luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
open-vault/vault/token_store_test.go

5744 lines
161 KiB
Go
Raw Normal View History

vault: First pass token store
2015-03-18 20:19:19 +00:00
package vault
import (
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
2018-01-08 18:31:38 +00:00
"context"
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
"encoding/json"
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
"fmt"
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
"path"
vault: First pass token store
2015-03-18 20:19:19 +00:00
"reflect"
Add tidy expiration test
2016-12-16 21:46:29 +00:00
"sort"
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
"strings"
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
"sync"
Use an atomic store in expiration loading test to fix race detector
2017-11-01 19:52:59 +00:00
"sync/atomic"
vault: First pass token store
2015-03-18 20:19:19 +00:00
"testing"
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
"time"
Token creation counters (#9052) * Add token creation counters. * Created a utility to change TTL to bucket name. * Add counter covering token creation for response wrapping. * Fix namespace label, with a new utility function.
2020-06-02 18:40:54 +00:00
"github.com/armon/go-metrics"
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"github.com/go-test/deep"
"github.com/hashicorp/errwrap"
Token identity support (#6267) * Implemented token backend support for identity * Fixed tests * Refactored a few checks for the token entity overwrite. Fixed tests. * Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list * go mod vendor * Added glob pattern * Optimized allowed entity alias check * Added test for asterisk only * Changed to glob pattern anywhere * Changed response code in case of failure. Changed globbing pattern check. Added docs. * Added missing token role get parameter. Added more samples * Fixed failing tests * Corrected some cosmetical review points * Changed response code for invalid provided entity alias * Fixed minor things * Fixed failing test
2019-07-01 09:39:54 +00:00
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-sockaddr"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/identity"
Token creation counters (#9052) * Add token creation counters. * Created a utility to change TTL to bucket name. * Add counter covering token creation for response wrapping. * Fix namespace label, with a new utility function.
2020-06-02 18:40:54 +00:00
"github.com/hashicorp/vault/helper/metricsutil"
The big one (#5346)
2018-09-18 03:03:00 +00:00
"github.com/hashicorp/vault/helper/namespace"
Switch to go modules (#6585) * Switch to go modules * Make fmt
2019-04-13 07:44:06 +00:00
"github.com/hashicorp/vault/sdk/helper/locksutil"
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
"github.com/hashicorp/vault/sdk/helper/parseutil"
"github.com/hashicorp/vault/sdk/helper/tokenutil"
Create sdk/ and api/ submodules (#6583)
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/logical"
Token identity support (#6267) * Implemented token backend support for identity * Fixed tests * Refactored a few checks for the token entity overwrite. Fixed tests. * Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list * go mod vendor * Added glob pattern * Optimized allowed entity alias check * Added test for asterisk only * Changed to glob pattern anywhere * Changed response code in case of failure. Changed globbing pattern check. Added docs. * Added missing token role get parameter. Added more samples * Fixed failing tests * Corrected some cosmetical review points * Changed response code for invalid provided entity alias * Fixed minor things * Fixed failing test
2019-07-01 09:39:54 +00:00
"github.com/mitchellh/mapstructure"
vault: First pass token store
2015-03-18 20:19:19 +00:00
)
Set orphan status in the token creation response (#6320)
2019-03-01 23:55:58 +00:00
func TestTokenStore_CreateOrphanResponse(t *testing.T) {
c, _, root := TestCoreUnsealed(t)
resp, err := c.HandleRequest(namespace.RootContext(nil), &logical.Request{
Operation: logical.UpdateOperation,
Path: "auth/token/create-orphan",
ClientToken: root,
Data: map[string]interface{}{
"policies": "default",
},
})
if err != nil && (resp != nil && resp.IsError()) {
t.Fatalf("bad: err: %v, resp: %#v", err, resp)
}
if !resp.Auth.Orphan {
t.Fatalf("failed to set orphan as true in the response")
}
}
Cubbyhole cleanup (#6006) * fix cubbyhole deletion * Fix error handling * Move the cubbyhole tidy logic to token store and track the revocation count * Move fetching of cubby keys before the tidy loop * Fix context getting cancelled * Test the cubbyhole cleanup logic * Add progress counter for cubbyhole cleanup * Minor polish * Use map instead of slice for faster computation * Add test for cubbyhole deletion * Add a log statement for deletion * Add SHA1 hashed tokens into the mix
2019-01-09 18:53:41 +00:00
func TestTokenStore_CubbyholeDeletion(t *testing.T) {
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
for i := 0; i < 10; i++ {
// Create a token
tokenReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "create",
ClientToken: root,
Don't allow registering a non-root zero TTL token lease (#7524) * Don't allow registering a non-root zero TTL token lease This is defense-in-depth in that such a token was not allowed to be used; however it's also a bug fix in that this would then cause no lease to be generated but the token entry to be written, meaning the token entry would stick around until it was attempted to be used or tidied (in both cases the internal lookup would see that this was invalid and do a revoke on the spot). * Fix tests * tidy
2019-11-05 21:11:13 +00:00
Data: map[string]interface{}{
"ttl": "600s",
},
Cubbyhole cleanup (#6006) * fix cubbyhole deletion * Fix error handling * Move the cubbyhole tidy logic to token store and track the revocation count * Move fetching of cubby keys before the tidy loop * Fix context getting cancelled * Test the cubbyhole cleanup logic * Add progress counter for cubbyhole cleanup * Minor polish * Use map instead of slice for faster computation * Add test for cubbyhole deletion * Add a log statement for deletion * Add SHA1 hashed tokens into the mix
2019-01-09 18:53:41 +00:00
}
// Supplying token ID forces SHA1 hashing to be used
if i%2 == 0 {
tokenReq.Data = map[string]interface{}{
Don't allow registering a non-root zero TTL token lease (#7524) * Don't allow registering a non-root zero TTL token lease This is defense-in-depth in that such a token was not allowed to be used; however it's also a bug fix in that this would then cause no lease to be generated but the token entry to be written, meaning the token entry would stick around until it was attempted to be used or tidied (in both cases the internal lookup would see that this was invalid and do a revoke on the spot). * Fix tests * tidy
2019-11-05 21:11:13 +00:00
"id": "testroot",
"ttl": "600s",
Cubbyhole cleanup (#6006) * fix cubbyhole deletion * Fix error handling * Move the cubbyhole tidy logic to token store and track the revocation count * Move fetching of cubby keys before the tidy loop * Fix context getting cancelled * Test the cubbyhole cleanup logic * Add progress counter for cubbyhole cleanup * Minor polish * Use map instead of slice for faster computation * Add test for cubbyhole deletion * Add a log statement for deletion * Add SHA1 hashed tokens into the mix
2019-01-09 18:53:41 +00:00
}
}
resp := testMakeTokenViaRequest(t, ts, tokenReq)
token := resp.Auth.ClientToken
// Write data in the token's cubbyhole
resp, err := c.HandleRequest(namespace.RootContext(nil), &logical.Request{
ClientToken: token,
Operation: logical.UpdateOperation,
Path: "cubbyhole/sample/data",
Data: map[string]interface{}{
"foo": "bar",
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
// Revoke the token
resp, err = ts.HandleRequest(namespace.RootContext(nil), &logical.Request{
ClientToken: token,
Path: "revoke-self",
Operation: logical.UpdateOperation,
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
}
// List the cubbyhole keys
cubbyholeKeys, err := ts.cubbyholeBackend.storageView.List(namespace.RootContext(nil), "")
if err != nil {
t.Fatal(err)
}
// There should be no entries
if len(cubbyholeKeys) != 0 {
t.Fatalf("bad: len(cubbyholeKeys); expected: 0, actual: %d", len(cubbyholeKeys))
}
}
func TestTokenStore_CubbyholeTidy(t *testing.T) {
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
for i := 1; i <= 20; i++ {
// Create 20 tokens
tokenReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "create",
ClientToken: root,
Don't allow registering a non-root zero TTL token lease (#7524) * Don't allow registering a non-root zero TTL token lease This is defense-in-depth in that such a token was not allowed to be used; however it's also a bug fix in that this would then cause no lease to be generated but the token entry to be written, meaning the token entry would stick around until it was attempted to be used or tidied (in both cases the internal lookup would see that this was invalid and do a revoke on the spot). * Fix tests * tidy
2019-11-05 21:11:13 +00:00
Data: map[string]interface{}{
"ttl": "600s",
},
Cubbyhole cleanup (#6006) * fix cubbyhole deletion * Fix error handling * Move the cubbyhole tidy logic to token store and track the revocation count * Move fetching of cubby keys before the tidy loop * Fix context getting cancelled * Test the cubbyhole cleanup logic * Add progress counter for cubbyhole cleanup * Minor polish * Use map instead of slice for faster computation * Add test for cubbyhole deletion * Add a log statement for deletion * Add SHA1 hashed tokens into the mix
2019-01-09 18:53:41 +00:00
}
resp := testMakeTokenViaRequest(t, ts, tokenReq)
token := resp.Auth.ClientToken
// Supplying token ID forces SHA1 hashing to be used
if i%3 == 0 {
tokenReq.Data = map[string]interface{}{
Don't allow registering a non-root zero TTL token lease (#7524) * Don't allow registering a non-root zero TTL token lease This is defense-in-depth in that such a token was not allowed to be used; however it's also a bug fix in that this would then cause no lease to be generated but the token entry to be written, meaning the token entry would stick around until it was attempted to be used or tidied (in both cases the internal lookup would see that this was invalid and do a revoke on the spot). * Fix tests * tidy
2019-11-05 21:11:13 +00:00
"id": "testroot",
"ttl": "600s",
Cubbyhole cleanup (#6006) * fix cubbyhole deletion * Fix error handling * Move the cubbyhole tidy logic to token store and track the revocation count * Move fetching of cubby keys before the tidy loop * Fix context getting cancelled * Test the cubbyhole cleanup logic * Add progress counter for cubbyhole cleanup * Minor polish * Use map instead of slice for faster computation * Add test for cubbyhole deletion * Add a log statement for deletion * Add SHA1 hashed tokens into the mix
2019-01-09 18:53:41 +00:00
}
}
// Create 4 junk cubbyhole entries
if i%5 == 0 {
invalidToken, err := uuid.GenerateUUID()
if err != nil {
t.Fatal(err)
}
resp, err := ts.cubbyholeBackend.HandleRequest(namespace.RootContext(nil), &logical.Request{
ClientToken: invalidToken,
Operation: logical.UpdateOperation,
Path: "cubbyhole/sample/data",
Data: map[string]interface{}{
"foo": "bar",
},
Storage: ts.cubbyholeBackend.storageView,
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
}
// Write into cubbyholes of 10 tokens
if i%2 == 0 {
continue
}
resp, err := c.HandleRequest(namespace.RootContext(nil), &logical.Request{
ClientToken: token,
Operation: logical.UpdateOperation,
Path: "cubbyhole/sample/data",
Data: map[string]interface{}{
"foo": "bar",
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
}
// Tidy cubbyhole storage
resp, err := ts.HandleRequest(namespace.RootContext(nil), &logical.Request{
Path: "tidy",
Operation: logical.UpdateOperation,
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
// Wait for tidy operation to complete
time.Sleep(2 * time.Second)
// List all the cubbyhole storage keys
cubbyholeKeys, err := ts.cubbyholeBackend.storageView.List(namespace.RootContext(nil), "")
if err != nil {
t.Fatal(err)
}
// The junk entries must have been cleaned up
if len(cubbyholeKeys) != 10 {
t.Fatalf("bad: len(cubbyholeKeys); expected: 10, actual: %d", len(cubbyholeKeys))
}
}
Deprecate SHA1 in token store (#770) * Deprecate SHA1 in token store * Fallback to SHA1 for user selected IDs * Fix existing tests * Added warning * Address some review feedback and remove root token prefix * Tests for service token prefixing * Salting utility tests * Adjust OTP length for root token generation * Fix tests * Address review feedback
2018-10-17 20:23:04 +00:00
func TestTokenStore_Salting(t *testing.T) {
c, _, _ := TestCoreUnsealed(t)
ts := c.tokenStore
saltedID, err := ts.SaltID(namespace.RootContext(nil), "foo")
if err != nil {
t.Fatal(err)
}
if strings.HasPrefix(saltedID, "h") {
t.Fatalf("expected sha1 hash; got sha2-256 hmac")
}
saltedID, err = ts.SaltID(namespace.RootContext(nil), "s.foo")
if err != nil {
t.Fatal(err)
}
if !strings.HasPrefix(saltedID, "h") {
t.Fatalf("expected sha2-256 hmac; got sha1 hash")
}
Migrate built in auto seal to go-kms-wrapping (#8118)
2020-01-11 01:39:52 +00:00
nsCtx := namespace.ContextWithNamespace(context.Background(), &namespace.Namespace{ID: "testid", Path: "ns1"})
Deprecate SHA1 in token store (#770) * Deprecate SHA1 in token store * Fallback to SHA1 for user selected IDs * Fix existing tests * Added warning * Address some review feedback and remove root token prefix * Tests for service token prefixing * Salting utility tests * Adjust OTP length for root token generation * Fix tests * Address review feedback
2018-10-17 20:23:04 +00:00
saltedID, err = ts.SaltID(nsCtx, "foo")
if err != nil {
t.Fatal(err)
}
if !strings.HasPrefix(saltedID, "h") {
t.Fatalf("expected sha2-256 hmac; got sha1 hash")
}
saltedID, err = ts.SaltID(nsCtx, "s.foo")
if err != nil {
t.Fatal(err)
}
if !strings.HasPrefix(saltedID, "h") {
t.Fatalf("expected sha2-256 hmac; got sha1 hash")
}
}
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
type TokenEntryOld struct {
ID string
Accessor string
Parent string
Policies []string
Path string
Meta map[string]string
DisplayName string
NumUses int
CreationTime int64
TTL time.Duration
ExplicitMaxTTL time.Duration
Role string
Period time.Duration
}
func TestTokenStore_TokenEntryUpgrade(t *testing.T) {
var err error
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, _ := TestCoreUnsealed(t)
ts := c.tokenStore
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
// Use a struct that does not have struct tags to store the items and
// check if the lookup code handles them properly while reading back
entry := &TokenEntryOld{
DisplayName: "test-display-name",
Path: "test",
Policies: []string{"dev", "ops"},
CreationTime: time.Now().Unix(),
ExplicitMaxTTL: 100,
NumUses: 10,
}
entry.ID, err = uuid.GenerateUUID()
if err != nil {
t.Fatal(err)
}
enc, err := json.Marshal(entry)
if err != nil {
t.Fatal(err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
saltedID, err := ts.SaltID(namespace.RootContext(nil), entry.ID)
Dynamically load and invalidate the token store salt (#3021) * Dynaically load and invalidate the token store salt * Pass salt function into the router
2017-07-18 16:02:03 +00:00
if err != nil {
t.Fatal(err)
}
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
le := &logical.StorageEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
Key: saltedID,
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
Value: enc,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.idView(namespace.RootNamespace).Put(namespace.RootContext(nil), le); err != nil {
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
t.Fatal(err)
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
// Register with exp manager so lookup works
auth := &logical.Auth{
DisplayName: entry.DisplayName,
CreationPath: entry.Path,
Policies: entry.Policies,
ExplicitMaxTTL: entry.ExplicitMaxTTL,
NumUses: entry.NumUses,
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
},
ClientToken: entry.ID,
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
// Same as entry from TokenEntryOld, but used for RegisterAuth
registryEntry := &logical.TokenEntry{
DisplayName: entry.DisplayName,
Path: entry.Path,
Policies: entry.Policies,
CreationTime: entry.CreationTime,
ExplicitMaxTTL: entry.ExplicitMaxTTL,
NumUses: entry.NumUses,
NamespaceID: namespace.RootNamespaceID,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.expiration.RegisterAuth(namespace.RootContext(nil), registryEntry, auth); err != nil {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
t.Fatal(err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), entry.ID)
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
if out.DisplayName != "test-display-name" {
t.Fatalf("bad: display_name: expected: test-display-name, actual: %s", out.DisplayName)
}
if out.CreationTime == 0 {
t.Fatal("bad: expected a non-zero creation time")
}
if out.ExplicitMaxTTL != 100 {
t.Fatalf("bad: explicit_max_ttl: expected: 100, actual: %d", out.ExplicitMaxTTL)
}
if out.NumUses != 10 {
t.Fatalf("bad: num_uses: expected: 10, actual: %d", out.NumUses)
}
// Test the default case to ensure there are no regressions
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent := &logical.TokenEntry{
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
DisplayName: "test-display-name",
Path: "test",
Policies: []string{"dev", "ops"},
CreationTime: time.Now().Unix(),
ExplicitMaxTTL: 100,
NumUses: 10,
The big one (#5346)
2018-09-18 03:03:00 +00:00
NamespaceID: namespace.RootNamespaceID,
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.create(namespace.RootContext(nil), ent); err != nil {
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
t.Fatalf("err: %s", err)
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
auth = &logical.Auth{
DisplayName: ent.DisplayName,
CreationPath: ent.Path,
Policies: ent.Policies,
ExplicitMaxTTL: ent.ExplicitMaxTTL,
NumUses: ent.NumUses,
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
},
ClientToken: ent.ID,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.expiration.RegisterAuth(namespace.RootContext(nil), ent, auth); err != nil {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
t.Fatal(err)
}
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), ent.ID)
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
if out.DisplayName != "test-display-name" {
t.Fatalf("bad: display_name: expected: test-display-name, actual: %s", out.DisplayName)
}
if out.CreationTime == 0 {
t.Fatal("bad: expected a non-zero creation time")
}
if out.ExplicitMaxTTL != 100 {
t.Fatalf("bad: explicit_max_ttl: expected: 100, actual: %d", out.ExplicitMaxTTL)
}
if out.NumUses != 10 {
t.Fatalf("bad: num_uses: expected: 10, actual: %d", out.NumUses)
}
// Fill in the deprecated fields and read out from proper fields
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent = &logical.TokenEntry{
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
Path: "test",
Policies: []string{"dev", "ops"},
DisplayNameDeprecated: "test-display-name",
CreationTimeDeprecated: time.Now().Unix(),
ExplicitMaxTTLDeprecated: 100,
NumUsesDeprecated: 10,
The big one (#5346)
2018-09-18 03:03:00 +00:00
NamespaceID: namespace.RootNamespaceID,
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.create(namespace.RootContext(nil), ent); err != nil {
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
t.Fatalf("err: %s", err)
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
auth = &logical.Auth{
DisplayName: ent.DisplayName,
CreationPath: ent.Path,
Policies: ent.Policies,
ExplicitMaxTTL: ent.ExplicitMaxTTL,
NumUses: ent.NumUses,
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
},
ClientToken: ent.ID,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.expiration.RegisterAuth(namespace.RootContext(nil), ent, auth); err != nil {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
t.Fatal(err)
}
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), ent.ID)
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
if out.DisplayName != "test-display-name" {
t.Fatalf("bad: display_name: expected: test-display-name, actual: %s", out.DisplayName)
}
if out.CreationTime == 0 {
t.Fatal("bad: expected a non-zero creation time")
}
if out.ExplicitMaxTTL != 100 {
t.Fatalf("bad: explicit_max_ttl: expected: 100, actual: %d", out.ExplicitMaxTTL)
}
if out.NumUses != 10 {
t.Fatalf("bad: num_uses: expected: 10, actual: %d", out.NumUses)
}
// Check if NumUses picks up a lower value
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent = &logical.TokenEntry{
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
Path: "test",
NumUses: 5,
NumUsesDeprecated: 10,
The big one (#5346)
2018-09-18 03:03:00 +00:00
NamespaceID: namespace.RootNamespaceID,
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.create(namespace.RootContext(nil), ent); err != nil {
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
t.Fatalf("err: %s", err)
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
auth = &logical.Auth{
DisplayName: ent.DisplayName,
CreationPath: ent.Path,
Policies: ent.Policies,
ExplicitMaxTTL: ent.ExplicitMaxTTL,
NumUses: ent.NumUses,
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
},
ClientToken: ent.ID,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.expiration.RegisterAuth(namespace.RootContext(nil), ent, auth); err != nil {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
t.Fatal(err)
}
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), ent.ID)
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
if out.NumUses != 5 {
t.Fatalf("bad: num_uses: expected: 5, actual: %d", out.NumUses)
}
// Switch the values from deprecated and proper field and check if the
// lower value is still getting picked up
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent = &logical.TokenEntry{
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
Path: "test",
NumUses: 10,
NumUsesDeprecated: 5,
The big one (#5346)
2018-09-18 03:03:00 +00:00
NamespaceID: namespace.RootNamespaceID,
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.create(namespace.RootContext(nil), ent); err != nil {
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
t.Fatalf("err: %s", err)
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
auth = &logical.Auth{
DisplayName: ent.DisplayName,
CreationPath: ent.Path,
Policies: ent.Policies,
ExplicitMaxTTL: ent.ExplicitMaxTTL,
NumUses: ent.NumUses,
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
},
ClientToken: ent.ID,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.expiration.RegisterAuth(namespace.RootContext(nil), ent, auth); err != nil {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
t.Fatal(err)
}
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), ent.ID)
Added unit tests for token entry upgrade
2016-09-26 22:17:50 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
if out.NumUses != 5 {
t.Fatalf("bad: num_uses: expected: 5, actual: %d", out.NumUses)
}
}
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests.
2015-09-04 20:58:12 +00:00
func getBackendConfig(c *Core) *logical.BackendConfig {
return &logical.BackendConfig{
Logger: c.logger,
System: logical.StaticSystemView{
DefaultLeaseTTLVal: time.Hour * 24,
Change default TTL from 30 to 32 to accommodate monthly operations (#1942)
2016-09-28 22:32:49 +00:00
MaxLeaseTTLVal: time.Hour * 24 * 32,
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests.
