From 660c9ab3827b3c75fe0be82d1111748876db71a6 Mon Sep 17 00:00:00 2001 From: Vishal Nayak Date: Thu, 9 Nov 2017 01:29:19 -0500 Subject: [PATCH] Merge identity alias lookups into either entity or group lookup endpoints (#3538) * merge identity alias lookups into either entity or group lookups * Address review feedback * address review feedback --- vault/identity_lookup.go | 432 ++++++++++++++++++---------------- vault/identity_lookup_test.go | 370 +++++++++++++++++------------ 2 files changed, 440 insertions(+), 362 deletions(-) diff --git a/vault/identity_lookup.go b/vault/identity_lookup.go index bae1cf322..e5891afaf 100644 --- a/vault/identity_lookup.go +++ b/vault/identity_lookup.go @@ -14,10 +14,6 @@ func lookupPaths(i *IdentityStore) []*framework.Path { { Pattern: "lookup/entity$", Fields: map[string]*framework.FieldSchema{ - "type": { - Type: framework.TypeString, - Description: "Type of lookup. Current supported values are 'id' and 'name'.", - }, "name": { Type: framework.TypeString, Description: "Name of the entity.", @@ -26,6 +22,18 @@ func lookupPaths(i *IdentityStore) []*framework.Path { Type: framework.TypeString, Description: "ID of the entity.", }, + "alias_id": { + Type: framework.TypeString, + Description: "ID of the alias.", + }, + "alias_name": { + Type: framework.TypeString, + Description: "Name of the alias. This should be supplied in conjuction with 'alias_mount_accessor'.", + }, + "alias_mount_accessor": { + Type: framework.TypeString, + Description: "Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'.", + }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ logical.UpdateOperation: i.pathLookupEntityUpdate, @@ -37,10 +45,6 @@ func lookupPaths(i *IdentityStore) []*framework.Path { { Pattern: "lookup/group$", Fields: map[string]*framework.FieldSchema{ - "type": { - Type: framework.TypeString, - Description: "Type of lookup. Current supported values are 'id' and 'name'", - }, "name": { Type: framework.TypeString, Description: "Name of the group.", @@ -49,6 +53,18 @@ func lookupPaths(i *IdentityStore) []*framework.Path { Type: framework.TypeString, Description: "ID of the group.", }, + "alias_id": { + Type: framework.TypeString, + Description: "ID of the alias.", + }, + "alias_name": { + Type: framework.TypeString, + Description: "Name of the alias. This should be supplied in conjuction with 'alias_mount_accessor'.", + }, + "alias_mount_accessor": { + Type: framework.TypeString, + Description: "Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'.", + }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ logical.UpdateOperation: i.pathLookupGroupUpdate, @@ -57,103 +73,110 @@ func lookupPaths(i *IdentityStore) []*framework.Path { HelpSynopsis: strings.TrimSpace(lookupHelp["lookup-group"][0]), HelpDescription: strings.TrimSpace(lookupHelp["lookup-group"][1]), }, - { - Pattern: "lookup/entity-alias$", - Fields: map[string]*framework.FieldSchema{ - "type": { - Type: framework.TypeString, - Description: "Type of lookup. Current supported values are 'id', 'canonical_id' and 'factors'.", - }, - "id": { - Type: framework.TypeString, - Description: "ID of the entity.", - }, - "canonical_id": { - Type: framework.TypeString, - Description: "ID of the entity to which the alias belongs to.", - }, - "name": { - Type: framework.TypeString, - Description: "Name of the alias.", - }, - "mount_accessor": { - Type: framework.TypeString, - Description: "Accessor of the mount to which the entity alias belongs to.", - }, - }, - Callbacks: map[logical.Operation]framework.OperationFunc{ - logical.UpdateOperation: i.pathLookupEntityAliasUpdate, - }, - - HelpSynopsis: strings.TrimSpace(lookupHelp["lookup-entity-alias"][0]), - HelpDescription: strings.TrimSpace(lookupHelp["lookup-entity-alias"][1]), - }, - { - Pattern: "lookup/group-alias$", - Fields: map[string]*framework.FieldSchema{ - "type": { - Type: framework.TypeString, - Description: "Type of lookup. Current supported values are 'id', 'canonical_id' and 'factors'.", - }, - "id": { - Type: framework.TypeString, - Description: "ID of the group.", - }, - "canonical_id": { - Type: framework.TypeString, - Description: "ID of the group to which the alias belongs to.", - }, - "name": { - Type: framework.TypeString, - Description: "Name of the alias.", - }, - "mount_accessor": { - Type: framework.TypeString, - Description: "Accessor of the mount to which the group alias belongs to.", - }, - }, - Callbacks: map[logical.Operation]framework.OperationFunc{ - logical.UpdateOperation: i.pathLookupGroupAliasUpdate, - }, - - HelpSynopsis: strings.TrimSpace(lookupHelp["lookup-group-alias"][0]), - HelpDescription: strings.TrimSpace(lookupHelp["lookup-group-alias"][1]), - }, } } func (i *IdentityStore) pathLookupEntityUpdate(req *logical.Request, d *framework.FieldData) (*logical.Response, error) { - lookupType := d.Get("type").(string) - if lookupType == "" { - return logical.ErrorResponse("empty type"), nil - } - var entity *identity.Entity var err error - switch lookupType { - case "id": - entityID := d.Get("id").(string) - if entityID == "" { - return logical.ErrorResponse("empty id"), nil + inputCount := 0 + + id := "" + idRaw, ok := d.GetOk("id") + if ok { + inputCount++ + id = idRaw.(string) + } + + name := "" + nameRaw, ok := d.GetOk("name") + if ok { + inputCount++ + name = nameRaw.(string) + } + + aliasID := "" + aliasIDRaw, ok := d.GetOk("alias_id") + if ok { + inputCount++ + aliasID = aliasIDRaw.(string) + } + + aliasName := "" + aliasNameRaw, ok := d.GetOk("alias_name") + if ok { + inputCount++ + aliasName = aliasNameRaw.(string) + } + + aliasMountAccessor := "" + aliasMountAccessorRaw, ok := d.GetOk("alias_mount_accessor") + if ok { + inputCount++ + aliasMountAccessor = aliasMountAccessorRaw.(string) + } + + switch { + case inputCount == 0: + return logical.ErrorResponse(fmt.Sprintf("query parameter not supplied")), nil + + case inputCount != 1: + switch { + case inputCount == 2 && aliasName != "" && aliasMountAccessor != "": + default: + return logical.ErrorResponse(fmt.Sprintf("query parameter conflict; please supply distinct set of query parameters")), nil } - entity, err = i.MemDBEntityByID(entityID, false) + + case inputCount == 1: + switch { + case aliasName != "" || aliasMountAccessor != "": + return logical.ErrorResponse(fmt.Sprintf("both 'alias_name' and 'alias_mount_accessor' needs to be set")), nil + } + } + + switch { + case id != "": + entity, err = i.MemDBEntityByID(id, false) if err != nil { return nil, err } - case "name": - entityName := d.Get("name").(string) - if entityName == "" { - return logical.ErrorResponse("empty name"), nil - } - entity, err = i.MemDBEntityByName(entityName, false) + case name != "": + entity, err = i.MemDBEntityByName(name, false) if err != nil { return nil, err } - default: - return logical.ErrorResponse(fmt.Sprintf("unrecognized type %q", lookupType)), nil + case aliasID != "": + alias, err := i.MemDBAliasByID(aliasID, false, false) + if err != nil { + return nil, err + } + + if alias == nil { + break + } + + entity, err = i.MemDBEntityByAliasID(alias.ID, false) + if err != nil { + return nil, err + } + + case aliasName != "" && aliasMountAccessor != "": + alias, err := i.MemDBAliasByFactors(aliasMountAccessor, aliasName, false, false) + if err != nil { + return nil, err + } + + if alias == nil { + break + } + + entity, err = i.MemDBEntityByAliasID(alias.ID, false) + if err != nil { + return nil, err + } } if entity == nil { @@ -164,141 +187,138 @@ func (i *IdentityStore) pathLookupEntityUpdate(req *logical.Request, d *framewor } func (i *IdentityStore) pathLookupGroupUpdate(req *logical.Request, d *framework.FieldData) (*logical.Response, error) { - lookupType := d.Get("type").