open-vault/ui/tests/acceptance/transit-test.js

285 lines
8.8 KiB
JavaScript
Raw Normal View History

import { click, fillIn, find, currentURL, settled, visit } from '@ember/test-helpers';
import { module, test } from 'qunit';
import { setupApplicationTest } from 'ember-qunit';
2018-04-03 14:16:57 +00:00
import { encodeString } from 'vault/utils/b64';
import authPage from 'vault/tests/pages/auth';
import enablePage from 'vault/tests/pages/settings/mount-secret-backend';
2018-04-03 14:16:57 +00:00
const keyTypes = [
{
name: ts => `aes-${ts}`,
type: 'aes256-gcm96',
exportable: true,
supportsEncryption: true,
},
{
name: ts => `aes-convergent-${ts}`,
type: 'aes256-gcm96',
convergent: true,
supportsEncryption: true,
},
{
name: ts => `chacha-${ts}`,
type: 'chacha20-poly1305',
exportable: true,
supportsEncryption: true,
},
{
name: ts => `chacha-convergent-${ts}`,
type: 'chacha20-poly1305',
convergent: true,
supportsEncryption: true,
},
{
name: ts => `ecdsa-${ts}`,
type: 'ecdsa-p256',
exportable: true,
supportsSigning: true,
},
{
name: ts => `ed25519-${ts}`,
type: 'ed25519',
derived: true,
supportsSigning: true,
},
{
name: ts => `rsa-2048-${ts}`,
type: `rsa-2048`,
supportsSigning: true,
supportsEncryption: true,
},
{
name: ts => `rsa-4096-${ts}`,
type: `rsa-4096`,
supportsSigning: true,
supportsEncryption: true,
},
];
2018-04-03 14:16:57 +00:00
let generateTransitKey = async function(key, now) {
let name = key.name(now);
await click('[data-test-secret-create]');
await fillIn('[data-test-transit-key-name]', name);
await fillIn('[data-test-transit-key-type]', key.type);
if (key.exportable) {
await click('[data-test-transit-key-exportable]');
}
if (key.derived) {
await click('[data-test-transit-key-derived]');
}
if (key.convergent) {
await click('[data-test-transit-key-convergent-encryption]');
}
await click('[data-test-transit-key-create]');
await settled();
// link back to the list
await click('[data-test-secret-root-link]');
await settled();
return name;
2018-04-03 14:16:57 +00:00
};
const testConvergentEncryption = async function(assert, keyName) {
2018-04-03 14:16:57 +00:00
const tests = [
// raw bytes for plaintext and context
{
plaintext: 'NaXud2QW7KjyK6Me9ggh+zmnCeBGdG93LQED49PtoOI=',
context: 'nqR8LiVgNh/lwO2rArJJE9F9DMhh0lKo4JX9DAAkCDw=',
encodePlaintext: false,
encodeContext: false,
decodeAfterDecrypt: false,
assertAfterEncrypt: key => {
assert.ok(
/vault:/.test(find('[data-test-transit-input="ciphertext"]').value),
2018-04-03 14:16:57 +00:00
`${key}: ciphertext shows a vault-prefixed ciphertext`
);
},
assertBeforeDecrypt: key => {
assert
.dom('[data-test-transit-input="context"]')
.hasValue(
'nqR8LiVgNh/lwO2rArJJE9F9DMhh0lKo4JX9DAAkCDw=',
`${key}: the ui shows the base64-encoded context`
);
2018-04-03 14:16:57 +00:00
},
assertAfterDecrypt: key => {
assert
.dom('[data-test-transit-input="plaintext"]')
.hasValue(
'NaXud2QW7KjyK6Me9ggh+zmnCeBGdG93LQED49PtoOI=',
`${key}: the ui shows the base64-encoded plaintext`
);
2018-04-03 14:16:57 +00:00
},
},
// raw bytes for plaintext, string for context
{
plaintext: 'NaXud2QW7KjyK6Me9ggh+zmnCeBGdG93LQED49PtoOI=',
context: encodeString('context'),
encodePlaintext: false,
encodeContext: false,
decodeAfterDecrypt: false,
assertAfterEncrypt: key => {
assert.ok(
/vault:/.test(find('[data-test-transit-input="ciphertext"]').value),
2018-04-03 14:16:57 +00:00
`${key}: ciphertext shows a vault-prefixed ciphertext`
);
},
assertBeforeDecrypt: key => {
assert
.dom('[data-test-transit-input="context"]')
.hasValue(encodeString('context'), `${key}: the ui shows the input context`);
2018-04-03 14:16:57 +00:00
},
assertAfterDecrypt: key => {
assert
.dom('[data-test-transit-input="plaintext"]')
.hasValue(
'NaXud2QW7KjyK6Me9ggh+zmnCeBGdG93LQED49PtoOI=',
`${key}: the ui shows the base64-encoded plaintext`
);
2018-04-03 14:16:57 +00:00
