mirror of https://github.com/hashicorp/boundary
pull/2559/head
Michael Li
3 years ago
parent
07b16e877c
commit
6bd168b2a3
@ -0,0 +1,75 @@
|
||||
package boundary
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
"github.com/hashicorp/boundary/api"
|
||||
"github.com/hashicorp/boundary/api/accounts"
|
||||
"github.com/hashicorp/boundary/testing/internal/e2e"
|
||||
"github.com/hashicorp/go-secure-stdlib/base62"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
// CreateNewAccountApi creates a new account using the go api.
|
||||
// Returns the id of the new account as well as the password that was generated
|
||||
func CreateNewAccountApi(t testing.TB, ctx context.Context, client *api.Client, loginName string) (accountId string, password string) {
|
||||
c, err := loadConfig()
|
||||
require.NoError(t, err)
|
||||
|
||||
aClient := accounts.NewClient(client)
|
||||
password, err = base62.Random(16)
|
||||
require.NoError(t, err)
|
||||
newAccountResult, err := aClient.Create(ctx, c.AuthMethodId,
|
||||
accounts.WithPasswordAccountLoginName(loginName),
|
||||
accounts.WithPasswordAccountPassword(password),
|
||||
)
|
||||
require.NoError(t, err)
|
||||
|
||||
accountId = newAccountResult.Item.Id
|
||||
t.Logf("Create Account: %s", accountId)
|
||||
t.Cleanup(func() {
|
||||
_, err := aClient.Delete(ctx, accountId)
|
||||
require.NoError(t, err)
|
||||
})
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// CreateNewAccountCli creates a new account using the cli.
|
||||
// Returns the id of the new account as well as the password that was generated
|
||||
func CreateNewAccountCli(t testing.TB, loginName string) (string, string) {
|
||||
c, err := loadConfig()
|
||||
require.NoError(t, err)
|
||||
|
||||
ctx := context.Background()
|
||||
password, err := base62.Random(16)
|
||||
require.NoError(t, err)
|
||||
os.Setenv("E2E_TEST_ACCOUNT_PASSWORD", password)
|
||||
output := e2e.RunCommand(ctx, "boundary", "accounts", "create", "password",
|
||||
"-auth-method-id", c.AuthMethodId,
|
||||
"-login-name", loginName,
|
||||
"-password", "env://E2E_TEST_ACCOUNT_PASSWORD",
|
||||
"-name", "e2e Account "+loginName,
|
||||
"-description", "e2e Account",
|
||||
"-format", "json",
|
||||
)
|
||||
require.NoError(t, output.Err, string(output.Stderr))
|
||||
|
||||
var newAccountResult accounts.AccountCreateResult
|
||||
err = json.Unmarshal(output.Stdout, &newAccountResult)
|
||||
require.NoError(t, err)
|
||||
|
||||
newAccountId := newAccountResult.Item.Id
|
||||
t.Cleanup(func() {
|
||||
AuthenticateAdminCli(t)
|
||||
output := e2e.RunCommand(ctx, "boundary", "accounts", "delete", "-id", newAccountId)
|
||||
require.NoError(t, output.Err, string(output.Stderr))
|
||||
})
|
||||
|
||||
t.Logf("Created Account: %s", newAccountId)
|
||||
|
||||
return newAccountId, password
|
||||
}
|
||||
@ -0,0 +1,64 @@
|
||||
package boundary
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"testing"
|
||||
|
||||
"github.com/hashicorp/boundary/api"
|
||||
"github.com/hashicorp/boundary/api/users"
|
||||
"github.com/hashicorp/boundary/testing/internal/e2e"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
// CreateNewUserCli creates a new user using the go api.
|
||||
// Returns the id of the new user
|
||||
func CreateNewUserApi(t testing.TB, ctx context.Context, client *api.Client, scopeId string) string {
|
||||
uClient := users.NewClient(client)
|
||||
newUserResult, err := uClient.Create(ctx, scopeId)
|
||||
require.NoError(t, err)
|
||||
newUserId := newUserResult.Item.Id
|
||||
t.Logf("Created User: %s", newUserId)
|
||||
t.Cleanup(func() {
|
||||
_, err := uClient.Delete(ctx, newUserId)
|
||||
require.NoError(t, err)
|
||||
})
|
||||
|
||||
return newUserId
|
||||
}
|
||||
|
||||
// CreateNewUserCli creates a new user using the cli.
