diff --git a/cmd/kas-grants.go b/cmd/kas-grants.go index c0c4514a..b05ebd83 100644 --- a/cmd/kas-grants.go +++ b/cmd/kas-grants.go @@ -4,6 +4,8 @@ import ( "errors" "fmt" + "github.com/evertras/bubble-table/table" + "github.com/google/uuid" "github.com/opentdf/otdfctl/pkg/cli" "github.com/opentdf/otdfctl/pkg/man" "github.com/spf13/cobra" @@ -153,6 +155,80 @@ func policy_unassignKasGrant(cmd *cobra.Command, args []string) { HandleSuccess(cmd, "", t, res) } +func policy_listKasGrants(cmd *cobra.Command, args []string) { + c := cli.New(cmd, args) + h := NewHandler(c) + defer h.Close() + kasF := c.Flags.GetOptionalString("kas") + var ( + kasID string + kasURI string + ) + + // if not a UUID, infer flag value passed was a URI + if kasF != "" { + _, err := uuid.Parse(kasF) + if err != nil { + kasURI = kasF + } else { + kasID = kasF + } + } + + grants, err := h.ListKasGrants(cmd.Context(), kasID, kasURI) + if err != nil { + cli.ExitWithError("Failed to list assigned KAS Grants", err) + } + + rows := []table.Row{} + t := cli.NewTable( + // columns should be kas id, kas uri, type, id, fqn + table.NewFlexColumn("kas_id", "KAS ID", 3), + table.NewFlexColumn("kas_uri", "KAS URI", 3), + table.NewFlexColumn("grant_type", "Assigned To", 1), + table.NewFlexColumn("id", "Granted Object ID", 3), + table.NewFlexColumn("fqn", "Granted Object FQN", 3), + ) + + for _, g := range grants { + kasID := g.GetKeyAccessServer().GetId() + kasURI := g.GetKeyAccessServer().GetUri() + for _, ag := range g.GetAttributeGrants() { + rows = append(rows, table.NewRow(table.RowData{ + "kas_id": kasID, + "kas_uri": kasURI, + "grant_type": "Definition", + "id": ag.GetId(), + "fqn": ag.GetFqn(), + })) + } + for _, vg := range g.GetValueGrants() { + rows = append(rows, table.NewRow(table.RowData{ + "kas_id": kasID, + "kas_uri": kasURI, + "grant_type": "Value", + "id": vg.GetId(), + "fqn": vg.GetFqn(), + })) + } + for _, ng := range g.GetNamespaceGrants() { + rows = append(rows, table.NewRow(table.RowData{ + "kas_id": kasID, + "kas_uri": kasURI, + "grant_type": "Namespace", + "id": ng.GetId(), + "fqn": ng.GetFqn(), + })) + } + } + t = t.WithRows(rows) + + // Do not supporting printing the 'get --id=...' helper message as grants are atypical + // with no individual ID. + cmd.Use = "" + HandleSuccess(cmd, "", t, grants) +} + func init() { assignCmd := man.Docs.GetCommand("policy/kas-grants/assign", man.WithRun(policy_assignKasGrant), @@ -217,8 +293,17 @@ func init() { unassignCmd.GetDocFlag("force").Description, ) + listCmd := man.Docs.GetCommand("policy/kas-grants/list", + man.WithRun(policy_listKasGrants), + ) + listCmd.Flags().StringP( + listCmd.GetDocFlag("kas").Name, + listCmd.GetDocFlag("kas").Shorthand, + listCmd.GetDocFlag("kas").Default, + listCmd.GetDocFlag("kas").Description, + ) cmd := man.Docs.GetCommand("policy/kas-grants", - man.WithSubcommands(assignCmd, unassignCmd), + man.WithSubcommands(assignCmd, unassignCmd, listCmd), ) policyCmd.AddCommand(&cmd.Command) } diff --git a/cmd/kas-registry.go b/cmd/kas-registry.go index 172ef057..c5896bce 100644 --- a/cmd/kas-registry.go +++ b/cmd/kas-registry.go @@ -127,11 +127,16 @@ func policy_createKeyAccessRegistry(cmd *cobra.Command, args []string) { cli.ExitWithError("Failed to create Registered KAS entry", err) } + keyJSON, err := protojson.Marshal(key) + if err != nil { + cli.ExitWithError("Failed to marshal public key to JSON", err) + } + rows := [][]string{ {"Id", created.GetId()}, {"URI", created.GetUri()}, {"PublicKey Type", keyType}, - {"PublicKey", key.String()}, + {"PublicKey", string(keyJSON)}, } if mdRows := getMetadataRows(created.GetMetadata()); mdRows != nil { rows = append(rows, mdRows...) diff --git a/docs/man/policy/kas-grants/list.md b/docs/man/policy/kas-grants/list.md new file mode 100644 index 00000000..dba055e0 --- /dev/null +++ b/docs/man/policy/kas-grants/list.md @@ -0,0 +1,21 @@ +--- +title: List KAS Grants + +command: + name: list + aliases: + - l + description: List the Grants of KASes to Attribute Namespaces, Definitions, and Values + flags: + - name: kas + shorthand: k + description: The optional ID or URI of a KAS to filter the list +--- + +List the Grants of Registered Key Access Servers (KASes) to attribute namespaces, definitions, +or values. + +Omitting `kas` lists all grants known to platform policy, otherwise results are filtered to +the KAS URI or ID specified by the flag value. + +For more information, see `kas-registry` and `kas-grants` manuals. diff --git a/pkg/handlers/kas-grants.go b/pkg/handlers/kas-grants.go index 48360d48..a32dd0fb 100644 --- a/pkg/handlers/kas-grants.go +++ b/pkg/handlers/kas-grants.go @@ -4,6 +4,7 @@ import ( "context" "github.com/opentdf/platform/protocol/go/policy/attributes" + "github.com/opentdf/platform/protocol/go/policy/kasregistry" "github.com/opentdf/platform/protocol/go/policy/namespaces" ) @@ -96,3 +97,14 @@ func (h Handler) DeleteKasGrantFromNamespace(ctx context.Context, ns_id string, return resp.GetNamespaceKeyAccessServer(), nil } + +func (h Handler) ListKasGrants(ctx context.Context, kas_id, kas_uri string) ([]*kasregistry.KeyAccessServerGrants, error) { + resp, err := h.sdk.KeyAccessServerRegistry.ListKeyAccessServerGrants(ctx, &kasregistry.ListKeyAccessServerGrantsRequest{ + KasId: kas_id, + KasUri: kas_uri, + }) + if err != nil { + return nil, err + } + return resp.GetGrants(), nil +} diff --git a/tests/kas-grants.bats b/tests/kas-grants.bats index 2c022605..3e096c12 100755 --- a/tests/kas-grants.bats +++ b/tests/kas-grants.bats @@ -2,101 +2,221 @@ # Tests for KAS grants -setup() { +setup_file() { echo -n '{"clientId":"opentdf","clientSecret":"secret"}' > creds.json export WITH_CREDS='--with-client-creds-file ./creds.json' export HOST='--host http://localhost:8080' - if [[ "$BATS_TEST_NUMBER" -eq 1 ]]; then - export KAS_ID=$(./otdfctl $HOST $WITH_CREDS policy kas-registry create --uri 'https://e2etestkas.com' --public-key-remote 'https://e2etestkas.com/pub_key' --json | jq -r '.id') - else - export KAS_ID=$(./otdfctl $HOST $WITH_CREDS policy kas-registry list --json | jq -r '.