open-vault/vault/policy_store_test.go

package vault

import (
	"reflect"
	"testing"

	"github.com/hashicorp/vault/logical"
)

func mockPolicyStore(t *testing.T) *PolicyStore {
	_, barrier, _ := mockBarrier(t)
	view := NewBarrierView(barrier, "foo/")
	p := NewPolicyStore(view, logical.TestSystemView())
	return p
}

func mockPolicyStoreNoCache(t *testing.T) *PolicyStore {
	sysView := logical.TestSystemView()
	sysView.CachingDisabledVal = true
	_, barrier, _ := mockBarrier(t)
	view := NewBarrierView(barrier, "foo/")
	p := NewPolicyStore(view, sysView)
	return p
}

func TestPolicyStore_Root(t *testing.T) {
	ps := mockPolicyStore(t)

	// Get should return a special policy
	p, err := ps.GetPolicy("root", PolicyTypeToken)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if p == nil {
		t.Fatalf("bad: %v", p)
	}
	if p.Name != "root" {
		t.Fatalf("bad: %v", p)
	}

	// Set should fail
	err = ps.SetPolicy(p)
	if err.Error() != "cannot update root policy" {
		t.Fatalf("err: %v", err)
	}

	// Delete should fail
	err = ps.DeletePolicy("root", PolicyTypeACL)
	if err.Error() != "cannot delete root policy" {
		t.Fatalf("err: %v", err)
	}
}

func TestPolicyStore_CRUD(t *testing.T) {
	ps := mockPolicyStore(t)
	testPolicyStore_CRUD(t, ps)

	ps = mockPolicyStoreNoCache(t)
	testPolicyStore_CRUD(t, ps)
}

func testPolicyStore_CRUD(t *testing.T, ps *PolicyStore) {
	// Get should return nothing
	p, err := ps.GetPolicy("Dev", PolicyTypeToken)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if p != nil {
		t.Fatalf("bad: %v", p)
	}

	// Delete should be no-op
	err = ps.DeletePolicy("deV", PolicyTypeACL)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// List should be blank
	out, err := ps.ListPolicies(PolicyTypeACL)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if len(out) != 0 {
		t.Fatalf("bad: %v", out)
	}

	// Set should work
	policy, _ := ParseACLPolicy(aclPolicy)
	err = ps.SetPolicy(policy)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// Get should work
	p, err = ps.GetPolicy("dEv", PolicyTypeToken)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if !reflect.DeepEqual(p, policy) {
		t.Fatalf("bad: %v", p)
	}

	// List should be one element
	out, err = ps.ListPolicies(PolicyTypeACL)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if len(out) != 1 || out[0] != "dev" {
		t.Fatalf("bad: %v", out)
	}

	// Delete should be clear the entry
	err = ps.DeletePolicy("Dev", PolicyTypeACL)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// Get should fail
	p, err = ps.GetPolicy("deV", PolicyTypeToken)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if p != nil {
		t.Fatalf("bad: %v", p)
	}
}

// Test predefined policy handling
func TestPolicyStore_Predefined(t *testing.T) {
	core, _, _ := TestCoreUnsealed(t)
	// Ensure both default policies are created
	err := core.setupPolicyStore()
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	// List should be two elements
	out, err := core.policyStore.ListPolicies(PolicyTypeACL)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	// This shouldn't contain response-wrapping since it's non-assignable
	if len(out) != 1 || out[0] != "default" {
		t.Fatalf("bad: %v", out)
	}

	pCubby, err := core.policyStore.GetPolicy("response-wrapping", PolicyTypeToken)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if pCubby == nil {
		t.Fatal("nil cubby policy")
	}
	if pCubby.Raw != responseWrappingPolicy {
		t.Fatalf("bad: expected\n%s\ngot\n%s\n", responseWrappingPolicy, pCubby.Raw)
	}
	pRoot, err := core.policyStore.GetPolicy("root", PolicyTypeToken)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if pRoot == nil {
		t.Fatal("nil root policy")
	}

