Some additional tests for identity/identity_alias

G-Research · Nov 17, 2024 · 7f5823d · 7f5823d
1 parent 13608b1
commit 7f5823d
Show file tree

Hide file tree

Showing 4 changed files with 147 additions and 3 deletions.
diff --git a/app/lib/clients/vault/identity_alias.rb b/app/lib/clients/vault/identity_alias.rb
@@ -5,14 +5,18 @@ def put_entity_alias(entity_name, alias_name, auth_method)
         write_identity_alias("entity", entity_name, alias_name, auth_method)
       end
 
-      def put_group_alias(group_name, auth_method)
-        write_identity_alias("group", group_name, group_name, auth_method)
+      def put_group_alias(group_name, alias_name, auth_method)
+        write_identity_alias("group", group_name, alias_name, auth_method)
       end
 
       def read_entity_alias(entity_name, alias_name, auth_path)
         read_identity_alias("entity", entity_name, alias_name, auth_path)
       end
 
+      def read_group_alias(group_name, alias_name, auth_path)
+        read_identity_alias("group", group_name, alias_name, auth_path)
+      end
+
       def delete_entity_alias(entity_name, alias_name, auth_path)
         identity = client.logical.read("identity/entity/name/#{entity_name}")
         if identity.nil?

diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb
@@ -22,7 +22,7 @@ def assign_entity_policy(identity, policy_name)
       def assign_groups_policy(groups, policy_name)
         groups.each do |group|
           put_group(group, [ policy_name ])
-          put_group_alias(group, "oidc")
+          put_group_alias(group, "#{group}-alias", "oidc")
         end
       end
 
@@ -98,6 +98,9 @@ def create_astral_policy
         path "identity/entity-alias" {
           capabilities = ["create", "read", "update", "delete", "list"]
         }
+        path "identity/entity-alias/*" {
+          capabilities = ["create", "read", "update", "delete", "list"]
+        }
         path "identity/group" {
           capabilities = ["create", "read", "update", "delete", "list"]
         }
@@ -107,6 +110,9 @@ def create_astral_policy
         path "identity/group-alias" {
           capabilities = ["create", "read", "update", "delete", "list"]
         }
+        path "identity/group-alias/*" {
+          capabilities = ["create", "read", "update", "delete", "list"]
+        }
         path "/sys/auth" {
           capabilities = ["read"]
         }

