open-vault/command/agent/aws_end_to_end_test.go

package agent

import (
	"context"
	"io/ioutil"
	"os"
	"testing"
	"time"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/sts"
	hclog "github.com/hashicorp/go-hclog"
	uuid "github.com/hashicorp/go-uuid"
	"github.com/hashicorp/vault/api"
	vaultaws "github.com/hashicorp/vault/builtin/credential/aws"
	"github.com/hashicorp/vault/command/agent/auth"
	agentaws "github.com/hashicorp/vault/command/agent/auth/aws"
	"github.com/hashicorp/vault/command/agent/sink"
	"github.com/hashicorp/vault/command/agent/sink/file"
	vaulthttp "github.com/hashicorp/vault/http"
	"github.com/hashicorp/vault/sdk/helper/logging"
	"github.com/hashicorp/vault/sdk/logical"
	"github.com/hashicorp/vault/vault"
)

const (
	// These are the access key and secret that should be used when calling "AssumeRole"
	// for the given AWS_TEST_ROLE_ARN.
	envVarAwsTestAccessKey = "AWS_TEST_ACCESS_KEY"
	envVarAwsTestSecretKey = "AWS_TEST_SECRET_KEY"
	envVarAwsTestRoleArn   = "AWS_TEST_ROLE_ARN"

	// The AWS SDK doesn't export its standard env vars so they're captured here.
	// These are used for the duration of the test to make sure the agent is able to
	// pick up creds from the env.
	//
	// To run this test, do not set these. Only the above ones need to be set.
	envVarAwsAccessKey    = "AWS_ACCESS_KEY_ID"
	envVarAwsSecretKey    = "AWS_SECRET_ACCESS_KEY"
	envVarAwsSessionToken = "AWS_SESSION_TOKEN"
)

func TestAWSEndToEnd(t *testing.T) {
	if !runAcceptanceTests {
		t.SkipNow()
	}

	logger := logging.NewVaultLogger(hclog.Trace)
	coreConfig := &vault.CoreConfig{
		Logger: logger,
		CredentialBackends: map[string]logical.Factory{
			"aws": vaultaws.Factory,
		},
	}
	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
		HandlerFunc: vaulthttp.Handler,
	})
	cluster.Start()
	defer cluster.Cleanup()

	vault.TestWaitActive(t, cluster.Cores[0].Core)
	client := cluster.Cores[0].Client

	// Setup Vault
	if err := client.Sys().EnableAuthWithOptions("aws", &api.EnableAuthOptions{
		Type: "aws",
	}); err != nil {
		t.Fatal(err)
	}

	if _, err := client.Logical().Write("auth/aws/role/test", map[string]interface{}{
		"auth_type": "iam",
		"policies":  "default",
		// Retain thru the account number of the given arn and wildcard the rest.
		"bound_iam_principal_arn": os.Getenv(envVarAwsTestRoleArn)[:25] + "*",
	}); err != nil {
		t.Fatal(err)
	}

	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)

	// We're going to feed aws auth creds via env variables.
	if err := setAwsEnvCreds(); err != nil {
		t.Fatal(err)
	}
	defer func() {
		if err := unsetAwsEnvCreds(); err != nil {
			t.Fatal(err)
		}
	}()

	am, err := agentaws.NewAWSAuthMethod(&auth.AuthConfig{
		Logger:    logger.Named("auth.aws"),
		MountPath: "auth/aws",
		Config: map[string]interface{}{
			"role":                     "test",
			"type":                     "iam",
			"credential_poll_interval": 1,
		},
	})
	if err != nil {
		t.Fatal(err)
	}

	ahConfig := &auth.AuthHandlerConfig{
		Logger: logger.Named("auth.handler"),
		Client: client,
	}

	ah := auth.NewAuthHandler(ahConfig)
	errCh := make(chan error)
	go func() {
		errCh <- ah.Run(ctx, am)
	}()
	defer func() {
		select {
		case <-ctx.Done():
		case err := <-errCh:
			if err != nil {
				t.Fatal(err)
			}
		}
	}()

	tmpFile, err := ioutil.TempFile("", "auth.tokensink.test.")
	if err != nil {
		t.Fatal(err)
	}
	tokenSinkFileName := tmpFile.Name()
	tmpFile.Close()
	os.Remove(tokenSinkFileName)
	t.Logf("output: %s", tokenSinkFileName)

