# Tests success paths for rendering a secret document:
#
# 1. Verifies that rendering a document with storagePolicy: encrypted
#    results in the secret payload getting returned instead of the ref.

defaults:
  request_headers:
    content-type: application/x-yaml
    X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN']
  response_headers:
    content-type: application/x-yaml
  verbose: true

tests:
  - name: purge
    desc: Begin testing from known state.
    DELETE: /api/v1.0/revisions
    status: 204
    response_headers: null

  - name: create_encrypted_passphrase
    desc: Create passphrase with storagePolicy=encrypted
    PUT: /api/v1.0/buckets/secret/documents
    status: 200
    data: |-
      ---
      schema: deckhand/LayeringPolicy/v1
      metadata:
        schema: metadata/Control/v1
        name: layering-policy
      data:
        layerOrder:
          - site
      ---
      schema: deckhand/Passphrase/v1
      metadata:
        schema: metadata/Document/v1
        name: my-passphrase
        storagePolicy: encrypted
        layeringDefinition:
          layer: site
      data: not-a-real-password
      ...
    response_multidoc_jsonpaths:
      $.`len`: 2
      # NOTE(felipemonteiro): jsonpath-rw-ext uses a 1 character separator (rather than allowing a string)
      # leading to this nastiness:
      $.[1].data.`split(:, 0, 1)` + "://" + $.[1].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']

  - name: verify_rendered_documents_returns_secret_payload
    desc: Verify that the rendering the document returns the secret payload.
    GET: /api/v1.0/revisions/$RESPONSE['$.[0].status.revision']/rendered-documents
    status: 200
    query_parameters:
      cleartext-secrets: true
      metadata.name: my-passphrase
    response_multidoc_jsonpaths:
      $.`len`: 1
      $.[0].data: not-a-real-password