in proxy_agent/src/key_keeper/key.rs [905:1342]
fn key_status_v2_test() {
let status_response = r#"{
"authorizationScheme": "Azure-HMAC-SHA256",
"keyDeliveryMethod": "http",
"keyGuid": null,
"requiredClaimsHeaderPairs": null,
"secureChannelEnabled": true,
"version": "2.0",
"authorizationRules": {
"imds": {
"defaultAccess": "allow",
"mode": "enforce",
"id": "sigid",
"rules": {
"privileges": [
{
"name": "test",
"path": "/test"
},
{
"name": "test1",
"path": "/test1"
}
],
"roles": [
{
"name": "test",
"privileges": [
"test",
"test1"
]
}
],
"identities": [
{
"name": "test",
"userName": "test",
"groupName": "test",
"exePath": "test",
"processName": "test"
}
],
"roleAssignments": [
{
"role": "test",
"identities": [
"test",
"test1"
]
}
]
}
},
"wireserver": {
"defaultAccess": "deny",
"mode": "enforce",
"id": "sigid",
"rules": {
"privileges": [
{
"name": "test",
"path": "/test",
"queryParameters": {
"key1": "value1",
"key2": "value2"
}
},
{
"name": "test1",
"path": "/test1",
"queryParameters": {
"key1": "value1",
"key2": "value2"
}
}
],
"roles": [
{
"name": "test",
"privileges": [
"test",
"test1"
]
},
{
"name": "test1",
"privileges": [
"test",
"test1"
]
}
],
"identities": [
{
"name": "test",
"userName": "test",
"groupName": "test",
"exePath": "test",
"processName": "test"
},
{
"name": "test1",
"userName": "test1",
"groupName": "test1",
"exePath": "test1",
"processName": "test1"
}
],
"roleAssignments": [
{
"role": "test",
"identities": [
"test",
"test1"
]
},
{
"role": "test1",
"identities": [
"test",
"test1"
]
}
]
}
},
"hostga": {
"defaultAccess": "allow",
"mode": "enforce",
"id": "sigid",
"rules": {
"privileges": [
{
"name": "test",
"path": "/test",
"queryParameters": {
"key1": "value1",
"key2": "value2"
}
},
{
"name": "test2",
"path": "/test2",
"queryParameters": {
"key1": "value3",
"key2": "value4"
}
}
],
"roles": [
{
"name": "test3",
"privileges": [
"test1",
"test2"
]
},
{
"name": "test6",
"privileges": [
"test4",
"test5"
]
}
],
"identities": [
{
"name": "test",
"userName": "test",
"groupName": "test",
"exePath": "test",
"processName": "test"
},
{
"name": "test1",
"userName": "test1",
"groupName": "test1",
"exePath": "test1",
"processName": "test1"
}
],
"roleAssignments": [
{
"role": "test4",
"identities": [
"test",
"test1"
]
},
{
"role": "test5",
"identities": [
"test",
"test1"
]
}
]
}
}
}
}"#;
let status: KeyStatus = serde_json::from_str(status_response).unwrap();
assert_eq!(
constants::AUTHORIZATION_SCHEME,
status.authorizationScheme,
"authorizationScheme mismatch"
);
assert_eq!(
"http", status.keyDeliveryMethod,
"keyDeliveryMethod mismatch"
);
assert_eq!("2.0".to_string(), status.version, "version 2.0 mismatch");
assert!(
status.validate().unwrap(),
"Key status validation must be true"
);
assert!(
status.secureChannelEnabled.is_some(),
"secureChannelEnabled must have value in version 2.0"
);
assert!(
status.secureChannelState.is_none(),
"secureChannelState must be None in version 2.0"
);
// validate IMDS rules
let imds_rules = status.get_imds_rules().unwrap();
assert_eq!("allow", imds_rules.defaultAccess, "defaultAccess mismatch");
assert_eq!("sigid", status.get_imds_rule_id(), "IMDS rule id mismatch");
assert_eq!("enforce", status.get_imds_mode(), "IMDS mode mismatch");
// validate WireServer rules
let wireserver_rules = status.get_wireserver_rules().unwrap();
assert_eq!(
"deny", wireserver_rules.defaultAccess,
"defaultAccess mismatch"
);
assert_eq!(
"sigid",
status.get_wireserver_rule_id(),
"WireServer rule id mismatch"
);
assert_eq!(
"enforce",
status.get_wire_server_mode(),
"WireServer mode mismatch"
);
// validate WireServer rule details
let first_privilege = &wireserver_rules
.rules
.as_ref()
.unwrap()
.privileges
.as_ref()
.unwrap()[0];
assert_eq!("test", first_privilege.name, "privilege name mismatch");
assert_eq!("/test", first_privilege.path, "privilege path mismatch");
assert_eq!(
"value1",
first_privilege.queryParameters.as_ref().unwrap()["key1"],
