open-vault/vault/router_test.go

package vault

import (
	"fmt"
	"strings"
	"testing"

	"github.com/hashicorp/vault/logical"
)

type NoopBackend struct {
	Root     []string
	Login    []string
	Paths    []string
	Requests []*logical.Request
	Response *logical.Response
}

func (n *NoopBackend) HandleRequest(req *logical.Request) (*logical.Response, error) {
	requestCopy := *req
	n.Paths = append(n.Paths, req.Path)
	n.Requests = append(n.Requests, &requestCopy)
	if req.Storage == nil {
		return nil, fmt.Errorf("missing view")
	}

	return n.Response, nil
}

func (n *NoopBackend) SpecialPaths() *logical.Paths {
	return &logical.Paths{
		Root:            n.Root,
		Unauthenticated: n.Login,
	}
}

func TestRouter_Mount(t *testing.T) {
	r := NewRouter()
	_, barrier, _ := mockBarrier(t)
	view := NewBarrierView(barrier, "logical/")

	n := &NoopBackend{}
	err := r.Mount(n, "prod/aws/", view)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	err = r.Mount(n, "prod/aws/", view)
	if !strings.Contains(err.Error(), "cannot mount under existing mount") {
		t.Fatalf("err: %v", err)
	}

	if path := r.MatchingMount("prod/aws/foo"); path != "prod/aws/" {
		t.Fatalf("bad: %s", path)
	}

	if v := r.MatchingView("prod/aws/foo"); v != view {
		t.Fatalf("bad: %s", v)
	}

	if path := r.MatchingMount("stage/aws/foo"); path != "" {
		t.Fatalf("bad: %s", path)
	}

	if v := r.MatchingView("stage/aws/foo"); v != nil {
		t.Fatalf("bad: %s", v)
	}

	req := &logical.Request{
		Path: "prod/aws/foo",
	}
	resp, err := r.Route(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if resp != nil {
		t.Fatalf("bad: %v", resp)
	}

	// Verify the path
	if len(n.Paths) != 1 || n.Paths[0] != "foo" {
		t.Fatalf("bad: %v", n.Paths)
	}
}

func TestRouter_Unmount(t *testing.T) {
	r := NewRouter()
	_, barrier, _ := mockBarrier(t)
	view := NewBarrierView(barrier, "logical/")

	n := &NoopBackend{}
	err := r.Mount(n, "prod/aws/", view)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	err = r.Unmount("prod/aws/")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	req := &logical.Request{
		Path: "prod/aws/foo",
	}
	_, err = r.Route(req)
	if !strings.Contains(err.Error(), "no handler for route") {
		t.Fatalf("err: %v", err)
	}
}

func TestRouter_Remount(t *testing.T) {
	r := NewRouter()
	_, barrier, _ := mockBarrier(t)
	view := NewBarrierView(barrier, "logical/")

	n := &NoopBackend{}
	err := r.Mount(n, "prod/aws/", view)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	err = r.Remount("prod/aws/", "stage/aws/")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	err = r.Remount("prod/aws/", "stage/aws/")
	if !strings.Contains(err.Error(), "no mount at") {
		t.Fatalf("err: %v", err)
	}

	req := &logical.Request{
		Path: "prod/aws/foo",
	}
	_, err = r.Route(req)
	if !strings.Contains(err.Error(), "no handler for route") {
		t.Fatalf("err: %v", err)
	}

	req = &logical.Request{
		Path: "stage/aws/foo",
	}
	_, err = r.Route(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// Verify the path
	if len(n.Paths) != 1 || n.Paths[0] != "foo" {
		t.Fatalf("bad: %v", n.Paths)
	}
}

func TestRouter_RootPath(t *testing.T) {
	r := NewRouter()
	_, barrier, _ := mockBarrier(t)
	view := NewBarrierView(barrier, "logical/")

	n := &NoopBackend{
		Root: []string{
			"root",
			"policy/*",
		},
	}
	err := r.Mount(n, "prod/aws/", view)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	type tcase struct {
		path   string
		expect bool
	}
	tcases := []tcase{
		{"random", false},
		{"prod/aws/foo", false},
		{"prod/aws/root", true},
		{"prod/aws/root-more", false},
		{"prod/aws/policy", false},
		{"prod/aws/policy/", true},
		{"prod/aws/policy/ops", true},
	}

	for _, tc := range tcases {
		out := r.RootPath(tc.path)
		if out != tc.expect {
			t.Fatalf("bad: path: %s expect: %v got %v", tc.path, tc.expect, out)
		}
	}
}

