test(cli): Add tests for vault-ssh-certificate credential library

This adds tests for updating specific fields of the credential library.
3 years ago · f9a2f44f5b
parent e66ea15fef
commit f9a2f44f5b
3 changed files with 424 additions and 0 deletions
--- a/internal/tests/cli/boundary/_credential_libraries.bash
+++ b/internal/tests/cli/boundary/_credential_libraries.bash
@ -5,6 +5,11 @@ function create_vault_ssh_certificate_library() {
    create vault-ssh-certificate $@
 }

+function update_vault_ssh_certificate_library() {
+  boundary credential-libraries \
+    update vault-ssh-certificate $@
+}
+
 function create_vault_generic_library() {
  boundary credential-libraries \
    create vault-generic $@
--- a/internal/tests/cli/boundary/_helpers.bash
+++ b/internal/tests/cli/boundary/_helpers.bash
@ -31,3 +31,11 @@ function has_status_code() {
 diag() {
    echo "$@" | sed -e 's/^/# /' >&3 ;
 }
+
+function field_eq() {
+    local json=$1
+    local field=$2
+    local expected=$3
+    echo "checking $field == $expected in $json"
+    echo "$json" | jq -e "$field == $expected"
+}
--- a/internal/tests/cli/boundary/credential_libraries.bats
+++ b/internal/tests/cli/boundary/credential_libraries.bats
@ -162,6 +162,417 @@ export NEW_VAULT_LIB="test_vault"
  [ "$status" -eq 0 ]
 }

+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library ecdsa-256" {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+  run update_vault_ssh_certificate_library -id $clid -key-type ecdsa -key-bits 256
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_type" '"ecdsa"'
+  [ "$status" -eq 0 ]
+  run field_eq "$got" ".item.attributes.key_bits" "256"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library ecdsa-384" {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+  run update_vault_ssh_certificate_library -id $clid -key-type ecdsa -key-bits 384
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_type" '"ecdsa"'
+  [ "$status" -eq 0 ]
+  run field_eq "$got" ".item.attributes.key_bits" "384"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library ecdsa-521" {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+  run update_vault_ssh_certificate_library -id $clid -key-type ecdsa -key-bits 521
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_type" '"ecdsa"'
+  [ "$status" -eq 0 ]
+  run field_eq "$got" ".item.attributes.key_bits" "521"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library ecdsa-0" {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+  run update_vault_ssh_certificate_library -id $clid -key-type ecdsa -key-bits 0
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_type" '"ecdsa"'
+  [ "$status" -eq 0 ]
+  run field_eq "$got" ".item.attributes.key_bits" "256"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library rsa-2048" {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+  run update_vault_ssh_certificate_library -id $clid -key-type rsa -key-bits 2048
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_type" '"rsa"'
+  [ "$status" -eq 0 ]
+  run field_eq "$got" ".item.attributes.key_bits" "2048"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library rsa-3072" {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+  run update_vault_ssh_certificate_library -id $clid -key-type rsa -key-bits 3072
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_type" '"rsa"'
+  [ "$status" -eq 0 ]
+  run field_eq "$got" ".item.attributes.key_bits" "3072"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library rsa-4096" {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+  run update_vault_ssh_certificate_library -id $clid -key-type rsa -key-bits 4096
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_type" '"rsa"'
+  [ "$status" -eq 0 ]
+  run field_eq "$got" ".item.attributes.key_bits" "4096"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library rsa-0" {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+  run update_vault_ssh_certificate_library -id $clid -key-type rsa -key-bits 0
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_type" '"rsa"'
+  [ "$status" -eq 0 ]
+  run field_eq "$got" ".item.attributes.key_bits" "2048"
+  [ "$status" -eq 0 ]
+}
+
+
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library ed25519" {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+  run update_vault_ssh_certificate_library -id $clid -key-type ed25519 -key-bits null
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_type" '"ed25519"'
+  [ "$status" -eq 0 ]
+  run field_eq "$got" ".item.attributes.key_bits" "null"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library key_type default" {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+
+  # set to something other than the default
+  run update_vault_ssh_certificate_library -id $clid -key-type ecdsa -key-bits 384
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_type" '"ecdsa"'
+  [ "$status" -eq 0 ]
+  run field_eq "$got" ".item.attributes.key_bits" "384"
+  [ "$status" -eq 0 ]
+
+  # now set to the default
+  run update_vault_ssh_certificate_library -id $clid -key-type null -key-bits null
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_type" '"ed25519"'
+  [ "$status" -eq 0 ]
+  run field_eq "$got" ".item.attributes.key_bits" "null"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library ttl" {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+
+  # can set it
+  run update_vault_ssh_certificate_library -id $clid -ttl 1d
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.ttl" '"1d"'
+  [ "$status" -eq 0 ]
+
+  # can unset it
+  run update_vault_ssh_certificate_library -id $clid -ttl null
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.ttl" "null"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library key_id" {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+
+  # can set it
+  run update_vault_ssh_certificate_library -id $clid -key-id id
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_id" '"id"'
+  [ "$status" -eq 0 ]
+
+  # can unset it
+  run update_vault_ssh_certificate_library -id $clid -key-id null
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_id" "null"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library extensions" {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+
+  # can set it
+  run update_vault_ssh_certificate_library -id $clid -extension permit-pty
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.extensions" '{"permit-pty":""}'
+  [ "$status" -eq 0 ]
+
+  # can set multiple
+  run update_vault_ssh_certificate_library -id $clid -extension permit-pty -extension permit-X11-forwarding
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.extensions" '{"permit-X11-forwarding":"","permit-pty":""}'
+  [ "$status" -eq 0 ]
+
+  # can unset it
+  run update_vault_ssh_certificate_library -id $clid -extensions null
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.extensions" "null"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library critical-options" {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+
+  # can set it
+  run update_vault_ssh_certificate_library -id $clid -critical-option force-command=/bin/foo
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" '.item.attributes.critical_options["force-command"]' '"/bin/foo"'
+  [ "$status" -eq 0 ]
+
+  # can set multiple
+  run update_vault_ssh_certificate_library -id $clid -critical-option force-command=/bin/foo -critical-option source-address=10.0.0.1/32
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" '.item.attributes.critical_options["force-command"]' '"/bin/foo"'
+  [ "$status" -eq 0 ]
+  run field_eq "$got" '.item.attributes.critical_options["source-address"]' '"10.0.0.1/32"'
+  [ "$status" -eq 0 ]
+
+  # can unset it
+  run update_vault_ssh_certificate_library -id $clid -extensions null
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.extensions" "null"
+  [ "$status" -eq 0 ]
+}
+
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library " {
+  skip_if_no_vault
+
+  local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID)
+  local clid=$(credential_library_id $NEW_VAULT_LIB $csid)
+
+  # can set a ttl
+  run update_vault_ssh_certificate_library -id $clid -key-id id
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_id" '"id"'
+  [ "$status" -eq 0 ]
+
+  # can unset it
+  run update_vault_ssh_certificate_library -id $clid -key-id null
+  echo "$output"
+  [ "$status" -eq 0 ]
+
+  run read_credential_library $clid
+  echo "$output"
+  [ "$status" -eq 0 ]
+  got=$(echo "$output")
+
+  run field_eq "$got" ".item.attributes.key_id" "null"
+  [ "$status" -eq 0 ]
+}
+
@test "boundary/credential-libraries: can delete $NEW_VAULT_LIB vault-ssh-certificate library" {
  skip_if_no_vault