1package approle 2 3import ( 4 "context" 5 "encoding/json" 6 "fmt" 7 "reflect" 8 "strings" 9 "testing" 10 "time" 11 12 "github.com/go-test/deep" 13 "github.com/hashicorp/go-sockaddr" 14 "github.com/hashicorp/vault/sdk/helper/policyutil" 15 "github.com/hashicorp/vault/sdk/helper/tokenutil" 16 "github.com/hashicorp/vault/sdk/logical" 17 "github.com/mitchellh/mapstructure" 18) 19 20func TestAppRole_LocalSecretIDsRead(t *testing.T) { 21 var resp *logical.Response 22 var err error 23 b, storage := createBackendWithStorage(t) 24 25 roleData := map[string]interface{}{ 26 "local_secret_ids": true, 27 "bind_secret_id": true, 28 } 29 30 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 31 Operation: logical.CreateOperation, 32 Path: "role/testrole", 33 Storage: storage, 34 Data: roleData, 35 }) 36 if err != nil || (resp != nil && resp.IsError()) { 37 t.Fatalf("err:%v resp:%#v", err, resp) 38 } 39 40 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 41 Operation: logical.ReadOperation, 42 Storage: storage, 43 Path: "role/testrole/local-secret-ids", 44 }) 45 if err != nil || (resp != nil && resp.IsError()) { 46 t.Fatalf("err:%v resp:%#v", err, resp) 47 } 48 if !resp.Data["local_secret_ids"].(bool) { 49 t.Fatalf("expected local_secret_ids to be returned") 50 } 51} 52 53func TestAppRole_LocalNonLocalSecretIDs(t *testing.T) { 54 var resp *logical.Response 55 var err error 56 57 b, storage := createBackendWithStorage(t) 58 59 // Create a role with local_secret_ids set 60 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 61 Path: "role/testrole1", 62 Operation: logical.CreateOperation, 63 Storage: storage, 64 Data: map[string]interface{}{ 65 "policies": []string{"default", "role1policy"}, 66 "bind_secret_id": true, 67 "local_secret_ids": true, 68 }, 69 }) 70 if err != nil || (resp != nil && resp.IsError()) { 71 t.Fatalf("bad: err: %v\n resp: %#v", err, resp) 72 } 73 74 // Create another role without setting local_secret_ids 75 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 76 Path: "role/testrole2", 77 Operation: logical.CreateOperation, 78 Storage: storage, 79 Data: map[string]interface{}{ 80 "policies": []string{"default", "role1policy"}, 81 "bind_secret_id": true, 82 }, 83 }) 84 if err != nil || (resp != nil && resp.IsError()) { 85 t.Fatalf("bad: err: %v\n resp: %#v", err, resp) 86 } 87 88 count := 10 89 // Create secret IDs on testrole1 90 for i := 0; i < count; i++ { 91 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 92 Path: "role/testrole1/secret-id", 93 Operation: logical.UpdateOperation, 94 Storage: storage, 95 }) 96 if err != nil || (resp != nil && resp.IsError()) { 97 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 98 } 99 } 100 101 // Check the number of secret IDs generated 102 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 103 Path: "role/testrole1/secret-id", 104 Operation: logical.ListOperation, 105 Storage: storage, 106 }) 107 if err != nil || (resp != nil && resp.IsError()) { 108 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 109 } 110 if len(resp.Data["keys"].([]string)) != count { 111 t.Fatalf("failed to list secret IDs") 112 } 113 114 // Create secret IDs on testrole1 115 for i := 0; i < count; i++ { 116 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 117 Path: "role/testrole2/secret-id", 118 Operation: logical.UpdateOperation, 119 Storage: storage, 120 }) 121 if err != nil || (resp != nil && resp.IsError()) { 122 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 123 } 124 } 125 126 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 127 Path: "role/testrole2/secret-id", 128 Operation: logical.ListOperation, 129 Storage: storage, 130 }) 131 if err != nil || (resp != nil && resp.IsError()) { 132 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 133 } 134 if len(resp.Data["keys"].([]string)) != count { 135 t.Fatalf("failed to list secret IDs") 136 } 137} 138 139func TestAppRole_UpgradeSecretIDPrefix(t *testing.T) { 140 var resp *logical.Response 141 var err error 142 143 b, storage := createBackendWithStorage(t) 144 145 // Create a role entry directly in storage without SecretIDPrefix 146 err = b.setRoleEntry(context.Background(), storage, "testrole", &roleStorageEntry{ 147 RoleID: "testroleid", 148 HMACKey: "testhmackey", 149 Policies: []string{"default"}, 150 BindSecretID: true, 151 BoundCIDRListOld: "127.0.0.1/18,192.178.1.2/24", 152 }, "") 153 if err != nil { 154 t.Fatal(err) 155 } 156 157 // Reading the role entry should upgrade it to contain SecretIDPrefix 158 role, err := b.roleEntry(context.Background(), storage, "testrole") 159 if err != nil { 160 t.Fatal(err) 161 } 162 if role.SecretIDPrefix == "" { 163 t.Fatalf("expected SecretIDPrefix to be set") 164 } 165 166 // Ensure that the API response contains local_secret_ids 167 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 168 Path: "role/testrole", 169 Operation: logical.ReadOperation, 170 Storage: storage, 171 }) 172 if err != nil || (resp != nil && resp.IsError()) { 173 t.Fatalf("bad: err: %v\n resp: %#v", err, resp) 174 } 175 _, ok := resp.Data["local_secret_ids"] 176 if !ok { 177 t.Fatalf("expected local_secret_ids to be present in the response") 178 } 179} 180 181func TestAppRole_LocalSecretIDImmutability(t *testing.T) { 182 var resp *logical.Response 183 var err error 184 185 b, storage := createBackendWithStorage(t) 186 187 roleData := map[string]interface{}{ 188 "policies": []string{"default"}, 189 "bind_secret_id": true, 190 "bound_cidr_list": []string{"127.0.0.1/18", "192.178.1.2/24"}, 191 "local_secret_ids": true, 192 } 193 194 // Create a role with local_secret_ids set 195 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 196 Path: "role/testrole", 197 Operation: logical.CreateOperation, 198 Storage: storage, 199 Data: roleData, 200 }) 201 if err != nil || (resp != nil && resp.IsError()) { 202 t.Fatalf("bad: err: %v\nresp: %#v", err, resp) 203 } 204 205 // Attempt to modify local_secret_ids should fail 206 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 207 Path: "role/testrole", 208 Operation: logical.UpdateOperation, 209 Storage: storage, 210 Data: roleData, 211 }) 212 if resp == nil || !resp.IsError() { 213 t.Fatalf("expected an error since local_secret_ids can't be overwritten") 214 } 215} 216 217func TestAppRole_UpgradeBoundCIDRList(t *testing.T) { 218 var resp *logical.Response 219 var err error 220 221 b, storage := createBackendWithStorage(t) 222 223 roleData := map[string]interface{}{ 224 "policies": []string{"default"}, 225 "bind_secret_id": true, 226 "bound_cidr_list": []string{"127.0.0.1/18", "192.178.1.2/24"}, 227 } 228 229 // Create a role with bound_cidr_list set 230 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 231 Path: "role/testrole", 232 Operation: logical.CreateOperation, 233 Storage: storage, 234 Data: roleData, 235 }) 236 if err != nil || (resp != nil && resp.IsError()) { 237 t.Fatalf("bad: err: %v\nresp: %#v", err, resp) 238 } 239 240 // Read the role and check that the bound_cidr_list is set properly 241 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 242 Path: "role/testrole", 243 Operation: logical.ReadOperation, 244 Storage: storage, 245 }) 246 if err != nil || (resp != nil && resp.IsError()) { 247 t.Fatalf("bad: err: %v\nresp: %#v", err, resp) 248 } 249 250 expected := []string{"127.0.0.1/18", "192.178.1.2/24"} 251 actual := resp.Data["secret_id_bound_cidrs"].