open-vault/vault/policy_store_test.go

package vault

import (
	"reflect"
	"testing"

	"github.com/hashicorp/vault/logical"
)

func mockPolicyStore(t *testing.T) *PolicyStore {
	_, barrier, _ := mockBarrier(t)
	view := NewBarrierView(barrier, "foo/")
	p := NewPolicyStore(view, logical.TestSystemView())
	return p
}

func mockPolicyStoreNoCache(t *testing.T) *PolicyStore {
	sysView := logical.TestSystemView()
	sysView.CachingDisabledVal = true
	_, barrier, _ := mockBarrier(t)
	view := NewBarrierView(barrier, "foo/")
	p := NewPolicyStore(view, sysView)
	return p
}

func TestPolicyStore_Root(t *testing.T) {
	ps := mockPolicyStore(t)

	// Get should return a special policy
	p, err := ps.GetPolicy("root")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if p == nil {
		t.Fatalf("bad: %v", p)
	}
	if p.Name != "root" {
		t.Fatalf("bad: %v", p)
	}

	// Set should fail
	err = ps.SetPolicy(p)
	if err.Error() != "cannot update root policy" {
		t.Fatalf("err: %v", err)
	}

	// Delete should fail
	err = ps.DeletePolicy("root")
	if err.Error() != "cannot delete root policy" {
		t.Fatalf("err: %v", err)
	}
}

func TestPolicyStore_CRUD(t *testing.T) {
	ps := mockPolicyStore(t)
	testPolicyStore_CRUD(t, ps)

	ps = mockPolicyStoreNoCache(t)
	testPolicyStore_CRUD(t, ps)
}

func testPolicyStore_CRUD(t *testing.T, ps *PolicyStore) {
	// Get should return nothing
	p, err := ps.GetPolicy("dev")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if p != nil {
		t.Fatalf("bad: %v", p)
	}

	// Delete should be no-op
	err = ps.DeletePolicy("dev")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// List should be blank
	out, err := ps.ListPolicies()
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if len(out) != 0 {
		t.Fatalf("bad: %v", out)
	}

	// Set should work
	policy, _ := Parse(aclPolicy)
	err = ps.SetPolicy(policy)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// Get should work
	p, err = ps.GetPolicy("dev")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if !reflect.DeepEqual(p, policy) {
		t.Fatalf("bad: %v", p)
	}

	// List should be one element
	out, err = ps.ListPolicies()
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if len(out) != 1 || out[0] != "dev" {
		t.Fatalf("bad: %v", out)
	}

	// Delete should be clear the entry
	err = ps.DeletePolicy("dev")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// Get should fail
	p, err = ps.GetPolicy("dev")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if p != nil {
		t.Fatalf("bad: %v", p)
	}
}

// Test predefined policy handling
func TestPolicyStore_Predefined(t *testing.T) {
	core, _, _ := TestCoreUnsealed(t)
	// Ensure both default policies are created
	err := core.setupPolicyStore()
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	// List should be two elements
	out, err := core.policyStore.ListPolicies()
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	// This shouldn't contain response-wrapping since it's non-assignable
	if len(out) != 1 || out[0] != "default" {
		t.Fatalf("bad: %v", out)
	}

	pCubby, err := core.policyStore.GetPolicy("response-wrapping")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if pCubby.Raw != responseWrappingPolicy {
		t.Fatalf("bad: expected\n%s\ngot\n%s\n", responseWrappingPolicy, pCubby.Raw)
	}
	pRoot, err := core.policyStore.GetPolicy("root")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	err = core.policyStore.SetPolicy(pCubby)
	if err == nil {
		t.Fatalf("expected err setting %s", pCubby.Name)
	}
	err = core.policyStore.SetPolicy(pRoot)
	if err == nil {
		t.Fatalf("expected err setting %s", pRoot.Name)
	}
	err = core.policyStore.DeletePolicy(pCubby.Name)
	if err == nil {
		t.Fatalf("expected err deleting %s", pCubby.Name)
	}
	err = core.policyStore.DeletePolicy(pRoot.Name)
	if err == nil {
		t.Fatalf("expected err deleting %s", pRoot.Name)
	}
}

func TestPolicyStore_ACL(t *testing.T) {
	ps := mockPolicyStore(t)

	policy, _ := Parse(aclPolicy)
	err := ps.SetPolicy(policy)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	policy, _ = Parse(aclPolicy2)
	err = ps.SetPolicy(policy)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	acl, err := ps.ACL("dev", "ops")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	testLayeredACL(t, acl)
}

func TestPolicyStore_v1Upgrade(t *testing.T) {
	ps := mockPolicyStore(t)

	// Put a V1 record
	raw := `path "foo" { policy = "read" }`
	ps.view.Put(&logical.StorageEntry{Key: "old", Value: []byte(raw)})

	// Do a read
	p, err := ps.GetPolicy("old")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	if p == nil || len(p.Paths) != 1 {
		t.Fatalf("bad policy: %#v", p)
	}

	// Check that glob is enabled
	if !p.Paths[0].Glob {
		t.Fatalf("should enable glob")
	}
}
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`package vault`

			`import (`
			`"reflect"`
			`"testing"`
vault: upgrade old policies with implicit glob 2015-07-06 01:14:15 +00:00
			`"github.com/hashicorp/vault/logical"`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`)`

			`func mockPolicyStore(t testing.T) PolicyStore {`
			`_, barrier, _ := mockBarrier(t)`
			`view := NewBarrierView(barrier, "foo/")`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`p := NewPolicyStore(view, logical.TestSystemView())`
			`return p`
			`}`

			`func mockPolicyStoreNoCache(t testing.T) PolicyStore {`
			`sysView := logical.TestSystemView()`
Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`sysView.CachingDisabledVal = true`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`_, barrier, _ := mockBarrier(t)`
			`view := NewBarrierView(barrier, "foo/")`
			`p := NewPolicyStore(view, sysView)`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`return p`
			`}`

vault: Special case root policy 2015-03-24 18:27:21 +00:00			`func TestPolicyStore_Root(t *testing.T) {`
			`ps := mockPolicyStore(t)`

			`// Get should return a special policy`
			`p, err := ps.GetPolicy("root")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if p == nil {`
			`t.Fatalf("bad: %v", p)`
			`}`
			`if p.Name != "root" {`
			`t.Fatalf("bad: %v", p)`
			`}`

			`// Set should fail`
			`err = ps.SetPolicy(p)`
			`if err.Error() != "cannot update root policy" {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// Delete should fail`
			`err = ps.DeletePolicy("root")`
			`if err.Error() != "cannot delete root policy" {`
			`t.Fatalf("err: %v", err)`
			`}`
			`}`

vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`func TestPolicyStore_CRUD(t *testing.T) {`
			`ps := mockPolicyStore(t)`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`testPolicyStore_CRUD(t, ps)`

			`ps = mockPolicyStoreNoCache(t)`
			`testPolicyStore_CRUD(t, ps)`
			`}`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`func testPolicyStore_CRUD(t testing.T, ps PolicyStore) {`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`// Get should return nothing`
			`p, err := ps.GetPolicy("dev")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if p != nil {`
			`t.Fatalf("bad: %v", p)`
			`}`

			`// Delete should be no-op`
			`err = ps.DeletePolicy("dev")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// List should be blank`
			`out, err := ps.ListPolicies()`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if len(out) != 0 {`
			`t.Fatalf("bad: %v", out)`
			`}`

			`// Set should work`
			`policy, _ := Parse(aclPolicy)`
			`err = ps.SetPolicy(policy)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// Get should work`
			`p, err = ps.GetPolicy("dev")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if !reflect.DeepEqual(p, policy) {`
			`t.Fatalf("bad: %v", p)`
			`}`

