2016-08-17 00:50:14 +00:00
|
|
|
package nomad
|
|
|
|
|
|
|
|
import (
|
2016-08-18 20:52:15 +00:00
|
|
|
"context"
|
2017-02-15 00:02:18 +00:00
|
|
|
"time"
|
2016-08-18 20:52:15 +00:00
|
|
|
|
2016-08-17 00:50:14 +00:00
|
|
|
"github.com/hashicorp/nomad/nomad/structs"
|
2016-08-22 20:57:27 +00:00
|
|
|
"github.com/hashicorp/nomad/nomad/structs/config"
|
2016-08-17 00:50:14 +00:00
|
|
|
vapi "github.com/hashicorp/vault/api"
|
|
|
|
)
|
|
|
|
|
|
|
|
// TestVaultClient is a Vault client appropriate for use during testing. Its
|
|
|
|
// behavior is programmable such that endpoints can be tested under various
|
|
|
|
// circumstances.
|
|
|
|
type TestVaultClient struct {
|
|
|
|
// LookupTokenErrors maps a token to an error that will be returned by the
|
|
|
|
// LookupToken call
|
|
|
|
LookupTokenErrors map[string]error
|
|
|
|
|
|
|
|
// LookupTokenSecret maps a token to the Vault secret that will be returned
|
|
|
|
// by the LookupToken call
|
|
|
|
LookupTokenSecret map[string]*vapi.Secret
|
2016-08-19 20:13:51 +00:00
|
|
|
|
2022-04-05 18:18:10 +00:00
|
|
|
// LookupTokenRoleErrors maps a token role name to an error that will be
|
|
|
|
// returned by the LookupTokenRole call
|
|
|
|
LookupTokenRoleErrors map[string]error
|
|
|
|
|
|
|
|
// LookupTokenRoleSecret maps a token role name to the Vault secret that
|
|
|
|
// will be returned by the LookupTokenRole call
|
|
|
|
LookupTokenRoleSecret map[string]*vapi.Secret
|
|
|
|
|
2016-08-19 20:13:51 +00:00
|
|
|
// CreateTokenErrors maps a token to an error that will be returned by the
|
|
|
|
// CreateToken call
|
|
|
|
CreateTokenErrors map[string]map[string]error
|
|
|
|
|
|
|
|
// CreateTokenSecret maps a token to the Vault secret that will be returned
|
|
|
|
// by the CreateToken call
|
|
|
|
CreateTokenSecret map[string]map[string]*vapi.Secret
|
2016-08-22 20:57:27 +00:00
|
|
|
|
|
|
|
RevokedTokens []*structs.VaultAccessor
|
2016-08-17 00:50:14 +00:00
|
|
|
}
|
|
|
|
|
2016-08-18 20:52:15 +00:00
|
|
|
func (v *TestVaultClient) LookupToken(ctx context.Context, token string) (*vapi.Secret, error) {
|
2016-08-17 00:50:14 +00:00
|
|
|
var secret *vapi.Secret
|
|
|
|
var err error
|
|
|
|
|
|
|
|
if v.LookupTokenSecret != nil {
|
|
|
|
secret = v.LookupTokenSecret[token]
|
|
|
|
}
|
|
|
|
if v.LookupTokenErrors != nil {
|
|
|
|
err = v.LookupTokenErrors[token]
|
|
|
|
}
|
|
|
|
|
|
|
|
return secret, err
|
|
|
|
}
|
|
|
|
|
2022-04-05 18:18:10 +00:00
|
|
|
func (v *TestVaultClient) LookupTokenRole(ctx context.Context, role string) (*vapi.Secret, error) {
|
|
|
|
var secret *vapi.Secret
|
|
|
|
var err error
|
|
|
|
|
|
|
|
if v.LookupTokenRoleSecret != nil {
|
|
|
|
secret = v.LookupTokenRoleSecret[role]
|
|
|
|
}
|
|
|
|
if v.LookupTokenRoleErrors != nil {
|
|
|
|
err = v.LookupTokenRoleErrors[role]
|
|
|
|
}
|
|
|
|
|
|
|
|
return secret, err
|
|
|
|
}
|
|
|
|
|
2021-08-30 09:08:12 +00:00
|
|
|
// SetLookupTokenError sets the error that will be returned by the token
|
2016-08-17 00:50:14 +00:00
|
|
|
// lookup
|
|
|
|
func (v *TestVaultClient) SetLookupTokenError(token string, err error) {
|
|
|
|
if v.LookupTokenErrors == nil {
|
|
|
|
v.LookupTokenErrors = make(map[string]error)
|
|
|
|
}
|
|
|
|
|
|
|
|
v.LookupTokenErrors[token] = err
|
|
|
|
}
|
|
|
|
|
|
|
|
// SetLookupTokenSecret sets the secret that will be returned by the token
|
|
|
|
// lookup
|
|
|
|
func (v *TestVaultClient) SetLookupTokenSecret(token string, secret *vapi.Secret) {
|
|
|
|
if v.LookupTokenSecret == nil {
|
|
|
|
v.LookupTokenSecret = make(map[string]*vapi.Secret)
|
|
|
|
}
|
|
|
|
|
|
|
|
v.LookupTokenSecret[token] = secret
|
|
|
|
}
|
|
|
|
|
|
|
|
// SetLookupTokenAllowedPolicies is a helper that adds a secret that allows the
|
|
|
|
// given policies
|
|
|
|
func (v *TestVaultClient) SetLookupTokenAllowedPolicies(token string, policies []string) {
|
|
|
|
s := &vapi.Secret{
|
|
|
|
Data: map[string]interface{}{
|
|
|
|
"policies": policies,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
v.SetLookupTokenSecret(token, s)
|
|
|
|
}
|
|
|
|
|
2022-04-05 18:18:10 +00:00
|
|
|
// SetLookupTokenRoleError sets the error that will be returned by the role
|
|
|
|
// lookup.
