
Consistent consul secrets parameter names #15400

Merged
merged 10 commits into from
May 19, 2022
107 changes: 59 additions & 48 deletions builtin/logical/consul/backend_test.go
Expand Up @@ -99,7 +99,18 @@ func TestBackend_Renew_Revoke(t *testing.T) {
testBackendRenewRevoke(t, "1.4.4")
})

testBackendRenewRevoke14(t, "")
t.Run("param-policies", func(t *testing.T) {
t.Parallel()
testBackendRenewRevoke14(t, "", "policies")
})
t.Run("param-consul_policies", func(t *testing.T) {
t.Parallel()
testBackendRenewRevoke14(t, "", "consul_policies")
})
robmonte marked this conversation as resolved.
t.Run("both-params", func(t *testing.T) {
t.Parallel()
testBackendRenewRevoke14(t, "", "both")
})
})
})
}
Expand Down Expand Up @@ -163,7 +174,6 @@ func testBackendRenewRevoke(t *testing.T, version string) {
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
t.Logf("Generated token: %s", d.Token)

// Build a client and verify that the credentials work
consulapiConfig := consulapi.DefaultConfig()
Expand All @@ -174,7 +184,6 @@ func testBackendRenewRevoke(t *testing.T, version string) {
t.Fatal(err)
}

t.Logf("Verifying that the generated token works...")
_, err = client.KV().Put(&consulapi.KVPair{
Key: "foo",
Value: []byte("bar"),
Expand All @@ -199,7 +208,6 @@ func testBackendRenewRevoke(t *testing.T, version string) {
t.Fatal(err)
}

t.Logf("Verifying that the generated token does not work...")
_, err = client.KV().Put(&consulapi.KVPair{
Key: "foo",
Value: []byte("bar"),
Expand All @@ -209,7 +217,7 @@ func testBackendRenewRevoke(t *testing.T, version string) {
}
}

func testBackendRenewRevoke14(t *testing.T, version string) {
func testBackendRenewRevoke14(t *testing.T, version string, policiesParam string) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b, err := Factory(context.Background(), config)
Expand Down Expand Up @@ -238,14 +246,36 @@ func testBackendRenewRevoke14(t *testing.T, version string) {

req.Path = "roles/test"
req.Data = map[string]interface{}{
"policies": []string{"test"},
"lease": "6h",
"lease": "6h",
}
if policiesParam == "both" {
req.Data["policies"] = []string{"wrong-name"}
req.Data["consul_policies"] = []string{"test"}
} else {
req.Data[policiesParam] = []string{"test"}
}

_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}

read := &logical.Request{
Storage: config.StorageView,
Operation: logical.ReadOperation,
Path: "roles/test",
Data: connData,
}
roleResp, err := b.HandleRequest(context.Background(), read)

expectExtract := roleResp.Data["consul_policies"]
respExtract := roleResp.Data[policiesParam]
if respExtract != nil {
if expectExtract.([]string)[0] != respExtract.([]string)[0] {
t.Errorf("mismatch: response consul_policies '%s' does not match '[test]'", roleResp.Data["consul_policies"])
}
}

req.Operation = logical.ReadOperation
req.Path = "creds/test"
resp, err := b.HandleRequest(context.Background(), req)
Expand All @@ -269,7 +299,6 @@ func testBackendRenewRevoke14(t *testing.T, version string) {
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
t.Logf("Generated token: %s with accessor %s", d.Token, d.Accessor)

// Build a client and verify that the credentials work
consulapiConfig := consulapi.DefaultNonPooledConfig()
Expand All @@ -280,7 +309,6 @@ func testBackendRenewRevoke14(t *testing.T, version string) {
t.Fatal(err)
}

t.Log("Verifying that the generated token works...")
_, err = client.Catalog(), nil
if err != nil {
t.Fatal(err)
Expand Down Expand Up @@ -314,7 +342,6 @@ func testBackendRenewRevoke14(t *testing.T, version string) {
Datacenter: "DC1",
}

t.Log("Verifying that the generated token does not exist...")
_, _, err = mgmtclient.ACL().TokenRead(d.Accessor, q)
if err == nil {
t.Fatal("err: expected error")
Expand Down Expand Up @@ -350,9 +377,9 @@ func TestBackend_LocalToken(t *testing.T) {

req.Path = "roles/test"
req.Data = map[string]interface{}{
"policies": []string{"test"},
"ttl": "6h",
"local": false,
"consul_policies": []string{"test"},
"ttl": "6h",
"local": false,
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
Expand All @@ -361,9 +388,9 @@ func TestBackend_LocalToken(t *testing.T) {

req.Path = "roles/test_local"
req.Data = map[string]interface{}{
"policies": []string{"test"},
"ttl": "6h",
"local": true,
"consul_policies": []string{"test"},
"ttl": "6h",
"local": true,
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
Expand Down Expand Up @@ -391,7 +418,6 @@ func TestBackend_LocalToken(t *testing.T) {
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
t.Logf("Generated token: %s with accessor %s", d.Token, d.Accessor)

if d.Local {
t.Fatalf("requested global token, got local one")
Expand All @@ -406,7 +432,6 @@ func TestBackend_LocalToken(t *testing.T) {
t.Fatal(err)
}

t.Log("Verifying that the generated token works...")
_, err = client.Catalog(), nil
if err != nil {
t.Fatal(err)
Expand All @@ -428,7 +453,6 @@ func TestBackend_LocalToken(t *testing.T) {
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
t.Logf("Generated token: %s with accessor %s", d.Token, d.Accessor)

if !d.Local {
t.Fatalf("requested local token, got global one")
Expand All @@ -443,7 +467,6 @@ func TestBackend_LocalToken(t *testing.T) {
t.Fatal(err)
}

t.Log("Verifying that the generated token works...")
_, err = client.Catalog(), nil
if err != nil {
t.Fatal(err)
Expand Down Expand Up @@ -771,7 +794,6 @@ func TestBackend_Roles(t *testing.T) {
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
t.Logf("Generated consul_roles token: %s with accessor %s", d.Token, d.Accessor)

// Build a client and verify that the credentials work
consulapiConfig := consulapi.DefaultNonPooledConfig()
Expand All @@ -782,7 +804,6 @@ func TestBackend_Roles(t *testing.T) {
t.Fatal(err)
}

t.Log("Verifying that the generated token works...")
_, err = client.Catalog(), nil
if err != nil {
t.Fatal(err)
Expand Down Expand Up @@ -816,7 +837,6 @@ func TestBackend_Roles(t *testing.T) {
Datacenter: "DC1",
}

t.Log("Verifying that the generated token does not exist...")
_, _, err = mgmtclient.ACL().TokenRead(d.Accessor, q)
if err == nil {
t.Fatal("err: expected error")
Expand Down Expand Up @@ -869,7 +889,7 @@ func testBackendEntNamespace(t *testing.T) {
// Create the role in namespace "ns1"
req.Path = "roles/test-ns"
req.Data = map[string]interface{}{
"policies": []string{"ns-test"},
"consul_policies": []string{"ns-test"},
"lease": "6h",
"consul_namespace": "ns1",
}
Expand Down Expand Up @@ -902,7 +922,6 @@ func testBackendEntNamespace(t *testing.T) {
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
t.Logf("Generated namespace '%s' token: %s with accessor %s", d.ConsulNamespace, d.Token, d.Accessor)

if d.ConsulNamespace != "ns1" {
t.Fatalf("Failed to access namespace")
Expand All @@ -917,7 +936,6 @@ func testBackendEntNamespace(t *testing.T) {
t.Fatal(err)
}

t.Log("Verifying that the generated token works...")
_, err = client.Catalog(), nil
if err != nil {
t.Fatal(err)
Expand Down Expand Up @@ -952,7 +970,6 @@ func testBackendEntNamespace(t *testing.T) {
Namespace: "ns1",
}

t.Log("Verifying that the generated token does not exist...")
_, _, err = mgmtclient.ACL().TokenRead(d.Accessor, q)
if err == nil {
t.Fatal("err: expected error")
Expand Down Expand Up @@ -989,9 +1006,9 @@ func testBackendEntPartition(t *testing.T) {
// Create the role in partition "part1"
req.Path = "roles/test-part"
req.Data = map[string]interface{}{
"policies": []string{"part-test"},
"lease": "6h",
"partition": "part1",
"consul_policies": []string{"part-test"},
"lease": "6h",
"partition": "part1",
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
Expand Down Expand Up @@ -1022,7 +1039,6 @@ func testBackendEntPartition(t *testing.T) {
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
t.Logf("Generated partition '%s' token: %s with accessor %s", d.Partition, d.Token, d.Accessor)

if d.Partition != "part1" {
t.Fatalf("Failed to access partition")
Expand All @@ -1037,7 +1053,6 @@ func testBackendEntPartition(t *testing.T) {
t.Fatal(err)
}

t.Log("Verifying that the generated token works...")
_, err = client.Catalog(), nil
if err != nil {
t.Fatal(err)
Expand Down Expand Up @@ -1072,7 +1087,6 @@ func testBackendEntPartition(t *testing.T) {
Partition: "test1",
}

t.Log("Verifying that the generated token does not exist...")
_, _, err = mgmtclient.ACL().TokenRead(d.Accessor, q)
if err == nil {
t.Fatal("err: expected error")
Expand Down Expand Up @@ -1120,9 +1134,9 @@ func TestBackendRenewRevokeRolesAndIdentities(t *testing.T) {
"role and policies": {
"rp",
map[string]interface{}{
"policies": []string{"test"},
"consul_roles": []string{"role-test"},
"lease": "6h",
"consul_policies": []string{"test"},
"consul_roles": []string{"role-test"},
"lease": "6h",
},
},
"service identity": {
Expand All @@ -1135,7 +1149,7 @@ func TestBackendRenewRevokeRolesAndIdentities(t *testing.T) {
"service identity and policies": {
"sip",
map[string]interface{}{
"policies": []string{"test"},
"consul_policies": []string{"test"},
"service_identities": "service1",
"lease": "6h",
},
Expand All @@ -1151,7 +1165,7 @@ func TestBackendRenewRevokeRolesAndIdentities(t *testing.T) {
"service identity and role and policies": {
"sirp",
map[string]interface{}{
"policies": []string{"test"},
"consul_policies": []string{"test"},
"consul_roles": []string{"role-test"},
"service_identities": "service1",
"lease": "6h",
Expand All @@ -1167,7 +1181,7 @@ func TestBackendRenewRevokeRolesAndIdentities(t *testing.T) {
"node identity and policies": {
"nip",
map[string]interface{}{
"policies": []string{"test"},
"consul_policies": []string{"test"},
"node_identities": []string{"node1:dc1"},
"lease": "6h",
},
Expand All @@ -1183,10 +1197,10 @@ func TestBackendRenewRevokeRolesAndIdentities(t *testing.T) {
"node identity and role and policies": {
"nirp",
map[string]interface{}{
"consul_roles": []string{"role-test"},
"service_identities": "service1",
"node_identities": []string{"node1:dc1"},
"lease": "6h",
"consul_policies": []string{"test"},
"consul_roles": []string{"role-test"},
"node_identities": []string{"node1:dc1"},
"lease": "6h",
},
},
"node identity and service identity": {
Expand All @@ -1200,7 +1214,7 @@ func TestBackendRenewRevokeRolesAndIdentities(t *testing.T) {
"node identity and service identity and policies": {
"nisip",
map[string]interface{}{
"policies": []string{"test"},
"consul_policies": []string{"test"},
"service_identities": "service1",
"node_identities": []string{"node1:dc1"},
"lease": "6h",
Expand All @@ -1218,7 +1232,7 @@ func TestBackendRenewRevokeRolesAndIdentities(t *testing.T) {
"node identity and service identity and role and policies": {
"nisirp",
map[string]interface{}{
"policies": []string{"test"},
"consul_policies": []string{"test"},
"consul_roles": []string{"role-test"},
"service_identities": "service1",
"node_identities": []string{"node1:dc1"},
Expand Down Expand Up @@ -1261,7 +1275,6 @@ func TestBackendRenewRevokeRolesAndIdentities(t *testing.T) {
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
t.Logf("Generated token: %s with accessor %s", d.Token, d.Accessor)

// Build a client and verify that the credentials work
consulapiConfig := consulapi.DefaultNonPooledConfig()
Expand All @@ -1272,7 +1285,6 @@ func TestBackendRenewRevokeRolesAndIdentities(t *testing.T) {
t.Fatal(err)
}

t.Log("Verifying that the generated token works...")
_, err = client.Catalog(), nil
if err != nil {
t.Fatal(err)
Expand Down Expand Up @@ -1304,7 +1316,6 @@ func TestBackendRenewRevokeRolesAndIdentities(t *testing.T) {
Datacenter: "DC1",
}

t.Log("Verifying that the generated token does not exist...")
_, _, err = mgmtclient.ACL().TokenRead(d.Accessor, q)
if err == nil {
t.Fatal("err: expected error")
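Review bot: The role read-back added to `testBackendRenewRevoke14` (hunk `@@ -238,14 +246,36 @@`) cannot fail for a wrong policy list. The `err` from the read is overwritten by the following `creds/test` call without being checked, a nil `roleResp` would panic, and the comparison is between two fields of the same response rather than against the expected `"test"`. For `consul_policies` it compares the value with itself, and for `both` the lookup `roleResp.Data["both"]` is nil, so the block is skipped and the precedence of `consul_policies` over `policies` goes unasserted at the role level. Since these parameters decide which Consul ACL policies a minted token carries, I would check the error and assert the stored list against the literal. The function begins and continues outside this hunk; the fence assumes the read response exposes `consul_policies` as `[]string`, as the existing assertion does.

```go
// … unchanged: role write and construction of the read request …
roleResp, err := b.HandleRequest(context.Background(), read)
if err != nil {
	t.Fatal(err)
}
if roleResp == nil {
	t.Fatal("expected a response when reading roles/test")
}

// Assert against the expected value, not another field of the same response.
got, ok := roleResp.Data["consul_policies"].([]string)
if !ok || len(got) != 1 || got[0] != "test" {
	t.Fatalf("consul_policies = %v, want [test]", roleResp.Data["consul_policies"])
}
// … unchanged: creds/test read and token verification …
```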