([]string) 252 253 if !reflect.DeepEqual(expected, actual) { 254 t.Fatalf("bad: secret_id_bound_cidrs; expected: %#v\nactual: %#v\n", expected, actual) 255 } 256 257 // Modify the storage entry of the role to hold the old style string typed bound_cidr_list 258 role := &roleStorageEntry{ 259 RoleID: "testroleid", 260 HMACKey: "testhmackey", 261 Policies: []string{"default"}, 262 BindSecretID: true, 263 BoundCIDRListOld: "127.0.0.1/18,192.178.1.2/24", 264 SecretIDPrefix: secretIDPrefix, 265 } 266 err = b.setRoleEntry(context.Background(), storage, "testrole", role, "") 267 if err != nil { 268 t.Fatal(err) 269 } 270 271 // Read the role. The upgrade code should have migrated the old type to the new type 272 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 273 Path: "role/testrole", 274 Operation: logical.ReadOperation, 275 Storage: storage, 276 }) 277 if err != nil || (resp != nil && resp.IsError()) { 278 t.Fatalf("bad: err: %v\nresp: %#v", err, resp) 279 } 280 if !reflect.DeepEqual(expected, actual) { 281 t.Fatalf("bad: bound_cidr_list; expected: %#v\nactual: %#v\n", expected, actual) 282 } 283 284 // Create a secret-id by supplying a subset of the role's CIDR blocks with the new type 285 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 286 Path: "role/testrole/secret-id", 287 Operation: logical.UpdateOperation, 288 Storage: storage, 289 Data: map[string]interface{}{ 290 "cidr_list": []string{"127.0.0.1/24"}, 291 }, 292 }) 293 if err != nil || (resp != nil && resp.IsError()) { 294 t.Fatalf("bad: err: %v\nresp: %#v", err, resp) 295 } 296 if resp.Data["secret_id"].(string) == "" { 297 t.Fatalf("failed to generate secret-id") 298 } 299 300 // Check that the backwards compatibility for the string type is not broken 301 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 302 Path: "role/testrole/secret-id", 303 Operation: logical.UpdateOperation, 304 Storage: storage, 305 Data: map[string]interface{}{ 306 "cidr_list": "127.0.0.1/24", 307 }, 308 }) 309 if err != nil || (resp != nil && resp.IsError()) { 310 t.Fatalf("bad: err: %v\nresp: %#v", err, resp) 311 } 312 if resp.Data["secret_id"].(string) == "" { 313 t.Fatalf("failed to generate secret-id") 314 } 315} 316 317func TestAppRole_RoleNameLowerCasing(t *testing.T) { 318 var resp *logical.Response 319 var err error 320 var roleID, secretID string 321 322 b, storage := createBackendWithStorage(t) 323 324 // Save a role with out LowerCaseRoleName set 325 role := &roleStorageEntry{ 326 RoleID: "testroleid", 327 HMACKey: "testhmackey", 328 Policies: []string{"default"}, 329 BindSecretID: true, 330 SecretIDPrefix: secretIDPrefix, 331 } 332 err = b.setRoleEntry(context.Background(), storage, "testRoleName", role, "") 333 if err != nil { 334 t.Fatal(err) 335 } 336 337 secretIDReq := &logical.Request{ 338 Path: "role/testRoleName/secret-id", 339 Operation: logical.UpdateOperation, 340 Storage: storage, 341 } 342 resp, err = b.HandleRequest(context.Background(), secretIDReq) 343 if err != nil || (resp != nil && resp.IsError()) { 344 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 345 } 346 secretID = resp.Data["secret_id"].(string) 347 roleID = "testroleid" 348 349 // Regular login flow. This should succeed. 350 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 351 Path: "login", 352 Operation: logical.UpdateOperation, 353 Storage: storage, 354 Data: map[string]interface{}{ 355 "role_id": roleID, 356 "secret_id": secretID, 357 }, 358 }) 359 if err != nil || (resp != nil && resp.IsError()) { 360 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 361 } 362 363 // Lower case the role name when generating the secret id 364 secretIDReq.Path = "role/testrolename/secret-id" 365 resp, err = b.HandleRequest(context.Background(), secretIDReq) 366 if err != nil || (resp != nil && resp.IsError()) { 367 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 368 } 369 secretID = resp.Data["secret_id"].(string) 370 371 // Login should fail 372 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 373 Path: "login", 374 Operation: logical.UpdateOperation, 375 Storage: storage, 376 Data: map[string]interface{}{ 377 "role_id": roleID, 378 "secret_id": secretID, 379 }, 380 }) 381 if err != nil { 382 t.Fatal(err) 383 } 384 if resp == nil || !resp.IsError() { 385 t.Fatalf("expected an error") 386 } 387 388 // Delete the role and create it again. This time don't directly persist 389 // it, but route the request to the creation handler so that it sets the 390 // LowerCaseRoleName to true. 391 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 392 Path: "role/testRoleName", 393 Operation: logical.DeleteOperation, 394 Storage: storage, 395 }) 396 if err != nil || (resp != nil && resp.IsError()) { 397 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 398 } 399 400 roleReq := &logical.Request{ 401 Path: "role/testRoleName", 402 Operation: logical.CreateOperation, 403 Storage: storage, 404 Data: map[string]interface{}{ 405 "bind_secret_id": true, 406 }, 407 } 408 resp, err = b.HandleRequest(context.Background(), roleReq) 409 if err != nil || (resp != nil && resp.IsError()) { 410 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 411 } 412 413 // Create secret id with lower cased role name 414 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 415 Path: "role/testrolename/secret-id", 416 Operation: logical.UpdateOperation, 417 Storage: storage, 418 }) 419 if err != nil || (resp != nil && resp.IsError()) { 420 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 421 } 422 secretID = resp.Data["secret_id"].(string) 423 424 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 425 Path: "role/testrolename/role-id", 426 Operation: logical.ReadOperation, 427 Storage: storage, 428 }) 429 if err != nil || (resp != nil && resp.IsError()) { 430 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 431 } 432 roleID = resp.Data["role_id"].(string) 433 434 // Login should pass 435 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 436 Path: "login", 437 Operation: logical.UpdateOperation, 438 Storage: storage, 439 Data: map[string]interface{}{ 440 "role_id": roleID, 441 "secret_id": secretID, 442 }, 443 }) 444 if err != nil || (resp != nil && resp.IsError()) { 445 t.Fatalf("bad: resp: %#v\nerr:%v", resp, err) 446 } 447 448 // Lookup of secret ID should work in case-insensitive manner 449 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 450 Path: "role/testrolename/secret-id/lookup", 451 Operation: logical.UpdateOperation, 452 Storage: storage, 453 Data: map[string]interface{}{ 454 "secret_id": secretID, 455 }, 456 }) 457 if err != nil || (resp != nil && resp.IsError()) { 458 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 459 } 460 if resp == nil { 461 t.Fatalf("failed to lookup secret IDs") 462 } 463 464 // Listing of secret IDs should work in case-insensitive manner 465 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 466 Path: "role/testrolename/secret-id", 467 Operation: logical.ListOperation, 468 Storage: storage, 469 }) 470 if err != nil || (resp != nil && resp.IsError()) { 471 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 472 } 473 474 if len(resp.Data["keys"].([]string)) != 1 { 475 t.Fatalf("failed to list secret IDs") 476 } 477} 478 479func TestAppRole_RoleReadSetIndex(t *testing.T) { 480 var resp *logical.Response 481 var err error 482 483 b, storage := createBackendWithStorage(t) 484 485 roleReq := &logical.Request{ 486 Path: "role/testrole", 487 Operation: logical.CreateOperation, 488 Storage: storage, 489 Data: map[string]interface{}{ 490 "bind_secret_id": true, 491 }, 492 } 493 494 // Create a role 495 resp, err = b.HandleRequest(context.Background(), roleReq) 496 if err != nil || (resp != nil && resp.IsError()) { 497 t.Fatalf("bad: resp: %#v\n err: %v\n", resp, err) 498 } 499 500 roleIDReq := &logical.Request{ 501 Path: "role/testrole/role-id", 502 Operation: logical.ReadOperation, 503 Storage: storage, 504 } 505 506 // Get the role ID 507 resp, err = b.HandleRequest(context.Background(), roleIDReq) 508 if err != nil || (resp != nil && resp.IsError()) { 509 t.Fatalf("bad: resp: %#v\n err: %v\n", resp, err) 510 } 511 roleID := resp.Data["role_id"].