diff --git a/app/controllers/secrets_controller.rb b/app/controllers/secrets_controller.rb
index 97d3e53..331ec24 100644
--- a/app/controllers/secrets_controller.rb
+++ b/app/controllers/secrets_controller.rb
@@ -25,7 +25,7 @@ def show
 @secret = result.secret
 end
- def delete
+ def destroy
 req = Requests::SecretRequest.new(path: params.require(:path))
 if !req.valid?
 raise BadRequestError.new req.errors.full_messages
diff --git a/app/lib/services/vault_service.rb b/app/lib/services/vault_service.rb
index 4cc47a4..cc47319 100644
--- a/app/lib/services/vault_service.rb
+++ b/app/lib/services/vault_service.rb
@@ -32,10 +32,8 @@ def client
 end
 def enable_engine(mount, type)
- unless client.sys.mounts.key?(mount + "/")
+ unless client.sys.mounts.key?(mount.to_sym)
 client.sys.mount(mount, type, "#{type} secrets engine")
- else
- puts "#{mount} already enabled."
 end
 rescue Vault::HTTPError => e
 puts "Error enabling #{type} engine: #{e}"
diff --git a/config/routes.rb b/config/routes.rb
index 8bfed1c..ad88fce 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -15,4 +15,5 @@
 resources :certificates, only: %i[create]
 resources :secrets, only: %i[create]
 get "secrets/*path", to: "secrets#show", as: :secret
+ delete "secrets/*path", to: "secrets#destroy", as: :destroy_secret
 end
diff --git a/test/integration/certificates_controller_test.rb b/test/integration/certificates_test.rb
similarity index 57%
rename from test/integration/certificates_controller_test.rb
rename to test/integration/certificates_test.rb
index d2f887c..375d459 100644
--- a/test/integration/certificates_controller_test.rb
+++ b/test/integration/certificates_test.rb
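Review bot: With the `else` branch removed, an existing mount at `mount` of a different engine type is now accepted silently, and the `rescue Vault::HTTPError` that follows only `puts` the error and lets enable_engine return nil, so a caller cannot tell whether the engine is actually enabled; the method's `end` lies outside the hunk. The lookup `mount.to_sym` relies on the vault gem returning symbolized mount names without the trailing slash (the removed `mount + "/"` form assumed the opposite), so a comment such as `# sys.mounts keys are symbols without the trailing "/"` would stop the next reader from reverting it. Replace the `puts` with `Rails.logger.error("Error enabling #{type} engine: #{e}")` and either re-raise with a bare `raise` or return a boolean, so a failed mount surfaces to the caller instead of stdout.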
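Review bot: The new `delete "secrets/*path"` route (and the `get` above it) keeps Rails' default format handling for wildcard segments, so a key whose last segment contains a dot (a hypothetical `top/secret/key.v1`) arrives with `params[:path]` cut at the dot and the remainder treated as the response format; for a destroy action that means acting on a different path than the one the client named. Add `format: false` to both lines: `get "secrets/*path", to: "secrets#show", as: :secret, format: false` and `delete "secrets/*path", to: "secrets#destroy", as: :destroy_secret, format: false`.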
@@ -1,20 +1,18 @@
 require "test_helper"
-class CertificatesControllerTest < ActionDispatch::IntegrationTest
+class CertificatesTest < ActionDispatch::IntegrationTest
 test "#create unauthorized" do
 post certificates_path
 assert_response :unauthorized
 end
 test "#create with faulty token (encoded with different signing key)" do
- jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhcHBsaWNhdGlvbl9uYW1lIiwiY29tbW9uX25hbWUiOiJleGFtcGxlLmNvbSIsImlwX3NhbnMiOiIxMC4wLjEuMTAwIn0.gEUyaZcARiBQNq2RUwZU0MdFXqthyo_oSQ8DAgKvxCs"
- post certificates_path, headers: { "Authorization" => "Bearer #{jwt}" }
+ post certificates_path, headers: { "Authorization" => "Bearer #{jwt_unauthorized}" }
 assert_response :unauthorized
 end
 test "#create authorized as owner" do
- jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTUxNjIzOTAyMiwiZ3JvdXBzIjpbImdyb3VwMSIsImdyb3VwMiJdLCJhdWQiOiJhc3RyYWwifQ.tfRLXmE_eq-piP88_clwPWrYfMAQbCJAeZQI6OFxZSI"
- post certificates_path, headers: { "Authorization" => "Bearer #{jwt}" },
+ post certificates_path, headers: { "Authorization" => "Bearer #{jwt_authorized}" },
 params: { cert_issue_request: { common_name: "example.com" } }
 assert_response :success
 %w[ ca_chain
@@ -29,8 +27,7 @@ class CertificatesControllerTest < ActionDispatch::IntegrationTest
 end
 test "#create authorized by group" do
- jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTUxNjIzOTAyMiwiZ3JvdXBzIjpbImdyb3VwMSIsImdyb3VwMiJdLCJhdWQiOiJhc3RyYWwifQ.tfRLXmE_eq-piP88_clwPWrYfMAQbCJAeZQI6OFxZSI"
- post certificates_path, headers: { "Authorization" => "Bearer #{jwt}" },
+ post certificates_path, headers: { "Authorization" => "Bearer #{jwt_authorized}" },
 params: { cert_issue_request: { common_name: "example2.com" } }
 assert_response :success
 %w[ ca_chain
@@ -45,8 +42,7 @@ class CertificatesControllerTest < ActionDispatch::IntegrationTest
 end
 test "#create not authorized by group" do
- jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTUxNjIzOTAyMiwiZ3JvdXBzIjpbImdyb3VwMSIsImdyb3VwMiJdLCJhdWQiOiJhc3RyYWwifQ.tfRLXmE_eq-piP88_clwPWrYfMAQbCJAeZQI6OFxZSI"
- post certificates_path, headers: { "Authorization" => "Bearer #{jwt}" },
+ post certificates_path, headers: { "Authorization" => "Bearer #{jwt_authorized}" },
 params: { cert_issue_request: { common_name: "example3.com" } }
 assert_response :unauthorized
 end
diff --git a/test/integration/secrets_test.rb b/test/integration/secrets_test.rb
new file mode 100644
index 0000000..7273109
--- /dev/null
+++ b/test/integration/secrets_test.rb
@@ -0,0 +1,44 @@
+require "test_helper"
+
+class SecretsTest < ActionDispatch::IntegrationTest
+ test "#create unauthorized" do
+ post secrets_path
+ assert_response :unauthorized
+ end
+
+ test "#create with faulty token (encoded with different signing key)" do
+ post secrets_path, headers: { "Authorization" => "Bearer #{jwt_unauthorized}" }
+ assert_response :unauthorized
+ end
+
+ test "#create or update a secret" do
+ create_secret
+ end
+
+ test "#show" do
+ create_secret
+ # view the secret
+ get secret_path("top/secret/key"), headers: { "Authorization" => "Bearer #{jwt_authorized}" }
+ assert_response :success
+ %w[ data metadata lease_id ].each do |key|
+ assert_includes response.parsed_body["secret"].keys, key
+ end
+ end
+
+ test "#delete" do
+ create_secret
+ # delete the secret
+ delete destroy_secret_path("top/secret/key"), headers: { "Authorization" => "Bearer #{jwt_authorized}" }
+ assert_response :success
+ end
+
+ def create_secret
+ # create the secret
+ post secrets_path, headers: { "Authorization" => "Bearer #{jwt_authorized}" },
+ params: { secret: { path: "top/secret/key", data: { password: "sicr3t" } } }
+ assert_response :success
+ %w[ data metadata lease_id ].each do |key|
+ assert_includes response.parsed_body["secret"].keys, key
+ end
+ end
+end
diff --git a/test/test_helper.rb b/test/test_helper.rb
index 332896f..d5cdb9d 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
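Review bot: Only `#create` has unauthorized cases; `#show` and `#delete` are exercised solely with `jwt_authorized`, so a missing or wrongly signed token on `get secret_path(...)` and `delete destroy_secret_path(...)` is never asserted, and `#delete` stops at `assert_response :success` without checking that the secret is actually gone. Add the two negative cases mirroring `#create unauthorized`, follow the delete with a GET asserting whatever status `secrets#show` returns for a missing secret (the controller is not in this hunk, so that status is unverified here), and move `create_secret` under `private` since it is a helper rather than a test. Every test also writes the same fixed path `top/secret/key` into the backing store with no teardown, so the suite silently depends on create being idempotent and order-independent; a `teardown` that deletes the path would make that explicit.
```ruby
  test "#show unauthorized" do
    get secret_path("top/secret/key")
    assert_response :unauthorized
  end

  test "#delete unauthorized" do
    delete destroy_secret_path("top/secret/key")
    assert_response :unauthorized
  end

  # … unchanged: #create and #show tests …

  test "#delete" do
    create_secret
    delete destroy_secret_path("top/secret/key"), headers: { "Authorization" => "Bearer #{jwt_authorized}" }
    assert_response :success
    get secret_path("top/secret/key"), headers: { "Authorization" => "Bearer #{jwt_authorized}" }
    assert_response :not_found # TODO confirm: the status secrets#show returns for a missing secret
  end

  private

  # … unchanged: create_secret …
```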
@@ -11,6 +11,13 @@ class TestCase
 # Setup all fixtures in test/fixtures/*.yml for all tests in alphabetical order.
 fixtures :all
- # Add more helper methods to be used by all tests here...
+ # Helper methods
+ def jwt_authorized
+ "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTUxNjIzOTAyMiwiZ3JvdXBzIjpbImdyb3VwMSIsImdyb3VwMiJdLCJhdWQiOiJhc3RyYWwifQ.tfRLXmE_eq-piP88_clwPWrYfMAQbCJAeZQI6OFxZSI"
+ end
+
+ def jwt_unauthorized
+ "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhcHBsaWNhdGlvbl9uYW1lIiwiY29tbW9uX25hbWUiOiJleGFtcGxlLmNvbSIsImlwX3NhbnMiOiIxMC4wLjEuMTAwIn0.gEUyaZcARiBQNq2RUwZU0MdFXqthyo_oSQ8DAgKvxCs"
+ end
 end
 end
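Review bot: `jwt_authorized` and `jwt_unauthorized` return opaque literals with nothing saying what they encode, so a reader has to base64-decode them to learn why one passes and the other fails. Both headers decode to HS256; the first payload carries `sub` john.doe@example.com, `groups` group1/group2 and `aud` astral with an `iat` but no `exp`, while the second carries an unrelated payload and, per the test names, is signed with a different key. Document that above each method, e.g. `# HS256 token for john.doe@example.com (groups group1/group2, aud astral); iat only, no exp; signed with the key the test environment verifies against.` and `# Same header, unrelated payload, signed with a different key: must fail signature verification.`. Because neither token carries `exp`, the suite never exercises an expired or wrong-`aud` token; generating tokens in the helper from the test signing key (if the app already depends on a JWT library) would let those cases be added without more literals.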