(string) - if lookupType == "" { - return logical.ErrorResponse("empty type"), nil + var group *identity.Group + var err error + + inputCount := 0 + + id := "" + idRaw, ok := d.GetOk("id") + if ok { + inputCount++ + id = idRaw.(string) } - switch lookupType { - case "id": - groupID := d.Get("id").(string) - if groupID == "" { - return logical.ErrorResponse("empty ID"), nil - } - group, err := i.MemDBGroupByID(groupID, false) - if err != nil { - return nil, err - } - return i.handleGroupReadCommon(group) - case "name": - groupName := d.Get("name").(string) - if groupName == "" { - return logical.ErrorResponse("empty name"), nil - } - group, err := i.MemDBGroupByName(groupName, false) - if err != nil { - return nil, err - } - return i.handleGroupReadCommon(group) - default: - return logical.ErrorResponse(fmt.Sprintf("unrecognized type %q", lookupType)), nil + name := "" + nameRaw, ok := d.GetOk("name") + if ok { + inputCount++ + name = nameRaw.(string) } - return nil, nil -} - -func (i *IdentityStore) pathLookupEntityAliasUpdate(req *logical.Request, d *framework.FieldData) (*logical.Response, error) { - return i.handleLookupAliasUpdateCommon(req, d, false) -} - -func (i *IdentityStore) pathLookupGroupAliasUpdate(req *logical.Request, d *framework.FieldData) (*logical.Response, error) { - return i.handleLookupAliasUpdateCommon(req, d, true) -} - -func (i *IdentityStore) handleLookupAliasUpdateCommon(req *logical.Request, d *framework.FieldData, groupAlias bool) (*logical.Response, error) { - lookupType := d.Get("type").(string) - if lookupType == "" { - return logical.ErrorResponse("empty type"), nil + aliasID := "" + aliasIDRaw, ok := d.GetOk("alias_id") + if ok { + inputCount++ + aliasID = aliasIDRaw.(string) } - switch lookupType { - case "id": - aliasID := d.Get("id").(string) - if aliasID == "" { - return logical.ErrorResponse("empty ID"), nil - } - - alias, err := i.MemDBAliasByID(aliasID, false, groupAlias) - if err != nil { - return nil, err - } - - return i.handleAliasReadCommon(alias) - - case "canonical_id": - canonicalID := d.Get("canonical_id").(string) - if canonicalID == "" { - return logical.ErrorResponse("empty canonical_id"), nil - } - - alias, err := i.MemDBAliasByCanonicalID(canonicalID, false, groupAlias) - if err != nil { - return nil, err - } - - return i.handleAliasReadCommon(alias) - - case "factors": - aliasName := d.Get("name").(string) - if aliasName == "" { - return logical.ErrorResponse("empty name"), nil - } - mountAccessor := d.Get("mount_accessor").(string) - if mountAccessor == "" { - return logical.ErrorResponse("empty 'mount_accessor'"), nil - } - - alias, err := i.MemDBAliasByFactors(mountAccessor, aliasName, false, groupAlias) - if err != nil { - return nil, err - } - - return i.handleAliasReadCommon(alias) - - default: - return logical.ErrorResponse(fmt.Sprintf("unrecognized type %q", lookupType)), nil + aliasName := "" + aliasNameRaw, ok := d.GetOk("alias_name") + if ok { + inputCount++ + aliasName = aliasNameRaw.(string) } + + aliasMountAccessor := "" + aliasMountAccessorRaw, ok := d.GetOk("alias_mount_accessor") + if ok { + inputCount++ + aliasMountAccessor = aliasMountAccessorRaw.