(string) 512 513 // Delete the role ID index 514 err = b.roleIDEntryDelete(context.Background(), storage, roleID) 515 if err != nil { 516 t.Fatal(err) 517 } 518 519 // Read the role again. This should add the index and return a warning 520 roleReq.Operation = logical.ReadOperation 521 resp, err = b.HandleRequest(context.Background(), roleReq) 522 if err != nil || (resp != nil && resp.IsError()) { 523 t.Fatalf("bad: resp: %#v\n err: %v\n", resp, err) 524 } 525 526 // Check if the warning is being returned 527 if !strings.Contains(resp.Warnings[0], "Role identifier was missing an index back to role name.") { 528 t.Fatalf("bad: expected a warning in the response") 529 } 530 531 roleIDIndex, err := b.roleIDEntry(context.Background(), storage, roleID) 532 if err != nil { 533 t.Fatal(err) 534 } 535 536 // Check if the index has been successfully created 537 if roleIDIndex == nil || roleIDIndex.Name != "testrole" { 538 t.Fatalf("bad: expected role to have an index") 539 } 540 541 roleReq.Operation = logical.UpdateOperation 542 roleReq.Data = map[string]interface{}{ 543 "bind_secret_id": true, 544 "policies": "default", 545 } 546 547 // Check if updating and reading of roles work and that there are no lock 548 // contentions dangling due to previous operation 549 resp, err = b.HandleRequest(context.Background(), roleReq) 550 if err != nil || (resp != nil && resp.IsError()) { 551 t.Fatalf("bad: resp: %#v\n err: %v\n", resp, err) 552 } 553 roleReq.Operation = logical.ReadOperation 554 resp, err = b.HandleRequest(context.Background(), roleReq) 555 if err != nil || (resp != nil && resp.IsError()) { 556 t.Fatalf("bad: resp: %#v\n err: %v\n", resp, err) 557 } 558} 559 560func TestAppRole_CIDRSubset(t *testing.T) { 561 var resp *logical.Response 562 var err error 563 564 b, storage := createBackendWithStorage(t) 565 566 roleData := map[string]interface{}{ 567 "role_id": "role-id-123", 568 "policies": "a,b", 569 "bound_cidr_list": "127.0.0.1/24", 570 } 571 572 roleReq := &logical.Request{ 573 Operation: logical.CreateOperation, 574 Path: "role/testrole1", 575 Storage: storage, 576 Data: roleData, 577 } 578 579 resp, err = b.HandleRequest(context.Background(), roleReq) 580 if err != nil || (resp != nil && resp.IsError()) { 581 t.Fatalf("err: %v resp: %#v", err, resp) 582 } 583 584 secretIDData := map[string]interface{}{ 585 "cidr_list": "127.0.0.1/16", 586 } 587 secretIDReq := &logical.Request{ 588 Operation: logical.UpdateOperation, 589 Storage: storage, 590 Path: "role/testrole1/secret-id", 591 Data: secretIDData, 592 } 593 594 resp, err = b.HandleRequest(context.Background(), secretIDReq) 595 if resp != nil || resp.IsError() { 596 t.Fatalf("resp:%#v", resp) 597 } 598 if err == nil { 599 t.Fatal("expected an error") 600 } 601 602 roleData["bound_cidr_list"] = "192.168.27.29/16,172.245.30.40/24,10.20.30.40/30" 603 roleReq.Operation = logical.UpdateOperation 604 resp, err = b.HandleRequest(context.Background(), roleReq) 605 if err != nil || (resp != nil && resp.IsError()) { 606 t.Fatalf("err: %v resp: %#v", err, resp) 607 } 608 609 secretIDData["cidr_list"] = "192.168.27.29/20,172.245.30.40/25,10.20.30.40/32" 610 resp, err = b.HandleRequest(context.Background(), secretIDReq) 611 if err != nil { 612 t.Fatal(err) 613 } 614 if resp != nil && resp.IsError() { 615 t.Fatalf("resp: %#v", resp) 616 } 617} 618 619func TestAppRole_RoleConstraints(t *testing.T) { 620 var resp *logical.Response 621 var err error 622 b, storage := createBackendWithStorage(t) 623 624 roleData := map[string]interface{}{ 625 "role_id": "role-id-123", 626 "policies": "a,b", 627 } 628 629 roleReq := &logical.Request{ 630 Operation: logical.CreateOperation, 631 Path: "role/testrole1", 632 Storage: storage, 633 Data: roleData, 634 } 635 636 // Set bind_secret_id, which is enabled by default 637 resp, err = b.HandleRequest(context.Background(), roleReq) 638 if err != nil || (resp != nil && resp.IsError()) { 639 t.Fatalf("err:%v resp:%#v", err, resp) 640 } 641 642 // Set bound_cidr_list alone by explicitly disabling bind_secret_id 643 roleReq.Operation = logical.UpdateOperation 644 roleData["bind_secret_id"] = false 645 roleData["bound_cidr_list"] = "0.0.0.0/0" 646 resp, err = b.HandleRequest(context.Background(), roleReq) 647 if err != nil || (resp != nil && resp.IsError()) { 648 t.Fatalf("err:%v resp:%#v", err, resp) 649 } 650 651 // Remove both constraints 652 roleReq.Operation = logical.UpdateOperation 653 roleData["bound_cidr_list"] = "" 654 roleData["bind_secret_id"] = false 655 resp, err = b.HandleRequest(context.Background(), roleReq) 656 if resp != nil && resp.IsError() { 657 t.Fatalf("err:%v, resp:%#v", err, resp) 658 } 659 if err == nil { 660 t.Fatalf("expected an error") 661 } 662} 663 664func TestAppRole_RoleIDUpdate(t *testing.T) { 665 var resp *logical.Response 666 var err error 667 b, storage := createBackendWithStorage(t) 668 669 roleData := map[string]interface{}{ 670 "role_id": "role-id-123", 671 "policies": "a,b", 672 "secret_id_num_uses": 10, 673 "secret_id_ttl": 300, 674 "token_ttl": 400, 675 "token_max_ttl": 500, 676 } 677 roleReq := &logical.Request{ 678 Operation: logical.CreateOperation, 679 Path: "role/testrole1", 680 Storage: storage, 681 Data: roleData, 682 } 683 resp, err = b.HandleRequest(context.Background(), roleReq) 684 if err != nil || (resp != nil && resp.IsError()) { 685 t.Fatalf("err:%v resp:%#v", err, resp) 686 } 687 688 roleIDUpdateReq := &logical.Request{ 689 Operation: logical.UpdateOperation, 690 Path: "role/testrole1/role-id", 691 Storage: storage, 692 Data: map[string]interface{}{ 693 "role_id": "customroleid", 694 }, 695 } 696 resp, err = b.HandleRequest(context.Background(), roleIDUpdateReq) 697 if err != nil || (resp != nil && resp.IsError()) { 698 t.Fatalf("err:%v resp:%#v", err, resp) 699 } 700 701 secretIDReq := &logical.Request{ 702 Operation: logical.UpdateOperation, 703 Storage: storage, 704 Path: "role/testrole1/secret-id", 705 } 706 resp, err = b.HandleRequest(context.Background(), secretIDReq) 707 if err != nil || (resp != nil && resp.IsError()) { 708 t.Fatalf("err:%v resp:%#v", err, resp) 709 } 710 secretID := resp.Data["secret_id"].(string) 711 712 loginData := map[string]interface{}{ 713 "role_id": "customroleid", 714 "secret_id": secretID, 715 } 716 loginReq := &logical.Request{ 717 Operation: logical.UpdateOperation, 718 Path: "login", 719 Storage: storage, 720 Data: loginData, 721 Connection: &logical.Connection{ 722 RemoteAddr: "127.0.0.1", 723 }, 724 } 725 resp, err = b.HandleRequest(context.Background(), loginReq) 726 if err != nil || (resp != nil && resp.IsError()) { 727 t.Fatalf("err:%v resp:%#v", err, resp) 728 } 729 730 if resp.Auth == nil { 731 t.Fatalf("expected a non-nil auth object in the response") 732 } 733} 734 735func TestAppRole_RoleIDUniqueness(t *testing.T) { 736 var resp *logical.Response 737 var err error 738 b, storage := createBackendWithStorage(t) 739 740 roleData := map[string]interface{}{ 741 "role_id": "role-id-123", 742 "policies": "a,b", 743 "secret_id_num_uses": 10, 744 "secret_id_ttl": 300, 745 "token_ttl": 400, 746 "token_max_ttl": 500, 747 } 748 roleReq := &logical.Request{ 749 Operation: logical.CreateOperation, 750 Path: "role/testrole1", 751 Storage: storage, 752 Data: roleData, 753 } 754 755 resp, err = b.HandleRequest(context.Background(), roleReq) 756 if err != nil || (resp != nil && resp.IsError()) { 757 t.Fatalf("err:%v resp:%#v", err, resp) 758 } 759 760 roleReq.Path = "role/testrole2" 761 resp, err = b.HandleRequest(context.Background(), roleReq) 762 if err == nil && !(resp != nil && resp.IsError()) { 763 t.Fatalf("expected an error: got resp:%#v", resp) 764 } 765 766 roleData["role_id"] = "role-id-456" 767 resp, err = b.HandleRequest(context.Background(), roleReq) 768 if err != nil || (resp != nil && resp.IsError()) { 769 t.Fatalf("err:%v resp:%#v", err, resp) 770 } 771 772 roleReq.Operation = logical.UpdateOperation 773 roleData["role_id"] = "role-id-123" 774 resp, err = b.HandleRequest(context.Background(), roleReq) 775 if err == nil && !(resp != nil && resp.IsError()) { 776 t.Fatalf("expected an error: got resp:%#v", resp) 777 } 778 779 roleReq.Path = "role/testrole1" 780 roleData["role_id"] = "role-id-456" 781 resp, err = b.HandleRequest(context.Background(), roleReq) 782 if err == nil && !