luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
open-vault/vault/identity_store_test.go

625 lines
16 KiB
Go
Raw Normal View History

Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
package vault
import (
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
"context"
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
"testing"
"time"
Merge Identity Entities if two claim the same alias (#5075) * Merge Identity Entities if two claim the same alias Past bugs/race conditions meant two entities could be created each claiming the same alias. There are planned longer term fixes for this (outside of the race condition being fixed in 0.10.4) that involve changing the data model, but this is an immediate workaround that has the same net effect: if two entities claim the same alias, assume they were created due to this race condition and merge them. In this situation, also automatically merge policies so we don't lose e.g. RGPs.
2018-08-09 20:37:36 +00:00
"github.com/go-test/deep"
"github.com/golang/protobuf/ptypes"
Passthrough EntityID to backends (#4663) * passthrough entity id * address review feedback
2018-05-31 14:18:34 +00:00
uuid "github.com/hashicorp/go-uuid"
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
credGithub "github.com/hashicorp/vault/builtin/credential/github"
Merge Identity Entities if two claim the same alias (#5075) * Merge Identity Entities if two claim the same alias Past bugs/race conditions meant two entities could be created each claiming the same alias. There are planned longer term fixes for this (outside of the race condition being fixed in 0.10.4) that involve changing the data model, but this is an immediate workaround that has the same net effect: if two entities claim the same alias, assume they were created due to this race condition and merge them. In this situation, also automatically merge policies so we don't lose e.g. RGPs.
2018-08-09 20:37:36 +00:00
"github.com/hashicorp/vault/helper/identity"
The big one (#5346)
2018-09-18 03:03:00 +00:00
"github.com/hashicorp/vault/helper/namespace"
Merge Identity Entities if two claim the same alias (#5075) * Merge Identity Entities if two claim the same alias Past bugs/race conditions meant two entities could be created each claiming the same alias. There are planned longer term fixes for this (outside of the race condition being fixed in 0.10.4) that involve changing the data model, but this is an immediate workaround that has the same net effect: if two entities claim the same alias, assume they were created due to this race condition and merge them. In this situation, also automatically merge policies so we don't lose e.g. RGPs.
2018-08-09 20:37:36 +00:00
"github.com/hashicorp/vault/helper/storagepacker"
Create sdk/ and api/ submodules (#6583)
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/logical"
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
)
Merge entities during unseal only on the primary (#6075) * Merge entities during unseal only on the primary * Add another guard check * Add perf standby to the check * Make primary to not differ from case-insensitivity status w.r.t secondaries * Ensure mutual exclusivity between loading and invalidations * Both primary and secondaries won't persist during startup and invalidations * Allow primary to persist when loading case sensitively * Using core.perfStandby * Add a tweak in core for testing * Address review feedback * update memdb but not storage in secondaries * Wire all the things directly do mergeEntity * Fix persist behavior * Address review feedback
2019-02-08 21:32:06 +00:00
func TestIdentityStore_UnsealingWhenConflictingAliasNames(t *testing.T) {
err := AddTestCredentialBackend("github", credGithub.Factory)
if err != nil {
t.Fatalf("err: %s", err)
}
c, unsealKey, root := TestCoreUnsealed(t)
meGH := &MountEntry{
Table: credentialTableType,
Path: "github/",
Type: "github",
Description: "github auth",
}
err = c.enableCredential(namespace.RootContext(nil), meGH)
if err != nil {
t.Fatal(err)
}
alias := &identity.Alias{
ID: "alias1",
CanonicalID: "entity1",
MountType: "github",
MountAccessor: meGH.Accessor,
Name: "githubuser",
}
entity := &identity.Entity{
ID: "entity1",
Name: "name1",
Policies: []string{"foo", "bar"},
Aliases: []*identity.Alias{
alias,
},
NamespaceID: namespace.RootNamespaceID,
}
entity.BucketKeyHash = c.identityStore.entityPacker.BucketKeyHashByItemID(entity.ID)
err = c.identityStore.upsertEntity(namespace.RootContext(nil), entity, nil, true)
if err != nil {
t.Fatal(err)
}
alias2 := &identity.Alias{
ID: "alias2",
CanonicalID: "entity2",
MountType: "github",
MountAccessor: meGH.Accessor,
Name: "GITHUBUSER",
}
entity2 := &identity.Entity{
ID: "entity2",
Name: "name2",
Policies: []string{"foo", "bar"},
Aliases: []*identity.Alias{
alias2,
},
NamespaceID: namespace.RootNamespaceID,
}
entity2.BucketKeyHash = c.identityStore.entityPacker.BucketKeyHashByItemID(entity2.ID)
// Persist the second entity directly without the regular flow. This will skip
// merging of these enties.
