open-consul/agent/connect/ca/provider_vault_test.go

package ca

import (
	"fmt"
	"io/ioutil"
	"net"
	"sync"
	"testing"
	"time"

	"github.com/hashicorp/consul/agent/connect"
	"github.com/hashicorp/consul/agent/structs"
	vaultapi "github.com/hashicorp/vault/api"
	"github.com/hashicorp/vault/builtin/logical/pki"
	vaulthttp "github.com/hashicorp/vault/http"
	"github.com/hashicorp/vault/vault"
	"github.com/stretchr/testify/require"
)

var vaultLock sync.Mutex

func testVaultCluster(t *testing.T) (*VaultProvider, *vault.Core, net.Listener) {
	return testVaultClusterWithConfig(t, true, nil)
}

func testVaultClusterWithConfig(t *testing.T, isRoot bool, rawConf map[string]interface{}) (*VaultProvider, *vault.Core, net.Listener) {
	vaultLock.Lock()
	defer vaultLock.Unlock()

	if err := vault.AddTestLogicalBackend("pki", pki.Factory); err != nil {
		t.Fatal(err)
	}
	core, _, token := vault.TestCoreUnsealedRaw(t)

	ln, addr := vaulthttp.TestServer(t, core)

	conf := map[string]interface{}{
		"Address":             addr,
		"Token":               token,
		"RootPKIPath":         "pki-root/",
		"IntermediatePKIPath": "pki-intermediate/",
		// Tests duration parsing after msgpack type mangling during raft apply.
		"LeafCertTTL": []uint8("72h"),
	}
	for k, v := range rawConf {
		conf[k] = v
	}

	require := require.New(t)
	provider := &VaultProvider{}
	require.NoError(provider.Configure("asdf", isRoot, conf))
	if isRoot {
		require.NoError(provider.GenerateRoot())
		_, err := provider.GenerateIntermediate()
		require.NoError(err)
	}

	return provider, core, ln
}

func TestVaultCAProvider_VaultTLSConfig(t *testing.T) {
	config := &structs.VaultCAProviderConfig{
		CAFile:        "/capath/ca.pem",
		CAPath:        "/capath/",
		CertFile:      "/certpath/cert.pem",
		KeyFile:       "/certpath/key.pem",
		TLSServerName: "server.name",
		TLSSkipVerify: true,
	}
	tlsConfig := vaultTLSConfig(config)
	require := require.New(t)
	require.Equal(config.CAFile, tlsConfig.CACert)
	require.Equal(config.CAPath, tlsConfig.CAPath)
	require.Equal(config.CertFile, tlsConfig.ClientCert)
	require.Equal(config.KeyFile, tlsConfig.ClientKey)
	require.Equal(config.TLSServerName, tlsConfig.TLSServerName)
	require.Equal(config.TLSSkipVerify, tlsConfig.Insecure)
}

func TestVaultCAProvider_Bootstrap(t *testing.T) {
	t.Parallel()

	require := require.New(t)
	provider, core, listener := testVaultCluster(t)
	defer core.Shutdown()
	defer listener.Close()
	client, err := vaultapi.NewClient(&vaultapi.Config{
		Address: "http://" + listener.Addr().String(),
	})
	require.NoError(err)
	client.SetToken(provider.config.Token)

	cases := []struct {
		certFunc    func() (string, error)
		backendPath string
	}{
		{
			certFunc:    provider.ActiveRoot,
			backendPath: "pki-root/",
		},
		{
			certFunc:    provider.ActiveIntermediate,
			backendPath: "pki-intermediate/",
		},
	}

	// Verify the root and intermediate certs match the ones in the vault backends
	for _, tc := range cases {
		cert, err := tc.certFunc()
		require.NoError(err)
		req := client.NewRequest("GET", "/v1/"+tc.backendPath+"ca/pem")
		resp, err := client.RawRequest(req)
		require.NoError(err)
		bytes, err := ioutil.ReadAll(resp.Body)
		require.NoError(err)
		require.Equal(cert, string(bytes))