(resp != nil && resp.IsError()) { 783 t.Fatalf("expected an error: got resp:%#v", resp) 784 } 785 786 roleIDData := map[string]interface{}{ 787 "role_id": "role-id-456", 788 } 789 roleIDReq := &logical.Request{ 790 Operation: logical.UpdateOperation, 791 Path: "role/testrole1/role-id", 792 Storage: storage, 793 Data: roleIDData, 794 } 795 resp, err = b.HandleRequest(context.Background(), roleIDReq) 796 if err == nil && !(resp != nil && resp.IsError()) { 797 t.Fatalf("expected an error: got resp:%#v", resp) 798 } 799 800 roleIDData["role_id"] = "role-id-123" 801 roleIDReq.Path = "role/testrole2/role-id" 802 resp, err = b.HandleRequest(context.Background(), roleIDReq) 803 if err == nil && !(resp != nil && resp.IsError()) { 804 t.Fatalf("expected an error: got resp:%#v", resp) 805 } 806 807 roleIDData["role_id"] = "role-id-2000" 808 resp, err = b.HandleRequest(context.Background(), roleIDReq) 809 if err != nil || (resp != nil && resp.IsError()) { 810 t.Fatalf("err:%v resp:%#v", err, resp) 811 } 812 813 roleIDData["role_id"] = "role-id-1000" 814 roleIDReq.Path = "role/testrole1/role-id" 815 resp, err = b.HandleRequest(context.Background(), roleIDReq) 816 if err != nil || (resp != nil && resp.IsError()) { 817 t.Fatalf("err:%v resp:%#v", err, resp) 818 } 819} 820 821func TestAppRole_RoleDeleteSecretID(t *testing.T) { 822 var resp *logical.Response 823 var err error 824 b, storage := createBackendWithStorage(t) 825 826 createRole(t, b, storage, "role1", "a,b") 827 secretIDReq := &logical.Request{ 828 Operation: logical.UpdateOperation, 829 Storage: storage, 830 Path: "role/role1/secret-id", 831 } 832 // Create 3 secrets on the role 833 resp, err = b.HandleRequest(context.Background(), secretIDReq) 834 if err != nil || (resp != nil && resp.IsError()) { 835 t.Fatalf("err:%v resp:%#v", err, resp) 836 } 837 resp, err = b.HandleRequest(context.Background(), secretIDReq) 838 if err != nil || (resp != nil && resp.IsError()) { 839 t.Fatalf("err:%v resp:%#v", err, resp) 840 } 841 resp, err = b.HandleRequest(context.Background(), secretIDReq) 842 if err != nil || (resp != nil && resp.IsError()) { 843 t.Fatalf("err:%v resp:%#v", err, resp) 844 } 845 846 listReq := &logical.Request{ 847 Operation: logical.ListOperation, 848 Storage: storage, 849 Path: "role/role1/secret-id", 850 } 851 resp, err = b.HandleRequest(context.Background(), listReq) 852 if err != nil || (resp != nil && resp.IsError()) { 853 t.Fatalf("err:%v resp:%#v", err, resp) 854 } 855 secretIDAccessors := resp.Data["keys"].([]string) 856 if len(secretIDAccessors) != 3 { 857 t.Fatalf("bad: len of secretIDAccessors: expected:3 actual:%d", len(secretIDAccessors)) 858 } 859 860 roleReq := &logical.Request{ 861 Operation: logical.DeleteOperation, 862 Storage: storage, 863 Path: "role/role1", 864 } 865 resp, err = b.HandleRequest(context.Background(), roleReq) 866 if err != nil || (resp != nil && resp.IsError()) { 867 t.Fatalf("err:%v resp:%#v", err, resp) 868 } 869 resp, err = b.HandleRequest(context.Background(), listReq) 870 if err != nil || resp == nil || (resp != nil && !resp.IsError()) { 871 t.Fatalf("expected an error. err:%v resp:%#v", err, resp) 872 } 873} 874 875func TestAppRole_RoleSecretIDReadDelete(t *testing.T) { 876 var resp *logical.Response 877 var err error 878 b, storage := createBackendWithStorage(t) 879 880 createRole(t, b, storage, "role1", "a,b") 881 secretIDCreateReq := &logical.Request{ 882 Operation: logical.UpdateOperation, 883 Storage: storage, 884 Path: "role/role1/secret-id", 885 } 886 resp, err = b.HandleRequest(context.Background(), secretIDCreateReq) 887 if err != nil || (resp != nil && resp.IsError()) { 888 t.Fatalf("err:%v resp:%#v", err, resp) 889 } 890 891 secretID := resp.Data["secret_id"].(string) 892 if secretID == "" { 893 t.Fatal("expected non empty secret ID") 894 } 895 896 secretIDReq := &logical.Request{ 897 Operation: logical.UpdateOperation, 898 Storage: storage, 899 Path: "role/role1/secret-id/lookup", 900 Data: map[string]interface{}{ 901 "secret_id": secretID, 902 }, 903 } 904 resp, err = b.HandleRequest(context.Background(), secretIDReq) 905 if err != nil || (resp != nil && resp.IsError()) { 906 t.Fatalf("err:%v resp:%#v", err, resp) 907 } 908 if resp.Data == nil { 909 t.Fatal(err) 910 } 911 912 deleteSecretIDReq := &logical.Request{ 913 Operation: logical.DeleteOperation, 914 Storage: storage, 915 Path: "role/role1/secret-id/destroy", 916 Data: map[string]interface{}{ 917 "secret_id": secretID, 918 }, 919 } 920 resp, err = b.HandleRequest(context.Background(), deleteSecretIDReq) 921 if err != nil || (resp != nil && resp.IsError()) { 922 t.Fatalf("err:%v resp:%#v", err, resp) 923 } 924 925 resp, err = b.HandleRequest(context.Background(), secretIDReq) 926 if resp != nil && resp.IsError() { 927 t.Fatalf("error response:%#v", resp) 928 } 929 if err != nil { 930 t.Fatal(err) 931 } 932} 933 934func TestAppRole_RoleSecretIDAccessorReadDelete(t *testing.T) { 935 var resp *logical.Response 936 var err error 937 b, storage := createBackendWithStorage(t) 938 939 createRole(t, b, storage, "role1", "a,b") 940 secretIDReq := &logical.Request{ 941 Operation: logical.UpdateOperation, 942 Storage: storage, 943 Path: "role/role1/secret-id", 944 } 945 resp, err = b.HandleRequest(context.Background(), secretIDReq) 946 if err != nil || (resp != nil && resp.IsError()) { 947 t.Fatalf("err:%v resp:%#v", err, resp) 948 } 949 950 listReq := &logical.Request{ 951 Operation: logical.ListOperation, 952 Storage: storage, 953 Path: "role/role1/secret-id", 954 } 955 resp, err = b.HandleRequest(context.Background(), listReq) 956 if err != nil || (resp != nil && resp.IsError()) { 957 t.Fatalf("err:%v resp:%#v", err, resp) 958 } 959 hmacSecretID := resp.Data["keys"].([]string)[0] 960 961 hmacReq := &logical.Request{ 962 Operation: logical.UpdateOperation, 963 Storage: storage, 964 Path: "role/role1/secret-id-accessor/lookup", 965 Data: map[string]interface{}{ 966 "secret_id_accessor": hmacSecretID, 967 }, 968 } 969 resp, err = b.HandleRequest(context.Background(), hmacReq) 970 if err != nil || (resp != nil && resp.IsError()) { 971 t.Fatalf("err:%v resp:%#v", err, resp) 972 } 973 if resp.Data == nil { 974 t.Fatal(err) 975 } 976 977 hmacReq.Path = "role/role1/secret-id-accessor/destroy" 978 resp, err = b.HandleRequest(context.Background(), hmacReq) 979 if err != nil || (resp != nil && resp.IsError()) { 980 t.Fatalf("err:%v resp:%#v", err, resp) 981 } 982 983 hmacReq.Operation = logical.ReadOperation 984 resp, err = b.HandleRequest(context.Background(), hmacReq) 985 if resp != nil && resp.IsError() { 986 t.Fatalf("err:%v resp:%#v", err, resp) 987 } 988 if err == nil { 989 t.Fatalf("expected an error") 990 } 991} 992 993func TestAppRoleRoleListSecretID(t *testing.T) { 994 var resp *logical.Response 995 var err error 996 b, storage := createBackendWithStorage(t) 997 998 createRole(t, b, storage, "role1", "a,b") 999 1000 secretIDReq := &logical.Request{ 1001 Operation: logical.UpdateOperation, 1002 Storage: storage, 1003 Path: "role/role1/secret-id", 1004 } 1005 // Create 5 'secret_id's 1006 resp, err = b.HandleRequest(context.Background(), secretIDReq) 1007 if err != nil || (resp != nil && resp.IsError()) { 1008 t.Fatalf("err:%v resp:%#v", err, resp) 1009 } 1010 resp, err = b.HandleRequest(context.Background(), secretIDReq) 1011 if err != nil || (resp != nil && resp.IsError()) { 1012 t.Fatalf("err:%v resp:%#v", err, resp) 1013 } 1014 resp, err = b.HandleRequest(context.Background(), secretIDReq) 1015 if err != nil || (resp != nil && resp.IsError()) { 1016 t.Fatalf("err:%v resp:%#v", err, resp) 1017 } 1018 resp, err = b.HandleRequest(context.Background(), secretIDReq) 1019 if err != nil || (resp != nil && resp.IsError()) { 1020 t.Fatalf("err:%v resp:%#v", err, resp) 1021 } 1022 resp, err = b.HandleRequest(context.Background(), secretIDReq) 1023 if err != nil || (resp != nil && resp.IsError()) { 1024 t.Fatalf("err:%v resp:%#v", err, resp) 1025 } 1026 1027 listReq := &logical.Request{ 1028 Operation: logical.ListOperation, 1029 Storage: storage, 1030 Path: "role/role1/secret-id/", 1031 } 1032 resp, err = b.HandleRequest(context.Background(), listReq) 1033 if err != nil || (resp != nil && resp.IsError()) { 1034 t.Fatalf("err:%v resp:%#v", err, resp) 1035 } 1036 secrets := resp.Data["keys"].