(string) + } + + switch { + case inputCount == 0: + return logical.ErrorResponse(fmt.Sprintf("query parameter not supplied")), nil + + case inputCount != 1: + switch { + case inputCount == 2 && aliasName != "" && aliasMountAccessor != "": + default: + return logical.ErrorResponse(fmt.Sprintf("query parameter conflict; please supply distinct set of query parameters")), nil + } + + case inputCount == 1: + switch { + case aliasName != "" || aliasMountAccessor != "": + return logical.ErrorResponse(fmt.Sprintf("both 'alias_name' and 'alias_mount_accessor' needs to be set")), nil + } + } + + switch { + case id != "": + group, err = i.MemDBGroupByID(id, false) + if err != nil { + return nil, err + } + case name != "": + group, err = i.MemDBGroupByName(name, false) + if err != nil { + return nil, err + } + case aliasID != "": + alias, err := i.MemDBAliasByID(aliasID, false, true) + if err != nil { + return nil, err + } + + if alias == nil { + break + } + + group, err = i.MemDBGroupByAliasID(alias.ID, false) + if err != nil { + return nil, err + } + + case aliasName != "" && aliasMountAccessor != "": + alias, err := i.MemDBAliasByFactors(aliasMountAccessor, aliasName, false, true) + if err != nil { + return nil, err + } + + if alias == nil { + break + } + + group, err = i.MemDBGroupByAliasID(alias.ID, false) + if err != nil { + return nil, err + } + } + + if group == nil { + return nil, nil + } + + return i.handleGroupReadCommon(group) } var lookupHelp = map[string][2]string{ "lookup-entity": { - "Query entities based on types.", - `Supported types: + "Query entities based on various properties.", + `Distinct query parameters to be set: - 'id' - To query the entity by its ID. This requires 'id' parameter to be set. + To query the entity by its ID. - 'name' - To query the entity by its name. This requires 'name' parameter to be set. + To query the entity by its name. + - 'alias_id' + To query the entity by the ID of any of its aliases. + - 'alias_name' and 'alias_mount_accessor' + To query the entity by the unique factors that represent an alias; the name and the mount accessor. `, }, "lookup-group": { - "Query groups based on types.", - `Supported types: + "Query groups based on various properties.", + `Distinct query parameters to be set: - 'id' - To query the group by its ID. This requires 'id' parameter to be set. + To query the group by its ID. - 'name' - To query the group by its name. This requires 'name' parameter to be set. - `, - }, - "lookup-group-alias": { - "Query group alias based on types.", - `Supported types: - - 'id' - To query the group alias by its ID. This requires 'id' parameter to be set. - - 'canonical_id' - To query the group alias by the ID of the group it belongs to. This requires the 'canonical_id' parameter to be set. - - 'factors' - To query the group alias using the factors that uniquely identifies a group alias; its name and the mount accessor. This requires the 'name' and 'mount_accessor' parameters to be set. - `, - }, - "lookup-entity-alias": { - "Query entity alias based on types.", - `Supported types: - - 'id' - To query the entity alias by its ID. This requires 'id' parameter to be set. - - 'canonical_id' - To query the entity alias by the ID of the entity it belongs to. This requires the 'canonical_id' parameter to be set. - - 'factors' - To query the entity alias using the factors that uniquely identifies an entity alias; its name and the mount accessor. This requires the 'name' and 'mount_accessor' parameters to be set. + To query the group by its name. + - 'alias_id' + To query the group by the ID of any of its aliases. + - 'alias_name' and 'alias_mount_accessor' + To query the group by the unique factors that represent an alias; the name and the mount accessor. `, }, } diff --git a/vault/identity_lookup_test.go b/vault/identity_lookup_test.go index 981cdcbb4..278f6b98f 100644 --- a/vault/identity_lookup_test.go +++ b/vault/identity_lookup_test.go @@ -10,7 +10,7 @@ func TestIdentityStore_Lookup_Entity(t *testing.T) { var err error var resp *logical.Response - i, _, _ := testIdentityStoreWithGithubAuth(t) + i, accessor, _ := testIdentityStoreWithGithubAuth(t) entityReq := &logical.Request{ Path: "entity", @@ -22,6 +22,22 @@ func TestIdentityStore_Lookup_Entity(t *testing.T) { } entityID := resp.Data["id"].