	err = core.policyStore.SetPolicy(pCubby)
	if err == nil {
		t.Fatalf("expected err setting %s", pCubby.Name)
	}
	err = core.policyStore.SetPolicy(pRoot)
	if err == nil {
		t.Fatalf("expected err setting %s", pRoot.Name)
	}
	err = core.policyStore.DeletePolicy(pCubby.Name, PolicyTypeACL)
	if err == nil {
		t.Fatalf("expected err deleting %s", pCubby.Name)
	}
	err = core.policyStore.DeletePolicy(pRoot.Name, PolicyTypeACL)
	if err == nil {
		t.Fatalf("expected err deleting %s", pRoot.Name)
	}
}

func TestPolicyStore_ACL(t *testing.T) {
	ps := mockPolicyStore(t)

	policy, _ := ParseACLPolicy(aclPolicy)
	err := ps.SetPolicy(policy)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	policy, _ = ParseACLPolicy(aclPolicy2)
	err = ps.SetPolicy(policy)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	acl, err := ps.ACL("dev", "ops")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	testLayeredACL(t, acl)
}
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`package vault`

			`import (`
			`"reflect"`
			`"testing"`
vault: upgrade old policies with implicit glob 2015-07-06 01:14:15 +00:00
			`"github.com/hashicorp/vault/logical"`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`)`

			`func mockPolicyStore(t testing.T) PolicyStore {`
			`_, barrier, _ := mockBarrier(t)`
			`view := NewBarrierView(barrier, "foo/")`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`p := NewPolicyStore(view, logical.TestSystemView())`
			`return p`
			`}`

			`func mockPolicyStoreNoCache(t testing.T) PolicyStore {`
			`sysView := logical.TestSystemView()`
Make a non-caching but still locking variant of transit for when caches are disabled 2016-04-21 20:32:06 +00:00			`sysView.CachingDisabledVal = true`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`_, barrier, _ := mockBarrier(t)`
			`view := NewBarrierView(barrier, "foo/")`
			`p := NewPolicyStore(view, sysView)`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`return p`
			`}`

vault: Special case root policy 2015-03-24 18:27:21 +00:00			`func TestPolicyStore_Root(t *testing.T) {`
			`ps := mockPolicyStore(t)`

			`// Get should return a special policy`
Sync 2017-10-23 18:59:37 +00:00			`p, err := ps.GetPolicy("root", PolicyTypeToken)`
vault: Special case root policy 2015-03-24 18:27:21 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if p == nil {`
			`t.Fatalf("bad: %v", p)`
			`}`
			`if p.Name != "root" {`
			`t.Fatalf("bad: %v", p)`
			`}`

			`// Set should fail`
			`err = ps.SetPolicy(p)`
			`if err.Error() != "cannot update root policy" {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// Delete should fail`
Sync 2017-10-23 18:59:37 +00:00			`err = ps.DeletePolicy("root", PolicyTypeACL)`
vault: Special case root policy 2015-03-24 18:27:21 +00:00			`if err.Error() != "cannot delete root policy" {`
			`t.Fatalf("err: %v", err)`
			`}`
			`}`

vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`func TestPolicyStore_CRUD(t *testing.T) {`
			`ps := mockPolicyStore(t)`
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`testPolicyStore_CRUD(t, ps)`

			`ps = mockPolicyStoreNoCache(t)`
			`testPolicyStore_CRUD(t, ps)`
			`}`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00
Plumb disabling caches through the policy store 2016-04-21 13:52:42 +00:00			`func testPolicyStore_CRUD(t testing.T, ps PolicyStore) {`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`// Get should return nothing`
Sync 2017-10-23 18:59:37 +00:00			`p, err := ps.GetPolicy("Dev", PolicyTypeToken)`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if p != nil {`
			`t.Fatalf("bad: %v", p)`
			`}`

			`// Delete should be no-op`
Sync 2017-10-23 18:59:37 +00:00			`err = ps.DeletePolicy("deV", PolicyTypeACL)`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// List should be blank`
Sync 2017-10-23 18:59:37 +00:00			`out, err := ps.ListPolicies(PolicyTypeACL)`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if len(out) != 0 {`
			`t.Fatalf("bad: %v", out)`
			`}`

			`// Set should work`
Sync 2017-10-23 18:59:37 +00:00			`policy, _ := ParseACLPolicy(aclPolicy)`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`err = ps.SetPolicy(policy)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// Get should work`
Sync 2017-10-23 18:59:37 +00:00			`p, err = ps.GetPolicy("dEv", PolicyTypeToken)`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if !reflect.DeepEqual(p, policy) {`
			`t.Fatalf("bad: %v", p)`
			`}`

