2015-03-15 21:42:05 +00:00
|
|
|
package vault
|
|
|
|
|
|
|
|
import (
|
|
|
|
"reflect"
|
|
|
|
"testing"
|
2015-08-31 18:27:49 +00:00
|
|
|
"time"
|
2015-03-15 21:42:05 +00:00
|
|
|
|
2015-09-01 22:29:30 +00:00
|
|
|
"github.com/fatih/structs"
|
2015-03-31 23:45:00 +00:00
|
|
|
"github.com/hashicorp/vault/audit"
|
2015-03-15 21:42:05 +00:00
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestSystemBackend_RootPaths(t *testing.T) {
|
|
|
|
expected := []string{
|
2015-03-16 17:52:35 +00:00
|
|
|
"mounts/*",
|
2015-03-20 19:48:19 +00:00
|
|
|
"auth/*",
|
2015-03-15 21:42:05 +00:00
|
|
|
"remount",
|
2015-03-16 23:33:48 +00:00
|
|
|
"revoke-prefix/*",
|
2015-03-23 21:43:31 +00:00
|
|
|
"policy",
|
|
|
|
"policy/*",
|
2015-03-31 23:45:00 +00:00
|
|
|
"audit",
|
|
|
|
"audit/*",
|
2015-04-01 21:03:17 +00:00
|
|
|
"seal",
|
2015-04-02 00:44:43 +00:00
|
|
|
"raw/*",
|
2015-05-28 00:53:42 +00:00
|
|
|
"rotate",
|
2015-03-15 21:42:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
b := testSystemBackend(t)
|
2015-03-31 00:46:18 +00:00
|
|
|
actual := b.SpecialPaths().Root
|
2015-03-15 21:42:05 +00:00
|
|
|
if !reflect.DeepEqual(actual, expected) {
|
|
|
|
t.Fatalf("bad: %#v", actual)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_mounts(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
req := logical.TestRequest(t, logical.ReadOperation, "mounts")
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2015-09-01 22:29:30 +00:00
|
|
|
// We can't know the pointer address ahead of time so simply
|
|
|
|
// copy what's given
|
2015-03-15 21:42:05 +00:00
|
|
|
exp := map[string]interface{}{
|
2015-08-31 18:27:49 +00:00
|
|
|
"secret/": map[string]interface{}{
|
2015-03-15 21:42:05 +00:00
|
|
|
"type": "generic",
|
|
|
|
"description": "generic secret storage",
|
2015-08-31 18:27:49 +00:00
|
|
|
"config": map[string]interface{}{
|
2015-09-25 13:46:20 +00:00
|
|
|
"default_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int),
|
|
|
|
"max_lease_ttl": resp.Data["secret/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int),
|
2015-08-31 18:27:49 +00:00
|
|
|
},
|
2015-03-15 21:42:05 +00:00
|
|
|
},
|
2015-08-31 18:27:49 +00:00
|
|
|
"sys/": map[string]interface{}{
|
2015-03-15 21:42:05 +00:00
|
|
|
"type": "system",
|
|
|
|
"description": "system endpoints used for control, policy and debugging",
|
2015-08-31 18:27:49 +00:00
|
|
|
"config": map[string]interface{}{
|
2015-09-25 13:46:20 +00:00
|
|
|
"default_lease_ttl": resp.Data["sys/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int),
|
|
|
|
"max_lease_ttl": resp.Data["sys/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int),
|
2015-08-31 18:27:49 +00:00
|
|
|
},
|
2015-03-15 21:42:05 +00:00
|
|
|
},
|
2015-09-10 01:58:09 +00:00
|
|
|
"cubbyhole/": map[string]interface{}{
|
|
|
|
"description": "per-token private secret storage",
|
|
|
|
"type": "cubbyhole",
|
|
|
|
"config": map[string]interface{}{
|
2015-09-25 13:46:20 +00:00
|
|
|
"default_lease_ttl": resp.Data["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["default_lease_ttl"].(int),
|
|
|
|
"max_lease_ttl": resp.Data["cubbyhole/"].(map[string]interface{})["config"].(map[string]interface{})["max_lease_ttl"].(int),
|
2015-09-10 01:58:09 +00:00
|
|
|
},
|
|
|
|
},
|
2015-03-15 21:42:05 +00:00
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(resp.Data, exp) {
|
2015-08-31 18:27:49 +00:00
|
|
|
t.Fatalf("Got:\n%#v\nExpected:\n%#v", resp.Data, exp)
|
2015-03-15 21:42:05 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_mount(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
2015-03-16 17:52:35 +00:00
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "mounts/prod/secret/")
|
2015-03-15 21:42:05 +00:00
|
|
|
req.Data["type"] = "generic"
|
|
|
|
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_mount_invalid(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
2015-03-16 17:52:35 +00:00
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "mounts/prod/secret/")
|
2015-03-15 21:42:05 +00:00
|
|
|
req.Data["type"] = "nope"
|
|
|
|
resp, err := b.HandleRequest(req)
|
2015-03-15 21:53:41 +00:00
|
|
|
if err != logical.ErrInvalidRequest {
|
