Add some tests for aws auth list binds

joelthompson · Feb 22, 2018 · 71bd5e1 · 71bd5e1
1 parent c342691
commit 71bd5e1
Showing 1 changed file with 16 additions and 15 deletions.
diff --git a/builtin/credential/aws/backend_test.go b/builtin/credential/aws/backend_test.go
@@ -1078,7 +1078,7 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
 		"auth_type":          "ec2",
 		"policies":           "root",
 		"max_ttl":            "120s",
-		"bound_ami_id":       "wrong_ami_id",
+		"bound_ami_id":       []string{"wrong_ami_id", "wrong_ami_id2"},
 		"bound_account_id":   accountID,
 		"bound_iam_role_arn": iamARN,
 	}
@@ -1102,10 +1102,10 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
 		t.Fatalf("bad: expected error response: resp:%#v\nerr:%v", resp, err)
 	}
 
-	// Place the correct AMI ID, but make the AccountID wrong
+	// Place the correct AMI ID in one of the values, but make the AccountID wrong
 	roleReq.Operation = logical.UpdateOperation
-	data["bound_ami_id"] = amiID
-	data["bound_account_id"] = "wrong-account-id"
+	data["bound_ami_id"] = []string{amiID, "wrong_ami_id_2"}
+	data["bound_account_id"] = []string{"wrong-account-id", "wrong-account-id-2"}
 	resp, err = b.HandleRequest(context.Background(), roleReq)
 	if err != nil || (resp != nil && resp.IsError()) {
 		t.Fatalf("bad: failed to create role: resp:%#v\nerr:%v", resp, err)
@@ -1117,9 +1117,9 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
 		t.Fatalf("bad: expected error response: resp:%#v\nerr:%v", resp, err)
 	}
 
-	// Place the correct AccountID, but make the wrong IAMRoleARN
-	data["bound_account_id"] = accountID
-	data["bound_iam_role_arn"] = "wrong_iam_role_arn"
+	// Place the correct AccountID in one of the values, but make the wrong IAMRoleARN
+	data["bound_account_id"] = []string{accountID, "wrong-account-id-2"}
+	data["bound_iam_role_arn"] = []string{"wrong_iam_role_arn", "wrong_iam_role_arn_2"}
 	resp, err = b.HandleRequest(context.Background(), roleReq)
 	if err != nil || (resp != nil && resp.IsError()) {
 		t.Fatalf("bad: failed to create role: resp:%#v\nerr:%v", resp, err)
@@ -1131,8 +1131,8 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
 		t.Fatalf("bad: expected error response: resp:%#v\nerr:%v", resp, err)
 	}
 
-	// place the correct IAM role ARN
-	data["bound_iam_role_arn"] = iamARN
+	// place a correct IAM role ARN
+	data["bound_iam_role_arn"] = []string{iamARN, "wrong_iam_role_arn_2"}
 	resp, err = b.HandleRequest(context.Background(), roleReq)
 	if err != nil || (resp != nil && resp.IsError()) {
 		t.Fatalf("bad: failed to create role: resp:%#v\nerr:%v", resp, err)
@@ -1438,7 +1438,7 @@ func TestBackendAcc_LoginWithCallerIdentity(t *testing.T) {
 
 	// configuring the valid role we'll be able to login to
 	roleData := map[string]interface{}{
-		"bound_iam_principal_arn": entity.canonicalArn(),
+		"bound_iam_principal_arn": []string{entity.canonicalArn()}, // not filling in a fake ARN here as we're resolving unique IDs, so that would fail
 		"policies":                "root",
 		"auth_type":               iamAuthType,
 	}
@@ -1471,16 +1471,17 @@ func TestBackendAcc_LoginWithCallerIdentity(t *testing.T) {
 	}
 
 	fakeArn := "arn:aws:iam::123456789012:role/somePath/FakeRole"
+	fakeArn2 := "arn:aws:iam::123456789012:role/somePath/FakeRole2"
 	fakeArnResolver := func(ctx context.Context, s logical.Storage, arn string) (string, error) {
-		if arn == fakeArn {
-			return fmt.Sprintf("FakeUniqueIdFor%s", fakeArn), nil
+		if strings.HasPrefix(arn, fakeArn) {
+			return fmt.Sprintf("FakeUniqueIdFor%s", arn), nil
 		}
 		return b.resolveArnToRealUniqueId(context.Background(), s, arn)
 	}
 	b.resolveArnToUniqueIDFunc = fakeArnResolver
 
 	// now we're creating the invalid role we won't be able to login to
-	roleData["bound_iam_principal_arn"] = fakeArn
+	roleData["bound_iam_principal_arn"] = []string{fakeArn, fakeArn2}
 	roleRequest.Path = "role/" + testInvalidRoleName
 	resp, err = b.HandleRequest(context.Background(), roleRequest)
 	if err != nil || (resp != nil && resp.IsError()) {
@@ -1612,11 +1613,11 @@ func TestBackendAcc_LoginWithCallerIdentity(t *testing.T) {
 	wildcardRoleName := "valid_wildcard"
 	wildcardEntity := *entity
 	wildcardEntity.FriendlyName = "*"
-	roleData["bound_iam_principal_arn"] = wildcardEntity.canonicalArn()
+	roleData["bound_iam_principal_arn"] = []string{wildcardEntity.canonicalArn(), "arn:aws:iam::123456789012:role/DoesNotExist/Vault_Fake_Role*"}
 	roleRequest.Path = "role/" + wildcardRoleName
 	resp, err = b.HandleRequest(context.Background(), roleRequest)
 	if err != nil || (resp != nil && resp.IsError()) {
-		t.Fatalf("bad: failed to create wildcard role: resp:%#v\nerr:%v", resp, err)
+		t.Fatalf("bad: failed to create wildcard roles: resp:%#v\nerr:%v", resp, err)
 	}
 
 	loginData["role"] = wildcardRoleName