vault: testing credential enable/disable

2015-03-19 10:39:47 -07:00 · 2015-03-19 10:39:47 -07:00 · 7170bff4f9
parent ca44529c9d
commit 7170bff4f9
1 changed files with 132 additions and 0 deletions
--- a/vault/auth_test.go
+++ b/vault/auth_test.go
@ -1,10 +1,34 @@
 package vault

 import (
+	"fmt"
 	"reflect"
 	"testing"
+
+	"github.com/hashicorp/vault/credential"
+	"github.com/hashicorp/vault/logical"
 )

+type NoopCred struct {
+	Root     []string
+	Paths    []string
+	Requests []*logical.Request
+	Response *logical.Response
+}
+
+func (n *NoopCred) HandleRequest(req *logical.Request) (*logical.Response, error) {
+	n.Paths = append(n.Paths, req.Path)
+	n.Requests = append(n.Requests, req)
+	if req.Storage == nil {
+		return nil, fmt.Errorf("missing view")
+	}
+	return n.Response, nil
+}
+
+func (n *NoopCred) RootPaths() []string {
+	return n.Root
+}
+
 func TestCore_DefaultAuthTable(t *testing.T) {
 	c, key := TestCoreUnsealed(t)
 	verifyDefaultAuthTable(t, c.auth)
@ -29,6 +53,114 @@ func TestCore_DefaultAuthTable(t *testing.T) {
 	}
 }

+func TestCore_EnableCredential(t *testing.T) {
+	c, key := TestCoreUnsealed(t)
+	c.credentialBackends["noop"] = func(map[string]string) (credential.Backend, error) {
+		return &NoopCred{}, nil
+	}
+
+	me := &MountEntry{
+		Path: "foo",
+		Type: "noop",
+	}
+	err := c.enableCredential(me)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	match := c.router.MatchingMount("auth/foo/bar")
+	if match != "auth/foo/" {
+		t.Fatalf("missing mount")
+	}
+
+	conf := &CoreConfig{Physical: c.physical}
+	c2, err := NewCore(conf)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	unseal, err := c2.Unseal(key)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !unseal {
+		t.Fatalf("should be unsealed")
+	}
+
+	// Verify matching auth tables
+	if !reflect.DeepEqual(c.auth, c2.auth) {
+		t.Fatalf("mismatch: %v %v", c.auth, c2.auth)
+	}
+}
+
+func TestCore_EnableCredential_Token(t *testing.T) {
+	c, _ := TestCoreUnsealed(t)
+	me := &MountEntry{
+		Path: "foo",
+		Type: "token",
+	}
+	err := c.enableCredential(me)
+	if err.Error() != "token credential backend cannot be instantiated" {
+		t.Fatalf("err: %v", err)
+	}
+}
+
+func TestCore_DisableCredential(t *testing.T) {
+	c, key := TestCoreUnsealed(t)
+	c.credentialBackends["noop"] = func(map[string]string) (credential.Backend, error) {
+		return &NoopCred{}, nil
+	}
+
+	err := c.disableCredential("foo")
+	if err.Error() != "no matching backend" {
+		t.Fatalf("err: %v", err)
+	}
+
+	me := &MountEntry{
+		Path: "foo",
+		Type: "noop",
+	}
+	err = c.enableCredential(me)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	err = c.disableCredential("foo")
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	match := c.router.MatchingMount("auth/foo/bar")
+	if match != "" {
+		t.Fatalf("backend present")
+	}
+
+	conf := &CoreConfig{Physical: c.physical}
+	c2, err := NewCore(conf)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	unseal, err := c2.Unseal(key)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if !unseal {
+		t.Fatalf("should be unsealed")
+	}
+
+	// Verify matching mount tables
+	if !reflect.DeepEqual(c.auth, c2.auth) {
+		t.Fatalf("mismatch: %v %v", c.auth, c2.auth)
+	}
+}
+
+func TestCore_DisableCredential_Protected(t *testing.T) {
+	c, _ := TestCoreUnsealed(t)
+	err := c.disableCredential("token")
+	if err.Error() != "token credential backend cannot be disabled" {
+		t.Fatalf("err: %v", err)
+	}
+}
+
 func TestDefaultAuthTable(t *testing.T) {
 	table := defaultAuthTable()
 	verifyDefaultAuthTable(t, table)