2015-03-15 21:42:05 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-03-15 23:25:38 +00:00
|
|
|
if resp.Data["error"] != "unknown backend type: nope" {
|
2015-03-15 21:42:05 +00:00
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_unmount(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
2015-03-16 17:52:35 +00:00
|
|
|
req := logical.TestRequest(t, logical.DeleteOperation, "mounts/secret/")
|
2015-03-15 21:42:05 +00:00
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_unmount_invalid(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
2015-03-16 17:52:35 +00:00
|
|
|
req := logical.TestRequest(t, logical.DeleteOperation, "mounts/foo/")
|
2015-03-15 21:42:05 +00:00
|
|
|
resp, err := b.HandleRequest(req)
|
2015-03-15 21:53:41 +00:00
|
|
|
if err != logical.ErrInvalidRequest {
|
2015-03-15 21:42:05 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp.Data["error"] != "no matching mount" {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_remount(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "remount")
|
|
|
|
req.Data["from"] = "secret"
|
|
|
|
req.Data["to"] = "foo"
|
2015-09-01 22:29:30 +00:00
|
|
|
req.Data["config"] = structs.Map(MountConfig{})
|
2015-03-15 21:42:05 +00:00
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_remount_invalid(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "remount")
|
|
|
|
req.Data["from"] = "unknown"
|
|
|
|
req.Data["to"] = "foo"
|
2015-09-01 22:29:30 +00:00
|
|
|
req.Data["config"] = structs.Map(MountConfig{})
|
2015-03-15 21:42:05 +00:00
|
|
|
resp, err := b.HandleRequest(req)
|
2015-03-15 21:53:41 +00:00
|
|
|
if err != logical.ErrInvalidRequest {
|
2015-03-15 21:42:05 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp.Data["error"] != "no matching mount at 'unknown/'" {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_remount_system(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "remount")
|
|
|
|
req.Data["from"] = "sys"
|
|
|
|
req.Data["to"] = "foo"
|
|
|
|
resp, err := b.HandleRequest(req)
|
2015-03-15 21:53:41 +00:00
|
|
|
if err != logical.ErrInvalidRequest {
|
2015-03-15 21:42:05 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp.Data["error"] != "cannot remount 'sys/'" {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-16 23:11:55 +00:00
|
|
|
func TestSystemBackend_renew(t *testing.T) {
|
2015-03-24 18:37:07 +00:00
|
|
|
core, b, root := testCoreSystemBackend(t)
|
2015-03-16 23:11:55 +00:00
|
|
|
|
|
|
|
// Create a key with a lease
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "secret/foo")
|
|
|
|
req.Data["foo"] = "bar"
|
2015-03-24 18:37:07 +00:00
|
|
|
req.ClientToken = root
|
2015-03-16 23:11:55 +00:00
|
|
|
resp, err := core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
2015-04-08 20:35:32 +00:00
|
|
|
// Read a key with a LeaseID
|
2015-03-16 23:11:55 +00:00
|
|
|
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
2015-03-24 18:37:07 +00:00
|
|
|
req.ClientToken = root
|
2015-03-16 23:11:55 +00:00
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-04-08 20:35:32 +00:00
|
|
|
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
|
2015-03-16 23:11:55 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Attempt renew
|
2015-04-08 20:35:32 +00:00
|
|
|
req2 := logical.TestRequest(t, logical.WriteOperation, "renew/"+resp.Secret.LeaseID)
|
2015-06-17 22:58:20 +00:00
|
|
|
req2.Data["increment"] = "100s"
|
2015-03-16 23:11:55 +00:00
|
|
|
resp2, err := b.HandleRequest(req2)
|
2015-04-09 00:03:46 +00:00
|
|
|
if err != logical.ErrInvalidRequest {
|
2015-03-16 23:11:55 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2015-04-09 00:03:46 +00:00
|
|
|
// Should get error about non-renewability
|
|
|
|
if resp2.Data["error"] != "lease is not renewable" {
|
2015-03-16 23:11:55 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-16 23:14:53 +00:00
|
|
|
func TestSystemBackend_renew_invalidID(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
|
|
|
// Attempt renew
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "renew/foobarbaz")
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-06-18 22:37:08 +00:00
|
|
|
if resp.Data["error"] != "lease not found or lease is not renewable" {
|
2015-03-16 23:14:53 +00:00
