open-vault/command/server/config_test.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package server

import (
	"fmt"
	"reflect"
	"strings"
	"testing"

	"github.com/stretchr/testify/require"
)

func TestLoadConfigFile(t *testing.T) {
	testLoadConfigFile(t)
}

func TestLoadConfigFile_json(t *testing.T) {
	testLoadConfigFile_json(t)
}

func TestLoadConfigFileIntegerAndBooleanValues(t *testing.T) {
	testLoadConfigFileIntegerAndBooleanValues(t)
}

func TestLoadConfigFileIntegerAndBooleanValuesJson(t *testing.T) {
	testLoadConfigFileIntegerAndBooleanValuesJson(t)
}

func TestLoadConfigFileWithLeaseMetricTelemetry(t *testing.T) {
	testLoadConfigFileLeaseMetrics(t)
}

func TestLoadConfigDir(t *testing.T) {
	testLoadConfigDir(t)
}

func TestConfig_Sanitized(t *testing.T) {
	testConfig_Sanitized(t)
}

func TestParseListeners(t *testing.T) {
	testParseListeners(t)
}

func TestParseUserLockouts(t *testing.T) {
	testParseUserLockouts(t)
}

func TestParseSockaddrTemplate(t *testing.T) {
	testParseSockaddrTemplate(t)
}

func TestConfigRaftRetryJoin(t *testing.T) {
	testConfigRaftRetryJoin(t)
}

func TestParseSeals(t *testing.T) {
	testParseSeals(t)
}

func TestParseStorage(t *testing.T) {
	testParseStorageTemplate(t)
}

// TestConfigWithAdministrativeNamespace tests that .hcl and .json configurations are correctly parsed when the administrative_namespace_path is present.
func TestConfigWithAdministrativeNamespace(t *testing.T) {
	testConfigWithAdministrativeNamespaceHcl(t)
	testConfigWithAdministrativeNamespaceJson(t)
}

func TestUnknownFieldValidation(t *testing.T) {
	testUnknownFieldValidation(t)
}

func TestUnknownFieldValidationJson(t *testing.T) {
	testUnknownFieldValidationJson(t)
}

func TestUnknownFieldValidationHcl(t *testing.T) {
	testUnknownFieldValidationHcl(t)
}

func TestUnknownFieldValidationListenerAndStorage(t *testing.T) {
	testUnknownFieldValidationStorageAndListener(t)
}

func TestExperimentsConfigParsing(t *testing.T) {
	const envKey = "VAULT_EXPERIMENTS"
	originalValue := validExperiments
	validExperiments = []string{"foo", "bar", "baz"}
	t.Cleanup(func() {
		validExperiments = originalValue
	})

	for name, tc := range map[string]struct {
		fromConfig    []string
		fromEnv       []string
		fromCLI       []string
		expected      []string
		expectedError string
	}{
		// Multiple sources.
		"duplication":  {[]string{"foo"}, []string{"foo"}, []string{"foo"}, []string{"foo"}, ""},
		"disjoint set": {[]string{"foo"}, []string{"bar"}, []string{"baz"}, []string{"foo", "bar", "baz"}, ""},

		// Single source.
		"config only": {[]string{"foo"}, nil, nil, []string{"foo"}, ""},
		"env only":    {nil, []string{"foo"}, nil, []string{"foo"}, ""},
		"CLI only":    {nil, nil, []string{"foo"}, []string{"foo"}, ""},

		// Validation errors.
		"config invalid": {[]string{"invalid"}, nil, nil, nil, "from config"},
		"env invalid":    {nil, []string{"invalid"}, nil, nil, "from environment variable"},
		"CLI invalid":    {nil, nil, []string{"invalid"}, nil, "from command line flag"},
	} {
		t.Run(name, func(t *testing.T) {
			var configString string
			t.Setenv(envKey, strings.Join(tc.fromEnv, ","))
			if len(tc.fromConfig) != 0 {
				configString = fmt.Sprintf("experiments = [\"%s\"]", strings.Join(tc.fromConfig, "\", \""))
			}
			config, err := ParseConfig(configString, "")
			if err == nil {
				err = ExperimentsFromEnvAndCLI(config, envKey, tc.fromCLI)
			}

			switch tc.expectedError {
			case "":
				if err != nil {
					t.Fatal(err)
				}

			default:
				if err == nil || !strings.Contains(err.Error(), tc.expectedError) {
					t.Fatalf("Expected error to contain %q, but got: %s", tc.expectedError, err)
				}
			}
		})
	}
}

func TestValidate(t *testing.T) {
	originalValue := validExperiments
	for name, tc := range map[string]struct {
		validSet    []string
		input       []string
		expectError bool
	}{
		// Valid cases
		"minimal valid": {[]string{"foo"}, []string{"foo"}, false},
		"valid subset":  {[]string{"foo", "bar"}, []string{"bar"}, false},
		"repeated":      {[]string{"foo"}, []string{"foo", "foo"}, false},