/*
func TestRouter_RouteLogin(t *testing.T) {
	r := NewRouter()
	_, barrier, _ := mockBarrier(t)
	view := NewBarrierView(barrier, "auth/")

	n := &NoopBackend{
		Login: []string{"bar"},
	}
	err := r.Mount(n, "auth/foo/", view)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	if path := r.MatchingMount("auth/foo/bar"); path != "auth/foo/" {
		t.Fatalf("bad: %s", path)
	}

	req := &logical.Request{
		Path: "auth/foo/bar",
	}
	resp, err := r.RouteLogin(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if resp != nil {
		t.Fatalf("bad: %v", resp)
	}

	// Verify the path
	if len(n.LPaths) != 1 || n.LPaths[0] != "bar" {
		t.Fatalf("bad: %v", n.Paths)
	}
}
*/

func TestRouter_LoginPath(t *testing.T) {
	r := NewRouter()
	_, barrier, _ := mockBarrier(t)
	view := NewBarrierView(barrier, "auth/")

	n := &NoopBackend{
		Login: []string{
			"login",
			"oauth/*",
		},
	}
	err := r.Mount(n, "auth/foo/", view)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	type tcase struct {
		path   string
		expect bool
	}
	tcases := []tcase{
		{"random", false},
		{"auth/foo/bar", false},
		{"auth/foo/login", true},
		{"auth/foo/oauth", false},
		{"auth/foo/oauth/redirect", true},
	}

	for _, tc := range tcases {
		out := r.LoginPath(tc.path)
		if out != tc.expect {
			t.Fatalf("bad: path: %s expect: %v got %v", tc.path, tc.expect, out)
		}
	}
}

func TestRouter_Taint(t *testing.T) {
	r := NewRouter()
	_, barrier, _ := mockBarrier(t)
	view := NewBarrierView(barrier, "logical/")

	n := &NoopBackend{}
	err := r.Mount(n, "prod/aws/", view)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	err = r.Taint("prod/aws/")
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	req := &logical.Request{
		Operation: logical.ReadOperation,
		Path:      "prod/aws/foo",
	}
	_, err = r.Route(req)
	if err.Error() != "no handler for route 'prod/aws/foo'" {
		t.Fatalf("err: %v", err)
	}

	// Rollback and Revoke should work
	req.Operation = logical.RollbackOperation
	_, err = r.Route(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	req.Operation = logical.RevokeOperation
	_, err = r.Route(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
}

func TestPathsToRadix(t *testing.T) {
	// Provide real paths
	paths := []string{
		"foo",
		"foo/*",
		"sub/bar*",
	}
	r := pathsToRadix(paths)

	raw, ok := r.Get("foo")
	if !ok || raw.(bool) != false {
		t.Fatalf("bad: %v (foo)", raw)
	}

	raw, ok = r.Get("foo/")
	if !ok || raw.(bool) != true {
		t.Fatalf("bad: %v (foo/)", raw)
	}

	raw, ok = r.Get("sub/bar")
	if !ok || raw.(bool) != true {
		t.Fatalf("bad: %v (sub/bar)", raw)
	}
}
vault: Adding router 2015-03-06 01:23:56 +00:00			`package vault`

			`import (`
			`"fmt"`
			`"strings"`
			`"testing"`
vault: convert to logical.Request and friends 2015-03-15 21:53:41 +00:00
			`"github.com/hashicorp/vault/logical"`
vault: Adding router 2015-03-06 01:23:56 +00:00			`)`