entity2Any, err := ptypes.MarshalAny(entity2)
if err != nil {
t.Fatal(err)
}
item := &storagepacker.Item{
ID: entity2.ID,
Message: entity2Any,
}
Port over some SP v2 bits (#6516) * Port over some SP v2 bits Specifically: * Add too-large handling to Physical (Consul only for now) * Contextify some identity funcs * Update SP protos * Add size limiting to inmem storage
2019-05-01 17:47:41 +00:00
ctx := namespace.RootContext(nil)
if err = c.identityStore.entityPacker.PutItem(ctx, item); err != nil {
Merge entities during unseal only on the primary (#6075) * Merge entities during unseal only on the primary * Add another guard check * Add perf standby to the check * Make primary to not differ from case-insensitivity status w.r.t secondaries * Ensure mutual exclusivity between loading and invalidations * Both primary and secondaries won't persist during startup and invalidations * Allow primary to persist when loading case sensitively * Using core.perfStandby * Add a tweak in core for testing * Address review feedback * update memdb but not storage in secondaries * Wire all the things directly do mergeEntity * Fix persist behavior * Address review feedback
2019-02-08 21:32:06 +00:00
t.Fatal(err)
}
// Seal and ensure that unseal works
if err = c.Seal(root); err != nil {
t.Fatal(err)
}
var unsealed bool
for i := 0; i < 3; i++ {
unsealed, err = c.Unseal(unsealKey[i])
if err != nil {
t.Fatal(err)
}
}
if !unsealed {
t.Fatal("still sealed")
}
}
Passthrough EntityID to backends (#4663) * passthrough entity id * address review feedback
2018-05-31 14:18:34 +00:00
func TestIdentityStore_EntityIDPassthrough(t *testing.T) {
// Enable GitHub auth and initialize
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
ctx := namespace.RootContext(nil)
The big one (#5346)
2018-09-18 03:03:00 +00:00
is, ghAccessor, core := testIdentityStoreWithGithubAuth(ctx, t)
Passthrough EntityID to backends (#4663) * passthrough entity id * address review feedback
2018-05-31 14:18:34 +00:00
alias := &logical.Alias{
MountType: "github",
MountAccessor: ghAccessor,
Name: "githubuser",
}
// Create an entity with GitHub alias
The big one (#5346)
2018-09-18 03:03:00 +00:00
entity, err := is.CreateOrFetchEntity(ctx, alias)
Passthrough EntityID to backends (#4663) * passthrough entity id * address review feedback
2018-05-31 14:18:34 +00:00
if err != nil {
t.Fatal(err)
}
if entity == nil {
t.Fatalf("expected a non-nil entity")
}
// Create a token with the above created entity set on it
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent := &logical.TokenEntry{
Passthrough EntityID to backends (#4663) * passthrough entity id * address review feedback
2018-05-31 14:18:34 +00:00
ID: "testtokenid",
Path: "test",
Policies: []string{"root"},
CreationTime: time.Now().Unix(),
EntityID: entity.ID,
The big one (#5346)
2018-09-18 03:03:00 +00:00
NamespaceID: namespace.RootNamespaceID,
Passthrough EntityID to backends (#4663) * passthrough entity id * address review feedback
2018-05-31 14:18:34 +00:00
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
if err := core.tokenStore.create(ctx, ent); err != nil {
Passthrough EntityID to backends (#4663) * passthrough entity id * address review feedback
2018-05-31 14:18:34 +00:00
t.Fatalf("err: %s", err)
}
// Set a request handler to the noop backend which responds with the entity
// ID received in the request object
requestHandler := func(ctx context.Context, req *logical.Request) (*logical.Response, error) {
return &logical.Response{
Data: map[string]interface{}{
"entity_id": req.EntityID,
},
}, nil
}
noop := &NoopBackend{
RequestHandler: requestHandler,
}
// Mount the noop backend
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "logical/")
meUUID, err := uuid.GenerateUUID()
if err != nil {
t.Fatal(err)
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
err = core.router.Mount(noop, "test/backend/", &MountEntry{Path: "test/backend/", Type: "noop", UUID: meUUID, Accessor: "noop-accessor", namespace: namespace.RootNamespace}, view)
