luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
open-vault/vault/logical_system_test.go

3583 lines
103 KiB
Go
Raw Normal View History

vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
package vault
import (
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
"context"
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
"crypto/sha256"
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
"encoding/base64"
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
"encoding/hex"
"fmt"
"io/ioutil"
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
"net/http"
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
"os"
"path/filepath"
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
"reflect"
Update tests for change in raw blacklisting
2016-04-19 20:26:26 +00:00
"strings"
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
"testing"
Plumb per-mount config options through API
2015-08-31 18:27:49 +00:00
"time"
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
Add DynamicSystemView. This uses a pointer to a pointer to always have up-to-date information. This allows remount to be implemented with the same source and dest, allowing mount options to be changed on the fly. If/when Vault gains the ability to HUP its configuration, this should just work for the global values as well. Need specific unit tests for this functionality.
2015-09-01 22:29:30 +00:00
"github.com/fatih/structs"
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"github.com/go-test/deep"
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
hclog "github.com/hashicorp/go-hclog"
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
"github.com/hashicorp/vault/audit"
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
"github.com/hashicorp/vault/helper/builtinplugins"
Fix hasMountPath for segment wildcard mounts; introduce priority order (#6532) * Add prioritization when multiple segment/glob rules can match. * Disallow ambiguous "+*" in policy paths.
2019-04-10 21:46:17 +00:00
"github.com/hashicorp/vault/helper/identity"
The big one (#5346)
2018-09-18 03:03:00 +00:00
"github.com/hashicorp/vault/helper/namespace"
Move sdk/helper/random -> helper/random (#9226) * This package is new for 1.5 so this is not a breaking change. * This is being moved because this code was originally intended to be used within plugins, however the design of password policies has changed such that this is no longer needed. Thus, this code doesn't need to be in the public SDK.
2020-06-17 20:24:38 +00:00
"github.com/hashicorp/vault/helper/random"
Switch to go modules (#6585) * Switch to go modules * Make fmt
2019-04-13 07:44:06 +00:00
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/jsonutil"
Create sdk/ and api/ submodules (#6583)
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/helper/salt"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/sdk/version"
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
"github.com/mitchellh/mapstructure"
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
)
func TestSystemBackend_RootPaths(t *testing.T) {
expected := []string{
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
"auth/*",
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
"remount",
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
"audit",
"audit/*",
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
"raw",
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
"raw/*",
Make reindex a root path as well
2017-02-17 04:36:06 +00:00
"replication/primary/secondary-token",
The big one (#5346)
2018-09-18 03:03:00 +00:00
"replication/performance/primary/secondary-token",
"replication/dr/primary/secondary-token",
Make reindex a root path as well
2017-02-17 04:36:06 +00:00
"replication/reindex",
The big one (#5346)
2018-09-18 03:03:00 +00:00
"replication/dr/reindex",
"replication/performance/reindex",
vault: adding sys/key-status and sys/rotate
2015-05-28 00:53:42 +00:00
"rotate",
Fix root paths test
2017-06-17 05:51:42 +00:00
"config/cors",
Configure the request headers that are output to the audit log (#2321) * Add /sys/config/audited-headers endpoint for configuring the headers that will be audited * Remove some debug lines * Add a persistant layer and refactor a bit * update the api endpoints to be more restful * Add comments and clean up a few functions * Remove unneeded hash structure functionaility * Fix existing tests * Add tests * Add test for Applying the header config * Add Benchmark for the ApplyConfig method * ResetTimer on the benchmark: * Update the headers comment * Add test for audit broker * Use hyphens instead of camel case * Add size paramater to the allocation of the result map * Fix the tests for the audit broker * PR feedback * update the path and permissions on config/* paths * Add docs file * Fix TestSystemBackend_RootPaths test
2017-02-02 19:49:20 +00:00
"config/auditing/*",
Fix compilation and tests failures (#4254)
2018-04-03 18:07:43 +00:00
"config/ui/headers/*",
Update root paths test
2017-04-24 19:47:40 +00:00
"plugins/catalog/*",
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
"revoke-prefix/*",
root protect /sys/revoke-force/* (#2876)
2017-07-25 15:59:43 +00:00
"revoke-force/*",
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
"leases/revoke-prefix/*",
"leases/revoke-force/*",
"leases/lookup/*",
OSS changes for enterprise automated snapshots (#10160)
2020-10-16 18:57:11 +00:00
"storage/raft/snapshot-auto/config/*",
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
b := testSystemBackend(t)
logical: move cred stuff over here
2015-03-31 00:46:18 +00:00
actual := b.SpecialPaths().Root
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
if !reflect.DeepEqual(actual, expected) {
Fix compilation and tests failures (#4254)
2018-04-03 18:07:43 +00:00
t.Fatalf("bad: mismatch\nexpected:\n%#v\ngot:\n%#v", expected, actual)
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
}
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
func TestSystemConfigCORS(t *testing.T) {
b := testSystemBackend(t)
Fix up CORS. Ref #2021
2017-06-17 05:26:25 +00:00
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "")
b.(*SystemBackend).Core.systemBarrierView = view
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "config/cors")
req.Data["allowed_origins"] = "http://www.example.com"
Set allowed headers via API instead of defaulting to wildcard. (#3023)
2017-08-07 14:03:30 +00:00
req.Data["allowed_headers"] = "X-Custom-Header"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err := b.HandleRequest(namespace.RootContext(nil), req)
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
if err != nil {
t.Fatal(err)
}
expected := &logical.Response{
Data: map[string]interface{}{
"enabled": true,
Fix up CORS. Ref #2021
2017-06-17 05:26:25 +00:00
"allowed_origins": []string{"http://www.example.com"},
Fix exporting stdAllowedHeaders
2017-08-07 19:02:08 +00:00
"allowed_headers": append(StdAllowedHeaders, "X-Custom-Header"),
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
},
}
req = logical.TestRequest(t, logical.ReadOperation, "config/cors")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
actual, err := b.HandleRequest(namespace.RootContext(nil), req)
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(actual, expected) {
Fix up CORS. Ref #2021
2017-06-17 05:26:25 +00:00
t.Fatalf("bad: %#v", actual)
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
}
Don't duplicate CORS headers (#6207) Fixes #6182
2019-02-11 18:10:26 +00:00
// Do it again. Bug #6182
req = logical.TestRequest(t, logical.UpdateOperation, "config/cors")
req.Data["allowed_origins"] = "http://www.example.com"
req.Data["allowed_headers"] = "X-Custom-Header"
_, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatal(err)
}
req = logical.TestRequest(t, logical.ReadOperation, "config/cors")
actual, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: %#v", actual)
}
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
req = logical.TestRequest(t, logical.DeleteOperation, "config/cors")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err = b.HandleRequest(namespace.RootContext(nil), req)
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
req = logical.TestRequest(t, logical.ReadOperation, "config/cors")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
actual, err = b.HandleRequest(namespace.RootContext(nil), req)
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
expected = &logical.Response{
Data: map[string]interface{}{
Fix up CORS. Ref #2021
2017-06-17 05:26:25 +00:00
"enabled": false,
Cors headers (#2021)
2017-06-17 04:04:55 +00:00
},
}
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("DELETE FAILED -- bad: %#v", actual)
}
}
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
func TestSystemBackend_mounts(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.ReadOperation, "mounts")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Add DynamicSystemView. This uses a pointer to a pointer to always have up-to-date information. This allows remount to be implemented with the same source and dest, allowing mount options to be changed on the fly. If/when Vault gains the ability to HUP its configuration, this should just work for the global values as well. Need specific unit tests for this functionality.
2015-09-01 22:29:30 +00:00
// We can't know the pointer address ahead of time so simply
// copy what's given
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
exp := map[string]interface{}{
Plumb per-mount config options through API
2015-08-31 18:27:49 +00:00
"secret/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "kv",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "key/value secret storage",
"accessor": resp.Data["secret/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["secret/"].(map[string]interface{})["uuid"],
Plumb per-mount config options through API
2015-08-31 18:27:49 +00:00
"config": map[string]interface{}{
Made default_lease_ttl and max_lease_ttl as int64 and fixed tests
2016-06-21 00:08:12 +00:00
"default_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
Add option to disable caching per-backend. (#2455)
2017-03-08 14:20:09 +00:00
"force_no_cache": false,
Plumb per-mount config options through API
2015-08-31 18:27:49 +00:00
},
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"local": false,
"seal_wrap": false,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string{
Fix tests from version update
2018-04-09 20:14:44 +00:00
"version": "1",
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
},
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
},
Plumb per-mount config options through API
2015-08-31 18:27:49 +00:00
"sys/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "system",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "system endpoints used for control, policy and debugging",
"accessor": resp.Data["sys/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["sys/"].(map[string]interface{})["uuid"],
Plumb per-mount config options through API
2015-08-31 18:27:49 +00:00
"config": map[string]interface{}{
make fmt
2019-02-20 20:12:21 +00:00
"default_lease_ttl": resp.Data["sys/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["sys/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
Fix TestSystemBackend_mount, TestSystemBackend_mounts. (#6247)
2019-02-15 19:14:45 +00:00
"passthrough_request_headers": []string{"Accept"},
Plumb per-mount config options through API
2015-08-31 18:27:49 +00:00
},
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"local": false,
"seal_wrap": false,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string(nil),
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
},
Implement the cubbyhole backend In order to implement this efficiently, I have introduced the concept of "singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't much reason to allow sys to be mounted at multiple places, and there isn't much reason you'd need multiple per-token storage areas. By restricting it to just one, I can store that particular mount instead of iterating through them in order to call the appropriate revoke function. Additionally, because revocation on the backend needs to be triggered by the token store, the token store's salt is kept in the router and client tokens going to the cubbyhole backend are double-salted by the router. This allows the token store to drive when revocation happens using its salted tokens.
2015-09-10 01:58:09 +00:00
"cubbyhole/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "per-token private secret storage",
"type": "cubbyhole",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"accessor": resp.Data["cubbyhole/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["cubbyhole/"].(map[string]interface{})["uuid"],
Implement the cubbyhole backend In order to implement this efficiently, I have introduced the concept of "singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't much reason to allow sys to be mounted at multiple places, and there isn't much reason you'd need multiple per-token storage areas. By restricting it to just one, I can store that particular mount instead of iterating through them in order to call the appropriate revoke function. Additionally, because revocation on the backend needs to be triggered by the token store, the token store's salt is kept in the router and client tokens going to the cubbyhole backend are double-salted by the router. This allows the token store to drive when revocation happens using its salted tokens.
2015-09-10 01:58:09 +00:00
"config": map[string]interface{}{
Made default_lease_ttl and max_lease_ttl as int64 and fixed tests
2016-06-21 00:08:12 +00:00
"default_lease_ttl": resp.Data["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
Add option to disable caching per-backend. (#2455)
2017-03-08 14:20:09 +00:00
"force_no_cache": false,
Implement the cubbyhole backend In order to implement this efficiently, I have introduced the concept of "singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't much reason to allow sys to be mounted at multiple places, and there isn't much reason you'd need multiple per-token storage areas. By restricting it to just one, I can store that particular mount instead of iterating through them in order to call the appropriate revoke function. Additionally, because revocation on the backend needs to be triggered by the token store, the token store's salt is kept in the router and client tokens going to the cubbyhole backend are double-salted by the router. This allows the token store to drive when revocation happens using its salted tokens.
2015-09-10 01:58:09 +00:00
},
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"local": true,
"seal_wrap": false,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string(nil),
Implement the cubbyhole backend In order to implement this efficiently, I have introduced the concept of "singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't much reason to allow sys to be mounted at multiple places, and there isn't much reason you'd need multiple per-token storage areas. By restricting it to just one, I can store that particular mount instead of iterating through them in order to call the appropriate revoke function. Additionally, because revocation on the backend needs to be triggered by the token store, the token store's salt is kept in the router and client tokens going to the cubbyhole backend are double-salted by the router. This allows the token store to drive when revocation happens using its salted tokens.