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-16 23:26:34 +00:00
|
|
|
func TestSystemBackend_revoke(t *testing.T) {
|
2015-03-24 18:37:07 +00:00
|
|
|
core, b, root := testCoreSystemBackend(t)
|
2015-03-16 23:26:34 +00:00
|
|
|
|
|
|
|
// Create a key with a lease
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "secret/foo")
|
|
|
|
req.Data["foo"] = "bar"
|
|
|
|
req.Data["lease"] = "1h"
|
2015-03-24 18:37:07 +00:00
|
|
|
req.ClientToken = root
|
2015-03-16 23:26:34 +00:00
|
|
|
resp, err := core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
2015-04-08 20:35:32 +00:00
|
|
|
// Read a key with a LeaseID
|
2015-03-16 23:26:34 +00:00
|
|
|
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
2015-03-24 18:37:07 +00:00
|
|
|
req.ClientToken = root
|
2015-03-16 23:26:34 +00:00
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-04-08 20:35:32 +00:00
|
|
|
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
|
2015-03-16 23:26:34 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
2015-03-16 23:33:48 +00:00
|
|
|
// Attempt revoke
|
2015-04-08 20:35:32 +00:00
|
|
|
req2 := logical.TestRequest(t, logical.WriteOperation, "revoke/"+resp.Secret.LeaseID)
|
2015-03-16 23:26:34 +00:00
|
|
|
resp2, err := b.HandleRequest(req2)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %#v", err, resp2)
|
|
|
|
}
|
|
|
|
if resp2 != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
2015-03-16 23:33:48 +00:00
|
|
|
|
|
|
|
// Attempt renew
|
2015-04-08 20:35:32 +00:00
|
|
|
req3 := logical.TestRequest(t, logical.WriteOperation, "renew/"+resp.Secret.LeaseID)
|
2015-03-16 23:33:48 +00:00
|
|
|
resp3, err := b.HandleRequest(req3)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-06-18 22:37:08 +00:00
|
|
|
if resp3.Data["error"] != "lease not found or lease is not renewable" {
|
2015-03-16 23:33:48 +00:00
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
2015-03-16 23:26:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_revoke_invalidID(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
|
|
|
// Attempt renew
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "revoke/foobarbaz")
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-16 23:33:48 +00:00
|
|
|
func TestSystemBackend_revokePrefix(t *testing.T) {
|
2015-03-24 18:37:07 +00:00
|
|
|
core, b, root := testCoreSystemBackend(t)
|
2015-03-16 23:33:48 +00:00
|
|
|
|
|
|
|
// Create a key with a lease
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "secret/foo")
|
|
|
|
req.Data["foo"] = "bar"
|
|
|
|
req.Data["lease"] = "1h"
|
2015-03-24 18:37:07 +00:00
|
|
|
req.ClientToken = root
|
2015-03-16 23:33:48 +00:00
|
|
|
resp, err := core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
2015-04-08 20:35:32 +00:00
|
|
|
// Read a key with a LeaseID
|
2015-03-16 23:33:48 +00:00
|
|
|
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
2015-03-24 18:37:07 +00:00
|
|
|
req.ClientToken = root
|
2015-03-16 23:33:48 +00:00
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-04-08 20:35:32 +00:00
|
|
|
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
|
2015-03-16 23:33:48 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Attempt revoke
|
|
|
|
req2 := logical.TestRequest(t, logical.WriteOperation, "revoke-prefix/secret/")
|
|
|
|
resp2, err := b.HandleRequest(req2)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %#v", err, resp2)
|
|
|
|
}
|
|
|
|
if resp2 != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Attempt renew
|
2015-04-08 20:35:32 +00:00
|
|
|
req3 := logical.TestRequest(t, logical.WriteOperation, "renew/"+resp.Secret.LeaseID)
|
2015-03-16 23:33:48 +00:00
|
|
|
resp3, err := b.HandleRequest(req3)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-06-18 22:37:08 +00:00
|
|
|
if resp3.Data["error"] != "lease not found or lease is not renewable" {
|
2015-03-16 23:33:48 +00:00
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-20 19:48:19 +00:00
|
|
|
func TestSystemBackend_authTable(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
req := logical.TestRequest(t, logical.ReadOperation, "auth")
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
exp := map[string]interface{}{
|
2015-04-03 21:24:00 +00:00
|
|
|
"token/": map[string]string{
|
