mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-11-01 02:57:59 +00:00
Refactor approle response validation tests (#19188)
committed by
GitHub
parent
8fd34ca479
commit
bc303fee63
@@ -6,8 +6,6 @@ import (
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
|
||||
@@ -16,11 +14,9 @@ func TestAppRole_BoundCIDRLogin(t *testing.T) {
|
||||
var err error
|
||||
b, s := createBackendWithStorage(t)
|
||||
|
||||
paths := []*framework.Path{pathLogin(b)}
|
||||
|
||||
// Create a role with secret ID binding disabled and only bound cidr list
|
||||
// enabled
|
||||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||||
resp = b.requestNoErr(t, &logical.Request{
|
||||
Path: "role/testrole",
|
||||
Operation: logical.CreateOperation,
|
||||
Data: map[string]interface{}{
|
||||
@@ -30,24 +26,18 @@ func TestAppRole_BoundCIDRLogin(t *testing.T) {
|
||||
},
|
||||
Storage: s,
|
||||
})
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
|
||||
// Read the role ID
|
||||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||||
resp = b.requestNoErr(t, &logical.Request{
|
||||
Path: "role/testrole/role-id",
|
||||
Operation: logical.ReadOperation,
|
||||
Storage: s,
|
||||
})
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
|
||||
roleID := resp.Data["role_id"]
|
||||
|
||||
// Fill in the connection information and login with just the role ID
|
||||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||||
resp = b.requestNoErr(t, &logical.Request{
|
||||
Path: "login",
|
||||
Operation: logical.UpdateOperation,
|
||||
Data: map[string]interface{}{
|
||||
@@ -56,9 +46,7 @@ func TestAppRole_BoundCIDRLogin(t *testing.T) {
|
||||
Storage: s,
|
||||
Connection: &logical.Connection{RemoteAddr: "127.0.0.1"},
|
||||
})
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
|
||||
if resp.Auth == nil {
|
||||
t.Fatal("expected login to succeed")
|
||||
}
|
||||
@@ -68,15 +56,9 @@ func TestAppRole_BoundCIDRLogin(t *testing.T) {
|
||||
if resp.Auth.BoundCIDRs[0].String() != "10.0.0.0/8" {
|
||||
t.Fatalf("bad: %s", resp.Auth.BoundCIDRs[0].String())
|
||||
}
|
||||
schema.ValidateResponse(
|
||||
t,
|
||||
schema.FindResponseSchema(t, paths, 0, logical.UpdateOperation),
|
||||
resp,
|
||||
true,
|
||||
)
|
||||
|
||||
// Override with a secret-id value, verify it doesn't pass
|
||||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||||
resp = b.requestNoErr(t, &logical.Request{
|
||||
Path: "role/testrole",
|
||||
Operation: logical.UpdateOperation,
|
||||
Data: map[string]interface{}{
|
||||
@@ -84,9 +66,6 @@ func TestAppRole_BoundCIDRLogin(t *testing.T) {
|
||||
},
|
||||
Storage: s,
|
||||
})
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
|
||||
roleSecretIDReq := &logical.Request{
|
||||
Operation: logical.UpdateOperation,
|
||||
@@ -102,13 +81,11 @@ func TestAppRole_BoundCIDRLogin(t *testing.T) {
|
||||
}
|
||||
|
||||
roleSecretIDReq.Data["token_bound_cidrs"] = "10.0.0.0/24"
|
||||
resp, err = b.HandleRequest(context.Background(), roleSecretIDReq)
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
resp = b.requestNoErr(t, roleSecretIDReq)
|
||||
|
||||
secretID := resp.Data["secret_id"]
|
||||
|
||||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||||
resp = b.requestNoErr(t, &logical.Request{
|
||||
Path: "login",
|
||||
Operation: logical.UpdateOperation,
|
||||
Data: map[string]interface{}{
|
||||
@@ -118,9 +95,7 @@ func TestAppRole_BoundCIDRLogin(t *testing.T) {
|
||||
Storage: s,
|
||||
Connection: &logical.Connection{RemoteAddr: "127.0.0.1"},
|
||||
})
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
|
||||
if resp.Auth == nil {
|
||||
t.Fatal("expected login to succeed")
|
||||
}
|
||||
@@ -130,12 +105,6 @@ func TestAppRole_BoundCIDRLogin(t *testing.T) {
|
||||
if resp.Auth.BoundCIDRs[0].String() != "10.0.0.0/24" {
|
||||
t.Fatalf("bad: %s", resp.Auth.BoundCIDRs[0].String())
|
||||
}
|
||||
schema.ValidateResponse(
|
||||
t,
|
||||
schema.FindResponseSchema(t, paths, 0, logical.UpdateOperation),
|
||||
resp,
|
||||
true,
|
||||
)
|
||||
}
|
||||
|
||||
func TestAppRole_RoleLogin(t *testing.T) {
|
||||
@@ -143,18 +112,14 @@ func TestAppRole_RoleLogin(t *testing.T) {
|
||||
var err error
|
||||
b, storage := createBackendWithStorage(t)
|
||||
|
||||
paths := []*framework.Path{pathLogin(b)}
|
||||
|
||||
createRole(t, b, storage, "role1", "a,b,c")
|
||||
roleRoleIDReq := &logical.Request{
|
||||
Operation: logical.ReadOperation,
|
||||
Path: "role/role1/role-id",
|
||||
Storage: storage,
|
||||
}
|
||||
resp, err = b.HandleRequest(context.Background(), roleRoleIDReq)
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
resp = b.requestNoErr(t, roleRoleIDReq)
|
||||
|
||||
roleID := resp.Data["role_id"]
|
||||
|
||||
roleSecretIDReq := &logical.Request{
|
||||
@@ -162,10 +127,8 @@ func TestAppRole_RoleLogin(t *testing.T) {
|
||||
Path: "role/role1/secret-id",
|
||||
Storage: storage,
|
||||
}
|
||||
resp, err = b.HandleRequest(context.Background(), roleSecretIDReq)
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
resp = b.requestNoErr(t, roleSecretIDReq)
|
||||
|
||||
secretID := resp.Data["secret_id"]
|
||||
|
||||
loginData := map[string]interface{}{
|
||||
@@ -206,13 +169,6 @@ func TestAppRole_RoleLogin(t *testing.T) {
|
||||
t.Fatalf("expected metadata.alias.role_name to equal 'role1', got: %v", val)
|
||||
}
|
||||
|
||||
schema.ValidateResponse(
|
||||
t,
|
||||
schema.FindResponseSchema(t, paths, 0, loginReq.Operation),
|
||||
resp,
|
||||
true,
|
||||
)
|
||||
|
||||
// Test renewal
|
||||
renewReq := generateRenewRequest(storage, loginResp.Auth)
|
||||
|
||||
@@ -241,20 +197,15 @@ func TestAppRole_RoleLogin(t *testing.T) {
|
||||
Storage: storage,
|
||||
Data: roleData,
|
||||
}
|
||||
resp, err = b.HandleRequest(context.Background(), roleReq)
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
resp = b.requestNoErr(t, roleReq)
|
||||
|
||||
roleRoleIDReq = &logical.Request{
|
||||
Operation: logical.ReadOperation,
|
||||
Path: "role/role-period/role-id",
|
||||
Storage: storage,
|
||||
}
|
||||
resp, err = b.HandleRequest(context.Background(), roleRoleIDReq)
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
resp = b.requestNoErr(t, roleRoleIDReq)
|
||||
|
||||
roleID = resp.Data["role_id"]
|
||||
|
||||
roleSecretIDReq = &logical.Request{
|
||||
@@ -262,10 +213,8 @@ func TestAppRole_RoleLogin(t *testing.T) {
|
||||
Path: "role/role-period/secret-id",
|
||||
Storage: storage,
|
||||
}
|
||||
resp, err = b.HandleRequest(context.Background(), roleSecretIDReq)
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
resp = b.requestNoErr(t, roleSecretIDReq)
|
||||
|
||||
secretID = resp.Data["secret_id"]
|
||||
|
||||
loginData["role_id"] = roleID
|
||||
@@ -328,12 +277,8 @@ func generateRenewRequest(s logical.Storage, auth *logical.Auth) *logical.Reques
|
||||
}
|
||||
|
||||
func TestAppRole_RoleResolve(t *testing.T) {
|
||||
var resp *logical.Response
|
||||
var err error
|
||||
b, storage := createBackendWithStorage(t)
|
||||
|
||||
paths := []*framework.Path{pathLogin(b)}
|
||||
|
||||
role := "role1"
|
||||
createRole(t, b, storage, role, "a,b,c")
|
||||
roleRoleIDReq := &logical.Request{
|
||||
@@ -341,10 +286,8 @@ func TestAppRole_RoleResolve(t *testing.T) {
|
||||
Path: "role/role1/role-id",
|
||||
Storage: storage,
|
||||
}
|
||||
resp, err = b.HandleRequest(context.Background(), roleRoleIDReq)
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
resp := b.requestNoErr(t, roleRoleIDReq)
|
||||
|
||||
roleID := resp.Data["role_id"]
|
||||
|
||||
roleSecretIDReq := &logical.Request{
|
||||
@@ -352,10 +295,8 @@ func TestAppRole_RoleResolve(t *testing.T) {
|
||||
Path: "role/role1/secret-id",
|
||||
Storage: storage,
|
||||
}
|
||||
resp, err = b.HandleRequest(context.Background(), roleSecretIDReq)
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
resp = b.requestNoErr(t, roleSecretIDReq)
|
||||
|
||||
secretID := resp.Data["secret_id"]
|
||||
|
||||
loginData := map[string]interface{}{
|
||||
@@ -372,21 +313,11 @@ func TestAppRole_RoleResolve(t *testing.T) {
|
||||
},
|
||||
}
|
||||
|
||||
resp, err = b.HandleRequest(context.Background(), loginReq)
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
resp = b.requestNoErr(t, loginReq)
|
||||
|
||||
if resp.Data["role"] != role {
|
||||
t.Fatalf("Role was not as expected. Expected %s, received %s", role, resp.Data["role"])
|
||||
}
|
||||
|
||||
schema.ValidateResponse(
|
||||
t,
|
||||
schema.FindResponseSchema(t, paths, 0, loginReq.Operation),
|
||||
resp,
|
||||
true,
|
||||
)
|
||||
}
|
||||
|
||||
func TestAppRole_RoleDoesNotExist(t *testing.T) {
|
||||
|
||||
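Review bot: In TestAppRole_RoleLogin, the `schema.ValidateResponse(...)` call removed after the `metadata.alias.role_name` check has no visible replacement that covers the login response. The removed call passed `resp`, while the login response is held in `loginResp` (see `generateRenewRequest(storage, loginResp.Auth)`), and the request that produces it sits in unchanged lines between the hunks that are not shown here. If that login is still sent with `b.HandleRequest`, the successful-login response of this auth path is not checked against its declared response schema. Sending it through the helper, `loginResp := b.requestNoErr(t, loginReq)`, would cover it, assuming `requestNoErr` (defined outside this page) performs the schema validation the other call sites now rely on.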
File diff suppressed because it is too large
@@ -8,18 +8,13 @@ import (
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/hashicorp/vault/sdk/framework"
|
||||
"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
|
||||
"github.com/hashicorp/vault/sdk/logical"
|
||||
)
|
||||
|
||||
func TestAppRole_TidyDanglingAccessors_Normal(t *testing.T) {
|
||||
var resp *logical.Response
|
||||
var err error
|
||||
b, storage := createBackendWithStorage(t)
|
||||
|
||||
paths := []*framework.Path{pathTidySecretID(b)}
|
||||
|
||||
// Create a role
|
||||
createRole(t, b, storage, "role1", "a,b,c")
|
||||
|
||||
@@ -29,10 +24,7 @@ func TestAppRole_TidyDanglingAccessors_Normal(t *testing.T) {
|
||||
Path: "role/role1/secret-id",
|
||||
Storage: storage,
|
||||
}
|
||||
resp, err = b.HandleRequest(context.Background(), roleSecretIDReq)
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
_ = b.requestNoErr(t, roleSecretIDReq)
|
||||
|
||||
accessorHashes, err := storage.List(context.Background(), "accessor/")
|
||||
if err != nil {
|
||||
@@ -85,7 +77,7 @@ func TestAppRole_TidyDanglingAccessors_Normal(t *testing.T) {
|
||||
}
|
||||
schema.ValidateResponse(
|
||||
t,
|
||||
schema.FindResponseSchema(t, paths, 0, logical.UpdateOperation),
|
||||
schema.GetResponseSchema(t, pathTidySecretID(b), logical.UpdateOperation),
|
||||
secret,
|
||||
true,
|
||||
)
|
||||
@@ -103,12 +95,8 @@ func TestAppRole_TidyDanglingAccessors_Normal(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestAppRole_TidyDanglingAccessors_RaceTest(t *testing.T) {
|
||||
var resp *logical.Response
|
||||
var err error
|
||||
b, storage := createBackendWithStorage(t)
|
||||
|
||||
paths := []*framework.Path{pathTidySecretID(b)}
|
||||
|
||||
// Create a role
|
||||
createRole(t, b, storage, "role1", "a,b,c")
|
||||
|
||||
@@ -118,10 +106,8 @@ func TestAppRole_TidyDanglingAccessors_RaceTest(t *testing.T) {
|
||||
Path: "role/role1/secret-id",
|
||||
Storage: storage,
|
||||
}
|
||||
resp, err = b.HandleRequest(context.Background(), roleSecretIDReq)
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
_ = b.requestNoErr(t, roleSecretIDReq)
|
||||
|
||||
count := 1
|
||||
|
||||
wg := &sync.WaitGroup{}
|
||||
@@ -136,7 +122,7 @@ func TestAppRole_TidyDanglingAccessors_RaceTest(t *testing.T) {
|
||||
}
|
||||
schema.ValidateResponse(
|
||||
t,
|
||||
schema.FindResponseSchema(t, paths, 0, logical.UpdateOperation),
|
||||
schema.GetResponseSchema(t, pathTidySecretID(b), logical.UpdateOperation),
|
||||
secret,
|
||||
true,
|
||||
)
|
||||
@@ -149,10 +135,7 @@ func TestAppRole_TidyDanglingAccessors_RaceTest(t *testing.T) {
|
||||
Path: "role/role1/secret-id",
|
||||
Storage: storage,
|
||||
}
|
||||
resp, err := b.HandleRequest(context.Background(), roleSecretIDReq)
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("err:%v resp:%#v", err, resp)
|
||||
}
|
||||
_ = b.requestNoErr(t, roleSecretIDReq)
|
||||
}()
|
||||
|
||||
entry, err := logical.StorageEntryJSON(
|
||||
@@ -193,7 +176,7 @@ func TestAppRole_TidyDanglingAccessors_RaceTest(t *testing.T) {
|
||||
}
|
||||
schema.ValidateResponse(
|
||||
t,
|
||||
schema.FindResponseSchema(t, paths, 0, logical.UpdateOperation),
|
||||
schema.GetResponseSchema(t, pathTidySecretID(b), logical.UpdateOperation),
|
||||
secret,
|
||||
true,
|
||||
)
|
||||
|
||||
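Review bot: In TestAppRole_TidyDanglingAccessors_RaceTest, the `_ = b.requestNoErr(t, roleSecretIDReq)` call inside the closure that ends with `}()` can report a fatal failure from the wrong goroutine. The closure's opening line is outside the hunk and the helper's body is not on this page, but if the closure is started with `go` and the helper fails via `t.Fatalf` as the replaced lines did, that breaks the testing package's rule that FailNow be called only from the goroutine running the test. In that case the failure exits only the worker goroutine and the test body keeps running. Inside the closure it would be safer to keep the direct call and report without stopping, `if err != nil || (resp != nil && resp.IsError()) { t.Errorf("err:%v resp:%#v", err, resp); return }`, or to collect the error and check it after the WaitGroup has been waited on.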