1package approle 2 3import ( 4 "context" 5 "encoding/json" 6 "reflect" 7 "strings" 8 "testing" 9 "time" 10 11 "github.com/go-test/deep" 12 "github.com/hashicorp/go-sockaddr" 13 "github.com/hashicorp/vault/sdk/helper/policyutil" 14 "github.com/hashicorp/vault/sdk/helper/tokenutil" 15 "github.com/hashicorp/vault/sdk/logical" 16 "github.com/mitchellh/mapstructure" 17) 18 19func TestAppRole_LocalSecretIDsRead(t *testing.T) { 20 var resp *logical.Response 21 var err error 22 b, storage := createBackendWithStorage(t) 23 24 roleData := map[string]interface{}{ 25 "local_secret_ids": true, 26 "bind_secret_id": true, 27 } 28 29 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 30 Operation: logical.CreateOperation, 31 Path: "role/testrole", 32 Storage: storage, 33 Data: roleData, 34 }) 35 if err != nil || (resp != nil && resp.IsError()) { 36 t.Fatalf("err:%v resp:%#v", err, resp) 37 } 38 39 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 40 Operation: logical.ReadOperation, 41 Storage: storage, 42 Path: "role/testrole/local-secret-ids", 43 }) 44 if err != nil || (resp != nil && resp.IsError()) { 45 t.Fatalf("err:%v resp:%#v", err, resp) 46 } 47 if !resp.Data["local_secret_ids"].(bool) { 48 t.Fatalf("expected local_secret_ids to be returned") 49 } 50} 51 52func TestAppRole_LocalNonLocalSecretIDs(t *testing.T) { 53 var resp *logical.Response 54 var err error 55 56 b, storage := createBackendWithStorage(t) 57 58 // Create a role with local_secret_ids set 59 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 60 Path: "role/testrole1", 61 Operation: logical.CreateOperation, 62 Storage: storage, 63 Data: map[string]interface{}{ 64 "policies": []string{"default", "role1policy"}, 65 "bind_secret_id": true, 66 "local_secret_ids": true, 67 }, 68 }) 69 if err != nil || (resp != nil && resp.IsError()) { 70 t.Fatalf("bad: err: %v\n resp: %#v", err, resp) 71 } 72 73 // Create another role without setting local_secret_ids 74 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 75 Path: "role/testrole2", 76 Operation: logical.CreateOperation, 77 Storage: storage, 78 Data: map[string]interface{}{ 79 "policies": []string{"default", "role1policy"}, 80 "bind_secret_id": true, 81 }, 82 }) 83 if err != nil || (resp != nil && resp.IsError()) { 84 t.Fatalf("bad: err: %v\n resp: %#v", err, resp) 85 } 86 87 count := 10 88 // Create secret IDs on testrole1 89 for i := 0; i < count; i++ { 90 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 91 Path: "role/testrole1/secret-id", 92 Operation: logical.UpdateOperation, 93 Storage: storage, 94 }) 95 if err != nil || (resp != nil && resp.IsError()) { 96 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 97 } 98 } 99 100 // Check the number of secret IDs generated 101 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 102 Path: "role/testrole1/secret-id", 103 Operation: logical.ListOperation, 104 Storage: storage, 105 }) 106 if err != nil || (resp != nil && resp.IsError()) { 107 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 108 } 109 if len(resp.Data["keys"].([]string)) != count { 110 t.Fatalf("failed to list secret IDs") 111 } 112 113 // Create secret IDs on testrole1 114 for i := 0; i < count; i++ { 115 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 116 Path: "role/testrole2/secret-id", 117 Operation: logical.UpdateOperation, 118 Storage: storage, 119 }) 120 if err != nil || (resp != nil && resp.IsError()) { 121 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 122 } 123 } 124 125 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 126 Path: "role/testrole2/secret-id", 127 Operation: logical.ListOperation, 128 Storage: storage, 129 }) 130 if err != nil || (resp != nil && resp.IsError()) { 131 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 132 } 133 if len(resp.Data["keys"].([]string)) != count { 134 t.Fatalf("failed to list secret IDs") 135 } 136} 137 138func TestAppRole_UpgradeSecretIDPrefix(t *testing.T) { 139 var resp *logical.Response 140 var err error 141 142 b, storage := createBackendWithStorage(t) 143 144 // Create a role entry directly in storage without SecretIDPrefix 145 err = b.setRoleEntry(context.Background(), storage, "testrole", &roleStorageEntry{ 146 RoleID: "testroleid", 147 HMACKey: "testhmackey", 148 Policies: []string{"default"}, 149 BindSecretID: true, 150 BoundCIDRListOld: "127.0.0.1/18,192.178.1.2/24", 151 }, "") 152 if err != nil { 153 t.Fatal(err) 154 } 155 156 // Reading the role entry should upgrade it to contain SecretIDPrefix 157 role, err := b.roleEntry(context.Background(), storage, "testrole") 158 if err != nil { 159 t.Fatal(err) 160 } 161 if role.SecretIDPrefix == "" { 162 t.Fatalf("expected SecretIDPrefix to be set") 163 } 164 165 // Ensure that the API response contains local_secret_ids 166 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 167 Path: "role/testrole", 168 Operation: logical.ReadOperation, 169 Storage: storage, 170 }) 171 if err != nil || (resp != nil && resp.IsError()) { 172 t.Fatalf("bad: err: %v\n resp: %#v", err, resp) 173 } 174 _, ok := resp.Data["local_secret_ids"] 175 if !ok { 176 t.Fatalf("expected local_secret_ids to be present in the response") 177 } 178} 179 180func TestAppRole_LocalSecretIDImmutability(t *testing.T) { 181 var resp *logical.Response 182 var err error 183 184 b, storage := createBackendWithStorage(t) 185 186 roleData := map[string]interface{}{ 187 "policies": []string{"default"}, 188 "bind_secret_id": true, 189 "bound_cidr_list": []string{"127.0.0.1/18", "192.178.1.2/24"}, 190 "local_secret_ids": true, 191 } 192 193 // Create a role with local_secret_ids set 194 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 195 Path: "role/testrole", 196 Operation: logical.CreateOperation, 197 Storage: storage, 198 Data: roleData, 199 }) 200 if err != nil || (resp != nil && resp.IsError()) { 201 t.Fatalf("bad: err: %v\nresp: %#v", err, resp) 202 } 203 204 // Attempt to modify local_secret_ids should fail 205 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 206 Path: "role/testrole", 207 Operation: logical.UpdateOperation, 208 Storage: storage, 209 Data: roleData, 210 }) 211 if resp == nil || !resp.IsError() { 212 t.Fatalf("expected an error since local_secret_ids can't be overwritten") 213 } 214} 215 216func TestAppRole_UpgradeBoundCIDRList(t *testing.T) { 217 var resp *logical.Response 218 var err error 219 220 b, storage := createBackendWithStorage(t) 221 222 roleData := map[string]interface{}{ 223 "policies": []string{"default"}, 224 "bind_secret_id": true, 225 "bound_cidr_list": []string{"127.0.0.1/18", "192.178.1.2/24"}, 226 } 227 228 // Create a role with bound_cidr_list set 229 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 230 Path: "role/testrole", 231 Operation: logical.CreateOperation, 232 Storage: storage, 233 Data: roleData, 234 }) 235 if err != nil || (resp != nil && resp.IsError()) { 236 t.Fatalf("bad: err: %v\nresp: %#v", err, resp) 237 } 238 239 // Read the role and check that the bound_cidr_list is set properly 240 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 241 Path: "role/testrole", 242 Operation: logical.ReadOperation, 243 Storage: storage, 244 }) 245 if err != nil || (resp != nil && resp.IsError()) { 246 t.Fatalf("bad: err: %v\nresp: %#v", err, resp) 247 } 248 249 expected := []string{"127.0.0.1/18", "192.178.1.2/24"} 250 actual := resp.Data["secret_id_bound_cidrs"].