD(t, ps, namespace.RootNamespace)
})
})
}
2015-03-18 19:17:03 +00:00
2018-09-18 03:03:00 +00:00
func testPolicyStoreCRUD(t *testing.T, ps *PolicyStore, ns *namespace.Namespace) {
2015-03-18 19:17:03 +00:00
// Get should return nothing
2018-09-18 03:03:00 +00:00
ctx := namespace.ContextWithNamespace(context.Background(), ns)
p, err := ps.GetPolicy(ctx, "Dev", PolicyTypeToken)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if p != nil {
t.Fatalf("bad: %v", p)
}
// Delete should be no-op
2018-09-18 03:03:00 +00:00
ctx = namespace.ContextWithNamespace(context.Background(), ns)
err = ps.DeletePolicy(ctx, "deV", PolicyTypeACL)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// List should be blank
2018-09-18 03:03:00 +00:00
ctx = namespace.ContextWithNamespace(context.Background(), ns)
out, err := ps.ListPolicies(ctx, PolicyTypeACL)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
2018-09-18 03:03:00 +00:00
if len(out) != 1 {
2015-03-18 19:17:03 +00:00
t.Fatalf("bad: %v", out)
}
// Set should work
2018-09-18 03:03:00 +00:00
ctx = namespace.ContextWithNamespace(context.Background(), ns)
policy, _ := ParseACLPolicy(ns, aclPolicy)
err = ps.SetPolicy(ctx, policy)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Get should work
2018-09-18 03:03:00 +00:00
ctx = namespace.ContextWithNamespace(context.Background(), ns)
p, err = ps.GetPolicy(ctx, "dEv", PolicyTypeToken)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(p, policy) {
t.Fatalf("bad: %v", p)
}
2018-09-18 03:03:00 +00:00
// List should contain two elements
ctx = namespace.ContextWithNamespace(context.Background(), ns)
out, err = ps.ListPolicies(ctx, PolicyTypeACL)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
2018-09-18 03:03:00 +00:00
if len(out) != 2 {
2015-03-18 19:17:03 +00:00
t.Fatalf("bad: %v", out)
}
2018-09-18 03:03:00 +00:00
expected := []string{"default", "dev"}
if !reflect.DeepEqual(expected, out) {
t.Fatalf("expected: %v\ngot: %v", expected, out)
}
2015-03-18 19:17:03 +00:00
// Delete should be clear the entry
2018-09-18 03:03:00 +00:00
ctx = namespace.ContextWithNamespace(context.Background(), ns)
err = ps.DeletePolicy(ctx, "Dev", PolicyTypeACL)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
2018-09-18 03:03:00 +00:00
// List should contain one element
ctx = namespace.ContextWithNamespace(context.Background(), ns)
out, err = ps.ListPolicies(ctx, PolicyTypeACL)
if err != nil {
t.Fatalf("err: %v", err)
}
if len(out) != 1 || out[0] != "default" {
t.Fatalf("bad: %v", out)
}
2015-03-18 19:17:03 +00:00
// Get should fail
2018-09-18 03:03:00 +00:00
ctx = namespace.ContextWithNamespace(context.Background(), ns)
p, err = ps.GetPolicy(ctx, "deV", PolicyTypeToken)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if p != nil {
t.Fatalf("bad: %v", p)
}
}
func TestPolicyStore_Predefined(t *testing.T) {
2018-09-18 03:03:00 +00:00
t.Run("root-ns", func(t *testing.T) {
_, ps := mockPolicyWithCore(t, false)
testPolicyStorePredefined(t, ps, namespace.RootNamespace)
})
}
// Test predefined policy handling
func testPolicyStorePredefined(t *testing.T, ps *PolicyStore, ns *namespace.Namespace) {
// List should be two elements
