Add audit non HMAC'd request / response keys to mount resource #1194
Hey, thanks for the contribution! Would really love to see this merged as we're blocked by this at @monzo too |
Looking good. I made some suggestions for the tests. There was some code duplication in the tests, and we also want to verify that the state matches.
func testResourceMount_UpdateAuditNonHMACRequestKeys(s *terraform.State) error { | ||
resourceState := s.Modules[0].Resources["vault_mount.test"] | ||
instanceState := resourceState.Primary | ||
|
||
path := instanceState.ID | ||
|
||
if path != instanceState.Attributes["path"] { | ||
return fmt.Errorf("id doesn't match path") | ||
} | ||
|
||
if path != "remountingExample" { | ||
return fmt.Errorf("unexpected path value") | ||
} | ||
|
||
mount, err := findMount(path) | ||
if err != nil { | ||
return fmt.Errorf("error reading back mount: %s", err) | ||
} | ||
|
||
if len(mount.Config.AuditNonHMACRequestKeys) < 2 || mount.Config.AuditNonHMACRequestKeys[0] != "test3request" || mount.Config.AuditNonHMACRequestKeys[1] != "test4request" { | ||
return fmt.Errorf("audit_non_hmac_request_keys is %v; expected [\"test3request\", \"test4request\"]", mount.Config.AuditNonHMACRequestKeys) | ||
} | ||
|
||
if len(mount.Config.AuditNonHMACResponseKeys) < 2 || mount.Config.AuditNonHMACResponseKeys[0] != "test3response" || mount.Config.AuditNonHMACResponseKeys[1] != "test4response" { | ||
return fmt.Errorf("audit_non_hmac_response_keys is %v; expected [\"test3response\", \"test4response\"]", mount.Config.AuditNonHMACRequestKeys) | ||
} | ||
|
||
return nil | ||
} | ||
|
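Review bot: The response-key failure message at the end of testResourceMount_UpdateAuditNonHMACRequestKeys formats the wrong list: its last argument is `mount.Config.AuditNonHMACRequestKeys`, so a mismatch on the response keys prints the request keys; it should be `mount.Config.AuditNonHMACResponseKeys`. Both conditions also guard with `len(...) < 2`, which passes when the mount carries more than the two expected entries. For this setting an unexpected extra entry is a field that Vault writes to the audit log without HMAC, so the check should require an exact match, for example `len(mount.Config.AuditNonHMACRequestKeys) != 2` and the same for the response list. The initial-check lines quoted further down (test1request / test1response) have both problems too.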
Use `testResourceMount_CheckAuditNonHMACRequestKeys()` instead.
func testResourceMount_UpdateAuditNonHMACRequestKeys(s *terraform.State) error { | |
resourceState := s.Modules[0].Resources["vault_mount.test"] | |
instanceState := resourceState.Primary | |
path := instanceState.ID | |
if path != instanceState.Attributes["path"] { | |
return fmt.Errorf("id doesn't match path") | |
} | |
if path != "remountingExample" { | |
return fmt.Errorf("unexpected path value") | |
} | |
mount, err := findMount(path) | |
if err != nil { | |
return fmt.Errorf("error reading back mount: %s", err) | |
} | |
if len(mount.Config.AuditNonHMACRequestKeys) < 2 || mount.Config.AuditNonHMACRequestKeys[0] != "test3request" || mount.Config.AuditNonHMACRequestKeys[1] != "test4request" { | |
return fmt.Errorf("audit_non_hmac_request_keys is %v; expected [\"test3request\", \"test4request\"]", mount.Config.AuditNonHMACRequestKeys) | |
} | |
if len(mount.Config.AuditNonHMACResponseKeys) < 2 || mount.Config.AuditNonHMACResponseKeys[0] != "test3response" || mount.Config.AuditNonHMACResponseKeys[1] != "test4response" { | |
return fmt.Errorf("audit_non_hmac_response_keys is %v; expected [\"test3response\", \"test4response\"]", mount.Config.AuditNonHMACRequestKeys) | |
} | |
return nil | |
} |
`, path) | ||
} | ||
|
||
func testResourceMount_InitialCheckAuditNonHMACRequestKeys(expectedPath string) resource.TestCheckFunc { |
func testResourceMount_InitialCheckAuditNonHMACRequestKeys(expectedPath string) resource.TestCheckFunc { | |
func testResourceMount_CheckAuditNonHMACRequestKeys(expectedPath string, expectedReqKeys, expectedRespKeys []string) resource.TestCheckFunc { |
Steps: []resource.TestStep{ | ||
{ | ||
Config: testResourceMount_InitialConfigAuditNonHMACRequestKeys(path), | ||
Check: testResourceMount_InitialCheckAuditNonHMACRequestKeys(path), |
Suggest checking the state attributes as well.
Check: testResourceMount_InitialCheckAuditNonHMACRequestKeys(path), | |
Check: resource.ComposeTestCheckFunc( | |
resource.TestCheckResourceAttr("vault_mount.test", "path", path), | |
resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_request_keys.#", "2"), | |
resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_request_keys.0", "test1request"), | |
resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_request_keys.1", "test2request"), | |
resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_response_keys.#", "2"), | |
resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_response_keys.0", "test1response"), | |
resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_response_keys.1", "test2response"), | |
testResourceMount_CheckAuditNonHMACRequestKeys( | |
path, | |
[]string{"test1request", "test2request"}, | |
[]string{"test1response", "test2response"}), | |
), |
}, | ||
{ | ||
Config: testResourceMount_UpdateConfigAuditNonHMACRequestKeys, | ||
Check: testResourceMount_UpdateAuditNonHMACRequestKeys, |
Check: testResourceMount_UpdateAuditNonHMACRequestKeys, | |
Check: resource.ComposeTestCheckFunc( | |
resource.TestCheckResourceAttr("vault_mount.test", "path", "remountingExample"), | |
resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_request_keys.#", "2"), | |
resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_request_keys.0", "test3request"), | |
resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_request_keys.1", "test4request"), | |
resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_response_keys.#", "2"), | |
resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_response_keys.0", "test3response"), | |
resource.TestCheckResourceAttr("vault_mount.test", "audit_non_hmac_response_keys.1", "test4response"), | |
testResourceMount_CheckAuditNonHMACRequestKeys( | |
"remountingExample", | |
[]string{"test3request", "test4request"}, | |
[]string{"test3response", "test4response"}), | |
), |
path := "example-" + acctest.RandString(10) | ||
resource.Test(t, resource.TestCase{ | ||
Providers: testProviders, | ||
PreCheck: func() { testAccPreCheck(t) }, |
`testAccPreCheck()` was just replaced by `testutil.TestAccPreCheck()` in 5660a05; you'll want to rebase.
PreCheck: func() { testAccPreCheck(t) }, | |
PreCheck: func() { testutil.TestAccPreCheck(t) }, |
if len(mount.Config.AuditNonHMACRequestKeys) < 2 || mount.Config.AuditNonHMACRequestKeys[0] != "test1request" || mount.Config.AuditNonHMACRequestKeys[1] != "test2request" { | ||
return fmt.Errorf("audit_non_hmac_request_keys is %v; expected [\"test1request\", \"test2request\"]", mount.Config.AuditNonHMACRequestKeys) | ||
} | ||
|
||
if len(mount.Config.AuditNonHMACResponseKeys) < 2 || mount.Config.AuditNonHMACResponseKeys[0] != "test1response" || mount.Config.AuditNonHMACResponseKeys[1] != "test2response" { | ||
return fmt.Errorf("audit_non_hmac_response_keys is %v; expected [\"test1response\", \"test2response\"]", mount.Config.AuditNonHMACRequestKeys) |
if len(mount.Config.AuditNonHMACRequestKeys) < 2 || mount.Config.AuditNonHMACRequestKeys[0] != "test1request" || mount.Config.AuditNonHMACRequestKeys[1] != "test2request" { | |
return fmt.Errorf("audit_non_hmac_request_keys is %v; expected [\"test1request\", \"test2request\"]", mount.Config.AuditNonHMACRequestKeys) | |
} | |
if len(mount.Config.AuditNonHMACResponseKeys) < 2 || mount.Config.AuditNonHMACResponseKeys[0] != "test1response" || mount.Config.AuditNonHMACResponseKeys[1] != "test2response" { | |
return fmt.Errorf("audit_non_hmac_response_keys is %v; expected [\"test1response\", \"test2response\"]", mount.Config.AuditNonHMACRequestKeys) | |
if !reflect.DeepEqual(expectedReqKeys, mount.Config.AuditNonHMACRequestKeys) { | |
return fmt.Errorf("expected audit_non_hmac_request_keys %#v, actual %#v", | |
expectedReqKeys, | |
mount.Config.AuditNonHMACRequestKeys) | |
} | |
if !reflect.DeepEqual(expectedRespKeys, mount.Config.AuditNonHMACResponseKeys) { | |
return fmt.Errorf("expected audit_non_hmac_response_keys %#v, actual %#v", | |
expectedRespKeys, | |
mount.Config.AuditNonHMACResponseKeys) |
Moving this work to #1297. Thank you @npurdy-tyro for your contribution. We will make sure you are recognized as a co-author! |
Community Note
Closes #667
Release note for CHANGELOG:
Output from acceptance testing: