open-vault/vault/logical_system_test.go

317 lines
7.5 KiB
Go
Raw Normal View History

package vault
import (
"reflect"
"testing"
"github.com/hashicorp/vault/logical"
)
func TestSystemBackend_RootPaths(t *testing.T) {
expected := []string{
2015-03-16 17:52:35 +00:00
"mounts/*",
"remount",
2015-03-16 23:33:48 +00:00
"revoke-prefix/*",
}
b := testSystemBackend(t)
actual := b.RootPaths()
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: %#v", actual)
}
}
func TestSystemBackend_mounts(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.ReadOperation, "mounts")
resp, err := b.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
"secret/": map[string]string{
"type": "generic",
"description": "generic secret storage",
},
"sys/": map[string]string{
"type": "system",
"description": "system endpoints used for control, policy and debugging",
},
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
func TestSystemBackend_mount(t *testing.T) {
b := testSystemBackend(t)
2015-03-16 17:52:35 +00:00
req := logical.TestRequest(t, logical.WriteOperation, "mounts/prod/secret/")
req.Data["type"] = "generic"
resp, err := b.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_mount_invalid(t *testing.T) {
b := testSystemBackend(t)
2015-03-16 17:52:35 +00:00
req := logical.TestRequest(t, logical.WriteOperation, "mounts/prod/secret/")
req.Data["type"] = "nope"
resp, err := b.HandleRequest(req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
2015-03-15 23:25:38 +00:00
if resp.Data["error"] != "unknown backend type: nope" {
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_unmount(t *testing.T) {
b := testSystemBackend(t)
2015-03-16 17:52:35 +00:00
req := logical.TestRequest(t, logical.DeleteOperation, "mounts/secret/")
resp, err := b.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_unmount_invalid(t *testing.T) {
b := testSystemBackend(t)
2015-03-16 17:52:35 +00:00
req := logical.TestRequest(t, logical.DeleteOperation, "mounts/foo/")
resp, err := b.HandleRequest(req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if resp.Data["error"] != "no matching mount" {
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_remount(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.WriteOperation, "remount")
req.Data["from"] = "secret"
req.Data["to"] = "foo"
resp, err := b.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_remount_invalid(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.WriteOperation, "remount")
req.Data["from"] = "unknown"
req.Data["to"] = "foo"
resp, err := b.HandleRequest(req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if resp.Data["error"] != "no matching mount at 'unknown/'" {
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_remount_system(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.WriteOperation, "remount")
req.Data["from"] = "sys"
req.Data["to"] = "foo"
resp, err := b.HandleRequest(req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if resp.Data["error"] != "cannot remount 'sys/'" {
t.Fatalf("bad: %v", resp)
}
}
2015-03-16 23:11:55 +00:00
func TestSystemBackend_renew(t *testing.T) {
core, b := testCoreSystemBackend(t)
// Create a key with a lease
req := logical.TestRequest(t, logical.WriteOperation, "secret/foo")
req.Data["foo"] = "bar"
req.Data["lease"] = "1h"
resp, err := core.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a VaultID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
resp, err = core.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Lease == nil || resp.Lease.VaultID == "" {
t.Fatalf("bad: %#v", resp)
}
// Attempt renew
req2 := logical.TestRequest(t, logical.WriteOperation, "renew/"+resp.Lease.VaultID)
req2.Data["increment"] = 100
resp2, err := b.HandleRequest(req2)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp2.Lease.VaultID != resp.Lease.VaultID {
t.Fatalf("bad: %#v", resp)
}
if resp2.Data["foo"] != "bar" {
t.Fatalf("bad: %#v", resp)
}
}
2015-03-16 23:14:53 +00:00
func TestSystemBackend_renew_invalidID(t *testing.T) {
b := testSystemBackend(t)
// Attempt renew
req := logical.TestRequest(t, logical.WriteOperation, "renew/foobarbaz")
resp, err := b.HandleRequest(req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if resp.Data["error"] != "lease not found" {
t.Fatalf("bad: %v", resp)
}
}
2015-03-16 23:26:34 +00:00
func TestSystemBackend_revoke(t *testing.T) {
core, b := testCoreSystemBackend(t)
// Create a key with a lease
req := logical.TestRequest(t, logical.WriteOperation, "secret/foo")
req.Data["foo"] = "bar"
req.Data["lease"] = "1h"
resp, err := core.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a VaultID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
resp, err = core.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Lease == nil || resp.Lease.VaultID == "" {
t.Fatalf("bad: %#v", resp)
}
2015-03-16 23:33:48 +00:00
// Attempt revoke
2015-03-16 23:26:34 +00:00
req2 := logical.TestRequest(t, logical.WriteOperation, "revoke/"+resp.Lease.VaultID)
resp2, err := b.HandleRequest(req2)
if err != nil {
t.Fatalf("err: %v %#v", err, resp2)
}
if resp2 != nil {
t.Fatalf("bad: %#v", resp)
}
2015-03-16 23:33:48 +00:00
// Attempt renew
req3 := logical.TestRequest(t, logical.WriteOperation, "renew/"+resp.Lease.VaultID)
resp3, err := b.HandleRequest(req3)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if resp3.Data["error"] != "lease not found" {
t.Fatalf("bad: %v", resp)
}
2015-03-16 23:26:34 +00:00
}
func TestSystemBackend_revoke_invalidID(t *testing.T) {
b := testSystemBackend(t)
// Attempt renew
req := logical.TestRequest(t, logical.WriteOperation, "revoke/foobarbaz")
resp, err := b.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
2015-03-16 23:33:48 +00:00
func TestSystemBackend_revokePrefix(t *testing.T) {
core, b := testCoreSystemBackend(t)
// Create a key with a lease
req := logical.TestRequest(t, logical.WriteOperation, "secret/foo")
req.Data["foo"] = "bar"
req.Data["lease"] = "1h"
resp, err := core.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a VaultID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
resp, err = core.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Lease == nil || resp.Lease.VaultID == "" {
t.Fatalf("bad: %#v", resp)
}
// Attempt revoke
req2 := logical.TestRequest(t, logical.WriteOperation, "revoke-prefix/secret/")
resp2, err := b.HandleRequest(req2)
if err != nil {
t.Fatalf("err: %v %#v", err, resp2)
}
if resp2 != nil {
t.Fatalf("bad: %#v", resp)
}
// Attempt renew
req3 := logical.TestRequest(t, logical.WriteOperation, "renew/"+resp.Lease.VaultID)
resp3, err := b.HandleRequest(req3)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if resp3.Data["error"] != "lease not found" {
t.Fatalf("bad: %v", resp)
}
}
2015-03-16 00:35:59 +00:00
func testSystemBackend(t *testing.T) logical.Backend {
c, _ := TestCoreUnsealed(t)
2015-03-16 00:35:59 +00:00
return NewSystemBackend(c)
}
2015-03-16 23:11:55 +00:00
func testCoreSystemBackend(t *testing.T) (*Core, logical.Backend) {
c, _ := TestCoreUnsealed(t)
return c, NewSystemBackend(c)
}