			`type NoopBackend struct {`
vault: testing internal expiration manager methods 2015-03-16 20:58:22 +00:00			`Root []string`
remove credential/ lots of tests faililng 2015-03-31 01:07:05 +00:00			`Login []string`
vault: testing internal expiration manager methods 2015-03-16 20:58:22 +00:00			`Paths []string`
			`Requests []*logical.Request`
			`Response *logical.Response`
vault: Adding router 2015-03-06 01:23:56 +00:00			`}`

vault: convert to logical.Request and friends 2015-03-15 21:53:41 +00:00			`func (n NoopBackend) HandleRequest(req logical.Request) (*logical.Response, error) {`
vault: keep the connection info around for auth 2015-03-31 03:55:01 +00:00			`requestCopy := *req`
vault: Adding router 2015-03-06 01:23:56 +00:00			`n.Paths = append(n.Paths, req.Path)`
vault: keep the connection info around for auth 2015-03-31 03:55:01 +00:00			`n.Requests = append(n.Requests, &requestCopy)`
vault: incremental change to get closer to logical structs 2015-03-15 20:54:20 +00:00			`if req.Storage == nil {`
vault: Adding router 2015-03-06 01:23:56 +00:00			`return nil, fmt.Errorf("missing view")`
			`}`
vault: keep the connection info around for auth 2015-03-31 03:55:01 +00:00
vault: testing internal expiration manager methods 2015-03-16 20:58:22 +00:00			`return n.Response, nil`
vault: Adding router 2015-03-06 01:23:56 +00:00			`}`

logical: move cred stuff over here 2015-03-31 00:46:18 +00:00			`func (n NoopBackend) SpecialPaths() logical.Paths {`
			`return &logical.Paths{`
remove credential/ lots of tests faililng 2015-03-31 01:07:05 +00:00			`Root: n.Root,`
			`Unauthenticated: n.Login,`
logical: move cred stuff over here 2015-03-31 00:46:18 +00:00			`}`
vault: Adding router 2015-03-06 01:23:56 +00:00			`}`

			`func TestRouter_Mount(t *testing.T) {`
			`r := NewRouter()`
			`_, barrier, _ := mockBarrier(t)`
			`view := NewBarrierView(barrier, "logical/")`

			`n := &NoopBackend{}`
vault: Removing mtype from router 2015-03-18 22:48:14 +00:00			`err := r.Mount(n, "prod/aws/", view)`
vault: Adding router 2015-03-06 01:23:56 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

vault: Removing mtype from router 2015-03-18 22:48:14 +00:00			`err = r.Mount(n, "prod/aws/", view)`
vault: Adding router 2015-03-06 01:23:56 +00:00			`if !strings.Contains(err.Error(), "cannot mount under existing mount") {`
			`t.Fatalf("err: %v", err)`
			`}`

vault: Router can check for matching mounts 2015-03-12 00:56:01 +00:00			`if path := r.MatchingMount("prod/aws/foo"); path != "prod/aws/" {`
			`t.Fatalf("bad: %s", path)`
			`}`

vault: Added MatchingView method 2015-04-02 18:03:59 +00:00			`if v := r.MatchingView("prod/aws/foo"); v != view {`
			`t.Fatalf("bad: %s", v)`
			`}`

vault: Router can check for matching mounts 2015-03-12 00:56:01 +00:00			`if path := r.MatchingMount("stage/aws/foo"); path != "" {`
			`t.Fatalf("bad: %s", path)`
			`}`

vault: Added MatchingView method 2015-04-02 18:03:59 +00:00			`if v := r.MatchingView("stage/aws/foo"); v != nil {`
			`t.Fatalf("bad: %s", v)`
			`}`

vault: convert to logical.Request and friends 2015-03-15 21:53:41 +00:00			`req := &logical.Request{`
vault: Adding router 2015-03-06 01:23:56 +00:00			`Path: "prod/aws/foo",`
			`}`
			`resp, err := r.Route(req)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if resp != nil {`
			`t.Fatalf("bad: %v", resp)`
			`}`

			`// Verify the path`
			`if len(n.Paths) != 1 \|\| n.Paths[0] != "foo" {`
			`t.Fatalf("bad: %v", n.Paths)`
			`}`
			`}`

