Backend plugin system (#2874)
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017)
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
|
|
|
package vault_test
|
|
|
|
|
|
|
|
import (
|
2017-08-08 04:18:59 +00:00
|
|
|
"fmt"
|
Backend plugin system (#2874)
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017)
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
|
|
|
"testing"
|
2017-09-01 05:02:03 +00:00
|
|
|
"time"
|
Backend plugin system (#2874)
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017)
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
|
|
|
|
2018-04-20 18:19:04 +00:00
|
|
|
"github.com/go-test/deep"
|
2021-11-30 19:49:58 +00:00
|
|
|
"github.com/hashicorp/go-hclog"
|
2018-04-20 18:19:04 +00:00
|
|
|
"github.com/hashicorp/vault/api"
|
2017-07-31 15:28:06 +00:00
|
|
|
vaulthttp "github.com/hashicorp/vault/http"
|
2021-11-30 19:49:58 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/helper/logging"
|
|
|
|
"github.com/hashicorp/vault/sdk/physical"
|
|
|
|
"github.com/hashicorp/vault/sdk/physical/inmem"
|
Backend plugin system (#2874)
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017)
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
|
|
|
"github.com/hashicorp/vault/vault"
|
2022-12-07 18:29:51 +00:00
|
|
|
"github.com/hashicorp/vault/version"
|
Backend plugin system (#2874)
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017)
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
|
|
|
)
|
|
|
|
|
2018-04-20 18:19:04 +00:00
|
|
|
func TestSystemBackend_InternalUIResultantACL(t *testing.T) {
|
2022-09-16 13:53:16 +00:00
|
|
|
t.Parallel()
|
2018-04-20 18:19:04 +00:00
|
|
|
cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
|
|
|
|
HandlerFunc: vaulthttp.Handler,
|
2022-09-16 13:53:16 +00:00
|
|
|
NumCores: 1,
|
2018-04-20 18:19:04 +00:00
|
|
|
})
|
|
|
|
cluster.Start()
|
|
|
|
defer cluster.Cleanup()
|
|
|
|
client := cluster.Cores[0].Client
|
|
|
|
|
2022-04-07 19:12:58 +00:00
|
|
|
resp, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
2018-04-20 18:19:04 +00:00
|
|
|
Policies: []string{"default"},
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatal("nil response")
|
|
|
|
}
|
|
|
|
if resp.Auth == nil {
|
|
|
|
t.Fatal("nil auth")
|
|
|
|
}
|
|
|
|
if resp.Auth.ClientToken == "" {
|
|
|
|
t.Fatal("empty client token")
|
|
|
|
}
|
|
|
|
|
|
|
|
client.SetToken(resp.Auth.ClientToken)
|
|
|
|
|
2022-04-07 19:12:58 +00:00
|
|
|
resp, err = client.Logical().Read("sys/internal/ui/resultant-acl")
|
2018-04-20 18:19:04 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatal("nil response")
|
|
|
|
}
|
|
|
|
if resp.Data == nil {
|
|
|
|
t.Fatal("nil data")
|
|
|
|
}
|
|
|
|
|
|
|
|
exp := map[string]interface{}{
|
|
|
|
"exact_paths": map[string]interface{}{
|
|
|
|
"auth/token/lookup-self": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"read",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"auth/token/renew-self": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"update",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"auth/token/revoke-self": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"update",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"sys/capabilities-self": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"update",
|
|
|
|
},
|
|
|
|
},
|
2018-07-12 14:18:50 +00:00
|
|
|
"sys/control-group/request": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"update",
|
|
|
|
},
|
|
|
|
},
|
2018-04-20 18:19:04 +00:00
|
|
|
"sys/internal/ui/resultant-acl": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"read",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"sys/leases/lookup": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"update",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"sys/leases/renew": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"update",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"sys/renew": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"update",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"sys/tools/hash": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"update",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"sys/wrapping/lookup": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"update",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"sys/wrapping/unwrap": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"update",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"sys/wrapping/wrap": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"update",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"glob_paths": map[string]interface{}{
|
|
|
|
"cubbyhole/": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"create",
|
|
|
|
"delete",
|
|
|
|
"list",
|
|
|
|
"read",
|
|
|
|
"update",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"sys/tools/hash/": map[string]interface{}{
|
|
|
|
"capabilities": []interface{}{
|
|
|
|
"update",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"root": false,
|
|
|
|
}
|
|
|
|
|
|
|
|
if diff := deep.Equal(resp.Data, exp); diff != nil {
|
|
|
|
t.Fatal(diff)
|
|
|
|
}
|
|
|
|
}
|
2021-11-30 19:49:58 +00:00
|
|
|
|
|
|
|
func TestSystemBackend_HAStatus(t *testing.T) {
|
|
|
|
logger := logging.NewVaultLogger(hclog.Trace)
|
|
|
|
inm, err := inmem.NewTransactionalInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
inmha, err := inmem.NewInmemHA(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
conf := &vault.CoreConfig{
|
|
|
|
Physical: inm,
|
|
|
|
HAPhysical: inmha.(physical.HABackend),
|
|
|
|
}
|
|
|
|
opts := &vault.TestClusterOptions{
|
|
|
|
HandlerFunc: vaulthttp.Handler,
|
|
|
|
}
|
|
|
|
cluster := vault.NewTestCluster(t, conf, opts)
|
|
|
|
cluster.Start()
|
|
|
|
defer cluster.Cleanup()
|
|
|
|
|
|
|
|
vault.RetryUntil(t, 15*time.Second, func() error {
|
|
|
|
// Use standby deliberately to make sure it forwards
|
|
|
|
client := cluster.Cores[1].Client
|
2022-04-07 19:12:58 +00:00
|
|
|
resp, err := client.Sys().HAStatus()
|
2021-11-30 19:49:58 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(resp.Nodes) != len(cluster.Cores) {
|
|
|
|
return fmt.Errorf("expected %d nodes, got %d", len(cluster.Cores), len(resp.Nodes))
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
}
|
2022-02-14 20:26:57 +00:00
|
|
|
|
|
|
|
// TestSystemBackend_VersionHistory_unauthenticated tests the sys/version-history
|
|
|
|
// endpoint without providing a token. Requests to the endpoint must be
|
|
|
|
// authenticated and thus a 403 response is expected.