[-1].id') - fi - + export KAS_URI="https://e2etestkas.com" + export KAS_ID=$(./otdfctl $HOST $WITH_CREDS policy kas-registry create --uri "$KAS_URI" --public-key-remote 'https://e2etestkas.com/pub_key' --json | jq -r '.id') export KAS_ID_FLAG="--kas-id $KAS_ID" + + export NS_ID=$(./otdfctl $HOST $WITH_CREDS policy attributes namespaces create -n "testing-kasg.uk" --json | jq -r '.id') + ATTR=$(./otdfctl $HOST $WITH_CREDS policy attributes create -n "attr1" --json --rule ANY_OF --namespace "$NS_ID" -v "val1") + export ATTR_ID=$(echo $ATTR | jq -r '.id') + export VAL_ID=$(echo $ATTR | jq -r '.values[0].id') +} + +setup() { + load "${BATS_LIB_PATH}/bats-support/load.bash" + load "${BATS_LIB_PATH}/bats-assert/load.bash" + + # invoke binary with credentials + run_otdfctl_kasg () { + run sh -c "./otdfctl $HOST $WITH_CREDS policy kas-grants $*" + } +} + +teardown_file() { + # clear out all test env vars + unset HOST WITH_CREDS KAS_ID KAS_ID_FLAG KAS_URI NS_ID NS_ID_FLAG ATTR_ID ATTR_ID_FLAG VAL_ID VAL_ID_FLAG } @test "namespace: assign grant then unassign it" { - export NS_ID=$(./otdfctl $HOST $WITH_CREDS policy attributes namespaces list --json | jq -r '.[0].id') + # assign the namespace a grant export NS_ID_FLAG="--namespace-id $NS_ID" - result="$(./otdfctl $HOST $WITH_CREDS policy kas-grants assign $NS_ID_FLAG $KAS_ID_FLAG)" - [[ "$result" == *"SUCCESS"* ]] - [[ "$result" == *"Namespace ID"* ]] - [[ "$result" == *$NS_ID* ]] - [[ "$result" == *"KAS ID"* ]] - [[ "$result" == *$KAS_ID* ]] - - result="$(./otdfctl $HOST $WITH_CREDS policy kas-grants unassign $NS_ID_FLAG $KAS_ID_FLAG --force)" - [[ "$result" == *"SUCCESS"* ]] - [[ "$result" == *"Namespace ID"* ]] - [[ "$result" == *$NS_ID* ]] - [[ "$result" == *"KAS ID"* ]] - [[ "$result" == *$KAS_ID* ]] + + run_otdfctl_kasg assign "$NS_ID_FLAG" "$KAS_ID_FLAG" + assert_output --partial "SUCCESS" + assert_output --partial "Namespace ID" + assert_output --partial $NS_ID + assert_output --partial "KAS ID" + assert_output --partial $KAS_ID + + # LIST should find the namespace in the grants + # filtered by KAS + # json + run_otdfctl_kasg list --kas $KAS_ID --json + assert_output --partial "$NS_ID" + run_otdfctl_kasg list --kas $KAS_URI --json + assert_output --partial "$NS_ID" + # table + run_otdfctl_kasg list --kas $KAS_ID + assert_output --regexp "$KAS_URI.*Namespace.*$NS_ID" + run_otdfctl_kasg list --kas $KAS_URI + assert_output --regexp "$KAS_URI.*Namespace.*$NS_ID" + + + # unfiltered (all KASes) + # json + run_otdfctl_kasg list --json + assert_output --partial "$NS_ID" + # table + run_otdfctl_kasg list + assert_output --regexp "$KAS_URI.