			`func TestRouter_Unmount(t *testing.T) {`
			`r := NewRouter()`
			`_, barrier, _ := mockBarrier(t)`
			`view := NewBarrierView(barrier, "logical/")`

			`n := &NoopBackend{}`
vault: Removing mtype from router 2015-03-18 22:48:14 +00:00			`err := r.Mount(n, "prod/aws/", view)`
vault: Adding router 2015-03-06 01:23:56 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`err = r.Unmount("prod/aws/")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

vault: convert to logical.Request and friends 2015-03-15 21:53:41 +00:00			`req := &logical.Request{`
vault: Adding router 2015-03-06 01:23:56 +00:00			`Path: "prod/aws/foo",`
			`}`
			`_, err = r.Route(req)`
			`if !strings.Contains(err.Error(), "no handler for route") {`
			`t.Fatalf("err: %v", err)`
			`}`
			`}`

			`func TestRouter_Remount(t *testing.T) {`
			`r := NewRouter()`
			`_, barrier, _ := mockBarrier(t)`
			`view := NewBarrierView(barrier, "logical/")`

			`n := &NoopBackend{}`
vault: Removing mtype from router 2015-03-18 22:48:14 +00:00			`err := r.Mount(n, "prod/aws/", view)`
vault: Adding router 2015-03-06 01:23:56 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`err = r.Remount("prod/aws/", "stage/aws/")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`err = r.Remount("prod/aws/", "stage/aws/")`
			`if !strings.Contains(err.Error(), "no mount at") {`
			`t.Fatalf("err: %v", err)`
			`}`

vault: convert to logical.Request and friends 2015-03-15 21:53:41 +00:00			`req := &logical.Request{`
vault: Adding router 2015-03-06 01:23:56 +00:00			`Path: "prod/aws/foo",`
			`}`
			`_, err = r.Route(req)`
			`if !strings.Contains(err.Error(), "no handler for route") {`
			`t.Fatalf("err: %v", err)`
			`}`

vault: convert to logical.Request and friends 2015-03-15 21:53:41 +00:00			`req = &logical.Request{`
vault: Adding router 2015-03-06 01:23:56 +00:00			`Path: "stage/aws/foo",`
			`}`
			`_, err = r.Route(req)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// Verify the path`
			`if len(n.Paths) != 1 \|\| n.Paths[0] != "foo" {`
			`t.Fatalf("bad: %v", n.Paths)`
			`}`
			`}`

			`func TestRouter_RootPath(t *testing.T) {`
			`r := NewRouter()`
			`_, barrier, _ := mockBarrier(t)`
			`view := NewBarrierView(barrier, "logical/")`

			`n := &NoopBackend{`
			`Root: []string{`
			`"root",`
			`"policy/*",`
			`},`
			`}`
vault: Removing mtype from router 2015-03-18 22:48:14 +00:00			`err := r.Mount(n, "prod/aws/", view)`
vault: Adding router 2015-03-06 01:23:56 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`type tcase struct {`
			`path string`
			`expect bool`
			`}`
			`tcases := []tcase{`
			`{"random", false},`
			`{"prod/aws/foo", false},`
			`{"prod/aws/root", true},`
			`{"prod/aws/root-more", false},`
			`{"prod/aws/policy", false},`
			`{"prod/aws/policy/", true},`
			`{"prod/aws/policy/ops", true},`
			`}`

			`for _, tc := range tcases {`
			`out := r.RootPath(tc.path)`
			`if out != tc.expect {`
			`t.Fatalf("bad: path: %s expect: %v got %v", tc.path, tc.expect, out)`
			`}`
			`}`
			`}`
vault: extend router to handle login routing 2015-03-23 18:47:55 +00:00
remove credential/ lots of tests faililng 2015-03-31 01:07:05 +00:00			`/*`
vault: extend router to handle login routing 2015-03-23 18:47:55 +00:00			`func TestRouter_RouteLogin(t *testing.T) {`
			`r := NewRouter()`
			`_, barrier, _ := mockBarrier(t)`
			`view := NewBarrierView(barrier, "auth/")`

