diff --git a/app/lib/clients/vault/identity_alias.rb b/app/lib/clients/vault/identity_alias.rb
index f81103d..d5cac85 100644
--- a/app/lib/clients/vault/identity_alias.rb
+++ b/app/lib/clients/vault/identity_alias.rb
@@ -5,14 +5,18 @@ def put_entity_alias(entity_name, alias_name, auth_method)
 write_identity_alias("entity", entity_name, alias_name, auth_method)
 end
 
- def put_group_alias(group_name, auth_method)
- write_identity_alias("group", group_name, group_name, auth_method)
+ def put_group_alias(group_name, alias_name, auth_method)
+ write_identity_alias("group", group_name, alias_name, auth_method)
 end
 
 def read_entity_alias(entity_name, alias_name, auth_path)
 read_identity_alias("entity", entity_name, alias_name, auth_path)
 end
 
+ def read_group_alias(group_name, alias_name, auth_path)
+ read_identity_alias("group", group_name, alias_name, auth_path)
+ end
+
 def delete_entity_alias(entity_name, alias_name, auth_path)
 identity = client.logical.read("identity/entity/name/#{entity_name}")
 if identity.nil?
diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb
index dfa3761..7fbe942 100644
--- a/app/lib/clients/vault/policy.rb
+++ b/app/lib/clients/vault/policy.rb
@@ -22,7 +22,7 @@ def assign_entity_policy(identity, policy_name)
 def assign_groups_policy(groups, policy_name)
 groups.each do |group|
 put_group(group, [ policy_name ])
- put_group_alias(group, "oidc")
+ put_group_alias(group, "#{group}-alias", "oidc")
 end
 end
 
@@ -98,6 +98,9 @@ def create_astral_policy
 path "identity/entity-alias" {
 capabilities = ["create", "read", "update", "delete", "list"]
 }
+ path "identity/entity-alias/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+ }
 path "identity/group" {
 capabilities = ["create", "read", "update", "delete", "list"]
 }
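Review bot: The new `put_group_alias` and `read_group_alias` name the same third argument differently (`auth_method` on the put side, `auth_path` on the read side, mirroring the entity pair above them) even though the new tests pass the single value `"oidc"` to both; settling on one name makes it clear whether callers are expected to pass a mount path or an auth method type. Changing `put_group_alias` from two to three positional arguments is not backward compatible — a caller still passing two arguments raises ArgumentError at call time — and only the `assign_groups_policy` call site is updated in this diff, so any other caller is outside what I can see. `read_group_alias` arrives without a `delete_group_alias` counterpart next to `delete_entity_alias`, so group aliases created through this client apparently cannot be removed through it. A one-line doc on each public method would help, e.g. `# Creates a group alias named +alias_name+ for +group_name+ on the auth mount +auth_method+; returns the Vault::Secret, or nil when the alias already exists (see identity_alias_test)`.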
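Review bot: `put_group_alias(group, "#{group}-alias", "oidc")` now gives the alias a name that differs from the group, where the removed line used the group name for both. If these are external-group aliases that Vault matches against the value the OIDC provider returns in its groups claim, the alias name must be exactly that claim value; a `-alias` suffix only matches if the provider emits it, and otherwise the policies attached via `put_group` never reach a logged-in member — worth confirming against the auth mount's group-claim configuration before merging. The mount name `"oidc"` is hard-coded here and again as `@auth_path = "oidc"` in the new tests; a single constant such as `OIDC_AUTH_PATH = "oidc"` referenced from both would keep them from drifting.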
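Review bot: The added `path "identity/entity-alias/*"` stanza grants create/read/update/delete/list on every sub-path under the alias namespace, and the `identity/group-alias/*` stanza in the next hunk (@@ -107) does the same for groups. If the client only needs the id-addressed endpoints for per-alias reads and deletes, the narrower `path "identity/entity-alias/id/*"` with those capabilities, plus `list` on `identity/entity-alias/id`, covers that without handing the whole subtree to the token — confirm which endpoints `read_identity_alias` and `delete_entity_alias` actually call, as their bodies are outside this diff. The `create_astral_policy` heredoc starts and ends outside the hunk, so I cannot tell whether other wildcard grants in it were reviewed with the same lens.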
@@ -107,6 +110,9 @@ def create_astral_policy
 path "identity/group-alias" {
 capabilities = ["create", "read", "update", "delete", "list"]
 }
+ path "identity/group-alias/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+ }
 path "/sys/auth" {
 capabilities = ["read"]
 }
diff --git a/test/lib/clients/vault/identity_alias_test.rb b/test/lib/clients/vault/identity_alias_test.rb
new file mode 100644
index 0000000..7b89510
--- /dev/null
+++ b/test/lib/clients/vault/identity_alias_test.rb
@@ -0,0 +1,71 @@
+require "test_helper"
+
+class IdentityAliasTest < ActiveSupport::TestCase
+ setup do
+ @client = Clients::Vault
+ @identity = Identity.new
+ email = SecureRandom.hex(4)
+ @identity.sub = email
+ @alias_name = @identity.sub
+ @group_name = SecureRandom.hex(4)
+ @policies = %w[ my_policy1 my_policy2 ]
+ @auth_path = "oidc"
+ end
+
+ test "#put_entity_alias creates an entity_alias" do
+ assert_raise { @client.read_entity_alias(@identity.sub, @alias_name, @auth_path) }
+ @client.put_entity(@identity.sub, @policies)
+
+ assert_kind_of Vault::Secret, @client.put_entity_alias(@identity.sub, @alias_name, @auth_path)
+ entity_alias = @client.read_entity_alias(@identity.sub, @alias_name, @auth_path)
+ assert_not_nil entity_alias
+ end
+
+ test "#put_entity_alias skips an existing entity_alias" do
+ existing_alias = SecureRandom.hex
+ assert_raise { @client.read_entity_alias(@identity.sub, existing_alias, @auth_path) }
+ @client.put_entity(@identity.sub, @policies)
+ assert_kind_of Vault::Secret, @client.put_entity_alias(@identity.sub, existing_alias, @auth_path)
+ entity_alias = @client.read_entity_alias(@identity.sub, existing_alias, @auth_path)
+ assert_not_nil entity_alias
+
+ # returns nil/no error when an existing alias exists
+ assert_nil @client.put_entity_alias(@identity.sub, existing_alias, @auth_path)
+ entity_alias = @client.read_entity_alias(@identity.sub, existing_alias, @auth_path)
+ assert_not_nil entity_alias
+ end
+
+ test "#delete_entity_alias removes an entity_alias" do
+ @client.put_entity(@identity.sub, @policies)
+
+ assert_kind_of Vault::Secret, @client.put_entity_alias(@identity.sub, @alias_name, @auth_path)
+ entity_alias = @client.read_entity_alias(@identity.sub, @alias_name, @auth_path)
+ assert_not_nil entity_alias
+
+ @client.delete_entity_alias(@identity.sub, @alias_name, @auth_path)
+ assert_raise { @client.read_entity_alias(@identity.sub, @alias_name, @auth_path) }
+ end
+
+ test "#put_group_alias creates a group_alias" do
+ assert_raise { @client.read_group_alias(@group_name, @alias_name, @auth_path) }
+ @client.put_group(@group_name, @policies)
+
+ assert_kind_of Vault::Secret, @client.put_group_alias(@group_name, @alias_name, @auth_path)
+ group_alias = @client.read_group_alias(@group_name, @alias_name, @auth_path)
+ assert_not_nil group_alias
+ end
+
+ test "#put_group_alias skips an existing group_alias" do
+ existing_alias = SecureRandom.hex
+ assert_raise { @client.read_group_alias(@group_name, existing_alias, @auth_path) }
+ @client.put_group(@group_name, @policies)
+ assert_kind_of Vault::Secret, @client.put_group_alias(@group_name, existing_alias, @auth_path)
+ group_alias = @client.read_group_alias(@group_name, existing_alias, @auth_path)
+ assert_not_nil group_alias
+
+ # returns nil/no error when an existing alias exists
+ assert_nil @client.put_group_alias(@group_name, existing_alias, @auth_path)
+ group_alias = @client.read_group_alias(@group_name, existing_alias, @auth_path)
+ assert_not_nil group_alias
+ end
+end
diff --git a/test/lib/clients/vault/identity_test.rb b/test/lib/clients/vault/identity_test.rb
new file mode 100644
index 0000000..8256ab9
--- /dev/null
+++ b/test/lib/clients/vault/identity_test.rb
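Review bot: Every `assert_raise { @client.read_entity_alias(...) }` / `assert_raise { @client.read_group_alias(...) }` in this file is called without an exception class, so it is satisfied by any StandardError — an unreachable Vault, a permission denial from the token's policy, or a plain NoMethodError all make the "alias does not exist yet" precondition pass and the test still goes green. Pin the class the client raises for a missing alias (`Vault::HTTPClientError` if that is what `read_identity_alias` surfaces; its body is outside this diff), or replace the precondition with an explicit existence check. The setup also creates entities, groups and aliases under `SecureRandom.hex` names with no `teardown`, so every run leaves new identity objects in the Vault instance; a teardown calling `delete_entity_alias` and `delete_entity` (and a group counterpart once one exists) would keep the dev instance clean. `email = SecureRandom.hex(4)` is not an email — naming the local `subject` would match what it is assigned to.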
@@ -0,0 +1,63 @@
+require "test_helper"
+
+class IdentityTest < ActiveSupport::TestCase
+ setup do
+ @client = Clients::Vault
+ @identity = Identity.new
+ email = SecureRandom.hex(4)
+ @identity.sub = email
+ @group_name = SecureRandom.hex(4)
+ @policies = %w[ my_policy1 my_policy2 ]
+ end
+
+ test "#put_entity creates an entity" do
+ entity = @client.read_entity(@identity.sub)
+ assert_nil entity
+
+ @client.put_entity(@identity.sub, @policies)
+ entity = @client.read_entity(@identity.sub)
+ assert_equal @policies, entity.data[:policies]
+ end
+
+ test "#put_entity merges policies for an existing entity" do
+ existing_policies = %w[ policy_from_elsewhere ]
+ existing_entity = SecureRandom.hex(4)
+
+ @client.put_entity(existing_entity, existing_policies)
+ policies, metadata = @client.get_entity_data(existing_entity)
+ assert_equal existing_policies, policies
+
+ @client.put_entity(existing_entity, @policies)
+ policies, metadata = @client.get_entity_data(existing_entity)
+ assert_equal @policies + existing_policies, policies
+ end
+
+ test "#delete_entity removes an entity" do
+ @client.put_entity(@identity.sub, @policies)
+ @client.delete_entity(@identity.sub)
+ entity = @client.read_entity(@identity.sub)
+ assert_nil entity
+ end
+
+ test "#put_group creates an group" do
+ policies, metadata = @client.get_group_data(@group_name)
+ assert_empty policies
+
+ @client.put_group(@group_name, @policies)
+ policies, metadata = @client.get_group_data(@group_name)
+ assert_equal @policies, policies
+ end
+
+ test "#put_group merges policies for an existing group" do
+ existing_policies = %w[ policy_from_elsewhere ]
+ existing_group = SecureRandom.hex(4)
+
+ @client.put_group(existing_group, existing_policies)
+ policies, metadata = @client.get_group_data(existing_group)
+ assert_equal existing_policies, policies
+
+ @client.put_group(existing_group, @policies)
+ policies, metadata = @client.get_group_data(existing_group)
+ assert_equal @policies + existing_policies, policies
+ end
+end
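Review bot: Each `policies, metadata = @client.get_entity_data(...)` and `policies, metadata = @client.get_group_data(...)` destructuring never reads `metadata`; write them as `policies, _metadata = ...` so the unused binding is explicit and RuboCop does not flag it. The two merge tests assert `@policies + existing_policies` in that exact order, which pins the implementation's concatenation order rather than the set of policies — if ordering is not part of the contract, `assert_equal (@policies + existing_policies).sort, policies.sort` states the intent more honestly (hedged: I cannot see `put_entity`/`put_group`). Nothing removes the entities and groups created under random names, so each run grows the identity store; a `teardown` with `delete_entity` would at least cover the entity side (no `delete_group` is visible in this diff). The test name `"#put_group creates an group"` should read `"#put_group creates a group"`.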