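public async Task SettingUndeleteAllowed_ProvidesAbilityToUndeleteSecret() {
    // Purpose: a token whose policy lacks the KV2 undelete capability must be refused, and
    // granting only ExtKV2_UndeleteSecret must be enough to restore a deleted version.
    // The restored version is then compared field-by-field with the version that was deleted.

    // Setup basics.
    (string policyPath, KV2Secret origSecret) = await SetupIndividualTestAsync();

    // Setup Policy
    (VaultPolicyContainer polContainer, VaultPolicyPathItem vppi) = await SetupPolicy(policyPath);

    // Setup the Test Engines. One has a good token and one has a control token; the control
    // engine is not exercised by this test, so it is discarded instead of left as an unused local.
    (KV2SecretEngine engOK, _) = await SetupTokenEngines(polContainer.Name);

    //**************************************
    // Test Setup. Save several versions of the secret so the deleted version is not the only one.
    KV2Secret secret2 = await UpdateSecretRandom(origSecret);
    secret2 = await UpdateSecretRandom(secret2);
    secret2 = await UpdateSecretRandom(secret2);

    // Delete the latest version with the root engine (the token under test has no delete rights here).
    Assert.True(await _rootEng.DeleteSecretVersion(secret2, secret2.Version), "A10: Expected deletion of specific secret version to succeed..");

    // Read it back with the root engine.
    // Settle delay carried over from the original test; presumably gives Vault time to register
    // the delete before the read — TODO confirm it is still needed. Awaited rather than
    // Thread.Sleep so the async test does not block its worker thread.
    await Task.Delay(200);
    KV2Secret delSecret = await _rootEng.ReadSecret(secret2);
    Assert.IsNull(delSecret, "A20: Deletion of secret does not appear to have worked.");

    // Failure Test: without the capability the undelete must be refused, and the exception must
    // carry PermissionDenied so an ACL refusal is distinguishable from any other forbidden response
    // (the sibling tests assert this too; it was missing here).
    VaultForbiddenException eDL1 = Assert.ThrowsAsync<VaultForbiddenException>(async () => await engOK.UndeleteSecretVersion(secret2, secret2.Version), "DL10: Expected VaultForbidden Error to be thrown.");
    Assert.AreEqual(EnumVaultExceptionCodes.PermissionDenied, eDL1.SpecificErrorCode, "DL20: Expected PermissionDenied to be set on SpecificErrorCode Field.");

    // Provide Access. Denied = true appears to reset the path item before the single capability
    // under test is granted (same pattern as the sibling tests) — confirm against VaultPolicyPathItem.
    vppi.Denied = true;
    vppi.ExtKV2_UndeleteSecret = true;
    Assert.True(await _vaultSystemBackend.SysPoliciesACLUpdate(polContainer), "A30: Updating the policy object failed.");

    // Success Test.
    Assert.True(await engOK.UndeleteSecretVersion(secret2, secret2.Version), "A40: Expected Undelete to succeed.");

    // Validate - We use the root accessor, since our base token does not have Read Access.
    KV2Secret secret3 = await _rootEng.ReadSecret(secret2);
    Assert.IsNotNull(secret3, "A50: Expected the Secret to be found and successfully read. We did not find a secret object. Something is wrong with permissions.");

    // The restored secret must be the same version with the same attribute values, not merely
    // one with the same attribute count. Assumes Attributes is a keyed collection — the sibling
    // update test adds entries with Attributes.Add(key, value).
    Assert.AreEqual(secret2.Version, secret3.Version, "A55: Undeleted secret is not the version that was deleted.");
    Assert.AreEqual(secret2.Attributes.Count, secret3.Attributes.Count, "A60: Undeleted version of secret is not same as deleted version.");
    foreach (var attribute in secret2.Attributes) {
        Assert.AreEqual(attribute.Value, secret3.Attributes[attribute.Key], "A70: Attribute value differs after undelete: " + attribute.Key);
    }
}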
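public async Task DeletionOfSpecificVersions_Success() {
    // Purpose: deleting one specific version requires ExtKV2_DeleteAnyKeyVersion, and the delete
    // must be scoped to that version only — the versions around it must remain readable.

    // Setup basics.
    (string policyPath, KV2Secret origSecret) = await SetupIndividualTestAsync();

    // Setup Policy
    (VaultPolicyContainer polContainer, VaultPolicyPathItem vppi) = await SetupPolicy(policyPath);

    // Setup the Test Engines. One has a good token and one has a control token; the control
    // engine is not exercised by this test, so it is discarded instead of left as an unused local.
    (KV2SecretEngine engOK, _) = await SetupTokenEngines(polContainer.Name);

    // Setup. Save several versions of the secret; secret4 (a middle version) is the delete target
    // so that there are versions on both sides of it to check afterwards.
    KV2Secret secret2 = await UpdateSecretRandom(origSecret);
    KV2Secret secret3 = await UpdateSecretRandom(secret2);
    KV2Secret secret4 = await UpdateSecretRandom(secret3);
    KV2Secret secret5 = await UpdateSecretRandom(secret4);
    KV2Secret secret6 = await UpdateSecretRandom(secret5);

    // Failure Test: without the capability the call must be refused with PermissionDenied.
    VaultForbiddenException eEC1 = Assert.ThrowsAsync<VaultForbiddenException>(async () => await engOK.DeleteSecretVersion(secret4, secret4.Version), "A10: Expected VaultForbidden Error to be thrown.");
    Assert.AreEqual(EnumVaultExceptionCodes.PermissionDenied, eEC1.SpecificErrorCode, "A20: Expected PermissionDenied to be set on SpecificErrorCode Field.");

    // Provide Access. Denied = true appears to reset the path item before the capabilities are
    // granted — confirm against VaultPolicyPathItem. ReadAllowed is needed so the token under
    // test can do its own validation reads below.
    vppi.Denied = true;
    vppi.ReadAllowed = true;
    vppi.ExtKV2_DeleteAnyKeyVersion = true;
    Assert.True(await _vaultSystemBackend.SysPoliciesACLUpdate(polContainer), "A30: Updating the policy object failed.");

    // Success Test
    Assert.True(await engOK.DeleteSecretVersion(secret4, secret4.Version), "A40: Expected deletion of specific secret version to succeed..");

    // Validate. Settle delay carried over from the original test; presumably gives Vault time to
    // register the delete — TODO confirm it is still needed. Awaited rather than Thread.Sleep so
    // the async test does not block its worker thread.
    await Task.Delay(200);
    KV2Secret secGone = await engOK.ReadSecret(secret4, secret4.Version);
    Assert.IsNull(secGone, "A50: Expected to not find the given secret. But found it. This means it did not get deleted.");

    // A version-scoped delete must not have removed the key or its other versions: the version
    // just before the target and the latest version must both still be readable.
    KV2Secret secBefore = await engOK.ReadSecret(secret3, secret3.Version);
    Assert.IsNotNull(secBefore, "A60: The version preceding the deleted one should still be readable.");
    KV2Secret secLatest = await engOK.ReadSecret(secret6, secret6.Version);
    Assert.IsNotNull(secLatest, "A70: The latest version should still be readable after deleting an older version.");
}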
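public async Task SettingDeleteAllowed_ProvidesAbilityToDeleteSecret() {
    // Purpose: the plain DeleteAllowed capability is required to delete a secret's latest version
    // (DeleteSecretVersion called without an explicit version), and is sufficient once granted.

    // Setup basics.
    (string policyPath, KV2Secret origSecret) = await SetupIndividualTestAsync();

    // Setup Policy
    (VaultPolicyContainer polContainer, VaultPolicyPathItem vppi) = await SetupPolicy(policyPath);

    // Setup the Test Engines. One has a good token and one has a control token; the control
    // engine is not exercised by this test, so it is discarded instead of left as an unused local.
    (KV2SecretEngine engOK, _) = await SetupTokenEngines(polContainer.Name);

    //**************************************
    // Test Setup. Save several versions of the secret so the latest version is not the only one.
    KV2Secret secret2 = await UpdateSecretRandom(origSecret);
    secret2 = await UpdateSecretRandom(secret2);
    secret2 = await UpdateSecretRandom(secret2);

    // Failure Test: without the capability the delete must be refused with PermissionDenied.
    VaultForbiddenException eDA1 = Assert.ThrowsAsync<VaultForbiddenException>(async () => await engOK.DeleteSecretVersion(secret2), "A300: Expected VaultForbidden Error to be thrown.");
    Assert.AreEqual(EnumVaultExceptionCodes.PermissionDenied, eDA1.SpecificErrorCode, "A10: Expected PermissionDenied to be set on SpecificErrorCode Field.");

    // Change policy. Denied = true appears to reset the path item before the single capability
    // under test is granted (same pattern as the sibling tests) — confirm against VaultPolicyPathItem.
    vppi.Denied = true;
    vppi.DeleteAllowed = true;
    Assert.True(await _vaultSystemBackend.SysPoliciesACLUpdate(polContainer), "A20: Updating the policy object failed.");

    // Success Test
    Assert.True(await engOK.DeleteSecretVersion(secret2), "A30: Expected deletion of specific secret version to succeed..");

    // Validate Test. The token under test has no read access, so the root engine reads back.
    // Settle delay carried over from the original test; presumably gives Vault time to register
    // the delete — TODO confirm it is still needed. Awaited rather than Thread.Sleep so the
    // async test does not block its worker thread.
    await Task.Delay(200);
    KV2Secret delSecret = await _rootEng.ReadSecret(secret2);
    Assert.IsNull(delSecret, "A40: Deletion of secret does not appear to have worked.");
}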
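public async Task SettingUpdatellowed_ProvidesAbilityToUpdateSecret() {
    // Purpose: writing a new version of an existing secret requires UpdateAllowed on the path.
    // Both the token under test and the control token are refused before the grant; the token
    // under test succeeds after it.
    //
    // Fix: the original mutated vppi (Denied/UpdateAllowed) BEFORE the two failure assertions and
    // then re-set UpdateAllowed as a no-op at the grant step. The failure assertions only held
    // because the edited object had not yet been pushed to Vault. The policy edit now happens at
    // the grant step, so the negative checks run against an unchanged policy object.

    // Setup basics.
    (string policyPath, KV2Secret origSecret) = await SetupIndividualTestAsync();

    // Setup Policy
    (VaultPolicyContainer polContainer, VaultPolicyPathItem vppi) = await SetupPolicy(policyPath);

    // Setup the Test Engines, One has a good token and one has a control token.
    (KV2SecretEngine engOK, KV2SecretEngine engFail) = await SetupTokenEngines(polContainer.Name);

    //**************************************
    // Actual Test
    // Prepare a changed secret. The save uses OnlyOnExistingVersionMatch against the current
    // version number, so it is a check-and-set update rather than a blind overwrite.
    string attC = "attC";
    string valueC = "valueC";
    int versionNumber = origSecret.Version;
    origSecret.Attributes.Add(attC, valueC);

    // CA - Try with the OK Token before any grant - should fail with PermissionDenied.
    VaultForbiddenException e1 = Assert.ThrowsAsync<VaultForbiddenException>(async () => await engOK.SaveSecret(origSecret, KV2EnumSecretSaveOptions.OnlyOnExistingVersionMatch, versionNumber), "A200: Expected VaultForbidden Error to be thrown.");
    Assert.AreEqual(EnumVaultExceptionCodes.PermissionDenied, e1.SpecificErrorCode, "A202: Expected PermissionDenied to be set on SpecificErrorCode Field.");

    // CB - Try with the Fail Token - should fail.
    VaultForbiddenException eCB1 = Assert.ThrowsAsync<VaultForbiddenException>(async () => await engFail.SaveSecret(origSecret, KV2EnumSecretSaveOptions.OnlyOnExistingVersionMatch, versionNumber), "A204: Expected VaultForbidden Error to be thrown.");
    Assert.AreEqual(EnumVaultExceptionCodes.PermissionDenied, eCB1.SpecificErrorCode, "A206: Expected PermissionDenied to be set on SpecificErrorCode Field.");

    // CC - Update the policy to allow. Denied = true appears to reset the path item before the
    // single capability under test is granted (same pattern as the sibling tests) — confirm
    // against VaultPolicyPathItem.
    vppi.Denied = true;
    vppi.UpdateAllowed = true;
    Assert.True(await _vaultSystemBackend.SysPoliciesACLUpdate(polContainer), "A208: Updating the policy object failed.");

    // CD - Retry the save.
    Assert.True(await engOK.SaveSecret(origSecret, KV2EnumSecretSaveOptions.OnlyOnExistingVersionMatch, versionNumber), "A209: Updating of the secret was not successful. This should have succeeded.");

    // NOTE(review): the control token (engFail) is not re-checked after the grant. A second
    // negative check here would prove the grant is scoped to polContainer's token only.
}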
public async Task SettingDestroyAllowed_ProvidesAbilityToDestroySecret() {
    // Destroying a specific version needs ExtKV2_DestroySecret: the token under test is refused
    // with PermissionDenied until that capability is granted, then the destroy succeeds and the
    // root engine can no longer read the secret.

    // Fixtures: the secret path, a policy on that path, and two engines (test token + control token).
    (string policyPath, KV2Secret baseSecret) = await SetupIndividualTestAsync();
    (VaultPolicyContainer policy, VaultPolicyPathItem pathItem) = await SetupPolicy(policyPath);
    (KV2SecretEngine testEngine, KV2SecretEngine controlEngine) = await SetupTokenEngines(policy.Name);

    // Write three more versions; the last one written is the destroy target.
    KV2Secret target = baseSecret;
    for (int i = 0; i < 3; i++) {
        target = await UpdateSecretRandom(target);
    }
    int targetVersion = target.Version;

    // Negative check: no capability yet, so the destroy must be forbidden with PermissionDenied.
    VaultForbiddenException forbidden = Assert.ThrowsAsync<VaultForbiddenException>(() => testEngine.DestroySecretVersion(target, targetVersion), "A10: Expected VaultForbidden Error to be thrown.");
    Assert.AreEqual(EnumVaultExceptionCodes.PermissionDenied, forbidden.SpecificErrorCode, "A20: Expected Permission Denied to be set on SpecificErrorCode Field.");

    // Grant the single capability under test and push the policy to Vault. Denied = true appears
    // to reset the path item first (same pattern as the sibling tests) — confirm against VaultPolicyPathItem.
    pathItem.Denied = true;
    pathItem.ExtKV2_DestroySecret = true;
    bool policyPushed = await _vaultSystemBackend.SysPoliciesACLUpdate(policy);
    Assert.True(policyPushed, "A30: Updating the policy object failed.");

    // Positive check: the same call now succeeds.
    bool destroyed = await testEngine.DestroySecretVersion(target, targetVersion);
    Assert.True(destroyed, "A40: Destroy Secret Specific Version Failed.");

    // Validate with the root engine, because the test token has no read access on this path.
    KV2Secret afterDestroy = await _rootEng.ReadSecret(target);
    Assert.IsNull(afterDestroy, "A50: Expected the Secret to not be found.");
}