-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathcheckout_handler_test.go
157 lines (134 loc) · 3.97 KB
/
checkout_handler_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package openldap
import (
"context"
"fmt"
"reflect"
"testing"
"github.com/hashicorp/vault/sdk/logical"
)
func TestCheckOutHandlerStorageLayer(t *testing.T) {
ctx := context.Background()
b, s := getBackend(false)
defer b.Cleanup(ctx)
checkOut := &CheckOut{
BorrowerEntityID: "entity-id",
BorrowerClientToken: "client-token",
}
serviceAccountName := "[email protected]"
config := &config{
PasswordLength: 14,
}
entry, err := logical.StorageEntryJSON(configPath, config)
if err != nil {
t.Fatal(err)
}
if err := s.Put(ctx, entry); err != nil {
t.Fatal(err)
}
// Service accounts must initially be checked in to the library
if err := b.CheckIn(ctx, s, serviceAccountName); err != nil {
t.Fatal(err)
}
// If we try to check something out for the first time, it should succeed.
if err := b.CheckOut(ctx, s, serviceAccountName, checkOut); err != nil {
t.Fatal(err)
}
// We should have the testCheckOut in storage now.
storedCheckOut, err := b.LoadCheckOut(ctx, s, serviceAccountName)
if err != nil {
t.Fatal(err)
}
if storedCheckOut == nil {
t.Fatal("storedCheckOut should not be nil")
}
if !reflect.DeepEqual(checkOut, storedCheckOut) {
t.Fatalf(fmt.Sprintf(`expected %+v to be equal to %+v`, checkOut, storedCheckOut))
}
// If we try to check something out that's already checked out, we should
// get a CurrentlyCheckedOutErr.
if err := b.CheckOut(ctx, s, serviceAccountName, checkOut); err == nil {
t.Fatal("expected err but received none")
} else if err != errCheckedOut {
t.Fatalf("expected errCheckedOut, but received %s", err)
}
// If we try to check something in, it should succeed.
if err := b.CheckIn(ctx, s, serviceAccountName); err != nil {
t.Fatal(err)
}
// We should no longer have the testCheckOut in s.
storedCheckOut, err = b.LoadCheckOut(ctx, s, serviceAccountName)
if err != nil {
t.Fatal(err)
}
if !storedCheckOut.IsAvailable {
t.Fatal("storedCheckOut should be nil")
}
// If we try to check it in again, it should have the same behavior.
if err := b.CheckIn(ctx, s, serviceAccountName); err != nil {
t.Fatal(err)
}
// If we check it out again, it should succeed.
if err := b.CheckOut(ctx, s, serviceAccountName, checkOut); err != nil {
t.Fatal(err)
}
}
func TestPasswordHandlerInterfaceFulfillment(t *testing.T) {
ctx := context.Background()
b, s := getBackend(false)
defer b.Cleanup(ctx)
checkOut := &CheckOut{
BorrowerEntityID: "entity-id",
BorrowerClientToken: "client-token",
}
serviceAccountName := "[email protected]"
config := &config{
PasswordLength: 14,
}
entry, err := logical.StorageEntryJSON(configPath, config)
if err != nil {
panic(err)
}
if err := s.Put(ctx, entry); err != nil {
panic(err)
}
// We must always start managing a service account by checking it in.
if err := b.CheckIn(ctx, s, serviceAccountName); err != nil {
t.Fatal(err)
}
// There should be no error during check-out.
if err := b.CheckOut(ctx, s, serviceAccountName, checkOut); err != nil {
t.Fatal(err)
}
// The password should get rotated successfully during check-in.
origPassword, err := retrievePassword(ctx, s, serviceAccountName)
if err != nil {
t.Fatal(err)
}
if err := b.CheckIn(ctx, s, serviceAccountName); err != nil {
t.Fatal(err)
}
currPassword, err := retrievePassword(ctx, s, serviceAccountName)
if err != nil {
t.Fatal(err)
}
if currPassword == "" || currPassword == origPassword {
t.Fatal("expected password, but received none")
}
// There should be no error during delete and the password should be deleted.
if err := b.DeleteCheckout(ctx, s, serviceAccountName); err != nil {
t.Fatal(err)
}
currPassword, err = retrievePassword(ctx, s, serviceAccountName)
if err != errNotFound {
t.Fatal("expected errNotFound")
}
checkOut, err = b.LoadCheckOut(ctx, s, serviceAccountName)
if err != errNotFound {
t.Fatal("expected err not found")
}
if checkOut != nil {
t.Fatal("expected checkOut to be nil")
}
}