open-vault/builtin/logical/aws/path_roles_test.go

package aws

import (
	"context"
	"reflect"
	"strconv"
	"testing"

	"github.com/hashicorp/vault/logical"
)

func TestBackend_PathListRoles(t *testing.T) {
	var resp *logical.Response
	var err error
	config := logical.TestBackendConfig()
	config.StorageView = &logical.InmemStorage{}

	b := Backend()
	if err := b.Setup(context.Background(), config); err != nil {
		t.Fatal(err)
	}

	roleData := map[string]interface{}{
		"role_arns":       []string{"arn:aws:iam::123456789012:role/path/RoleName"},
		"credential_type": assumedRoleCred,
		"default_sts_ttl": 3600,
	}

	roleReq := &logical.Request{
		Operation: logical.UpdateOperation,
		Storage:   config.StorageView,
		Data:      roleData,
	}

	for i := 1; i <= 10; i++ {
		roleReq.Path = "roles/testrole" + strconv.Itoa(i)
		resp, err = b.HandleRequest(context.Background(), roleReq)
		if err != nil || (resp != nil && resp.IsError()) {
			t.Fatalf("bad: role creation failed. resp:%#v\n err:%v", resp, err)
		}
	}

	resp, err = b.HandleRequest(context.Background(), &logical.Request{
		Operation: logical.ListOperation,
		Path:      "roles",
		Storage:   config.StorageView,
	})
	if err != nil || (resp != nil && resp.IsError()) {
		t.Fatalf("bad: listing roles failed. resp:%#v\n err:%v", resp, err)
	}

	if len(resp.Data["keys"].([]string)) != 10 {
		t.Fatalf("failed to list all 10 roles")
	}

	resp, err = b.HandleRequest(context.Background(), &logical.Request{
		Operation: logical.ListOperation,
		Path:      "roles/",
		Storage:   config.StorageView,
	})
	if err != nil || (resp != nil && resp.IsError()) {
		t.Fatalf("bad: listing roles failed. resp:%#v\n err:%v", resp, err)
	}

	if len(resp.Data["keys"].([]string)) != 10 {
		t.Fatalf("failed to list all 10 roles")
	}
}

func TestUpgradeLegacyPolicyEntry(t *testing.T) {
	var input string
	var expected awsRoleEntry
	var output *awsRoleEntry

	input = "arn:aws:iam::123456789012:role/path/RoleName"
	expected = awsRoleEntry{
		CredentialTypes:          []string{assumedRoleCred},
		RoleArns:                 []string{input},
		ProhibitFlexibleCredPath: true,
		Version:                  1,
	}
	output = upgradeLegacyPolicyEntry(input)
	if output.InvalidData != "" {
		t.Fatalf("bad: error processing upgrade of %q: got invalid data of %v", input, output.InvalidData)
	}
	if !reflect.DeepEqual(*output, expected) {
		t.Fatalf("bad: expected %#v; received %#v", expected, *output)
	}

	input = "arn:aws:iam::123456789012:policy/MyPolicy"
	expected = awsRoleEntry{
		CredentialTypes:          []string{iamUserCred},
		PolicyArns:               []string{input},
		ProhibitFlexibleCredPath: true,
		Version:                  1,
	}
	output = upgradeLegacyPolicyEntry(input)
	if output.InvalidData != "" {
		t.Fatalf("bad: error processing upgrade of %q: got invalid data of %v", input, output.InvalidData)
	}
	if !reflect.DeepEqual(*output, expected) {
		t.Fatalf("bad: expected %#v; received %#v", expected, *output)
	}

	input = "arn:aws:iam::aws:policy/AWSManagedPolicy"
	expected.PolicyArns = []string{input}
	output = upgradeLegacyPolicyEntry(input)
	if output.InvalidData != "" {
		t.Fatalf("bad: error processing upgrade of %q: got invalid data of %v", input, output.InvalidData)
	}
	if !reflect.DeepEqual(*output, expected) {
		t.Fatalf("bad: expected %#v; received %#v", expected, *output)
	}

	input = `
{
	"Version": "2012-10-07",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": "ec2:Describe*",
			"Resource": "*"
		}
	]
}`
	compacted, err := compactJSON(input)
	if err != nil {
		t.Fatalf("error parsing JSON: %v", err)
	}
	expected = awsRoleEntry{
		CredentialTypes:          []string{iamUserCred, federationTokenCred},
		PolicyDocument:           compacted,
		ProhibitFlexibleCredPath: true,
		Version:                  1,
	}
	output = upgradeLegacyPolicyEntry(input)
	if output.InvalidData != "" {
		t.Fatalf("bad: error processing upgrade of %q: got invalid data of %v", input, output.InvalidData)
	}
	if !reflect.DeepEqual(*output, expected) {
		t.Fatalf("bad: expected %#v; received %#v", expected, *output)
	}