*Namespace.*$NS_ID" + + # unassign the namespace grant + run_otdfctl_kasg unassign $NS_ID_FLAG $KAS_ID_FLAG --force + assert_output --partial "SUCCESS" + assert_output --partial "Namespace ID" + assert_output --partial $NS_ID + assert_output --partial "KAS ID" + assert_output --partial $KAS_ID + + # LIST should not find the namespace in the grants + # filtered by KAS + # json + run_otdfctl_kasg list --kas $KAS_ID --json + refute_output --partial "$NS_ID" + run_otdfctl_kasg list --kas $KAS_URI --json + refute_output --partial "$NS_ID" + # table + run_otdfctl_kasg list + refute_output --regexp "$KAS_URI.*Namespace.*$NS_ID" + # unfiltered + # json + run_otdfctl_kasg list --json + refute_output --partial "$NS_ID" + # table + run_otdfctl_kasg list + refute_output --regexp "$KAS_URI.*Namespace.*$NS_ID" } @test "attribute: assign grant then unassign it" { - export ATTR_ID=$(./otdfctl $HOST $WITH_CREDS policy attributes list --json | jq -r '.[0].id') export ATTR_ID_FLAG="--attribute-id $ATTR_ID" - result="$(./otdfctl $HOST $WITH_CREDS policy kas-grants assign $ATTR_ID_FLAG $KAS_ID_FLAG)" - [[ "$result" == *"SUCCESS"* ]] - [[ "$result" == *"Attribute ID"* ]] - [[ "$result" == *$ATTR_ID* ]] - [[ "$result" == *"KAS ID"* ]] - [[ "$result" == *$KAS_ID* ]] - - result="$(./otdfctl $HOST $WITH_CREDS policy kas-grants unassign $ATTR_ID_FLAG $KAS_ID_FLAG --force)" - [[ "$result" == *"SUCCESS"* ]] - [[ "$result" == *"Attribute ID"* ]] - [[ "$result" == *$ATTR_ID* ]] - [[ "$result" == *"KAS ID"* ]] - [[ "$result" == *$KAS_ID* ]] + run_otdfctl_kasg assign "$ATTR_ID_FLAG" "$KAS_ID_FLAG" + assert_output --partial "SUCCESS" + assert_output --partial "Attribute ID" + assert_output --partial $ATTR_ID + assert_output --partial "KAS ID" + assert_output --partial $KAS_ID + + # LIST should find the attribute in the grants + # filtered by KAS + # json + run_otdfctl_kasg list --kas $KAS_ID --json + assert_output --partial "$ATTR_ID" + run_otdfctl_kasg list --kas $KAS_URI --json + assert_output --partial "$ATTR_ID" + # table + run_otdfctl_kasg list --kas $KAS_URI + assert_output --regexp "$KAS_URI.*Definition.*$ATTR_ID" + run_otdfctl_kasg list --kas $KAS_ID + assert_output --regexp "$KAS_URI.*Definition.*$ATTR_ID" + # unfiltered + # json + run_otdfctl_kasg list --json + assert_output --partial "$ATTR_ID" + # table + run_otdfctl_kasg list + assert_output --regexp "$KAS_URI.*Definition.*$ATTR_ID" + + run_otdfctl_kasg unassign $ATTR_ID_FLAG $KAS_ID_FLAG --force + assert_output --partial "SUCCESS" + assert_output --partial "Attribute ID" + assert_output --partial $ATTR_ID + assert_output --partial "KAS ID" + assert_output --partial $KAS_ID + + # LIST should not find the attribute in the grants + # filtered by KAS + run_otdfctl_kasg list --kas $KAS_ID --json + refute_output --partial "$ATTR_ID" + run_otdfctl_kasg list --kas $KAS_URI --json + refute_output --partial "$ATTR_ID" + # unfiltered + # json + run_otdfctl_kasg list --json + refute_output --partial "$ATTR_ID" + # table + run_otdfctl_kasg list + refute_output --regexp "$KAS_URI.