2015-09-04 20:58:12 +00:00
},
}
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
func testMakeServiceTokenViaBackend(t testing.TB, ts *TokenStore, root, client, ttl string, policy []string) {
Don't allow registering a non-root zero TTL token lease (#7524) * Don't allow registering a non-root zero TTL token lease This is defense-in-depth in that such a token was not allowed to be used; however it's also a bug fix in that this would then cause no lease to be generated but the token entry to be written, meaning the token entry would stick around until it was attempted to be used or tidied (in both cases the internal lookup would see that this was invalid and do a revoke on the spot). * Fix tests * tidy
2019-11-05 21:11:13 +00:00
t.Helper()
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeTokenViaBackend(t, ts, root, client, ttl, policy, false)
}
func testMakeTokenViaBackend(t testing.TB, ts *TokenStore, root, client, ttl string, policy []string, batch bool) {
Don't allow registering a non-root zero TTL token lease (#7524) * Don't allow registering a non-root zero TTL token lease This is defense-in-depth in that such a token was not allowed to be used; however it's also a bug fix in that this would then cause no lease to be generated but the token entry to be written, meaning the token entry would stick around until it was attempted to be used or tidied (in both cases the internal lookup would see that this was invalid and do a revoke on the spot). * Fix tests * tidy
2019-11-05 21:11:13 +00:00
t.Helper()
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if batch {
req.Data["type"] = "batch"
} else {
req.Data["id"] = client
}
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
req.Data["policies"] = policy
req.Data["ttl"] = ttl
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp := testMakeTokenViaRequest(t, ts, req)
if resp.Auth.ClientToken != client {
t.Fatalf("bad: %#v", resp)
}
}
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
Offline token revocation fix
2018-06-03 22:14:51 +00:00
func testMakeTokenViaRequest(t testing.TB, ts *TokenStore, req *logical.Request) *logical.Response {
Don't allow registering a non-root zero TTL token lease (#7524) * Don't allow registering a non-root zero TTL token lease This is defense-in-depth in that such a token was not allowed to be used; however it's also a bug fix in that this would then cause no lease to be generated but the token entry to be written, meaning the token entry would stick around until it was attempted to be used or tidied (in both cases the internal lookup would see that this was invalid and do a revoke on the spot). * Fix tests * tidy
2019-11-05 21:11:13 +00:00
t.Helper()
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if err != nil {
t.Fatal(err)
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
if resp == nil {
t.Fatalf("got nil token from create call")
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
// Let the caller handle the error
if resp.IsError() {
return resp
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
The big one (#5346)
2018-09-18 03:03:00 +00:00
te := &logical.TokenEntry{
Path: resp.Auth.CreationPath,
NamespaceID: namespace.RootNamespaceID,
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp.Auth.TokenType != logical.TokenTypeBatch {
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.expiration.RegisterAuth(namespace.RootContext(nil), te, resp.Auth); err != nil {
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
t.Fatal(err)
}
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.Lookup(namespace.RootContext(nil), resp.Auth.ClientToken)
The big one (#5346)
2018-09-18 03:03:00 +00:00
if err != nil {
t.Fatal(err)
}
if te == nil {
t.Fatal("token entry was nil")
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
return resp
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
}
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
func testMakeTokenDirectly(t testing.TB, ts *TokenStore, te *logical.TokenEntry) {
The big one (#5346)
2018-09-18 03:03:00 +00:00
if te.NamespaceID == "" {
te.NamespaceID = namespace.RootNamespaceID
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if te.CreationTime == 0 {
te.CreationTime = time.Now().Unix()
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
if err := ts.create(namespace.RootContext(nil), te); err != nil {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
t.Fatal(err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if te.Type == logical.TokenTypeDefault {
te.Type = logical.TokenTypeService
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
auth := &logical.Auth{
NumUses: te.NumUses,
DisplayName: te.DisplayName,
Policies: te.Policies,
Metadata: te.Meta,
LeaseOptions: logical.LeaseOptions{
TTL: te.TTL,
Renewable: te.TTL > 0,
},
ClientToken: te.ID,
Accessor: te.Accessor,
EntityID: te.EntityID,
Period: te.Period,
ExplicitMaxTTL: te.ExplicitMaxTTL,
CreationPath: te.Path,
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
TokenType: te.Type,
Offline token revocation fix
2018-06-03 22:14:51 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err := ts.expiration.RegisterAuth(namespace.RootContext(nil), te, auth)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
switch err {
case nil:
if te.Type == logical.TokenTypeBatch {
t.Fatal("expected error from trying to register auth with batch token")
}
default:
if te.Type != logical.TokenTypeBatch {
t.Fatal(err)
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
}
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
func testMakeServiceTokenViaCore(t testing.TB, c *Core, root, client, ttl string, policy []string) {
testMakeTokenViaCore(t, c, root, client, ttl, policy, false, nil)
}
func testMakeTokenViaCore(t testing.TB, c *Core, root, client, ttl string, policy []string, batch bool, outAuth *logical.Auth) {
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create")
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if batch {
req.Data["type"] = "batch"
} else {
req.Data["id"] = client
}
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
req.Data["policies"] = policy
req.Data["ttl"] = ttl
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := c.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Sync
2017-10-23 18:59:37 +00:00
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if !batch {
if resp.Auth.ClientToken != client {
t.Fatalf("bad: %#v", *resp)
}
}
if outAuth != nil && resp != nil && resp.Auth != nil {
*outAuth = *resp.Auth
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
}
}
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
func TestTokenStore_AccessorIndex(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, _ := TestCoreUnsealed(t)
ts := c.tokenStore
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
Path: "test",
Policies: []string{"dev", "ops"},
TTL: time.Hour,
NamespaceID: namespace.RootNamespaceID,
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, ent)
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), ent.ID)
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
// Ensure that accessor is created
if out == nil || out.Accessor == "" {
t.Fatalf("bad: %#v", out)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
aEntry, err := ts.lookupByAccessor(namespace.RootContext(nil), out.Accessor, false, false)
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
// Verify that the value returned from the index matches the token ID
Add accessor list function to token store
2016-07-29 22:20:38 +00:00
if aEntry.TokenID != ent.ID {
t.Fatalf("bad: got\n%s\nexpected\n%s\n", aEntry.TokenID, ent.ID)
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
// Make sure a batch token doesn't get an accessor
ent.Type = logical.TokenTypeBatch
testMakeTokenDirectly(t, ts, ent)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), ent.ID)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
// Ensure that accessor is created
if out == nil || out.Accessor != "" {
t.Fatalf("bad: %#v", out)
}
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
}
func TestTokenStore_HandleRequest_LookupAccessor(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Don't allow registering a non-root zero TTL token lease (#7524) * Don't allow registering a non-root zero TTL token lease This is defense-in-depth in that such a token was not allowed to be used; however it's also a bug fix in that this would then cause no lease to be generated but the token entry to be written, meaning the token entry would stick around until it was attempted to be used or tidied (in both cases the internal lookup would see that this was invalid and do a revoke on the spot). * Fix tests * tidy
2019-11-05 21:11:13 +00:00
testMakeServiceTokenViaBackend(t, ts, root, "tokenid", "60s", []string{"foo"})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), "tokenid")
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
if out == nil {
t.Fatalf("err: %s", err)
}
Don't allow tokens in paths. (#1783)
2016-08-24 19:59:43 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "lookup-accessor")
req.Data = map[string]interface{}{
"accessor": out.Accessor,
}
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
if resp.Data == nil {
t.Fatalf("response should contain data")
}
if resp.Data["accessor"].(string) == "" {
t.Fatalf("accessor should not be empty")
}
// Verify that the lookup-accessor operation does not return the token ID
if resp.Data["id"].(string) != "" {
t.Fatalf("token ID should not be returned")
}
}
Add accessor list function to token store
2016-07-29 22:20:38 +00:00
func TestTokenStore_HandleRequest_ListAccessors(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Add accessor list function to token store
2016-07-29 22:20:38 +00:00
testKeys := []string{"token1", "token2", "token3", "token4"}
for _, key := range testKeys {
Don't allow registering a non-root zero TTL token lease (#7524) * Don't allow registering a non-root zero TTL token lease This is defense-in-depth in that such a token was not allowed to be used; however it's also a bug fix in that this would then cause no lease to be generated but the token entry to be written, meaning the token entry would stick around until it was attempted to be used or tidied (in both cases the internal lookup would see that this was invalid and do a revoke on the spot). * Fix tests * tidy
2019-11-05 21:11:13 +00:00
testMakeServiceTokenViaBackend(t, ts, root, key, "60s", []string{"foo"})
Add accessor list function to token store
2016-07-29 22:20:38 +00:00
}
// Revoke root to make the number of accessors match
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
salted, err := ts.SaltID(namespace.RootContext(nil), root)
Dynamically load and invalidate the token store salt (#3021) * Dynaically load and invalidate the token store salt * Pass salt function into the router
2017-07-18 16:02:03 +00:00
if err != nil {
t.Fatal(err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
ts.revokeInternal(namespace.RootContext(nil), salted, false)
Add accessor list function to token store
2016-07-29 22:20:38 +00:00
Update tests to use the real accessors listing path
2018-03-26 18:21:36 +00:00
req := logical.TestRequest(t, logical.ListOperation, "accessors/")
Add accessor list function to token store
2016-07-29 22:20:38 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
Add accessor list function to token store
2016-07-29 22:20:38 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
if resp.Data == nil {
t.Fatalf("response should contain data")
}
if resp.Data["keys"] == nil {
t.Fatalf("keys should not be empty")
}
keys := resp.Data["keys"].([]string)
if len(keys) != len(testKeys) {
t.Fatalf("wrong number of accessors found")
}
Allow accessing Warnings directly in Response. (#2806) A change in copystructure has caused some panics due to the custom copy function. I'm more nervous about production panics than I am about keeping some bad code wiping out some existing warnings, so remove the custom copy function and just allow direct setting of Warnings.
2017-06-05 14:52:43 +00:00
if len(resp.Warnings) != 0 {
t.Fatalf("got warnings:\n%#v", resp.Warnings)
Add some extra safety checking in accessor listing and update website docs.
2016-08-01 17:07:41 +00:00
}
Add accessor list function to token store
2016-07-29 22:20:38 +00:00
// Test upgrade from old struct method of accessor storage (of token id)
for _, accessor := range keys {
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
aEntry, err := ts.lookupByAccessor(namespace.RootContext(nil), accessor, false, false)
Add accessor list function to token store
2016-07-29 22:20:38 +00:00
if err != nil {
t.Fatal(err)
}
if aEntry.TokenID == "" || aEntry.AccessorID == "" {
t.Fatalf("error, accessor entry looked up is empty, but no error thrown")
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
saltID, err := ts.SaltID(namespace.RootContext(nil), accessor)
Dynamically load and invalidate the token store salt (#3021) * Dynaically load and invalidate the token store salt * Pass salt function into the router
2017-07-18 16:02:03 +00:00
if err != nil {
t.Fatal(err)
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
le := &logical.StorageEntry{Key: saltID, Value: []byte(aEntry.TokenID)}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.accessorView(namespace.RootNamespace).Put(namespace.RootContext(nil), le); err != nil {
Add accessor list function to token store
2016-07-29 22:20:38 +00:00
t.Fatalf("failed to persist accessor index entry: %v", err)
}
}
// Do the lookup again, should get same result
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Add accessor list function to token store
2016-07-29 22:20:38 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
if resp.Data == nil {
t.Fatalf("response should contain data")
}
if resp.Data["keys"] == nil {
t.Fatalf("keys should not be empty")
}
keys2 := resp.Data["keys"].([]string)
if len(keys) != len(testKeys) {
t.Fatalf("wrong number of accessors found")
}
Allow accessing Warnings directly in Response. (#2806) A change in copystructure has caused some panics due to the custom copy function. I'm more nervous about production panics than I am about keeping some bad code wiping out some existing warnings, so remove the custom copy function and just allow direct setting of Warnings.
2017-06-05 14:52:43 +00:00
if len(resp.Warnings) != 0 {
t.Fatalf("got warnings:\n%#v", resp.Warnings)
Add some extra safety checking in accessor listing and update website docs.
2016-08-01 17:07:41 +00:00
}
Add accessor list function to token store
2016-07-29 22:20:38 +00:00
for _, accessor := range keys2 {
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
aEntry, err := ts.lookupByAccessor(namespace.RootContext(nil), accessor, false, false)
Add accessor list function to token store
2016-07-29 22:20:38 +00:00
if err != nil {
t.Fatal(err)
}
if aEntry.TokenID == "" || aEntry.AccessorID == "" {
t.Fatalf("error, accessor entry looked up is empty, but no error thrown")
}
}
}
Add ability to renew by accessor (#7817) * Add renewing by accessor * Add accessor renewing test and fix bug * Update website docs * Remove extra newline * Add command-level test
2019-11-08 16:32:01 +00:00
func TestTokenStore_HandleRequest_Renew_Revoke_Accessor(t *testing.T) {
Fix two failing tests due to the fact that the expiration manager now needs to be running to properly revoke tests.
2018-05-10 22:22:04 +00:00
exp := mockExpiration(t)
ts := exp.tokenStore
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
rootToken, err := ts.rootToken(namespace.RootContext(nil))
Fix token_store_test.go (#7490) * vault: fix dropped error in test goroutine * vault: fix dropped test errors
2019-09-18 21:18:08 +00:00
if err != nil {
t.Fatal(err)
}
Fix two failing tests due to the fact that the expiration manager now needs to be running to properly revoke tests.
2018-05-10 22:22:04 +00:00
root := rootToken.ID
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, ts, root, "tokenid", "", []string{"foo"})
Fix two failing tests due to the fact that the expiration manager now needs to be running to properly revoke tests.
2018-05-10 22:22:04 +00:00
auth := &logical.Auth{
ClientToken: "tokenid",
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
Renewable: true,
},
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err := ts.Lookup(namespace.RootContext(nil), "tokenid")
The big one (#5346)
2018-09-18 03:03:00 +00:00
if err != nil {
t.Fatal(err)
}
if te == nil {
t.Fatal("token entry was nil")
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = exp.RegisterAuth(namespace.RootContext(nil), te, auth)
Fix two failing tests due to the fact that the expiration manager now needs to be running to properly revoke tests.
2018-05-10 22:22:04 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), "tokenid")
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
if out == nil {
t.Fatalf("err: %s", err)
}
Add ability to renew by accessor (#7817) * Add renewing by accessor * Add accessor renewing test and fix bug * Update website docs * Remove extra newline * Add command-level test
2019-11-08 16:32:01 +00:00
lookupAccessor := func() int64 {
req := logical.TestRequest(t, logical.UpdateOperation, "lookup-accessor")
req.Data = map[string]interface{}{
"accessor": out.Accessor,
}
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
if resp.Data == nil {
t.Fatal("response should contain data")
}
if resp.Data["accessor"].(string) == "" {
t.Fatal("accessor should not be empty")
}
ttl := resp.Data["ttl"].(int64)
if ttl == 0 {
t.Fatal("ttl was zero")
}
return ttl
}
firstTTL := lookupAccessor()
// Sleep so we can verify renew behavior
time.Sleep(10 * time.Second)
secondTTL := lookupAccessor()
if secondTTL >= firstTTL {
t.Fatalf("second TTL %d was greater than first %d", secondTTL, firstTTL)
}
req := logical.TestRequest(t, logical.UpdateOperation, "renew-accessor")
req.Data = map[string]interface{}{
"accessor": out.Accessor,
}
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %s", err)
}
if resp.Auth == nil {
t.Fatal("resp auth is nil")
}
if resp.Auth.ClientToken != "" {
t.Fatal("client token found in response")
}
thirdTTL := lookupAccessor()
if thirdTTL <= secondTTL {
t.Fatalf("third TTL %d was not greater than second %d", thirdTTL, secondTTL)
}
req = logical.TestRequest(t, logical.UpdateOperation, "revoke-accessor")
Don't allow tokens in paths. (#1783)
2016-08-24 19:59:43 +00:00
req.Data = map[string]interface{}{
"accessor": out.Accessor,
}
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err = ts.HandleRequest(namespace.RootContext(nil), req)
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
time.Sleep(200 * time.Millisecond)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), "tokenid")
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
if out != nil {
t.Fatalf("bad:\ngot %#v\nexpected: nil\n", out)
}
// Now test without registering the token through the expiration manager
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, ts, root, "tokenid", "", []string{"foo"})
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), "tokenid")
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
if out == nil {
t.Fatalf("err: %s", err)
}
req = logical.TestRequest(t, logical.UpdateOperation, "revoke-accessor")
req.Data = map[string]interface{}{
"accessor": out.Accessor,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err = ts.HandleRequest(namespace.RootContext(nil), req)
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
time.Sleep(200 * time.Millisecond)
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), "tokenid")
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 17:50:26 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
if out != nil {
t.Fatalf("bad:\ngot %#v\nexpected: nil\n", out)
}
}
vault: Adding method to generate root token
2015-03-24 00:16:37 +00:00
func TestTokenStore_RootToken(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, _ := TestCoreUnsealed(t)
ts := c.tokenStore
vault: Adding method to generate root token
2015-03-24 00:16:37 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err := ts.rootToken(namespace.RootContext(nil))
vault: Adding method to generate root token
2015-03-24 00:16:37 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if te.ID == "" {
t.Fatalf("missing ID")
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), te.ID)
vault: Adding method to generate root token
2015-03-24 00:16:37 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, te) {
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
t.Fatalf("bad: expected:%#v\nactual:%#v", te, out)
vault: Adding method to generate root token
2015-03-24 00:16:37 +00:00
}
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
func TestTokenStore_NoRootBatch(t *testing.T) {
c, _, root := TestCoreUnsealed(t)
req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create")
req.ClientToken = root
req.Data["type"] = "batch"
req.Data["policies"] = "root"
req.Data["ttl"] = "5m"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := c.HandleRequest(namespace.RootContext(nil), req)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("expected response")
}
if !resp.IsError() {
t.Fatalf("expected error, got %#v", *resp)
}
}
vault: First pass token store
2015-03-18 20:19:19 +00:00
func TestTokenStore_CreateLookup(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, _ := TestCoreUnsealed(t)
ts := c.tokenStore
vault: First pass token store
2015-03-18 20:19:19 +00:00
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
NamespaceID: namespace.RootNamespaceID,
Path: "test",
Policies: []string{"dev", "ops"},
TTL: time.Hour,
vault: First pass token store
2015-03-18 20:19:19 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, ent)
vault: First pass token store
2015-03-18 20:19:19 +00:00
if ent.ID == "" {
t.Fatalf("missing ID")
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), ent.ID)
vault: First pass token store
2015-03-18 20:19:19 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, ent) {
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
t.Fatalf("bad: expected:%#v\nactual:%#v", ent, out)
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
}
// New store should share the salt
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
ts2, err := NewTokenStore(namespace.RootContext(nil), hclog.New(&hclog.LoggerOptions{}), c, getBackendConfig(c))
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
ts2.SetExpirationManager(c.expiration)
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
// Should still match
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts2.Lookup(namespace.RootContext(nil), ent.ID)
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, ent) {
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
t.Fatalf("bad: expected:%#v\nactual:%#v", ent, out)
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
}
}
func TestTokenStore_CreateLookup_ProvidedID(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, _ := TestCoreUnsealed(t)
ts := c.tokenStore
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
ID: "foobarbaz",
NamespaceID: namespace.RootNamespaceID,
Path: "test",
Policies: []string{"dev", "ops"},
TTL: time.Hour,
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, ent)
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
if ent.ID != "foobarbaz" {
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
t.Fatalf("bad: ent.ID: expected:\"foobarbaz\"\n actual:%s", ent.ID)
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.create(namespace.RootContext(nil), ent); err == nil {
Don't allow overriding token ID with the same token ID (#2917) Fixes #2916
2017-06-24 00:52:48 +00:00
t.Fatal("expected error creating token with the same ID")
}
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), ent.ID)
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, ent) {
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
t.Fatalf("bad: expected:%#v\nactual:%#v", ent, out)
vault: First pass token store
2015-03-18 20:19:19 +00:00
}
// New store should share the salt
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
ts2, err := NewTokenStore(namespace.RootContext(nil), hclog.New(&hclog.LoggerOptions{}), c, getBackendConfig(c))
vault: First pass token store
2015-03-18 20:19:19 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
ts2.SetExpirationManager(c.expiration)
vault: First pass token store
2015-03-18 20:19:19 +00:00
// Should still match
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts2.Lookup(namespace.RootContext(nil), ent.ID)
vault: First pass token store
2015-03-18 20:19:19 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, ent) {
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
t.Fatalf("bad: expected:%#v\nactual:%#v", ent, out)
vault: First pass token store
2015-03-18 20:19:19 +00:00
}
}
vault: testing token revocation
2015-03-18 20:50:36 +00:00
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
func TestTokenStore_CreateLookup_ExpirationInRestoreMode(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, _ := TestCoreUnsealed(t)
ts := c.tokenStore
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
The big one (#5346)
2018-09-18 03:03:00 +00:00
ent := &logical.TokenEntry{
NamespaceID: namespace.RootNamespaceID,
Path: "test",
Policies: []string{"dev", "ops"},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.create(namespace.RootContext(nil), ent); err != nil {
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
t.Fatalf("err: %v", err)
}
if ent.ID == "" {
t.Fatalf("missing ID")
}
// Replace the lease with a lease with an expire time in the past
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
saltedID, err := ts.SaltID(namespace.RootContext(nil), ent.ID)
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Create a lease entry
leaseID := path.Join(ent.Path, saltedID)
le := &leaseEntry{
LeaseID: leaseID,
ClientToken: ent.ID,
Path: ent.Path,
IssueTime: time.Now(),
ExpireTime: time.Now().Add(1 * time.Hour),
The big one (#5346)
2018-09-18 03:03:00 +00:00
namespace: namespace.RootNamespace,
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.expiration.persistEntry(namespace.RootContext(nil), le); err != nil {
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
t.Fatalf("err: %v", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), ent.ID)
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, ent) {
t.Fatalf("bad: expected:%#v\nactual:%#v", ent, out)
}
// Set to expired lease time
le.ExpireTime = time.Now().Add(-1 * time.Hour)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.expiration.persistEntry(namespace.RootContext(nil), le); err != nil {
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
t.Fatalf("err: %v", err)
}
err = ts.expiration.Stop()
if err != nil {
t.Fatal(err)
}
// Reset expiration manager to restore mode
ts.expiration.restoreModeLock.Lock()
Some atomic cleanup (#4732) Taking inspiration from https://github.com/golang/go/issues/17604#issuecomment-256384471 suggests that taking the address of a stack variable for use in atomics works (at least, the race detector doesn't complain) but is doing it wrong. The only other change is a change in Leader() detecting if HA is enabled to fast-path out. This value never changes after NewCore, so we don't need to grab the read lock to check it.
2018-06-09 19:35:22 +00:00
atomic.StoreInt32(ts.expiration.restoreMode, 1)
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
ts.expiration.restoreLocks = locksutil.CreateLocks()
ts.expiration.restoreModeLock.Unlock()
// Test that the token lookup does not return the token entry due to the
// expired lease
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), ent.ID)
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("lease expired, no token expected: %#v", out)
}
}
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
func TestTokenStore_UseToken(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
// Lookup the root token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
ent, err := ts.Lookup(namespace.RootContext(nil), root)
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Root is an unlimited use token, should be a no-op
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err := ts.UseToken(namespace.RootContext(nil), ent)
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Change UseToken mechanics. Add locking around UseToken and Lookup. Have UseToken flag an entry that needs to be revoked so that it can be done at the appropriate time, but so that Lookup in the interm doesn't return a value. The locking is a map of 4096 locks keyed off of the first three characters of the token ID which should provide good distribution.
2016-05-02 07:11:14 +00:00
if te == nil {
t.Fatalf("token entry after use was nil")
}
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
// Lookup the root token again
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
ent2, err := ts.Lookup(namespace.RootContext(nil), root)
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(ent, ent2) {
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
t.Fatalf("bad: ent:%#v ent2:%#v", ent, ent2)
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
}
Spelling (#4119)
2018-03-20 18:54:10 +00:00
// Create a restricted token
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent = &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
Path: "test",
Policies: []string{"dev", "ops"},
NumUses: 2,
TTL: time.Hour,
NamespaceID: namespace.RootNamespaceID,
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, ent)
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
// Use the token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.UseToken(namespace.RootContext(nil), ent)
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Change UseToken mechanics. Add locking around UseToken and Lookup. Have UseToken flag an entry that needs to be revoked so that it can be done at the appropriate time, but so that Lookup in the interm doesn't return a value. The locking is a map of 4096 locks keyed off of the first three characters of the token ID which should provide good distribution.
2016-05-02 07:11:14 +00:00
if te == nil {
t.Fatalf("token entry for use #1 was nil")
}
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
// Lookup the token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
ent2, err = ts.Lookup(namespace.RootContext(nil), ent.ID)
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Should be reduced
if ent2.NumUses != 1 {
t.Fatalf("bad: %#v", ent2)
}
// Use the token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.UseToken(namespace.RootContext(nil), ent)
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Change UseToken mechanics. Add locking around UseToken and Lookup. Have UseToken flag an entry that needs to be revoked so that it can be done at the appropriate time, but so that Lookup in the interm doesn't return a value. The locking is a map of 4096 locks keyed off of the first three characters of the token ID which should provide good distribution.
2016-05-02 07:11:14 +00:00
if te == nil {
t.Fatalf("token entry for use #2 was nil")
}
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
if te.NumUses != tokenRevocationPending {
Change UseToken mechanics. Add locking around UseToken and Lookup. Have UseToken flag an entry that needs to be revoked so that it can be done at the appropriate time, but so that Lookup in the interm doesn't return a value. The locking is a map of 4096 locks keyed off of the first three characters of the token ID which should provide good distribution.
