272 lines
8.5 KiB
YAML
272 lines
8.5 KiB
YAML
# Tests success paths for secret substitution using each Deckhand secret type.
|
|
# The types include: Certificate, CertificateKey, CertificateAuthority,
|
|
# CertificateAuthorityKey, Passphrase, PrivateKey, PublicKey.
|
|
#
|
|
# 1. Tests that creating each supported Deckhand secret type results in the
|
|
# Barbican secret ref being returned.
|
|
# 2. Tests that each secret payload is included in the destination
|
|
# and source documents after document rendering.
|
|
|
|
defaults:
|
|
request_headers:
|
|
X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN']
|
|
verbose: true
|
|
|
|
tests:
|
|
- name: purge
|
|
desc: Begin testing from known state.
|
|
DELETE: /api/v1.0/revisions
|
|
status: 204
|
|
request_headers:
|
|
content-type: application/x-yaml
|
|
response_headers: null
|
|
|
|
- name: create_documents_for_secret_substitution
|
|
desc: Create documents with substitution source with storagePolicy=encrypted
|
|
PUT: /api/v1.0/buckets/secret/documents
|
|
status: 200
|
|
request_headers:
|
|
content-type: application/x-yaml
|
|
response_headers:
|
|
content-type: application/x-yaml
|
|
data: |-
|
|
---
|
|
schema: deckhand/LayeringPolicy/v1
|
|
metadata:
|
|
schema: metadata/Control/v1
|
|
name: layering-policy
|
|
data:
|
|
layerOrder:
|
|
- site
|
|
---
|
|
schema: deckhand/Certificate/v1
|
|
metadata:
|
|
name: example-cert
|
|
schema: metadata/Document/v1
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
storagePolicy: encrypted
|
|
data: CERTIFICATE DATA
|
|
---
|
|
schema: deckhand/CertificateAuthority/v1
|
|
metadata:
|
|
name: example-ca
|
|
schema: metadata/Document/v1
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
storagePolicy: encrypted
|
|
data: CA DATA
|
|
---
|
|
schema: deckhand/CertificateAuthorityKey/v1
|
|
metadata:
|
|
name: example-ca-key
|
|
schema: metadata/Document/v1
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
storagePolicy: encrypted
|
|
data: CA KEY DATA
|
|
---
|
|
schema: deckhand/CertificateKey/v1
|
|
metadata:
|
|
name: example-cert-key
|
|
schema: metadata/Document/v1
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
storagePolicy: encrypted
|
|
data: CERTIFICATE KEY DATA
|
|
---
|
|
schema: deckhand/Passphrase/v1
|
|
metadata:
|
|
name: example-passphrase
|
|
schema: metadata/Document/v1
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
storagePolicy: encrypted
|
|
data: PASSPHRASE DATA
|
|
---
|
|
schema: deckhand/PrivateKey/v1
|
|
metadata:
|
|
name: example-private-key
|
|
schema: metadata/Document/v1
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
storagePolicy: encrypted
|
|
data: PRIVATE KEY DATA
|
|
---
|
|
schema: deckhand/PublicKey/v1
|
|
metadata:
|
|
name: example-public-key
|
|
schema: metadata/Document/v1
|
|
layeringDefinition:
|
|
abstract: false
|
|
layer: site
|
|
storagePolicy: encrypted
|
|
data: PUBLIC KEY DATA
|
|
---
|
|
schema: armada/Chart/v1
|
|
metadata:
|
|
schema: metadata/Document/v1
|
|
name: armada-chart-01
|
|
# We don't need to encrypt the destination document.
|
|
storagePolicy: cleartext
|
|
layeringDefinition:
|
|
layer: site
|
|
substitutions:
|
|
- dest:
|
|
path: .certificate
|
|
src:
|
|
schema: deckhand/Certificate/v1
|
|
name: example-cert
|
|
path: .
|
|
- dest:
|
|
path: .certificate_authority
|
|
src:
|
|
schema: deckhand/CertificateAuthority/v1
|
|
name: example-ca
|
|
path: .
|
|
- dest:
|
|
path: .certificate_authority_key
|
|
src:
|
|
schema: deckhand/CertificateAuthorityKey/v1
|
|
name: example-ca-key
|
|
path: .
|
|
- dest:
|
|
path: .certificate_key
|
|
src:
|
|
schema: deckhand/CertificateKey/v1
|
|
name: example-cert-key
|
|
path: .
|
|
- dest:
|
|
path: .passphrase
|
|
src:
|
|
schema: deckhand/Passphrase/v1
|
|
name: example-passphrase
|
|
path: .
|
|
- dest:
|
|
path: .private_key
|
|
src:
|
|
schema: deckhand/PrivateKey/v1
|
|
name: example-private-key
|
|
path: .
|
|
- dest:
|
|
path: .public_key
|
|
src:
|
|
schema: deckhand/PublicKey/v1
|
|
name: example-public-key
|
|
path: .
