luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
open-vault/vault/logical_system_test.go

5447 lines
156 KiB
Go
Raw Normal View History

vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
package vault
import (
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
"context"
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
"crypto/sha256"
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
"encoding/base64"
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
"encoding/hex"
"fmt"
"io/ioutil"
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
"net/http"
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
"os"
"path/filepath"
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
"reflect"
Update tests for change in raw blacklisting
2016-04-19 20:26:26 +00:00
"strings"
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
"testing"
Plumb per-mount config options through API
2015-08-31 18:27:49 +00:00
"time"
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
Add DynamicSystemView. This uses a pointer to a pointer to always have up-to-date information. This allows remount to be implemented with the same source and dest, allowing mount options to be changed on the fly. If/when Vault gains the ability to HUP its configuration, this should just work for the global values as well. Need specific unit tests for this functionality.
2015-09-01 22:29:30 +00:00
"github.com/fatih/structs"
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"github.com/go-test/deep"
Update mount table and CLI with plugin version for auth (#16856)
2022-08-31 18:23:05 +00:00
"github.com/hashicorp/go-hclog"
Version-aware plugin catalog (#16688) Adds support for using semantic version information when registering and managing plugins. New `detailed` field in the response data for listing plugins and new `version` field in the response data for reading a single plugin.
2022-08-25 20:31:42 +00:00
semver "github.com/hashicorp/go-version"
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
"github.com/hashicorp/vault/audit"
Vault 4632 auth remount oss (#14141) * Update plugin-portal.mdx (#13229) Add a Vault plugin to allow authentication via SSH certificates and public keys * oss changes Co-authored-by: Wim <wim@42.be>
2022-02-18 16:04:21 +00:00
credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
"github.com/hashicorp/vault/helper/builtinplugins"
Fix hasMountPath for segment wildcard mounts; introduce priority order (#6532) * Add prioritization when multiple segment/glob rules can match. * Disallow ambiguous "+*" in policy paths.
2019-04-10 21:46:17 +00:00
"github.com/hashicorp/vault/helper/identity"
The big one (#5346)
2018-09-18 03:03:00 +00:00
"github.com/hashicorp/vault/helper/namespace"
Move sdk/helper/random -> helper/random (#9226) * This package is new for 1.5 so this is not a breaking change. * This is being moved because this code was originally intended to be used within plugins, however the design of password policies has changed such that this is no longer needed. Thus, this code doesn't need to be in the public SDK.
2020-06-17 20:24:38 +00:00
"github.com/hashicorp/vault/helper/random"
Add plugin version to GRPC interface (#17088) Add plugin version to GRPC interface Added a version interface in the sdk/logical so that it can be shared between all plugin types, and then wired it up to RunningVersion in the mounts, auth list, and database systems. I've tested that this works with auth, database, and secrets plugin types, with the following logic to populate RunningVersion: If a plugin has a PluginVersion() method implemented, then that is used If not, and the plugin is built into the Vault binary, then the go.mod version is used Otherwise, the it will be the empty string. My apologies for the length of this PR. * Placeholder backend should be external We use a placeholder backend (previously a framework.Backend) before a GRPC plugin is lazy-loaded. This makes us later think the plugin is a builtin plugin. So we added a `placeholderBackend` type that overrides the `IsExternal()` method so that later we know that the plugin is external, and don't give it a default builtin version.
2022-09-15 23:37:59 +00:00
"github.com/hashicorp/vault/helper/versions"
Switch to go modules (#6585) * Switch to go modules * Make fmt
2019-04-13 07:44:06 +00:00
"github.com/hashicorp/vault/sdk/framework"
Enhance sys/raw to read and write values that cannot be encoded in json (#13537)
2022-01-20 12:52:53 +00:00
"github.com/hashicorp/vault/sdk/helper/compressutil"
Switch to go modules (#6585) * Switch to go modules * Make fmt
2019-04-13 07:44:06 +00:00
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/jsonutil"
Version-aware plugin catalog (#16688) Adds support for using semantic version information when registering and managing plugins. New `detailed` field in the response data for listing plugins and new `version` field in the response data for reading a single plugin.
2022-08-25 20:31:42 +00:00
"github.com/hashicorp/vault/sdk/helper/pluginutil"
Create sdk/ and api/ submodules (#6583)
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/helper/salt"
"github.com/hashicorp/vault/sdk/logical"
Move version out of SDK. (#14229) Move version out of SDK. For now it's a copy rather than move: the part not addressed by this change is sdk/helper/useragent.String, which we'll want to remove in favour of PluginString. That will have to wait until we've removed uses of useragent.String from all builtins.
2022-12-07 18:29:51 +00:00
"github.com/hashicorp/vault/version"
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
"github.com/mitchellh/mapstructure"
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
)
func TestSystemBackend_RootPaths(t *testing.T) {
expected := []string{
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
"auth/*",
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
"remount",
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
"audit",
"audit/*",
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
"raw",
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
"raw/*",
Make reindex a root path as well
2017-02-17 04:36:06 +00:00
"replication/primary/secondary-token",
The big one (#5346)
2018-09-18 03:03:00 +00:00
"replication/performance/primary/secondary-token",
"replication/dr/primary/secondary-token",
Make reindex a root path as well
2017-02-17 04:36:06 +00:00
"replication/reindex",
The big one (#5346)
2018-09-18 03:03:00 +00:00
"replication/dr/reindex",
"replication/performance/reindex",
vault: adding sys/key-status and sys/rotate
2015-05-28 00:53:42 +00:00
"rotate",
Fix root paths test
2017-06-17 05:51:42 +00:00
"config/cors",
Configure the request headers that are output to the audit log (#2321) * Add /sys/config/audited-headers endpoint for configuring the headers that will be audited * Remove some debug lines * Add a persistant layer and refactor a bit * update the api endpoints to be more restful * Add comments and clean up a few functions * Remove unneeded hash structure functionaility * Fix existing tests * Add tests * Add test for Applying the header config * Add Benchmark for the ApplyConfig method * ResetTimer on the benchmark: * Update the headers comment * Add test for audit broker * Use hyphens instead of camel case * Add size paramater to the allocation of the result map * Fix the tests for the audit broker * PR feedback * update the path and permissions on config/* paths * Add docs file * Fix TestSystemBackend_RootPaths test
2017-02-02 19:49:20 +00:00
"config/auditing/*",
Fix compilation and tests failures (#4254)
2018-04-03 18:07:43 +00:00
"config/ui/headers/*",
Update root paths test
2017-04-24 19:47:40 +00:00
"plugins/catalog/*",
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
"revoke-prefix/*",
root protect /sys/revoke-force/* (#2876)
2017-07-25 15:59:43 +00:00
"revoke-force/*",
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
"leases/revoke-prefix/*",
"leases/revoke-force/*",
"leases/lookup/*",
OSS changes for enterprise automated snapshots (#10160)
2020-10-16 18:57:11 +00:00
"storage/raft/snapshot-auto/config/*",
Require special privileges to list irrevocable leases (#11888) * add leases path to sudo required set * update TestSystemBackend_RootPaths with new special privilege paths * note that list-leases requires sudo * minor typo fixes
2021-06-28 22:51:47 +00:00
"leases",
Introspection API Implementation for Router Struct (#17789) * OSS Commit from ENT for Introspection API * Add changelog
2022-11-04 16:39:09 +00:00
"internal/inspect/*",
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
b := testSystemBackend(t)
logical: move cred stuff over here
2015-03-31 00:46:18 +00:00
actual := b.SpecialPaths().Root
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
if !reflect.DeepEqual(actual, expected) {
Fix compilation and tests failures (#4254)
2018-04-03 18:07:43 +00:00
t.Fatalf("bad: mismatch\nexpected:\n%#v\ngot:\n%#v", expected, actual)
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
}
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
func TestSystemConfigCORS(t *testing.T) {
b := testSystemBackend(t)
Fix up CORS. Ref #2021
2017-06-17 05:26:25 +00:00
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "")
b.(*SystemBackend).Core.systemBarrierView = view
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "config/cors")
req.Data["allowed_origins"] = "http://www.example.com"
Set allowed headers via API instead of defaulting to wildcard. (#3023)
2017-08-07 14:03:30 +00:00
req.Data["allowed_headers"] = "X-Custom-Header"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err := b.HandleRequest(namespace.RootContext(nil), req)
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
if err != nil {
t.Fatal(err)
}
expected := &logical.Response{
Data: map[string]interface{}{
"enabled": true,
Fix up CORS. Ref #2021
2017-06-17 05:26:25 +00:00
"allowed_origins": []string{"http://www.example.com"},
Fix exporting stdAllowedHeaders
2017-08-07 19:02:08 +00:00
"allowed_headers": append(StdAllowedHeaders, "X-Custom-Header"),
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
},
}
req = logical.TestRequest(t, logical.ReadOperation, "config/cors")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
actual, err := b.HandleRequest(namespace.RootContext(nil), req)
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(actual, expected) {
Fix up CORS. Ref #2021
2017-06-17 05:26:25 +00:00
t.Fatalf("bad: %#v", actual)
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
}
Don't duplicate CORS headers (#6207) Fixes #6182
2019-02-11 18:10:26 +00:00
// Do it again. Bug #6182
req = logical.TestRequest(t, logical.UpdateOperation, "config/cors")
req.Data["allowed_origins"] = "http://www.example.com"
req.Data["allowed_headers"] = "X-Custom-Header"
_, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatal(err)
}
req = logical.TestRequest(t, logical.ReadOperation, "config/cors")
actual, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: %#v", actual)
}
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
req = logical.TestRequest(t, logical.DeleteOperation, "config/cors")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err = b.HandleRequest(namespace.RootContext(nil), req)
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
req = logical.TestRequest(t, logical.ReadOperation, "config/cors")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
actual, err = b.HandleRequest(namespace.RootContext(nil), req)
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
expected = &logical.Response{
Data: map[string]interface{}{
Fix up CORS. Ref #2021
2017-06-17 05:26:25 +00:00
"enabled": false,
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
},
}
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("DELETE FAILED -- bad: %#v", actual)
}
}
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
func TestSystemBackend_mounts(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.ReadOperation, "mounts")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Add DynamicSystemView. This uses a pointer to a pointer to always have up-to-date information. This allows remount to be implemented with the same source and dest, allowing mount options to be changed on the fly. If/when Vault gains the ability to HUP its configuration, this should just work for the global values as well. Need specific unit tests for this functionality.
2015-09-01 22:29:30 +00:00
// We can't know the pointer address ahead of time so simply
// copy what's given
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
exp := map[string]interface{}{
Plumb per-mount config options through API
2015-08-31 18:27:49 +00:00
"secret/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "kv",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "key/value secret storage",
"accessor": resp.Data["secret/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["secret/"].(map[string]interface{})["uuid"],
Plumb per-mount config options through API
2015-08-31 18:27:49 +00:00
"config": map[string]interface{}{
Made default_lease_ttl and max_lease_ttl as int64 and fixed tests
2016-06-21 00:08:12 +00:00
"default_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
Add option to disable caching per-backend. (#2455)
2017-03-08 14:20:09 +00:00
"force_no_cache": false,
Plumb per-mount config options through API
2015-08-31 18:27:49 +00:00
},
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"local": false,
"seal_wrap": false,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string{
Fix tests from version update
2018-04-09 20:14:44 +00:00
"version": "1",
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"plugin_version": "",
"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "kv"),
"running_sha256": "",
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
},
Plumb per-mount config options through API
2015-08-31 18:27:49 +00:00
"sys/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "system",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "system endpoints used for control, policy and debugging",
"accessor": resp.Data["sys/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["sys/"].(map[string]interface{})["uuid"],
Plumb per-mount config options through API
2015-08-31 18:27:49 +00:00
"config": map[string]interface{}{
make fmt
2019-02-20 20:12:21 +00:00
"default_lease_ttl": resp.Data["sys/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["sys/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
Fix TestSystemBackend_mount, TestSystemBackend_mounts. (#6247)
2019-02-15 19:14:45 +00:00
"passthrough_request_headers": []string{"Accept"},
Plumb per-mount config options through API
2015-08-31 18:27:49 +00:00
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"local": false,
"seal_wrap": true,
"options": map[string]string(nil),
"plugin_version": "",
"running_plugin_version": versions.DefaultBuiltinVersion,
"running_sha256": "",
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
},
Implement the cubbyhole backend In order to implement this efficiently, I have introduced the concept of "singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't much reason to allow sys to be mounted at multiple places, and there isn't much reason you'd need multiple per-token storage areas. By restricting it to just one, I can store that particular mount instead of iterating through them in order to call the appropriate revoke function. Additionally, because revocation on the backend needs to be triggered by the token store, the token store's salt is kept in the router and client tokens going to the cubbyhole backend are double-salted by the router. This allows the token store to drive when revocation happens using its salted tokens.
2015-09-10 01:58:09 +00:00
"cubbyhole/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "per-token private secret storage",
"type": "cubbyhole",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"accessor": resp.Data["cubbyhole/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["cubbyhole/"].(map[string]interface{})["uuid"],
Implement the cubbyhole backend In order to implement this efficiently, I have introduced the concept of "singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't much reason to allow sys to be mounted at multiple places, and there isn't much reason you'd need multiple per-token storage areas. By restricting it to just one, I can store that particular mount instead of iterating through them in order to call the appropriate revoke function. Additionally, because revocation on the backend needs to be triggered by the token store, the token store's salt is kept in the router and client tokens going to the cubbyhole backend are double-salted by the router. This allows the token store to drive when revocation happens using its salted tokens.
2015-09-10 01:58:09 +00:00
"config": map[string]interface{}{
Made default_lease_ttl and max_lease_ttl as int64 and fixed tests
2016-06-21 00:08:12 +00:00
"default_lease_ttl": resp.Data["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
Add option to disable caching per-backend. (#2455)
2017-03-08 14:20:09 +00:00
"force_no_cache": false,
Implement the cubbyhole backend In order to implement this efficiently, I have introduced the concept of "singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't much reason to allow sys to be mounted at multiple places, and there isn't much reason you'd need multiple per-token storage areas. By restricting it to just one, I can store that particular mount instead of iterating through them in order to call the appropriate revoke function. Additionally, because revocation on the backend needs to be triggered by the token store, the token store's salt is kept in the router and client tokens going to the cubbyhole backend are double-salted by the router. This allows the token store to drive when revocation happens using its salted tokens.
2015-09-10 01:58:09 +00:00
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"local": true,
"seal_wrap": false,
"options": map[string]string(nil),
"plugin_version": "",
"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "cubbyhole"),
"running_sha256": "",
Implement the cubbyhole backend In order to implement this efficiently, I have introduced the concept of "singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't much reason to allow sys to be mounted at multiple places, and there isn't much reason you'd need multiple per-token storage areas. By restricting it to just one, I can store that particular mount instead of iterating through them in order to call the appropriate revoke function. Additionally, because revocation on the backend needs to be triggered by the token store, the token store's salt is kept in the router and client tokens going to the cubbyhole backend are double-salted by the router. This allows the token store to drive when revocation happens using its salted tokens.