2016-05-02 07:11:14 +00:00
t.Fatalf("token entry after use #2 did not have revoke flag")
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
ts.revokeOrphan(namespace.RootContext(nil), te.ID)
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
// Lookup the token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
ent2, err = ts.Lookup(namespace.RootContext(nil), ent.ID)
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Should be revoked
if ent2 != nil {
t.Fatalf("bad: %#v", ent2)
}
}
vault: testing token revocation
2015-03-18 20:50:36 +00:00
func TestTokenStore_Revoke(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, _ := TestCoreUnsealed(t)
ts := c.tokenStore
vault: testing token revocation
2015-03-18 20:50:36 +00:00
The big one (#5346)
2018-09-18 03:03:00 +00:00
ent := &logical.TokenEntry{Path: "test", Policies: []string{"dev", "ops"}, NamespaceID: namespace.RootNamespaceID}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.create(namespace.RootContext(nil), ent); err != nil {
vault: testing token revocation
2015-03-18 20:50:36 +00:00
t.Fatalf("err: %v", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err := ts.revokeOrphan(namespace.RootContext(nil), "")
vault: testing token revocation
2015-03-18 20:50:36 +00:00
if err.Error() != "cannot revoke blank token" {
t.Fatalf("err: %v", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = ts.revokeOrphan(namespace.RootContext(nil), ent.ID)
vault: testing token revocation
2015-03-18 20:50:36 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), ent.ID)
vault: testing token revocation
2015-03-18 20:50:36 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %#v", out)
}
}
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
func TestTokenStore_Revoke_Leases(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, _ := TestCoreUnsealed(t)
ts := c.tokenStore
Adding interface methods to logical.Backend for parity (#2242)
2017-01-07 23:18:22 +00:00
view := NewBarrierView(c.barrier, "noop/")
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
// Mount a noop backend
noop := &NoopBackend{}
The big one (#5346)
2018-09-18 03:03:00 +00:00
err := ts.expiration.router.Mount(noop, "noop/", &MountEntry{UUID: "noopuuid", Accessor: "noopaccessor", namespace: namespace.RootNamespace}, view)
fix token store tests
2017-07-01 20:06:15 +00:00
if err != nil {
t.Fatal(err)
}
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
The big one (#5346)
2018-09-18 03:03:00 +00:00
ent := &logical.TokenEntry{Path: "test", Policies: []string{"dev", "ops"}, NamespaceID: namespace.RootNamespaceID}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.create(namespace.RootContext(nil), ent); err != nil {
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
t.Fatalf("err: %v", err)
}
// Register a lease
req := &logical.Request{
Operation: logical.ReadOperation,
fix token store tests
2017-07-01 20:06:15 +00:00
Path: "noop/foo",
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
ClientToken: ent.ID,
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.SetTokenEntry(ent)
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
resp := &logical.Response{
Secret: &logical.Secret{
LeaseOptions: logical.LeaseOptions{
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-21 00:47:17 +00:00
TTL: 20 * time.Millisecond,
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
},
},
Data: map[string]interface{}{
"access_key": "xyz",
"secret_key": "abcd",
},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
leaseID, err := ts.expiration.Register(namespace.RootContext(nil), req, resp)
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Revoke the token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = ts.revokeOrphan(namespace.RootContext(nil), ent.ID)
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
time.Sleep(200 * time.Millisecond)
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
// Verify the lease is gone
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.expiration.loadEntry(namespace.RootContext(nil), leaseID)
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %#v", out)
}
}
vault: testing token revocation
2015-03-18 20:50:36 +00:00
func TestTokenStore_Revoke_Orphan(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, _ := TestCoreUnsealed(t)
ts := c.tokenStore
vault: testing token revocation
2015-03-18 20:50:36 +00:00
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
NamespaceID: namespace.RootNamespaceID,
Path: "test",
Policies: []string{"dev", "ops"},
TTL: time.Hour,
vault: testing token revocation
2015-03-18 20:50:36 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, ent)
vault: testing token revocation
2015-03-18 20:50:36 +00:00
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent2 := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
NamespaceID: namespace.RootNamespaceID,
Parent: ent.ID,
TTL: time.Hour,
vault: testing token revocation
2015-03-18 20:50:36 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, ent2)
vault: testing token revocation
2015-03-18 20:50:36 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err := ts.revokeOrphan(namespace.RootContext(nil), ent.ID)
vault: testing token revocation
2015-03-18 20:50:36 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), ent2.ID)
vault: testing token revocation
2015-03-18 20:50:36 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
// Unset the expected token parent's ID
ent2.Parent = ""
vault: testing token revocation
2015-03-18 20:50:36 +00:00
if !reflect.DeepEqual(out, ent2) {
The big one (#5346)
2018-09-18 03:03:00 +00:00
t.Fatalf("bad:\nexpected:%#v\nactual:%#v", ent2, out)
vault: testing token revocation
2015-03-18 20:50:36 +00:00
}
}
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
// This was the original function name, and now it just calls
// the non recursive version for a variety of depths.
vault: testing token revocation
2015-03-18 20:50:36 +00:00
func TestTokenStore_RevokeTree(t *testing.T) {
Detect and bypass cycles during token revocation (#5364) Fixes #4803
2018-09-20 21:56:38 +00:00
testTokenStore_RevokeTree_NonRecursive(t, 1, false)
testTokenStore_RevokeTree_NonRecursive(t, 2, false)
testTokenStore_RevokeTree_NonRecursive(t, 10, false)
// corrupted trees with cycles
testTokenStore_RevokeTree_NonRecursive(t, 1, true)
testTokenStore_RevokeTree_NonRecursive(t, 10, true)
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
}
vault: testing token revocation
2015-03-18 20:50:36 +00:00
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
// Revokes a given Token Store tree non recursively.
// The second parameter refers to the depth of the tree.
Detect and bypass cycles during token revocation (#5364) Fixes #4803
2018-09-20 21:56:38 +00:00
func testTokenStore_RevokeTree_NonRecursive(t testing.TB, depth uint64, injectCycles bool) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, _ := TestCoreUnsealed(t)
ts := c.tokenStore
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
root, children := buildTokenTree(t, ts, depth)
Detect and bypass cycles during token revocation (#5364) Fixes #4803
2018-09-20 21:56:38 +00:00
var cyclePaths []string
if injectCycles {
// Make the root the parent of itself
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
saltedRoot, _ := ts.SaltID(namespace.RootContext(nil), root.ID)
Detect and bypass cycles during token revocation (#5364) Fixes #4803
2018-09-20 21:56:38 +00:00
key := fmt.Sprintf("%s/%s", saltedRoot, saltedRoot)
cyclePaths = append(cyclePaths, key)
le := &logical.StorageEntry{Key: key}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.parentView(namespace.RootNamespace).Put(namespace.RootContext(nil), le); err != nil {
Detect and bypass cycles during token revocation (#5364) Fixes #4803
2018-09-20 21:56:38 +00:00
t.Fatalf("err: %v", err)
}
// Make a deep child the parent of a shallow child
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
shallow, _ := ts.SaltID(namespace.RootContext(nil), children[0].ID)
deep, _ := ts.SaltID(namespace.RootContext(nil), children[len(children)-1].ID)
Detect and bypass cycles during token revocation (#5364) Fixes #4803
2018-09-20 21:56:38 +00:00
key = fmt.Sprintf("%s/%s", deep, shallow)
cyclePaths = append(cyclePaths, key)
le = &logical.StorageEntry{Key: key}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ts.parentView(namespace.RootNamespace).Put(namespace.RootContext(nil), le); err != nil {
Detect and bypass cycles during token revocation (#5364) Fixes #4803
2018-09-20 21:56:38 +00:00
t.Fatalf("err: %v", err)
}
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err := ts.revokeTree(namespace.RootContext(nil), &leaseEntry{})
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
if err.Error() != "cannot tree-revoke blank token" {
The big one (#5346)
2018-09-18 03:03:00 +00:00
t.Fatal(err)
vault: testing token revocation
2015-03-18 20:50:36 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
saltCtx := namespace.RootContext(nil)
The big one (#5346)
2018-09-18 03:03:00 +00:00
saltedID, err := c.tokenStore.SaltID(saltCtx, root.ID)
if err != nil {
t.Fatal(err)
}
tokenLeaseID := path.Join(root.Path, saltedID)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
tokenLease, err := ts.expiration.loadEntry(namespace.RootContext(nil), tokenLeaseID)
The big one (#5346)
2018-09-18 03:03:00 +00:00
if err != nil || tokenLease == nil {
t.Fatalf("err: %v, tokenLease: %#v", err, tokenLease)
}
vault: testing token revocation
2015-03-18 20:50:36 +00:00
The big one (#5346)
2018-09-18 03:03:00 +00:00
// Nuke tree non recursively.
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = ts.revokeTree(namespace.RootContext(nil), tokenLease)
vault: testing token revocation
2015-03-18 20:50:36 +00:00
if err != nil {
The big one (#5346)
2018-09-18 03:03:00 +00:00
t.Fatal(err)
vault: testing token revocation
2015-03-18 20:50:36 +00:00
}
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
// Append the root to ensure it was successfully
// deleted.
children = append(children, root)
for _, entry := range children {
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), entry.ID)
vault: testing token revocation
2015-03-18 20:50:36 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %#v", out)
}
}
Detect and bypass cycles during token revocation (#5364) Fixes #4803
2018-09-20 21:56:38 +00:00
for _, path := range cyclePaths {
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
entry, err := ts.parentView(namespace.RootNamespace).Get(namespace.RootContext(nil), path)
Detect and bypass cycles during token revocation (#5364) Fixes #4803
2018-09-20 21:56:38 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if entry != nil {
t.Fatalf("expected reference to be deleted: %v", entry)
}
}
vault: testing token revocation
2015-03-18 20:50:36 +00:00
}
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
// A benchmark function that tests testTokenStore_RevokeTree_NonRecursive
// for a variety of different depths.
func BenchmarkTokenStore_RevokeTree(b *testing.B) {
benchmarks := []uint64{0, 1, 2, 4, 8, 16, 20}
for _, depth := range benchmarks {
b.Run(fmt.Sprintf("Tree of Depth %d", depth), func(b *testing.B) {
for i := 0; i < b.N; i++ {
Detect and bypass cycles during token revocation (#5364) Fixes #4803
2018-09-20 21:56:38 +00:00
testTokenStore_RevokeTree_NonRecursive(b, depth, false)
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
}
})
}
}
// Builds a TokenTree of a specified depth, so that
// we may run revoke tests on it.
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
func buildTokenTree(t testing.TB, ts *TokenStore, depth uint64) (root *logical.TokenEntry, children []*logical.TokenEntry) {
root = &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
NamespaceID: namespace.RootNamespaceID,
TTL: time.Hour,
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, root)
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
frontier := []*logical.TokenEntry{root}
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
current := uint64(0)
for current < depth {
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
next := make([]*logical.TokenEntry, 0, 2*len(frontier))
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
for _, node := range frontier {
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
left := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
Parent: node.ID,
TTL: time.Hour,
NamespaceID: namespace.RootNamespaceID,
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, left)
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
right := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
Parent: node.ID,
TTL: time.Hour,
NamespaceID: namespace.RootNamespaceID,
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, right)
Non-recursive DFS token tree revoke (#2478)
2017-12-11 21:51:37 +00:00
children = append(children, left, right)
next = append(next, left, right)
}
frontier = next
current++
}
return root, children
}
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
func TestTokenStore_RevokeSelf(t *testing.T) {
Use a token store with an initialized exp mananger in TestTokenStore_RevokeSelf (#4590)
2018-05-18 19:13:37 +00:00
exp := mockExpiration(t)
ts := exp.tokenStore
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent1 := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
TTL: time.Hour,
NamespaceID: namespace.RootNamespaceID,
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, ent1)
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent2 := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
Parent: ent1.ID,
TTL: time.Hour,
NamespaceID: namespace.RootNamespaceID,
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, ent2)
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent3 := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
Parent: ent2.ID,
TTL: time.Hour,
NamespaceID: namespace.RootNamespaceID,
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, ent3)
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
ent4 := &logical.TokenEntry{
The big one (#5346)
2018-09-18 03:03:00 +00:00
Parent: ent2.ID,
TTL: time.Hour,
NamespaceID: namespace.RootNamespaceID,
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenDirectly(t, ts, ent4)
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "revoke-self")
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
req.ClientToken = ent1.ID
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
}
lookup := []string{ent1.ID, ent2.ID, ent3.ID, ent4.ID}
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
var out *logical.TokenEntry
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
for _, id := range lookup {
Give the token store revoke-self test more breathing room as Travis timings are too tight
2018-05-30 12:41:55 +00:00
var found bool
for i := 0; i < 10; i++ {
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), id)
Give the token store revoke-self test more breathing room as Travis timings are too tight
2018-05-30 12:41:55 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out == nil {
found = true
break
}
time.Sleep(1000 * time.Millisecond)
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
}
Give the token store revoke-self test more breathing room as Travis timings are too tight
2018-05-30 12:41:55 +00:00
if !found {
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
t.Fatalf("bad: %#v", out)
}
}
}
Add test for non-assignable policies
2016-07-25 19:59:02 +00:00
func TestTokenStore_HandleRequest_NonAssignable(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Add test for non-assignable policies
2016-07-25 19:59:02 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
req.ClientToken = root
req.Data["policies"] = []string{"default", "foo"}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add test for non-assignable policies
2016-07-25 19:59:02 +00:00
}
Wrapping enhancements (#1927)
2016-09-29 04:01:28 +00:00
req.Data["policies"] = []string{"default", "foo", responseWrappingPolicyName}
Add test for non-assignable policies
2016-07-25 19:59:02 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Add test for non-assignable policies
2016-07-25 19:59:02 +00:00
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("got a nil response")
}
if !resp.IsError() {
t.Fatalf("expected error; response is %#v", *resp)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
// Batch tokens too
req.Data["type"] = "batch"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("got a nil response")
}
if !resp.IsError() {
t.Fatalf("expected error; response is %#v", *resp)
}
Add test for non-assignable policies
2016-07-25 19:59:02 +00:00
}
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
func TestTokenStore_HandleRequest_CreateToken_DisplayName(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
req.ClientToken = root
req.Data["display_name"] = "foo_bar.baz!"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
}
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
expected := &logical.TokenEntry{
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
ID: resp.Auth.ClientToken,
The big one (#5346)
2018-09-18 03:03:00 +00:00
NamespaceID: namespace.RootNamespaceID,
fix all the broken tests
2016-03-09 18:45:36 +00:00
Accessor: resp.Auth.Accessor,
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
Parent: root,
Policies: []string{"root"},
Path: "auth/token/create",
DisplayName: "token-foo-bar-baz",
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
TTL: 0,
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
Type: logical.TokenTypeService,
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), resp.Auth.ClientToken)
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
expected.CreationTime = out.CreationTime
Deprecate SHA1 in token store (#770) * Deprecate SHA1 in token store * Fallback to SHA1 for user selected IDs * Fix existing tests * Added warning * Address some review feedback and remove root token prefix * Tests for service token prefixing * Salting utility tests * Adjust OTP length for root token generation * Fix tests * Address review feedback
2018-10-17 20:23:04 +00:00
expected.CubbyholeID = out.CubbyholeID
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
if !reflect.DeepEqual(out, expected) {
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
t.Fatalf("bad: expected:%#v\nactual:%#v", expected, out)
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
}
}
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
func TestTokenStore_HandleRequest_CreateToken_NumUses(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
req.ClientToken = root
req.Data["num_uses"] = "1"
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
// Make sure batch tokens can't do limited use counts
req.Data["type"] = "batch"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp == nil || !resp.IsError() {
t.Fatalf("expected error: resp: %#v", resp)
}
delete(req.Data, "type")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
}
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
expected := &logical.TokenEntry{
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
ID: resp.Auth.ClientToken,
The big one (#5346)
2018-09-18 03:03:00 +00:00
NamespaceID: namespace.RootNamespaceID,
fix all the broken tests
2016-03-09 18:45:36 +00:00
Accessor: resp.Auth.Accessor,
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
Parent: root,
Policies: []string{"root"},
Path: "auth/token/create",
DisplayName: "token",
NumUses: 1,
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
TTL: 0,
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
Type: logical.TokenTypeService,
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), resp.Auth.ClientToken)
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
expected.CreationTime = out.CreationTime
Deprecate SHA1 in token store (#770) * Deprecate SHA1 in token store * Fallback to SHA1 for user selected IDs * Fix existing tests * Added warning * Address some review feedback and remove root token prefix * Tests for service token prefixing * Salting utility tests * Adjust OTP length for root token generation * Fix tests * Address review feedback
2018-10-17 20:23:04 +00:00
expected.CubbyholeID = out.CubbyholeID
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
if !reflect.DeepEqual(out, expected) {
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
t.Fatalf("bad: expected:%#v\nactual:%#v", expected, out)
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
}
}
func TestTokenStore_HandleRequest_CreateToken_NumUses_Invalid(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
req.ClientToken = root
req.Data["num_uses"] = "-1"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
if err != logical.ErrInvalidRequest {
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
t.Fatalf("err: %v resp: %#v", err, resp)
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
}
}
func TestTokenStore_HandleRequest_CreateToken_NumUses_Restricted(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
req.ClientToken = root
req.Data["num_uses"] = "1"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
}
// We should NOT be able to use the restricted token to create a new token
req.ClientToken = resp.Auth.ClientToken
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
_, err = ts.HandleRequest(namespace.RootContext(nil), req)
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
if err != logical.ErrInvalidRequest {
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
t.Fatalf("err: %v resp: %#v", err, resp)
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
}
}
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
func TestTokenStore_HandleRequest_CreateToken_NoPolicy(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = root
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
// Make sure batch tokens won't automatically assign root
req.Data["type"] = "batch"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if resp == nil || !resp.IsError() {
t.Fatalf("expected error: resp: %#v", resp)
}
delete(req.Data, "type")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
vault: token store inehrits policies by default
2015-04-07 21:19:52 +00:00
Move TokenEntry into logical. (#4729) This allows the HTTP logicalAuth handler to cache the value in the logical.Request, avoiding a lookup later when performing acl checks/counting a use.
2018-06-08 21:24:27 +00:00
expected := &logical.TokenEntry{
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
ID: resp.Auth.ClientToken,
The big one (#5346)
2018-09-18 03:03:00 +00:00
NamespaceID: namespace.RootNamespaceID,
fix all the broken tests
2016-03-09 18:45:36 +00:00
Accessor: resp.Auth.Accessor,
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
Parent: root,
Policies: []string{"root"},
Path: "auth/token/create",
DisplayName: "token",
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
TTL: 0,
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
Type: logical.TokenTypeService,
vault: token store inehrits policies by default
2015-04-07 21:19:52 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), resp.Auth.ClientToken)
vault: token store inehrits policies by default
2015-04-07 21:19:52 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
expected.CreationTime = out.CreationTime
Deprecate SHA1 in token store (#770) * Deprecate SHA1 in token store * Fallback to SHA1 for user selected IDs * Fix existing tests * Added warning * Address some review feedback and remove root token prefix * Tests for service token prefixing * Salting utility tests * Adjust OTP length for root token generation * Fix tests * Address review feedback
2018-10-17 20:23:04 +00:00
expected.CubbyholeID = out.CubbyholeID
vault: token store inehrits policies by default
2015-04-07 21:19:52 +00:00
if !reflect.DeepEqual(out, expected) {
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
t.Fatalf("bad: expected:%#v\nactual:%#v", expected, out)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
}
func TestTokenStore_HandleRequest_CreateToken_BadParent(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, _ := TestCoreUnsealed(t)
ts := c.tokenStore
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = "random"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
if err != logical.ErrInvalidRequest {
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
t.Fatalf("err: %v resp: %#v", err, resp)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
Return ts.Lookup error on handleCreateCommon (#4587) * Return ts.Lookup error on handleCreateCommon * Fix test
2018-05-18 16:30:03 +00:00
if resp.Data["error"] != "parent token lookup failed: no parent found" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
}
func TestTokenStore_HandleRequest_CreateToken(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = root
req.Data["policies"] = []string{"foo"}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
if resp.Auth.ClientToken == "" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
}
func TestTokenStore_HandleRequest_CreateToken_RootID(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = root
req.Data["id"] = "foobar"
req.Data["policies"] = []string{"foo"}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
if resp.Auth.ClientToken != "foobar" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
// Retry with batch; batch should not actually accept a custom ID
req.Data["type"] = "batch"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, _ := ts.Lookup(namespace.RootContext(nil), resp.Auth.ClientToken)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if out.ID == "foobar" {
t.Fatalf("bad: %#v", out)
}
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
func TestTokenStore_HandleRequest_CreateToken_NonRootID(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, ts, root, "client", "", []string{"foo"})
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = "client"
req.Data["id"] = "foobar"
req.Data["policies"] = []string{"foo"}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
if err != logical.ErrInvalidRequest {
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
t.Fatalf("err: %v resp: %#v", err, resp)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
fix broken tests
2015-09-19 16:33:52 +00:00
if resp.Data["error"] != "root or sudo privileges required to specify token id" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
// Retry with batch
req.Data["type"] = "batch"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v resp: %#v", err, resp)
}
if resp.Data["error"] != "root or sudo privileges required to specify token id" {
t.Fatalf("bad: %#v", resp)
}
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
func TestTokenStore_HandleRequest_CreateToken_NonRoot_Subset(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, ts, root, "client", "", []string{"foo", "bar"})
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = "client"
req.Data["policies"] = []string{"foo"}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
if resp.Auth.ClientToken == "" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
ent := &logical.TokenEntry{
NamespaceID: namespace.RootNamespaceID,
Path: "test",
Policies: []string{"foo", "bar"},
TTL: time.Hour,
}
testMakeTokenDirectly(t, ts, ent)
req.ClientToken = ent.ID
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
func TestTokenStore_HandleRequest_CreateToken_NonRoot_InvalidSubset(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, ts, root, "client", "", []string{"foo", "bar"})
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = "client"
req.Data["policies"] = []string{"foo", "bar", "baz"}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
if err != logical.ErrInvalidRequest {
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
t.Fatalf("err: %v resp: %#v", err, resp)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
vault: Passthrough of client token to token store
2015-03-24 22:12:52 +00:00
if resp.Data["error"] != "child policies must be subset of parent" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
}
initial commit for minor update to token-store
2016-08-03 18:32:17 +00:00
func TestTokenStore_HandleRequest_CreateToken_NonRoot_RootChild(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
core, _, root := TestCoreUnsealed(t)
ts := core.tokenStore
test updates based on feedback
2016-08-05 22:56:22 +00:00
ps := core.policyStore
The big one (#5346)
2018-09-18 03:03:00 +00:00
policy, _ := ParseACLPolicy(namespace.RootNamespace, tokenCreationPolicy)
test updates based on feedback
2016-08-05 22:56:22 +00:00
policy.Name = "test1"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ps.SetPolicy(namespace.RootContext(nil), policy); err != nil {
test updates based on feedback
2016-08-05 22:56:22 +00:00
t.Fatal(err)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, ts, root, "sudoClient", "", []string{"test1"})
initial commit for minor update to token-store
2016-08-03 18:32:17 +00:00
addresses feedback, but tests broken
2016-08-05 14:04:02 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
fix an error, tests still broken
2016-08-05 21:58:48 +00:00
req.ClientToken = "sudoClient"
Fix broken test case
2016-08-06 00:07:18 +00:00
req.MountPoint = "auth/token/"
Minor changes to test cases
2016-08-06 00:22:07 +00:00
req.Data["policies"] = []string{"root"}
addresses feedback, but tests broken
2016-08-05 14:04:02 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
initial commit for minor update to token-store
2016-08-03 18:32:17 +00:00
if err != logical.ErrInvalidRequest {
Minor changes to test cases
2016-08-06 00:22:07 +00:00
t.Fatalf("err: %v; resp: %#v", err, resp)
Fix broken test case
2016-08-06 00:07:18 +00:00
}
if resp == nil || resp.Data == nil {
t.Fatalf("expected a response")
initial commit for minor update to token-store
2016-08-03 18:32:17 +00:00
}
test updates based on feedback
2016-08-05 22:56:22 +00:00
if resp.Data["error"].(string) != "root tokens may not be created without parent token being root" {
initial commit for minor update to token-store
2016-08-03 18:32:17 +00:00
t.Fatalf("bad: %#v", resp)
}
}
Don't allow a root token that expires to create one that doesn't
2016-08-10 00:32:40 +00:00
func TestTokenStore_HandleRequest_CreateToken_Root_RootChild_NoExpiry_Expiry(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Don't allow a root token that expires to create one that doesn't
2016-08-10 00:32:40 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
req.ClientToken = root
req.Data = map[string]interface{}{
"ttl": "5m",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
Don't allow a root token that expires to create one that doesn't
2016-08-10 00:32:40 +00:00
if err != nil {
t.Fatalf("err: %v; resp: %#v", err, resp)
}
if resp == nil || resp.Auth == nil {
t.Fatalf("failed to create a root token using another root token")
}
if !reflect.DeepEqual(resp.Auth.Policies, []string{"root"}) {
t.Fatalf("bad: policies: expected: root; actual: %s", resp.Auth.Policies)
}
if resp.Auth.TTL.Seconds() != 300 {
t.Fatalf("bad: expected 300 second ttl, got %v", resp.Auth.TTL.Seconds())
}
req.ClientToken = resp.Auth.ClientToken
req.Data = map[string]interface{}{
"ttl": "0",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Don't allow a root token that expires to create one that doesn't
2016-08-10 00:32:40 +00:00
if err == nil {
t.Fatalf("expected error")
}
}
addresses feedback, but tests broken
2016-08-05 14:04:02 +00:00
func TestTokenStore_HandleRequest_CreateToken_Root_RootChild(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
addresses feedback, but tests broken
2016-08-05 14:04:02 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
addresses feedback, but tests broken
2016-08-05 14:04:02 +00:00
if err != nil {
Minor changes to test cases
2016-08-06 00:22:07 +00:00
t.Fatalf("err: %v; resp: %#v", err, resp)
}
if resp == nil || resp.Auth == nil {
t.Fatalf("failed to create a root token using another root token")
}
if !reflect.DeepEqual(resp.Auth.Policies, []string{"root"}) {
t.Fatalf("bad: policies: expected: root; actual: %s", resp.Auth.Policies)
addresses feedback, but tests broken
2016-08-05 14:04:02 +00:00
}
}
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
func TestTokenStore_HandleRequest_CreateToken_NonRoot_NoParent(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaBackend(t, ts, root, "client", "", []string{"foo"})
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = "client"
req.Data["no_parent"] = true
req.Data["policies"] = []string{"foo"}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
if err != logical.ErrInvalidRequest {
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
t.Fatalf("err: %v resp: %#v", err, resp)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
fix broken tests
2015-09-19 16:33:52 +00:00
if resp.Data["error"] != "root or sudo privileges required to create orphan token" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
}
func TestTokenStore_HandleRequest_CreateToken_Root_NoParent(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = root
req.Data["no_parent"] = true
req.Data["policies"] = []string{"foo"}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp := testMakeTokenViaRequest(t, ts, req)
Add ability to create orphan tokens from the API
2015-11-03 20:10:46 +00:00
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, _ := ts.Lookup(namespace.RootContext(nil), resp.Auth.ClientToken)
Add ability to create orphan tokens from the API
2015-11-03 20:10:46 +00:00
if out.Parent != "" {
t.Fatalf("bad: %#v", out)
}
}
func TestTokenStore_HandleRequest_CreateToken_PathBased_NoParent(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Add ability to create orphan tokens from the API
2015-11-03 20:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create-orphan")
Add ability to create orphan tokens from the API
2015-11-03 20:10:46 +00:00
req.ClientToken = root
req.Data["policies"] = []string{"foo"}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp := testMakeTokenViaRequest(t, ts, req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
if resp.Auth.ClientToken == "" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, _ := ts.Lookup(namespace.RootContext(nil), resp.Auth.ClientToken)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
if out.Parent != "" {
t.Fatalf("bad: %#v", out)
}
}
func TestTokenStore_HandleRequest_CreateToken_Metadata(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = root
req.Data["policies"] = []string{"foo"}
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
meta := map[string]string{
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
"user": "armon",
"source": "github",
}
req.Data["meta"] = meta
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp := testMakeTokenViaRequest(t, ts, req)
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
if resp.Auth.ClientToken == "" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, _ := ts.Lookup(namespace.RootContext(nil), resp.Auth.ClientToken)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
if !reflect.DeepEqual(out.Meta, meta) {
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
t.Fatalf("bad: expected:%#v\nactual:%#v", meta, out.Meta)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
// Test with batch tokens
req.Data["type"] = "batch"
resp = testMakeTokenViaRequest(t, ts, req)
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, _ = ts.Lookup(namespace.RootContext(nil), resp.Auth.ClientToken)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if !reflect.DeepEqual(out.Meta, meta) {
t.Fatalf("bad: expected:%#v\nactual:%#v", meta, out.Meta)
}
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
func TestTokenStore_HandleRequest_CreateToken_Lease(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = root
req.Data["policies"] = []string{"foo"}
req.Data["lease"] = "1h"
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp := testMakeTokenViaRequest(t, ts, req)
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
if resp.Auth.ClientToken == "" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-21 00:47:17 +00:00
if resp.Auth.TTL != time.Hour {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
vault: Use Auth for lease and renewable
2015-04-03 21:04:50 +00:00
if !resp.Auth.Renewable {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
}
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 13:46:20 +00:00
func TestTokenStore_HandleRequest_CreateToken_TTL(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 13:46:20 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 13:46:20 +00:00
req.ClientToken = root
req.Data["policies"] = []string{"foo"}
req.Data["ttl"] = "1h"
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp := testMakeTokenViaRequest(t, ts, req)
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 13:46:20 +00:00
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
if resp.Auth.TTL != time.Hour {
t.Fatalf("bad: %#v", resp)
}
if !resp.Auth.Renewable {
t.Fatalf("bad: %#v", resp)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
// Test batch tokens
req.Data["type"] = "batch"
resp = testMakeTokenViaRequest(t, ts, req)
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
if resp.Auth.TTL != time.Hour {
t.Fatalf("bad: %#v", resp)
}
if resp.Auth.Renewable {
t.Fatalf("bad: %#v", resp)
}
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 13:46:20 +00:00
}
Token creation counters (#9052) * Add token creation counters. * Created a utility to change TTL to bucket name. * Add counter covering token creation for response wrapping. * Fix namespace label, with a new utility function.
