Skip to content

Commit

Permalink
Added tests for identity token support. Fixed unnecessary space at th…
Browse files Browse the repository at this point in the history
…e end of error message.
  • Loading branch information
michelvocks committed Feb 20, 2019
1 parent 1194954 commit 45f3fc4
Show file tree
Hide file tree
Showing 2 changed files with 73 additions and 1 deletion.
2 changes: 1 addition & 1 deletion vault/token_store.go
Original file line number Diff line number Diff line change
Expand Up @@ -2446,7 +2446,7 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
// This is only possible when client token has sudo/root.
if data.EntityID != "" && ts.core.identityStore != nil {
if !isSudo {
return logical.ErrorResponse("root or sudo privileges required to specify entity id "), logical.ErrInvalidRequest
return logical.ErrorResponse("root or sudo privileges required to specify entity id"), logical.ErrInvalidRequest
}
entity, err := ts.core.identityStore.MemDBEntityByID(data.EntityID, false)
if err != nil {
Expand Down
72 changes: 72 additions & 0 deletions vault/token_store_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2637,6 +2637,78 @@ func TestTokenStore_HandleRequest_RenewSelf(t *testing.T) {
}
}

func TestTokenStore_HandleRequest_CreateToken_EntityID(t *testing.T) {
core, _, root := TestCoreUnsealed(t)
i := core.identityStore
ctx := namespace.RootContext(nil)
policyName := "test1"

// Create an entity
resp, err := i.HandleRequest(ctx, &logical.Request{
Path: "entity",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"name": "testentity",
"policies": []string{policyName},
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: err:%v\nresp: %#v", err, resp)
}
entityID := resp.Data["id"].(string)

req := logical.Request{
Path: "auth/token/create",
Operation: logical.UpdateOperation,
ClientToken: root,
Data: map[string]interface{}{
"entity_id": entityID,
},
}

resp, err = core.HandleRequest(ctx, &req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
if resp == nil {
t.Fatalf("expected a response")
}
if resp.Auth.EntityID != entityID {
t.Fatalf("expected '%s' got '%s'", entityID, resp.Auth.EntityID)
}
policyFound := false
for _, policy := range resp.Auth.IdentityPolicies {
if policy == policyName {
policyFound = true
}
}
if !policyFound {
t.Fatalf("Policy '%s' not derived by entity but should be. Auth: %#v", policyName, resp.Auth)
}
}

func TestTokenStore_HandleRequest_CreateToken_EntityID_NonRoot(t *testing.T) {
core, _, root := TestCoreUnsealed(t)
ts := core.tokenStore
ctx := namespace.RootContext(nil)

testMakeServiceTokenViaBackend(t, ts, root, "client", "", []string{"foo"})
req := logical.TestRequest(t, logical.UpdateOperation, "create")
req.ClientToken = "client"
req.Data["entity_id"] = "new-entity-id"

resp, _ := ts.HandleRequest(ctx, req)
/*if err != nil {
t.Fatalf("err: %v", err)
}*/
if resp == nil || resp.Data == nil {
t.Fatalf("expected a response with data")
}
if resp.Data["error"] != "root or sudo privileges required to specify entity id" {
t.Fatalf("wrong error returned. Err:%s", resp.Data["error"])
}
}

func TestTokenStore_RoleCRUD(t *testing.T) {
core, _, root := TestCoreUnsealed(t)

Expand Down

0 comments on commit 45f3fc4

Please sign in to comment.