diff --git a/internal/tests/cli/boundary/_credential_libraries.bash b/internal/tests/cli/boundary/_credential_libraries.bash
index 6d3c43646e..b5bf1270e0 100644
--- a/internal/tests/cli/boundary/_credential_libraries.bash
+++ b/internal/tests/cli/boundary/_credential_libraries.bash
@@ -5,6 +5,11 @@ function create_vault_ssh_certificate_library() {
 create vault-ssh-certificate $@
 }
+function update_vault_ssh_certificate_library() {
+ boundary credential-libraries \
+ update vault-ssh-certificate $@
+}
+
 function create_vault_generic_library() {
 boundary credential-libraries \
 create vault-generic $@
diff --git a/internal/tests/cli/boundary/_helpers.bash b/internal/tests/cli/boundary/_helpers.bash
index efa9d49d3d..68ff2d2a30 100644
--- a/internal/tests/cli/boundary/_helpers.bash
+++ b/internal/tests/cli/boundary/_helpers.bash
@@ -31,3 +31,11 @@ function has_status_code() {
 diag() { echo "$@" | sed -e 's/^/# /' >&3 ; }
+
+function field_eq() {
+ local json=$1
+ local field=$2
+ local expected=$3
+ echo "checking $field == $expected in $json"
+ echo "$json" | jq -e "$field == $expected"
+}
diff --git a/internal/tests/cli/boundary/credential_libraries.bats b/internal/tests/cli/boundary/credential_libraries.bats
old mode 100755
new mode 100644
index c26405bf9d..f7e7ae30d5
--- a/internal/tests/cli/boundary/credential_libraries.bats
+++ b/internal/tests/cli/boundary/credential_libraries.bats
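Review bot: `update vault-ssh-certificate $@` in the new `update_vault_ssh_certificate_library` forwards the caller's arguments unquoted, so any value containing whitespace — for example a `-critical-option force-command=...` whose command takes arguments — is word-split before it reaches the boundary CLI and ends up as several flags. Quoting keeps each argument intact: `update vault-ssh-certificate "$@"`. The neighbouring `create_*` wrappers in this file use the same unquoted form, so either fix them in the same change or add a comment in the helper noting that values with spaces are not supported.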
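Review bot: The progress line in `field_eq`, `echo "checking $field == $expected in $json"`, is written to stdout, but every caller in this change invokes the helper through bats' `run`, which captures stdout into `$output`, and none of them print it afterwards — so on a mismatch the field name and the JSON that failed are exactly what gets lost. The `diag` helper defined on the line above writes to fd 3, where bats surfaces it as TAP diagnostics; `diag "checking $field == $expected in $json"` makes the message visible on failure. Separately, `jq -e "$field == $expected"` splices the expected value into the jq program text; passing it as data, `jq -e --argjson want "$expected" "$field == \$want"`, keeps `-e`'s non-zero exit for `false`/`null` while rejecting a malformed literal (such as an unquoted string) with a clear argument error instead of a jq compile error.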
@@ -162,6 +162,417 @@ export NEW_VAULT_LIB="test_vault" [ "$status" -eq 0 ] } +@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library ecdsa-256" { + skip_if_no_vault + + local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID) + local clid=$(credential_library_id $NEW_VAULT_LIB $csid) + run update_vault_ssh_certificate_library -id $clid -key-type ecdsa -key-bits 256 + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_type" '"ecdsa"' + [ "$status" -eq 0 ] + run field_eq "$got" ".item.attributes.key_bits" "256" + [ "$status" -eq 0 ] +} + +@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library ecdsa-384" { + skip_if_no_vault + + local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID) + local clid=$(credential_library_id $NEW_VAULT_LIB $csid) + run update_vault_ssh_certificate_library -id $clid -key-type ecdsa -key-bits 384 + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_type" '"ecdsa"' + [ "$status" -eq 0 ] + run field_eq "$got" ".item.attributes.key_bits" "384" + [ "$status" -eq 0 ] +} + +@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library ecdsa-521" { + skip_if_no_vault + + local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID) + local clid=$(credential_library_id $NEW_VAULT_LIB $csid) + run update_vault_ssh_certificate_library -id $clid -key-type ecdsa -key-bits 521 + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_type" '"ecdsa"' + [ "$status" -eq 0 ] + run field_eq "$got" ".item.attributes.key_bits" "521" + [ "$status" -eq 0 ] +} + 
+@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library ecdsa-0" { + skip_if_no_vault + + local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID) + local clid=$(credential_library_id $NEW_VAULT_LIB $csid) + run update_vault_ssh_certificate_library -id $clid -key-type ecdsa -key-bits 0 + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_type" '"ecdsa"' + [ "$status" -eq 0 ] + run field_eq "$got" ".item.attributes.key_bits" "256" + [ "$status" -eq 0 ] +} + +@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library rsa-2048" { + skip_if_no_vault + + local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID) + local clid=$(credential_library_id $NEW_VAULT_LIB $csid) + run update_vault_ssh_certificate_library -id $clid -key-type rsa -key-bits 2048 + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_type" '"rsa"' + [ "$status" -eq 0 ] + run field_eq "$got" ".item.attributes.key_bits" "2048" + [ "$status" -eq 0 ] +} + +@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library rsa-3072" { + skip_if_no_vault + + local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID) + local clid=$(credential_library_id $NEW_VAULT_LIB $csid) + run update_vault_ssh_certificate_library -id $clid -key-type rsa -key-bits 3072 + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_type" '"rsa"' + [ "$status" -eq 0 ] + run field_eq "$got" ".item.attributes.key_bits" "3072" + [ "$status" -eq 0 ] +} + +@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate 
library rsa-4096" { + skip_if_no_vault + + local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID) + local clid=$(credential_library_id $NEW_VAULT_LIB $csid) + run update_vault_ssh_certificate_library -id $clid -key-type rsa -key-bits 4096 + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_type" '"rsa"' + [ "$status" -eq 0 ] + run field_eq "$got" ".item.attributes.key_bits" "4096" + [ "$status" -eq 0 ] +} + +@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library rsa-0" { + skip_if_no_vault + + local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID) + local clid=$(credential_library_id $NEW_VAULT_LIB $csid) + run update_vault_ssh_certificate_library -id $clid -key-type rsa -key-bits 0 + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_type" '"rsa"' + [ "$status" -eq 0 ] + run field_eq "$got" ".item.attributes.key_bits" "2048" + [ "$status" -eq 0 ] +} + + +@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library ed25519" { + skip_if_no_vault + + local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID) + local clid=$(credential_library_id $NEW_VAULT_LIB $csid) + run update_vault_ssh_certificate_library -id $clid -key-type ed25519 -key-bits null + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_type" '"ed25519"' + [ "$status" -eq 0 ] + run field_eq "$got" ".item.attributes.key_bits" "null" + [ "$status" -eq 0 ] +} + +@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library key_type default" { + skip_if_no_vault + + local csid=$(credential_store_id 
$NEW_STORE $DEFAULT_P_ID) + local clid=$(credential_library_id $NEW_VAULT_LIB $csid) + + # set to something other than the default + run update_vault_ssh_certificate_library -id $clid -key-type ecdsa -key-bits 384 + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_type" '"ecdsa"' + [ "$status" -eq 0 ] + run field_eq "$got" ".item.attributes.key_bits" "384" + [ "$status" -eq 0 ] + + # now set to the default + run update_vault_ssh_certificate_library -id $clid -key-type null -key-bits null + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_type" '"ed25519"' + [ "$status" -eq 0 ] + run field_eq "$got" ".item.attributes.key_bits" "null" + [ "$status" -eq 0 ] +} + +@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library ttl" { + skip_if_no_vault + + local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID) + local clid=$(credential_library_id $NEW_VAULT_LIB $csid) + + # can set it + run update_vault_ssh_certificate_library -id $clid -ttl 1d + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.ttl" '"1d"' + [ "$status" -eq 0 ] + + # can unset it + run update_vault_ssh_certificate_library -id $clid -ttl null + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.ttl" "null" + [ "$status" -eq 0 ] +} + +@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library key_id" { + skip_if_no_vault + + local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID) + local 
clid=$(credential_library_id $NEW_VAULT_LIB $csid) + + # can set it + run update_vault_ssh_certificate_library -id $clid -key-id id + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_id" '"id"' + [ "$status" -eq 0 ] + + # can unset it + run update_vault_ssh_certificate_library -id $clid -key-id null + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_id" "null" + [ "$status" -eq 0 ] +} + +@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library extensions" { + skip_if_no_vault + + local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID) + local clid=$(credential_library_id $NEW_VAULT_LIB $csid) + + # can set it + run update_vault_ssh_certificate_library -id $clid -extension permit-pty + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.extensions" '{"permit-pty":""}' + [ "$status" -eq 0 ] + + # can set multiple + run update_vault_ssh_certificate_library -id $clid -extension permit-pty -extension permit-X11-forwarding + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.extensions" '{"permit-X11-forwarding":"","permit-pty":""}' + [ "$status" -eq 0 ] + + # can unset it + run update_vault_ssh_certificate_library -id $clid -extensions null + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.extensions" "null" + [ "$status" -eq 0 ] +} + +@test "boundary/credential-libraries: can update 
$NEW_VAULT_LIB vault-ssh-certificate library critical-options" { + skip_if_no_vault + + local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID) + local clid=$(credential_library_id $NEW_VAULT_LIB $csid) + + # can set it + run update_vault_ssh_certificate_library -id $clid -critical-option force-command=/bin/foo + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" '.item.attributes.critical_options["force-command"]' '"/bin/foo"' + [ "$status" -eq 0 ] + + # can set multiple + run update_vault_ssh_certificate_library -id $clid -critical-option force-command=/bin/foo -critical-option source-address=10.0.0.1/32 + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" '.item.attributes.critical_options["force-command"]' '"/bin/foo"' + [ "$status" -eq 0 ] + run field_eq "$got" '.item.attributes.critical_options["source-address"]' '"10.0.0.1/32"' + [ "$status" -eq 0 ] + + # can unset it + run update_vault_ssh_certificate_library -id $clid -extensions null + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.extensions" "null" + [ "$status" -eq 0 ] +} + +@test "boundary/credential-libraries: can update $NEW_VAULT_LIB vault-ssh-certificate library " { + skip_if_no_vault + + local csid=$(credential_store_id $NEW_STORE $DEFAULT_P_ID) + local clid=$(credential_library_id $NEW_VAULT_LIB $csid) + + # can set a ttl + run update_vault_ssh_certificate_library -id $clid -key-id id + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_id" '"id"' + [ "$status" -eq 0 ] + + # can unset it + run 
update_vault_ssh_certificate_library -id $clid -key-id null + echo "$output" + [ "$status" -eq 0 ] + + run read_credential_library $clid + echo "$output" + [ "$status" -eq 0 ] + got=$(echo "$output") + + run field_eq "$got" ".item.attributes.key_id" "null" + [ "$status" -eq 0 ] +} + @test "boundary/credential-libraries: can delete $NEW_VAULT_LIB vault-ssh-certificate library" { skip_if_no_vault
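Review bot: In the critical-options test the "can unset it" step runs `update_vault_ssh_certificate_library -id $clid -extensions null` and then asserts `.item.attributes.extensions` is null, so the `force-command` and `source-address` critical options set two steps earlier are never cleared or re-read — the attribute this test exists to cover has no unset coverage, and a stale forced command or source-address restriction on issued SSH certificates would pass unnoticed. Following the `-extension` / `-extensions null` pattern the extensions test uses, the two lines should presumably be `run update_vault_ssh_certificate_library -id $clid -critical-options null` and `run field_eq "$got" ".item.attributes.critical_options" "null"` (the plural unset flag is inferred from the extensions case; confirm it against the CLI). The last added test, named `... vault-ssh-certificate library ` with an empty trailing descriptor, repeats the key_id test above it verbatim while its `# can set a ttl` comment describes a different attribute; it should be removed or renamed to what it actually checks. The trailing context lines belong to the existing "can delete" test, whose body continues past the hunk.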