deckhand/deckhand/tests/integration/gabbits/document-render-secret.yaml

60 lines
1.8 KiB
YAML

# Tests success paths for rendering a secret document:
#
# 1. Verifies that rendering a document with storagePolicy: encrypted
# results in the secret payload getting returned instead of the ref.
defaults:
request_headers:
content-type: application/x-yaml
X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN']
response_headers:
content-type: application/x-yaml
verbose: true
tests:
- name: purge
desc: Begin testing from known state.
DELETE: /api/v1.0/revisions
status: 204
response_headers: null
- name: create_encrypted_passphrase
desc: Create passphrase with storagePolicy=encrypted
PUT: /api/v1.0/buckets/secret/documents
status: 200
data: |-
---
schema: deckhand/LayeringPolicy/v1
metadata:
schema: metadata/Control/v1
name: layering-policy
data:
layerOrder:
- site
---
schema: deckhand/Passphrase/v1
metadata:
schema: metadata/Document/v1
name: my-passphrase
storagePolicy: encrypted
layeringDefinition:
layer: site
data: not-a-real-password
...
response_multidoc_jsonpaths:
$.`len`: 2
# NOTE(felipemonteiro): jsonpath-rw-ext uses a 1 character separator (rather than allowing a string)
# leading to this nastiness:
$.[1].data.`split(:, 0, 1)` + "://" + $.[1].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']
- name: verify_rendered_documents_returns_secret_payload
desc: Verify that the rendering the document returns the secret payload.
GET: /api/v1.0/revisions/$RESPONSE['$.[0].status.revision']/rendered-documents
status: 200
query_parameters:
cleartext-secrets: true
metadata.name: my-passphrase
response_multidoc_jsonpaths:
$.`len`: 1
$.[0].data: not-a-real-password