| // Copyright (c) HashiCorp, Inc. |
| // SPDX-License-Identifier: MPL-2.0 |
| |
| package authmetadata |
| |
| import ( |
| "context" |
| "fmt" |
| "reflect" |
| "testing" |
| |
| "github.com/hashicorp/go-hclog" |
| "github.com/hashicorp/vault/sdk/framework" |
| "github.com/hashicorp/vault/sdk/logical" |
| ) |
| |
| type environment struct { |
| ctx context.Context |
| storage logical.Storage |
| backend logical.Backend |
| } |
| |
| func TestAcceptance(t *testing.T) { |
| ctx := context.Background() |
| storage := &logical.InmemStorage{} |
| b, err := backend(ctx, storage) |
| if err != nil { |
| t.Fatal(err) |
| } |
| env := &environment{ |
| ctx: ctx, |
| storage: storage, |
| backend: b, |
| } |
| t.Run("test initial fields are default", env.TestInitialFieldsAreDefault) |
| t.Run("test fields can be unset", env.TestAuthMetadataCanBeUnset) |
| t.Run("test defaults can be restored", env.TestDefaultCanBeReused) |
| t.Run("test default plus more cannot be selected", env.TestDefaultPlusMoreCannotBeSelected) |
| t.Run("test only non-defaults can be selected", env.TestOnlyNonDefaultsCanBeSelected) |
| t.Run("test bad field results in useful error", env.TestAddingBadField) |
| } |
| |
| func (e *environment) TestInitialFieldsAreDefault(t *testing.T) { |
| // On the first read of auth_metadata, when nothing has been touched, |
| // we should receive the default field(s) if a read is performed. |
| resp, err := e.backend.HandleRequest(e.ctx, &logical.Request{ |
| Operation: logical.ReadOperation, |
| Path: "config", |
| Storage: e.storage, |
| Connection: &logical.Connection{ |
| RemoteAddr: "http://foo.com", |
| }, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if resp == nil || resp.Data == nil { |
| t.Fatal("expected non-nil response") |
| } |
| if !reflect.DeepEqual(resp.Data[authMetadataFields.FieldName], []string{"role_name"}) { |
| t.Fatal("expected default field of role_name to be returned") |
| } |
| |
| // The auth should only have the default metadata. |
| resp, err = e.backend.HandleRequest(e.ctx, &logical.Request{ |
| Operation: logical.UpdateOperation, |
| Path: "login", |
| Storage: e.storage, |
| Connection: &logical.Connection{ |
| RemoteAddr: "http://foo.com", |
| }, |
| Data: map[string]interface{}{ |
| "role_name": "something", |
| }, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if resp == nil || resp.Auth == nil || resp.Auth.Alias == nil || resp.Auth.Alias.Metadata == nil { |
| t.Fatalf("expected alias metadata") |
| } |
| if len(resp.Auth.Alias.Metadata) != 1 { |
| t.Fatal("expected only 1 field") |
| } |
| if resp.Auth.Alias.Metadata["role_name"] != "something" { |
| t.Fatal("expected role_name to be something") |
| } |
| } |
| |
| func (e *environment) TestAuthMetadataCanBeUnset(t *testing.T) { |
| // We should be able to set the auth_metadata to empty by sending an |
| // explicitly empty array. |
| resp, err := e.backend.HandleRequest(e.ctx, &logical.Request{ |
| Operation: logical.UpdateOperation, |
| Path: "config", |
| Storage: e.storage, |
| Connection: &logical.Connection{ |
| RemoteAddr: "http://foo.com", |
| }, |
| Data: map[string]interface{}{ |
| authMetadataFields.FieldName: []string{}, |
| }, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if resp != nil { |
| t.Fatal("expected nil response") |
| } |
| |
| // Now we should receive no fields for auth_metadata. |
| resp, err = e.backend.HandleRequest(e.ctx, &logical.Request{ |
| Operation: logical.ReadOperation, |
| Path: "config", |
| Storage: e.storage, |
| Connection: &logical.Connection{ |
