# Tests success paths for secret management:
#
# 1. Tests that creating a secret passphrase results in the Barbican secret
#    ref being returned.
# 2. Tests that the same happens when querying revision documents.

defaults:
  request_headers:
    X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN']
  verbose: true

tests:
  - name: purge
    desc: Begin testing from known state.
    DELETE: /api/v1.0/revisions
    status: 204
    request_headers:
      content-type: application/x-yaml
    response_headers: null

  - name: create_encrypted_passphrase
    desc: Create passphrase with storagePolicy=encrypted
    PUT: /api/v1.0/buckets/secret/documents
    status: 200
    request_headers:
      content-type: application/x-yaml
    response_headers:
      content-type: application/x-yaml
    data: |-
      ---
      schema: deckhand/Passphrase/v1
      metadata:
        schema: metadata/Document/v1
        name: my-passphrase
        layeringDefinition:
          abstract: false
          layer: noop
        storagePolicy: encrypted
      data: not-a-real-password
      ...
    response_multidoc_jsonpaths:
      $.`len`: 1
      # NOTE(felipemonteiro): jsonpath-rw-ext uses a 1 character separator (rather than allowing a string)
      # leading to this nastiness:
      $.[0].data.`split(:, 0, 1)` + "://" + $.[0].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']

  - name: validate_secret_exists_in_barbican
    desc: Validate that the secret ref exists in Barbican.
    GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets/$RESPONSE['$.[0].data.`split(/, 5, -1)`']
    status: 200
    request_headers:
      content-type: application/json
    response_headers:
      content-type: application/json; charset=UTF-8
    response_json_paths:
      $.status: ACTIVE
      $.name: my-passphrase

  - name: validate_secret_payload_matches_in_barbican
    desc: Validate that the secret itself matches in Barbican.
    GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets/$HISTORY['create_encrypted_passphrase'].$RESPONSE['$.[0].data.`split(/, 5, -1)`']/payload
    status: 200
    request_headers:
      content-type: application/json
    response_headers:
      content-type: application/octet-stream; charset=UTF-8
    response_strings:
      - not-a-real-password

  - name: verify_revision_documents_returns_secret_ref
    desc: Verify that the documents for the created revision returns the secret ref.
    GET: /api/v1.0/revisions/$HISTORY['create_encrypted_passphrase'].$RESPONSE['$.[0].status.revision']/documents
    status: 200
    request_headers:
      content-type: application/x-yaml
    response_headers:
      content-type: application/x-yaml
    response_multidoc_jsonpaths:
      $.`len`: 1
      # NOTE(felipemonteiro): jsonpath-rw-ext uses a 1 character separator (rather than allowing a string)
      # leading to this nastiness:
      $.[0].data.`split(:, 0, 1)` + "://" + $.[0].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']