(string) + aliasReq := &logical.Request{ + Path: "entity-alias", + Operation: logical.UpdateOperation, + Data: map[string]interface{}{ + "name": "testaliasname", + "mount_accessor": accessor, + "entity_id": entityID, + }, + } + + resp, err = i.HandleRequest(aliasReq) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: err: %#v\nresp: %v", err, resp) + } + aliasID := resp.Data["id"].(string) + entity, err := i.MemDBEntityByID(entityID, false) if err != nil { t.Fatal(err) @@ -31,8 +47,7 @@ func TestIdentityStore_Lookup_Entity(t *testing.T) { Path: "lookup/entity", Operation: logical.UpdateOperation, Data: map[string]interface{}{ - "type": "id", - "id": entityID, + "id": entityID, }, } resp, err = i.HandleRequest(lookupReq) @@ -45,7 +60,6 @@ func TestIdentityStore_Lookup_Entity(t *testing.T) { } lookupReq.Data = map[string]interface{}{ - "type": "name", "name": entity.Name, } @@ -57,169 +71,103 @@ func TestIdentityStore_Lookup_Entity(t *testing.T) { if resp.Data["id"].(string) != entityID { t.Fatalf("bad: entity: %#v", resp.Data) } -} -func TestIdentityStore_Lookup_EntityAlias(t *testing.T) { - var err error - var resp *logical.Response - - i, accessor, _ := testIdentityStoreWithGithubAuth(t) - - entityReq := &logical.Request{ - Path: "entity", - Operation: logical.UpdateOperation, + lookupReq.Data = map[string]interface{}{ + "alias_id": aliasID, } - resp, err = i.HandleRequest(entityReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) - } - entityID := resp.Data["id"].(string) - - entityAliasReq := &logical.Request{ - Path: "entity-alias", - Operation: logical.UpdateOperation, - Data: map[string]interface{}{ - "canonical_id": entityID, - "name": "testentityaliasname", - "mount_type": "ldap", - "mount_accessor": accessor, - }, - } - - resp, err = i.HandleRequest(entityAliasReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) - } - entityAliasID := resp.Data["id"].(string) - - lookupReq := &logical.Request{ - Path: "lookup/entity-alias", - Operation: logical.UpdateOperation, - Data: map[string]interface{}{ - "type": "id", - "id": entityAliasID, - }, - } resp, err = i.HandleRequest(lookupReq) if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) + t.Fatalf("bad: err: %#v\nresp: %v", err, resp) } - if resp.Data["id"].(string) != entityAliasID { - t.Fatalf("bad: group alias: %#v\n", resp.Data) + + if resp.Data["id"].(string) != entityID { + t.Fatalf("bad: entity: %#v", resp.Data) } lookupReq.Data = map[string]interface{}{ - "type": "factors", - "mount_accessor": accessor, - "name": "testentityaliasname", - } - resp, err = i.HandleRequest(lookupReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) - } - if resp.Data["id"].(string) != entityAliasID { - t.Fatalf("bad: entity alias: %#v\n", resp.Data) + "alias_name": "testaliasname", + "alias_mount_accessor": accessor, } - entityReq = &logical.Request{ - Path: "entity/id/" + entityID, - Operation: logical.ReadOperation, - } - resp, err = i.HandleRequest(entityReq) + resp, err = i.HandleRequest(lookupReq) if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) + t.Fatalf("bad: err: %#v\nresp: %v", err, resp) + } + + if resp.Data["id"].