([]string) 251 252 if !reflect.DeepEqual(expected, actual) { 253 t.Fatalf("bad: secret_id_bound_cidrs; expected: %#v\nactual: %#v\n", expected, actual) 254 } 255 256 // Modify the storage entry of the role to hold the old style string typed bound_cidr_list 257 role := &roleStorageEntry{ 258 RoleID: "testroleid", 259 HMACKey: "testhmackey", 260 Policies: []string{"default"}, 261 BindSecretID: true, 262 BoundCIDRListOld: "127.0.0.1/18,192.178.1.2/24", 263 SecretIDPrefix: secretIDPrefix, 264 } 265 err = b.setRoleEntry(context.Background(), storage, "testrole", role, "") 266 if err != nil { 267 t.Fatal(err) 268 } 269 270 // Read the role. The upgrade code should have migrated the old type to the new type 271 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 272 Path: "role/testrole", 273 Operation: logical.ReadOperation, 274 Storage: storage, 275 }) 276 if err != nil || (resp != nil && resp.IsError()) { 277 t.Fatalf("bad: err: %v\nresp: %#v", err, resp) 278 } 279 if !reflect.DeepEqual(expected, actual) { 280 t.Fatalf("bad: bound_cidr_list; expected: %#v\nactual: %#v\n", expected, actual) 281 } 282 283 // Create a secret-id by supplying a subset of the role's CIDR blocks with the new type 284 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 285 Path: "role/testrole/secret-id", 286 Operation: logical.UpdateOperation, 287 Storage: storage, 288 Data: map[string]interface{}{ 289 "cidr_list": []string{"127.0.0.1/24"}, 290 }, 291 }) 292 if err != nil || (resp != nil && resp.IsError()) { 293 t.Fatalf("bad: err: %v\nresp: %#v", err, resp) 294 } 295 if resp.Data["secret_id"].(string) == "" { 296 t.Fatalf("failed to generate secret-id") 297 } 298 299 // Check that the backwards compatibility for the string type is not broken 300 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 301 Path: "role/testrole/secret-id", 302 Operation: logical.UpdateOperation, 303 Storage: storage, 304 Data: map[string]interface{}{ 305 "cidr_list": "127.0.0.1/24", 306 }, 307 }) 308 if err != nil || (resp != nil && resp.IsError()) { 309 t.Fatalf("bad: err: %v\nresp: %#v", err, resp) 310 } 311 if resp.Data["secret_id"].(string) == "" { 312 t.Fatalf("failed to generate secret-id") 313 } 314} 315 316func TestAppRole_RoleNameLowerCasing(t *testing.T) { 317 var resp *logical.Response 318 var err error 319 var roleID, secretID string 320 321 b, storage := createBackendWithStorage(t) 322 323 // Save a role with out LowerCaseRoleName set 324 role := &roleStorageEntry{ 325 RoleID: "testroleid", 326 HMACKey: "testhmackey", 327 Policies: []string{"default"}, 328 BindSecretID: true, 329 SecretIDPrefix: secretIDPrefix, 330 } 331 err = b.setRoleEntry(context.Background(), storage, "testRoleName", role, "") 332 if err != nil { 333 t.Fatal(err) 334 } 335 336 secretIDReq := &logical.Request{ 337 Path: "role/testRoleName/secret-id", 338 Operation: logical.UpdateOperation, 339 Storage: storage, 340 } 341 resp, err = b.HandleRequest(context.Background(), secretIDReq) 342 if err != nil || (resp != nil && resp.IsError()) { 343 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 344 } 345 secretID = resp.Data["secret_id"].(string) 346 roleID = "testroleid" 347 348 // Regular login flow. This should succeed. 349 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 350 Path: "login", 351 Operation: logical.UpdateOperation, 352 Storage: storage, 353 Data: map[string]interface{}{ 354 "role_id": roleID, 355 "secret_id": secretID, 356 }, 357 }) 358 if err != nil || (resp != nil && resp.IsError()) { 359 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 360 } 361 362 // Lower case the role name when generating the secret id 363 secretIDReq.Path = "role/testrolename/secret-id" 364 resp, err = b.HandleRequest(context.Background(), secretIDReq) 365 if err != nil || (resp != nil && resp.IsError()) { 366 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 367 } 368 secretID = resp.Data["secret_id"].(string) 369 370 // Login should fail 371 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 372 Path: "login", 373 Operation: logical.UpdateOperation, 374 Storage: storage, 375 Data: map[string]interface{}{ 376 "role_id": roleID, 377 "secret_id": secretID, 378 }, 379 }) 380 if err != nil { 381 t.Fatal(err) 382 } 383 if resp == nil || !resp.IsError() { 384 t.Fatalf("expected an error") 385 } 386 387 // Delete the role and create it again. This time don't directly persist 388 // it, but route the request to the creation handler so that it sets the 389 // LowerCaseRoleName to true. 390 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 391 Path: "role/testRoleName", 392 Operation: logical.DeleteOperation, 393 Storage: storage, 394 }) 395 if err != nil || (resp != nil && resp.IsError()) { 396 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 397 } 398 399 roleReq := &logical.Request{ 400 Path: "role/testRoleName", 401 Operation: logical.CreateOperation, 402 Storage: storage, 403 Data: map[string]interface{}{ 404 "bind_secret_id": true, 405 }, 406 } 407 resp, err = b.HandleRequest(context.Background(), roleReq) 408 if err != nil || (resp != nil && resp.IsError()) { 409 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 410 } 411 412 // Create secret id with lower cased role name 413 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 414 Path: "role/testrolename/secret-id", 415 Operation: logical.UpdateOperation, 416 Storage: storage, 417 }) 418 if err != nil || (resp != nil && resp.IsError()) { 419 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 420 } 421 secretID = resp.Data["secret_id"].(string) 422 423 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 424 Path: "role/testrolename/role-id", 425 Operation: logical.ReadOperation, 426 Storage: storage, 427 }) 428 if err != nil || (resp != nil && resp.IsError()) { 429 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 430 } 431 roleID = resp.Data["role_id"].(string) 432 433 // Login should pass 434 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 435 Path: "login", 436 Operation: logical.UpdateOperation, 437 Storage: storage, 438 Data: map[string]interface{}{ 439 "role_id": roleID, 440 "secret_id": secretID, 441 }, 442 }) 443 if err != nil || (resp != nil && resp.IsError()) { 444 t.Fatalf("bad: resp: %#v\nerr:%v", resp, err) 445 } 446 447 // Lookup of secret ID should work in case-insensitive manner 448 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 449 Path: "role/testrolename/secret-id/lookup", 450 Operation: logical.UpdateOperation, 451 Storage: storage, 452 Data: map[string]interface{}{ 453 "secret_id": secretID, 454 }, 455 }) 456 if err != nil || (resp != nil && resp.IsError()) { 457 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 458 } 459 if resp == nil { 460 t.Fatalf("failed to lookup secret IDs") 461 } 462 463 // Listing of secret IDs should work in case-insensitive manner 464 resp, err = b.HandleRequest(context.Background(), &logical.Request{ 465 Path: "role/testrolename/secret-id", 466 Operation: logical.ListOperation, 467 Storage: storage, 468 }) 469 if err != nil || (resp != nil && resp.IsError()) { 470 t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) 471 } 472 473 if len(resp.Data["keys"].([]string)) != 1 { 474 t.Fatalf("failed to list secret IDs") 475 } 476} 477 478func TestAppRole_RoleReadSetIndex(t *testing.T) { 479 var resp *logical.Response 480 var err error 481 482 b, storage := createBackendWithStorage(t) 483 484 roleReq := &logical.Request{ 485 Path: "role/testrole", 486 Operation: logical.CreateOperation, 487 Storage: storage, 488 Data: map[string]interface{}{ 489 "bind_secret_id": true, 490 }, 491 } 492 493 // Create a role 494 resp, err = b.HandleRequest(context.Background(), roleReq) 495 if err != nil || (resp != nil && resp.IsError()) { 496 t.Fatalf("bad: resp: %#v\n err: %v\n", resp, err) 497 } 498 499 roleIDReq := &logical.Request{ 500 Path: "role/testrole/role-id", 501 Operation: logical.ReadOperation, 502 Storage: storage, 503 } 504 505 // Get the role ID 506 resp, err = b.HandleRequest(context.Background(), roleIDReq) 507 if err != nil || (resp != nil && resp.IsError()) { 508 t.Fatalf("bad: resp: %#v\n err: %v\n", resp, err) 509 } 510 roleID := resp.Data["role_id"].