2020-06-02 18:40:54 +00:00
func TestTokenStore_HandleRequest_CreateToken_Metric(t *testing.T) {
Replaced ClusterMetricSink's cluster name with an atomic.Value. (#9252) * Replaced ClusterMetricSink's cluster name with an atomic.Value. This should permit go-race tests to pass which seal and unseal the core. * Replace metric sink before unseal to avoid data races.
2020-06-18 17:55:50 +00:00
c := TestCore(t)
Token creation counters (#9052) * Add token creation counters. * Created a utility to change TTL to bucket name. * Add counter covering token creation for response wrapping. * Fix namespace label, with a new utility function.
2020-06-02 18:40:54 +00:00
Replaced ClusterMetricSink's cluster name with an atomic.Value. (#9252) * Replaced ClusterMetricSink's cluster name with an atomic.Value. This should permit go-race tests to pass which seal and unseal the core. * Replace metric sink before unseal to avoid data races.
2020-06-18 17:55:50 +00:00
// Replace metricSink before unsealing
Token creation counters (#9052) * Add token creation counters. * Created a utility to change TTL to bucket name. * Add counter covering token creation for response wrapping. * Fix namespace label, with a new utility function.
2020-06-02 18:40:54 +00:00
inmemSink := metrics.NewInmemSink(
1000000*time.Hour,
2000000*time.Hour)
Replaced ClusterMetricSink's cluster name with an atomic.Value. (#9252) * Replaced ClusterMetricSink's cluster name with an atomic.Value. This should permit go-race tests to pass which seal and unseal the core. * Replace metric sink before unseal to avoid data races.
2020-06-18 17:55:50 +00:00
c.metricSink = metricsutil.NewClusterMetricSink("test-cluster", inmemSink)
_, _, root := testCoreUnsealed(t, c)
ts := c.tokenStore
Token creation counters (#9052) * Add token creation counters. * Created a utility to change TTL to bucket name. * Add counter covering token creation for response wrapping. * Fix namespace label, with a new utility function.
2020-06-02 18:40:54 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
req.ClientToken = root
req.Data["ttl"] = "3h"
req.Data["policies"] = []string{"foo"}
req.MountPoint = "test/mount"
resp := testMakeTokenViaRequest(t, ts, req)
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
intervals := inmemSink.Data()
// Test crossed an interval boundary, don't try to deal with it.
if len(intervals) > 1 {
t.Skip("Detected interval crossing.")
}
keyPrefix := "token.creation"
var counter *metrics.SampledValue = nil
for _, c := range intervals[0].Counters {
if strings.HasPrefix(c.Name, keyPrefix) {
counter = &c
break
}
}
if counter == nil {
t.Fatal("No token.creation counter found.")
}
if counter.Count != 1 {
t.Errorf("Counter number of samples %v is not 1.", counter.Count)
}
if counter.Sum != 1.0 {
t.Errorf("Counter sum %v is not 1.", counter.Sum)
}
labels := make(map[string]string)
for _, l := range counter.Labels {
labels[l.Name] = l.Value
}
expected := map[string]string{
"cluster": "test-cluster",
"namespace": "root",
"auth_method": "token",
"mount_point": req.MountPoint,
"creation_ttl": "1d",
"token_type": "service",
}
for expected_label, expected_val := range expected {
if v, ok := labels[expected_label]; ok {
if v != expected_val {
t.Errorf("Label %q incorrect, expected %q, got %q", expected_label, expected_val, v)
}
} else {
t.Errorf("Label %q missing", expected_label)
}
}
}
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
func TestTokenStore_HandleRequest_Revoke(t *testing.T) {
Fix two failing tests due to the fact that the expiration manager now needs to be running to properly revoke tests.
2018-05-10 22:22:04 +00:00
exp := mockExpiration(t)
ts := exp.tokenStore
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
rootToken, err := ts.rootToken(namespace.RootContext(nil))
Fix token_store_test.go (#7490) * vault: fix dropped error in test goroutine * vault: fix dropped test errors
2019-09-18 21:18:08 +00:00
if err != nil {
t.Fatal(err)
}
Fix two failing tests due to the fact that the expiration manager now needs to be running to properly revoke tests.
2018-05-10 22:22:04 +00:00
root := rootToken.ID
Don't allow registering a non-root zero TTL token lease (#7524) * Don't allow registering a non-root zero TTL token lease This is defense-in-depth in that such a token was not allowed to be used; however it's also a bug fix in that this would then cause no lease to be generated but the token entry to be written, meaning the token entry would stick around until it was attempted to be used or tidied (in both cases the internal lookup would see that this was invalid and do a revoke on the spot). * Fix tests * tidy
2019-11-05 21:11:13 +00:00
testMakeServiceTokenViaBackend(t, ts, root, "child", "60s", []string{"root", "foo"})
Fix two failing tests due to the fact that the expiration manager now needs to be running to properly revoke tests.
2018-05-10 22:22:04 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err := ts.Lookup(namespace.RootContext(nil), "child")
The big one (#5346)
2018-09-18 03:03:00 +00:00
if err != nil {
t.Fatal(err)
}
if te == nil {
t.Fatal("token entry was nil")
}
Fix two failing tests due to the fact that the expiration manager now needs to be running to properly revoke tests.
2018-05-10 22:22:04 +00:00
auth := &logical.Auth{
ClientToken: "child",
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
Renewable: true,
},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = exp.RegisterAuth(namespace.RootContext(nil), te, auth)
Fix two failing tests due to the fact that the expiration manager now needs to be running to properly revoke tests.
2018-05-10 22:22:04 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Don't allow registering a non-root zero TTL token lease (#7524) * Don't allow registering a non-root zero TTL token lease This is defense-in-depth in that such a token was not allowed to be used; however it's also a bug fix in that this would then cause no lease to be generated but the token entry to be written, meaning the token entry would stick around until it was attempted to be used or tidied (in both cases the internal lookup would see that this was invalid and do a revoke on the spot). * Fix tests * tidy
2019-11-05 21:11:13 +00:00
testMakeServiceTokenViaBackend(t, ts, "child", "sub-child", "50s", []string{"foo"})
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.Lookup(namespace.RootContext(nil), "sub-child")
The big one (#5346)
2018-09-18 03:03:00 +00:00
if err != nil {
t.Fatal(err)
}
if te == nil {
t.Fatal("token entry was nil")
}
Fix two failing tests due to the fact that the expiration manager now needs to be running to properly revoke tests.
2018-05-10 22:22:04 +00:00
auth = &logical.Auth{
ClientToken: "sub-child",
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
Renewable: true,
},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = exp.RegisterAuth(namespace.RootContext(nil), te, auth)
Fix two failing tests due to the fact that the expiration manager now needs to be running to properly revoke tests.
2018-05-10 22:22:04 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Don't allow tokens in paths. (#1783)
2016-08-24 19:59:43 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "revoke")
req.Data = map[string]interface{}{
"token": "child",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
time.Sleep(200 * time.Millisecond)
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), "child")
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
Fix two failing tests due to the fact that the expiration manager now needs to be running to properly revoke tests.
2018-05-10 22:22:04 +00:00
t.Fatalf("bad: %#v", out)
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
}
// Sub-child should not exist
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), "sub-child")
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %v", out)
}
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
// Now test without registering the tokens through the expiration manager
Don't allow registering a non-root zero TTL token lease (#7524) * Don't allow registering a non-root zero TTL token lease This is defense-in-depth in that such a token was not allowed to be used; however it's also a bug fix in that this would then cause no lease to be generated but the token entry to be written, meaning the token entry would stick around until it was attempted to be used or tidied (in both cases the internal lookup would see that this was invalid and do a revoke on the spot). * Fix tests * tidy
2019-11-05 21:11:13 +00:00
testMakeServiceTokenViaBackend(t, ts, root, "child", "60s", []string{"root", "foo"})
testMakeServiceTokenViaBackend(t, ts, "child", "sub-child", "50s", []string{"foo"})
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
req = logical.TestRequest(t, logical.UpdateOperation, "revoke")
req.Data = map[string]interface{}{
"token": "child",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
time.Sleep(200 * time.Millisecond)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), "child")
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %#v", out)
}
// Sub-child should not exist
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), "sub-child")
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %v", out)
}
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
}
func TestTokenStore_HandleRequest_RevokeOrphan(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Don't allow registering a non-root zero TTL token lease (#7524) * Don't allow registering a non-root zero TTL token lease This is defense-in-depth in that such a token was not allowed to be used; however it's also a bug fix in that this would then cause no lease to be generated but the token entry to be written, meaning the token entry would stick around until it was attempted to be used or tidied (in both cases the internal lookup would see that this was invalid and do a revoke on the spot). * Fix tests * tidy
2019-11-05 21:11:13 +00:00
testMakeServiceTokenViaBackend(t, ts, root, "child", "60s", []string{"root", "foo"})
testMakeServiceTokenViaBackend(t, ts, "child", "sub-child", "50s", []string{"foo"})
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
Don't allow tokens in paths. (#1783)
2016-08-24 19:59:43 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "revoke-orphan")
req.Data = map[string]interface{}{
"token": "child",
}
Restrict orphan revocation to root tokens
2015-09-16 13:22:15 +00:00
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
time.Sleep(200 * time.Millisecond)
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), "child")
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %v", out)
}
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
// Check that the parent entry is properly cleaned up
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
saltedID, err := ts.SaltID(namespace.RootContext(nil), "child")
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
if err != nil {
t.Fatal(err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
children, err := ts.idView(namespace.RootNamespace).List(namespace.RootContext(nil), parentPrefix+saltedID+"/")
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if len(children) != 0 {
t.Fatalf("bad: %v", children)
}
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
// Sub-child should exist!
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), "sub-child")
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out == nil {
t.Fatalf("bad: %v", out)
}
}
Restrict orphan revocation to root tokens
2015-09-16 13:22:15 +00:00
func TestTokenStore_HandleRequest_RevokeOrphan_NonRoot(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Don't allow registering a non-root zero TTL token lease (#7524) * Don't allow registering a non-root zero TTL token lease This is defense-in-depth in that such a token was not allowed to be used; however it's also a bug fix in that this would then cause no lease to be generated but the token entry to be written, meaning the token entry would stick around until it was attempted to be used or tidied (in both cases the internal lookup would see that this was invalid and do a revoke on the spot). * Fix tests * tidy
2019-11-05 21:11:13 +00:00
testMakeServiceTokenViaBackend(t, ts, root, "child", "60s", []string{"foo"})
Restrict orphan revocation to root tokens
2015-09-16 13:22:15 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), "child")
Restrict orphan revocation to root tokens
2015-09-16 13:22:15 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out == nil {
t.Fatalf("bad: %v", out)
}
Don't allow tokens in paths. (#1783)
2016-08-24 19:59:43 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "revoke-orphan")
req.Data = map[string]interface{}{
"token": "child",
}
Restrict orphan revocation to root tokens
2015-09-16 13:22:15 +00:00
req.ClientToken = "child"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
Restrict orphan revocation to root tokens
2015-09-16 13:22:15 +00:00
if err != logical.ErrInvalidRequest {
t.Fatalf("did not get error when non-root revoking itself with orphan flag; resp is %#v", resp)
}
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
time.Sleep(200 * time.Millisecond)
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
Restrict orphan revocation to root tokens
2015-09-16 13:22:15 +00:00
// Should still exist
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err = ts.Lookup(namespace.RootContext(nil), "child")
Restrict orphan revocation to root tokens
2015-09-16 13:22:15 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out == nil {
t.Fatalf("bad: %v", out)
}
}
vault: adding auth/token/lookup/ support
2015-03-24 22:39:33 +00:00
func TestTokenStore_HandleRequest_Lookup(t *testing.T) {
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testTokenStore_HandleRequest_Lookup(t, false)
testTokenStore_HandleRequest_Lookup(t, true)
}
func testTokenStore_HandleRequest_Lookup(t *testing.T, batch bool) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Don't allow tokens in paths. (#1783)
2016-08-24 19:59:43 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "lookup")
req.Data = map[string]interface{}{
"token": root,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
vault: adding auth/token/lookup/ support
2015-03-24 22:39:33 +00:00
}
if resp == nil {
t.Fatalf("bad: %#v", resp)
}
exp := map[string]interface{}{
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
"id": root,
"accessor": resp.Data["accessor"].(string),
"policies": []string{"root"},
"path": "auth/token/root",
"meta": map[string]string(nil),
"display_name": "root",
"orphan": true,
"num_uses": 0,
"creation_ttl": int64(0),
"ttl": int64(0),
"explicit_max_ttl": int64(0),
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
"expire_time": nil,
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
"entity_id": "",
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"type": "service",
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
}
Revert 'risky' changes
2016-07-12 20:28:27 +00:00
if resp.Data["creation_time"].(int64) == 0 {
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
t.Fatalf("creation time was zero")
vault: lookup without a token looks up self
2015-03-31 19:50:07 +00:00
}
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
delete(resp.Data, "creation_time")
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
vault: lookup without a token looks up self
2015-03-31 19:50:07 +00:00
if !reflect.DeepEqual(resp.Data, exp) {
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
t.Fatalf("bad: expected:%#v\nactual:%#v", exp, resp.Data)
Display whether a token is an orphan on lookup.
2015-11-09 18:19:59 +00:00
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
outAuth := new(logical.Auth)
testMakeTokenViaCore(t, c, root, "client", "3600s", []string{"foo"}, batch, outAuth)
tokenType := "service"
expID := "client"
if batch {
tokenType = "batch"
expID = outAuth.ClientToken
}
Display whether a token is an orphan on lookup.
2015-11-09 18:19:59 +00:00
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
// Test via POST
Don't allow tokens in paths. (#1783)
2016-08-24 19:59:43 +00:00
req = logical.TestRequest(t, logical.UpdateOperation, "lookup")
req.Data = map[string]interface{}{
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"token": expID,
Don't allow tokens in paths. (#1783)
2016-08-24 19:59:43 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Display whether a token is an orphan on lookup.
2015-11-09 18:19:59 +00:00
}
if resp == nil {
t.Fatalf("bad: %#v", resp)
}
exp = map[string]interface{}{
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"id": expID,
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
"accessor": resp.Data["accessor"],
"policies": []string{"default", "foo"},
"path": "auth/token/create",
"meta": map[string]string(nil),
"display_name": "token",
"orphan": false,
"num_uses": 0,
"creation_ttl": int64(3600),
"ttl": int64(3600),
"explicit_max_ttl": int64(0),
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"renewable": !batch,
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
"entity_id": "",
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"type": tokenType,
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
}
Revert 'risky' changes
2016-07-12 20:28:27 +00:00
if resp.Data["creation_time"].(int64) == 0 {
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
t.Fatalf("creation time was zero")
Display whether a token is an orphan on lookup.
2015-11-09 18:19:59 +00:00
}
delete(resp.Data, "creation_time")
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if resp.Data["issue_time"].(time.Time).IsZero() {
t.Fatal("issue time is default time")
}
delete(resp.Data, "issue_time")
if resp.Data["expire_time"].(time.Time).IsZero() {
t.Fatal("expire time is default time")
}
delete(resp.Data, "expire_time")
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
Make "ttl" reflect the actual TTL of the token in lookup calls. Add a new value "creation_ttl" which holds the value at creation time. Fixes #986
2016-02-01 16:16:32 +00:00
// Depending on timing of the test this may have ticked down, so accept 3599
if resp.Data["ttl"].(int64) == 3599 {
resp.Data["ttl"] = int64(3600)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if diff := deep.Equal(resp.Data, exp); diff != nil {
t.Fatal(diff)
vault: lookup without a token looks up self
2015-03-31 19:50:07 +00:00
}
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
Fix fetching parameters in token store when it's optionally in the URL
2016-04-28 19:15:37 +00:00
// Test via POST
req = logical.TestRequest(t, logical.UpdateOperation, "lookup")
req.Data = map[string]interface{}{
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"token": expID,
Fix fetching parameters in token store when it's optionally in the URL
2016-04-28 19:15:37 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Fix fetching parameters in token store when it's optionally in the URL
2016-04-28 19:15:37 +00:00
}
if resp == nil {
t.Fatalf("bad: %#v", resp)
}
exp = map[string]interface{}{
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"id": expID,
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
"accessor": resp.Data["accessor"],
"policies": []string{"default", "foo"},
"path": "auth/token/create",
"meta": map[string]string(nil),
"display_name": "token",
"orphan": false,
"num_uses": 0,
"creation_ttl": int64(3600),
"ttl": int64(3600),
"explicit_max_ttl": int64(0),
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"renewable": !batch,
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
"entity_id": "",
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"type": tokenType,
Fix fetching parameters in token store when it's optionally in the URL
2016-04-28 19:15:37 +00:00
}
Revert 'risky' changes
2016-07-12 20:28:27 +00:00
if resp.Data["creation_time"].(int64) == 0 {
Fix fetching parameters in token store when it's optionally in the URL
2016-04-28 19:15:37 +00:00
t.Fatalf("creation time was zero")
}
delete(resp.Data, "creation_time")
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if resp.Data["issue_time"].(time.Time).IsZero() {
t.Fatal("issue time is default time")
}
delete(resp.Data, "issue_time")
if resp.Data["expire_time"].(time.Time).IsZero() {
t.Fatal("expire time is default time")
}
delete(resp.Data, "expire_time")
Fix fetching parameters in token store when it's optionally in the URL
2016-04-28 19:15:37 +00:00
// Depending on timing of the test this may have ticked down, so accept 3599
if resp.Data["ttl"].(int64) == 3599 {
resp.Data["ttl"] = int64(3600)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if diff := deep.Equal(resp.Data, exp); diff != nil {
t.Fatal(diff)
Fix fetching parameters in token store when it's optionally in the URL
2016-04-28 19:15:37 +00:00
}
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
// Test last_renewal_time functionality
Don't allow tokens in paths. (#1783)
2016-08-24 19:59:43 +00:00
req = logical.TestRequest(t, logical.UpdateOperation, "renew")
req.Data = map[string]interface{}{
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"token": expID,
Don't allow tokens in paths. (#1783)
2016-08-24 19:59:43 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if err != nil {
t.Fatal(err)
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
}
if resp == nil {
t.Fatalf("bad: %#v", resp)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if batch && !resp.IsError() || !batch && resp.IsError() {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Don't allow tokens in paths. (#1783)
2016-08-24 19:59:43 +00:00
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.Path = "lookup"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
}
if resp == nil {
t.Fatalf("bad: %#v", resp)
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if !batch {
if resp.Data["last_renewal_time"].(int64) == 0 {
t.Fatalf("last_renewal_time was zero")
}
} else if _, ok := resp.Data["last_renewal_time"]; ok {
t.Fatal("expected zero last renewal time")
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
}
vault: lookup without a token looks up self
2015-03-31 19:50:07 +00:00
}
func TestTokenStore_HandleRequest_LookupSelf(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
testMakeServiceTokenViaCore(t, c, root, "client", "3600s", []string{"foo"})
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
vault: lookup-self for TokenStore to look up your own store
2015-03-31 19:51:00 +00:00
req := logical.TestRequest(t, logical.ReadOperation, "lookup-self")
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
req.ClientToken = "client"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
vault: lookup without a token looks up self
2015-03-31 19:50:07 +00:00
}
if resp == nil {
t.Fatalf("bad: %#v", resp)
}
exp := map[string]interface{}{
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
"id": "client",
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
"accessor": resp.Data["accessor"],
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
"policies": []string{"default", "foo"},
"path": "auth/token/create",
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
"meta": map[string]string(nil),
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
"display_name": "token",
"orphan": false,
"renewable": true,
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
"num_uses": 0,
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
"creation_ttl": int64(3600),
"ttl": int64(3600),
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
"explicit_max_ttl": int64(0),
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
"entity_id": "",
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"type": "service",
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
}
Revert 'risky' changes
2016-07-12 20:28:27 +00:00
if resp.Data["creation_time"].(int64) == 0 {
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
t.Fatalf("creation time was zero")
vault: adding auth/token/lookup/ support
2015-03-24 22:39:33 +00:00
}
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
delete(resp.Data, "creation_time")
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
if resp.Data["issue_time"].(time.Time).IsZero() {
t.Fatalf("creation time was zero")
}
delete(resp.Data, "issue_time")
if resp.Data["expire_time"].(time.Time).IsZero() {
t.Fatalf("expire time was zero")
}
delete(resp.Data, "expire_time")
// Depending on timing of the test this may have ticked down, so accept 3599
if resp.Data["ttl"].(int64) == 3599 {
resp.Data["ttl"] = int64(3600)
}
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
vault: adding auth/token/lookup/ support
2015-03-24 22:39:33 +00:00
if !reflect.DeepEqual(resp.Data, exp) {
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
t.Fatalf("bad: expected:%#v\nactual:%#v", exp, resp.Data)
vault: adding auth/token/lookup/ support
2015-03-24 22:39:33 +00:00
}
}
vault: Adding auth/token/renew endpoint
2015-04-03 19:11:49 +00:00
func TestTokenStore_HandleRequest_Renew(t *testing.T) {
exp := mockExpiration(t)
ts := exp.tokenStore
// Create new token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
root, err := ts.rootToken(namespace.RootContext(nil))
vault: Adding auth/token/renew endpoint
2015-04-03 19:11:49 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Create a new token
auth := &logical.Auth{
ClientToken: root.ID,
logical: Refactor LeaseOptions to share between Secret and Auth
2015-04-09 19:14:04 +00:00
LeaseOptions: logical.LeaseOptions{
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-21 00:47:17 +00:00
TTL: time.Hour,
logical: Refactor LeaseOptions to share between Secret and Auth
2015-04-09 19:14:04 +00:00
Renewable: true,
},
vault: Adding auth/token/renew endpoint
2015-04-03 19:11:49 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = exp.RegisterAuth(namespace.RootContext(nil), root, auth)
vault: Adding auth/token/renew endpoint
2015-04-03 19:11:49 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
vault: the expiration time should be relative to the issue time
2015-04-11 04:21:06 +00:00
// Get the original expire time to compare
originalExpire := auth.ExpirationTime()
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
beforeRenew := time.Now()
Don't allow tokens in paths. (#1783)
2016-08-24 19:59:43 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "renew")
req.Data = map[string]interface{}{
"token": root.ID,
"increment": "3600s",
}
vault: allow increment to be duration string. Fixes #340
2015-06-17 22:58:20 +00:00
req.Data["increment"] = "3600s"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
vault: Adding auth/token/renew endpoint
2015-04-03 19:11:49 +00:00
}
vault: the expiration time should be relative to the issue time
2015-04-11 04:21:06 +00:00
// Get the new expire time
newExpire := resp.Auth.ExpirationTime()
vault: fixing issues with token renewal
2015-06-17 21:28:13 +00:00
if newExpire.Before(originalExpire) {
Add renew-self endpoint. Fixes #455.