		// Error cases
		"partially valid":      {[]string{"foo", "bar"}, []string{"foo", "baz"}, true},
		"empty":                {[]string{"foo"}, []string{""}, true},
		"no valid experiments": {[]string{}, []string{"foo"}, true},
	} {
		t.Run(name, func(t *testing.T) {
			t.Cleanup(func() {
				validExperiments = originalValue
			})

			validExperiments = tc.validSet
			err := validateExperiments(tc.input)
			if tc.expectError && err == nil {
				t.Fatal("Expected error but got none")
			}
			if !tc.expectError && err != nil {
				t.Fatal("Did not expect error but got", err)
			}
		})
	}
}

func TestMerge(t *testing.T) {
	for name, tc := range map[string]struct {
		left     []string
		right    []string
		expected []string
	}{
		"disjoint":    {[]string{"foo"}, []string{"bar"}, []string{"foo", "bar"}},
		"empty left":  {[]string{}, []string{"foo"}, []string{"foo"}},
		"empty right": {[]string{"foo"}, []string{}, []string{"foo"}},
		"overlapping": {[]string{"foo", "bar"}, []string{"foo", "baz"}, []string{"foo", "bar", "baz"}},
	} {
		t.Run(name, func(t *testing.T) {
			result := mergeExperiments(tc.left, tc.right)
			if !reflect.DeepEqual(tc.expected, result) {
				t.Fatalf("Expected %v but got %v", tc.expected, result)
			}
		})
	}
}

// Test_parseDevTLSConfig verifies that both Windows and Unix directories are correctly escaped when creating a dev TLS
// configuration in HCL
func Test_parseDevTLSConfig(t *testing.T) {
	tests := []struct {
		name          string
		certDirectory string
	}{
		{
			name:          "windows path",
			certDirectory: `C:\Users\ADMINI~1\AppData\Local\Temp\2\vault-tls4169358130`,
		},
		{
			name:          "unix path",
			certDirectory: "/tmp/vault-tls4169358130",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			cfg, err := parseDevTLSConfig("file", tt.certDirectory)
			require.NoError(t, err)
			require.Equal(t, fmt.Sprintf("%s/%s", tt.certDirectory, VaultDevCertFilename), cfg.Listeners[0].TLSCertFile)
			require.Equal(t, fmt.Sprintf("%s/%s", tt.certDirectory, VaultDevKeyFilename), cfg.Listeners[0].TLSKeyFile)
		})
	}
}
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 16:00:52 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

command/server: add config loading 2015-03-12 22:21:11 +00:00			`package server`

			`import (`
Add experiment system + events experiment (#18682) 2023-01-16 16:07:18 +00:00			`"fmt"`
			`"reflect"`
			`"strings"`
command/server: add config loading 2015-03-12 22:21:11 +00:00			`"testing"`
VAULT-15668: fix windows issues with -dev-tls flag (#20257) * fix -dev-tls flag on windows * changelog * fix only hcl config * fix import * fmt 2023-04-21 08:54:38 +00:00
			`"github.com/stretchr/testify/require"`
command/server: add config loading 2015-03-12 22:21:11 +00:00			`)`

			`func TestLoadConfigFile(t *testing.T) {`
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable 2019-10-17 17:33:00 +00:00			`testLoadConfigFile(t)`
command/server: add config loading 2015-03-12 22:21:11 +00:00			`}`

			`func TestLoadConfigFile_json(t *testing.T) {`
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable 2019-10-17 17:33:00 +00:00			`testLoadConfigFile_json(t)`
command/server: add config loading 2015-03-12 22:21:11 +00:00			`}`

Fix JSON encoding adding newlines. (#8928) Fix JSON encoding adding newlines. This manifested itself when encoding config values, which all map to strings. An extra new line would get added by json.Encode, which caused other things to break with confusing error messagges. Switching to json.Marshal seems to solve the problem. 2020-05-19 23:13:05 +00:00			`func TestLoadConfigFileIntegerAndBooleanValues(t *testing.T) {`
			`testLoadConfigFileIntegerAndBooleanValues(t)`
			`}`