2015-09-10 01:58:09 +00:00
},
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
"identity/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "identity store",
"type": "identity",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"accessor": resp.Data["identity/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["identity/"].(map[string]interface{})["uuid"],
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
"config": map[string]interface{}{
"default_lease_ttl": resp.Data["identity/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["identity/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
},
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"local": false,
"seal_wrap": false,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string(nil),
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
},
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
Fix TestSystemBackend_mount, TestSystemBackend_mounts. (#6247)
2019-02-15 19:14:45 +00:00
if diff := deep.Equal(resp.Data, exp); len(diff) > 0 {
t.Fatalf("bad, diff: %#v", diff)
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
}
func TestSystemBackend_mount(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/")
Rename "generic" secret backend to "kv" (#3292)
2017-09-15 13:02:29 +00:00
req.Data["type"] = "kv"
Add TTL related config options on auth enable (#4019)
2018-02-22 15:26:29 +00:00
req.Data["config"] = map[string]interface{}{
"default_lease_ttl": "35m",
"max_lease_ttl": "45m",
}
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
req.Data["local"] = true
req.Data["seal_wrap"] = true
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
req.Data["options"] = map[string]string{
Fix tests from version update
2018-04-09 20:14:44 +00:00
"version": "1",
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
}
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "mounts")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// We can't know the pointer address ahead of time so simply
// copy what's given
exp := map[string]interface{}{
"secret/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "kv",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "key/value secret storage",
"accessor": resp.Data["secret/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["secret/"].(map[string]interface{})["uuid"],
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"config": map[string]interface{}{
"default_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
},
"local": false,
"seal_wrap": false,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string{
Fix tests from version update
2018-04-09 20:14:44 +00:00
"version": "1",
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
},
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
"sys/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "system",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "system endpoints used for control, policy and debugging",
"accessor": resp.Data["sys/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["sys/"].(map[string]interface{})["uuid"],
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"config": map[string]interface{}{
make fmt
2019-02-20 20:12:21 +00:00
"default_lease_ttl": resp.Data["sys/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["sys/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
Fix TestSystemBackend_mount, TestSystemBackend_mounts. (#6247)
2019-02-15 19:14:45 +00:00
"passthrough_request_headers": []string{"Accept"},
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
"local": false,
"seal_wrap": false,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string(nil),
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
"cubbyhole/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "per-token private secret storage",
"type": "cubbyhole",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"accessor": resp.Data["cubbyhole/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["cubbyhole/"].(map[string]interface{})["uuid"],
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"config": map[string]interface{}{
"default_lease_ttl": resp.Data["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
},
"local": true,
"seal_wrap": false,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string(nil),
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
"identity/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "identity store",
"type": "identity",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"accessor": resp.Data["identity/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["identity/"].(map[string]interface{})["uuid"],
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"config": map[string]interface{}{
"default_lease_ttl": resp.Data["identity/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["identity/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
},
"local": false,
"seal_wrap": false,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string(nil),
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
"prod/secret/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "",
"type": "kv",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"accessor": resp.Data["prod/secret/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["prod/secret/"].(map[string]interface{})["uuid"],
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"config": map[string]interface{}{
Add TTL related config options on auth enable (#4019)
2018-02-22 15:26:29 +00:00
"default_lease_ttl": int64(2100),
"max_lease_ttl": int64(2700),
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"force_no_cache": false,
},
"local": true,
"seal_wrap": true,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string{
Fix tests from version update
2018-04-09 20:14:44 +00:00
"version": "1",
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
},
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
}
Fix TestSystemBackend_mount, TestSystemBackend_mounts. (#6247)
2019-02-15 19:14:45 +00:00
if diff := deep.Equal(resp.Data, exp); len(diff) > 0 {
t.Fatalf("bad: diff: %#v", diff)
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
}
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
Add option to disable caching per-backend. (#2455)
2017-03-08 14:20:09 +00:00
func TestSystemBackend_mount_force_no_cache(t *testing.T) {
core, b, _ := testCoreSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/")
Rename "generic" secret backend to "kv" (#3292)
2017-09-15 13:02:29 +00:00
req.Data["type"] = "kv"
Add option to disable caching per-backend. (#2455)
2017-03-08 14:20:09 +00:00
req.Data["config"] = map[string]interface{}{
"force_no_cache": true,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Add option to disable caching per-backend. (#2455)
2017-03-08 14:20:09 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
mountEntry := core.router.MatchingMountEntry(namespace.RootContext(nil), "prod/secret/")
Add option to disable caching per-backend. (#2455)
2017-03-08 14:20:09 +00:00
if mountEntry == nil {
t.Fatalf("missing mount entry")
}
if !mountEntry.Config.ForceNoCache {
t.Fatalf("bad config %#v", mountEntry)
}
}
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
func TestSystemBackend_mount_invalid(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "mounts/prod/secret/")
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
req.Data["type"] = "nope"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: convert to logical.Request and friends
2015-03-15 21:53:41 +00:00
if err != logical.ErrInvalidRequest {
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
t.Fatalf("err: %v", err)
}
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
if resp.Data["error"] != `plugin not found in the catalog: nope` {
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_unmount(t *testing.T) {
b := testSystemBackend(t)
vault: change to /sys/mounts
2015-03-16 17:52:35 +00:00
req := logical.TestRequest(t, logical.DeleteOperation, "mounts/secret/")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
var capabilitiesPolicy = `
name = "test"
path "foo/bar*" {
capabilities = ["create", "sudo", "update"]
}
path "sys/capabilities*" {
capabilities = ["update"]
}
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
path "bar/baz" {
capabilities = ["read", "update"]
}
path "bar/baz" {
capabilities = ["delete"]
}
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
`
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
func TestSystemBackend_PathCapabilities(t *testing.T) {
var resp *logical.Response
var err error
core, b, rootToken := testCoreSystemBackend(t)
The big one (#5346)
2018-09-18 03:03:00 +00:00
policy, _ := ParseACLPolicy(namespace.RootNamespace, capabilitiesPolicy)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = core.policyStore.SetPolicy(namespace.RootContext(nil), policy)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
path1 := "foo/bar"
path2 := "foo/bar/sample"
path3 := "sys/capabilities"
path4 := "bar/baz"
rootCheckFunc := func(t *testing.T, resp *logical.Response) {
// All the paths should have "root" as the capability
expectedRoot := []string{"root"}
if !reflect.DeepEqual(resp.Data[path1], expectedRoot) ||
!reflect.DeepEqual(resp.Data[path2], expectedRoot) ||
!reflect.DeepEqual(resp.Data[path3], expectedRoot) ||
!reflect.DeepEqual(resp.Data[path4], expectedRoot) {
t.Fatalf("bad: capabilities; expected: %#v, actual: %#v", expectedRoot, resp.Data)
}
}
// Check the capabilities using the root token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
Path: "capabilities",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"paths": []string{path1, path2, path3, path4},
"token": rootToken,
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
rootCheckFunc(t, resp)
// Check the capabilities using capabilities-self
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
ClientToken: rootToken,
Path: "capabilities-self",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"paths": []string{path1, path2, path3, path4},
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
rootCheckFunc(t, resp)
// Lookup the accessor of the root token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err := core.tokenStore.Lookup(namespace.RootContext(nil), rootToken)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
if err != nil {
t.Fatal(err)
}
// Check the capabilities using capabilities-accessor endpoint
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
Path: "capabilities-accessor",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"paths": []string{path1, path2, path3, path4},
"accessor": te.Accessor,
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
rootCheckFunc(t, resp)
// Create a non-root token
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"})
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
nonRootCheckFunc := func(t *testing.T, resp *logical.Response) {
expected1 := []string{"create", "sudo", "update"}
expected2 := expected1
expected3 := []string{"update"}
expected4 := []string{"delete", "read", "update"}
if !reflect.DeepEqual(resp.Data[path1], expected1) ||
!reflect.DeepEqual(resp.Data[path2], expected2) ||
!reflect.DeepEqual(resp.Data[path3], expected3) ||
!reflect.DeepEqual(resp.Data[path4], expected4) {
t.Fatalf("bad: capabilities; actual: %#v", resp.Data)
}
}
// Check the capabilities using a non-root token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
Path: "capabilities",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"paths": []string{path1, path2, path3, path4},
"token": "tokenid",
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
nonRootCheckFunc(t, resp)
// Check the capabilities of a non-root token using capabilities-self
// endpoint
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
ClientToken: "tokenid",
Path: "capabilities-self",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"paths": []string{path1, path2, path3, path4},
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
nonRootCheckFunc(t, resp)
// Lookup the accessor of the non-root token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = core.tokenStore.Lookup(namespace.RootContext(nil), "tokenid")
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
if err != nil {
t.Fatal(err)
}
// Check the capabilities using a non-root token using
// capabilities-accessor endpoint
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), &logical.Request{
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
Path: "capabilities-accessor",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"paths": []string{path1, path2, path3, path4},
"accessor": te.Accessor,
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
nonRootCheckFunc(t, resp)
}
func TestSystemBackend_Capabilities_BC(t *testing.T) {
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
testCapabilities(t, "capabilities")
testCapabilities(t, "capabilities-self")
}
func testCapabilities(t *testing.T, endpoint string) {
core, b, rootToken := testCoreSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, endpoint)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
if endpoint == "capabilities-self" {
req.ClientToken = rootToken
} else {
req.Data["token"] = rootToken
}
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
req.Data["path"] = "any_path"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatalf("bad: %v", resp)
}
actual := resp.Data["capabilities"]
expected := []string{"root"}
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
policy, _ := ParseACLPolicy(namespace.RootNamespace, capabilitiesPolicy)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = core.policyStore.SetPolicy(namespace.RootContext(nil), policy)
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"})
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
req = logical.TestRequest(t, logical.UpdateOperation, endpoint)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
if endpoint == "capabilities-self" {
req.ClientToken = "tokenid"
} else {
req.Data["token"] = "tokenid"
}
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
req.Data["path"] = "foo/bar"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil {
t.Fatalf("bad: %v", resp)
}
actual = resp.Data["capabilities"]
Sort the capabilities before returning
2016-03-18 16:40:17 +00:00
expected = []string{"create", "sudo", "update"}
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
}
}
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
func TestSystemBackend_CapabilitiesAccessor_BC(t *testing.T) {
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
core, b, rootToken := testCoreSystemBackend(t)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err := core.tokenStore.Lookup(namespace.RootContext(nil), rootToken)
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if err != nil {
t.Fatal(err)
}
Rename PrepareRequest to PrepareRequestFunc
2016-03-18 14:37:49 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "capabilities-accessor")
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
// Accessor of root token
req.Data["accessor"] = te.Accessor
req.Data["path"] = "any_path"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Rename PrepareRequest to PrepareRequestFunc
2016-03-18 14:37:49 +00:00
if err != nil {
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
t.Fatalf("err: %v", err)
}
if resp == nil {
t.Fatalf("bad: %v", resp)
}
actual := resp.Data["capabilities"]
expected := []string{"root"}
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
policy, _ := ParseACLPolicy(namespace.RootNamespace, capabilitiesPolicy)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = core.policyStore.SetPolicy(namespace.RootContext(nil), policy)
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"})
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = core.tokenStore.Lookup(namespace.RootContext(nil), "tokenid")
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if err != nil {
t.Fatal(err)
}
req = logical.TestRequest(t, logical.UpdateOperation, "capabilities-accessor")
req.Data["accessor"] = te.Accessor
req.Data["path"] = "foo/bar"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil {
t.Fatalf("bad: %v", resp)
}
actual = resp.Data["capabilities"]
Sort the capabilities before returning
2016-03-18 16:40:17 +00:00
expected = []string{"create", "sudo", "update"}
Tests for capabilites in system backend
2016-03-18 15:58:06 +00:00
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
Rename PrepareRequest to PrepareRequestFunc
2016-03-18 14:37:49 +00:00
}
}
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
func TestSystemBackend_remount(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
req.Data["from"] = "secret"
req.Data["to"] = "foo"
Add DynamicSystemView. This uses a pointer to a pointer to always have up-to-date information. This allows remount to be implemented with the same source and dest, allowing mount options to be changed on the fly. If/when Vault gains the ability to HUP its configuration, this should just work for the global values as well. Need specific unit tests for this functionality.
2015-09-01 22:29:30 +00:00
req.Data["config"] = structs.Map(MountConfig{})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_remount_invalid(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
req.Data["from"] = "unknown"
req.Data["to"] = "foo"
Add DynamicSystemView. This uses a pointer to a pointer to always have up-to-date information. This allows remount to be implemented with the same source and dest, allowing mount options to be changed on the fly. If/when Vault gains the ability to HUP its configuration, this should just work for the global values as well. Need specific unit tests for this functionality.