		// Should be a valid CA cert
		parsed, err := connect.ParseCert(cert)
		require.NoError(err)
		require.True(parsed.IsCA)
		require.Len(parsed.URIs, 1)
		require.Equal(parsed.URIs[0].String(), fmt.Sprintf("spiffe://%s.consul", provider.clusterId))
	}
}

func TestVaultCAProvider_SignLeaf(t *testing.T) {
	t.Parallel()

	require := require.New(t)
	provider, core, listener := testVaultClusterWithConfig(t, true, map[string]interface{}{
		"LeafCertTTL": "1h",
	})
	defer core.Shutdown()
	defer listener.Close()
	client, err := vaultapi.NewClient(&vaultapi.Config{
		Address: "http://" + listener.Addr().String(),
	})
	require.NoError(err)
	client.SetToken(provider.config.Token)

	spiffeService := &connect.SpiffeIDService{
		Host:       "node1",
		Namespace:  "default",
		Datacenter: "dc1",
		Service:    "foo",
	}

	// Generate a leaf cert for the service.
	var firstSerial uint64
	{
		raw, _ := connect.TestCSR(t, spiffeService)

		csr, err := connect.ParseCSR(raw)
		require.NoError(err)

		cert, err := provider.Sign(csr)
		require.NoError(err)

		parsed, err := connect.ParseCert(cert)
		require.NoError(err)
		require.Equal(parsed.URIs[0], spiffeService.URI())
		firstSerial = parsed.SerialNumber.Uint64()

		// Ensure the cert is valid now and expires within the correct limit.
		now := time.Now()
		require.True(parsed.NotAfter.Sub(now) < time.Hour)
		require.True(parsed.NotBefore.Before(now))
	}

	// Generate a new cert for another service and make sure
	// the serial number is unique.
	spiffeService.Service = "bar"
	{
		raw, _ := connect.TestCSR(t, spiffeService)

		csr, err := connect.ParseCSR(raw)
		require.NoError(err)

		cert, err := provider.Sign(csr)
		require.NoError(err)

		parsed, err := connect.ParseCert(cert)
		require.NoError(err)
		require.Equal(parsed.URIs[0], spiffeService.URI())
		require.NotEqual(firstSerial, parsed.SerialNumber.Uint64())

		// Ensure the cert is valid now and expires within the correct limit.
		require.True(time.Until(parsed.NotAfter) < time.Hour)
		require.True(parsed.NotBefore.Before(time.Now()))
	}
}

func TestVaultCAProvider_CrossSignCA(t *testing.T) {
	t.Parallel()

	provider1, core1, listener1 := testVaultCluster(t)
	defer core1.Shutdown()
	defer listener1.Close()

	provider2, core2, listener2 := testVaultCluster(t)
	defer core2.Shutdown()
	defer listener2.Close()

	testCrossSignProviders(t, provider1, provider2)
}

func TestVaultProvider_SignIntermediate(t *testing.T) {
	t.Parallel()

	provider1, core1, listener1 := testVaultCluster(t)
	defer core1.Shutdown()
	defer listener1.Close()

	provider2, core2, listener2 := testVaultClusterWithConfig(t, false, nil)
	defer core2.Shutdown()
	defer listener2.Close()

	testSignIntermediateCrossDC(t, provider1, provider2)
}

func TestVaultProvider_SignIntermediateConsul(t *testing.T) {
	t.Parallel()

	require := require.New(t)

	// primary = Vault, secondary = Consul
	{
		provider1, core, listener := testVaultCluster(t)
		defer core.Shutdown()
		defer listener.Close()

		conf := testConsulCAConfig()
		delegate := newMockDelegate(t, conf)
		provider2 := &ConsulProvider{Delegate: delegate}
		require.NoError(provider2.Configure(conf.ClusterID, false, conf.Config))

		testSignIntermediateCrossDC(t, provider1, provider2)
	}

	// primary = Consul, secondary = Vault
	{
		conf := testConsulCAConfig()
		delegate := newMockDelegate(t, conf)
		provider1 := &ConsulProvider{Delegate: delegate}
		require.NoError(provider1.Configure(conf.ClusterID, true, conf.Config))
		require.NoError(provider1.GenerateRoot())

		provider2, core, listener := testVaultClusterWithConfig(t, false, nil)
		defer core.Shutdown()
		defer listener.Close()

		testSignIntermediateCrossDC(t, provider1, provider2)
	}
}
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00			`package ca`