2015-03-20 19:48:19 +00:00
|
|
|
"type": "token",
|
|
|
|
"description": "token based credentials",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(resp.Data, exp) {
|
|
|
|
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_enableAuth(t *testing.T) {
|
2015-03-24 18:37:07 +00:00
|
|
|
c, b, _ := testCoreSystemBackend(t)
|
2015-07-01 00:30:43 +00:00
|
|
|
c.credentialBackends["noop"] = func(*logical.BackendConfig) (logical.Backend, error) {
|
2015-03-31 01:07:05 +00:00
|
|
|
return &NoopBackend{}, nil
|
2015-03-20 19:48:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "auth/foo")
|
|
|
|
req.Data["type"] = "noop"
|
|
|
|
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_enableAuth_invalid(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "auth/foo")
|
|
|
|
req.Data["type"] = "nope"
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp.Data["error"] != "unknown backend type: nope" {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_disableAuth(t *testing.T) {
|
2015-03-24 18:37:07 +00:00
|
|
|
c, b, _ := testCoreSystemBackend(t)
|
2015-07-01 00:30:43 +00:00
|
|
|
c.credentialBackends["noop"] = func(*logical.BackendConfig) (logical.Backend, error) {
|
2015-03-31 01:07:05 +00:00
|
|
|
return &NoopBackend{}, nil
|
2015-03-20 19:48:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Register the backend
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "auth/foo")
|
|
|
|
req.Data["type"] = "noop"
|
|
|
|
b.HandleRequest(req)
|
|
|
|
|
|
|
|
// Deregister it
|
|
|
|
req = logical.TestRequest(t, logical.DeleteOperation, "auth/foo")
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_disableAuth_invalid(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.DeleteOperation, "auth/foo")
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp.Data["error"] != "no matching backend" {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-23 21:43:31 +00:00
|
|
|
func TestSystemBackend_policyList(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
req := logical.TestRequest(t, logical.ReadOperation, "policy")
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
exp := map[string]interface{}{
|
|
|
|
"keys": []string{"root"},
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(resp.Data, exp) {
|
|
|
|
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_policyCRUD(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
|
|
|
// Create the policy
|
|
|
|
rules := `path "foo/" { policy = "read" }`
|
2015-10-07 17:52:21 +00:00
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "policy/Foo")
|
2015-03-23 21:43:31 +00:00
|
|
|
req.Data["rules"] = rules
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %#v", err, resp)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Read the policy
|
|
|
|
req = logical.TestRequest(t, logical.ReadOperation, "policy/foo")
|
|
|
|
resp, err = b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
exp := map[string]interface{}{
|
|
|
|
"name": "foo",
|
|
|
|
"rules": rules,
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(resp.Data, exp) {
|
|
|
|
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
|
|
|
|
}
|
|
|
|
|
2015-10-07 17:52:21 +00:00
|
|
|
// Read, and make sure that case has been normalized
|
|
|
|
req = logical.TestRequest(t, logical.ReadOperation, "policy/Foo")
|
|
|
|
resp, err = b.HandleRequest(req)
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("err: expected nil response, got %#v", *resp)
|
|
|
|
}
|
|
|
|
|
2015-03-23 21:43:31 +00:00
|
|
|
// List the policies
|
|
|
|
req = logical.TestRequest(t, logical.ReadOperation, "policy")
|
|
|
|
resp, err = b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
exp = map[string]interface{}{
|
|
|
|
"keys": []string{"foo", "root"},
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(resp.Data, exp) {
|
|
|
|
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Delete the policy
|
|
|
|
req = logical.TestRequest(t, logical.DeleteOperation, "policy/foo")
|
|
|
|
resp, err = b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Read the policy (deleted)
|
|
|
|
req = logical.TestRequest(t, logical.ReadOperation, "policy/foo")
|
|
|
|
resp, err = b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// List the policies (deleted)
