Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix race on group #105

Merged
merged 15 commits into from
Nov 27, 2024
+27 −15
Merged

Fix race on group #105

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
e7615c7
Add better auth error propogation from interactor to controller; added
suprjinx Sep 6, 2024
0c2c8c5
Merge branch 'main' of github.com:suprjinx/astral
suprjinx Sep 13, 2024
9793f3f
Merge branch 'main' of github.com:suprjinx/astral
suprjinx Sep 17, 2024
a2b6f6a
Merge branch 'main' of github.com:suprjinx/astral
suprjinx Oct 21, 2024
08fa788
Merge branch 'main' of github.com:g-research/astral
suprjinx Oct 22, 2024
88b65d4
Merge branch 'main' of github.com:G-Research/astral
suprjinx Oct 22, 2024
d87c082
Merge branch 'main' of github.com:G-Research/astral
suprjinx Oct 22, 2024
04c97b9
Merge branch 'main' of github.com:g-research/astral
suprjinx Oct 25, 2024
52d4dca
Merge branch 'main' of github.com:G-Research/astral
suprjinx Oct 31, 2024
aa81e34
Merge branch 'main' of github.com:G-Research/astral
suprjinx Nov 1, 2024
f6b76ab
Merge branch 'main' of github.com:g-research/astral
suprjinx Nov 4, 2024
3e558f8
Merge branch 'main' of github.com:suprjinx/astral
suprjinx Nov 26, 2024
9419793
Fix flakey test race condition; remove unused cleanup func
suprjinx Nov 26, 2024
d25b651
Deflake test with unique sub and group for each test
suprjinx Nov 27, 2024
31d011d
redundant advisory lock (already locking in private method)
suprjinx Nov 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 2 additions & 4 deletions app/lib/clients/vault/policy.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,8 @@ def rotate_token
def assign_entity_policy(identity, policy_name)
sub = identity.sub
email = identity.email
Domain.with_advisory_lock(sub) do
put_entity(sub, [ policy_name ])
put_entity_alias(sub, email, "oidc")
end
put_entity(sub, [ policy_name ])
put_entity_alias(sub, email, "oidc")
end

def assign_groups_policy(groups, policy_name)
Expand Down
27 changes: 18 additions & 9 deletions test/integration/secrets_test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,14 @@
require "test_helper"

class SecretsTest < ActionDispatch::IntegrationTest
setup do
jwt_json = unique_jwt
@jwt_groups = jwt_json["groups"]
@jwt_authorized = make_signed_jwt(jwt_json)
jwt_read_group_json = unique_jwt.tap { |h| h["groups"] = @jwt_groups }
@jwt_read_group = make_signed_jwt(jwt_read_group_json)
end

test "#create unauthorized" do
post secrets_path
assert_response :unauthorized
Expand All @@ -22,7 +30,7 @@ class SecretsTest < ActionDispatch::IntegrationTest
test "#update an existing secret with same user is authorized" do
existing_path = create_secret
assert_response :success
create_secret(jwt_authorized, existing_path)
create_secret(@jwt_authorized, existing_path)
assert_response :success
end

Expand All @@ -36,7 +44,7 @@ class SecretsTest < ActionDispatch::IntegrationTest
test "#show" do
path = create_secret
# view the secret
get secret_path(path), headers: { "Authorization" => "Bearer #{jwt_authorized}" }
get secret_path(path), headers: { "Authorization" => "Bearer #{@jwt_authorized}" }
assert_response :success
%w[ data metadata lease_id ].each do |key|
assert_includes response.parsed_body["secret"].keys, key
Expand All @@ -46,7 +54,7 @@ class SecretsTest < ActionDispatch::IntegrationTest
test "#show with read_group is authorized" do
path = create_secret
# view the secret
get secret_path(path), headers: { "Authorization" => "Bearer #{jwt_read_group}" }
get secret_path(path), headers: { "Authorization" => "Bearer #{@jwt_read_group}" }
assert_response :success
%w[ data metadata lease_id ].each do |key|
assert_includes response.parsed_body["secret"].keys, key
Expand All @@ -56,27 +64,28 @@ class SecretsTest < ActionDispatch::IntegrationTest
test "#delete" do
path = create_secret
# delete the secret
delete destroy_secret_path(path), headers: { "Authorization" => "Bearer #{jwt_authorized}" }
delete destroy_secret_path(path), headers: { "Authorization" => "Bearer #{@jwt_authorized}" }
assert_response :success
end

test "#delete with a read-authorized user is unauthorized" do
path = create_secret
# delete the secret
delete destroy_secret_path(path), headers: { "Authorization" => "Bearer #{jwt_read_group}" }
delete destroy_secret_path(path), headers: { "Authorization" => "Bearer #{@jwt_read_group}" }
assert_response :unauthorized
end

private

def create_secret(jwt = jwt_authorized, path = "top/secret/#{SecureRandom.hex}")
def create_secret(jwt = @jwt_authorized, path = "top/secret/#{SecureRandom.hex}", groups = @jwt_groups)
# create the secret
post secrets_path, headers: { "Authorization" => "Bearer #{jwt}" },
params: { secret: { path: path, data: { password: "sicr3t" }, groups: "read_group" } }
params: { secret: { path: path, data: { password: "sicr3t" }, groups: groups.join(",") } }
path
end

def remove_pki_engine
vault_client.sys.unmount "pki_astral"
def unique_jwt
{ "sub"=>SecureRandom.hex, "name"=>"John Doe", "iat"=>1516239022,
"groups"=>[ SecureRandom.hex ], "aud"=>"astral" }
end
end
9 changes: 7 additions & 2 deletions test/test_helper.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,16 +14,21 @@ class TestCase
fixtures :all

# Helper methods

def make_signed_jwt(json)
JWT.encode(json, Config[:jwt_signing_key])
end

def jwt_authorized
@@authorized_token ||= JWT.encode(@@authorized_data, Config[:jwt_signing_key])
@@authorized_token ||= make_signed_jwt(@@authorized_data)
end

def jwt_unauthorized
@@unauthorized_token ||= JWT.encode(@@unauthorized_data, "bad_secret")
end

def jwt_read_group
@@read_group_token ||= JWT.encode(@@read_group_data, Config[:jwt_signing_key])
@@read_group_token ||= make_signed_jwt(@@read_group_data)
end

private
Expand Down