open-vault/builtin/credential/approle/path_tidy_user_id_test.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package approle

import (
	"context"
	"fmt"
	"sync"
	"sync/atomic"
	"testing"
	"time"

	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
	"github.com/hashicorp/vault/sdk/logical"
)

func TestAppRole_TidyDanglingAccessors_Normal(t *testing.T) {
	b, storage := createBackendWithStorage(t)

	// Create a role
	createRole(t, b, storage, "role1", "a,b,c")

	// Create a secret-id
	roleSecretIDReq := &logical.Request{
		Operation: logical.UpdateOperation,
		Path:      "role/role1/secret-id",
		Storage:   storage,
	}
	_ = b.requestNoErr(t, roleSecretIDReq)

	accessorHashes, err := storage.List(context.Background(), "accessor/")
	if err != nil {
		t.Fatal(err)
	}
	if len(accessorHashes) != 1 {
		t.Fatalf("bad: len(accessorHashes); expect 1, got %d", len(accessorHashes))
	}

	entry1, err := logical.StorageEntryJSON(
		"accessor/invalid1",
		&secretIDAccessorStorageEntry{
			SecretIDHMAC: "samplesecretidhmac",
		},
	)
	if err != nil {
		t.Fatal(err)
	}

	if err := storage.Put(context.Background(), entry1); err != nil {
		t.Fatal(err)
	}

	entry2, err := logical.StorageEntryJSON(
		"accessor/invalid2",
		&secretIDAccessorStorageEntry{
			SecretIDHMAC: "samplesecretidhmac2",
		},
	)
	if err != nil {
		t.Fatal(err)
	}
	if err := storage.Put(context.Background(), entry2); err != nil {
		t.Fatal(err)
	}

	accessorHashes, err = storage.List(context.Background(), "accessor/")
	if err != nil {
		t.Fatal(err)
	}
	if len(accessorHashes) != 3 {
		t.Fatalf("bad: len(accessorHashes); expect 3, got %d", len(accessorHashes))
	}

	secret, err := b.tidySecretID(context.Background(), &logical.Request{
		Storage: storage,
	})
	if err != nil {
		t.Fatal(err)
	}
	schema.ValidateResponse(
		t,
		schema.GetResponseSchema(t, pathTidySecretID(b), logical.UpdateOperation),
		secret,
		true,
	)

	// It runs async so we give it a bit of time to run
	time.Sleep(10 * time.Second)

	accessorHashes, err = storage.List(context.Background(), "accessor/")
	if err != nil {
		t.Fatal(err)
	}
	if len(accessorHashes) != 1 {
		t.Fatalf("bad: len(accessorHashes); expect 1, got %d", len(accessorHashes))
	}
}

func TestAppRole_TidyDanglingAccessors_RaceTest(t *testing.T) {
	b, storage := createBackendWithStorage(t)

	// Create a role
	createRole(t, b, storage, "role1", "a,b,c")

	// Create an initial entry
	roleSecretIDReq := &logical.Request{
		Operation: logical.UpdateOperation,
		Path:      "role/role1/secret-id",
		Storage:   storage,
	}
	_ = b.requestNoErr(t, roleSecretIDReq)

	count := 1

	wg := &sync.WaitGroup{}
	start := time.Now()
	for time.Now().Sub(start) < 10*time.Second {
		if time.Now().Sub(start) > 100*time.Millisecond && atomic.LoadUint32(b.tidySecretIDCASGuard) == 0 {
			secret, err := b.tidySecretID(context.Background(), &logical.Request{
				Storage: storage,
			})
			if err != nil {
				t.Fatal(err)
			}
			schema.ValidateResponse(
				t,
				schema.GetResponseSchema(t, pathTidySecretID(b), logical.UpdateOperation),
				secret,
				true,
			)
		}
		wg.Add(1)
		go func() {
			defer wg.Done()
			roleSecretIDReq := &logical.Request{
				Operation: logical.UpdateOperation,
				Path:      "role/role1/secret-id",
				Storage:   storage,
			}
			_ = b.requestNoErr(t, roleSecretIDReq)
		}()

		entry, err := logical.StorageEntryJSON(
			fmt.Sprintf("accessor/invalid%d", count),
			&secretIDAccessorStorageEntry{
				SecretIDHMAC: "samplesecretidhmac",
			},
		)
		if err != nil {
			t.Fatal(err)
		}

		if err := storage.Put(context.Background(), entry); err != nil {
			t.Fatal(err)
		}

		count++
		time.Sleep(100 * time.Microsecond)
	}

	logger := b.Logger().Named(t.Name())
	logger.Info("wrote entries", "count", count)

	wg.Wait()
	// Let tidy finish
	for atomic.LoadUint32(b.tidySecretIDCASGuard) != 0 {
		time.Sleep(100 * time.Millisecond)
	}

	logger.Info("running tidy again")