Passthrough EntityID to backends (#4663) * passthrough entity id * address review feedback
2018-05-31 14:18:34 +00:00
if err != nil {
t.Fatal(err)
}
// Make the request with the above created token
The big one (#5346)
2018-09-18 03:03:00 +00:00
resp, err := core.HandleRequest(ctx, &logical.Request{
Passthrough EntityID to backends (#4663) * passthrough entity id * address review feedback
2018-05-31 14:18:34 +00:00
ClientToken: "testtokenid",
Operation: logical.ReadOperation,
Path: "test/backend/foo",
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\n err: %v", resp, err)
}
// Expected entity ID to be in the response
if resp.Data["entity_id"] != entity.ID {
t.Fatalf("expected entity ID to be passed through to the backend")
}
}
AppRole/Identity: Fix for race when creating an entity during login (#3932) * possible fix for race in approle login while creating entity * Add a test that hits the login request concurrently * address review comments
2018-02-09 15:40:56 +00:00
func TestIdentityStore_CreateOrFetchEntity(t *testing.T) {
The big one (#5346)
2018-09-18 03:03:00 +00:00
ctx := namespace.RootContext(nil)
is, ghAccessor, _ := testIdentityStoreWithGithubAuth(ctx, t)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
alias := &logical.Alias{
MountType: "github",
MountAccessor: ghAccessor,
Name: "githubuser",
Update existing alias metadata during authentication (#6068)
2019-01-23 16:26:50 +00:00
Metadata: map[string]string{
"foo": "a",
},
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
entity, err := is.CreateOrFetchEntity(ctx, alias)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
if err != nil {
t.Fatal(err)
}
if entity == nil {
t.Fatalf("expected a non-nil entity")
}
if len(entity.Aliases) != 1 {
t.Fatalf("bad: length of aliases; expected: 1, actual: %d", len(entity.Aliases))
}
if entity.Aliases[0].Name != alias.Name {
t.Fatalf("bad: alias name; expected: %q, actual: %q", alias.Name, entity.Aliases[0].Name)
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
entity, err = is.CreateOrFetchEntity(ctx, alias)
AppRole/Identity: Fix for race when creating an entity during login (#3932) * possible fix for race in approle login while creating entity * Add a test that hits the login request concurrently * address review comments
2018-02-09 15:40:56 +00:00
if err != nil {
t.Fatal(err)
}
if entity == nil {
t.Fatalf("expected a non-nil entity")
}
if len(entity.Aliases) != 1 {
t.Fatalf("bad: length of aliases; expected: 1, actual: %d", len(entity.Aliases))
}
if entity.Aliases[0].Name != alias.Name {
t.Fatalf("bad: alias name; expected: %q, actual: %q", alias.Name, entity.Aliases[0].Name)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
}
Update existing alias metadata during authentication (#6068)
2019-01-23 16:26:50 +00:00
if diff := deep.Equal(entity.Aliases[0].Metadata, map[string]string{"foo": "a"}); diff != nil {
t.Fatal(diff)
}
// Add a new alias to the entity and verify its existence
registerReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "entity-alias",
Data: map[string]interface{}{
"name": "githubuser2",
"canonical_id": entity.ID,
"mount_accessor": ghAccessor,
},
}
resp, err := is.HandleRequest(ctx, registerReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
entity, err = is.CreateOrFetchEntity(ctx, alias)
if err != nil {
t.Fatal(err)
}
if entity == nil {
t.Fatalf("expected a non-nil entity")
}
if len(entity.Aliases) != 2 {
t.Fatalf("bad: length of aliases; expected: 2, actual: %d", len(entity.Aliases))
}
if entity.Aliases[1].Name != "githubuser2" {
t.Fatalf("bad: alias name; expected: %q, actual: %q", alias.Name, "githubuser2")
}
if diff := deep.Equal(entity.Aliases[1].Metadata, map[string]string(nil)); diff != nil {
t.Fatal(diff)
}
// Change the metadata of an existing alias and verify that
// a the change takes effect only for the target alias.
