193 lines
6.6 KiB
YAML
193 lines
6.6 KiB
YAML
# Tests success paths for edge cases around rendering with secrets.
|
|
#
|
|
# 1. Verifies that attempting to encrypt a secret passphrase with an empty
|
|
# string skips encryption and stores the document as cleartext instead
|
|
# and that rendering the document works (which should avoid Barbican
|
|
# API call).
|
|
# 2. Verifies that attempting to encrypt any document with an incompatible
|
|
# payload type (non-str, non-binary) results in the payload being properly
|
|
# encoded and decoded by Deckhand before and after storing and retrieving
|
|
# the encrypted data.
|
|
|
|
defaults:
|
|
request_headers:
|
|
X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN']
|
|
verbose: true
|
|
|
|
tests:
|
|
### Scenario 1 ###
|
|
- name: purge
|
|
desc: Begin testing from known state.
|
|
DELETE: /api/v1.0/revisions
|
|
status: 204
|
|
request_headers:
|
|
content-type: application/x-yaml
|
|
response_headers: null
|
|
|
|
- name: create_encrypted_passphrase_empty_payload_skips
|
|
desc: |
|
|
Attempting to create an encrypted passphrase with empty payload should
|
|
avoid encryption and return the empty payload instead.
|
|
PUT: /api/v1.0/buckets/secret/documents
|
|
status: 200
|
|
request_headers:
|
|
content-type: application/x-yaml
|
|
response_headers:
|
|
content-type: application/x-yaml
|
|
data: |-
|
|
---
|
|
schema: deckhand/LayeringPolicy/v1
|
|
metadata:
|
|
schema: metadata/Control/v1
|
|
name: layering-policy
|
|
data:
|
|
layerOrder:
|
|
- site
|
|
---
|
|
schema: deckhand/Passphrase/v1
|
|
metadata:
|
|
schema: metadata/Document/v1
|
|
name: my-passphrase
|
|
storagePolicy: encrypted
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
data: ''
|
|
...
|
|
response_multidoc_jsonpaths:
|
|
$.`len`: 2
|
|
$.[1].metadata.name: my-passphrase
|
|
$.[1].data: ''
|
|
|
|
- name: validate_no_secret_exists_in_barbican
|
|
desc: Validate that no secret was created in Barbican.
|
|
GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets
|
|
status: 200
|
|
request_headers:
|
|
content-type: application/json
|
|
response_headers:
|
|
content-type: /^application\/json$|^application\/json;\ charset=UTF-8$/
|
|
response_json_paths:
|
|
$.secrets.`len`: 0
|
|
$.secrets: []
|
|
|
|
- name: verify_revision_documents_returns_same_empty_payload
|
|
desc: Verify that the created document wasn't encrypted.
|
|
GET: /api/v1.0/revisions/$HISTORY['create_encrypted_passphrase_empty_payload_skips'].$RESPONSE['$.[0].status.revision']/documents
|
|
status: 200
|
|
request_headers:
|
|
content-type: application/x-yaml
|
|
response_headers:
|
|
content-type: application/x-yaml
|
|
query_parameters:
|
|
metadata.name: my-passphrase
|
|
response_multidoc_jsonpaths:
|
|
$.`len`: 1
|
|
$.[0].data: ''
|
|
|
|
- name: verify_rendered_documents_returns_same_empty_payload
|
|
desc: |
|
|
Verify that rendering the document returns the same empty payload
|
|
which requires that the data be read directly from Deckhand's DB
|
|
rather than Barbican.
