luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
open-vault/http/logical_test.go

762 lines
20 KiB
Go
Raw Normal View History

http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
package http
import (
vault: testing raw responses
2015-05-27 21:19:12 +00:00
"bytes"
audit: log invalid wrapping token request/response (#6541) * audit: log invalid wrapping token request/response * Update helper/consts/error.go Co-Authored-By: calvn <cleung2010@gmail.com> * update error comments * Update vault/wrapping.go Co-Authored-By: calvn <cleung2010@gmail.com> * update comment * move validateWrappingToken out of http and into logical * minor refactor, add test cases * comment rewording * refactor validateWrappingToken to perform audit logging * move ValidateWrappingToken back to wrappingVerificationFunc * Fix tests * Review feedback
2019-07-05 21:15:14 +00:00
"context"
Added JSON Decode and Encode helpers. Changed all the occurances of Unmarshal to use the helpers. Fixed http/ package tests.
2016-07-06 16:25:40 +00:00
"encoding/json"
vault: testing raw responses
2015-05-27 21:19:12 +00:00
"io"
http: Add a method for returning a 404 with data (#3994) * Add a method for returning a 404 with data * Pass the full resp object through to respond raw * Add comment * Refactor so it works across plugin gRPC * Handle some review comments * Pass request object instead of request ID
2018-02-21 22:22:21 +00:00
"io/ioutil"
Internally append trailing slash for all LIST operations. (#2390) Fixes #2385
2017-02-17 04:23:32 +00:00
"net/http"
http: Add a method for returning a 404 with data (#3994) * Add a method for returning a 404 with data * Pass the full resp object through to respond raw * Add comment * Refactor so it works across plugin gRPC * Handle some review comments * Pass request object instead of request ID
2018-02-21 22:22:21 +00:00
"net/http/httptest"
http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
"reflect"
Added JSON Decode and Encode helpers. Changed all the occurances of Unmarshal to use the helpers. Fixed http/ package tests.
2016-07-06 16:25:40 +00:00
"strconv"
Internally append trailing slash for all LIST operations. (#2390) Fixes #2385
2017-02-17 04:23:32 +00:00
"strings"
http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
"testing"
http: fix tests
2015-04-05 00:42:19 +00:00
"time"
http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
Add remote_port in the audit logs when it is available (#12790) * Add remote_port in the audit logs when it is available The `request.remote_port` field is now present in the audit log when it is available: ``` { "time": "2021-10-10T13:53:51.760039Z", "type": "response", "auth": { "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "display_name": "root", "policies": [ "root" ], "token_policies": [ "root" ], "token_type": "service", "token_issue_time": "2021-10-10T15:53:44+02:00" }, "request": { "id": "829c04a1-0352-2d9d-9bc9-00b928d33df5", "operation": "update", "mount_type": "system", "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "namespace": { "id": "root" }, "path": "sys/audit/file", "data": { "description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b", "local": false, "options": { "file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3" }, "type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc" }, "remote_address": "127.0.0.1", "remote_port": 54798 }, "response": { "mount_type": "system" } } ``` Closes https://github.com/hashicorp/vault/issues/7716 * Add changelog entry * Empty commit to trigger CI * Add test and explicit error handling * Change temporary file pattern in test
2022-01-26 23:47:15 +00:00
kv "github.com/hashicorp/vault-plugin-secrets-kv"
"github.com/hashicorp/vault/api"
auditFile "github.com/hashicorp/vault/builtin/audit/file"
treat logical.ErrRelativePath as 400 instead of 500 (#14328) * treat logical.ErrRelativePath as 400 instead of 500 * add changelog entry * return UserError for logical.ErrRelativePath
2022-03-30 13:08:02 +00:00
credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
Shutdown Test Cores when Tests Complete (#10912) * Shutdown Test Cores when Tests Complete * go mod vendor
2021-02-12 20:04:48 +00:00
"github.com/hashicorp/vault/internalshared/configutil"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/logging"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/sdk/physical"
"github.com/hashicorp/vault/sdk/physical/inmem"
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"github.com/go-test/deep"
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
log "github.com/hashicorp/go-hclog"
Convert to logxi
2016-08-19 20:45:17 +00:00
audit: log invalid wrapping token request/response (#6541) * audit: log invalid wrapping token request/response * Update helper/consts/error.go Co-Authored-By: calvn <cleung2010@gmail.com> * update error comments * Update vault/wrapping.go Co-Authored-By: calvn <cleung2010@gmail.com> * update comment * move validateWrappingToken out of http and into logical * minor refactor, add test cases * comment rewording * refactor validateWrappingToken to perform audit logging * move ValidateWrappingToken back to wrappingVerificationFunc * Fix tests * Review feedback
2019-07-05 21:15:14 +00:00
"github.com/hashicorp/vault/audit"
Switch to go modules (#6585) * Switch to go modules * Make fmt
2019-04-13 07:44:06 +00:00
"github.com/hashicorp/vault/helper/namespace"
http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
"github.com/hashicorp/vault/vault"
)
func TestLogical(t *testing.T) {
http: support auth
2015-03-29 23:14:54 +00:00
core, _, token := vault.TestCoreUnsealed(t)
http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
ln, addr := TestServer(t, core)
defer ln.Close()
http: support auth
2015-03-29 23:14:54 +00:00
TestServerAuth(t, addr, token)
http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
http: logical delete support
2015-04-07 18:04:06 +00:00
// WRITE
Remove cookie authentication.
