From 70e696a4466669827c28520f50aed77f17130034 Mon Sep 17 00:00:00 2001 From: Jeff Malnick Date: Mon, 12 Oct 2020 20:57:57 -0700 Subject: [PATCH] tests: add roles CLI tests (#644) --- internal/tests/cli/boundary/_helpers.bash | 11 +- internal/tests/cli/boundary/_roles.bash | 91 ++++++++++++++ internal/tests/cli/boundary/groups.bats | 2 +- .../tests/cli/boundary/host_catalogs.bats | 2 +- internal/tests/cli/boundary/host_sets.bats | 2 +- internal/tests/cli/boundary/hosts.bats | 2 +- internal/tests/cli/boundary/roles.bats | 114 ++++++++++++++++++ internal/tests/cli/boundary/target.bats | 2 +- internal/tests/cli/boundary/user.bats | 6 +- 9 files changed, 222 insertions(+), 10 deletions(-) create mode 100644 internal/tests/cli/boundary/_roles.bash create mode 100644 internal/tests/cli/boundary/roles.bats diff --git a/internal/tests/cli/boundary/_helpers.bash b/internal/tests/cli/boundary/_helpers.bash index 954e47b006..f427b2ab74 100644 --- a/internal/tests/cli/boundary/_helpers.bash +++ b/internal/tests/cli/boundary/_helpers.bash @@ -1,14 +1,21 @@ -export BOUNDARY_ADDR='http://127.0.0.1:9200' +export BOUNDARY_ADDR="${BOUNDARY_ADDR:-http://127.0.0.1:9200}" export DEFAULT_PASSWORD='password' -export DEFAULT_USER='admin' +export DEFAULT_LOGIN='admin' export DEFAULT_AMPW='ampw_1234567890' export DEFAULT_P_ID='p_1234567890' export DEFAULT_O_ID='o_1234567890' +export DEFAULT_GLOBAL='global' export DEFAULT_TARGET='ttcp_1234567890' export DEFAULT_HOST_SET='hsst_1234567890' export DEFAULT_HOST_CATALOG='hcst_1234567890' export DEFAULT_HOST='hst_1234567890' +export DEFAULT_USER='u_1234567890' function strip() { echo "$1" | tr -d '"' } + +function strip_all() { + echo "$1" | tr -d '"' | tr -d '\'\' +} + diff --git a/internal/tests/cli/boundary/_roles.bash b/internal/tests/cli/boundary/_roles.bash new file mode 100644 index 0000000000..5f1284d1ba --- /dev/null +++ b/internal/tests/cli/boundary/_roles.bash 
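Review bot: With `BOUNDARY_ADDR` now read from the environment, the suite logs in with `DEFAULT_PASSWORD='password'` and creates and deletes resources on whatever controller the caller's shell points at, and the fallback is still plain `http://`. A comment above the export, e.g. `# Fixture credentials and destructive tests: point BOUNDARY_ADDR only at a disposable dev controller`, would state that expectation. `DEFAULT_USER` also changes meaning here from a login name to a user id (`u_1234567890`), so any test file outside this patch that still calls `login $DEFAULT_USER` would presumably break and is worth a grep. In `strip_all`, `tr -d '\'\'` is hard to read; if the intent is to delete both quote characters, a single `tr -d "\"'"` says so directly.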
@@ -0,0 +1,91 @@
+function create_role() {
+ local sid=$1
+ local name=$2
+ local gsid=$3
+
+ boundary roles create \
+ -scope-id $sid \
+ -name $name \
+ -description 'test role' \
+ -grant-scope-id $gsid
+}
+
+function read_role() {
+ boundary roles read -id $1 -format json
+}
+
+function delete_role() {
+ boundary roles delete -id $1
+}
+
+function list_roles() {
+ boundary roles list -scope-id $1 -format json
+}
+
+function assoc_role_grant() {
+ local grant=$1
+ local id=$2
+
+ boundary roles add-grants -grant $grant -id $id
+}
+
+function assoc_role_principal() {
+ local principal=$1
+ local id=$2
+
+ boundary roles add-principals -principal $principal -id $id
+}
+
+function remove_role_grant() {
+ local grant=$1
+ local id=$2
+
+ boundary roles remove-grants -grant $grant -id $id
+}
+
+function remove_role_principal() {
+ local principal=$1
+ local id=$2
+
+ boundary roles remove-principals -principal $principal -id $id
+}
+
+function role_id() {
+ local name=$1
+ local sid=$2
+ strip $(list_roles $sid | jq -c ".[] | select(.name | contains(\"$name\")) | .[\"id\"]")
+}
+
+function role_principal_ids() {
+ local rid=$1
+ strip $(read_role $rid | jq '.["principals"][]["id"]')
+}
+
+function role_has_principal_id() {
+ local rid=$1
+ local pid=$2
+ local ids=$(role_principal_ids $rid)
+ for id in $ids; do
+ if [ $(strip "$id") == "$pid" ]; then
+ return 0
+ fi
+ done
+ return 1
+}
+
+function role_grants() {
+ local rid=$1
+ read_role $rid | jq -rc '.grant_strings | @sh'
+}
+
+function role_has_grant() {
+ local rid=$1
+ local g=$2
+ local hasgrants=$(role_grants $rid)
+ for grant in $hasgrants; do
+ if [ $(strip_all "$grant") == "$g" ]; then
+ return 0
+ fi
+ done
+ return 1
+}
diff --git a/internal/tests/cli/boundary/groups.bats b/internal/tests/cli/boundary/groups.bats
index d7bc8ddbda..b8bb9c6eb5 100644
--- a/internal/tests/cli/boundary/groups.bats
+++ b/internal/tests/cli/boundary/groups.bats
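Review bot: The helpers pass every argument unquoted, and the grant the tests use (`id=*;type=*;actions=...`) contains `*`, so `-grant $grant` in `assoc_role_grant` and `remove_role_grant` goes through pathname expansion and word splitting before it reaches the CLI; `-grant "$grant" -id "$id"` (and the same quoting for `$sid`, `$name`, `$gsid`, `$1`) keeps the permission string byte-exact. `role_id` splices `$name` into the jq program and matches with `contains`, so a role named `test2` would also match `test` and several ids could come back; `jq -r --arg name "$name" '.[] | select(.name == $name) | .id'` avoids both and makes the `strip` call unnecessary. In `role_has_principal_id` and `role_has_grant`, the unquoted `$(strip ...)` inside `[ ... ]` turns an empty value into a test syntax error rather than a clean non-match, so quote it as `[ "$(strip_all "$grant")" == "$g" ]`.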
@@ -8,7 +8,7 @@ load _helpers export NEW_GROUP='test' @test "boundary/login: can login as default user" { - run login $DEFAULT_USER + run login $DEFAULT_LOGIN echo "$output" [ "$status" -eq 0 ] } diff --git a/internal/tests/cli/boundary/host_catalogs.bats b/internal/tests/cli/boundary/host_catalogs.bats index 752214aca4..b7f438e3a9 100644 --- a/internal/tests/cli/boundary/host_catalogs.bats +++ b/internal/tests/cli/boundary/host_catalogs.bats @@ -7,7 +7,7 @@ load _helpers export NEW_HOST_CATALOG='test' @test "boundary/login: can login as default user" { - run login $DEFAULT_USER + run login $DEFAULT_LOGIN echo "$output" [ "$status" -eq 0 ] } diff --git a/internal/tests/cli/boundary/host_sets.bats b/internal/tests/cli/boundary/host_sets.bats index cce77a56e4..099f782047 100644 --- a/internal/tests/cli/boundary/host_sets.bats +++ b/internal/tests/cli/boundary/host_sets.bats @@ -7,7 +7,7 @@ load _helpers export NEW_HOST_SET='test' @test "boundary/login: can login as default user" { - run login $DEFAULT_USER + run login $DEFAULT_LOGIN echo "$output" [ "$status" -eq 0 ] } diff --git a/internal/tests/cli/boundary/hosts.bats b/internal/tests/cli/boundary/hosts.bats index 2367dfc55f..1f72bd644b 100644 --- a/internal/tests/cli/boundary/hosts.bats +++ b/internal/tests/cli/boundary/hosts.bats @@ -7,7 +7,7 @@ load _helpers export NEW_HOST='test' @test "boundary/login: can login as default user" { - run login $DEFAULT_USER + run login $DEFAULT_LOGIN echo "$output" [ "$status" -eq 0 ] } diff --git a/internal/tests/cli/boundary/roles.bats b/internal/tests/cli/boundary/roles.bats new file mode 100644 index 0000000000..9084123520 --- /dev/null +++ b/internal/tests/cli/boundary/roles.bats 
@@ -0,0 +1,114 @@
+#!/usr/bin/env bats
+
+load _accounts
+load _auth
+load _roles
+load _helpers
+
+export NEW_ROLE='test'
+export NEW_GRANT='id=*;type=*;actions=create,read,update,delete,list'
+
+@test "boundary/login: can login as default principal" {
+ run login $DEFAULT_LOGIN
+ echo "$output"
+ [ "$status" -eq 0 ]
+}
+
+@test "boundary/roles: can add $NEW_ROLE role to global scope granting rights in default org scope" {
+ run create_role 'global' $NEW_ROLE $DEFAULT_O_ID
+ echo "$output"
+ [ "$status" -eq 0 ]
+}
+
+@test "boundary/roles: can not add already created $NEW_ROLE role" {
+ run create_role 'global' $NEW_ROLE $DEFAULT_O_ID
+ echo "$output"
+ [ "$status" -eq 1 ]
+}
+
+@test "boundary/roles: can read $NEW_ROLE role" {
+ local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+ echo "rid $rid"
+ run read_role $rid
+ echo "$output"
+ [ "$status" -eq 0 ]
+}
+
+@test "boundary/role/add-principals: can associate $NEW_ROLE role with default principal" {
+ local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+ run assoc_role_principal $DEFAULT_USER $rid
+ echo "$output"
+ [ "$status" -eq 0 ]
+}
+
+
+
+@test "boundary/role/add-principals: $NEW_ROLE role contains default principal" {
+ local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+ run role_has_principal_id $rid $DEFAULT_USER
+ echo "$output"
+ [ "$status" -eq 0 ]
+}
+
+@test "boundary/role/remove-principals: can remove default principal from $NEW_ROLE role" {
+ local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+ run remove_role_principal $DEFAULT_USER $rid
+ echo "$output"
+ [ "$status" -eq 0 ]
+}
+
+@test "boundary/role/remove-principals: $NEW_ROLE role no longer contains default principal" {
+ local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+ run role_has_principal_id $rid $DEFAULT_USER
+ echo "$output"
+ [ "$status" -eq 1 ]
+}
+
+@test "boundary/role/add-grants: can associate $NEW_ROLE role with $NEW_GRANT grant" {
+ local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL)
+ run assoc_role_grant $NEW_GRANT $rid
+ echo "$output"
+ [
"$status" -eq 0 ] +} + +@test "boundary/role/add-grantss: $NEW_ROLE role contains $NEW_GRANT grant" { + local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL) + run role_has_grant $rid $NEW_GRANT + echo "$output" + [ "$status" -eq 0 ] +} + +@test "boundary/role/remove-grants: can remove $NEW_GRANT grant from $NEW_ROLE role" { + local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL) + run remove_role_grant $NEW_GRANT $rid + echo "$output" + [ "$status" -eq 0 ] +} + +@test "boundary/role/remove-grants: $NEW_ROLE role no longer contains $NEW_GRANT grant" { + local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL) + run role_has_grant $rid $NEW_GRANT + echo "$output" + [ "$status" -eq 1 ] +} + +@test "boundary/role: can delete $NEW_ROLE role" { + local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL) + run delete_role $rid + echo "$output" + [ "$status" -eq 0 ] +} + +@test "boundary/role: can not delete already deleted $NEW_ROLE role" { + local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL) + run delete_role $rid + echo "$output" + [ "$status" -eq 1 ] +} + +@test "boundary/roles: can not read deleted $NEW_ROLE role" { + local rid=$(role_id $NEW_ROLE $DEFAULT_GLOBAL) + run read_role $rid + echo "$output" + [ "$status" -eq 1 ] +} diff --git a/internal/tests/cli/boundary/target.bats b/internal/tests/cli/boundary/target.bats index a96977a31f..085301bc72 100644 --- a/internal/tests/cli/boundary/target.bats +++ b/internal/tests/cli/boundary/target.bats @@ -7,7 +7,7 @@ load _helpers @test "boundary/login: can login as default user" { - run login $DEFAULT_USER + run login $DEFAULT_LOGIN [ "$status" -eq 0 ] } diff --git a/internal/tests/cli/boundary/user.bats b/internal/tests/cli/boundary/user.bats index f8ce0a9f2f..c14e2ec32d 100644 --- a/internal/tests/cli/boundary/user.bats +++ b/internal/tests/cli/boundary/user.bats @@ -8,7 +8,7 @@ load _helpers export NEW_USER='test' @test "boundary/login: can login as default user" { - run login $DEFAULT_USER + run login $DEFAULT_LOGIN [ "$status" -eq 0 ] } 
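Review bot: The last two tests (`can not delete already deleted $NEW_ROLE role`, `can not read deleted $NEW_ROLE role`) look the id up again with `role_id` after the role is gone, so `$rid` is presumably empty and `delete_role $rid` / `read_role $rid` fail because `-id` has no value, not because the controller rejected a stale id. Asserting on the error text in `$output` as well as the status, and adding `[ -n "$rid" ]` to the positive tests, would make each case test what its name claims. `$NEW_GRANT` and `$rid` are unquoted in every `run` line, and `NEW_GRANT` contains `*`, so `run assoc_role_grant "$NEW_GRANT" "$rid"` is the safer form. The test title `boundary/role/add-grantss` has a doubled `s`.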
@@ -57,14 +57,14 @@ export NEW_USER='test' } @test "boundary/user: can delete $NEW_USER user" { - login $DEFAULT_USER + login $DEFAULT_LOGIN local uid=$(user_id $NEW_USER) run delete_user $uid [ "$status" -eq 0 ] } @test "boundary/user: can not delete already deleted $NEW_USER user" { - login $DEFAULT_USER + login $DEFAULT_LOGIN local uid=$(user_id $NEW_USER) run delete_user $uid [ "$status" -eq 1 ]