|
||||
// Returns the id of the new user
|
||||
func CreateNewUserCli(t testing.TB, scopeId string) string {
|
||||
ctx := context.Background()
|
||||
output := e2e.RunCommand(ctx, "boundary", "users", "create",
|
||||
"-scope-id", scopeId,
|
||||
"-name", "e2e User",
|
||||
"-description", "e2e User",
|
||||
"-format", "json",
|
||||
)
|
||||
require.NoError(t, output.Err, string(output.Stderr))
|
||||
|
||||
var newUserResult users.UserCreateResult
|
||||
err := json.Unmarshal(output.Stdout, &newUserResult)
|
||||
require.NoError(t, err)
|
||||
|
||||
newUserId := newUserResult.Item.Id
|
||||
t.Cleanup(func() {
|
||||
AuthenticateAdminCli(t)
|
||||
output := e2e.RunCommand(ctx, "boundary", "users", "delete", "-id", newUserId)
|
||||
require.NoError(t, output.Err, string(output.Stderr))
|
||||
})
|
||||
t.Logf("Created User: %s", newUserId)
|
||||
|
||||
return newUserId
|
||||
}
|
||||
|
||||
// SetAccountToUserCli sets an account to a the specified user using the cli.
|
||||
func SetAccountToUserCli(t testing.TB, userId string, accountId string) {
|
||||
output := e2e.RunCommand(context.Background(), "boundary", "users", "set-accounts",
|
||||
"-id", userId,
|
||||
"-account", accountId,
|
||||
)
|
||||
require.NoError(t, output.Err, string(output.Stderr))
|
||||
}
|
||||
@ -0,0 +1,217 @@
|
||||
package static_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/cenkalti/backoff/v4"
|
||||
"github.com/hashicorp/boundary/api/roles"
|
||||
"github.com/hashicorp/boundary/api/sessions"
|
||||
"github.com/hashicorp/boundary/api/users"
|
||||
"github.com/hashicorp/boundary/testing/internal/e2e"
|
||||
"github.com/hashicorp/boundary/testing/internal/e2e/boundary"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
// TestSessionCancelUserCli uses the cli to create a new user and sets up the right permissions for
|
||||
// the user to connect to the created target. The test also confirms that an admin can cancel the
|
||||
// user's session.
|
||||
func TestSessionCancelUserCli(t *testing.T) {
|
||||
e2e.MaybeSkipTest(t)
|
||||
c, err := loadConfig()
|
||||
require.NoError(t, err)
|
||||
|
||||
boundary.AuthenticateAdminCli(t)
|
||||
newOrgId := boundary.CreateNewOrgCli(t)
|
||||
newProjectId := boundary.CreateNewProjectCli(t, newOrgId)
|
||||
newHostCatalogId := boundary.CreateNewHostCatalogCli(t, newProjectId)
|
||||
newHostSetId := boundary.CreateNewHostSetCli(t, newHostCatalogId)
|
||||
newHostId := boundary.CreateNewHostCli(t, newHostCatalogId, c.TargetIp)
|
||||
boundary.AddHostToHostSetCli(t, newHostSetId, newHostId)
|
||||
newTargetId := boundary.CreateNewTargetCli(t, newProjectId, c.TargetPort)
|
||||
boundary.AddHostSourceToTargetCli(t, newTargetId, newHostSetId)
|
||||
acctName := "e2e-account"
|
||||
newAccountId, acctPassword := boundary.CreateNewAccountCli(t, acctName)
|
||||
newUserId := boundary.CreateNewUserCli(t, "global")
|
||||
boundary.SetAccountToUserCli(t, newUserId, newAccountId)
|
||||
|
||||
// Try to connect to the target as a user without permissions
|
||||
ctx := context.Background()
|
||||
boundary.AuthenticateCli(t, acctName, acctPassword)
|
||||
output := e2e.RunCommand(ctx, "boundary", "connect",
|
||||
"-target-id", newTargetId,
|
||||
"-format", "json",
|
||||
"-exec", "/usr/bin/ssh", "--",
|
||||
"-l", c.TargetSshUser,
|
||||
"-i", c.TargetSshKeyPath,
|
||||
"-o", "UserKnownHostsFile=/dev/null",
|
||||