2015-09-10 01:58:09 +00:00
},
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
"identity/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "identity store",
"type": "identity",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"accessor": resp.Data["identity/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["identity/"].(map[string]interface{})["uuid"],
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
"config": map[string]interface{}{
Adds OIDC Token and UserInfo endpoints (#12711)
2021-10-14 01:59:36 +00:00
"default_lease_ttl": resp.Data["identity/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["identity/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
"passthrough_request_headers": []string{"Authorization"},
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"local": false,
"seal_wrap": false,
"options": map[string]string(nil),
"plugin_version": "",
"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "identity"),
"running_sha256": "",
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
},
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
Fix TestSystemBackend_mount, TestSystemBackend_mounts. (#6247)
2019-02-15 19:14:45 +00:00
if diff := deep.Equal(resp.Data, exp); len(diff) > 0 {
t.Fatalf("bad, diff: %#v", diff)
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
Add read support to sys/mounts/:path (#12792) * Add read support to sys/mounts/:path Closes https://github.com/hashicorp/vault/issues/12349 * Add changelog entry * Empty commit to trigger CI * Empty commit to trigger CI
2021-11-08 18:32:01 +00:00
for name, conf := range exp {
req := logical.TestRequest(t, logical.ReadOperation, "mounts/"+name)
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if diff := deep.Equal(resp.Data, conf); len(diff) > 0 {
t.Fatalf("bad, diff: %#v", diff)
}
}
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
func TestSystemBackend_mount(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/")
Rename "generic" secret backend to "kv" (#3292)
2017-09-15 13:02:29 +00:00
req.Data["type"] = "kv"
Add TTL related config options on auth enable (#4019)
2018-02-22 15:26:29 +00:00
req.Data["config"] = map[string]interface{}{
"default_lease_ttl": "35m",
"max_lease_ttl": "45m",
}
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
req.Data["local"] = true
req.Data["seal_wrap"] = true
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
req.Data["options"] = map[string]string{
Fix tests from version update
2018-04-09 20:14:44 +00:00
"version": "1",
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
}
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "mounts")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// We can't know the pointer address ahead of time so simply
// copy what's given
exp := map[string]interface{}{
"secret/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "kv",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "key/value secret storage",
"accessor": resp.Data["secret/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["secret/"].(map[string]interface{})["uuid"],
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"config": map[string]interface{}{
"default_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
},
"local": false,
"seal_wrap": false,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string{
Fix tests from version update
2018-04-09 20:14:44 +00:00
"version": "1",
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"plugin_version": "",
"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "kv"),
"running_sha256": "",
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
"sys/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "system",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "system endpoints used for control, policy and debugging",
"accessor": resp.Data["sys/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["sys/"].(map[string]interface{})["uuid"],
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"config": map[string]interface{}{
make fmt
2019-02-20 20:12:21 +00:00
"default_lease_ttl": resp.Data["sys/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["sys/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
Fix TestSystemBackend_mount, TestSystemBackend_mounts. (#6247)
2019-02-15 19:14:45 +00:00
"passthrough_request_headers": []string{"Accept"},
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"local": false,
"seal_wrap": true,
"options": map[string]string(nil),
"plugin_version": "",
"running_plugin_version": versions.DefaultBuiltinVersion,
"running_sha256": "",
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
"cubbyhole/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "per-token private secret storage",
"type": "cubbyhole",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"accessor": resp.Data["cubbyhole/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["cubbyhole/"].(map[string]interface{})["uuid"],
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"config": map[string]interface{}{
"default_lease_ttl": resp.Data["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"local": true,
"seal_wrap": false,
"options": map[string]string(nil),
"plugin_version": "",
"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "cubbyhole"),
"running_sha256": "",
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
"identity/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "identity store",
"type": "identity",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"accessor": resp.Data["identity/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["identity/"].(map[string]interface{})["uuid"],
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"config": map[string]interface{}{
Adds OIDC Token and UserInfo endpoints (#12711)
2021-10-14 01:59:36 +00:00
"default_lease_ttl": resp.Data["identity/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["identity/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
"passthrough_request_headers": []string{"Authorization"},
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"local": false,
"seal_wrap": false,
"options": map[string]string(nil),
"plugin_version": "",
"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "identity"),
"running_sha256": "",
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
"prod/secret/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "",
"type": "kv",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"accessor": resp.Data["prod/secret/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["prod/secret/"].(map[string]interface{})["uuid"],
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"config": map[string]interface{}{
Add TTL related config options on auth enable (#4019)
2018-02-22 15:26:29 +00:00
"default_lease_ttl": int64(2100),
"max_lease_ttl": int64(2700),
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"force_no_cache": false,
},
"local": true,
"seal_wrap": true,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string{
Fix tests from version update
2018-04-09 20:14:44 +00:00
"version": "1",
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"plugin_version": "",
"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "kv"),
"running_sha256": "",
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
}
Fix TestSystemBackend_mount, TestSystemBackend_mounts. (#6247)
2019-02-15 19:14:45 +00:00
if diff := deep.Equal(resp.Data, exp); len(diff) > 0 {
t.Fatalf("bad: diff: %#v", diff)
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
}
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
Add option to disable caching per-backend. (#2455)
2017-03-08 14:20:09 +00:00
func TestSystemBackend_mount_force_no_cache(t *testing.T) {
core, b, _ := testCoreSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/")
Rename "generic" secret backend to "kv" (#3292)
2017-09-15 13:02:29 +00:00
req.Data["type"] = "kv"
Add option to disable caching per-backend. (#2455)
2017-03-08 14:20:09 +00:00
req.Data["config"] = map[string]interface{}{
"force_no_cache": true,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Add option to disable caching per-backend. (#2455)
2017-03-08 14:20:09 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
mountEntry := core.router.MatchingMountEntry(namespace.RootContext(nil), "prod/secret/")
Add option to disable caching per-backend. (#2455)
2017-03-08 14:20:09 +00:00
if mountEntry == nil {
t.Fatalf("missing mount entry")
}
if !mountEntry.Config.ForceNoCache {
t.Fatalf("bad config %#v", mountEntry)
}
}
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
func TestSystemBackend_mount_invalid(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/")
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
req.Data["type"] = "nope"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: convert to logical.Request and friends
2015-03-15 21:53:41 +00:00
if err != logical.ErrInvalidRequest {
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
t.Fatalf("err: %v", err)
}
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
if resp.Data["error"] != `plugin not found in the catalog: nope` {
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_unmount(t *testing.T) {
b := testSystemBackend(t)
vault: change to /sys/mounts
2015-03-16 17:52:35 +00:00
req := logical.TestRequest(t, logical.DeleteOperation, "mounts/secret/")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
var capabilitiesPolicy = `
name = "test"
path "foo/bar*" {
capabilities = ["create", "sudo", "update"]
}
path "sys/capabilities*" {
capabilities = ["update"]
}
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
path "bar/baz" {
capabilities = ["read", "update"]
}
path "bar/baz" {
capabilities = ["delete"]
}
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
`
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
func TestSystemBackend_PathCapabilities(t *testing.T) {
var resp *logical.Response
var err error
core, b, rootToken := testCoreSystemBackend(t)
The big one (#5346)
2018-09-18 03:03:00 +00:00
policy, _ := ParseACLPolicy(namespace.RootNamespace, capabilitiesPolicy)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = core.policyStore.SetPolicy(namespace.RootContext(nil), policy)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
path1 := "foo/bar"
path2 := "foo/bar/sample"
path3 := "sys/capabilities"
path4 := "bar/baz"
rootCheckFunc := func(t *testing.T, resp *logical.Response) {
// All the paths should have "root" as the capability
expectedRoot := []string{"root"}
if !reflect.DeepEqual(resp.Data[path1], expectedRoot) ||
!reflect.DeepEqual(resp.Data[path2], expectedRoot) ||
!reflect.DeepEqual(resp.Data[path3], expectedRoot) ||
!reflect.DeepEqual(resp.Data[path4], expectedRoot) {
t.Fatalf("bad: capabilities; expected: %#v, actual: %#v", expectedRoot, resp.Data)
}
}
// Check the capabilities using the root token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
Path: "capabilities",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"paths": []string{path1, path2, path3, path4},
"token": rootToken,
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
rootCheckFunc(t, resp)
// Check the capabilities using capabilities-self
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
ClientToken: rootToken,
Path: "capabilities-self",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"paths": []string{path1, path2, path3, path4},
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
rootCheckFunc(t, resp)
// Lookup the accessor of the root token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err := core.tokenStore.Lookup(namespace.RootContext(nil), rootToken)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
if err != nil {
t.Fatal(err)
}
// Check the capabilities using capabilities-accessor endpoint
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
Path: "capabilities-accessor",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"paths": []string{path1, path2, path3, path4},
"accessor": te.Accessor,
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
rootCheckFunc(t, resp)
// Create a non-root token
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"})
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
nonRootCheckFunc := func(t *testing.T, resp *logical.Response) {
expected1 := []string{"create", "sudo", "update"}
expected2 := expected1
expected3 := []string{"update"}
expected4 := []string{"delete", "read", "update"}
if !reflect.DeepEqual(resp.Data[path1], expected1) ||
!reflect.DeepEqual(resp.Data[path2], expected2) ||
!reflect.DeepEqual(resp.Data[path3], expected3) ||
!reflect.DeepEqual(resp.Data[path4], expected4) {
t.Fatalf("bad: capabilities; actual: %#v", resp.Data)
}
}
// Check the capabilities using a non-root token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
Path: "capabilities",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"paths": []string{path1, path2, path3, path4},
"token": "tokenid",
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
nonRootCheckFunc(t, resp)
// Check the capabilities of a non-root token using capabilities-self
// endpoint
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
ClientToken: "tokenid",
Path: "capabilities-self",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"paths": []string{path1, path2, path3, path4},
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
nonRootCheckFunc(t, resp)
// Lookup the accessor of the non-root token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = core.tokenStore.Lookup(namespace.RootContext(nil), "tokenid")
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
if err != nil {
t.Fatal(err)
}
// Check the capabilities using a non-root token using
// capabilities-accessor endpoint
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
Path: "capabilities-accessor",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"paths": []string{path1, path2, path3, path4},
"accessor": te.Accessor,
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
nonRootCheckFunc(t, resp)
}
func TestSystemBackend_Capabilities_BC(t *testing.T) {
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
testCapabilities(t, "capabilities")
testCapabilities(t, "capabilities-self")
}
func testCapabilities(t *testing.T, endpoint string) {
core, b, rootToken := testCoreSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, endpoint)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
if endpoint == "capabilities-self" {
req.ClientToken = rootToken
} else {
req.Data["token"] = rootToken
}
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
req.Data["path"] = "any_path"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatalf("bad: %v", resp)
}
actual := resp.Data["capabilities"]
expected := []string{"root"}
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
policy, _ := ParseACLPolicy(namespace.RootNamespace, capabilitiesPolicy)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = core.policyStore.SetPolicy(namespace.RootContext(nil), policy)
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"})
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
req = logical.TestRequest(t, logical.UpdateOperation, endpoint)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
if endpoint == "capabilities-self" {
req.ClientToken = "tokenid"
} else {
req.Data["token"] = "tokenid"
}
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
req.Data["path"] = "foo/bar"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil {
t.Fatalf("bad: %v", resp)
}
actual = resp.Data["capabilities"]
Sort the capabilities before returning
2016-03-18 16:40:17 +00:00
expected = []string{"create", "sudo", "update"}
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
}
}
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
func TestSystemBackend_CapabilitiesAccessor_BC(t *testing.T) {
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
core, b, rootToken := testCoreSystemBackend(t)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err := core.tokenStore.Lookup(namespace.RootContext(nil), rootToken)
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if err != nil {
t.Fatal(err)
}
Rename PrepareRequest to PrepareRequestFunc
2016-03-18 14:37:49 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "capabilities-accessor")
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
// Accessor of root token
req.Data["accessor"] = te.Accessor
req.Data["path"] = "any_path"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Rename PrepareRequest to PrepareRequestFunc
2016-03-18 14:37:49 +00:00
if err != nil {
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
t.Fatalf("err: %v", err)
}
if resp == nil {
t.Fatalf("bad: %v", resp)
}
actual := resp.Data["capabilities"]
expected := []string{"root"}
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
policy, _ := ParseACLPolicy(namespace.RootNamespace, capabilitiesPolicy)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = core.policyStore.SetPolicy(namespace.RootContext(nil), policy)
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"})
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = core.tokenStore.Lookup(namespace.RootContext(nil), "tokenid")
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if err != nil {
t.Fatal(err)
}
req = logical.TestRequest(t, logical.UpdateOperation, "capabilities-accessor")
req.Data["accessor"] = te.Accessor
req.Data["path"] = "foo/bar"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil {
t.Fatalf("bad: %v", resp)
}
actual = resp.Data["capabilities"]
Sort the capabilities before returning
2016-03-18 16:40:17 +00:00
expected = []string{"create", "sudo", "update"}
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
Rename PrepareRequest to PrepareRequestFunc
2016-03-18 14:37:49 +00:00
}
}
Vault 4632 auth remount oss (#14141) * Update plugin-portal.mdx (#13229) Add a Vault plugin to allow authentication via SSH certificates and public keys * oss changes Co-authored-by: Wim <wim@42.be>
2022-02-18 16:04:21 +00:00
func TestSystemBackend_remount_auth(t *testing.T) {
err := AddTestCredentialBackend("userpass", credUserpass.Factory)
if err != nil {
t.Fatal(err)
}
c, b, _ := testCoreSystemBackend(t)
userpassMe := &MountEntry{
Table: credentialTableType,
Path: "userpass1/",
Type: "userpass",
Description: "userpass",
}
err = c.enableCredential(namespace.RootContext(nil), userpassMe)
if err != nil {
t.Fatal(err)
}
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
req.Data["from"] = "auth/userpass1"
req.Data["to"] = "auth/userpass2"
req.Data["config"] = structs.Map(MountConfig{})
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
RetryUntil(t, 5*time.Second, func() error {
req = logical.TestRequest(t, logical.ReadOperation, fmt.Sprintf("remount/status/%s", resp.Data["migration_id"]))
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
migrationInfo := resp.Data["migration_info"].(*MountMigrationInfo)
if migrationInfo.MigrationStatus != MigrationSuccessStatus.String() {
return fmt.Errorf("Expected migration status to be successful, got %q", migrationInfo.MigrationStatus)
}
return nil
})
}
func TestSystemBackend_remount_auth_invalid(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
req.Data["from"] = "auth/unknown"
req.Data["to"] = "auth/foo"
req.Data["config"] = structs.Map(MountConfig{})
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if !strings.Contains(resp.Data["error"].(string), "no matching mount at \"auth/unknown/\"") {
t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
}
req.Data["to"] = "foo"
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if !strings.Contains(resp.Data["error"].(string), "cannot remount auth mount to non-auth mount \"foo/\"") {
t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
}
}
func TestSystemBackend_remount_auth_protected(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
req.Data["from"] = "auth/token"
req.Data["to"] = "auth/foo"
req.Data["config"] = structs.Map(MountConfig{})
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if !strings.Contains(resp.Data["error"].(string), "cannot remount \"auth/token/\"") {
t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
}
req.Data["from"] = "auth/foo"
req.Data["to"] = "auth/token"
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if !strings.Contains(resp.Data["error"].(string), "cannot remount to destination \"auth/token/\"") {
t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
}
}
func TestSystemBackend_remount_auth_destinationInUse(t *testing.T) {
err := AddTestCredentialBackend("userpass", credUserpass.Factory)
if err != nil {
t.Fatal(err)
}
c, b, _ := testCoreSystemBackend(t)
userpassMe := &MountEntry{
Table: credentialTableType,
Path: "userpass1/",
Type: "userpass",
Description: "userpass",
}
err = c.enableCredential(namespace.RootContext(nil), userpassMe)
if err != nil {
t.Fatal(err)
}
userpassMe2 := &MountEntry{
Table: credentialTableType,
Path: "userpass2/",
Type: "userpass",
Description: "userpass",
}
err = c.enableCredential(namespace.RootContext(nil), userpassMe2)
if err != nil {
t.Fatal(err)
}
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
req.Data["from"] = "auth/userpass1"
req.Data["to"] = "auth/userpass2"
req.Data["config"] = structs.Map(MountConfig{})
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if !strings.Contains(resp.Data["error"].(string), "path already in use at \"auth/userpass2/\"") {
t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
}
req.Data["to"] = "auth/userpass2/mypass"
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if !strings.Contains(resp.Data["error"].(string), "path already in use at \"auth/userpass2/\"") {
t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
}
userpassMe3 := &MountEntry{
Table: credentialTableType,
Path: "userpass3/mypass/",
Type: "userpass",
Description: "userpass",
}
err = c.enableCredential(namespace.RootContext(nil), userpassMe3)
if err != nil {
t.Fatal(err)
}
req.Data["to"] = "auth/userpass3/"
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if !strings.Contains(resp.Data["error"].(string), "path already in use at \"auth/userpass3/mypass/\"") {
t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
}
}
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
func TestSystemBackend_remount(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
req.Data["from"] = "secret"
req.Data["to"] = "foo"
Add DynamicSystemView. This uses a pointer to a pointer to always have up-to-date information. This allows remount to be implemented with the same source and dest, allowing mount options to be changed on the fly. If/when Vault gains the ability to HUP its configuration, this should just work for the global values as well. Need specific unit tests for this functionality.
2015-09-01 22:29:30 +00:00
req.Data["config"] = structs.Map(MountConfig{})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Revert "MFA (#14049)" (#14135) This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193.
2022-02-17 20:17:59 +00:00
RetryUntil(t, 5*time.Second, func() error {
req = logical.TestRequest(t, logical.ReadOperation, fmt.Sprintf("remount/status/%s", resp.Data["migration_id"]))
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
migrationInfo := resp.Data["migration_info"].(*MountMigrationInfo)
if migrationInfo.MigrationStatus != MigrationSuccessStatus.String() {
return fmt.Errorf("Expected migration status to be successful, got %q", migrationInfo.MigrationStatus)
}
return nil
})
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
add missed test (#14168)
2022-02-18 22:01:43 +00:00
func TestSystemBackend_remount_destinationInUse(t *testing.T) {
c, b, _ := testCoreSystemBackend(t)
me := &MountEntry{
Table: mountTableType,
Path: "foo/",
Type: "generic",
}
err := c.mount(namespace.RootContext(nil), me)
if err != nil {
t.Fatalf("err: %v", err)
}
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
req.Data["from"] = "secret"
req.Data["to"] = "foo"
req.Data["config"] = structs.Map(MountConfig{})
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if !strings.Contains(resp.Data["error"].(string), "path already in use at \"foo/\"") {
t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
}
req.Data["to"] = "foo/foo2"
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if !strings.Contains(resp.Data["error"].(string), "path already in use at \"foo/\"") {
t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
}
me2 := &MountEntry{
Table: mountTableType,
Path: "foo2/foo3/",
Type: "generic",
}
err = c.mount(namespace.RootContext(nil), me2)
if err != nil {
t.Fatalf("err: %v", err)
}
req.Data["to"] = "foo2/"
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if !strings.Contains(resp.Data["error"].(string), "path already in use at \"foo2/foo3/\"") {
t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
}
}
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
func TestSystemBackend_remount_invalid(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
req.Data["from"] = "unknown"
req.Data["to"] = "foo"
Add DynamicSystemView. This uses a pointer to a pointer to always have up-to-date information. This allows remount to be implemented with the same source and dest, allowing mount options to be changed on the fly. If/when Vault gains the ability to HUP its configuration, this should just work for the global values as well. Need specific unit tests for this functionality.
2015-09-01 22:29:30 +00:00
req.Data["config"] = structs.Map(MountConfig{})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: convert to logical.Request and friends
2015-03-15 21:53:41 +00:00
if err != logical.ErrInvalidRequest {
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
t.Fatalf("err: %v", err)
}
Revert "MFA (#14049)" (#14135) This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193.
2022-02-17 20:17:59 +00:00
if !strings.Contains(resp.Data["error"].(string), "no matching mount at \"unknown/\"") {
t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
}
func TestSystemBackend_remount_system(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
req.Data["from"] = "sys"
req.Data["to"] = "foo"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: convert to logical.Request and friends
2015-03-15 21:53:41 +00:00
if err != logical.ErrInvalidRequest {
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
t.Fatalf("err: %v", err)
}
Revert "MFA (#14049)" (#14135) This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193.
2022-02-17 20:17:59 +00:00
if !strings.Contains(resp.Data["error"].(string), "cannot remount \"sys/\"") {
t.Fatalf("Found unexpected error %q", resp.Data["error"].(string))
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
}
Validate to/from parameters when remounting a backend (#9890) Vault uses http.ServeMux which issues an HTTP 301 redirect if the request path contains a double slash (`//`). Additionally, vault handles all paths to ensure that the path only contains printable characters. Therefore use the same validation on the to/from parameters for remounting. Not doing this can result in a Vault mount that was originally mounted at `pki/foo` to being remounted at `pki/foo//bar` resulting in mounts that cannot be accessed. Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
2020-10-29 18:06:07 +00:00
func TestSystemBackend_remount_clean(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
req.Data["from"] = "foo"
req.Data["to"] = "foo//bar"
req.Data["config"] = structs.Map(MountConfig{})
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Revert "MFA (#14049)" (#14135) This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193.
2022-02-17 20:17:59 +00:00
if resp.Data["error"] != `invalid destination mount: path 'foo//bar/' does not match cleaned path 'foo/bar/'` {
Validate to/from parameters when remounting a backend (#9890) Vault uses http.ServeMux which issues an HTTP 301 redirect if the request path contains a double slash (`//`). Additionally, vault handles all paths to ensure that the path only contains printable characters. Therefore use the same validation on the to/from parameters for remounting. Not doing this can result in a Vault mount that was originally mounted at `pki/foo` to being remounted at `pki/foo//bar` resulting in mounts that cannot be accessed. Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
2020-10-29 18:06:07 +00:00
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_remount_nonPrintable(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
req.Data["from"] = "foo"
req.Data["to"] = "foo\nbar"
req.Data["config"] = structs.Map(MountConfig{})
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Revert "MFA (#14049)" (#14135) This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193.
