open-vault/builtin/credential/app-id/backend_test.go

240 lines
5.6 KiB
Go
Raw Normal View History

2015-04-05 01:40:21 +00:00
package appId
import (
"context"
"fmt"
2015-04-05 01:40:21 +00:00
"testing"
"github.com/hashicorp/vault/sdk/helper/salt"
"github.com/hashicorp/vault/sdk/logical"
logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
2015-04-05 01:40:21 +00:00
)
func TestBackend_basic(t *testing.T) {
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
var b *backend
2017-06-05 15:37:16 +00:00
var err error
var storage logical.Storage
factory := func(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
2017-06-05 15:37:16 +00:00
b, err = Backend(conf)
if err != nil {
t.Fatal(err)
}
storage = conf.StorageView
if err := b.Setup(ctx, conf); err != nil {
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
return nil, err
}
return b, nil
2017-06-05 15:37:16 +00:00
}
2015-04-05 01:40:21 +00:00
logicaltest.Test(t, logicaltest.TestCase{
2018-11-07 01:21:24 +00:00
CredentialFactory: factory,
2015-04-05 01:40:21 +00:00
Steps: []logicaltest.TestStep{
testAccStepMapAppId(t),
testAccStepMapUserId(t),
testAccLogin(t, ""),
testAccLoginAppIDInPath(t, ""),
testAccLoginInvalid(t),
testAccStepDeleteUserId(t),
testAccLoginDeleted(t),
},
})
2017-06-05 15:37:16 +00:00
req := &logical.Request{
Path: "map/app-id",
Operation: logical.ListOperation,
Storage: storage,
}
resp, err := b.HandleRequest(context.Background(), req)
2017-06-05 15:37:16 +00:00
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("nil response")
}
keys := resp.Data["keys"].([]string)
if len(keys) != 1 {
t.Fatalf("expected 1 key, got %d", len(keys))
}
bSalt, err := b.Salt(context.Background())
2017-06-05 15:37:16 +00:00
if err != nil {
t.Fatal(err)
}
if keys[0] != "s"+bSalt.SaltIDHashFunc("foo", salt.SHA256Hash) {
2017-06-05 15:37:16 +00:00
t.Fatal("value was improperly salted")
}
}
func TestBackend_cidr(t *testing.T) {
logicaltest.Test(t, logicaltest.TestCase{
2018-11-07 01:21:24 +00:00
CredentialFactory: Factory,
Steps: []logicaltest.TestStep{
testAccStepMapAppIdDisplayName(t),
testAccStepMapUserIdCidr(t, "192.168.1.0/16"),
testAccLoginCidr(t, "192.168.1.5", false),
testAccLoginCidr(t, "10.0.1.5", true),
testAccLoginCidr(t, "", true),
},
})
}
func TestBackend_displayName(t *testing.T) {
logicaltest.Test(t, logicaltest.TestCase{
2018-11-07 01:21:24 +00:00
CredentialFactory: Factory,
Steps: []logicaltest.TestStep{
testAccStepMapAppIdDisplayName(t),
testAccStepMapUserId(t),
testAccLogin(t, "tubbin"),
testAccLoginAppIDInPath(t, "tubbin"),
2015-04-05 01:40:21 +00:00
testAccLoginInvalid(t),
testAccStepDeleteUserId(t),
testAccLoginDeleted(t),
2015-04-05 01:40:21 +00:00
},
})
}
func testAccStepMapAppId(t *testing.T) logicaltest.TestStep {
return logicaltest.TestStep{
2016-01-07 15:30:47 +00:00
Operation: logical.UpdateOperation,
2015-04-05 01:40:21 +00:00
Path: "map/app-id/foo",
Data: map[string]interface{}{
"value": "foo,bar",
},
}
}
func testAccStepMapAppIdDisplayName(t *testing.T) logicaltest.TestStep {
return logicaltest.TestStep{
2016-01-07 15:30:47 +00:00
Operation: logical.UpdateOperation,
Path: "map/app-id/foo",
Data: map[string]interface{}{