2015-09-01 22:29:30 +00:00
req.Data["config"] = structs.Map(MountConfig{})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: convert to logical.Request and friends
2015-03-15 21:53:41 +00:00
if err != logical.ErrInvalidRequest {
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
t.Fatalf("err: %v", err)
}
Fix output-related tests (#4288) * Fix command tests * More test fixes * Use backticks to escape quoted strings * More test fixes * Fix mismatched error output failures * Fix mismatched error output failures
2018-04-06 00:43:29 +00:00
if resp.Data["error"] != `no matching mount at "unknown/"` {
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_remount_system(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
req.Data["from"] = "sys"
req.Data["to"] = "foo"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: convert to logical.Request and friends
2015-03-15 21:53:41 +00:00
if err != logical.ErrInvalidRequest {
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
t.Fatalf("err: %v", err)
}
Fix output-related tests (#4288) * Fix command tests * More test fixes * Use backticks to escape quoted strings * More test fixes * Fix mismatched error output failures * Fix mismatched error output failures
2018-04-06 00:43:29 +00:00
if resp.Data["error"] != `cannot remount "sys/"` {
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
t.Fatalf("bad: %v", resp)
}
}
Validate to/from parameters when remounting a backend (#9890) Vault uses http.ServeMux which issues an HTTP 301 redirect if the request path contains a double slash (`//`). Additionally, vault handles all paths to ensure that the path only contains printable characters. Therefore use the same validation on the to/from parameters for remounting. Not doing this can result in a Vault mount that was originally mounted at `pki/foo` to being remounted at `pki/foo//bar` resulting in mounts that cannot be accessed. Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
2020-10-29 18:06:07 +00:00
func TestSystemBackend_remount_clean(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
req.Data["from"] = "foo"
req.Data["to"] = "foo//bar"
req.Data["config"] = structs.Map(MountConfig{})
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if resp.Data["error"] != `'to' path 'foo//bar' does not match cleaned path 'foo/bar'` {
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_remount_nonPrintable(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "remount")
req.Data["from"] = "foo"
req.Data["to"] = "foo\nbar"
req.Data["config"] = structs.Map(MountConfig{})
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
if resp.Data["error"] != `'to' path cannot contain non-printable characters` {
t.Fatalf("bad: %v", resp)
}
}
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
func TestSystemBackend_leases(t *testing.T) {
core, b, root := testCoreSystemBackend(t)
// Create a key with a lease
req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
req.Data["foo"] = "bar"
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
// Read lease
req = logical.TestRequest(t, logical.UpdateOperation, "leases/lookup")
req.Data["lease_id"] = resp.Secret.LeaseID
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp.Data["renewable"] == nil || resp.Data["renewable"].(bool) {
Rename "generic" secret backend to "kv" (#3292)
2017-09-15 13:02:29 +00:00
t.Fatal("kv leases are not renewable")
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
}
// Invalid lease
req = logical.TestRequest(t, logical.UpdateOperation, "leases/lookup")
req.Data["lease_id"] = "invalid"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("expected invalid request, got err: %v", err)
}
}
func TestSystemBackend_leases_list(t *testing.T) {
core, b, root := testCoreSystemBackend(t)
// Create a key with a lease
req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
req.Data["foo"] = "bar"
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
// List top level
req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Data == nil {
t.Fatalf("bad: %#v", resp)
}
var keys []string
if err := mapstructure.WeakDecode(resp.Data["keys"], &keys); err != nil {
t.Fatalf("err: %v", err)
}
if len(keys) != 1 {
t.Fatalf("Expected 1 subkey lease, got %d: %#v", len(keys), keys)
}
if keys[0] != "secret/" {
t.Fatal("Expected only secret subkey")
}
// List lease
req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/secret/foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Data == nil {
t.Fatalf("bad: %#v", resp)
}
keys = []string{}
if err := mapstructure.WeakDecode(resp.Data["keys"], &keys); err != nil {
t.Fatalf("err: %v", err)
}
if len(keys) != 1 {
t.Fatalf("Expected 1 secret lease, got %d: %#v", len(keys), keys)
}
// Generate multiple leases
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/secret/foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Data == nil {
t.Fatalf("bad: %#v", resp)
}
keys = []string{}
if err := mapstructure.WeakDecode(resp.Data["keys"], &keys); err != nil {
t.Fatalf("err: %v", err)
}
if len(keys) != 3 {
t.Fatalf("Expected 3 secret lease, got %d: %#v", len(keys), keys)
}
// Listing subkeys
req = logical.TestRequest(t, logical.UpdateOperation, "secret/bar")
req.Data["foo"] = "bar"
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/bar")
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
req = logical.TestRequest(t, logical.ListOperation, "leases/lookup/secret")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Data == nil {
t.Fatalf("bad: %#v", resp)
}
keys = []string{}
if err := mapstructure.WeakDecode(resp.Data["keys"], &keys); err != nil {
t.Fatalf("err: %v", err)
}
if len(keys) != 2 {
t.Fatalf("Expected 2 secret lease, got %d: %#v", len(keys), keys)
}
expected := []string{"bar/", "foo/"}
if !reflect.DeepEqual(expected, keys) {
t.Fatalf("exp: %#v, act: %#v", expected, keys)
}
}
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
func TestSystemBackend_renew(t *testing.T) {
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
core, b, root := testCoreSystemBackend(t)
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
// Create a key with a lease
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
req.Data["foo"] = "bar"
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
Replace VaultID with LeaseID for terminology simplification
2015-04-08 20:35:32 +00:00
// Read a key with a LeaseID
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Replace VaultID with LeaseID for terminology simplification
2015-04-08 20:35:32 +00:00
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
t.Fatalf("bad: %#v", resp)
}
// Attempt renew
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
req2 := logical.TestRequest(t, logical.UpdateOperation, "leases/renew/"+resp.Secret.LeaseID)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err := b.HandleRequest(namespace.RootContext(nil), req2)
vault: Enforce non-renewability
2015-04-09 00:03:46 +00:00
if err != logical.ErrInvalidRequest {
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
t.Fatalf("err: %v", err)
}
vault: Enforce non-renewability
2015-04-09 00:03:46 +00:00
// Should get error about non-renewability
if resp2.Data["error"] != "lease is not renewable" {
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
t.Fatalf("bad: %#v", resp)
}
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
// Add a TTL to the lease
req = logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
req.Data["foo"] = "bar"
req.Data["ttl"] = "180s"
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
// Attempt renew
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
req2 = logical.TestRequest(t, logical.UpdateOperation, "leases/renew/"+resp.Secret.LeaseID)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp2.IsError() {
t.Fatalf("got an error")
}
if resp2.Data == nil {
t.Fatal("nil data")
}
if resp.Secret.TTL != 180*time.Second {
Minor test fix
2016-08-09 11:13:29 +00:00
t.Fatalf("bad lease duration: %v", resp.Secret.TTL)
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
}
// Test the other route path
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
req2 = logical.TestRequest(t, logical.UpdateOperation, "leases/renew")
req2.Data["lease_id"] = resp.Secret.LeaseID
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp2.IsError() {
t.Fatalf("got an error")
}
if resp2.Data == nil {
t.Fatal("nil data")
}
if resp.Secret.TTL != 180*time.Second {
t.Fatalf("bad lease duration: %v", resp.Secret.TTL)
}
// Test orig path
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
req2 = logical.TestRequest(t, logical.UpdateOperation, "renew")
req2.Data["lease_id"] = resp.Secret.LeaseID
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp2.IsError() {
t.Fatalf("got an error")
}
if resp2.Data == nil {
t.Fatal("nil data")
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp.Secret.TTL != time.Second*180 {
Minor test fix
2016-08-09 11:13:29 +00:00
t.Fatalf("bad lease duration: %v", resp.Secret.TTL)
Add test for both paths in backend
2016-08-08 22:32:18 +00:00
}
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
}
vault: Test renew of bad ID
2015-03-16 23:14:53 +00:00
func TestSystemBackend_renew_invalidID(t *testing.T) {
b := testSystemBackend(t)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
// Attempt renew
req := logical.TestRequest(t, logical.UpdateOperation, "leases/renew/foobarbaz")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp.Data["error"] != "lease not found" {
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
t.Fatalf("bad: %v", resp)
}
// Attempt renew with other method
req = logical.TestRequest(t, logical.UpdateOperation, "leases/renew")
req.Data["lease_id"] = "foobarbaz"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp.Data["error"] != "lease not found" {
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_renew_invalidID_origUrl(t *testing.T) {
b := testSystemBackend(t)
vault: Test renew of bad ID
2015-03-16 23:14:53 +00:00
// Attempt renew
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "renew/foobarbaz")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Test renew of bad ID
2015-03-16 23:14:53 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp.Data["error"] != "lease not found" {
vault: Test renew of bad ID
2015-03-16 23:14:53 +00:00
t.Fatalf("bad: %v", resp)
}
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
// Attempt renew with other method
req = logical.TestRequest(t, logical.UpdateOperation, "renew")
req.Data["lease_id"] = "foobarbaz"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp.Data["error"] != "lease not found" {
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
t.Fatalf("bad: %v", resp)
}
vault: Test renew of bad ID
2015-03-16 23:14:53 +00:00
}
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
func TestSystemBackend_revoke(t *testing.T) {
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
core, b, root := testCoreSystemBackend(t)
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
// Create a key with a lease
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
req.Data["foo"] = "bar"
req.Data["lease"] = "1h"
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
Replace VaultID with LeaseID for terminology simplification
2015-04-08 20:35:32 +00:00
// Read a key with a LeaseID
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Replace VaultID with LeaseID for terminology simplification
2015-04-08 20:35:32 +00:00
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
t.Fatalf("bad: %#v", resp)
}
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
// Attempt revoke
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req2 := logical.TestRequest(t, logical.UpdateOperation, "revoke/"+resp.Secret.LeaseID)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err := b.HandleRequest(namespace.RootContext(nil), req2)
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
if err != nil {
t.Fatalf("err: %v %#v", err, resp2)
}
if resp2 != nil {
t.Fatalf("bad: %#v", resp)
}
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
// Attempt renew
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req3 := logical.TestRequest(t, logical.UpdateOperation, "renew/"+resp.Secret.LeaseID)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp3, err := b.HandleRequest(namespace.RootContext(nil), req3)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp3.Data["error"] != "lease not found" {
t.Fatalf("bad: %v", *resp3)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
}
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
// Test the other route path
req2 = logical.TestRequest(t, logical.UpdateOperation, "revoke")
req2.Data["lease_id"] = resp.Secret.LeaseID
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
if err != nil {
t.Fatalf("err: %v %#v", err, resp2)
}
if resp2 != nil {
t.Fatalf("bad: %#v", resp)
}
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
// Test the other route path
req2 = logical.TestRequest(t, logical.UpdateOperation, "leases/revoke")
req2.Data["lease_id"] = resp.Secret.LeaseID
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err = b.HandleRequest(namespace.RootContext(nil), req2)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v %#v", err, resp2)
}
if resp2 != nil {
t.Fatalf("bad: %#v", resp)
}
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
}
func TestSystemBackend_revoke_invalidID(t *testing.T) {
b := testSystemBackend(t)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
// Attempt revoke
req := logical.TestRequest(t, logical.UpdateOperation, "leases/revoke/foobarbaz")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
// Attempt revoke with other method
req = logical.TestRequest(t, logical.UpdateOperation, "leases/revoke")
req.Data["lease_id"] = "foobarbaz"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_revoke_invalidID_origUrl(t *testing.T) {
b := testSystemBackend(t)
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
// Attempt revoke
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "revoke/foobarbaz")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
// Attempt revoke with other method
req = logical.TestRequest(t, logical.UpdateOperation, "revoke")
req.Data["lease_id"] = "foobarbaz"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Updating revoke/renew to prefer PUT method (#2646)
2017-04-27 14:47:43 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
vault: Adding sys/revoke
2015-03-16 23:26:34 +00:00
}
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
func TestSystemBackend_revokePrefix(t *testing.T) {
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
core, b, root := testCoreSystemBackend(t)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
// Create a key with a lease
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
req.Data["foo"] = "bar"
req.Data["lease"] = "1h"
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
Replace VaultID with LeaseID for terminology simplification
2015-04-08 20:35:32 +00:00
// Read a key with a LeaseID
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Replace VaultID with LeaseID for terminology simplification
2015-04-08 20:35:32 +00:00
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
t.Fatalf("bad: %#v", resp)
}
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
// Attempt revoke
req2 := logical.TestRequest(t, logical.UpdateOperation, "leases/revoke-prefix/secret/")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err := b.HandleRequest(namespace.RootContext(nil), req2)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v %#v", err, resp2)