| RemoteAddr: "http://foo.com", |
| }, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if resp == nil || resp.Data == nil { |
| t.Fatal("expected non-nil response") |
| } |
| if !reflect.DeepEqual(resp.Data[authMetadataFields.FieldName], []string{}) { |
| t.Fatal("expected no fields to be returned") |
| } |
| |
| // The auth should have no metadata. |
| resp, err = e.backend.HandleRequest(e.ctx, &logical.Request{ |
| Operation: logical.UpdateOperation, |
| Path: "login", |
| Storage: e.storage, |
| Connection: &logical.Connection{ |
| RemoteAddr: "http://foo.com", |
| }, |
| Data: map[string]interface{}{ |
| "role_name": "something", |
| }, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if resp == nil || resp.Auth == nil || resp.Auth.Alias == nil || resp.Auth.Alias.Metadata == nil { |
| t.Fatal("expected alias metadata") |
| } |
| if len(resp.Auth.Alias.Metadata) != 0 { |
| t.Fatal("expected 0 fields") |
| } |
| } |
| |
| func (e *environment) TestDefaultCanBeReused(t *testing.T) { |
| // Now if we set it to "default", the default fields should |
| // be restored. |
| resp, err := e.backend.HandleRequest(e.ctx, &logical.Request{ |
| Operation: logical.UpdateOperation, |
| Path: "config", |
| Storage: e.storage, |
| Connection: &logical.Connection{ |
| RemoteAddr: "http://foo.com", |
| }, |
| Data: map[string]interface{}{ |
| authMetadataFields.FieldName: []string{"default"}, |
| }, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if resp != nil { |
| t.Fatal("expected nil response") |
| } |
| |
| // Let's make sure we've returned to the default fields. |
| resp, err = e.backend.HandleRequest(e.ctx, &logical.Request{ |
| Operation: logical.ReadOperation, |
| Path: "config", |
| Storage: e.storage, |
| Connection: &logical.Connection{ |
| RemoteAddr: "http://foo.com", |
| }, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if resp == nil || resp.Data == nil { |
| t.Fatal("expected non-nil response") |
| } |
| if !reflect.DeepEqual(resp.Data[authMetadataFields.FieldName], []string{"role_name"}) { |
| t.Fatal("expected default field of role_name to be returned") |
| } |
| |
| // We should again only receive the default field on the login. |
| resp, err = e.backend.HandleRequest(e.ctx, &logical.Request{ |
| Operation: logical.UpdateOperation, |
| Path: "login", |
| Storage: e.storage, |
| Connection: &logical.Connection{ |
| RemoteAddr: "http://foo.com", |
| }, |
| Data: map[string]interface{}{ |
| "role_name": "something", |
| }, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if resp == nil || resp.Auth == nil || resp.Auth.Alias == nil || resp.Auth.Alias.Metadata == nil { |
| t.Fatal("expected alias metadata") |
| } |
| if len(resp.Auth.Alias.Metadata) != 1 { |
| t.Fatal("expected only 1 field") |
| } |
| if resp.Auth.Alias.Metadata["role_name"] != "something" { |
| t.Fatal("expected role_name to be something") |
| } |
| } |
| |
| func (e *environment) TestDefaultPlusMoreCannotBeSelected(t *testing.T) { |
| // We should not be able to set it to "default" plus 1 optional field. |
| _, err := e.backend.HandleRequest(e.ctx, &logical.Request{ |
| Operation: logical.UpdateOperation, |
| Path: "config", |
| Storage: e.storage, |
| Connection: &logical.Connection{ |
| RemoteAddr: "http://foo.com", |
| }, |
| Data: map[string]interface{}{ |
| authMetadataFields.FieldName: []string{"default", "remote_addr"}, |
| }, |
| }) |
| if err == nil { |
| t.Fatal("expected err") |
| } |
| } |
| |
| func (e *environment) TestOnlyNonDefaultsCanBeSelected(t *testing.T) { |
| // Omit all default fields and just select one. |