alias.Metadata = map[string]string{
"foo": "zzzz",
}
entity, err = is.CreateOrFetchEntity(ctx, alias)
if err != nil {
t.Fatal(err)
}
if entity == nil {
t.Fatalf("expected a non-nil entity")
}
if len(entity.Aliases) != 2 {
t.Fatalf("bad: length of aliases; expected: 2, actual: %d", len(entity.Aliases))
}
if diff := deep.Equal(entity.Aliases[0].Metadata, map[string]string{"foo": "zzzz"}); diff != nil {
t.Fatal(diff)
}
if diff := deep.Equal(entity.Aliases[1].Metadata, map[string]string(nil)); diff != nil {
t.Fatal(diff)
}
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
}
func TestIdentityStore_EntityByAliasFactors(t *testing.T) {
var err error
var resp *logical.Response
The big one (#5346)
2018-09-18 03:03:00 +00:00
ctx := namespace.RootContext(nil)
is, ghAccessor, _ := testIdentityStoreWithGithubAuth(ctx, t)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
registerData := map[string]interface{}{
"name": "testentityname",
"metadata": []string{"someusefulkey=someusefulvalue"},
"policies": []string{"testpolicy1", "testpolicy2"},
}
registerReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "entity",
Data: registerData,
}
// Register the entity
The big one (#5346)
2018-09-18 03:03:00 +00:00
resp, err = is.HandleRequest(ctx, registerReq)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
idRaw, ok := resp.Data["id"]
if !ok {
t.Fatalf("entity id not present in response")
}
entityID := idRaw.(string)
if entityID == "" {
t.Fatalf("invalid entity id")
}
aliasData := map[string]interface{}{
"entity_id": entityID,
"name": "alias_name",
"mount_accessor": ghAccessor,
}
aliasReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "alias",
Data: aliasData,
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
resp, err = is.HandleRequest(ctx, aliasReq)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
if resp == nil {
t.Fatalf("expected a non-nil response")
}
External identity groups (#3447) * external identity groups * add local LDAP groups as well to group aliases * add group aliases for okta credential backend * Fix panic in tests * fix build failure * remove duplicated struct tag * add test steps to test out removal of group member during renewals * Add comment for having a prefix check in router * fix tests * s/parent_id/canonical_id * s/parent/canonical in comments and errors
2017-11-02 20:05:48 +00:00
entity, err := is.entityByAliasFactors(ghAccessor, "alias_name", false)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
if err != nil {
t.Fatal(err)
}
if entity == nil {
t.Fatalf("expected a non-nil entity")
}
if entity.ID != entityID {
t.Fatalf("bad: entity ID; expected: %q actual: %q", entityID, entity.ID)
}
}
func TestIdentityStore_WrapInfoInheritance(t *testing.T) {
var err error
var resp *logical.Response
The big one (#5346)
2018-09-18 03:03:00 +00:00
ctx := namespace.RootContext(nil)
core, is, ts, _ := testCoreWithIdentityTokenGithub(ctx, t)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
registerData := map[string]interface{}{
"name": "testentityname",
"metadata": []string{"someusefulkey=someusefulvalue"},
"policies": []string{"testpolicy1", "testpolicy2"},
}
registerReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "entity",
Data: registerData,
}
// Register the entity
The big one (#5346)
2018-09-18 03:03:00 +00:00
resp, err = is.HandleRequest(ctx, registerReq)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%#v", err, resp)
}
idRaw, ok := resp.Data["id"]
if !ok {
t.Fatalf("entity id not present in response")
}
entityID := idRaw.(string)
if entityID == "" {
t.Fatalf("invalid entity id")
}
// Create a token which has EntityID set and has update permissions to
// sys/wrapping/wrap
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
te := &logical.TokenEntry{
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
Path: "test",
Policies: []string{"default", responseWrappingPolicyName},
EntityID: entityID,
Offline token revocation fix
2018-06-03 22:14:51 +00:00
TTL: time.Hour,
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, te)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
wrapReq := &logical.Request{
Path: "sys/wrapping/wrap",
ClientToken: te.ID,
