Trying to create a Sentinel policy for Vault that will validate the contents of a JSON payload being written to a KV v2 secret. I’m having a hard time understanding how to mock that write with a JSON payload and have the Sentinel policy import it as a map.
Any suggestions to get me going in the correct direction are appreciated. Example code is posted in this public repo. https://github.com/trodemaster/sentinel-sandbox
Hey Blake,
Since Vault writes out the request data as a global, the key to mocking the data accurately is to set the data as a global value rather than as a mocked import.
You can see examples at: https://www.vaultproject.io/guides/identity/sentinel#step-2-test-the-sentinel-policies
Those examples don’t mock request.data specifically, but you can just add a key there for that. Enter the structured data there, so the data as a JSON object, not as raw string data.
The data is different from request to request, but a good place to start would be to just try mocking your key/value pairs.
You want to structure the data as you would send it to Vault. For the key/value store, that means something like:
{
  "global": {
    "request": {
      "data": {
        "data": {
          "KEY": "VALUE"
        }
      }
    }
  }
}
You can see the KV version 2 API docs page for more payload examples.
Note that all request data is structured, so you should not need the json import to parse the data (unless your KV value data is JSON itself, of course).
Hope this helps!
Ok that helps me understand how to send the data to the sentinel policy. I have a basic policy working with structured data now and updated the repo. I’ll play around with it to see if I can get the json payload to work as well.
Thanks!
Ok I think I got it sorted out.
map = request.data.json

# A-Za-z rather than A-z: the range A-z also matches [ \ ] ^ _ and `
main = rule {
    map.Owner matches "^[A-Za-z ,.'-]+$"
}
Hey Blake, remember that the data for K/V v2 is stored in request.data.data, so that’s what you will want to reference and how you will want to structure your mock:
{
  "global": {
    "request": {
      "data": {
        "data": {
          "KEY": "VALUE"
        }
      }
    }
  }
}
OK with your help I got this sorted out today. Here is what the working test ended up looking like.
{
  "global": {
    "namespace": {
      "path": ""
    },
    "request": {
      "data": {
        "data": {
          "cred_description": "Funky Service from external vendor",
          "Owner": "Blake Garner",
          "Expiration": "2020-08-16 09:52:05",
          "TeamName": "IS",
          "Contact": "username@adobe.com",
          "AccountID": "adobefunkyservice223",
          "AccountKEY": "a340b6a946bbdw4515r884dy12b8a484b518",
          "AccountKEYbase64": false
        }
      }
    }
  }
}
I updated this repo https://github.com/trodemaster/sentinel-sandbox with all the pieces if anybody else wants to look at it.
Thanks!
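To tie the two halves of the thread together (the global mock structure described in the first reply and the request.data.data correction), here is a complete policy written against the shape of the final mock above. It is an added example, not code from the sentinel-sandbox repo or from HashiCorp; the rule names, the required-key list, the timestamp format and the "@adobe.com" domain check are assumptions chosen to match the sample payload. Note the explicit A-Za-z in the Owner check: the range A-z would also accept [ \ ] ^ _ and the backtick.

```sentinel
# Added example: a Vault endpoint-governing policy (EGP) for a KV v2 path.
# Not the thread's repo code; field names mirror the mock payload in the thread.
import "strings"
import "types"

# On a KV v2 write the secret body is nested one level down: the outer
# "data" is the request body, the inner "data" is the secret itself.
# The else guards against reads/deletes, which carry no body.
secret = request.data.data else {}

# Only writes carry a body, so only check those. (Assumption: the mock must
# also set global.request.operation, see the usage note.)
is_write = rule { request.operation in ["create", "update"] }

# Assumed required metadata keys, taken from the sample payload.
required_keys = ["Owner", "Expiration", "TeamName", "Contact", "AccountID", "AccountKEY"]

has_required_keys = rule {
    all required_keys as k {
        k in keys(secret)
    }
}

# Owner: letters, spaces and common name punctuation only.
# A-Za-z on purpose; A-z would also match [ \ ] ^ _ and `.
owner_ok = rule {
    (secret.Owner else "") matches "^[A-Za-z ,.'-]+$"
}

# Expiration: YYYY-MM-DD HH:MM:SS, the format used in the sample payload.
expiration_ok = rule {
    (secret.Expiration else "") matches "^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}$"
}

# Contact: assumed to be restricted to the corporate mail domain.
contact_ok = rule {
    strings.has_suffix(secret.Contact else "", "@adobe.com")
}

# AccountKEYbase64 is a flag, so reject the string "false" and accept only a bool.
flag_ok = rule {
    types.type_of(secret.AccountKEYbase64 else "missing") is "bool"
}

main = rule when is_write {
    has_required_keys and owner_ok and expiration_ok and contact_ok and flag_ok
}
```

To run it with `sentinel test`, save the final mock from the thread as test/<policy-name>/pass.json and add `"operation": "update"` next to `"data"` inside the `"request"` object, since the policy's `is_write` rule reads request.operation and an undefined value there would make main fail rather than pass. A second mock with, say, `"Owner": "Blake; drop table"` and `"test": { "main": false }` gives you a negative case, which is the check worth keeping: a policy that passes the good payload but never sees a bad one has not been tested.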