},
},
// base64 input
{
plaintext: encodeString('This is the secret'),
context: encodeString('context'),
encodePlaintext: false,
encodeContext: false,
decodeAfterDecrypt: true,
assertAfterEncrypt: key => {
assert.ok(
/vault:/.test(find('[data-test-transit-input="ciphertext"]').value),
2018-04-03 14:16:57 +00:00
`${key}: ciphertext shows a vault-prefixed ciphertext`
);
},
assertBeforeDecrypt: key => {
assert
.dom('[data-test-transit-input="context"]')
.hasValue(encodeString('context'), `${key}: the ui shows the input context`);
2018-04-03 14:16:57 +00:00
},
assertAfterDecrypt: key => {
assert
.dom('[data-test-transit-input="plaintext"]')
.hasValue('This is the secret', `${key}: the ui decodes plaintext`);
2018-04-03 14:16:57 +00:00
},
},
// string input
{
plaintext: 'There are many secrets 🤐',
context: 'secret 2',
encodePlaintext: true,
encodeContext: true,
decodeAfterDecrypt: true,
assertAfterEncrypt: key => {
assert.ok(find('[data-test-transit-input="ciphertext"]'), `${key}: ciphertext box shows`);
2018-04-03 14:16:57 +00:00
assert.ok(
/vault:/.test(find('[data-test-transit-input="ciphertext"]').value),
2018-04-03 14:16:57 +00:00
`${key}: ciphertext shows a vault-prefixed ciphertext`
);
},
assertBeforeDecrypt: key => {
assert
.dom('[data-test-transit-input="context"]')
.hasValue(encodeString('secret 2'), `${key}: the ui shows the encoded context`);
2018-04-03 14:16:57 +00:00
},
assertAfterDecrypt: key => {
assert.ok(find('[data-test-transit-input="plaintext"]'), `${key}: plaintext box shows`);
assert
.dom('[data-test-transit-input="plaintext"]')
.hasValue('There are many secrets 🤐', `${key}: the ui decodes plaintext`);
2018-04-03 14:16:57 +00:00
},
},
];
for (let testCase of tests) {
await click('[data-test-transit-action-link="encrypt"]');
await fillIn('[data-test-transit-input="plaintext"]', testCase.plaintext);
await fillIn('[data-test-transit-input="context"]', testCase.context);
2018-04-03 14:16:57 +00:00
if (testCase.encodePlaintext) {
await click('[data-test-transit-b64-toggle="plaintext"]');
2018-04-03 14:16:57 +00:00
}
if (testCase.encodeContext) {
await click('[data-test-transit-b64-toggle="context"]');
2018-04-03 14:16:57 +00:00
}
await click('[data-test-button-encrypt]');
await settled();
2018-04-03 14:16:57 +00:00
if (testCase.assertAfterEncrypt) {
testCase.assertAfterEncrypt(keyName);
2018-04-03 14:16:57 +00:00
}
await click('[data-test-transit-action-link="decrypt"]');
await settled();
2018-04-03 14:16:57 +00:00
if (testCase.assertBeforeDecrypt) {
testCase.assertBeforeDecrypt(keyName);
2018-04-03 14:16:57 +00:00
}
await click('[data-test-button-decrypt]');
await settled();
2018-04-03 14:16:57 +00:00
if (testCase.assertAfterDecrypt) {
if (testCase.decodeAfterDecrypt) {
await click('[data-test-transit-b64-toggle="plaintext"]');
testCase.assertAfterDecrypt(keyName);
} else {
testCase.assertAfterDecrypt(keyName);
}
2018-04-03 14:16:57 +00:00
}
}
2018-04-03 14:16:57 +00:00
};
module('Acceptance | transit', function(hooks) {
setupApplicationTest(hooks);
let path;
let now;
2018-04-03 14:16:57 +00:00
hooks.beforeEach(async function() {
await authPage.login();
now = new Date().getTime();
path = `transit-${now}`;
2018-04-03 14:16:57 +00:00
await enablePage.enable('transit', path);
await settled();
});
2018-04-03 14:16:57 +00:00
for (let key of keyTypes) {
test(`transit backend: ${key.type}`, async function(assert) {
let name = await generateTransitKey(key, now);
await visit(`vault/secrets/${path}/show/${name}`);
await settled();
await click('[data-test-transit-link="versions"]');
// wait for capabilities
await settled();
assert.dom('[data-test-transit-key-version-row]').exists({ count: 1 }, `${name}: only one key version`);
await click('[data-test-confirm-action-trigger');
await click('[data-test-confirm-button]');
// wait for rotate call