}
if resp2 != nil {
t.Fatalf("bad: %#v", resp)
}
// Attempt renew
req3 := logical.TestRequest(t, logical.UpdateOperation, "leases/renew/"+resp.Secret.LeaseID)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp3, err := b.HandleRequest(namespace.RootContext(nil), req3)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp3.Data["error"] != "lease not found" {
t.Fatalf("bad: %v", *resp3)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
}
}
func TestSystemBackend_revokePrefix_origUrl(t *testing.T) {
core, b, root := testCoreSystemBackend(t)
// Create a key with a lease
req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
req.Data["foo"] = "bar"
req.Data["lease"] = "1h"
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
// Attempt revoke
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req2 := logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/secret/")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp2, err := b.HandleRequest(namespace.RootContext(nil), req2)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
if err != nil {
t.Fatalf("err: %v %#v", err, resp2)
}
if resp2 != nil {
t.Fatalf("bad: %#v", resp)
}
// Attempt renew
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req3 := logical.TestRequest(t, logical.UpdateOperation, "renew/"+resp.Secret.LeaseID)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp3, err := b.HandleRequest(namespace.RootContext(nil), req3)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp3.Data["error"] != "lease not found" {
t.Fatalf("bad: %#v", *resp3)
vault: Support sys/revoke-prefix/
2015-03-16 23:33:48 +00:00
}
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
func TestSystemBackend_revokePrefixAuth_newUrl(t *testing.T) {
core, _, _ := TestCoreUnsealed(t)
ts := core.tokenStore
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
bc := &logical.BackendConfig{
Logger: core.logger,
System: logical.StaticSystemView{
DefaultLeaseTTLVal: time.Hour * 24,
Change default TTL from 30 to 32 to accommodate monthly operations (#1942)
2016-09-28 22:32:49 +00:00
MaxLeaseTTLVal: time.Hour * 24 * 32,
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
},
}
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
b := NewSystemBackend(core, hclog.New(&hclog.LoggerOptions{}))
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err := b.Backend.Setup(namespace.RootContext(nil), bc)
Wrapping enhancements (#1927)
2016-09-29 04:01:28 +00:00
if err != nil {
t.Fatal(err)
}
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
exp := ts.expiration
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
te := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
ID: "foo",
Path: "auth/github/login/bar",
TTL: time.Hour,
NamespaceID: namespace.RootNamespaceID,
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, te)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.Lookup(namespace.RootContext(nil), "foo")
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatal(err)
}
if te == nil {
t.Fatal("token entry was nil")
}
// Create a new token
auth := &logical.Auth{
ClientToken: te.ID,
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = exp.RegisterAuth(namespace.RootContext(nil), te, auth)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
req := logical.TestRequest(t, logical.UpdateOperation, "leases/revoke-prefix/auth/github/")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.Lookup(namespace.RootContext(nil), te.ID)
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if te != nil {
t.Fatalf("bad: %v", te)
}
}
func TestSystemBackend_revokePrefixAuth_origUrl(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
core, _, _ := TestCoreUnsealed(t)
ts := core.tokenStore
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
bc := &logical.BackendConfig{
Logger: core.logger,
System: logical.StaticSystemView{
DefaultLeaseTTLVal: time.Hour * 24,
Change default TTL from 30 to 32 to accommodate monthly operations (#1942)
2016-09-28 22:32:49 +00:00
MaxLeaseTTLVal: time.Hour * 24 * 32,
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
},
}
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
b := NewSystemBackend(core, hclog.New(&hclog.LoggerOptions{}))
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err := b.Backend.Setup(namespace.RootContext(nil), bc)
Wrapping enhancements (#1927)
2016-09-29 04:01:28 +00:00
if err != nil {
t.Fatal(err)
}
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
exp := ts.expiration
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
te := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
ID: "foo",
Path: "auth/github/login/bar",
TTL: time.Hour,
NamespaceID: namespace.RootNamespaceID,
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, te)
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.Lookup(namespace.RootContext(nil), "foo")
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
if err != nil {
t.Fatal(err)
}
if te == nil {
t.Fatal("token entry was nil")
}
// Create a new token
auth := &logical.Auth{
ClientToken: te.ID,
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = exp.RegisterAuth(namespace.RootContext(nil), te, auth)
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
req := logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/auth/github/")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.Lookup(namespace.RootContext(nil), te.ID)
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 22:04:05 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if te != nil {
t.Fatalf("bad: %v", te)
}
}
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
func TestSystemBackend_authTable(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.ReadOperation, "auth")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
Fix the test cases
2016-06-20 19:55:21 +00:00
"token/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "token",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "token based credentials",
"accessor": resp.Data["token/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["token/"].(map[string]interface{})["uuid"],
Fix the test cases
2016-06-20 19:55:21 +00:00
"config": map[string]interface{}{
Made default_lease_ttl and max_lease_ttl as int64 and fixed tests
2016-06-21 00:08:12 +00:00
"default_lease_ttl": int64(0),
"max_lease_ttl": int64(0),
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"force_no_cache": false,
"token_type": "default-service",
Fix the test cases
2016-06-20 19:55:21 +00:00
},
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"local": false,
"seal_wrap": false,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string(nil),
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
},
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if diff := deep.Equal(resp.Data, exp); diff != nil {
t.Fatal(diff)
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
}
}
func TestSystemBackend_enableAuth(t *testing.T) {
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
c, b, _ := testCoreSystemBackend(t)
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
return &NoopBackend{BackendType: logical.TypeCredential}, nil
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "auth/foo")
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
req.Data["type"] = "noop"
Add TTL related config options on auth enable (#4019)
2018-02-22 15:26:29 +00:00
req.Data["config"] = map[string]interface{}{
"default_lease_ttl": "35m",
"max_lease_ttl": "45m",
}
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
req.Data["local"] = true
req.Data["seal_wrap"] = true
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "auth")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil {
t.Fatal("resp is nil")
}
exp := map[string]interface{}{
"foo/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "noop",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "",
"accessor": resp.Data["foo/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["foo/"].(map[string]interface{})["uuid"],
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"config": map[string]interface{}{
Add TTL related config options on auth enable (#4019)
2018-02-22 15:26:29 +00:00
"default_lease_ttl": int64(2100),
"max_lease_ttl": int64(2700),
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"force_no_cache": false,
"token_type": "default-service",
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
"local": true,
"seal_wrap": true,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string{},
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
"token/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "token",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "token based credentials",
"accessor": resp.Data["token/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["token/"].(map[string]interface{})["uuid"],
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
"config": map[string]interface{}{
"default_lease_ttl": int64(0),
"max_lease_ttl": int64(0),
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"force_no_cache": false,
"token_type": "default-service",
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
"local": false,
"seal_wrap": false,
Add options to mount tune and mount endpoints in preparation for versioning (#4155) * Add some requirements for versioned k/v * Add a warning message when an upgrade is triggered * Add path help values * Make the kv header a const * Add the uid to mount entry instead of options map * Pass the backend aware uuid to the mounts and plugins * Fix comment * Add options to secret/auth enable and tune CLI commands (#4170) * Switch mount/tune options to use TypeKVPairs (#4171) * switching options to TypeKVPairs, adding bool parse for versioned flag * flipping bool check * Fix leases coming back from non-leased pluin kv store * add a test for updating mount options * Fix tests
2018-03-21 19:04:27 +00:00
"options": map[string]string(nil),
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
},
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if diff := deep.Equal(resp.Data, exp); diff != nil {
t.Fatal(diff)
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572)
2017-11-13 16:22:22 +00:00
}
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
}
func TestSystemBackend_enableAuth_invalid(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "auth/foo")
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
req.Data["type"] = "nope"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
if resp.Data["error"] != `plugin not found in the catalog: nope` {
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_disableAuth(t *testing.T) {
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
c, b, _ := testCoreSystemBackend(t)
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
remove credential/ lots of tests faililng
2015-03-31 01:07:05 +00:00
return &NoopBackend{}, nil
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
}
// Register the backend
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "auth/foo")
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
req.Data["type"] = "noop"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
b.HandleRequest(namespace.RootContext(nil), req)
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
// Deregister it
req = logical.TestRequest(t, logical.DeleteOperation, "auth/foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: implement the sys/auth* endpoints
2015-03-20 19:48:19 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
Add missed description field for GET /sys/auth/:path/tune endpoint (#8193) * fix #7623: add missed description field for GET /sys/auth/:path/tune endpoint * fix #7623: allow empty description * fix #7623: update tests with description field
2020-02-15 18:32:47 +00:00
func TestSystemBackend_tuneAuth(t *testing.T) {
c, b, _ := testCoreSystemBackend(t)
c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) {
return &NoopBackend{BackendType: logical.TypeCredential}, nil
}
req := logical.TestRequest(t, logical.ReadOperation, "auth/token/tune")
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil {
t.Fatal("resp is nil")
}
exp := map[string]interface{}{
"description": "token based credentials",
"default_lease_ttl": int(2764800),
"max_lease_ttl": int(2764800),
"force_no_cache": false,
"token_type": "default-service",
}
if diff := deep.Equal(resp.Data, exp); diff != nil {
t.Fatal(diff)
}
req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/tune")
req.Data["description"] = ""
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
req = logical.TestRequest(t, logical.ReadOperation, "auth/token/tune")
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil {
t.Fatal("resp is nil")
}
if resp.Data["description"] != "" {
t.Fatalf("got: %#v expect: %#v", resp.Data["description"], "")
}
}
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
func TestSystemBackend_policyList(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.ReadOperation, "policy")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
Add test for non-assignable policies
2016-07-25 19:59:02 +00:00
"keys": []string{"default", "root"},
"policies": []string{"default", "root"},
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
func TestSystemBackend_policyCRUD(t *testing.T) {
b := testSystemBackend(t)
// Create the policy
rules := `path "foo/" { policy = "read" }`
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "policy/Foo")
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
req.Data["rules"] = rules
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
if err != nil {
t.Fatalf("err: %v %#v", err, resp)
}
Sync
2017-10-23 19:35:28 +00:00
if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
t.Fatalf("bad: %#v", resp)
}
// Read the policy
req = logical.TestRequest(t, logical.ReadOperation, "policy/foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
"name": "foo",
"rules": rules,
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
Normalize policy names to lowercase on write. They are not currently normalized when reading or deleting, for backwards compatibility. Ping #676.
2015-10-07 17:52:21 +00:00
// Read, and make sure that case has been normalized
req = logical.TestRequest(t, logical.ReadOperation, "policy/Foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Stop Vault Package Tests From Swallowing Errors (#2960) * Fix ignored error in TestAESGCMBarrier_MoveIntegrityV1(). * Fix ignored error in TestAESGCMBarrier_MoveIntegrityV2(). * Fix ignored err in TestExpiration_Tidy(). * Fix ignored error in TestSystemBackend_policyCRUD().
2017-07-04 17:58:28 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Properly lowercase policy names. (#3210) Previously we lowercased names on ingress but not on lookup or delete which could cause unexpected results. Now, just unilaterally lowercase policy names on write and delete. On get, to avoid the performance hit of always lowercasing when not necessary since it's in the critical path, we have a minor optimization -- we check the LRU first before normalizing. For tokens, because they're already normalized when adding policies during creation, this should always work; it might just be slower for API calls. Fixes #3187
2017-08-18 23:47:23 +00:00
exp = map[string]interface{}{
"name": "foo",
"rules": rules,
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
Normalize policy names to lowercase on write. They are not currently normalized when reading or deleting, for backwards compatibility. Ping #676.
