コード例 #1
ファイル: PolicyKV2_Tests.cs プロジェクト: SlugEnt/VaultAPI
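        /// <summary>
        /// Verifies that the policy-bound token can undelete a soft-deleted KV2 secret version only
        /// after <c>ExtKV2_UndeleteSecret</c> is set on its policy path and the policy is pushed to Vault.
        /// </summary>
        /// <remarks>
        /// Deny-before-grant flow: the newest version is deleted through the root engine, the restricted
        /// engine is expected to be refused with <see cref="VaultForbiddenException"/>, the policy is then
        /// updated, and the same undelete call is expected to succeed.
        /// </remarks>
        public async Task SettingUndeleteAllowed_ProvidesAbilityToUndeleteSecret()
        {
            // Setup basics.
            (string policyPath, KV2Secret origSecret) = await SetupIndividualTestAsync();

            // Setup Policy
            (VaultPolicyContainer polContainer, VaultPolicyPathItem vppi) = await SetupPolicy(policyPath);

            // Setup the Test Engines, One has a good token and one has a control token.
            // NOTE(review): the control-token engine is not exercised by this test; asserting that it is
            // still refused after the grant would show the permission did not leak beyond this policy.
            (KV2SecretEngine engOK, _) = await SetupTokenEngines(polContainer.Name);


            //**************************************
            // Test Setup.  Lets save several versions of the secret.
            KV2Secret secret2 = await UpdateSecretRandom(origSecret);
            secret2 = await UpdateSecretRandom(secret2);
            secret2 = await UpdateSecretRandom(secret2);

            // Delete the latest version (done with the root engine, so the token under test needs no delete rights).
            Assert.True(await _rootEng.DeleteSecretVersion(secret2, secret2.Version), "A10:  Expected deletion of specific secret version to succeed..");


            // Read it back with the root engine.
            // Awaited delay instead of Thread.Sleep so the async test does not block its thread.
            await Task.Delay(200);
            KV2Secret delSecret = await _rootEng.ReadSecret(secret2);

            Assert.IsNull(delSecret, "A20:  Deletion of secret does not appear to have worked.");


            // Failure Test
            // Lets try to undelete the secret.  The policy has not been granted undelete yet, so Vault must refuse.
            VaultForbiddenException eDL1 = Assert.ThrowsAsync<VaultForbiddenException>(async () => await engOK.UndeleteSecretVersion(secret2, secret2.Version), "DL10:  Expected VaultForbidden Error to be thrown.");

            // Same check the sibling delete/destroy tests make: the refusal must be a permission denial,
            // not some other forbidden condition.
            Assert.AreEqual(EnumVaultExceptionCodes.PermissionDenied, eDL1.SpecificErrorCode, "DL20:  Expected PermissionDenied to be set on SpecificErrorCode Field.");


            // Provide Access.  The local policy object only matters once SysPoliciesACLUpdate pushes it.
            vppi.Denied = true;
            vppi.ExtKV2_UndeleteSecret = true;
            Assert.True(await _vaultSystemBackend.SysPoliciesACLUpdate(polContainer), "A30:  Updating the policy object failed.");


            // Success Test.
            Assert.True(await engOK.UndeleteSecretVersion(secret2, secret2.Version), "A40:  Expected Undelete to succeed.");


            // Validate - We use the root accessor, since our base token does not have Read Access.
            KV2Secret secret3 = await _rootEng.ReadSecret(secret2);

            Assert.IsNotNull(secret3, "A50:  Expected the Secret to be found and successfully read.  We did not find a secret object.  Something is wrong with permissions.");

            // NOTE(review): only the attribute count is compared, not the attribute values.
            Assert.AreEqual(secret2.Attributes.Count, secret3.Attributes.Count, "A60:  Undeleted version of secret is not same as deleted version.");
        }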
コード例 #2
ファイル: PolicyKV2_Tests.cs プロジェクト: SlugEnt/VaultAPI
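        /// <summary>
        /// Verifies that the policy-bound token can delete a specific, non-latest KV2 secret version only
        /// after <c>ExtKV2_DeleteAnyKeyVersion</c> (plus read access) is granted and pushed to Vault.
        /// </summary>
        /// <remarks>
        /// Five further versions are written; the one returned by the third update is the deletion
        /// target, so two newer versions exist when the delete is attempted.
        /// </remarks>
        public async Task DeletionOfSpecificVersions_Success()
        {
            // Setup basics.
            (string policyPath, KV2Secret origSecret) = await SetupIndividualTestAsync();

            // Setup Policy
            (VaultPolicyContainer polContainer, VaultPolicyPathItem vppi) = await SetupPolicy(policyPath);

            // Setup the Test Engines, One has a good token and one has a control token.
            // NOTE(review): the control-token engine is not exercised by this test; asserting that it is
            // still refused after the grant would show the permission did not leak beyond this policy.
            (KV2SecretEngine engOK, _) = await SetupTokenEngines(polContainer.Name);


            // Setup
            // Lets save several versions of the secret.
            KV2Secret secret2 = await UpdateSecretRandom(origSecret);
            KV2Secret secret3 = await UpdateSecretRandom(secret2);
            KV2Secret secret4 = await UpdateSecretRandom(secret3);
            KV2Secret secret5 = await UpdateSecretRandom(secret4);

            // The final version is written only so that newer versions exist above the target; its object is not needed.
            _ = await UpdateSecretRandom(secret5);


            // Failure Test - no delete capability has been pushed yet, so Vault must refuse.
            VaultForbiddenException eEC1 = Assert.ThrowsAsync<VaultForbiddenException>(async () => await engOK.DeleteSecretVersion(secret4, secret4.Version), "A10:  Expected VaultForbidden Error to be thrown.");

            Assert.AreEqual(EnumVaultExceptionCodes.PermissionDenied, eEC1.SpecificErrorCode, "A20:  Expected PermissionDenied to be set on SpecificErrorCode Field.");


            // Provide Access.  ReadAllowed is needed because validation below reads with the same token.
            vppi.Denied      = true;
            vppi.ReadAllowed = true;
            vppi.ExtKV2_DeleteAnyKeyVersion = true;
            Assert.True(await _vaultSystemBackend.SysPoliciesACLUpdate(polContainer), "A30:  Updating the policy object failed.");


            // Success Test
            Assert.True(await engOK.DeleteSecretVersion(secret4, secret4.Version), "A40:  Expected deletion of specific secret version to succeed..");


            // Validate
            // Awaited delay instead of Thread.Sleep so the async test does not block its thread.
            await Task.Delay(200);
            KV2Secret secGone = await engOK.ReadSecret(secret4, secret4.Version);

            Assert.IsNull(secGone, "A50:  Expected to not find the given secret.  But found it.  This means it did not get deleted.");
        }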
コード例 #3
ファイル: PolicyKV2_Tests.cs プロジェクト: SlugEnt/VaultAPI
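        /// <summary>
        /// Verifies that the policy-bound token can delete a KV2 secret only after <c>DeleteAllowed</c>
        /// is set on its policy path and the policy is pushed to Vault.
        /// </summary>
        /// <remarks>
        /// Deny-before-grant flow: the delete is first expected to fail with
        /// <see cref="VaultForbiddenException"/> carrying <c>PermissionDenied</c>, then to succeed once
        /// the policy has been updated.  The result is confirmed through the root engine.
        /// </remarks>
        public async Task SettingDeleteAllowed_ProvidesAbilityToDeleteSecret()
        {
            // Setup basics.
            (string policyPath, KV2Secret origSecret) = await SetupIndividualTestAsync();

            // Setup Policy
            (VaultPolicyContainer polContainer, VaultPolicyPathItem vppi) = await SetupPolicy(policyPath);

            // Setup the Test Engines, One has a good token and one has a control token.
            // NOTE(review): the control-token engine is not exercised by this test; asserting that it is
            // still refused after the grant would show the permission did not leak beyond this policy.
            (KV2SecretEngine engOK, _) = await SetupTokenEngines(polContainer.Name);


            //**************************************
            // Test Setup.  Lets save several versions of the secret.
            KV2Secret secret2 = await UpdateSecretRandom(origSecret);
            secret2 = await UpdateSecretRandom(secret2);
            secret2 = await UpdateSecretRandom(secret2);


            // Failure Test - delete has not been granted yet, so Vault must refuse.
            VaultForbiddenException eDA1 = Assert.ThrowsAsync<VaultForbiddenException>(async () => await engOK.DeleteSecretVersion(secret2), "A300:  Expected VaultForbidden Error to be thrown.");

            Assert.AreEqual(EnumVaultExceptionCodes.PermissionDenied, eDA1.SpecificErrorCode, "A10:  Expected PermissionDenied to be set on SpecificErrorCode Field.");


            // Change policy.  The local policy object only matters once SysPoliciesACLUpdate pushes it.
            vppi.Denied        = true;
            vppi.DeleteAllowed = true;
            Assert.True(await _vaultSystemBackend.SysPoliciesACLUpdate(polContainer), "A20:  Updating the policy object failed.");


            // Success Test
            Assert.True(await engOK.DeleteSecretVersion(secret2), "A30:  Expected deletion of specific secret version to succeed..");

            // Validate Test.  Read back through the root engine; the policy above grants delete only.
            // Awaited delay instead of Thread.Sleep so the async test does not block its thread.
            await Task.Delay(200);
            KV2Secret delSecret = await _rootEng.ReadSecret(secret2);

            Assert.IsNull(delSecret, "A40:  Deletion of secret does not appear to have worked.");
        }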
コード例 #4
ファイル: PolicyKV2_Tests.cs プロジェクト: SlugEnt/VaultAPI
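        /// <summary>
        /// Verifies that the policy-bound token can update an existing KV2 secret only after
        /// <c>UpdateAllowed</c> is set on its policy path and the policy is pushed to Vault.
        /// </summary>
        /// <remarks>
        /// Both the policy token and the control token are expected to be refused with
        /// <see cref="VaultForbiddenException"/> / <c>PermissionDenied</c> before the grant.  Only the
        /// policy token is retried afterwards.
        /// NOTE(review): the method name is missing an "A" ("Updatellowed"); it is left unchanged here
        /// because the name is the test's public identifier.
        /// </remarks>
        public async Task SettingUpdatellowed_ProvidesAbilityToUpdateSecret()
        {
            // Setup basics.
            (string policyPath, KV2Secret origSecret) = await SetupIndividualTestAsync();

            // Setup Policy
            (VaultPolicyContainer polContainer, VaultPolicyPathItem vppi) = await SetupPolicy(policyPath);

            // Setup the Test Engines, One has a good token and one has a control token.
            (KV2SecretEngine engOK, KV2SecretEngine engFail) = await SetupTokenEngines(polContainer.Name);


            //**************************************
            // Actual Test
            // Modify the secret locally; the save is pinned to the version that was read (check-and-set).
            int versionNumber = origSecret.Version;
            origSecret.Attributes.Add("attC", "valueC");

            // CA - Try with the OK token before any update capability has been pushed - should fail.
            VaultForbiddenException e1 = Assert.ThrowsAsync<VaultForbiddenException>(async () => await engOK.SaveSecret(origSecret, KV2EnumSecretSaveOptions.OnlyOnExistingVersionMatch, versionNumber), "A200:  Expected VaultForbidden Error to be thrown.");

            Assert.AreEqual(EnumVaultExceptionCodes.PermissionDenied, e1.SpecificErrorCode, "A202:  Expected PermissionDenied to be set on SpecificErrorCode Field.");


            // CB - Try with the Fail Token - should fail.
            VaultForbiddenException eCB1 = Assert.ThrowsAsync<VaultForbiddenException>(async () => await engFail.SaveSecret(origSecret, KV2EnumSecretSaveOptions.OnlyOnExistingVersionMatch, versionNumber), "A204:  Expected VaultForbidden Error to be thrown.");

            Assert.AreEqual(EnumVaultExceptionCodes.PermissionDenied, eCB1.SpecificErrorCode, "A206:  Expected PermissionDenied to be set on SpecificErrorCode Field.");


            // CC - Update the policy to allow.
            // The flags are set here, next to the push.  The original set them before the failure tests
            // (and set UpdateAllowed a second time), relying on local changes having no effect in Vault
            // until SysPoliciesACLUpdate is called.
            vppi.Denied        = true;
            vppi.UpdateAllowed = true;
            Assert.True(await _vaultSystemBackend.SysPoliciesACLUpdate(polContainer), "A208:  Updating the policy object failed.");

            // CD - Retry the save.
            // NOTE(review): the control token is not retried after the grant; doing so would confirm the
            // new capability applies to this policy only.
            Assert.True(await engOK.SaveSecret(origSecret, KV2EnumSecretSaveOptions.OnlyOnExistingVersionMatch, versionNumber),
                        "A209:  Updating of the secret was not successful.  This should have succeeded.");
        }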
コード例 #5
ファイル: PolicyKV2_Tests.cs プロジェクト: SlugEnt/VaultAPI
        /// <summary>
        /// Verifies that the policy-bound token can destroy a KV2 secret version only after
        /// <c>ExtKV2_DestroySecret</c> is set on its policy path and the policy is pushed to Vault.
        /// </summary>
        /// <remarks>
        /// The destroy call is first expected to be refused with <see cref="VaultForbiddenException"/> /
        /// <c>PermissionDenied</c>, then to succeed after the policy update.  The outcome is confirmed by
        /// reading through the root engine.
        /// </remarks>
        public async Task SettingDestroyAllowed_ProvidesAbilityToDestroySecret()
        {
            // Common fixture: a fresh secret, a policy for its path, and an engine bound to that policy.
            (string policyPath, KV2Secret origSecret) = await SetupIndividualTestAsync();
            (VaultPolicyContainer polContainer, VaultPolicyPathItem vppi) = await SetupPolicy(policyPath);

            // The second (control-token) engine returned here is not used by this test.
            (KV2SecretEngine engOK, _) = await SetupTokenEngines(polContainer.Name);

            // Write three further versions; "latest" always refers to the most recent one.
            KV2Secret latest = origSecret;
            for (int i = 0; i < 3; i++)
            {
                latest = await UpdateSecretRandom(latest);
            }

            // Before the grant: destroy must be refused, and refused as a permission denial.
            VaultForbiddenException denied = Assert.ThrowsAsync<VaultForbiddenException>(
                async () => await engOK.DestroySecretVersion(latest, latest.Version),
                "A10:  Expected VaultForbidden Error to be thrown.");
            Assert.AreEqual(EnumVaultExceptionCodes.PermissionDenied,
                            denied.SpecificErrorCode,
                            "A20:  Expected Permission Denied to be set on SpecificErrorCode Field.");

            // Grant destroy on the policy path and push the policy to Vault.
            vppi.Denied = true;
            vppi.ExtKV2_DestroySecret = true;
            bool policyPushed = await _vaultSystemBackend.SysPoliciesACLUpdate(polContainer);
            Assert.True(policyPushed, "A30:  Updating the policy object failed.");

            // After the grant: the same call must now succeed.
            bool destroyed = await engOK.DestroySecretVersion(latest, latest.Version);
            Assert.True(destroyed, "A40:  Destroy Secret Specific Version Failed.");

            // Confirm through the root engine, since the token under test has no read access.
            KV2Secret afterDestroy = await _rootEng.ReadSecret(latest);
            Assert.IsNull(afterDestroy, "A50:  Expected the Secret to not be found.");
        }