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"foo": "bar",
},
WrapInfo: &logical.RequestWrapInfo{
TTL: time.Duration(5 * time.Second),
},
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
resp, err = core.HandleRequest(ctx, wrapReq)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v, err: %v", resp, err)
}
if resp.WrapInfo == nil {
t.Fatalf("expected a non-nil WrapInfo")
}
if resp.WrapInfo.WrappedEntityID != entityID {
t.Fatalf("bad: WrapInfo in response not having proper entity ID set; expected: %q, actual:%q", entityID, resp.WrapInfo.WrappedEntityID)
}
}
func TestIdentityStore_TokenEntityInheritance(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, _ := TestCoreUnsealed(t)
ts := c.tokenStore
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
// Create a token which has EntityID set
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
te := &logical.TokenEntry{
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
Path: "test",
Policies: []string{"dev", "prod"},
EntityID: "testentityid",
Offline token revocation fix
2018-06-03 22:14:51 +00:00
TTL: time.Hour,
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, te)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
// Create a child token; this should inherit the EntityID
tokenReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "create",
ClientToken: te.ID,
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
ctx := namespace.RootContext(nil)
resp, err := ts.HandleRequest(ctx, tokenReq)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v err: %v", err, resp)
}
if resp.Auth.EntityID != te.EntityID {
t.Fatalf("bad: entity ID; expected: %v, actual: %v", te.EntityID, resp.Auth.EntityID)
}
// Create an orphan token; this should not inherit the EntityID
tokenReq.Path = "create-orphan"
The big one (#5346)
2018-09-18 03:03:00 +00:00
resp, err = ts.HandleRequest(ctx, tokenReq)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v err: %v", err, resp)
}
if resp.Auth.EntityID != "" {
t.Fatalf("expected entity ID to be not set")
}
}
Merge Identity Entities if two claim the same alias (#5075) * Merge Identity Entities if two claim the same alias Past bugs/race conditions meant two entities could be created each claiming the same alias. There are planned longer term fixes for this (outside of the race condition being fixed in 0.10.4) that involve changing the data model, but this is an immediate workaround that has the same net effect: if two entities claim the same alias, assume they were created due to this race condition and merge them. In this situation, also automatically merge policies so we don't lose e.g. RGPs.
2018-08-09 20:37:36 +00:00
func TestIdentityStore_MergeConflictingAliases(t *testing.T) {
err := AddTestCredentialBackend("github", credGithub.Factory)
if err != nil {
t.Fatalf("err: %s", err)
}
Merge entities during unseal only on the primary (#6075) * Merge entities during unseal only on the primary * Add another guard check * Add perf standby to the check * Make primary to not differ from case-insensitivity status w.r.t secondaries * Ensure mutual exclusivity between loading and invalidations * Both primary and secondaries won't persist during startup and invalidations * Allow primary to persist when loading case sensitively * Using core.perfStandby * Add a tweak in core for testing * Address review feedback * update memdb but not storage in secondaries * Wire all the things directly do mergeEntity * Fix persist behavior * Address review feedback
2019-02-08 21:32:06 +00:00
c, _, _ := TestCoreUnsealed(t)
Merge Identity Entities if two claim the same alias (#5075) * Merge Identity Entities if two claim the same alias Past bugs/race conditions meant two entities could be created each claiming the same alias. There are planned longer term fixes for this (outside of the race condition being fixed in 0.10.4) that involve changing the data model, but this is an immediate workaround that has the same net effect: if two entities claim the same alias, assume they were created due to this race condition and merge them. In this situation, also automatically merge policies so we don't lose e.g. RGPs.
