open-vault/builtin/credential/aws/backend_e2e_test.go

package awsauth

import (
	"context"
	"testing"
	"time"

	hclog "github.com/hashicorp/go-hclog"
	"github.com/hashicorp/vault/api"
	vaulthttp "github.com/hashicorp/vault/http"
	"github.com/hashicorp/vault/sdk/helper/logging"
	"github.com/hashicorp/vault/sdk/logical"
	"github.com/hashicorp/vault/vault"
)

func TestBackend_E2E_Initialize(t *testing.T) {
	ctx := context.Background()

	// Set up the cluster.  This will trigger an Initialize(); we sleep briefly
	// awaiting its completion.
	cluster := setupAwsTestCluster(t, ctx)
	defer cluster.Cleanup()
	time.Sleep(time.Second)
	core := cluster.Cores[0]

	// Fetch the aws auth's path in storage.  This is a uuid that is different
	// every time we run the test
	authUuids, err := core.UnderlyingStorage.List(ctx, "auth/")
	if err != nil {
		t.Fatal(err)
	}
	if len(authUuids) != 1 {
		t.Fatalf("expected exactly one auth path")
	}
	awsPath := "auth/" + authUuids[0]

	// Make sure that the upgrade happened, by fishing the 'config/version'
	// entry out of storage.  We can't use core.Client.Logical().Read() to do
	// this, because 'config/version' hasn't been exposed as a path.
	version, err := core.UnderlyingStorage.Get(ctx, awsPath+"config/version")
	if err != nil {
		t.Fatal(err)
	}
	if version == nil {
		t.Fatalf("no config found")
	}

	// Nuke the version, so we can pretend that Initialize() has never been run
	if err := core.UnderlyingStorage.Delete(ctx, awsPath+"config/version"); err != nil {
		t.Fatal(err)
	}
	version, err = core.UnderlyingStorage.Get(ctx, awsPath+"config/version")
	if err != nil {
		t.Fatal(err)
	}
	if version != nil {
		t.Fatalf("version found")
	}

	// Create a role
	data := map[string]interface{}{
		"auth_type":       "ec2",
		"policies":        "default",
		"bound_subnet_id": "subnet-abcdef",
	}
	if _, err := core.Client.Logical().Write("auth/aws/role/test-role", data); err != nil {
		t.Fatal(err)
	}
	role, err := core.Client.Logical().Read("auth/aws/role/test-role")
	if err != nil {
		t.Fatal(err)
	}
	if role == nil {
		t.Fatalf("no role found")
	}

	// There should _still_ be no config version
	version, err = core.UnderlyingStorage.Get(ctx, awsPath+"config/version")
	if err != nil {
		t.Fatal(err)
	}
	if version != nil {
		t.Fatalf("version found")
	}

	// Seal, and then Unseal. This will once again trigger an Initialize(),
	// only this time there will be a role present during the upgrade.
	core.Seal(t)
	cluster.UnsealCores(t)
	time.Sleep(time.Second)

	// Now the config version should be there again
	version, err = core.UnderlyingStorage.Get(ctx, awsPath+"config/version")
	if err != nil {
		t.Fatal(err)
	}
	if version == nil {
		t.Fatalf("no version found")
	}
}

func setupAwsTestCluster(t *testing.T, _ context.Context) *vault.TestCluster {
	// create a cluster with the aws auth backend built-in
	logger := logging.NewVaultLogger(hclog.Trace)
	coreConfig := &vault.CoreConfig{
		Logger: logger,
		CredentialBackends: map[string]logical.Factory{
			"aws": Factory,
		},
	}
	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
		NumCores:    1,
		HandlerFunc: vaulthttp.Handler,
	})

	cluster.Start()
	if len(cluster.Cores) != 1 {
		t.Fatalf("expected exactly one core")
	}
	core := cluster.Cores[0]
	vault.TestWaitActive(t, core.Core)

	// load the auth plugin
	if err := core.Client.Sys().EnableAuthWithOptions("aws", &api.EnableAuthOptions{
		Type: "aws",
	}); err != nil {
		t.Fatal(err)
	}