2015-08-22 00:36:19 +00:00
resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
"data": "bar",
})
testResponseStatus(t, resp, 204)
http: logical delete support
2015-04-07 18:04:06 +00:00
// READ
Fix up error detection regression to return correct status codes
2016-06-22 21:47:05 +00:00
// Bad token should return a 403
resp = testHttpGet(t, token+"bad", addr+"/v1/secret/foo")
testResponseStatus(t, resp, 403)
http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
Fix up error detection regression to return correct status codes
2016-06-22 21:47:05 +00:00
resp = testHttpGet(t, token, addr+"/v1/secret/foo")
http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
var actual map[string]interface{}
Add unit tests
2015-10-07 21:21:41 +00:00
var nilWarnings interface{}
http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
expected := map[string]interface{}{
all: Removing fields from Lease
2015-03-16 20:29:51 +00:00
"renewable": false,
Change default TTL from 30 to 32 to accommodate monthly operations (#1942)
2016-09-28 22:32:49 +00:00
"lease_duration": json.Number(strconv.Itoa(int((32 * 24 * time.Hour) / time.Second))),
http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
"data": map[string]interface{}{
"data": "bar",
},
Add wrapping through core and change to use TTL instead of Duration.
2016-05-02 04:08:07 +00:00
"auth": nil,
"wrap_info": nil,
"warnings": nilWarnings,
http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
Replace VaultID with LeaseID for terminology simplification
2015-04-08 20:35:32 +00:00
delete(actual, "lease_id")
Fix request_id test failures
2016-07-26 22:30:13 +00:00
expected["request_id"] = actual["request_id"]
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if diff := deep.Equal(actual, expected); diff != nil {
t.Fatal(diff)
http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
}
http: logical delete support
2015-04-07 18:04:06 +00:00
// DELETE
Remove cookie authentication.
2015-08-22 00:36:19 +00:00
resp = testHttpDelete(t, token, addr+"/v1/secret/foo")
http: logical delete support
2015-04-07 18:04:06 +00:00
testResponseStatus(t, resp, 204)
Remove cookie authentication.
2015-08-22 00:36:19 +00:00
resp = testHttpGet(t, token, addr+"/v1/secret/foo")
http: logical delete support
2015-04-07 18:04:06 +00:00
testResponseStatus(t, resp, 404)
http: generic read/write endpoint for secrets
2015-03-16 02:34:47 +00:00
}
http: 404 if reading secret that doesn't exist
2015-03-16 02:42:24 +00:00
func TestLogical_noExist(t *testing.T) {
http: support auth
2015-03-29 23:14:54 +00:00
core, _, token := vault.TestCoreUnsealed(t)
http: 404 if reading secret that doesn't exist
2015-03-16 02:42:24 +00:00
ln, addr := TestServer(t, core)
defer ln.Close()
http: support auth
2015-03-29 23:14:54 +00:00
TestServerAuth(t, addr, token)
http: 404 if reading secret that doesn't exist
2015-03-16 02:42:24 +00:00
Remove cookie authentication.
2015-08-22 00:36:19 +00:00
resp := testHttpGet(t, token, addr+"/v1/secret/foo")
http: 404 if reading secret that doesn't exist
2015-03-16 02:42:24 +00:00
testResponseStatus(t, resp, 404)
}
http: support standby redirects
2015-04-19 20:18:09 +00:00
func TestLogical_StandbyRedirect(t *testing.T) {
ln1, addr1 := TestListener(t)
defer ln1.Close()
ln2, addr2 := TestListener(t)
defer ln2.Close()
// Create an HA Vault
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
logger := logging.NewVaultLogger(log.Debug)
Convert to logxi
2016-08-19 20:45:17 +00:00
Migrate physical backends into separate packages (#3106)
2017-08-03 17:24:27 +00:00
inmha, err := inmem.NewInmemHA(nil, logger)
if err != nil {
t.Fatal(err)
}
Disable mlock in tests
2015-04-29 01:12:57 +00:00
conf := &vault.CoreConfig{
Request forwarding (#1721) Add request forwarding.
2016-08-15 13:42:42 +00:00
Physical: inmha,
Migrate physical backends into separate packages (#3106)
2017-08-03 17:24:27 +00:00
HAPhysical: inmha.(physical.HABackend),
Request forwarding (#1721) Add request forwarding.
2016-08-15 13:42:42 +00:00
RedirectAddr: addr1,
DisableMlock: true,
Disable mlock in tests
2015-04-29 01:12:57 +00:00
}
http: support standby redirects
2015-04-19 20:18:09 +00:00
core1, err := vault.NewCore(conf)
if err != nil {
t.Fatalf("err: %v", err)
}
Shutdown Test Cores when Tests Complete (#10912) * Shutdown Test Cores when Tests Complete * go mod vendor
2021-02-12 20:04:48 +00:00
defer core1.Shutdown()
Multi value test seal (#2281)
2017-01-17 20:43:10 +00:00
keys, root := vault.TestCoreInit(t, core1)
for _, key := range keys {
if _, err := core1.Unseal(vault.TestKeyCopy(key)); err != nil {
t.Fatalf("unseal err: %s", err)
}
http: support standby redirects
2015-04-19 20:18:09 +00:00
}
Add a sleep in the RedirectStandby test to try to fix raciness
2016-03-02 17:06:16 +00:00
// Attempt to fix raciness in this test by giving the first core a chance
// to grab the lock
Port some replication bits to OSS (#2386)
2017-02-16 20:15:02 +00:00
time.Sleep(2 * time.Second)
Add a sleep in the RedirectStandby test to try to fix raciness
2016-03-02 17:06:16 +00:00
http: support standby redirects
2015-04-19 20:18:09 +00:00
// Create a second HA Vault
Disable mlock in tests
2015-04-29 01:12:57 +00:00
conf2 := &vault.CoreConfig{
Request forwarding (#1721) Add request forwarding.