(string) != entityID { + t.Fatalf("bad: entity: %#v", resp.Data) + } + + // Supply 2 query criteria + lookupReq.Data = map[string]interface{}{ + "id": entityID, + "name": entity.Name, + } + + resp, err = i.HandleRequest(lookupReq) + if err != nil { + t.Fatal(err) + } + if resp == nil || !resp.IsError() { + t.Fatalf("expected an error") + } + + // Supply alias name and skip accessor + lookupReq.Data = map[string]interface{}{ + "alias_name": "testaliasname", + } + + resp, err = i.HandleRequest(lookupReq) + if err != nil { + t.Fatal(err) + } + if resp == nil || !resp.IsError() { + t.Fatalf("expected an error") + } + + // Supply alias accessor and skip name + lookupReq.Data = map[string]interface{}{ + "alias_mount_accessor": accessor, + } + + resp, err = i.HandleRequest(lookupReq) + if err != nil { + t.Fatal(err) + } + if resp == nil || !resp.IsError() { + t.Fatalf("expected an error") + } + + // Don't supply any criteria + lookupReq.Data = nil + + resp, err = i.HandleRequest(lookupReq) + if err != nil { + t.Fatal(err) + } + if resp == nil || !resp.IsError() { + t.Fatalf("expected an error") + } + + // Delete the alias in the entity + aliasReq.Path = "entity-alias/id/" + aliasID + aliasReq.Operation = logical.DeleteOperation + resp, err = i.HandleRequest(aliasReq) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: err: %#v\nresp: %v", err, resp) } lookupReq.Data = map[string]interface{}{ - "type": "canonical_id", - "canonical_id": entityID, + "alias_id": aliasID, } + resp, err = i.HandleRequest(lookupReq) if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) + t.Fatalf("bad: err: %#v\nresp: %v", err, resp) } - if resp.Data["id"].(string) != entityAliasID { - t.Fatalf("bad: entity alias: %#v\n", resp.Data) - } -} - -func TestIdentityStore_Lookup_GroupAlias(t *testing.T) { - var err error - var resp *logical.Response - - i, accessor, _ := testIdentityStoreWithGithubAuth(t) - - groupReq := &logical.Request{ - Path: "group", - Operation: logical.UpdateOperation, - Data: map[string]interface{}{ - "type": "external", - }, - } - - resp, err = i.HandleRequest(groupReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) - } - groupID := resp.Data["id"].(string) - - groupAliasReq := &logical.Request{ - Path: "group-alias", - Operation: logical.UpdateOperation, - Data: map[string]interface{}{ - "canonical_id": groupID, - "name": "testgroupaliasname", - "mount_type": "ldap", - "mount_accessor": accessor, - }, - } - - resp, err = i.HandleRequest(groupAliasReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) - } - groupAliasID := resp.Data["id"].(string) - - lookupReq := &logical.Request{ - Path: "lookup/group-alias", - Operation: logical.UpdateOperation, - Data: map[string]interface{}{ - "type": "id", - "id": groupAliasID, - }, - } - resp, err = i.HandleRequest(lookupReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) - } - if resp.Data["id"].(string) != groupAliasID { - t.Fatalf("bad: group alias: %#v\n", resp.Data) - } - - lookupReq.Data = map[string]interface{}{ - "type": "factors", - "mount_accessor": accessor, - "name": "testgroupaliasname", - } - resp, err = i.HandleRequest(lookupReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) - } - if resp.Data["id"].(string) != groupAliasID { - t.Fatalf("bad: group alias: %#v\n", resp.Data) - } - - lookupReq.Data = map[string]interface{}{ - "type": "canonical_id", - "canonical_id": groupID, - } - resp, err = i.HandleRequest(lookupReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) - } - if resp.Data["id"].(string) != groupAliasID { - t.Fatalf("bad: group alias: %#v\n", resp.Data) + if resp != nil { + t.Fatalf("expected a nil response") } } @@ -227,7 +175,7 @@ func TestIdentityStore_Lookup_Group(t *testing.T) { var err error var resp *logical.Response - i, _, _ := testIdentityStoreWithGithubAuth(t) + i, accessor, _ := testIdentityStoreWithGithubAuth(t) groupReq := &logical.Request{ Path: "group", @@ -240,16 +188,15 @@ func TestIdentityStore_Lookup_Group(t *testing.T) { groupID := resp.Data["id"].