2018-08-09 20:37:36 +00:00
meGH := &MountEntry{
Table: credentialTableType,
Path: "github/",
Type: "github",
Description: "github auth",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = c.enableCredential(namespace.RootContext(nil), meGH)
Merge Identity Entities if two claim the same alias (#5075) * Merge Identity Entities if two claim the same alias Past bugs/race conditions meant two entities could be created each claiming the same alias. There are planned longer term fixes for this (outside of the race condition being fixed in 0.10.4) that involve changing the data model, but this is an immediate workaround that has the same net effect: if two entities claim the same alias, assume they were created due to this race condition and merge them. In this situation, also automatically merge policies so we don't lose e.g. RGPs.
2018-08-09 20:37:36 +00:00
if err != nil {
t.Fatal(err)
}
alias := &identity.Alias{
ID: "alias1",
CanonicalID: "entity1",
MountType: "github",
MountAccessor: meGH.Accessor,
Name: "githubuser",
}
entity := &identity.Entity{
ID: "entity1",
Name: "name1",
Policies: []string{"foo", "bar"},
Aliases: []*identity.Alias{
alias,
},
Merge entities during unseal only on the primary (#6075) * Merge entities during unseal only on the primary * Add another guard check * Add perf standby to the check * Make primary to not differ from case-insensitivity status w.r.t secondaries * Ensure mutual exclusivity between loading and invalidations * Both primary and secondaries won't persist during startup and invalidations * Allow primary to persist when loading case sensitively * Using core.perfStandby * Add a tweak in core for testing * Address review feedback * update memdb but not storage in secondaries * Wire all the things directly do mergeEntity * Fix persist behavior * Address review feedback
2019-02-08 21:32:06 +00:00
NamespaceID: namespace.RootNamespaceID,
Merge Identity Entities if two claim the same alias (#5075) * Merge Identity Entities if two claim the same alias Past bugs/race conditions meant two entities could be created each claiming the same alias. There are planned longer term fixes for this (outside of the race condition being fixed in 0.10.4) that involve changing the data model, but this is an immediate workaround that has the same net effect: if two entities claim the same alias, assume they were created due to this race condition and merge them. In this situation, also automatically merge policies so we don't lose e.g. RGPs.
2018-08-09 20:37:36 +00:00
}
entity.BucketKeyHash = c.identityStore.entityPacker.BucketKeyHashByItemID(entity.ID)
Merge entities during unseal only on the primary (#6075) * Merge entities during unseal only on the primary * Add another guard check * Add perf standby to the check * Make primary to not differ from case-insensitivity status w.r.t secondaries * Ensure mutual exclusivity between loading and invalidations * Both primary and secondaries won't persist during startup and invalidations * Allow primary to persist when loading case sensitively * Using core.perfStandby * Add a tweak in core for testing * Address review feedback * update memdb but not storage in secondaries * Wire all the things directly do mergeEntity * Fix persist behavior * Address review feedback
2019-02-08 21:32:06 +00:00
err = c.identityStore.upsertEntity(namespace.RootContext(nil), entity, nil, true)
Merge Identity Entities if two claim the same alias (#5075) * Merge Identity Entities if two claim the same alias Past bugs/race conditions meant two entities could be created each claiming the same alias. There are planned longer term fixes for this (outside of the race condition being fixed in 0.10.4) that involve changing the data model, but this is an immediate workaround that has the same net effect: if two entities claim the same alias, assume they were created due to this race condition and merge them. In this situation, also automatically merge policies so we don't lose e.g. RGPs.
2018-08-09 20:37:36 +00:00
if err != nil {
t.Fatal(err)
}
Merge entities during unseal only on the primary (#6075) * Merge entities during unseal only on the primary * Add another guard check * Add perf standby to the check * Make primary to not differ from case-insensitivity status w.r.t secondaries * Ensure mutual exclusivity between loading and invalidations * Both primary and secondaries won't persist during startup and invalidations * Allow primary to persist when loading case sensitively * Using core.perfStandby * Add a tweak in core for testing * Address review feedback * update memdb but not storage in secondaries * Wire all the things directly do mergeEntity * Fix persist behavior * Address review feedback
2019-02-08 21:32:06 +00:00
alias2 := &identity.Alias{
ID: "alias2",
CanonicalID: "entity2",
MountType: "github",
MountAccessor: meGH.Accessor,
Name: "githubuser",
Merge Identity Entities if two claim the same alias (#5075) * Merge Identity Entities if two claim the same alias Past bugs/race conditions meant two entities could be created each claiming the same alias. There are planned longer term fixes for this (outside of the race condition being fixed in 0.10.4) that involve changing the data model, but this is an immediate workaround that has the same net effect: if two entities claim the same alias, assume they were created due to this race condition and merge them. In this situation, also automatically merge policies so we don't lose e.g. RGPs.