	config := &sink.SinkConfig{
		Logger: logger.Named("sink.file"),
		Config: map[string]interface{}{
			"path": tokenSinkFileName,
		},
		WrapTTL: 10 * time.Second,
	}

	fs, err := file.NewFileSink(config)
	if err != nil {
		t.Fatal(err)
	}
	config.Sink = fs

	ss := sink.NewSinkServer(&sink.SinkServerConfig{
		Logger: logger.Named("sink.server"),
		Client: client,
	})
	go func() {
		errCh <- ss.Run(ctx, ah.OutputCh, []*sink.SinkConfig{config})
	}()
	defer func() {
		select {
		case <-ctx.Done():
		case err := <-errCh:
			if err != nil {
				t.Fatal(err)
			}
		}
	}()

	// This has to be after the other defers so it happens first. It allows
	// successful test runs to immediately cancel all of the runner goroutines
	// and unblock any of the blocking defer calls by the runner's DoneCh that
	// comes before this and avoid successful tests from taking the entire
	// timeout duration.
	defer cancel()

	if stat, err := os.Lstat(tokenSinkFileName); err == nil {
		t.Fatalf("expected err but got %s", stat)
	} else if !os.IsNotExist(err) {
		t.Fatal("expected notexist err")
	}

	// Wait 2 seconds for the env variables to be detected and an auth to be generated.
	time.Sleep(time.Second * 2)

	token, err := readToken(tokenSinkFileName)
	if err != nil {
		t.Fatal(err)
	}

	if token.Token == "" {
		t.Fatal("expected token but didn't receive it")
	}
}

func setAwsEnvCreds() error {
	cfg := &aws.Config{
		Credentials: credentials.NewStaticCredentials(os.Getenv(envVarAwsTestAccessKey), os.Getenv(envVarAwsTestSecretKey), ""),
	}
	sess, err := session.NewSession(cfg)
	if err != nil {
		return err
	}
	client := sts.New(sess)

	roleArn := os.Getenv(envVarAwsTestRoleArn)
	uid, err := uuid.GenerateUUID()
	if err != nil {
		return err
	}

	input := &sts.AssumeRoleInput{
		RoleArn:         &roleArn,
		RoleSessionName: &uid,
	}
	output, err := client.AssumeRole(input)
	if err != nil {
		return err
	}

	if err := os.Setenv(envVarAwsAccessKey, *output.Credentials.AccessKeyId); err != nil {
		return err
	}
	if err := os.Setenv(envVarAwsSecretKey, *output.Credentials.SecretAccessKey); err != nil {
		return err
	}
	return os.Setenv(envVarAwsSessionToken, *output.Credentials.SessionToken)
}

func unsetAwsEnvCreds() error {
	if err := os.Unsetenv(envVarAwsAccessKey); err != nil {
		return err
	}
	if err := os.Unsetenv(envVarAwsSecretKey); err != nil {
		return err
	}
	return os.Unsetenv(envVarAwsSessionToken)
}
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`package agent`

			`import (`
			`"context"`
			`"io/ioutil"`
			`"os"`
			`"testing"`
			`"time"`

			`"github.com/aws/aws-sdk-go/aws"`
			`"github.com/aws/aws-sdk-go/aws/credentials"`
			`"github.com/aws/aws-sdk-go/aws/session"`
			`"github.com/aws/aws-sdk-go/service/sts"`
Run goimports across the repository (#6010) The result will still pass gofmtcheck and won't trigger additional changes if someone isn't using goimports, but it will avoid the piecemeal imports changes we've been seeing. 2019-01-09 00:48:57 +00:00			`hclog "github.com/hashicorp/go-hclog"`
			`uuid "github.com/hashicorp/go-uuid"`
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`"github.com/hashicorp/vault/api"`
			`vaultaws "github.com/hashicorp/vault/builtin/credential/aws"`
			`"github.com/hashicorp/vault/command/agent/auth"`
			`agentaws "github.com/hashicorp/vault/command/agent/auth/aws"`
			`"github.com/hashicorp/vault/command/agent/sink"`
			`"github.com/hashicorp/vault/command/agent/sink/file"`
			`vaulthttp "github.com/hashicorp/vault/http"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/helper/logging"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`"github.com/hashicorp/vault/vault"`
			`)`

