airship
/
deckhand
Code Issues Proposed changes
deckhand/deckhand/tests/integration/gabbits/document-render-secret-edge...

193 lines
6.5 KiB
YAML
Raw Blame History

# Tests success paths for edge cases around rendering with secrets.
#
# 1. Verifies that attempting to encrypt a secret passphrase with an empty
# string skips encryption and stores the document as cleartext instead
# and that rendering the document works (which should avoid Barbican
# API call).
# 2. Verifies that attempting to encrypt any document with an incompatible
# payload type (non-str, non-binary) results in the payload being properly
# encoded and decoded by Deckhand before and after storing and retrieving
# the encrypted data.
defaults:
request_headers:
X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN']
verbose: true
tests:
### Scenario 1 ###
- name: purge
desc: Begin testing from known state.
DELETE: /api/v1.0/revisions
status: 204
request_headers:
content-type: application/x-yaml
response_headers: null
- name: create_encrypted_passphrase_empty_payload_skips
desc: |
Attempting to create an encrypted passphrase with empty payload should
avoid encryption and return the empty payload instead.
PUT: /api/v1.0/buckets/secret/documents
status: 200
request_headers:
content-type: application/x-yaml
response_headers:
content-type: application/x-yaml
data: |-
---
schema: deckhand/LayeringPolicy/v1
metadata:
schema: metadata/Control/v1
name: layering-policy
data:
layerOrder:
- site
---
schema: deckhand/Passphrase/v1
metadata:
schema: metadata/Document/v1
name: my-passphrase
storagePolicy: encrypted
layeringDefinition:
abstract: false
layer: site
data: ''
...
response_multidoc_jsonpaths:
$.`len`: 2
$.[1].metadata.name: my-passphrase
$.[1].data: ''
- name: validate_no_secret_exists_in_barbican
desc: Validate that no secret was created in Barbican.
GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets
status: 200
request_headers:
content-type: application/json
response_headers:
content-type: application/json; charset=UTF-8
response_json_paths:
$.secrets.`len`: 0
$.secrets: []
- name: verify_revision_documents_returns_same_empty_payload
desc: Verify that the created document wasn't encrypted.
GET: /api/v1.0/revisions/$HISTORY['create_encrypted_passphrase_empty_payload_skips'].$RESPONSE['$.[0].status.revision']/documents
status: 200
request_headers:
content-type: application/x-yaml
response_headers:
content-type: application/x-yaml
query_parameters:
metadata.name: my-passphrase
response_multidoc_jsonpaths:
$.`len`: 1
$.[0].data: ''
- name: verify_rendered_documents_returns_same_empty_payload
desc: |
Verify that rendering the document returns the same empty payload
which requires that the data be read directly from Deckhand's DB
rather than Barbican.
GET: /api/v1.0/revisions/$HISTORY['create_encrypted_passphrase_empty_payload_skips'].$RESPONSE['$.[0].status.revision']/rendered-documents
status: 200
request_headers:
content-type: application/x-yaml
response_headers:
content-type: application/x-yaml
query_parameters:
metadata.name: my-passphrase
response_multidoc_jsonpaths:
$.`len`: 1
$.[0].data: ''
### Scenario 2 ###
- name: create_encrypted_passphrase_with_incompatible_payload
desc: |
Attempting to encrypt a non-str/non-bytes payload should result in
it first being base64-encoded then passed to Barbican. The response
should be a Barbican reference, which indicates the scenario passed
successfully.
PUT: /api/v1.0/buckets/secret/documents
status: 200
request_headers:
content-type: application/x-yaml
response_headers:
content-type: application/x-yaml
data: |-
---
schema: deckhand/LayeringPolicy/v1
metadata:
schema: metadata/Control/v1
name: layering-policy
data:
layerOrder:
- site
---
schema: armada/Generic/v1
metadata:
schema: metadata/Document/v1
name: armada-doc
storagePolicy: encrypted
layeringDefinition:
abstract: false
layer: site
data:
# This will be an object in memory requiring base64 encoding.
foo: bar
...
response_multidoc_jsonpaths:
$.`len`: 2
$.[1].metadata.name: armada-doc
# NOTE(felipemonteiro): jsonpath-rw-ext uses a 1 character separator (rather than allowing a string)
# leading to this nastiness:
$.[1].data.`split(:, 0, 1)` + "://" + $.[1].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']
- name: validate_opaque_secret_exists_in_barbican
desc: Validate that the secret was created as opaque in Barbican.
GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets/$HISTORY['create_encrypted_passphrase_with_incompatible_payload'].$RESPONSE['$.[1].data.`split(/, 5, -1)`']
status: 200
request_headers:
content-type: application/json
response_headers:
content-type: application/json; charset=UTF-8
response_json_paths:
$.status: ACTIVE
$.name: armada-doc
$.secret_type: opaque
- name: verify_revision_documents_returns_barbican_ref
desc: Verify that the encrypted document returns a Barbican ref.
GET: /api/v1.0/revisions/$HISTORY['create_encrypted_passphrase_with_incompatible_payload'].$RESPONSE['$.[0].status.revision']/documents
status: 200
request_headers:
content-type: application/x-yaml
response_headers:
content-type: application/x-yaml
query_parameters:
metadata.name: armada-doc
cleartext-secrets: 'true'
response_multidoc_jsonpaths:
$.`len`: 1
$.[0].data.`split(:, 0, 1)` + "://" + $.[0].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']
- name: verify_rendered_documents_returns_unencrypted_payload
desc: |
Verify that rendering the document returns the original payload which
means that Deckhand successfully encoded and decoded the non-compatible
payload using base64 encoding.
GET: /api/v1.0/revisions/$HISTORY['create_encrypted_passphrase_with_incompatible_payload'].$RESPONSE['$.[0].status.revision']/rendered-documents
status: 200
request_headers:
content-type: application/x-yaml
response_headers:
content-type: application/x-yaml
query_parameters:
metadata.name: armada-doc
cleartext-secrets: true
response_multidoc_jsonpaths:
$.`len`: 1
$.[0].data:
foo: bar
View Git Blame Copy Permalink