2015-10-07 16:49:13 +00:00
t.Fatalf("should expire later: %s %s", newExpire, originalExpire)
}
if newExpire.Before(beforeRenew.Add(time.Hour)) {
t.Fatalf("should have at least an hour: %s %s", newExpire, beforeRenew)
}
}
Token identity support (#6267) * Implemented token backend support for identity * Fixed tests * Refactored a few checks for the token entity overwrite. Fixed tests. * Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list * go mod vendor * Added glob pattern * Optimized allowed entity alias check * Added test for asterisk only * Changed to glob pattern anywhere * Changed response code in case of failure. Changed globbing pattern check. Added docs. * Added missing token role get parameter. Added more samples * Fixed failing tests * Corrected some cosmetical review points * Changed response code for invalid provided entity alias * Fixed minor things * Fixed failing test
2019-07-01 09:39:54 +00:00
func TestTokenStore_HandleRequest_CreateToken_ExistingEntityAlias(t *testing.T) {
core, _, root := TestCoreUnsealed(t)
i := core.identityStore
ctx := namespace.RootContext(nil)
testPolicyName := "testpolicy"
entityAliasName := "testentityalias"
testRoleName := "test"
// Create manually an entity
resp, err := i.HandleRequest(ctx, &logical.Request{
Path: "entity",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"name": "testentity",
"policies": []string{testPolicyName},
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
entityID := resp.Data["id"].(string)
// Find mount accessor
resp, err = core.systemBackend.HandleRequest(namespace.RootContext(nil), &logical.Request{
Path: "auth",
Operation: logical.ReadOperation,
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
tokenMountAccessor := resp.Data["token/"].(map[string]interface{})["accessor"].(string)
// Create manually an entity alias
resp, err = i.HandleRequest(ctx, &logical.Request{
Path: "entity-alias",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"name": entityAliasName,
"canonical_id": entityID,
"mount_accessor": tokenMountAccessor,
},
})
Fix token_store_test.go (#7490) * vault: fix dropped error in test goroutine * vault: fix dropped test errors
2019-09-18 21:18:08 +00:00
if err != nil {
t.Fatalf("error handling request: %v", err)
}
Token identity support (#6267) * Implemented token backend support for identity * Fixed tests * Refactored a few checks for the token entity overwrite. Fixed tests. * Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list * go mod vendor * Added glob pattern * Optimized allowed entity alias check * Added test for asterisk only * Changed to glob pattern anywhere * Changed response code in case of failure. Changed globbing pattern check. Added docs. * Added missing token role get parameter. Added more samples * Fixed failing tests * Corrected some cosmetical review points * Changed response code for invalid provided entity alias * Fixed minor things * Fixed failing test
2019-07-01 09:39:54 +00:00
// Create token role
resp, err = core.HandleRequest(ctx, &logical.Request{
Path: "auth/token/roles/" + testRoleName,
ClientToken: root,
Operation: logical.CreateOperation,
Data: map[string]interface{}{
"orphan": true,
"period": "72h",
"path_suffix": "happenin",
"bound_cidrs": []string{"0.0.0.0/0"},
"allowed_entity_aliases": []string{"test1", "test2", entityAliasName},
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
resp, err = core.HandleRequest(ctx, &logical.Request{
Path: "auth/token/create/" + testRoleName,
Operation: logical.UpdateOperation,
ClientToken: root,
Data: map[string]interface{}{
"entity_alias": entityAliasName,
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
if resp == nil {
t.Fatal("expected a response")
}
if resp.Auth.EntityID != entityID {
t.Fatalf("expected '%s' got '%s'", entityID, resp.Auth.EntityID)
}
policyFound := false
for _, policy := range resp.Auth.IdentityPolicies {
if policy == testPolicyName {
policyFound = true
}
}
if !policyFound {
t.Fatalf("Policy '%s' not derived by entity but should be. Auth %#v", testPolicyName, resp.Auth)
}
}
func TestTokenStore_HandleRequest_CreateToken_NonExistingEntityAlias(t *testing.T) {
core, _, root := TestCoreUnsealed(t)
i := core.identityStore
ctx := namespace.RootContext(nil)
entityAliasName := "testentityalias"
testRoleName := "test"
// Create token role
resp, err := core.HandleRequest(ctx, &logical.Request{
Path: "auth/token/roles/" + testRoleName,
ClientToken: root,
Operation: logical.CreateOperation,
Data: map[string]interface{}{
"period": "72h",
"path_suffix": "happenin",
"bound_cidrs": []string{"0.0.0.0/0"},
"allowed_entity_aliases": []string{"test1", "test2", entityAliasName},
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
// Create token with non existing entity alias
resp, err = core.HandleRequest(ctx, &logical.Request{
Path: "auth/token/create/" + testRoleName,
Operation: logical.UpdateOperation,
ClientToken: root,
Data: map[string]interface{}{
"entity_alias": entityAliasName,
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
if resp == nil {
t.Fatal("expected a response")
}
// Read the new entity
resp, err = i.HandleRequest(ctx, &logical.Request{
Path: "entity/id/" + resp.Auth.EntityID,
Operation: logical.ReadOperation,
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
// Get the attached alias information
aliases := resp.Data["aliases"].([]interface{})
if len(aliases) != 1 {
t.Fatalf("expected only one alias but got %d; Aliases: %#v", len(aliases), aliases)
}
alias := &identity.Alias{}
if err := mapstructure.Decode(aliases[0], alias); err != nil {
t.Fatal(err)
}
// Validate
if alias.Name != entityAliasName {
t.Fatalf("alias name should be '%s' but is '%s'", entityAliasName, alias.Name)
}
}
func TestTokenStore_HandleRequest_CreateToken_GlobPatternWildcardEntityAlias(t *testing.T) {
core, _, root := TestCoreUnsealed(t)
i := core.identityStore
ctx := namespace.RootContext(nil)
testRoleName := "test"
tests := []struct {
name string
globPattern string
aliasName string
}{
{
name: "prefix-asterisk",
globPattern: "*-web",
aliasName: "department-web",
},
{
name: "suffix-asterisk",
globPattern: "web-*",
aliasName: "web-department",
},
{
name: "middle-asterisk",
globPattern: "web-*-web",
aliasName: "web-department-web",
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
// Create token role
resp, err := core.HandleRequest(ctx, &logical.Request{
Path: "auth/token/roles/" + testRoleName,
ClientToken: root,
Operation: logical.CreateOperation,
Data: map[string]interface{}{
"period": "72h",
"path_suffix": "happening",
"bound_cidrs": []string{"0.0.0.0/0"},
"allowed_entity_aliases": []string{"test1", "test2", test.globPattern},
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
// Create token with non existing entity alias
resp, err = core.HandleRequest(ctx, &logical.Request{
Path: "auth/token/create/" + testRoleName,
Operation: logical.UpdateOperation,
ClientToken: root,
Data: map[string]interface{}{
"entity_alias": test.aliasName,
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
if resp == nil {
t.Fatal("expected a response")
}
// Read the new entity
resp, err = i.HandleRequest(ctx, &logical.Request{
Path: "entity/id/" + resp.Auth.EntityID,
Operation: logical.ReadOperation,
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
// Get the attached alias information
aliases := resp.Data["aliases"].([]interface{})
if len(aliases) != 1 {
t.Fatalf("expected only one alias but got %d; Aliases: %#v", len(aliases), aliases)
}
alias := &identity.Alias{}
if err := mapstructure.Decode(aliases[0], alias); err != nil {
t.Fatal(err)
}
// Validate
if alias.Name != test.aliasName {
t.Fatalf("alias name should be '%s' but is '%s'", test.aliasName, alias.Name)
}
})
}
}
func TestTokenStore_HandleRequest_CreateToken_NotAllowedEntityAlias(t *testing.T) {
core, _, root := TestCoreUnsealed(t)
i := core.identityStore
ctx := namespace.RootContext(nil)
testPolicyName := "testpolicy"
entityAliasName := "testentityalias"
testRoleName := "test"
// Create manually an entity
resp, err := i.HandleRequest(ctx, &logical.Request{
Path: "entity",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"name": "testentity",
"policies": []string{testPolicyName},
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
entityID := resp.Data["id"].(string)
// Find mount accessor
resp, err = core.systemBackend.HandleRequest(ctx, &logical.Request{
Path: "auth",
Operation: logical.ReadOperation,
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
tokenMountAccessor := resp.Data["token/"].(map[string]interface{})["accessor"].(string)
// Create manually an entity alias
resp, err = i.HandleRequest(ctx, &logical.Request{
Path: "entity-alias",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"name": entityAliasName,
"canonical_id": entityID,
"mount_accessor": tokenMountAccessor,
},
})
vault: fix dropped error in TestTokenStore_HandleRequest_CreateToken_NotAllowedEntityAlias(). (#7934)
2019-12-02 18:03:24 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
Token identity support (#6267) * Implemented token backend support for identity * Fixed tests * Refactored a few checks for the token entity overwrite. Fixed tests. * Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list * go mod vendor * Added glob pattern * Optimized allowed entity alias check * Added test for asterisk only * Changed to glob pattern anywhere * Changed response code in case of failure. Changed globbing pattern check. Added docs. * Added missing token role get parameter. Added more samples * Fixed failing tests * Corrected some cosmetical review points * Changed response code for invalid provided entity alias * Fixed minor things * Fixed failing test
2019-07-01 09:39:54 +00:00
// Create token role
resp, err = core.HandleRequest(ctx, &logical.Request{
Path: "auth/token/roles/" + testRoleName,
ClientToken: root,
Operation: logical.CreateOperation,
Data: map[string]interface{}{
"period": "72h",
"allowed_entity_aliases": []string{"test1", "test2", "testentityaliasn"},
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
resp, _ = core.HandleRequest(ctx, &logical.Request{
Path: "auth/token/create/" + testRoleName,
Operation: logical.UpdateOperation,
ClientToken: root,
Data: map[string]interface{}{
"entity_alias": entityAliasName,
},
})
if resp == nil || resp.Data == nil {
t.Fatal("expected a response")
}
if resp.Data["error"] != "invalid 'entity_alias' value" {
t.Fatalf("wrong error returned. Err: %s", resp.Data["error"])
}
}
func TestTokenStore_HandleRequest_CreateToken_NoRoleEntityAlias(t *testing.T) {
core, _, root := TestCoreUnsealed(t)
ctx := namespace.RootContext(nil)
entityAliasName := "testentityalias"
resp, _ := core.HandleRequest(ctx, &logical.Request{
Path: "auth/token/create",
Operation: logical.UpdateOperation,
ClientToken: root,
Data: map[string]interface{}{
"entity_alias": entityAliasName,
},
})
if resp == nil || resp.Data == nil {
t.Fatal("expected a response")
}
if resp.Data["error"] != "'entity_alias' is only allowed in combination with token role" {
t.Fatalf("wrong error returned. Err: %s", resp.Data["error"])
}
}
Add renew-self endpoint. Fixes #455.
2015-10-07 16:49:13 +00:00
func TestTokenStore_HandleRequest_RenewSelf(t *testing.T) {
exp := mockExpiration(t)
ts := exp.tokenStore
// Create new token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
root, err := ts.rootToken(namespace.RootContext(nil))
Add renew-self endpoint. Fixes #455.
2015-10-07 16:49:13 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Create a new token
auth := &logical.Auth{
ClientToken: root.ID,
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
Renewable: true,
},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = exp.RegisterAuth(namespace.RootContext(nil), root, auth)
Add renew-self endpoint. Fixes #455.
2015-10-07 16:49:13 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Get the original expire time to compare
originalExpire := auth.ExpirationTime()
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-07 21:44:14 +00:00
beforeRenew := time.Now()
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "renew-self")
Add renew-self endpoint. Fixes #455.
2015-10-07 16:49:13 +00:00
req.ClientToken = auth.ClientToken
req.Data["increment"] = "3600s"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add renew-self endpoint. Fixes #455.
2015-10-07 16:49:13 +00:00
}
// Get the new expire time
newExpire := resp.Auth.ExpirationTime()
if newExpire.Before(originalExpire) {
vault: fixing issues with token renewal
2015-06-17 21:28:13 +00:00
t.Fatalf("should expire later: %s %s", newExpire, originalExpire)
}
if newExpire.Before(beforeRenew.Add(time.Hour)) {
t.Fatalf("should have at least an hour: %s %s", newExpire, beforeRenew)
vault: Adding auth/token/renew endpoint
2015-04-03 19:11:49 +00:00
}
}
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
func TestTokenStore_RoleCRUD(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
core, _, root := TestCoreUnsealed(t)
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
Address final feedback
2016-03-09 16:59:54 +00:00
req := logical.TestRequest(t, logical.ReadOperation, "auth/token/roles/test")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = root
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
if resp != nil {
t.Fatalf("should not see a role")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
vault: testing root privilege restrictions
2015-03-24 22:52:07 +00:00
Address final feedback
2016-03-09 16:59:54 +00:00
// First test creation
req.Operation = logical.CreateOperation
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
req.Data = map[string]interface{}{
"orphan": true,
"period": "72h",
"allowed_policies": "test1,test2",
Address first round of feedback
2016-03-01 20:30:37 +00:00
"path_suffix": "happenin",
Fixed ignored empty value set on token role update call (#6314) * Fixed ignored empty value set on token role update call * Made a pre-check a bit more elegant. Updated tests
2019-03-04 17:39:29 +00:00
"bound_cidrs": []string{"0.0.0.0/0"},
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
"explicit_max_ttl": "2h",
"token_num_uses": 123,
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
}
vault: testing root privilege restrictions
2015-03-24 22:52:07 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
vault: testing root privilege restrictions
2015-03-24 22:52:07 +00:00
}
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
if resp != nil {
t.Fatalf("expected a nil response")
}
req.Operation = logical.ReadOperation
req.Data = map[string]interface{}{}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
}
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
if resp == nil {
t.Fatalf("got a nil response")
}
Register the token entry's path instead of the request path, to handle role suffixes correctly
2016-04-14 11:56:09 +00:00
expected := map[string]interface{}{
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
"name": "test",
"orphan": true,
"token_period": int64(259200),
"period": int64(259200),
"allowed_policies": []string{"test1", "test2"},
"disallowed_policies": []string{},
"path_suffix": "happenin",
"explicit_max_ttl": int64(7200),
"token_explicit_max_ttl": int64(7200),
"renewable": true,
"token_type": "default-service",
"token_num_uses": 123,
Token identity support (#6267) * Implemented token backend support for identity * Fixed tests * Refactored a few checks for the token entity overwrite. Fixed tests. * Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list * go mod vendor * Added glob pattern * Optimized allowed entity alias check * Added test for asterisk only * Changed to glob pattern anywhere * Changed response code in case of failure. Changed globbing pattern check. Added docs. * Added missing token role get parameter. Added more samples * Fixed failing tests * Corrected some cosmetical review points * Changed response code for invalid provided entity alias * Fixed minor things * Fixed failing test
2019-07-01 09:39:54 +00:00
"allowed_entity_aliases": []string(nil),
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
}
Fix failing TokenStore test
2019-03-05 01:44:00 +00:00
if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
t.Fatal("unexpected bound cidrs")
}
delete(resp.Data, "bound_cidrs")
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
t.Fatal("unexpected bound cidrs")
}
delete(resp.Data, "token_bound_cidrs")
Fix failing TokenStore test
2019-03-05 01:44:00 +00:00
Add `default-service`/`default-batch` to token store roles (#5711)
2018-11-07 14:45:09 +00:00
if diff := deep.Equal(expected, resp.Data); diff != nil {
t.Fatal(diff)
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
}
Address final feedback
2016-03-09 16:59:54 +00:00
// Now test updating; this should be set to an UpdateOperation
// automatically due to the existence check
req.Operation = logical.CreateOperation
req.Data = map[string]interface{}{
"period": "79h",
"allowed_policies": "test3",
"path_suffix": "happenin",
Add renewable flag to token store roles
2016-06-08 19:17:22 +00:00
"renewable": false,
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
"explicit_max_ttl": "80h",
"token_num_uses": 0,
Address final feedback
2016-03-09 16:59:54 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Address final feedback
2016-03-09 16:59:54 +00:00
}
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
Address final feedback
2016-03-09 16:59:54 +00:00
if resp != nil {
t.Fatalf("expected a nil response")
}
req.Operation = logical.ReadOperation
req.Data = map[string]interface{}{}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Address final feedback
2016-03-09 16:59:54 +00:00
}
if resp == nil {
t.Fatalf("got a nil response")
}
Register the token entry's path instead of the request path, to handle role suffixes correctly
2016-04-14 11:56:09 +00:00
expected = map[string]interface{}{
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
"name": "test",
"orphan": true,
"period": int64(284400),
"token_period": int64(284400),
"allowed_policies": []string{"test3"},
"disallowed_policies": []string{},
"path_suffix": "happenin",
"token_explicit_max_ttl": int64(288000),
"explicit_max_ttl": int64(288000),
"renewable": false,
"token_type": "default-service",
Token identity support (#6267) * Implemented token backend support for identity * Fixed tests * Refactored a few checks for the token entity overwrite. Fixed tests. * Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list * go mod vendor * Added glob pattern * Optimized allowed entity alias check * Added test for asterisk only * Changed to glob pattern anywhere * Changed response code in case of failure. Changed globbing pattern check. Added docs. * Added missing token role get parameter. Added more samples * Fixed failing tests * Corrected some cosmetical review points * Changed response code for invalid provided entity alias * Fixed minor things * Fixed failing test
2019-07-01 09:39:54 +00:00
"allowed_entity_aliases": []string(nil),
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
}
Fix failing TokenStore test
2019-03-05 01:44:00 +00:00
if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
t.Fatal("unexpected bound cidrs")
}
delete(resp.Data, "bound_cidrs")
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
t.Fatal("unexpected bound cidrs")
}
delete(resp.Data, "token_bound_cidrs")
Fix failing TokenStore test
2019-03-05 01:44:00 +00:00
Add `default-service`/`default-batch` to token store roles (#5711)
2018-11-07 14:45:09 +00:00
if diff := deep.Equal(expected, resp.Data); diff != nil {
t.Fatal(diff)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
}
// Now set explicit max ttl and clear the period
req.Operation = logical.CreateOperation
req.Data = map[string]interface{}{
"explicit_max_ttl": "5",
"period": "0s",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
}
req.Operation = logical.ReadOperation
req.Data = map[string]interface{}{}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
}
if resp == nil {
t.Fatalf("got a nil response")
}
expected = map[string]interface{}{
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
"name": "test",
"orphan": true,
"explicit_max_ttl": int64(5),
"token_explicit_max_ttl": int64(5),
"allowed_policies": []string{"test3"},
"disallowed_policies": []string{},
"path_suffix": "happenin",
"period": int64(0),
"token_period": int64(0),
"renewable": false,
"token_type": "default-service",
Token identity support (#6267) * Implemented token backend support for identity * Fixed tests * Refactored a few checks for the token entity overwrite. Fixed tests. * Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list * go mod vendor * Added glob pattern * Optimized allowed entity alias check * Added test for asterisk only * Changed to glob pattern anywhere * Changed response code in case of failure. Changed globbing pattern check. Added docs. * Added missing token role get parameter. Added more samples * Fixed failing tests * Corrected some cosmetical review points * Changed response code for invalid provided entity alias * Fixed minor things * Fixed failing test
2019-07-01 09:39:54 +00:00
"allowed_entity_aliases": []string(nil),
Fixed ignored empty value set on token role update call (#6314) * Fixed ignored empty value set on token role update call * Made a pre-check a bit more elegant. Updated tests
2019-03-04 17:39:29 +00:00
}
Fix failing TokenStore test
2019-03-05 01:44:00 +00:00
if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
t.Fatal("unexpected bound cidrs")
}
delete(resp.Data, "bound_cidrs")
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "0.0.0.0/0" {
t.Fatal("unexpected bound cidrs")
}
delete(resp.Data, "token_bound_cidrs")
Fix failing TokenStore test
2019-03-05 01:44:00 +00:00
Fixed ignored empty value set on token role update call (#6314) * Fixed ignored empty value set on token role update call * Made a pre-check a bit more elegant. Updated tests
2019-03-04 17:39:29 +00:00
if diff := deep.Equal(expected, resp.Data); diff != nil {
t.Fatal(diff)
}
// Update path_suffix and bound_cidrs with empty values
req.Operation = logical.CreateOperation
req.Data = map[string]interface{}{
"path_suffix": "",
"bound_cidrs": []string{},
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
req.Operation = logical.ReadOperation
req.Data = map[string]interface{}{}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
if resp == nil {
t.Fatalf("got a nil response")
}
expected = map[string]interface{}{
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
"name": "test",
"orphan": true,
"token_explicit_max_ttl": int64(5),
"explicit_max_ttl": int64(5),
"allowed_policies": []string{"test3"},
"disallowed_policies": []string{},
"path_suffix": "",
"period": int64(0),
"token_period": int64(0),
"renewable": false,
"token_type": "default-service",
Token identity support (#6267) * Implemented token backend support for identity * Fixed tests * Refactored a few checks for the token entity overwrite. Fixed tests. * Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list * go mod vendor * Added glob pattern * Optimized allowed entity alias check * Added test for asterisk only * Changed to glob pattern anywhere * Changed response code in case of failure. Changed globbing pattern check. Added docs. * Added missing token role get parameter. Added more samples * Fixed failing tests * Corrected some cosmetical review points * Changed response code for invalid provided entity alias * Fixed minor things * Fixed failing test
2019-07-01 09:39:54 +00:00
"allowed_entity_aliases": []string(nil),
Address final feedback
2016-03-09 16:59:54 +00:00
}
Add `default-service`/`default-batch` to token store roles (#5711)
2018-11-07 14:45:09 +00:00
if diff := deep.Equal(expected, resp.Data); diff != nil {
t.Fatal(diff)
Address final feedback
2016-03-09 16:59:54 +00:00
}
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
req.Operation = logical.ListOperation
Address final feedback
2016-03-09 16:59:54 +00:00
req.Path = "auth/token/roles"
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
req.Data = map[string]interface{}{}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
}
if resp == nil {
t.Fatalf("got a nil response")
}
keysInt, ok := resp.Data["keys"]
if !ok {
t.Fatalf("did not find keys in response")
}
keys, ok := keysInt.([]string)
if !ok {
t.Fatalf("could not convert keys interface to key list")
}
if len(keys) != 1 {
t.Fatalf("unexpected number of keys: %d", len(keys))
}
if keys[0] != "test" {
t.Fatalf("expected \"test\", got \"%s\"", keys[0])
}
req.Operation = logical.DeleteOperation
Address final feedback
2016-03-09 16:59:54 +00:00
req.Path = "auth/token/roles/test"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
}
if resp != nil {
t.Fatalf("expected a nil response")
}
req.Operation = logical.ReadOperation
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
}
if resp != nil {
t.Fatalf("expected a nil response")
vault: testing root privilege restrictions
2015-03-24 22:52:07 +00:00
}
}
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
Don't sanitize disallowed_policies on token role
2017-01-18 02:34:14 +00:00
func TestTokenStore_RoleDisallowedPoliciesWithRoot(t *testing.T) {
var resp *logical.Response
var err error
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Don't sanitize disallowed_policies on token role
2017-01-18 02:34:14 +00:00
// Don't set disallowed_policies. Verify that a read on the role does return a non-nil value.
roleReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "roles/role1",
Data: map[string]interface{}{
"disallowed_policies": "root,testpolicy",
},
ClientToken: root,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), roleReq)
Don't sanitize disallowed_policies on token role
2017-01-18 02:34:14 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
roleReq.Operation = logical.ReadOperation
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), roleReq)
Don't sanitize disallowed_policies on token role
2017-01-18 02:34:14 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
expected := []string{"root", "testpolicy"}
if !reflect.DeepEqual(resp.Data["disallowed_policies"], expected) {
t.Fatalf("bad: expected: %#v, actual: %#v", expected, resp.Data["disallowed_policies"])
}
}
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
func TestTokenStore_RoleDisallowedPolicies(t *testing.T) {
var req *logical.Request
var resp *logical.Response
var err error
Offline token revocation fix
2018-06-03 22:14:51 +00:00
core, _, root := TestCoreUnsealed(t)
ts := core.tokenStore
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
ps := core.policyStore
// Create 3 different policies
The big one (#5346)
2018-09-18 03:03:00 +00:00
policy, _ := ParseACLPolicy(namespace.RootNamespace, tokenCreationPolicy)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
policy.Name = "test1"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ps.SetPolicy(namespace.RootContext(nil), policy); err != nil {
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
t.Fatal(err)
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
policy, _ = ParseACLPolicy(namespace.RootNamespace, tokenCreationPolicy)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
policy.Name = "test2"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ps.SetPolicy(namespace.RootContext(nil), policy); err != nil {
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
t.Fatal(err)
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
policy, _ = ParseACLPolicy(namespace.RootNamespace, tokenCreationPolicy)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
policy.Name = "test3"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ps.SetPolicy(namespace.RootContext(nil), policy); err != nil {
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
t.Fatal(err)
}
// Create roles with different disallowed_policies configuration
req = logical.TestRequest(t, logical.UpdateOperation, "roles/test1")
req.ClientToken = root
req.Data = map[string]interface{}{
"disallowed_policies": "test1",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
req = logical.TestRequest(t, logical.UpdateOperation, "roles/test23")
req.ClientToken = root
req.Data = map[string]interface{}{
"disallowed_policies": "test2,test3",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
req = logical.TestRequest(t, logical.UpdateOperation, "roles/test123")
req.ClientToken = root
req.Data = map[string]interface{}{
"disallowed_policies": "test1,test2,test3",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
// Create a token that has all the policies defined above
req = logical.TestRequest(t, logical.UpdateOperation, "create")
req.ClientToken = root
req.Data["policies"] = []string{"test1", "test2", "test3"}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, req)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
if resp == nil || resp.Auth == nil {
t.Fatal("got nil response")
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: ClientToken; resp:%#v", resp)
}
parentToken := resp.Auth.ClientToken
req = logical.TestRequest(t, logical.UpdateOperation, "create/test1")
req.ClientToken = parentToken
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
if err == nil || resp != nil && !resp.IsError() {
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
t.Fatalf("expected an error response, got %#v", resp)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
}
req = logical.TestRequest(t, logical.UpdateOperation, "create/test23")
req.ClientToken = parentToken
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
if err == nil || resp != nil && !resp.IsError() {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
t.Fatalf("expected an error response, got %#v", resp)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
}
req = logical.TestRequest(t, logical.UpdateOperation, "create/test123")
req.ClientToken = parentToken
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
if err == nil || resp != nil && !resp.IsError() {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
t.Fatalf("expected an error response, got %#v", resp)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
}
Fix regression in 0.6.4 where token store roles could not properly wo… (#2286)
2017-01-18 21:11:25 +00:00
// Disallowed should act as a blacklist so make sure we can still make
// something with other policies in the request
req = logical.TestRequest(t, logical.UpdateOperation, "create/test123")
req.Data["policies"] = []string{"foo", "bar"}
req.ClientToken = parentToken
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenViaRequest(t, ts, req)
Fix regression in 0.6.4 where token store roles could not properly wo… (#2286)
2017-01-18 21:11:25 +00:00
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
// Create a role to have 'default' policy disallowed
req = logical.TestRequest(t, logical.UpdateOperation, "roles/default")
req.ClientToken = root
req.Data = map[string]interface{}{
"disallowed_policies": "default",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
req = logical.TestRequest(t, logical.UpdateOperation, "create/default")
req.ClientToken = parentToken
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Added tests for disallowed_policies
2016-08-02 19:21:15 +00:00
if err == nil || resp != nil && !resp.IsError() {
t.Fatal("expected an error response")
}
}
Address review feedback and fix existing tests
2016-08-02 17:33:03 +00:00
func TestTokenStore_RoleAllowedPolicies(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "roles/test")
req.ClientToken = root
req.Data = map[string]interface{}{
"allowed_policies": "test1,test2",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
if resp != nil {
t.Fatalf("expected a nil response")
}
req.Data = map[string]interface{}{}
req.Path = "create/test"
req.Data["policies"] = []string{"foo"}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
if err == nil {
t.Fatalf("expected error")
}
req.Data["policies"] = []string{"test2"}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, req)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
// When allowed_policies is blank, should fall back to a subset of the parent policies
req = logical.TestRequest(t, logical.UpdateOperation, "roles/test")
req.ClientToken = root
req.Data = map[string]interface{}{
"allowed_policies": "",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
}
if resp != nil {
t.Fatalf("expected a nil response")
}
req = logical.TestRequest(t, logical.UpdateOperation, "create")
req.ClientToken = root
req.Data["policies"] = []string{"test1", "test2", "test3"}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, req)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if resp == nil || resp.Auth == nil {
t.Fatal("got nil response")
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: ClientToken; resp:%#v", resp)
}
if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "test1", "test2", "test3"}) {
t.Fatalf("bad: %#v", resp.Auth.Policies)
}
parentToken := resp.Auth.ClientToken
req.Data = map[string]interface{}{}
req.ClientToken = parentToken
req.Path = "create/test"
req.Data["policies"] = []string{"foo"}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if err == nil {
t.Fatalf("expected error")
}
req.Data["policies"] = []string{"test2"}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, req)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
delete(req.Data, "policies")
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, req)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "test1", "test2", "test3"}) {
t.Fatalf("bad: %#v", resp.Auth.Policies)
}
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
func TestTokenStore_RoleOrphan(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "roles/test")
req.ClientToken = root
req.Data = map[string]interface{}{
"orphan": true,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
if resp != nil {
t.Fatalf("expected a nil response")
}
req.Path = "create/test"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), resp.Auth.ClientToken)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if out.Parent != "" {
t.Fatalf("expected orphan token, but found a parent")
}
if !strings.HasPrefix(out.Path, "auth/token/create/test") {
t.Fatalf("expected role in path but did not find it")
}
}
Address first round of feedback
2016-03-01 20:30:37 +00:00
func TestTokenStore_RolePathSuffix(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req := logical.TestRequest(t, logical.CreateOperation, "roles/test")
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
req.ClientToken = root
req.Data = map[string]interface{}{
Address first round of feedback
2016-03-01 20:30:37 +00:00
"path_suffix": "happenin",
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
if resp != nil {
t.Fatalf("expected a nil response")
}
req.Path = "create/test"
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.Operation = logical.UpdateOperation
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
out, err := ts.Lookup(namespace.RootContext(nil), resp.Auth.ClientToken)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
Address first round of feedback
2016-03-01 20:30:37 +00:00
if out.Path != "auth/token/create/test/happenin" {
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
t.Fatalf("expected role in path but did not find it")
}
}
func TestTokenStore_RolePeriod(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
core, _, root := TestCoreUnsealed(t)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
Fix some more too-tight timing in the token store tests
2016-07-01 15:59:39 +00:00
core.defaultLeaseTTL = 10 * time.Second
core.maxLeaseTTL = 10 * time.Second
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
// Note: these requests are sent to Core since Core handles registration
// with the expiration manager and we need the storage to be consistent
req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/roles/test")
req.ClientToken = root
req.Data = map[string]interface{}{
Add logic for using Auth.Period when handling auth login/renew requests (#3677) * Add logic for using Auth.Period when handling auth login/renew requests * Set auth.TTL if not set in handleLoginRequest * Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken * Get sysView from le.Path, revert tests * Add back auth.Policies * Fix TokenStore tests, add resp warning when capping values * Use switch for ttl/period check on RenewToken * Move comments around
2017-12-15 18:30:05 +00:00
"period": 5,
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
if resp != nil {
t.Fatalf("expected a nil response")
}
// This first set of logic is to verify that a normal non-root token will
Fix some more too-tight timing in the token store tests
2016-07-01 15:59:39 +00:00
// be given a TTL of 10 seconds, and that renewing will not cause the TTL to
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
// increase since that's the configured backend max. Then we verify that
// increment works.
{
req.Path = "auth/token/create"
req.Data = map[string]interface{}{
"policies": []string{"default"},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
req.ClientToken = resp.Auth.ClientToken
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl := resp.Data["ttl"].(int64)
Fix some more too-tight timing in the token store tests
2016-07-01 15:59:39 +00:00
if ttl > 10 {
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
t.Fatalf("TTL too large")
}
Fix some more too-tight timing in the token store tests
2016-07-01 15:59:39 +00:00
// Let the TTL go down a bit to 8 seconds
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
time.Sleep(2 * time.Second)
req.Operation = logical.UpdateOperation
req.Path = "auth/token/renew-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl = resp.Data["ttl"].(int64)
Fix some more too-tight timing in the token store tests
2016-07-01 15:59:39 +00:00
if ttl > 8 {
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
t.Fatalf("TTL too large: %d", ttl)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
Fix some more too-tight timing in the token store tests
2016-07-01 15:59:39 +00:00
// Renewing should not have the increment increase since we've hit the
// max
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
req.Operation = logical.UpdateOperation
req.Path = "auth/token/renew-self"
req.Data = map[string]interface{}{
"increment": 1,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl = resp.Data["ttl"].(int64)
Fix some more too-tight timing in the token store tests
2016-07-01 15:59:39 +00:00
if ttl > 8 {
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
t.Fatalf("TTL too large")
}
}
// Now we create a token against the role. We should be able to renew;
// increment should be ignored as well.
{
req.ClientToken = root
req.Operation = logical.UpdateOperation
req.Path = "auth/token/create/test"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
if resp == nil {
t.Fatal("response was nil")
}
if resp.Auth == nil {
all: test: Fix govet warnings Fix calls to t.Fatal() with formatting. Fixed some calls to Fatalf() with wrong formatting
2016-12-21 18:08:27 +00:00
t.Fatalf(fmt.Sprintf("response auth was nil, resp is %#v", *resp))
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
req.ClientToken = resp.Auth.ClientToken
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl := resp.Data["ttl"].(int64)
Add logic for using Auth.Period when handling auth login/renew requests (#3677) * Add logic for using Auth.Period when handling auth login/renew requests * Set auth.TTL if not set in handleLoginRequest * Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken * Get sysView from le.Path, revert tests * Add back auth.Policies * Fix TokenStore tests, add resp warning when capping values * Use switch for ttl/period check on RenewToken * Move comments around
2017-12-15 18:30:05 +00:00
if ttl > 5 {
t.Fatalf("TTL too large (expected %d, got %d", 5, ttl)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
// Let the TTL go down a bit to 3 seconds
Ensure we don't use a token entry period of 0 in role comparisons. When we added support for generating periodic tokens for root/sudo in auth/token/create we used the token entry's period value to store the shortest period found to eventually populate the TTL. The problem was that we then assumed later that this value would be populated for periodic tokens, when it wouldn't have been in the upgrade case. Instead, use a temp var to store the proper value to use; populate te.Period only if actually given; and check that it's not zero before comparing against role value during renew.
2016-08-16 20:47:46 +00:00
time.Sleep(3 * time.Second)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
req.Operation = logical.UpdateOperation
req.Path = "auth/token/renew-self"
req.Data = map[string]interface{}{
"increment": 1,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl = resp.Data["ttl"].(int64)
Add logic for using Auth.Period when handling auth login/renew requests (#3677) * Add logic for using Auth.Period when handling auth login/renew requests * Set auth.TTL if not set in handleLoginRequest * Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken * Get sysView from le.Path, revert tests * Add back auth.Policies * Fix TokenStore tests, add resp warning when capping values * Use switch for ttl/period check on RenewToken * Move comments around
2017-12-15 18:30:05 +00:00
if ttl > 5 {
t.Fatalf("TTL too large (expected %d, got %d", 5, ttl)
Add other token role unit tests and some minor other changes.
2016-03-01 17:33:35 +00:00
}
}
}
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
func TestTokenStore_RoleExplicitMaxTTL(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
core, _, root := TestCoreUnsealed(t)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
core.defaultLeaseTTL = 5 * time.Second
core.maxLeaseTTL = 5 * time.Hour
// Note: these requests are sent to Core since Core handles registration
// with the expiration manager and we need the storage to be consistent
Fix bug around disallowing explicit max greater than sysview max
2016-05-11 22:46:55 +00:00
// Make sure we can't make it larger than the system/mount max; we should get a warning on role write and an error on token creation
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/roles/test")
req.ClientToken = root
req.Data = map[string]interface{}{
Fix bug around disallowing explicit max greater than sysview max
2016-05-11 22:46:55 +00:00
"explicit_max_ttl": "100h",
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
}
Fix bug around disallowing explicit max greater than sysview max
2016-05-11 22:46:55 +00:00
if resp == nil {
t.Fatalf("expected a warning")
}
req.Operation = logical.UpdateOperation
req.Path = "auth/token/create/test"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Make out-of-bounds explicit max a cap+warning instead of an error
2016-06-08 19:25:17 +00:00
if err != nil {
Fix bug around disallowing explicit max greater than sysview max
2016-05-11 22:46:55 +00:00
t.Fatalf("expected an error")
}
Allow accessing Warnings directly in Response. (#2806) A change in copystructure has caused some panics due to the custom copy function. I'm more nervous about production panics than I am about keeping some bad code wiping out some existing warnings, so remove the custom copy function and just allow direct setting of Warnings.
2017-06-05 14:52:43 +00:00
if len(resp.Warnings) == 0 {
Make out-of-bounds explicit max a cap+warning instead of an error
2016-06-08 19:25:17 +00:00
t.Fatalf("expected a warning")
}
Fix bug around disallowing explicit max greater than sysview max
2016-05-11 22:46:55 +00:00
// Reset to a good explicit max
req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/roles/test")
req.ClientToken = root
req.Data = map[string]interface{}{
Fix timing in explicit max ttl test
2016-07-01 15:37:27 +00:00
"explicit_max_ttl": "10s",
Fix bug around disallowing explicit max greater than sysview max
2016-05-11 22:46:55 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Fix bug around disallowing explicit max greater than sysview max
2016-05-11 22:46:55 +00:00
}
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
if resp != nil {
t.Fatalf("expected a nil response")
}
// This first set of logic is to verify that a normal non-root token will
// be given a TTL of 5 seconds, and that renewing will cause the TTL to
// increase
{
req.Path = "auth/token/create"
req.Data = map[string]interface{}{
"policies": []string{"default"},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
req.ClientToken = resp.Auth.ClientToken
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl := resp.Data["ttl"].(int64)
if ttl > 5 {
t.Fatalf("TTL too large")
}
// Let the TTL go down a bit to 3 seconds
time.Sleep(2 * time.Second)
req.Operation = logical.UpdateOperation
req.Path = "auth/token/renew-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
}
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl = resp.Data["ttl"].(int64)
if ttl < 4 {
t.Fatalf("TTL too small after renewal")
}
}
// Now we create a token against the role. After renew our max should still
// be the same.
{
req.ClientToken = root
req.Operation = logical.UpdateOperation
req.Path = "auth/token/create/test"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
}
if resp == nil {
t.Fatal("response was nil")
}
if resp.Auth == nil {
all: test: Fix govet warnings Fix calls to t.Fatal() with formatting. Fixed some calls to Fatalf() with wrong formatting
2016-12-21 18:08:27 +00:00
t.Fatalf(fmt.Sprintf("response auth was nil, resp is %#v", *resp))
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
req.ClientToken = resp.Auth.ClientToken
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl := resp.Data["ttl"].(int64)
Fix timing in explicit max ttl test
2016-07-01 15:37:27 +00:00
if ttl > 10 {
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
t.Fatalf("TTL too big")
}
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
// explicit max ttl is stored in the role so not returned here
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
maxTTL := resp.Data["explicit_max_ttl"].(int64)
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
if maxTTL != 0 {
t.Fatalf("expected 0 for explicit max TTL, got %d", maxTTL)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
}
Fix timing in explicit max ttl test
2016-07-01 15:37:27 +00:00
// Let the TTL go down a bit to ~7 seconds (8 against explicit max)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
time.Sleep(2 * time.Second)
req.Operation = logical.UpdateOperation
req.Path = "auth/token/renew-self"
req.Data = map[string]interface{}{
"increment": 300,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
}
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl = resp.Data["ttl"].(int64)
Fix timing in explicit max ttl test
2016-07-01 15:37:27 +00:00
if ttl > 8 {
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
t.Fatalf("TTL too big: %d", ttl)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
}
Fix timing in explicit max ttl test
2016-07-01 15:37:27 +00:00
// Let the TTL go down a bit more to ~5 seconds (6 against explicit max)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
time.Sleep(2 * time.Second)
req.Operation = logical.UpdateOperation
req.Path = "auth/token/renew-self"
req.Data = map[string]interface{}{
"increment": 300,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
}
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl = resp.Data["ttl"].(int64)
Fix timing in explicit max ttl test
2016-07-01 15:37:27 +00:00
if ttl > 6 {
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
t.Fatalf("TTL too big")
}
// It should expire
Fix timing in explicit max ttl test
2016-07-01 15:37:27 +00:00
time.Sleep(8 * time.Second)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
req.Operation = logical.UpdateOperation
req.Path = "auth/token/renew-self"
req.Data = map[string]interface{}{
"increment": 300,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
if err == nil {
t.Fatalf("expected error")
}
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
time.Sleep(2 * time.Second)
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
ExpirationManager restoration to load in the background (#3260)
2017-09-05 15:09:00 +00:00
if resp != nil && err == nil {
t.Fatalf("expected error, response is %#v", *resp)
}
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
if err == nil {
t.Fatalf("expected error")
}
}
}
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
func TestTokenStore_RoleTokenFields(t *testing.T) {
c, _, _ := TestCoreUnsealed(t)
//c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
rootContext := namespace.RootContext(context.Background())
boundCIDRs, err := parseutil.ParseAddrs([]string{"127.0.0.1/32"})
if err != nil {
t.Fatal(err)
}
// First test the upgrade case. Create a role with values and ensure they
// are reflected properly on read.
{
roleEntry := &tsRoleEntry{
Name: "test",
TokenParams: tokenutil.TokenParams{
TokenType: logical.TokenTypeBatch,
},
Period: time.Second,
ExplicitMaxTTL: time.Hour,
}
roleEntry.BoundCIDRs = boundCIDRs
ns := namespace.RootNamespace
jsonEntry, err := logical.StorageEntryJSON("test", roleEntry)
if err != nil {
t.Fatal(err)
}
if err := ts.rolesView(ns).Put(rootContext, jsonEntry); err != nil {
t.Fatal(err)
}
// Read it back
roleEntry, err = ts.tokenStoreRole(rootContext, "test")
if err != nil {
t.Fatal(err)
}
expRoleEntry := &tsRoleEntry{
Name: "test",
TokenParams: tokenutil.TokenParams{
TokenPeriod: time.Second,
TokenExplicitMaxTTL: time.Hour,
TokenBoundCIDRs: boundCIDRs,
TokenType: logical.TokenTypeBatch,
},
Period: time.Second,
ExplicitMaxTTL: time.Hour,
BoundCIDRs: boundCIDRs,
}
if diff := deep.Equal(expRoleEntry, roleEntry); diff != nil {
t.Fatal(diff)
}
}
// Now, read that back through the API and verify we see what we expect
{
req := logical.TestRequest(t, logical.ReadOperation, "roles/test")
resp, err := ts.HandleRequest(rootContext, req)
if err != nil {
t.Fatalf("err: %v", err)
}
expected := map[string]interface{}{
"name": "test",
"orphan": false,
"period": int64(1),
"token_period": int64(1),
"allowed_policies": []string(nil),
"disallowed_policies": []string(nil),
"path_suffix": "",
"token_explicit_max_ttl": int64(3600),
"explicit_max_ttl": int64(3600),
"renewable": false,
"token_type": "batch",
Token identity support (#6267) * Implemented token backend support for identity * Fixed tests * Refactored a few checks for the token entity overwrite. Fixed tests. * Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list * go mod vendor * Added glob pattern * Optimized allowed entity alias check * Added test for asterisk only * Changed to glob pattern anywhere * Changed response code in case of failure. Changed globbing pattern check. Added docs. * Added missing token role get parameter. Added more samples * Fixed failing tests * Corrected some cosmetical review points * Changed response code for invalid provided entity alias * Fixed minor things * Fixed failing test
2019-07-01 09:39:54 +00:00
"allowed_entity_aliases": []string(nil),
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
}
if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
t.Fatalf("unexpected bound cidrs: %s", resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String())
}
delete(resp.Data, "bound_cidrs")
if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
t.Fatalf("unexpected token bound cidrs: %s", resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String())
}
delete(resp.Data, "token_bound_cidrs")
if diff := deep.Equal(expected, resp.Data); diff != nil {
t.Fatal(diff)
}
}
// Put values in just the old locations, but through the API
{
req := logical.TestRequest(t, logical.UpdateOperation, "roles/test")
req.Data = map[string]interface{}{
"explicit_max_ttl": 7200,
Fix tests
2019-07-01 01:03:36 +00:00
"token_type": "default-service",
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
"period": 5,
"bound_cidrs": boundCIDRs[0].String(),
}
resp, err := ts.HandleRequest(rootContext, req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
if resp != nil {
t.Fatalf("expected a nil response")
}
req = logical.TestRequest(t, logical.ReadOperation, "roles/test")
resp, err = ts.HandleRequest(rootContext, req)
if err != nil {
t.Fatalf("err: %v", err)
}
expected := map[string]interface{}{
"name": "test",
"orphan": false,
"period": int64(5),
"token_period": int64(5),
"allowed_policies": []string(nil),
"disallowed_policies": []string(nil),
"path_suffix": "",
"token_explicit_max_ttl": int64(7200),
"explicit_max_ttl": int64(7200),
"renewable": false,
Fix tests
2019-07-01 01:03:36 +00:00
"token_type": "default-service",
Token identity support (#6267) * Implemented token backend support for identity * Fixed tests * Refactored a few checks for the token entity overwrite. Fixed tests. * Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list * go mod vendor * Added glob pattern * Optimized allowed entity alias check * Added test for asterisk only * Changed to glob pattern anywhere * Changed response code in case of failure. Changed globbing pattern check. Added docs. * Added missing token role get parameter. Added more samples * Fixed failing tests * Corrected some cosmetical review points * Changed response code for invalid provided entity alias * Fixed minor things * Fixed failing test
2019-07-01 09:39:54 +00:00
"allowed_entity_aliases": []string(nil),
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
}
if resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
t.Fatalf("unexpected bound cidrs: %s", resp.Data["bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String())
}
delete(resp.Data, "bound_cidrs")
if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
t.Fatalf("unexpected token bound cidrs: %s", resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String())
}
delete(resp.Data, "token_bound_cidrs")
if diff := deep.Equal(expected, resp.Data); diff != nil {
t.Fatal(diff)
}
}
// Same thing for just the new locations
{
req := logical.TestRequest(t, logical.UpdateOperation, "roles/test")
req.Data = map[string]interface{}{
"token_explicit_max_ttl": 5200,
"token_type": "default-service",
"token_period": 7,
"token_bound_cidrs": boundCIDRs[0].String(),
}
resp, err := ts.HandleRequest(rootContext, req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
if resp != nil {
t.Fatalf("expected a nil response")
}
req = logical.TestRequest(t, logical.ReadOperation, "roles/test")
resp, err = ts.HandleRequest(rootContext, req)
if err != nil {
t.Fatalf("err: %v", err)
}
expected := map[string]interface{}{
"name": "test",
"orphan": false,
"period": int64(0),
"token_period": int64(7),
"allowed_policies": []string(nil),
"disallowed_policies": []string(nil),
"path_suffix": "",
"token_explicit_max_ttl": int64(5200),
"explicit_max_ttl": int64(0),
"renewable": false,
"token_type": "default-service",
Token identity support (#6267) * Implemented token backend support for identity * Fixed tests * Refactored a few checks for the token entity overwrite. Fixed tests. * Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list * go mod vendor * Added glob pattern * Optimized allowed entity alias check * Added test for asterisk only * Changed to glob pattern anywhere * Changed response code in case of failure. Changed globbing pattern check. Added docs. * Added missing token role get parameter. Added more samples * Fixed failing tests * Corrected some cosmetical review points * Changed response code for invalid provided entity alias * Fixed minor things * Fixed failing test
2019-07-01 09:39:54 +00:00
"allowed_entity_aliases": []string(nil),
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
}
if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
t.Fatalf("unexpected token bound cidrs: %s", resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String())
}
delete(resp.Data, "token_bound_cidrs")
if diff := deep.Equal(expected, resp.Data); diff != nil {
t.Fatal(diff)
}
}
// Put values in both locations
{
req := logical.TestRequest(t, logical.UpdateOperation, "roles/test")
req.Data = map[string]interface{}{
"token_explicit_max_ttl": 7200,
"explicit_max_ttl": 5200,
"token_type": "service",
"token_period": 5,
"period": 1,
"token_bound_cidrs": boundCIDRs[0].String(),
"bound_cidrs": boundCIDRs[0].String(),
}
resp, err := ts.HandleRequest(rootContext, req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
if resp == nil {
t.Fatalf("expected a non-nil response")
}
if len(resp.Warnings) != 3 {
t.Fatalf("expected 3 warnings, got %#v", resp.Warnings)
}
req = logical.TestRequest(t, logical.ReadOperation, "roles/test")
resp, err = ts.HandleRequest(rootContext, req)
if err != nil {
t.Fatalf("err: %v", err)
}
expected := map[string]interface{}{
"name": "test",
"orphan": false,
"period": int64(0),
"token_period": int64(5),
"allowed_policies": []string(nil),
"disallowed_policies": []string(nil),
"path_suffix": "",
"token_explicit_max_ttl": int64(7200),
"explicit_max_ttl": int64(0),
"renewable": false,
"token_type": "service",
Token identity support (#6267) * Implemented token backend support for identity * Fixed tests * Refactored a few checks for the token entity overwrite. Fixed tests. * Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list * go mod vendor * Added glob pattern * Optimized allowed entity alias check * Added test for asterisk only * Changed to glob pattern anywhere * Changed response code in case of failure. Changed globbing pattern check. Added docs. * Added missing token role get parameter. Added more samples * Fixed failing tests * Corrected some cosmetical review points * Changed response code for invalid provided entity alias * Fixed minor things * Fixed failing test
2019-07-01 09:39:54 +00:00
"allowed_entity_aliases": []string(nil),
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
}
if resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String() != "127.0.0.1" {
t.Fatalf("unexpected token bound cidrs: %s", resp.Data["token_bound_cidrs"].([]*sockaddr.SockAddrMarshaler)[0].String())
}
delete(resp.Data, "token_bound_cidrs")
if diff := deep.Equal(expected, resp.Data); diff != nil {
t.Fatal(diff)
}
}
}
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
func TestTokenStore_Periodic(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
core, _, root := TestCoreUnsealed(t)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
core.defaultLeaseTTL = 10 * time.Second
core.maxLeaseTTL = 10 * time.Second
// Note: these requests are sent to Core since Core handles registration
// with the expiration manager and we need the storage to be consistent
req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/roles/test")
req.ClientToken = root
req.Data = map[string]interface{}{
Add logic for using Auth.Period when handling auth login/renew requests (#3677) * Add logic for using Auth.Period when handling auth login/renew requests * Set auth.TTL if not set in handleLoginRequest * Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken * Get sysView from le.Path, revert tests * Add back auth.Policies * Fix TokenStore tests, add resp warning when capping values * Use switch for ttl/period check on RenewToken * Move comments around
2017-12-15 18:30:05 +00:00
"period": 5,
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
if resp != nil {
t.Fatalf("expected a nil response")
}
// First make one directly and verify on renew it uses the period.
