| // Copyright (c) HashiCorp, Inc. |
| // SPDX-License-Identifier: MPL-2.0 |
| |
| package command |
| |
| import ( |
| "io/ioutil" |
| "strings" |
| "testing" |
| |
| "github.com/go-test/deep" |
| "github.com/hashicorp/vault/helper/builtinplugins" |
| "github.com/hashicorp/vault/sdk/helper/consts" |
| "github.com/mitchellh/cli" |
| ) |
| |
| func testAuthEnableCommand(tb testing.TB) (*cli.MockUi, *AuthEnableCommand) { |
| tb.Helper() |
| |
| ui := cli.NewMockUi() |
| return ui, &AuthEnableCommand{ |
| BaseCommand: &BaseCommand{ |
| UI: ui, |
| }, |
| } |
| } |
| |
| func TestAuthEnableCommand_Run(t *testing.T) { |
| t.Parallel() |
| |
| cases := []struct { |
| name string |
| args []string |
| out string |
| code int |
| }{ |
| { |
| "not_enough_args", |
| nil, |
| "Not enough arguments", |
| 1, |
| }, |
| { |
| "too_many_args", |
| []string{"foo", "bar"}, |
| "Too many arguments", |
| 1, |
| }, |
| { |
| "not_a_valid_auth", |
| []string{"nope_definitely_not_a_valid_mount_like_ever"}, |
| "", |
| 2, |
| }, |
| } |
| |
| for _, tc := range cases { |
| tc := tc |
| |
| t.Run(tc.name, func(t *testing.T) { |
| t.Parallel() |
| |
| client, closer := testVaultServer(t) |
| defer closer() |
| |
| ui, cmd := testAuthEnableCommand(t) |
| cmd.client = client |
| |
| code := cmd.Run(tc.args) |
| if code != tc.code { |
| t.Errorf("expected command return code to be %d, got %d", tc.code, code) |
| } |
| |
| combined := ui.OutputWriter.String() + ui.ErrorWriter.String() |
| if !strings.Contains(combined, tc.out) { |
| t.Errorf("expected %q in response\n got: %+v", tc.out, combined) |
| } |
| }) |
| } |
| |
| t.Run("integration", func(t *testing.T) { |
| t.Parallel() |
| |
| client, closer := testVaultServer(t) |
| defer closer() |
| |
| ui, cmd := testAuthEnableCommand(t) |
| cmd.client = client |
| |
| code := cmd.Run([]string{ |
| "-path", "auth_integration/", |
| "-description", "The best kind of test", |
| "-audit-non-hmac-request-keys", "foo,bar", |
| "-audit-non-hmac-response-keys", "foo,bar", |
| "-passthrough-request-headers", "authorization,authentication", |
| "-passthrough-request-headers", "www-authentication", |
| "-allowed-response-headers", "authorization", |
| "-listing-visibility", "unauth", |
| "userpass", |
| }) |
| if exp := 0; code != exp { |
| t.Errorf("expected %d to be %d", code, exp) |
| } |
| |
| expected := "Success! Enabled userpass auth method at:" |
| combined := ui.OutputWriter.String() + ui.ErrorWriter.String() |
| if !strings.Contains(combined, expected) { |
| t.Errorf("expected %q to contain %q", combined, expected) |
| } |
| |
| auths, err := client.Sys().ListAuth() |
| if err != nil { |
| t.Fatal(err) |
| } |
| |
| authInfo, ok := auths["auth_integration/"] |
| if !ok { |
| t.Fatalf("expected mount to exist") |
| } |
| if exp := "userpass"; authInfo.Type != exp { |
| t.Errorf("expected %q to be %q", authInfo.Type, exp) |
| } |
| if exp := "The best kind of test"; authInfo.Description != exp { |
| t.Errorf("expected %q to be %q", authInfo.Description, exp) |
| } |
| if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, authInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { |
| t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff) |
| } |
| if diff := deep.Equal([]string{"authorization"}, authInfo.Config.AllowedResponseHeaders); len(diff) > 0 { |
