117 lines
3.9 KiB
YAML
117 lines
3.9 KiB
YAML
# Tests success paths for secret substitution using a generic document type.
|
|
# This entails setting storagePolicy=encrypted for a non-built-in secret
|
|
# document.
|
|
#
|
|
# 1. Tests that creating an encrypted generic document results in a
|
|
# Barbican reference being returned.
|
|
# 2. Tests that the encrypted payload is included in the destination
|
|
# and source documents after document rendering.
|
|
|
|
defaults:
|
|
request_headers:
|
|
content-type: application/x-yaml
|
|
X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN']
|
|
response_headers:
|
|
content-type: application/x-yaml
|
|
verbose: true
|
|
|
|
tests:
|
|
- name: purge
|
|
desc: Begin testing from known state.
|
|
DELETE: /api/v1.0/revisions
|
|
status: 204
|
|
response_headers: null
|
|
|
|
- name: encrypt_generic_document_for_secret_substitution
|
|
desc: |
|
|
Create documents using a generic document type (armada/Generic/v1) as the
|
|
substitution source with storagePolicy=encrypted.
|
|
PUT: /api/v1.0/buckets/secret/documents
|
|
status: 200
|
|
data: |-
|
|
---
|
|
schema: deckhand/LayeringPolicy/v1
|
|
metadata:
|
|
schema: metadata/Control/v1
|
|
name: layering-policy
|
|
data:
|
|
layerOrder:
|
|
- site
|
|
---
|
|
# Generic document as substitution source.
|
|
schema: armada/Generic/v1
|
|
metadata:
|
|
name: example-armada-cert
|
|
schema: metadata/Document/v1
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
storagePolicy: encrypted
|
|
data: ARMADA CERTIFICATE DATA
|
|
---
|
|
schema: armada/Chart/v1
|
|
metadata:
|
|
schema: metadata/Document/v1
|
|
name: armada-chart-01
|
|
# We don't need to encrypt the destination document.
|
|
storagePolicy: cleartext
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
substitutions:
|
|
- dest:
|
|
path: .chart.values.tls.certificate
|
|
src:
|
|
schema: armada/Generic/v1
|
|
name: example-armada-cert
|
|
path: .
|
|
data: {}
|
|
...
|
|
|
|
- name: verify_multiple_revision_documents_returns_secret_ref
|
|
desc: Verify that secret ref was created for example-armada-cert among multiple created documents.
|
|
GET: /api/v1.0/revisions/$RESPONSE['$.[0].status.revision']/documents
|
|
status: 200
|
|
query_parameters:
|
|
metadata.name: example-armada-cert
|
|
cleartext-secrets: 'true'
|
|
response_multidoc_jsonpaths:
|
|
$.`len`: 1
|
|
# NOTE(felipemonteiro): jsonpath-rw-ext uses a 1 character separator (rather than allowing a string)
|
|
# leading to this nastiness:
|
|
$.[0].data.`split(:, 0, 1)` + "://" + $.[0].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']
|
|
|
|
- name: verify_generic_secret_created_in_barbican
|
|
desc: Validate that the generic secret gets stored with secret_type passphrase.
|
|
GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets/$RESPONSE['$.[0].data.`split(/, 5, -1)`']
|
|
status: 200
|
|
request_headers:
|
|
content-type: application/json
|
|
response_headers:
|
|
content-type: application/json; charset=UTF-8
|
|
response_json_paths:
|
|
$.status: ACTIVE
|
|
$.name: example-armada-cert
|
|
# Default type for documents with generic schema.
|
|
$.secret_type: passphrase
|
|
|
|
- name: verify_secret_payload_in_destination_document
|
|
desc: Verify secret payload is injected in destination document as well as example-armada-cert.
|
|
GET: /api/v1.0/revisions/$HISTORY['encrypt_generic_document_for_secret_substitution'].$RESPONSE['$.[0].status.revision']/rendered-documents
|
|
status: 200
|
|
query_parameters:
|
|
metadata.name:
|
|
- armada-chart-01
|
|
- example-armada-cert
|
|
sort: metadata.name
|
|
response_multidoc_jsonpaths:
|
|
$.`len`: 2
|
|
$.[0].metadata.name: armada-chart-01
|
|
$.[0].data:
|
|
chart:
|
|
values:
|
|
tls:
|
|
certificate: ARMADA CERTIFICATE DATA
|
|
$.[1].metadata.name: example-armada-cert
|
|
$.[1].data: ARMADA CERTIFICATE DATA
|