Removed http/sys_capabilties_test.go

2016-03-17 23:01:28 -04:00 · 2016-03-17 23:01:28 -04:00 · fbfe72f286
parent 55f03b5d25
commit fbfe72f286
3 changed files with 24 additions and 183 deletions
--- a/http/handler.go
+++ b/http/handler.go
@ -33,7 +33,7 @@ func Handler(core *vault.Core) http.Handler {
 	mux.Handle("/v1/sys/generate-root/update", handleSysGenerateRootUpdate(core))
 	mux.Handle("/v1/sys/rekey/init", handleSysRekeyInit(core))
 	mux.Handle("/v1/sys/rekey/update", handleSysRekeyUpdate(core))
-	mux.Handle("/v1/sys/capabilities-self", handleLogical(core, true, sysCapabilitiesCallback))
+	mux.Handle("/v1/sys/capabilities-self", handleLogical(core, true, sysCapabilitiesSelfCallback))
 	mux.Handle("/v1/sys/", handleLogical(core, true, nil))
 	mux.Handle("/v1/", handleLogical(core, false, nil))

@ -43,7 +43,14 @@ func Handler(core *vault.Core) http.Handler {
 	return handler
 }

-func sysCapabilitiesCallback(req *logical.Request) error {
+// ClientToken is required in the handler of sys/capabilities-self endpoint in
+// system backend. But the ClientToken gets obfuscated before the request gets
+// forwarded to any logical backend. So, setting the ClientToken in the data
+// field for this request.
+func sysCapabilitiesSelfCallback(req *logical.Request) error {
+	if req == nil || req.Data == nil {
+		return fmt.Errorf("invalid request")
+	}
 	req.Data["token"] = req.ClientToken
 	return nil
 }
--- a/http/sys_capabilities_test.go
+++ b/http/sys_capabilities_test.go
@ -1,177 +0,0 @@
-package http
-
-import (
-	"reflect"
-	"testing"
-
-	"github.com/hashicorp/vault/vault"
-)
-
-func TestSysCapabilitiesAccessor(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-	TestServerAuth(t, addr, token)
-
-	// Lookup the token properties
-	resp := testHttpGet(t, token, addr+"/v1/auth/token/lookup/"+token)
-	var lookupResp map[string]interface{}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &lookupResp)
-
-	// Retrieve the accessor from the token properties
-	lookupData := lookupResp["data"].(map[string]interface{})
-	accessor := lookupData["accessor"].(string)
-
-	resp = testHttpPost(t, token, addr+"/v1/sys/capabilities-accessor", map[string]interface{}{
-		"accessor": accessor,
-		"path":     "testpath",
-	})
-
-	var result map[string]interface{}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &result)
-
-	var actual []string
-	capabilitiesRaw := result["data"].(map[string]interface{})["capabilities"].([]interface{})
-	for _, capability := range capabilitiesRaw {
-		actual = append(actual, capability.(string))
-	}
-
-	expected := []string{"root"}
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
-	}
-
-	// Testing for non-root token's accessor
-	// Create a policy first
-	resp = testHttpPost(t, token, addr+"/v1/sys/policy/foo", map[string]interface{}{
-		"rules": `path "testpath" {capabilities = ["read","sudo"]}`,
-	})
-	testResponseStatus(t, resp, 204)
-
-	// Create a token against the test policy
-	resp = testHttpPost(t, token, addr+"/v1/auth/token/create", map[string]interface{}{
-		"policies": []string{"foo"},
-	})
-
-	var tokenResp map[string]interface{}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &tokenResp)
-
-	// Check if desired policies are present in the token
-	auth := tokenResp["auth"].(map[string]interface{})
-	actualPolicies := auth["policies"]
-	expectedPolicies := []interface{}{"default", "foo"}
-	if !reflect.DeepEqual(actualPolicies, expectedPolicies) {
-		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actualPolicies, expectedPolicies)
-	}
-
-	// Check the capabilities of non-root token using the accessor
-	resp = testHttpPost(t, token, addr+"/v1/sys/capabilities-accessor", map[string]interface{}{
-		"accessor": auth["accessor"],
-		"path":     "testpath",
-	})
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &result)
-
-	actual = nil
-	capabilitiesRaw = result["data"].(map[string]interface{})["capabilities"].([]interface{})
-	for _, capability := range capabilitiesRaw {
-		actual = append(actual, capability.(string))
-	}
-
-	expected = []string{"sudo", "read"}
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
-	}
-}
-
-func TestSysCapabilities(t *testing.T) {
-	core, _, token := vault.TestCoreUnsealed(t)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-	TestServerAuth(t, addr, token)
-
-	// Send both token and path
-	resp := testHttpPost(t, token, addr+"/v1/sys/capabilities", map[string]interface{}{
-		"token": token,
-		"path":  "testpath",
-	})
-
-	var result map[string]interface{}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &result)
-
-	var actual []string
-	capabilitiesRaw := result["data"].(map[string]interface{})["capabilities"].([]interface{})
-	for _, capability := range capabilitiesRaw {
-		actual = append(actual, capability.(string))
-	}
-
-	expected := []string{"root"}
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
-	}
-
-	// Send only path to capabilities-self
-	resp = testHttpPost(t, token, addr+"/v1/sys/capabilities-self", map[string]interface{}{
-		"path": "testpath",
-	})
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &result)
-
-	actual = nil
-	capabilitiesRaw = result["data"].(map[string]interface{})["capabilities"].([]interface{})
-	for _, capability := range capabilitiesRaw {
-		actual = append(actual, capability.(string))
-	}
-
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
-	}
-
-	// Testing for non-root tokens
-
-	// Create a policy first
-	resp = testHttpPost(t, token, addr+"/v1/sys/policy/foo", map[string]interface{}{
-		"rules": `path "testpath" {capabilities = ["read","sudo"]}`,
-	})
-	testResponseStatus(t, resp, 204)
-
-	// Create a token against the test policy
-	resp = testHttpPost(t, token, addr+"/v1/auth/token/create", map[string]interface{}{
-		"policies": []string{"foo"},
-	})
-
-	var tokenResp map[string]interface{}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &tokenResp)
-
-	// Check if desired policies are present in the token
-	auth := tokenResp["auth"].(map[string]interface{})
-	actualPolicies := auth["policies"]
-	expectedPolicies := []interface{}{"default", "foo"}
-	if !reflect.DeepEqual(actualPolicies, expectedPolicies) {
-		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actualPolicies, expectedPolicies)
-	}
-
-	// Check the capabilities with the created non-root token
-	resp = testHttpPost(t, token, addr+"/v1/sys/capabilities", map[string]interface{}{
-		"token": auth["client_token"],
-		"path":  "testpath",
-	})
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &result)
-
-	actual = nil
-	capabilitiesRaw = result["data"].(map[string]interface{})["capabilities"].([]interface{})
-	for _, capability := range capabilitiesRaw {
-		actual = append(actual, capability.(string))
-	}
-
-	expected = []string{"sudo", "read"}
-	if !reflect.DeepEqual(actual, expected) {
-		t.Fatalf("bad: got\n%#v\nexpected\n%#v\n", actual, expected)
-	}
-}
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@ -59,8 +59,9 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) logical.Backend
 				},