*Definition.*$ATTR_ID" } @test "value: assign grant then unassign it" { - export VAL_ID=$(./otdfctl $HOST $WITH_CREDS policy attributes list --json | jq -r '.[0].values[0].id') export VAL_ID_FLAG="--value-id $VAL_ID" - result="$(./otdfctl $HOST $WITH_CREDS policy kas-grants assign $VAL_ID_FLAG $KAS_ID_FLAG)" - [[ "$result" == *"SUCCESS"* ]] - [[ "$result" == *"Value ID"* ]] - [[ "$result" == *$VAL_ID* ]] - [[ "$result" == *"KAS ID"* ]] - [[ "$result" == *$KAS_ID* ]] - - result="$(./otdfctl $HOST $WITH_CREDS policy kas-grants unassign $VAL_ID_FLAG $KAS_ID_FLAG --force)" - [[ "$result" == *"SUCCESS"* ]] - [[ "$result" == *"Value ID"* ]] - [[ "$result" == *$VAL_ID* ]] - [[ "$result" == *"KAS ID"* ]] - [[ "$result" == *$KAS_ID* ]] -} + run_otdfctl_kasg assign "$VAL_ID_FLAG" "$KAS_ID_FLAG" + assert_output --partial "SUCCESS" + assert_output --partial "Value ID" + assert_output --partial $VAL_ID + assert_output --partial "KAS ID" + assert_output --partial $KAS_ID + + # LIST should find the value in the grants + # filtered by KAS + # json + run_otdfctl_kasg list --kas $KAS_ID --json + assert_output --partial "$VAL_ID" + run_otdfctl_kasg list --kas $KAS_URI --json + assert_output --partial "$VAL_ID" + # table + run_otdfctl_kasg list --kas $KAS_ID + assert_output --regexp "$KAS_URI.*Value.*$VAL_ID" + run_otdfctl_kasg list --kas $KAS_URI + assert_output --regexp "$KAS_URI.*Value.*$VAL_ID" + + # unfiltered + # json + run_otdfctl_kasg list --json + assert_output --partial "$VAL_ID" + # table + run_otdfctl_kasg list + assert_output --regexp "$KAS_URI.*Value.*$VAL_ID" + + run_otdfctl_kasg unassign $VAL_ID_FLAG $KAS_ID_FLAG --force + assert_output --partial "SUCCESS" + assert_output --partial "Value ID" + assert_output --partial $VAL_ID + assert_output --partial "KAS ID" + assert_output --partial $KAS_ID + + # LIST should not find the value within any grants + # filtered by KAS + # json + run_otdfctl_kasg list --kas $KAS_ID --json + refute_output --partial "$VAL_ID" + run_otdfctl_kasg list --kas $KAS_URI --json + refute_output --partial "$VAL_ID" + # table + run_otdfctl_kasg list --kas $KAS_ID + refute_output --regexp "$KAS_URI.*Value.*$VAL_ID" + run_otdfctl_kasg list --kas $KAS_URI + refute_output --regexp "$KAS_URI.*Value.*$VAL_ID" + # unfiltered + # json + run_otdfctl_kasg list --json + refute_output --partial "$VAL_ID" + # table + run_otdfctl_kasg list + refute_output --regexp "$KAS_URI.*Value.