package vault
import (
"reflect"
"testing"
"github.com/hashicorp/vault/logical"
)
// TestSystemBackend_RootPaths pins the exact list returned by the system
// backend's RootPaths method, so adding or dropping an entry fails the test
// and has to be made deliberately.
func TestSystemBackend_RootPaths(t *testing.T) {
	backend := testSystemBackend(t)

	// NOTE(review): presumably these are the paths that need root-level
	// access; confirm against the logical.Backend contract.
	want := []string{
		"mounts/*",
		"remount",
	}

	if got := backend.RootPaths(); !reflect.DeepEqual(got, want) {
		t.Fatalf("bad: %#v", got)
	}
}
// TestSystemBackend_mounts reads "mounts" from a fresh system backend and
// checks that the response data lists exactly two mounts, "secret/" and
// "sys/", each with its type and description.
func TestSystemBackend_mounts(t *testing.T) {
	backend := testSystemBackend(t)

	resp, err := backend.HandleRequest(
		logical.TestRequest(t, logical.ReadOperation, "mounts"))
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	secretMount := map[string]string{
		"type":        "generic",
		"description": "generic secret storage",
	}
	sysMount := map[string]string{
		"type":        "system",
		"description": "system endpoints used for control, policy and debugging",
	}

	// DeepEqual also fails on any extra mount, so a new default mount has
	// to be added here on purpose.
	want := map[string]interface{}{
		"secret/": secretMount,
		"sys/":    sysMount,
	}
	if !reflect.DeepEqual(resp.Data, want) {
		t.Fatalf("got: %#v expect: %#v", resp.Data, want)
	}
}
// TestSystemBackend_mount writes a "generic" mount at "mounts/prod/secret/"
// and expects the backend to accept it with neither an error nor a response.
func TestSystemBackend_mount(t *testing.T) {
	backend := testSystemBackend(t)

	mountReq := logical.TestRequest(t, logical.WriteOperation, "mounts/prod/secret/")
	mountReq.Data["type"] = "generic"

	resp, err := backend.HandleRequest(mountReq)
	switch {
	case err != nil:
		t.Fatalf("err: %v", err)
	case resp != nil:
		// A successful mount is expected to return no response at all.
		t.Fatalf("bad: %v", resp)
	}
}
// TestSystemBackend_mount_invalid checks that a mount request naming the
// backend type "nope" is refused: the handler must return
// logical.ErrInvalidRequest and a response whose "error" entry names the
// rejected type.
func TestSystemBackend_mount_invalid(t *testing.T) {
	backend := testSystemBackend(t)

	mountReq := logical.TestRequest(t, logical.WriteOperation, "mounts/prod/secret/")
	mountReq.Data["type"] = "nope"

	resp, err := backend.HandleRequest(mountReq)
	if err != logical.ErrInvalidRequest {
		t.Fatalf("err: %v", err)
	}

	// The response is dereferenced without a nil check, so a nil response
	// shows up as a panic rather than as a Fatalf message.
	if msg := resp.Data["error"]; msg != "unknown backend type: nope" {
		t.Fatalf("bad: %v", resp)
	}
}
// TestSystemBackend_unmount deletes "mounts/secret/" and expects the backend
// to report success with no error and no response.
func TestSystemBackend_unmount(t *testing.T) {
	backend := testSystemBackend(t)

	resp, err := backend.HandleRequest(
		logical.TestRequest(t, logical.DeleteOperation, "mounts/secret/"))
	switch {
	case err != nil:
		t.Fatalf("err: %v", err)
	case resp != nil:
		t.Fatalf("bad: %v", resp)
	}
}
// TestSystemBackend_unmount_invalid deletes "mounts/foo/", a path the test
// never mounted, and expects logical.ErrInvalidRequest together with a
// "no matching mount" error in the response data.
func TestSystemBackend_unmount_invalid(t *testing.T) {
	backend := testSystemBackend(t)

	unmountReq := logical.TestRequest(t, logical.DeleteOperation, "mounts/foo/")
	resp, err := backend.HandleRequest(unmountReq)

	if err != logical.ErrInvalidRequest {
		t.Fatalf("err: %v", err)
	}
	if msg := resp.Data["error"]; msg != "no matching mount" {
		t.Fatalf("bad: %v", resp)
	}
}
// TestSystemBackend_remount moves the "secret" mount to "foo" through the
// "remount" path and expects success with no error and no response.
func TestSystemBackend_remount(t *testing.T) {
	backend := testSystemBackend(t)

	remountReq := logical.TestRequest(t, logical.WriteOperation, "remount")
	remountReq.Data["from"] = "secret"
	remountReq.Data["to"] = "foo"

	resp, err := backend.HandleRequest(remountReq)
	switch {
	case err != nil:
		t.Fatalf("err: %v", err)
	case resp != nil:
		t.Fatalf("bad: %v", resp)
	}
}
// TestSystemBackend_remount_invalid asks to remount from "unknown", a source
// the test never mounted, and expects logical.ErrInvalidRequest plus an error
// message that names the missing mount as 'unknown/'.
func TestSystemBackend_remount_invalid(t *testing.T) {
	backend := testSystemBackend(t)

	remountReq := logical.TestRequest(t, logical.WriteOperation, "remount")
	remountReq.Data["from"] = "unknown"
	remountReq.Data["to"] = "foo"

	resp, err := backend.HandleRequest(remountReq)
	if err != logical.ErrInvalidRequest {
		t.Fatalf("err: %v", err)
	}

	if msg := resp.Data["error"]; msg != "no matching mount at 'unknown/'" {
		t.Fatalf("bad: %v", resp)
	}
}
// TestSystemBackend_remount_system guards the system mount itself: a remount
// request with "sys" as its source must fail with logical.ErrInvalidRequest
// and the message "cannot remount 'sys/'". A regression here would mean the
// backend no longer refuses to move its own mount.
func TestSystemBackend_remount_system(t *testing.T) {
	backend := testSystemBackend(t)

	remountReq := logical.TestRequest(t, logical.WriteOperation, "remount")
	remountReq.Data["from"] = "sys"
	remountReq.Data["to"] = "foo"

	resp, err := backend.HandleRequest(remountReq)
	if err != logical.ErrInvalidRequest {
		t.Fatalf("err: %v", err)
	}

	if msg := resp.Data["error"]; msg != "cannot remount 'sys/'" {
		t.Fatalf("bad: %v", resp)
	}
}
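// TestSystemBackend_renew stores a secret with a lease through the core,
// reads it back to obtain the lease's VaultID, then renews that lease through
// the system backend. The renewal response must keep the same VaultID and
// still carry the secret's data.
func TestSystemBackend_renew(t *testing.T) {
	core, b := testCoreSystemBackend(t)

	// Create a key with a lease
	req := logical.TestRequest(t, logical.WriteOperation, "secret/foo")
	req.Data["foo"] = "bar"
	req.Data["lease"] = "1h"
	resp, err := core.HandleRequest(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if resp != nil {
		t.Fatalf("bad: %#v", resp)
	}

	// Read the key back; the response must carry a lease with a VaultID
	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
	resp, err = core.HandleRequest(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if resp == nil || resp.Lease == nil || resp.Lease.VaultID == "" {
		t.Fatalf("bad: %#v", resp)
	}

	// Attempt renew
	req2 := logical.TestRequest(t, logical.WriteOperation, "renew/"+resp.Lease.VaultID)
	// NOTE(review): the unit of "increment" is not visible in this file.
	req2.Data["increment"] = 100
	resp2, err := b.HandleRequest(req2)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// Guard the dereferences below so a missing response or lease fails
	// with a readable message instead of a nil-pointer panic.
	if resp2 == nil || resp2.Lease == nil {
		t.Fatalf("bad: %#v", resp2)
	}
	// Report the renewal response (resp2), which is the value under test.
	if resp2.Lease.VaultID != resp.Lease.VaultID {
		t.Fatalf("bad: %#v", resp2)
	}
	if resp2.Data["foo"] != "bar" {
		t.Fatalf("bad: %#v", resp2)
	}
}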
// TestSystemBackend_renew_invalidID renews "foobarbaz", a lease ID the test
// never created, and expects logical.ErrInvalidRequest with the error message
// "lease not found".
func TestSystemBackend_renew_invalidID(t *testing.T) {
	backend := testSystemBackend(t)

	// Renew an ID that no lease was issued for.
	renewReq := logical.TestRequest(t, logical.WriteOperation, "renew/foobarbaz")
	resp, err := backend.HandleRequest(renewReq)

	if err != logical.ErrInvalidRequest {
		t.Fatalf("err: %v", err)
	}
	if msg := resp.Data["error"]; msg != "lease not found" {
		t.Fatalf("bad: %v", resp)
	}
}
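// TestSystemBackend_revoke stores a secret with a lease through the core,
// reads it back to obtain the lease's VaultID, then revokes that lease through
// the system backend and expects success with no error and no response.
func TestSystemBackend_revoke(t *testing.T) {
	core, b := testCoreSystemBackend(t)

	// Create a key with a lease
	req := logical.TestRequest(t, logical.WriteOperation, "secret/foo")
	req.Data["foo"] = "bar"
	req.Data["lease"] = "1h"
	resp, err := core.HandleRequest(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if resp != nil {
		t.Fatalf("bad: %#v", resp)
	}

	// Read the key back; the response must carry a lease with a VaultID
	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
	resp, err = core.HandleRequest(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if resp == nil || resp.Lease == nil || resp.Lease.VaultID == "" {
		t.Fatalf("bad: %#v", resp)
	}

	// Attempt revoke
	req2 := logical.TestRequest(t, logical.WriteOperation, "revoke/"+resp.Lease.VaultID)
	resp2, err := b.HandleRequest(req2)
	if err != nil {
		t.Fatalf("err: %v %#v", err, resp2)
	}
	// Report the revoke response (resp2), which is the value under test.
	if resp2 != nil {
		t.Fatalf("bad: %#v", resp2)
	}

	// NOTE(review): only the handler's return values are checked. Nothing
	// here confirms the lease is unusable afterwards; a follow-up renew of
	// the same VaultID would cover that, once its expected result is
	// confirmed.
}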
// TestSystemBackend_revoke_invalidID revokes "foobarbaz", a lease ID the test
// never created, and expects neither an error nor a response. Unlike renew,
// revoke of an unknown ID is pinned here as a silent success, so the return
// values alone do not tell a caller whether a lease existed.
func TestSystemBackend_revoke_invalidID(t *testing.T) {
	backend := testSystemBackend(t)

	// Attempt revoke
	revokeReq := logical.TestRequest(t, logical.WriteOperation, "revoke/foobarbaz")
	resp, err := backend.HandleRequest(revokeReq)

	switch {
	case err != nil:
		t.Fatalf("err: %v", err)
	case resp != nil:
		t.Fatalf("bad: %v", resp)
	}
}
// testSystemBackend returns a system backend built on the core that
// TestCoreUnsealed provides. The second result of TestCoreUnsealed is not
// needed here and is discarded.
func testSystemBackend(t *testing.T) logical.Backend {
	unsealed, _ := TestCoreUnsealed(t)
	backend := NewSystemBackend(unsealed)
	return backend
}
// testCoreSystemBackend returns the core from TestCoreUnsealed together with
// a system backend built on it, for tests that need to send requests to both.
// The second result of TestCoreUnsealed is discarded.
func testCoreSystemBackend(t *testing.T) (*Core, logical.Backend) {
	unsealed, _ := TestCoreUnsealed(t)
	backend := NewSystemBackend(unsealed)
	return unsealed, backend
}