open-vault/vault/logical_passthrough_test.go

package vault

import (
	"reflect"
	"testing"
	"time"

	"github.com/hashicorp/vault/logical"
)

func TestPassthroughBackend_RootPaths(t *testing.T) {
	b := testPassthroughBackend()
	root := b.SpecialPaths()
	if root != nil {
		t.Fatalf("unexpected: %v", root)
	}
}

func TestPassthroughBackend_Write(t *testing.T) {
	b := testPassthroughBackend()
	req := logical.TestRequest(t, logical.WriteOperation, "foo")
	req.Data["raw"] = "test"

	resp, err := b.HandleRequest(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if resp != nil {
		t.Fatalf("bad: %v", resp)
	}

	out, err := req.Storage.Get("foo")
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if out == nil {
		t.Fatalf("failed to write to view")
	}
}

func TestPassthroughBackend_Read_Lease(t *testing.T) {
	b := testPassthroughBackend()
	req := logical.TestRequest(t, logical.WriteOperation, "foo")
	req.Data["raw"] = "test"
	req.Data["lease"] = "1h"
	storage := req.Storage

	if _, err := b.HandleRequest(req); err != nil {
		t.Fatalf("err: %v", err)
	}

	req = logical.TestRequest(t, logical.ReadOperation, "foo")
	req.Storage = storage

	resp, err := b.HandleRequest(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	expected := &logical.Response{
		Secret: &logical.Secret{
			LeaseOptions: logical.LeaseOptions{
				Renewable: true,
				TTL:       time.Hour,
			},
		},
		Data: map[string]interface{}{
			"raw":   "test",
			"lease": "1h",
		},
	}

	resp.Secret.InternalData = nil
	resp.Secret.LeaseID = ""
	if !reflect.DeepEqual(resp, expected) {
		t.Fatalf("bad response.\n\nexpected: %#v\n\nGot: %#v", expected, resp)
	}
}

func TestPassthroughBackend_Read_TTL(t *testing.T) {
	b := testPassthroughBackend()
	req := logical.TestRequest(t, logical.WriteOperation, "foo")
	req.Data["raw"] = "test"
	req.Data["ttl"] = "1h"
	storage := req.Storage

	if _, err := b.HandleRequest(req); err != nil {
		t.Fatalf("err: %v", err)
	}

	req = logical.TestRequest(t, logical.ReadOperation, "foo")
	req.Storage = storage

	resp, err := b.HandleRequest(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	expected := &logical.Response{
		Secret: &logical.Secret{
			LeaseOptions: logical.LeaseOptions{
				Renewable: true,
				TTL:       time.Hour,
			},
		},
		Data: map[string]interface{}{
			"raw": "test",
			"ttl": "1h",
		},
	}

	resp.Secret.InternalData = nil
	resp.Secret.LeaseID = ""
	if !reflect.DeepEqual(resp, expected) {
		t.Fatalf("bad response.\n\nexpected: %#v\n\nGot: %#v", expected, resp)
	}
}

func TestPassthroughBackend_Delete(t *testing.T) {
	b := testPassthroughBackend()
	req := logical.TestRequest(t, logical.WriteOperation, "foo")
	req.Data["raw"] = "test"
	storage := req.Storage

	if _, err := b.HandleRequest(req); err != nil {
		t.Fatalf("err: %v", err)
	}

	req = logical.TestRequest(t, logical.DeleteOperation, "foo")
	req.Storage = storage
	resp, err := b.HandleRequest(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if resp != nil {
		t.Fatalf("bad: %v", resp)
	}

	req = logical.TestRequest(t, logical.ReadOperation, "foo")
	req.Storage = storage
	resp, err = b.HandleRequest(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if resp != nil {
		t.Fatalf("bad: %v", resp)
	}
}

func TestPassthroughBackend_List(t *testing.T) {
	b := testPassthroughBackend()
	req := logical.TestRequest(t, logical.WriteOperation, "foo")
	req.Data["raw"] = "test"
	storage := req.Storage

	if _, err := b.HandleRequest(req); err != nil {
		t.Fatalf("err: %v", err)
	}

	req = logical.TestRequest(t, logical.ListOperation, "")
	req.Storage = storage
	resp, err := b.HandleRequest(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	expected := &logical.Response{
		Data: map[string]interface{}{
			"keys": []string{"foo"},
		},
	}

	if !reflect.DeepEqual(resp, expected) {
		t.Fatalf("bad response.\n\nexpected: %#v\n\nGot: %#v", expected, resp)
	}
}

func testPassthroughBackend() logical.Backend {
	b, _ := PassthroughBackendFactory(nil)
	return b
}
vault: Passthrough backend uses logical.Backend 2015-03-15 21:26:48 +00:00			`package vault`