remove credential/ lots of tests faililng 2015-03-31 01:07:05 +00:00			`n := &NoopBackend{`
vault: extend router to handle login routing 2015-03-23 18:47:55 +00:00			`Login: []string{"bar"},`
			`}`
			`err := r.Mount(n, "auth/foo/", view)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`if path := r.MatchingMount("auth/foo/bar"); path != "auth/foo/" {`
			`t.Fatalf("bad: %s", path)`
			`}`

remove credential/ lots of tests faililng 2015-03-31 01:07:05 +00:00			`req := &logical.Request{`
vault: extend router to handle login routing 2015-03-23 18:47:55 +00:00			`Path: "auth/foo/bar",`
			`}`
			`resp, err := r.RouteLogin(req)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if resp != nil {`
			`t.Fatalf("bad: %v", resp)`
			`}`

			`// Verify the path`
			`if len(n.LPaths) != 1 \|\| n.LPaths[0] != "bar" {`
			`t.Fatalf("bad: %v", n.Paths)`
			`}`
			`}`
remove credential/ lots of tests faililng 2015-03-31 01:07:05 +00:00			`*/`
vault: extend router to handle login routing 2015-03-23 18:47:55 +00:00
			`func TestRouter_LoginPath(t *testing.T) {`
			`r := NewRouter()`
			`_, barrier, _ := mockBarrier(t)`
			`view := NewBarrierView(barrier, "auth/")`

remove credential/ lots of tests faililng 2015-03-31 01:07:05 +00:00			`n := &NoopBackend{`
vault: extend router to handle login routing 2015-03-23 18:47:55 +00:00			`Login: []string{`
			`"login",`
			`"oauth/*",`
			`},`
			`}`
			`err := r.Mount(n, "auth/foo/", view)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`type tcase struct {`
			`path string`
			`expect bool`
			`}`
			`tcases := []tcase{`
			`{"random", false},`
			`{"auth/foo/bar", false},`
			`{"auth/foo/login", true},`
			`{"auth/foo/oauth", false},`
			`{"auth/foo/oauth/redirect", true},`
			`}`

			`for _, tc := range tcases {`
			`out := r.LoginPath(tc.path)`
			`if out != tc.expect {`
			`t.Fatalf("bad: path: %s expect: %v got %v", tc.path, tc.expect, out)`
			`}`
			`}`
			`}`

vault: Support tainting router paths 2015-04-02 18:12:13 +00:00			`func TestRouter_Taint(t *testing.T) {`
			`r := NewRouter()`
			`_, barrier, _ := mockBarrier(t)`
			`view := NewBarrierView(barrier, "logical/")`

			`n := &NoopBackend{}`
			`err := r.Mount(n, "prod/aws/", view)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`err = r.Taint("prod/aws/")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`req := &logical.Request{`
			`Operation: logical.ReadOperation,`
			`Path: "prod/aws/foo",`
			`}`
			`_, err = r.Route(req)`
			`if err.Error() != "no handler for route 'prod/aws/foo'" {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// Rollback and Revoke should work`
			`req.Operation = logical.RollbackOperation`
			`_, err = r.Route(req)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`req.Operation = logical.RevokeOperation`
			`_, err = r.Route(req)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`}`

vault: extend router to handle login routing 2015-03-23 18:47:55 +00:00			`func TestPathsToRadix(t *testing.T) {`
			`// Provide real paths`
			`paths := []string{`
			`"foo",`
			`"foo/*",`
			`"sub/bar*",`
			`}`
			`r := pathsToRadix(paths)`

			`raw, ok := r.Get("foo")`
			`if !ok \|\| raw.(bool) != false {`
			`t.Fatalf("bad: %v (foo)", raw)`
			`}`

			`raw, ok = r.Get("foo/")`
			`if !ok \|\| raw.(bool) != true {`
			`t.Fatalf("bad: %v (foo/)", raw)`
			`}`

			`raw, ok = r.Get("sub/bar")`
			`if !ok \|\| raw.(bool) != true {`
			`t.Fatalf("bad: %v (sub/bar)", raw)`
			`}`
			`}`