			`const (`
			`// These are the access key and secret that should be used when calling "AssumeRole"`
			`// for the given AWS_TEST_ROLE_ARN.`
			`envVarAwsTestAccessKey = "AWS_TEST_ACCESS_KEY"`
			`envVarAwsTestSecretKey = "AWS_TEST_SECRET_KEY"`
			`envVarAwsTestRoleArn = "AWS_TEST_ROLE_ARN"`

			`// The AWS SDK doesn't export its standard env vars so they're captured here.`
			`// These are used for the duration of the test to make sure the agent is able to`
			`// pick up creds from the env.`
			`//`
			`// To run this test, do not set these. Only the above ones need to be set.`
			`envVarAwsAccessKey = "AWS_ACCESS_KEY_ID"`
			`envVarAwsSecretKey = "AWS_SECRET_ACCESS_KEY"`
			`envVarAwsSessionToken = "AWS_SESSION_TOKEN"`
			`)`

			`func TestAWSEndToEnd(t *testing.T) {`
			`if !runAcceptanceTests {`
			`t.SkipNow()`
			`}`

			`logger := logging.NewVaultLogger(hclog.Trace)`
			`coreConfig := &vault.CoreConfig{`
			`Logger: logger,`
			`CredentialBackends: map[string]logical.Factory{`
			`"aws": vaultaws.Factory,`
			`},`
			`}`
			`cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{`
			`HandlerFunc: vaulthttp.Handler,`
			`})`
			`cluster.Start()`
			`defer cluster.Cleanup()`

			`vault.TestWaitActive(t, cluster.Cores[0].Core)`
			`client := cluster.Cores[0].Client`

			`// Setup Vault`
			`if err := client.Sys().EnableAuthWithOptions("aws", &api.EnableAuthOptions{`
			`Type: "aws",`
			`}); err != nil {`
			`t.Fatal(err)`
			`}`

			`if _, err := client.Logical().Write("auth/aws/role/test", map[string]interface{}{`
			`"auth_type": "iam",`
			`"policies": "default",`
			`// Retain thru the account number of the given arn and wildcard the rest.`
			`"bound_iam_principal_arn": os.Getenv(envVarAwsTestRoleArn)[:25] + "*",`
			`}); err != nil {`
			`t.Fatal(err)`
			`}`

agent: return a non-zero exit code on error (#9670) * agent: return a non-zero exit code on error * agent/template: always return on template server error, add case for error_on_missing_key * agent: fix tests by updating Run params to use an errCh * agent/template: add permission denied test case, clean up test var * agent: use unbuffered errCh, emit fatal errors directly to the UI output * agent: use oklog's run.Group to schedule subsystem runners (#9761) * agent: use oklog's run.Group to schedule subsystem runners * agent: clean up unused DoneCh, clean up agent's main Run func * agent/template: use ts.stopped.CAS to atomically swap value * fix tests * fix tests * agent/template: add timeout on TestRunServer * agent: output error via logs and return a generic error on non-zero exit * fix TestAgent_ExitAfterAuth * agent/template: do not restart ct runner on new incoming token if exit_after_auth is set to true * agent: drain ah.OutputCh after sink exits to avoid blocking on the channel * use context.WithTimeout, expand comments around ordering of defer cancel() 2020-09-30 01:03:09 +00:00			`ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)`
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00
			`// We're going to feed aws auth creds via env variables.`
			`if err := setAwsEnvCreds(); err != nil {`
			`t.Fatal(err)`
			`}`
			`defer func() {`
			`if err := unsetAwsEnvCreds(); err != nil {`
			`t.Fatal(err)`
			`}`
			`}()`

			`am, err := agentaws.NewAWSAuthMethod(&auth.AuthConfig{`
			`Logger: logger.Named("auth.aws"),`
			`MountPath: "auth/aws",`
			`Config: map[string]interface{}{`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`"role": "test",`
			`"type": "iam",`
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`"credential_poll_interval": 1,`
			`},`
			`})`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`ahConfig := &auth.AuthHandlerConfig{`
			`Logger: logger.Named("auth.handler"),`
			`Client: client,`
			`}`