(string) 511 512 // Delete the role ID index 513 err = b.roleIDEntryDelete(context.Background(), storage, roleID) 514 if err != nil { 515 t.Fatal(err) 516 } 517 518 // Read the role again. This should add the index and return a warning 519 roleReq.Operation = logical.ReadOperation 520 resp, err = b.HandleRequest(context.Background(), roleReq) 521 if err != nil || (resp != nil && resp.IsError()) { 522 t.Fatalf("bad: resp: %#v\n err: %v\n", resp, err) 523 } 524 525 // Check if the warning is being returned 526 if !strings.Contains(resp.Warnings[0], "Role identifier was missing an index back to role name.") { 527 t.Fatalf("bad: expected a warning in the response") 528 } 529 530 roleIDIndex, err := b.roleIDEntry(context.Background(), storage, roleID) 531 if err != nil { 532 t.Fatal(err) 533 } 534 535 // Check if the index has been successfully created 536 if roleIDIndex == nil || roleIDIndex.Name != "testrole" { 537 t.Fatalf("bad: expected role to have an index") 538 } 539 540 roleReq.Operation = logical.UpdateOperation 541 roleReq.Data = map[string]interface{}{ 542 "bind_secret_id": true, 543 "policies": "default", 544 } 545 546 // Check if updating and reading of roles work and that there are no lock 547 // contentions dangling due to previous operation 548 resp, err = b.HandleRequest(context.Background(), roleReq) 549 if err != nil || (resp != nil && resp.IsError()) { 550 t.Fatalf("bad: resp: %#v\n err: %v\n", resp, err) 551 } 552 roleReq.Operation = logical.ReadOperation 553 resp, err = b.HandleRequest(context.Background(), roleReq) 554 if err != nil || (resp != nil && resp.IsError()) { 555 t.Fatalf("bad: resp: %#v\n err: %v\n", resp, err) 556 } 557} 558 559func TestAppRole_CIDRSubset(t *testing.T) { 560 var resp *logical.Response 561 var err error 562 563 b, storage := createBackendWithStorage(t) 564 565 roleData := map[string]interface{}{ 566 "role_id": "role-id-123", 567 "policies": "a,b", 568 "bound_cidr_list": "127.0.0.1/24", 569 } 570 571 roleReq := &logical.Request{ 572 Operation: logical.CreateOperation, 573 Path: "role/testrole1", 574 Storage: storage, 575 Data: roleData, 576 } 577 578 resp, err = b.HandleRequest(context.Background(), roleReq) 579 if err != nil || (resp != nil && resp.IsError()) { 580 t.Fatalf("err: %v resp: %#v", err, resp) 581 } 582 583 secretIDData := map[string]interface{}{ 584 "cidr_list": "127.0.0.1/16", 585 } 586 secretIDReq := &logical.Request{ 587 Operation: logical.UpdateOperation, 588 Storage: storage, 589 Path: "role/testrole1/secret-id", 590 Data: secretIDData, 591 } 592 593 resp, err = b.HandleRequest(context.Background(), secretIDReq) 594 if resp != nil || resp.IsError() { 595 t.Fatalf("resp:%#v", resp) 596 } 597 if err == nil { 598 t.Fatal("expected an error") 599 } 600 601 roleData["bound_cidr_list"] = "192.168.27.29/16,172.245.30.40/24,10.20.30.40/30" 602 roleReq.Operation = logical.UpdateOperation 603 resp, err = b.HandleRequest(context.Background(), roleReq) 604 if err != nil || (resp != nil && resp.IsError()) { 605 t.Fatalf("err: %v resp: %#v", err, resp) 606 } 607 608 secretIDData["cidr_list"] = "192.168.27.29/20,172.245.30.40/25,10.20.30.40/32" 609 resp, err = b.HandleRequest(context.Background(), secretIDReq) 610 if err != nil { 611 t.Fatal(err) 612 } 613 if resp != nil && resp.IsError() { 614 t.Fatalf("resp: %#v", resp) 615 } 616} 617 618func TestAppRole_RoleConstraints(t *testing.T) { 619 var resp *logical.Response 620 var err error 621 b, storage := createBackendWithStorage(t) 622 623 roleData := map[string]interface{}{ 624 "role_id": "role-id-123", 625 "policies": "a,b", 626 } 627 628 roleReq := &logical.Request{ 629 Operation: logical.CreateOperation, 630 Path: "role/testrole1", 631 Storage: storage, 632 Data: roleData, 633 } 634 635 // Set bind_secret_id, which is enabled by default 636 resp, err = b.HandleRequest(context.Background(), roleReq) 637 if err != nil || (resp != nil && resp.IsError()) { 638 t.Fatalf("err:%v resp:%#v", err, resp) 639 } 640 641 // Set bound_cidr_list alone by explicitly disabling bind_secret_id 642 roleReq.Operation = logical.UpdateOperation 643 roleData["bind_secret_id"] = false 644 roleData["bound_cidr_list"] = "0.0.0.0/0" 645 resp, err = b.HandleRequest(context.Background(), roleReq) 646 if err != nil || (resp != nil && resp.IsError()) { 647 t.Fatalf("err:%v resp:%#v", err, resp) 648 } 649 650 // Remove both constraints 651 roleReq.Operation = logical.UpdateOperation 652 roleData["bound_cidr_list"] = "" 653 roleData["bind_secret_id"] = false 654 resp, err = b.HandleRequest(context.Background(), roleReq) 655 if resp != nil && resp.IsError() { 656 t.Fatalf("err:%v, resp:%#v", err, resp) 657 } 658 if err == nil { 659 t.Fatalf("expected an error") 660 } 661} 662 663func TestAppRole_RoleIDUpdate(t *testing.T) { 664 var resp *logical.Response 665 var err error 666 b, storage := createBackendWithStorage(t) 667 668 roleData := map[string]interface{}{ 669 "role_id": "role-id-123", 670 "policies": "a,b", 671 "secret_id_num_uses": 10, 672 "secret_id_ttl": 300, 673 "token_ttl": 400, 674 "token_max_ttl": 500, 675 } 676 roleReq := &logical.Request{ 677 Operation: logical.CreateOperation, 678 Path: "role/testrole1", 679 Storage: storage, 680 Data: roleData, 681 } 682 resp, err = b.HandleRequest(context.Background(), roleReq) 683 if err != nil || (resp != nil && resp.IsError()) { 684 t.Fatalf("err:%v resp:%#v", err, resp) 685 } 686 687 roleIDUpdateReq := &logical.Request{ 688 Operation: logical.UpdateOperation, 689 Path: "role/testrole1/role-id", 690 Storage: storage, 691 Data: map[string]interface{}{ 692 "role_id": "customroleid", 693 }, 694 } 695 resp, err = b.HandleRequest(context.Background(), roleIDUpdateReq) 696 if err != nil || (resp != nil && resp.IsError()) { 697 t.Fatalf("err:%v resp:%#v", err, resp) 698 } 699 700 secretIDReq := &logical.Request{ 701 Operation: logical.UpdateOperation, 702 Storage: storage, 703 Path: "role/testrole1/secret-id", 704 } 705 resp, err = b.HandleRequest(context.Background(), secretIDReq) 706 if err != nil || (resp != nil && resp.IsError()) { 707 t.Fatalf("err:%v resp:%#v", err, resp) 708 } 709 secretID := resp.Data["secret_id"].(string) 710 711 loginData := map[string]interface{}{ 712 "role_id": "customroleid", 713 "secret_id": secretID, 714 } 715 loginReq := &logical.Request{ 716 Operation: logical.UpdateOperation, 717 Path: "login", 718 Storage: storage, 719 Data: loginData, 720 Connection: &logical.Connection{ 721 RemoteAddr: "127.0.0.1", 722 }, 723 } 724 resp, err = b.HandleRequest(context.Background(), loginReq) 725 if err != nil || (resp != nil && resp.IsError()) { 726 t.Fatalf("err:%v resp:%#v", err, resp) 727 } 728 729 if resp.Auth == nil { 730 t.Fatalf("expected a non-nil auth object in the response") 731 } 732} 733 734func TestAppRole_RoleIDUniqueness(t *testing.T) { 735 var resp *logical.Response 736 var err error 737 b, storage := createBackendWithStorage(t) 738 739 roleData := map[string]interface{}{ 740 "role_id": "role-id-123", 741 "policies": "a,b", 742 "secret_id_num_uses": 10, 743 "secret_id_ttl": 300, 744 "token_ttl": 400, 745 "token_max_ttl": 500, 746 } 747 roleReq := &logical.Request{ 748 Operation: logical.CreateOperation, 749 Path: "role/testrole1", 750 Storage: storage, 751 Data: roleData, 752 } 753 754 resp, err = b.HandleRequest(context.Background(), roleReq) 755 if err != nil || (resp != nil && resp.IsError()) { 756 t.Fatalf("err:%v resp:%#v", err, resp) 757 } 758 759 roleReq.Path = "role/testrole2" 760 resp, err = b.HandleRequest(context.Background(), roleReq) 761 if err == nil && !(resp != nil && resp.IsError()) { 762 t.Fatalf("expected an error: got resp:%#v", resp) 763 } 764 765 roleData["role_id"] = "role-id-456" 766 resp, err = b.HandleRequest(context.Background(), roleReq) 767 if err != nil || (resp != nil && resp.IsError()) { 768 t.Fatalf("err:%v resp:%#v", err, resp) 769 } 770 771 roleReq.Operation = logical.UpdateOperation 772 roleData["role_id"] = "role-id-123" 773 resp, err = b.HandleRequest(context.Background(), roleReq) 774 if err == nil && !