(string) groupName := resp.Data["name"].(string) - lookupGroupReq := &logical.Request{ + lookupReq := &logical.Request{ Path: "lookup/group", Operation: logical.UpdateOperation, Data: map[string]interface{}{ - "type": "id", - "id": groupID, + "id": groupID, }, } - resp, err = i.HandleRequest(lookupGroupReq) + resp, err = i.HandleRequest(lookupReq) if err != nil || (resp != nil && resp.IsError()) { t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) } @@ -257,16 +204,127 @@ func TestIdentityStore_Lookup_Group(t *testing.T) { t.Fatalf("failed to lookup group") } - lookupGroupReq.Data = map[string]interface{}{ - "type": "name", + lookupReq.Data = map[string]interface{}{ "name": groupName, } - resp, err = i.HandleRequest(lookupGroupReq) + resp, err = i.HandleRequest(lookupReq) if err != nil || (resp != nil && resp.IsError()) { t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) } if resp.Data["id"].(string) != groupID { t.Fatalf("failed to lookup group") } + + // Query using an invalid alias_id + lookupReq.Data = map[string]interface{}{ + "alias_id": "invalidaliasid", + } + resp, err = i.HandleRequest(lookupReq) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) + } + if resp != nil { + t.Fatalf("expected a nil response") + } + + groupReq.Data = map[string]interface{}{ + "type": "external", + } + resp, err = i.HandleRequest(groupReq) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) + } + groupID = resp.Data["id"].(string) + + aliasReq := &logical.Request{ + Path: "group-alias", + Operation: logical.UpdateOperation, + Data: map[string]interface{}{ + "canonical_id": groupID, + "name": "testgroupalias", + "mount_accessor": accessor, + }, + } + resp, err = i.HandleRequest(aliasReq) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) + } + aliasID := resp.Data["id"].(string) + + lookupReq.Data = map[string]interface{}{ + "alias_id": aliasID, + } + + resp, err = i.HandleRequest(lookupReq) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) + } + if resp.Data["id"].(string) != groupID { + t.Fatalf("failed to lookup group") + } + + lookupReq.Data = map[string]interface{}{ + "alias_name": "testgroupalias", + "alias_mount_accessor": accessor, + } + + resp, err = i.HandleRequest(lookupReq) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: resp: %#v\n err: %#v\n", resp, err) + } + if resp.Data["id"].(string) != groupID { + t.Fatalf("failed to lookup group") + } + + // Supply 2 query criteria + lookupReq.Data = map[string]interface{}{ + "id": groupID, + "name": groupName, + } + + resp, err = i.HandleRequest(lookupReq) + if err != nil { + t.Fatal(err) + } + if resp == nil || !resp.IsError() { + t.Fatalf("expected an error") + } + + // Supply alias name and skip accessor + lookupReq.Data = map[string]interface{}{ + "alias_name": "testgroupalias", + } + + resp, err = i.HandleRequest(lookupReq) + if err != nil { + t.Fatal(err) + } + if resp == nil || !resp.IsError() { + t.Fatalf("expected an error") + } + + // Supply alias accessor and skip name + lookupReq.Data = map[string]interface{}{ + "alias_mount_accessor": accessor, + } + + resp, err = i.HandleRequest(lookupReq) + if err != nil { + t.Fatal(err) + } + if resp == nil || !resp.IsError() { + t.Fatalf("expected an error") + } + + // Don't supply any criteria + lookupReq.Data = nil + + resp, err = i.HandleRequest(lookupReq) + if err != nil { + t.Fatal(err) + } + if resp == nil || !resp.IsError() { + t.Fatalf("expected an error") + } }