			`import (`
connect/ca: add URI SAN support to the Vault provider 2018-06-14 21:20:10 +00:00			`"fmt"`
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00			`"io/ioutil"`
connect/ca: fix vault provider URI SANs and test 2018-06-14 17:56:17 +00:00			`"net"`
test: fix concurrent map access when setting up test vault 2019-03-01 18:24:32 +00:00			`"sync"`
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00			`"testing"`
connect/ca: add URI SAN support to the Vault provider 2018-06-14 21:20:10 +00:00			`"time"`
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00
			`"github.com/hashicorp/consul/agent/connect"`
connect: add tls config for vault connect ca provider (#5125) * add tlsconfig for vault connect ca provider. * add options to the docs * add tests for new configuration 2019-01-08 16:09:22 +00:00			`"github.com/hashicorp/consul/agent/structs"`
connect/ca: fix vault provider URI SANs and test 2018-06-14 17:56:17 +00:00			`vaultapi "github.com/hashicorp/vault/api"`
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00			`"github.com/hashicorp/vault/builtin/logical/pki"`
			`vaulthttp "github.com/hashicorp/vault/http"`
			`"github.com/hashicorp/vault/vault"`
			`"github.com/stretchr/testify/require"`
			`)`

test: fix concurrent map access when setting up test vault 2019-03-01 18:24:32 +00:00			`var vaultLock sync.Mutex`

connect/ca: fix vault provider URI SANs and test 2018-06-14 17:56:17 +00:00			`func testVaultCluster(t testing.T) (VaultProvider, *vault.Core, net.Listener) {`
connect/ca: add intermediate functions to Vault ca provider 2018-09-13 20:09:07 +00:00			`return testVaultClusterWithConfig(t, true, nil)`
connect/ca: add configurable leaf cert TTL 2018-07-16 09:46:10 +00:00			`}`

connect/ca: add intermediate functions to Vault ca provider 2018-09-13 20:09:07 +00:00			`func testVaultClusterWithConfig(t testing.T, isRoot bool, rawConf map[string]interface{}) (VaultProvider, *vault.Core, net.Listener) {`
test: fix concurrent map access when setting up test vault 2019-03-01 18:24:32 +00:00			`vaultLock.Lock()`
			`defer vaultLock.Unlock()`

connect/ca: fix vault provider URI SANs and test 2018-06-14 17:56:17 +00:00			`if err := vault.AddTestLogicalBackend("pki", pki.Factory); err != nil {`
			`t.Fatal(err)`
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00			`}`
connect/ca: fix vault provider URI SANs and test 2018-06-14 17:56:17 +00:00			`core, _, token := vault.TestCoreUnsealedRaw(t)`
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00
connect/ca: fix vault provider URI SANs and test 2018-06-14 17:56:17 +00:00			`ln, addr := vaulthttp.TestServer(t, core)`
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00
connect/ca: add configurable leaf cert TTL 2018-07-16 09:46:10 +00:00			`conf := map[string]interface{}{`
connect/ca: fix vault provider URI SANs and test 2018-06-14 17:56:17 +00:00			`"Address": addr,`
			`"Token": token,`
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00			`"RootPKIPath": "pki-root/",`
			`"IntermediatePKIPath": "pki-intermediate/",`
Fix CA pruning when CA config uses string durations. (#4669) * Fix CA pruning when CA config uses string durations. The tl;dr here is: - Configuring LeafCertTTL with a string like "72h" is how we do it by default and should be supported - Most of our tests managed to escape this by defining them as time.Duration directly - Out actual default value is a string - Since this is stored in a map[string]interface{} config, when it is written to Raft it goes through a msgpack encode/decode cycle (even though it's written from server not over RPC). - msgpack decode leaves the string as a `[]uint8` - Some of our parsers required string and failed - So after 1 hour, a default configured server would throw an error about pruning old CAs - If a new CA was configured that set LeafCertTTL as a time.Duration, things might be OK after that, but if a new CA was just configured from config file, intialization would cause same issue but always fail still so would never prune the old CA. - Mostly this is just a janky error that got passed tests due to many levels of complicated encoding/decoding. tl;dr of the tl;dr: Yay for type safety. Map[string]interface{} combined with msgpack always goes wrong but we somehow get bitten every time in a new way :D We already fixed this once! The main CA config had the same problem so @kyhavlov already wrote the mapstructure DecodeHook that fixes it. It wasn't used in several places it needed to be and one of those is notw in `structs` which caused a dependency cycle so I've moved them. This adds a whole new test thta explicitly tests the case that broke here. It also adds tests that would have failed in other places before (Consul and Vaul provider parsing functions). I'm not sure if they would ever be affected as it is now as we've not seen things broken with them but it seems better to explicitly test that and support it to not be bitten a third time! * Typo fix * Fix bad Uint8 usage 2018-09-13 14:43:00 +00:00			`// Tests duration parsing after msgpack type mangling during raft apply.`
			`"LeafCertTTL": []uint8("72h"),`
connect/ca: add configurable leaf cert TTL 2018-07-16 09:46:10 +00:00			`}`
			`for k, v := range rawConf {`
			`conf[k] = v`
			`}`