2015-10-07 17:52:21 +00:00
}
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
// List the policies
req = logical.TestRequest(t, logical.ReadOperation, "policy")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp = map[string]interface{}{
Add test for non-assignable policies
2016-07-25 19:59:02 +00:00
"keys": []string{"default", "foo", "root"},
"policies": []string{"default", "foo", "root"},
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
// Delete the policy
req = logical.TestRequest(t, logical.DeleteOperation, "policy/foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// Read the policy (deleted)
req = logical.TestRequest(t, logical.ReadOperation, "policy/foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
// List the policies (deleted)
req = logical.TestRequest(t, logical.ReadOperation, "policy")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp = map[string]interface{}{
Add test for non-assignable policies
2016-07-25 19:59:02 +00:00
"keys": []string{"default", "root"},
"policies": []string{"default", "root"},
vault: Support policy CRUD
2015-03-23 21:43:31 +00:00
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
func TestSystemBackend_enableAudit(t *testing.T) {
c, b, _ := testCoreSystemBackend(t)
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 21:36:42 +00:00
return &NoopAudit{
Config: config,
}, nil
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
req.Data["type"] = "noop"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
func TestSystemBackend_auditHash(t *testing.T) {
c, b, _ := testCoreSystemBackend(t)
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
view := &logical.InmemStorage{}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
view.Put(namespace.RootContext(nil), &logical.StorageEntry{
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
Key: "salt",
Value: []byte("foo"),
})
Delay salt initialization for audit backends
2017-05-24 00:36:20 +00:00
config.SaltView = view
config.SaltConfig = &salt.Config{
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
HMAC: sha256.New,
HMACType: "hmac-sha256",
Delay salt initialization for audit backends
2017-05-24 00:36:20 +00:00
Location: salt.DefaultLocation,
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
}
return &NoopAudit{
Config: config,
}, nil
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
req.Data["type"] = "noop"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req = logical.TestRequest(t, logical.UpdateOperation, "audit-hash/foo")
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
req.Data["input"] = "bar"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Data == nil {
t.Fatalf("response or its data was nil")
}
hash, ok := resp.Data["hash"]
if !ok {
t.Fatalf("did not get hash back in response, response was %#v", resp.Data)
}
if hash.(string) != "hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317" {
t.Fatalf("bad hash back: %s", hash.(string))
}
}
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
func TestSystemBackend_enableAudit_invalid(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
req.Data["type"] = "nope"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
Fix output-related tests (#4288) * Fix command tests * More test fixes * Use backticks to escape quoted strings * More test fixes * Fix mismatched error output failures * Fix mismatched error output failures
2018-04-06 00:43:29 +00:00
if resp.Data["error"] != `unknown backend type: "nope"` {
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
t.Fatalf("bad: %v", resp)
}
}
func TestSystemBackend_auditTable(t *testing.T) {
c, b, _ := testCoreSystemBackend(t)
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 21:36:42 +00:00
return &NoopAudit{
Config: config,
}, nil
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
req.Data["type"] = "noop"
req.Data["description"] = "testing"
req.Data["options"] = map[string]interface{}{
"foo": "bar",
}
More porting from rep (#2388) * More porting from rep * Address review feedback
2017-02-16 21:29:30 +00:00
req.Data["local"] = true
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "audit")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
vault: Allow deep paths for audit backends
2015-04-03 21:27:33 +00:00
"foo/": map[string]interface{}{
Fix broken test case
2016-03-14 22:40:12 +00:00
"path": "foo/",
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
"type": "noop",
"description": "testing",
"options": map[string]string{
"foo": "bar",
},
More porting from rep (#2388) * More porting from rep * Address review feedback
2017-02-16 21:29:30 +00:00
"local": true,
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
},
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
func TestSystemBackend_disableAudit(t *testing.T) {
c, b, _ := testCoreSystemBackend(t)
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 21:36:42 +00:00
return &NoopAudit{
Config: config,
}, nil
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo")
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
req.Data["type"] = "noop"
req.Data["description"] = "testing"
req.Data["options"] = map[string]interface{}{
"foo": "bar",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
// Deregister it
req = logical.TestRequest(t, logical.DeleteOperation, "audit/foo")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding sys/ paths to enable/disable audit backends
2015-03-31 23:45:00 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
}
Decompress data before sending via sys/raw (#3954)
2018-02-09 23:43:48 +00:00
func TestSystemBackend_rawRead_Compressed(t *testing.T) {
b := testSystemBackendRaw(t)
req := logical.TestRequest(t, logical.ReadOperation, "raw/core/mounts")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Decompress data before sending via sys/raw (#3954)
2018-02-09 23:43:48 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if !strings.HasPrefix(resp.Data["value"].(string), "{\"type\":\"mounts\"") {
t.Fatalf("bad: %v", resp)
}
}
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
func TestSystemBackend_rawRead_Protected(t *testing.T) {
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
b := testSystemBackendRaw(t)
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
req := logical.TestRequest(t, logical.ReadOperation, "raw/"+keyringPath)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
}
func TestSystemBackend_rawWrite_Protected(t *testing.T) {
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
b := testSystemBackendRaw(t)
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "raw/"+keyringPath)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
}
Update tests for change in raw blacklisting
2016-04-19 20:26:26 +00:00
func TestSystemBackend_rawReadWrite(t *testing.T) {
Sync
2017-10-23 19:35:28 +00:00
_, b, _ := testCoreSystemBackendRaw(t)
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "raw/sys/policy/test")
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
req.Data["value"] = `path "secret/" { policy = "read" }`
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
Update tests for change in raw blacklisting
2016-04-19 20:26:26 +00:00
// Read via raw API
req = logical.TestRequest(t, logical.ReadOperation, "raw/sys/policy/test")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Update tests for change in raw blacklisting
2016-04-19 20:26:26 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if !strings.HasPrefix(resp.Data["value"].(string), "path") {
t.Fatalf("bad: %v", resp)
}
Sync
2017-10-23 19:35:28 +00:00
// Note: since the upgrade code is gone that upgraded from 0.1, we can't
// simply parse this out directly via GetPolicy, so the test now ends here.
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
}
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
func TestSystemBackend_rawDelete_Protected(t *testing.T) {
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
b := testSystemBackendRaw(t)
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
req := logical.TestRequest(t, logical.DeleteOperation, "raw/"+keyringPath)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: prevent raw access to protected paths
2015-05-28 17:24:41 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
}
}
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
func TestSystemBackend_rawDelete(t *testing.T) {
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
c, b, _ := testCoreSystemBackendRaw(t)
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
// set the policy!
Sync
2017-10-23 19:35:28 +00:00
p := &Policy{
The big one (#5346)
2018-09-18 03:03:00 +00:00
Name: "test",
Type: PolicyTypeACL,
namespace: namespace.RootNamespace,
Sync
2017-10-23 19:35:28 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err := c.policyStore.SetPolicy(namespace.RootContext(nil), p)
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Delete the policy
req := logical.TestRequest(t, logical.DeleteOperation, "raw/sys/policy/test")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
// Policy should be gone
Sync
2017-10-23 19:35:28 +00:00
c.policyStore.tokenPoliciesLRU.Purge()
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := c.policyStore.GetPolicy(namespace.RootContext(nil), "test", PolicyTypeToken)
vault: Adding the raw/ endpoints to sys
2015-04-02 00:44:43 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("policy should be gone")
}
}
vault: adding sys/key-status and sys/rotate
2015-05-28 00:53:42 +00:00
func TestSystemBackend_keyStatus(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.ReadOperation, "key-status")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: adding sys/key-status and sys/rotate
2015-05-28 00:53:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
"term": 1,
}
delete(resp.Data, "install_time")
OSS side barrier encryption tracking and automatic rotation (#11007) * Automatic barrier key rotation, OSS portion * Fix build issues * Vendored version * Add missing encs field, not sure where this got lost.
2021-02-25 20:27:25 +00:00
delete(resp.Data, "encryptions")
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
func TestSystemBackend_rotateConfig(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.ReadOperation, "rotate/config")
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
"max_operations": absoluteOperationMaximum,
"interval": 0,
"enabled": true,
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
req2 := logical.TestRequest(t, logical.UpdateOperation, "rotate/config")
Fix barrier key autoration config edge cases (#11541) * Add an Int64 type * Use the new Int64 type so that even 32 bit builds can specify max_operations above 2^31 * Missed a spot * go mod vendor * fix cast * changelog * Update unit test to ensure this works on both 32 and 64-bit archs
2021-05-05 19:39:04 +00:00
req2.Data["max_operations"] = int64(3221225472)
OSS side barrier encryption tracking and automatic rotation (#11007) * Automatic barrier key rotation, OSS portion * Fix build issues * Vendored version * Add missing encs field, not sure where this got lost.
2021-02-25 20:27:25 +00:00
req2.Data["interval"] = "5432h0m0s"
req2.Data["enabled"] = false
resp, err = b.HandleRequest(namespace.RootContext(nil), req2)
if err != nil {
t.Fatalf("err: %v", err)
}
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
exp = map[string]interface{}{
Fix barrier key autoration config edge cases (#11541) * Add an Int64 type * Use the new Int64 type so that even 32 bit builds can specify max_operations above 2^31 * Missed a spot * go mod vendor * fix cast * changelog * Update unit test to ensure this works on both 32 and 64-bit archs
2021-05-05 19:39:04 +00:00
"max_operations": int64(3221225472),
OSS side barrier encryption tracking and automatic rotation (#11007) * Automatic barrier key rotation, OSS portion * Fix build issues * Vendored version * Add missing encs field, not sure where this got lost.
2021-02-25 20:27:25 +00:00
"interval": "5432h0m0s",
"enabled": false,
}
vault: adding sys/key-status and sys/rotate
2015-05-28 00:53:42 +00:00
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
func TestSystemBackend_rotate(t *testing.T) {
b := testSystemBackend(t)
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "rotate")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
vault: adding sys/key-status and sys/rotate
2015-05-28 00:53:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if resp != nil {
t.Fatalf("bad: %v", resp)
}
req = logical.TestRequest(t, logical.ReadOperation, "key-status")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
vault: adding sys/key-status and sys/rotate
2015-05-28 00:53:42 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
"term": 2,
}
delete(resp.Data, "install_time")
OSS side barrier encryption tracking and automatic rotation (#11007) * Automatic barrier key rotation, OSS portion * Fix build issues * Vendored version * Add missing encs field, not sure where this got lost.
2021-02-25 20:27:25 +00:00
delete(resp.Data, "encryptions")
vault: adding sys/key-status and sys/rotate
2015-05-28 00:53:42 +00:00
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
vault: system using the framework
2015-03-16 00:35:59 +00:00
func testSystemBackend(t *testing.T) logical.Backend {
vault: tests passing
2015-03-29 23:18:08 +00:00
c, _, _ := TestCoreUnsealed(t)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
return c.systemBackend
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
}
Wrapping enhancements (#1927)
2016-09-29 04:01:28 +00:00
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
func testSystemBackendRaw(t *testing.T) logical.Backend {
c, _, _ := TestCoreUnsealedRaw(t)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
return c.systemBackend
vault: convert system to logical.Backend
2015-03-15 21:42:05 +00:00
}
vault: Testing sys/renew
2015-03-16 23:11:55 +00:00
vault: Adding ACL enforcement
2015-03-24 18:37:07 +00:00
func testCoreSystemBackend(t *testing.T) (*Core, logical.Backend, string) {
vault: tests passing
2015-03-29 23:18:08 +00:00
c, _, root := TestCoreUnsealed(t)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
return c, c.systemBackend, root
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
}
func testCoreSystemBackendRaw(t *testing.T) (*Core, logical.Backend, string) {
c, _, root := TestCoreUnsealedRaw(t)
Add the ability to use multiple paths for capability checking (#3663) * Add the ability to use multiple paths for capability checking. WIP (tests, docs). Fixes #3336 * Added tests * added 'paths' field * Update docs * return error if paths is not supplied
2018-03-01 16:14:56 +00:00
return c, c.systemBackend, root
Disable the `sys/raw` endpoint by default (#3329) * disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
2017-09-15 04:21:35 +00:00
}
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
func TestSystemBackend_PluginCatalog_CRUD(t *testing.T) {
c, b, _ := testCoreSystemBackend(t)
// Bootstrap the pluginCatalog
sym, err := filepath.EvalSymlinks(os.TempDir())
if err != nil {
t.Fatalf("error: %v", err)
}
c.pluginCatalog.directory = sym
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
req := logical.TestRequest(t, logical.ListOperation, "plugins/catalog/database")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
if len(resp.Data["keys"].([]string)) != len(c.builtinRegistry.Keys(consts.PluginTypeDatabase)) {
t.Fatalf("Wrong number of plugins, got %d, expected %d", len(resp.Data["keys"].([]string)), len(builtinplugins.Registry.Keys(consts.PluginTypeDatabase)))
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
}
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "plugins/catalog/database/mysql-database-plugin")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Make the plugin catalog endpoint roundtrip so we can use terraform to manage them. (#3778)
2018-01-18 00:19:28 +00:00
actualRespData := resp.Data
expectedRespData := map[string]interface{}{
"name": "mysql-database-plugin",
"command": "",
"args": []string(nil),
"sha256": "",
"builtin": true,
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
}
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
if !reflect.DeepEqual(actualRespData, expectedRespData) {
t.Fatalf("expected did not match actual, got %#v\n expected %#v\n", actualRespData, expectedRespData)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
}
// Set a plugin
file, err := ioutil.TempFile(os.TempDir(), "temp")
if err != nil {
t.Fatal(err)
}
defer file.Close()
Make the plugin catalog endpoint roundtrip so we can use terraform to manage them. (#3778)
2018-01-18 00:19:28 +00:00
// Check we can only specify args in one of command or args.
