open-vault/command/secrets_enable_test.go

268 lines
7.3 KiB
Go
Raw Normal View History

2015-03-31 23:28:46 +00:00
package command
import (
"io/ioutil"
"os"
2017-09-05 04:02:24 +00:00
"strings"
2015-03-31 23:28:46 +00:00
"testing"
"github.com/go-test/deep"
2018-11-07 01:21:24 +00:00
"github.com/hashicorp/vault/helper/builtinplugins"
"github.com/hashicorp/vault/sdk/helper/consts"
2015-03-31 23:28:46 +00:00
"github.com/mitchellh/cli"
)
// logicalBackendAdjustmentFactor is set to plus 1 for the database backend
// which is a plugin but not found in go.mod files, and minus 1 for the ldap
// and openldap secret backends which have the same underlying plugin.
var logicalBackendAdjustmentFactor = 1 - 1
func testSecretsEnableCommand(tb testing.TB) (*cli.MockUi, *SecretsEnableCommand) {
2017-09-05 04:02:24 +00:00
tb.Helper()
2015-03-31 23:28:46 +00:00
2017-09-05 04:02:24 +00:00
ui := cli.NewMockUi()
return ui, &SecretsEnableCommand{
2017-09-05 04:02:24 +00:00
BaseCommand: &BaseCommand{
UI: ui,
2015-03-31 23:28:46 +00:00
},
}
2017-09-05 04:02:24 +00:00
}
func TestSecretsEnableCommand_Run(t *testing.T) {
2017-09-05 04:02:24 +00:00
t.Parallel()
2015-03-31 23:28:46 +00:00
2017-09-05 04:02:24 +00:00
cases := []struct {
name string
args []string
out string
code int
}{
{
"not_enough_args",
[]string{},
"Not enough arguments",
2017-09-05 04:02:24 +00:00
1,
},
{
"too_many_args",
[]string{"foo", "bar"},
"Too many arguments",
1,
},
{
"not_a_valid_mount",
[]string{"nope_definitely_not_a_valid_mount_like_ever"},
"",
2,
},
{
"mount",
[]string{"transit"},
"Success! Enabled the transit secrets engine at: transit/",
2017-09-05 04:02:24 +00:00
0,
},
{
"mount_path",
[]string{
"-path", "transit_mount_point",
"transit",
},
"Success! Enabled the transit secrets engine at: transit_mount_point/",
2017-09-05 04:02:24 +00:00
0,
},
}
2017-09-05 04:02:24 +00:00
for _, tc := range cases {
tc := tc
2017-09-05 04:02:24 +00:00
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
2017-09-05 04:02:24 +00:00
client, closer := testVaultServer(t)
defer closer()
ui, cmd := testSecretsEnableCommand(t)
2017-09-05 04:02:24 +00:00
cmd.client = client
2017-09-05 04:02:24 +00:00
code := cmd.Run(tc.args)
if code != tc.code {
t.Errorf("expected %d to be %d", code, tc.code)
}
2017-09-05 04:02:24 +00:00
combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
if !strings.Contains(combined, tc.out) {
t.Errorf("expected %q to contain %q", combined, tc.out)
}
})
2015-03-31 23:28:46 +00:00
}
2017-09-05 04:02:24 +00:00
t.Run("integration", func(t *testing.T) {
t.Parallel()
2015-03-31 23:28:46 +00:00
2017-09-05 04:02:24 +00:00
client, closer := testVaultServer(t)
defer closer()
2015-03-31 23:28:46 +00:00
ui, cmd := testSecretsEnableCommand(t)
2017-09-05 04:02:24 +00:00
cmd.client = client
code := cmd.Run([]string{
"-path", "mount_integration/",
"-description", "The best kind of test",
"-default-lease-ttl", "30m",
"-max-lease-ttl", "1h",
"-audit-non-hmac-request-keys", "foo,bar",
"-audit-non-hmac-response-keys", "foo,bar",
"-passthrough-request-headers", "authorization,authentication",
"-passthrough-request-headers", "www-authentication",
"-allowed-response-headers", "authorization",
"-allowed-managed-keys", "key1,key2",
2017-09-05 04:02:24 +00:00
"-force-no-cache",
"pki",
})
if exp := 0; code != exp {
t.Errorf("expected %d to be %d", code, exp)
}
expected := "Success! Enabled the pki secrets engine at: mount_integration/"
2017-09-05 04:02:24 +00:00
combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
if !strings.Contains(combined, expected) {