|
|
|
|
func (v *TestVaultClient) SetLookupTokenRoleError(token string, err error) {
|
|
|
|
if v.LookupTokenRoleErrors == nil {
|
|
|
|
v.LookupTokenRoleErrors = make(map[string]error)
|
|
|
|
}
|
|
|
|
|
|
|
|
v.LookupTokenRoleErrors[token] = err
|
|
|
|
}
|
|
|
|
|
|
|
|
// SetLookupTokenRoleSecret sets the secret that will be returned by the role
|
|
|
|
// lookup.
|
|
|
|
func (v *TestVaultClient) SetLookupTokenRoleSecret(role string, secret *vapi.Secret) {
|
|
|
|
if v.LookupTokenRoleSecret == nil {
|
|
|
|
v.LookupTokenRoleSecret = make(map[string]*vapi.Secret)
|
|
|
|
}
|
|
|
|
v.LookupTokenRoleSecret[role] = secret
|
|
|
|
}
|
|
|
|
|
2016-08-18 20:52:15 +00:00
|
|
|
func (v *TestVaultClient) CreateToken(ctx context.Context, a *structs.Allocation, task string) (*vapi.Secret, error) {
|
2016-08-19 20:13:51 +00:00
|
|
|
var secret *vapi.Secret
|
|
|
|
var err error
|
|
|
|
|
|
|
|
if v.CreateTokenSecret != nil {
|
|
|
|
tasks := v.CreateTokenSecret[a.ID]
|
|
|
|
if tasks != nil {
|
|
|
|
secret = tasks[task]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if v.CreateTokenErrors != nil {
|
|
|
|
tasks := v.CreateTokenErrors[a.ID]
|
|
|
|
if tasks != nil {
|
|
|
|
err = tasks[task]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return secret, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// SetCreateTokenError sets the error that will be returned by the token
|
|
|
|
// creation
|
|
|
|
func (v *TestVaultClient) SetCreateTokenError(allocID, task string, err error) {
|
|
|
|
if v.CreateTokenErrors == nil {
|
|
|
|
v.CreateTokenErrors = make(map[string]map[string]error)
|
|
|
|
}
|
|
|
|
|
|
|
|
tasks := v.CreateTokenErrors[allocID]
|
|
|
|
if tasks == nil {
|
|
|
|
tasks = make(map[string]error)
|
|
|
|
v.CreateTokenErrors[allocID] = tasks
|
|
|
|
}
|
|
|
|
|
|
|
|
v.CreateTokenErrors[allocID][task] = err
|
|
|
|
}
|
|
|
|
|
|
|
|
// SetCreateTokenSecret sets the secret that will be returned by the token
|
|
|
|
// creation
|
|
|
|
func (v *TestVaultClient) SetCreateTokenSecret(allocID, task string, secret *vapi.Secret) {
|
|
|
|
if v.CreateTokenSecret == nil {
|
|
|
|
v.CreateTokenSecret = make(map[string]map[string]*vapi.Secret)
|
|
|
|
}
|
|
|
|
|
|
|
|
tasks := v.CreateTokenSecret[allocID]
|
|
|
|
if tasks == nil {
|
|
|
|
tasks = make(map[string]*vapi.Secret)
|
|
|
|
v.CreateTokenSecret[allocID] = tasks
|
|
|
|
}
|
|
|
|
|
|
|
|
v.CreateTokenSecret[allocID][task] = secret
|
2016-08-17 00:50:14 +00:00
|
|
|
}
|
|
|
|
|
2016-08-22 20:57:27 +00:00
|
|
|
func (v *TestVaultClient) RevokeTokens(ctx context.Context, accessors []*structs.VaultAccessor, committed bool) error {
|
|
|
|
v.RevokedTokens = append(v.RevokedTokens, accessors...)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-05-21 11:38:27 +00:00
|
|
|
func (v *TestVaultClient) MarkForRevocation(accessors []*structs.VaultAccessor) error {
|
|
|
|
v.RevokedTokens = append(v.RevokedTokens, accessors...)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-03-12 21:25:14 +00:00
|
|
|
func (v *TestVaultClient) Stop() {}
|
|
|
|
func (v *TestVaultClient) SetActive(enabled bool) {}
|
|
|
|
func (v *TestVaultClient) SetConfig(config *config.VaultConfig) error { return nil }
|
|
|
|
func (v *TestVaultClient) Running() bool { return true }
|
|
|
|
func (v *TestVaultClient) Stats() map[string]string { return map[string]string{} }
|
|
|
|
func (v *TestVaultClient) EmitStats(period time.Duration, stopCh <-chan struct{}) {}
|