open-vault/vault/logical_system_integ_test.go

package vault_test

import (
	"io/ioutil"
	"os"
	"testing"
	"time"

	"github.com/hashicorp/vault/builtin/plugin"
	"github.com/hashicorp/vault/helper/logformat"
	"github.com/hashicorp/vault/helper/pluginutil"
	"github.com/hashicorp/vault/http"
	"github.com/hashicorp/vault/logical"
	lplugin "github.com/hashicorp/vault/logical/plugin"
	"github.com/hashicorp/vault/logical/plugin/mock"
	"github.com/hashicorp/vault/vault"
	log "github.com/mgutz/logxi/v1"
)

func TestSystemBackend_enableAuth_plugin(t *testing.T) {
	coreConfig := &vault.CoreConfig{
		CredentialBackends: map[string]logical.Factory{
			"plugin": plugin.Factory,
		},
	}

	cluster := vault.NewTestCluster(t, coreConfig, true)
	cluster.StartListeners()
	defer cluster.CloseListeners()
	cores := cluster.Cores

	cores[0].Handler.Handle("/", http.Handler(cores[0].Core))
	cores[1].Handler.Handle("/", http.Handler(cores[1].Core))
	cores[2].Handler.Handle("/", http.Handler(cores[2].Core))

	core := cores[0]

	b := vault.NewSystemBackend(core.Core)
	logger := logformat.NewVaultLogger(log.LevelTrace)
	bc := &logical.BackendConfig{
		Logger: logger,
		System: logical.StaticSystemView{
			DefaultLeaseTTLVal: time.Hour * 24,
			MaxLeaseTTLVal:     time.Hour * 24 * 32,
		},
	}

	err := b.Backend.Setup(bc)
	if err != nil {
		t.Fatal(err)
	}

	vault.TestAddTestPlugin(t, core.Core, "mock-plugin", "TestBackend_PluginMain")

	req := logical.TestRequest(t, logical.UpdateOperation, "auth/mock-plugin")
	req.Data["type"] = "plugin"
	req.Data["plugin_name"] = "mock-plugin"

	resp, err := b.HandleRequest(req)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	if resp != nil {
		t.Fatalf("bad: %v", resp)
	}
}

func TestBackend_PluginMain(t *testing.T) {
	if os.Getenv(pluginutil.PluginUnwrapTokenEnv) == "" {
		return
	}

	content := []byte(vault.TestClusterCACert)
	tmpfile, err := ioutil.TempFile("", "test-cacert")
	if err != nil {
		t.Fatal(err)
	}

	defer os.Remove(tmpfile.Name()) // clean up

	if _, err := tmpfile.Write(content); err != nil {
		t.Fatal(err)
	}
	if err := tmpfile.Close(); err != nil {
		t.Fatal(err)
	}

	factoryFunc := mock.FactoryType(logical.TypeCredential)

	args := []string{"--ca-cert=" + tmpfile.Name()}

	apiClientMeta := &pluginutil.APIClientMeta{}
	flags := apiClientMeta.FlagSet()
	flags.Parse(args)
	tlsConfig := apiClientMeta.GetTLSConfig()
	tlsProviderFunc := pluginutil.VaultPluginTLSProvider(tlsConfig)
	err = lplugin.Serve(&lplugin.ServeOpts{
		BackendFactoryFunc: factoryFunc,
		TLSProviderFunc:    tlsProviderFunc,
	})
	if err != nil {
		t.Fatal(err)
	}
}
Backend plugin system (#2874) * Add backend plugin changes * Fix totp backend plugin tests * Fix logical/plugin InvalidateKey test * Fix plugin catalog CRUD test, fix NoopBackend * Clean up commented code block * Fix system backend mount test * Set plugin_name to omitempty, fix handleMountTable config parsing * Clean up comments, keep shim connections alive until cleanup * Include pluginClient, disallow LookupPlugin call from within a plugin * Add wrapper around backendPluginClient for proper cleanup * Add logger shim tests * Add logger, storage, and system shim tests * Use pointer receivers for system view shim * Use plugin name if no path is provided on mount * Enable plugins for auth backends * Add backend type attribute, move builtin/plugin/package * Fix merge conflict * Fix missing plugin name in mount config * Add integration tests on enabling auth backend plugins * Remove dependency cycle on mock-plugin * Add passthrough backend plugin, use logical.BackendType to determine lease generation * Remove vault package dependency on passthrough package * Add basic impl test for passthrough plugin * Incorporate feedback; set b.backend after shims creation on backendPluginServer * Fix totp plugin test * Add plugin backends docs * Fix tests * Fix builtin/plugin tests * Remove flatten from PluginRunner fields * Move mock plugin to logical/plugin, remove totp and passthrough plugins * Move pluginMap into newPluginClient * Do not create storage RPC connection on HandleRequest and HandleExistenceCheck * Change shim logger's Fatal to no-op * Change BackendType to uint32, match UX backend types * Change framework.Backend Setup signature * Add Setup func to logical.Backend interface * Move OptionallyEnableMlock call into plugin.Serve, update docs and comments * Remove commented var in plugin package * RegisterLicense on logical.Backend interface (#3017) * Add RegisterLicense to logical.Backend interface * Update RegisterLicense to use callback func on framework.Backend * Refactor framework.Backend.RegisterLicense * plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs * plugin: Revert BackendType to remove TypePassthrough and related references * Fix typo in plugin backends docs 2017-07-20 17:28:40 +00:00			`package vault_test`