2022-02-17 20:17:59 +00:00
if resp.Data["error"] != `invalid destination mount: path cannot contain non-printable characters` {
Validate to/from parameters when remounting a backend (#9890) Vault uses http.ServeMux which issues an HTTP 301 redirect if the request path contains a double slash (`//`). Additionally, vault handles all paths to ensure that the path only contains printable characters. Therefore use the same validation on the to/from parameters for remounting. Not doing this can result in a Vault mount that was originally mounted at `pki/foo` to being remounted at `pki/foo//bar` resulting in mounts that cannot be accessed. Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
2020-10-29 18:06:07 +00:00
t.Fatalf("bad: %v", resp)
}
}
Fixes from mount move testing (#14492) * Add validation, fix docs * add changelog * fmt fix * Update vault/logical_system.go Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> * Update vault/logical_system.go Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> * Update vault/logical_system_test.go Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> * Update vault/logical_system_test.go Co-authored-by: Josh Black <raskchanky@users.noreply.github.com> Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
2022-03-15 18:11:23 +00:00
func TestSystemBackend_remount_spacesInFromPath(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
req.Data["from"] = " foo / "
req.Data["to"] = "bar"
req.Data["config"] = structs.Map(MountConfig{})
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if resp.Data["error"] != `'from' path cannot contain whitespace` {
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_remount_spacesInToPath(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
req.Data["from"] = "foo"
req.Data["to"] = " bar / "
req.Data["config"] = structs.Map(MountConfig{})
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if resp.Data["error"] != `'to' path cannot contain whitespace` {
t.Fatalf("bad: %v", resp)
}
}
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
func TestSystemBackend_leases(t *testing.T) {
core, b, root := testCoreSystemBackend(t)
// Create a key with a lease
req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
req.Data["foo"] = "bar"
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
SSCT Optimizations (OSS) (#14323) * update ci.hcl to remove 1.6.x and add in 1.10.x * SSCT OSS PR review comments and optimizations * check errors in populate token entry calls
2022-03-01 20:24:45 +00:00
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
// Read lease
req = logical.TestRequest(t, logical.UpdateOperation, "leases/lookup")
req.Data["lease_id"] = resp.Secret.LeaseID
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp.Data["renewable"] == nil || resp.Data["renewable"].(bool) {
Rename "generic" secret backend to "kv" (#3292)
2017-09-15 13:02:29 +00:00
t.Fatal("kv leases are not renewable")
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
}
// Invalid lease
req = logical.TestRequest(t, logical.UpdateOperation, "leases/lookup")
req.Data["lease_id"] = "invalid"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("expected invalid request, got err: %v", err)
}
}
func TestSystemBackend_leases_list(t *testing.T) {
core, b, root := testCoreSystemBackend(t)
// Create a key with a lease
req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
req.Data["foo"] = "bar"
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
SSCT Optimizations (OSS) (#14323) * update ci.hcl to remove 1.6.x and add in 1.10.x * SSCT OSS PR review comments and optimizations * check errors in populate token entry calls
2022-03-01 20:24:45 +00:00
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
// List top level
req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Data == nil {
t.Fatalf("bad: %#v", resp)
}
var keys []string
if err := mapstructure.WeakDecode(resp.Data["keys"], &keys); err != nil {
t.Fatalf("err: %v", err)
}
if len(keys) != 1 {
t.Fatalf("Expected 1 subkey lease, got %d: %#v", len(keys), keys)
}
if keys[0] != "secret/" {
t.Fatal("Expected only secret subkey")
}
// List lease
req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/secret/foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Data == nil {
t.Fatalf("bad: %#v", resp)
}
keys = []string{}
if err := mapstructure.WeakDecode(resp.Data["keys"], &keys); err != nil {
t.Fatalf("err: %v", err)
}
if len(keys) != 1 {
t.Fatalf("Expected 1 secret lease, got %d: %#v", len(keys), keys)
}
// Generate multiple leases
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
SSCT Optimizations (OSS) (#14323) * update ci.hcl to remove 1.6.x and add in 1.10.x * SSCT OSS PR review comments and optimizations * check errors in populate token entry calls
2022-03-01 20:24:45 +00:00
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
SSCT Optimizations (OSS) (#14323) * update ci.hcl to remove 1.6.x and add in 1.10.x * SSCT OSS PR review comments and optimizations * check errors in populate token entry calls
2022-03-01 20:24:45 +00:00
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/secret/foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Data == nil {
t.Fatalf("bad: %#v", resp)
}
keys = []string{}
if err := mapstructure.WeakDecode(resp.Data["keys"], &keys); err != nil {
t.Fatalf("err: %v", err)
}
if len(keys) != 3 {
t.Fatalf("Expected 3 secret lease, got %d: %#v", len(keys), keys)
}
// Listing subkeys
req = logical.TestRequest(t, logical.UpdateOperation, "secret/bar")
req.Data["foo"] = "bar"
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/bar")
req.ClientToken = root
SSCT Optimizations (OSS) (#14323) * update ci.hcl to remove 1.6.x and add in 1.10.x * SSCT OSS PR review comments and optimizations * check errors in populate token entry calls
2022-03-01 20:24:45 +00:00
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/secret")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Data == nil {
t.Fatalf("bad: %#v", resp)
}
keys = []string{}
if err := mapstructure.WeakDecode(resp.Data["keys"], &keys); err != nil {
t.Fatalf("err: %v", err)
}
if len(keys) != 2 {
t.Fatalf("Expected 2 secret lease, got %d: %#v", len(keys), keys)
}
expected := []string{"bar/", "foo/"}
if !reflect.DeepEqual(expected, keys) {
t.Fatalf("exp: %#v, act: %#v", expected, keys)
}
}
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
func TestSystemBackend_renew(t *testing.T) {
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
core, b, root := testCoreSystemBackend(t)
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
// Create a key with a lease
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
req.Data["foo"] = "bar"
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
Replace VaultID with LeaseID for terminology simplification
2015-04-08 20:35:32 +00:00
// Read a key with a LeaseID
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
req.ClientToken = root
SSCT Optimizations (OSS) (#14323) * update ci.hcl to remove 1.6.x and add in 1.10.x * SSCT OSS PR review comments and optimizations * check errors in populate token entry calls
2022-03-01 20:24:45 +00:00
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Replace VaultID with LeaseID for terminology simplification
2015-04-08 20:35:32 +00:00
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
t.Fatalf("bad: %#v", resp)
}
// Attempt renew
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
req2 := logical.TestRequest(t, logical.UpdateOperation, "leases/renew/"+resp.Secret.LeaseID)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err := b.HandleRequest(namespace.RootContext(nil), req2)
vault: Enforce non-renewability
2015-04-09 00:03:46 +00:00
if err != logical.ErrInvalidRequest {
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
t.Fatalf("err: %v", err)
}
vault: Enforce non-renewability
2015-04-09 00:03:46 +00:00
// Should get error about non-renewability
if resp2.Data["error"] != "lease is not renewable" {
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
t.Fatalf("bad: %#v", resp)
}
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
// Add a TTL to the lease
req = logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
req.Data["foo"] = "bar"
req.Data["ttl"] = "180s"
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
SSCT Optimizations (OSS) (#14323) * update ci.hcl to remove 1.6.x and add in 1.10.x * SSCT OSS PR review comments and optimizations * check errors in populate token entry calls
2022-03-01 20:24:45 +00:00
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
// Attempt renew
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
req2 = logical.TestRequest(t, logical.UpdateOperation, "leases/renew/"+resp.Secret.LeaseID)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp2.IsError() {
t.Fatalf("got an error")
}
if resp2.Data == nil {
t.Fatal("nil data")
}
if resp.Secret.TTL != 180*time.Second {
Minor test fix
2016-08-09 11:13:29 +00:00
t.Fatalf("bad lease duration: %v", resp.Secret.TTL)
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
}
// Test the other route path
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
req2 = logical.TestRequest(t, logical.UpdateOperation, "leases/renew")
req2.Data["lease_id"] = resp.Secret.LeaseID
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp2.IsError() {
t.Fatalf("got an error")
}
if resp2.Data == nil {
t.Fatal("nil data")
}
if resp.Secret.TTL != 180*time.Second {
t.Fatalf("bad lease duration: %v", resp.Secret.TTL)
}
// Test orig path
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
req2 = logical.TestRequest(t, logical.UpdateOperation, "renew")
req2.Data["lease_id"] = resp.Secret.LeaseID
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp2.IsError() {
t.Fatalf("got an error")
}
if resp2.Data == nil {
t.Fatal("nil data")
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp.Secret.TTL != time.Second*180 {
Minor test fix
2016-08-09 11:13:29 +00:00
t.Fatalf("bad lease duration: %v", resp.Secret.TTL)
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
}
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
}
vault: Test renew of bad ID
2015-03-16 23:14:53 +00:00
func TestSystemBackend_renew_invalidID(t *testing.T) {
b := testSystemBackend(t)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
// Attempt renew
req := logical.TestRequest(t, logical.UpdateOperation, "leases/renew/foobarbaz")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp.Data["error"] != "lease not found" {
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
t.Fatalf("bad: %v", resp)
}
// Attempt renew with other method
req = logical.TestRequest(t, logical.UpdateOperation, "leases/renew")
req.Data["lease_id"] = "foobarbaz"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp.Data["error"] != "lease not found" {
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_renew_invalidID_origUrl(t *testing.T) {
b := testSystemBackend(t)
vault: Test renew of bad ID
2015-03-16 23:14:53 +00:00
// Attempt renew
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "renew/foobarbaz")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Test renew of bad ID
2015-03-16 23:14:53 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp.Data["error"] != "lease not found" {
vault: Test renew of bad ID
2015-03-16 23:14:53 +00:00
t.Fatalf("bad: %v", resp)
}
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
// Attempt renew with other method
req = logical.TestRequest(t, logical.UpdateOperation, "renew")
req.Data["lease_id"] = "foobarbaz"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp.Data["error"] != "lease not found" {
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
t.Fatalf("bad: %v", resp)
}
vault: Test renew of bad ID
2015-03-16 23:14:53 +00:00
}
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
func TestSystemBackend_revoke(t *testing.T) {
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
core, b, root := testCoreSystemBackend(t)
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
// Create a key with a lease
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
req.Data["foo"] = "bar"
req.Data["lease"] = "1h"
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
Replace VaultID with LeaseID for terminology simplification
2015-04-08 20:35:32 +00:00
// Read a key with a LeaseID
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
req.ClientToken = root
SSCT Optimizations (OSS) (#14323) * update ci.hcl to remove 1.6.x and add in 1.10.x * SSCT OSS PR review comments and optimizations * check errors in populate token entry calls
2022-03-01 20:24:45 +00:00
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Replace VaultID with LeaseID for terminology simplification
2015-04-08 20:35:32 +00:00
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
t.Fatalf("bad: %#v", resp)
}
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
// Attempt revoke
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req2 := logical.TestRequest(t, logical.UpdateOperation, "revoke/"+resp.Secret.LeaseID)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err := b.HandleRequest(namespace.RootContext(nil), req2)
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
if err != nil {
t.Fatalf("err: %v %#v", err, resp2)
}
if resp2 != nil {
t.Fatalf("bad: %#v", resp)
}
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
// Attempt renew
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req3 := logical.TestRequest(t, logical.UpdateOperation, "renew/"+resp.Secret.LeaseID)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp3, err := b.HandleRequest(namespace.RootContext(nil), req3)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp3.Data["error"] != "lease not found" {
t.Fatalf("bad: %v", *resp3)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
}
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
SSCT Optimizations (OSS) (#14323) * update ci.hcl to remove 1.6.x and add in 1.10.x * SSCT OSS PR review comments and optimizations * check errors in populate token entry calls
2022-03-01 20:24:45 +00:00
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
// Test the other route path
req2 = logical.TestRequest(t, logical.UpdateOperation, "revoke")
req2.Data["lease_id"] = resp.Secret.LeaseID
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
if err != nil {
t.Fatalf("err: %v %#v", err, resp2)
}
if resp2 != nil {
t.Fatalf("bad: %#v", resp)
}
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
SSCT Optimizations (OSS) (#14323) * update ci.hcl to remove 1.6.x and add in 1.10.x * SSCT OSS PR review comments and optimizations * check errors in populate token entry calls
2022-03-01 20:24:45 +00:00
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
// Test the other route path
req2 = logical.TestRequest(t, logical.UpdateOperation, "leases/revoke")
req2.Data["lease_id"] = resp.Secret.LeaseID
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v %#v", err, resp2)
}
if resp2 != nil {
t.Fatalf("bad: %#v", resp)
}
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
}
func TestSystemBackend_revoke_invalidID(t *testing.T) {
b := testSystemBackend(t)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
// Attempt revoke
req := logical.TestRequest(t, logical.UpdateOperation, "leases/revoke/foobarbaz")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
// Attempt revoke with other method
req = logical.TestRequest(t, logical.UpdateOperation, "leases/revoke")
req.Data["lease_id"] = "foobarbaz"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_revoke_invalidID_origUrl(t *testing.T) {
b := testSystemBackend(t)
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
// Attempt revoke
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "revoke/foobarbaz")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
// Attempt revoke with other method
req = logical.TestRequest(t, logical.UpdateOperation, "revoke")
req.Data["lease_id"] = "foobarbaz"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
}
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
func TestSystemBackend_revokePrefix(t *testing.T) {
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
core, b, root := testCoreSystemBackend(t)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
// Create a key with a lease
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
req.Data["foo"] = "bar"
req.Data["lease"] = "1h"
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
Replace VaultID with LeaseID for terminology simplification
2015-04-08 20:35:32 +00:00
// Read a key with a LeaseID
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
req.ClientToken = root
SSCT Optimizations (OSS) (#14323) * update ci.hcl to remove 1.6.x and add in 1.10.x * SSCT OSS PR review comments and optimizations * check errors in populate token entry calls
2022-03-01 20:24:45 +00:00
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Replace VaultID with LeaseID for terminology simplification
2015-04-08 20:35:32 +00:00
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
t.Fatalf("bad: %#v", resp)
}
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
// Attempt revoke
req2 := logical.TestRequest(t, logical.UpdateOperation, "leases/revoke-prefix/secret/")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err := b.HandleRequest(namespace.RootContext(nil), req2)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v %#v", err, resp2)
}
if resp2 != nil {
t.Fatalf("bad: %#v", resp)
}
// Attempt renew
req3 := logical.TestRequest(t, logical.UpdateOperation, "leases/renew/"+resp.Secret.LeaseID)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp3, err := b.HandleRequest(namespace.RootContext(nil), req3)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp3.Data["error"] != "lease not found" {
t.Fatalf("bad: %v", *resp3)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
}
}
func TestSystemBackend_revokePrefix_origUrl(t *testing.T) {
core, b, root := testCoreSystemBackend(t)
// Create a key with a lease
req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
req.Data["foo"] = "bar"
req.Data["lease"] = "1h"
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
SSCT Optimizations (OSS) (#14323) * update ci.hcl to remove 1.6.x and add in 1.10.x * SSCT OSS PR review comments and optimizations * check errors in populate token entry calls
2022-03-01 20:24:45 +00:00
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
// Attempt revoke
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req2 := logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/secret/")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err := b.HandleRequest(namespace.RootContext(nil), req2)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
if err != nil {
t.Fatalf("err: %v %#v", err, resp2)
}
if resp2 != nil {
t.Fatalf("bad: %#v", resp)
}
// Attempt renew
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req3 := logical.TestRequest(t, logical.UpdateOperation, "renew/"+resp.Secret.LeaseID)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp3, err := b.HandleRequest(namespace.RootContext(nil), req3)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp3.Data["error"] != "lease not found" {
t.Fatalf("bad: %#v", *resp3)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
}
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
func TestSystemBackend_revokePrefixAuth_newUrl(t *testing.T) {
core, _, _ := TestCoreUnsealed(t)
ts := core.tokenStore
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
bc := &logical.BackendConfig{
Logger: core.logger,
System: logical.StaticSystemView{
DefaultLeaseTTLVal: time.Hour * 24,
Change default TTL from 30 to 32 to accommodate monthly operations (#1942)
2016-09-28 22:32:49 +00:00
MaxLeaseTTLVal: time.Hour * 24 * 32,
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
},
}
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
b := NewSystemBackend(core, hclog.New(&hclog.LoggerOptions{}))
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err := b.Backend.Setup(namespace.RootContext(nil), bc)
Wrapping enhancements (#1927)
2016-09-29 04:01:28 +00:00
if err != nil {
t.Fatal(err)
}
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
exp := ts.expiration
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
te := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
ID: "foo",
Path: "auth/github/login/bar",
TTL: time.Hour,
NamespaceID: namespace.RootNamespaceID,
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, te)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.Lookup(namespace.RootContext(nil), "foo")
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatal(err)
}
if te == nil {
t.Fatal("token entry was nil")
}
// Create a new token
auth := &logical.Auth{
ClientToken: te.ID,
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
},
}
VAULT-6614 Enable role based quotas for lease-count quotas (OSS) (#16157) * VAULT-6613 add DetermineRoleFromLoginRequest function to Core * Fix body handling * Role resolution for rate limit quotas * VAULT-6613 update precedence test * Add changelog * VAULT-6614 start of changes for roles in LCQs * Expiration changes for leases * Add role information to RequestAuth * VAULT-6614 Test updates * VAULT-6614 Add expiration test with roles * VAULT-6614 fix comment * VAULT-6614 Protobuf on OSS * VAULT-6614 Add rlock to determine role code * VAULT-6614 Try lock instead of rlock * VAULT-6614 back to rlock while I think about this more * VAULT-6614 Additional safety for nil dereference * VAULT-6614 Use %q over %s * VAULT-6614 Add overloading to plugin backends * VAULT-6614 RLocks instead * VAULT-6614 Fix return for backend factory
2022-07-05 17:02:00 +00:00
err = exp.RegisterAuth(namespace.RootContext(nil), te, auth, "")
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
req := logical.TestRequest(t, logical.UpdateOperation, "leases/revoke-prefix/auth/github/")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.Lookup(namespace.RootContext(nil), te.ID)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if te != nil {
t.Fatalf("bad: %v", te)
}
}
func TestSystemBackend_revokePrefixAuth_origUrl(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
core, _, _ := TestCoreUnsealed(t)
ts := core.tokenStore
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
bc := &logical.BackendConfig{
Logger: core.logger,
System: logical.StaticSystemView{
DefaultLeaseTTLVal: time.Hour * 24,
Change default TTL from 30 to 32 to accommodate monthly operations (#1942)
2016-09-28 22:32:49 +00:00
MaxLeaseTTLVal: time.Hour * 24 * 32,
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
},
}
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
b := NewSystemBackend(core, hclog.New(&hclog.LoggerOptions{}))
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err := b.Backend.Setup(namespace.RootContext(nil), bc)
Wrapping enhancements (#1927)
2016-09-29 04:01:28 +00:00
if err != nil {
t.Fatal(err)
}
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
exp := ts.expiration
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
te := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
ID: "foo",
Path: "auth/github/login/bar",
TTL: time.Hour,
NamespaceID: namespace.RootNamespaceID,
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, te)
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.Lookup(namespace.RootContext(nil), "foo")
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
if err != nil {
t.Fatal(err)
}
if te == nil {
t.Fatal("token entry was nil")
}
// Create a new token
auth := &logical.Auth{
ClientToken: te.ID,
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
},
}
VAULT-6614 Enable role based quotas for lease-count quotas (OSS) (#16157) * VAULT-6613 add DetermineRoleFromLoginRequest function to Core * Fix body handling * Role resolution for rate limit quotas * VAULT-6613 update precedence test * Add changelog * VAULT-6614 start of changes for roles in LCQs * Expiration changes for leases * Add role information to RequestAuth * VAULT-6614 Test updates * VAULT-6614 Add expiration test with roles * VAULT-6614 fix comment * VAULT-6614 Protobuf on OSS * VAULT-6614 Add rlock to determine role code * VAULT-6614 Try lock instead of rlock * VAULT-6614 back to rlock while I think about this more * VAULT-6614 Additional safety for nil dereference * VAULT-6614 Use %q over %s * VAULT-6614 Add overloading to plugin backends * VAULT-6614 RLocks instead * VAULT-6614 Fix return for backend factory
2022-07-05 17:02:00 +00:00
err = exp.RegisterAuth(namespace.RootContext(nil), te, auth, "")
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
req := logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/auth/github/")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.Lookup(namespace.RootContext(nil), te.ID)
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if te != nil {
t.Fatalf("bad: %v", te)
}
}
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
func TestSystemBackend_authTable(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.ReadOperation, "auth")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
Fix the test cases
2016-06-20 19:55:21 +00:00
"token/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "token",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "token based credentials",
"accessor": resp.Data["token/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["token/"].(map[string]interface{})["uuid"],
Fix the test cases
2016-06-20 19:55:21 +00:00
"config": map[string]interface{}{
Made default_lease_ttl and max_lease_ttl as int64 and fixed tests
2016-06-21 00:08:12 +00:00
"default_lease_ttl": int64(0),
"max_lease_ttl": int64(0),
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"force_no_cache": false,
"token_type": "default-service",
Fix the test cases
2016-06-20 19:55:21 +00:00
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"local": false,
"seal_wrap": false,
"options": map[string]string(nil),
"plugin_version": "",
Plugins: Update running version everywhere running sha256 is set (#17292)
2022-09-23 10:19:38 +00:00
"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"running_sha256": "",
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
},
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if diff := deep.Equal(resp.Data, exp); diff != nil {
t.Fatal(diff)
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
}
Add read support to sys/auth/:path (#12793) * Add read support to sys/auth/:path Closes https://github.com/hashicorp/vault/issues/7411 * Add changelog entry
2022-01-25 19:56:40 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "auth/token")
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if diff := deep.Equal(resp.Data, exp["token/"]); diff != nil {
t.Fatal(diff)
}
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
}
func TestSystemBackend_enableAuth(t *testing.T) {
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
c, b, _ := testCoreSystemBackend(t)
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
return &NoopBackend{BackendType: logical.TypeCredential}, nil
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "auth/foo")
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
req.Data["type"] = "noop"
Add TTL related config options on auth enable (#4019)
2018-02-22 15:26:29 +00:00
req.Data["config"] = map[string]interface{}{
"default_lease_ttl": "35m",
"max_lease_ttl": "45m",
}
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
req.Data["local"] = true
req.Data["seal_wrap"] = true
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "auth")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil {
t.Fatal("resp is nil")
}
exp := map[string]interface{}{
"foo/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "noop",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "",
"accessor": resp.Data["foo/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["foo/"].(map[string]interface{})["uuid"],
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"config": map[string]interface{}{
Add TTL related config options on auth enable (#4019)
2018-02-22 15:26:29 +00:00
"default_lease_ttl": int64(2100),
"max_lease_ttl": int64(2700),
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"force_no_cache": false,
"token_type": "default-service",
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"local": true,
"seal_wrap": true,
"options": map[string]string{},
"plugin_version": "",
"running_plugin_version": versions.DefaultBuiltinVersion,
"running_sha256": "",
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
"token/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "token",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "token based credentials",
"accessor": resp.Data["token/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["token/"].(map[string]interface{})["uuid"],
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"config": map[string]interface{}{
"default_lease_ttl": int64(0),
"max_lease_ttl": int64(0),
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"force_no_cache": false,
"token_type": "default-service",
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"local": false,
"seal_wrap": false,
"options": map[string]string(nil),
"plugin_version": "",
Plugins: Update running version everywhere running sha256 is set (#17292)
2022-09-23 10:19:38 +00:00
"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"running_sha256": "",
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if diff := deep.Equal(resp.Data, exp); diff != nil {
t.Fatal(diff)
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
}
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
}
func TestSystemBackend_enableAuth_invalid(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "auth/foo")
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
req.Data["type"] = "nope"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
if resp.Data["error"] != `plugin not found in the catalog: nope` {
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_disableAuth(t *testing.T) {
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
c, b, _ := testCoreSystemBackend(t)
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
remove credential/ lots of tests faililng
2015-03-31 01:07:05 +00:00
return &NoopBackend{}, nil
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
}
// Register the backend
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "auth/foo")
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
req.Data["type"] = "noop"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
b.HandleRequest(namespace.RootContext(nil), req)
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
// Deregister it
req = logical.TestRequest(t, logical.DeleteOperation, "auth/foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
Add missed description field for GET /sys/auth/:path/tune endpoint (#8193) * fix #7623: add missed description field for GET /sys/auth/:path/tune endpoint * fix #7623: allow empty description * fix #7623: update tests with description field
2020-02-15 18:32:47 +00:00
func TestSystemBackend_tuneAuth(t *testing.T) {
c, b, _ := testCoreSystemBackend(t)
c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
return &NoopBackend{BackendType: logical.TypeCredential}, nil
}
req := logical.TestRequest(t, logical.ReadOperation, "auth/token/tune")
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil {
t.Fatal("resp is nil")
}
exp := map[string]interface{}{
"description": "token based credentials",
"default_lease_ttl": int(2764800),
"max_lease_ttl": int(2764800),
"force_no_cache": false,
"token_type": "default-service",
}
if diff := deep.Equal(resp.Data, exp); diff != nil {
t.Fatal(diff)
}
req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/tune")
req.Data["description"] = ""
Plugins: Auto version selection for auth/secrets + tune version (#17167)
2022-09-22 12:53:52 +00:00
req.Data["plugin_version"] = "v1.0.0"
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err == nil || resp == nil || !resp.IsError() || !strings.Contains(resp.Error().Error(), ErrPluginNotFound.Error()) {
t.Fatalf("expected tune request to fail, but got resp: %#v, err: %s", resp, err)
}
// Register the plugin in the catalog, and then try the same request again.