([]string) 1037 if len(secrets) != 5 { 1038 t.Fatalf("bad: len of secrets: expected:5 actual:%d", len(secrets)) 1039 } 1040} 1041 1042func TestAppRole_RoleList(t *testing.T) { 1043 var resp *logical.Response 1044 var err error 1045 b, storage := createBackendWithStorage(t) 1046 1047 createRole(t, b, storage, "role1", "a,b") 1048 createRole(t, b, storage, "role2", "c,d") 1049 createRole(t, b, storage, "role3", "e,f") 1050 createRole(t, b, storage, "role4", "g,h") 1051 createRole(t, b, storage, "role5", "i,j") 1052 1053 listReq := &logical.Request{ 1054 Operation: logical.ListOperation, 1055 Path: "role", 1056 Storage: storage, 1057 } 1058 resp, err = b.HandleRequest(context.Background(), listReq) 1059 if err != nil || (resp != nil && resp.IsError()) { 1060 t.Fatalf("err:%v resp:%#v", err, resp) 1061 } 1062 1063 actual := resp.Data["keys"].([]string) 1064 expected := []string{"role1", "role2", "role3", "role4", "role5"} 1065 if !policyutil.EquivalentPolicies(actual, expected) { 1066 t.Fatalf("bad: listed roles: expected:%s\nactual:%s", expected, actual) 1067 } 1068} 1069 1070func TestAppRole_RoleSecretID(t *testing.T) { 1071 var resp *logical.Response 1072 var err error 1073 b, storage := createBackendWithStorage(t) 1074 1075 roleData := map[string]interface{}{ 1076 "policies": "p,q,r,s", 1077 "secret_id_num_uses": 10, 1078 "secret_id_ttl": 300, 1079 "token_ttl": 400, 1080 "token_max_ttl": 500, 1081 } 1082 roleReq := &logical.Request{ 1083 Operation: logical.CreateOperation, 1084 Path: "role/role1", 1085 Storage: storage, 1086 Data: roleData, 1087 } 1088 1089 resp, err = b.HandleRequest(context.Background(), roleReq) 1090 if err != nil || (resp != nil && resp.IsError()) { 1091 t.Fatalf("err:%v resp:%#v", err, resp) 1092 } 1093 1094 roleSecretIDReq := &logical.Request{ 1095 Operation: logical.UpdateOperation, 1096 Path: "role/role1/secret-id", 1097 Storage: storage, 1098 } 1099 resp, err = b.HandleRequest(context.Background(), roleSecretIDReq) 1100 if err != nil || (resp != nil && resp.IsError()) { 1101 t.Fatalf("err:%v resp:%#v", err, resp) 1102 } 1103 1104 if resp.Data["secret_id"].(string) == "" { 1105 t.Fatalf("failed to generate secret_id") 1106 } 1107 1108 roleSecretIDReq.Path = "role/role1/custom-secret-id" 1109 roleCustomSecretIDData := map[string]interface{}{ 1110 "secret_id": "abcd123", 1111 } 1112 roleSecretIDReq.Data = roleCustomSecretIDData 1113 roleSecretIDReq.Operation = logical.UpdateOperation 1114 resp, err = b.HandleRequest(context.Background(), roleSecretIDReq) 1115 if err != nil || (resp != nil && resp.IsError()) { 1116 t.Fatalf("err:%v resp:%#v", err, resp) 1117 } 1118 1119 if resp.Data["secret_id"] != "abcd123" { 1120 t.Fatalf("failed to set specific secret_id to role") 1121 } 1122} 1123 1124func TestAppRole_RoleCRUD(t *testing.T) { 1125 var resp *logical.Response 1126 var err error 1127 b, storage := createBackendWithStorage(t) 1128 1129 roleData := map[string]interface{}{ 1130 "policies": "p,q,r,s", 1131 "secret_id_num_uses": 10, 1132 "secret_id_ttl": 300, 1133 "token_ttl": 400, 1134 "token_max_ttl": 500, 1135 "token_num_uses": 600, 1136 "secret_id_bound_cidrs": "127.0.0.1/32,127.0.0.1/16", 1137 } 1138 roleReq := &logical.Request{ 1139 Operation: logical.CreateOperation, 1140 Path: "role/role1", 1141 Storage: storage, 1142 Data: roleData, 1143 } 1144 1145 resp, err = b.HandleRequest(context.Background(), roleReq) 1146 if err != nil || (resp != nil && resp.IsError()) { 1147 t.Fatalf("err:%v resp:%#v", err, resp) 1148 } 1149 1150 roleReq.Operation = logical.ReadOperation 1151 resp, err = b.HandleRequest(context.Background(), roleReq) 1152 if err != nil || (resp != nil && resp.IsError()) { 1153 t.Fatalf("err:%v resp:%#v", err, resp) 1154 } 1155 1156 expected := map[string]interface{}{ 1157 "bind_secret_id": true, 1158 "policies": []string{"p", "q", "r", "s"}, 1159 "secret_id_num_uses": 10, 1160 "secret_id_ttl": 300, 1161 "token_ttl": 400, 1162 "token_max_ttl": 500, 1163 "token_num_uses": 600, 1164 "secret_id_bound_cidrs": []string{"127.0.0.1/32", "127.0.0.1/16"}, 1165 "token_bound_cidrs": []string{}, 1166 "token_type": "default", 1167 } 1168 1169 var expectedStruct roleStorageEntry 1170 err = mapstructure.Decode(expected, &expectedStruct) 1171 if err != nil { 1172 t.Fatal(err) 1173 } 1174 1175 var actualStruct roleStorageEntry 1176 err = mapstructure.Decode(resp.Data, &actualStruct) 1177 if err != nil { 1178 t.Fatal(err) 1179 } 1180 1181 expectedStruct.RoleID = actualStruct.RoleID 1182 if diff := deep.Equal(expectedStruct, actualStruct); diff != nil { 1183 t.Fatal(diff) 1184 } 1185 1186 roleData = map[string]interface{}{ 1187 "role_id": "test_role_id", 1188 "policies": "a,b,c,d", 1189 "secret_id_num_uses": 100, 1190 "secret_id_ttl": 3000, 1191 "token_ttl": 4000, 1192 "token_max_ttl": 5000, 1193 } 1194 roleReq.Data = roleData 1195 roleReq.Operation = logical.UpdateOperation 1196 1197 resp, err = b.HandleRequest(context.Background(), roleReq) 1198 if err != nil || (resp != nil && resp.IsError()) { 1199 t.Fatalf("err:%v resp:%#v", err, resp) 1200 } 1201 1202 roleReq.Operation = logical.ReadOperation 1203 resp, err = b.HandleRequest(context.Background(), roleReq) 1204 if err != nil || (resp != nil && resp.IsError()) { 1205 t.Fatalf("err:%v resp:%#v", err, resp) 1206 } 1207 1208 expected = map[string]interface{}{ 1209 "policies": []string{"a", "b", "c", "d"}, 1210 "secret_id_num_uses": 100, 1211 "secret_id_ttl": 3000, 1212 "token_ttl": 4000, 1213 "token_max_ttl": 5000, 1214 } 1215 err = mapstructure.Decode(expected, &expectedStruct) 1216 if err != nil { 1217 t.Fatal(err) 1218 } 1219 1220 err = mapstructure.Decode(resp.Data, &actualStruct) 1221 if err != nil { 1222 t.Fatal(err) 1223 } 1224 1225 if !reflect.DeepEqual(expectedStruct, actualStruct) { 1226 t.Fatalf("bad:\nexpected:%#v\nactual:%#v\n", expectedStruct, actualStruct) 1227 } 1228 1229 // RU for role_id field 1230 roleReq.Path = "role/role1/role-id" 1231 roleReq.Operation = logical.ReadOperation 1232 resp, err = b.HandleRequest(context.Background(), roleReq) 1233 if err != nil || (resp != nil && resp.IsError()) { 1234 t.Fatalf("err:%v resp:%#v", err, resp) 1235 } 1236 if resp.Data["role_id"].(string) != "test_role_id" { 1237 t.Fatalf("bad: role_id: expected:test_role_id actual:%s\n", resp.Data["role_id"].(string)) 1238 } 1239 1240 roleReq.Data = map[string]interface{}{"role_id": "custom_role_id"} 1241 roleReq.Operation = logical.UpdateOperation 1242 resp, err = b.HandleRequest(context.Background(), roleReq) 1243 if err != nil || (resp != nil && resp.IsError()) { 1244 t.Fatalf("err:%v resp:%#v", err, resp) 1245 } 1246 1247 roleReq.Operation = logical.ReadOperation 1248 resp, err = b.HandleRequest(context.Background(), roleReq) 1249 if err != nil || (resp != nil && resp.IsError()) { 1250 t.Fatalf("err:%v resp:%#v", err, resp) 1251 } 1252 if resp.Data["role_id"].(string) != "custom_role_id" { 1253 t.Fatalf("bad: role_id: expected:custom_role_id actual:%s\n", resp.Data["role_id"].(string)) 1254 } 1255 1256 // RUD for bind_secret_id field 1257 roleReq.Path = "role/role1/bind-secret-id" 1258 roleReq.Operation = logical.ReadOperation 1259 resp, err = b.HandleRequest(context.Background(), roleReq) 1260 if err != nil || (resp != nil && resp.IsError()) { 1261 t.Fatalf("err:%v resp:%#v", err, resp) 1262 } 1263 1264 roleReq.Data = map[string]interface{}{"bind_secret_id": false} 1265 roleReq.Operation = logical.UpdateOperation 1266 resp, err = b.HandleRequest(context.Background(), roleReq) 1267 if err != nil || (resp != nil && resp.IsError()) { 1268 t.Fatalf("err:%v resp:%#v", err, resp) 1269 } 1270 1271 roleReq.Operation = logical.ReadOperation 1272 resp, err = b.HandleRequest(context.Background(), roleReq) 1273 if err != nil || (resp != nil && resp.IsError()) { 1274 t.Fatalf("err:%v resp:%#v", err, resp) 1275 } 1276 1277 if resp.Data["bind_secret_id"].