open-vault/vault/capabilities_test.go

package vault

import (
	"context"
	"reflect"
	"sort"
	"testing"
	"time"

	"github.com/hashicorp/vault/logical"
)

func TestCapabilities_DerivedPolicies(t *testing.T) {
	var resp *logical.Response
	var err error

	i, _, c := testIdentityStoreWithGithubAuth(t)

	policy1 := `
name = "policy1"
path "secret/sample" {
	capabilities = ["update", "create", "sudo"]
}
`
	policy2 := `
name = "policy2"
path "secret/sample" {
	capabilities = ["read", "delete"]
}
`

	policy3 := `
name = "policy3"
path "secret/sample" {
	capabilities = ["list", "list"]
}
`
	// Create the above policies
	policy, _ := ParseACLPolicy(policy1)
	err = c.policyStore.SetPolicy(context.Background(), policy)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	policy, _ = ParseACLPolicy(policy2)
	err = c.policyStore.SetPolicy(context.Background(), policy)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	policy, _ = ParseACLPolicy(policy3)
	err = c.policyStore.SetPolicy(context.Background(), policy)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// Create an entity and assign policy1 to it
	entityReq := &logical.Request{
		Path:      "entity",
		Operation: logical.UpdateOperation,
		Data: map[string]interface{}{
			"policies": "policy1",
		},
	}
	resp, err = i.HandleRequest(context.Background(), entityReq)
	if err != nil || (resp != nil && resp.IsError()) {
		t.Fatalf("bad: resp: %#v\nerr: %#v\n", resp, err)
	}
	entityID := resp.Data["id"].(string)

	// Create a token for the entity and assign policy2 on the token
	ent := &logical.TokenEntry{
		ID:       "capabilitiestoken",
		Path:     "secret/sample",
		Policies: []string{"policy2"},
		EntityID: entityID,
		TTL:      time.Hour,
	}
	testMakeTokenDirectly(t, c.tokenStore, ent)

	actual, err := c.Capabilities(context.Background(), "capabilitiestoken", "secret/sample")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	expected := []string{"create", "read", "sudo", "delete", "update"}
	sort.Strings(actual)
	sort.Strings(expected)
	if !reflect.DeepEqual(actual, expected) {
		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
	}

	// Create a group and add the above created entity to it
	groupReq := &logical.Request{
		Path:      "group",
		Operation: logical.UpdateOperation,
		Data: map[string]interface{}{
			"member_entity_ids": []string{entityID},
			"policies":          "policy3",
		},
	}
	resp, err = i.HandleRequest(context.Background(), groupReq)
	if err != nil || (resp != nil && resp.IsError()) {
		t.Fatalf("bad: resp: %#v\nerr: %#v\n", resp, err)
	}

	actual, err = c.Capabilities(context.Background(), "capabilitiestoken", "secret/sample")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	expected = []string{"create", "read", "sudo", "delete", "update", "list"}
	sort.Strings(actual)
	sort.Strings(expected)
	if !reflect.DeepEqual(actual, expected) {
		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
	}
}

func TestCapabilities(t *testing.T) {
	c, _, token := TestCoreUnsealed(t)

	actual, err := c.Capabilities(context.Background(), token, "path")
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	expected := []string{"root"}
	if !reflect.DeepEqual(actual, expected) {
		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
	}

	// Create a policy
	policy, _ := ParseACLPolicy(aclPolicy)
	err = c.policyStore.SetPolicy(context.Background(), policy)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// Create a token for the policy
	ent := &logical.TokenEntry{
		ID:       "capabilitiestoken",
		Path:     "testpath",
		Policies: []string{"dev"},
		TTL:      time.Hour,
	}
	testMakeTokenDirectly(t, c.tokenStore, ent)

	actual, err = c.Capabilities(context.Background(), "capabilitiestoken", "foo/bar")
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	expected = []string{"create", "read", "sudo"}
	if !reflect.DeepEqual(actual, expected) {
		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
	}
}
Test files for capabilities endpoint 2016-03-03 17:24:28 +00:00			`package vault`
test cases for capabilities endpoint 2016-03-05 05:03:55 +00:00
			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
test cases for capabilities endpoint 2016-03-05 05:03:55 +00:00			`"reflect"`
Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00			`"sort"`
test cases for capabilities endpoint 2016-03-05 05:03:55 +00:00			`"testing"`
Offline token revocation fix 2018-06-03 22:14:51 +00:00			`"time"`
Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00
			`"github.com/hashicorp/vault/logical"`
test cases for capabilities endpoint 2016-03-05 05:03:55 +00:00			`)`

Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00			`func TestCapabilities_DerivedPolicies(t *testing.T) {`
			`var resp *logical.Response`
			`var err error`