	// Run tidy again
	secret, err := b.tidySecretID(context.Background(), &logical.Request{
		Storage: storage,
	})
	if err != nil || len(secret.Warnings) > 0 {
		t.Fatal(err, secret.Warnings)
	}
	schema.ValidateResponse(
		t,
		schema.GetResponseSchema(t, pathTidySecretID(b), logical.UpdateOperation),
		secret,
		true,
	)

	// Wait for tidy to start
	for atomic.LoadUint32(b.tidySecretIDCASGuard) == 0 {
		time.Sleep(100 * time.Millisecond)
	}

	// Let tidy finish
	for atomic.LoadUint32(b.tidySecretIDCASGuard) != 0 {
		time.Sleep(100 * time.Millisecond)
	}

	accessorHashes, err := storage.List(context.Background(), "accessor/")
	if err != nil {
		t.Fatal(err)
	}
	if len(accessorHashes) != count {
		t.Fatalf("bad: len(accessorHashes); expect %d, got %d", count, len(accessorHashes))
	}

	roleHMACs, err := storage.List(context.Background(), secretIDPrefix)
	if err != nil {
		t.Fatal(err)
	}
	secretIDs, err := storage.List(context.Background(), fmt.Sprintf("%s%s", secretIDPrefix, roleHMACs[0]))
	if err != nil {
		t.Fatal(err)
	}
	if len(secretIDs) != count {
		t.Fatalf("bad: len(secretIDs); expect %d, got %d", count, len(secretIDs))
	}
}
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 16:00:52 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00			`package approle`

			`import (`
			`"context"`
Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 21:00:53 +00:00			`"fmt"`
			`"sync"`
Reduce blocking in approle tidy by grabbing only one lock at a time. (#8418) Revamp race test to make it aware of when tidies start/stop, and to generate dangling accessors that need cleaning up. Also run for longer but with slightly less concurrency to ensure the writes and the cleanup actually overlap. 2020-03-03 21:43:24 +00:00			`"sync/atomic"`
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00			`"testing"`
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server 2018-06-16 22:21:33 +00:00			`"time"`
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00
Add approle's remaining response schema definitions (#18772) 2023-01-24 18:12:41 +00:00			`"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00			`)`

Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 21:00:53 +00:00			`func TestAppRole_TidyDanglingAccessors_Normal(t *testing.T) {`
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00			`b, storage := createBackendWithStorage(t)`

			`// Create a role`
			`createRole(t, b, storage, "role1", "a,b,c")`

			`// Create a secret-id`
			`roleSecretIDReq := &logical.Request{`
			`Operation: logical.UpdateOperation,`
			`Path: "role/role1/secret-id",`
			`Storage: storage,`
			`}`
Refactor approle response validation tests (#19188) 2023-02-15 17:29:15 +00:00			`_ = b.requestNoErr(t, roleSecretIDReq)`
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00
			`accessorHashes, err := storage.List(context.Background(), "accessor/")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if len(accessorHashes) != 1 {`
			`t.Fatalf("bad: len(accessorHashes); expect 1, got %d", len(accessorHashes))`
			`}`

			`entry1, err := logical.StorageEntryJSON(`
			`"accessor/invalid1",`
			`&secretIDAccessorStorageEntry{`
			`SecretIDHMAC: "samplesecretidhmac",`
			`},`
			`)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

builtin/credential/approle: fix dropped test errors (#11990) 2021-07-05 15:00:12 +00:00			`if err := storage.Put(context.Background(), entry1); err != nil {`
			`t.Fatal(err)`
			`}`

AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00			`entry2, err := logical.StorageEntryJSON(`
			`"accessor/invalid2",`
			`&secretIDAccessorStorageEntry{`
			`SecretIDHMAC: "samplesecretidhmac2",`
			`},`
			`)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
builtin/credential/approle: fix dropped test errors (#11990) 2021-07-05 15:00:12 +00:00			`if err := storage.Put(context.Background(), entry2); err != nil {`
			`t.Fatal(err)`
			`}`
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00
			`accessorHashes, err = storage.List(context.Background(), "accessor/")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if len(accessorHashes) != 3 {`
			`t.Fatalf("bad: len(accessorHashes); expect 3, got %d", len(accessorHashes))`
			`}`