|
|
|
|
req = logical.TestRequest(t, logical.ReadOperation, "policy")
|
|
|
|
resp, err = b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
exp = map[string]interface{}{
|
|
|
|
"keys": []string{"root"},
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(resp.Data, exp) {
|
|
|
|
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-31 23:45:00 +00:00
|
|
|
func TestSystemBackend_enableAudit(t *testing.T) {
|
|
|
|
c, b, _ := testCoreSystemBackend(t)
|
2015-09-18 21:36:42 +00:00
|
|
|
c.auditBackends["noop"] = func(config *audit.BackendConfig) (audit.Backend, error) {
|
|
|
|
return &NoopAudit{
|
|
|
|
Config: config,
|
|
|
|
}, nil
|
2015-03-31 23:45:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "audit/foo")
|
|
|
|
req.Data["type"] = "noop"
|
|
|
|
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_enableAudit_invalid(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "audit/foo")
|
|
|
|
req.Data["type"] = "nope"
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp.Data["error"] != "unknown backend type: nope" {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_auditTable(t *testing.T) {
|
|
|
|
c, b, _ := testCoreSystemBackend(t)
|
2015-09-18 21:36:42 +00:00
|
|
|
c.auditBackends["noop"] = func(config *audit.BackendConfig) (audit.Backend, error) {
|
|
|
|
return &NoopAudit{
|
|
|
|
Config: config,
|
|
|
|
}, nil
|
2015-03-31 23:45:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "audit/foo")
|
|
|
|
req.Data["type"] = "noop"
|
|
|
|
req.Data["description"] = "testing"
|
|
|
|
req.Data["options"] = map[string]interface{}{
|
|
|
|
"foo": "bar",
|
|
|
|
}
|
|
|
|
b.HandleRequest(req)
|
|
|
|
|
|
|
|
req = logical.TestRequest(t, logical.ReadOperation, "audit")
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
exp := map[string]interface{}{
|
2015-04-03 21:27:33 +00:00
|
|
|
"foo/": map[string]interface{}{
|
2015-03-31 23:45:00 +00:00
|
|
|
"type": "noop",
|
|
|
|
"description": "testing",
|
|
|
|
"options": map[string]string{
|
|
|
|
"foo": "bar",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(resp.Data, exp) {
|
|
|
|
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_disableAudit(t *testing.T) {
|
|
|
|
c, b, _ := testCoreSystemBackend(t)
|
2015-09-18 21:36:42 +00:00
|
|
|
c.auditBackends["noop"] = func(config *audit.BackendConfig) (audit.Backend, error) {
|
|
|
|
return &NoopAudit{
|
|
|
|
Config: config,
|
|
|
|
}, nil
|
2015-03-31 23:45:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "audit/foo")
|
|
|
|
req.Data["type"] = "noop"
|
|
|
|
req.Data["description"] = "testing"
|
|
|
|
req.Data["options"] = map[string]interface{}{
|
|
|
|
"foo": "bar",
|
|
|
|
}
|
|
|
|
b.HandleRequest(req)
|
|
|
|
|
|
|
|
// Deregister it
|
|
|
|
req = logical.TestRequest(t, logical.DeleteOperation, "audit/foo")
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_disableAudit_invalid(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.DeleteOperation, "audit/foo")
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp.Data["error"] != "no matching backend" {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-05-28 17:24:41 +00:00
|
|
|
func TestSystemBackend_rawRead_Protected(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.ReadOperation, "raw/"+keyringPath)
|
|
|
|
_, err := b.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-04-02 00:44:43 +00:00
|
|
|
func TestSystemBackend_rawRead(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.ReadOperation, "raw/"+coreMountConfigPath)
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp.Data["value"].(string)[0] != '{' {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-05-28 17:24:41 +00:00
|
|
|
func TestSystemBackend_rawWrite_Protected(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "raw/"+keyringPath)
|
|
|
|
_, err := b.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-04-02 00:44:43 +00:00
|
|
|
func TestSystemBackend_rawWrite(t *testing.T) {
|
|
|
|
c, b, _ := testCoreSystemBackend(t)
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "raw/sys/policy/test")
|
|
|
|
req.Data["value"] = `path "secret/" { policy = "read" }`
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Read the policy!
