From 128b1c0371280f94ae2c7547bad8bbae889f93d7 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Mon, 18 Nov 2024 11:44:01 -0500 Subject: [PATCH] Some extra integration test for read-group membership --- README.md | 2 +- test/integration/secrets_test.rb | 32 +++++++++++++++++++++++++++----- test/test_helper.rb | 9 ++++++++- 3 files changed, 36 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 84802f5..c7699fe 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ Some features of Astral: 0) Configure Astral-specific Certificate Authority and Key-Value stores in Vault 1) Authenticate requests for cerficates or secrets using a third party trusted source (JWT with signing key, eg) -2) For certiciates: +2) For certificates: a) Authorize the request using a Domain Ownership registry, where domain owner or authorized groups must match the identity of the requesting client b) When authorized, obtain a certificate for the common name diff --git a/test/integration/secrets_test.rb b/test/integration/secrets_test.rb index bdb1ac8..4707bf5 100644 --- a/test/integration/secrets_test.rb +++ b/test/integration/secrets_test.rb @@ -19,6 +19,13 @@ class SecretsTest < ActionDispatch::IntegrationTest end end + test "#update an existing secret with a different user is unauthorized" do + existing_path = create_secret + assert_response :success + create_secret(jwt_read_group, existing_path) + assert_response :unauthorized + end + test "#show" do path = create_secret # view the secret @@ -29,6 +36,16 @@ class SecretsTest < ActionDispatch::IntegrationTest end end + test "#show with read_group is authorized" do + path = create_secret + # view the secret + get secret_path(path), headers: { "Authorization" => "Bearer #{jwt_read_group}" } + assert_response :success + %w[ data metadata lease_id ].each do |key| + assert_includes response.parsed_body["secret"].keys, key + end + end + test "#delete" do path = create_secret # delete the secret @@ -36,14 +53,19 @@ class SecretsTest < ActionDispatch::IntegrationTest assert_response :success end + test "#delete with a read-authorized user is unauthorized" do + path = create_secret + # delete the secret + delete destroy_secret_path(path), headers: { "Authorization" => "Bearer #{jwt_read_group}" } + assert_response :unauthorized + end + private - def create_secret - # make a path - path = "top/secret/#{SecureRandom.hex}" + def create_secret(jwt = jwt_authorized, path = "top/secret/#{SecureRandom.hex}") # create the secret - post secrets_path, headers: { "Authorization" => "Bearer #{jwt_authorized}" }, - params: { secret: { path: path, data: { password: "sicr3t" } } } + post secrets_path, headers: { "Authorization" => "Bearer #{jwt}" }, + params: { secret: { path: path, data: { password: "sicr3t" }, groups: "read_group" } } path end diff --git a/test/test_helper.rb b/test/test_helper.rb index 8157058..ad9629b 100644 --- a/test/test_helper.rb +++ b/test/test_helper.rb @@ -22,9 +22,16 @@ def jwt_unauthorized @@unauthorized_token ||= JWT.encode(@@unauthorized_data, "bad_secret") end + def jwt_read_group + @@read_group_token ||= JWT.encode(@@read_group_data, Config[:jwt_signing_key]) + end + private + @@authorized_data = { "sub"=>"john.doe@example.com", "name"=>"John Doe", "iat"=>1516239022, - "groups"=>[ "group1", "group2" ], "aud"=>"astral" } + "groups"=>[ "group1", "group2" ], "aud"=>"astral" } @@unauthorized_data = { "sub"=>"application_name", "common_name"=>"example.com", "ip_sans"=>"10.0.1.100" } + @@read_group_data = { "sub"=>"exene.cervenka@example.com", "name"=>"Exene Cervenka", "iat"=>1516239022, + "groups"=>[ "read_group" ], "aud"=>"astral" } end end