open-vault/command/auth_test.go

401 lines
7.6 KiB
Go
Raw Normal View History

2015-03-29 23:42:45 +00:00
package command
import (
"fmt"
"io"
2015-03-30 17:55:41 +00:00
"io/ioutil"
"os"
"path/filepath"
2015-04-02 00:01:10 +00:00
"strings"
2015-03-29 23:42:45 +00:00
"testing"
credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
"github.com/hashicorp/vault/logical"
2015-04-06 16:53:43 +00:00
"github.com/hashicorp/vault/api"
2015-03-31 22:15:08 +00:00
"github.com/hashicorp/vault/http"
2016-04-01 17:16:05 +00:00
"github.com/hashicorp/vault/meta"
2015-03-31 22:15:08 +00:00
"github.com/hashicorp/vault/vault"
2015-03-29 23:42:45 +00:00
"github.com/mitchellh/cli"
)
2015-04-02 00:01:10 +00:00
func TestAuth_methods(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
testAuthInit(t)
ui := new(cli.MockUi)
c := &AuthCommand{
2016-04-01 17:16:05 +00:00
Meta: meta.Meta{
2015-04-02 00:01:10 +00:00
ClientToken: token,
Ui: ui,
2016-04-01 18:23:15 +00:00
TokenHelper: DefaultTokenHelper,
2015-04-02 00:01:10 +00:00
},
}
args := []string{
"-address", addr,
"-methods",
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
output := ui.OutputWriter.String()
if !strings.Contains(output, "token") {
t.Fatalf("bad: %#v", output)
}
}
2015-03-30 17:55:41 +00:00
func TestAuth_token(t *testing.T) {
2015-03-31 22:15:08 +00:00
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
2015-03-30 17:55:41 +00:00
testAuthInit(t)
ui := new(cli.MockUi)
c := &AuthCommand{
2016-04-01 17:16:05 +00:00
Meta: meta.Meta{
2016-04-01 18:23:15 +00:00
Ui: ui,
TokenHelper: DefaultTokenHelper,
2015-03-30 17:55:41 +00:00
},
}
args := []string{
2015-03-31 22:15:08 +00:00
"-address", addr,
token,
2015-03-30 17:55:41 +00:00
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
helper, err := c.TokenHelper()
2015-03-30 17:55:41 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
actual, err := helper.Get()
if err != nil {
t.Fatalf("err: %s", err)
}
2015-03-31 22:15:08 +00:00
if actual != token {
2015-03-30 17:55:41 +00:00
t.Fatalf("bad: %s", actual)
}
}
func TestAuth_wrapping(t *testing.T) {
baseConfig := &vault.CoreConfig{
CredentialBackends: map[string]logical.Factory{
"userpass": credUserpass.Factory,
},
}
cluster := vault.NewTestCluster(t, baseConfig, &vault.TestClusterOptions{
HandlerFunc: http.Handler,
BaseListenAddress: "127.0.0.1:8200",
})
cluster.Start()
defer cluster.Cleanup()
testAuthInit(t)
client := cluster.Cores[0].Client
err := client.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{
Type: "userpass",
})
if err != nil {
t.Fatal(err)
}
_, err = client.Logical().Write("auth/userpass/users/foo", map[string]interface{}{
"password": "bar",
"policies": "zip,zap",
})
if err != nil {
t.Fatal(err)
}
ui := new(cli.MockUi)
c := &AuthCommand{
Meta: meta.Meta{
Ui: ui,
TokenHelper: DefaultTokenHelper,
},
Handlers: map[string]AuthHandler{
"userpass": &credUserpass.CLIHandler{DefaultMount: "userpass"},
},
}
args := []string{
"-address",
"https://127.0.0.1:8200",
"-tls-skip-verify",
"-method",
"userpass",
"username=foo",
"password=bar",
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
// Test again with wrapping
ui = new(cli.MockUi)
c = &AuthCommand{
Meta: meta.Meta{
Ui: ui,
TokenHelper: DefaultTokenHelper,
},
Handlers: map[string]AuthHandler{
"userpass": &credUserpass.CLIHandler{DefaultMount: "userpass"},
},
}
args = []string{
"-address",
"https://127.0.0.1:8200",
"-tls-skip-verify",
"-wrap-ttl",
"5m",
"-method",
"userpass",
"username=foo",
"password=bar",
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
// Test again with no-store
ui = new(cli.MockUi)
c = &AuthCommand{
Meta: meta.Meta{
Ui: ui,
TokenHelper: DefaultTokenHelper,
},
Handlers: map[string]AuthHandler{
"userpass": &credUserpass.CLIHandler{DefaultMount: "userpass"},
},
}
args = []string{