			`ah := auth.NewAuthHandler(ahConfig)`
agent: return a non-zero exit code on error (#9670) * agent: return a non-zero exit code on error * agent/template: always return on template server error, add case for error_on_missing_key * agent: fix tests by updating Run params to use an errCh * agent/template: add permission denied test case, clean up test var * agent: use unbuffered errCh, emit fatal errors directly to the UI output * agent: use oklog's run.Group to schedule subsystem runners (#9761) * agent: use oklog's run.Group to schedule subsystem runners * agent: clean up unused DoneCh, clean up agent's main Run func * agent/template: use ts.stopped.CAS to atomically swap value * fix tests * fix tests * agent/template: add timeout on TestRunServer * agent: output error via logs and return a generic error on non-zero exit * fix TestAgent_ExitAfterAuth * agent/template: do not restart ct runner on new incoming token if exit_after_auth is set to true * agent: drain ah.OutputCh after sink exits to avoid blocking on the channel * use context.WithTimeout, expand comments around ordering of defer cancel() 2020-09-30 01:03:09 +00:00			`errCh := make(chan error)`
			`go func() {`
			`errCh <- ah.Run(ctx, am)`
			`}()`
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`defer func() {`
agent: return a non-zero exit code on error (#9670) * agent: return a non-zero exit code on error * agent/template: always return on template server error, add case for error_on_missing_key * agent: fix tests by updating Run params to use an errCh * agent/template: add permission denied test case, clean up test var * agent: use unbuffered errCh, emit fatal errors directly to the UI output * agent: use oklog's run.Group to schedule subsystem runners (#9761) * agent: use oklog's run.Group to schedule subsystem runners * agent: clean up unused DoneCh, clean up agent's main Run func * agent/template: use ts.stopped.CAS to atomically swap value * fix tests * fix tests * agent/template: add timeout on TestRunServer * agent: output error via logs and return a generic error on non-zero exit * fix TestAgent_ExitAfterAuth * agent/template: do not restart ct runner on new incoming token if exit_after_auth is set to true * agent: drain ah.OutputCh after sink exits to avoid blocking on the channel * use context.WithTimeout, expand comments around ordering of defer cancel() 2020-09-30 01:03:09 +00:00			`select {`
			`case <-ctx.Done():`
			`case err := <-errCh:`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`}`
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`}()`

			`tmpFile, err := ioutil.TempFile("", "auth.tokensink.test.")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`tokenSinkFileName := tmpFile.Name()`
			`tmpFile.Close()`
			`os.Remove(tokenSinkFileName)`
			`t.Logf("output: %s", tokenSinkFileName)`

			`config := &sink.SinkConfig{`
			`Logger: logger.Named("sink.file"),`
			`Config: map[string]interface{}{`
			`"path": tokenSinkFileName,`
			`},`
			`WrapTTL: 10 * time.Second,`
			`}`

			`fs, err := file.NewFileSink(config)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`config.Sink = fs`

			`ss := sink.NewSinkServer(&sink.SinkServerConfig{`
			`Logger: logger.Named("sink.server"),`
			`Client: client,`
			`})`
agent: return a non-zero exit code on error (#9670) * agent: return a non-zero exit code on error * agent/template: always return on template server error, add case for error_on_missing_key * agent: fix tests by updating Run params to use an errCh * agent/template: add permission denied test case, clean up test var * agent: use unbuffered errCh, emit fatal errors directly to the UI output * agent: use oklog's run.Group to schedule subsystem runners (#9761) * agent: use oklog's run.Group to schedule subsystem runners * agent: clean up unused DoneCh, clean up agent's main Run func * agent/template: use ts.stopped.CAS to atomically swap value * fix tests * fix tests * agent/template: add timeout on TestRunServer * agent: output error via logs and return a generic error on non-zero exit * fix TestAgent_ExitAfterAuth * agent/template: do not restart ct runner on new incoming token if exit_after_auth is set to true * agent: drain ah.OutputCh after sink exits to avoid blocking on the channel * use context.WithTimeout, expand comments around ordering of defer cancel() 2020-09-30 01:03:09 +00:00			`go func() {`
			`errCh <- ss.Run(ctx, ah.OutputCh, []*sink.SinkConfig{config})`
			`}()`
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`defer func() {`
agent: return a non-zero exit code on error (#9670) * agent: return a non-zero exit code on error * agent/template: always return on template server error, add case for error_on_missing_key * agent: fix tests by updating Run params to use an errCh * agent/template: add permission denied test case, clean up test var * agent: use unbuffered errCh, emit fatal errors directly to the UI output * agent: use oklog's run.Group to schedule subsystem runners (#9761) * agent: use oklog's run.Group to schedule subsystem runners * agent: clean up unused DoneCh, clean up agent's main Run func * agent/template: use ts.stopped.CAS to atomically swap value * fix tests * fix tests * agent/template: add timeout on TestRunServer * agent: output error via logs and return a generic error on non-zero exit * fix TestAgent_ExitAfterAuth * agent/template: do not restart ct runner on new incoming token if exit_after_auth is set to true * agent: drain ah.OutputCh after sink exits to avoid blocking on the channel * use context.WithTimeout, expand comments around ordering of defer cancel() 2020-09-30 01:03:09 +00:00			`select {`
			`case <-ctx.Done():`
			`case err := <-errCh:`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`}`
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`}()`

