# Tests success paths for edge cases around rendering with secrets. # # 1. Verifies that attempting to encrypt a secret passphrase with an empty # string skips encryption and stores the document as cleartext instead # and that rendering the document works (which should avoid Barbican # API call). # 2. Verifies that attempting to encrypt any document with an incompatible # payload type (non-str, non-binary) results in the payload being properly # encoded and decoded by Deckhand before and after storing and retrieving # the encrypted data. defaults: request_headers: X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN'] verbose: true tests: ### Scenario 1 ### - name: purge desc: Begin testing from known state. DELETE: /api/v1.0/revisions status: 204 request_headers: content-type: application/x-yaml response_headers: null - name: create_encrypted_passphrase_empty_payload_skips desc: | Attempting to create an encrypted passphrase with empty payload should avoid encryption and return the empty payload instead. PUT: /api/v1.0/buckets/secret/documents status: 200 request_headers: content-type: application/x-yaml response_headers: content-type: application/x-yaml data: |- --- schema: deckhand/LayeringPolicy/v1 metadata: schema: metadata/Control/v1 name: layering-policy data: layerOrder: - site --- schema: deckhand/Passphrase/v1 metadata: schema: metadata/Document/v1 name: my-passphrase storagePolicy: encrypted layeringDefinition: abstract: false layer: site data: '' ... response_multidoc_jsonpaths: $.`len`: 2 $.[1].metadata.name: my-passphrase $.[1].data: '' - name: validate_no_secret_exists_in_barbican desc: Validate that no secret was created in Barbican. GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets status: 200 request_headers: content-type: application/json response_headers: content-type: application/json; charset=UTF-8 response_json_paths: $.secrets.`len`: 0 $.secrets: [] - name: verify_revision_documents_returns_same_empty_payload desc: Verify that the created document wasn't encrypted. GET: /api/v1.0/revisions/$HISTORY['create_encrypted_passphrase_empty_payload_skips'].$RESPONSE['$.[0].status.revision']/documents status: 200 request_headers: content-type: application/x-yaml response_headers: content-type: application/x-yaml query_parameters: metadata.name: my-passphrase response_multidoc_jsonpaths: $.`len`: 1 $.[0].data: '' - name: verify_rendered_documents_returns_same_empty_payload desc: | Verify that rendering the document returns the same empty payload which requires that the data be read directly from Deckhand's DB rather than Barbican. GET: /api/v1.0/revisions/$HISTORY['create_encrypted_passphrase_empty_payload_skips'].$RESPONSE['$.[0].status.revision']/rendered-documents status: 200 request_headers: content-type: application/x-yaml response_headers: content-type: application/x-yaml query_parameters: metadata.name: my-passphrase response_multidoc_jsonpaths: $.`len`: 1 $.[0].data: '' ### Scenario 2 ### - name: create_encrypted_passphrase_with_incompatible_payload desc: | Attempting to encrypt a non-str/non-bytes payload should result in it first being base64-encoded then passed to Barbican. The response should be a Barbican reference, which indicates the scenario passed successfully. PUT: /api/v1.0/buckets/secret/documents status: 200 request_headers: content-type: application/x-yaml response_headers: content-type: application/x-yaml data: |- --- schema: deckhand/LayeringPolicy/v1 metadata: schema: metadata/Control/v1 name: layering-policy data: layerOrder: - site --- schema: armada/Generic/v1 metadata: schema: metadata/Document/v1 name: armada-doc storagePolicy: encrypted layeringDefinition: abstract: false layer: site data: # This will be an object in memory requiring base64 encoding. foo: bar ... response_multidoc_jsonpaths: $.`len`: 2 $.[1].metadata.name: armada-doc # NOTE(felipemonteiro): jsonpath-rw-ext uses a 1 character separator (rather than allowing a string) # leading to this nastiness: $.[1].data.`split(:, 0, 1)` + "://" + $.[1].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL'] - name: validate_opaque_secret_exists_in_barbican desc: Validate that the secret was created as opaque in Barbican. GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets/$HISTORY['create_encrypted_passphrase_with_incompatible_payload'].$RESPONSE['$.[1].data.`split(/, 5, -1)`'] status: 200 request_headers: content-type: application/json response_headers: content-type: application/json; charset=UTF-8 response_json_paths: $.status: ACTIVE $.name: armada-doc $.secret_type: opaque - name: verify_revision_documents_returns_barbican_ref desc: Verify that the encrypted document returns a Barbican ref. GET: /api/v1.0/revisions/$HISTORY['create_encrypted_passphrase_with_incompatible_payload'].$RESPONSE['$.[0].status.revision']/documents status: 200 request_headers: content-type: application/x-yaml response_headers: content-type: application/x-yaml query_parameters: metadata.name: armada-doc cleartext-secrets: 'true' response_multidoc_jsonpaths: $.`len`: 1 $.[0].data.`split(:, 0, 1)` + "://" + $.[0].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL'] - name: verify_rendered_documents_returns_unencrypted_payload desc: | Verify that rendering the document returns the original payload which means that Deckhand successfully encoded and decoded the non-compatible payload using base64 encoding. GET: /api/v1.0/revisions/$HISTORY['create_encrypted_passphrase_with_incompatible_payload'].$RESPONSE['$.[0].status.revision']/rendered-documents status: 200 request_headers: content-type: application/x-yaml response_headers: content-type: application/x-yaml query_parameters: metadata.name: armada-doc cleartext-secrets: true response_multidoc_jsonpaths: $.`len`: 1 $.[0].data: foo: bar