| resp, err := e.backend.HandleRequest(e.ctx, &logical.Request{ |
| Operation: logical.UpdateOperation, |
| Path: "config", |
| Storage: e.storage, |
| Connection: &logical.Connection{ |
| RemoteAddr: "http://foo.com", |
| }, |
| Data: map[string]interface{}{ |
| authMetadataFields.FieldName: []string{"remote_addr"}, |
| }, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if resp != nil { |
| t.Fatal("expected nil response") |
| } |
| |
| // Make sure that worked. |
| resp, err = e.backend.HandleRequest(e.ctx, &logical.Request{ |
| Operation: logical.ReadOperation, |
| Path: "config", |
| Storage: e.storage, |
| Connection: &logical.Connection{ |
| RemoteAddr: "http://foo.com", |
| }, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if resp == nil || resp.Data == nil { |
| t.Fatal("expected non-nil response") |
| } |
| if !reflect.DeepEqual(resp.Data[authMetadataFields.FieldName], []string{"remote_addr"}) { |
| t.Fatal("expected remote_addr to be returned") |
| } |
| |
| // Ensure only the selected one is on logins. |
| // They both should now appear on the login. |
| resp, err = e.backend.HandleRequest(e.ctx, &logical.Request{ |
| Operation: logical.UpdateOperation, |
| Path: "login", |
| Storage: e.storage, |
| Connection: &logical.Connection{ |
| RemoteAddr: "http://foo.com", |
| }, |
| Data: map[string]interface{}{ |
| "role_name": "something", |
| }, |
| }) |
| if err != nil { |
| t.Fatal(err) |
| } |
| if resp == nil || resp.Auth == nil || resp.Auth.Alias == nil || resp.Auth.Alias.Metadata == nil { |
| t.Fatal("expected alias metadata") |
| } |
| if len(resp.Auth.Alias.Metadata) != 1 { |
| t.Fatal("expected only 1 field") |
| } |
| if resp.Auth.Alias.Metadata["remote_addr"] != "http://foo.com" { |
| t.Fatal("expected remote_addr to be http://foo.com") |
| } |
| } |
| |
| func (e *environment) TestAddingBadField(t *testing.T) { |
| // Try adding an unsupported field. |
| resp, err := e.backend.HandleRequest(e.ctx, &logical.Request{ |
| Operation: logical.UpdateOperation, |
| Path: "config", |
| Storage: e.storage, |
| Connection: &logical.Connection{ |
| RemoteAddr: "http://foo.com", |
| }, |
| Data: map[string]interface{}{ |
| authMetadataFields.FieldName: []string{"asl;dfkj"}, |
| }, |
| }) |
| if err == nil { |
| t.Fatal("expected err") |
| } |
| if resp == nil { |
| t.Fatal("expected non-nil response") |
| } |
| if !resp.IsError() { |
| t.Fatal("expected error response") |
| } |
| } |
| |
| // We expect people to embed the Handler on their |
| // config so it automatically makes its helper methods |
| // available and easy to find wherever the config is |
| // needed. Explicitly naming it in json avoids it |
| // automatically being named "Handler" by Go's JSON |
| // marshalling library. |
| type fakeConfig struct { |
| *Handler `json:"auth_metadata_handler"` |
| } |
| |
| type fakeBackend struct { |
| *framework.Backend |
| } |
| |
| // We expect each back-end to explicitly define the fields that |
| // will be included by default, and optionally available. |
| var authMetadataFields = &Fields{ |
| FieldName: "some_field_name", |
| Default: []string{ |
| "role_name", // This would likely never change because the alias is the role name. |
| }, |
| AvailableToAdd: []string{ |
| "remote_addr", // This would likely change with every new caller. |
| }, |
| } |
| |
| func configPath() *framework.Path { |
| return &framework.Path{ |
| Pattern: "config", |
| Fields: map[string]*framework.FieldSchema{ |
| authMetadataFields.FieldName: FieldSchema(authMetadataFields), |
