open-vault/helper/mfa/mfa_test.go

package mfa

import (
	"context"
	"testing"

	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
	logicaltest "github.com/hashicorp/vault/logical/testing"
)

// MakeTestBackend creates a simple MFA enabled backend.
// Login (before MFA) always succeeds with policy "foo".
// An MFA "test" type is added to mfa.handlers that succeeds
// if MFA method is "accept", otherwise it rejects.
func MakeTestBackend() *framework.Backend {
	handlers["test"] = testMFAHandler
	b := &framework.Backend{
		Help: "",

		PathsSpecial: &logical.Paths{
			Root: MFARootPaths(),
			Unauthenticated: []string{
				"login",
			},
		},
		Paths: MFAPaths(nil, testPathLogin()),
	}
	return b
}

func testPathLogin() *framework.Path {
	return &framework.Path{
		Pattern: `login`,
		Fields: map[string]*framework.FieldSchema{
			"username": &framework.FieldSchema{
				Type: framework.TypeString,
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.UpdateOperation: testPathLoginHandler,
		},
	}
}

func testPathLoginHandler(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
	username := d.Get("username").(string)

	return &logical.Response{
		Auth: &logical.Auth{
			Policies: []string{"foo"},
			Metadata: map[string]string{
				"username": username,
			},
		},
	}, nil
}

func testMFAHandler(req *logical.Request, d *framework.FieldData, resp *logical.Response) (
	*logical.Response, error) {
	if d.Get("method").(string) != "accept" {
		return logical.ErrorResponse("Deny access"), nil
	} else {
		return resp, nil
	}
}

func TestMFALogin(t *testing.T) {
	b := MakeTestBackend()

	logicaltest.Test(t, logicaltest.TestCase{
		AcceptanceTest: true,
		Backend:        b,
		Steps: []logicaltest.TestStep{
			testAccStepEnableMFA(t),
			testAccStepLogin(t, "user"),
		},
	})
}

func TestMFALoginDenied(t *testing.T) {
	b := MakeTestBackend()

	logicaltest.Test(t, logicaltest.TestCase{
		AcceptanceTest: true,
		Backend:        b,
		Steps: []logicaltest.TestStep{
			testAccStepEnableMFA(t),
			testAccStepLoginDenied(t, "user"),
		},
	})
}

func testAccStepEnableMFA(t *testing.T) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "mfa_config",
		Data: map[string]interface{}{
			"type": "test",
		},
	}
}

func testAccStepLogin(t *testing.T, username string) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "login",
		Data: map[string]interface{}{
			"method":   "accept",
			"username": username,
		},
		Unauthenticated: true,
		Check:           logicaltest.TestCheckAuth([]string{"foo"}),
	}
}

func testAccStepLoginDenied(t *testing.T, username string) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "login",
		Data: map[string]interface{}{
			"method":   "deny",
			"username": username,
		},
		Unauthenticated: true,
		Check:           logicaltest.TestCheckError(),
	}
}
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`package mfa`

			`import (`
Update plugin deps to include context changes (#3765) * Update plugin deps to include context changes * Fix tests 2018-01-08 20:26:13 +00:00			`"context"`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`"testing"`

			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
Added AcceptanceTest boolean to logical.TestCase 2016-04-05 19:10:44 +00:00			`logicaltest "github.com/hashicorp/vault/logical/testing"`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`)`

Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`// MakeTestBackend creates a simple MFA enabled backend.`
			`// Login (before MFA) always succeeds with policy "foo".`
			`// An MFA "test" type is added to mfa.handlers that succeeds`
			`// if MFA method is "accept", otherwise it rejects.`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`func MakeTestBackend() *framework.Backend {`
			`handlers["test"] = testMFAHandler`
			`b := &framework.Backend{`
			`Help: "",`

			`PathsSpecial: &logical.Paths{`
Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`Root: MFARootPaths(),`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`Unauthenticated: []string{`
			`"login",`
			`},`
			`},`
			`Paths: MFAPaths(nil, testPathLogin()),`
			`}`
			`return b`
			`}`