diff --git a/test/lib/clients/vault/identity_alias_test.rb b/test/lib/clients/vault/identity_alias_test.rb
@@ -0,0 +1,71 @@
+require "test_helper"
+
+class IdentityAliasTest < ActiveSupport::TestCase
+  setup do
+    @client = Clients::Vault
+    @identity = Identity.new
+    email = SecureRandom.hex(4)
+    @identity.sub = email
+    @alias_name = @identity.sub
+    @group_name = SecureRandom.hex(4)
+    @policies = %w[ my_policy1 my_policy2 ]
+    @auth_path = "oidc"
+  end
+
+  test "#put_entity_alias creates an entity_alias" do
+    assert_raise {  @client.read_entity_alias(@identity.sub, @alias_name, @auth_path) }
+    @client.put_entity(@identity.sub, @policies)
+
+    assert_kind_of Vault::Secret, @client.put_entity_alias(@identity.sub, @alias_name, @auth_path)
+    entity_alias = @client.read_entity_alias(@identity.sub, @alias_name, @auth_path)
+    assert_not_nil entity_alias
+  end
+
+  test "#put_entity_alias skips an existing entity_alias" do
+    existing_alias = SecureRandom.hex
+    assert_raise {  @client.read_entity_alias(@identity.sub, existing_alias, @auth_path) }
+    @client.put_entity(@identity.sub, @policies)
+    assert_kind_of Vault::Secret, @client.put_entity_alias(@identity.sub, existing_alias, @auth_path)
+    entity_alias = @client.read_entity_alias(@identity.sub, existing_alias, @auth_path)
+    assert_not_nil entity_alias
+
+    # returns nil/no error when an existing alias exists
+    assert_nil @client.put_entity_alias(@identity.sub, existing_alias, @auth_path)
+    entity_alias = @client.read_entity_alias(@identity.sub, existing_alias, @auth_path)
+    assert_not_nil entity_alias
+  end
+
+  test "#delete_entity_alias removes an entity_alias" do
+    @client.put_entity(@identity.sub, @policies)
+
+    assert_kind_of Vault::Secret, @client.put_entity_alias(@identity.sub, @alias_name, @auth_path)
+    entity_alias = @client.read_entity_alias(@identity.sub, @alias_name, @auth_path)
+    assert_not_nil entity_alias
+
+    @client.delete_entity_alias(@identity.sub, @alias_name, @auth_path)
+    assert_raise {  @client.read_entity_alias(@identity.sub, @alias_name, @auth_path) }
+  end
+
+  test "#put_group_alias creates a group_alias" do
+    assert_raise {  @client.read_group_alias(@group_name, @alias_name, @auth_path) }
+    @client.put_group(@group_name, @policies)
+
+    assert_kind_of Vault::Secret, @client.put_group_alias(@group_name, @alias_name, @auth_path)
+    group_alias = @client.read_group_alias(@group_name, @alias_name, @auth_path)
+    assert_not_nil group_alias
+  end
+
+  test "#put_group_alias skips an existing group_alias" do
+    existing_alias = SecureRandom.hex
+    assert_raise {  @client.read_group_alias(@group_name, existing_alias, @auth_path) }
+    @client.put_group(@group_name, @policies)
+    assert_kind_of Vault::Secret, @client.put_group_alias(@group_name, existing_alias, @auth_path)
+    group_alias = @client.read_group_alias(@group_name, existing_alias, @auth_path)
+    assert_not_nil group_alias
+
+    # returns nil/no error when an existing alias exists
+    assert_nil @client.put_group_alias(@group_name, existing_alias, @auth_path)
+    group_alias = @client.read_group_alias(@group_name, existing_alias, @auth_path)
+    assert_not_nil group_alias
+  end
+end
diff --git a/test/lib/clients/vault/identity_test.rb b/test/lib/clients/vault/identity_test.rb
@@ -0,0 +1,63 @@
+require "test_helper"
+
+class IdentityTest < ActiveSupport::TestCase
+  setup do
+    @client = Clients::Vault
+    @identity = Identity.new
+    email = SecureRandom.hex(4)
+    @identity.sub = email
+    @group_name = SecureRandom.hex(4)
+    @policies = %w[ my_policy1 my_policy2 ]
+  end
+
+  test "#put_entity creates an entity" do
+    entity =  @client.read_entity(@identity.sub)
+    assert_nil entity
+
+    @client.put_entity(@identity.sub, @policies)
+    entity =  @client.read_entity(@identity.sub)
+    assert_equal @policies, entity.data[:policies]
+  end
+
+ test "#put_entity merges policies for an existing entity" do
+    existing_policies = %w[ policy_from_elsewhere ]
+    existing_entity = SecureRandom.hex(4)
+
+    @client.put_entity(existing_entity, existing_policies)
+    policies, metadata =  @client.get_entity_data(existing_entity)
+    assert_equal existing_policies, policies
+
+    @client.put_entity(existing_entity, @policies)
+    policies, metadata =  @client.get_entity_data(existing_entity)
+    assert_equal @policies + existing_policies, policies
+  end
+
+  test "#delete_entity removes an entity" do
+    @client.put_entity(@identity.sub, @policies)
+    @client.delete_entity(@identity.sub)
+    entity =  @client.read_entity(@identity.sub)
+    assert_nil entity
+  end
+
+  test "#put_group creates an group" do
+    policies, metadata =  @client.get_group_data(@group_name)
+    assert_empty policies
+
+    @client.put_group(@group_name, @policies)
+    policies, metadata =  @client.get_group_data(@group_name)
+    assert_equal @policies, policies
+  end
+
+  test "#put_group merges policies for an existing group" do
+    existing_policies = %w[ policy_from_elsewhere ]
+    existing_group = SecureRandom.hex(4)
+
+    @client.put_group(existing_group, existing_policies)
+    policies, metadata =  @client.get_group_data(existing_group)
+    assert_equal existing_policies, policies
+
+    @client.put_group(existing_group, @policies)
+    policies, metadata =  @client.get_group_data(existing_group)
+    assert_equal @policies + existing_policies, policies
+  end
+end