contained_db DeleteUser unit test (#13895)
* added TestDeleteUserContainedDB | testContainedDBCredsExist helper function * unit test contained db sanitization Co-authored-by: Gary Frederick <imtahghost@protonmail.com>
This commit is contained in:
Gary Frederick
GitHub
parent
2489c958f5
commit
ac4804eae8
|
|
@ -357,6 +357,91 @@ func TestDeleteUser(t *testing.T) {
|
|||
assertCredsDoNotExist(t, connURL, dbUser, initPassword)
|
||||
}
|
||||
|
||||
func TestDeleteUserContainedDB(t *testing.T) {
|
||||
cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
|
||||
defer cleanup()
|
||||
|
||||
dbUser := "vaultuser"
|
||||
initPassword := "p4$sw0rd"
|
||||
|
||||
initReq := dbplugin.InitializeRequest{
|
||||
Config: map[string]interface{}{
|
||||
"connection_url": connURL,
|
||||
"contained_db": true,
|
||||
},
|
||||
VerifyConnection: true,
|
||||
}
|
||||
|
||||
db := new()
|
||||
|
||||
dbtesting.AssertInitializeCircleCiTest(t, db, initReq)
|
||||
defer dbtesting.AssertClose(t, db)
|
||||
|
||||
err := createTestMSSQLUser(connURL, dbUser, initPassword, testMSSQLContainedLogin)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to create user: %s", err)
|
||||
}
|
||||
|
||||
assertCredsExist(t, connURL, dbUser, initPassword)
|
||||
|
||||
deleteReq := dbplugin.DeleteUserRequest{
|
||||
Username: dbUser,
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
||||
defer cancel()
|
||||
deleteResp, err := db.DeleteUser(ctx, deleteReq)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to delete user: %s", err)
|
||||
}
|
||||
|
||||
// Protect against future fields that aren't specified
|
||||
expectedResp := dbplugin.DeleteUserResponse{}
|
||||
if !reflect.DeepEqual(deleteResp, expectedResp) {
|
||||
t.Fatalf("Fields missing from expected response: Actual: %#v", deleteResp)
|
||||
}
|
||||
|
||||
assertContainedDBCredsDoNotExist(t, connURL, dbUser)
|
||||
}
|
||||
|
||||
func TestContainedDBSQLSanitization(t *testing.T) {
|
||||
cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
|
||||
defer cleanup()
|
||||
|
||||
injectionString := "vaultuser]"
|
||||
dbUser := "vaultuser"
|
||||
initPassword := "p4$sw0rd"
|
||||
|
||||
initReq := dbplugin.InitializeRequest{
|
||||
Config: map[string]interface{}{
|
||||
"connection_url": connURL,
|
||||
},
|
||||
VerifyConnection: true,
|
||||
}
|
||||
|
||||
db := new()
|
||||
|
||||
dbtesting.AssertInitializeCircleCiTest(t, db, initReq)
|
||||
defer dbtesting.AssertClose(t, db)
|
||||
|
||||
err := createTestMSSQLUser(connURL, dbUser, initPassword, testMSSQLContainedLogin)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to create user: %s", err)
|
||||
}
|
||||
|
||||
assertCredsExist(t, connURL, dbUser, initPassword)
|
||||
|
||||
deleteReq := dbplugin.DeleteUserRequest{
|
||||
Username: injectionString,
|
||||
}
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
||||
defer cancel()
|
||||
_, err = db.DeleteUser(ctx, deleteReq)
|
||||
|
||||
assert.EqualError(t, err, "mssql: Cannot alter the login 'vaultuser]', because it does not exist or you do not have permission.")
|
||||
}
|
||||
|
||||
func TestSQLSanitization(t *testing.T) {
|
||||
cleanup, connURL := mssqlhelper.PrepareMSSQLTestContainer(t)
|
||||
defer cleanup()
|
||||
|
|
@ -411,6 +496,29 @@ func assertCredsDoNotExist(t testing.TB, connURL, username, password string) {
|
|||
}
|
||||
}
|
||||
|
||||
func assertContainedDBCredsDoNotExist(t testing.TB, connURL, username string) {
|
||||
t.Helper()
|
||||
err := testContainedDBCredsExist(connURL, username)
|
||||
assert.EqualError(t, err, "mssql: Cannot drop the user 'vaultuser', because it does not exist or you do not have permission.")
|
||||
}
|
||||
|
||||
func testContainedDBCredsExist(connURL, username string) error {
|
||||
ctx := context.Background()
|
||||
// Log in
|
||||
db, err := sql.Open("mssql", connURL)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer db.Close()
|
||||
userStmt, err := db.PrepareContext(ctx, fmt.Sprintf("DROP USER [%s]", username))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
_, err = userStmt.ExecContext(ctx)
|
||||
defer userStmt.Close()
|
||||
return err
|
||||
}
|
||||
|
||||
func testCredsExist(connURL, username, password string) error {
|
||||
// Log in with the new creds
|
||||
parts := strings.Split(connURL, "@")
|
||||
|
|
@ -462,3 +570,8 @@ GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [{{name}}];`
|
|||
const testMSSQLLogin = `
|
||||
CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';
|
||||
`
|
||||
|
||||
const testMSSQLContainedLogin = `
|
||||
CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';
|
||||
CREATE USER [{{name}}] FOR LOGIN [{{name}}];
|
||||
`
|
||||
|
|
|
|||
Loading…
Reference in New Issue