package appId
import (
"context"
"fmt"
"testing"
"github.com/hashicorp/vault/sdk/helper/salt"
"github.com/hashicorp/vault/sdk/logical"
logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
)
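// TestBackend_basic exercises the app-id credential backend end to end: it
// maps an app-id and a user-id, logs in with the app-id in the body and in
// the path, checks that an unknown user-id is rejected, deletes the user-id
// and checks that the login is rejected afterwards. It then lists the app-id
// map directly and verifies that the stored key is the salted SHA-256 form
// ("s" prefix) rather than the plaintext app-id.
func TestBackend_basic(t *testing.T) {
	var b *backend
	var err error
	var storage logical.Storage

	// The factory captures the backend and its storage view so that the
	// list check below runs against the very instance the harness mounted.
	factory := func(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
		b, err = Backend(conf)
		if err != nil {
			// NOTE(review): t.Fatal here is only valid if the harness calls
			// the factory on the test goroutine — confirm in logicaltest.Test.
			t.Fatal(err)
		}
		storage = conf.StorageView
		if err := b.Setup(ctx, conf); err != nil {
			return nil, err
		}
		return b, nil
	}

	logicaltest.Test(t, logicaltest.TestCase{
		CredentialFactory: factory,
		Steps: []logicaltest.TestStep{
			testAccStepMapAppId(t),
			testAccStepMapUserId(t),
			testAccLogin(t, ""),
			testAccLoginAppIDInPath(t, ""),
			testAccLoginInvalid(t),
			testAccStepDeleteUserId(t),
			testAccLoginDeleted(t),
		},
	})

	// Listing the app-id map must expose only the salted key, never the
	// plaintext app-id that was written by testAccStepMapAppId.
	req := &logical.Request{
		Path:      "map/app-id",
		Operation: logical.ListOperation,
		Storage:   storage,
	}
	resp, err := b.HandleRequest(context.Background(), req)
	if err != nil {
		t.Fatal(err)
	}
	if resp == nil {
		t.Fatal("nil response")
	}
	// Checked assertion: a missing or mistyped "keys" entry becomes a test
	// failure with the offending type instead of a panic.
	keys, ok := resp.Data["keys"].([]string)
	if !ok {
		t.Fatalf("expected keys to be []string, got %T", resp.Data["keys"])
	}
	if len(keys) != 1 {
		t.Fatalf("expected 1 key, got %d", len(keys))
	}

	bSalt, err := b.Salt(context.Background())
	if err != nil {
		t.Fatal(err)
	}
	// The stored key is "s" followed by the salted SHA-256 hash of "foo".
	if keys[0] != "s"+bSalt.SaltIDHashFunc("foo", salt.SHA256Hash) {
		t.Fatal("value was improperly salted")
	}
}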
// TestBackend_cidr binds user-id 42 to a CIDR block and checks that the
// binding is enforced at login: an address inside the block is accepted,
// an address outside it is rejected, and a request with no remote address
// is rejected as well (the bound is not skipped when the address is unknown).
func TestBackend_cidr(t *testing.T) {
	// The block is written with host bits set (192.168.1.0/16); whether the
	// backend normalizes it to 192.168.0.0/16 is not visible from this test.
	steps := []logicaltest.TestStep{
		testAccStepMapAppIdDisplayName(t),
		testAccStepMapUserIdCidr(t, "192.168.1.0/16"),
		testAccLoginCidr(t, "192.168.1.5", false),
		testAccLoginCidr(t, "10.0.1.5", true),
		testAccLoginCidr(t, "", true),
	}

	logicaltest.Test(t, logicaltest.TestCase{
		CredentialFactory: Factory,
		Steps:             steps,
	})
}
// TestBackend_displayName runs the basic login sequence with a display name
// ("tubbin") attached to the app-id and checks that both login forms report
// it, that an unknown user-id is rejected, and that a deleted user-id can no
// longer log in.
func TestBackend_displayName(t *testing.T) {
	steps := []logicaltest.TestStep{
		testAccStepMapAppIdDisplayName(t),
		testAccStepMapUserId(t),
		testAccLogin(t, "tubbin"),
		testAccLoginAppIDInPath(t, "tubbin"),
		testAccLoginInvalid(t),
		testAccStepDeleteUserId(t),
		testAccLoginDeleted(t),
	}

	logicaltest.Test(t, logicaltest.TestCase{
		CredentialFactory: Factory,
		Steps:             steps,
	})
}
// testAccStepMapAppId writes app-id "foo" with value "foo,bar" to
// map/app-id/foo; the login steps later expect these names back as policies.
func testAccStepMapAppId(t *testing.T) logicaltest.TestStep {
	data := map[string]interface{}{
		"value": "foo,bar",
	}
	step := logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "map/app-id/foo",
		Data:      data,
	}
	return step
}
// testAccStepMapAppIdDisplayName writes app-id "foo" like testAccStepMapAppId
// but additionally sets display_name to "tubbin".
func testAccStepMapAppIdDisplayName(t *testing.T) logicaltest.TestStep {
	data := map[string]interface{}{
		"display_name": "tubbin",
		"value":        "foo,bar",
	}
	step := logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "map/app-id/foo",
		Data:      data,
	}
	return step
}
// testAccStepMapUserId maps user-id "42" to app-id "foo" via map/user-id/42.
func testAccStepMapUserId(t *testing.T) logicaltest.TestStep {
	data := map[string]interface{}{
		"value": "foo",
	}
	step := logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "map/user-id/42",
		Data:      data,
	}
	return step
}
// testAccStepDeleteUserId removes the mapping for user-id "42" so that a
// following login with that user-id must be rejected.
func testAccStepDeleteUserId(t *testing.T) logicaltest.TestStep {
	step := logicaltest.TestStep{
		Operation: logical.DeleteOperation,
		Path:      "map/user-id/42",
	}
	return step
}
// testAccStepMapUserIdCidr maps user-id "42" to app-id "foo" and restricts
// logins for that user-id to the given cidr_block.
func testAccStepMapUserIdCidr(t *testing.T, cidr string) logicaltest.TestStep {
	data := map[string]interface{}{
		"value":      "foo",
		"cidr_block": cidr,
	}
	step := logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "map/user-id/42",
		Data:      data,
	}
	return step
}
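// testAccCheckLoginTTL verifies that a login response carries the lease TTL
// the app-id backend is expected to issue (768h). It is shared by both login
// steps, which previously each carried an identical closure. A response
// without auth data is reported as a check failure rather than dereferencing
// a nil Auth.
func testAccCheckLoginTTL(resp *logical.Response) error {
	if resp == nil || resp.Auth == nil {
		return fmt.Errorf("invalid TTL: response carries no auth data")
	}
	if resp.Auth.LeaseOptions.TTL.String() != "768h0m0s" {
		return fmt.Errorf("invalid TTL: got %s", resp.Auth.LeaseOptions.TTL)
	}
	return nil
}

// testAccLogin logs in with app_id "foo" and user_id "42" in the request
// body. The step is unauthenticated and expects the policies bar, default
// and foo, the given display name, and the standard lease TTL.
func testAccLogin(t *testing.T, display string) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "login",
		Data: map[string]interface{}{
			"app_id":  "foo",
			"user_id": "42",
		},
		Unauthenticated: true,

		Check: logicaltest.TestCheckMulti(
			logicaltest.TestCheckAuth([]string{"bar", "default", "foo"}),
			logicaltest.TestCheckAuthDisplayName(display),
			testAccCheckLoginTTL,
		),
	}
}

// testAccLoginAppIDInPath is the same login as testAccLogin, but with the
// app_id carried in the path ("login/foo") and only user_id in the body.
// It expects the identical policies, display name and lease TTL.
func testAccLoginAppIDInPath(t *testing.T, display string) logicaltest.TestStep {
	return logicaltest.TestStep{
		Operation: logical.UpdateOperation,
		Path:      "login/foo",
		Data: map[string]interface{}{
			"user_id": "42",
		},
		Unauthenticated: true,

		Check: logicaltest.TestCheckMulti(
			logicaltest.TestCheckAuth([]string{"bar", "default", "foo"}),
			logicaltest.TestCheckAuthDisplayName(display),
			testAccCheckLoginTTL,
		),
	}
}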
// testAccLoginCidr logs in as app_id "foo" / user_id "42" from the remote
// address ip. When err is true the step expects the login to be rejected
// (ErrorOk is set and the check demands an error); otherwise it expects the
// policies bar, default and foo.
func testAccLoginCidr(t *testing.T, ip string, err bool) logicaltest.TestStep {
	expectAuth := !err

	check := logicaltest.TestCheckError()
	if expectAuth {
		check = logicaltest.TestCheckAuth([]string{"bar", "default", "foo"})
	}

	data := map[string]interface{}{
		"app_id":  "foo",
		"user_id": "42",
	}

	step := logicaltest.TestStep{
		Operation:       logical.UpdateOperation,
		Path:            "login",
		Data:            data,
		ErrorOk:         err,
		Unauthenticated: true,
		RemoteAddr:      ip,

		Check: check,
	}
	return step
}
// testAccLoginInvalid attempts a login with an unmapped user_id ("48") and
// requires the backend to reject it.
func testAccLoginInvalid(t *testing.T) logicaltest.TestStep {
	data := map[string]interface{}{
		"app_id":  "foo",
		"user_id": "48",
	}

	step := logicaltest.TestStep{
		Operation:       logical.UpdateOperation,
		Path:            "login",
		Data:            data,
		ErrorOk:         true,
		Unauthenticated: true,

		Check: logicaltest.TestCheckError(),
	}
	return step
}
|
2015-05-14 12:30:02 +00:00
|
|
|
|
|
|
|
// testAccLoginDeleted attempts a login with user_id "42" after its mapping
// has been deleted and requires the backend to reject it.
func testAccLoginDeleted(t *testing.T) logicaltest.TestStep {
	data := map[string]interface{}{
		"app_id":  "foo",
		"user_id": "42",
	}

	step := logicaltest.TestStep{
		Operation:       logical.UpdateOperation,
		Path:            "login",
		Data:            data,
		ErrorOk:         true,
		Unauthenticated: true,

		Check: logicaltest.TestCheckError(),
	}
	return step
}