"-address",
"https://127.0.0.1:8200",
"-tls-skip-verify",
"-wrap-ttl",
"5m",
"-no-store",
"-method",
"userpass",
"username=foo",
"password=bar",
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
// Test again with wrapping and token-only
ui = new(cli.MockUi)
c = &AuthCommand{
Meta: meta.Meta{
Ui: ui,
TokenHelper: DefaultTokenHelper,
},
Handlers: map[string]AuthHandler{
"userpass": &credUserpass.CLIHandler{DefaultMount: "userpass"},
},
}
args = []string{
"-address",
"https://127.0.0.1:8200",
"-tls-skip-verify",
"-wrap-ttl",
"5m",
"-token-only",
"-method",
"userpass",
"username=foo",
"password=bar",
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
token := strings.TrimSpace(ui.OutputWriter.String())
if token == "" {
t.Fatal("expected to find token in output")
}
secret, err := client.Logical().Unwrap(token)
if err != nil {
t.Fatal(err)
}
if secret.Auth.ClientToken == "" {
t.Fatal("no client token found")
}
}
func TestAuth_token_nostore(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
testAuthInit(t)
ui := new(cli.MockUi)
c := &AuthCommand{
Meta: meta.Meta{
Ui: ui,
TokenHelper: DefaultTokenHelper,
},
}
args := []string{
"-address", addr,
"-no-store",
token,
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
helper, err := c.TokenHelper()
if err != nil {
t.Fatalf("err: %s", err)
}
actual, err := helper.Get()
if err != nil {
t.Fatalf("err: %s", err)
}
if actual != "" {
t.Fatalf("bad: %s", actual)
}
}
func TestAuth_stdin(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
testAuthInit(t)
stdinR, stdinW := io.Pipe()
ui := new(cli.MockUi)
c := &AuthCommand{
2016-04-01 17:16:05 +00:00
Meta: meta.Meta{
2016-04-01 18:23:15 +00:00
Ui: ui,
TokenHelper: DefaultTokenHelper,
},
testStdin: stdinR,
}
go func() {
stdinW.Write([]byte(token))
stdinW.Close()
}()
args := []string{
"-address", addr,
"-",
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
}
func TestAuth_badToken(t *testing.T) {
core, _, _ := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
testAuthInit(t)
ui := new(cli.MockUi)
c := &AuthCommand{
2016-04-01 17:16:05 +00:00
Meta: meta.Meta{
2016-04-01 18:23:15 +00:00
Ui: ui,
TokenHelper: DefaultTokenHelper,
},
}
args := []string{
"-address", addr,
"not-a-valid-token",
}
if code := c.Run(args); code != 1 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
}
2015-04-06 16:40:47 +00:00
func TestAuth_method(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
testAuthInit(t)
ui := new(cli.MockUi)
c := &AuthCommand{
Handlers: map[string]AuthHandler{
"test": &testAuthHandler{},
},
2016-04-01 17:16:05 +00:00
Meta: meta.Meta{
2016-04-01 18:23:15 +00:00
Ui: ui,
TokenHelper: DefaultTokenHelper,
2015-04-06 16:40:47 +00:00
},
}
args := []string{
"-address", addr,
"-method=test",
2015-04-08 06:29:49 +00:00
"foo=" + token,
2015-04-06 16:40:47 +00:00
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
helper, err := c.TokenHelper()
2015-04-06 16:40:47 +00:00
if err != nil {
t.Fatalf("err: %s", err)
}
actual, err := helper.Get()
if err != nil {
t.Fatalf("err: %s", err)
}
if actual != token {
t.Fatalf("bad: %s", actual)
}
}
2015-03-30 17:55:41 +00:00
func testAuthInit(t *testing.T) {
td, err := ioutil.TempDir("", "vault")
if err != nil {
t.Fatalf("err: %s", err)
}
// Set the HOME env var so we get that right
2015-03-30 17:55:41 +00:00
os.Setenv("HOME", td)
// Write a .vault config to use our custom token helper
config := fmt.Sprintf(
"token_helper = \"\"\n")
ioutil.WriteFile(filepath.Join(td, ".vault"), []byte(config), 0644)
}
2015-04-06 16:40:47 +00:00
type testAuthHandler struct{}
func (h *testAuthHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) {
return &api.Secret{
Auth: &api.SecretAuth{
ClientToken: m["foo"],
},
}, nil
2015-04-06 16:40:47 +00:00
}
func (h *testAuthHandler) Help() string { return "" }