open-vault/vault/policy_store_test.go

205 lines
5.1 KiB
Go
Raw Normal View History

2015-03-18 19:17:03 +00:00
package vault
import (
"context"
2015-03-18 19:17:03 +00:00
"reflect"
"testing"
log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/vault/helper/logging"
"github.com/hashicorp/vault/logical"
2015-03-18 19:17:03 +00:00
)
func mockPolicyStore(t *testing.T) *PolicyStore {
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "foo/")
p := NewPolicyStore(context.Background(), nil, view, logical.TestSystemView(), logging.NewVaultLogger(log.Trace))
return p
}
func mockPolicyStoreNoCache(t *testing.T) *PolicyStore {
sysView := logical.TestSystemView()
sysView.CachingDisabledVal = true
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "foo/")
p := NewPolicyStore(context.Background(), nil, view, sysView, logging.NewVaultLogger(log.Trace))
2015-03-18 19:17:03 +00:00
return p
}
2015-03-24 18:27:21 +00:00
func TestPolicyStore_Root(t *testing.T) {
ps := mockPolicyStore(t)
// Get should return a special policy
p, err := ps.GetPolicy(context.Background(), "root", PolicyTypeToken)
2015-03-24 18:27:21 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if p == nil {
t.Fatalf("bad: %v", p)
}
if p.Name != "root" {
t.Fatalf("bad: %v", p)
}
// Set should fail
err = ps.SetPolicy(context.Background(), p)
if err.Error() != `cannot update "root" policy` {
2015-03-24 18:27:21 +00:00
t.Fatalf("err: %v", err)
}
// Delete should fail
err = ps.DeletePolicy(context.Background(), "root", PolicyTypeACL)
if err.Error() != `cannot delete "root" policy` {
2015-03-24 18:27:21 +00:00
t.Fatalf("err: %v", err)
}
}
2015-03-18 19:17:03 +00:00
func TestPolicyStore_CRUD(t *testing.T) {
ps := mockPolicyStore(t)
testPolicyStore_CRUD(t, ps)
ps = mockPolicyStoreNoCache(t)
testPolicyStore_CRUD(t, ps)
}
2015-03-18 19:17:03 +00:00
func testPolicyStore_CRUD(t *testing.T, ps *PolicyStore) {
2015-03-18 19:17:03 +00:00
// Get should return nothing
p, err := ps.GetPolicy(context.Background(), "Dev", PolicyTypeToken)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if p != nil {
t.Fatalf("bad: %v", p)
}
// Delete should be no-op
err = ps.DeletePolicy(context.Background(), "deV", PolicyTypeACL)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// List should be blank
out, err := ps.ListPolicies(context.Background(), PolicyTypeACL)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if len(out) != 0 {
t.Fatalf("bad: %v", out)
}
// Set should work
2017-10-23 18:59:37 +00:00
policy, _ := ParseACLPolicy(aclPolicy)
err = ps.SetPolicy(context.Background(), policy)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Get should work
p, err = ps.GetPolicy(context.Background(), "dEv", PolicyTypeToken)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(p, policy) {
t.Fatalf("bad: %v", p)
}
// List should be one element
out, err = ps.ListPolicies(context.Background(), PolicyTypeACL)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if len(out) != 1 || out[0] != "dev" {
t.Fatalf("bad: %v", out)
}
// Delete should be clear the entry
err = ps.DeletePolicy(context.Background(), "Dev", PolicyTypeACL)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Get should fail
p, err = ps.GetPolicy(context.Background(), "deV", PolicyTypeToken)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if p != nil {
t.Fatalf("bad: %v", p)
}
}
// Test predefined policy handling
func TestPolicyStore_Predefined(t *testing.T) {
core, _, _ := TestCoreUnsealed(t)
// Ensure both default policies are created
err := core.setupPolicyStore(context.Background())
if err != nil {
t.Fatalf("err: %v", err)
}
// List should be two elements
out, err := core.policyStore.ListPolicies(context.Background(), PolicyTypeACL)
if err != nil {
t.Fatalf("err: %v", err)
}
2016-07-25 19:59:02 +00:00
// This shouldn't contain response-wrapping since it's non-assignable
if len(out) != 1 || out[0] != "default" {
t.Fatalf("bad: %v", out)
}
pCubby, err := core.policyStore.GetPolicy(context.Background(), "response-wrapping", PolicyTypeToken)
if err != nil {
t.Fatalf("err: %v", err)
}
2017-10-23 18:59:37 +00:00
if pCubby == nil {
t.Fatal("nil cubby policy")
}
2016-09-29 04:01:28 +00:00
if pCubby.Raw != responseWrappingPolicy {
t.Fatalf("bad: expected\n%s\ngot\n%s\n", responseWrappingPolicy, pCubby.Raw)
}
pRoot, err := core.policyStore.GetPolicy(context.Background(), "root", PolicyTypeToken)
if err != nil {
t.Fatalf("err: %v", err)
}
2017-10-23 18:59:37 +00:00
if pRoot == nil {
t.Fatal("nil root policy")
}
err = core.policyStore.SetPolicy(context.Background(), pCubby)
if err == nil {
t.Fatalf("expected err setting %s", pCubby.Name)
}
err = core.policyStore.SetPolicy(context.Background(), pRoot)
if err == nil {
t.Fatalf("expected err setting %s", pRoot.Name)
}
err = core.policyStore.DeletePolicy(context.Background(), pCubby.Name, PolicyTypeACL)
if err == nil {
t.Fatalf("expected err deleting %s", pCubby.Name)
}
err = core.policyStore.DeletePolicy(context.Background(), pRoot.Name, PolicyTypeACL)
if err == nil {
t.Fatalf("expected err deleting %s", pRoot.Name)
}
}
2015-03-18 19:17:03 +00:00
func TestPolicyStore_ACL(t *testing.T) {
ps := mockPolicyStore(t)
2017-10-23 18:59:37 +00:00
policy, _ := ParseACLPolicy(aclPolicy)
err := ps.SetPolicy(context.Background(), policy)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
2017-10-23 18:59:37 +00:00
policy, _ = ParseACLPolicy(aclPolicy2)
err = ps.SetPolicy(context.Background(), policy)
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
acl, err := ps.ACL(context.Background(), nil, "dev", "ops")
2015-03-18 19:17:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
testLayeredACL(t, acl)
}