open-vault/command/agent/testing.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package agent

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"os"
	"testing"
	"time"

	"github.com/go-jose/go-jose/v3"
	"github.com/go-jose/go-jose/v3/jwt"

	"github.com/hashicorp/vault/sdk/logical"
)

const envVarRunAccTests = "VAULT_ACC"

var runAcceptanceTests = os.Getenv(envVarRunAccTests) == "1"

func GetTestJWT(t *testing.T) (string, *ecdsa.PrivateKey) {
	t.Helper()
	cl := jwt.Claims{
		Subject:   "r3qXcK2bix9eFECzsU3Sbmh0K16fatW6@clients",
		Issuer:    "https://team-vault.auth0.com/",
		NotBefore: jwt.NewNumericDate(time.Now().Add(-5 * time.Second)),
		Audience:  jwt.Audience{"https://vault.plugin.auth.jwt.test"},
	}

	privateCl := struct {
		User   string   `json:"https://vault/user"`
		Groups []string `json:"https://vault/groups"`
	}{
		"jeff",
		[]string{"foo", "bar"},
	}

	var key *ecdsa.PrivateKey
	block, _ := pem.Decode([]byte(TestECDSAPrivKey))
	if block != nil {
		var err error
		key, err = x509.ParseECPrivateKey(block.Bytes)
		if err != nil {
			t.Fatal(err)
		}
	}

	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: key}, (&jose.SignerOptions{}).WithType("JWT"))
	if err != nil {
		t.Fatal(err)
	}

	raw, err := jwt.Signed(sig).Claims(cl).Claims(privateCl).CompactSerialize()
	if err != nil {
		t.Fatal(err)
	}

	return raw, key
}

func readToken(fileName string) (*logical.HTTPWrapInfo, error) {
	b, err := os.ReadFile(fileName)
	if err != nil {
		return nil, err
	}
	wrapper := &logical.HTTPWrapInfo{}
	if err := json.NewDecoder(bytes.NewReader(b)).Decode(wrapper); err != nil {
		return nil, err
	}
	return wrapper, nil
}

const (
	TestECDSAPrivKey string = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIKfldwWLPYsHjRL9EVTsjSbzTtcGRu6icohNfIqcb6A+oAoGCCqGSM49
AwEHoUQDQgAE4+SFvPwOy0miy/FiTT05HnwjpEbSq+7+1q9BFxAkzjgKnlkXk5qx
hzXQvRmS4w9ZsskoTZtuUI+XX7conJhzCQ==
-----END EC PRIVATE KEY-----`

	TestECDSAPubKey string = `-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4+SFvPwOy0miy/FiTT05HnwjpEbS
q+7+1q9BFxAkzjgKnlkXk5qxhzXQvRmS4w9ZsskoTZtuUI+XX7conJhzCQ==
-----END PUBLIC KEY-----`
)
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 16:00:52 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

Add exit-after-auth functionality to agent (#5013) This allows it to authenticate once, then exit once all sinks have reported success. Useful for things like an init container vs. a sidecard container. Also adds command-level testing of it. 2018-07-30 14:37:04 +00:00			`package agent`

			`import (`
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`"bytes"`
Add exit-after-auth functionality to agent (#5013) This allows it to authenticate once, then exit once all sinks have reported success. Useful for things like an init container vs. a sidecard container. Also adds command-level testing of it. 2018-07-30 14:37:04 +00:00			`"crypto/ecdsa"`
			`"crypto/x509"`
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`"encoding/json"`
Add exit-after-auth functionality to agent (#5013) This allows it to authenticate once, then exit once all sinks have reported success. Useful for things like an init container vs. a sidecard container. Also adds command-level testing of it. 2018-07-30 14:37:04 +00:00			`"encoding/pem"`
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`"os"`
Add exit-after-auth functionality to agent (#5013) This allows it to authenticate once, then exit once all sinks have reported success. Useful for things like an init container vs. a sidecard container. Also adds command-level testing of it. 2018-07-30 14:37:04 +00:00			`"testing"`
			`"time"`