2016-08-15 13:42:42 +00:00
Physical: inmha,
Migrate physical backends into separate packages (#3106)
2017-08-03 17:24:27 +00:00
HAPhysical: inmha.(physical.HABackend),
Request forwarding (#1721) Add request forwarding.
2016-08-15 13:42:42 +00:00
RedirectAddr: addr2,
DisableMlock: true,
Disable mlock in tests
2015-04-29 01:12:57 +00:00
}
http: support standby redirects
2015-04-19 20:18:09 +00:00
core2, err := vault.NewCore(conf2)
if err != nil {
t.Fatalf("err: %v", err)
}
Shutdown Test Cores when Tests Complete (#10912) * Shutdown Test Cores when Tests Complete * go mod vendor
2021-02-12 20:04:48 +00:00
defer core2.Shutdown()
Multi value test seal (#2281)
2017-01-17 20:43:10 +00:00
for _, key := range keys {
if _, err := core2.Unseal(vault.TestKeyCopy(key)); err != nil {
t.Fatalf("unseal err: %s", err)
}
http: support standby redirects
2015-04-19 20:18:09 +00:00
}
TestServerWithListener(t, ln1, addr1, core1)
TestServerWithListener(t, ln2, addr2, core2)
TestServerAuth(t, addr1, root)
// WRITE to STANDBY
Multi value test seal (#2281)
2017-01-17 20:43:10 +00:00
resp := testHttpPutDisableRedirect(t, root, addr2+"/v1/secret/foo", map[string]interface{}{
http: support standby redirects
2015-04-19 20:18:09 +00:00
"data": "bar",
})
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
logger.Debug("307 test one starting")
http: support standby redirects
2015-04-19 20:18:09 +00:00
testResponseStatus(t, resp, 307)
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
logger.Debug("307 test one stopping")
http: support standby redirects
2015-04-19 20:18:09 +00:00
//// READ to standby
Remove cookie authentication.
2015-08-22 00:36:19 +00:00
resp = testHttpGet(t, root, addr2+"/v1/auth/token/lookup-self")
http: support standby redirects
2015-04-19 20:18:09 +00:00
var actual map[string]interface{}
Add unit tests
2015-10-07 21:21:41 +00:00
var nilWarnings interface{}
http: support standby redirects
2015-04-19 20:18:09 +00:00
expected := map[string]interface{}{
"renewable": false,
Added JSON Decode and Encode helpers. Changed all the occurances of Unmarshal to use the helpers. Fixed http/ package tests.
2016-07-06 16:25:40 +00:00
"lease_duration": json.Number("0"),
http: support standby redirects
2015-04-19 20:18:09 +00:00
"data": map[string]interface{}{
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
"meta": nil,
Added JSON Decode and Encode helpers. Changed all the occurances of Unmarshal to use the helpers. Fixed http/ package tests.
2016-07-06 16:25:40 +00:00
"num_uses": json.Number("0"),
Add explicit maximum TTLs to token store roles.
2016-05-11 20:51:18 +00:00
"path": "auth/token/root",
"policies": []interface{}{"root"},
"display_name": "root",
"orphan": true,
"id": root,
Added JSON Decode and Encode helpers. Changed all the occurances of Unmarshal to use the helpers. Fixed http/ package tests.
2016-07-06 16:25:40 +00:00
"ttl": json.Number("0"),
"creation_ttl": json.Number("0"),
"explicit_max_ttl": json.Number("0"),
Add the ability to view and list of leases metadata (#2650)
2017-05-04 02:03:42 +00:00
"expire_time": nil,
Porting identity store (#3419) * porting identity to OSS * changes that glue things together * add testing bits * wrapped entity id * fix mount error * some more changes to core * fix storagepacker tests * fix some more tests * fix mount tests * fix http mount tests * audit changes for identity * remove upgrade structs on the oss side * added go-memdb to vendor
2017-10-11 17:21:20 +00:00
"entity_id": "",
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
"type": "service",
http: support standby redirects
2015-04-19 20:18:09 +00:00
},
Add wrapping through core and change to use TTL instead of Duration.
2016-05-02 04:08:07 +00:00
"warnings": nilWarnings,
"wrap_info": nil,
"auth": nil,
http: support standby redirects
2015-04-19 20:18:09 +00:00
}
Remove cookie authentication.
2015-08-22 00:36:19 +00:00
http: support standby redirects
2015-04-19 20:18:09 +00:00
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
actualDataMap := actual["data"].(map[string]interface{})
delete(actualDataMap, "creation_time")
fix all the broken tests
2016-03-09 18:45:36 +00:00
delete(actualDataMap, "accessor")
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
actual["data"] = actualDataMap
Fix request_id test failures
2016-07-26 22:30:13 +00:00
expected["request_id"] = actual["request_id"]
http: support standby redirects
2015-04-19 20:18:09 +00:00
delete(actual, "lease_id")
Batch tokens (#755)
2018-10-15 16:56:24 +00:00
if diff := deep.Equal(actual, expected); diff != nil {
t.Fatal(diff)
http: support standby redirects
2015-04-19 20:18:09 +00:00
}
//// DELETE to standby
Multi value test seal (#2281)
2017-01-17 20:43:10 +00:00
resp = testHttpDeleteDisableRedirect(t, root, addr2+"/v1/secret/foo")
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
logger.Debug("307 test two starting")
http: support standby redirects
2015-04-19 20:18:09 +00:00
testResponseStatus(t, resp, 307)
Move to "github.com/hashicorp/go-hclog" (#4227) * logbridge with hclog and identical output * Initial search & replace This compiles, but there is a fair amount of TODO and commented out code, especially around the plugin logclient/logserver code. * strip logbridge * fix majority of tests * update logxi aliases * WIP fixing tests * more test fixes * Update test to hclog * Fix format * Rename hclog -> log * WIP making hclog and logxi love each other * update logger_test.go * clean up merged comments * Replace RawLogger interface with a Logger * Add some logger names * Replace Trace with Debug * update builtin logical logging patterns * Fix build errors * More log updates * update log approach in command and builtin * More log updates * update helper, http, and logical directories * Update loggers * Log updates * Update logging * Update logging * Update logging * Update logging * update logging in physical * prefixing and lowercase * Update logging * Move phyisical logging name to server command * Fix som tests * address jims feedback so far * incorporate brians feedback so far * strip comments * move vault.go to logging package * update Debug to Trace * Update go-plugin deps * Update logging based on review comments * Updates from review * Unvendor logxi * Remove null_logger.go
2018-04-03 00:46:59 +00:00
logger.Debug("307 test two stopping")
http: support standby redirects
2015-04-19 20:18:09 +00:00
}
http: avoid authenticating as new token for auth/token/create
2015-04-27 22:17:59 +00:00
func TestLogical_CreateToken(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
TestServerAuth(t, addr, token)
// WRITE
Remove cookie authentication.