"display_name": "tubbin",
"value": "foo,bar",
},
}
}
2015-04-05 01:40:21 +00:00
func testAccStepMapUserId(t *testing.T) logicaltest.TestStep {
return logicaltest.TestStep{
2016-01-07 15:30:47 +00:00
Operation: logical.UpdateOperation,
2015-04-05 01:40:21 +00:00
Path: "map/user-id/42",
Data: map[string]interface{}{
"value": "foo",
},
}
}
func testAccStepDeleteUserId(t *testing.T) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.DeleteOperation,
Path: "map/user-id/42",
}
}
func testAccStepMapUserIdCidr(t *testing.T, cidr string) logicaltest.TestStep {
return logicaltest.TestStep{
2016-01-07 15:30:47 +00:00
Operation: logical.UpdateOperation,
Path: "map/user-id/42",
Data: map[string]interface{}{
"value": "foo",
"cidr_block": cidr,
},
}
}
func testAccLogin(t *testing.T, display string) logicaltest.TestStep {
checkTTL := func(resp *logical.Response) error {
if resp.Auth.LeaseOptions.TTL.String() != "768h0m0s" {
return fmt.Errorf("invalid TTL: got %s", resp.Auth.LeaseOptions.TTL)
}
return nil
}
2015-04-05 01:40:21 +00:00
return logicaltest.TestStep{
2016-01-07 15:30:47 +00:00
Operation: logical.UpdateOperation,
2015-04-05 01:40:21 +00:00
Path: "login",
Data: map[string]interface{}{
"app_id": "foo",
"user_id": "42",
},
Unauthenticated: true,
Check: logicaltest.TestCheckMulti(
logicaltest.TestCheckAuth([]string{"bar", "default", "foo"}),
logicaltest.TestCheckAuthDisplayName(display),
checkTTL,
),
}
}
func testAccLoginAppIDInPath(t *testing.T, display string) logicaltest.TestStep {
checkTTL := func(resp *logical.Response) error {
if resp.Auth.LeaseOptions.TTL.String() != "768h0m0s" {
return fmt.Errorf("invalid TTL: got %s", resp.Auth.LeaseOptions.TTL)
}
return nil
}
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "login/foo",
Data: map[string]interface{}{
"user_id": "42",
},
Unauthenticated: true,
Check: logicaltest.TestCheckMulti(
logicaltest.TestCheckAuth([]string{"bar", "default", "foo"}),
logicaltest.TestCheckAuthDisplayName(display),
checkTTL,
),
2015-04-05 01:40:21 +00:00
}
}
func testAccLoginCidr(t *testing.T, ip string, err bool) logicaltest.TestStep {
check := logicaltest.TestCheckError()
if !err {
check = logicaltest.TestCheckAuth([]string{"bar", "default", "foo"})
}
return logicaltest.TestStep{
2016-01-07 15:30:47 +00:00
Operation: logical.UpdateOperation,
Path: "login",
Data: map[string]interface{}{
"app_id": "foo",
"user_id": "42",
},
ErrorOk: err,
Unauthenticated: true,
RemoteAddr: ip,
Check: check,
}
}
2015-04-05 01:40:21 +00:00
func testAccLoginInvalid(t *testing.T) logicaltest.TestStep {
return logicaltest.TestStep{
2016-01-07 15:30:47 +00:00
Operation: logical.UpdateOperation,
2015-04-05 01:40:21 +00:00
Path: "login",
Data: map[string]interface{}{
"app_id": "foo",
"user_id": "48",
},
ErrorOk: true,
Unauthenticated: true,
Check: logicaltest.TestCheckError(),
}
}
func testAccLoginDeleted(t *testing.T) logicaltest.TestStep {
return logicaltest.TestStep{
2016-01-07 15:30:47 +00:00
Operation: logical.UpdateOperation,
Path: "login",
Data: map[string]interface{}{
"app_id": "foo",
"user_id": "42",
},
ErrorOk: true,
Unauthenticated: true,
Check: logicaltest.TestCheckError(),
}
}