open-vault/http/logical_test.go

297 lines
7.8 KiB
Go
Raw Normal View History

package http
import (
2015-05-27 21:19:12 +00:00
"bytes"
"encoding/json"
2015-05-27 21:19:12 +00:00
"io"
"net/http"
"reflect"
"strconv"
"strings"
"testing"
2015-04-05 00:42:19 +00:00
"time"
2016-08-19 20:45:17 +00:00
log "github.com/mgutz/logxi/v1"
"github.com/hashicorp/vault/helper/logformat"
2015-04-19 20:18:09 +00:00
"github.com/hashicorp/vault/physical"
"github.com/hashicorp/vault/vault"
)
func TestLogical(t *testing.T) {
2015-03-29 23:14:54 +00:00
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
2015-03-29 23:14:54 +00:00
TestServerAuth(t, addr, token)
2015-04-07 18:04:06 +00:00
// WRITE
2015-08-22 00:36:19 +00:00
resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
"data": "bar",
})
testResponseStatus(t, resp, 204)
2015-04-07 18:04:06 +00:00
// READ
// Bad token should return a 403
resp = testHttpGet(t, token+"bad", addr+"/v1/secret/foo")
testResponseStatus(t, resp, 403)
resp = testHttpGet(t, token, addr+"/v1/secret/foo")
var actual map[string]interface{}
2015-10-07 21:21:41 +00:00
var nilWarnings interface{}
expected := map[string]interface{}{
2015-03-16 20:29:51 +00:00
"renewable": false,
"lease_duration": json.Number(strconv.Itoa(int((32 * 24 * time.Hour) / time.Second))),
"data": map[string]interface{}{
"data": "bar",
},
"auth": nil,
"wrap_info": nil,
"warnings": nilWarnings,
}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
delete(actual, "lease_id")
2016-07-26 22:30:13 +00:00
expected["request_id"] = actual["request_id"]
if !reflect.DeepEqual(actual, expected) {
2015-10-07 21:21:41 +00:00
t.Fatalf("bad:\nactual:\n%#v\nexpected:\n%#v", actual, expected)
}
2015-04-07 18:04:06 +00:00
// DELETE
2015-08-22 00:36:19 +00:00
resp = testHttpDelete(t, token, addr+"/v1/secret/foo")
2015-04-07 18:04:06 +00:00
testResponseStatus(t, resp, 204)
2015-08-22 00:36:19 +00:00
resp = testHttpGet(t, token, addr+"/v1/secret/foo")
2015-04-07 18:04:06 +00:00
testResponseStatus(t, resp, 404)
}
func TestLogical_noExist(t *testing.T) {
2015-03-29 23:14:54 +00:00
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
2015-03-29 23:14:54 +00:00
TestServerAuth(t, addr, token)
2015-08-22 00:36:19 +00:00
resp := testHttpGet(t, token, addr+"/v1/secret/foo")
testResponseStatus(t, resp, 404)
}
2015-04-19 20:18:09 +00:00
func TestLogical_StandbyRedirect(t *testing.T) {
ln1, addr1 := TestListener(t)
defer ln1.Close()
ln2, addr2 := TestListener(t)
defer ln2.Close()
// Create an HA Vault
2016-08-19 20:45:17 +00:00
logger := logformat.NewVaultLogger(log.LevelTrace)
inmha := physical.NewInmemHA(logger)
2015-04-29 01:12:57 +00:00
conf := &vault.CoreConfig{
Physical: inmha,
HAPhysical: inmha,
RedirectAddr: addr1,
DisableMlock: true,
2015-04-29 01:12:57 +00:00
}
2015-04-19 20:18:09 +00:00
core1, err := vault.NewCore(conf)
if err != nil {
t.Fatalf("err: %v", err)
}
2017-01-17 20:43:10 +00:00
keys, root := vault.TestCoreInit(t, core1)
for _, key := range keys {
if _, err := core1.Unseal(vault.TestKeyCopy(key)); err != nil {
t.Fatalf("unseal err: %s", err)
}
2015-04-19 20:18:09 +00:00
}
// Attempt to fix raciness in this test by giving the first core a chance
// to grab the lock
time.Sleep(2 * time.Second)
2015-04-19 20:18:09 +00:00
// Create a second HA Vault
2015-04-29 01:12:57 +00:00
conf2 := &vault.CoreConfig{
Physical: inmha,
HAPhysical: inmha,
RedirectAddr: addr2,
DisableMlock: true,
2015-04-29 01:12:57 +00:00
}
2015-04-19 20:18:09 +00:00
core2, err := vault.NewCore(conf2)
if err != nil {
t.Fatalf("err: %v", err)
}
2017-01-17 20:43:10 +00:00
for _, key := range keys {
if _, err := core2.Unseal(vault.TestKeyCopy(key)); err != nil {
t.Fatalf("unseal err: %s", err)
}
2015-04-19 20:18:09 +00:00
}
TestServerWithListener(t, ln1, addr1, core1)
TestServerWithListener(t, ln2, addr2, core2)
TestServerAuth(t, addr1, root)
// WRITE to STANDBY
2017-01-17 20:43:10 +00:00
resp := testHttpPutDisableRedirect(t, root, addr2+"/v1/secret/foo", map[string]interface{}{
2015-04-19 20:18:09 +00:00
"data": "bar",
})
2017-01-17 20:43:10 +00:00
logger.Trace("307 test one starting")
2015-04-19 20:18:09 +00:00
testResponseStatus(t, resp, 307)
2017-01-17 20:43:10 +00:00
logger.Trace("307 test one stopping")
2015-04-19 20:18:09 +00:00
//// READ to standby
2015-08-22 00:36:19 +00:00
resp = testHttpGet(t, root, addr2+"/v1/auth/token/lookup-self")
2015-04-19 20:18:09 +00:00
var actual map[string]interface{}
2015-10-07 21:21:41 +00:00
var nilWarnings interface{}
2015-04-19 20:18:09 +00:00