Upgrade go-jose library to v3 (#20559) * upgrade go-jose library to v3 Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com> * chore: fix unnecessary import alias Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com> * upgrade go-jose library to v2 in vault Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com> --------- Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com> 2023-05-23 12:25:58 +00:00			`"github.com/go-jose/go-jose/v3"`
			`"github.com/go-jose/go-jose/v3/jwt"`

Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
Add exit-after-auth functionality to agent (#5013) This allows it to authenticate once, then exit once all sinks have reported success. Useful for things like an init container vs. a sidecard container. Also adds command-level testing of it. 2018-07-30 14:37:04 +00:00			`)`

Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`const envVarRunAccTests = "VAULT_ACC"`

			`var runAcceptanceTests = os.Getenv(envVarRunAccTests) == "1"`

Add exit-after-auth functionality to agent (#5013) This allows it to authenticate once, then exit once all sinks have reported success. Useful for things like an init container vs. a sidecard container. Also adds command-level testing of it. 2018-07-30 14:37:04 +00:00			`func GetTestJWT(t testing.T) (string, ecdsa.PrivateKey) {`
			`t.Helper()`
			`cl := jwt.Claims{`
			`Subject: "r3qXcK2bix9eFECzsU3Sbmh0K16fatW6@clients",`
			`Issuer: "https://team-vault.auth0.com/",`
			`NotBefore: jwt.NewNumericDate(time.Now().Add(-5 * time.Second)),`
			`Audience: jwt.Audience{"https://vault.plugin.auth.jwt.test"},`
			`}`

			`privateCl := struct {`
			User string `json:"https://vault/user"`
			Groups []string `json:"https://vault/groups"`
			`}{`
			`"jeff",`
			`[]string{"foo", "bar"},`
			`}`

			`var key *ecdsa.PrivateKey`
			`block, _ := pem.Decode([]byte(TestECDSAPrivKey))`
			`if block != nil {`
			`var err error`
			`key, err = x509.ParseECPrivateKey(block.Bytes)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`}`

			`sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: key}, (&jose.SignerOptions{}).WithType("JWT"))`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`raw, err := jwt.Signed(sig).Claims(cl).Claims(privateCl).CompactSerialize()`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`return raw, key`
			`}`

Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`func readToken(fileName string) (*logical.HTTPWrapInfo, error) {`
VAULT-12798 Correct removal behaviour when JWT is symlink (#18863) * VAULT-12798 testing for jwt symlinks * VAULT-12798 Add testing of jwt removal * VAULT-12798 Update docs for clarity * VAULT-12798 Small change, and changelog * VAULT-12798 Lstat -> Stat * VAULT-12798 remove forgotten comment * VAULT-12798 small refactor, add new config item * VAULT-12798 Require opt-in config for following symlinks for JWT deletion * VAULT-12798 change changelog 2023-03-14 19:44:19 +00:00			`b, err := os.ReadFile(fileName)`
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 20:30:57 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`wrapper := &logical.HTTPWrapInfo{}`
			`if err := json.NewDecoder(bytes.NewReader(b)).Decode(wrapper); err != nil {`
			`return nil, err`
			`}`
			`return wrapper, nil`
			`}`

Add exit-after-auth functionality to agent (#5013) This allows it to authenticate once, then exit once all sinks have reported success. Useful for things like an init container vs. a sidecard container. Also adds command-level testing of it. 2018-07-30 14:37:04 +00:00			`const (`
			TestECDSAPrivKey string = `-----BEGIN EC PRIVATE KEY-----
			`MHcCAQEEIKfldwWLPYsHjRL9EVTsjSbzTtcGRu6icohNfIqcb6A+oAoGCCqGSM49`
			`AwEHoUQDQgAE4+SFvPwOy0miy/FiTT05HnwjpEbSq+7+1q9BFxAkzjgKnlkXk5qx`
			`hzXQvRmS4w9ZsskoTZtuUI+XX7conJhzCQ==`
			-----END EC PRIVATE KEY-----`

			TestECDSAPubKey string = `-----BEGIN PUBLIC KEY-----
			`MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4+SFvPwOy0miy/FiTT05HnwjpEbS`
			`q+7+1q9BFxAkzjgKnlkXk5qxhzXQvRmS4w9ZsskoTZtuUI+XX7conJhzCQ==`
			-----END PUBLIC KEY-----`
			`)`