|
|
GET: /api/v1.0/revisions/$HISTORY['create_encrypted_passphrase_empty_payload_skips'].$RESPONSE['$.[0].status.revision']/rendered-documents
|
|
status: 200
|
|
request_headers:
|
|
content-type: application/x-yaml
|
|
response_headers:
|
|
content-type: application/x-yaml
|
|
query_parameters:
|
|
metadata.name: my-passphrase
|
|
response_multidoc_jsonpaths:
|
|
$.`len`: 1
|
|
$.[0].data: ''
|
|
|
|
### Scenario 2 ###
|
|
- name: create_encrypted_passphrase_with_incompatible_payload
|
|
desc: |
|
|
Attempting to encrypt a non-str/non-bytes payload should result in
|
|
it first being base64-encoded then passed to Barbican. The response
|
|
should be a Barbican reference, which indicates the scenario passed
|
|
successfully.
|
|
PUT: /api/v1.0/buckets/secret/documents
|
|
status: 200
|
|
request_headers:
|
|
content-type: application/x-yaml
|
|
response_headers:
|
|
content-type: application/x-yaml
|
|
data: |-
|
|
---
|
|
schema: deckhand/LayeringPolicy/v1
|
|
metadata:
|
|
schema: metadata/Control/v1
|
|
name: layering-policy
|
|
data:
|
|
layerOrder:
|
|
- site
|
|
---
|
|
schema: armada/Generic/v1
|
|
metadata:
|
|
schema: metadata/Document/v1
|
|
name: armada-doc
|
|
storagePolicy: encrypted
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
data:
|
|
# This will be an object in memory requiring base64 encoding.
|
|
foo: bar
|
|
...
|
|
response_multidoc_jsonpaths:
|
|
$.`len`: 2
|
|
$.[1].metadata.name: armada-doc
|
|
# NOTE(felipemonteiro): jsonpath-rw-ext uses a 1 character separator (rather than allowing a string)
|
|
# leading to this nastiness:
|
|
$.[1].data.`split(:, 0, 1)` + "://" + $.[1].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']
|
|
|
|
- name: validate_opaque_secret_exists_in_barbican
|
|
desc: Validate that the secret was created as opaque in Barbican.
|
|
GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets/$HISTORY['create_encrypted_passphrase_with_incompatible_payload'].$RESPONSE['$.[1].data.`split(/, 5, -1)`']
|
|
status: 200
|
|
request_headers:
|
|
content-type: application/json
|
|
response_headers:
|
|
content-type: /^application\/json$|^application\/json;\ charset=UTF-8$/
|
|
response_json_paths:
|
|
$.status: ACTIVE
|
|
$.name: armada-doc
|
|
$.secret_type: opaque
|
|
|
|
- name: verify_revision_documents_returns_barbican_ref
|
|
desc: Verify that the encrypted document returns a Barbican ref.
|
|
GET: /api/v1.0/revisions/$HISTORY['create_encrypted_passphrase_with_incompatible_payload'].$RESPONSE['$.[0].status.revision']/documents
|
|
status: 200
|
|
request_headers:
|
|
content-type: application/x-yaml
|
|
response_headers:
|
|
content-type: application/x-yaml
|
|
query_parameters:
|
|
metadata.name: armada-doc
|
|
cleartext-secrets: 'true'
|
|
response_multidoc_jsonpaths:
|
|
$.`len`: 1
|
|
$.[0].data.`split(:, 0, 1)` + "://" + $.[0].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']
|
|
|
|
- name: verify_rendered_documents_returns_unencrypted_payload
|
|
desc: |
|
|
Verify that rendering the document returns the original payload which
|
|
means that Deckhand successfully encoded and decoded the non-compatible
|
|
payload using base64 encoding.
|
|
GET: /api/v1.0/revisions/$HISTORY['create_encrypted_passphrase_with_incompatible_payload'].$RESPONSE['$.[0].status.revision']/rendered-documents
|
|
status: 200
|
|
request_headers:
|
|
content-type: application/x-yaml
|
|
response_headers:
|
|
content-type: application/x-yaml
|
|
query_parameters:
|
|
metadata.name: armada-doc
|
|
cleartext-secrets: true
|
|
response_multidoc_jsonpaths:
|
|
$.`len`: 1
|
|
$.[0].data:
|
|
foo: bar
|