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
command := fmt.Sprintf("%s --test", filepath.Base(file.Name()))
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
req = logical.TestRequest(t, logical.UpdateOperation, "plugins/catalog/database/test-plugin")
Make the plugin catalog endpoint roundtrip so we can use terraform to manage them. (#3778)
2018-01-18 00:19:28 +00:00
req.Data["args"] = []string{"--foo"}
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
req.Data["sha_256"] = hex.EncodeToString([]byte{'1'})
req.Data["command"] = command
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Spelling (#4119)
2018-03-20 18:54:10 +00:00
if resp.Error().Error() != "must not specify args in command and args field" {
Make the plugin catalog endpoint roundtrip so we can use terraform to manage them. (#3778)
2018-01-18 00:19:28 +00:00
t.Fatalf("err: %v", resp.Error())
}
delete(req.Data, "args")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Make the plugin catalog endpoint roundtrip so we can use terraform to manage them. (#3778)
2018-01-18 00:19:28 +00:00
if err != nil || resp.Error() != nil {
t.Fatalf("err: %v %v", err, resp.Error())
}
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "plugins/catalog/database/test-plugin")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Make the plugin catalog endpoint roundtrip so we can use terraform to manage them. (#3778)
2018-01-18 00:19:28 +00:00
actual := resp.Data
expected := map[string]interface{}{
"name": "test-plugin",
"command": filepath.Base(file.Name()),
"args": []string{"--test"},
"sha256": "31",
"builtin": false,
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
}
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("expected did not match actual, got %#v\n expected %#v\n", actual, expected)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
}
// Delete plugin
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
req = logical.TestRequest(t, logical.DeleteOperation, "plugins/catalog/database/test-plugin")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Run all builtins as plugins (#5536)
2018-11-07 01:21:24 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "plugins/catalog/database/test-plugin")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Update test to reflect the correct read response
2017-04-25 04:24:19 +00:00
if resp != nil || err != nil {
t.Fatalf("expected nil response, plugin not deleted correctly got resp: %v, err: %v", resp, err)
Add test for logical_system plugin-catalog handling
2017-04-12 17:39:18 +00:00
}
}
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
func TestSystemBackend_ToolsHash(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "tools/hash")
req.Data = map[string]interface{}{
"input": "dGhlIHF1aWNrIGJyb3duIGZveA==",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err := b.HandleRequest(namespace.RootContext(nil), req)
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
doRequest := func(req *logical.Request, errExpected bool, expected string) {
t.Helper()
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
if err != nil && !errExpected {
t.Fatal(err)
}
if resp == nil {
t.Fatal("expected non-nil response")
}
if errExpected {
if !resp.IsError() {
t.Fatalf("bad: got error response: %#v", *resp)
}
return
}
if resp.IsError() {
t.Fatalf("bad: got error response: %#v", *resp)
}
sum, ok := resp.Data["sum"]
if !ok {
t.Fatal("no sum key found in returned data")
}
if sum.(string) != expected {
t.Fatal("mismatched hashes")
}
}
// Test defaults -- sha2-256
doRequest(req, false, "9ecb36561341d18eb65484e833efea61edc74b84cf5e6ae1b81c63533e25fc8f")
// Test algorithm selection in the path
req.Path = "tools/hash/sha2-224"
doRequest(req, false, "ea074a96cabc5a61f8298a2c470f019074642631a49e1c5e2f560865")
// Reset and test algorithm selection in the data
req.Path = "tools/hash"
req.Data["algorithm"] = "sha2-224"
doRequest(req, false, "ea074a96cabc5a61f8298a2c470f019074642631a49e1c5e2f560865")
req.Data["algorithm"] = "sha2-384"
doRequest(req, false, "15af9ec8be783f25c583626e9491dbf129dd6dd620466fdf05b3a1d0bb8381d30f4d3ec29f923ff1e09a0f6b337365a6")
req.Data["algorithm"] = "sha2-512"
doRequest(req, false, "d9d380f29b97ad6a1d92e987d83fa5a02653301e1006dd2bcd51afa59a9147e9caedaf89521abc0f0b682adcd47fb512b8343c834a32f326fe9bef00542ce887")
// Test returning as base64
req.Data["format"] = "base64"
doRequest(req, false, "2dOA8puXrWodkumH2D+loCZTMB4QBt0rzVGvpZqRR+nK7a+JUhq8DwtoKtzUf7USuDQ8g0oy8yb+m+8AVCzohw==")
// Test bad input/format/algorithm
req.Data["format"] = "base92"
doRequest(req, true, "")
req.Data["format"] = "hex"
req.Data["algorithm"] = "foobar"
doRequest(req, true, "")
req.Data["algorithm"] = "sha2-256"
req.Data["input"] = "foobar"
doRequest(req, true, "")
}
func TestSystemBackend_ToolsRandom(t *testing.T) {
b := testSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "tools/random")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err := b.HandleRequest(namespace.RootContext(nil), req)
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
doRequest := func(req *logical.Request, errExpected bool, format string, numBytes int) {
t.Helper()
getResponse := func() []byte {
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
if err != nil && !errExpected {
t.Fatal(err)
}
if resp == nil {
t.Fatal("expected non-nil response")
}
if errExpected {
if !resp.IsError() {
t.Fatalf("bad: got error response: %#v", *resp)
}
return nil
}
if resp.IsError() {
t.Fatalf("bad: got error response: %#v", *resp)
}
if _, ok := resp.Data["random_bytes"]; !ok {
t.Fatal("no random_bytes found in response")
}
outputStr := resp.Data["random_bytes"].(string)
var outputBytes []byte
switch format {
case "base64":
outputBytes, err = base64.StdEncoding.DecodeString(outputStr)
case "hex":
outputBytes, err = hex.DecodeString(outputStr)
default:
t.Fatal("unknown format")
}
if err != nil {
t.Fatal(err)
}
return outputBytes
}
rand1 := getResponse()
// Expected error
if rand1 == nil {
return
}
rand2 := getResponse()
if len(rand1) != numBytes || len(rand2) != numBytes {
Spelling (#4119)
2018-03-20 18:54:10 +00:00
t.Fatal("length of output random bytes not what is expected")
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
}
if reflect.DeepEqual(rand1, rand2) {
t.Fatal("found identical ouputs")
}
}
// Test defaults
doRequest(req, false, "base64", 32)
// Test size selection in the path
req.Path = "tools/random/24"
req.Data["format"] = "hex"
doRequest(req, false, "hex", 24)
// Test bad input/format
req.Path = "tools/random"
req.Data["format"] = "base92"
doRequest(req, true, "", 0)
req.Data["format"] = "hex"
req.Data["bytes"] = -1
doRequest(req, true, "", 0)
Add maximum amount of random entropy requested (#7144) * Add maximum amount of random characters requested at any given time * Readability changes * Removing sys/tools/random from the default policy * Setting the maxBytes value as const * Declaring maxBytes in the package to use it everywhere * Using maxBytes in the error message
2019-07-25 01:22:23 +00:00
req.Data["format"] = "hex"
req.Data["bytes"] = maxBytes + 1
doRequest(req, true, "", 0)
copying general purpose tools from transit backend to /sys/tools (#3391)
2017-10-20 14:59:17 +00:00
}
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
func TestSystemBackend_InternalUIMounts(t *testing.T) {
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
_, b, rootToken := testCoreSystemBackend(t)
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
// Ensure no entries are in the endpoint as a starting point
req := logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
"secret": map[string]interface{}{},
"auth": map[string]interface{}{},
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts")
req.ClientToken = rootToken
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp = map[string]interface{}{
"secret": map[string]interface{}{
"secret/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "kv",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "key/value secret storage",
"accessor": resp.Data["secret"].(map[string]interface{})["secret/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["secret"].(map[string]interface{})["secret/"].(map[string]interface{})["uuid"],
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
"config": map[string]interface{}{
"default_lease_ttl": resp.Data["secret"].(map[string]interface{})["secret/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["secret"].(map[string]interface{})["secret/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
},
"local": false,
"seal_wrap": false,
"options": map[string]string{
"version": "1",
},
},
"sys/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "system",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "system endpoints used for control, policy and debugging",
"accessor": resp.Data["secret"].(map[string]interface{})["sys/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["secret"].(map[string]interface{})["sys/"].(map[string]interface{})["uuid"],
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
"config": map[string]interface{}{
fix TestSystemBackend_InternalUIMounts
2019-02-15 18:45:55 +00:00
"default_lease_ttl": resp.Data["secret"].(map[string]interface{})["sys/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["secret"].(map[string]interface{})["sys/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
"passthrough_request_headers": []string{"Accept"},
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
},
"local": false,
"seal_wrap": false,
"options": map[string]string(nil),
},
"cubbyhole/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "per-token private secret storage",
"type": "cubbyhole",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"accessor": resp.Data["secret"].(map[string]interface{})["cubbyhole/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["secret"].(map[string]interface{})["cubbyhole/"].(map[string]interface{})["uuid"],
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
"config": map[string]interface{}{
"default_lease_ttl": resp.Data["secret"].(map[string]interface{})["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["secret"].(map[string]interface{})["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
},
"local": true,
"seal_wrap": false,
"options": map[string]string(nil),
},
"identity/": map[string]interface{}{
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "identity store",
"type": "identity",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"accessor": resp.Data["secret"].(map[string]interface{})["identity/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["secret"].(map[string]interface{})["identity/"].(map[string]interface{})["uuid"],
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
"config": map[string]interface{}{
"default_lease_ttl": resp.Data["secret"].(map[string]interface{})["identity/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int64),
"max_lease_ttl": resp.Data["secret"].(map[string]interface{})["identity/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int64),
"force_no_cache": false,
},
"local": false,
"seal_wrap": false,
"options": map[string]string(nil),
},
},
"auth": map[string]interface{}{
"token/": map[string]interface{}{
"options": map[string]string(nil),
"config": map[string]interface{}{
"default_lease_ttl": int64(0),
"max_lease_ttl": int64(0),
"force_no_cache": false,
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"token_type": "default-service",
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
},
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"type": "token",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
"external_entropy_access": false,
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"description": "token based credentials",
"accessor": resp.Data["auth"].(map[string]interface{})["token/"].(map[string]interface{})["accessor"],
"uuid": resp.Data["auth"].(map[string]interface{})["token/"].(map[string]interface{})["uuid"],
"local": false,
"seal_wrap": false,
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
},
},
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if diff := deep.Equal(resp.Data, exp); diff != nil {
t.Fatal(diff)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
}
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
// Mount-tune an auth mount
req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/tune")
req.Data["listing_visibility"] = "unauth"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
The big one (#5346)
2018-09-18 03:03:00 +00:00
if resp.IsError() || err != nil {
t.Fatalf("resp.Error: %v, err:%v", resp.Error(), err)
}
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
// Mount-tune a secret mount
req = logical.TestRequest(t, logical.UpdateOperation, "mounts/secret/tune")
req.Data["listing_visibility"] = "unauth"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
The big one (#5346)
2018-09-18 03:03:00 +00:00
if resp.IsError() || err != nil {
t.Fatalf("resp.Error: %v, err:%v", resp.Error(), err)
}
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
exp = map[string]interface{}{
"secret": map[string]interface{}{
"secret/": map[string]interface{}{
"type": "kv",
"description": "key/value secret storage",
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
"options": map[string]string{"version": "1"},
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
},
},
"auth": map[string]interface{}{
"token/": map[string]interface{}{
"type": "token",
"description": "token based credentials",
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
"options": map[string]string(nil),
Unauthenticated endpoint to list secret and auth mounts (#4134) * Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs * docs: Add ttl params to auth enable endpoint * Rewording of go string to simply string * Add audit hmac keys as CLI flags on auth/secrets enable * Fix copypasta mistake * WIP on auth-list endpoint * Rename variable to be singular, add CLI flag, show value in auth and secrets list * Add audit hmac keys to auth and secrets list * Only set config values if they exist * Fix http sys/auth tests * More auth plugin_name test fixes * Rename tag internal_ui_show_mount to _ui_show_mount * Add tests * Make endpoint unauthed * Rename field to listing_visibility * Add listing-visibility to cli tune commands * Use ListingVisiblityType * Fix type conversion * Do not actually change token's value on testHttpGet * Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-20 03:16:33 +00:00
},
},
}
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
}
}
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
func TestSystemBackend_InternalUIMount(t *testing.T) {
core, b, rootToken := testCoreSystemBackend(t)
req := logical.TestRequest(t, logical.UpdateOperation, "policy/secret")
req.ClientToken = rootToken
req.Data = map[string]interface{}{
"rules": `path "secret/foo/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}`,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("Bad %#v %#v", err, resp)
}
req = logical.TestRequest(t, logical.UpdateOperation, "mounts/kv")
req.ClientToken = rootToken
req.Data = map[string]interface{}{
"type": "kv",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("Bad %#v %#v", err, resp)
}
Rename up path to internal/ui/mounts/<path> (#4435)
2018-04-23 22:16:10 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/kv/bar")
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
req.ClientToken = rootToken
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("Bad %#v %#v", err, resp)
}
if resp.Data["type"] != "kv" {
t.Fatalf("Bad Response: %#v", resp)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"secret"})
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
Rename up path to internal/ui/mounts/<path> (#4435)
2018-04-23 22:16:10 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/kv")
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
req.ClientToken = "tokenid"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != logical.ErrPermissionDenied {
t.Fatal("expected permission denied error")
}
Rename up path to internal/ui/mounts/<path> (#4435)
2018-04-23 22:16:10 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/secret")
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
req.ClientToken = "tokenid"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("Bad %#v %#v", err, resp)
}
if resp.Data["type"] != "kv" {
t.Fatalf("Bad Response: %#v", resp)
}
Rename up path to internal/ui/mounts/<path> (#4435)
2018-04-23 22:16:10 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/sys")
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
req.ClientToken = "tokenid"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("Bad %#v %#v", err, resp)
}
if resp.Data["type"] != "system" {
t.Fatalf("Bad Response: %#v", resp)
}
Rename up path to internal/ui/mounts/<path> (#4435)
2018-04-23 22:16:10 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/non-existent")
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
req.ClientToken = "tokenid"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
Kv preflight (#4430) * Update kv command to use a preflight check * Make the existing ui endpoint return the allowed mounts * Add kv subcommand tests * Enable `-field` in `vault kv get/put` (#4426) * Enable `-field` in `vault kv get/put` Fixes #4424 * Unify nil value handling * Use preflight helper * Update vkv plugin * Add all the mount info when authenticated * Add fix the error message on put * add metadata test * No need to sort the capabilities * Remove the kv client header * kv patch command (#4432) * Fix test * Fix tests * Use permission denied instead of entity disabled
2018-04-23 22:00:02 +00:00
if err != logical.ErrPermissionDenied {
t.Fatal("expected permission denied error")
}
}
Framework and API changes to support OpenAPI (#5546)
2018-11-05 20:24:39 +00:00
func TestSystemBackend_OpenAPI(t *testing.T) {
_, b, rootToken := testCoreSystemBackend(t)
var oapi map[string]interface{}
// Ensure no paths are reported if there is no token
req := logical.TestRequest(t, logical.ReadOperation, "internal/specs/openapi")
resp, err := b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
body := resp.Data["http_raw_body"].([]byte)
err = jsonutil.DecodeJSON(body, &oapi)
if err != nil {
t.Fatalf("err: %v", err)
}
exp := map[string]interface{}{
"openapi": framework.OASVersion,
"info": map[string]interface{}{
"title": "HashiCorp Vault API",
"description": "HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`.",
"version": version.GetVersion().Version,
"license": map[string]interface{}{
"name": "Mozilla Public License 2.0",
"url": "https://www.mozilla.org/en-US/MPL/2.0",
},
},
"paths": map[string]interface{}{},
}
if diff := deep.Equal(oapi, exp); diff != nil {
t.Fatal(diff)
}
// Check that default paths are present with a root token
req = logical.TestRequest(t, logical.ReadOperation, "internal/specs/openapi")
req.ClientToken = rootToken
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
body = resp.Data["http_raw_body"].([]byte)
err = jsonutil.DecodeJSON(body, &oapi)
if err != nil {
t.Fatalf("err: %v", err)
}
doc, err := framework.NewOASDocumentFromMap(oapi)
if err != nil {
t.Fatal(err)
}
pathSamples := []struct {
path string
tag string
}{
{"/auth/token/lookup", "auth"},
Update sys path definitions for OpenAPI (#5687)
2018-11-06 18:09:06 +00:00
{"/cubbyhole/{path}", "secrets"},
Framework and API changes to support OpenAPI (#5546)
2018-11-05 20:24:39 +00:00
{"/identity/group/id", "identity"},
Update sys path definitions for OpenAPI (#5687)
2018-11-06 18:09:06 +00:00
{"/secret/.*", "secrets"}, // TODO update after kv repo update
Framework and API changes to support OpenAPI (#5546)
2018-11-05 20:24:39 +00:00
{"/sys/policy", "system"},
}
for _, path := range pathSamples {
if doc.Paths[path.path] == nil {
t.Fatalf("didn't find expected path '%s'.", path)
}
tag := doc.Paths[path.path].Get.Tags[0]
if tag != path.tag {
t.Fatalf("path: %s; expected tag: %s, actual: %s", path.path, tag, path.tag)
}
}
// Simple sanity check of response size (which is much larger than most
// Vault responses), mainly to catch mass omission of expected path data.