			`i, _, c := testIdentityStoreWithGithubAuth(t)`

			policy1 := `
			`name = "policy1"`
			`path "secret/sample" {`
			`capabilities = ["update", "create", "sudo"]`
			`}`
			`
			policy2 := `
			`name = "policy2"`
			`path "secret/sample" {`
			`capabilities = ["read", "delete"]`
			`}`
			`

			policy3 := `
			`name = "policy3"`
			`path "secret/sample" {`
			`capabilities = ["list", "list"]`
			`}`
			`
			`// Create the above policies`
			`policy, _ := ParseACLPolicy(policy1)`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`err = c.policyStore.SetPolicy(context.Background(), policy)`
Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`policy, _ = ParseACLPolicy(policy2)`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`err = c.policyStore.SetPolicy(context.Background(), policy)`
Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`policy, _ = ParseACLPolicy(policy3)`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`err = c.policyStore.SetPolicy(context.Background(), policy)`
Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// Create an entity and assign policy1 to it`
			`entityReq := &logical.Request{`
			`Path: "entity",`
			`Operation: logical.UpdateOperation,`
			`Data: map[string]interface{}{`
			`"policies": "policy1",`
			`},`
			`}`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`resp, err = i.HandleRequest(context.Background(), entityReq)`
Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00			`if err != nil \|\| (resp != nil && resp.IsError()) {`
			`t.Fatalf("bad: resp: %#v\nerr: %#v\n", resp, err)`
			`}`
			`entityID := resp.Data["id"].(string)`

			`// Create a token for the entity and assign policy2 on the token`
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use. 2018-06-08 21:24:27 +00:00			`ent := &logical.TokenEntry{`
Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00			`ID: "capabilitiestoken",`
			`Path: "secret/sample",`
			`Policies: []string{"policy2"},`
			`EntityID: entityID,`
Offline token revocation fix 2018-06-03 22:14:51 +00:00			`TTL: time.Hour,`
Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00			`}`
Offline token revocation fix 2018-06-03 22:14:51 +00:00			`testMakeTokenDirectly(t, c.tokenStore, ent)`
Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`actual, err := c.Capabilities(context.Background(), "capabilitiestoken", "secret/sample")`
Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`expected := []string{"create", "read", "sudo", "delete", "update"}`
			`sort.Strings(actual)`
			`sort.Strings(expected)`
			`if !reflect.DeepEqual(actual, expected) {`
			`t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)`
			`}`

			`// Create a group and add the above created entity to it`
			`groupReq := &logical.Request{`
			`Path: "group",`
			`Operation: logical.UpdateOperation,`
			`Data: map[string]interface{}{`
			`"member_entity_ids": []string{entityID},`
			`"policies": "policy3",`
			`},`
			`}`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`resp, err = i.HandleRequest(context.Background(), groupReq)`
Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00			`if err != nil \|\| (resp != nil && resp.IsError()) {`
			`t.Fatalf("bad: resp: %#v\nerr: %#v\n", resp, err)`
			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`actual, err = c.Capabilities(context.Background(), "capabilitiestoken", "secret/sample")`
Capabilities responds considering policies on entities and groups (#3522) * Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint 2017-11-03 15:20:10 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`expected = []string{"create", "read", "sudo", "delete", "update", "list"}`
			`sort.Strings(actual)`
			`sort.Strings(expected)`
			`if !reflect.DeepEqual(actual, expected) {`
			`t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)`
			`}`
			`}`

Added tests for lookup-accessor and revoke-accessor endpoints 2016-03-09 17:50:26 +00:00			`func TestCapabilities(t *testing.T) {`
test cases for capabilities endpoint 2016-03-05 05:03:55 +00:00			`c, _, token := TestCoreUnsealed(t)`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`actual, err := c.Capabilities(context.Background(), token, "path")`
test cases for capabilities endpoint 2016-03-05 05:03:55 +00:00			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
			`expected := []string{"root"}`
			`if !reflect.DeepEqual(actual, expected) {`
			`t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)`
			`}`

			`// Create a policy`
Sync over 2017-10-23 20:42:56 +00:00			`policy, _ := ParseACLPolicy(aclPolicy)`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`err = c.policyStore.SetPolicy(context.Background(), policy)`
test cases for capabilities endpoint 2016-03-05 05:03:55 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// Create a token for the policy`
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use. 2018-06-08 21:24:27 +00:00			`ent := &logical.TokenEntry{`
test cases for capabilities endpoint 2016-03-05 05:03:55 +00:00			`ID: "capabilitiestoken",`
			`Path: "testpath",`
			`Policies: []string{"dev"},`
Offline token revocation fix 2018-06-03 22:14:51 +00:00			`TTL: time.Hour,`
test cases for capabilities endpoint 2016-03-05 05:03:55 +00:00			`}`
Offline token revocation fix 2018-06-03 22:14:51 +00:00			`testMakeTokenDirectly(t, c.tokenStore, ent)`
test cases for capabilities endpoint 2016-03-05 05:03:55 +00:00
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`actual, err = c.Capabilities(context.Background(), "capabilitiestoken", "foo/bar")`
test cases for capabilities endpoint 2016-03-05 05:03:55 +00:00			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
Fix capabilities test case 2016-03-18 16:55:18 +00:00			`expected = []string{"create", "read", "sudo"}`
test cases for capabilities endpoint 2016-03-05 05:03:55 +00:00			`if !reflect.DeepEqual(actual, expected) {`
			`t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)`
			`}`
			`}`