	// Due to lack of prior input validation, this could exist in the storage, and we need
	// to be able to read it out in some fashion, so have to handle this in a poor fashion
	input = "arn:gobbledygook"
	expected = awsRoleEntry{
		InvalidData: input,
		Version:     1,
	}
	output = upgradeLegacyPolicyEntry(input)
	if !reflect.DeepEqual(*output, expected) {
		t.Fatalf("bad: expected %#v; received %#v", expected, *output)
	}
}
Added test case for listing aws secret backend roles 2016-06-21 00:09:17 +00:00			`package aws`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`
Make AWS credential types more explicit (#4360) * Make AWS credential types more explicit The AWS secret engine had a lot of confusing overloading with role paramemters and how they mapped to each of the three credential types supported. This now adds parameters to remove the overloading while maintaining backwards compatibility. With the change, it also becomes easier to add other feature requests. Attaching multiple managed policies to IAM users and adding a policy document to STS AssumedRole credentials is now also supported. Fixes #4229 Fixes #3751 Fixes #2817 * Add missing write action to STS endpoint * Allow unsetting policy_document with empty string This allows unsetting the policy_document by passing in an empty string. Previously, it would fail because the empty string isn't a valid JSON document. * Respond to some PR feedback * Refactor and simplify role reading/upgrading This gets rid of the duplicated role upgrade code between both role reading and role writing by handling the upgrade all in the role reading. * Eliminate duplicated AWS secret test code The testAccStepReadUser and testAccStepReadSTS were virtually identical, so they are consolidated into a single method with the path passed in. * Switch to use AWS ARN parser 2018-08-16 10:38:13 +00:00			`"reflect"`
Added test case for listing aws secret backend roles 2016-06-21 00:09:17 +00:00			`"strconv"`
			`"testing"`

			`"github.com/hashicorp/vault/logical"`
			`)`

			`func TestBackend_PathListRoles(t *testing.T) {`
			`var resp *logical.Response`
			`var err error`
			`config := logical.TestBackendConfig()`
			`config.StorageView = &logical.InmemStorage{}`

			`b := Backend()`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`if err := b.Setup(context.Background(), config); err != nil {`
Added test case for listing aws secret backend roles 2016-06-21 00:09:17 +00:00			`t.Fatal(err)`
			`}`

			`roleData := map[string]interface{}{`
Make AWS credential types more explicit (#4360) * Make AWS credential types more explicit The AWS secret engine had a lot of confusing overloading with role paramemters and how they mapped to each of the three credential types supported. This now adds parameters to remove the overloading while maintaining backwards compatibility. With the change, it also becomes easier to add other feature requests. Attaching multiple managed policies to IAM users and adding a policy document to STS AssumedRole credentials is now also supported. Fixes #4229 Fixes #3751 Fixes #2817 * Add missing write action to STS endpoint * Allow unsetting policy_document with empty string This allows unsetting the policy_document by passing in an empty string. Previously, it would fail because the empty string isn't a valid JSON document. * Respond to some PR feedback * Refactor and simplify role reading/upgrading This gets rid of the duplicated role upgrade code between both role reading and role writing by handling the upgrade all in the role reading. * Eliminate duplicated AWS secret test code The testAccStepReadUser and testAccStepReadSTS were virtually identical, so they are consolidated into a single method with the path passed in. * Switch to use AWS ARN parser 2018-08-16 10:38:13 +00:00			`"role_arns": []string{"arn:aws:iam::123456789012:role/path/RoleName"},`
			`"credential_type": assumedRoleCred,`
Allow specifying role-default TTLs in AWS secret engine (#5138) * Allow specifying role-default TTLs in AWS secret engine * Add an acceptance test * Add docs for AWS secret role-default TTLs * Rename default_ttl to default_sts_ttl * Return default_ttl as int64 instead of time.Duration * Fix broken tests The merge of #5383 broke the tests due to some changes in the test style that didn't actually cause a git merge conflict. This updates the tests to the new style. 2018-10-02 14:14:16 +00:00			`"default_sts_ttl": 3600,`
Added test case for listing aws secret backend roles 2016-06-21 00:09:17 +00:00			`}`

			`roleReq := &logical.Request{`
			`Operation: logical.UpdateOperation,`
			`Storage: config.StorageView,`
			`Data: roleData,`
			`}`

			`for i := 1; i <= 10; i++ {`
			`roleReq.Path = "roles/testrole" + strconv.Itoa(i)`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`resp, err = b.HandleRequest(context.Background(), roleReq)`
Added test case for listing aws secret backend roles 2016-06-21 00:09:17 +00:00			`if err != nil \|\| (resp != nil && resp.IsError()) {`
			`t.Fatalf("bad: role creation failed. resp:%#v\n err:%v", resp, err)`
			`}`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`resp, err = b.HandleRequest(context.Background(), &logical.Request{`
Added test case for listing aws secret backend roles 2016-06-21 00:09:17 +00:00			`Operation: logical.ListOperation,`
			`Path: "roles",`
			`Storage: config.StorageView,`
			`})`
			`if err != nil \|\| (resp != nil && resp.IsError()) {`
			`t.Fatalf("bad: listing roles failed. resp:%#v\n err:%v", resp, err)`
			`}`