			`func TestLoadConfigFileIntegerAndBooleanValuesJson(t *testing.T) {`
			`testLoadConfigFileIntegerAndBooleanValuesJson(t)`
			`}`

Port: Telemetry For Lease Expiration Times (#10375) * port lease metrics * go mod vendor * caught a bug 2020-11-13 18:26:58 +00:00			`func TestLoadConfigFileWithLeaseMetricTelemetry(t *testing.T) {`
			`testLoadConfigFileLeaseMetrics(t)`
			`}`

command/server: add config loading 2015-03-12 22:21:11 +00:00			`func TestLoadConfigDir(t *testing.T) {`
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable 2019-10-17 17:33:00 +00:00			`testLoadConfigDir(t)`
command/server: add config loading 2015-03-12 22:21:11 +00:00			`}`
Print errors on extra keys in server config This does NOT apply to the backend config, since each backend config could have a variation of options that differ based off of the configured backend itself. This may be an optimization that can be made in the future, but I think each backend should be responsible for performing its own configuration validation instead of overloading the config itself with this functionality. 2016-03-09 23:59:44 +00:00
sys/config: config state endpoint (#7424) * sys/config: initial work on adding config state endpoint * server/config: add tests, fix Sanitized method * thread config through NewTestCluster's config to avoid panic on dev modes * properly guard endpoint against request forwarding * add http tests, guard against panics on nil RawConfig * ensure non-nil rawConfig on NewTestCluster cores * update non-forwarding logic * fix imports; use no-forward handler * add missing config test fixture; update gitignore * return sanitized config as a map * fix test, use deep.Equal to check for equality * fix http test * minor comment fix * config: change Sanitized to return snake-cased keys, update tests * core: hold rlock when reading config; add docstring * update docstring 2019-10-08 17:57:15 +00:00			`func TestConfig_Sanitized(t *testing.T) {`
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable 2019-10-17 17:33:00 +00:00			`testConfig_Sanitized(t)`
sys/config: config state endpoint (#7424) * sys/config: initial work on adding config state endpoint * server/config: add tests, fix Sanitized method * thread config through NewTestCluster's config to avoid panic on dev modes * properly guard endpoint against request forwarding * add http tests, guard against panics on nil RawConfig * ensure non-nil rawConfig on NewTestCluster cores * update non-forwarding logic * fix imports; use no-forward handler * add missing config test fixture; update gitignore * return sanitized config as a map * fix test, use deep.Equal to check for equality * fix http test * minor comment fix * config: change Sanitized to return snake-cased keys, update tests * core: hold rlock when reading config; add docstring * update docstring 2019-10-08 17:57:15 +00:00			`}`

tls_client_ca_file option for verifying client (#3034) 2017-08-03 11:33:06 +00:00			`func TestParseListeners(t *testing.T) {`
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable 2019-10-17 17:33:00 +00:00			`testParseListeners(t)`
tls_client_ca_file option for verifying client (#3034) 2017-08-03 11:33:06 +00:00			`}`
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable 2019-10-17 17:33:00 +00:00
Vault 8305 Prevent Brute Forcing in Auth methods : Setting user lockout configuration (#17338) * config file changes * lockout config changes * auth tune r/w and auth tune * removing changes at enable * removing q.Q * go mod tidy * removing comments * changing struct name for config file * fixing mount tune * adding test file for user lockout * fixing comments and add changelog * addressing comments * fixing mount table updates * updating consts in auth_tune * small fixes * adding hcl parse test * fixing config compare * fixing github comments * optimize userlockouts.go * fixing test * minor changes * adding comments * adding sort to flaky test * fix flaky test 2022-11-01 18:02:07 +00:00			`func TestParseUserLockouts(t *testing.T) {`
			`testParseUserLockouts(t)`
			`}`

Add support for go-sockaddr templated addresses in config. (#9109) 2021-10-21 14:10:48 +00:00			`func TestParseSockaddrTemplate(t *testing.T) {`
			`testParseSockaddrTemplate(t)`
			`}`