|
|
|
|
p, err := c.policy.GetPolicy("test")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if p == nil || len(p.Paths) == 0 {
|
|
|
|
t.Fatalf("missing policy %#v", p)
|
|
|
|
}
|
|
|
|
if p.Paths[0].Prefix != "secret/" || p.Paths[0].Policy != PathPolicyRead {
|
|
|
|
t.Fatalf("Bad: %#v", p)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-05-28 17:24:41 +00:00
|
|
|
func TestSystemBackend_rawDelete_Protected(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.DeleteOperation, "raw/"+keyringPath)
|
|
|
|
_, err := b.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-04-02 00:44:43 +00:00
|
|
|
func TestSystemBackend_rawDelete(t *testing.T) {
|
|
|
|
c, b, _ := testCoreSystemBackend(t)
|
|
|
|
|
|
|
|
// set the policy!
|
|
|
|
p := &Policy{Name: "test"}
|
|
|
|
err := c.policy.SetPolicy(p)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Delete the policy
|
|
|
|
req := logical.TestRequest(t, logical.DeleteOperation, "raw/sys/policy/test")
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Policy should be gone
|
2015-04-06 23:41:48 +00:00
|
|
|
c.policy.lru.Purge()
|
2015-04-02 00:44:43 +00:00
|
|
|
out, err := c.policy.GetPolicy("test")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if out != nil {
|
|
|
|
t.Fatalf("policy should be gone")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-05-28 00:53:42 +00:00
|
|
|
func TestSystemBackend_keyStatus(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
req := logical.TestRequest(t, logical.ReadOperation, "key-status")
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
exp := map[string]interface{}{
|
|
|
|
"term": 1,
|
|
|
|
}
|
|
|
|
delete(resp.Data, "install_time")
|
|
|
|
if !reflect.DeepEqual(resp.Data, exp) {
|
|
|
|
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSystemBackend_rotate(t *testing.T) {
|
|
|
|
b := testSystemBackend(t)
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.WriteOperation, "rotate")
|
|
|
|
resp, err := b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req = logical.TestRequest(t, logical.ReadOperation, "key-status")
|
|
|
|
resp, err = b.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
exp := map[string]interface{}{
|
|
|
|
"term": 2,
|
|
|
|
}
|
|
|
|
delete(resp.Data, "install_time")
|
|
|
|
if !reflect.DeepEqual(resp.Data, exp) {
|
|
|
|
t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-16 00:35:59 +00:00
|
|
|
func testSystemBackend(t *testing.T) logical.Backend {
|
2015-03-29 23:18:08 +00:00
|
|
|
c, _, _ := TestCoreUnsealed(t)
|
2015-09-04 20:58:12 +00:00
|
|
|
bc := &logical.BackendConfig{
|
|
|
|
Logger: c.logger,
|
|
|
|
System: logical.StaticSystemView{
|
|
|
|
DefaultLeaseTTLVal: time.Hour * 24,
|
|
|
|
MaxLeaseTTLVal: time.Hour * 24 * 30,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
return NewSystemBackend(c, bc)
|
2015-03-15 21:42:05 +00:00
|
|
|
}
|
2015-03-16 23:11:55 +00:00
|
|
|
|
2015-03-24 18:37:07 +00:00
|
|
|
func testCoreSystemBackend(t *testing.T) (*Core, logical.Backend, string) {
|
2015-03-29 23:18:08 +00:00
|
|
|
c, _, root := TestCoreUnsealed(t)
|
2015-09-04 20:58:12 +00:00
|
|
|
bc := &logical.BackendConfig{
|
|
|
|
Logger: c.logger,
|
|
|
|
System: logical.StaticSystemView{
|
|
|
|
DefaultLeaseTTLVal: time.Hour * 24,
|
|
|
|
MaxLeaseTTLVal: time.Hour * 24 * 30,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
return c, NewSystemBackend(c, bc), root
|
2015-03-16 23:11:55 +00:00
|
|
|
}
|