2018-09-18 03:03:00 +00:00
ctx := namespace.ContextWithNamespace(context.Background(), ns)
out, err := ps.ListPolicies(ctx, PolicyTypeACL)
if err != nil {
t.Fatalf("err: %v", err)
}
2016-07-25 19:59:02 +00:00
// This shouldn't contain response-wrapping since it's non-assignable
if len(out) != 1 || out[0] != "default" {
t.Fatalf("bad: %v", out)
}
2018-09-18 03:03:00 +00:00
// Response-wrapping policy checks
ctx = namespace.ContextWithNamespace(context.Background(), ns)
pCubby, err := ps.GetPolicy(ctx, "response-wrapping", PolicyTypeToken)
if err != nil {
t.Fatalf("err: %v", err)
}
2017-10-23 18:59:37 +00:00
if pCubby == nil {
t.Fatal("nil cubby policy")
}
2016-09-29 04:01:28 +00:00
if pCubby.Raw != responseWrappingPolicy {
t.Fatalf("bad: expected\n%s\ngot\n%s\n", responseWrappingPolicy, pCubby.Raw)
}
2018-09-18 03:03:00 +00:00
ctx = namespace.ContextWithNamespace(context.Background(), ns)
err = ps.SetPolicy(ctx, pCubby)
if err == nil {
t.Fatalf("expected err setting %s", pCubby.Name)
}
2018-09-18 03:03:00 +00:00
ctx = namespace.ContextWithNamespace(context.Background(), ns)
err = ps.DeletePolicy(ctx, pCubby.Name, PolicyTypeACL)
if err == nil {
2018-09-18 03:03:00 +00:00
t.Fatalf("expected err deleting %s", pCubby.Name)
}
2018-09-18 03:03:00 +00:00
// Root policy checks, behavior depending on namespace
ctx = namespace.ContextWithNamespace(context.Background(), ns)
pRoot, err := ps.GetPolicy(ctx, "root", PolicyTypeToken)
if err != nil {
t.Fatalf("err: %v", err)
}
if ns == namespace.RootNamespace {
if pRoot == nil {
t.Fatal("nil root policy")
}
} else {
if pRoot != nil {
t.Fatal("expected nil root policy")
}
pRoot = &Policy{
Name: "root",
}
}
ctx = namespace.ContextWithNamespace(context.Background(), ns)
err = ps.SetPolicy(ctx, pRoot)
if err == nil {
2018-09-18 03:03:00 +00:00
t.Fatalf("expected err setting %s", pRoot.Name)
}
2018-09-18 03:03:00 +00:00
ctx = namespace.ContextWithNamespace(context.Background(), ns)
err = ps.DeletePolicy(ctx, pRoot.Name, PolicyTypeACL)
if err == nil {
t.Fatalf("expected err deleting %s", pRoot.Name)
}
}
2015-03-18 19:17:03 +00:00
func TestPolicyStore_ACL(t *testing.T) {
2018-09-18 03:03:00 +00:00
t.Run("root-ns", func(t *testing.T) {
_, ps := mockPolicyWithCore(t, false)
testPolicyStoreACL(t, ps, namespace.RootNamespace)
})
}
2015-03-18 19:17:03 +00:00
2018-09-18 03:03:00 +00:00
func testPolicyStoreACL(t *testing.T, ps *PolicyStore, ns *namespace.Namespace) {
ctx := namespace.ContextWithNamespace(context.Background(), ns)
policy, _ := ParseACLPolicy(ns, aclPolicy)
err := ps.SetPolicy(ctx, policy)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
2018-09-18 03:03:00 +00:00
ctx = namespace.ContextWithNamespace(context.Background(), ns)
policy, _ = ParseACLPolicy(ns, aclPolicy2)
err = ps.SetPolicy(ctx, policy)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
2018-09-18 03:03:00 +00:00
ctx = namespace.ContextWithNamespace(context.Background(), ns)
acl, err := ps.ACL(ctx, nil, map[string][]string{ns.ID: []string{"dev", "ops"}})
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
2018-09-18 03:03:00 +00:00
testLayeredACL(t, acl, ns)
2015-03-18 19:17:03 +00:00
}