{
tempDir, err := filepath.EvalSymlinks(t.TempDir())
if err != nil {
t.Fatal(err)
}
c.pluginCatalog.directory = tempDir
file, err := os.Create(filepath.Join(tempDir, "foo"))
if err != nil {
t.Fatal(err)
}
if err := file.Close(); err != nil {
t.Fatal(err)
}
err = c.pluginCatalog.Set(context.Background(), "token", consts.PluginTypeCredential, "v1.0.0", "foo", []string{}, []string{}, []byte{})
if err != nil {
t.Fatal(err)
}
}
Add missed description field for GET /sys/auth/:path/tune endpoint (#8193) * fix #7623: add missed description field for GET /sys/auth/:path/tune endpoint * fix #7623: allow empty description * fix #7623: update tests with description field
2020-02-15 18:32:47 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
Plugins: Auto version selection for auth/secrets + tune version (#17167)
2022-09-22 12:53:52 +00:00
t.Fatal(resp, err)
Add missed description field for GET /sys/auth/:path/tune endpoint (#8193) * fix #7623: add missed description field for GET /sys/auth/:path/tune endpoint * fix #7623: allow empty description * fix #7623: update tests with description field
2020-02-15 18:32:47 +00:00
}
req = logical.TestRequest(t, logical.ReadOperation, "auth/token/tune")
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil {
t.Fatal("resp is nil")
}
if resp.Data["description"] != "" {
t.Fatalf("got: %#v expect: %#v", resp.Data["description"], "")
}
Plugins: Auto version selection for auth/secrets + tune version (#17167)
2022-09-22 12:53:52 +00:00
if resp.Data["plugin_version"] != "v1.0.0" {
t.Fatalf("got: %#v, expected: %v", resp.Data["version"], "v1.0.0")
}
Add missed description field for GET /sys/auth/:path/tune endpoint (#8193) * fix #7623: add missed description field for GET /sys/auth/:path/tune endpoint * fix #7623: allow empty description * fix #7623: update tests with description field
2020-02-15 18:32:47 +00:00
}
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
func TestSystemBackend_policyList(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.ReadOperation, "policy")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
Add test for non-assignable policies
2016-07-25 19:59:02 +00:00
"keys": []string{"default", "root"},
"policies": []string{"default", "root"},
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
func TestSystemBackend_policyCRUD(t *testing.T) {
b := testSystemBackend(t)
// Create the policy
rules := `path "foo/" { policy = "read" }`
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "policy/Foo")
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
req.Data["rules"] = rules
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
if err != nil {
t.Fatalf("err: %v %#v", err, resp)
}
Sync
2017-10-23 19:35:28 +00:00
if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
t.Fatalf("bad: %#v", resp)
}
// Read the policy
req = logical.TestRequest(t, logical.ReadOperation, "policy/foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
"name": "foo",
"rules": rules,
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
Normalize policy names to lowercase on write. They are not currently normalized when reading or deleting, for backwards compatibility. Ping #676.
2015-10-07 17:52:21 +00:00
// Read, and make sure that case has been normalized
req = logical.TestRequest(t, logical.ReadOperation, "policy/Foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Stop Vault Package Tests From Swallowing Errors (#2960) * Fix ignored error in TestAESGCMBarrier_MoveIntegrityV1(). * Fix ignored error in TestAESGCMBarrier_MoveIntegrityV2(). * Fix ignored err in TestExpiration_Tidy(). * Fix ignored error in TestSystemBackend_policyCRUD().
2017-07-04 17:58:28 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Properly lowercase policy names. (#3210) Previously we lowercased names on ingress but not on lookup or delete which could cause unexpected results. Now, just unilaterally lowercase policy names on write and delete. On get, to avoid the performance hit of always lowercasing when not necessary since it's in the critical path, we have a minor optimization -- we check the LRU first before normalizing. For tokens, because they're already normalized when adding policies during creation, this should always work; it might just be slower for API calls. Fixes #3187
2017-08-18 23:47:23 +00:00
exp = map[string]interface{}{
"name": "foo",
"rules": rules,
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
Normalize policy names to lowercase on write. They are not currently normalized when reading or deleting, for backwards compatibility. Ping #676.
2015-10-07 17:52:21 +00:00
}
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
// List the policies
req = logical.TestRequest(t, logical.ReadOperation, "policy")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp = map[string]interface{}{
Add test for non-assignable policies
2016-07-25 19:59:02 +00:00
"keys": []string{"default", "foo", "root"},
"policies": []string{"default", "foo", "root"},
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
// Delete the policy
req = logical.TestRequest(t, logical.DeleteOperation, "policy/foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read the policy (deleted)
req = logical.TestRequest(t, logical.ReadOperation, "policy/foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// List the policies (deleted)
req = logical.TestRequest(t, logical.ReadOperation, "policy")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp = map[string]interface{}{
Add test for non-assignable policies
2016-07-25 19:59:02 +00:00
"keys": []string{"default", "root"},
"policies": []string{"default", "root"},
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
func TestSystemBackend_enableAudit(t *testing.T) {
c, b, _ := testCoreSystemBackend(t)
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 21:36:42 +00:00
return &NoopAudit{
Config: config,
}, nil
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
req.Data["type"] = "noop"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
func TestSystemBackend_auditHash(t *testing.T) {
c, b, _ := testCoreSystemBackend(t)
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
view := &logical.InmemStorage{}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
view.Put(namespace.RootContext(nil), &logical.StorageEntry{
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
Key: "salt",
Value: []byte("foo"),
})
Delay salt initialization for audit backends
2017-05-24 00:36:20 +00:00
config.SaltView = view
config.SaltConfig = &salt.Config{
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
HMAC: sha256.New,
HMACType: "hmac-sha256",
Delay salt initialization for audit backends
2017-05-24 00:36:20 +00:00
Location: salt.DefaultLocation,
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
}
return &NoopAudit{
Config: config,
}, nil
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
req.Data["type"] = "noop"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req = logical.TestRequest(t, logical.UpdateOperation, "audit-hash/foo")
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
req.Data["input"] = "bar"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Data == nil {
t.Fatalf("response or its data was nil")
}
hash, ok := resp.Data["hash"]
if !ok {
t.Fatalf("did not get hash back in response, response was %#v", resp.Data)
}
if hash.(string) != "hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317" {
t.Fatalf("bad hash back: %s", hash.(string))
}
}
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
func TestSystemBackend_enableAudit_invalid(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
req.Data["type"] = "nope"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Fix output-related tests (#4288) * Fix command tests * More test fixes * Use backticks to escape quoted strings * More test fixes * Fix mismatched error output failures * Fix mismatched error output failures
2018-04-06 00:43:29 +00:00
if resp.Data["error"] != `unknown backend type: "nope"` {
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_auditTable(t *testing.T) {
c, b, _ := testCoreSystemBackend(t)
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 21:36:42 +00:00
return &NoopAudit{
Config: config,
}, nil
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
req.Data["type"] = "noop"
req.Data["description"] = "testing"
req.Data["options"] = map[string]interface{}{
"foo": "bar",
}
More porting from rep (#2388) * More porting from rep * Address review feedback
2017-02-16 21:29:30 +00:00
req.Data["local"] = true
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "audit")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
vault: Allow deep paths for audit backends
2015-04-03 21:27:33 +00:00
"foo/": map[string]interface{}{
Fix broken test case
2016-03-14 22:40:12 +00:00
"path": "foo/",
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
"type": "noop",
"description": "testing",
"options": map[string]string{
"foo": "bar",
},
More porting from rep (#2388) * More porting from rep * Address review feedback
2017-02-16 21:29:30 +00:00
"local": true,
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
},
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
func TestSystemBackend_disableAudit(t *testing.T) {
c, b, _ := testCoreSystemBackend(t)
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 21:36:42 +00:00
return &NoopAudit{
Config: config,
}, nil
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
req.Data["type"] = "noop"
req.Data["description"] = "testing"
req.Data["options"] = map[string]interface{}{
"foo": "bar",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
// Deregister it
req = logical.TestRequest(t, logical.DeleteOperation, "audit/foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
Decompress data before sending via sys/raw (#3954)
2018-02-09 23:43:48 +00:00
func TestSystemBackend_rawRead_Compressed(t *testing.T) {
Enhance sys/raw to read and write values that cannot be encoded in json (#13537)
2022-01-20 12:52:53 +00:00
t.Run("basic", func(t *testing.T) {
b := testSystemBackendRaw(t)
Decompress data before sending via sys/raw (#3954)
2018-02-09 23:43:48 +00:00
Enhance sys/raw to read and write values that cannot be encoded in json (#13537)
2022-01-20 12:52:53 +00:00
req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if !strings.HasPrefix(resp.Data["value"].(string), `{"type":"mounts"`) {
t.Fatalf("bad: %v", resp)
}
})
t.Run("base64", func(t *testing.T) {
b := testSystemBackendRaw(t)
req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
req.Data = map[string]interface{}{
"encoding": "base64",
}
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if _, ok := resp.Data["value"].([]byte); !ok {
t.Fatalf("value is a not an array of bytes, it is %T", resp.Data["value"])
}
if !strings.HasPrefix(string(resp.Data["value"].([]byte)), `{"type":"mounts"`) {
t.Fatalf("bad: %v", resp)
}
})
t.Run("invalid_encoding", func(t *testing.T) {
b := testSystemBackendRaw(t)
req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
req.Data = map[string]interface{}{
"encoding": "invalid_encoding",
}
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if !resp.IsError() {
t.Fatalf("bad: %v", resp)
}
})
t.Run("compressed_false", func(t *testing.T) {
b := testSystemBackendRaw(t)
req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
req.Data = map[string]interface{}{
"compressed": false,
}
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if _, ok := resp.Data["value"].(string); !ok {
t.Fatalf("value is a not a string, it is %T", resp.Data["value"])
}
if !strings.HasPrefix(string(resp.Data["value"].(string)), string(compressutil.CompressionCanaryGzip)) {
t.Fatalf("bad: %v", resp)
}
})
t.Run("compressed_false_base64", func(t *testing.T) {
b := testSystemBackendRaw(t)
req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
req.Data = map[string]interface{}{
"compressed": false,
"encoding": "base64",
}
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if _, ok := resp.Data["value"].([]byte); !ok {
t.Fatalf("value is a not an array of bytes, it is %T", resp.Data["value"])
}
if !strings.HasPrefix(string(resp.Data["value"].([]byte)), string(compressutil.CompressionCanaryGzip)) {
t.Fatalf("bad: %v", resp)
}
})
t.Run("uncompressed_entry_with_prefix_byte", func(t *testing.T) {
b := testSystemBackendRaw(t)
req := logical.TestRequest(t, logical.CreateOperation, "raw/test_raw")
req.Data = map[string]interface{}{
"value": "414c1e7f-0a9a-49e0-9fc4-61af329d0724",
}
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
req = logical.TestRequest(t, logical.ReadOperation, "raw/test_raw")
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err == nil {
t.Fatalf("expected error if trying to read uncompressed entry with prefix byte")
}
if !resp.IsError() {
t.Fatalf("bad: %v", resp)
}
req = logical.TestRequest(t, logical.ReadOperation, "raw/test_raw")
req.Data = map[string]interface{}{
"compressed": false,
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp.IsError() {
t.Fatalf("bad: %v", resp)
}
if resp.Data["value"].(string) != "414c1e7f-0a9a-49e0-9fc4-61af329d0724" {
t.Fatalf("bad: %v", resp)
}
})
Decompress data before sending via sys/raw (#3954)
2018-02-09 23:43:48 +00:00
}
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
func TestSystemBackend_rawRead_Protected(t *testing.T) {
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
b := testSystemBackendRaw(t)
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
req := logical.TestRequest(t, logical.ReadOperation, "raw/"+keyringPath)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
}
func TestSystemBackend_rawWrite_Protected(t *testing.T) {
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
b := testSystemBackendRaw(t)
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "raw/"+keyringPath)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
}
Update tests for change in raw blacklisting
2016-04-19 20:26:26 +00:00
func TestSystemBackend_rawReadWrite(t *testing.T) {
Sync
2017-10-23 19:35:28 +00:00
_, b, _ := testCoreSystemBackendRaw(t)
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
Enhance sys/raw to read and write values that cannot be encoded in json (#13537)
2022-01-20 12:52:53 +00:00
req := logical.TestRequest(t, logical.CreateOperation, "raw/sys/policy/test")
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
req.Data["value"] = `path "secret/" { policy = "read" }`
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
Update tests for change in raw blacklisting
2016-04-19 20:26:26 +00:00
// Read via raw API
req = logical.TestRequest(t, logical.ReadOperation, "raw/sys/policy/test")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Update tests for change in raw blacklisting
2016-04-19 20:26:26 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if !strings.HasPrefix(resp.Data["value"].(string), "path") {
t.Fatalf("bad: %v", resp)
}
Sync
2017-10-23 19:35:28 +00:00
// Note: since the upgrade code is gone that upgraded from 0.1, we can't
// simply parse this out directly via GetPolicy, so the test now ends here.
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
}
Enhance sys/raw to read and write values that cannot be encoded in json (#13537)
2022-01-20 12:52:53 +00:00
func TestSystemBackend_rawWrite_ExistanceCheck(t *testing.T) {
b := testSystemBackendRaw(t)
req := logical.TestRequest(t, logical.CreateOperation, "raw/core/mounts")
_, exist, err := b.HandleExistenceCheck(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: #{err}")
}
if !exist {
t.Fatalf("raw existence check failed for actual key")
}
req = logical.TestRequest(t, logical.CreateOperation, "raw/non_existent")
_, exist, err = b.HandleExistenceCheck(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: #{err}")
}
if exist {
t.Fatalf("raw existence check failed for non-existent key")
}
}
func TestSystemBackend_rawReadWrite_base64(t *testing.T) {
t.Run("basic", func(t *testing.T) {
_, b, _ := testCoreSystemBackendRaw(t)
req := logical.TestRequest(t, logical.CreateOperation, "raw/sys/policy/test")
req.Data = map[string]interface{}{
"value": base64.StdEncoding.EncodeToString([]byte(`path "secret/" { policy = "read"[ }`)),
"encoding": "base64",
}
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
// Read via raw API
req = logical.TestRequest(t, logical.ReadOperation, "raw/sys/policy/test")
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if !strings.HasPrefix(resp.Data["value"].(string), "path") {
t.Fatalf("bad: %v", resp)
}
})
t.Run("invalid_value", func(t *testing.T) {
_, b, _ := testCoreSystemBackendRaw(t)
req := logical.TestRequest(t, logical.CreateOperation, "raw/sys/policy/test")
req.Data = map[string]interface{}{
"value": "invalid base64",
"encoding": "base64",
}
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err == nil {
t.Fatalf("no error")
}
if err != logical.ErrInvalidRequest {
t.Fatalf("unexpected error: %v", err)
}
if !resp.IsError() {
t.Fatalf("response is not error: %v", resp)
}
})
t.Run("invalid_encoding", func(t *testing.T) {
_, b, _ := testCoreSystemBackendRaw(t)
req := logical.TestRequest(t, logical.CreateOperation, "raw/sys/policy/test")
req.Data = map[string]interface{}{
"value": "text",
"encoding": "invalid_encoding",
}
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err == nil {
t.Fatalf("no error")
}
if err != logical.ErrInvalidRequest {
t.Fatalf("unexpected error: %v", err)
}
if !resp.IsError() {
t.Fatalf("response is not error: %v", resp)
}
})
}
func TestSystemBackend_rawReadWrite_Compressed(t *testing.T) {
t.Run("use_existing_compression", func(t *testing.T) {
b := testSystemBackendRaw(t)
req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
mounts := resp.Data["value"].(string)
req = logical.TestRequest(t, logical.UpdateOperation, "raw/core/mounts")
req.Data = map[string]interface{}{
"value": mounts,
"compression_type": compressutil.CompressionTypeGzip,
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
// Read back and check gzip was applied by looking for prefix byte
req = logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
req.Data = map[string]interface{}{
"compressed": false,
"encoding": "base64",
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if _, ok := resp.Data["value"].([]byte); !ok {
t.Fatalf("value is a not an array of bytes, it is %T", resp.Data["value"])
}
if !strings.HasPrefix(string(resp.Data["value"].([]byte)), string(compressutil.CompressionCanaryGzip)) {
t.Fatalf("bad: %v", resp)
}
})
t.Run("compression_type_matches_existing_compression", func(t *testing.T) {
b := testSystemBackendRaw(t)
req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
mounts := resp.Data["value"].(string)
req = logical.TestRequest(t, logical.UpdateOperation, "raw/core/mounts")
req.Data = map[string]interface{}{
"value": mounts,
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
// Read back and check gzip was applied by looking for prefix byte
req = logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
req.Data = map[string]interface{}{
"compressed": false,
"encoding": "base64",
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if _, ok := resp.Data["value"].([]byte); !ok {
t.Fatalf("value is a not an array of bytes, it is %T", resp.Data["value"])
}
if !strings.HasPrefix(string(resp.Data["value"].([]byte)), string(compressutil.CompressionCanaryGzip)) {
t.Fatalf("bad: %v", resp)
}
})
t.Run("write_uncompressed_over_existing_compressed", func(t *testing.T) {
b := testSystemBackendRaw(t)
req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
mounts := resp.Data["value"].(string)
req = logical.TestRequest(t, logical.UpdateOperation, "raw/core/mounts")
req.Data = map[string]interface{}{
"value": mounts,
"compression_type": "",
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
// Read back and check gzip was not applied by looking for prefix byte
req = logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
req.Data = map[string]interface{}{
"compressed": false,
"encoding": "base64",
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if _, ok := resp.Data["value"].([]byte); !ok {
t.Fatalf("value is a not an array of bytes, it is %T", resp.Data["value"])
}
if !strings.HasPrefix(string(resp.Data["value"].([]byte)), `{"type":"mounts"`) {
t.Fatalf("bad: %v", resp)
}
})
t.Run("invalid_compression_type", func(t *testing.T) {
b := testSystemBackendRaw(t)
req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
mounts := resp.Data["value"].(string)
req = logical.TestRequest(t, logical.UpdateOperation, "raw/core/mounts")
req.Data = map[string]interface{}{
"value": mounts,
"compression_type": "invalid_type",
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("unexpected error: %v", err)
}
if !resp.IsError() {
t.Fatalf("response is not error: %v", resp)
}
})
t.Run("update_non_existent_entry", func(t *testing.T) {
b := testSystemBackendRaw(t)
req := logical.TestRequest(t, logical.UpdateOperation, "raw/non_existent")
req.Data = map[string]interface{}{
"value": "{}",
}
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("unexpected error: %v", err)
}
if !resp.IsError() {
t.Fatalf("response is not error: %v", resp)
}
})
t.Run("invalid_compression_over_existing_uncompressed_data", func(t *testing.T) {
b := testSystemBackendRaw(t)
req := logical.TestRequest(t, logical.CreateOperation, "raw/test")
req.Data = map[string]interface{}{
"value": "{}",
}
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if resp.IsError() {
t.Fatalf("response is an error: %v", resp)
}
req = logical.TestRequest(t, logical.UpdateOperation, "raw/test")
req.Data = map[string]interface{}{
"value": "{}",
"compression_type": compressutil.CompressionTypeGzip,
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("unexpected error: %v", err)
}
if !resp.IsError() {
t.Fatalf("response is not error: %v", resp)
}
})
t.Run("wrong_compression_type_over_existing_compressed_data", func(t *testing.T) {
b := testSystemBackendRaw(t)
req := logical.TestRequest(t, logical.CreateOperation, "raw/test")
req.Data = map[string]interface{}{
"value": "{}",
"compression_type": compressutil.CompressionTypeGzip,
}
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if resp.IsError() {
t.Fatalf("response is an error: %v", resp)
}
req = logical.TestRequest(t, logical.UpdateOperation, "raw/test")
req.Data = map[string]interface{}{
"value": "{}",
"compression_type": compressutil.CompressionTypeSnappy,
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("unexpected error: %v", err)
}
if !resp.IsError() {
t.Fatalf("response is not error: %v", resp)
}
})
}
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
func TestSystemBackend_rawDelete_Protected(t *testing.T) {
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
b := testSystemBackendRaw(t)
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
req := logical.TestRequest(t, logical.DeleteOperation, "raw/"+keyringPath)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
}
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
func TestSystemBackend_rawDelete(t *testing.T) {
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
c, b, _ := testCoreSystemBackendRaw(t)
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
// set the policy!