*$VAL_ID" + } @test "assign rejects more than one type of grant at once" { export NS_ID_FLAG='--namespace-id hello' export ATTR_ID_FLAG='--attribute-id world' export VAL_ID_FLAG='--value-id goodnight' - # simulates try/catch to avoid failed tests on expected errors - result='' - { - result="$(./otdfctl $HOST $WITH_CREDS policy kas-grants assign $ATTR_ID_FLAG $VAL_ID_FLAG $KAS_ID_FLAG)" - } || { - true - } - [[ "$result" == *"Must specify exactly one Attribute Namespace ID, Definition ID, or Value ID to assign"* ]] + run_otdfctl_kasg assign $ATTR_ID_FLAG $VAL_ID_FLAG $KAS_ID_FLAG + assert_failure + assert_output --partial "Must specify exactly one Attribute Namespace ID, Definition ID, or Value ID to assign" - { - result="$(./otdfctl $HOST $WITH_CREDS policy kas-grants assign $NS_ID_FLAG $VAL_ID_FLAG $KAS_ID_FLAG)" - } || { - true - } - [[ "$result" == *"Must specify exactly one Attribute Namespace ID, Definition ID, or Value ID to assign"* ]] + run_otdfctl_kasg assign $NS_ID_FLAG $VAL_ID_FLAG $KAS_ID_FLAG + assert_failure + assert_output --partial "Must specify exactly one Attribute Namespace ID, Definition ID, or Value ID to assign" - { - result="$(./otdfctl $HOST $WITH_CREDS policy kas-grants assign $ATTR_ID_FLAG $NS_ID_FLAG $KAS_ID_FLAG)" - } || { - true - } - [[ "$result" == *"Must specify exactly one Attribute Namespace ID, Definition ID, or Value ID to assign"* ]] + run_otdfctl_kasg assign $ATTR_ID_FLAG $NS_ID_FLAG $KAS_ID_FLAG + assert_failure + assert_output --partial "Must specify exactly one Attribute Namespace ID, Definition ID, or Value ID to assign" } @test "unassign rejects more than one type of grant at once" { @@ -104,26 +224,15 @@ setup() { export ATTR_ID_FLAG='--attribute-id world' export VAL_ID_FLAG='--value-id goodnight' - # simulates try/catch to avoid failed tests on expected errors - result='' - { - result="$(./otdfctl $HOST $WITH_CREDS policy kas-grants unassign $ATTR_ID_FLAG $VAL_ID_FLAG $KAS_ID_FLAG)" - } || { - true - } - [[ "$result" == *"Must specify exactly one Attribute Namespace ID, Definition ID, or Value ID to unassign"* ]] - - { - result="$(./otdfctl $HOST $WITH_CREDS policy kas-grants unassign $NS_ID_FLAG $VAL_ID_FLAG $KAS_ID_FLAG)" - } || { - true - } - [[ "$result" == *"Must specify exactly one Attribute Namespace ID, Definition ID, or Value ID to unassign"* ]] - - { - result="$(./otdfctl $HOST $WITH_CREDS policy kas-grants unassign $ATTR_ID_FLAG $NS_ID_FLAG $KAS_ID_FLAG)" - } || { - true - } - [[ "$result" == *"Must specify exactly one Attribute Namespace ID, Definition ID, or Value ID to unassign"* ]] + run_otdfctl_kasg unassign $ATTR_ID_FLAG $VAL_ID_FLAG $KAS_ID_FLAG + assert_failure + assert_output --partial "Must specify exactly one Attribute Namespace ID, Definition ID, or Value ID to unassign" + + run_otdfctl_kasg unassign $NS_ID_FLAG $VAL_ID_FLAG $KAS_ID_FLAG + assert_failure + assert_output --partial "Must specify exactly one Attribute Namespace ID, Definition ID, or Value ID to unassign" + + run_otdfctl_kasg unassign $ATTR_ID_FLAG $NS_ID_FLAG $KAS_ID_FLAG + assert_failure + assert_output --partial "Must specify exactly one Attribute Namespace ID, Definition ID, or Value ID