"-o", "StrictHostKeyChecking=no",
|
||||
"-o", "IdentitiesOnly=yes", // forces the use of the provided key
|
||||
"-p", "{{boundary.port}}", // this is provided by boundary
|
||||
"{{boundary.ip}}",
|
||||
"hostname -i",
|
||||
)
|
||||
require.Error(t, output.Err, string(output.Stdout), string(output.Stderr))
|
||||
var response e2e.CliError
|
||||
err = json.Unmarshal(output.Stderr, &response)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, 403, response.Status)
|
||||
t.Log("Successfully received an error when connecting to target as a user without permissions")
|
||||
|
||||
// Create a role
|
||||
boundary.AuthenticateAdminCli(t)
|
||||
output = e2e.RunCommand(ctx, "boundary", "roles", "create",
|
||||
"-scope-id", newProjectId,
|
||||
"-name", "e2e Role",
|
||||
"-format", "json",
|
||||
)
|
||||
require.NoError(t, output.Err, string(output.Stderr))
|
||||
var newRoleResult roles.RoleCreateResult
|
||||
err = json.Unmarshal(output.Stdout, &newRoleResult)
|
||||
require.NoError(t, err)
|
||||
newRoleId := newRoleResult.Item.Id
|
||||
t.Logf("Created Role: %s", newRoleId)
|
||||
|
||||
// Add grant to role
|
||||
output = e2e.RunCommand(ctx, "boundary", "roles", "add-grants",
|
||||
"-id", newRoleId,
|
||||
"-grant", "id=*;type=target;actions=authorize-session",
|
||||
)
|
||||
require.NoError(t, output.Err, string(output.Stderr))
|
||||
|
||||
// Add user to role
|
||||
output = e2e.RunCommand(ctx, "boundary", "roles", "add-principals",
|
||||
"-id", newRoleId,
|
||||
"-principal", newUserId,
|
||||
)
|
||||
require.NoError(t, output.Err, string(output.Stderr))
|
||||
|
||||
// Connect to target to create a session
|
||||
ctxCancel, cancel := context.WithCancel(context.Background())
|
||||
errChan := make(chan *e2e.CommandResult)
|
||||
go func() {
|
||||
boundary.AuthenticateCli(t, acctName, acctPassword)
|
||||
t.Log("Starting session as user...")
|
||||
errChan <- e2e.RunCommand(ctxCancel, "boundary", "connect",
|
||||
"-target-id", newTargetId,
|
||||
"-exec", "/usr/bin/ssh", "--",
|
||||
"-l", c.TargetSshUser,
|
||||
"-i", c.TargetSshKeyPath,
|
||||
"-o", "UserKnownHostsFile=/dev/null",
|
||||
"-o", "StrictHostKeyChecking=no",
|
||||
"-o", "IdentitiesOnly=yes", // forces the use of the provided key
|
||||
"-p", "{{boundary.port}}", // this is provided by boundary
|
||||
"{{boundary.ip}}",
|
||||
"hostname -i; sleep 60",
|
||||
)
|
||||
}()
|
||||
t.Cleanup(cancel)
|
||||
|
||||
// Get list of sessions
|
||||
var session *sessions.Session
|
||||
err = backoff.RetryNotify(
|
||||
func() error {
|
||||
output := e2e.RunCommand(ctx, "boundary", "sessions", "list", "-scope-id", newProjectId, "-format", "json")
|
||||
if output.Err != nil {
|
||||
return backoff.Permanent(errors.New(string(output.Stderr)))
|
||||
}
|
||||
|
||||
var sessionListResult sessions.SessionListResult
|
||||
err = json.Unmarshal(output.Stdout, &sessionListResult)
|
||||
if err != nil {
|
||||
return backoff.Permanent(err)
|
||||
}
|
||||
|
||||
sessionCount := len(sessionListResult.Items)
|
||||
if sessionCount == 0 {
|
||||
return errors.New("No items are appearing in the session list")
|
||||
}
|
||||
|
||||
t.Logf("Found %d session(s)", sessionCount)
|
||||
if sessionCount != 1 {
|
||||
return backoff.Permanent(errors.New("Only one session was expected to be found"))
|
||||
}
|
||||
|
||||
session = sessionListResult.Items[0]
|
||||
return nil
|
||||
},
|
||||