Sync
2017-10-23 19:35:28 +00:00
p := &Policy{
The big one (#5346)
2018-09-18 03:03:00 +00:00
Name: "test",
Type: PolicyTypeACL,
namespace: namespace.RootNamespace,
Sync
2017-10-23 19:35:28 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err := c.policyStore.SetPolicy(namespace.RootContext(nil), p)
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Delete the policy
req := logical.TestRequest(t, logical.DeleteOperation, "raw/sys/policy/test")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
// Policy should be gone
Sync
2017-10-23 19:35:28 +00:00
c.policyStore.tokenPoliciesLRU.Purge()
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := c.policyStore.GetPolicy(namespace.RootContext(nil), "test", PolicyTypeToken)
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("policy should be gone")
}
}
vault: adding sys/key-status and sys/rotate
2015-05-28 00:53:42 +00:00
func TestSystemBackend_keyStatus(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.ReadOperation, "key-status")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: adding sys/key-status and sys/rotate
2015-05-28 00:53:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
"term": 1,
}
delete(resp.Data, "install_time")
OSS side barrier encryption tracking and automatic rotation (#11007) * Automatic barrier key rotation, OSS portion * Fix build issues * Vendored version * Add missing encs field, not sure where this got lost.
2021-02-25 20:27:25 +00:00
delete(resp.Data, "encryptions")
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
func TestSystemBackend_rotateConfig(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.ReadOperation, "rotate/config")
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
"max_operations": absoluteOperationMaximum,
"interval": 0,
"enabled": true,
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
req2 := logical.TestRequest(t, logical.UpdateOperation, "rotate/config")
Fix barrier key autoration config edge cases (#11541) * Add an Int64 type * Use the new Int64 type so that even 32 bit builds can specify max_operations above 2^31 * Missed a spot * go mod vendor * fix cast * changelog * Update unit test to ensure this works on both 32 and 64-bit archs
2021-05-05 19:39:04 +00:00
req2.Data["max_operations"] = int64(3221225472)
OSS side barrier encryption tracking and automatic rotation (#11007) * Automatic barrier key rotation, OSS portion * Fix build issues * Vendored version * Add missing encs field, not sure where this got lost.
2021-02-25 20:27:25 +00:00
req2.Data["interval"] = "5432h0m0s"
req2.Data["enabled"] = false
resp, err = b.HandleRequest(namespace.RootContext(nil), req2)
if err != nil {
t.Fatalf("err: %v", err)
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
exp = map[string]interface{}{
Fix barrier key autoration config edge cases (#11541) * Add an Int64 type * Use the new Int64 type so that even 32 bit builds can specify max_operations above 2^31 * Missed a spot * go mod vendor * fix cast * changelog * Update unit test to ensure this works on both 32 and 64-bit archs
2021-05-05 19:39:04 +00:00
"max_operations": int64(3221225472),
OSS side barrier encryption tracking and automatic rotation (#11007) * Automatic barrier key rotation, OSS portion * Fix build issues * Vendored version * Add missing encs field, not sure where this got lost.
2021-02-25 20:27:25 +00:00
"interval": "5432h0m0s",
"enabled": false,
}
vault: adding sys/key-status and sys/rotate
2015-05-28 00:53:42 +00:00
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
func TestSystemBackend_rotate(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "rotate")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: adding sys/key-status and sys/rotate
2015-05-28 00:53:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
req = logical.TestRequest(t, logical.ReadOperation, "key-status")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
vault: adding sys/key-status and sys/rotate
2015-05-28 00:53:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
"term": 2,
}
delete(resp.Data, "install_time")
OSS side barrier encryption tracking and automatic rotation (#11007) * Automatic barrier key rotation, OSS portion * Fix build issues * Vendored version * Add missing encs field, not sure where this got lost.
2021-02-25 20:27:25 +00:00
delete(resp.Data, "encryptions")
vault: adding sys/key-status and sys/rotate
2015-05-28 00:53:42 +00:00
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
vault: system using the framework
2015-03-16 00:35:59 +00:00
func testSystemBackend(t *testing.T) logical.Backend {
Update mount table and CLI with plugin version for auth (#16856)
2022-08-31 18:23:05 +00:00
t.Helper()
vault: tests passing
2015-03-29 23:18:08 +00:00
c, _, _ := TestCoreUnsealed(t)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
return c.systemBackend
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
}
Wrapping enhancements (#1927)
2016-09-29 04:01:28 +00:00
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
func testSystemBackendRaw(t *testing.T) logical.Backend {
Update mount table and CLI with plugin version for auth (#16856)
2022-08-31 18:23:05 +00:00
t.Helper()
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
c, _, _ := TestCoreUnsealedRaw(t)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
return c.systemBackend
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
func testCoreSystemBackend(t *testing.T) (*Core, logical.Backend, string) {
Update mount table and CLI with plugin version for auth (#16856)
2022-08-31 18:23:05 +00:00
t.Helper()
vault: tests passing
2015-03-29 23:18:08 +00:00
c, _, root := TestCoreUnsealed(t)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
return c, c.systemBackend, root
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
}
func testCoreSystemBackendRaw(t *testing.T) (*Core, logical.Backend, string) {
Update mount table and CLI with plugin version for auth (#16856)
2022-08-31 18:23:05 +00:00
t.Helper()
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
c, _, root := TestCoreUnsealedRaw(t)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
return c, c.systemBackend, root
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
}
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
func TestSystemBackend_PluginCatalog_CRUD(t *testing.T) {
c, b, _ := testCoreSystemBackend(t)
// Bootstrap the pluginCatalog
sym, err := filepath.EvalSymlinks(os.TempDir())
if err != nil {
t.Fatalf("error: %v", err)
}
c.pluginCatalog.directory = sym
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
req := logical.TestRequest(t, logical.ListOperation, "plugins/catalog/database")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
if len(resp.Data["keys"].([]string)) != len(c.builtinRegistry.Keys(consts.PluginTypeDatabase)) {
t.Fatalf("Wrong number of plugins, got %d, expected %d", len(resp.Data["keys"].([]string)), len(builtinplugins.Registry.Keys(consts.PluginTypeDatabase)))
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
}
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "plugins/catalog/database/mysql-database-plugin")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Add deprecation status to plugin api and cli (#17077) * api: Add deprecation status to plugin endpoints * cli: Add -detailed flag to `plugin list` * docs: Update plugin list/info docs
2022-09-09 20:03:07 +00:00
// Get deprecation status directly from the registry so we can compare it to the API response
deprecationStatus, _ := c.builtinRegistry.DeprecationStatus("mysql-database-plugin", consts.PluginTypeDatabase)
Make the plugin catalog endpoint roundtrip so we can use terraform to manage them. (#3778)
2018-01-18 00:19:28 +00:00
actualRespData := resp.Data
expectedRespData := map[string]interface{}{
Add deprecation status to plugin api and cli (#17077) * api: Add deprecation status to plugin endpoints * cli: Add -detailed flag to `plugin list` * docs: Update plugin list/info docs
2022-09-09 20:03:07 +00:00
"name": "mysql-database-plugin",
"command": "",
"args": []string(nil),
"sha256": "",
"builtin": true,
Add plugin version to GRPC interface (#17088) Add plugin version to GRPC interface Added a version interface in the sdk/logical so that it can be shared between all plugin types, and then wired it up to RunningVersion in the mounts, auth list, and database systems. I've tested that this works with auth, database, and secrets plugin types, with the following logic to populate RunningVersion: If a plugin has a PluginVersion() method implemented, then that is used If not, and the plugin is built into the Vault binary, then the go.mod version is used Otherwise, the it will be the empty string. My apologies for the length of this PR. * Placeholder backend should be external We use a placeholder backend (previously a framework.Backend) before a GRPC plugin is lazy-loaded. This makes us later think the plugin is a builtin plugin. So we added a `placeholderBackend` type that overrides the `IsExternal()` method so that later we know that the plugin is external, and don't give it a default builtin version.
2022-09-15 23:37:59 +00:00
"version": versions.GetBuiltinVersion(consts.PluginTypeDatabase, "mysql-database-plugin"),
Add deprecation status to plugin api and cli (#17077) * api: Add deprecation status to plugin endpoints * cli: Add -detailed flag to `plugin list` * docs: Update plugin list/info docs
2022-09-09 20:03:07 +00:00
"deprecation_status": deprecationStatus.String(),
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
}
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
if !reflect.DeepEqual(actualRespData, expectedRespData) {
t.Fatalf("expected did not match actual, got %#v\n expected %#v\n", actualRespData, expectedRespData)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
}
// Set a plugin
file, err := ioutil.TempFile(os.TempDir(), "temp")
if err != nil {
t.Fatal(err)
}
defer file.Close()
Make the plugin catalog endpoint roundtrip so we can use terraform to manage them. (#3778)
2018-01-18 00:19:28 +00:00
// Check we can only specify args in one of command or args.
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
command := fmt.Sprintf("%s --test", filepath.Base(file.Name()))
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
req = logical.TestRequest(t, logical.UpdateOperation, "plugins/catalog/database/test-plugin")
Make the plugin catalog endpoint roundtrip so we can use terraform to manage them. (#3778)
2018-01-18 00:19:28 +00:00
req.Data["args"] = []string{"--foo"}
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
req.Data["sha_256"] = hex.EncodeToString([]byte{'1'})
req.Data["command"] = command
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Spelling (#4119)
2018-03-20 18:54:10 +00:00
if resp.Error().Error() != "must not specify args in command and args field" {
Make the plugin catalog endpoint roundtrip so we can use terraform to manage them. (#3778)
2018-01-18 00:19:28 +00:00
t.Fatalf("err: %v", resp.Error())
}
delete(req.Data, "args")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Make the plugin catalog endpoint roundtrip so we can use terraform to manage them. (#3778)
2018-01-18 00:19:28 +00:00
if err != nil || resp.Error() != nil {
t.Fatalf("err: %v %v", err, resp.Error())
}
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "plugins/catalog/database/test-plugin")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Make the plugin catalog endpoint roundtrip so we can use terraform to manage them. (#3778)
2018-01-18 00:19:28 +00:00
actual := resp.Data
expected := map[string]interface{}{
"name": "test-plugin",
"command": filepath.Base(file.Name()),
"args": []string{"--test"},
"sha256": "31",
"builtin": false,
Version-aware plugin catalog (#16688) Adds support for using semantic version information when registering and managing plugins. New `detailed` field in the response data for listing plugins and new `version` field in the response data for reading a single plugin.
2022-08-25 20:31:42 +00:00
"version": "",
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
}
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("expected did not match actual, got %#v\n expected %#v\n", actual, expected)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
}
// Delete plugin
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
req = logical.TestRequest(t, logical.DeleteOperation, "plugins/catalog/database/test-plugin")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "plugins/catalog/database/test-plugin")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Update test to reflect the correct read response
2017-04-25 04:24:19 +00:00
if resp != nil || err != nil {
t.Fatalf("expected nil response, plugin not deleted correctly got resp: %v, err: %v", resp, err)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
}
Version-aware plugin catalog (#16688) Adds support for using semantic version information when registering and managing plugins. New `detailed` field in the response data for listing plugins and new `version` field in the response data for reading a single plugin.
2022-08-25 20:31:42 +00:00
// Add a versioned plugin, and check we get the version back in the right form when we read.
req = logical.TestRequest(t, logical.UpdateOperation, "plugins/catalog/database/test-plugin")
req.Data["version"] = "v0.1.0"
req.Data["sha_256"] = hex.EncodeToString([]byte{'1'})
req.Data["command"] = command
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil || resp.Error() != nil {
t.Fatalf("err: %v %v", err, resp.Error())
}
req = logical.TestRequest(t, logical.ReadOperation, "plugins/catalog/database/test-plugin")
req.Data["version"] = "v0.1.0"
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
actual = resp.Data
expected = map[string]interface{}{
"name": "test-plugin",
"command": filepath.Base(file.Name()),
"args": []string{"--test"},
"sha256": "31",
"builtin": false,
Update mount table and CLI with plugin version for auth (#16856)
2022-08-31 18:23:05 +00:00
"version": "v0.1.0",
Version-aware plugin catalog (#16688) Adds support for using semantic version information when registering and managing plugins. New `detailed` field in the response data for listing plugins and new `version` field in the response data for reading a single plugin.
2022-08-25 20:31:42 +00:00
}
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("expected did not match actual, got %#v\n expected %#v\n", actual, expected)
}
// Delete versioned plugin
req = logical.TestRequest(t, logical.DeleteOperation, "plugins/catalog/database/test-plugin")
req.Data["version"] = "0.1.0"
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
req = logical.TestRequest(t, logical.ReadOperation, "plugins/catalog/database/test-plugin")
req.Data["version"] = "0.1.0"
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if resp != nil || err != nil {
t.Fatalf("expected nil response, plugin not deleted correctly got resp: %v, err: %v", resp, err)
}
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
}
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
Fix plugin list API when audit logging enabled (#18173) * Add test that fails due to audit log panic * Rebuild VersionedPlugin as map of primitive types before adding to response * Changelog * Fix casting in external plugin tests
2022-12-01 10:44:44 +00:00
func TestSystemBackend_PluginCatalog_ListPlugins_SucceedsWithAuditLogEnabled(t *testing.T) {
core, b, root := testCoreSystemBackend(t)
tempDir := t.TempDir()
f, err := os.CreateTemp(tempDir, "")
if err != nil {
t.Fatal(err)
}
// Enable audit logging.