2015-08-22 00:36:19 +00:00
resp := testHttpPut(t, token, addr+"/v1/auth/token/create", map[string]interface{}{
http: avoid authenticating as new token for auth/token/create
2015-04-27 22:17:59 +00:00
"data": "bar",
})
var actual map[string]interface{}
expected := map[string]interface{}{
"lease_id": "",
"renewable": false,
Added JSON Decode and Encode helpers. Changed all the occurances of Unmarshal to use the helpers. Fixed http/ package tests.
2016-07-06 16:25:40 +00:00
"lease_duration": json.Number("0"),
http: avoid authenticating as new token for auth/token/create
2015-04-27 22:17:59 +00:00
"data": nil,
Add wrapping through core and change to use TTL instead of Duration.
2016-05-02 04:08:07 +00:00
"wrap_info": nil,
http: avoid authenticating as new token for auth/token/create
2015-04-27 22:17:59 +00:00
"auth": map[string]interface{}{
Login MFA (#14025) * Login MFA * ENT OSS segragation (#14088) * Delete method id if not used in an MFA enforcement config (#14063) * Delete an MFA methodID only if it is not used by an MFA enforcement config * Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path * adding use_passcode field to DUO config (#14059) * add changelog * preventing replay attack on MFA passcodes (#14056) * preventing replay attack on MFA passcodes * using %w instead of %s for error * Improve CLI command for login mfa (#14106) CLI prints a warning message indicating the login request needs to get validated * adding the validity period of a passcode to error messages (#14115) * PR feedback * duo to handle preventing passcode reuse Co-authored-by: hghaf099 <83242695+hghaf099@users.noreply.github.com> Co-authored-by: hamid ghaf <hamid@hashicorp.com>
2022-02-17 21:08:51 +00:00
"policies": []interface{}{"root"},
"token_policies": []interface{}{"root"},
"metadata": nil,
"lease_duration": json.Number("0"),
"renewable": false,
"entity_id": "",
"token_type": "service",
"orphan": false,
"mfa_requirement": nil,
"num_uses": json.Number("0"),
http: avoid authenticating as new token for auth/token/create
2015-04-27 22:17:59 +00:00
},
}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
delete(actual["auth"].(map[string]interface{}), "client_token")
fix all the broken tests
2016-03-09 18:45:36 +00:00
delete(actual["auth"].(map[string]interface{}), "accessor")
Warnings indicating ignored and replaced parameters (#14962) * Warnings indicating ignored and replaced parameters * Avoid additional var creation * Add warnings only if the response is non-nil * Return the response even when error is non-nil * Fix tests * Rearrange comments * Print warning in the log * Fix another test * Add CL
2022-04-11 13:57:12 +00:00
delete(actual, "warnings")
Fix request_id test failures
2016-07-26 22:30:13 +00:00
expected["request_id"] = actual["request_id"]
http: avoid authenticating as new token for auth/token/create
2015-04-27 22:17:59 +00:00
if !reflect.DeepEqual(actual, expected) {
Add unit tests
2015-10-07 21:21:41 +00:00
t.Fatalf("bad:\nexpected:\n%#v\nactual:\n%#v", expected, actual)
http: avoid authenticating as new token for auth/token/create
2015-04-27 22:17:59 +00:00
}
}
vault: testing raw responses
2015-05-27 21:19:12 +00:00
func TestLogical_RawHTTP(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
TestServerAuth(t, addr, token)
Remove cookie authentication.
2015-08-22 00:36:19 +00:00
resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
vault: testing raw responses
2015-05-27 21:19:12 +00:00
"type": "http",
})
testResponseStatus(t, resp, 204)
// Get the raw response
Remove cookie authentication.
2015-08-22 00:36:19 +00:00
resp = testHttpGet(t, token, addr+"/v1/foo/raw")
vault: testing raw responses
2015-05-27 21:19:12 +00:00
testResponseStatus(t, resp, 200)
// Test the headers
if resp.Header.Get("Content-Type") != "plain/text" {
t.Fatalf("Bad: %#v", resp.Header)
}
// Get the body
body := new(bytes.Buffer)
io.Copy(body, resp.Body)
if string(body.Bytes()) != "hello world" {
t.Fatalf("Bad: %s", body.Bytes())
}
}
http: limit maximum request size
2016-11-17 20:06:43 +00:00
func TestLogical_RequestSizeLimit(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
TestServerAuth(t, addr, token)
Create configutil and move some common config and setup functions there (#8362)
2020-05-14 13:19:27 +00:00
// Write a very large object, should fail. This test works because Go will
// convert the byte slice to base64, which makes it significantly larger
// than the default max request size.