			`// List should be one element`
Sync 2017-10-23 18:59:37 +00:00			`out, err = ps.ListPolicies(PolicyTypeACL)`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if len(out) != 1 \|\| out[0] != "dev" {`
			`t.Fatalf("bad: %v", out)`
			`}`

			`// Delete should be clear the entry`
Sync 2017-10-23 18:59:37 +00:00			`err = ps.DeletePolicy("Dev", PolicyTypeACL)`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`// Get should fail`
Sync 2017-10-23 18:59:37 +00:00			`p, err = ps.GetPolicy("deV", PolicyTypeToken)`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if p != nil {`
			`t.Fatalf("bad: %v", p)`
			`}`
			`}`

Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 04:08:07 +00:00			`// Test predefined policy handling`
			`func TestPolicyStore_Predefined(t *testing.T) {`
			`core, _, _ := TestCoreUnsealed(t)`
			`// Ensure both default policies are created`
			`err := core.setupPolicyStore()`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`// List should be two elements`
Sync 2017-10-23 18:59:37 +00:00			`out, err := core.policyStore.ListPolicies(PolicyTypeACL)`
Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 04:08:07 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
Add test for non-assignable policies 2016-07-25 19:59:02 +00:00			`// This shouldn't contain response-wrapping since it's non-assignable`
			`if len(out) != 1 \|\| out[0] != "default" {`
Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 04:08:07 +00:00			`t.Fatalf("bad: %v", out)`
			`}`

Sync 2017-10-23 18:59:37 +00:00			`pCubby, err := core.policyStore.GetPolicy("response-wrapping", PolicyTypeToken)`
Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 04:08:07 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
Sync 2017-10-23 18:59:37 +00:00			`if pCubby == nil {`
			`t.Fatal("nil cubby policy")`
			`}`
Wrapping enhancements (#1927) 2016-09-29 04:01:28 +00:00			`if pCubby.Raw != responseWrappingPolicy {`
			`t.Fatalf("bad: expected\n%s\ngot\n%s\n", responseWrappingPolicy, pCubby.Raw)`
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 20:11:33 +00:00			`}`
Sync 2017-10-23 18:59:37 +00:00			`pRoot, err := core.policyStore.GetPolicy("root", PolicyTypeToken)`
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 20:11:33 +00:00			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
Sync 2017-10-23 18:59:37 +00:00			`if pRoot == nil {`
			`t.Fatal("nil root policy")`
			`}`
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 20:11:33 +00:00
			`err = core.policyStore.SetPolicy(pCubby)`
			`if err == nil {`
			`t.Fatalf("expected err setting %s", pCubby.Name)`
			`}`
			`err = core.policyStore.SetPolicy(pRoot)`
			`if err == nil {`
			`t.Fatalf("expected err setting %s", pRoot.Name)`
			`}`
Sync 2017-10-23 18:59:37 +00:00			`err = core.policyStore.DeletePolicy(pCubby.Name, PolicyTypeACL)`
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 20:11:33 +00:00			`if err == nil {`
			`t.Fatalf("expected err deleting %s", pCubby.Name)`
			`}`
Sync 2017-10-23 18:59:37 +00:00			`err = core.policyStore.DeletePolicy(pRoot.Name, PolicyTypeACL)`
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 20:11:33 +00:00			`if err == nil {`
			`t.Fatalf("expected err deleting %s", pRoot.Name)`
Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 04:08:07 +00:00			`}`
			`}`

vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`func TestPolicyStore_ACL(t *testing.T) {`
			`ps := mockPolicyStore(t)`

Sync 2017-10-23 18:59:37 +00:00			`policy, _ := ParseACLPolicy(aclPolicy)`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`err := ps.SetPolicy(policy)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
Sync 2017-10-23 18:59:37 +00:00			`policy, _ = ParseACLPolicy(aclPolicy2)`
vault: Adding PolicyStore 2015-03-18 19:17:03 +00:00			`err = ps.SetPolicy(policy)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`acl, err := ps.ACL("dev", "ops")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`testLayeredACL(t, acl)`
			`}`