connect/ca: add Configure/GenerateRoot to provider interface 2018-09-07 02:18:54 +00:00			`require := require.New(t)`
connect/ca: some cleanup and reorganizing of the new methods 2018-09-11 23:43:04 +00:00			`provider := &VaultProvider{}`
revert commits on master (#6413) 2019-08-27 21:45:58 +00:00			`require.NoError(provider.Configure("asdf", isRoot, conf))`
connect/ca: add intermediate functions to Vault ca provider 2018-09-13 20:09:07 +00:00			`if isRoot {`
			`require.NoError(provider.GenerateRoot())`
			`_, err := provider.GenerateIntermediate()`
			`require.NoError(err)`
			`}`
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00
connect/ca: fix vault provider URI SANs and test 2018-06-14 17:56:17 +00:00			`return provider, core, ln`
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00			`}`

connect: add tls config for vault connect ca provider (#5125) * add tlsconfig for vault connect ca provider. * add options to the docs * add tests for new configuration 2019-01-08 16:09:22 +00:00			`func TestVaultCAProvider_VaultTLSConfig(t *testing.T) {`
			`config := &structs.VaultCAProviderConfig{`
			`CAFile: "/capath/ca.pem",`
			`CAPath: "/capath/",`
			`CertFile: "/certpath/cert.pem",`
			`KeyFile: "/certpath/key.pem",`
			`TLSServerName: "server.name",`
			`TLSSkipVerify: true,`
			`}`
			`tlsConfig := vaultTLSConfig(config)`
			`require := require.New(t)`
			`require.Equal(config.CAFile, tlsConfig.CACert)`
			`require.Equal(config.CAPath, tlsConfig.CAPath)`
			`require.Equal(config.CertFile, tlsConfig.ClientCert)`
			`require.Equal(config.KeyFile, tlsConfig.ClientKey)`
			`require.Equal(config.TLSServerName, tlsConfig.TLSServerName)`
			`require.Equal(config.TLSSkipVerify, tlsConfig.Insecure)`
			`}`

connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00			`func TestVaultCAProvider_Bootstrap(t *testing.T) {`
			`t.Parallel()`

			`require := require.New(t)`
connect/ca: fix vault provider URI SANs and test 2018-06-14 17:56:17 +00:00			`provider, core, listener := testVaultCluster(t)`
			`defer core.Shutdown()`
			`defer listener.Close()`
			`client, err := vaultapi.NewClient(&vaultapi.Config{`
			`Address: "http://" + listener.Addr().String(),`
			`})`
			`require.NoError(err)`
			`client.SetToken(provider.config.Token)`
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00
			`cases := []struct {`
			`certFunc func() (string, error)`
			`backendPath string`
			`}{`
			`{`
			`certFunc: provider.ActiveRoot,`
			`backendPath: "pki-root/",`
			`},`
			`{`
			`certFunc: provider.ActiveIntermediate,`
			`backendPath: "pki-intermediate/",`
			`},`
			`}`

