# Tests success paths for secret substitution using each Deckhand secret type. # The types include: Certificate, CertificateKey, CertificateAuthority, # CertificateAuthorityKey, Passphrase, PrivateKey, PublicKey. # # 1. Tests that creating each supported Deckhand secret type results in the # Barbican secret ref being returned. # 2. Tests that each secret payload is included in the destination # and source documents after document rendering. defaults: request_headers: X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN'] verbose: true tests: - name: purge desc: Begin testing from known state. DELETE: /api/v1.0/revisions status: 204 request_headers: content-type: application/x-yaml response_headers: null - name: create_documents_for_secret_substitution desc: Create documents with substitution source with storagePolicy=encrypted PUT: /api/v1.0/buckets/secret/documents status: 200 request_headers: content-type: application/x-yaml response_headers: content-type: application/x-yaml data: |- --- schema: deckhand/LayeringPolicy/v1 metadata: schema: metadata/Control/v1 name: layering-policy data: layerOrder: - site --- schema: deckhand/Certificate/v1 metadata: name: example-cert schema: metadata/Document/v1 layeringDefinition: abstract: false layer: site storagePolicy: encrypted data: CERTIFICATE DATA --- schema: deckhand/CertificateAuthority/v1 metadata: name: example-ca schema: metadata/Document/v1 layeringDefinition: abstract: false layer: site storagePolicy: encrypted data: CA DATA --- schema: deckhand/CertificateAuthorityKey/v1 metadata: name: example-ca-key schema: metadata/Document/v1 layeringDefinition: abstract: false layer: site storagePolicy: encrypted data: CA KEY DATA --- schema: deckhand/CertificateKey/v1 metadata: name: example-cert-key schema: metadata/Document/v1 layeringDefinition: abstract: false layer: site storagePolicy: encrypted data: CERTIFICATE KEY DATA --- schema: deckhand/Passphrase/v1 metadata: name: example-passphrase schema: metadata/Document/v1 layeringDefinition: abstract: false layer: site storagePolicy: encrypted data: PASSPHRASE DATA --- schema: deckhand/PrivateKey/v1 metadata: name: example-private-key schema: metadata/Document/v1 layeringDefinition: abstract: false layer: site storagePolicy: encrypted data: PRIVATE KEY DATA --- schema: deckhand/PublicKey/v1 metadata: name: example-public-key schema: metadata/Document/v1 layeringDefinition: abstract: false layer: site storagePolicy: encrypted data: PUBLIC KEY DATA --- schema: armada/Chart/v1 metadata: schema: metadata/Document/v1 name: armada-chart-01 # We don't need to encrypt the destination document. storagePolicy: cleartext layeringDefinition: layer: site substitutions: - dest: path: .certificate src: schema: deckhand/Certificate/v1 name: example-cert path: . - dest: path: .certificate_authority src: schema: deckhand/CertificateAuthority/v1 name: example-ca path: . - dest: path: .certificate_authority_key src: schema: deckhand/CertificateAuthorityKey/v1 name: example-ca-key path: . - dest: path: .certificate_key src: schema: deckhand/CertificateKey/v1 name: example-cert-key path: . - dest: path: .passphrase src: schema: deckhand/Passphrase/v1 name: example-passphrase path: . - dest: path: .private_key src: schema: deckhand/PrivateKey/v1 name: example-private-key path: . - dest: path: .public_key src: schema: deckhand/PublicKey/v1 name: example-public-key path: . data: {} ... - name: verify_multiple_revision_documents_returns_secret_ref desc: Verify that secret ref was created for each secret document type. GET: /api/v1.0/revisions/$RESPONSE['$.[0].status.revision']/documents status: 200 request_headers: content-type: application/x-yaml response_headers: content-type: application/x-yaml query_parameters: metadata.name: - example-ca - example-ca-key - example-cert - example-cert-key - example-passphrase - example-private-key - example-public-key cleartext-secrets: 'true' response_multidoc_jsonpaths: $.`len`: 7 # NOTE(felipemonteiro): jsonpath-rw-ext uses a 1 character separator (rather than allowing a string) # leading to this nastiness: $.[0].data.`split(:, 0, 1)` + "://" + $.[0].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL'] $.[1].data.`split(:, 0, 1)` + "://" + $.[1].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL'] $.[2].data.`split(:, 0, 1)` + "://" + $.[2].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL'] $.[3].data.`split(:, 0, 1)` + "://" + $.[3].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL'] $.[4].data.`split(:, 0, 1)` + "://" + $.[4].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL'] $.[5].data.`split(:, 0, 1)` + "://" + $.[5].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL'] $.[6].data.`split(:, 0, 1)` + "://" + $.[6].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL'] - name: validate_expected_secrets_exist_in_barbican desc: Validate that all the expected secrets were created in Barbican. GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets status: 200 query_parameters: sort: name request_headers: content-type: application/json response_headers: content-type: application/json; charset=UTF-8 response_json_paths: $.secrets.`len`: 7 $.secrets[*].status: - ACTIVE - ACTIVE - ACTIVE - ACTIVE - ACTIVE - ACTIVE - ACTIVE $.secrets[*].name: - example-ca - example-ca-key - example-cert - example-cert-key - example-passphrase - example-private-key - example-public-key $.secrets[*].secret_type: - certificate - private - certificate - private - passphrase - private - public - name: verify_secret_payload_in_destination_document desc: | Verify each secret payload is injected into the destination document and that the secret payload is present in each secret document type rather than the Barbican reference. GET: /api/v1.0/revisions/$HISTORY['create_documents_for_secret_substitution'].$RESPONSE['$.[0].status.revision']/rendered-documents status: 200 request_headers: content-type: application/x-yaml response_headers: content-type: application/x-yaml query_parameters: cleartext-secrets: true sort: 'metadata.name' response_multidoc_jsonpaths: $.`len`: 9 $.[0].metadata.name: armada-chart-01 $.[0].data: certificate: CERTIFICATE DATA certificate_authority: CA DATA certificate_authority_key: CA KEY DATA certificate_key: CERTIFICATE KEY DATA passphrase: PASSPHRASE DATA private_key: PRIVATE KEY DATA public_key: PUBLIC KEY DATA $.[1].metadata.name: example-ca $.[1].data: CA DATA $.[2].metadata.name: example-ca-key $.[2].data: CA KEY DATA $.[3].metadata.name: example-cert $.[3].data: CERTIFICATE DATA $.[4].metadata.name: example-cert-key $.[4].data: CERTIFICATE KEY DATA $.[5].metadata.name: example-passphrase $.[5].data: PASSPHRASE DATA $.[6].metadata.name: example-private-key $.[6].data: PRIVATE KEY DATA $.[7].metadata.name: example-public-key $.[7].data: PUBLIC KEY DATA