open-vault/vault/policy_test.go

package vault

import (
	"reflect"
	"strings"
	"testing"
)

var rawPolicy = strings.TrimSpace(`
# Developer policy
name = "dev"

# Deny all paths by default
path "*" {
	policy = "deny"
}

# Allow full access to staging
path "stage/*" {
	policy = "sudo"
}

# Limited read privilege to production
path "prod/version" {
	policy = "read"
}

# Read access to foobar
# Also tests stripping of leading slash
path "/foo/bar" {
	policy = "read"
}

# Add capabilities for creation and sudo to foobar
# This will be separate; they are combined when compiled into an ACL
path "foo/bar" {
	capabilities = ["create", "sudo"]
}

# Check that only allowed_parameters are being added to foobar
path "foo/bar" {
	capabilities = ["create", "sudo"]
	permissions = {
	  allowed_parameters = {
	    "zip" = []
	    "zap" = []
	  }
	}
}

# Check that only denied_parameters are being added to bazbar
path "baz/bar" {
	capabilities = ["create", "sudo"]
	permissions = {
	  denied_parameters = {
	    "zip" = []
	    "zap" = []
	  }
	}
}

# Check that both allowed and denied parameters are being added to bizbar
path "biz/bar" {
	capabilities = ["create", "sudo"]
	permissions = {
	  allowed_parameters = {
	    "zim" = []
	    "zam" = []
	  }
	  denied_parameters = {
	    "zip" = []
	    "zap" = []
	  }
	}
}
path "test/types" {
	capabilities = ["create", "sudo"]
	permissions = {
		allowed_parameters = {
			"map" = [{"good" = "one"}]
			"int" = [1, 2]
		}
		denied_parameters = {
			"string" = ["test"]
			"bool" = [false]
		}
	}
}
`)

func TestPolicy_Parse(t *testing.T) {
	p, err := Parse(rawPolicy)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	if p.Name != "dev" {
		t.Fatalf("bad name: %q", p.Name)
	}

	expect := []*PathCapabilities{
		&PathCapabilities{"", "deny",
			[]string{
				"deny",
			},
			&Permissions{CapabilitiesBitmap: DenyCapabilityInt},
			true,
		},
		&PathCapabilities{"stage/", "sudo",
			[]string{
				"create",
				"read",
				"update",
				"delete",
				"list",
				"sudo",
			},
			&Permissions{
				CapabilitiesBitmap: (CreateCapabilityInt | ReadCapabilityInt | UpdateCapabilityInt | DeleteCapabilityInt | ListCapabilityInt | SudoCapabilityInt),
			},
			true,
		},
		&PathCapabilities{"prod/version", "read",
			[]string{
				"read",
				"list",
			},
			&Permissions{CapabilitiesBitmap: (ReadCapabilityInt | ListCapabilityInt)},
			false,
		},
		&PathCapabilities{"foo/bar", "read",
			[]string{
				"read",
				"list",
			},
			&Permissions{CapabilitiesBitmap: (ReadCapabilityInt | ListCapabilityInt)},
			false,
		},
		&PathCapabilities{"foo/bar", "",
			[]string{
				"create",
				"sudo",
			},
			&Permissions{CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt)},
			false,
		},
		&PathCapabilities{"foo/bar", "",
			[]string{
				"create",
				"sudo",
			},
			&Permissions{
				CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt),
				AllowedParameters:  map[string][]interface{}{"zip": {}, "zap": {}},
			},
			false,
		},
		&PathCapabilities{"baz/bar", "",
			[]string{
				"create",
				"sudo",
			},
			&Permissions{
				CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt),
				DeniedParameters:   map[string][]interface{}{"zip": []interface{}{}, "zap": []interface{}{}},
			},
			false,
		},
		&PathCapabilities{"biz/bar", "",
			[]string{
				"create",
				"sudo",
			},
			&Permissions{
				CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt),
				AllowedParameters:  map[string][]interface{}{"zim": {}, "zam": {}},
				DeniedParameters:   map[string][]interface{}{"zip": {}, "zap": {}},
			},
			false,
		},
		&PathCapabilities{"test/types", "",
			[]string{
				"create",
				"sudo",
			},
			&Permissions{
				CapabilitiesBitmap: (CreateCapabilityInt | SudoCapabilityInt),
				AllowedParameters:  map[string][]interface{}{"map": []interface{}{map[string]interface{}{"good": "one"}}, "int": []interface{}{1, 2}},
				DeniedParameters:   map[string][]interface{}{"string": []interface{}{"test"}, "bool": []interface{}{false}},
			},
			false,
		},
	}
	if !reflect.DeepEqual(p.Paths, expect) {
		t.Errorf("expected \n\n%#v\n\n to be \n\n%#v\n\n", p.Paths, expect)
	}
}