backoff.WithMaxRetries(backoff.NewConstantBackOff(3*time.Second), 5),
|
||||
func(err error, td time.Duration) {
|
||||
t.Logf("%s. Retrying...", err.Error())
|
||||
},
|
||||
)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, newTargetId, session.TargetId)
|
||||
assert.Equal(t, newHostId, session.HostId)
|
||||
require.Equal(t, "active", session.Status)
|
||||
|
||||
// Cancel session
|
||||
output = e2e.RunCommand(ctx, "boundary", "sessions", "cancel", "-id", session.Id)
|
||||
require.NoError(t, output.Err, string(output.Stderr))
|
||||
|
||||
output = e2e.RunCommand(ctx, "boundary", "sessions", "read", "-id", session.Id, "-format", "json")
|
||||
require.NoError(t, output.Err, string(output.Stderr))
|
||||
var newSessionReadResult sessions.SessionReadResult
|
||||
err = json.Unmarshal(output.Stdout, &newSessionReadResult)
|
||||
require.NoError(t, err)
|
||||
require.Condition(t, func() bool {
|
||||
return newSessionReadResult.Item.Status == "canceling" || newSessionReadResult.Item.Status == "terminated"
|
||||
})
|
||||
|
||||
// Check output from session
|
||||
select {
|
||||
case output := <-errChan:
|
||||
// `boundary connect` returns a 255 when cancelled
|
||||
require.Equal(t, output.ExitCode, 255, string(output.Stdout), string(output.Stderr))
|
||||
case <-time.After(time.Second * 5):
|
||||
t.Fatal("Timed out waiting for session command to exit")
|
||||
}
|
||||
|
||||
t.Log("Successfully cancelled session")
|
||||
}
|
||||
|
||||
// TestCreateUserApi uses the go api to create a new user and add some grants to the user
|
||||
func TestCreateUserApi(t *testing.T) {
|
||||
e2e.MaybeSkipTest(t)
|
||||
c, err := loadConfig()
|
||||
require.NoError(t, err)
|
||||
|
||||
client, err := boundary.NewApiClient()
|
||||
require.NoError(t, err)
|
||||
ctx := context.Background()
|
||||
|
||||
newOrgId := boundary.CreateNewOrgApi(t, ctx, client)
|
||||
newProjectId := boundary.CreateNewProjectApi(t, ctx, client, newOrgId)
|
||||
newHostCatalogId := boundary.CreateNewHostCatalogApi(t, ctx, client, newProjectId)
|
||||
newHostSetId := boundary.CreateNewHostSetApi(t, ctx, client, newHostCatalogId)
|
||||
newHostId := boundary.CreateNewHostApi(t, ctx, client, newHostCatalogId, c.TargetIp)
|
||||
boundary.AddHostToHostSetApi(t, ctx, client, newHostSetId, newHostId)
|
||||
newTargetId := boundary.CreateNewTargetApi(t, ctx, client, newProjectId, c.TargetPort)
|
||||
boundary.AddHostSourceToTargetApi(t, ctx, client, newTargetId, newHostSetId)
|
||||
|
||||
acctName := "e2e-account"
|
||||
newAcctId, _ := boundary.CreateNewAccountApi(t, ctx, client, acctName)
|
||||
newUserId := boundary.CreateNewUserApi(t, ctx, client, "global")
|
||||
uClient := users.NewClient(client)
|
||||
uClient.SetAccounts(ctx, newUserId, 0, []string{newAcctId})
|
||||
|
||||
rClient := roles.NewClient(client)
|
||||
newRoleResult, err := rClient.Create(ctx, newProjectId)
|
||||
require.NoError(t, err)
|
||||
newRoleId := newRoleResult.Item.Id
|
||||
t.Logf("Create Role: %s", newRoleId)
|
||||
|
||||
_, err = rClient.AddGrants(ctx, newRoleId, 0, []string{"id=*;type=target;actions=authorize-session"},
|
||||
roles.WithAutomaticVersioning(true),
|
||||
)
|
||||
require.NoError(t, err)
|
||||
|
||||
_, err = rClient.AddPrincipals(ctx, newRoleId, 0, []string{newUserId},
|
||||
roles.WithAutomaticVersioning(true),
|
||||
)
|
||||
require.NoError(t, err)
|
||||
}
|
||||
Loading…
Reference in new issue