 				HelpSynopsis:    strings.TrimSpace(sysHelp["capabilities_accessor"][0]),
-				HelpDescription: strings.TrimSpace(sysHelp["capabilities_accessor"][0]),
+				HelpDescription: strings.TrimSpace(sysHelp["capabilities_accessor"][1]),
 			},
+
 			&framework.Path{
 				Pattern: "capabilities$",

@ -80,7 +81,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) logical.Backend
 				},

 				HelpSynopsis:    strings.TrimSpace(sysHelp["capabilities"][0]),
-				HelpDescription: strings.TrimSpace(sysHelp["capabilities"][0]),
+				HelpDescription: strings.TrimSpace(sysHelp["capabilities"][1]),
 			},
 			&framework.Path{
 				Pattern: "capabilities-self$",
@ -100,8 +101,8 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) logical.Backend
 					logical.UpdateOperation: b.handleCapabilities,
 				},

-				HelpSynopsis:    strings.TrimSpace(sysHelp["capabilities"][0]),
-				HelpDescription: strings.TrimSpace(sysHelp["capabilities"][0]),
+				HelpSynopsis:    strings.TrimSpace(sysHelp["capabilities_self"][0]),
+				HelpDescription: strings.TrimSpace(sysHelp["capabilities_self"][1]),
 			},

 			&framework.Path{
@ -1506,9 +1507,19 @@ Enable a new audit backend or disable an existing backend.

 	"capabilities": {
 		"Fetches the capabilities of the given token on the given path.",
+		`Returns the capabilities of the given token on the path.
+		The path will be searched for a path match in all the policies associated with the token.`,
+	},
+
+	"capabilities_self": {
+		"Fetches the capabilities of the given token on the given path.",
+		`Returns the capabilities of the client token on the path.
+		The path will be searched for a path match in all the policies associated with the client token.`,
 	},

 	"capabilities_accessor": {
 		"Fetches the capabilities of the token associated with the given token, on the given path.",
+		`When there is no access to the token, token accessor can be used to fetch the token's capabilities
+		on a given path.`,
 	},
 }