Added test for revoking mysql user with wild card host and non-wildcard host

2016-10-02 22:28:54 -04:00 · 2016-10-02 22:28:54 -04:00 · bb70ecc5a7
parent dbb00534d9
commit bb70ecc5a7
2 changed files with 56 additions and 12 deletions
--- a/builtin/logical/mysql/backend_test.go
+++ b/builtin/logical/mysql/backend_test.go
@ -126,11 +126,39 @@ func TestBackend_basic(t *testing.T) {
 		"connection_url": connURL,
 	}

+	// for wildcard base mysql user
 	logicaltest.Test(t, logicaltest.TestCase{
 		Backend: b,
 		Steps: []logicaltest.TestStep{
 			testAccStepConfig(t, connData, false),
-			testAccStepRole(t),
+			testAccStepRole(t, true),
+			testAccStepReadCreds(t, "web"),
+		},
+	})
+}
+
+func TestBackend_basicHostRevoke(t *testing.T) {
+	config := logical.TestBackendConfig()
+	config.StorageView = &logical.InmemStorage{}
+	b, err := Factory(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cid, connURL := prepareTestContainer(t, config.StorageView, b)
+	if cid != "" {
+		defer cleanupTestContainer(t, cid)
+	}
+	connData := map[string]interface{}{
+		"connection_url": connURL,
+	}
+
+	// for wildcard base mysql user
+	logicaltest.Test(t, logicaltest.TestCase{
+		Backend: b,
+		Steps: []logicaltest.TestStep{
+			testAccStepConfig(t, connData, false),
+			testAccStepRole(t, false),
 			testAccStepReadCreds(t, "web"),
 		},
 	})
@ -156,8 +184,8 @@ func TestBackend_roleCrud(t *testing.T) {
 		Backend: b,
 		Steps: []logicaltest.TestStep{
 			testAccStepConfig(t, connData, false),
-			testAccStepRole(t),
-			testAccStepReadRole(t, "web", testRole),
+			testAccStepRole(t, false),
+			testAccStepReadRole(t, "web", testRoleHost),
 			testAccStepDeleteRole(t, "web"),
 			testAccStepReadRole(t, "web", ""),
 		},
@ -209,7 +237,7 @@ func testAccStepConfig(t *testing.T, d map[string]interface{}, expectError bool)
 					return err
 				}
 				if len(e.Error) == 0 {
-					return fmt.Errorf("expected error, but write succeeded.")
+					return fmt.Errorf("expected error, but write succeeded")
 				}
 				return nil
 			} else if resp != nil && resp.IsError() {
@ -220,14 +248,26 @@ func testAccStepConfig(t *testing.T, d map[string]interface{}, expectError bool)
 	}
 }

-func testAccStepRole(t *testing.T) logicaltest.TestStep {
+func testAccStepRole(t *testing.T, wildCard bool) logicaltest.TestStep {
+
+	if wildCard == true {
+		return logicaltest.TestStep{
+			Operation: logical.UpdateOperation,
+			Path:      "roles/web",
+			Data: map[string]interface{}{
+				"sql": testRoleWildCard,
+			},
+		}
+	}
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "roles/web",
 		Data: map[string]interface{}{
-			"sql": testRole,
+			"sql":        testRoleHost,
+			"revoke_sql": testRevokeSQL,
 		},
 	}
+
 }

 func testAccStepDeleteRole(t *testing.T, n string) logicaltest.TestStep {
@ -310,7 +350,15 @@ func testAccStepReadLease(t *testing.T) logicaltest.TestStep {
 	}
 }

-const testRole = `
+const testRoleWildCard = `
 CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';
 GRANT SELECT ON *.* TO '{{name}}'@'%';
 `
+const testRoleHost = `
+CREATE USER '{{name}}'@'10.1.1.2' IDENTIFIED BY '{{password}}';
+GRANT SELECT ON *.* TO '{{name}}'@'10.1.1.2';
+`
+const testRevokeSQL = `
+REVOKE ALL PRIVILEGES, GRANT OPTION FROM '{{name}}'@'10.1.1.2'; 
+DROP USER '{{name}}'@'10.1.1.2';
+`
--- a/builtin/logical/mysql/secret_creds.go
+++ b/builtin/logical/mysql/secret_creds.go
@ -2,7 +2,6 @@ package mysql

 import (
 	"fmt"
-	"log"
 	"strings"

 	"github.com/hashicorp/vault/helper/strutil"
@ -68,10 +67,7 @@ func (b *backend) secretCredsRevoke(
 		return nil, err
 	}

-	// Get the role
-	// pathParts := strings.Split(req.Path, "/")
-	log.Println("InternalData")
-	log.Printf("%+v", req.Secret.InternalData)
+	// Get the role name
 	rolenameRaw, ok := req.Secret.InternalData["rolename"]
 	if !ok {
 		return nil, fmt.Errorf("secret is missing rollname internal data")