expected := map[string]interface{}{
"renewable": false,
"lease_duration": json.Number("0"),
2015-04-19 20:18:09 +00:00
"data": map[string]interface{}{
"meta": nil,
"num_uses": json.Number("0"),
"path": "auth/token/root",
"policies": []interface{}{"root"},
"display_name": "root",
"orphan": true,
"id": root,
"ttl": json.Number("0"),
"creation_ttl": json.Number("0"),
"explicit_max_ttl": json.Number("0"),
"expire_time": nil,
2015-04-19 20:18:09 +00:00
},
"warnings": nilWarnings,
"wrap_info": nil,
"auth": nil,
2015-04-19 20:18:09 +00:00
}
2015-08-22 00:36:19 +00:00
2015-04-19 20:18:09 +00:00
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
actualDataMap := actual["data"].(map[string]interface{})
delete(actualDataMap, "creation_time")
2016-03-09 18:45:36 +00:00
delete(actualDataMap, "accessor")
actual["data"] = actualDataMap
2016-07-26 22:30:13 +00:00
expected["request_id"] = actual["request_id"]
2015-04-19 20:18:09 +00:00
delete(actual, "lease_id")
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: got %#v; expected %#v", actual, expected)
2015-04-19 20:18:09 +00:00
}
//// DELETE to standby
2017-01-17 20:43:10 +00:00
resp = testHttpDeleteDisableRedirect(t, root, addr2+"/v1/secret/foo")
logger.Trace("307 test two starting")
2015-04-19 20:18:09 +00:00
testResponseStatus(t, resp, 307)
2017-01-17 20:43:10 +00:00
logger.Trace("307 test two stopping")
2015-04-19 20:18:09 +00:00
}
func TestLogical_CreateToken(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
TestServerAuth(t, addr, token)
// WRITE
2015-08-22 00:36:19 +00:00
resp := testHttpPut(t, token, addr+"/v1/auth/token/create", map[string]interface{}{
"data": "bar",
})
var actual map[string]interface{}
var nilWarnings interface{}
expected := map[string]interface{}{
"lease_id": "",
"renewable": false,
"lease_duration": json.Number("0"),
"data": nil,
"wrap_info": nil,
"auth": map[string]interface{}{
"policies": []interface{}{"root"},
"metadata": nil,
"lease_duration": json.Number("0"),
"renewable": false,
},
"warnings": nilWarnings,
}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
delete(actual["auth"].(map[string]interface{}), "client_token")
2016-03-09 18:45:36 +00:00
delete(actual["auth"].(map[string]interface{}), "accessor")
2016-07-26 22:30:13 +00:00
expected["request_id"] = actual["request_id"]
if !reflect.DeepEqual(actual, expected) {
2015-10-07 21:21:41 +00:00
t.Fatalf("bad:\nexpected:\n%#v\nactual:\n%#v", expected, actual)
}
}
2015-05-27 21:19:12 +00:00
func TestLogical_RawHTTP(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
TestServerAuth(t, addr, token)
2015-08-22 00:36:19 +00:00
resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
2015-05-27 21:19:12 +00:00
"type": "http",
})
testResponseStatus(t, resp, 204)
// Get the raw response
2015-08-22 00:36:19 +00:00
resp = testHttpGet(t, token, addr+"/v1/foo/raw")
2015-05-27 21:19:12 +00:00
testResponseStatus(t, resp, 200)
// Test the headers
if resp.Header.Get("Content-Type") != "plain/text" {
t.Fatalf("Bad: %#v", resp.Header)
}
// Get the body
body := new(bytes.Buffer)
io.Copy(body, resp.Body)
if string(body.Bytes()) != "hello world" {
t.Fatalf("Bad: %s", body.Bytes())
}
}
2016-11-17 20:06:43 +00:00
func TestLogical_RequestSizeLimit(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
TestServerAuth(t, addr, token)
// Write a very large object, should fail
resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
"data": make([]byte, MaxRequestSize),
})
testResponseStatus(t, resp, 413)
}
func TestLogical_ListSuffix(t *testing.T) {
core, _, _ := vault.TestCoreUnsealed(t)
req, _ := http.NewRequest("GET", "http://127.0.0.1:8200/v1/secret/foo", nil)
lreq, status, err := buildLogicalRequest(core, nil, req)
if err != nil {
t.Fatal(err)
}
if status != 0 {
t.Fatalf("got status %d", status)
}
if strings.HasSuffix(lreq.Path, "/") {
t.Fatal("trailing slash found on path")
}
req, _ = http.NewRequest("GET", "http://127.0.0.1:8200/v1/secret/foo?list=true", nil)
lreq, status, err = buildLogicalRequest(core, nil, req)
if err != nil {
t.Fatal(err)
}
if status != 0 {
t.Fatalf("got status %d", status)
}
if !strings.HasSuffix(lreq.Path, "/") {
t.Fatal("trailing slash not found on path")
}
req, _ = http.NewRequest("LIST", "http://127.0.0.1:8200/v1/secret/foo", nil)
lreq, status, err = buildLogicalRequest(core, nil, req)
if err != nil {
t.Fatal(err)
}
if status != 0 {
t.Fatalf("got status %d", status)
}
if !strings.HasSuffix(lreq.Path, "/") {
t.Fatal("trailing slash not found on path")
}
}