http: limit maximum request size
2016-11-17 20:06:43 +00:00
resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
Allow max request size to be user-specified (#4824) * Allow max request size to be user-specified This turned out to be way more impactful than I'd expected because I felt like the right granularity was per-listener, since an org may want to treat external clients differently from internal clients. It's pretty straightforward though. This also introduces actually using request contexts for values, which so far we have not done (using our own logical.Request struct instead), but this allows non-logical methods to still get this benefit. * Switch to ioutil.ReadAll()
2018-07-06 19:44:56 +00:00
"data": make([]byte, DefaultMaxRequestSize),
http: limit maximum request size
2016-11-17 20:06:43 +00:00
})
Fix: handle max_request_size<=0 (#10072) * Fix: handle max_request_size<=0 Signed-off-by: guacamole <gunjanwalecha@gmail.com> * created test cases for listener Signed-off-by: guacamole <gunjanwalecha@gmail.com> * added test case for negative value of MaxRequestSize Signed-off-by: guacamole <gunjanwalecha@gmail.com> Co-authored-by: Hridoy Roy <roy@hashicorp.com>
2021-01-19 19:28:28 +00:00
testResponseStatus(t, resp, http.StatusRequestEntityTooLarge)
http: limit maximum request size
2016-11-17 20:06:43 +00:00
}
Run a more strict formatter over the code (#11312) * Update tooling * Run gofumpt * go mod vendor
2021-04-08 16:43:39 +00:00
Fix: handle max_request_size<=0 (#10072) * Fix: handle max_request_size<=0 Signed-off-by: guacamole <gunjanwalecha@gmail.com> * created test cases for listener Signed-off-by: guacamole <gunjanwalecha@gmail.com> * added test case for negative value of MaxRequestSize Signed-off-by: guacamole <gunjanwalecha@gmail.com> Co-authored-by: Hridoy Roy <roy@hashicorp.com>
2021-01-19 19:28:28 +00:00
func TestLogical_RequestSizeDisableLimit(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestListener(t)
props := &vault.HandlerProperties{
Core: core,
ListenerConfig: &configutil.Listener{
MaxRequestSize: -1,
Shutdown Test Cores when Tests Complete (#10912) * Shutdown Test Cores when Tests Complete * go mod vendor
2021-02-12 20:04:48 +00:00
Address: "127.0.0.1",
TLSDisable: true,
Fix: handle max_request_size<=0 (#10072) * Fix: handle max_request_size<=0 Signed-off-by: guacamole <gunjanwalecha@gmail.com> * created test cases for listener Signed-off-by: guacamole <gunjanwalecha@gmail.com> * added test case for negative value of MaxRequestSize Signed-off-by: guacamole <gunjanwalecha@gmail.com> Co-authored-by: Hridoy Roy <roy@hashicorp.com>
2021-01-19 19:28:28 +00:00
},
}
TestServerWithListenerAndProperties(t, ln, addr, core, props)
defer ln.Close()
TestServerAuth(t, addr, token)
// Write a very large object, should pass as MaxRequestSize set to -1/Negative value
resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
"data": make([]byte, DefaultMaxRequestSize),
})
Shutdown Test Cores when Tests Complete (#10912) * Shutdown Test Cores when Tests Complete * go mod vendor
2021-02-12 20:04:48 +00:00
testResponseStatus(t, resp, http.StatusNoContent)
Fix: handle max_request_size<=0 (#10072) * Fix: handle max_request_size<=0 Signed-off-by: guacamole <gunjanwalecha@gmail.com> * created test cases for listener Signed-off-by: guacamole <gunjanwalecha@gmail.com> * added test case for negative value of MaxRequestSize Signed-off-by: guacamole <gunjanwalecha@gmail.com> Co-authored-by: Hridoy Roy <roy@hashicorp.com>
2021-01-19 19:28:28 +00:00
}
Internally append trailing slash for all LIST operations. (#2390) Fixes #2385
2017-02-17 04:23:32 +00:00
func TestLogical_ListSuffix(t *testing.T) {
The big one (#5346)
2018-09-18 03:03:00 +00:00
core, _, rootToken := vault.TestCoreUnsealed(t)
Internally append trailing slash for all LIST operations. (#2390) Fixes #2385
2017-02-17 04:23:32 +00:00
req, _ := http.NewRequest("GET", "http://127.0.0.1:8200/v1/secret/foo", nil)
The big one (#5346)
2018-09-18 03:03:00 +00:00
req = req.WithContext(namespace.RootContext(nil))
req.Header.Add(consts.AuthHeaderName, rootToken)
Resource Quotas: Rate Limiting (#9330)
2020-06-26 21:13:16 +00:00
Merge PR #9390: http: revert resource quota changes
2020-07-07 04:05:28 +00:00
lreq, _, status, err := buildLogicalRequest(core, nil, req)
Internally append trailing slash for all LIST operations. (#2390) Fixes #2385
2017-02-17 04:23:32 +00:00
if err != nil {
t.Fatal(err)
}
if status != 0 {
t.Fatalf("got status %d", status)
}
if strings.HasSuffix(lreq.Path, "/") {
t.Fatal("trailing slash found on path")
}
req, _ = http.NewRequest("GET", "http://127.0.0.1:8200/v1/secret/foo?list=true", nil)
The big one (#5346)
2018-09-18 03:03:00 +00:00
req = req.WithContext(namespace.RootContext(nil))
req.Header.Add(consts.AuthHeaderName, rootToken)
Merge PR #9390: http: revert resource quota changes
2020-07-07 04:05:28 +00:00
lreq, _, status, err = buildLogicalRequest(core, nil, req)
Internally append trailing slash for all LIST operations. (#2390) Fixes #2385
2017-02-17 04:23:32 +00:00
if err != nil {
t.Fatal(err)
}
if status != 0 {
t.Fatalf("got status %d", status)
}
if !strings.HasSuffix(lreq.Path, "/") {
t.Fatal("trailing slash not found on path")
}
req, _ = http.NewRequest("LIST", "http://127.0.0.1:8200/v1/secret/foo", nil)
The big one (#5346)
2018-09-18 03:03:00 +00:00
req = req.WithContext(namespace.RootContext(nil))
req.Header.Add(consts.AuthHeaderName, rootToken)
Merge PR #9390: http: revert resource quota changes