req := logical.TestRequest(t, logical.UpdateOperation, "audit/file")
req.Data = map[string]any{
"type": "file",
"options": map[string]any{
"file_path": f.Name(),
},
}
ctx := namespace.RootContext(nil)
resp, err := b.HandleRequest(ctx, req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("resp: %#v, err: %v", resp, err)
}
// List plugins
req = logical.TestRequest(t, logical.ReadOperation, "sys/plugins/catalog")
req.ClientToken = root
resp, err = core.HandleRequest(ctx, req)
if err != nil || resp == nil || resp.IsError() {
t.Fatalf("resp: %#v, err: %v", resp, err)
}
}
Plugins: Allow explicitly specifying the builtin version of a plugin (#17289)
2022-09-22 22:15:46 +00:00
func TestSystemBackend_PluginCatalog_CannotRegisterBuiltinPlugins(t *testing.T) {
c, b, _ := testCoreSystemBackend(t)
// Bootstrap the pluginCatalog
sym, err := filepath.EvalSymlinks(os.TempDir())
if err != nil {
t.Fatalf("error: %v", err)
}
c.pluginCatalog.directory = sym
// Set a plugin
req := logical.TestRequest(t, logical.UpdateOperation, "plugins/catalog/database/test-plugin")
req.Data["sha256"] = hex.EncodeToString([]byte{'1'})
req.Data["command"] = "foo"
req.Data["version"] = "v1.2.3+special.builtin"
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if !strings.Contains(resp.Error().Error(), "reserved metadata") {
t.Fatalf("err: %v", resp.Error())
}
}
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
func TestSystemBackend_ToolsHash(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "tools/hash")
req.Data = map[string]interface{}{
"input": "dGhlIHF1aWNrIGJyb3duIGZveA==",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err := b.HandleRequest(namespace.RootContext(nil), req)
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
doRequest := func(req *logical.Request, errExpected bool, expected string) {
t.Helper()
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
if err != nil && !errExpected {
t.Fatal(err)
}
if resp == nil {
t.Fatal("expected non-nil response")
}
if errExpected {
if !resp.IsError() {
t.Fatalf("bad: got error response: %#v", *resp)
}
return
}
if resp.IsError() {
t.Fatalf("bad: got error response: %#v", *resp)
}
sum, ok := resp.Data["sum"]
if !ok {
t.Fatal("no sum key found in returned data")
}
if sum.(string) != expected {
Adds support for SHA-3 to transit (#13367) * Adding support for SHA3 in the transit backend. * Adds SHA-3 tests for transit sign/verify path. Adds SHA-3 tests for logical system tools path hash functionality. Updates documentation to include SHA-3 algorithms in system tools path hashing. * Adds changelog entry. Co-authored-by: robison jacka <robison@packetized.io>
2021-12-08 18:29:33 +00:00
t.Fatalf("mismatched hashes: got: %s, expect: %s", sum.(string), expected)
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
}
}
// Test defaults -- sha2-256
doRequest(req, false, "9ecb36561341d18eb65484e833efea61edc74b84cf5e6ae1b81c63533e25fc8f")
// Test algorithm selection in the path
req.Path = "tools/hash/sha2-224"
doRequest(req, false, "ea074a96cabc5a61f8298a2c470f019074642631a49e1c5e2f560865")
// Reset and test algorithm selection in the data
req.Path = "tools/hash"
req.Data["algorithm"] = "sha2-224"
doRequest(req, false, "ea074a96cabc5a61f8298a2c470f019074642631a49e1c5e2f560865")
req.Data["algorithm"] = "sha2-384"
doRequest(req, false, "15af9ec8be783f25c583626e9491dbf129dd6dd620466fdf05b3a1d0bb8381d30f4d3ec29f923ff1e09a0f6b337365a6")
req.Data["algorithm"] = "sha2-512"
doRequest(req, false, "d9d380f29b97ad6a1d92e987d83fa5a02653301e1006dd2bcd51afa59a9147e9caedaf89521abc0f0b682adcd47fb512b8343c834a32f326fe9bef00542ce887")
// Test returning as base64
req.Data["format"] = "base64"
doRequest(req, false, "2dOA8puXrWodkumH2D+loCZTMB4QBt0rzVGvpZqRR+nK7a+JUhq8DwtoKtzUf7USuDQ8g0oy8yb+m+8AVCzohw==")
Adds support for SHA-3 to transit (#13367) * Adding support for SHA3 in the transit backend. * Adds SHA-3 tests for transit sign/verify path. Adds SHA-3 tests for logical system tools path hash functionality. Updates documentation to include SHA-3 algorithms in system tools path hashing. * Adds changelog entry. Co-authored-by: robison jacka <robison@packetized.io>
2021-12-08 18:29:33 +00:00
// Test SHA-3
req.Data["format"] = "hex"
req.Data["algorithm"] = "sha3-224"
doRequest(req, false, "ced91e69d89c837e87cff960bd64fd9b9f92325fb9add8988d33d007")
req.Data["algorithm"] = "sha3-256"
doRequest(req, false, "e4bd866ec3fa52df3b7842aa97b448bc859a7606cefcdad1715847f4b82a6c93")
req.Data["algorithm"] = "sha3-384"
doRequest(req, false, "715cd38cbf8d0bab426b6a084d649760be555dd64b34de6db148a3fbf2cd2aa5d8b03eb6eda73a3e9a8769c00b4c2113")
req.Data["algorithm"] = "sha3-512"
doRequest(req, false, "f7cac5ad830422a5408b36a60a60620687be180765a3e2895bc3bdbd857c9e08246c83064d4e3612f0cb927f3ead208413ab98624bf7b0617af0f03f62080976")
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
// Test bad input/format/algorithm
req.Data["format"] = "base92"
doRequest(req, true, "")
req.Data["format"] = "hex"
req.Data["algorithm"] = "foobar"
doRequest(req, true, "")
req.Data["algorithm"] = "sha2-256"
req.Data["input"] = "foobar"
doRequest(req, true, "")
}
func TestSystemBackend_ToolsRandom(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "tools/random")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err := b.HandleRequest(namespace.RootContext(nil), req)
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
doRequest := func(req *logical.Request, errExpected bool, format string, numBytes int) {
t.Helper()
getResponse := func() []byte {
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
if err != nil && !errExpected {
t.Fatal(err)
}
if resp == nil {
t.Fatal("expected non-nil response")
}
if errExpected {
if !resp.IsError() {
t.Fatalf("bad: got error response: %#v", *resp)
}
return nil
}
if resp.IsError() {
t.Fatalf("bad: got error response: %#v", *resp)
}
if _, ok := resp.Data["random_bytes"]; !ok {
t.Fatal("no random_bytes found in response")
}
outputStr := resp.Data["random_bytes"].(string)
var outputBytes []byte
switch format {
case "base64":
outputBytes, err = base64.StdEncoding.DecodeString(outputStr)
case "hex":
outputBytes, err = hex.DecodeString(outputStr)
default:
t.Fatal("unknown format")
}
if err != nil {
t.Fatal(err)
}
return outputBytes
}
rand1 := getResponse()
// Expected error
if rand1 == nil {
return
}
rand2 := getResponse()
if len(rand1) != numBytes || len(rand2) != numBytes {
Spelling (#4119)
2018-03-20 18:54:10 +00:00
t.Fatal("length of output random bytes not what is expected")
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
}
if reflect.DeepEqual(rand1, rand2) {
t.Fatal("found identical ouputs")
}
}
// Test defaults
doRequest(req, false, "base64", 32)
// Test size selection in the path
req.Path = "tools/random/24"
req.Data["format"] = "hex"
doRequest(req, false, "hex", 24)
// Test bad input/format
req.Path = "tools/random"
req.Data["format"] = "base92"
doRequest(req, true, "", 0)
req.Data["format"] = "hex"
req.Data["bytes"] = -1
doRequest(req, true, "", 0)
Add maximum amount of random entropy requested (#7144) * Add maximum amount of random characters requested at any given time * Readability changes * Removing sys/tools/random from the default policy * Setting the maxBytes value as const * Declaring maxBytes in the package to use it everywhere * Using maxBytes in the error message
2019-07-25 01:22:23 +00:00
req.Data["format"] = "hex"
req.Data["bytes"] = maxBytes + 1
doRequest(req, true, "", 0)
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
}
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
func TestSystemBackend_InternalUIMounts(t *testing.T) {
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
_, b, rootToken := testCoreSystemBackend(t)
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
// Ensure no entries are in the endpoint as a starting point
req := logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
"secret": map[string]interface{}{},
"auth": map[string]interface{}{},
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts")
req.ClientToken = rootToken
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp = map[string]interface{}{
"secret": map[string]interface{}{
"secret/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "kv",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "key/value secret storage",
"accessor": resp.Data["secret"].(map[string]interface{})["secret/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["secret"].(map[string]interface{})["secret/"].(map[string]interface{})["uuid"],
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
"config": map[string]interface{}{
"default_lease_ttl": resp.Data["secret"].(map[string]interface{})["secret/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["secret"].(map[string]interface{})["secret/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
},
"local": false,
"seal_wrap": false,
"options": map[string]string{
"version": "1",
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"plugin_version": "",
"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "kv"),
"running_sha256": "",
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
},
"sys/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "system",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "system endpoints used for control, policy and debugging",
"accessor": resp.Data["secret"].(map[string]interface{})["sys/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["secret"].(map[string]interface{})["sys/"].(map[string]interface{})["uuid"],
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
"config": map[string]interface{}{
fix TestSystemBackend_InternalUIMounts
2019-02-15 18:45:55 +00:00
"default_lease_ttl": resp.Data["secret"].(map[string]interface{})["sys/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["secret"].(map[string]interface{})["sys/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
"passthrough_request_headers": []string{"Accept"},
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"local": false,
"seal_wrap": true,
"options": map[string]string(nil),
"plugin_version": "",
"running_plugin_version": versions.DefaultBuiltinVersion,
"running_sha256": "",
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
},
"cubbyhole/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "per-token private secret storage",
"type": "cubbyhole",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"accessor": resp.Data["secret"].(map[string]interface{})["cubbyhole/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["secret"].(map[string]interface{})["cubbyhole/"].(map[string]interface{})["uuid"],
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
"config": map[string]interface{}{
"default_lease_ttl": resp.Data["secret"].(map[string]interface{})["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["secret"].(map[string]interface{})["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"local": true,
"seal_wrap": false,
"options": map[string]string(nil),
"plugin_version": "",
"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "cubbyhole"),
"running_sha256": "",
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
},
"identity/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "identity store",
"type": "identity",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"accessor": resp.Data["secret"].(map[string]interface{})["identity/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["secret"].(map[string]interface{})["identity/"].(map[string]interface{})["uuid"],
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
"config": map[string]interface{}{
Adds OIDC Token and UserInfo endpoints (#12711)
2021-10-14 01:59:36 +00:00
"default_lease_ttl": resp.Data["secret"].(map[string]interface{})["identity/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["secret"].(map[string]interface{})["identity/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
"passthrough_request_headers": []string{"Authorization"},
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
},
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"local": false,
"seal_wrap": false,
"options": map[string]string(nil),
"plugin_version": "",
"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeSecrets, "identity"),
"running_sha256": "",
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
},
},
"auth": map[string]interface{}{
"token/": map[string]interface{}{
"options": map[string]string(nil),
"config": map[string]interface{}{
"default_lease_ttl": int64(0),
"max_lease_ttl": int64(0),
"force_no_cache": false,
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"token_type": "default-service",
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
},
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "token",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "token based credentials",
"accessor": resp.Data["auth"].(map[string]interface{})["token/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["auth"].(map[string]interface{})["token/"].(map[string]interface{})["uuid"],
"local": false,
"seal_wrap": false,
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"plugin_version": "",
Plugins: Update running version everywhere running sha256 is set (#17292)
2022-09-23 10:19:38 +00:00
"running_plugin_version": versions.GetBuiltinVersion(consts.PluginTypeCredential, "token"),
Plugins: Consistently use plugin_version (#17171) * Delete Sha field, rename RunningSha -> RunningSha256 * Rename version -> plugin_version
2022-09-20 11:35:50 +00:00
"running_sha256": "",
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
},
},
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if diff := deep.Equal(resp.Data, exp); diff != nil {
t.Fatal(diff)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
}
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
// Mount-tune an auth mount
req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/tune")
req.Data["listing_visibility"] = "unauth"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
The big one (#5346)
2018-09-18 03:03:00 +00:00
if resp.IsError() || err != nil {
t.Fatalf("resp.Error: %v, err:%v", resp.Error(), err)
}
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
// Mount-tune a secret mount
req = logical.TestRequest(t, logical.UpdateOperation, "mounts/secret/tune")
req.Data["listing_visibility"] = "unauth"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
The big one (#5346)
2018-09-18 03:03:00 +00:00
if resp.IsError() || err != nil {
t.Fatalf("resp.Error: %v, err:%v", resp.Error(), err)
}
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp = map[string]interface{}{
"secret": map[string]interface{}{
"secret/": map[string]interface{}{
"type": "kv",
"description": "key/value secret storage",
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
"options": map[string]string{"version": "1"},
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
},
},
"auth": map[string]interface{}{
"token/": map[string]interface{}{
"type": "token",
"description": "token based credentials",
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
"options": map[string]string(nil),
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
},
},
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
func TestSystemBackend_InternalUIMount(t *testing.T) {
core, b, rootToken := testCoreSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "policy/secret")
req.ClientToken = rootToken
req.Data = map[string]interface{}{
"rules": `path "secret/foo/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}`,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("Bad %#v %#v", err, resp)
}
req = logical.TestRequest(t, logical.UpdateOperation, "mounts/kv")
req.ClientToken = rootToken
req.Data = map[string]interface{}{
"type": "kv",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("Bad %#v %#v", err, resp)
}
Rename up path to internal/ui/mounts/<path> (#4435)
2018-04-23 22:16:10 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/kv/bar")
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
req.ClientToken = rootToken
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("Bad %#v %#v", err, resp)
}
if resp.Data["type"] != "kv" {
t.Fatalf("Bad Response: %#v", resp)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"secret"})
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
Rename up path to internal/ui/mounts/<path> (#4435)
2018-04-23 22:16:10 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/kv")
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
req.ClientToken = "tokenid"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != logical.ErrPermissionDenied {
t.Fatal("expected permission denied error")
}
Rename up path to internal/ui/mounts/<path> (#4435)
2018-04-23 22:16:10 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/secret")
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
req.ClientToken = "tokenid"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("Bad %#v %#v", err, resp)
}
if resp.Data["type"] != "kv" {
t.Fatalf("Bad Response: %#v", resp)
}
Rename up path to internal/ui/mounts/<path> (#4435)
2018-04-23 22:16:10 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/sys")
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
req.ClientToken = "tokenid"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("Bad %#v %#v", err, resp)
}
if resp.Data["type"] != "system" {
t.Fatalf("Bad Response: %#v", resp)
}
Rename up path to internal/ui/mounts/<path> (#4435)
2018-04-23 22:16:10 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/non-existent")
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
req.ClientToken = "tokenid"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != logical.ErrPermissionDenied {
t.Fatal("expected permission denied error")
}
}
Framework and API changes to support OpenAPI (#5546)
2018-11-05 20:24:39 +00:00
Revert "Add mount path into the default generated openapi.json spec (#17926)" (#18617) * Revert "Add mount path into the default generated openapi.json spec (UI) (#17926)" This reverts commit db8efac708e5385ec871be9558507eeaf54ac972. * Revert "Remove `generic_mount_paths` field (#18558)" This reverts commit 79c8f626c59ca11bb8e7f460d40b09f5e0cec76d.
2023-01-10 16:16:59 +00:00
func TestSystemBackend_OASGenericMount(t *testing.T) {
_, b, rootToken := testCoreSystemBackend(t)
var oapi map[string]interface{}
// Check that default paths are present with a root token
req := logical.TestRequest(t, logical.ReadOperation, "internal/specs/openapi")
req.Data["generic_mount_paths"] = true
req.ClientToken = rootToken
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
body := resp.Data["http_raw_body"].([]byte)
err = jsonutil.DecodeJSON(body, &oapi)
if err != nil {
t.Fatalf("err: %v", err)
}
doc, err := framework.NewOASDocumentFromMap(oapi)
if err != nil {
t.Fatal(err)
}
pathSamples := []struct {
path string
tag string
}{
{"/auth/{mountPath}/lookup", "auth"},
{"/{mountPath}/{path}", "secrets"},
{"/identity/group/id", "identity"},
{"/{mountPath}/.*", "secrets"},
{"/sys/policy", "system"},
}
for _, path := range pathSamples {
if doc.Paths[path.path] == nil {
t.Fatalf("didn't find expected path '%s'.", path)
}
tag := doc.Paths[path.path].Get.Tags[0]
if tag != path.tag {
t.Fatalf("path: %s; expected tag: %s, actual: %s", path.path, tag, path.tag)
}
}
// Simple check of response size (which is much larger than most
// Vault responses), mainly to catch mass omission of expected path data.
const minLen = 70000
if len(body) < minLen {
t.Fatalf("response size too small; expected: min %d, actual: %d", minLen, len(body))
}
}
Framework and API changes to support OpenAPI (#5546)
2018-11-05 20:24:39 +00:00
func TestSystemBackend_OpenAPI(t *testing.T) {
_, b, rootToken := testCoreSystemBackend(t)
var oapi map[string]interface{}
// Ensure no paths are reported if there is no token
req := logical.TestRequest(t, logical.ReadOperation, "internal/specs/openapi")
Revert "Add mount path into the default generated openapi.json spec (#17926)" (#18617) * Revert "Add mount path into the default generated openapi.json spec (UI) (#17926)" This reverts commit db8efac708e5385ec871be9558507eeaf54ac972. * Revert "Remove `generic_mount_paths` field (#18558)" This reverts commit 79c8f626c59ca11bb8e7f460d40b09f5e0cec76d.
2023-01-10 16:16:59 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Framework and API changes to support OpenAPI (#5546)
2018-11-05 20:24:39 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
body := resp.Data["http_raw_body"].([]byte)
err = jsonutil.DecodeJSON(body, &oapi)
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
"openapi": framework.OASVersion,
"info": map[string]interface{}{
"title": "HashiCorp Vault API",
"description": "HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`.",
"version": version.GetVersion().Version,
"license": map[string]interface{}{
"name": "Mozilla Public License 2.0",
"url": "https://www.mozilla.org/en-US/MPL/2.0",
},
},
"paths": map[string]interface{}{},
Change OpenAPI code generator to extract request objects (#14217)
2022-03-12 00:00:26 +00:00
"components": map[string]interface{}{
"schemas": map[string]interface{}{},
},
Framework and API changes to support OpenAPI (#5546)
2018-11-05 20:24:39 +00:00
}
if diff := deep.Equal(oapi, exp); diff != nil {
t.Fatal(diff)
}
// Check that default paths are present with a root token
req = logical.TestRequest(t, logical.ReadOperation, "internal/specs/openapi")
req.ClientToken = rootToken
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
body = resp.Data["http_raw_body"].([]byte)
err = jsonutil.DecodeJSON(body, &oapi)
if err != nil {
t.Fatalf("err: %v", err)
}
doc, err := framework.NewOASDocumentFromMap(oapi)
if err != nil {
t.Fatal(err)
}
pathSamples := []struct {
path string
tag string
}{
Revert "Add mount path into the default generated openapi.json spec (#17926)" (#18617) * Revert "Add mount path into the default generated openapi.json spec (UI) (#17926)" This reverts commit db8efac708e5385ec871be9558507eeaf54ac972. * Revert "Remove `generic_mount_paths` field (#18558)" This reverts commit 79c8f626c59ca11bb8e7f460d40b09f5e0cec76d.
2023-01-10 16:16:59 +00:00
{"/auth/token/lookup", "auth"},
{"/cubbyhole/{path}", "secrets"},
Framework and API changes to support OpenAPI (#5546)
2018-11-05 20:24:39 +00:00
{"/identity/group/id", "identity"},
Revert "Add mount path into the default generated openapi.json spec (#17926)" (#18617) * Revert "Add mount path into the default generated openapi.json spec (UI) (#17926)" This reverts commit db8efac708e5385ec871be9558507eeaf54ac972. * Revert "Remove `generic_mount_paths` field (#18558)" This reverts commit 79c8f626c59ca11bb8e7f460d40b09f5e0cec76d.
2023-01-10 16:16:59 +00:00
{"/secret/.*", "secrets"}, // TODO update after kv repo update
Framework and API changes to support OpenAPI (#5546)
2018-11-05 20:24:39 +00:00
{"/sys/policy", "system"},
}
for _, path := range pathSamples {
if doc.Paths[path.path] == nil {
Use %q for quoted strings where appropriate (#15216) * change '%s' to %q where single vs double quotes shouldn't matter * replace double quotes with %q in logs and errors
2022-08-03 18:32:45 +00:00
t.Fatalf("didn't find expected path %q.", path)
Framework and API changes to support OpenAPI (#5546)
2018-11-05 20:24:39 +00:00
}
tag := doc.Paths[path.path].Get.Tags[0]
if tag != path.tag {
t.Fatalf("path: %s; expected tag: %s, actual: %s", path.path, tag, path.tag)
}
}
Dynamic parameter for mountpaths in OpenApi Spec generation(#15835) "generic_mount_paths" query parameter for OpenApiSpec generation
2022-06-30 14:43:04 +00:00
// Simple check of response size (which is much larger than most
Framework and API changes to support OpenAPI (#5546)
2018-11-05 20:24:39 +00:00
// Vault responses), mainly to catch mass omission of expected path data.
Dynamic parameter for mountpaths in OpenApi Spec generation(#15835) "generic_mount_paths" query parameter for OpenApiSpec generation
2022-06-30 14:43:04 +00:00
const minLen = 70000
Framework and API changes to support OpenAPI (#5546)
2018-11-05 20:24:39 +00:00
if len(body) < minLen {
t.Fatalf("response size too small; expected: min %d, actual: %d", minLen, len(body))
}
// Test path-help response
req = logical.TestRequest(t, logical.HelpOperation, "rotate")
req.ClientToken = rootToken
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
doc = resp.Data["openapi"].(*framework.OASDocument)
if len(doc.Paths) != 1 {
t.Fatalf("expected 1 path, actual: %d", len(doc.Paths))
}
if doc.Paths["/rotate"] == nil {
t.Fatalf("expected to find path '/rotate'")
}
}
Fix hasMountPath for segment wildcard mounts; introduce priority order (#6532) * Add prioritization when multiple segment/glob rules can match. * Disallow ambiguous "+*" in policy paths.
2019-04-10 21:46:17 +00:00
func TestSystemBackend_PathWildcardPreflight(t *testing.T) {
core, b, _ := testCoreSystemBackend(t)
ctx := namespace.RootContext(nil)
// Add another mount
me := &MountEntry{
Table: mountTableType,
Revert global plugin reload commits (#9344) * Revert "Some of the OSS changes were clobbered when merging with quotas out of, master (#9343)" This reverts commit 8719a9b7c4d6ca7afb2e0a85e7c570cc17081f41. * Revert "OSS side of Global Plugin Reload (#9340)" This reverts commit f98afb998ae50346849050e882b6be50807983ad.
2020-06-29 22:36:22 +00:00
Path: sanitizePath("kv-v1"),
Fix hasMountPath for segment wildcard mounts; introduce priority order (#6532) * Add prioritization when multiple segment/glob rules can match. * Disallow ambiguous "+*" in policy paths.
2019-04-10 21:46:17 +00:00
Type: "kv",
Options: map[string]string{"version": "1"},
}
if err := core.mount(ctx, me); err != nil {
t.Fatal(err)
}
// Create the policy, designed to fail
rules := `path "foo" { capabilities = ["read"] }`
req := logical.TestRequest(t, logical.UpdateOperation, "policy/foo")
req.Data["rules"] = rules
resp, err := b.HandleRequest(ctx, req)
if err != nil {
t.Fatalf("err: %v %#v", err, resp)
}
if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
t.Fatalf("bad: %#v", resp)
}
if err := core.identityStore.upsertEntity(ctx, &identity.Entity{
Storage packer V1 updates (#6531) * spv1 updates * fix tests
2019-05-07 19:29:51 +00:00
ID: "abcd",
Name: "abcd",
BucketKey: "abcd",
Fix hasMountPath for segment wildcard mounts; introduce priority order (#6532) * Add prioritization when multiple segment/glob rules can match. * Disallow ambiguous "+*" in policy paths.
2019-04-10 21:46:17 +00:00
}, nil, false); err != nil {
t.Fatal(err)
}
te := &logical.TokenEntry{
TTL: 300 * time.Second,
EntityID: "abcd",
Policies: []string{"default", "foo"},
NamespaceID: namespace.RootNamespaceID,
}
if err := core.tokenStore.create(ctx, te); err != nil {
t.Fatal(err)
}
t.Logf("token id: %s", te.ID)
if err := core.expiration.RegisterAuth(ctx, te, &logical.Auth{
LeaseOptions: logical.LeaseOptions{
TTL: te.TTL,
},
ClientToken: te.ID,
Accessor: te.Accessor,
Orphan: true,
VAULT-6614 Enable role based quotas for lease-count quotas (OSS) (#16157) * VAULT-6613 add DetermineRoleFromLoginRequest function to Core * Fix body handling * Role resolution for rate limit quotas * VAULT-6613 update precedence test * Add changelog * VAULT-6614 start of changes for roles in LCQs * Expiration changes for leases * Add role information to RequestAuth * VAULT-6614 Test updates * VAULT-6614 Add expiration test with roles * VAULT-6614 fix comment * VAULT-6614 Protobuf on OSS * VAULT-6614 Add rlock to determine role code * VAULT-6614 Try lock instead of rlock * VAULT-6614 back to rlock while I think about this more * VAULT-6614 Additional safety for nil dereference * VAULT-6614 Use %q over %s * VAULT-6614 Add overloading to plugin backends * VAULT-6614 RLocks instead * VAULT-6614 Fix return for backend factory
2022-07-05 17:02:00 +00:00
}, ""); err != nil {
Fix hasMountPath for segment wildcard mounts; introduce priority order (#6532) * Add prioritization when multiple segment/glob rules can match. * Disallow ambiguous "+*" in policy paths.
