253 lines
6.7 KiB
Go
253 lines
6.7 KiB
Go
package identity
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/hashicorp/vault/api"
|
|
"github.com/hashicorp/vault/builtin/credential/github"
|
|
"github.com/hashicorp/vault/builtin/credential/userpass"
|
|
vaulthttp "github.com/hashicorp/vault/http"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
"github.com/hashicorp/vault/vault"
|
|
)
|
|
|
|
func TestIdentityStore_ListAlias(t *testing.T) {
|
|
coreConfig := &vault.CoreConfig{
|
|
CredentialBackends: map[string]logical.Factory{
|
|
"github": github.Factory,
|
|
},
|
|
}
|
|
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
|
HandlerFunc: vaulthttp.Handler,
|
|
})
|
|
cluster.Start()
|
|
defer cluster.Cleanup()
|
|
|
|
core := cluster.Cores[0].Core
|
|
vault.TestWaitActive(t, core)
|
|
client := cluster.Cores[0].Client
|
|
|
|
err := client.Sys().EnableAuthWithOptions("github", &api.EnableAuthOptions{
|
|
Type: "github",
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
mounts, err := client.Sys().ListAuth()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
var githubAccessor string
|
|
for k, v := range mounts {
|
|
t.Logf("key: %v\nmount: %#v", k, *v)
|
|
if k == "github/" {
|
|
githubAccessor = v.Accessor
|
|
break
|
|
}
|
|
}
|
|
if githubAccessor == "" {
|
|
t.Fatal("did not find github accessor")
|
|
}
|
|
|
|
resp, err := client.Logical().Write("identity/entity", nil)
|
|
if err != nil {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
if resp == nil {
|
|
t.Fatalf("expected a non-nil response")
|
|
}
|
|
|
|
entityID := resp.Data["id"].(string)
|
|
|
|
// Create an alias
|
|
resp, err = client.Logical().Write("identity/entity-alias", map[string]interface{}{
|
|
"name": "testaliasname",
|
|
"mount_accessor": githubAccessor,
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
testAliasCanonicalID := resp.Data["canonical_id"].(string)
|
|
testAliasAliasID := resp.Data["id"].(string)
|
|
|
|
resp, err = client.Logical().Write("identity/entity-alias", map[string]interface{}{
|
|
"name": "entityalias",
|
|
"mount_accessor": githubAccessor,
|
|
"canonical_id": entityID,
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
entityAliasAliasID := resp.Data["id"].(string)
|
|
|
|
resp, err = client.Logical().List("identity/entity-alias/id")
|
|
if err != nil {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
keys := resp.Data["keys"].([]interface{})
|
|
if len(keys) != 2 {
|
|
t.Fatalf("bad: length of alias IDs listed; expected: 2, actual: %d", len(keys))
|
|
}
|
|
|
|
// Do some due diligence on the key info
|
|
aliasInfoRaw, ok := resp.Data["key_info"]
|
|
if !ok {
|
|
t.Fatal("expected key_info map in response")
|
|
}
|
|
aliasInfo := aliasInfoRaw.(map[string]interface{})
|
|
for _, keyRaw := range keys {
|
|
key := keyRaw.(string)
|
|
infoRaw, ok := aliasInfo[key]
|
|
if !ok {
|
|
t.Fatal("expected key info")
|
|
}
|
|
info := infoRaw.(map[string]interface{})
|
|
currName := "entityalias"
|
|
if info["canonical_id"].(string) == testAliasCanonicalID {
|
|
currName = "testaliasname"
|
|
}
|
|
t.Logf("alias info: %#v", info)
|
|
switch {
|
|
case info["name"].(string) != currName:
|
|
t.Fatalf("bad name: %v", info["name"].(string))
|
|
case info["mount_accessor"].(string) != githubAccessor:
|
|
t.Fatalf("bad mount_path: %v", info["mount_accessor"].(string))
|
|
}
|
|
}
|
|
|
|
// Now do the same with entity info
|
|
resp, err = client.Logical().List("identity/entity/id")
|
|
if err != nil {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
keys = resp.Data["keys"].([]interface{})
|
|
if len(keys) != 2 {
|
|
t.Fatalf("bad: length of entity IDs listed; expected: 2, actual: %d", len(keys))
|
|
}
|
|
|
|
entityInfoRaw, ok := resp.Data["key_info"]