2020-07-07 04:05:28 +00:00
_, _, status, err = buildLogicalRequestNoAuth(core.PerfStandby(), nil, req)
Resource Quotas: Rate Limiting (#9330)
2020-06-26 21:13:16 +00:00
if err != nil || status != 0 {
t.Fatal(err)
}
Merge PR #9390: http: revert resource quota changes
2020-07-07 04:05:28 +00:00
lreq, _, status, err = buildLogicalRequest(core, nil, req)
Internally append trailing slash for all LIST operations. (#2390) Fixes #2385
2017-02-17 04:23:32 +00:00
if err != nil {
t.Fatal(err)
}
if status != 0 {
t.Fatalf("got status %d", status)
}
if !strings.HasSuffix(lreq.Path, "/") {
t.Fatal("trailing slash not found on path")
}
}
http: Add a method for returning a 404 with data (#3994) * Add a method for returning a 404 with data * Pass the full resp object through to respond raw * Add comment * Refactor so it works across plugin gRPC * Handle some review comments * Pass request object instead of request ID
2018-02-21 22:22:21 +00:00
Parse query parameters for GET request turned in logical.ListOperation (#16991) * Parse query parameters for GET requests turned in logical.ListOperation * adds test cases
2022-09-02 21:21:25 +00:00
func TestLogical_ListWithQueryParameters(t *testing.T) {
core, _, rootToken := vault.TestCoreUnsealed(t)
tests := []struct {
name string
requestMethod string
url string
expectedData map[string]interface{}
}{
{
name: "LIST request method parses query parameter",
requestMethod: "LIST",
url: "http://127.0.0.1:8200/v1/secret/foo?key1=value1",
expectedData: map[string]interface{}{
"key1": "value1",
},
},
{
name: "LIST request method parses query multiple parameters",
requestMethod: "LIST",
url: "http://127.0.0.1:8200/v1/secret/foo?key1=value1&key2=value2",
expectedData: map[string]interface{}{
"key1": "value1",
"key2": "value2",
},
},
{
name: "GET request method with list=true parses query parameter",
requestMethod: "GET",
url: "http://127.0.0.1:8200/v1/secret/foo?list=true&key1=value1",
expectedData: map[string]interface{}{
"key1": "value1",
},
},
{
name: "GET request method with list=true parses multiple query parameters",
requestMethod: "GET",
url: "http://127.0.0.1:8200/v1/secret/foo?list=true&key1=value1&key2=value2",
expectedData: map[string]interface{}{
"key1": "value1",
"key2": "value2",
},
},
{
name: "GET request method with alternate order list=true parses multiple query parameters",
requestMethod: "GET",
url: "http://127.0.0.1:8200/v1/secret/foo?key1=value1&list=true&key2=value2",
expectedData: map[string]interface{}{
"key1": "value1",
"key2": "value2",
},
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
req, _ := http.NewRequest(tc.requestMethod, tc.url, nil)
req = req.WithContext(namespace.RootContext(nil))
req.Header.Add(consts.AuthHeaderName, rootToken)
lreq, _, status, err := buildLogicalRequest(core, nil, req)
if err != nil {
t.Fatal(err)
}
if status != 0 {
t.Fatalf("got status %d", status)
}
if !strings.HasSuffix(lreq.Path, "/") {
t.Fatal("trailing slash not found on path")
}
if lreq.Operation != logical.ListOperation {
t.Fatalf("expected logical.ListOperation, got %v", lreq.Operation)
}
if !reflect.DeepEqual(tc.expectedData, lreq.Data) {
t.Fatalf("expected query parameter data %v, got %v", tc.expectedData, lreq.Data)
}
})
}
}
http: Add a method for returning a 404 with data (#3994) * Add a method for returning a 404 with data * Pass the full resp object through to respond raw * Add comment * Refactor so it works across plugin gRPC * Handle some review comments * Pass request object instead of request ID
2018-02-21 22:22:21 +00:00
func TestLogical_RespondWithStatusCode(t *testing.T) {
resp := &logical.Response{
Data: map[string]interface{}{
"test-data": "foo",
},
}
resp404, err := logical.RespondWithStatusCode(resp, &logical.Request{ID: "id"}, http.StatusNotFound)
if err != nil {
t.Fatal(err)
}
w := httptest.NewRecorder()
OSS parts of the new client controlled consistency feature (#10974)
2021-02-24 11:58:10 +00:00
respondLogical(nil, w, nil, nil, resp404, false)
http: Add a method for returning a 404 with data (#3994) * Add a method for returning a 404 with data * Pass the full resp object through to respond raw * Add comment * Refactor so it works across plugin gRPC * Handle some review comments * Pass request object instead of request ID
2018-02-21 22:22:21 +00:00
if w.Code != 404 {
t.Fatalf("Bad Status code: %d", w.Code)
}
bodyRaw, err := ioutil.ReadAll(w.Body)
if err != nil {
t.Fatal(err)
}
expected := `{"request_id":"id","lease_id":"","renewable":false,"lease_duration":0,"data":{"test-data":"foo"},"wrap_info":null,"warnings":null,"auth":null}`
if string(bodyRaw[:]) != strings.Trim(expected, "\n") {
t.Fatalf("bad response: %s", string(bodyRaw[:]))
}
}
audit: log invalid wrapping token request/response (#6541) * audit: log invalid wrapping token request/response * Update helper/consts/error.go Co-Authored-By: calvn <cleung2010@gmail.com> * update error comments * Update vault/wrapping.go Co-Authored-By: calvn <cleung2010@gmail.com> * update comment * move validateWrappingToken out of http and into logical * minor refactor, add test cases * comment rewording * refactor validateWrappingToken to perform audit logging * move ValidateWrappingToken back to wrappingVerificationFunc * Fix tests * Review feedback
2019-07-05 21:15:14 +00:00
func TestLogical_Audit_invalidWrappingToken(t *testing.T) {
// Create a noop audit backend
var noop *vault.NoopAudit
c, _, root := vault.TestCoreUnsealedWithConfig(t, &vault.CoreConfig{
AuditBackends: map[string]audit.Factory{