minLen := 70000
if len(body) < minLen {
t.Fatalf("response size too small; expected: min %d, actual: %d", minLen, len(body))
}
// Test path-help response
req = logical.TestRequest(t, logical.HelpOperation, "rotate")
req.ClientToken = rootToken
resp, err = b.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
doc = resp.Data["openapi"].(*framework.OASDocument)
if len(doc.Paths) != 1 {
t.Fatalf("expected 1 path, actual: %d", len(doc.Paths))
}
if doc.Paths["/rotate"] == nil {
t.Fatalf("expected to find path '/rotate'")
}
}
Fix hasMountPath for segment wildcard mounts; introduce priority order (#6532) * Add prioritization when multiple segment/glob rules can match. * Disallow ambiguous "+*" in policy paths.
2019-04-10 21:46:17 +00:00
func TestSystemBackend_PathWildcardPreflight(t *testing.T) {
core, b, _ := testCoreSystemBackend(t)
ctx := namespace.RootContext(nil)
// Add another mount
me := &MountEntry{
Table: mountTableType,
Revert global plugin reload commits (#9344) * Revert "Some of the OSS changes were clobbered when merging with quotas out of, master (#9343)" This reverts commit 8719a9b7c4d6ca7afb2e0a85e7c570cc17081f41. * Revert "OSS side of Global Plugin Reload (#9340)" This reverts commit f98afb998ae50346849050e882b6be50807983ad.
2020-06-29 22:36:22 +00:00
Path: sanitizePath("kv-v1"),
Fix hasMountPath for segment wildcard mounts; introduce priority order (#6532) * Add prioritization when multiple segment/glob rules can match. * Disallow ambiguous "+*" in policy paths.
2019-04-10 21:46:17 +00:00
Type: "kv",
Options: map[string]string{"version": "1"},
}
if err := core.mount(ctx, me); err != nil {
t.Fatal(err)
}
// Create the policy, designed to fail
rules := `path "foo" { capabilities = ["read"] }`
req := logical.TestRequest(t, logical.UpdateOperation, "policy/foo")
req.Data["rules"] = rules
resp, err := b.HandleRequest(ctx, req)
if err != nil {
t.Fatalf("err: %v %#v", err, resp)
}
if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
t.Fatalf("bad: %#v", resp)
}
if err := core.identityStore.upsertEntity(ctx, &identity.Entity{
Storage packer V1 updates (#6531) * spv1 updates * fix tests
2019-05-07 19:29:51 +00:00
ID: "abcd",
Name: "abcd",
BucketKey: "abcd",
Fix hasMountPath for segment wildcard mounts; introduce priority order (#6532) * Add prioritization when multiple segment/glob rules can match. * Disallow ambiguous "+*" in policy paths.
2019-04-10 21:46:17 +00:00
}, nil, false); err != nil {
t.Fatal(err)
}
te := &logical.TokenEntry{
TTL: 300 * time.Second,
EntityID: "abcd",
Policies: []string{"default", "foo"},
NamespaceID: namespace.RootNamespaceID,
}
if err := core.tokenStore.create(ctx, te); err != nil {
t.Fatal(err)
}
t.Logf("token id: %s", te.ID)
if err := core.expiration.RegisterAuth(ctx, te, &logical.Auth{
LeaseOptions: logical.LeaseOptions{
TTL: te.TTL,
},
ClientToken: te.ID,
Accessor: te.Accessor,
Orphan: true,
}); err != nil {
t.Fatal(err)
}
// Check the mount access func
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/kv-v1/baz")
req.ClientToken = te.ID
resp, err = b.HandleRequest(ctx, req)
if err == nil || !strings.Contains(err.Error(), "permission denied") {
t.Fatalf("expected 403, got err: %v", err)
}
// Modify policy to pass
rules = `path "kv-v1/+" { capabilities = ["read"] }`
req = logical.TestRequest(t, logical.UpdateOperation, "policy/foo")
req.Data["rules"] = rules
resp, err = b.HandleRequest(ctx, req)
if err != nil {
t.Fatalf("err: %v %#v", err, resp)
}
if resp != nil && (resp.IsError() || len(resp.Data) > 0) {
t.Fatalf("bad: %#v", resp)
}
// Check the mount access func again
req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/kv-v1/baz")
req.ClientToken = te.ID
resp, err = b.HandleRequest(ctx, req)
if err != nil {
t.Fatalf("err: %v", err)
}
}
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
func TestHandlePoliciesPasswordSet(t *testing.T) {
type testCase struct {
inputData *framework.FieldData
storage *logical.InmemStorage
expectedResp *logical.Response
expectErr bool
expectedStore map[string]*logical.StorageEntry
}
tests := map[string]testCase{
"missing policy name": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"policy": `length = 20
rule "charset" {
charset="abcdefghij"
}`,
}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"missing policy": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"garbage policy": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
"policy": "hasdukfhiuashdfoiasjdf",
}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"storage failure": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
"policy": "length = 20\n" +
"rule \"charset\" {\n" +
" charset=\"abcdefghij\"\n" +
"}",
}),
storage: new(logical.InmemStorage).FailPut(true),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"impossible policy": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
"policy": "length = 20\n" +
"rule \"charset\" {\n" +
" charset=\"a\"\n" +
" min-chars = 30\n" +
"}",
}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"not base64 encoded": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
"policy": "length = 20\n" +
"rule \"charset\" {\n" +
" charset=\"abcdefghij\"\n" +
"}",
}),
storage: new(logical.InmemStorage),
expectedResp: &logical.Response{
Data: map[string]interface{}{
logical.HTTPContentType: "application/json",
logical.HTTPStatusCode: http.StatusNoContent,
},
},
expectErr: false,
expectedStore: makeStorageMap(storageEntry(t, "testpolicy", "length = 20\n"+
"rule \"charset\" {\n"+
" charset=\"abcdefghij\"\n"+
"}")),
},
"base64 encoded": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
"policy": base64Encode(
"length = 20\n" +
"rule \"charset\" {\n" +
" charset=\"abcdefghij\"\n" +
"}"),
}),
storage: new(logical.InmemStorage),
expectedResp: &logical.Response{
Data: map[string]interface{}{
logical.HTTPContentType: "application/json",
logical.HTTPStatusCode: http.StatusNoContent,
},
},
expectErr: false,
expectedStore: makeStorageMap(storageEntry(t, "testpolicy",
"length = 20\n"+
"rule \"charset\" {\n"+
" charset=\"abcdefghij\"\n"+
"}")),
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
defer cancel()
req := &logical.Request{
Storage: test.storage,
}
b := &SystemBackend{}
actualResp, err := b.handlePoliciesPasswordSet(ctx, req, test.inputData)
if test.expectErr && err == nil {
t.Fatalf("err expected, got nil")
}
if !test.expectErr && err != nil {
t.Fatalf("no error expected, got: %s", err)
}
if !reflect.DeepEqual(actualResp, test.expectedResp) {
t.Fatalf("Actual response: %#v\nExpected response: %#v", actualResp, test.expectedResp)
}
actualStore := LogicalToMap(t, ctx, test.storage)
if !reflect.DeepEqual(actualStore, test.expectedStore) {
t.Fatalf("Actual: %#v\nActual: %#v", dereferenceMap(actualStore), dereferenceMap(test.expectedStore))
}
})
}
}
func TestHandlePoliciesPasswordGet(t *testing.T) {
type testCase struct {
inputData *framework.FieldData
storage *logical.InmemStorage
expectedResp *logical.Response
expectErr bool
expectedStore map[string]*logical.StorageEntry
}
tests := map[string]testCase{
"missing policy name": {
inputData: passwordPoliciesFieldData(map[string]interface{}{}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"storage error": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: new(logical.InmemStorage).FailGet(true),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"missing value": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"good value": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: makeStorage(t, storageEntry(t, "testpolicy",
"length = 20\n"+
"rule \"charset\" {\n"+
" charset=\"abcdefghij\"\n"+
"}")),
expectedResp: &logical.Response{
Data: map[string]interface{}{
"policy": "length = 20\n" +
"rule \"charset\" {\n" +
" charset=\"abcdefghij\"\n" +
"}",
},
},
expectErr: false,
expectedStore: makeStorageMap(storageEntry(t, "testpolicy",
"length = 20\n"+
"rule \"charset\" {\n"+
" charset=\"abcdefghij\"\n"+
"}")),
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Millisecond)
defer cancel()
req := &logical.Request{
Storage: test.storage,
}
b := &SystemBackend{}
actualResp, err := b.handlePoliciesPasswordGet(ctx, req, test.inputData)
if test.expectErr && err == nil {
t.Fatalf("err expected, got nil")
}
if !test.expectErr && err != nil {
t.Fatalf("no error expected, got: %s", err)
}
if !reflect.DeepEqual(actualResp, test.expectedResp) {
t.Fatalf("Actual response: %#v\nExpected response: %#v", actualResp, test.expectedResp)
}
actualStore := LogicalToMap(t, ctx, test.storage)
if !reflect.DeepEqual(actualStore, test.expectedStore) {
t.Fatalf("Actual: %#v\nActual: %#v", dereferenceMap(actualStore), dereferenceMap(test.expectedStore))
}
})
}
}
func TestHandlePoliciesPasswordDelete(t *testing.T) {
type testCase struct {
inputData *framework.FieldData
storage logical.Storage
expectedResp *logical.Response
expectErr bool
expectedStore map[string]*logical.StorageEntry
}
tests := map[string]testCase{
"missing policy name": {
inputData: passwordPoliciesFieldData(map[string]interface{}{}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"storage failure": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: new(logical.InmemStorage).FailDelete(true),
expectedResp: nil,
expectErr: true,
expectedStore: map[string]*logical.StorageEntry{},
},
"successful delete": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: makeStorage(t,
&logical.StorageEntry{
Key: getPasswordPolicyKey("testpolicy"),
Value: toJson(t,
passwordPolicyConfig{
HCLPolicy: "length = 18\n" +
"rule \"charset\" {\n" +
" charset=\"ABCDEFGHIJ\"\n" +
"}",
}),
},
&logical.StorageEntry{
Key: getPasswordPolicyKey("unrelated_policy"),
Value: toJson(t,
passwordPolicyConfig{
HCLPolicy: "length = 20\n" +
"rule \"charset\" {\n" +
" charset=\"abcdefghij\"\n" +
"}",
}),
},
),
expectedResp: nil,
expectErr: false,
expectedStore: makeStorageMap(storageEntry(t, "unrelated_policy",
"length = 20\n"+
"rule \"charset\" {\n"+
" charset=\"abcdefghij\"\n"+
"}")),
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Millisecond)
defer cancel()
req := &logical.Request{
Storage: test.storage,
}
b := &SystemBackend{}
actualResp, err := b.handlePoliciesPasswordDelete(ctx, req, test.inputData)
if test.expectErr && err == nil {
t.Fatalf("err expected, got nil")
}
if !test.expectErr && err != nil {
t.Fatalf("no error expected, got: %s", err)
}
if !reflect.DeepEqual(actualResp, test.expectedResp) {