func TestPolicy_ParseBadRoot(t *testing.T) {
	_, err := Parse(strings.TrimSpace(`
name = "test"
bad  = "foo"
nope = "yes"
`))
	if err == nil {
		t.Fatalf("expected error")
	}

	if !strings.Contains(err.Error(), "invalid key 'bad' on line 2") {
		t.Errorf("bad error: %q", err)
	}

	if !strings.Contains(err.Error(), "invalid key 'nope' on line 3") {
		t.Errorf("bad error: %q", err)
	}
}

func TestPolicy_ParseBadPath(t *testing.T) {
	_, err := Parse(strings.TrimSpace(`
path "/" {
	capabilities = ["read"]
	capabilites  = ["read"]
}
`))
	if err == nil {
		t.Fatalf("expected error")
	}

	if !strings.Contains(err.Error(), "invalid key 'capabilites' on line 3") {
		t.Errorf("bad error: %s", err)
	}
}

func TestPolicy_ParseBadPolicy(t *testing.T) {
	_, err := Parse(strings.TrimSpace(`
path "/" {
	policy = "banana"
}
`))
	if err == nil {
		t.Fatalf("expected error")
	}

	if !strings.Contains(err.Error(), `path "/": invalid policy 'banana'`) {
		t.Errorf("bad error: %s", err)
	}
}

func TestPolicy_ParseBadCapabilities(t *testing.T) {
	_, err := Parse(strings.TrimSpace(`
path "/" {
	capabilities = ["read", "banana"]
}
`))
	if err == nil {
		t.Fatalf("expected error")
	}

	if !strings.Contains(err.Error(), `path "/": invalid capability 'banana'`) {
		t.Errorf("bad error: %s", err)
	}
}
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`package vault`

			`import (`
			`"reflect"`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`"strings"`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`"testing"`
			`)`

Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			var rawPolicy = strings.TrimSpace(`
			`# Developer policy`
			`name = "dev"`

			`# Deny all paths by default`
			`path "*" {`
			`policy = "deny"`
			`}`

			`# Allow full access to staging`
			`path "stage/*" {`
			`policy = "sudo"`
			`}`

			`# Limited read privilege to production`
			`path "prod/version" {`
			`policy = "read"`
			`}`

			`# Read access to foobar`
			`# Also tests stripping of leading slash`
			`path "/foo/bar" {`
			`policy = "read"`
			`}`

			`# Add capabilities for creation and sudo to foobar`
			`# This will be separate; they are combined when compiled into an ACL`
			`path "foo/bar" {`
			`capabilities = ["create", "sudo"]`
			`}`
updated testing on a policy to cover parameters in the policy 2016-10-28 17:18:31 +00:00
fix some of the tests and rename allowed/dissallowed paramaters 2017-01-20 00:40:19 +00:00			`# Check that only allowed_parameters are being added to foobar`
updated testing on a policy to cover parameters in the policy 2016-10-28 17:18:31 +00:00			`path "foo/bar" {`
			`capabilities = ["create", "sudo"]`
			`permissions = {`
fix some of the tests and rename allowed/dissallowed paramaters 2017-01-20 00:40:19 +00:00			`allowed_parameters = {`
Permissions were changed from a structure to and array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow. 2016-12-07 02:14:15 +00:00			`"zip" = []`
			`"zap" = []`
updated testing on a policy to cover parameters in the policy 2016-10-28 17:18:31 +00:00			`}`
			`}`
			`}`

fix some of the tests and rename allowed/dissallowed paramaters 2017-01-20 00:40:19 +00:00			`# Check that only denied_parameters are being added to bazbar`
updated testing on a policy to cover parameters in the policy 2016-10-28 17:18:31 +00:00			`path "baz/bar" {`
			`capabilities = ["create", "sudo"]`
			`permissions = {`
fix some of the tests and rename allowed/dissallowed paramaters 2017-01-20 00:40:19 +00:00			`denied_parameters = {`
Permissions were changed from a structure to and array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow. 2016-12-07 02:14:15 +00:00			`"zip" = []`
			`"zap" = []`
updated testing on a policy to cover parameters in the policy 2016-10-28 17:18:31 +00:00			`}`
			`}`
			`}`