"noop": func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
noop = &vault.NoopAudit{
Config: config,
}
return noop, nil
},
},
})
ln, addr := TestServer(t, c)
defer ln.Close()
// Enable the audit backend
resp := testHttpPost(t, root, addr+"/v1/sys/audit/noop", map[string]interface{}{
"type": "noop",
})
testResponseStatus(t, resp, 204)
{
// Make a wrapping/unwrap request with an invalid token
resp := testHttpPost(t, root, addr+"/v1/sys/wrapping/unwrap", map[string]interface{}{
"token": "foo",
})
testResponseStatus(t, resp, 400)
body := map[string][]string{}
testResponseBody(t, resp, &body)
if body["errors"][0] != "wrapping token is not valid or does not exist" {
t.Fatal(body)
}
// Check the audit trail on request and response
if len(noop.ReqAuth) != 1 {
t.Fatalf("bad: %#v", noop)
}
auth := noop.ReqAuth[0]
if auth.ClientToken != root {
t.Fatalf("bad client token: %#v", auth)
}
if len(noop.Req) != 1 || noop.Req[0].Path != "sys/wrapping/unwrap" {
t.Fatalf("bad:\ngot:\n%#v", noop.Req[0])
}
if len(noop.ReqErrs) != 1 {
t.Fatalf("bad: %#v", noop.RespErrs)
}
if noop.ReqErrs[0] != consts.ErrInvalidWrappingToken {
t.Fatalf("bad: %#v", noop.ReqErrs)
}
}
{
resp := testHttpPostWrapped(t, root, addr+"/v1/auth/token/create", nil, 10*time.Second)
testResponseStatus(t, resp, 200)
body := map[string]interface{}{}
testResponseBody(t, resp, &body)
wrapToken := body["wrap_info"].(map[string]interface{})["token"].(string)
// Make a wrapping/unwrap request with an invalid token
resp = testHttpPost(t, root, addr+"/v1/sys/wrapping/unwrap", map[string]interface{}{
"token": wrapToken,
})
testResponseStatus(t, resp, 200)
// Check the audit trail on request and response
if len(noop.ReqAuth) != 3 {
t.Fatalf("bad: %#v", noop)
}
auth := noop.ReqAuth[2]
if auth.ClientToken != root {
t.Fatalf("bad client token: %#v", auth)
}
if len(noop.Req) != 3 || noop.Req[2].Path != "sys/wrapping/unwrap" {
t.Fatalf("bad:\ngot:\n%#v", noop.Req[2])
}
// Make sure there is only one error in the logs
if noop.ReqErrs[1] != nil || noop.ReqErrs[2] != nil {
t.Fatalf("bad: %#v", noop.RespErrs)
}
}
}
Support processing parameters sent as a URL-encoded form (#8325)
2020-02-12 22:20:22 +00:00
func TestLogical_ShouldParseForm(t *testing.T) {
const formCT = "application/x-www-form-urlencoded"
tests := map[string]struct {
prefix string
contentType string
isForm bool
}{
"JSON": {`{"a":42}`, formCT, false},
"JSON 2": {`[42]`, formCT, false},
"JSON w/leading space": {" \n\n\r\t [42] ", formCT, false},
"Form": {"a=42&b=dog", formCT, true},
"Form w/wrong CT": {"a=42&b=dog", "application/json", false},
}
for name, test := range tests {
isForm := isForm([]byte(test.prefix), test.contentType)
if isForm != test.isForm {
t.Fatalf("%s fail: expected isForm %t, got %t", name, test.isForm, isForm)
}
}
}
Add remote_port in the audit logs when it is available (#12790) * Add remote_port in the audit logs when it is available The `request.remote_port` field is now present in the audit log when it is available: ``` { "time": "2021-10-10T13:53:51.760039Z", "type": "response", "auth": { "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "display_name": "root", "policies": [ "root" ], "token_policies": [ "root" ], "token_type": "service", "token_issue_time": "2021-10-10T15:53:44+02:00" }, "request": { "id": "829c04a1-0352-2d9d-9bc9-00b928d33df5", "operation": "update", "mount_type": "system", "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "namespace": { "id": "root" }, "path": "sys/audit/file", "data": { "description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b", "local": false, "options": { "file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3" }, "type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc" }, "remote_address": "127.0.0.1", "remote_port": 54798 }, "response": { "mount_type": "system" } } ``` Closes https://github.com/hashicorp/vault/issues/7716 * Add changelog entry * Empty commit to trigger CI * Add test and explicit error handling * Change temporary file pattern in test
2022-01-26 23:47:15 +00:00
func TestLogical_AuditPort(t *testing.T) {
coreConfig := &vault.CoreConfig{
LogicalBackends: map[string]logical.Factory{
"kv": kv.VersionedKVFactory,
},
AuditBackends: map[string]audit.Factory{
"file": auditFile.Factory,
},
}
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
HandlerFunc: Handler,
})
cluster.Start()
defer cluster.Cleanup()
cores := cluster.Cores
core := cores[0].Core
c := cluster.Cores[0].Client
vault.TestWaitActive(t, core)
if err := c.Sys().Mount("kv/", &api.MountInput{
Type: "kv-v2",
}); err != nil {
t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
}
auditLogFile, err := ioutil.TempFile("", "auditport")
if err != nil {
t.Fatal(err)
}
err = c.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
Type: "file",
Options: map[string]string{
"file_path": auditLogFile.Name(),
},
})
if err != nil {
t.Fatalf("failed to enable audit file, err: %#v\n", err)
}
writeData := map[string]interface{}{
"data": map[string]interface{}{
"bar": "a",
},
}
Address test flakiness in TestLogical_AuditPort (#16546) - Based on group test fixing session from July 29, 2022 - Leverage the RetryUntil to catch and re-attempt a kv store creation if the test receives an error about upgrading the KV store - Update the expected audit log entries accordingly along with the captured failures if any - Fix up a copy/paste error within the test error message if the remote_address field is not of the expected type.