Raft retry join (#7856) * Raft retry join * update * Make retry join work with shamir seal * Return upon context completion * Update vault/raft.go Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com> * Address some review comments * send leader information slice as a parameter * Make retry join work properly with Shamir case. This commit has a blocking issue * Fix join goroutine exiting before the job is done * Polishing changes * Don't return after a successful join during unseal * Added config parsing test * Add test and fix bugs * minor changes * Address review comments * Fix build error Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com> 2020-01-14 01:02:16 +00:00			`func TestConfigRaftRetryJoin(t *testing.T) {`
			`testConfigRaftRetryJoin(t)`
			`}`
Fix 1.5 regression that meant non-string values in the seal stanza would fail config parsing, preventing startup. (#9555) 2020-07-23 17:53:00 +00:00
			`func TestParseSeals(t *testing.T) {`
			`testParseSeals(t)`
			`}`
Expose unknown fields and duplicate sections as diagnose warnings (#11455) * Expose unknown fields and duplicate sections as diagnose warnings * section counts not needed, already handled * Address PR feedback * Prune more of the new fields before tests call deep.Equals * Update go.mod 2021-05-04 19:47:56 +00:00
Parse ha_storage in config (#15900) * parsing values in config ha_storage * adding changelog * adding test to parse storage 2022-06-09 22:55:49 +00:00			`func TestParseStorage(t *testing.T) {`
			`testParseStorageTemplate(t)`
			`}`

backport of commit 4c1a7b53d362ee733707de2fa3280596e35d7f03 (#21609) Co-authored-by: Bianca Moreira <48203644+biazmoreira@users.noreply.github.com> 2023-07-06 10:05:43 +00:00			`// TestConfigWithAdministrativeNamespace tests that .hcl and .json configurations are correctly parsed when the administrative_namespace_path is present.`
			`func TestConfigWithAdministrativeNamespace(t *testing.T) {`
			`testConfigWithAdministrativeNamespaceHcl(t)`
			`testConfigWithAdministrativeNamespaceJson(t)`
			`}`

Expose unknown fields and duplicate sections as diagnose warnings (#11455) * Expose unknown fields and duplicate sections as diagnose warnings * section counts not needed, already handled * Address PR feedback * Prune more of the new fields before tests call deep.Equals * Update go.mod 2021-05-04 19:47:56 +00:00			`func TestUnknownFieldValidation(t *testing.T) {`
			`testUnknownFieldValidation(t)`
			`}`
report listener and storage types as found keys (#15383) * report listener and storage types as found keys * changelog 2022-05-12 16:04:56 +00:00
VAULT-8519 fix spurious "unknown or unsupported fields" warnings for JSON config (#17660) * VAULT-8519 add tests for HCL unknown field bug * VAULT-8519 upversion hcl * VAULT-8519 include correct comitts in tag * VAULT-8519 Add changelog 2022-10-27 14:28:03 +00:00			`func TestUnknownFieldValidationJson(t *testing.T) {`
			`testUnknownFieldValidationJson(t)`
			`}`

			`func TestUnknownFieldValidationHcl(t *testing.T) {`
			`testUnknownFieldValidationHcl(t)`
			`}`

report listener and storage types as found keys (#15383) * report listener and storage types as found keys * changelog 2022-05-12 16:04:56 +00:00			`func TestUnknownFieldValidationListenerAndStorage(t *testing.T) {`
			`testUnknownFieldValidationStorageAndListener(t)`
			`}`
Add experiment system + events experiment (#18682) 2023-01-16 16:07:18 +00:00
			`func TestExperimentsConfigParsing(t *testing.T) {`
			`const envKey = "VAULT_EXPERIMENTS"`
			`originalValue := validExperiments`
			`validExperiments = []string{"foo", "bar", "baz"}`
			`t.Cleanup(func() {`
			`validExperiments = originalValue`
			`})`

			`for name, tc := range map[string]struct {`
			`fromConfig []string`
			`fromEnv []string`
			`fromCLI []string`
			`expected []string`
			`expectedError string`
			`}{`
			`// Multiple sources.`
			`"duplication": {[]string{"foo"}, []string{"foo"}, []string{"foo"}, []string{"foo"}, ""},`
			`"disjoint set": {[]string{"foo"}, []string{"bar"}, []string{"baz"}, []string{"foo", "bar", "baz"}, ""},`

			`// Single source.`
			`"config only": {[]string{"foo"}, nil, nil, []string{"foo"}, ""},`
			`"env only": {nil, []string{"foo"}, nil, []string{"foo"}, ""},`
			`"CLI only": {nil, nil, []string{"foo"}, []string{"foo"}, ""},`

