# Tests success paths for secret substitution using a generic document type. # This entails setting storagePolicy=encrypted for a non-built-in secret # document. # # 1. Tests that creating an encrypted generic document results in a # Barbican reference being returned. # 2. Tests that the encrypted payload is included in the destination # and source documents after document rendering. defaults: request_headers: content-type: application/x-yaml X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN'] response_headers: content-type: application/x-yaml verbose: true tests: - name: purge desc: Begin testing from known state. DELETE: /api/v1.0/revisions status: 204 response_headers: null - name: encrypt_generic_document_for_secret_substitution desc: | Create documents using a generic document type (armada/Generic/v1) as the substitution source with storagePolicy=encrypted. PUT: /api/v1.0/buckets/secret/documents status: 200 data: |- --- schema: deckhand/LayeringPolicy/v1 metadata: schema: metadata/Control/v1 name: layering-policy data: layerOrder: - site --- # Generic document as substitution source. schema: armada/Generic/v1 metadata: name: example-armada-cert schema: metadata/Document/v1 layeringDefinition: abstract: false layer: site storagePolicy: encrypted data: ARMADA CERTIFICATE DATA --- schema: armada/Chart/v1 metadata: schema: metadata/Document/v1 name: armada-chart-01 # We don't need to encrypt the destination document. storagePolicy: cleartext layeringDefinition: abstract: false layer: site substitutions: - dest: path: .chart.values.tls.certificate src: schema: armada/Generic/v1 name: example-armada-cert path: . data: {} ... - name: verify_multiple_revision_documents_returns_secret_ref desc: Verify that secret ref was created for example-armada-cert among multiple created documents. GET: /api/v1.0/revisions/$RESPONSE['$.[0].status.revision']/documents status: 200 query_parameters: metadata.name: example-armada-cert cleartext-secrets: 'true' response_multidoc_jsonpaths: $.`len`: 1 # NOTE(felipemonteiro): jsonpath-rw-ext uses a 1 character separator (rather than allowing a string) # leading to this nastiness: $.[0].data.`split(:, 0, 1)` + "://" + $.[0].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL'] - name: verify_generic_secret_created_in_barbican desc: Validate that the generic secret gets stored with secret_type passphrase. GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets/$RESPONSE['$.[0].data.`split(/, 5, -1)`'] status: 200 request_headers: content-type: application/json response_headers: content-type: application/json; charset=UTF-8 response_json_paths: $.status: ACTIVE $.name: example-armada-cert # Default type for documents with generic schema. $.secret_type: passphrase - name: verify_secret_payload_in_destination_document desc: Verify secret payload is injected in destination document as well as example-armada-cert. GET: /api/v1.0/revisions/$HISTORY['encrypt_generic_document_for_secret_substitution'].$RESPONSE['$.[0].status.revision']/rendered-documents status: 200 query_parameters: cleartext-secrets: true metadata.name: - armada-chart-01 - example-armada-cert sort: metadata.name response_multidoc_jsonpaths: $.`len`: 2 $.[0].metadata.name: armada-chart-01 $.[0].data: chart: values: tls: certificate: ARMADA CERTIFICATE DATA $.[1].metadata.name: example-armada-cert $.[1].data: ARMADA CERTIFICATE DATA