(resp != nil && resp.IsError()) { 775 t.Fatalf("expected an error: got resp:%#v", resp) 776 } 777 778 roleReq.Path = "role/testrole1" 779 roleData["role_id"] = "role-id-456" 780 resp, err = b.HandleRequest(context.Background(), roleReq) 781 if err == nil && !(resp != nil && resp.IsError()) { 782 t.Fatalf("expected an error: got resp:%#v", resp) 783 } 784 785 roleIDData := map[string]interface{}{ 786 "role_id": "role-id-456", 787 } 788 roleIDReq := &logical.Request{ 789 Operation: logical.UpdateOperation, 790 Path: "role/testrole1/role-id", 791 Storage: storage, 792 Data: roleIDData, 793 } 794 resp, err = b.HandleRequest(context.Background(), roleIDReq) 795 if err == nil && !(resp != nil && resp.IsError()) { 796 t.Fatalf("expected an error: got resp:%#v", resp) 797 } 798 799 roleIDData["role_id"] = "role-id-123" 800 roleIDReq.Path = "role/testrole2/role-id" 801 resp, err = b.HandleRequest(context.Background(), roleIDReq) 802 if err == nil && !(resp != nil && resp.IsError()) { 803 t.Fatalf("expected an error: got resp:%#v", resp) 804 } 805 806 roleIDData["role_id"] = "role-id-2000" 807 resp, err = b.HandleRequest(context.Background(), roleIDReq) 808 if err != nil || (resp != nil && resp.IsError()) { 809 t.Fatalf("err:%v resp:%#v", err, resp) 810 } 811 812 roleIDData["role_id"] = "role-id-1000" 813 roleIDReq.Path = "role/testrole1/role-id" 814 resp, err = b.HandleRequest(context.Background(), roleIDReq) 815 if err != nil || (resp != nil && resp.IsError()) { 816 t.Fatalf("err:%v resp:%#v", err, resp) 817 } 818} 819 820func TestAppRole_RoleDeleteSecretID(t *testing.T) { 821 var resp *logical.Response 822 var err error 823 b, storage := createBackendWithStorage(t) 824 825 createRole(t, b, storage, "role1", "a,b") 826 secretIDReq := &logical.Request{ 827 Operation: logical.UpdateOperation, 828 Storage: storage, 829 Path: "role/role1/secret-id", 830 } 831 // Create 3 secrets on the role 832 resp, err = b.HandleRequest(context.Background(), secretIDReq) 833 if err != nil || (resp != nil && resp.IsError()) { 834 t.Fatalf("err:%v resp:%#v", err, resp) 835 } 836 resp, err = b.HandleRequest(context.Background(), secretIDReq) 837 if err != nil || (resp != nil && resp.IsError()) { 838 t.Fatalf("err:%v resp:%#v", err, resp) 839 } 840 resp, err = b.HandleRequest(context.Background(), secretIDReq) 841 if err != nil || (resp != nil && resp.IsError()) { 842 t.Fatalf("err:%v resp:%#v", err, resp) 843 } 844 845 listReq := &logical.Request{ 846 Operation: logical.ListOperation, 847 Storage: storage, 848 Path: "role/role1/secret-id", 849 } 850 resp, err = b.HandleRequest(context.Background(), listReq) 851 if err != nil || (resp != nil && resp.IsError()) { 852 t.Fatalf("err:%v resp:%#v", err, resp) 853 } 854 secretIDAccessors := resp.Data["keys"].([]string) 855 if len(secretIDAccessors) != 3 { 856 t.Fatalf("bad: len of secretIDAccessors: expected:3 actual:%d", len(secretIDAccessors)) 857 } 858 859 roleReq := &logical.Request{ 860 Operation: logical.DeleteOperation, 861 Storage: storage, 862 Path: "role/role1", 863 } 864 resp, err = b.HandleRequest(context.Background(), roleReq) 865 if err != nil || (resp != nil && resp.IsError()) { 866 t.Fatalf("err:%v resp:%#v", err, resp) 867 } 868 resp, err = b.HandleRequest(context.Background(), listReq) 869 if err != nil || resp == nil || (resp != nil && !resp.IsError()) { 870 t.Fatalf("expected an error. err:%v resp:%#v", err, resp) 871 } 872} 873 874func TestAppRole_RoleSecretIDReadDelete(t *testing.T) { 875 var resp *logical.Response 876 var err error 877 b, storage := createBackendWithStorage(t) 878 879 createRole(t, b, storage, "role1", "a,b") 880 secretIDCreateReq := &logical.Request{ 881 Operation: logical.UpdateOperation, 882 Storage: storage, 883 Path: "role/role1/secret-id", 884 } 885 resp, err = b.HandleRequest(context.Background(), secretIDCreateReq) 886 if err != nil || (resp != nil && resp.IsError()) { 887 t.Fatalf("err:%v resp:%#v", err, resp) 888 } 889 890 secretID := resp.Data["secret_id"].(string) 891 if secretID == "" { 892 t.Fatal("expected non empty secret ID") 893 } 894 895 secretIDReq := &logical.Request{ 896 Operation: logical.UpdateOperation, 897 Storage: storage, 898 Path: "role/role1/secret-id/lookup", 899 Data: map[string]interface{}{ 900 "secret_id": secretID, 901 }, 902 } 903 resp, err = b.HandleRequest(context.Background(), secretIDReq) 904 if err != nil || (resp != nil && resp.IsError()) { 905 t.Fatalf("err:%v resp:%#v", err, resp) 906 } 907 if resp.Data == nil { 908 t.Fatal(err) 909 } 910 911 deleteSecretIDReq := &logical.Request{ 912 Operation: logical.DeleteOperation, 913 Storage: storage, 914 Path: "role/role1/secret-id/destroy", 915 Data: map[string]interface{}{ 916 "secret_id": secretID, 917 }, 918 } 919 resp, err = b.HandleRequest(context.Background(), deleteSecretIDReq) 920 if err != nil || (resp != nil && resp.IsError()) { 921 t.Fatalf("err:%v resp:%#v", err, resp) 922 } 923 924 resp, err = b.HandleRequest(context.Background(), secretIDReq) 925 if resp != nil && resp.IsError() { 926 t.Fatalf("error response:%#v", resp) 927 } 928 if err != nil { 929 t.Fatal(err) 930 } 931} 932 933func TestAppRole_RoleSecretIDAccessorReadDelete(t *testing.T) { 934 var resp *logical.Response 935 var err error 936 b, storage := createBackendWithStorage(t) 937 938 createRole(t, b, storage, "role1", "a,b") 939 secretIDReq := &logical.Request{ 940 Operation: logical.UpdateOperation, 941 Storage: storage, 942 Path: "role/role1/secret-id", 943 } 944 resp, err = b.HandleRequest(context.Background(), secretIDReq) 945 if err != nil || (resp != nil && resp.IsError()) { 946 t.Fatalf("err:%v resp:%#v", err, resp) 947 } 948 949 listReq := &logical.Request{ 950 Operation: logical.ListOperation, 951 Storage: storage, 952 Path: "role/role1/secret-id", 953 } 954 resp, err = b.HandleRequest(context.Background(), listReq) 955 if err != nil || (resp != nil && resp.IsError()) { 956 t.Fatalf("err:%v resp:%#v", err, resp) 957 } 958 hmacSecretID := resp.Data["keys"].([]string)[0] 959 960 hmacReq := &logical.Request{ 961 Operation: logical.UpdateOperation, 962 Storage: storage, 963 Path: "role/role1/secret-id-accessor/lookup", 964 Data: map[string]interface{}{ 965 "secret_id_accessor": hmacSecretID, 966 }, 967 } 968 resp, err = b.HandleRequest(context.Background(), hmacReq) 969 if err != nil || (resp != nil && resp.IsError()) { 970 t.Fatalf("err:%v resp:%#v", err, resp) 971 } 972 if resp.Data == nil { 973 t.Fatal(err) 974 } 975 976 hmacReq.Path = "role/role1/secret-id-accessor/destroy" 977 resp, err = b.HandleRequest(context.Background(), hmacReq) 978 if err != nil || (resp != nil && resp.IsError()) { 979 t.Fatalf("err:%v resp:%#v", err, resp) 980 } 981 982 hmacReq.Operation = logical.ReadOperation 983 resp, err = b.HandleRequest(context.Background(), hmacReq) 984 if resp != nil && resp.IsError() { 985 t.Fatalf("err:%v resp:%#v", err, resp) 986 } 987 if err == nil { 988 t.Fatalf("expected an error") 989 } 990} 991 992func TestAppRoleRoleListSecretID(t *testing.T) { 993 var resp *logical.Response 994 var err error 995 b, storage := createBackendWithStorage(t) 996 997 createRole(t, b, storage, "role1", "a,b") 998 999 secretIDReq := &logical.Request{ 1000 Operation: logical.UpdateOperation, 1001 Storage: storage, 1002 Path: "role/role1/secret-id", 1003 } 1004 // Create 5 'secret_id's 1005 resp, err = b.HandleRequest(context.Background(), secretIDReq) 1006 if err != nil || (resp != nil && resp.IsError()) { 1007 t.Fatalf("err:%v resp:%#v", err, resp) 1008 } 1009 resp, err = b.HandleRequest(context.Background(), secretIDReq) 1010 if err != nil || (resp != nil && resp.IsError()) { 1011 t.Fatalf("err:%v resp:%#v", err, resp) 1012 } 1013 resp, err = b.HandleRequest(context.Background(), secretIDReq) 1014 if err != nil || (resp != nil && resp.IsError()) { 1015 t.Fatalf("err:%v resp:%#v", err, resp) 1016 } 1017 resp, err = b.HandleRequest(context.Background(), secretIDReq) 1018 if err != nil || (resp != nil && resp.IsError()) { 1019 t.Fatalf("err:%v resp:%#v", err, resp) 1020 } 1021 resp, err = b.HandleRequest(context.Background(), secretIDReq) 1022 if err != nil || (resp != nil && resp.IsError()) { 1023 t.Fatalf("err:%v resp:%#v", err, resp) 1024 } 1025 1026 listReq := &logical.Request{ 1027 Operation: logical.ListOperation, 1028 Storage: storage, 1029 Path: "role/role1/secret-id/", 1030 } 1031 resp, err = b.HandleRequest(context.Background(), listReq) 1032 if err != nil || (resp != nil && resp.IsError()) { 1033 t.Fatalf("err:%v resp:%#v", err, resp) 1034 } 1035 secrets := resp.Data["keys"].