			`// Validation errors.`
			`"config invalid": {[]string{"invalid"}, nil, nil, nil, "from config"},`
			`"env invalid": {nil, []string{"invalid"}, nil, nil, "from environment variable"},`
			`"CLI invalid": {nil, nil, []string{"invalid"}, nil, "from command line flag"},`
			`} {`
			`t.Run(name, func(t *testing.T) {`
			`var configString string`
			`t.Setenv(envKey, strings.Join(tc.fromEnv, ","))`
			`if len(tc.fromConfig) != 0 {`
			`configString = fmt.Sprintf("experiments = [\"%s\"]", strings.Join(tc.fromConfig, "\", \""))`
			`}`
			`config, err := ParseConfig(configString, "")`
			`if err == nil {`
			`err = ExperimentsFromEnvAndCLI(config, envKey, tc.fromCLI)`
			`}`

			`switch tc.expectedError {`
			`case "":`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`default:`
			`if err == nil \|\| !strings.Contains(err.Error(), tc.expectedError) {`
			`t.Fatalf("Expected error to contain %q, but got: %s", tc.expectedError, err)`
			`}`
			`}`
			`})`
			`}`
			`}`

			`func TestValidate(t *testing.T) {`
			`originalValue := validExperiments`
			`for name, tc := range map[string]struct {`
			`validSet []string`
			`input []string`
			`expectError bool`
			`}{`
			`// Valid cases`
			`"minimal valid": {[]string{"foo"}, []string{"foo"}, false},`
			`"valid subset": {[]string{"foo", "bar"}, []string{"bar"}, false},`
			`"repeated": {[]string{"foo"}, []string{"foo", "foo"}, false},`

			`// Error cases`
			`"partially valid": {[]string{"foo", "bar"}, []string{"foo", "baz"}, true},`
			`"empty": {[]string{"foo"}, []string{""}, true},`
			`"no valid experiments": {[]string{}, []string{"foo"}, true},`
			`} {`
			`t.Run(name, func(t *testing.T) {`
			`t.Cleanup(func() {`
			`validExperiments = originalValue`
			`})`

			`validExperiments = tc.validSet`
			`err := validateExperiments(tc.input)`
			`if tc.expectError && err == nil {`
			`t.Fatal("Expected error but got none")`
			`}`
			`if !tc.expectError && err != nil {`
			`t.Fatal("Did not expect error but got", err)`
			`}`
			`})`
			`}`
			`}`

			`func TestMerge(t *testing.T) {`
			`for name, tc := range map[string]struct {`
			`left []string`
			`right []string`
			`expected []string`
			`}{`
			`"disjoint": {[]string{"foo"}, []string{"bar"}, []string{"foo", "bar"}},`
			`"empty left": {[]string{}, []string{"foo"}, []string{"foo"}},`
			`"empty right": {[]string{"foo"}, []string{}, []string{"foo"}},`
			`"overlapping": {[]string{"foo", "bar"}, []string{"foo", "baz"}, []string{"foo", "bar", "baz"}},`
			`} {`
			`t.Run(name, func(t *testing.T) {`
			`result := mergeExperiments(tc.left, tc.right)`
			`if !reflect.DeepEqual(tc.expected, result) {`
			`t.Fatalf("Expected %v but got %v", tc.expected, result)`
			`}`
			`})`
			`}`
			`}`
VAULT-15668: fix windows issues with -dev-tls flag (#20257) * fix -dev-tls flag on windows * changelog * fix only hcl config * fix import * fmt 2023-04-21 08:54:38 +00:00
			`// Test_parseDevTLSConfig verifies that both Windows and Unix directories are correctly escaped when creating a dev TLS`
			`// configuration in HCL`
			`func Test_parseDevTLSConfig(t *testing.T) {`
			`tests := []struct {`
			`name string`
			`certDirectory string`
			`}{`
			`{`
			`name: "windows path",`
			certDirectory: `C:\Users\ADMINI~1\AppData\Local\Temp\2\vault-tls4169358130`,
			`},`
			`{`
			`name: "unix path",`
			`certDirectory: "/tmp/vault-tls4169358130",`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`cfg, err := parseDevTLSConfig("file", tt.certDirectory)`
			`require.NoError(t, err)`
			`require.Equal(t, fmt.Sprintf("%s/%s", tt.certDirectory, VaultDevCertFilename), cfg.Listeners[0].TLSCertFile)`
			`require.Equal(t, fmt.Sprintf("%s/%s", tt.certDirectory, VaultDevKeyFilename), cfg.Listeners[0].TLSKeyFile)`
			`})`
			`}`
			`}`