# Tests success paths for deleting all revisions:
#
# 1. Tests that deleting all revisions purges secret references from
#    Barbican.

defaults:
  verbose: true

tests:
  - name: purge
    desc: Begin testing from known state.
    DELETE: /api/v1.0/revisions
    status: 204
    request_headers:
      content-type: application/x-yaml
      X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN']
    response_headers: null

  - name: create_encrypted_passphrase
    desc: Create passphrase with storagePolicy=encrypted
    PUT: /api/v1.0/buckets/secret/documents
    status: 200
    request_headers:
      content-type: application/x-yaml
      X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN']
    response_headers:
      content-type: application/x-yaml
    data: |-
      ---
      schema: deckhand/Passphrase/v1
      metadata:
        schema: metadata/Document/v1
        name: my-passphrase
        layeringDefinition:
          layer: fake
        storagePolicy: encrypted
      data: not-a-real-password
      ...
    response_multidoc_jsonpaths:
      $.`len`: 1
      # NOTE(fmontei): jsonpath-rw-ext uses a 1 character separator (rather than allowing a string)
      # leading to this nastiness:
      $.[0].data.`split(:, 0, 1)` + "://" + $.[0].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']

  - name: validate_secret_exists_in_barbican
    desc: Validate that the secret ref exists in Barbican
    GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets/$HISTORY['create_encrypted_passphrase'].$RESPONSE['$.[0].data.`split(/, 5, -1)`']
    status: 200
    request_headers:
      X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN']
    response_headers:
      content-type: application/json; charset=UTF-8
    response_json_paths:
      $.status: ACTIVE

  - name: validate_secret_payload_matches_in_barbican
    desc: Validate that the secret itself matches in Barbican
    GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets/$HISTORY['create_encrypted_passphrase'].$RESPONSE['$.[0].data.`split(/, 5, -1)`']/payload
    status: 200
    request_headers:
      X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN']
    response_headers:
      content-type: application/octet-stream; charset=UTF-8
    response_strings:
      - not-a-real-password

  - name: delete_all_revisions
    desc: Delete all revisions from Deckhand, which should delete all secrets.
    DELETE: /api/v1.0/revisions
    status: 204
    request_headers:
      content-type: application/x-yaml
      X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN']
    response_headers: null

  - name: validate_all_secrets_deleted_from_barbican
    desc: |-
      Validate that deleting all revisions deletes all secrets from Barbican.
    GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets
    status: 200
    request_headers:
      X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN']
    response_headers:
      content-type: application/json; charset=UTF-8
    response_json_paths:
      $.secrets.`len`: 0
      $.secrets: []