(bool) { 1278 t.Fatalf("bad: bind_secret_id: expected:false actual:%t\n", resp.Data["bind_secret_id"].(bool)) 1279 } 1280 roleReq.Operation = logical.DeleteOperation 1281 resp, err = b.HandleRequest(context.Background(), roleReq) 1282 if err != nil || (resp != nil && resp.IsError()) { 1283 t.Fatalf("err:%v resp:%#v", err, resp) 1284 } 1285 1286 roleReq.Operation = logical.ReadOperation 1287 resp, err = b.HandleRequest(context.Background(), roleReq) 1288 if err != nil || (resp != nil && resp.IsError()) { 1289 t.Fatalf("err:%v resp:%#v", err, resp) 1290 } 1291 1292 if !resp.Data["bind_secret_id"].(bool) { 1293 t.Fatalf("expected the default value of 'true' to be set") 1294 } 1295 1296 // RUD for policies field 1297 roleReq.Path = "role/role1/policies" 1298 roleReq.Operation = logical.ReadOperation 1299 resp, err = b.HandleRequest(context.Background(), roleReq) 1300 if err != nil || (resp != nil && resp.IsError()) { 1301 t.Fatalf("err:%v resp:%#v", err, resp) 1302 } 1303 1304 roleReq.Data = map[string]interface{}{"policies": "a1,b1,c1,d1"} 1305 roleReq.Operation = logical.UpdateOperation 1306 resp, err = b.HandleRequest(context.Background(), roleReq) 1307 if err != nil || (resp != nil && resp.IsError()) { 1308 t.Fatalf("err:%v resp:%#v", err, resp) 1309 } 1310 1311 roleReq.Operation = logical.ReadOperation 1312 resp, err = b.HandleRequest(context.Background(), roleReq) 1313 if err != nil || (resp != nil && resp.IsError()) { 1314 t.Fatalf("err:%v resp:%#v", err, resp) 1315 } 1316 1317 if !reflect.DeepEqual(resp.Data["policies"].([]string), []string{"a1", "b1", "c1", "d1"}) { 1318 t.Fatalf("bad: policies: actual:%s\n", resp.Data["policies"].([]string)) 1319 } 1320 if !reflect.DeepEqual(resp.Data["token_policies"].([]string), []string{"a1", "b1", "c1", "d1"}) { 1321 t.Fatalf("bad: policies: actual:%s\n", resp.Data["policies"].([]string)) 1322 } 1323 roleReq.Operation = logical.DeleteOperation 1324 resp, err = b.HandleRequest(context.Background(), roleReq) 1325 if err != nil || (resp != nil && resp.IsError()) { 1326 t.Fatalf("err:%v resp:%#v", err, resp) 1327 } 1328 1329 roleReq.Operation = logical.ReadOperation 1330 resp, err = b.HandleRequest(context.Background(), roleReq) 1331 if err != nil || (resp != nil && resp.IsError()) { 1332 t.Fatalf("err:%v resp:%#v", err, resp) 1333 } 1334 1335 expectedPolicies := []string{} 1336 actualPolicies := resp.Data["token_policies"].([]string) 1337 if !policyutil.EquivalentPolicies(expectedPolicies, actualPolicies) { 1338 t.Fatalf("bad: token_policies: expected:%s actual:%s", expectedPolicies, actualPolicies) 1339 } 1340 1341 // RUD for secret-id-num-uses field 1342 roleReq.Path = "role/role1/secret-id-num-uses" 1343 roleReq.Operation = logical.ReadOperation 1344 resp, err = b.HandleRequest(context.Background(), roleReq) 1345 if err != nil || (resp != nil && resp.IsError()) { 1346 t.Fatalf("err:%v resp:%#v", err, resp) 1347 } 1348 1349 roleReq.Data = map[string]interface{}{"secret_id_num_uses": 200} 1350 roleReq.Operation = logical.UpdateOperation 1351 resp, err = b.HandleRequest(context.Background(), roleReq) 1352 if err != nil || (resp != nil && resp.IsError()) { 1353 t.Fatalf("err:%v resp:%#v", err, resp) 1354 } 1355 1356 roleReq.Operation = logical.ReadOperation 1357 resp, err = b.HandleRequest(context.Background(), roleReq) 1358 if err != nil || (resp != nil && resp.IsError()) { 1359 t.Fatalf("err:%v resp:%#v", err, resp) 1360 } 1361 1362 if resp.Data["secret_id_num_uses"].(int) != 200 { 1363 t.Fatalf("bad: secret_id_num_uses: expected:200 actual:%d\n", resp.Data["secret_id_num_uses"].(int)) 1364 } 1365 roleReq.Operation = logical.DeleteOperation 1366 resp, err = b.HandleRequest(context.Background(), roleReq) 1367 if err != nil || (resp != nil && resp.IsError()) { 1368 t.Fatalf("err:%v resp:%#v", err, resp) 1369 } 1370 1371 roleReq.Operation = logical.ReadOperation 1372 resp, err = b.HandleRequest(context.Background(), roleReq) 1373 if err != nil || (resp != nil && resp.IsError()) { 1374 t.Fatalf("err:%v resp:%#v", err, resp) 1375 } 1376 1377 if resp.Data["secret_id_num_uses"].(int) != 0 { 1378 t.Fatalf("expected value to be reset") 1379 } 1380 1381 // RUD for secret_id_ttl field 1382 roleReq.Path = "role/role1/secret-id-ttl" 1383 roleReq.Operation = logical.ReadOperation 1384 resp, err = b.HandleRequest(context.Background(), roleReq) 1385 if err != nil || (resp != nil && resp.IsError()) { 1386 t.Fatalf("err:%v resp:%#v", err, resp) 1387 } 1388 1389 roleReq.Data = map[string]interface{}{"secret_id_ttl": 3001} 1390 roleReq.Operation = logical.UpdateOperation 1391 resp, err = b.HandleRequest(context.Background(), roleReq) 1392 if err != nil || (resp != nil && resp.IsError()) { 1393 t.Fatalf("err:%v resp:%#v", err, resp) 1394 } 1395 1396 roleReq.Operation = logical.ReadOperation 1397 resp, err = b.HandleRequest(context.Background(), roleReq) 1398 if err != nil || (resp != nil && resp.IsError()) { 1399 t.Fatalf("err:%v resp:%#v", err, resp) 1400 } 1401 1402 if resp.Data["secret_id_ttl"].(time.Duration) != 3001 { 1403 t.Fatalf("bad: secret_id_ttl: expected:3001 actual:%d\n", resp.Data["secret_id_ttl"].(time.Duration)) 1404 } 1405 roleReq.Operation = logical.DeleteOperation 1406 resp, err = b.HandleRequest(context.Background(), roleReq) 1407 if err != nil || (resp != nil && resp.IsError()) { 1408 t.Fatalf("err:%v resp:%#v", err, resp) 1409 } 1410 1411 roleReq.Operation = logical.ReadOperation 1412 resp, err = b.HandleRequest(context.Background(), roleReq) 1413 if err != nil || (resp != nil && resp.IsError()) { 1414 t.Fatalf("err:%v resp:%#v", err, resp) 1415 } 1416 1417 if resp.Data["secret_id_ttl"].(time.Duration) != 0 { 1418 t.Fatalf("expected value to be reset") 1419 } 1420 1421 // RUD for secret-id-num-uses field 1422 roleReq.Path = "role/role1/token-num-uses" 1423 roleReq.Operation = logical.ReadOperation 1424 resp, err = b.HandleRequest(context.Background(), roleReq) 1425 if err != nil || (resp != nil && resp.IsError()) { 1426 t.Fatalf("err:%v resp:%#v", err, resp) 1427 } 1428 if resp.Data["token_num_uses"].(int) != 600 { 1429 t.Fatalf("bad: token_num_uses: expected:600 actual:%d\n", resp.Data["token_num_uses"].(int)) 1430 } 1431 1432 roleReq.Data = map[string]interface{}{"token_num_uses": 60} 1433 roleReq.Operation = logical.UpdateOperation 1434 resp, err = b.HandleRequest(context.Background(), roleReq) 1435 if err != nil || (resp != nil && resp.IsError()) { 1436 t.Fatalf("err:%v resp:%#v", err, resp) 1437 } 1438 1439 roleReq.Operation = logical.ReadOperation 1440 resp, err = b.HandleRequest(context.Background(), roleReq) 1441 if err != nil || (resp != nil && resp.IsError()) { 1442 t.Fatalf("err:%v resp:%#v", err, resp) 1443 } 1444 1445 if resp.Data["token_num_uses"].(int) != 60 { 1446 t.Fatalf("bad: token_num_uses: expected:60 actual:%d\n", resp.Data["token_num_uses"].(int)) 1447 } 1448 1449 roleReq.Operation = logical.DeleteOperation 1450 resp, err = b.HandleRequest(context.Background(), roleReq) 1451 if err != nil || (resp != nil && resp.IsError()) { 1452 t.Fatalf("err:%v resp:%#v", err, resp) 1453 } 1454 1455 roleReq.Operation = logical.ReadOperation 1456 resp, err = b.HandleRequest(context.Background(), roleReq) 1457 if err != nil || (resp != nil && resp.IsError()) { 1458 t.Fatalf("err:%v resp:%#v", err, resp) 1459 } 1460 1461 if resp.Data["token_num_uses"].