			`// Verify the root and intermediate certs match the ones in the vault backends`
			`for _, tc := range cases {`
			`cert, err := tc.certFunc()`
			`require.NoError(err)`
connect/ca: fix vault provider URI SANs and test 2018-06-14 17:56:17 +00:00			`req := client.NewRequest("GET", "/v1/"+tc.backendPath+"ca/pem")`
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00			`resp, err := client.RawRequest(req)`
			`require.NoError(err)`
			`bytes, err := ioutil.ReadAll(resp.Body)`
			`require.NoError(err)`
			`require.Equal(cert, string(bytes))`

connect/ca: fix vault provider URI SANs and test 2018-06-14 17:56:17 +00:00			`// Should be a valid CA cert`
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00			`parsed, err := connect.ParseCert(cert)`
			`require.NoError(err)`
connect/ca: fix vault provider URI SANs and test 2018-06-14 17:56:17 +00:00			`require.True(parsed.IsCA)`
connect/ca: add URI SAN support to the Vault provider 2018-06-14 21:20:10 +00:00			`require.Len(parsed.URIs, 1)`
revert commits on master (#6413) 2019-08-27 21:45:58 +00:00			`require.Equal(parsed.URIs[0].String(), fmt.Sprintf("spiffe://%s.consul", provider.clusterId))`
connect/ca: add URI SAN support to the Vault provider 2018-06-14 21:20:10 +00:00			`}`
			`}`

			`func TestVaultCAProvider_SignLeaf(t *testing.T) {`
			`t.Parallel()`

			`require := require.New(t)`
connect/ca: add intermediate functions to Vault ca provider 2018-09-13 20:09:07 +00:00			`provider, core, listener := testVaultClusterWithConfig(t, true, map[string]interface{}{`
connect/ca: add configurable leaf cert TTL 2018-07-16 09:46:10 +00:00			`"LeafCertTTL": "1h",`
			`})`
connect/ca: add URI SAN support to the Vault provider 2018-06-14 21:20:10 +00:00			`defer core.Shutdown()`
			`defer listener.Close()`
			`client, err := vaultapi.NewClient(&vaultapi.Config{`
			`Address: "http://" + listener.Addr().String(),`
			`})`
			`require.NoError(err)`
			`client.SetToken(provider.config.Token)`

			`spiffeService := &connect.SpiffeIDService{`
			`Host: "node1",`
			`Namespace: "default",`
			`Datacenter: "dc1",`
			`Service: "foo",`
			`}`

			`// Generate a leaf cert for the service.`
			`var firstSerial uint64`
			`{`
revert commits on master (#6413) 2019-08-27 21:45:58 +00:00			`raw, _ := connect.TestCSR(t, spiffeService)`
connect/ca: add URI SAN support to the Vault provider 2018-06-14 21:20:10 +00:00
			`csr, err := connect.ParseCSR(raw)`
			`require.NoError(err)`

			`cert, err := provider.Sign(csr)`
			`require.NoError(err)`

			`parsed, err := connect.ParseCert(cert)`
			`require.NoError(err)`
revert commits on master (#6413) 2019-08-27 21:45:58 +00:00			`require.Equal(parsed.URIs[0], spiffeService.URI())`
connect/ca: add URI SAN support to the Vault provider 2018-06-14 21:20:10 +00:00			`firstSerial = parsed.SerialNumber.Uint64()`

			`// Ensure the cert is valid now and expires within the correct limit.`
connect/ca: add configurable leaf cert TTL 2018-07-16 09:46:10 +00:00			`now := time.Now()`
			`require.True(parsed.NotAfter.Sub(now) < time.Hour)`
			`require.True(parsed.NotBefore.Before(now))`
connect/ca: add URI SAN support to the Vault provider 2018-06-14 21:20:10 +00:00			`}`

			`// Generate a new cert for another service and make sure`
			`// the serial number is unique.`
			`spiffeService.Service = "bar"`
			`{`
revert commits on master (#6413) 2019-08-27 21:45:58 +00:00			`raw, _ := connect.TestCSR(t, spiffeService)`
connect/ca: add URI SAN support to the Vault provider 2018-06-14 21:20:10 +00:00
			`csr, err := connect.ParseCSR(raw)`
			`require.NoError(err)`