([]string) 1036 if len(secrets) != 5 { 1037 t.Fatalf("bad: len of secrets: expected:5 actual:%d", len(secrets)) 1038 } 1039} 1040 1041func TestAppRole_RoleList(t *testing.T) { 1042 var resp *logical.Response 1043 var err error 1044 b, storage := createBackendWithStorage(t) 1045 1046 createRole(t, b, storage, "role1", "a,b") 1047 createRole(t, b, storage, "role2", "c,d") 1048 createRole(t, b, storage, "role3", "e,f") 1049 createRole(t, b, storage, "role4", "g,h") 1050 createRole(t, b, storage, "role5", "i,j") 1051 1052 listReq := &logical.Request{ 1053 Operation: logical.ListOperation, 1054 Path: "role", 1055 Storage: storage, 1056 } 1057 resp, err = b.HandleRequest(context.Background(), listReq) 1058 if err != nil || (resp != nil && resp.IsError()) { 1059 t.Fatalf("err:%v resp:%#v", err, resp) 1060 } 1061 1062 actual := resp.Data["keys"].([]string) 1063 expected := []string{"role1", "role2", "role3", "role4", "role5"} 1064 if !policyutil.EquivalentPolicies(actual, expected) { 1065 t.Fatalf("bad: listed roles: expected:%s\nactual:%s", expected, actual) 1066 } 1067} 1068 1069func TestAppRole_RoleSecretID(t *testing.T) { 1070 var resp *logical.Response 1071 var err error 1072 b, storage := createBackendWithStorage(t) 1073 1074 roleData := map[string]interface{}{ 1075 "policies": "p,q,r,s", 1076 "secret_id_num_uses": 10, 1077 "secret_id_ttl": 300, 1078 "token_ttl": 400, 1079 "token_max_ttl": 500, 1080 } 1081 roleReq := &logical.Request{ 1082 Operation: logical.CreateOperation, 1083 Path: "role/role1", 1084 Storage: storage, 1085 Data: roleData, 1086 } 1087 1088 resp, err = b.HandleRequest(context.Background(), roleReq) 1089 if err != nil || (resp != nil && resp.IsError()) { 1090 t.Fatalf("err:%v resp:%#v", err, resp) 1091 } 1092 1093 roleSecretIDReq := &logical.Request{ 1094 Operation: logical.UpdateOperation, 1095 Path: "role/role1/secret-id", 1096 Storage: storage, 1097 } 1098 resp, err = b.HandleRequest(context.Background(), roleSecretIDReq) 1099 if err != nil || (resp != nil && resp.IsError()) { 1100 t.Fatalf("err:%v resp:%#v", err, resp) 1101 } 1102 1103 if resp.Data["secret_id"].(string) == "" { 1104 t.Fatalf("failed to generate secret_id") 1105 } 1106 1107 roleSecretIDReq.Path = "role/role1/custom-secret-id" 1108 roleCustomSecretIDData := map[string]interface{}{ 1109 "secret_id": "abcd123", 1110 } 1111 roleSecretIDReq.Data = roleCustomSecretIDData 1112 roleSecretIDReq.Operation = logical.UpdateOperation 1113 resp, err = b.HandleRequest(context.Background(), roleSecretIDReq) 1114 if err != nil || (resp != nil && resp.IsError()) { 1115 t.Fatalf("err:%v resp:%#v", err, resp) 1116 } 1117 1118 if resp.Data["secret_id"] != "abcd123" { 1119 t.Fatalf("failed to set specific secret_id to role") 1120 } 1121} 1122 1123func TestAppRole_RoleCRUD(t *testing.T) { 1124 var resp *logical.Response 1125 var err error 1126 b, storage := createBackendWithStorage(t) 1127 1128 roleData := map[string]interface{}{ 1129 "policies": "p,q,r,s", 1130 "secret_id_num_uses": 10, 1131 "secret_id_ttl": 300, 1132 "token_ttl": 400, 1133 "token_max_ttl": 500, 1134 "token_num_uses": 600, 1135 "secret_id_bound_cidrs": "127.0.0.1/32,127.0.0.1/16", 1136 } 1137 roleReq := &logical.Request{ 1138 Operation: logical.CreateOperation, 1139 Path: "role/role1", 1140 Storage: storage, 1141 Data: roleData, 1142 } 1143 1144 resp, err = b.HandleRequest(context.Background(), roleReq) 1145 if err != nil || (resp != nil && resp.IsError()) { 1146 t.Fatalf("err:%v resp:%#v", err, resp) 1147 } 1148 1149 roleReq.Operation = logical.ReadOperation 1150 resp, err = b.HandleRequest(context.Background(), roleReq) 1151 if err != nil || (resp != nil && resp.IsError()) { 1152 t.Fatalf("err:%v resp:%#v", err, resp) 1153 } 1154 1155 expected := map[string]interface{}{ 1156 "bind_secret_id": true, 1157 "policies": []string{"p", "q", "r", "s"}, 1158 "secret_id_num_uses": 10, 1159 "secret_id_ttl": 300, 1160 "token_ttl": 400, 1161 "token_max_ttl": 500, 1162 "token_num_uses": 600, 1163 "secret_id_bound_cidrs": []string{"127.0.0.1/32", "127.0.0.1/16"}, 1164 "token_bound_cidrs": []string{}, 1165 "token_type": "default", 1166 } 1167 1168 var expectedStruct roleStorageEntry 1169 err = mapstructure.Decode(expected, &expectedStruct) 1170 if err != nil { 1171 t.Fatal(err) 1172 } 1173 1174 var actualStruct roleStorageEntry 1175 err = mapstructure.Decode(resp.Data, &actualStruct) 1176 if err != nil { 1177 t.Fatal(err) 1178 } 1179 1180 expectedStruct.RoleID = actualStruct.RoleID 1181 if diff := deep.Equal(expectedStruct, actualStruct); diff != nil { 1182 t.Fatal(diff) 1183 } 1184 1185 roleData = map[string]interface{}{ 1186 "role_id": "test_role_id", 1187 "policies": "a,b,c,d", 1188 "secret_id_num_uses": 100, 1189 "secret_id_ttl": 3000, 1190 "token_ttl": 4000, 1191 "token_max_ttl": 5000, 1192 } 1193 roleReq.Data = roleData 1194 roleReq.Operation = logical.UpdateOperation 1195 1196 resp, err = b.HandleRequest(context.Background(), roleReq) 1197 if err != nil || (resp != nil && resp.IsError()) { 1198 t.Fatalf("err:%v resp:%#v", err, resp) 1199 } 1200 1201 roleReq.Operation = logical.ReadOperation 1202 resp, err = b.HandleRequest(context.Background(), roleReq) 1203 if err != nil || (resp != nil && resp.IsError()) { 1204 t.Fatalf("err:%v resp:%#v", err, resp) 1205 } 1206 1207 expected = map[string]interface{}{ 1208 "policies": []string{"a", "b", "c", "d"}, 1209 "secret_id_num_uses": 100, 1210 "secret_id_ttl": 3000, 1211 "token_ttl": 4000, 1212 "token_max_ttl": 5000, 1213 } 1214 err = mapstructure.Decode(expected, &expectedStruct) 1215 if err != nil { 1216 t.Fatal(err) 1217 } 1218 1219 err = mapstructure.Decode(resp.Data, &actualStruct) 1220 if err != nil { 1221 t.Fatal(err) 1222 } 1223 1224 if !reflect.DeepEqual(expectedStruct, actualStruct) { 1225 t.Fatalf("bad:\nexpected:%#v\nactual:%#v\n", expectedStruct, actualStruct) 1226 } 1227 1228 // RU for role_id field 1229 roleReq.Path = "role/role1/role-id" 1230 roleReq.Operation = logical.ReadOperation 1231 resp, err = b.HandleRequest(context.Background(), roleReq) 1232 if err != nil || (resp != nil && resp.IsError()) { 1233 t.Fatalf("err:%v resp:%#v", err, resp) 1234 } 1235 if resp.Data["role_id"].(string) != "test_role_id" { 1236 t.Fatalf("bad: role_id: expected:test_role_id actual:%s\n", resp.Data["role_id"].(string)) 1237 } 1238 1239 roleReq.Data = map[string]interface{}{"role_id": "custom_role_id"} 1240 roleReq.Operation = logical.UpdateOperation 1241 resp, err = b.HandleRequest(context.Background(), roleReq) 1242 if err != nil || (resp != nil && resp.IsError()) { 1243 t.Fatalf("err:%v resp:%#v", err, resp) 1244 } 1245 1246 roleReq.Operation = logical.ReadOperation 1247 resp, err = b.HandleRequest(context.Background(), roleReq) 1248 if err != nil || (resp != nil && resp.IsError()) { 1249 t.Fatalf("err:%v resp:%#v", err, resp) 1250 } 1251 if resp.Data["role_id"].(string) != "custom_role_id" { 1252 t.Fatalf("bad: role_id: expected:custom_role_id actual:%s\n", resp.Data["role_id"].