2015-03-18 19:17:03 +00:00
|
|
|
package vault
|
|
|
|
|
|
|
|
import (
|
|
|
|
"reflect"
|
|
|
|
"testing"
|
2015-07-06 01:14:15 +00:00
|
|
|
|
|
|
|
"github.com/hashicorp/vault/logical"
|
2015-03-18 19:17:03 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func mockPolicyStore(t *testing.T) *PolicyStore {
|
|
|
|
_, barrier, _ := mockBarrier(t)
|
|
|
|
view := NewBarrierView(barrier, "foo/")
|
2016-04-21 13:52:42 +00:00
|
|
|
p := NewPolicyStore(view, logical.TestSystemView())
|
|
|
|
return p
|
|
|
|
}
|
|
|
|
|
|
|
|
func mockPolicyStoreNoCache(t *testing.T) *PolicyStore {
|
|
|
|
sysView := logical.TestSystemView()
|
2016-04-21 20:32:06 +00:00
|
|
|
sysView.CachingDisabledVal = true
|
2016-04-21 13:52:42 +00:00
|
|
|
_, barrier, _ := mockBarrier(t)
|
|
|
|
view := NewBarrierView(barrier, "foo/")
|
|
|
|
p := NewPolicyStore(view, sysView)
|
2015-03-18 19:17:03 +00:00
|
|
|
return p
|
|
|
|
}
|
|
|
|
|
2015-03-24 18:27:21 +00:00
|
|
|
func TestPolicyStore_Root(t *testing.T) {
|
|
|
|
ps := mockPolicyStore(t)
|
|
|
|
|
|
|
|
// Get should return a special policy
|
|
|
|
p, err := ps.GetPolicy("root")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if p == nil {
|
|
|
|
t.Fatalf("bad: %v", p)
|
|
|
|
}
|
|
|
|
if p.Name != "root" {
|
|
|
|
t.Fatalf("bad: %v", p)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set should fail
|
|
|
|
err = ps.SetPolicy(p)
|
|
|
|
if err.Error() != "cannot update root policy" {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Delete should fail
|
|
|
|
err = ps.DeletePolicy("root")
|
|
|
|
if err.Error() != "cannot delete root policy" {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-18 19:17:03 +00:00
|
|
|
func TestPolicyStore_CRUD(t *testing.T) {
|
|
|
|
ps := mockPolicyStore(t)
|
2016-04-21 13:52:42 +00:00
|
|
|
testPolicyStore_CRUD(t, ps)
|
|
|
|
|
|
|
|
ps = mockPolicyStoreNoCache(t)
|
|
|
|
testPolicyStore_CRUD(t, ps)
|
|
|
|
}
|
2015-03-18 19:17:03 +00:00
|
|
|
|
2016-04-21 13:52:42 +00:00
|
|
|
func testPolicyStore_CRUD(t *testing.T, ps *PolicyStore) {
|
2015-03-18 19:17:03 +00:00
|
|
|
// Get should return nothing
|
|
|
|
p, err := ps.GetPolicy("dev")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if p != nil {
|
|
|
|
t.Fatalf("bad: %v", p)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Delete should be no-op
|
|
|
|
err = ps.DeletePolicy("dev")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// List should be blank
|
|
|
|
out, err := ps.ListPolicies()
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if len(out) != 0 {
|
|
|
|
t.Fatalf("bad: %v", out)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set should work
|
|
|
|
policy, _ := Parse(aclPolicy)
|
|
|
|
err = ps.SetPolicy(policy)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get should work
|
|
|
|
p, err = ps.GetPolicy("dev")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(p, policy) {
|
|
|
|
t.Fatalf("bad: %v", p)
|
|
|
|
}
|
|
|
|
|
|
|
|
// List should be one element
|
|
|
|
out, err = ps.ListPolicies()
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if len(out) != 1 || out[0] != "dev" {
|
|
|
|
t.Fatalf("bad: %v", out)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Delete should be clear the entry
|
|
|
|
err = ps.DeletePolicy("dev")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get should fail
|
|
|
|
p, err = ps.GetPolicy("dev")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if p != nil {
|
|
|
|
t.Fatalf("bad: %v", p)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-05-02 04:08:07 +00:00
|
|
|
// Test predefined policy handling
|
|
|
|
func TestPolicyStore_Predefined(t *testing.T) {
|
|
|
|
core, _, _ := TestCoreUnsealed(t)
|
|
|
|
// Ensure both default policies are created
|
|
|
|
err := core.setupPolicyStore()
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
// List should be two elements
|
|
|
|
out, err := core.policyStore.ListPolicies()
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if len(out) != 2 || out[0] != "cubbyhole-response-wrapping" || out[1] != "default" {
|
|
|
|
t.Fatalf("bad: %v", out)
|
|
|
|
}
|
|
|
|
|
|
|
|
p, err := core.policyStore.GetPolicy("cubbyhole-response-wrapping")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if p.Raw != cubbyholeResponseWrappingPolicy {
|
|
|
|
t.Fatalf("bad: expected\n%s\ngot\n%s\n", cubbyholeResponseWrappingPolicy, p.Raw)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-18 19:17:03 +00:00
|
|
|
func TestPolicyStore_ACL(t *testing.T) {
|
|
|
|
ps := mockPolicyStore(t)
|
|
|
|
|
|
|
|
policy, _ := Parse(aclPolicy)
|
|
|
|
err := ps.SetPolicy(policy)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
policy, _ = Parse(aclPolicy2)
|
|
|
|
err = ps.SetPolicy(policy)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
acl, err := ps.ACL("dev", "ops")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
testLayeredACL(t, acl)
|
|
|
|
}
|
2015-07-06 01:14:15 +00:00
|
|
|
|
|
|
|
func TestPolicyStore_v1Upgrade(t *testing.T) {
|
|
|
|
ps := mockPolicyStore(t)
|
|
|
|
|
|
|
|
// Put a V1 record
|
|
|
|
raw := `path "foo" { policy = "read" }`
|
2015-09-27 04:17:15 +00:00
|
|
|
ps.view.Put(&logical.StorageEntry{Key: "old", Value: []byte(raw)})
|
2015-07-06 01:14:15 +00:00
|
|
|
|
|
|
|
// Do a read
|
|
|
|
p, err := ps.GetPolicy("old")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if p == nil || len(p.Paths) != 1 {
|
|
|
|
t.Fatalf("bad policy: %#v", p)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check that glob is enabled
|
|
|
|
if !p.Paths[0].Glob {
|
|
|
|
t.Fatalf("should enable glob")
|
|
|
|
}
|
|
|
|
}
|