|
|
|
|
func TestSystemBackend_VersionHistory_unauthenticated(t *testing.T) {
|
2022-09-16 13:53:16 +00:00
|
|
|
t.Parallel()
|
2022-02-14 20:26:57 +00:00
|
|
|
cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
|
|
|
|
HandlerFunc: vaulthttp.Handler,
|
2022-09-16 13:53:16 +00:00
|
|
|
NumCores: 1,
|
2022-02-14 20:26:57 +00:00
|
|
|
})
|
|
|
|
cluster.Start()
|
|
|
|
defer cluster.Cleanup()
|
|
|
|
client := cluster.Cores[0].Client
|
|
|
|
|
|
|
|
client.SetToken("")
|
2022-04-07 19:12:58 +00:00
|
|
|
resp, err := client.Logical().List("sys/version-history")
|
2022-02-14 20:26:57 +00:00
|
|
|
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("expected nil response, resp: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
respErr, ok := err.(*api.ResponseError)
|
|
|
|
if !ok {
|
|
|
|
t.Fatalf("unexpected error type: err: %#v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if respErr.StatusCode != 403 {
|
|
|
|
t.Fatalf("expected response status to be 403, actual: %d", respErr.StatusCode)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// TestSystemBackend_VersionHistory_authenticated tests the sys/version-history
|
|
|
|
// endpoint with authentication. Without synthetically altering the underlying
|
|
|
|
// core/versions storage entries, a single version entry should exist.
|
|
|
|
func TestSystemBackend_VersionHistory_authenticated(t *testing.T) {
|
2022-09-16 13:53:16 +00:00
|
|
|
t.Parallel()
|
2022-02-14 20:26:57 +00:00
|
|
|
cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
|
|
|
|
HandlerFunc: vaulthttp.Handler,
|
2022-09-16 13:53:16 +00:00
|
|
|
NumCores: 1,
|
2022-02-14 20:26:57 +00:00
|
|
|
})
|
|
|
|
cluster.Start()
|
|
|
|
defer cluster.Cleanup()
|
|
|
|
client := cluster.Cores[0].Client
|
|
|
|
|
2022-04-07 19:12:58 +00:00
|
|
|
resp, err := client.Logical().List("sys/version-history")
|
2022-02-14 20:26:57 +00:00
|
|
|
if err != nil || resp == nil {
|
|
|
|
t.Fatalf("request failed, err: %v, resp: %#v", err, resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
var ok bool
|
|
|
|
var keys []interface{}
|
|
|
|
var keyInfo map[string]interface{}
|
|
|
|
|
|
|
|
if keys, ok = resp.Data["keys"].([]interface{}); !ok {
|
|
|
|
t.Fatalf("expected keys to be array, actual: %#v", resp.Data["keys"])
|
|
|
|
}
|
|
|
|
|
|
|
|
if keyInfo, ok = resp.Data["key_info"].(map[string]interface{}); !ok {
|
|
|
|
t.Fatalf("expected key_info to be map, actual: %#v", resp.Data["key_info"])
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(keys) != 1 {
|
|
|
|
t.Fatalf("expected single version history entry for %q", version.Version)
|
|
|
|
}
|
|
|
|
|
|
|
|
if keyInfo[version.Version] == nil {
|
|
|
|
t.Fatalf("expected version %s to be present in key_info, actual: %#v", version.Version, keyInfo)
|
|
|
|
}
|
2022-02-14 23:06:02 +00:00
|
|
|
}
|