(string)) 1253 } 1254 1255 // RUD for bind_secret_id field 1256 roleReq.Path = "role/role1/bind-secret-id" 1257 roleReq.Operation = logical.ReadOperation 1258 resp, err = b.HandleRequest(context.Background(), roleReq) 1259 if err != nil || (resp != nil && resp.IsError()) { 1260 t.Fatalf("err:%v resp:%#v", err, resp) 1261 } 1262 1263 roleReq.Data = map[string]interface{}{"bind_secret_id": false} 1264 roleReq.Operation = logical.UpdateOperation 1265 resp, err = b.HandleRequest(context.Background(), roleReq) 1266 if err != nil || (resp != nil && resp.IsError()) { 1267 t.Fatalf("err:%v resp:%#v", err, resp) 1268 } 1269 1270 roleReq.Operation = logical.ReadOperation 1271 resp, err = b.HandleRequest(context.Background(), roleReq) 1272 if err != nil || (resp != nil && resp.IsError()) { 1273 t.Fatalf("err:%v resp:%#v", err, resp) 1274 } 1275 1276 if resp.Data["bind_secret_id"].(bool) { 1277 t.Fatalf("bad: bind_secret_id: expected:false actual:%t\n", resp.Data["bind_secret_id"].(bool)) 1278 } 1279 roleReq.Operation = logical.DeleteOperation 1280 resp, err = b.HandleRequest(context.Background(), roleReq) 1281 if err != nil || (resp != nil && resp.IsError()) { 1282 t.Fatalf("err:%v resp:%#v", err, resp) 1283 } 1284 1285 roleReq.Operation = logical.ReadOperation 1286 resp, err = b.HandleRequest(context.Background(), roleReq) 1287 if err != nil || (resp != nil && resp.IsError()) { 1288 t.Fatalf("err:%v resp:%#v", err, resp) 1289 } 1290 1291 if !resp.Data["bind_secret_id"].(bool) { 1292 t.Fatalf("expected the default value of 'true' to be set") 1293 } 1294 1295 // RUD for policies field 1296 roleReq.Path = "role/role1/policies" 1297 roleReq.Operation = logical.ReadOperation 1298 resp, err = b.HandleRequest(context.Background(), roleReq) 1299 if err != nil || (resp != nil && resp.IsError()) { 1300 t.Fatalf("err:%v resp:%#v", err, resp) 1301 } 1302 1303 roleReq.Data = map[string]interface{}{"policies": "a1,b1,c1,d1"} 1304 roleReq.Operation = logical.UpdateOperation 1305 resp, err = b.HandleRequest(context.Background(), roleReq) 1306 if err != nil || (resp != nil && resp.IsError()) { 1307 t.Fatalf("err:%v resp:%#v", err, resp) 1308 } 1309 1310 roleReq.Operation = logical.ReadOperation 1311 resp, err = b.HandleRequest(context.Background(), roleReq) 1312 if err != nil || (resp != nil && resp.IsError()) { 1313 t.Fatalf("err:%v resp:%#v", err, resp) 1314 } 1315 1316 if !reflect.DeepEqual(resp.Data["policies"].([]string), []string{"a1", "b1", "c1", "d1"}) { 1317 t.Fatalf("bad: policies: actual:%s\n", resp.Data["policies"].([]string)) 1318 } 1319 if !reflect.DeepEqual(resp.Data["token_policies"].([]string), []string{"a1", "b1", "c1", "d1"}) { 1320 t.Fatalf("bad: policies: actual:%s\n", resp.Data["policies"].([]string)) 1321 } 1322 roleReq.Operation = logical.DeleteOperation 1323 resp, err = b.HandleRequest(context.Background(), roleReq) 1324 if err != nil || (resp != nil && resp.IsError()) { 1325 t.Fatalf("err:%v resp:%#v", err, resp) 1326 } 1327 1328 roleReq.Operation = logical.ReadOperation 1329 resp, err = b.HandleRequest(context.Background(), roleReq) 1330 if err != nil || (resp != nil && resp.IsError()) { 1331 t.Fatalf("err:%v resp:%#v", err, resp) 1332 } 1333 1334 expectedPolicies := []string{} 1335 actualPolicies := resp.Data["token_policies"].([]string) 1336 if !policyutil.EquivalentPolicies(expectedPolicies, actualPolicies) { 1337 t.Fatalf("bad: token_policies: expected:%s actual:%s", expectedPolicies, actualPolicies) 1338 } 1339 1340 // RUD for secret-id-num-uses field 1341 roleReq.Path = "role/role1/secret-id-num-uses" 1342 roleReq.Operation = logical.ReadOperation 1343 resp, err = b.HandleRequest(context.Background(), roleReq) 1344 if err != nil || (resp != nil && resp.IsError()) { 1345 t.Fatalf("err:%v resp:%#v", err, resp) 1346 } 1347 1348 roleReq.Data = map[string]interface{}{"secret_id_num_uses": 200} 1349 roleReq.Operation = logical.UpdateOperation 1350 resp, err = b.HandleRequest(context.Background(), roleReq) 1351 if err != nil || (resp != nil && resp.IsError()) { 1352 t.Fatalf("err:%v resp:%#v", err, resp) 1353 } 1354 1355 roleReq.Operation = logical.ReadOperation 1356 resp, err = b.HandleRequest(context.Background(), roleReq) 1357 if err != nil || (resp != nil && resp.IsError()) { 1358 t.Fatalf("err:%v resp:%#v", err, resp) 1359 } 1360 1361 if resp.Data["secret_id_num_uses"].(int) != 200 { 1362 t.Fatalf("bad: secret_id_num_uses: expected:200 actual:%d\n", resp.Data["secret_id_num_uses"].(int)) 1363 } 1364 roleReq.Operation = logical.DeleteOperation 1365 resp, err = b.HandleRequest(context.Background(), roleReq) 1366 if err != nil || (resp != nil && resp.IsError()) { 1367 t.Fatalf("err:%v resp:%#v", err, resp) 1368 } 1369 1370 roleReq.Operation = logical.ReadOperation 1371 resp, err = b.HandleRequest(context.Background(), roleReq) 1372 if err != nil || (resp != nil && resp.IsError()) { 1373 t.Fatalf("err:%v resp:%#v", err, resp) 1374 } 1375 1376 if resp.Data["secret_id_num_uses"].(int) != 0 { 1377 t.Fatalf("expected value to be reset") 1378 } 1379 1380 // RUD for secret_id_ttl field 1381 roleReq.Path = "role/role1/secret-id-ttl" 1382 roleReq.Operation = logical.ReadOperation 1383 resp, err = b.HandleRequest(context.Background(), roleReq) 1384 if err != nil || (resp != nil && resp.IsError()) { 1385 t.Fatalf("err:%v resp:%#v", err, resp) 1386 } 1387 1388 roleReq.Data = map[string]interface{}{"secret_id_ttl": 3001} 1389 roleReq.Operation = logical.UpdateOperation 1390 resp, err = b.HandleRequest(context.Background(), roleReq) 1391 if err != nil || (resp != nil && resp.IsError()) { 1392 t.Fatalf("err:%v resp:%#v", err, resp) 1393 } 1394 1395 roleReq.Operation = logical.ReadOperation 1396 resp, err = b.HandleRequest(context.Background(), roleReq) 1397 if err != nil || (resp != nil && resp.IsError()) { 1398 t.Fatalf("err:%v resp:%#v", err, resp) 1399 } 1400 1401 if resp.Data["secret_id_ttl"].(time.Duration) != 3001 { 1402 t.Fatalf("bad: secret_id_ttl: expected:3001 actual:%d\n", resp.Data["secret_id_ttl"].(time.Duration)) 1403 } 1404 roleReq.Operation = logical.DeleteOperation 1405 resp, err = b.HandleRequest(context.Background(), roleReq) 1406 if err != nil || (resp != nil && resp.IsError()) { 1407 t.Fatalf("err:%v resp:%#v", err, resp) 1408 } 1409 1410 roleReq.Operation = logical.ReadOperation 1411 resp, err = b.HandleRequest(context.Background(), roleReq) 1412 if err != nil || (resp != nil && resp.IsError()) { 1413 t.Fatalf("err:%v resp:%#v", err, resp) 1414 } 1415 1416 if resp.Data["secret_id_ttl"].(time.Duration) != 0 { 1417 t.Fatalf("expected value to be reset") 1418 } 1419 1420 // RUD for secret-id-num-uses field 1421 roleReq.Path = "role/role1/token-num-uses" 1422 roleReq.Operation = logical.ReadOperation 1423 resp, err = b.HandleRequest(context.Background(), roleReq) 1424 if err != nil || (resp != nil && resp.IsError()) { 1425 t.Fatalf("err:%v resp:%#v", err, resp) 1426 } 1427 if resp.Data["token_num_uses"].(int) != 600 { 1428 t.Fatalf("bad: token_num_uses: expected:600 actual:%d\n", resp.Data["token_num_uses"].(int)) 1429 } 1430 1431 roleReq.Data = map[string]interface{}{"token_num_uses": 60} 1432 roleReq.Operation = logical.UpdateOperation 1433 resp, err = b.HandleRequest(context.Background(), roleReq) 1434 if err != nil || (resp != nil && resp.IsError()) { 1435 t.Fatalf("err:%v resp:%#v", err, resp) 1436 } 1437 1438 roleReq.Operation = logical.ReadOperation 1439 resp, err = b.HandleRequest(context.Background(), roleReq) 1440 if err != nil || (resp != nil && resp.IsError()) { 1441 t.Fatalf("err:%v resp:%#v", err, resp) 1442 } 1443 1444 if resp.Data["token_num_uses"].(int) != 60 { 1445 t.Fatalf("bad: token_num_uses: expected:60 actual:%d\n", resp.Data["token_num_uses"].