Added AcceptanceTest boolean to logical.TestCase 2016-04-05 19:10:44 +00:00			`func testPathLogin() *framework.Path {`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`return &framework.Path{`
			Pattern: `login`,
			`Fields: map[string]*framework.FieldSchema{`
			`"username": &framework.FieldSchema{`
Added AcceptanceTest boolean to logical.TestCase 2016-04-05 19:10:44 +00:00			`Type: framework.TypeString,`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`},`
			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
WriteOperation -> UpdateOperation 2016-01-07 15:30:47 +00:00			`logical.UpdateOperation: testPathLoginHandler,`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`},`
			`}`
			`}`

Update plugin deps to include context changes (#3765) * Update plugin deps to include context changes * Fix tests 2018-01-08 20:26:13 +00:00			`func testPathLoginHandler(ctx context.Context, req logical.Request, d framework.FieldData) (*logical.Response, error) {`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`username := d.Get("username").(string)`

			`return &logical.Response{`
			`Auth: &logical.Auth{`
			`Policies: []string{"foo"},`
			`Metadata: map[string]string{`
			`"username": username,`
			`},`
			`},`
			`}, nil`
			`}`

			`func testMFAHandler(req logical.Request, d framework.FieldData, resp *logical.Response) (`
			`*logical.Response, error) {`
			`if d.Get("method").(string) != "accept" {`
			`return logical.ErrorResponse("Deny access"), nil`
			`} else {`
			`return resp, nil`
			`}`
			`}`

			`func TestMFALogin(t *testing.T) {`
			`b := MakeTestBackend()`

			`logicaltest.Test(t, logicaltest.TestCase{`
Added AcceptanceTest boolean to logical.TestCase 2016-04-05 19:10:44 +00:00			`AcceptanceTest: true,`
			`Backend: b,`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`Steps: []logicaltest.TestStep{`
			`testAccStepEnableMFA(t),`
			`testAccStepLogin(t, "user"),`
			`},`
			`})`
			`}`

			`func TestMFALoginDenied(t *testing.T) {`
			`b := MakeTestBackend()`

			`logicaltest.Test(t, logicaltest.TestCase{`
Added AcceptanceTest boolean to logical.TestCase 2016-04-05 19:10:44 +00:00			`AcceptanceTest: true,`
			`Backend: b,`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`Steps: []logicaltest.TestStep{`
			`testAccStepEnableMFA(t),`
			`testAccStepLoginDenied(t, "user"),`
			`},`
			`})`
			`}`

			`func testAccStepEnableMFA(t *testing.T) logicaltest.TestStep {`
			`return logicaltest.TestStep{`
WriteOperation -> UpdateOperation 2016-01-07 15:30:47 +00:00			`Operation: logical.UpdateOperation,`
Added AcceptanceTest boolean to logical.TestCase 2016-04-05 19:10:44 +00:00			`Path: "mfa_config",`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`Data: map[string]interface{}{`
			`"type": "test",`
			`},`
			`}`
			`}`

			`func testAccStepLogin(t *testing.T, username string) logicaltest.TestStep {`
			`return logicaltest.TestStep{`
WriteOperation -> UpdateOperation 2016-01-07 15:30:47 +00:00			`Operation: logical.UpdateOperation,`
Added AcceptanceTest boolean to logical.TestCase 2016-04-05 19:10:44 +00:00			`Path: "login",`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`Data: map[string]interface{}{`
Added AcceptanceTest boolean to logical.TestCase 2016-04-05 19:10:44 +00:00			`"method": "accept",`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`"username": username,`
			`},`
			`Unauthenticated: true,`
Added AcceptanceTest boolean to logical.TestCase 2016-04-05 19:10:44 +00:00			`Check: logicaltest.TestCheckAuth([]string{"foo"}),`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`}`
			`}`

			`func testAccStepLoginDenied(t *testing.T, username string) logicaltest.TestStep {`
			`return logicaltest.TestStep{`
WriteOperation -> UpdateOperation 2016-01-07 15:30:47 +00:00			`Operation: logical.UpdateOperation,`
Added AcceptanceTest boolean to logical.TestCase 2016-04-05 19:10:44 +00:00			`Path: "login",`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`Data: map[string]interface{}{`
Added AcceptanceTest boolean to logical.TestCase 2016-04-05 19:10:44 +00:00			`"method": "deny",`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`"username": username,`
			`},`
			`Unauthenticated: true,`
Added AcceptanceTest boolean to logical.TestCase 2016-04-05 19:10:44 +00:00			`Check: logicaltest.TestCheckError(),`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`}`
			`}`