|
|
if !ok {
|
|
t.Fatal("expected key_info map in response")
|
|
}
|
|
|
|
// This is basically verifying that the entity has the alias in key_info
|
|
// that we expect to be tied to it, plus tests a value further down in it
|
|
// for fun
|
|
entityInfo := entityInfoRaw.(map[string]interface{})
|
|
for _, keyRaw := range keys {
|
|
key := keyRaw.(string)
|
|
infoRaw, ok := entityInfo[key]
|
|
if !ok {
|
|
t.Fatal("expected key info")
|
|
}
|
|
info := infoRaw.(map[string]interface{})
|
|
t.Logf("entity info: %#v", info)
|
|
currAliasID := entityAliasAliasID
|
|
if key == testAliasCanonicalID {
|
|
currAliasID = testAliasAliasID
|
|
}
|
|
currAliases := info["aliases"].([]interface{})
|
|
if len(currAliases) != 1 {
|
|
t.Fatal("bad aliases length")
|
|
}
|
|
for _, v := range currAliases {
|
|
curr := v.(map[string]interface{})
|
|
switch {
|
|
case curr["id"].(string) != currAliasID:
|
|
t.Fatalf("bad alias id: %v", curr["id"])
|
|
case curr["mount_accessor"].(string) != githubAccessor:
|
|
t.Fatalf("bad mount accessor: %v", curr["mount_accessor"])
|
|
case curr["mount_path"].(string) != "auth/github/":
|
|
t.Fatalf("bad mount path: %v", curr["mount_path"])
|
|
case curr["mount_type"].(string) != "github":
|
|
t.Fatalf("bad mount type: %v", curr["mount_type"])
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// TestIdentityStore_RenameAlias_CannotMergeEntity verifies that an error is
|
|
// returned on an attempt to rename an alias to match another alias with the
|
|
// same mount accessor. This used to result in a merge entity.
|
|
func TestIdentityStore_RenameAlias_CannotMergeEntity(t *testing.T) {
|
|
coreConfig := &vault.CoreConfig{
|
|
CredentialBackends: map[string]logical.Factory{
|
|
"userpass": userpass.Factory,
|
|
},
|
|
}
|
|
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
|
HandlerFunc: vaulthttp.Handler,
|
|
})
|
|
cluster.Start()
|
|
defer cluster.Cleanup()
|
|
|
|
client := cluster.Cores[0].Client
|
|
|
|
err := client.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{
|
|
Type: "userpass",
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
_, err = client.Logical().Write("auth/userpass/users/bsmith", map[string]interface{}{
|
|
"password": "training",
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
_, err = client.Logical().Write("auth/userpass/login/bsmith", map[string]interface{}{
|
|
"password": "training",
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
mounts, err := client.Sys().ListAuth()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
var mountAccessor string
|
|
for k, v := range mounts {
|
|
if k == "userpass/" {
|
|
mountAccessor = v.Accessor
|
|
break
|
|
}
|
|
}
|
|
if mountAccessor == "" {
|
|
t.Fatal("did not find userpass accessor")
|
|
}
|
|
|
|
// Now create a new unrelated entity and alias
|
|
entityResp, err := client.Logical().Write("identity/entity", map[string]interface{}{
|
|
"name": "bob-smith",
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("err:%v resp:%#v", err, entityResp)
|
|
}
|
|
if entityResp == nil {
|
|
t.Fatalf("expected a non-nil response")
|
|
}
|
|
|
|
aliasResp, err := client.Logical().Write("identity/entity-alias", map[string]interface{}{
|
|
"name": "bob",
|
|
"mount_accessor": mountAccessor,
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("err:%v resp:%#v", err, aliasResp)
|
|
}
|
|
aliasID2 := aliasResp.Data["id"].(string)
|
|
|
|
// Rename this new alias to have the same name as the one implicitly created by our login as bsmith
|
|
_, err = client.Logical().Write("identity/entity-alias/id/"+aliasID2, map[string]interface{}{
|
|
"name": "bsmith",
|
|
})
|
|
if err == nil {
|
|
t.Fatal("expected rename over existing entity to fail")
|
|
}
|
|
}
|