(int)) 1446 } 1447 1448 roleReq.Operation = logical.DeleteOperation 1449 resp, err = b.HandleRequest(context.Background(), roleReq) 1450 if err != nil || (resp != nil && resp.IsError()) { 1451 t.Fatalf("err:%v resp:%#v", err, resp) 1452 } 1453 1454 roleReq.Operation = logical.ReadOperation 1455 resp, err = b.HandleRequest(context.Background(), roleReq) 1456 if err != nil || (resp != nil && resp.IsError()) { 1457 t.Fatalf("err:%v resp:%#v", err, resp) 1458 } 1459 1460 if resp.Data["token_num_uses"].(int) != 0 { 1461 t.Fatalf("expected value to be reset") 1462 } 1463 1464 // RUD for 'period' field 1465 roleReq.Path = "role/role1/period" 1466 roleReq.Operation = logical.ReadOperation 1467 resp, err = b.HandleRequest(context.Background(), roleReq) 1468 if err != nil || (resp != nil && resp.IsError()) { 1469 t.Fatalf("err:%v resp:%#v", err, resp) 1470 } 1471 1472 roleReq.Data = map[string]interface{}{"period": 9001} 1473 roleReq.Operation = logical.UpdateOperation 1474 resp, err = b.HandleRequest(context.Background(), roleReq) 1475 if err != nil || (resp != nil && resp.IsError()) { 1476 t.Fatalf("err:%v resp:%#v", err, resp) 1477 } 1478 1479 roleReq.Operation = logical.ReadOperation 1480 resp, err = b.HandleRequest(context.Background(), roleReq) 1481 if err != nil || (resp != nil && resp.IsError()) { 1482 t.Fatalf("err:%v resp:%#v", err, resp) 1483 } 1484 1485 if resp.Data["period"].(time.Duration) != 9001 { 1486 t.Fatalf("bad: period: expected:9001 actual:%d\n", resp.Data["9001"].(time.Duration)) 1487 } 1488 roleReq.Operation = logical.DeleteOperation 1489 resp, err = b.HandleRequest(context.Background(), roleReq) 1490 if err != nil || (resp != nil && resp.IsError()) { 1491 t.Fatalf("err:%v resp:%#v", err, resp) 1492 } 1493 1494 roleReq.Operation = logical.ReadOperation 1495 resp, err = b.HandleRequest(context.Background(), roleReq) 1496 if err != nil || (resp != nil && resp.IsError()) { 1497 t.Fatalf("err:%v resp:%#v", err, resp) 1498 } 1499 1500 if resp.Data["token_period"].(time.Duration) != 0 { 1501 t.Fatalf("expected value to be reset") 1502 } 1503 1504 // RUD for token_ttl field 1505 roleReq.Path = "role/role1/token-ttl" 1506 roleReq.Operation = logical.ReadOperation 1507 resp, err = b.HandleRequest(context.Background(), roleReq) 1508 if err != nil || (resp != nil && resp.IsError()) { 1509 t.Fatalf("err:%v resp:%#v", err, resp) 1510 } 1511 1512 roleReq.Data = map[string]interface{}{"token_ttl": 4001} 1513 roleReq.Operation = logical.UpdateOperation 1514 resp, err = b.HandleRequest(context.Background(), roleReq) 1515 if err != nil || (resp != nil && resp.IsError()) { 1516 t.Fatalf("err:%v resp:%#v", err, resp) 1517 } 1518 1519 roleReq.Operation = logical.ReadOperation 1520 resp, err = b.HandleRequest(context.Background(), roleReq) 1521 if err != nil || (resp != nil && resp.IsError()) { 1522 t.Fatalf("err:%v resp:%#v", err, resp) 1523 } 1524 1525 if resp.Data["token_ttl"].(time.Duration) != 4001 { 1526 t.Fatalf("bad: token_ttl: expected:4001 actual:%d\n", resp.Data["token_ttl"].(time.Duration)) 1527 } 1528 roleReq.Operation = logical.DeleteOperation 1529 resp, err = b.HandleRequest(context.Background(), roleReq) 1530 if err != nil || (resp != nil && resp.IsError()) { 1531 t.Fatalf("err:%v resp:%#v", err, resp) 1532 } 1533 1534 roleReq.Operation = logical.ReadOperation 1535 resp, err = b.HandleRequest(context.Background(), roleReq) 1536 if err != nil || (resp != nil && resp.IsError()) { 1537 t.Fatalf("err:%v resp:%#v", err, resp) 1538 } 1539 1540 if resp.Data["token_ttl"].(time.Duration) != 0 { 1541 t.Fatalf("expected value to be reset") 1542 } 1543 1544 // RUD for token_max_ttl field 1545 roleReq.Path = "role/role1/token-max-ttl" 1546 roleReq.Operation = logical.ReadOperation 1547 resp, err = b.HandleRequest(context.Background(), roleReq) 1548 if err != nil || (resp != nil && resp.IsError()) { 1549 t.Fatalf("err:%v resp:%#v", err, resp) 1550 } 1551 1552 roleReq.Data = map[string]interface{}{"token_max_ttl": 5001} 1553 roleReq.Operation = logical.UpdateOperation 1554 resp, err = b.HandleRequest(context.Background(), roleReq) 1555 if err != nil || (resp != nil && resp.IsError()) { 1556 t.Fatalf("err:%v resp:%#v", err, resp) 1557 } 1558 1559 roleReq.Operation = logical.ReadOperation 1560 resp, err = b.HandleRequest(context.Background(), roleReq) 1561 if err != nil || (resp != nil && resp.IsError()) { 1562 t.Fatalf("err:%v resp:%#v", err, resp) 1563 } 1564 1565 if resp.Data["token_max_ttl"].(time.Duration) != 5001 { 1566 t.Fatalf("bad: token_max_ttl: expected:5001 actual:%d\n", resp.Data["token_max_ttl"].(time.Duration)) 1567 } 1568 roleReq.Operation = logical.DeleteOperation 1569 resp, err = b.HandleRequest(context.Background(), roleReq) 1570 if err != nil || (resp != nil && resp.IsError()) { 1571 t.Fatalf("err:%v resp:%#v", err, resp) 1572 } 1573 1574 roleReq.Operation = logical.ReadOperation 1575 resp, err = b.HandleRequest(context.Background(), roleReq) 1576 if err != nil || (resp != nil && resp.IsError()) { 1577 t.Fatalf("err:%v resp:%#v", err, resp) 1578 } 1579 1580 if resp.Data["token_max_ttl"].(time.Duration) != 0 { 1581 t.Fatalf("expected value to be reset") 1582 } 1583 1584 // Delete test for role 1585 roleReq.Path = "role/role1" 1586 roleReq.Operation = logical.DeleteOperation 1587 resp, err = b.HandleRequest(context.Background(), roleReq) 1588 if err != nil || (resp != nil && resp.IsError()) { 1589 t.Fatalf("err:%v resp:%#v", err, resp) 1590 } 1591 1592 roleReq.Operation = logical.ReadOperation 1593 resp, err = b.HandleRequest(context.Background(), roleReq) 1594 if err != nil || (resp != nil && resp.IsError()) { 1595 t.Fatalf("err:%v resp:%#v", err, resp) 1596 } 1597 1598 if resp != nil { 1599 t.Fatalf("expected a nil response") 1600 } 1601} 1602 1603func TestAppRole_RoleWithTokenBoundCIDRsCRUD(t *testing.T) { 1604 var resp *logical.Response 1605 var err error 1606 b, storage := createBackendWithStorage(t) 1607 1608 roleData := map[string]interface{}{ 1609 "policies": "p,q,r,s", 1610 "secret_id_num_uses": 10, 1611 "secret_id_ttl": 300, 1612 "token_ttl": 400, 1613 "token_max_ttl": 500, 1614 "token_num_uses": 600, 1615 "secret_id_bound_cidrs": "127.0.0.1/32,127.0.0.1/16", 1616 "token_bound_cidrs": "127.0.0.1/32,127.0.0.1/16", 1617 } 1618 roleReq := &logical.Request{ 1619 Operation: logical.CreateOperation, 1620 Path: "role/role1", 1621 Storage: storage, 1622 Data: roleData, 1623 } 1624 1625 resp, err = b.HandleRequest(context.Background(), roleReq) 1626 if err != nil || (resp != nil && resp.IsError()) { 1627 t.Fatalf("err:%v resp:%#v", err, resp) 1628 } 1629 1630 roleReq.Operation = logical.ReadOperation 1631 resp, err = b.HandleRequest(context.Background(), roleReq) 1632 if err != nil || (resp != nil && resp.IsError()) { 1633 t.Fatalf("err:%v resp:%#v", err, resp) 1634 } 1635 1636 expected := map[string]interface{}{ 1637 "bind_secret_id": true, 1638 "policies": []string{"p", "q", "r", "s"}, 1639 "secret_id_num_uses": 10, 1640 "secret_id_ttl": 300, 1641 "token_ttl": 400, 1642 "token_max_ttl": 500, 1643 "token_num_uses": 600, 1644 "token_bound_cidrs": []string{"127.0.0.1/32", "127.0.0.1/16"}, 1645 "secret_id_bound_cidrs": []string{"127.0.0.1/32", "127.0.0.1/16"}, 1646 "token_type": "default", 1647 } 1648 1649 var expectedStruct roleStorageEntry 1650 err = mapstructure.Decode(expected, &expectedStruct) 1651 if err != nil { 1652 t.Fatal(err) 1653 } 1654 1655 var actualStruct roleStorageEntry 1656 err = mapstructure.Decode(resp.Data, &actualStruct) 1657 if err != nil { 1658 t.Fatal(err) 1659 } 1660 1661 expectedStruct.RoleID = actualStruct.RoleID 1662 if !reflect.DeepEqual(expectedStruct, actualStruct) { 1663 t.Fatalf("bad:\nexpected:%#v\nactual:%#v\n", expectedStruct, actualStruct) 1664 } 1665 1666 roleData = map[string]interface{}{ 1667 "role_id": "test_role_id", 1668 "policies": "a,b,c,d", 1669 "secret_id_num_uses": 100, 1670 "secret_id_ttl": 3000, 1671 "token_ttl": 4000, 1672 "token_max_ttl": 