| }, |
| Operations: map[logical.Operation]framework.OperationHandler{ |
| logical.ReadOperation: &framework.PathOperation{ |
| Callback: func(ctx context.Context, req *logical.Request, fd *framework.FieldData) (*logical.Response, error) { |
| entryRaw, err := req.Storage.Get(ctx, "config") |
| if err != nil { |
| return nil, err |
| } |
| conf := &fakeConfig{ |
| Handler: NewHandler(authMetadataFields), |
| } |
| if entryRaw != nil { |
| if err := entryRaw.DecodeJSON(conf); err != nil { |
| return nil, err |
| } |
| } |
| // Note that even if the config entry was nil, we return |
| // a populated response to give info on what the default |
| // auth metadata is when unconfigured. |
| return &logical.Response{ |
| Data: map[string]interface{}{ |
| authMetadataFields.FieldName: conf.AuthMetadata(), |
| }, |
| }, nil |
| }, |
| }, |
| logical.UpdateOperation: &framework.PathOperation{ |
| Callback: func(ctx context.Context, req *logical.Request, fd *framework.FieldData) (*logical.Response, error) { |
| entryRaw, err := req.Storage.Get(ctx, "config") |
| if err != nil { |
| return nil, err |
| } |
| conf := &fakeConfig{ |
| Handler: NewHandler(authMetadataFields), |
| } |
| if entryRaw != nil { |
| if err := entryRaw.DecodeJSON(conf); err != nil { |
| return nil, err |
| } |
| } |
| // This is where we read in the user's given auth metadata. |
| if err := conf.ParseAuthMetadata(fd); err != nil { |
| // Since this will only error on bad input, it's best to give |
| // a 400 response with the explicit problem included. |
| return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest |
| } |
| entry, err := logical.StorageEntryJSON("config", conf) |
| if err != nil { |
| return nil, err |
| } |
| if err = req.Storage.Put(ctx, entry); err != nil { |
| return nil, err |
| } |
| return nil, nil |
| }, |
| }, |
| }, |
| } |
| } |
| |
| func loginPath() *framework.Path { |
| return &framework.Path{ |
| Pattern: "login", |
| Fields: map[string]*framework.FieldSchema{ |
| "role_name": { |
| Type: framework.TypeString, |
| Required: true, |
| }, |
| }, |
| Operations: map[logical.Operation]framework.OperationHandler{ |
| logical.UpdateOperation: &framework.PathOperation{ |
| Callback: func(ctx context.Context, req *logical.Request, fd *framework.FieldData) (*logical.Response, error) { |
| entryRaw, err := req.Storage.Get(ctx, "config") |
| if err != nil { |
| return nil, err |
| } |
| conf := &fakeConfig{ |
| Handler: NewHandler(authMetadataFields), |
| } |
| if entryRaw != nil { |
| if err := entryRaw.DecodeJSON(conf); err != nil { |
| return nil, err |
| } |
| } |
| auth := &logical.Auth{ |
| Alias: &logical.Alias{ |
| Name: fd.Get("role_name").(string), |
| }, |
| } |
| // Here we provide everything and let the method strip out |
| // the undesired stuff. |
| if err := conf.PopulateDesiredMetadata(auth, map[string]string{ |
| "role_name": fd.Get("role_name").(string), |
| "remote_addr": req.Connection.RemoteAddr, |
| }); err != nil { |
| fmt.Println("unable to populate due to " + err.Error()) |
| } |
| return &logical.Response{ |
| Auth: auth, |
| }, nil |
| }, |
| }, |
| }, |
| } |
| } |
| |
| func backend(ctx context.Context, storage logical.Storage) (logical.Backend, error) { |
| b := &fakeBackend{ |
| Backend: &framework.Backend{ |
| Paths: []*framework.Path{ |
| configPath(), |
| loginPath(), |
| }, |
| }, |
| } |
| if err := b.Setup(ctx, &logical.BackendConfig{ |
| StorageView: storage, |
| Logger: hclog.Default(), |
| }); err != nil { |
| return nil, err |
| } |
| return b, nil |
| } |