			`// List should be one element`
			`out, err = ps.ListPolicies()`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if len(out) != 1 \|\| out[0] != "dev" {`
			`t.Fatalf("bad: %v", out)`
			`}`

			`// Delete should be clear the entry`
			`err = ps.DeletePolicy("dev")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// Get should fail`
			`p, err = ps.GetPolicy("dev")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if p != nil {`
			`t.Fatalf("bad: %v", p)`
			`}`
			`}`

Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 04:08:07 +00:00			`// Test predefined policy handling`
			`func TestPolicyStore_Predefined(t *testing.T) {`
			`core, _, _ := TestCoreUnsealed(t)`
			`// Ensure both default policies are created`
			`err := core.setupPolicyStore()`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`// List should be two elements`
			`out, err := core.policyStore.ListPolicies()`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
Add test for non-assignable policies 2016-07-25 19:59:02 +00:00			`// This shouldn't contain response-wrapping since it's non-assignable`
			`if len(out) != 1 \|\| out[0] != "default" {`
Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 04:08:07 +00:00			`t.Fatalf("bad: %v", out)`
			`}`

cubbyhole-response-wrapping -> response-wrapping 2016-06-10 17:48:46 +00:00			`pCubby, err := core.policyStore.GetPolicy("response-wrapping")`
Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 04:08:07 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
Wrapping enhancements (#1927) 2016-09-29 04:01:28 +00:00			`if pCubby.Raw != responseWrappingPolicy {`
			`t.Fatalf("bad: expected\n%s\ngot\n%s\n", responseWrappingPolicy, pCubby.Raw)`
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 20:11:33 +00:00			`}`
			`pRoot, err := core.policyStore.GetPolicy("root")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`err = core.policyStore.SetPolicy(pCubby)`
			`if err == nil {`
			`t.Fatalf("expected err setting %s", pCubby.Name)`
			`}`
			`err = core.policyStore.SetPolicy(pRoot)`
			`if err == nil {`
			`t.Fatalf("expected err setting %s", pRoot.Name)`
			`}`
			`err = core.policyStore.DeletePolicy(pCubby.Name)`
			`if err == nil {`
			`t.Fatalf("expected err deleting %s", pCubby.Name)`
			`}`
			`err = core.policyStore.DeletePolicy(pRoot.Name)`
			`if err == nil {`
			`t.Fatalf("expected err deleting %s", pRoot.Name)`
Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 04:08:07 +00:00			`}`
			`}`

vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`func TestPolicyStore_ACL(t *testing.T) {`
			`ps := mockPolicyStore(t)`

			`policy, _ := Parse(aclPolicy)`
			`err := ps.SetPolicy(policy)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`policy, _ = Parse(aclPolicy2)`
			`err = ps.SetPolicy(policy)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`acl, err := ps.ACL("dev", "ops")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`testLayeredACL(t, acl)`
			`}`
vault: upgrade old policies with implicit glob 2015-07-06 01:14:15 +00:00
			`func TestPolicyStore_v1Upgrade(t *testing.T) {`
			`ps := mockPolicyStore(t)`

			`// Put a V1 record`
			raw := `path "foo" { policy = "read" }`
Fix warnings returned by `make vet` $GOPATH/src/github.com/hashicorp/vault/vault/policy.go:69: unreachable code $GOPATH/src/github.com/hashicorp/vault/vault/policy_store_test.go:139: github.com/hashicorp/vault/logical.StorageEntry composite literal uses unkeyed fields 2015-09-27 04:17:15 +00:00			`ps.view.Put(&logical.StorageEntry{Key: "old", Value: []byte(raw)})`
vault: upgrade old policies with implicit glob 2015-07-06 01:14:15 +00:00
			`// Do a read`
			`p, err := ps.GetPolicy("old")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`if p == nil \|\| len(p.Paths) != 1 {`
			`t.Fatalf("bad policy: %#v", p)`
			`}`

			`// Check that glob is enabled`
			`if !p.Paths[0].Glob {`
			`t.Fatalf("should enable glob")`
			`}`
			`}`