t.Errorf("expected %q to contain %q", combined, expected)
}
mounts, err := client.Sys().ListMounts()
2017-09-05 04:02:24 +00:00
if err != nil {
t.Fatal(err)
}
mountInfo, ok := mounts["mount_integration/"]
if !ok {
t.Fatalf("expected mount to exist")
}
if exp := "pki"; mountInfo.Type != exp {
t.Errorf("expected %q to be %q", mountInfo.Type, exp)
}
if exp := "The best kind of test"; mountInfo.Description != exp {
t.Errorf("expected %q to be %q", mountInfo.Description, exp)
}
if exp := 1800; mountInfo.Config.DefaultLeaseTTL != exp {
t.Errorf("expected %d to be %d", mountInfo.Config.DefaultLeaseTTL, exp)
}
if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp {
t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp)
}
if exp := true; mountInfo.Config.ForceNoCache != exp {
t.Errorf("expected %t to be %t", mountInfo.Config.ForceNoCache, exp)
}
if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"authorization"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
}
2017-09-05 04:02:24 +00:00
})
t.Run("communication_failure", func(t *testing.T) {
t.Parallel()
client, closer := testVaultServerBad(t)
defer closer()
ui, cmd := testSecretsEnableCommand(t)
2017-09-05 04:02:24 +00:00
cmd.client = client
code := cmd.Run([]string{
"pki",
})
if exp := 2; code != exp {
t.Errorf("expected %d to be %d", code, exp)
}
expected := "Error enabling: "
2017-09-05 04:02:24 +00:00
combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
if !strings.Contains(combined, expected) {
t.Errorf("expected %q to contain %q", combined, expected)
}
})
t.Run("no_tabs", func(t *testing.T) {
t.Parallel()
_, cmd := testSecretsEnableCommand(t)
2017-09-05 04:02:24 +00:00
assertNoTabs(t, cmd)
})
t.Run("mount_all", func(t *testing.T) {
t.Parallel()
client, closer := testVaultServerAllBackends(t)
defer closer()
files, err := ioutil.ReadDir("../builtin/logical")
if err != nil {
t.Fatal(err)
}
var backends []string
for _, f := range files {
if f.IsDir() {
if f.Name() == "plugin" {
continue
}
backends = append(backends, f.Name())
}
}
modFile, err := ioutil.ReadFile("../go.mod")
if err != nil {
t.Fatal(err)
}
modLines := strings.Split(string(modFile), "\n")
for _, p := range modLines {
splitLine := strings.Split(strings.TrimSpace(p), " ")
if len(splitLine) == 0 {
continue
}
potPlug := strings.TrimPrefix(splitLine[0], "github.com/hashicorp/")
if strings.HasPrefix(potPlug, "vault-plugin-secrets-") {
backends = append(backends, strings.TrimPrefix(potPlug, "vault-plugin-secrets-"))
}
}
2018-11-07 01:21:24 +00:00
// backends are found by walking the directory, which includes the database backend,
// however, the plugins registry omits that one
if len(backends) != len(builtinplugins.Registry.Keys(consts.PluginTypeSecrets))+logicalBackendAdjustmentFactor {
2020-04-07 18:26:51 +00:00
t.Fatalf("expected %d logical backends, got %d", len(builtinplugins.Registry.Keys(consts.PluginTypeSecrets))+logicalBackendAdjustmentFactor, len(backends))
}
for _, b := range backends {
expectedResult := 0
status, _ := builtinplugins.Registry.DeprecationStatus(b, consts.PluginTypeSecrets)
allowDeprecated := os.Getenv(consts.VaultAllowPendingRemovalMountsEnv)
// Need to handle deprecated builtins specially
if (status == consts.PendingRemoval && allowDeprecated == "") || status == consts.Removed {
expectedResult = 2
}
ui, cmd := testSecretsEnableCommand(t)
cmd.client = client
actualResult := cmd.Run([]string{
b,
})
if actualResult != expectedResult {
t.Errorf("type: %s - got: %d, expected: %d - %s", b, actualResult, expectedResult, ui.OutputWriter.String()+ui.ErrorWriter.String())
}
}
})
2015-03-31 23:28:46 +00:00
}