			`import (`
			`"reflect"`
			`"testing"`
			`"time"`

			`"github.com/hashicorp/vault/logical"`
			`)`

			`func TestPassthroughBackend_RootPaths(t *testing.T) {`
vault: passthrough backend uses logical/framework 2015-03-16 00:07:54 +00:00			`b := testPassthroughBackend()`
logical: move cred stuff over here 2015-03-31 00:46:18 +00:00			`root := b.SpecialPaths()`
			`if root != nil {`
vault: Passthrough backend uses logical.Backend 2015-03-15 21:26:48 +00:00			`t.Fatalf("unexpected: %v", root)`
			`}`
			`}`

			`func TestPassthroughBackend_Write(t *testing.T) {`
vault: passthrough backend uses logical/framework 2015-03-16 00:07:54 +00:00			`b := testPassthroughBackend()`
vault: Passthrough backend uses logical.Backend 2015-03-15 21:26:48 +00:00			`req := logical.TestRequest(t, logical.WriteOperation, "foo")`
			`req.Data["raw"] = "test"`

			`resp, err := b.HandleRequest(req)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if resp != nil {`
			`t.Fatalf("bad: %v", resp)`
			`}`

			`out, err := req.Storage.Get("foo")`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if out == nil {`
			`t.Fatalf("failed to write to view")`
			`}`
			`}`

Change "lease" parameter in the generic backend to be "ttl" to reduce confusion. "lease" is now deprecated but will remain valid until 0.4. Fixes #528. 2015-08-20 23:41:25 +00:00			`func TestPassthroughBackend_Read_Lease(t *testing.T) {`
vault: passthrough backend uses logical/framework 2015-03-16 00:07:54 +00:00			`b := testPassthroughBackend()`
vault: Passthrough backend uses logical.Backend 2015-03-15 21:26:48 +00:00			`req := logical.TestRequest(t, logical.WriteOperation, "foo")`
			`req.Data["raw"] = "test"`
			`req.Data["lease"] = "1h"`
			`storage := req.Storage`

			`if _, err := b.HandleRequest(req); err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`req = logical.TestRequest(t, logical.ReadOperation, "foo")`
			`req.Storage = storage`

			`resp, err := b.HandleRequest(req)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`expected := &logical.Response{`
vault: clean up VaultID duplications, make secret responses clearer /cc @armon - This is a reasonably major refactor that I think cleans up a lot of the logic with secrets in responses. The reason for the refactor is that while implementing Renew/Revoke in logical/framework I found the existing API to be really awkward to work with. Primarily, we needed a way to send down internal data for Vault core to store since not all the data you need to revoke a key is always sent down to the user (for example the user than AWS key belongs to). At first, I was doing this manually in logical/framework with req.Storage, but this is going to be such a common event that I think its something core should assist with. Additionally, I think the added context for secrets will be useful in the future when we have a Vault API for returning orphaned out keys: we can also return the internal data that might help an operator. So this leads me to this refactor. I've removed most of the fields in `logical.Response` and replaced it with a single `*Secret` pointer. If this is non-nil, then the response represents a secret. The Secret struct encapsulates all the lease info and such. It also has some fields on it that are only populated at _request_ time for Revoke/Renew operations. There is precedent for this sort of behavior in the Go stdlib where http.Request/http.Response have fields that differ based on client/server. I copied this style. All core unit tests pass. The APIs fail for obvious reasons but I'll fix that up in the next commit. 2015-03-19 22:11:42 +00:00			`Secret: &logical.Secret{`
logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 19:14:04 +00:00			`LeaseOptions: logical.LeaseOptions{`
vault: fix tests 2015-04-14 00:44:04 +00:00			`Renewable: true,`
Change "lease" parameter in the generic backend to be "ttl" to reduce confusion. "lease" is now deprecated but will remain valid until 0.4. Fixes #528. 2015-08-20 23:41:25 +00:00			`TTL: time.Hour,`
logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 19:14:04 +00:00			`},`
vault: Passthrough backend uses logical.Backend 2015-03-15 21:26:48 +00:00			`},`
			`Data: map[string]interface{}{`
			`"raw": "test",`
			`"lease": "1h",`
			`},`
			`}`