	return cluster
}
AWS upgrade role entries (#7025) * upgrade aws roles * test upgrade aws roles * Initialize aws credential backend at mount time * add a TODO * create end-to-end test for builtin/credential/aws * fix bug in initializer * improve comments * add Initialize() to logical.Backend * use Initialize() in Core.enableCredentialInternal() * use InitializeRequest to call Initialize() * improve unit testing for framework.Backend * call logical.Backend.Initialize() from all of the places that it needs to be called. * implement backend.proto changes for logical.Backend.Initialize() * persist current role storage version when upgrading aws roles * format comments correctly * improve comments * use postUnseal funcs to initialize backends * simplify test suite * improve test suite * simplify logic in aws role upgrade * simplify aws credential initialization logic * simplify logic in aws role upgrade * use the core's activeContext for initialization * refactor builtin/plugin/Backend * use a goroutine to upgrade the aws roles * misc improvements and cleanup * do not run AWS role upgrade on DR Secondary * always call logical.Backend.Initialize() when loading a plugin. * improve comments * on standbys and DR secondaries we do not want to run any kind of upgrade logic * fix awsVersion struct * clarify aws version upgrade * make the upgrade logic for aws auth more explicit * aws upgrade is now called from a switch * fix fallthrough bug * simplify logic * simplify logic * rename things * introduce currentAwsVersion const to track aws version * improve comments * rearrange things once more * conglomerate things into one function * stub out aws auth initialize e2e test * improve aws auth initialize e2e test * finish aws auth initialize e2e test * tinker with aws auth initialize e2e test * tinker with aws auth initialize e2e test * tinker with aws auth initialize e2e test * fix typo in test suite * simplify logic a tad * rearrange assignment * Fix a few lifecycle related issues in #7025 (#7075) * Fix panic when plugin fails to load 2019-07-05 23:55:40 +00:00			`package awsauth`

			`import (`
			`"context"`
			`"testing"`
			`"time"`

			`hclog "github.com/hashicorp/go-hclog"`
			`"github.com/hashicorp/vault/api"`
			`vaulthttp "github.com/hashicorp/vault/http"`
			`"github.com/hashicorp/vault/sdk/helper/logging"`
			`"github.com/hashicorp/vault/sdk/logical"`
			`"github.com/hashicorp/vault/vault"`
			`)`

			`func TestBackend_E2E_Initialize(t *testing.T) {`
			`ctx := context.Background()`

			`// Set up the cluster. This will trigger an Initialize(); we sleep briefly`
			`// awaiting its completion.`
			`cluster := setupAwsTestCluster(t, ctx)`
			`defer cluster.Cleanup()`
			`time.Sleep(time.Second)`
			`core := cluster.Cores[0]`

			`// Fetch the aws auth's path in storage. This is a uuid that is different`
			`// every time we run the test`
			`authUuids, err := core.UnderlyingStorage.List(ctx, "auth/")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if len(authUuids) != 1 {`
			`t.Fatalf("expected exactly one auth path")`
			`}`
			`awsPath := "auth/" + authUuids[0]`

			`// Make sure that the upgrade happened, by fishing the 'config/version'`
			`// entry out of storage. We can't use core.Client.Logical().Read() to do`
			`// this, because 'config/version' hasn't been exposed as a path.`
			`version, err := core.UnderlyingStorage.Get(ctx, awsPath+"config/version")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if version == nil {`
			`t.Fatalf("no config found")`
			`}`

			`// Nuke the version, so we can pretend that Initialize() has never been run`
			`if err := core.UnderlyingStorage.Delete(ctx, awsPath+"config/version"); err != nil {`
			`t.Fatal(err)`
			`}`
			`version, err = core.UnderlyingStorage.Get(ctx, awsPath+"config/version")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if version != nil {`
			`t.Fatalf("version found")`
			`}`

			`// Create a role`
			`data := map[string]interface{}{`
			`"auth_type": "ec2",`
			`"policies": "default",`
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor 2021-04-08 16:43:39 +00:00			`"bound_subnet_id": "subnet-abcdef",`
			`}`
AWS upgrade role entries (#7025) * upgrade aws roles * test upgrade aws roles * Initialize aws credential backend at mount time * add a TODO * create end-to-end test for builtin/credential/aws * fix bug in initializer * improve comments * add Initialize() to logical.Backend * use Initialize() in Core.enableCredentialInternal() * use InitializeRequest to call Initialize() * improve unit testing for framework.Backend * call logical.Backend.Initialize() from all of the places that it needs to be called. * implement backend.proto changes for logical.Backend.Initialize() * persist current role storage version when upgrading aws roles * format comments correctly * improve comments * use postUnseal funcs to initialize backends * simplify test suite * improve test suite * simplify logic in aws role upgrade * simplify aws credential initialization logic * simplify logic in aws role upgrade * use the core's activeContext for initialization * refactor builtin/plugin/Backend * use a goroutine to upgrade the aws roles * misc improvements and cleanup * do not run AWS role upgrade on DR Secondary * always call logical.Backend.Initialize() when loading a plugin. * improve comments * on standbys and DR secondaries we do not want to run any kind of upgrade logic * fix awsVersion struct * clarify aws version upgrade * make the upgrade logic for aws auth more explicit * aws upgrade is now called from a switch * fix fallthrough bug * simplify logic * simplify logic * rename things * introduce currentAwsVersion const to track aws version * improve comments * rearrange things once more * conglomerate things into one function * stub out aws auth initialize e2e test * improve aws auth initialize e2e test * finish aws auth initialize e2e test * tinker with aws auth initialize e2e test * tinker with aws auth initialize e2e test * tinker with aws auth initialize e2e test * fix typo in test suite * simplify logic a tad * rearrange assignment * Fix a few lifecycle related issues in #7025 (#7075) * Fix panic when plugin fails to load 2019-07-05 23:55:40 +00:00			`if _, err := core.Client.Logical().Write("auth/aws/role/test-role", data); err != nil {`
			`t.Fatal(err)`
			`}`
			`role, err := core.Client.Logical().Read("auth/aws/role/test-role")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if role == nil {`
			`t.Fatalf("no role found")`
			`}`