5000, 1673 } 1674 roleReq.Data = roleData 1675 roleReq.Operation = logical.UpdateOperation 1676 1677 resp, err = b.HandleRequest(context.Background(), roleReq) 1678 if err != nil || (resp != nil && resp.IsError()) { 1679 t.Fatalf("err:%v resp:%#v", err, resp) 1680 } 1681 1682 roleReq.Operation = logical.ReadOperation 1683 resp, err = b.HandleRequest(context.Background(), roleReq) 1684 if err != nil || (resp != nil && resp.IsError()) { 1685 t.Fatalf("err:%v resp:%#v", err, resp) 1686 } 1687 1688 expected = map[string]interface{}{ 1689 "policies": []string{"a", "b", "c", "d"}, 1690 "secret_id_num_uses": 100, 1691 "secret_id_ttl": 3000, 1692 "token_ttl": 4000, 1693 "token_max_ttl": 5000, 1694 } 1695 err = mapstructure.Decode(expected, &expectedStruct) 1696 if err != nil { 1697 t.Fatal(err) 1698 } 1699 1700 err = mapstructure.Decode(resp.Data, &actualStruct) 1701 if err != nil { 1702 t.Fatal(err) 1703 } 1704 1705 if !reflect.DeepEqual(expectedStruct, actualStruct) { 1706 t.Fatalf("bad:\nexpected:%#v\nactual:%#v\n", expectedStruct, actualStruct) 1707 } 1708 1709 // RUD for secret-id-bound-cidrs field 1710 roleReq.Path = "role/role1/secret-id-bound-cidrs" 1711 roleReq.Operation = logical.ReadOperation 1712 resp, err = b.HandleRequest(context.Background(), roleReq) 1713 if err != nil || (resp != nil && resp.IsError()) { 1714 t.Fatalf("err:%v resp:%#v", err, resp) 1715 } 1716 if resp.Data["secret_id_bound_cidrs"].([]string)[0] != "127.0.0.1/32" || 1717 resp.Data["secret_id_bound_cidrs"].([]string)[1] != "127.0.0.1/16" { 1718 t.Fatalf("bad: secret_id_bound_cidrs: expected:127.0.0.1/32,127.0.0.1/16 actual:%d\n", resp.Data["secret_id_bound_cidrs"].(int)) 1719 } 1720 1721 roleReq.Data = map[string]interface{}{"secret_id_bound_cidrs": []string{"127.0.0.1/20"}} 1722 roleReq.Operation = logical.UpdateOperation 1723 resp, err = b.HandleRequest(context.Background(), roleReq) 1724 if err != nil || (resp != nil && resp.IsError()) { 1725 t.Fatalf("err:%v resp:%#v", err, resp) 1726 } 1727 1728 roleReq.Operation = logical.ReadOperation 1729 resp, err = b.HandleRequest(context.Background(), roleReq) 1730 if err != nil || (resp != nil && resp.IsError()) { 1731 t.Fatalf("err:%v resp:%#v", err, resp) 1732 } 1733 1734 if resp.Data["secret_id_bound_cidrs"].([]string)[0] != "127.0.0.1/20" { 1735 t.Fatalf("bad: secret_id_bound_cidrs: expected:127.0.0.1/20 actual:%s\n", resp.Data["secret_id_bound_cidrs"].([]string)[0]) 1736 } 1737 1738 roleReq.Operation = logical.DeleteOperation 1739 resp, err = b.HandleRequest(context.Background(), roleReq) 1740 if err != nil || (resp != nil && resp.IsError()) { 1741 t.Fatalf("err:%v resp:%#v", err, resp) 1742 } 1743 1744 roleReq.Operation = logical.ReadOperation 1745 resp, err = b.HandleRequest(context.Background(), roleReq) 1746 if err != nil || (resp != nil && resp.IsError()) { 1747 t.Fatalf("err:%v resp:%#v", err, resp) 1748 } 1749 1750 if len(resp.Data["secret_id_bound_cidrs"].([]string)) != 0 { 1751 t.Fatalf("expected value to be reset") 1752 } 1753 1754 // RUD for token-bound-cidrs field 1755 roleReq.Path = "role/role1/token-bound-cidrs" 1756 roleReq.Operation = logical.ReadOperation 1757 resp, err = b.HandleRequest(context.Background(), roleReq) 1758 if err != nil || (resp != nil && resp.IsError()) { 1759 t.Fatalf("err:%v resp:%#v", err, resp) 1760 } 1761 if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" || 1762 resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[1].String() != "127.0.0.1/16" { 1763 m, err := json.Marshal(resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)) 1764 if err != nil { 1765 t.Fatal(err) 1766 } 1767 t.Fatalf("bad: token_bound_cidrs: expected:127.0.0.1/32,127.0.0.1/16 actual:%s\n", string(m)) 1768 } 1769 1770 roleReq.Data = map[string]interface{}{"token_bound_cidrs": []string{"127.0.0.1/20"}} 1771 roleReq.Operation = logical.UpdateOperation 1772 resp, err = b.HandleRequest(context.Background(), roleReq) 1773 if err != nil || (resp != nil && resp.IsError()) { 1774 t.Fatalf("err:%v resp:%#v", err, resp) 1775 } 1776 1777 roleReq.Operation = logical.ReadOperation 1778 resp, err = b.HandleRequest(context.Background(), roleReq) 1779 if err != nil || (resp != nil && resp.IsError()) { 1780 t.Fatalf("err:%v resp:%#v", err, resp) 1781 } 1782 1783 if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1/20" { 1784 t.Fatalf("bad: token_bound_cidrs: expected:127.0.0.1/20 actual:%s\n", resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0]) 1785 } 1786 1787 roleReq.Operation = logical.DeleteOperation 1788 resp, err = b.HandleRequest(context.Background(), roleReq) 1789 if err != nil || (resp != nil && resp.IsError()) { 1790 t.Fatalf("err:%v resp:%#v", err, resp) 1791 } 1792 1793 roleReq.Operation = logical.ReadOperation 1794 resp, err = b.HandleRequest(context.Background(), roleReq) 1795 if err != nil || (resp != nil && resp.IsError()) { 1796 t.Fatalf("err:%v resp:%#v", err, resp) 1797 } 1798 1799 if len(resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)) != 0 { 1800 t.Fatalf("expected value to be reset") 1801 } 1802 1803 // Delete test for role 1804 roleReq.Path = "role/role1" 1805 roleReq.Operation = logical.DeleteOperation 1806 resp, err = b.HandleRequest(context.Background(), roleReq) 1807 if err != nil || (resp != nil && resp.IsError()) { 1808 t.Fatalf("err:%v resp:%#v", err, resp) 1809 } 1810 1811 roleReq.Operation = logical.ReadOperation 1812 resp, err = b.HandleRequest(context.Background(), roleReq) 1813 if err != nil || (resp != nil && resp.IsError()) { 1814 t.Fatalf("err:%v resp:%#v", err, resp) 1815 } 1816 1817 if resp != nil { 1818 t.Fatalf("expected a nil response") 1819 } 1820} 1821 1822func createRole(t *testing.T, b *backend, s logical.Storage, roleName, policies string) { 1823 roleData := map[string]interface{}{ 1824 "policies": policies, 1825 "secret_id_num_uses": 10, 1826 "secret_id_ttl": 300, 1827 "token_ttl": 400, 1828 "token_max_ttl": 500, 1829 } 1830 roleReq := &logical.Request{ 1831 Operation: logical.CreateOperation, 1832 Path: "role/" + roleName, 1833 Storage: s, 1834 Data: roleData, 1835 } 1836 1837 resp, err := b.HandleRequest(context.Background(), roleReq) 1838 if err != nil || (resp != nil && resp.IsError()) { 1839 t.Fatalf("err:%v resp:%#v", err, resp) 1840 } 1841} 1842 1843// TestAppRole_TokenutilUpgrade ensures that when we read values out that are 1844// values with upgrade logic we see the correct struct entries populated 1845func TestAppRole_TokenutilUpgrade(t *testing.T) { 1846 s := &logical.InmemStorage{} 1847 1848 config := logical.TestBackendConfig() 1849 config.StorageView = s 1850 1851 ctx := context.Background() 1852 1853 b, err := Backend(config) 1854 if err != nil { 1855 t.Fatal(err) 1856 } 1857 if b == nil { 1858 t.Fatalf("failed to create backend") 1859 } 1860 if err := b.Setup(ctx, config); err != nil { 1861 t.Fatal(err) 1862 } 1863 1864 // Hand craft JSON because there is overlap between fields 1865 if err := s.Put(ctx, &logical.StorageEntry{ 1866 Key: "role/foo", 1867 Value: []byte(`{"policies": ["foo"], "period": 300000000000, "token_bound_cidrs": ["127.0.0.1", "10.10.10.10/24"]}`), 1868 }); err != nil { 1869 t.Fatal(err) 1870 } 1871 1872 fooEntry, err := b.roleEntry(ctx, s, "foo") 1873 if err != nil { 1874 t.Fatal(err) 1875 } 1876 1877 exp := &roleStorageEntry{ 1878 SecretIDPrefix: "secret_id/", 1879 Policies: []string{"foo"}, 1880 Period: 300 * time.Second, 1881 TokenParams: tokenutil.TokenParams{ 1882 TokenPolicies: []string{"foo"}, 1883 TokenPeriod: 300 * time.Second, 1884 TokenBoundCIDRs: []*sockaddr.SockAddrMarshaler{&sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("127.0.0.1")}, &sockaddr.SockAddrMarshaler{SockAddr: sockaddr.MustIPAddr("10.10.10.10/24")}}, 1885 }, 1886 } 1887 if diff := deep.Equal(fooEntry, exp); diff != nil { 1888 t.Fatal(diff) 1889 } 1890} 1891