vault: clean up VaultID duplications, make secret responses clearer /cc @armon - This is a reasonably major refactor that I think cleans up a lot of the logic with secrets in responses. The reason for the refactor is that while implementing Renew/Revoke in logical/framework I found the existing API to be really awkward to work with. Primarily, we needed a way to send down internal data for Vault core to store since not all the data you need to revoke a key is always sent down to the user (for example the user than AWS key belongs to). At first, I was doing this manually in logical/framework with req.Storage, but this is going to be such a common event that I think its something core should assist with. Additionally, I think the added context for secrets will be useful in the future when we have a Vault API for returning orphaned out keys: we can also return the internal data that might help an operator. So this leads me to this refactor. I've removed most of the fields in `logical.Response` and replaced it with a single `*Secret` pointer. If this is non-nil, then the response represents a secret. The Secret struct encapsulates all the lease info and such. It also has some fields on it that are only populated at _request_ time for Revoke/Renew operations. There is precedent for this sort of behavior in the Go stdlib where http.Request/http.Response have fields that differ based on client/server. I copied this style. All core unit tests pass. The APIs fail for obvious reasons but I'll fix that up in the next commit. 2015-03-19 22:11:42 +00:00			`resp.Secret.InternalData = nil`
Replace VaultID with LeaseID for terminology simplification 2015-04-08 20:35:32 +00:00			`resp.Secret.LeaseID = ""`
vault: Passthrough backend uses logical.Backend 2015-03-15 21:26:48 +00:00			`if !reflect.DeepEqual(resp, expected) {`
			`t.Fatalf("bad response.\n\nexpected: %#v\n\nGot: %#v", expected, resp)`
			`}`
			`}`

Change "lease" parameter in the generic backend to be "ttl" to reduce confusion. "lease" is now deprecated but will remain valid until 0.4. Fixes #528. 2015-08-20 23:41:25 +00:00			`func TestPassthroughBackend_Read_TTL(t *testing.T) {`
			`b := testPassthroughBackend()`
			`req := logical.TestRequest(t, logical.WriteOperation, "foo")`
			`req.Data["raw"] = "test"`
			`req.Data["ttl"] = "1h"`
			`storage := req.Storage`

			`if _, err := b.HandleRequest(req); err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`req = logical.TestRequest(t, logical.ReadOperation, "foo")`
			`req.Storage = storage`

			`resp, err := b.HandleRequest(req)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`expected := &logical.Response{`
			`Secret: &logical.Secret{`
			`LeaseOptions: logical.LeaseOptions{`
			`Renewable: true,`
			`TTL: time.Hour,`
			`},`
			`},`
			`Data: map[string]interface{}{`
			`"raw": "test",`
			`"ttl": "1h",`
			`},`
			`}`

			`resp.Secret.InternalData = nil`
			`resp.Secret.LeaseID = ""`
			`if !reflect.DeepEqual(resp, expected) {`
			`t.Fatalf("bad response.\n\nexpected: %#v\n\nGot: %#v", expected, resp)`
			`}`
			`}`

vault: Passthrough backend uses logical.Backend 2015-03-15 21:26:48 +00:00			`func TestPassthroughBackend_Delete(t *testing.T) {`
vault: passthrough backend uses logical/framework 2015-03-16 00:07:54 +00:00			`b := testPassthroughBackend()`
vault: Passthrough backend uses logical.Backend 2015-03-15 21:26:48 +00:00			`req := logical.TestRequest(t, logical.WriteOperation, "foo")`
			`req.Data["raw"] = "test"`
			`storage := req.Storage`

			`if _, err := b.HandleRequest(req); err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`req = logical.TestRequest(t, logical.DeleteOperation, "foo")`
			`req.Storage = storage`
			`resp, err := b.HandleRequest(req)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if resp != nil {`
			`t.Fatalf("bad: %v", resp)`
			`}`

			`req = logical.TestRequest(t, logical.ReadOperation, "foo")`
			`req.Storage = storage`
			`resp, err = b.HandleRequest(req)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if resp != nil {`
			`t.Fatalf("bad: %v", resp)`
			`}`
			`}`

			`func TestPassthroughBackend_List(t *testing.T) {`
vault: passthrough backend uses logical/framework 2015-03-16 00:07:54 +00:00			`b := testPassthroughBackend()`
vault: Passthrough backend uses logical.Backend 2015-03-15 21:26:48 +00:00			`req := logical.TestRequest(t, logical.WriteOperation, "foo")`
			`req.Data["raw"] = "test"`
			`storage := req.Storage`

			`if _, err := b.HandleRequest(req); err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`req = logical.TestRequest(t, logical.ListOperation, "")`
			`req.Storage = storage`
			`resp, err := b.HandleRequest(req)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`

			`expected := &logical.Response{`
			`Data: map[string]interface{}{`
			`"keys": []string{"foo"},`
			`},`
			`}`

			`if !reflect.DeepEqual(resp, expected) {`
			`t.Fatalf("bad response.\n\nexpected: %#v\n\nGot: %#v", expected, resp)`
			`}`
			`}`
vault: passthrough backend uses logical/framework 2015-03-16 00:07:54 +00:00
			`func testPassthroughBackend() logical.Backend {`
			`b, _ := PassthroughBackendFactory(nil)`
			`return b`
			`}`