Add approle's remaining response schema definitions (#18772) 2023-01-24 18:12:41 +00:00			`secret, err := b.tidySecretID(context.Background(), &logical.Request{`
Fix test 2018-07-12 12:29:04 +00:00			`Storage: storage,`
			`})`
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
Add approle's remaining response schema definitions (#18772) 2023-01-24 18:12:41 +00:00			`schema.ValidateResponse(`
			`t,`
Refactor approle response validation tests (#19188) 2023-02-15 17:29:15 +00:00			`schema.GetResponseSchema(t, pathTidySecretID(b), logical.UpdateOperation),`
Add approle's remaining response schema definitions (#18772) 2023-01-24 18:12:41 +00:00			`secret,`
			`true,`
			`)`
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server 2018-06-16 22:21:33 +00:00			`// It runs async so we give it a bit of time to run`
			`time.Sleep(10 * time.Second)`

AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924) * Cleanup accessor indexes and dangling accessor indexes * Add a test that exercises the accessor cleanup 2018-02-06 20:44:48 +00:00			`accessorHashes, err = storage.List(context.Background(), "accessor/")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if len(accessorHashes) != 1 {`
			`t.Fatalf("bad: len(accessorHashes); expect 1, got %d", len(accessorHashes))`
			`}`
			`}`
Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 21:00:53 +00:00
			`func TestAppRole_TidyDanglingAccessors_RaceTest(t *testing.T) {`
			`b, storage := createBackendWithStorage(t)`

			`// Create a role`
			`createRole(t, b, storage, "role1", "a,b,c")`

			`// Create an initial entry`
			`roleSecretIDReq := &logical.Request{`
			`Operation: logical.UpdateOperation,`
			`Path: "role/role1/secret-id",`
			`Storage: storage,`
			`}`
Refactor approle response validation tests (#19188) 2023-02-15 17:29:15 +00:00			`_ = b.requestNoErr(t, roleSecretIDReq)`

Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 21:00:53 +00:00			`count := 1`

Update path_tidy_user_id_test.go 2018-07-25 07:37:24 +00:00			`wg := &sync.WaitGroup{}`
Reduce blocking in approle tidy by grabbing only one lock at a time. (#8418) Revamp race test to make it aware of when tidies start/stop, and to generate dangling accessors that need cleaning up. Also run for longer but with slightly less concurrency to ensure the writes and the cleanup actually overlap. 2020-03-03 21:43:24 +00:00			`start := time.Now()`
			`for time.Now().Sub(start) < 10*time.Second {`
			`if time.Now().Sub(start) > 100*time.Millisecond && atomic.LoadUint32(b.tidySecretIDCASGuard) == 0 {`
Add approle's remaining response schema definitions (#18772) 2023-01-24 18:12:41 +00:00			`secret, err := b.tidySecretID(context.Background(), &logical.Request{`
Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 21:00:53 +00:00			`Storage: storage,`
			`})`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
Add approle's remaining response schema definitions (#18772) 2023-01-24 18:12:41 +00:00			`schema.ValidateResponse(`
			`t,`
Refactor approle response validation tests (#19188) 2023-02-15 17:29:15 +00:00			`schema.GetResponseSchema(t, pathTidySecretID(b), logical.UpdateOperation),`
Add approle's remaining response schema definitions (#18772) 2023-01-24 18:12:41 +00:00			`secret,`
			`true,`
			`)`
Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 21:00:53 +00:00			`}`
Call wg.Add(1) outside of goroutine (#5716) 2018-11-07 00:36:13 +00:00			`wg.Add(1)`
Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 21:00:53 +00:00			`go func() {`
			`defer wg.Done()`
			`roleSecretIDReq := &logical.Request{`
			`Operation: logical.UpdateOperation,`
			`Path: "role/role1/secret-id",`
			`Storage: storage,`
			`}`
Refactor approle response validation tests (#19188) 2023-02-15 17:29:15 +00:00			`_ = b.requestNoErr(t, roleSecretIDReq)`
Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 21:00:53 +00:00			`}()`
Reduce blocking in approle tidy by grabbing only one lock at a time. (#8418) Revamp race test to make it aware of when tidies start/stop, and to generate dangling accessors that need cleaning up. Also run for longer but with slightly less concurrency to ensure the writes and the cleanup actually overlap. 2020-03-03 21:43:24 +00:00
			`entry, err := logical.StorageEntryJSON(`
			`fmt.Sprintf("accessor/invalid%d", count),`
			`&secretIDAccessorStorageEntry{`
			`SecretIDHMAC: "samplesecretidhmac",`
			`},`
			`)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

builtin/credential/approle: fix dropped test errors (#11990) 2021-07-05 15:00:12 +00:00			`if err := storage.Put(context.Background(), entry); err != nil {`
			`t.Fatal(err)`
			`}`

Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 21:00:53 +00:00			`count++`
Reduce blocking in approle tidy by grabbing only one lock at a time. (#8418) Revamp race test to make it aware of when tidies start/stop, and to generate dangling accessors that need cleaning up. Also run for longer but with slightly less concurrency to ensure the writes and the cleanup actually overlap. 2020-03-03 21:43:24 +00:00			`time.Sleep(100 * time.Microsecond)`
Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 21:00:53 +00:00			`}`

Reduce blocking in approle tidy by grabbing only one lock at a time. (#8418) Revamp race test to make it aware of when tidies start/stop, and to generate dangling accessors that need cleaning up. Also run for longer but with slightly less concurrency to ensure the writes and the cleanup actually overlap. 2020-03-03 21:43:24 +00:00			`logger := b.Logger().Named(t.Name())`
			`logger.Info("wrote entries", "count", count)`
Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 21:00:53 +00:00
			`wg.Wait()`
			`// Let tidy finish`
Reduce blocking in approle tidy by grabbing only one lock at a time. (#8418) Revamp race test to make it aware of when tidies start/stop, and to generate dangling accessors that need cleaning up. Also run for longer but with slightly less concurrency to ensure the writes and the cleanup actually overlap. 2020-03-03 21:43:24 +00:00			`for atomic.LoadUint32(b.tidySecretIDCASGuard) != 0 {`
			`time.Sleep(100 * time.Millisecond)`
			`}`

			`logger.Info("running tidy again")`
Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 21:00:53 +00:00
			`// Run tidy again`
Reduce blocking in approle tidy by grabbing only one lock at a time. (#8418) Revamp race test to make it aware of when tidies start/stop, and to generate dangling accessors that need cleaning up. Also run for longer but with slightly less concurrency to ensure the writes and the cleanup actually overlap. 2020-03-03 21:43:24 +00:00			`secret, err := b.tidySecretID(context.Background(), &logical.Request{`
Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 21:00:53 +00:00			`Storage: storage,`
			`})`
Reduce blocking in approle tidy by grabbing only one lock at a time. (#8418) Revamp race test to make it aware of when tidies start/stop, and to generate dangling accessors that need cleaning up. Also run for longer but with slightly less concurrency to ensure the writes and the cleanup actually overlap. 2020-03-03 21:43:24 +00:00			`if err != nil \|\| len(secret.Warnings) > 0 {`
			`t.Fatal(err, secret.Warnings)`
			`}`
Add approle's remaining response schema definitions (#18772) 2023-01-24 18:12:41 +00:00			`schema.ValidateResponse(`
			`t,`
Refactor approle response validation tests (#19188) 2023-02-15 17:29:15 +00:00			`schema.GetResponseSchema(t, pathTidySecretID(b), logical.UpdateOperation),`
Add approle's remaining response schema definitions (#18772) 2023-01-24 18:12:41 +00:00			`secret,`
			`true,`
			`)`
Reduce blocking in approle tidy by grabbing only one lock at a time. (#8418) Revamp race test to make it aware of when tidies start/stop, and to generate dangling accessors that need cleaning up. Also run for longer but with slightly less concurrency to ensure the writes and the cleanup actually overlap. 2020-03-03 21:43:24 +00:00
			`// Wait for tidy to start`
			`for atomic.LoadUint32(b.tidySecretIDCASGuard) == 0 {`
			`time.Sleep(100 * time.Millisecond)`
			`}`

			`// Let tidy finish`
			`for atomic.LoadUint32(b.tidySecretIDCASGuard) != 0 {`
			`time.Sleep(100 * time.Millisecond)`
Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 21:00:53 +00:00			`}`

			`accessorHashes, err := storage.List(context.Background(), "accessor/")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if len(accessorHashes) != count {`
			`t.Fatalf("bad: len(accessorHashes); expect %d, got %d", count, len(accessorHashes))`
			`}`

			`roleHMACs, err := storage.List(context.Background(), secretIDPrefix)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`secretIDs, err := storage.List(context.Background(), fmt.Sprintf("%s%s", secretIDPrefix, roleHMACs[0]))`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if len(secretIDs) != count {`
			`t.Fatalf("bad: len(secretIDs); expect %d, got %d", count, len(secretIDs))`
			`}`
			`}`