(int) != 0 { 1462 t.Fatalf("expected value to be reset") 1463 } 1464 1465 // RUD for 'period' field 1466 roleReq.Path = "role/role1/period" 1467 roleReq.Operation = logical.ReadOperation 1468 resp, err = b.HandleRequest(context.Background(), roleReq) 1469 if err != nil || (resp != nil && resp.IsError()) { 1470 t.Fatalf("err:%v resp:%#v", err, resp) 1471 } 1472 1473 roleReq.Data = map[string]interface{}{"period": 9001} 1474 roleReq.Operation = logical.UpdateOperation 1475 resp, err = b.HandleRequest(context.Background(), roleReq) 1476 if err != nil || (resp != nil && resp.IsError()) { 1477 t.Fatalf("err:%v resp:%#v", err, resp) 1478 } 1479 1480 roleReq.Operation = logical.ReadOperation 1481 resp, err = b.HandleRequest(context.Background(), roleReq) 1482 if err != nil || (resp != nil && resp.IsError()) { 1483 t.Fatalf("err:%v resp:%#v", err, resp) 1484 } 1485 1486 if resp.Data["period"].(time.Duration) != 9001 { 1487 t.Fatalf("bad: period: expected:9001 actual:%d\n", resp.Data["9001"].(time.Duration)) 1488 } 1489 roleReq.Operation = logical.DeleteOperation 1490 resp, err = b.HandleRequest(context.Background(), roleReq) 1491 if err != nil || (resp != nil && resp.IsError()) { 1492 t.Fatalf("err:%v resp:%#v", err, resp) 1493 } 1494 1495 roleReq.Operation = logical.ReadOperation 1496 resp, err = b.HandleRequest(context.Background(), roleReq) 1497 if err != nil || (resp != nil && resp.IsError()) { 1498 t.Fatalf("err:%v resp:%#v", err, resp) 1499 } 1500 1501 if resp.Data["token_period"].(time.Duration) != 0 { 1502 t.Fatalf("expected value to be reset") 1503 } 1504 1505 // RUD for token_ttl field 1506 roleReq.Path = "role/role1/token-ttl" 1507 roleReq.Operation = logical.ReadOperation 1508 resp, err = b.HandleRequest(context.Background(), roleReq) 1509 if err != nil || (resp != nil && resp.IsError()) { 1510 t.Fatalf("err:%v resp:%#v", err, resp) 1511 } 1512 1513 roleReq.Data = map[string]interface{}{"token_ttl": 4001} 1514 roleReq.Operation = logical.UpdateOperation 1515 resp, err = b.HandleRequest(context.Background(), roleReq) 1516 if err != nil || (resp != nil && resp.IsError()) { 1517 t.Fatalf("err:%v resp:%#v", err, resp) 1518 } 1519 1520 roleReq.Operation = logical.ReadOperation 1521 resp, err = b.HandleRequest(context.Background(), roleReq) 1522 if err != nil || (resp != nil && resp.IsError()) { 1523 t.Fatalf("err:%v resp:%#v", err, resp) 1524 } 1525 1526 if resp.Data["token_ttl"].(time.Duration) != 4001 { 1527 t.Fatalf("bad: token_ttl: expected:4001 actual:%d\n", resp.Data["token_ttl"].(time.Duration)) 1528 } 1529 roleReq.Operation = logical.DeleteOperation 1530 resp, err = b.HandleRequest(context.Background(), roleReq) 1531 if err != nil || (resp != nil && resp.IsError()) { 1532 t.Fatalf("err:%v resp:%#v", err, resp) 1533 } 1534 1535 roleReq.Operation = logical.ReadOperation 1536 resp, err = b.HandleRequest(context.Background(), roleReq) 1537 if err != nil || (resp != nil && resp.IsError()) { 1538 t.Fatalf("err:%v resp:%#v", err, resp) 1539 } 1540 1541 if resp.Data["token_ttl"].(time.Duration) != 0 { 1542 t.Fatalf("expected value to be reset") 1543 } 1544 1545 // RUD for token_max_ttl field 1546 roleReq.Path = "role/role1/token-max-ttl" 1547 roleReq.Operation = logical.ReadOperation 1548 resp, err = b.HandleRequest(context.Background(), roleReq) 1549 if err != nil || (resp != nil && resp.IsError()) { 1550 t.Fatalf("err:%v resp:%#v", err, resp) 1551 } 1552 1553 roleReq.Data = map[string]interface{}{"token_max_ttl": 5001} 1554 roleReq.Operation = logical.UpdateOperation 1555 resp, err = b.HandleRequest(context.Background(), roleReq) 1556 if err != nil || (resp != nil && resp.IsError()) { 1557 t.Fatalf("err:%v resp:%#v", err, resp) 1558 } 1559 1560 roleReq.Operation = logical.ReadOperation 1561 resp, err = b.HandleRequest(context.Background(), roleReq) 1562 if err != nil || (resp != nil && resp.IsError()) { 1563 t.Fatalf("err:%v resp:%#v", err, resp) 1564 } 1565 1566 if resp.Data["token_max_ttl"].(time.Duration) != 5001 { 1567 t.Fatalf("bad: token_max_ttl: expected:5001 actual:%d\n", resp.Data["token_max_ttl"].(time.Duration)) 1568 } 1569 roleReq.Operation = logical.DeleteOperation 1570 resp, err = b.HandleRequest(context.Background(), roleReq) 1571 if err != nil || (resp != nil && resp.IsError()) { 1572 t.Fatalf("err:%v resp:%#v", err, resp) 1573 } 1574 1575 roleReq.Operation = logical.ReadOperation 1576 resp, err = b.HandleRequest(context.Background(), roleReq) 1577 if err != nil || (resp != nil && resp.IsError()) { 1578 t.Fatalf("err:%v resp:%#v", err, resp) 1579 } 1580 1581 if resp.Data["token_max_ttl"].(time.Duration) != 0 { 1582 t.Fatalf("expected value to be reset") 1583 } 1584 1585 // Delete test for role 1586 roleReq.Path = "role/role1" 1587 roleReq.Operation = logical.DeleteOperation 1588 resp, err = b.HandleRequest(context.Background(), roleReq) 1589 if err != nil || (resp != nil && resp.IsError()) { 1590 t.Fatalf("err:%v resp:%#v", err, resp) 1591 } 1592 1593 roleReq.Operation = logical.ReadOperation 1594 resp, err = b.HandleRequest(context.Background(), roleReq) 1595 if err != nil || (resp != nil && resp.IsError()) { 1596 t.Fatalf("err:%v resp:%#v", err, resp) 1597 } 1598 1599 if resp != nil { 1600 t.Fatalf("expected a nil response") 1601 } 1602} 1603 1604func TestAppRole_RoleWithTokenBoundCIDRsCRUD(t *testing.T) { 1605 var resp *logical.Response 1606 var err error 1607 b, storage := createBackendWithStorage(t) 1608 1609 roleData := map[string]interface{}{ 1610 "policies": "p,q,r,s", 1611 "secret_id_num_uses": 10, 1612 "secret_id_ttl": 300, 1613 "token_ttl": 400, 1614 "token_max_ttl": 500, 1615 "token_num_uses": 600, 1616 "secret_id_bound_cidrs": "127.0.0.1/32,127.0.0.1/16", 1617 "token_bound_cidrs": "127.0.0.1/32,127.0.0.1/16", 1618 } 1619 roleReq := &logical.Request{ 1620 Operation: logical.CreateOperation, 1621 Path: "role/role1", 1622 Storage: storage, 1623 Data: roleData, 1624 } 1625 1626 resp, err = b.HandleRequest(context.Background(), roleReq) 1627 if err != nil || (resp != nil && resp.IsError()) { 1628 t.Fatalf("err:%v resp:%#v", err, resp) 1629 } 1630 1631 roleReq.Operation = logical.ReadOperation 1632 resp, err = b.HandleRequest(context.Background(), roleReq) 1633 if err != nil || (resp != nil && resp.IsError()) { 1634 t.Fatalf("err:%v resp:%#v", err, resp) 1635 } 1636 1637 expected := map[string]interface{}{ 1638 "bind_secret_id": true, 1639 "policies": []string{"p", "q", "r", "s"}, 1640 "secret_id_num_uses": 10, 1641 "secret_id_ttl": 300, 1642 "token_ttl": 400, 1643 "token_max_ttl": 500, 1644 "token_num_uses": 600, 1645 "token_bound_cidrs": []string{"127.0.0.1/32", "127.0.0.1/16"}, 1646 "secret_id_bound_cidrs": []string{"127.0.0.1/32", "127.0.0.1/16"}, 1647 "token_type": "default", 1648 } 1649 1650 var expectedStruct roleStorageEntry 1651 err = mapstructure.Decode(expected, &expectedStruct) 1652 if err != nil { 1653 t.Fatal(err) 1654 } 1655 1656 var actualStruct roleStorageEntry 1657 err = mapstructure.Decode(resp.Data, &actualStruct) 1658 if err != nil { 1659 t.Fatal(err) 1660 } 1661 1662 expectedStruct.RoleID = actualStruct.RoleID 1663 if !reflect.DeepEqual(expectedStruct, actualStruct) { 1664 t.Fatalf("bad:\nexpected:%#v\nactual:%#v\n", expectedStruct, actualStruct) 1665 } 1666 1667 roleData = map[string]interface{}{ 1668 "role_id": "test_role_id", 1669 "policies": "a,b,c,d", 1670 "secret_id_num_uses": 100, 1671 "secret_id_ttl": 3000, 1672 "token_ttl": 4000, 1673 "token_max_ttl": 5000, 1674 } 1675 roleReq.Data = roleData 1676 roleReq.Operation = logical.UpdateOperation 1677 1678 resp, err = b.HandleRequest(context.Background(), roleReq) 1679 if err != nil || (resp != nil && resp.IsError()) { 1680 t.Fatalf("err:%v resp:%#v", err, resp) 1681 } 1682 1683 roleReq.Operation = logical.ReadOperation 1684 resp, err = b.HandleRequest(context.Background(), roleReq) 1685 if err != nil || (resp != nil && resp.IsError()) { 1686 t.Fatalf("err:%v resp:%#v", err, resp) 1687 } 1688 1689 expected = map[string]interface{}{ 1690 "policies": []string{"a", "b", "c", "d"}, 1691 "secret_id_num_uses": 100, 1692 "secret_id_ttl": 3000, 1693 "token_ttl": 4000, 1694 "token_max_ttl": 5000, 1695 } 1696 err = mapstructure.Decode(expected, &expectedStruct) 1697 if err != nil { 1698 t.Fatal(err) 1699 } 1700 1701 err = mapstructure.Decode(resp.Data, &actualStruct) 1702 if err != nil { 1703 t.Fatal(err) 1704 } 1705 1706 if !reflect.DeepEqual(expectedStruct, actualStruct) { 1707 t.Fatalf("bad:\nexpected:%#v\nactual:%#v\n", expectedStruct, actualStruct) 1708 } 1709 1710 // RUD for secret-id-bound-cidrs field 1711 roleReq.Path = "role/role1/secret-id-bound-cidrs" 1712 roleReq.Operation = logical.ReadOperation 1713 resp, err = b.HandleRequest(context.Background(), roleReq) 1714 if err != nil || (resp != nil && resp.IsError()) { 1715 t.Fatalf("err:%v resp:%#v", err, resp) 1716 } 1717 if resp.Data["secret_id_bound_cidrs"].