Add test for non-assignable policies

2016-07-25 15:59:02 -04:00 · 2016-07-25 15:59:02 -04:00 · e26487ced5
parent eb75afe54d
commit e26487ced5
3 changed files with 34 additions and 7 deletions
--- a/vault/logical_system_test.go
+++ b/vault/logical_system_test.go
@ -614,8 +614,8 @@ func TestSystemBackend_policyList(t *testing.T) {
 	}

 	exp := map[string]interface{}{
-		"keys":     []string{"default", "response-wrapping", "root"},
-		"policies": []string{"default", "response-wrapping", "root"},
+		"keys":     []string{"default", "root"},
+		"policies": []string{"default", "root"},
 	}
 	if !reflect.DeepEqual(resp.Data, exp) {
 		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
@ -667,8 +667,8 @@ func TestSystemBackend_policyCRUD(t *testing.T) {
 	}

 	exp = map[string]interface{}{
-		"keys":     []string{"default", "foo", "response-wrapping", "root"},
-		"policies": []string{"default", "foo", "response-wrapping", "root"},
+		"keys":     []string{"default", "foo", "root"},
+		"policies": []string{"default", "foo", "root"},
 	}
 	if !reflect.DeepEqual(resp.Data, exp) {
 		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
@ -702,8 +702,8 @@ func TestSystemBackend_policyCRUD(t *testing.T) {
 	}

 	exp = map[string]interface{}{
-		"keys":     []string{"default", "response-wrapping", "root"},
-		"policies": []string{"default", "response-wrapping", "root"},
+		"keys":     []string{"default", "root"},
+		"policies": []string{"default", "root"},
 	}
 	if !reflect.DeepEqual(resp.Data, exp) {
 		t.Fatalf("got: %#v expect: %#v", resp.Data, exp)
--- a/vault/policy_store_test.go
+++ b/vault/policy_store_test.go
@ -138,7 +138,8 @@ func TestPolicyStore_Predefined(t *testing.T) {
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
-	if len(out) != 2 || out[0] != "default" || out[1] != "response-wrapping" {
+	// This shouldn't contain response-wrapping since it's non-assignable
+	if len(out) != 1 || out[0] != "default" {
 		t.Fatalf("bad: %v", out)
 	}

--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@ -503,6 +503,32 @@ func TestTokenStore_RevokeSelf(t *testing.T) {
 	}
 }

+func TestTokenStore_HandleRequest_NonAssignable(t *testing.T) {
+	_, ts, _, root := TestCoreWithTokenStore(t)
+
+	req := logical.TestRequest(t, logical.UpdateOperation, "create")
+	req.ClientToken = root
+	req.Data["policies"] = []string{"default", "foo"}
+
+	resp, err := ts.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v %v", err, resp)
+	}
+
+	req.Data["policies"] = []string{"default", "foo", cubbyholeResponseWrappingPolicyName}
+
+	resp, err = ts.HandleRequest(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp == nil {
+		t.Fatal("got a nil response")
+	}
+	if !resp.IsError() {
+		t.Fatalf("expected error; response is %#v", *resp)
+	}
+}
+
 func TestTokenStore_HandleRequest_CreateToken_DisplayName(t *testing.T) {
 	_, ts, _, root := TestCoreWithTokenStore(t)