"privilege queryParameters mismatch"
);
assert_eq!(
"value2",
first_privilege.queryParameters.as_ref().unwrap()["key2"],
"privilege queryParameters mismatch"
);
let second_privilege = &wireserver_rules
.rules
.as_ref()
.unwrap()
.privileges
.as_ref()
.unwrap()[1];
assert_eq!(
"test1", second_privilege.name,
"second privilege name mismatch"
);
assert_eq!(
"/test1", second_privilege.path,
"second privilege path mismatch"
);
assert_eq!(
"value1",
second_privilege.queryParameters.as_ref().unwrap()["key1"],
"second privilege queryParameters mismatch"
);
assert_eq!(
"value2",
second_privilege.queryParameters.as_ref().unwrap()["key2"],
"second privilege queryParameters mismatch"
);
let first_role = &wireserver_rules
.rules
.as_ref()
.unwrap()
.roles
.as_ref()
.unwrap()[0];
assert_eq!("test", first_role.name, "role name mismatch");
assert_eq!("test", first_role.privileges[0], "role privilege mismatch");
assert_eq!("test1", first_role.privileges[1], "role privilege mismatch");
let first_identity = &wireserver_rules
.rules
.as_ref()
.unwrap()
.identities
.as_ref()
.unwrap()[0];
assert_eq!("test", first_identity.name, "identity name mismatch");
assert_eq!(
"test",
first_identity.userName.as_ref().unwrap(),
"identity userName mismatch"
);
assert_eq!(
"test",
first_identity.groupName.as_ref().unwrap(),
"identity groupName mismatch"
);
assert_eq!(
"test",
first_identity.exePath.as_ref().unwrap(),
"identity exePath mismatch"
);
assert_eq!(
"test",
first_identity.processName.as_ref().unwrap(),
"identity processName mismatch"
);
let first_role_assignment = &wireserver_rules
.rules
.as_ref()
.unwrap()
.roleAssignments
.as_ref()
.unwrap()[0];
assert_eq!(
"test", first_role_assignment.role,
"roleAssignment role mismatch"
);
assert_eq!(
"test", first_role_assignment.identities[0],
"roleAssignment identities mismatch"
);
// Validate HostGA rules
let hostga_rules = status.get_hostga_rules().unwrap();
assert_eq!(
"allow", hostga_rules.defaultAccess,
"defaultAccess mismatch"
);
assert_eq!(
"sigid",
status.get_hostga_rule_id(),
"HostGA rule id mismatch"
);
assert_eq!("enforce", status.get_hostga_mode(), "HostGA mode mismatch");
// Validate HostGA rule details
// Retrieve and validate second privilege for HostGA
let privilege = &hostga_rules
.rules
.as_ref()
.unwrap()
.privileges
.as_ref()
.unwrap()[1];
assert_eq!("test2", privilege.name, "privilege name mismatch");
assert_eq!("/test2", privilege.path, "privilege path mismatch");
assert_eq!(
"value3",
privilege.queryParameters.as_ref().unwrap()["key1"],
"privilege queryParameters mismatch"
);
assert_eq!(
"value4",
privilege.queryParameters.as_ref().unwrap()["key2"],
"privilege queryParameters mismatch"
);
// Retrieve and validate second role for HostGA
let role = &hostga_rules.rules.as_ref().unwrap().roles.as_ref().unwrap()[1];
assert_eq!("test6", role.name, "role name mismatch");
assert_eq!("test4", role.privileges[0], "role privilege mismatch");
assert_eq!("test5", role.privileges[1], "role privilege mismatch");
// Retrieve and validate first identity for HostGA
let identity = &hostga_rules
.rules
.as_ref()
.unwrap()
.identities
.as_ref()
.unwrap()[0];
assert_eq!("test", identity.name, "identity name mismatch");
assert_eq!(
"test",
identity.userName.as_ref().unwrap(),
"identity userName mismatch"
);
assert_eq!(
"test",
identity.groupName.as_ref().unwrap(),
"identity groupName mismatch"
);
assert_eq!(
"test",
identity.exePath.as_ref().unwrap(),
"identity exePath mismatch"
);
assert_eq!(
"test",
identity.processName.as_ref().unwrap(),
"identity processName mismatch"
);
// Retrieve and validate first role assignment for HostGA
let role_assignment = &hostga_rules
.rules
.as_ref()
.unwrap()
.roleAssignments
.as_ref()
.unwrap()[0];
assert_eq!(
"test4", role_assignment.role,
"roleAssignment role mismatch"
);
assert_eq!(
"test", role_assignment.identities[0],
"roleAssignment identities mismatch"
);
}