			`import (`
			`"io/ioutil"`
			`"os"`
			`"testing"`
			`"time"`

			`"github.com/hashicorp/vault/builtin/plugin"`
			`"github.com/hashicorp/vault/helper/logformat"`
			`"github.com/hashicorp/vault/helper/pluginutil"`
			`"github.com/hashicorp/vault/http"`
			`"github.com/hashicorp/vault/logical"`
			`lplugin "github.com/hashicorp/vault/logical/plugin"`
			`"github.com/hashicorp/vault/logical/plugin/mock"`
			`"github.com/hashicorp/vault/vault"`
			`log "github.com/mgutz/logxi/v1"`
			`)`

			`func TestSystemBackend_enableAuth_plugin(t *testing.T) {`
			`coreConfig := &vault.CoreConfig{`
			`CredentialBackends: map[string]logical.Factory{`
			`"plugin": plugin.Factory,`
			`},`
			`}`

			`cluster := vault.NewTestCluster(t, coreConfig, true)`
			`cluster.StartListeners()`
			`defer cluster.CloseListeners()`
			`cores := cluster.Cores`

			`cores[0].Handler.Handle("/", http.Handler(cores[0].Core))`
			`cores[1].Handler.Handle("/", http.Handler(cores[1].Core))`
			`cores[2].Handler.Handle("/", http.Handler(cores[2].Core))`

			`core := cores[0]`

			`b := vault.NewSystemBackend(core.Core)`
			`logger := logformat.NewVaultLogger(log.LevelTrace)`
			`bc := &logical.BackendConfig{`
			`Logger: logger,`
			`System: logical.StaticSystemView{`
			`DefaultLeaseTTLVal: time.Hour * 24,`
			`MaxLeaseTTLVal: time.Hour * 24 * 32,`
			`},`
			`}`

			`err := b.Backend.Setup(bc)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`vault.TestAddTestPlugin(t, core.Core, "mock-plugin", "TestBackend_PluginMain")`

			`req := logical.TestRequest(t, logical.UpdateOperation, "auth/mock-plugin")`
			`req.Data["type"] = "plugin"`
			`req.Data["plugin_name"] = "mock-plugin"`

			`resp, err := b.HandleRequest(req)`
			`if err != nil {`
			`t.Fatalf("err: %v", err)`
			`}`
			`if resp != nil {`
			`t.Fatalf("bad: %v", resp)`
			`}`
			`}`

			`func TestBackend_PluginMain(t *testing.T) {`
			`if os.Getenv(pluginutil.PluginUnwrapTokenEnv) == "" {`
			`return`
			`}`

			`content := []byte(vault.TestClusterCACert)`
			`tmpfile, err := ioutil.TempFile("", "test-cacert")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`defer os.Remove(tmpfile.Name()) // clean up`

			`if _, err := tmpfile.Write(content); err != nil {`
			`t.Fatal(err)`
			`}`
			`if err := tmpfile.Close(); err != nil {`
			`t.Fatal(err)`
			`}`

			`factoryFunc := mock.FactoryType(logical.TypeCredential)`

			`args := []string{"--ca-cert=" + tmpfile.Name()}`

			`apiClientMeta := &pluginutil.APIClientMeta{}`
			`flags := apiClientMeta.FlagSet()`
			`flags.Parse(args)`
			`tlsConfig := apiClientMeta.GetTLSConfig()`
			`tlsProviderFunc := pluginutil.VaultPluginTLSProvider(tlsConfig)`
			`err = lplugin.Serve(&lplugin.ServeOpts{`
			`BackendFactoryFunc: factoryFunc,`
			`TLSProviderFunc: tlsProviderFunc,`
			`})`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`}`