			`if len(resp.Data["keys"].([]string)) != 10 {`
			`t.Fatalf("failed to list all 10 roles")`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`resp, err = b.HandleRequest(context.Background(), &logical.Request{`
Added test case for listing aws secret backend roles 2016-06-21 00:09:17 +00:00			`Operation: logical.ListOperation,`
			`Path: "roles/",`
			`Storage: config.StorageView,`
			`})`
			`if err != nil \|\| (resp != nil && resp.IsError()) {`
			`t.Fatalf("bad: listing roles failed. resp:%#v\n err:%v", resp, err)`
			`}`

			`if len(resp.Data["keys"].([]string)) != 10 {`
			`t.Fatalf("failed to list all 10 roles")`
			`}`
			`}`
Make AWS credential types more explicit (#4360) * Make AWS credential types more explicit The AWS secret engine had a lot of confusing overloading with role paramemters and how they mapped to each of the three credential types supported. This now adds parameters to remove the overloading while maintaining backwards compatibility. With the change, it also becomes easier to add other feature requests. Attaching multiple managed policies to IAM users and adding a policy document to STS AssumedRole credentials is now also supported. Fixes #4229 Fixes #3751 Fixes #2817 * Add missing write action to STS endpoint * Allow unsetting policy_document with empty string This allows unsetting the policy_document by passing in an empty string. Previously, it would fail because the empty string isn't a valid JSON document. * Respond to some PR feedback * Refactor and simplify role reading/upgrading This gets rid of the duplicated role upgrade code between both role reading and role writing by handling the upgrade all in the role reading. * Eliminate duplicated AWS secret test code The testAccStepReadUser and testAccStepReadSTS were virtually identical, so they are consolidated into a single method with the path passed in. * Switch to use AWS ARN parser 2018-08-16 10:38:13 +00:00
			`func TestUpgradeLegacyPolicyEntry(t *testing.T) {`
			`var input string`
			`var expected awsRoleEntry`
			`var output *awsRoleEntry`

			`input = "arn:aws:iam::123456789012:role/path/RoleName"`
			`expected = awsRoleEntry{`
			`CredentialTypes: []string{assumedRoleCred},`
			`RoleArns: []string{input},`
			`ProhibitFlexibleCredPath: true,`
			`Version: 1,`
			`}`
			`output = upgradeLegacyPolicyEntry(input)`
			`if output.InvalidData != "" {`
			`t.Fatalf("bad: error processing upgrade of %q: got invalid data of %v", input, output.InvalidData)`
			`}`
			`if !reflect.DeepEqual(*output, expected) {`
			`t.Fatalf("bad: expected %#v; received %#v", expected, *output)`
			`}`

			`input = "arn:aws:iam::123456789012:policy/MyPolicy"`
			`expected = awsRoleEntry{`
			`CredentialTypes: []string{iamUserCred},`
			`PolicyArns: []string{input},`
			`ProhibitFlexibleCredPath: true,`
			`Version: 1,`
			`}`
			`output = upgradeLegacyPolicyEntry(input)`
			`if output.InvalidData != "" {`
			`t.Fatalf("bad: error processing upgrade of %q: got invalid data of %v", input, output.InvalidData)`
			`}`
			`if !reflect.DeepEqual(*output, expected) {`
			`t.Fatalf("bad: expected %#v; received %#v", expected, *output)`
			`}`

			`input = "arn:aws:iam::aws:policy/AWSManagedPolicy"`
			`expected.PolicyArns = []string{input}`
			`output = upgradeLegacyPolicyEntry(input)`
			`if output.InvalidData != "" {`
			`t.Fatalf("bad: error processing upgrade of %q: got invalid data of %v", input, output.InvalidData)`
			`}`
			`if !reflect.DeepEqual(*output, expected) {`
			`t.Fatalf("bad: expected %#v; received %#v", expected, *output)`
			`}`

			input = `
			`{`
			`"Version": "2012-10-07",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": "ec2:Describe*",`
			`"Resource": "*"`
			`}`
			`]`
			}`
			`compacted, err := compactJSON(input)`
			`if err != nil {`
			`t.Fatalf("error parsing JSON: %v", err)`
			`}`
			`expected = awsRoleEntry{`
			`CredentialTypes: []string{iamUserCred, federationTokenCred},`
			`PolicyDocument: compacted,`
			`ProhibitFlexibleCredPath: true,`
			`Version: 1,`
			`}`
			`output = upgradeLegacyPolicyEntry(input)`
			`if output.InvalidData != "" {`
			`t.Fatalf("bad: error processing upgrade of %q: got invalid data of %v", input, output.InvalidData)`
			`}`
			`if !reflect.DeepEqual(*output, expected) {`
			`t.Fatalf("bad: expected %#v; received %#v", expected, *output)`
			`}`

			`// Due to lack of prior input validation, this could exist in the storage, and we need`
			`// to be able to read it out in some fashion, so have to handle this in a poor fashion`
			`input = "arn:gobbledygook"`
			`expected = awsRoleEntry{`
			`InvalidData: input,`
			`Version: 1,`
			`}`
			`output = upgradeLegacyPolicyEntry(input)`
			`if !reflect.DeepEqual(*output, expected) {`
			`t.Fatalf("bad: expected %#v; received %#v", expected, *output)`
			`}`
			`}`