await settled();
assert
.dom('[data-test-transit-key-version-row]')
.exists({ count: 2 }, `${name}: two key versions after rotate`);
await click('[data-test-transit-key-actions-link]');
await settled();
UI namespaces (#5119) * add namespace sidebar item * depend on ember-inflector directly * list-view and list-item components * fill out components and render empty namespaces page * list namespaces in access * add menu contextual component to list item * popup contextual component * full crud for namespaces * add namespaces service and picker component * split application and vault.cluster templates and controllers, add namespace query param, add namespace-picker to vault.namespace template * remove usage of href-to * remove ember-href-to from deps * add ember-responsive * start styling the picker and link to appropriate namespaces, use ember-responsive to render picker in different places based on the breakpoint * get query param working and save ns to authdata when authenticating, feed through ns in application adapter * move to observer on the controller for setting state on the service * set state in the beforeModel hook and clear the ember data model cache * nav to secrets on change and make error handling more resilient utilizing the method that atlas does to eagerly update URLs * add a list of sys endpoints in a helper * hide header elements if not in the root namespace * debounce namespace input on auth, fix 404 for auth method fetch, move auth method fetch to a task on the auth-form component and refretch on namespace change * fix display of supported engines and exclusion of sys and identity engines * don't fetch replication status if you're in a non-root namespace * hide seal sub-menu if not in the root namespace * don't autocomplete auth form inputs * always send some requests to the root namespace * use methodType and engineType instead of type in case there it is ns_ prefixed * use sys/internal/ui/namespaces to fetch the list in the dropdown * don't use model for namespace picker and always make the request to the token namespace * fix header handling for fetch calls * use namespace-reminder component on creation and edit forms throughout the application * add namespace-reminder to the console * add flat * add deepmerge for creating the tree in the menu * delayed rendering for animation timing * design and code feedback on the first round * white text in the namespace picker * fix namespace picker issues with root keys * separate path-to-tree * add tests for path-to-tree util * hide picker if you're in the root ns and you can't access other namespaces * show error message if you enter invalid characters for namespace path * return a different model if we dont have the namespaces feature and show upgrade page * if a token has a namespace_path, use that as the root user namespace and transition them there on login * use token namespace for user, but use specified namespace to log in * always renew tokens in the token namespace * fix edition-badge test
2018-08-16 17:48:24 +00:00
assert.ok(
currentURL().startsWith(`/vault/secrets/${path}/actions/${name}`),
`${name}: navigates to tranist actions`
);
assert.ok(
find('[data-test-transit-key-version-select]'),
`${name}: the rotated key allows you to select versions`
2018-04-03 14:16:57 +00:00
);
if (key.exportable) {
assert.ok(
find('[data-test-transit-action-link="export"]'),
`${name}: exportable key has a link to export action`
2018-04-03 14:16:57 +00:00
);
} else {
assert
.dom('[data-test-transit-action-link="export"]')
.doesNotExist(`${name}: non-exportable key does not link to export action`);
2018-04-03 14:16:57 +00:00
}
if (key.convergent && key.supportsEncryption) {
await testConvergentEncryption(assert, name);
2018-04-03 14:16:57 +00:00
}
await settled();
});
}
2018-04-03 14:16:57 +00:00
});