2019-04-10 21:46:17 +00:00
t.Fatal(err)
}
// Check the mount access func
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/kv-v1/baz")
req.ClientToken = te.ID
resp, err = b.HandleRequest(ctx, req)
if err == nil || !strings.Contains(err.Error(), "permission denied") {
t.Fatalf("expected 403, got err: %v", err)
}
// Modify policy to pass
rules = `path "kv-v1/+" { capabilities = ["read"] }`
req = logical.TestRequest(t, logical.UpdateOperation, "policy/foo")
req.Data["rules"] = rules
resp, err = b.HandleRequest(ctx, req)
if err != nil {
t.Fatalf("err: %v %#v", err, resp)
}
if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
t.Fatalf("bad: %#v", resp)
}
// Check the mount access func again
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/kv-v1/baz")
req.ClientToken = te.ID
resp, err = b.HandleRequest(ctx, req)
if err != nil {
t.Fatalf("err: %v", err)
}
}
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
func TestHandlePoliciesPasswordSet(t *testing.T) {
type testCase struct {
inputData *framework.FieldData
storage *logical.InmemStorage
expectedResp *logical.Response
expectErr bool
expectedStore map[string]*logical.StorageEntry
}
tests := map[string]testCase{
"missing policy name": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"policy": `length = 20
rule "charset" {
charset="abcdefghij"
}`,
}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"missing policy": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"garbage policy": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
"policy": "hasdukfhiuashdfoiasjdf",
}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"storage failure": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
"policy": "length = 20\n" +
"rule \"charset\" {\n" +
" charset=\"abcdefghij\"\n" +
"}",
}),
storage: new(logical.InmemStorage).FailPut(true),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"impossible policy": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
"policy": "length = 20\n" +
"rule \"charset\" {\n" +
" charset=\"a\"\n" +
" min-chars = 30\n" +
"}",
}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"not base64 encoded": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
"policy": "length = 20\n" +
"rule \"charset\" {\n" +
" charset=\"abcdefghij\"\n" +
"}",
}),
storage: new(logical.InmemStorage),
expectedResp: &logical.Response{
Data: map[string]interface{}{
logical.HTTPContentType: "application/json",
logical.HTTPStatusCode: http.StatusNoContent,
},
},
expectErr: false,
expectedStore: makeStorageMap(storageEntry(t, "testpolicy", "length = 20\n"+
"rule \"charset\" {\n"+
" charset=\"abcdefghij\"\n"+
"}")),
},
"base64 encoded": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
"policy": base64Encode(
"length = 20\n" +
"rule \"charset\" {\n" +
" charset=\"abcdefghij\"\n" +
"}"),
}),
storage: new(logical.InmemStorage),
expectedResp: &logical.Response{
Data: map[string]interface{}{
logical.HTTPContentType: "application/json",
logical.HTTPStatusCode: http.StatusNoContent,
},
},
expectErr: false,
expectedStore: makeStorageMap(storageEntry(t, "testpolicy",
"length = 20\n"+
"rule \"charset\" {\n"+
" charset=\"abcdefghij\"\n"+
"}")),
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
defer cancel()
req := &logical.Request{
Storage: test.storage,
}
b := &SystemBackend{}
actualResp, err := b.handlePoliciesPasswordSet(ctx, req, test.inputData)
if test.expectErr && err == nil {
t.Fatalf("err expected, got nil")
}
if !test.expectErr && err != nil {
t.Fatalf("no error expected, got: %s", err)
}
if !reflect.DeepEqual(actualResp, test.expectedResp) {
t.Fatalf("Actual response: %#v\nExpected response: %#v", actualResp, test.expectedResp)
}
actualStore := LogicalToMap(t, ctx, test.storage)
if !reflect.DeepEqual(actualStore, test.expectedStore) {
t.Fatalf("Actual: %#v\nActual: %#v", dereferenceMap(actualStore), dereferenceMap(test.expectedStore))
}
})
}
}
func TestHandlePoliciesPasswordGet(t *testing.T) {
type testCase struct {
inputData *framework.FieldData
storage *logical.InmemStorage
expectedResp *logical.Response
expectErr bool
expectedStore map[string]*logical.StorageEntry
}
tests := map[string]testCase{
"missing policy name": {
inputData: passwordPoliciesFieldData(map[string]interface{}{}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"storage error": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: new(logical.InmemStorage).FailGet(true),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"missing value": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"good value": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: makeStorage(t, storageEntry(t, "testpolicy",
"length = 20\n"+
"rule \"charset\" {\n"+
" charset=\"abcdefghij\"\n"+
"}")),
expectedResp: &logical.Response{
Data: map[string]interface{}{
"policy": "length = 20\n" +
"rule \"charset\" {\n" +
" charset=\"abcdefghij\"\n" +
"}",
},
},
expectErr: false,
expectedStore: makeStorageMap(storageEntry(t, "testpolicy",
"length = 20\n"+
"rule \"charset\" {\n"+
" charset=\"abcdefghij\"\n"+
"}")),
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Millisecond)
defer cancel()
req := &logical.Request{
Storage: test.storage,
}
b := &SystemBackend{}
actualResp, err := b.handlePoliciesPasswordGet(ctx, req, test.inputData)
if test.expectErr && err == nil {
t.Fatalf("err expected, got nil")
}
if !test.expectErr && err != nil {
t.Fatalf("no error expected, got: %s", err)
}
if !reflect.DeepEqual(actualResp, test.expectedResp) {
t.Fatalf("Actual response: %#v\nExpected response: %#v", actualResp, test.expectedResp)
}
actualStore := LogicalToMap(t, ctx, test.storage)
if !reflect.DeepEqual(actualStore, test.expectedStore) {
t.Fatalf("Actual: %#v\nActual: %#v", dereferenceMap(actualStore), dereferenceMap(test.expectedStore))
}
})
}
}
func TestHandlePoliciesPasswordDelete(t *testing.T) {
type testCase struct {
inputData *framework.FieldData
storage logical.Storage
expectedResp *logical.Response
expectErr bool
expectedStore map[string]*logical.StorageEntry
}
tests := map[string]testCase{
"missing policy name": {
inputData: passwordPoliciesFieldData(map[string]interface{}{}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"storage failure": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: new(logical.InmemStorage).FailDelete(true),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"successful delete": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: makeStorage(t,
&logical.StorageEntry{
Key: getPasswordPolicyKey("testpolicy"),
Value: toJson(t,
passwordPolicyConfig{
HCLPolicy: "length = 18\n" +
"rule \"charset\" {\n" +
" charset=\"ABCDEFGHIJ\"\n" +
"}",
}),
},
&logical.StorageEntry{
Key: getPasswordPolicyKey("unrelated_policy"),
Value: toJson(t,
passwordPolicyConfig{
HCLPolicy: "length = 20\n" +
"rule \"charset\" {\n" +
" charset=\"abcdefghij\"\n" +
"}",
}),
},
),
expectedResp: nil,
expectErr: false,
expectedStore: makeStorageMap(storageEntry(t, "unrelated_policy",
"length = 20\n"+
"rule \"charset\" {\n"+
" charset=\"abcdefghij\"\n"+
"}")),
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Millisecond)
defer cancel()
req := &logical.Request{
Storage: test.storage,
}
b := &SystemBackend{}
actualResp, err := b.handlePoliciesPasswordDelete(ctx, req, test.inputData)
if test.expectErr && err == nil {
t.Fatalf("err expected, got nil")
}
if !test.expectErr && err != nil {
t.Fatalf("no error expected, got: %s", err)
}
if !reflect.DeepEqual(actualResp, test.expectedResp) {
t.Fatalf("Actual response: %#v\nExpected response: %#v", actualResp, test.expectedResp)
}
actualStore := LogicalToMap(t, ctx, test.storage)
if !reflect.DeepEqual(actualStore, test.expectedStore) {
t.Fatalf("Actual: %#v\nExpected: %#v", dereferenceMap(actualStore), dereferenceMap(test.expectedStore))
}
})
}
}
Add LIST support to sys/policies/password (#12787) * Add read support to sys/policies/password Closes https://github.com/hashicorp/vault/issues/12562 * Add changelog * Empty commit to trigger CI * Add optional / Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com> * Use a ListOperation Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-01-24 21:42:14 +00:00
func TestHandlePoliciesPasswordList(t *testing.T) {
type testCase struct {
storage logical.Storage
expectErr bool
expectedResp *logical.Response
}
tests := map[string]testCase{
"no policies": {
storage: new(logical.InmemStorage),
expectedResp: &logical.Response{
Data: map[string]interface{}{},
},
},
"one policy": {
storage: makeStorage(t,
&logical.StorageEntry{
Key: getPasswordPolicyKey("testpolicy"),
Value: toJson(t,
passwordPolicyConfig{
HCLPolicy: "length = 18\n" +
"rule \"charset\" {\n" +
" charset=\"ABCDEFGHIJ\"\n" +
"}",
}),
},
),
expectedResp: &logical.Response{
Data: map[string]interface{}{
"keys": []string{"testpolicy"},
},
},
},
"two policies": {
storage: makeStorage(t,
&logical.StorageEntry{
Key: getPasswordPolicyKey("testpolicy"),
Value: toJson(t,
passwordPolicyConfig{
HCLPolicy: "length = 18\n" +
"rule \"charset\" {\n" +
" charset=\"ABCDEFGHIJ\"\n" +
"}",
}),
},
&logical.StorageEntry{
Key: getPasswordPolicyKey("unrelated_policy"),
Value: toJson(t,
passwordPolicyConfig{
HCLPolicy: "length = 20\n" +
"rule \"charset\" {\n" +
" charset=\"abcdefghij\"\n" +
"}",
}),
},
),
expectedResp: &logical.Response{
Data: map[string]interface{}{
"keys": []string{
"testpolicy",
"unrelated_policy",
},
},
},
},
"storage failure": {
storage: new(logical.InmemStorage).FailList(true),
expectErr: true,
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Millisecond)
defer cancel()
req := &logical.Request{
Storage: test.storage,
}
b := &SystemBackend{}
actualResp, err := b.handlePoliciesPasswordList(ctx, req, nil)
if test.expectErr && err == nil {
t.Fatalf("err expected, got nil")
}
if !test.expectErr && err != nil {
t.Fatalf("no error expected, got: %s", err)
}
if !reflect.DeepEqual(actualResp, test.expectedResp) {
t.Fatalf("Actual response: %#v\nExpected response: %#v", actualResp, test.expectedResp)
}
})
}
}
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
func TestHandlePoliciesPasswordGenerate(t *testing.T) {
t.Run("errors", func(t *testing.T) {
type testCase struct {
timeout time.Duration
inputData *framework.FieldData
storage *logical.InmemStorage
expectedResp *logical.Response
expectErr bool
}
tests := map[string]testCase{
"missing policy name": {
inputData: passwordPoliciesFieldData(map[string]interface{}{}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
},
"storage failure": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: new(logical.InmemStorage).FailGet(true),
expectedResp: nil,
expectErr: true,
},
"policy does not exist": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
},
"policy improperly saved": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: makeStorage(t, storageEntry(t, "testpolicy", "badpolicy")),
expectedResp: nil,
expectErr: true,
},
"failed to generate": {
timeout: 0 * time.Second, // Timeout immediately
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: makeStorage(t, storageEntry(t, "testpolicy",
"length = 20\n"+
"rule \"charset\" {\n"+
" charset=\"abcdefghij\"\n"+
"}")),
expectedResp: nil,
expectErr: true,
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), test.timeout)
defer cancel()
req := &logical.Request{
Storage: test.storage,
}
b := &SystemBackend{}
actualResp, err := b.handlePoliciesPasswordGenerate(ctx, req, test.inputData)
if test.expectErr && err == nil {
t.Fatalf("err expected, got nil")
}
if !test.expectErr && err != nil {
t.Fatalf("no error expected, got: %s", err)
}
if !reflect.DeepEqual(actualResp, test.expectedResp) {
t.Fatalf("Actual response: %#v\nExpected response: %#v", actualResp, test.expectedResp)
}
})
}
})
t.Run("success", func(t *testing.T) {
Integrate password policies into RabbitMQ secret engine (#9143) * Add password policies to RabbitMQ & update docs * Also updates some parts of the password policies to aid/fix testing
2020-06-11 22:08:20 +00:00
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
defer cancel()
policyEntry := storageEntry(t, "testpolicy",
"length = 20\n"+
"rule \"charset\" {\n"+
" charset=\"abcdefghij\"\n"+
"}")
storage := makeStorage(t, policyEntry)
inputData := passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
})
expectedResp := &logical.Response{
Data: map[string]interface{}{
// Doesn't include the password as that's pulled out and compared separately
},
}
// Password assertions
expectedPassLen := 20
rules := []random.Rule{
random.CharsetRule{
Charset: []rune("abcdefghij"),
MinChars: expectedPassLen,
},
}
// Run the test a bunch of times to help ensure we don't have flaky behavior
for i := 0; i < 1000; i++ {
req := &logical.Request{
Storage: storage,
}
b := &SystemBackend{}
actualResp, err := b.handlePoliciesPasswordGenerate(ctx, req, inputData)
if err != nil {
t.Fatalf("no error expected, got: %s", err)
}
Adds OIDC Authorization Endpoint to OIDC providers (#12538)
2021-09-27 17:55:29 +00:00
assertTrue(t, actualResp != nil, "response is nil")
assertTrue(t, actualResp.Data != nil, "expected data, got nil")
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
assertHasKey(t, actualResp.Data, "password", "password key not found in data")
assertIsString(t, actualResp.Data["password"], "password key should have a string value")
password := actualResp.Data["password"].(string)
// Delete the password so the rest of the response can be compared
delete(actualResp.Data, "password")
Adds OIDC Authorization Endpoint to OIDC providers (#12538)
2021-09-27 17:55:29 +00:00
assertTrue(t, reflect.DeepEqual(actualResp, expectedResp), "Actual response: %#v\nExpected response: %#v", actualResp, expectedResp)
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
// Check to make sure the password is correctly formatted
passwordLength := len([]rune(password))
if passwordLength != expectedPassLen {
t.Fatalf("password is %d characters but should be %d", passwordLength, expectedPassLen)
}
for _, rule := range rules {
if !rule.Pass([]rune(password)) {
t.Fatalf("password %s does not have the correct characters", password)
}
}
}
})
}
Adds OIDC Authorization Endpoint to OIDC providers (#12538)
2021-09-27 17:55:29 +00:00
func assertTrue(t *testing.T, pass bool, f string, vals ...interface{}) {
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
t.Helper()
if !pass {
t.Fatalf(f, vals...)
}
}
func assertHasKey(t *testing.T, m map[string]interface{}, key string, f string, vals ...interface{}) {
t.Helper()
_, exists := m[key]
if !exists {
t.Fatalf(f, vals...)
}
}
func assertIsString(t *testing.T, val interface{}, f string, vals ...interface{}) {
t.Helper()
_, ok := val.(string)
if !ok {
t.Fatalf(f, vals...)
}
}
func passwordPoliciesFieldData(raw map[string]interface{}) *framework.FieldData {
return &framework.FieldData{
Raw: raw,
Schema: map[string]*framework.FieldSchema{
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"name": {
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
Type: framework.TypeString,
Description: "The name of the password policy.",
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"policy": {
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
Type: framework.TypeString,
Description: "The password policy",
},
},
}
}
func base64Encode(data string) string {
return base64.StdEncoding.EncodeToString([]byte(data))
}
func toJson(t *testing.T, val interface{}) []byte {
t.Helper()
b, err := jsonutil.EncodeJSON(val)
if err != nil {
t.Fatalf("Unable to marshal to JSON: %s", err)
}
return b
}
func storageEntry(t *testing.T, key string, policy string) *logical.StorageEntry {
return &logical.StorageEntry{
Key: getPasswordPolicyKey(key),
Value: toJson(t, passwordPolicyConfig{
HCLPolicy: policy,
}),
}
}
func makeStorageMap(entries ...*logical.StorageEntry) map[string]*logical.StorageEntry {
m := map[string]*logical.StorageEntry{}
for _, entry := range entries {
m[entry.Key] = entry
}
return m
}
func dereferenceMap(store map[string]*logical.StorageEntry) map[string]interface{} {
m := map[string]interface{}{}
for k, v := range store {
m[k] = map[string]string{
"Key": v.Key,
"Value": string(v.Value),
}
}
return m
}
type walkFunc func(*logical.StorageEntry) error
// WalkLogicalStorage applies the provided walkFunc against each entry in the logical storage.
// This operates as a breadth first search.
// TODO: Figure out a place for this to live permanently. This is generic and should be in a helper package somewhere.
// At the time of writing, none of these locations work due to import cycles:
// - vault/helper/testhelpers
// - vault/helper/testhelpers/logical
// - vault/helper/testhelpers/teststorage
func WalkLogicalStorage(ctx context.Context, store logical.Storage, walker walkFunc) (err error) {
if store == nil {
return fmt.Errorf("no storage provided")
}
if walker == nil {
return fmt.Errorf("no walk function provided")
}
keys, err := store.List(ctx, "")
if err != nil {
return fmt.Errorf("unable to list root keys: %w", err)
}
// Non-recursive breadth-first search through all keys
for i := 0; i < len(keys); i++ {
key := keys[i]
entry, err := store.Get(ctx, key)
if err != nil {
return fmt.Errorf("unable to retrieve key at [%s]: %w", key, err)
}
if entry != nil {
err = walker(entry)
if err != nil {
return err
}
}
if strings.HasSuffix(key, "/") {
// Directory
subkeys, err := store.List(ctx, key)
if err != nil {
return fmt.Errorf("unable to list keys at [%s]: %w", key, err)
}
// Append the sub-keys to the keys slice so it searches into the sub-directory
for _, subkey := range subkeys {
// Avoids infinite loop if the subkey is empty which then repeats indefinitely
if subkey == "" {
continue
}
subkey = fmt.Sprintf("%s%s", key, subkey)
keys = append(keys, subkey)
}
}
}
return nil
}
// LogicalToMap retrieves all entries in the store and returns them as a map of key -> StorageEntry
func LogicalToMap(t *testing.T, ctx context.Context, store logical.Storage) (data map[string]*logical.StorageEntry) {
data = map[string]*logical.StorageEntry{}
f := func(entry *logical.StorageEntry) error {
data[entry.Key] = entry
return nil
}
err := WalkLogicalStorage(ctx, store, f)
if err != nil {
t.Fatalf("Unable to walk the storage: %s", err)
}
return data
}
// Ensure the WalkLogicalStorage function works
func TestWalkLogicalStorage(t *testing.T) {
type testCase struct {
entries []*logical.StorageEntry
}
tests := map[string]testCase{
"no entries": {
entries: []*logical.StorageEntry{},
},
"one entry": {
entries: []*logical.StorageEntry{
{
Key: "root",
},
},
},
"many entries": {
entries: []*logical.StorageEntry{
// Alphabetical, breadth-first
{Key: "bar"},
{Key: "foo"},
{Key: "bar/sub-bar1"},
{Key: "bar/sub-bar2"},
{Key: "foo/sub-foo1"},
{Key: "foo/sub-foo2"},
{Key: "foo/sub-foo3"},
{Key: "bar/sub-bar1/sub-sub-bar1"},
{Key: "bar/sub-bar1/sub-sub-bar2"},
{Key: "bar/sub-bar2/sub-sub-bar1"},
{Key: "foo/sub-foo1/sub-sub-foo1"},
{Key: "foo/sub-foo2/sub-sub-foo1"},
{Key: "foo/sub-foo3/sub-sub-foo1"},
{Key: "foo/sub-foo3/sub-sub-foo2"},
},
},
"sub key without root key": {
entries: []*logical.StorageEntry{
{Key: "foo/bar/baz"},
},
},
"key with trailing slash": {
entries: []*logical.StorageEntry{
{Key: "foo/"},
},
},
"double slash": {
entries: []*logical.StorageEntry{
{Key: "foo//"},
{Key: "foo//bar"},
},
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
store := makeStorage(t, test.entries...)
