mirror of https://github.com/hashicorp/consul
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
151 lines
4.8 KiB
151 lines
4.8 KiB
3 years ago
|
package iamauth
|
||
|
|
||
|
import (
|
||
|
"fmt"
|
||
|
"testing"
|
||
|
|
||
|
"github.com/stretchr/testify/require"
|
||
|
)
|
||
|
|
||
|
func TestConfigValidate(t *testing.T) {
|
||
|
principalArn := "arn:aws:iam::000000000000:role/my-role"
|
||
|
|
||
|
cases := map[string]struct {
|
||
|
expError string
|
||
|
configs []Config
|
||
|
|
||
|
includeHeaderNames bool
|
||
|
}{
|
||
|
"bound iam principals are required": {
|
||
|
expError: "BoundIAMPrincipalARNs is required and must have at least 1 entry",
|
||
|
configs: []Config{
|
||
|
{BoundIAMPrincipalARNs: nil},
|
||
|
{BoundIAMPrincipalARNs: []string{}},
|
||
|
},
|
||
|
},
|
||
|
"entity tags require entity details": {
|
||
|
expError: "Must set EnableIAMEntityDetails=true to use IAMUserTags",
|
||
|
configs: []Config{
|
||
|
{
|
||
|
BoundIAMPrincipalARNs: []string{principalArn},
|
||
|
EnableIAMEntityDetails: false,
|
||
|
IAMEntityTags: []string{"some-tag"},
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
"entity details require all entity header names": {
|
||
|
expError: "Must set all of GetEntityMethodHeader, GetEntityURLHeader, " +
|
||
|
"GetEntityHeadersHeader, and GetEntityBodyHeader when EnableIAMEntityDetails=true",
|
||
|
configs: []Config{
|
||
|
{
|
||
|
BoundIAMPrincipalARNs: []string{principalArn},
|
||
|
EnableIAMEntityDetails: true,
|
||
|
},
|
||
|
{
|
||
|
BoundIAMPrincipalARNs: []string{principalArn},
|
||
|
EnableIAMEntityDetails: true,
|
||
|
GetEntityBodyHeader: "X-Test-Header",
|
||
|
},
|
||
|
{
|
||
|
BoundIAMPrincipalARNs: []string{principalArn},
|
||
|
EnableIAMEntityDetails: true,
|
||
|
GetEntityHeadersHeader: "X-Test-Header",
|
||
|
},
|
||
|
{
|
||
|
BoundIAMPrincipalARNs: []string{principalArn},
|
||
|
EnableIAMEntityDetails: true,
|
||
|
GetEntityURLHeader: "X-Test-Header",
|
||
|
},
|
||
|
{
|
||
|
BoundIAMPrincipalARNs: []string{principalArn},
|
||
|
EnableIAMEntityDetails: true,
|
||
|
GetEntityMethodHeader: "X-Test-Header",
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
"wildcard principals require entity details": {
|
||
|
expError: "Must set EnableIAMEntityDetails=true to use wildcards in BoundIAMPrincipalARNs",
|
||
|
configs: []Config{
|
||
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/*"}},
|
||
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/path/*"}},
|
||
|
},
|
||
|
},
|
||
|
"only one wildcard suffix is allowed": {
|
||
|
expError: "Only one wildcard is allowed at the end of the bound IAM principal ARN",
|
||
|
configs: []Config{
|
||
|
{
|
||
|
BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/**"},
|
||
|
EnableIAMEntityDetails: true,
|
||
|
},
|
||
|
{
|
||
|
BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/*/*"},
|
||
|
EnableIAMEntityDetails: true,
|
||
|
},
|
||
|
{
|
||
|
BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/*/path"},
|
||
|
EnableIAMEntityDetails: true,
|
||
|
},
|
||
|
{
|
||
|
BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/*/path/*"},
|
||
|
EnableIAMEntityDetails: true,
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
"invalid principal arns are disallowed": {
|
||
|
expError: fmt.Sprintf("Invalid principal ARN"),
|
||
|
configs: []Config{
|
||
|
{BoundIAMPrincipalARNs: []string{""}},
|
||
|
{BoundIAMPrincipalARNs: []string{" "}},
|
||
|
{BoundIAMPrincipalARNs: []string{"*"}, EnableIAMEntityDetails: true},
|
||
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam:role/my-role"}},
|
||
|
},
|
||
|
},
|
||
|
"valid principal arns are allowed": {
|
||
|
includeHeaderNames: true,
|
||
|
configs: []Config{
|
||
|
{BoundIAMPrincipalARNs: []string{"arn:aws:sts::000000000000:assumed-role/my-role/some-session-name"}},
|
||
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:user/my-user"}},
|
||
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/my-role"}},
|
||
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:*"}, EnableIAMEntityDetails: true},
|
||
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/*"}, EnableIAMEntityDetails: true},
|
||
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:role/path/*"}, EnableIAMEntityDetails: true},
|
||
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:user/*"}, EnableIAMEntityDetails: true},
|
||
|
{BoundIAMPrincipalARNs: []string{"arn:aws:iam::000000000000:user/path/*"}, EnableIAMEntityDetails: true},
|
||
|
},
|
||
|
},
|
||
|
"server id header value requires service id header name": {
|
||
|
expError: "Must set ServerIDHeaderName to use a server ID value",
|
||
|
configs: []Config{
|
||
|
{
|
||
|
BoundIAMPrincipalARNs: []string{principalArn},
|
||
|
ServerIDHeaderValue: "consul.test.example.com",
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
}
|
||
|
|
||
|
for name, c := range cases {
|
||
|
t.Run(name, func(t *testing.T) {
|
||
|
for _, conf := range c.configs {
|
||
|
if c.includeHeaderNames {
|
||
|
setTestHeaderNames(&conf)
|
||
|
}
|
||
|
err := conf.Validate()
|
||
|
if c.expError != "" {
|
||
|
require.Error(t, err)
|
||
|
require.Contains(t, err.Error(), c.expError)
|
||
|
} else {
|
||
|
require.NoError(t, err)
|
||
|
}
|
||
|
}
|
||
|
})
|
||
|
}
|
||
|
}
|
||
|
|
||
|
func setTestHeaderNames(conf *Config) {
|
||
|
conf.GetEntityMethodHeader = "X-Test-Method"
|
||
|
conf.GetEntityURLHeader = "X-Test-URL"
|
||
|
conf.GetEntityHeadersHeader = "X-Test-Headers"
|
||
|
conf.GetEntityBodyHeader = "X-Test-Body"
|
||
|
}
|