to unassign" } \ No newline at end of file diff --git a/tests/kas-registry.bats b/tests/kas-registry.bats index 1d1334fa..ec9ceafe 100755 --- a/tests/kas-registry.bats +++ b/tests/kas-registry.bats @@ -6,61 +6,77 @@ setup_file() { export CREDSFILE=creds.json echo -n '{"clientId":"opentdf","clientSecret":"secret"}' > $CREDSFILE export WITH_CREDS="--with-client-creds-file $CREDSFILE" - export DEBUG_LEVEL="--log-level debug" export HOST='--host http://localhost:8080' + export DEBUG_LEVEL="--log-level debug" export REMOTE_KEY='https://hello.world/pubkey' export PEM='LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvVENDQWVXZ0F3SUJBZ0lVTXU4bzhXaDJIVEE2VEFlTENqQzJmVjlwSWVJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0RqRU1NQW9HQTFVRUF3d0RhMkZ6TUI0WERUSTBNRFl4T0RFNE16WXlOMW9YRFRJMU1EWXhPREU0TXpZeQpOMW93RGpFTU1Bb0dBMVVFQXd3RGEyRnpNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDCkFRRUFyMXBRam83cGlPdlBDVHRkSUVOZkc4eVZpK1dWMUZVTi82eFREcXJMeFpUdEFrWjE0M3VIVGZQOWExdXEKaFcxSW9heUpPVWpuWXNuUUh6dUVCZGtaNEh1d3pkeTZ3Um5lT1RSY2o3TitEd25aS21EcTF1YWZ6bEdzdG8vQgpoZnRtaWxVRjRZbm5GY0ROK3ZxajJlcDNhYlVramhrbUlRVDhwcjI1YkZ4TGFpd3dPbmx5TTVWUWM4bmFoZ2xuCjBNMGdOV0tJV0ZFSndoajBab2poMUw0ZGptenFVaU9tTkhCUDRRelNwNyswK3RXb3hJb1AyT2Fqa0p5MEljWkgKcS9OOWlTelZiZzFLL2tLZytkdS9QbWRqUCtqNTZsa0pPU1J6ZXpoK2R5NytHaHJCVDNVc21QbmNWM2NXVk1pOApFc1lDS2NUNUVNSGhhTmFHMFhEakptRzI4d0lEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVZ1BUTkZjemQ5ajBFClgzN3A2SGh3UFJpY0JqOHdId1lEVlIwakJCZ3dGb0FVZ1BUTkZjemQ5ajBFWDM3cDZIaHdQUmljQmo4d0R3WUQKVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFDS2VxRkswSlcyYTVzS2JPQnl3WgppazB5MmpyRHJaUG5mMG9kTjVIbThtZWVuQnhteW9CeVZWRm9uUGVDaG1uWUZTdERtMlFJUTZnWVBtdEFhQ3VKCnRVeU5zNkxPQm1wR2JKaFRnNXljZXFXWnhYY3NmVkZ3ZHFxVXQ2NnRXdmNPeFZUQmdrN3h6RFFPbkxnRkxqZDYKSlZIeE16RkxXVFEwa00yVXJOOGd0T2RMazRhZUJhSzdiVHdaUEZ0RnR1YUZlYlFUbTRLY2ZSNXpzZkxTKzhpRgp1MWZGOVpKWkg2ZzZibENUeE50d3Z2eVMxVTMvS1AwVlQ5WVB3OTVmcElWMlNLT2QzejNZMGRKOUE5TGQ5TUkzCkwvWS8rNW05NEZCMTdTSWtERXpZM2d2TkxDSVZxODh2WHlnK2doVEhzSHNjYzNWcUUwK0x6cmZkemltbzMxRWQKTkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t' export KID='my_key_123' export CACHED_KEY="{\"cached\":{\"keys\":[{\"pem\":\"$PEM\",\"kid\":\"$KID\",\"alg\":1}]}}" - export URI="https://end-to-end-kas.com" +} + +setup() { + load "${BATS_LIB_PATH}/bats-support/load.bash" + load "${BATS_LIB_PATH}/bats-assert/load.bash" + + # invoke binary with credentials + run_otdfctl_kasr () { + run sh -c "./otdfctl policy kas-registry $HOST $WITH_CREDS $*" + } } teardown() { ID=$(echo "$CREATED" | jq -r '.id') - ./otdfctl $HOST $DEBUG_LEVEL $WITH_CREDS policy kas-registry delete --id "$ID" --force + run_otdfctl_kasr delete --id "$ID" --force } @test "create registration of a KAS with remote key" { - export CREATED=$(./otdfctl $HOST $DEBUG_LEVEL $WITH_CREDS policy kas-registry create --uri "$URI" -r "$REMOTE_KEY" --json) - echo $CREATED | grep "$REMOTE_KEY" - echo $CREATED | grep "$URI" + URI="https://testing-create-remote.co" + run_otdfctl_kasr create --uri "$URI" -r "$REMOTE_KEY" --json + assert_output --partial "$REMOTE_KEY" + assert_output --partial "$URI" + export CREATED="$output" } -@test "create registration of a KAS with cached key" { - export CREATED=$(./otdfctl $HOST $DEBUG_LEVEL $WITH_CREDS policy kas-registry create --uri "$URI" -c "$CACHED_KEY" --json) - echo $CREATED | grep "$KID" - echo $CREATED | grep "$PEM" - echo $CREATED | grep "$URI" -} - -@test "get registered KAS" { +@test "create KAS with cached key then get it" { + URI="https://testing-get.gov" export CREATED=$(./otdfctl $HOST $DEBUG_LEVEL $WITH_CREDS policy kas-registry create --uri "$URI" -c "$CACHED_KEY" --json) ID=$(echo "$CREATED" | jq -r '.id') - RESULT=$(./otdfctl $HOST $DEBUG_LEVEL $WITH_CREDS policy kas-registry get --id "$ID") - echo $RESULT | grep "$ID" - echo $RESULT | grep "$URI" - echo $RESULT | grep -i "uri" - echo $RESULT | grep "pem" + run echo $CREATED + assert_output --partial "$URI" + assert_output --partial "uri" + assert_output --partial "pem" + assert_output --partial "$PEM" + assert_output --partial "$KID" + + run_otdfctl_kasr get --id "$ID" --json + assert_output --partial "$ID" + assert_output --partial "$URI" + assert_output --partial "uri" + assert_output --partial "$PEM" + assert_output --partial "pem" + assert_output --partial "$KID" } @test "update registered KAS" { + URI="https://testing-update.net" export CREATED=$(./otdfctl $HOST $DEBUG_LEVEL $WITH_CREDS policy kas-registry create --uri "$URI" -c "$CACHED_KEY" --json) ID=$(echo "$CREATED" | jq -r '.id') - RESULT=$(./otdfctl $HOST $DEBUG_LEVEL $WITH_CREDS policy kas-registry update --id "$ID" -u "https://newuri.com" --public-key-remote "$REMOTE_KEY" --json) - echo $RESULT | grep "$ID" - echo $RESULT | grep "https://newuri.com" - echo $RESULT | grep "$REMOTE_KEY" - echo $RESULT | grep -i "uri" - [ "$(echo "$RESULT" | grep -c "pem")" -eq 0 ] - [ "$(echo "$RESULT" | grep -c "cached")" -eq 0 ] + run_otdfctl_kasr update --id "$ID" -u "https://newuri.com" --public-key-remote "$REMOTE_KEY" --json + assert_output --partial "$ID" + assert_output --partial "https://newuri.com" + assert_output --partial "$REMOTE_KEY" + assert_output --partial "uri" + refute_output --partial "pem" + refute_output --partial "cached" } @test "list registered KASes" { + URI="https://testing-list.io" export CREATED=$(./otdfctl $HOST $DEBUG_LEVEL $WITH_CREDS policy kas-registry create --uri "$URI" -c "$CACHED_KEY" --json) ID=$(echo "$CREATED" | jq -r '.id') - RESULT=$(./otdfctl $HOST $DEBUG_LEVEL $WITH_CREDS policy kas-registry list --json) - echo $RESULT | grep "$ID" - echo $RESULT | grep -i "uri" - echo $RESULT | grep -i "$URI" + run_otdfctl_kasr list --json + assert_output --partial "$ID" + assert_output --partial "uri" + assert_output --partial "$URI" }