([]string)[0] != "127.0.0.1/32" || 1718 resp.Data["secret_id_bound_cidrs"].([]string)[1] != "127.0.0.1/16" { 1719 t.Fatalf("bad: secret_id_bound_cidrs: expected:127.0.0.1/32,127.0.0.1/16 actual:%d\n", resp.Data["secret_id_bound_cidrs"].(int)) 1720 } 1721 1722 roleReq.Data = map[string]interface{}{"secret_id_bound_cidrs": []string{"127.0.0.1/20"}} 1723 roleReq.Operation = logical.UpdateOperation 1724 resp, err = b.HandleRequest(context.Background(), roleReq) 1725 if err != nil || (resp != nil && resp.IsError()) { 1726 t.Fatalf("err:%v resp:%#v", err, resp) 1727 } 1728 1729 roleReq.Operation = logical.ReadOperation 1730 resp, err = b.HandleRequest(context.Background(), roleReq) 1731 if err != nil || (resp != nil && resp.IsError()) { 1732 t.Fatalf("err:%v resp:%#v", err, resp) 1733 } 1734 1735 if resp.Data["secret_id_bound_cidrs"].([]string)[0] != "127.0.0.1/20" { 1736 t.Fatalf("bad: secret_id_bound_cidrs: expected:127.0.0.1/20 actual:%s\n", resp.Data["secret_id_bound_cidrs"].([]string)[0]) 1737 } 1738 1739 roleReq.Operation = logical.DeleteOperation 1740 resp, err = b.HandleRequest(context.Background(), roleReq) 1741 if err != nil || (resp != nil && resp.IsError()) { 1742 t.Fatalf("err:%v resp:%#v", err, resp) 1743 } 1744 1745 roleReq.Operation = logical.ReadOperation 1746 resp, err = b.HandleRequest(context.Background(), roleReq) 1747 if err != nil || (resp != nil && resp.IsError()) { 1748 t.Fatalf("err:%v resp:%#v", err, resp) 1749 } 1750 1751 if len(resp.Data["secret_id_bound_cidrs"].([]string)) != 0 { 1752 t.Fatalf("expected value to be reset") 1753 } 1754 1755 // RUD for token-bound-cidrs field 1756 roleReq.Path = "role/role1/token-bound-cidrs" 1757 roleReq.Operation = logical.ReadOperation 1758 resp, err = b.HandleRequest(context.Background(), roleReq) 1759 if err != nil || (resp != nil && resp.IsError()) { 1760 t.Fatalf("err:%v resp:%#v", err, resp) 1761 } 1762 if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" || 1763 resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[1].String() != "127.0.0.1/16" { 1764 m, err := json.Marshal(resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)) 1765 if err != nil { 1766 t.Fatal(err) 1767 } 1768 t.Fatalf("bad: token_bound_cidrs: expected:127.0.0.1/32,127.0.0.1/16 actual:%s\n", string(m)) 1769 } 1770 1771 roleReq.Data = map[string]interface{}{"token_bound_cidrs": []string{"127.0.0.1/20"}} 1772 roleReq.Operation = logical.UpdateOperation 1773 resp, err = b.HandleRequest(context.Background(), roleReq) 1774 if err != nil || (resp != nil && resp.IsError()) { 1775 t.Fatalf("err:%v resp:%#v", err, resp) 1776 } 1777 1778 roleReq.Operation = logical.ReadOperation 1779 resp, err = b.HandleRequest(context.Background(), roleReq) 1780 if err != nil || (resp != nil && resp.IsError()) { 1781 t.Fatalf("err:%v resp:%#v", err, resp) 1782 } 1783 1784 if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1/20" { 1785 t.Fatalf("bad: token_bound_cidrs: expected:127.0.0.1/20 actual:%s\n", resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0]) 1786 } 1787 1788 roleReq.Operation = logical.DeleteOperation 1789 resp, err = b.HandleRequest(context.Background(), roleReq) 1790 if err != nil || (resp != nil && resp.IsError()) { 1791 t.Fatalf("err:%v resp:%#v", err, resp) 1792 } 1793 1794 roleReq.Operation = logical.ReadOperation 1795 resp, err = b.HandleRequest(context.Background(), roleReq) 1796 if err != nil || (resp != nil && resp.IsError()) { 1797 t.Fatalf("err:%v resp:%#v", err, resp) 1798 } 1799 1800 if len(resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)) != 0 { 1801 t.Fatalf("expected value to be reset") 1802 } 1803 1804 // Delete test for role 1805 roleReq.Path = "role/role1" 1806 roleReq.Operation = logical.DeleteOperation 1807 resp, err = b.HandleRequest(context.Background(), roleReq) 1808 if err != nil || (resp != nil && resp.IsError()) { 1809 t.Fatalf("err:%v resp:%#v", err, resp) 1810 } 1811 1812 roleReq.Operation = logical.ReadOperation 1813 resp, err = b.HandleRequest(context.Background(), roleReq) 1814 if err != nil || (resp != nil && resp.IsError()) { 1815 t.Fatalf("err:%v resp:%#v", err, resp) 1816 } 1817 1818 if resp != nil { 1819 t.Fatalf("expected a nil response") 1820 } 1821} 1822 1823func createRole(t *testing.T, b *backend, s logical.Storage, roleName, policies string) { 1824 roleData := map[string]interface{}{ 1825 "policies": policies, 1826 "secret_id_num_uses": 10, 1827 "secret_id_ttl": 300, 1828 "token_ttl": 400, 1829 "token_max_ttl": 500, 1830 } 1831 roleReq := &logical.Request{ 1832 Operation: logical.CreateOperation, 1833 Path: "role/" + roleName, 1834 Storage: s, 1835 Data: roleData, 1836 } 1837 1838 resp, err := b.HandleRequest(context.Background(), roleReq) 1839 if err != nil || (resp != nil && resp.IsError()) { 1840 t.Fatalf("err:%v resp:%#v", err, resp) 1841 } 1842} 1843 1844// TestAppRole_TokenutilUpgrade ensures that when we read values out that are 1845// values with upgrade logic we see the correct struct entries populated 1846func TestAppRole_TokenutilUpgrade(t *testing.T) { 1847 tests := []struct { 1848 name string 1849 storageValMissing bool 1850 storageVal string 1851 expectedTokenType logical.TokenType 1852 }{ 1853 { 1854 "token_type_missing", 1855 true, 1856 "", 1857 logical.TokenTypeDefault, 1858 }, 1859 { 1860 "token_type_empty", 1861 false, 1862 "", 1863 logical.TokenTypeDefault, 1864 }, 1865 { 1866 "token_type_service", 1867 false, 1868 "service", 1869 logical.TokenTypeService, 1870 }, 1871 } 1872 1873 s := &logical.InmemStorage{} 1874 1875 config := logical.TestBackendConfig() 1876 config.StorageView = s 1877 1878 ctx := context.Background() 1879 1880 b, err := Backend(config) 1881 if err != nil { 1882 t.Fatal(err) 1883 } 1884 if b == nil { 1885 t.Fatalf("failed to create backend") 1886 } 1887 if err := b.Setup(ctx, config); err != nil { 1888 t.Fatal(err) 1889 } 1890 1891 for _, tt := range tests { 1892 t.Run(tt.name, func(t *testing.T) { 1893 1894 // Construct the storage entry object based on our test case. 1895 tokenTypeKV := "" 1896 if !tt.storageValMissing { 1897 tokenTypeKV = fmt.Sprintf(`, "token_type": "%s"`, tt.storageVal) 1898 } 1899 entryVal := fmt.Sprintf(`{"policies": ["foo"], "period": 300000000000, "token_bound_cidrs": ["127.0.0.1", "10.10.10.10/24"]%s}`, tokenTypeKV) 1900 1901 // Hand craft JSON because there is overlap between fields 1902 if err := s.Put(ctx, &logical.StorageEntry{ 1903 Key: "role/" + tt.name, 1904 Value: []byte(entryVal), 1905 }); err != nil { 1906 t.Fatal(err) 1907 } 1908 1909 resEntry, err := b.roleEntry(ctx, s, tt.name) 1910 if err != nil { 1911 t.Fatal(err) 1912 } 1913 1914 exp := &roleStorageEntry{ 1915 SecretIDPrefix: "secret_id/", 1916 Policies: []string{"foo"}, 1917 Period: 300 * time.Second, 1918 TokenParams: tokenutil.TokenParams{ 1919 TokenPolicies: []string{"foo"}, 1920 TokenPeriod: 300 * time.Second, 1921 TokenBoundCIDRs: []*sockaddr.SockAddrMarshaler{ 1922 {SockAddr: sockaddr.MustIPAddr("127.0.0.1")}, 1923 {SockAddr: sockaddr.MustIPAddr("10.10.10.10/24")}, 1924 }, 1925 TokenType: tt.expectedTokenType, 1926 }, 1927 } 1928 if diff := deep.Equal(resEntry, exp); diff != nil { 1929 t.Fatal(diff) 1930 } 1931 }) 1932 } 1933} 1934