secrets/database: adds ability to manage alternative credential types and configuration (#15376)

2025-11-01 19:17:58 +00:00 · 2022-05-17 09:21:26 -07:00
parent 83bc726273
commit 0f1784dce2
19 changed files with 1627 additions and 400 deletions
--- a/builtin/logical/database/version_wrapper_test.go
+++ b/builtin/logical/database/version_wrapper_test.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"reflect"
-	"regexp"
 	"testing"
 	"time"

@@ -176,176 +175,6 @@ func TestInitDatabase_legacyDB(t *testing.T) {
 	}
 }

-type fakePasswordGenerator struct {
-	password string
-	err      error
-}
-
-func (pg fakePasswordGenerator) GeneratePasswordFromPolicy(ctx context.Context, policy string) (string, error) {
-	return pg.password, pg.err
-}
-
-func TestGeneratePassword_missingDB(t *testing.T) {
-	dbw := databaseVersionWrapper{}
-
-	gen := fakePasswordGenerator{
-		err: fmt.Errorf("this shouldn't be called"),
-	}
-	pass, err := dbw.GeneratePassword(context.Background(), gen, "policy")
-	if err == nil {
-		t.Fatalf("err expected, got nil")
-	}
-
-	if pass != "" {
-		t.Fatalf("Password should be empty but was: %s", pass)
-	}
-}
-
-func TestGeneratePassword_legacy(t *testing.T) {
-	type testCase struct {
-		legacyPassword string
-		legacyErr      error
-		legacyCalls    int
-
-		expectedPassword string
-		expectErr        bool
-	}
-
-	tests := map[string]testCase{
-		"legacy password generation": {
-			legacyPassword: "legacy_password",
-			legacyErr:      nil,
-			legacyCalls:    1,
-
-			expectedPassword: "legacy_password",
-			expectErr:        false,
-		},
-		"legacy password failure": {
-			legacyPassword: "",
-			legacyErr:      fmt.Errorf("failed :("),
-			legacyCalls:    1,
-
-			expectedPassword: "",
-			expectErr:        true,
-		},
-	}
-
-	for name, test := range tests {
-		t.Run(name, func(t *testing.T) {
-			legacyDB := new(mockLegacyDatabase)
-			legacyDB.On("GenerateCredentials", mock.Anything).
-				Return(test.legacyPassword, test.legacyErr)
-			defer legacyDB.AssertNumberOfCalls(t, "GenerateCredentials", test.legacyCalls)
-
-			dbw := databaseVersionWrapper{
-				v4: legacyDB,
-			}
-
-			passGen := fakePasswordGenerator{
-				err: fmt.Errorf("this should not be called"),
-			}
-
-			ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
-			defer cancel()
-			password, err := dbw.GeneratePassword(ctx, passGen, "test_policy")
-			if test.expectErr && err == nil {
-				t.Fatalf("err expected, got nil")
-			}
-			if !test.expectErr && err != nil {
-				t.Fatalf("no error expected, got: %s", err)
-			}
-			if password != test.expectedPassword {
-				t.Fatalf("Actual password: %s Expected password: %s", password, test.expectedPassword)
-			}
-		})
-	}
-}
-
-func TestGeneratePassword_policies(t *testing.T) {
-	type testCase struct {
-		passwordPolicyPassword string
-		passwordPolicyErr      error
-
-		expectedPassword string
-		expectErr        bool
-	}
-
-	tests := map[string]testCase{
-		"password policy generation": {
-			passwordPolicyPassword: "new_password",
-
-			expectedPassword: "new_password",
-			expectErr:        false,
-		},
-		"password policy error": {
-			passwordPolicyPassword: "",
-			passwordPolicyErr:      fmt.Errorf("test error"),
-
-			expectedPassword: "",
-			expectErr:        true,
-		},
-	}
-
-	for name, test := range tests {
-		t.Run(name, func(t *testing.T) {
-			newDB := new(mockNewDatabase)
-			defer newDB.AssertExpectations(t)
-
-			dbw := databaseVersionWrapper{
-				v5: newDB,
-			}
-
-			passGen := fakePasswordGenerator{
-				password: test.passwordPolicyPassword,
-				err:      test.passwordPolicyErr,
-			}
-
-			ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
-			defer cancel()
-			password, err := dbw.GeneratePassword(ctx, passGen, "test_policy")
-			if test.expectErr && err == nil {
-				t.Fatalf("err expected, got nil")
-			}
-			if !test.expectErr && err != nil {
-				t.Fatalf("no error expected, got: %s", err)
-			}
-			if password != test.expectedPassword {
-				t.Fatalf("Actual password: %s Expected password: %s", password, test.expectedPassword)
-			}
-		})
-	}
-}
-
-func TestGeneratePassword_no_policy(t *testing.T) {
-	newDB := new(mockNewDatabase)
-	defer newDB.AssertExpectations(t)
-
-	dbw := databaseVersionWrapper{
-		v5: newDB,
-	}
-
-	passGen := fakePasswordGenerator{
-		password: "",
-		err:      fmt.Errorf("should not be called"),
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
-	defer cancel()
-	password, err := dbw.GeneratePassword(ctx, passGen, "")
-	if err != nil {
-		t.Fatalf("no error expected, got: %s", err)
-	}
-	if password == "" {
-		t.Fatalf("missing password")
-	}
-
-	rawRegex := "^[a-zA-Z0-9-]{20}$"
-	re := regexp.MustCompile(rawRegex)
-	if !re.MatchString(password) {
-		t.Fatalf("password %q did not match regex: %q", password, rawRegex)
-	}
-}
-
 func TestNewUser_missingDB(t *testing.T) {
 	dbw := databaseVersionWrapper{}