2018-08-09 20:37:36 +00:00
}
Merge entities during unseal only on the primary (#6075) * Merge entities during unseal only on the primary * Add another guard check * Add perf standby to the check * Make primary to not differ from case-insensitivity status w.r.t secondaries * Ensure mutual exclusivity between loading and invalidations * Both primary and secondaries won't persist during startup and invalidations * Allow primary to persist when loading case sensitively * Using core.perfStandby * Add a tweak in core for testing * Address review feedback * update memdb but not storage in secondaries * Wire all the things directly do mergeEntity * Fix persist behavior * Address review feedback
2019-02-08 21:32:06 +00:00
entity2 := &identity.Entity{
ID: "entity2",
Name: "name2",
Policies: []string{"bar", "baz"},
Aliases: []*identity.Alias{
alias2,
},
NamespaceID: namespace.RootNamespaceID,
Merge Identity Entities if two claim the same alias (#5075) * Merge Identity Entities if two claim the same alias Past bugs/race conditions meant two entities could be created each claiming the same alias. There are planned longer term fixes for this (outside of the race condition being fixed in 0.10.4) that involve changing the data model, but this is an immediate workaround that has the same net effect: if two entities claim the same alias, assume they were created due to this race condition and merge them. In this situation, also automatically merge policies so we don't lose e.g. RGPs.
2018-08-09 20:37:36 +00:00
}
Merge entities during unseal only on the primary (#6075) * Merge entities during unseal only on the primary * Add another guard check * Add perf standby to the check * Make primary to not differ from case-insensitivity status w.r.t secondaries * Ensure mutual exclusivity between loading and invalidations * Both primary and secondaries won't persist during startup and invalidations * Allow primary to persist when loading case sensitively * Using core.perfStandby * Add a tweak in core for testing * Address review feedback * update memdb but not storage in secondaries * Wire all the things directly do mergeEntity * Fix persist behavior * Address review feedback
2019-02-08 21:32:06 +00:00
entity2.BucketKeyHash = c.identityStore.entityPacker.BucketKeyHashByItemID(entity2.ID)
Merge Identity Entities if two claim the same alias (#5075) * Merge Identity Entities if two claim the same alias Past bugs/race conditions meant two entities could be created each claiming the same alias. There are planned longer term fixes for this (outside of the race condition being fixed in 0.10.4) that involve changing the data model, but this is an immediate workaround that has the same net effect: if two entities claim the same alias, assume they were created due to this race condition and merge them. In this situation, also automatically merge policies so we don't lose e.g. RGPs.
2018-08-09 20:37:36 +00:00
Merge entities during unseal only on the primary (#6075) * Merge entities during unseal only on the primary * Add another guard check * Add perf standby to the check * Make primary to not differ from case-insensitivity status w.r.t secondaries * Ensure mutual exclusivity between loading and invalidations * Both primary and secondaries won't persist during startup and invalidations * Allow primary to persist when loading case sensitively * Using core.perfStandby * Add a tweak in core for testing * Address review feedback * update memdb but not storage in secondaries * Wire all the things directly do mergeEntity * Fix persist behavior * Address review feedback
2019-02-08 21:32:06 +00:00
err = c.identityStore.upsertEntity(namespace.RootContext(nil), entity2, nil, true)
if err != nil {
t.Fatal(err)
Merge Identity Entities if two claim the same alias (#5075) * Merge Identity Entities if two claim the same alias Past bugs/race conditions meant two entities could be created each claiming the same alias. There are planned longer term fixes for this (outside of the race condition being fixed in 0.10.4) that involve changing the data model, but this is an immediate workaround that has the same net effect: if two entities claim the same alias, assume they were created due to this race condition and merge them. In this situation, also automatically merge policies so we don't lose e.g. RGPs.