{
req.ClientToken = root
req.Operation = logical.UpdateOperation
req.Path = "auth/token/create"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("response was nil")
}
if resp.Auth == nil {
all: test: Fix govet warnings Fix calls to t.Fatal() with formatting. Fixed some calls to Fatalf() with wrong formatting
2016-12-21 18:08:27 +00:00
t.Fatalf(fmt.Sprintf("response auth was nil, resp is %#v", *resp))
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
req.ClientToken = resp.Auth.ClientToken
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl := resp.Data["ttl"].(int64)
Add logic for using Auth.Period when handling auth login/renew requests (#3677) * Add logic for using Auth.Period when handling auth login/renew requests * Set auth.TTL if not set in handleLoginRequest * Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken * Get sysView from le.Path, revert tests * Add back auth.Policies * Fix TokenStore tests, add resp warning when capping values * Use switch for ttl/period check on RenewToken * Move comments around
2017-12-15 18:30:05 +00:00
if ttl > 5 {
t.Fatalf("TTL too large (expected %d, got %d)", 5, ttl)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
Add another test and fix some output
2016-08-14 11:17:14 +00:00
// Let the TTL go down a bit
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
time.Sleep(2 * time.Second)
req.Operation = logical.UpdateOperation
req.Path = "auth/token/renew-self"
req.Data = map[string]interface{}{
"increment": 1,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl = resp.Data["ttl"].(int64)
Add logic for using Auth.Period when handling auth login/renew requests (#3677) * Add logic for using Auth.Period when handling auth login/renew requests * Set auth.TTL if not set in handleLoginRequest * Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken * Get sysView from le.Path, revert tests * Add back auth.Policies * Fix TokenStore tests, add resp warning when capping values * Use switch for ttl/period check on RenewToken * Move comments around
2017-12-15 18:30:05 +00:00
if ttl > 5 {
t.Fatalf("TTL too large (expected %d, got %d)", 5, ttl)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
}
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
// Now we create a token against the role and also set the te value
// directly. We should use the smaller of the two and be able to renew;
// increment should be ignored as well.
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
{
req.ClientToken = root
req.Operation = logical.UpdateOperation
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
req.Path = "auth/token/create/test"
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
req.Data = map[string]interface{}{
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
"period": 5,
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
if resp == nil {
t.Fatal("response was nil")
}
if resp.Auth == nil {
all: test: Fix govet warnings Fix calls to t.Fatal() with formatting. Fixed some calls to Fatalf() with wrong formatting
2016-12-21 18:08:27 +00:00
t.Fatalf(fmt.Sprintf("response auth was nil, resp is %#v", *resp))
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
req.ClientToken = resp.Auth.ClientToken
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl := resp.Data["ttl"].(int64)
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
if ttl < 4 || ttl > 5 {
t.Fatalf("TTL bad (expected %d, got %d)", 4, ttl)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
Add another test and fix some output
2016-08-14 11:17:14 +00:00
// Let the TTL go down a bit
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
time.Sleep(2 * time.Second)
req.Operation = logical.UpdateOperation
req.Path = "auth/token/renew-self"
req.Data = map[string]interface{}{
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
"increment": 1,
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl = resp.Data["ttl"].(int64)
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
if ttl > 5 {
t.Fatalf("TTL bad (expected less than %d, got %d)", 5, ttl)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
}
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
}
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
Tokenhelper v2 (#6662) This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 14:17:04 +00:00
func testTokenStore_NumUses_ErrorCheckHelper(t *testing.T, resp *logical.Response, err error) {
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("response was nil")
}
if resp.Auth == nil {
t.Fatalf(fmt.Sprintf("response auth was nil, resp is %#v", *resp))
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
}
func testTokenStore_NumUses_SelfLookupHelper(t *testing.T, core *Core, clientToken string, expectedNumUses int) {
req := logical.TestRequest(t, logical.ReadOperation, "auth/token/lookup-self")
req.ClientToken = clientToken
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
if err != nil {
t.Fatalf("err: %v", err)
}
// Just used the token, this should decrement the num_uses counter
expectedNumUses = expectedNumUses - 1
actualNumUses := resp.Data["num_uses"].(int)
if actualNumUses != expectedNumUses {
t.Fatalf("num_uses mismatch (expected %d, got %d)", expectedNumUses, actualNumUses)
}
}
func TestTokenStore_NumUses(t *testing.T) {
core, _, root := TestCoreUnsealed(t)
roleNumUses := 10
lesserNumUses := 5
greaterNumUses := 15
// Create a test role with limited token_num_uses
req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/roles/test-limited-uses")
req.ClientToken = root
req.Data = map[string]interface{}{
"token_num_uses": roleNumUses,
}
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
if resp != nil {
t.Fatalf("expected a nil response")
}
// Create a test role with unlimited token_num_uses
req.Path = "auth/token/roles/test-unlimited-uses"
req.Data = map[string]interface{}{}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
}
if resp != nil {
t.Fatalf("expected a nil response")
}
// Generate some tokens from the test roles
req.Path = "auth/token/create/test-limited-uses"
// first token, num_uses is expected to come from the limited uses role
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
testTokenStore_NumUses_ErrorCheckHelper(t, resp, err)
noOverrideToken := resp.Auth.ClientToken
// second token, override num_uses with a lesser value, this should become the value
// applied to the token
req.Data = map[string]interface{}{
"num_uses": lesserNumUses,
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
testTokenStore_NumUses_ErrorCheckHelper(t, resp, err)
lesserOverrideToken := resp.Auth.ClientToken
// third token, override num_uses with a greater value, the value
// applied to the token should come from the limited uses role
req.Data = map[string]interface{}{
"num_uses": greaterNumUses,
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
testTokenStore_NumUses_ErrorCheckHelper(t, resp, err)
greaterOverrideToken := resp.Auth.ClientToken
// fourth token, override num_uses with a zero value, a num_uses value of zero
// has an internal meaning of unlimited so num_uses == 1 is actually less than
// num_uses == 0. In this case, the lesser value of the limited-uses role should be applied.
req.Data = map[string]interface{}{
"num_uses": 0,
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
testTokenStore_NumUses_ErrorCheckHelper(t, resp, err)
zeroOverrideToken := resp.Auth.ClientToken
// fifth token, override num_uses with a value from a role that has unlimited num_uses. num_uses
// should be the specified num_uses parameter at the create endpoint
req.Path = "auth/token/create/test-unlimited-uses"
req.Data = map[string]interface{}{
"num_uses": lesserNumUses,
}
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
testTokenStore_NumUses_ErrorCheckHelper(t, resp, err)
unlimitedRoleOverrideToken := resp.Auth.ClientToken
testTokenStore_NumUses_SelfLookupHelper(t, core, noOverrideToken, roleNumUses)
testTokenStore_NumUses_SelfLookupHelper(t, core, lesserOverrideToken, lesserNumUses)
testTokenStore_NumUses_SelfLookupHelper(t, core, greaterOverrideToken, roleNumUses)
testTokenStore_NumUses_SelfLookupHelper(t, core, zeroOverrideToken, roleNumUses)
testTokenStore_NumUses_SelfLookupHelper(t, core, unlimitedRoleOverrideToken, lesserNumUses)
}
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
func TestTokenStore_Periodic_ExplicitMax(t *testing.T) {
Offline token revocation fix
2018-06-03 22:14:51 +00:00
core, _, root := TestCoreUnsealed(t)
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
core.defaultLeaseTTL = 10 * time.Second
core.maxLeaseTTL = 10 * time.Second
// Note: these requests are sent to Core since Core handles registration
// with the expiration manager and we need the storage to be consistent
req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/roles/test")
req.ClientToken = root
req.Data = map[string]interface{}{
"period": 5,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
}
if resp != nil {
t.Fatalf("expected a nil response")
}
// First make one directly and verify on renew it uses the period.
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
{
req.ClientToken = root
req.Operation = logical.UpdateOperation
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
req.Path = "auth/token/create"
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
req.Data = map[string]interface{}{
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
"period": 5,
"explicit_max_ttl": 4,
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
if err != nil {
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
t.Fatal(err)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
if resp == nil {
t.Fatal("response was nil")
}
if resp.Auth == nil {
all: test: Fix govet warnings Fix calls to t.Fatal() with formatting. Fixed some calls to Fatalf() with wrong formatting
2016-12-21 18:08:27 +00:00
t.Fatalf(fmt.Sprintf("response auth was nil, resp is %#v", *resp))
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
req.ClientToken = resp.Auth.ClientToken
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl := resp.Data["ttl"].(int64)
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
if ttl < 3 || ttl > 4 {
t.Fatalf("TTL bad (expected %d, got %d)", 3, ttl)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
Add another test and fix some output
2016-08-14 11:17:14 +00:00
// Let the TTL go down a bit
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
time.Sleep(2 * time.Second)
req.Operation = logical.UpdateOperation
req.Path = "auth/token/renew-self"
req.Data = map[string]interface{}{
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
"increment": 76,
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl = resp.Data["ttl"].(int64)
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
if ttl > 2 {
t.Fatalf("TTL bad (expected less than %d, got %d)", 2, ttl)
Add another test and fix some output
2016-08-14 11:17:14 +00:00
}
}
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
// Now we create a token against the role and also set the te value
// directly. We should use the smaller of the two and be able to renew;
// increment should be ignored as well.
Add another test and fix some output
2016-08-14 11:17:14 +00:00
{
req.Path = "auth/token/roles/test"
req.ClientToken = root
Add logic for using Auth.Period when handling auth login/renew requests (#3677) * Add logic for using Auth.Period when handling auth login/renew requests * Set auth.TTL if not set in handleLoginRequest * Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken * Get sysView from le.Path, revert tests * Add back auth.Policies * Fix TokenStore tests, add resp warning when capping values * Use switch for ttl/period check on RenewToken * Move comments around
2017-12-15 18:30:05 +00:00
req.Operation = logical.UpdateOperation
Add another test and fix some output
2016-08-14 11:17:14 +00:00
req.Data = map[string]interface{}{
Add logic for using Auth.Period when handling auth login/renew requests (#3677) * Add logic for using Auth.Period when handling auth login/renew requests * Set auth.TTL if not set in handleLoginRequest * Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken * Get sysView from le.Path, revert tests * Add back auth.Policies * Fix TokenStore tests, add resp warning when capping values * Use switch for ttl/period check on RenewToken * Move comments around
2017-12-15 18:30:05 +00:00
"period": 5,
"explicit_max_ttl": 4,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add logic for using Auth.Period when handling auth login/renew requests (#3677) * Add logic for using Auth.Period when handling auth login/renew requests * Set auth.TTL if not set in handleLoginRequest * Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken * Get sysView from le.Path, revert tests * Add back auth.Policies * Fix TokenStore tests, add resp warning when capping values * Use switch for ttl/period check on RenewToken * Move comments around
2017-12-15 18:30:05 +00:00
}
if resp != nil {
t.Fatalf("expected a nil response")
Add another test and fix some output
2016-08-14 11:17:14 +00:00
}
req.ClientToken = root
req.Operation = logical.UpdateOperation
req.Path = "auth/token/create/test"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add another test and fix some output
2016-08-14 11:17:14 +00:00
}
if resp == nil {
t.Fatal("response was nil")
}
if resp.Auth == nil {
all: test: Fix govet warnings Fix calls to t.Fatal() with formatting. Fixed some calls to Fatalf() with wrong formatting
2016-12-21 18:08:27 +00:00
t.Fatalf(fmt.Sprintf("response auth was nil, resp is %#v", *resp))
Add another test and fix some output
2016-08-14 11:17:14 +00:00
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
req.ClientToken = resp.Auth.ClientToken
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add another test and fix some output
2016-08-14 11:17:14 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl := resp.Data["ttl"].(int64)
Add logic for using Auth.Period when handling auth login/renew requests (#3677) * Add logic for using Auth.Period when handling auth login/renew requests * Set auth.TTL if not set in handleLoginRequest * Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken * Get sysView from le.Path, revert tests * Add back auth.Policies * Fix TokenStore tests, add resp warning when capping values * Use switch for ttl/period check on RenewToken * Move comments around
2017-12-15 18:30:05 +00:00
if ttl < 3 || ttl > 4 {
t.Fatalf("TTL bad (expected %d, got %d)", 3, ttl)
Add another test and fix some output
2016-08-14 11:17:14 +00:00
}
// Let the TTL go down a bit
Add logic for using Auth.Period when handling auth login/renew requests (#3677) * Add logic for using Auth.Period when handling auth login/renew requests * Set auth.TTL if not set in handleLoginRequest * Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken * Get sysView from le.Path, revert tests * Add back auth.Policies * Fix TokenStore tests, add resp warning when capping values * Use switch for ttl/period check on RenewToken * Move comments around
2017-12-15 18:30:05 +00:00
time.Sleep(2 * time.Second)
Add another test and fix some output
2016-08-14 11:17:14 +00:00
req.Operation = logical.UpdateOperation
req.Path = "auth/token/renew-self"
req.Data = map[string]interface{}{
"increment": 1,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add another test and fix some output
2016-08-14 11:17:14 +00:00
}
req.Operation = logical.ReadOperation
req.Path = "auth/token/lookup-self"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Add another test and fix some output
2016-08-14 11:17:14 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
ttl = resp.Data["ttl"].(int64)
Add logic for using Auth.Period when handling auth login/renew requests (#3677) * Add logic for using Auth.Period when handling auth login/renew requests * Set auth.TTL if not set in handleLoginRequest * Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken * Get sysView from le.Path, revert tests * Add back auth.Policies * Fix TokenStore tests, add resp warning when capping values * Use switch for ttl/period check on RenewToken * Move comments around
2017-12-15 18:30:05 +00:00
if ttl > 2 {
t.Fatalf("TTL bad (expected less than %d, got %d)", 2, ttl)
Add some tests and fix some bugs
2016-08-13 18:03:22 +00:00
}
}
}
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
func TestTokenStore_NoDefaultPolicy(t *testing.T) {
var resp *logical.Response
var err error
Offline token revocation fix
2018-06-03 22:14:51 +00:00
core, _, root := TestCoreUnsealed(t)
ts := core.tokenStore
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
ps := core.policyStore
The big one (#5346)
2018-09-18 03:03:00 +00:00
policy, _ := ParseACLPolicy(namespace.RootNamespace, tokenCreationPolicy)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
policy.Name = "policy1"
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if err := ps.SetPolicy(namespace.RootContext(nil), policy); err != nil {
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
t.Fatal(err)
}
// Root token creates a token with desired policy. The created token
// should also have 'default' attached to it.
tokenData := map[string]interface{}{
"policies": []string{"policy1"},
}
tokenReq := &logical.Request{
Path: "create",
ClientToken: root,
Operation: logical.UpdateOperation,
Data: tokenData,
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "policy1"}) {
t.Fatalf("bad: policies: expected: [policy, default]; actual: %s", resp.Auth.Policies)
}
newToken := resp.Auth.ClientToken
// Root token creates a token with desired policy, but also requests
// that the token to not have 'default' policy. The resulting token
// should not have 'default' policy on it.
tokenData["no_default_policy"] = true
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if !reflect.DeepEqual(resp.Auth.Policies, []string{"policy1"}) {
t.Fatalf("bad: policies: expected: [policy1]; actual: %s", resp.Auth.Policies)
}
// A non-root token which has 'default' policy attached requests for a
// child token. Child token should also have 'default' policy attached.
tokenReq.ClientToken = newToken
tokenReq.Data = nil
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "policy1"}) {
t.Fatalf("bad: policies: expected: [default policy1]; actual: %s", resp.Auth.Policies)
}
Handle period's zero value in token store's token creation (#3880) * Handle period's zero value on handleCreateCommon * Add test for period zero value
2018-02-01 17:01:46 +00:00
// A non-root token which has 'default' policy attached and period explicitly
// set to its zero value requests for a child token. Child token should be
// successfully created and have 'default' policy attached.
tokenReq.Data = map[string]interface{}{
"period": "0s",
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, tokenReq)
Handle period's zero value in token store's token creation (#3880) * Handle period's zero value on handleCreateCommon * Add test for period zero value
2018-02-01 17:01:46 +00:00
if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "policy1"}) {
t.Fatalf("bad: policies: expected: [default policy1]; actual: %s", resp.Auth.Policies)
}
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
// A non-root token which has 'default' policy attached, request for a
// child token to not have 'default' policy while not sending a list
tokenReq.Data = map[string]interface{}{
"no_default_policy": true,
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if !reflect.DeepEqual(resp.Auth.Policies, []string{"policy1"}) {
t.Fatalf("bad: policies: expected: [policy1]; actual: %s", resp.Auth.Policies)
}
// In this case "default" shouldn't exist because we are not inheriting
// parent policies
tokenReq.Data = map[string]interface{}{
"policies": []string{"policy1"},
"no_default_policy": true,
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if !reflect.DeepEqual(resp.Auth.Policies, []string{"policy1"}) {
t.Fatalf("bad: policies: expected: [policy1]; actual: %s", resp.Auth.Policies)
}
// This is a non-root token which does not have 'default' policy
// attached
newToken = resp.Auth.ClientToken
tokenReq.Data = nil
tokenReq.ClientToken = newToken
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if !reflect.DeepEqual(resp.Auth.Policies, []string{"policy1"}) {
t.Fatalf("bad: policies: expected: [policy1]; actual: %s", resp.Auth.Policies)
}
roleReq := &logical.Request{
ClientToken: root,
Path: "roles/role1",
Operation: logical.CreateOperation,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), roleReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v, resp: %v", err, resp)
}
tokenReq.Path = "create/role1"
tokenReq.Data = map[string]interface{}{
"policies": []string{"policy1"},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v, resp: %v", err, resp)
}
if !reflect.DeepEqual(resp.Auth.Policies, []string{"policy1"}) {
t.Fatalf("bad: policies: expected: [policy1]; actual: %s", resp.Auth.Policies)
}
// If 'allowed_policies' in role does not have 'default' in it, the
// tokens generated using that role should still have the 'default' policy
// attached to them.