|
|
data: {}
|
|
...
|
|
|
|
- name: verify_multiple_revision_documents_returns_secret_ref
|
|
desc: Verify that secret ref was created for each secret document type.
|
|
GET: /api/v1.0/revisions/$RESPONSE['$.[0].status.revision']/documents
|
|
status: 200
|
|
request_headers:
|
|
content-type: application/x-yaml
|
|
response_headers:
|
|
content-type: application/x-yaml
|
|
query_parameters:
|
|
metadata.name:
|
|
- example-ca
|
|
- example-ca-key
|
|
- example-cert
|
|
- example-cert-key
|
|
- example-passphrase
|
|
- example-private-key
|
|
- example-public-key
|
|
cleartext-secrets: 'true'
|
|
response_multidoc_jsonpaths:
|
|
$.`len`: 7
|
|
# NOTE(felipemonteiro): jsonpath-rw-ext uses a 1 character separator (rather than allowing a string)
|
|
# leading to this nastiness:
|
|
$.[0].data.`split(:, 0, 1)` + "://" + $.[0].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']
|
|
$.[1].data.`split(:, 0, 1)` + "://" + $.[1].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']
|
|
$.[2].data.`split(:, 0, 1)` + "://" + $.[2].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']
|
|
$.[3].data.`split(:, 0, 1)` + "://" + $.[3].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']
|
|
$.[4].data.`split(:, 0, 1)` + "://" + $.[4].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']
|
|
$.[5].data.`split(:, 0, 1)` + "://" + $.[5].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']
|
|
$.[6].data.`split(:, 0, 1)` + "://" + $.[6].data.`split(/, 2, 3)`: $ENVIRON['TEST_BARBICAN_URL']
|
|
|
|
- name: validate_expected_secrets_exist_in_barbican
|
|
desc: Validate that all the expected secrets were created in Barbican.
|
|
GET: $ENVIRON['TEST_BARBICAN_URL']/v1/secrets
|
|
status: 200
|
|
query_parameters:
|
|
sort: name
|
|
request_headers:
|
|
content-type: application/json
|
|
response_headers:
|
|
content-type: application/json; charset=UTF-8
|
|
response_json_paths:
|
|
$.secrets.`len`: 7
|
|
$.secrets[*].status:
|
|
- ACTIVE
|
|
- ACTIVE
|
|
- ACTIVE
|
|
- ACTIVE
|
|
- ACTIVE
|
|
- ACTIVE
|
|
- ACTIVE
|
|
$.secrets[*].name:
|
|
- example-ca
|
|
- example-ca-key
|
|
- example-cert
|
|
- example-cert-key
|
|
- example-passphrase
|
|
- example-private-key
|
|
- example-public-key
|
|
$.secrets[*].secret_type:
|
|
- certificate
|
|
- private
|
|
- certificate
|
|
- private
|
|
- passphrase
|
|
- private
|
|
- public
|
|
|
|
- name: verify_secret_payload_in_destination_document
|
|
desc: |
|
|
Verify each secret payload is injected into the destination document and that
|
|
the secret payload is present in each secret document type rather than the
|
|
Barbican reference.
|
|
GET: /api/v1.0/revisions/$HISTORY['create_documents_for_secret_substitution'].$RESPONSE['$.[0].status.revision']/rendered-documents
|
|
status: 200
|
|
request_headers:
|
|
content-type: application/x-yaml
|
|
response_headers:
|
|
content-type: application/x-yaml
|
|
query_parameters:
|
|
cleartext-secrets: true
|
|
sort: 'metadata.name'
|
|
response_multidoc_jsonpaths:
|
|
$.`len`: 9
|
|
$.[0].metadata.name: armada-chart-01
|
|
$.[0].data:
|
|
certificate: CERTIFICATE DATA
|
|
certificate_authority: CA DATA
|
|
certificate_authority_key: CA KEY DATA
|
|
certificate_key: CERTIFICATE KEY DATA
|
|
passphrase: PASSPHRASE DATA
|
|
private_key: PRIVATE KEY DATA
|
|
public_key: PUBLIC KEY DATA
|
|
$.[1].metadata.name: example-ca
|
|
$.[1].data: CA DATA
|
|
$.[2].metadata.name: example-ca-key
|
|
$.[2].data: CA KEY DATA
|
|
$.[3].metadata.name: example-cert
|
|
$.[3].data: CERTIFICATE DATA
|
|
$.[4].metadata.name: example-cert-key
|
|
$.[4].data: CERTIFICATE KEY DATA
|
|
$.[5].metadata.name: example-passphrase
|
|
$.[5].data: PASSPHRASE DATA
|
|
$.[6].metadata.name: example-private-key
|
|
$.[6].data: PRIVATE KEY DATA
|
|
$.[7].metadata.name: example-public-key
|
|
$.[7].data: PUBLIC KEY DATA
|