2018-08-09 20:37:36 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
newEntity, err := c.identityStore.CreateOrFetchEntity(namespace.RootContext(nil), &logical.Alias{
Merge Identity Entities if two claim the same alias (#5075) * Merge Identity Entities if two claim the same alias Past bugs/race conditions meant two entities could be created each claiming the same alias. There are planned longer term fixes for this (outside of the race condition being fixed in 0.10.4) that involve changing the data model, but this is an immediate workaround that has the same net effect: if two entities claim the same alias, assume they were created due to this race condition and merge them. In this situation, also automatically merge policies so we don't lose e.g. RGPs.
2018-08-09 20:37:36 +00:00
MountAccessor: meGH.Accessor,
MountType: "github",
Name: "githubuser",
})
if err != nil {
t.Fatal(err)
}
if newEntity == nil {
t.Fatal("nil new entity")
}
entityToUse := "entity1"
if newEntity.ID == "entity1" {
entityToUse = "entity2"
}
if len(newEntity.MergedEntityIDs) != 1 || newEntity.MergedEntityIDs[0] != entityToUse {
t.Fatalf("bad merged entity ids: %v", newEntity.MergedEntityIDs)
}
if diff := deep.Equal(newEntity.Policies, []string{"bar", "baz", "foo"}); diff != nil {
t.Fatal(diff)
}
newEntity, err = c.identityStore.MemDBEntityByID(entityToUse, false)
if err != nil {
t.Fatal(err)
}
if newEntity != nil {
t.Fatal("got a non-nil entity")
}
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
func testCoreWithIdentityTokenGithub(ctx context.Context, t *testing.T) (*Core, *IdentityStore, *TokenStore, string) {
is, ghAccessor, core := testIdentityStoreWithGithubAuth(ctx, t)
Offline token revocation fix
2018-06-03 22:14:51 +00:00
return core, is, core.tokenStore, ghAccessor
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
func testCoreWithIdentityTokenGithubRoot(ctx context.Context, t *testing.T) (*Core, *IdentityStore, *TokenStore, string, string) {
is, ghAccessor, core, root := testIdentityStoreWithGithubAuthRoot(ctx, t)
Offline token revocation fix
2018-06-03 22:14:51 +00:00
return core, is, core.tokenStore, ghAccessor, root
Port over bits (#3575)
2017-11-13 20:31:32 +00:00
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
func testIdentityStoreWithGithubAuth(ctx context.Context, t *testing.T) (*IdentityStore, string, *Core) {
is, ghA, c, _ := testIdentityStoreWithGithubAuthRoot(ctx, t)
Port over bits (#3575)
2017-11-13 20:31:32 +00:00
return is, ghA, c
}
disallow token use if entity is invalid (#4791)
2018-06-19 16:57:19 +00:00
// testIdentityStoreWithGithubAuthRoot returns an instance of identity store
// which is mounted by default. This function also enables the github auth
// backend to assist with testing aliases and entities that require an valid
// mount accessor of an auth backend.
The big one (#5346)
2018-09-18 03:03:00 +00:00
func testIdentityStoreWithGithubAuthRoot(ctx context.Context, t *testing.T) (*IdentityStore, string, *Core, string) {
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
// Add github credential factory to core config
err := AddTestCredentialBackend("github", credGithub.Factory)
if err != nil {
t.Fatalf("err: %s", err)
}
Port over bits (#3575)
2017-11-13 20:31:32 +00:00
c, _, root := TestCoreUnsealed(t)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
meGH := &MountEntry{
Table: credentialTableType,
Path: "github/",
Type: "github",
Description: "github auth",
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
err = c.enableCredential(ctx, meGH)
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
if err != nil {
t.Fatal(err)
}
disallow token use if entity is invalid (#4791)
2018-06-19 16:57:19 +00:00
return c.identityStore, meGH.Accessor, c, root
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
}
func TestIdentityStore_MetadataKeyRegex(t *testing.T) {
key := "validVALID012_-=+/"
if !metaKeyFormatRegEx(key) {
t.Fatal("failed to accept valid metadata key")
}
key = "a:b"
if metaKeyFormatRegEx(key) {
t.Fatal("accepted invalid metadata key")
}
}