secrets_batch.feature
Feature: Batch retrieval of secrets

  Background:
    Given I am a user named "bob"
    Given I create a new "variable" resource called "secret1"
    And I add the secret value "s1" to the resource "cucumber:variable:secret1"
    And I create a new "variable" resource called "secret2"
    And I add the secret value "s2" to the resource "cucumber:variable:secret2"
    And I create a new "variable" resource called "secret3"
    And I add the secret value "s3" to the resource "cucumber:variable:secret3"

  Scenario: Returns a JSON hash mapping resource id to value
    When I GET "/secrets?variable_ids=cucumber:variable:secret1,cucumber:variable:secret2"
    Then the JSON should be:
      """
      { "cucumber:variable:secret1": "s1", "cucumber:variable:secret2": "s2" }
      """
    And there is an audit record matching:
      """
      <38>1 * * conjur * fetch
      [auth@43868 user="cucumber:user:bob"]
      [subject@43868 resource="cucumber:variable:secret1"]
      [action@43868 operation="fetch" result="success"]
      cucumber:user:bob fetched cucumber:variable:secret1
      """
    And there is an audit record matching:
      """
      <38>1 * * conjur * fetch
      [auth@43868 user="cucumber:user:bob"]
      [subject@43868 resource="cucumber:variable:secret2"]
      [action@43868 operation="fetch" result="success"]
      cucumber:user:bob fetched cucumber:variable:secret2
      """

  Scenario: Fails with 422 if variable_ids param is missing
    When I GET "/secrets"
    Then the HTTP response status code is 422

  Scenario: Fails with 422 if variable_ids param is empty
    When I GET "/secrets?variable_ids="
    Then the HTTP response status code is 422

  Scenario: Fails with 422 if variable_ids param has only blank items
    When I GET "/secrets?variable_ids=,,,"
    Then the HTTP response status code is 422

  Scenario: Fails with 403 if execute privilege is not held
    When I am a user named "someone-else"
    And I GET "/secrets?variable_ids=cucumber:variable:secret1"
    Then the HTTP response status code is 403

  Scenario: Fails with 404 if variable_ids param has some blank items
    When I GET "/secrets?variable_ids=cucumber:variable:secret1,,,cucumber:variable:secret2"
    Then the HTTP response status code is 404

  Scenario: Fails with 404 if a variable_id param is of an incorrect format
    When I GET "/secrets?variable_ids=1,2,3"
    Then the HTTP response status code is 404

  Scenario: Fails with 404 if a resource doesn't exist
    When I GET "/secrets?variable_ids=cucumber:variable:secret1,cucumber:variable:not-a-secret"
    Then the HTTP response status code is 404

  Scenario: Fails with 404 if a resource doesn't have a value
    Given I create a new "variable" resource called "secret-no-value"
    When I GET "/secrets?variable_ids=cucumber:variable:secret1,cucumber:variable:secret-no-value"
    Then the HTTP response status code is 404

  # This test explicitly tests an error case that was discovered in Conjur v4 where
  # resource IDs were matched with incorrect variable values in the JSON response.
  # It was fixed in: https://github.com/conjurinc/core/pull/46/files
  Scenario: Returns a correct mapping of resource ids to secret values
    Given I add the secret value "v1" to the resource "cucumber:variable:secret1"
    And I add the secret value "v2" to the resource "cucumber:variable:secret2"
    And I add the secret value "v3" to the resource "cucumber:variable:secret1"
    And I add the secret value "v4" to the resource "cucumber:variable:secret3"
    And I add the secret value "v5" to the resource "cucumber:variable:secret2"
    And I add the secret value "v6" to the resource "cucumber:variable:secret3"
    When I GET "/secrets?variable_ids=cucumber:variable:secret1,cucumber:variable:secret2,cucumber:variable:secret3"
    Then the JSON should be:
      """
      { "cucumber:variable:secret1": "v3", "cucumber:variable:secret2": "v5", "cucumber:variable:secret3": "v6" }
      """
    When I GET "/secrets?variable_ids=cucumber:variable:secret3,cucumber:variable:secret2,cucumber:variable:secret1"
    Then the JSON should be:
      """
      { "cucumber:variable:secret1": "v3", "cucumber:variable:secret2": "v5", "cucumber:variable:secret3": "v6" }
      """
    When I GET "/secrets?variable_ids=cucumber:variable:secret2,cucumber:variable:secret3,cucumber:variable:secret1"
    Then the JSON should be:
      """
      { "cucumber:variable:secret1": "v3", "cucumber:variable:secret2": "v5", "cucumber:variable:secret3": "v6" }
      """

  # Binary and text secrets in one batch, with the Accept-Encoding header set to "base64".
  Scenario: Returns the correct result for binary secrets
    Given I create a binary secret value for resource "cucumber:variable:secret3"
    And I add the secret value "v2" to the resource "cucumber:variable:secret2"
    And I set the "Accept-Encoding" header to "base64"
    When I GET "/secrets?variable_ids=cucumber:variable:secret3,cucumber:variable:secret2"
    Then the binary data is preserved for "cucumber:variable:secret3"
    And the content encoding is "base64"

  # Single binary secret, with the header value capitalized as "Base64".
  Scenario: Returns the correct result for binary secrets
    Given I create a binary secret value for resource "cucumber:variable:secret3"
    And I set the "Accept-Encoding" header to "Base64"
    When I GET "/secrets?variable_ids=cucumber:variable:secret3"
    Then the binary data is preserved for "cucumber:variable:secret3"

  # Single binary secret with no Accept-Encoding header set: the request is expected to fail with 500.
  Scenario: Returns the correct result for binary secrets
    Given I create a binary secret value for resource "cucumber:variable:secret3"
    When I GET "/secrets?variable_ids=cucumber:variable:secret3"
    Then the HTTP response status code is 500

  Scenario: Raises error on binary secret with no annotation
    Given I create a binary secret value for resource "cucumber:variable:secret3"
    And I add the secret value "v2" to the resource "cucumber:variable:secret2"
    When I GET "/secrets?variable_ids=cucumber:variable:secret3,cucumber:variable:secret2"
    Then the HTTP response status code is 500

  Scenario: Omit the Accept-Encoding header entirely from batch secrets request
    Given I add the secret value "v2" to the resource "cucumber:variable:secret2"
    When I GET "/secrets?variable_ids=cucumber:variable:secret2" with no default headers
    Then the JSON should be:
      """
      { "cucumber:variable:secret2": "v2" }
      """