open-vault/builtin/credential/aws/path_config_rotate_root_test.go

package awsauth

import (
	"context"
	"testing"
	"time"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/iam"
	"github.com/aws/aws-sdk-go/service/iam/iamiface"
	"github.com/hashicorp/go-hclog"
	"github.com/hashicorp/vault/sdk/helper/awsutil"
	"github.com/hashicorp/vault/sdk/logical"
)

func TestPathConfigRotateRoot(t *testing.T) {
	getIAMClient = func(sess *session.Session) iamiface.IAMAPI {
		return &awsutil.MockIAM{
			CreateAccessKeyOutput: &iam.CreateAccessKeyOutput{
				AccessKey: &iam.AccessKey{
					AccessKeyId:     aws.String("fizz2"),
					SecretAccessKey: aws.String("buzz2"),
				},
			},
			DeleteAccessKeyOutput: &iam.DeleteAccessKeyOutput{},
			GetUserOutput: &iam.GetUserOutput{
				User: &iam.User{
					UserName: aws.String("ellen"),
				},
			},
		}
	}

	ctx := context.Background()
	storage := &logical.InmemStorage{}
	b, err := Factory(ctx, &logical.BackendConfig{
		StorageView: storage,
		Logger:      hclog.Default(),
		System: &logical.StaticSystemView{
			DefaultLeaseTTLVal: time.Hour,
			MaxLeaseTTLVal:     time.Hour,
		},
	})
	if err != nil {
		t.Fatal(err)
	}

	clientConf := &clientConfig{
		AccessKey: "fizz1",
		SecretKey: "buzz1",
	}
	entry, err := logical.StorageEntryJSON("config/client", clientConf)
	if err != nil {
		t.Fatal(err)
	}
	if err := storage.Put(ctx, entry); err != nil {
		t.Fatal(err)
	}

	req := &logical.Request{
		Operation: logical.UpdateOperation,
		Path:      "config/rotate-root",
		Storage:   storage,
	}
	resp, err := b.HandleRequest(ctx, req)
	if err != nil || (resp != nil && resp.IsError()) {
		t.Fatalf("bad: resp: %#v\nerr:%v", resp, err)
	}
	if resp == nil {
		t.Fatal("expected nil response to represent a 204")
	}
	if resp.Data == nil {
		t.Fatal("expected resp.Data")
	}
	if resp.Data["access_key"].(string) != "fizz2" {
		t.Fatalf("expected new access key buzz2 but received %s", resp.Data["access_key"])
	}
}
5844 AWS Root Credential Rotation (#9921) * strip redundant field type declarations * root credential rotation for aws creds plugin * Change location of mocks awsutil and update methods that no longer exist * Update website/pages/docs/auth/aws.mdx Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com> * Update sdk version to get the awsutil mock file * Re-vendor modules to pass CI * Use write lock for the entirety of AWS root cred rotation * Update docs for AWS root cred rotation for clarity Co-authored-by: Becca Petrin <beccapetrin@gmail.com> Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com> 2020-09-15 22:26:56 +00:00			`package awsauth`

			`import (`
			`"context"`
			`"testing"`
			`"time"`

			`"github.com/aws/aws-sdk-go/aws"`
			`"github.com/aws/aws-sdk-go/aws/session"`
			`"github.com/aws/aws-sdk-go/service/iam"`
			`"github.com/aws/aws-sdk-go/service/iam/iamiface"`
			`"github.com/hashicorp/go-hclog"`
			`"github.com/hashicorp/vault/sdk/helper/awsutil"`
			`"github.com/hashicorp/vault/sdk/logical"`
			`)`

			`func TestPathConfigRotateRoot(t *testing.T) {`
			`getIAMClient = func(sess *session.Session) iamiface.IAMAPI {`
			`return &awsutil.MockIAM{`
			`CreateAccessKeyOutput: &iam.CreateAccessKeyOutput{`
			`AccessKey: &iam.AccessKey{`
			`AccessKeyId: aws.String("fizz2"),`
			`SecretAccessKey: aws.String("buzz2"),`
			`},`
			`},`
			`DeleteAccessKeyOutput: &iam.DeleteAccessKeyOutput{},`
			`GetUserOutput: &iam.GetUserOutput{`
			`User: &iam.User{`
			`UserName: aws.String("ellen"),`
			`},`
			`},`
			`}`
			`}`

			`ctx := context.Background()`
			`storage := &logical.InmemStorage{}`
			`b, err := Factory(ctx, &logical.BackendConfig{`
			`StorageView: storage,`
			`Logger: hclog.Default(),`
			`System: &logical.StaticSystemView{`
			`DefaultLeaseTTLVal: time.Hour,`
			`MaxLeaseTTLVal: time.Hour,`
			`},`
			`})`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`clientConf := &clientConfig{`
			`AccessKey: "fizz1",`
			`SecretKey: "buzz1",`
			`}`
			`entry, err := logical.StorageEntryJSON("config/client", clientConf)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if err := storage.Put(ctx, entry); err != nil {`
			`t.Fatal(err)`
			`}`

			`req := &logical.Request{`
			`Operation: logical.UpdateOperation,`
			`Path: "config/rotate-root",`
			`Storage: storage,`
			`}`
			`resp, err := b.HandleRequest(ctx, req)`
			`if err != nil \|\| (resp != nil && resp.IsError()) {`
			`t.Fatalf("bad: resp: %#v\nerr:%v", resp, err)`
			`}`
			`if resp == nil {`
			`t.Fatal("expected nil response to represent a 204")`
			`}`
			`if resp.Data == nil {`
			`t.Fatal("expected resp.Data")`
			`}`
			`if resp.Data["access_key"].(string) != "fizz2" {`
			`t.Fatalf("expected new access key buzz2 but received %s", resp.Data["access_key"])`
			`}`
			`}`