agent: return a non-zero exit code on error (#9670) * agent: return a non-zero exit code on error * agent/template: always return on template server error, add case for error_on_missing_key * agent: fix tests by updating Run params to use an errCh * agent/template: add permission denied test case, clean up test var * agent: use unbuffered errCh, emit fatal errors directly to the UI output * agent: use oklog's run.Group to schedule subsystem runners (#9761) * agent: use oklog's run.Group to schedule subsystem runners * agent: clean up unused DoneCh, clean up agent's main Run func * agent/template: use ts.stopped.CAS to atomically swap value * fix tests * fix tests * agent/template: add timeout on TestRunServer * agent: output error via logs and return a generic error on non-zero exit * fix TestAgent_ExitAfterAuth * agent/template: do not restart ct runner on new incoming token if exit_after_auth is set to true * agent: drain ah.OutputCh after sink exits to avoid blocking on the channel * use context.WithTimeout, expand comments around ordering of defer cancel() 2020-09-30 01:03:09 +00:00			`// This has to be after the other defers so it happens first. It allows`
			`// successful test runs to immediately cancel all of the runner goroutines`
			`// and unblock any of the blocking defer calls by the runner's DoneCh that`
			`// comes before this and avoid successful tests from taking the entire`
			`// timeout duration.`
			`defer cancel()`

Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`if stat, err := os.Lstat(tokenSinkFileName); err == nil {`
			`t.Fatalf("expected err but got %s", stat)`
			`} else if !os.IsNotExist(err) {`
			`t.Fatal("expected notexist err")`
			`}`

			`// Wait 2 seconds for the env variables to be detected and an auth to be generated.`
			`time.Sleep(time.Second * 2)`

			`token, err := readToken(tokenSinkFileName)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`if token.Token == "" {`
			`t.Fatal("expected token but didn't receive it")`
			`}`
			`}`

			`func setAwsEnvCreds() error {`
			`cfg := &aws.Config{`
			`Credentials: credentials.NewStaticCredentials(os.Getenv(envVarAwsTestAccessKey), os.Getenv(envVarAwsTestSecretKey), ""),`
			`}`
			`sess, err := session.NewSession(cfg)`
			`if err != nil {`
			`return err`
			`}`
			`client := sts.New(sess)`

			`roleArn := os.Getenv(envVarAwsTestRoleArn)`
			`uid, err := uuid.GenerateUUID()`
			`if err != nil {`
			`return err`
			`}`

			`input := &sts.AssumeRoleInput{`
			`RoleArn: &roleArn,`
			`RoleSessionName: &uid,`
			`}`
			`output, err := client.AssumeRole(input)`
			`if err != nil {`
			`return err`
			`}`

			`if err := os.Setenv(envVarAwsAccessKey, *output.Credentials.AccessKeyId); err != nil {`
			`return err`
			`}`
			`if err := os.Setenv(envVarAwsSecretKey, *output.Credentials.SecretAccessKey); err != nil {`
			`return err`
			`}`
			`return os.Setenv(envVarAwsSessionToken, *output.Credentials.SessionToken)`
			`}`

			`func unsetAwsEnvCreds() error {`
			`if err := os.Unsetenv(envVarAwsAccessKey); err != nil {`
			`return err`
			`}`
			`if err := os.Unsetenv(envVarAwsSecretKey); err != nil {`
			`return err`
			`}`
			`return os.Unsetenv(envVarAwsSessionToken)`
			`}`