| t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff) |
| } |
| if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { |
| t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff) |
| } |
| if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { |
| t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) |
| } |
| }) |
| |
| t.Run("communication_failure", func(t *testing.T) { |
| t.Parallel() |
| |
| client, closer := testVaultServerBad(t) |
| defer closer() |
| |
| ui, cmd := testAuthEnableCommand(t) |
| cmd.client = client |
| |
| code := cmd.Run([]string{ |
| "userpass", |
| }) |
| if exp := 2; code != exp { |
| t.Errorf("expected %d to be %d", code, exp) |
| } |
| |
| expected := "Error enabling userpass auth: " |
| combined := ui.OutputWriter.String() + ui.ErrorWriter.String() |
| if !strings.Contains(combined, expected) { |
| t.Errorf("expected %q to contain %q", combined, expected) |
| } |
| }) |
| |
| t.Run("no_tabs", func(t *testing.T) { |
| t.Parallel() |
| |
| _, cmd := testAuthEnableCommand(t) |
| assertNoTabs(t, cmd) |
| }) |
| |
| t.Run("mount_all", func(t *testing.T) { |
| t.Parallel() |
| |
| client, closer := testVaultServerAllBackends(t) |
| defer closer() |
| |
| files, err := ioutil.ReadDir("../builtin/credential") |
| if err != nil { |
| t.Fatal(err) |
| } |
| |
| var backends []string |
| for _, f := range files { |
| if f.IsDir() { |
| backends = append(backends, f.Name()) |
| } |
| } |
| |
| modFile, err := ioutil.ReadFile("../go.mod") |
| if err != nil { |
| t.Fatal(err) |
| } |
| modLines := strings.Split(string(modFile), "\n") |
| for _, p := range modLines { |
| splitLine := strings.Split(strings.TrimSpace(p), " ") |
| if len(splitLine) == 0 { |
| continue |
| } |
| potPlug := strings.TrimPrefix(splitLine[0], "github.com/hashicorp/") |
| if strings.HasPrefix(potPlug, "vault-plugin-auth-") { |
| backends = append(backends, strings.TrimPrefix(potPlug, "vault-plugin-auth-")) |
| } |
| } |
| // Since "pcf" plugin in the Vault registry is also pointed at the "vault-plugin-auth-cf" |
| // repository, we need to manually append it here so it'll tie out with our expected number |
| // of credential backends. |
| backends = append(backends, "pcf") |
| |
| // Add 1 to account for the "token" backend, which is visible when you walk the filesystem but |
| // is treated as special and excluded from the registry. |
| // Subtract 1 to account for "oidc" which is an alias of "jwt" and not a separate plugin. |
| expected := len(builtinplugins.Registry.Keys(consts.PluginTypeCredential)) |
| if len(backends) != expected { |
| t.Fatalf("expected %d credential backends, got %d", expected, len(backends)) |
| } |
| |
| for _, b := range backends { |
| var expectedResult int = 0 |
| |
| // Not a builtin |
| if b == "token" { |
| continue |
| } |
| |
| ui, cmd := testAuthEnableCommand(t) |
| cmd.client = client |
| |
| actualResult := cmd.Run([]string{ |
| b, |
| }) |
| |
| // Need to handle deprecated builtins specially |
| status, _ := builtinplugins.Registry.DeprecationStatus(b, consts.PluginTypeCredential) |
| if status == consts.PendingRemoval || status == consts.Removed { |
| expectedResult = 2 |
| } |
| |
| if actualResult != expectedResult { |
| t.Errorf("type: %s - got: %d, expected: %d - %s", b, actualResult, expectedResult, ui.OutputWriter.String()+ui.ErrorWriter.String()) |
| } |
| } |
| }) |
| } |