actualEntries := []*logical.StorageEntry{}
f := func(entry *logical.StorageEntry) error {
actualEntries = append(actualEntries, entry)
return nil
}
err := WalkLogicalStorage(ctx, store, f)
if err != nil {
t.Fatalf("Failed to walk storage: %s", err)
}
if !reflect.DeepEqual(actualEntries, test.entries) {
t.Fatalf("Actual: %#v\nExpected: %#v", actualEntries, test.entries)
}
})
}
}
func makeStorage(t *testing.T, entries ...*logical.StorageEntry) *logical.InmemStorage {
t.Helper()
ctx := context.Background()
store := new(logical.InmemStorage)
for _, entry := range entries {
err := store.Put(ctx, entry)
if err != nil {
t.Fatalf("Unable to load test storage: %s", err)
}
}
return store
}
Vault 1979: Query API for Irrevocable Leases (#11607) * build out lease count (not fully working), start lease list * build out irrevocable lease list * bookkeeping * test irrevocable lease counts for API/CLI * fix listIrrevocableLeases, test listIrrevocableLeases, cleanup * test expiration API limit * namespace tweaks, test force flag on lease list * integration test leases/count API, plenty of fixes and improvements * test lease list API, fixes and improvements * test force flag for irrevocable lease list API * i guess this wasn't saved on the last refactor... * fixes and improvements found during my review * better test error msg * Update vault/logical_system_paths.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * Update vault/logical_system_paths.go Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> * return warning with data if more than default leases to list without force flag * make api doc more generalized * list leases in general, not by mount point * change force flag to include_large_results * sort leases by LeaseID for consistent API response * switch from bool flag for API limit to string value * sort first by leaseID, then stable sort by expiration * move some utils to be in oss and ent * improve sort efficiency for API response Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2021-06-02 16:11:30 +00:00
func leaseLimitFieldData(limit string) *framework.FieldData {
raw := make(map[string]interface{})
raw["limit"] = limit
return &framework.FieldData{
Raw: raw,
Schema: map[string]*framework.FieldSchema{
"limit": {
Type: framework.TypeString,
Default: "",
Description: "limit return results",
},
},
}
}
func TestProcessLimit(t *testing.T) {
testCases := []struct {
d *framework.FieldData
expectReturnAll bool
expectLimit int
expectErr bool
}{
{
d: leaseLimitFieldData("500"),
expectReturnAll: false,
expectLimit: 500,
expectErr: false,
},
{
d: leaseLimitFieldData(""),
expectReturnAll: false,
expectLimit: MaxIrrevocableLeasesToReturn,
expectErr: false,
},
{
d: leaseLimitFieldData("none"),
expectReturnAll: true,
expectLimit: 10000,
expectErr: false,
},
{
d: leaseLimitFieldData("NoNe"),
expectReturnAll: true,
expectLimit: 10000,
expectErr: false,
},
{
d: leaseLimitFieldData("hello_world"),
expectReturnAll: false,
expectLimit: 0,
expectErr: true,
},
{
d: leaseLimitFieldData("0"),
expectReturnAll: false,
expectLimit: 0,
expectErr: true,
},
{
d: leaseLimitFieldData("-1"),
expectReturnAll: false,
expectLimit: 0,
expectErr: true,
},
}
for i, tc := range testCases {
returnAll, limit, err := processLimit(tc.d)
if returnAll != tc.expectReturnAll {
t.Errorf("bad return all for test case %d. expected %t, got %t", i, tc.expectReturnAll, returnAll)
}
if limit != tc.expectLimit {
t.Errorf("bad limit for test case %d. expected %d, got %d", i, tc.expectLimit, limit)
}
haveErr := err != nil
if haveErr != tc.expectErr {
t.Errorf("bad error status for test case %d. expected error: %t, got error: %t", i, tc.expectErr, haveErr)
if err != nil {
t.Errorf("error was: %v", err)
}
}
}
}
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
func TestSystemBackend_Loggers(t *testing.T) {
testCases := []struct {
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
level string
expectedLevel string
expectError bool
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
}{
{
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"trace",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
"trace",
false,
},
{
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"debug",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
"debug",
false,
},
{
"notice",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"info",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
false,
},
{
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"info",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
"info",
false,
},
{
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"warn",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
"warn",
false,
},
{
"warning",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"warn",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
false,
},
{
"err",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"error",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
false,
},
{
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"error",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
"error",
false,
},
{
"",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"info",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
true,
},
{
"invalid",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
true,
},
}
for _, tc := range testCases {
tc := tc
t.Run(fmt.Sprintf("all-loggers-%s", tc.level), func(t *testing.T) {
t.Parallel()
core, b, _ := testCoreSystemBackend(t)
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
// Test core overrides logging level outside of config,
// an initial delete will ensure that we an initial read
// to get expected values is based off of config and not
// the test override that is hidden from this test
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
req := &logical.Request{
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
Path: "loggers",
Operation: logical.DeleteOperation,
}
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
}
req = &logical.Request{
Path: "loggers",
Operation: logical.ReadOperation,
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
}
initialLoggers := resp.Data
req = &logical.Request{
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
Path: "loggers",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"level": tc.level,
},
}
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
respIsError := resp != nil && resp.IsError()
if err != nil || (!tc.expectError && respIsError) {
t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
}
if tc.expectError && !respIsError {
t.Fatalf("expected response error, resp: %#v", resp)
}
if !tc.expectError {
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
req = &logical.Request{
Path: "loggers",
Operation: logical.ReadOperation,
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
}
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
for _, logger := range core.allLoggers {
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
loggerName := logger.Name()
levelRaw, ok := resp.Data[loggerName]
if !ok {
t.Errorf("logger %q not found in response", loggerName)
}
if levelStr := levelRaw.(string); levelStr != tc.expectedLevel {
t.Errorf("unexpected level of logger %q, expected: %s, actual: %s", loggerName, tc.expectedLevel, levelStr)
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
}
}
}
req = &logical.Request{
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
Path: "loggers",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
Operation: logical.DeleteOperation,
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
}
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
req = &logical.Request{
Path: "loggers",
Operation: logical.ReadOperation,
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
}
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
for _, logger := range core.allLoggers {
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
loggerName := logger.Name()
levelRaw, currentOk := resp.Data[loggerName]
initialLevelRaw, initialOk := initialLoggers[loggerName]
if !currentOk || !initialOk {
t.Errorf("logger %q not found", loggerName)
}
levelStr := levelRaw.(string)
initialLevelStr := initialLevelRaw.(string)
if levelStr != initialLevelStr {
t.Errorf("expected level of logger %q to match original config, expected: %s, actual: %s", loggerName, initialLevelStr, levelStr)
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
}
}
})
}
}
func TestSystemBackend_LoggersByName(t *testing.T) {
testCases := []struct {
logger string
level string
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
expectedLevel string
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
expectWriteError bool
expectDeleteError bool
}{
{
"core",
"trace",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"trace",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
false,
false,
},
{
"token",
"debug",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"debug",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
false,
false,
},
{
"audit",
"notice",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"info",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
false,
false,
},
{
"expiration",
"info",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"info",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
false,
false,
},
{
"policy",
"warn",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"warn",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
false,
false,
},
{
"activity",
"warning",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"warn",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
false,
false,
},
{
"identity",
"err",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"error",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
false,
false,
},
{
"rollback",
"error",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"error",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
false,
false,
},
{
"system",
"",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"does-not-matter",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
true,
false,
},
{
"quotas",
"invalid",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"does-not-matter",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
true,
false,
},
{
"",
"info",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"does-not-matter",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
true,
true,
},
{
"does_not_exist",
"error",
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
"does-not-matter",
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
true,
true,
},
}
for _, tc := range testCases {
tc := tc
t.Run(fmt.Sprintf("loggers-by-name-%s", tc.logger), func(t *testing.T) {
t.Parallel()
core, b, _ := testCoreSystemBackend(t)
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
// Test core overrides logging level outside of config,
// an initial delete will ensure that we an initial read
// to get expected values is based off of config and not
// the test override that is hidden from this test
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
req := &logical.Request{
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
Path: "loggers",
Operation: logical.DeleteOperation,
}
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
}
req = &logical.Request{
Path: "loggers",
Operation: logical.ReadOperation,
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
}
initialLoggers := resp.Data
req = &logical.Request{
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
Path: fmt.Sprintf("loggers/%s", tc.logger),
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"level": tc.level,
},
}
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
respIsError := resp != nil && resp.IsError()
if err != nil || (!tc.expectWriteError && respIsError) {
t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
}
if tc.expectWriteError && !respIsError {
t.Fatalf("expected response error, resp: %#v", resp)
}
if !tc.expectWriteError {
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
req = &logical.Request{
Path: "loggers",
Operation: logical.ReadOperation,
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
}
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
for _, logger := range core.allLoggers {
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
loggerName := logger.Name()
levelRaw, currentOk := resp.Data[loggerName]
initialLevelRaw, initialOk := initialLoggers[loggerName]
if !currentOk || !initialOk {
t.Errorf("logger %q not found", loggerName)
}
levelStr := levelRaw.(string)
initialLevelStr := initialLevelRaw.(string)
if loggerName == tc.logger && levelStr != tc.expectedLevel {
t.Fatalf("expected logger %q to be %q, actual: %s", loggerName, tc.expectedLevel, levelStr)
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
}
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
if loggerName != tc.logger && levelStr != initialLevelStr {
t.Errorf("expected level of logger %q to be unchanged, exepcted: %s, actual: %s", loggerName, initialLevelStr, levelStr)
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
}
}
}
req = &logical.Request{
Path: fmt.Sprintf("loggers/%s", tc.logger),
Operation: logical.DeleteOperation,
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
respIsError = resp != nil && resp.IsError()
if err != nil || (!tc.expectDeleteError && respIsError) {
t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
}
if tc.expectDeleteError && !respIsError {
t.Fatalf("expected response error, resp: %#v", resp)
}
if !tc.expectDeleteError {
VAULT-9427: Add read support to `sys/loggers` endpoints (#17979) * add logger->log-level str func * ensure SetLogLevelByName accounts for duplicates * add read handlers for sys/loggers endpoints * add changelog entry * update docs * ignore base logger * fix docs formatting issue * add ReadOperation support to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_Loggers * add more robust checks to TestSystemBackend_LoggersByName * check for empty name in delete handler
2022-11-28 16:18:36 +00:00
req = &logical.Request{
Path: fmt.Sprintf("loggers/%s", tc.logger),
Operation: logical.ReadOperation,
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("unexpected error, err: %v, resp: %#v", err, resp)
}
currentLevel, ok := resp.Data[tc.logger].(string)
if !ok {
t.Fatalf("expected resp to include %q, resp: %#v", tc.logger, resp)
}
initialLevel, ok := initialLoggers[tc.logger].(string)
if !ok {
t.Fatalf("expected initial loggers to include %q, resp: %#v", tc.logger, initialLoggers)
}
if currentLevel != initialLevel {
t.Errorf("expected level of logger %q to match original config, expected: %s, actual: %s", tc.logger, initialLevel, currentLevel)
Add endpoints to provide ability to modify logging verbosity (#16111) * add func to set level for specific logger * add endpoints to modify log level * initialize base logger with IndependentLevels * test to ensure other loggers remain unchanged * add DELETE loggers endpoints to revert back to config * add API docs page * add changelog entry * remove extraneous line * add log level field to Core struct * add godoc for getLogLevel * add some loggers to c.allLoggers
2022-06-27 15:39:53 +00:00
}
}
})
}
}
Version-aware plugin catalog (#16688) Adds support for using semantic version information when registering and managing plugins. New `detailed` field in the response data for listing plugins and new `version` field in the response data for reading a single plugin.
2022-08-25 20:31:42 +00:00
func TestSortVersionedPlugins(t *testing.T) {
versionedPlugin := func(typ consts.PluginType, name string, version string, builtin bool) pluginutil.VersionedPlugin {
return pluginutil.VersionedPlugin{
Type: typ.String(),
Name: name,
Version: version,
SHA256: "",
Builtin: builtin,
SemanticVersion: func() *semver.Version {
if version != "" {
return semver.Must(semver.NewVersion(version))
}
return semver.Must(semver.NewVersion("0.0.0"))
}(),
}
}
differingTypes := []pluginutil.VersionedPlugin{
versionedPlugin(consts.PluginTypeSecrets, "c", "1.0.0", false),
versionedPlugin(consts.PluginTypeDatabase, "c", "1.0.0", false),
versionedPlugin(consts.PluginTypeCredential, "c", "1.0.0", false),
}
differingNames := []pluginutil.VersionedPlugin{
versionedPlugin(consts.PluginTypeCredential, "c", "1.0.0", false),
versionedPlugin(consts.PluginTypeCredential, "b", "1.0.0", false),
versionedPlugin(consts.PluginTypeCredential, "a", "1.0.0", false),
}
differingVersions := []pluginutil.VersionedPlugin{
versionedPlugin(consts.PluginTypeCredential, "c", "10.0.0", false),
versionedPlugin(consts.PluginTypeCredential, "c", "2.0.1", false),
versionedPlugin(consts.PluginTypeCredential, "c", "2.1.0", false),
}
versionedUnversionedAndBuiltin := []pluginutil.VersionedPlugin{
versionedPlugin(consts.PluginTypeCredential, "c", "1.0.0", false),
versionedPlugin(consts.PluginTypeCredential, "c", "", false),
versionedPlugin(consts.PluginTypeCredential, "c", "1.0.0", true),
}
for name, tc := range map[string][]pluginutil.VersionedPlugin{
"ascending types": differingTypes,
"ascending names": differingNames,
"ascending versions": differingVersions,
// Include differing versions twice so we can test out equality too.
"differing types, names and versions": append(differingTypes,
append(differingNames,
append(differingVersions, differingVersions...)...)...),
"mix of unversioned, versioned, and builtin": versionedUnversionedAndBuiltin,
} {
t.Run(name, func(t *testing.T) {
sortVersionedPlugins(tc)
for i := 1; i < len(tc); i++ {
previous := tc[i-1]
current := tc[i]
if current.Type > previous.Type {
continue
}
if current.Name > previous.Name {
continue
}
if current.SemanticVersion.GreaterThan(previous.SemanticVersion) {
continue
}
if current.Type == previous.Type && current.Name == previous.Name && current.SemanticVersion.Equal(previous.SemanticVersion) {
continue
}
t.Fatalf("versioned plugins at index %d and %d were not properly sorted: %+v, %+v", i-1, i, previous, current)
}
})
}
}
Remove pinned builtin plugin versions from storage (#18051) * Removes _builtin_ versions from mount storage where it already exists * Stops new builtin versions being put into storage on mount creation/tuning * Stops the plugin catalog from returning a builtin plugin that has been overridden, so it more accurately reflects the plugins that are available to actually run
2022-11-23 18:36:25 +00:00
func TestValidateVersion(t *testing.T) {
b := testSystemBackend(t).(*SystemBackend)
k8sAuthBuiltin := versions.GetBuiltinVersion(consts.PluginTypeCredential, "kubernetes")
for name, tc := range map[string]struct {
pluginName string
pluginVersion string
pluginType consts.PluginType
expectLogicalError string
expectedVersion string
}{
"default, nothing in nothing out": {"kubernetes", "", consts.PluginTypeCredential, "", ""},
"builtin specified, empty out": {"kubernetes", k8sAuthBuiltin, consts.PluginTypeCredential, "", ""},
"not canonical is ok": {"kubernetes", "1.0.0", consts.PluginTypeCredential, "", "v1.0.0"},
"not a semantic version, error": {"kubernetes", "not-a-version", consts.PluginTypeCredential, "not a valid semantic version", ""},
"can't select non-builtin token": {"token", "v1.0.0", consts.PluginTypeCredential, "cannot select non-builtin version", ""},
"can't select non-builtin identity": {"identity", "v1.0.0", consts.PluginTypeSecrets, "cannot select non-builtin version", ""},
} {
t.Run(name, func(t *testing.T) {
version, resp, err := b.validateVersion(context.Background(), tc.pluginVersion, tc.pluginName, tc.pluginType)
if err != nil {
t.Fatal(err)
}
if tc.expectLogicalError != "" {
if resp == nil || !resp.IsError() || resp.Error() == nil {
t.Errorf("expected logical error but got none, resp: %#v", resp)
}
if !strings.Contains(resp.Error().Error(), tc.expectLogicalError) {
t.Errorf("expected logical error to contain %q, but got: %s", tc.expectLogicalError, resp.Error())
}
} else if version != tc.expectedVersion {
t.Errorf("expected version %q but got %q", tc.expectedVersion, version)
}
})
}
}
func TestValidateVersion_HelpfulErrorWhenBuiltinOverridden(t *testing.T) {
core, _, _ := TestCoreUnsealed(t)
tempDir, err := filepath.EvalSymlinks(t.TempDir())
if err != nil {
t.Fatal(err)
}
core.pluginCatalog.directory = tempDir
b := core.systemBackend
// Shadow a builtin and test getting a helpful error back.
file, err := ioutil.TempFile(tempDir, "temp")
if err != nil {
t.Fatal(err)
}
defer file.Close()
command := filepath.Base(file.Name())
err = core.pluginCatalog.Set(context.Background(), "kubernetes", consts.PluginTypeCredential, "", command, nil, nil, nil)
if err != nil {
t.Fatal(err)
}
// When we validate the version now, we should get a special error message
// about why the builtin isn't there.
k8sAuthBuiltin := versions.GetBuiltinVersion(consts.PluginTypeCredential, "kubernetes")
_, resp, err := b.validateVersion(context.Background(), k8sAuthBuiltin, "kubernetes", consts.PluginTypeCredential)
if err != nil {
t.Fatal(err)
}
if resp == nil || !resp.IsError() || resp.Error() == nil {
t.Errorf("expected logical error but got none, resp: %#v", resp)
}
if !strings.Contains(resp.Error().Error(), "overridden by an unversioned plugin of the same name") {
t.Errorf("expected logical error to contain overridden message, but got: %s", resp.Error())
}
}
func TestCanUnseal_WithNonExistentBuiltinPluginVersion_InMountStorage(t *testing.T) {
core, keys, _ := TestCoreUnsealed(t)
ctx := namespace.RootContext(nil)
testCases := []struct {
pluginName string
pluginType consts.PluginType
mountTable string
}{
{"consul", consts.PluginTypeSecrets, "mounts"},
{"approle", consts.PluginTypeCredential, "auth"},
}
readMountConfig := func(pluginName, mountTable string) map[string]interface{} {
t.Helper()
req := logical.TestRequest(t, logical.ReadOperation, mountTable+"/"+pluginName)
resp, err := core.systemBackend.HandleRequest(ctx, req)
if err != nil {
t.Fatalf("err: %v", err)
}
return resp.Data
}
for _, tc := range testCases {
req := logical.TestRequest(t, logical.UpdateOperation, tc.mountTable+"/"+tc.pluginName)
req.Data["type"] = tc.pluginName
req.Data["config"] = map[string]interface{}{
"default_lease_ttl": "35m",
"max_lease_ttl": "45m",
"plugin_version": versions.GetBuiltinVersion(tc.pluginType, tc.pluginName),
}
resp, err := core.systemBackend.HandleRequest(ctx, req)
if err != nil {
t.Fatalf("err: %v, resp: %#v", err, resp)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
config := readMountConfig(tc.pluginName, tc.mountTable)
pluginVersion, ok := config["plugin_version"]
if !ok || pluginVersion != "" {
t.Fatalf("expected empty plugin version in config: %#v", config)
}
// Directly store plugin version in mount entry, so we can then simulate
// an upgrade from 1.12.1 to 1.12.2 by sealing and unsealing.
const nonExistentBuiltinVersion = "v1.0.0+builtin"
var mountEntry *MountEntry
if tc.mountTable == "mounts" {
mountEntry, err = core.mounts.find(ctx, tc.pluginName+"/")
} else {
mountEntry, err = core.auth.find(ctx, tc.pluginName+"/")
}
if err != nil {
t.Fatal(err)
}
if mountEntry == nil {
t.Fatal()
}
mountEntry.Version = nonExistentBuiltinVersion
err = core.persistMounts(ctx, core.mounts, &mountEntry.Local)
if err != nil {
t.Fatal(err)
}
config = readMountConfig(tc.pluginName, tc.mountTable)
pluginVersion, ok = config["plugin_version"]
if !ok || pluginVersion != nonExistentBuiltinVersion {
t.Fatalf("expected plugin version %s but was %s, config: %#v", nonExistentBuiltinVersion, pluginVersion, config)
}
}
err := TestCoreSeal(core)
if err != nil {
t.Fatal(err)
}
for _, key := range keys {
if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil {
t.Fatalf("unseal err: %s", err)
}
}
for _, tc := range testCases {
// Storage should have been upgraded during the unseal, so plugin version
// should be empty again.
config := readMountConfig(tc.pluginName, tc.mountTable)
pluginVersion, ok := config["plugin_version"]
if !ok || pluginVersion != "" {
t.Errorf("expected empty plugin version in config: %#v", config)
}
}
}