			`cert, err := provider.Sign(csr)`
			`require.NoError(err)`

			`parsed, err := connect.ParseCert(cert)`
			`require.NoError(err)`
revert commits on master (#6413) 2019-08-27 21:45:58 +00:00			`require.Equal(parsed.URIs[0], spiffeService.URI())`
connect/ca: add URI SAN support to the Vault provider 2018-06-14 21:20:10 +00:00			`require.NotEqual(firstSerial, parsed.SerialNumber.Uint64())`

			`// Ensure the cert is valid now and expires within the correct limit.`
Simplified code in various places (#6176) All these changes should have no side-effects or change behavior: - Use bytes.Buffer's String() instead of a conversion - Use time.Since and time.Until where fitting - Drop unnecessary returns and assignment 2019-07-20 13:37:19 +00:00			`require.True(time.Until(parsed.NotAfter) < time.Hour)`
connect/ca: add URI SAN support to the Vault provider 2018-06-14 21:20:10 +00:00			`require.True(parsed.NotBefore.Before(time.Now()))`
connect/ca: add the Vault CA provider 2018-06-13 08:40:03 +00:00			`}`
			`}`
connect/ca: update Vault provider to add cross-signing methods 2018-06-15 23:25:53 +00:00
			`func TestVaultCAProvider_CrossSignCA(t *testing.T) {`
			`t.Parallel()`

			`provider1, core1, listener1 := testVaultCluster(t)`
			`defer core1.Shutdown()`
			`defer listener1.Close()`

			`provider2, core2, listener2 := testVaultCluster(t)`
			`defer core2.Shutdown()`
			`defer listener2.Close()`

connect/ca: undo the interface changes and use sign-self-issued in Vault 2018-06-19 23:46:18 +00:00			`testCrossSignProviders(t, provider1, provider2)`
connect/ca: update Vault provider to add cross-signing methods 2018-06-15 23:25:53 +00:00			`}`
connect/ca: add intermediate functions to Vault ca provider 2018-09-13 20:09:07 +00:00
			`func TestVaultProvider_SignIntermediate(t *testing.T) {`
			`t.Parallel()`

			`provider1, core1, listener1 := testVaultCluster(t)`
			`defer core1.Shutdown()`
			`defer listener1.Close()`

			`provider2, core2, listener2 := testVaultClusterWithConfig(t, false, nil)`
			`defer core2.Shutdown()`
			`defer listener2.Close()`

			`testSignIntermediateCrossDC(t, provider1, provider2)`
			`}`

			`func TestVaultProvider_SignIntermediateConsul(t *testing.T) {`
			`t.Parallel()`

connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00			`require := require.New(t)`
connect/ca: add intermediate functions to Vault ca provider 2018-09-13 20:09:07 +00:00
connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00			`// primary = Vault, secondary = Consul`
			`{`
			`provider1, core, listener := testVaultCluster(t)`
			`defer core.Shutdown()`
			`defer listener.Close()`
connect/ca: add intermediate functions to Vault ca provider 2018-09-13 20:09:07 +00:00
connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00			`conf := testConsulCAConfig()`
			`delegate := newMockDelegate(t, conf)`
			`provider2 := &ConsulProvider{Delegate: delegate}`
revert commits on master (#6413) 2019-08-27 21:45:58 +00:00			`require.NoError(provider2.Configure(conf.ClusterID, false, conf.Config))`
connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00
			`testSignIntermediateCrossDC(t, provider1, provider2)`
			`}`

			`// primary = Consul, secondary = Vault`
			`{`
			`conf := testConsulCAConfig()`
			`delegate := newMockDelegate(t, conf)`
			`provider1 := &ConsulProvider{Delegate: delegate}`
revert commits on master (#6413) 2019-08-27 21:45:58 +00:00			`require.NoError(provider1.Configure(conf.ClusterID, true, conf.Config))`
connect/ca: tighten up the intermediate signing verification 2018-09-14 23:08:54 +00:00			`require.NoError(provider1.GenerateRoot())`

			`provider2, core, listener := testVaultClusterWithConfig(t, false, nil)`
			`defer core.Shutdown()`
			`defer listener.Close()`

			`testSignIntermediateCrossDC(t, provider1, provider2)`
			`}`
connect/ca: add intermediate functions to Vault ca provider 2018-09-13 20:09:07 +00:00			`}`