t.Fatalf("Actual response: %#v\nExpected response: %#v", actualResp, test.expectedResp)
}
actualStore := LogicalToMap(t, ctx, test.storage)
if !reflect.DeepEqual(actualStore, test.expectedStore) {
t.Fatalf("Actual: %#v\nExpected: %#v", dereferenceMap(actualStore), dereferenceMap(test.expectedStore))
}
})
}
}
func TestHandlePoliciesPasswordGenerate(t *testing.T) {
t.Run("errors", func(t *testing.T) {
type testCase struct {
timeout time.Duration
inputData *framework.FieldData
storage *logical.InmemStorage
expectedResp *logical.Response
expectErr bool
}
tests := map[string]testCase{
"missing policy name": {
inputData: passwordPoliciesFieldData(map[string]interface{}{}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
},
"storage failure": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: new(logical.InmemStorage).FailGet(true),
expectedResp: nil,
expectErr: true,
},
"policy does not exist": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: new(logical.InmemStorage),
expectedResp: nil,
expectErr: true,
},
"policy improperly saved": {
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: makeStorage(t, storageEntry(t, "testpolicy", "badpolicy")),
expectedResp: nil,
expectErr: true,
},
"failed to generate": {
timeout: 0 * time.Second, // Timeout immediately
inputData: passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
}),
storage: makeStorage(t, storageEntry(t, "testpolicy",
"length = 20\n"+
"rule \"charset\" {\n"+
" charset=\"abcdefghij\"\n"+
"}")),
expectedResp: nil,
expectErr: true,
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), test.timeout)
defer cancel()
req := &logical.Request{
Storage: test.storage,
}
b := &SystemBackend{}
actualResp, err := b.handlePoliciesPasswordGenerate(ctx, req, test.inputData)
if test.expectErr && err == nil {
t.Fatalf("err expected, got nil")
}
if !test.expectErr && err != nil {
t.Fatalf("no error expected, got: %s", err)
}
if !reflect.DeepEqual(actualResp, test.expectedResp) {
t.Fatalf("Actual response: %#v\nExpected response: %#v", actualResp, test.expectedResp)
}
})
}
})
t.Run("success", func(t *testing.T) {
Integrate password policies into RabbitMQ secret engine (#9143) * Add password policies to RabbitMQ & update docs * Also updates some parts of the password policies to aid/fix testing
2020-06-11 22:08:20 +00:00
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
defer cancel()
policyEntry := storageEntry(t, "testpolicy",
"length = 20\n"+
"rule \"charset\" {\n"+
" charset=\"abcdefghij\"\n"+
"}")
storage := makeStorage(t, policyEntry)
inputData := passwordPoliciesFieldData(map[string]interface{}{
"name": "testpolicy",
})
expectedResp := &logical.Response{
Data: map[string]interface{}{
// Doesn't include the password as that's pulled out and compared separately
},
}
// Password assertions
expectedPassLen := 20
rules := []random.Rule{
random.CharsetRule{
Charset: []rune("abcdefghij"),
MinChars: expectedPassLen,
},
}
// Run the test a bunch of times to help ensure we don't have flaky behavior
for i := 0; i < 1000; i++ {
req := &logical.Request{
Storage: storage,
}
b := &SystemBackend{}
actualResp, err := b.handlePoliciesPasswordGenerate(ctx, req, inputData)
if err != nil {
t.Fatalf("no error expected, got: %s", err)
}
assert(t, actualResp != nil, "response is nil")
assert(t, actualResp.Data != nil, "expected data, got nil")
assertHasKey(t, actualResp.Data, "password", "password key not found in data")
assertIsString(t, actualResp.Data["password"], "password key should have a string value")
password := actualResp.Data["password"].(string)
// Delete the password so the rest of the response can be compared
delete(actualResp.Data, "password")
assert(t, reflect.DeepEqual(actualResp, expectedResp), "Actual response: %#v\nExpected response: %#v", actualResp, expectedResp)
// Check to make sure the password is correctly formatted
passwordLength := len([]rune(password))
if passwordLength != expectedPassLen {
t.Fatalf("password is %d characters but should be %d", passwordLength, expectedPassLen)
}
for _, rule := range rules {
if !rule.Pass([]rune(password)) {
t.Fatalf("password %s does not have the correct characters", password)
}
}
}
})
}
func assert(t *testing.T, pass bool, f string, vals ...interface{}) {
t.Helper()
if !pass {
t.Fatalf(f, vals...)
}
}
func assertHasKey(t *testing.T, m map[string]interface{}, key string, f string, vals ...interface{}) {
t.Helper()
_, exists := m[key]
if !exists {
t.Fatalf(f, vals...)
}
}
func assertIsString(t *testing.T, val interface{}, f string, vals ...interface{}) {
t.Helper()
_, ok := val.(string)
if !ok {
t.Fatalf(f, vals...)
}
}
func passwordPoliciesFieldData(raw map[string]interface{}) *framework.FieldData {
return &framework.FieldData{
Raw: raw,
Schema: map[string]*framework.FieldSchema{
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"name": {
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
Type: framework.TypeString,
Description: "The name of the password policy.",
},
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
"policy": {
Add user configurable password policies available to secret engines (#8637) * Add random string generator with rules engine This adds a random string generation library that validates random strings against a set of rules. The library is designed for use as generating passwords, but can be used to generate any random strings.
2020-05-27 18:28:00 +00:00
Type: framework.TypeString,
Description: "The password policy",
},
},
}
}
func base64Encode(data string) string {
return base64.StdEncoding.EncodeToString([]byte(data))
}
func toJson(t *testing.T, val interface{}) []byte {
t.Helper()
b, err := jsonutil.EncodeJSON(val)
if err != nil {
t.Fatalf("Unable to marshal to JSON: %s", err)
}
return b
}
func storageEntry(t *testing.T, key string, policy string) *logical.StorageEntry {
return &logical.StorageEntry{
Key: getPasswordPolicyKey(key),
Value: toJson(t, passwordPolicyConfig{
HCLPolicy: policy,
}),
}
}
func makeStorageMap(entries ...*logical.StorageEntry) map[string]*logical.StorageEntry {
m := map[string]*logical.StorageEntry{}
for _, entry := range entries {
m[entry.Key] = entry
}
return m
}
func dereferenceMap(store map[string]*logical.StorageEntry) map[string]interface{} {
m := map[string]interface{}{}
for k, v := range store {
m[k] = map[string]string{
"Key": v.Key,
"Value": string(v.Value),
}
}
return m
}
type walkFunc func(*logical.StorageEntry) error
// WalkLogicalStorage applies the provided walkFunc against each entry in the logical storage.
// This operates as a breadth first search.
// TODO: Figure out a place for this to live permanently. This is generic and should be in a helper package somewhere.
// At the time of writing, none of these locations work due to import cycles:
// - vault/helper/testhelpers
// - vault/helper/testhelpers/logical
// - vault/helper/testhelpers/teststorage
func WalkLogicalStorage(ctx context.Context, store logical.Storage, walker walkFunc) (err error) {
if store == nil {
return fmt.Errorf("no storage provided")
}
if walker == nil {
return fmt.Errorf("no walk function provided")
}
keys, err := store.List(ctx, "")
if err != nil {
return fmt.Errorf("unable to list root keys: %w", err)
}
// Non-recursive breadth-first search through all keys
for i := 0; i < len(keys); i++ {
key := keys[i]
entry, err := store.Get(ctx, key)
if err != nil {
return fmt.Errorf("unable to retrieve key at [%s]: %w", key, err)
}
if entry != nil {
err = walker(entry)
if err != nil {
return err
}
}
if strings.HasSuffix(key, "/") {
// Directory
subkeys, err := store.List(ctx, key)
if err != nil {
return fmt.Errorf("unable to list keys at [%s]: %w", key, err)
}
// Append the sub-keys to the keys slice so it searches into the sub-directory
for _, subkey := range subkeys {
// Avoids infinite loop if the subkey is empty which then repeats indefinitely
if subkey == "" {
continue
}
subkey = fmt.Sprintf("%s%s", key, subkey)
keys = append(keys, subkey)
}
}
}
return nil
}
// LogicalToMap retrieves all entries in the store and returns them as a map of key -> StorageEntry
func LogicalToMap(t *testing.T, ctx context.Context, store logical.Storage) (data map[string]*logical.StorageEntry) {
data = map[string]*logical.StorageEntry{}
f := func(entry *logical.StorageEntry) error {
data[entry.Key] = entry
return nil
}
err := WalkLogicalStorage(ctx, store, f)
if err != nil {
t.Fatalf("Unable to walk the storage: %s", err)
}
return data
}
// Ensure the WalkLogicalStorage function works
func TestWalkLogicalStorage(t *testing.T) {
type testCase struct {
entries []*logical.StorageEntry
}
tests := map[string]testCase{
"no entries": {
entries: []*logical.StorageEntry{},
},
"one entry": {
entries: []*logical.StorageEntry{
{
Key: "root",
},
},
},
"many entries": {
entries: []*logical.StorageEntry{
// Alphabetical, breadth-first
{Key: "bar"},
{Key: "foo"},
{Key: "bar/sub-bar1"},
{Key: "bar/sub-bar2"},
{Key: "foo/sub-foo1"},
{Key: "foo/sub-foo2"},
{Key: "foo/sub-foo3"},
{Key: "bar/sub-bar1/sub-sub-bar1"},
{Key: "bar/sub-bar1/sub-sub-bar2"},
{Key: "bar/sub-bar2/sub-sub-bar1"},
{Key: "foo/sub-foo1/sub-sub-foo1"},
{Key: "foo/sub-foo2/sub-sub-foo1"},
{Key: "foo/sub-foo3/sub-sub-foo1"},
{Key: "foo/sub-foo3/sub-sub-foo2"},
},
},
"sub key without root key": {
entries: []*logical.StorageEntry{
{Key: "foo/bar/baz"},
},
},
"key with trailing slash": {
entries: []*logical.StorageEntry{
{Key: "foo/"},
},
},
"double slash": {
entries: []*logical.StorageEntry{
{Key: "foo//"},
{Key: "foo//bar"},
},
},
}
for name, test := range tests {
t.Run(name, func(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()
store := makeStorage(t, test.entries...)
actualEntries := []*logical.StorageEntry{}
f := func(entry *logical.StorageEntry) error {
actualEntries = append(actualEntries, entry)
return nil
}
err := WalkLogicalStorage(ctx, store, f)
if err != nil {
t.Fatalf("Failed to walk storage: %s", err)
}
if !reflect.DeepEqual(actualEntries, test.entries) {
t.Fatalf("Actual: %#v\nExpected: %#v", actualEntries, test.entries)
}
})
}
}
func makeStorage(t *testing.T, entries ...*logical.StorageEntry) *logical.InmemStorage {
t.Helper()
ctx := context.Background()
store := new(logical.InmemStorage)
for _, entry := range entries {
err := store.Put(ctx, entry)
if err != nil {
t.Fatalf("Unable to load test storage: %s", err)
}
}
return store
}