			`# Check that both allowed and denied parameters are being added to bizbar`
			`path "biz/bar" {`
			`capabilities = ["create", "sudo"]`
			`permissions = {`
fix some of the tests and rename allowed/dissallowed paramaters 2017-01-20 00:40:19 +00:00			`allowed_parameters = {`
Permissions were changed from a structure to and array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow. 2016-12-07 02:14:15 +00:00			`"zim" = []`
			`"zam" = []`
updated testing on a policy to cover parameters in the policy 2016-10-28 17:18:31 +00:00			`}`
fix some of the tests and rename allowed/dissallowed paramaters 2017-01-20 00:40:19 +00:00			`denied_parameters = {`
Permissions were changed from a structure to and array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow. 2016-12-07 02:14:15 +00:00			`"zip" = []`
			`"zap" = []`
updated testing on a policy to cover parameters in the policy 2016-10-28 17:18:31 +00:00			`}`
			`}`
			`}`
Update tests to check parsing of types 2017-01-20 02:13:39 +00:00			`path "test/types" {`
			`capabilities = ["create", "sudo"]`
			`permissions = {`
			`allowed_parameters = {`
			`"map" = [{"good" = "one"}]`
			`"int" = [1, 2]`
			`}`
			`denied_parameters = {`
			`"string" = ["test"]`
			`"bool" = [false]`
			`}`
			`}`
			`}`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`)

vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`func TestPolicy_Parse(t *testing.T) {`
			`p, err := Parse(rawPolicy)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`if p.Name != "dev" {`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`t.Fatalf("bad name: %q", p.Name)`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`

Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`expect := []*PathCapabilities{`
			`&PathCapabilities{"", "deny",`
			`[]string{`
			`"deny",`
Update tests to check parsing of types 2017-01-20 02:13:39 +00:00			`},`
			`&Permissions{CapabilitiesBitmap: DenyCapabilityInt},`
			`true,`
			`},`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`&PathCapabilities{"stage/", "sudo",`
			`[]string{`
			`"create",`
			`"read",`
			`"update",`
			`"delete",`
			`"list",`
			`"sudo",`
Update tests to check parsing of types 2017-01-20 02:13:39 +00:00			`},`
			`&Permissions{`
			`CapabilitiesBitmap: (CreateCapabilityInt \| ReadCapabilityInt \| UpdateCapabilityInt \| DeleteCapabilityInt \| ListCapabilityInt \| SudoCapabilityInt),`
			`},`
			`true,`
			`},`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`&PathCapabilities{"prod/version", "read",`
			`[]string{`
			`"read",`
			`"list",`
Update tests to check parsing of types 2017-01-20 02:13:39 +00:00			`},`
			`&Permissions{CapabilitiesBitmap: (ReadCapabilityInt \| ListCapabilityInt)},`
			`false,`
			`},`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`&PathCapabilities{"foo/bar", "read",`
			`[]string{`
			`"read",`
			`"list",`
Update tests to check parsing of types 2017-01-20 02:13:39 +00:00			`},`
			`&Permissions{CapabilitiesBitmap: (ReadCapabilityInt \| ListCapabilityInt)},`
			`false,`
			`},`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`&PathCapabilities{"foo/bar", "",`
			`[]string{`
			`"create",`
			`"sudo",`
Update tests to check parsing of types 2017-01-20 02:13:39 +00:00			`},`
			`&Permissions{CapabilitiesBitmap: (CreateCapabilityInt \| SudoCapabilityInt)},`
			`false,`
			`},`
updated testing on a policy to cover parameters in the policy 2016-10-28 17:18:31 +00:00			`&PathCapabilities{"foo/bar", "",`
			`[]string{`
			`"create",`
			`"sudo",`
Update tests to check parsing of types 2017-01-20 02:13:39 +00:00			`},`
			`&Permissions{`
			`CapabilitiesBitmap: (CreateCapabilityInt \| SudoCapabilityInt),`
			`AllowedParameters: map[string][]interface{}{"zip": {}, "zap": {}},`
			`},`
			`false,`
			`},`
updated testing on a policy to cover parameters in the policy 2016-10-28 17:18:31 +00:00			`&PathCapabilities{"baz/bar", "",`
			`[]string{`
			`"create",`
			`"sudo",`
Update tests to check parsing of types 2017-01-20 02:13:39 +00:00			`},`
			`&Permissions{`
			`CapabilitiesBitmap: (CreateCapabilityInt \| SudoCapabilityInt),`
			`DeniedParameters: map[string][]interface{}{"zip": []interface{}{}, "zap": []interface{}{}},`
			`},`
			`false,`
			`},`
updated testing on a policy to cover parameters in the policy 2016-10-28 17:18:31 +00:00			`&PathCapabilities{"biz/bar", "",`
			`[]string{`
			`"create",`
			`"sudo",`
Update tests to check parsing of types 2017-01-20 02:13:39 +00:00			`},`
			`&Permissions{`
			`CapabilitiesBitmap: (CreateCapabilityInt \| SudoCapabilityInt),`
			`AllowedParameters: map[string][]interface{}{"zim": {}, "zam": {}},`
			`DeniedParameters: map[string][]interface{}{"zip": {}, "zap": {}},`
			`},`
			`false,`
			`},`
			`&PathCapabilities{"test/types", "",`
			`[]string{`
			`"create",`
			`"sudo",`
			`},`
			`&Permissions{`
			`CapabilitiesBitmap: (CreateCapabilityInt \| SudoCapabilityInt),`
			`AllowedParameters: map[string][]interface{}{"map": []interface{}{map[string]interface{}{"good": "one"}}, "int": []interface{}{1, 2}},`
			`DeniedParameters: map[string][]interface{}{"string": []interface{}{"test"}, "bool": []interface{}{false}},`
			`},`
			`false,`
			`},`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`
			`if !reflect.DeepEqual(p.Paths, expect) {`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`t.Errorf("expected \n\n%#v\n\n to be \n\n%#v\n\n", p.Paths, expect)`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`
			`}`

Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`func TestPolicy_ParseBadRoot(t *testing.T) {`
			_, err := Parse(strings.TrimSpace(`
			`name = "test"`
			`bad = "foo"`
			`nope = "yes"`
			`))
			`if err == nil {`
			`t.Fatalf("expected error")`
			`}`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`if !strings.Contains(err.Error(), "invalid key 'bad' on line 2") {`
			`t.Errorf("bad error: %q", err)`
			`}`

			`if !strings.Contains(err.Error(), "invalid key 'nope' on line 3") {`
			`t.Errorf("bad error: %q", err)`
			`}`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`

Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`func TestPolicy_ParseBadPath(t *testing.T) {`
			_, err := Parse(strings.TrimSpace(`
			`path "/" {`
			`capabilities = ["read"]`
			`capabilites = ["read"]`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`))
			`if err == nil {`
			`t.Fatalf("expected error")`
			`}`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`if !strings.Contains(err.Error(), "invalid key 'capabilites' on line 3") {`
			`t.Errorf("bad error: %s", err)`
			`}`
vault: Adding policy parsing 2015-03-17 22:53:29 +00:00			`}`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`func TestPolicy_ParseBadPolicy(t *testing.T) {`
			_, err := Parse(strings.TrimSpace(`
			`path "/" {`
			`policy = "banana"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`}`
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			`))
			`if err == nil {`
			`t.Fatalf("expected error")`
			`}`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00
Parse policy HCL syntax and keys 2016-03-10 18:36:54 +00:00			if !strings.Contains(err.Error(), `path "/": invalid policy 'banana'`) {
			`t.Errorf("bad error: %s", err)`
			`}`
			`}`

			`func TestPolicy_ParseBadCapabilities(t *testing.T) {`
			_, err := Parse(strings.TrimSpace(`
			`path "/" {`
			`capabilities = ["read", "banana"]`
			`}`
			`))
			`if err == nil {`
			`t.Fatalf("expected error")`
			`}`

			if !strings.Contains(err.Error(), `path "/": invalid capability 'banana'`) {
			`t.Errorf("bad error: %s", err)`
			`}`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`}`