roleReq.Operation = logical.UpdateOperation
roleReq.Data = map[string]interface{}{
"allowed_policies": "policy1",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), roleReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v, resp: %v", err, resp)
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "policy1"}) {
t.Fatalf("bad: policies: expected: [default policy1]; actual: %s", resp.Auth.Policies)
}
// If 'allowed_policies' in role does not have 'default' in it, the
// tokens generated using that role should not have 'default' policy
// attached to them if disallowed_policies contains "default"
roleReq.Operation = logical.UpdateOperation
roleReq.Data = map[string]interface{}{
"allowed_policies": "policy1",
"disallowed_policies": "default",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), roleReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v, resp: %v", err, resp)
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if !reflect.DeepEqual(resp.Auth.Policies, []string{"policy1"}) {
t.Fatalf("bad: policies: expected: [policy1]; actual: %s", resp.Auth.Policies)
}
roleReq.Data = map[string]interface{}{
"allowed_policies": "",
"disallowed_policies": "default",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), roleReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v, resp: %v", err, resp)
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp = testMakeTokenViaRequest(t, ts, tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if !reflect.DeepEqual(resp.Auth.Policies, []string{"policy1"}) {
t.Fatalf("bad: policies: expected: [policy1]; actual: %s", resp.Auth.Policies)
}
// Ensure that if default is in both allowed and disallowed, disallowed wins
roleReq.Data = map[string]interface{}{
"allowed_policies": "default",
"disallowed_policies": "default",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), roleReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v, resp: %v", err, resp)
}
delete(tokenReq.Data, "policies")
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if err == nil || (resp != nil && !resp.IsError()) {
t.Fatalf("err: %v, resp: %v", err, resp)
}
}
func TestTokenStore_AllowedDisallowedPolicies(t *testing.T) {
var resp *logical.Response
var err error
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
roleReq := &logical.Request{
ClientToken: root,
Path: "roles/role1",
Operation: logical.CreateOperation,
Data: map[string]interface{}{
"allowed_policies": "allowed1,allowed2",
"disallowed_policies": "disallowed1,disallowed2",
},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), roleReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v, resp: %v", err, resp)
}
tokenReq := &logical.Request{
Path: "create/role1",
ClientToken: root,
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"policies": []string{"allowed1"},
},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
expected := []string{"allowed1", "default"}
if !reflect.DeepEqual(resp.Auth.Policies, expected) {
t.Fatalf("bad: expected:%#v actual:%#v", expected, resp.Auth.Policies)
}
// Try again with automatic default adding turned off
tokenReq = &logical.Request{
Path: "create/role1",
ClientToken: root,
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"policies": []string{"allowed1"},
"no_default_policy": true,
},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
expected = []string{"allowed1"}
if !reflect.DeepEqual(resp.Auth.Policies, expected) {
t.Fatalf("bad: expected:%#v actual:%#v", expected, resp.Auth.Policies)
}
tokenReq.Data = map[string]interface{}{
"policies": []string{"disallowed1"},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if err == nil {
t.Fatalf("expected an error")
}
roleReq.Operation = logical.UpdateOperation
roleReq.Data = map[string]interface{}{
"allowed_policies": "allowed1,common",
"disallowed_policies": "disallowed1,common",
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), roleReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v, resp: %v", err, resp)
}
tokenReq.Data = map[string]interface{}{
"policies": []string{"allowed1", "common"},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), tokenReq)
Don't add default policy to child token if parent does not have it (#2164)
2016-12-16 05:36:39 +00:00
if err == nil {
t.Fatalf("expected an error")
}
}
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
// Issue 2189
func TestTokenStore_RevokeUseCountToken(t *testing.T) {
var resp *logical.Response
var err error
cubbyFuncLock := &sync.RWMutex{}
cubbyFuncLock.Lock()
exp := mockExpiration(t)
ts := exp.tokenStore
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
root, _ := exp.tokenStore.rootToken(namespace.RootContext(nil))
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
tokenReq := &logical.Request{
Path: "create",
ClientToken: root.ID,
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"num_uses": 1,
},
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), tokenReq)
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
tut := resp.Auth.ClientToken
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
saltTut, err := ts.SaltID(namespace.RootContext(nil), tut)
Dynamically load and invalidate the token store salt (#3021) * Dynaically load and invalidate the token store salt * Pass salt function into the router
2017-07-18 16:02:03 +00:00
if err != nil {
t.Fatal(err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err := ts.lookupInternal(namespace.RootContext(nil), saltTut, true, false)
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
if err != nil {
t.Fatal(err)
}
if te == nil {
t.Fatal("nil entry")
}
if te.NumUses != 1 {
t.Fatalf("bad: %d", te.NumUses)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.UseToken(namespace.RootContext(nil), te)
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
if err != nil {
t.Fatal(err)
}
if te == nil {
t.Fatal("nil entry")
}
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
if te.NumUses != tokenRevocationPending {
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
t.Fatalf("bad: %d", te.NumUses)
}
// Should return no entry because it's tainted
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.lookupInternal(namespace.RootContext(nil), saltTut, true, false)
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
if err != nil {
t.Fatal(err)
}
if te != nil {
t.Fatalf("%#v", te)
}
// But it should show up in an API lookup call
req := &logical.Request{
Path: "lookup-self",
ClientToken: tut,
Operation: logical.UpdateOperation,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
if err != nil {
t.Fatal(err)
}
if resp == nil || resp.Data == nil || resp.Data["num_uses"] == nil {
t.Fatal("nil resp or data")
}
if resp.Data["num_uses"].(int) != -1 {
t.Fatalf("bad: %v", resp.Data["num_uses"])
}
// Should return tainted entries
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.lookupInternal(namespace.RootContext(nil), saltTut, true, true)
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
if err != nil {
t.Fatal(err)
}
if te == nil {
t.Fatal("nil entry")
}
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
if te.NumUses != tokenRevocationPending {
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
t.Fatalf("bad: %d", te.NumUses)
}
origDestroyCubbyhole := ts.cubbyholeDestroyer
The big one (#5346)
2018-09-18 03:03:00 +00:00
ts.cubbyholeDestroyer = func(context.Context, *TokenStore, *logical.TokenEntry) error {
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
return fmt.Errorf("keep it frosty")
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = ts.revokeInternal(namespace.RootContext(nil), saltTut, false)
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
if err == nil {
t.Fatalf("expected err")
}
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
// Since revocation failed we should still be able to get a token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.lookupInternal(namespace.RootContext(nil), saltTut, true, true)
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
if err != nil {
t.Fatal(err)
}
if te == nil {
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
t.Fatal("nil token entry")
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
}
// Check the race condition situation by making the process sleep
The big one (#5346)
2018-09-18 03:03:00 +00:00
ts.cubbyholeDestroyer = func(context.Context, *TokenStore, *logical.TokenEntry) error {
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
time.Sleep(1 * time.Second)
return fmt.Errorf("keep it frosty")
}
cubbyFuncLock.Unlock()
Fix token_store_test.go (#7490) * vault: fix dropped error in test goroutine * vault: fix dropped test errors
2019-09-18 21:18:08 +00:00
errCh := make(chan error)
defer close(errCh)
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
go func() {
cubbyFuncLock.RLock()
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err := ts.revokeInternal(namespace.RootContext(nil), saltTut, false)
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
cubbyFuncLock.RUnlock()
Fix token_store_test.go (#7490) * vault: fix dropped error in test goroutine * vault: fix dropped test errors
2019-09-18 21:18:08 +00:00
errCh <- err
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
}()
// Give time for the function to start and grab locks
time.Sleep(200 * time.Millisecond)
Fix token_store_test.go (#7490) * vault: fix dropped error in test goroutine * vault: fix dropped test errors
2019-09-18 21:18:08 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.lookupInternal(namespace.RootContext(nil), saltTut, true, true)
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
if err != nil {
t.Fatal(err)
}
if te == nil {
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
t.Fatal("nil token entry")
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
}
Fix token_store_test.go (#7490) * vault: fix dropped error in test goroutine * vault: fix dropped test errors
2019-09-18 21:18:08 +00:00
err = <-errCh
if err == nil {
t.Fatal("expected error on ts.revokeInternal() in anonymous goroutine")
}
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
// Put back to normal
cubbyFuncLock.Lock()
defer cubbyFuncLock.Unlock()
ts.cubbyholeDestroyer = origDestroyCubbyhole
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = ts.revokeInternal(namespace.RootContext(nil), saltTut, false)
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
if err != nil {
t.Fatal(err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.lookupInternal(namespace.RootContext(nil), saltTut, true, true)
Fix revocation of leases when num_uses goes to 0 (#2190)
2016-12-16 18:11:55 +00:00
if err != nil {
t.Fatal(err)
}
if te != nil {
t.Fatal("found entry")
}
}
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
// Create a token, delete the token entry while leaking accessors, invoke tidy
// and check if the dangling accessor entry is getting removed
func TestTokenStore_HandleTidyCase1(t *testing.T) {
var resp *logical.Response
var err error
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
// List the number of accessors. Since there is only root token
// present, the list operation should return only one key.
accessorListReq := &logical.Request{
Operation: logical.ListOperation,
Update tests to use the real accessors listing path
2018-03-26 18:21:36 +00:00
Path: "accessors/",
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
ClientToken: root,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), accessorListReq)
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
numberOfAccessors := len(resp.Data["keys"].([]string))
if numberOfAccessors != 1 {
t.Fatalf("bad: number of accessors. Expected: 1, Actual: %d", numberOfAccessors)
}
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
for i := 1; i <= 100; i++ {
// Create a regular token
tokenReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "create",
ClientToken: root,
Data: map[string]interface{}{
"policies": []string{"policy1"},
},
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp := testMakeTokenViaRequest(t, ts, tokenReq)
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
tut := resp.Auth.ClientToken
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
// Creation of another token should end up with incrementing
// the number of accessors
// the storage
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), accessorListReq)
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
numberOfAccessors = len(resp.Data["keys"].([]string))
if numberOfAccessors != i+1 {
t.Fatalf("bad: number of accessors. Expected: %d, Actual: %d", i+1, numberOfAccessors)
}
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
// Revoke the token while leaking other items associated with the
// token. Do this by doing what revokeSalted used to do before it was
// fixed, i.e., by deleting the storage entry for token and its
// cubbyhole and by not deleting its secondary index, its accessor and
// associated leases.
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
saltedTut, err := ts.SaltID(namespace.RootContext(nil), tut)
Dynamically load and invalidate the token store salt (#3021) * Dynaically load and invalidate the token store salt * Pass salt function into the router
2017-07-18 16:02:03 +00:00
if err != nil {
t.Fatal(err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err := ts.lookupInternal(namespace.RootContext(nil), saltedTut, true, true)
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
if err != nil {
t.Fatalf("failed to lookup token: %v", err)
}
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
// Destroy the token index
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if ts.idView(namespace.RootNamespace).Delete(namespace.RootContext(nil), saltedTut); err != nil {
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
t.Fatalf("failed to delete token entry: %v", err)
}
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
// Destroy the cubby space
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = ts.cubbyholeDestroyer(namespace.RootContext(nil), ts, te)
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
if err != nil {
t.Fatalf("failed to destroyCubbyhole: %v", err)
}
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
// Leaking of accessor should have resulted in no change to the number
// of accessors
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), accessorListReq)
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
numberOfAccessors = len(resp.Data["keys"].([]string))
if numberOfAccessors != i+1 {
t.Fatalf("bad: number of accessors. Expected: %d, Actual: %d", i+1, numberOfAccessors)
}
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
}
tidyReq := &logical.Request{
Path: "tidy",
Operation: logical.UpdateOperation,
ClientToken: root,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), tidyReq)
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
if err != nil {
t.Fatal(err)
}
if resp != nil && resp.IsError() {
t.Fatalf("resp: %#v", resp)
}
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
// Tidy runs async so give it time
time.Sleep(10 * time.Second)
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 20:40:34 +00:00
// Tidy should have removed all the dangling accessor entries
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), accessorListReq)
TokenStore: Added tidy endpoint (#2192)
2016-12-16 20:29:27 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
numberOfAccessors = len(resp.Data["keys"].([]string))
if numberOfAccessors != 1 {
t.Fatalf("bad: number of accessors. Expected: 1, Actual: %d", numberOfAccessors)
}
}
Add tidy expiration test
2016-12-16 21:46:29 +00:00
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
// Create a set of tokens along with a child token for each of them, delete the
// token entry while leaking accessors, invoke tidy and check if the dangling
// accessor entry is getting removed and check if child tokens are still present
// and turned into orphan tokens.
func TestTokenStore_HandleTidy_parentCleanup(t *testing.T) {
var resp *logical.Response
var err error
Offline token revocation fix
2018-06-03 22:14:51 +00:00
c, _, root := TestCoreUnsealed(t)
ts := c.tokenStore
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
// List the number of accessors. Since there is only root token
// present, the list operation should return only one key.
accessorListReq := &logical.Request{
Operation: logical.ListOperation,
Path: "accessors/",
ClientToken: root,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), accessorListReq)
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
numberOfAccessors := len(resp.Data["keys"].([]string))
if numberOfAccessors != 1 {
t.Fatalf("bad: number of accessors. Expected: 1, Actual: %d", numberOfAccessors)
}
for i := 1; i <= 100; i++ {
// Create a token
tokenReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "create",
ClientToken: root,
Data: map[string]interface{}{
"policies": []string{"policy1"},
},
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
resp := testMakeTokenViaRequest(t, ts, tokenReq)
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
tut := resp.Auth.ClientToken
// Create a child token
tokenReq = &logical.Request{
Operation: logical.UpdateOperation,
Path: "create",
ClientToken: tut,
Data: map[string]interface{}{
"policies": []string{"policy1"},
},
}
Offline token revocation fix
2018-06-03 22:14:51 +00:00
testMakeTokenViaRequest(t, ts, tokenReq)
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
// Creation of another token should end up with incrementing the number of
// accessors the storage
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), accessorListReq)
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
numberOfAccessors = len(resp.Data["keys"].([]string))
if numberOfAccessors != (i*2)+1 {
t.Fatalf("bad: number of accessors. Expected: %d, Actual: %d", i+1, numberOfAccessors)
}
// Revoke the token while leaking other items associated with the
// token. Do this by doing what revokeSalted used to do before it was
// fixed, i.e., by deleting the storage entry for token and its
// cubbyhole and by not deleting its secondary index, its accessor and
// associated leases.
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
saltedTut, err := ts.SaltID(namespace.RootContext(nil), tut)
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
if err != nil {
t.Fatal(err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err := ts.lookupInternal(namespace.RootContext(nil), saltedTut, true, true)
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
if err != nil {
t.Fatalf("failed to lookup token: %v", err)
}
// Destroy the token index
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if ts.idView(namespace.RootNamespace).Delete(namespace.RootContext(nil), saltedTut); err != nil {
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
t.Fatalf("failed to delete token entry: %v", err)
}
// Destroy the cubby space
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = ts.cubbyholeDestroyer(namespace.RootContext(nil), ts, te)
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
if err != nil {
t.Fatalf("failed to destroyCubbyhole: %v", err)
}
// Leaking of accessor should have resulted in no change to the number
// of accessors
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), accessorListReq)
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
numberOfAccessors = len(resp.Data["keys"].([]string))
if numberOfAccessors != (i*2)+1 {
t.Fatalf("bad: number of accessors. Expected: %d, Actual: %d", (i*2)+1, numberOfAccessors)
}
}
tidyReq := &logical.Request{
Path: "tidy",
Operation: logical.UpdateOperation,
ClientToken: root,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), tidyReq)
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
if err != nil {
t.Fatal(err)
}
if resp != nil && resp.IsError() {
t.Fatalf("resp: %#v", resp)
}
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
Add an idle timeout for the server (#4760) * Add an idle timeout for the server Because tidy operations can be long-running, this also changes all tidy operations to behave the same operationally (kick off the process, get a warning back, log errors to server log) and makes them all run in a goroutine. This could mean a sort of hard stop if Vault gets sealed because the function won't have the read lock. This should generally be okay (running tidy again should pick back up where it left off), but future work could use cleanup funcs to trigger the functions to stop. * Fix up tidy test * Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 22:21:33 +00:00
// Tidy runs async so give it time
time.Sleep(10 * time.Second)
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
// Tidy should have removed all the dangling accessor entries
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), accessorListReq)
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%v resp:%v", err, resp)
}
// The number of accessors should be equal to number of valid child tokens
// (100) + the root token (1)
keys := resp.Data["keys"].([]string)
numberOfAccessors = len(keys)
if numberOfAccessors != 101 {
t.Fatalf("bad: number of accessors. Expected: 1, Actual: %d", numberOfAccessors)
}
req := logical.TestRequest(t, logical.UpdateOperation, "lookup-accessor")
for _, accessor := range keys {
req.Data = map[string]interface{}{
"accessor": accessor,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
Token store deleted parent (#4193) * Handle removal of parent index on revoke-orphan and tidy operations * Refactor handleTidy to use same for loop children deletion of invalid parent entry * Update comments * Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans * Add orphan check to test * Update test comments * Fix TestTokenStore_Revoke_Orphan test * Address feedback, add explicit delete when parent prefix is empty * Revert explicit delete, add comment on why it's not done * Update comment to indicate ok on marking token as orphan * Fix test
2018-03-27 15:12:06 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
if resp.Data == nil {
t.Fatalf("response should contain data")
}
// These tokens should now be orphaned
if resp.Data["orphan"] != true {
t.Fatalf("token should be orphan")
}
}
}
Add tidy expiration test
2016-12-16 21:46:29 +00:00
func TestTokenStore_TidyLeaseRevocation(t *testing.T) {
exp := mockExpiration(t)
ts := exp.tokenStore
noop := &NoopBackend{}
_, barrier, _ := mockBarrier(t)
view := NewBarrierView(barrier, "logical/")
meUUID, err := uuid.GenerateUUID()
if err != nil {
t.Fatal(err)
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
err = exp.router.Mount(noop, "prod/aws/", &MountEntry{UUID: meUUID, Accessor: "awsaccessor", namespace: namespace.RootNamespace}, view)
fix token store tests
2017-07-01 20:06:15 +00:00
if err != nil {
t.Fatal(err)
}
Add tidy expiration test
2016-12-16 21:46:29 +00:00
// Create new token
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
root, err := ts.rootToken(namespace.RootContext(nil))
Add tidy expiration test
2016-12-16 21:46:29 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
// Create a new token
Add tidy expiration test
2016-12-16 21:46:29 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
req.ClientToken = root.ID
req.Data["policies"] = []string{"default"}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err := ts.HandleRequest(namespace.RootContext(nil), req)
update token store error assertions (#4485)
2018-04-29 11:47:42 +00:00
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err: %v\nresp: %#v", err, resp)
Add tidy expiration test
2016-12-16 21:46:29 +00:00
}
auth := &logical.Auth{
ClientToken: resp.Auth.ClientToken,
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
Renewable: true,
},
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
te := &logical.TokenEntry{
Path: resp.Auth.CreationPath,
NamespaceID: namespace.RootNamespaceID,
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
err = exp.RegisterAuth(namespace.RootContext(nil), te, auth)
Add tidy expiration test
2016-12-16 21:46:29 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
The big one (#5346)
2018-09-18 03:03:00 +00:00
// Verify token entry through lookup
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
testTokenEntry, err := ts.Lookup(namespace.RootContext(nil), resp.Auth.ClientToken)
The big one (#5346)
2018-09-18 03:03:00 +00:00
if err != nil {
t.Fatal(err)
}
if testTokenEntry == nil {
t.Fatal("token entry was nil")
}
Add tidy expiration test
2016-12-16 21:46:29 +00:00
tut := resp.Auth.ClientToken
req = &logical.Request{
Path: "prod/aws/foo",
ClientToken: tut,
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
req.SetTokenEntry(testTokenEntry)
Add tidy expiration test
2016-12-16 21:46:29 +00:00
resp = &logical.Response{
Secret: &logical.Secret{
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
},
},
}
leases := []string{}
for i := 0; i < 10; i++ {
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
leaseID, err := exp.Register(namespace.RootContext(nil), req, resp)
Add tidy expiration test
2016-12-16 21:46:29 +00:00
if err != nil {
t.Fatal(err)
}
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
leases = append(leases, leaseID)
Add tidy expiration test
2016-12-16 21:46:29 +00:00
}
sort.Strings(leases)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.lookupInternal(namespace.RootContext(nil), tut, false, true)
The big one (#5346)
2018-09-18 03:03:00 +00:00
if err != nil {
t.Fatalf("failed to lookup token: %v", err)
}
if te == nil {
t.Fatal("got nil token entry")
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
storedLeases, err := exp.lookupLeasesByToken(namespace.RootContext(nil), te)
Add tidy expiration test
2016-12-16 21:46:29 +00:00
if err != nil {
t.Fatal(err)
}
sort.Strings(storedLeases)
if !reflect.DeepEqual(leases, storedLeases) {
t.Fatalf("bad: %#v vs %#v", leases, storedLeases)
}
// Now, delete the token entry. The leases should still exist.
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
saltedTut, err := ts.SaltID(namespace.RootContext(nil), tut)
Dynamically load and invalidate the token store salt (#3021) * Dynaically load and invalidate the token store salt * Pass salt function into the router
2017-07-18 16:02:03 +00:00
if err != nil {
t.Fatal(err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.lookupInternal(namespace.RootContext(nil), saltedTut, true, true)
Add tidy expiration test
2016-12-16 21:46:29 +00:00
if err != nil {
t.Fatalf("failed to lookup token: %v", err)
}
if te == nil {
t.Fatal("got nil token entry")
}
// Destroy the token index
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
if ts.idView(namespace.RootNamespace).Delete(namespace.RootContext(nil), saltedTut); err != nil {
Add tidy expiration test
2016-12-16 21:46:29 +00:00
t.Fatalf("failed to delete token entry: %v", err)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err = ts.lookupInternal(namespace.RootContext(nil), saltedTut, true, true)
Add tidy expiration test
2016-12-16 21:46:29 +00:00
if err != nil {
t.Fatalf("failed to lookup token: %v", err)
}
if te != nil {
t.Fatal("got token entry")
}
// Verify leases still exist
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
storedLeases, err = exp.lookupLeasesByToken(namespace.RootContext(nil), testTokenEntry)
Add tidy expiration test
2016-12-16 21:46:29 +00:00
if err != nil {
t.Fatal(err)
}
sort.Strings(storedLeases)
if !reflect.DeepEqual(leases, storedLeases) {
t.Fatalf("bad: %#v vs %#v", leases, storedLeases)
}
// Call tidy
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
ts.handleTidy(namespace.RootContext(nil), &logical.Request{}, nil)
Add tidy expiration test
2016-12-16 21:46:29 +00:00
Token store tests (#4549) * Expand revocation test to cover non-registered tokens case * Bump sleep times back down a bit
2018-05-11 16:12:44 +00:00
time.Sleep(200 * time.Millisecond)
Token revocation refactor (#4512) * Hand off lease expiration to expiration manager via timers * Use sync.Map as the cache to track token deletion state * Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager * Update revoke and revoke-self handlers * Fix tests * revokeSalted: Move token entry deletion into the deferred func * Fix test race * Add blocking lease revocation test * Remove test log * Add HandlerFunc on NoopBackend, adjust locks, and add test * Add sleep to allow for revocations to settle * Various updates * Rename some functions and variables to be more clear * Change step-down and seal to use expmgr for revoke functionality like during request handling * Attempt to WAL the token as being invalid as soon as possible so that further usage will fail even if revocation does not fully complete * Address feedback * Return invalid lease on negative TTL * Revert "Return invalid lease on negative TTL" This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8. * Extend sleep on tests
2018-05-10 19:50:02 +00:00
Add tidy expiration test
2016-12-16 21:46:29 +00:00
// Verify leases are gone
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
storedLeases, err = exp.lookupLeasesByToken(namespace.RootContext(nil), testTokenEntry)
Add tidy expiration test
2016-12-16 21:46:29 +00:00
if err != nil {
t.Fatal(err)
}
if len(storedLeases) > 0 {
t.Fatal("found leases")
}
}
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
func TestTokenStore_Batch_CannotCreateChildren(t *testing.T) {
var resp *logical.Response
core, _, root := TestCoreUnsealed(t)
ts := core.tokenStore
req := &logical.Request{
Path: "create",
ClientToken: root,
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"policies": []string{"policy1"},
"type": "batch",
},
}
resp = testMakeTokenViaRequest(t, ts, req)
if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "policy1"}) {
t.Fatalf("bad: policies: expected: [policy, default]; actual: %s", resp.Auth.Policies)
}
req.ClientToken = resp.Auth.ClientToken
resp = testMakeTokenViaRequest(t, ts, req)
if !resp.IsError() {
t.Fatalf("bad: expected error, got %#v", *resp)
}
}
func TestTokenStore_Batch_CannotRevoke(t *testing.T) {
var resp *logical.Response
var err error
core, _, root := TestCoreUnsealed(t)
ts := core.tokenStore
req := &logical.Request{
Path: "create",
ClientToken: root,
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"policies": []string{"policy1"},
"type": "batch",
},
}
resp = testMakeTokenViaRequest(t, ts, req)
if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "policy1"}) {
t.Fatalf("bad: policies: expected: [policy, default]; actual: %s", resp.Auth.Policies)
}
req.Path = "revoke"
req.Data["token"] = resp.Auth.ClientToken
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = ts.HandleRequest(namespace.RootContext(nil), req)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if err != nil {
t.Fatal(err)
}
if !resp.IsError() {
t.Fatalf("bad: expected error, got %#v", *resp)
}
}
func TestTokenStore_Batch_NoCubbyhole(t *testing.T) {
var resp *logical.Response
var err error
core, _, root := TestCoreUnsealed(t)
ts := core.tokenStore
req := &logical.Request{
Path: "create",
ClientToken: root,
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"policies": []string{"policy1"},
"type": "batch",
},
}
resp = testMakeTokenViaRequest(t, ts, req)
if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "policy1"}) {
t.Fatalf("bad: policies: expected: [policy, default]; actual: %s", resp.Auth.Policies)
}
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
te, err := ts.Lookup(namespace.RootContext(nil), resp.Auth.ClientToken)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if err != nil {
t.Fatal(err)
}
req.Path = "cubbyhole/foo"
req.Operation = logical.CreateOperation
req.ClientToken = te.ID
req.SetTokenEntry(te)
Remove namespace.TestContext and namespace.TestNamespace (#5682)
2018-11-05 16:11:32 +00:00
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if err != nil && !errwrap.Contains(err, logical.ErrInvalidRequest.Error()) {
t.Fatal(err)
}
if !resp.IsError() {
t.Fatalf("bad: expected error, got %#v", *resp)
}
}
token: disallow periods on custom token IDs (#8646) * token: disallow periods on custom token IDs * docs: update token API docs
2020-04-27 16:39:33 +00:00
func TestTokenStore_TokenID(t *testing.T) {
t.Run("no custom ID provided", func(t *testing.T) {
c, _, initToken := TestCoreUnsealed(t)
ts := c.tokenStore
// Ensure that a regular service token has a "s." prefix
resp, err := ts.HandleRequest(namespace.RootContext(nil), &logical.Request{
ClientToken: initToken,
Path: "create",
Operation: logical.UpdateOperation,
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
if !strings.HasPrefix(resp.Auth.ClientToken, "s.") {
t.Fatalf("token %q does not have a 's.' prefix", resp.Auth.ClientToken)
}
})
t.Run("plain custom ID", func(t *testing.T) {
core, _, root := TestCoreUnsealed(t)
ts := core.tokenStore
resp, err := ts.HandleRequest(namespace.RootContext(nil), &logical.Request{
ClientToken: root,
Path: "create",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"id": "foobar",
},
})
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("bad: resp: %#v\nerr: %v", resp, err)
}
// Ensure that using a custom token ID results in a warning
expectedWarning := "Supplying a custom ID for the token uses the weaker SHA1 hashing instead of the more secure SHA2-256 HMAC for token obfuscation. SHA1 hashed tokens on the wire leads to less secure lookups."
if resp.Warnings[0] != expectedWarning {
t.Fatalf("expected warning not present")
}
})
t.Run("service token prefix in custom ID", func(t *testing.T) {
c, _, initToken := TestCoreUnsealed(t)
ts := c.tokenStore
// Ensure that custom token ID having a "s." prefix fails
resp, err := ts.HandleRequest(namespace.RootContext(nil), &logical.Request{
ClientToken: initToken,
Path: "create",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"id": "s.foobar",
},
})
if err == nil {
t.Fatalf("expected an error")
}
if resp.Error().Error() != "custom token ID cannot have the 's.' prefix" {
t.Fatalf("expected input error not present in error response")
}
})
t.Run("period in custom ID", func(t *testing.T) {
core, _, root := TestCoreUnsealed(t)
ts := core.tokenStore
resp, err := ts.HandleRequest(namespace.RootContext(nil), &logical.Request{
ClientToken: root,
Path: "create",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"id": "foobar.baz",
},
})
if err == nil {
t.Fatalf("expected an error")
}
if resp.Error().Error() != "custom token ID cannot have a '.' in the value" {
t.Fatalf("expected input error not present in error response")
}
})
}