			`// There should _still_ be no config version`
			`version, err = core.UnderlyingStorage.Get(ctx, awsPath+"config/version")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if version != nil {`
			`t.Fatalf("version found")`
			`}`

			`// Seal, and then Unseal. This will once again trigger an Initialize(),`
			`// only this time there will be a role present during the upgrade.`
			`core.Seal(t)`
			`cluster.UnsealCores(t)`
			`time.Sleep(time.Second)`

			`// Now the config version should be there again`
			`version, err = core.UnderlyingStorage.Get(ctx, awsPath+"config/version")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if version == nil {`
			`t.Fatalf("no version found")`
			`}`
			`}`

AWS credential plugin maintenance (#7114) 2019-07-31 23:11:35 +00:00			`func setupAwsTestCluster(t testing.T, _ context.Context) vault.TestCluster {`
AWS upgrade role entries (#7025) * upgrade aws roles * test upgrade aws roles * Initialize aws credential backend at mount time * add a TODO * create end-to-end test for builtin/credential/aws * fix bug in initializer * improve comments * add Initialize() to logical.Backend * use Initialize() in Core.enableCredentialInternal() * use InitializeRequest to call Initialize() * improve unit testing for framework.Backend * call logical.Backend.Initialize() from all of the places that it needs to be called. * implement backend.proto changes for logical.Backend.Initialize() * persist current role storage version when upgrading aws roles * format comments correctly * improve comments * use postUnseal funcs to initialize backends * simplify test suite * improve test suite * simplify logic in aws role upgrade * simplify aws credential initialization logic * simplify logic in aws role upgrade * use the core's activeContext for initialization * refactor builtin/plugin/Backend * use a goroutine to upgrade the aws roles * misc improvements and cleanup * do not run AWS role upgrade on DR Secondary * always call logical.Backend.Initialize() when loading a plugin. * improve comments * on standbys and DR secondaries we do not want to run any kind of upgrade logic * fix awsVersion struct * clarify aws version upgrade * make the upgrade logic for aws auth more explicit * aws upgrade is now called from a switch * fix fallthrough bug * simplify logic * simplify logic * rename things * introduce currentAwsVersion const to track aws version * improve comments * rearrange things once more * conglomerate things into one function * stub out aws auth initialize e2e test * improve aws auth initialize e2e test * finish aws auth initialize e2e test * tinker with aws auth initialize e2e test * tinker with aws auth initialize e2e test * tinker with aws auth initialize e2e test * fix typo in test suite * simplify logic a tad * rearrange assignment * Fix a few lifecycle related issues in #7025 (#7075) * Fix panic when plugin fails to load 2019-07-05 23:55:40 +00:00			`// create a cluster with the aws auth backend built-in`
			`logger := logging.NewVaultLogger(hclog.Trace)`
			`coreConfig := &vault.CoreConfig{`
			`Logger: logger,`
			`CredentialBackends: map[string]logical.Factory{`
			`"aws": Factory,`
			`},`
			`}`
			`cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{`
			`NumCores: 1,`
			`HandlerFunc: vaulthttp.Handler,`
			`})`

			`cluster.Start()`
			`if len(cluster.Cores) != 1 {`
			`t.Fatalf("expected exactly one core")`
			`}`
			`core := cluster.Cores[0]`
			`vault.TestWaitActive(t, core.Core)`

			`// load the auth plugin`
			`if err := core.Client.Sys().EnableAuthWithOptions("aws", &api.EnableAuthOptions{`
			`Type: "aws",`
			`}); err != nil {`
			`t.Fatal(err)`
			`}`

			`return cluster`
			`}`