2022-08-03 14:14:17 +00:00
// workaround kv-v2 initialization upgrade errors
numFailures := 0
vault.RetryUntil(t, 10*time.Second, func() error {
resp, err := c.Logical().Write("kv/data/foo", writeData)
if err != nil {
if strings.Contains(err.Error(), "Upgrading from non-versioned to versioned data") {
t.Logf("Retrying fetch KV data due to upgrade error")
time.Sleep(100 * time.Millisecond)
numFailures += 1
return err
}
t.Fatalf("write request failed, err: %#v, resp: %#v\n", err, resp)
}
return nil
})
Add remote_port in the audit logs when it is available (#12790) * Add remote_port in the audit logs when it is available The `request.remote_port` field is now present in the audit log when it is available: ``` { "time": "2021-10-10T13:53:51.760039Z", "type": "response", "auth": { "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "display_name": "root", "policies": [ "root" ], "token_policies": [ "root" ], "token_type": "service", "token_issue_time": "2021-10-10T15:53:44+02:00" }, "request": { "id": "829c04a1-0352-2d9d-9bc9-00b928d33df5", "operation": "update", "mount_type": "system", "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "namespace": { "id": "root" }, "path": "sys/audit/file", "data": { "description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b", "local": false, "options": { "file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3" }, "type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc" }, "remote_address": "127.0.0.1", "remote_port": 54798 }, "response": { "mount_type": "system" } } ``` Closes https://github.com/hashicorp/vault/issues/7716 * Add changelog entry * Empty commit to trigger CI * Add test and explicit error handling * Change temporary file pattern in test
2022-01-26 23:47:15 +00:00
decoder := json.NewDecoder(auditLogFile)
var auditRecord map[string]interface{}
count := 0
for decoder.Decode(&auditRecord) == nil {
count += 1
// Skip the first line
if count == 1 {
continue
}
auditRequest := map[string]interface{}{}
if req, ok := auditRecord["request"]; ok {
auditRequest = req.(map[string]interface{})
}
if _, ok := auditRequest["remote_address"].(string); !ok {
Address test flakiness in TestLogical_AuditPort (#16546) - Based on group test fixing session from July 29, 2022 - Leverage the RetryUntil to catch and re-attempt a kv store creation if the test receives an error about upgrading the KV store - Update the expected audit log entries accordingly along with the captured failures if any - Fix up a copy/paste error within the test error message if the remote_address field is not of the expected type.
2022-08-03 14:14:17 +00:00
t.Fatalf("remote_address should be a string, not %T", auditRequest["remote_address"])
Add remote_port in the audit logs when it is available (#12790) * Add remote_port in the audit logs when it is available The `request.remote_port` field is now present in the audit log when it is available: ``` { "time": "2021-10-10T13:53:51.760039Z", "type": "response", "auth": { "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "display_name": "root", "policies": [ "root" ], "token_policies": [ "root" ], "token_type": "service", "token_issue_time": "2021-10-10T15:53:44+02:00" }, "request": { "id": "829c04a1-0352-2d9d-9bc9-00b928d33df5", "operation": "update", "mount_type": "system", "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "namespace": { "id": "root" }, "path": "sys/audit/file", "data": { "description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b", "local": false, "options": { "file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3" }, "type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc" }, "remote_address": "127.0.0.1", "remote_port": 54798 }, "response": { "mount_type": "system" } } ``` Closes https://github.com/hashicorp/vault/issues/7716 * Add changelog entry * Empty commit to trigger CI * Add test and explicit error handling * Change temporary file pattern in test
2022-01-26 23:47:15 +00:00
}
if _, ok := auditRequest["remote_port"].(float64); !ok {
t.Fatalf("remote_port should be a number, not %T", auditRequest["remote_port"])
}
}
Address test flakiness in TestLogical_AuditPort (#16546) - Based on group test fixing session from July 29, 2022 - Leverage the RetryUntil to catch and re-attempt a kv store creation if the test receives an error about upgrading the KV store - Update the expected audit log entries accordingly along with the captured failures if any - Fix up a copy/paste error within the test error message if the remote_address field is not of the expected type.
2022-08-03 14:14:17 +00:00
// We expect the following items in the audit log:
// audit log header + an entry for updating sys/audit/file
// + request/response per failure (if any) + request/response for creating kv
numExpectedEntries := (numFailures * 2) + 4
if count != numExpectedEntries {
t.Fatalf("wrong number of audit entries expected: %d got: %d", numExpectedEntries, count)
Add remote_port in the audit logs when it is available (#12790) * Add remote_port in the audit logs when it is available The `request.remote_port` field is now present in the audit log when it is available: ``` { "time": "2021-10-10T13:53:51.760039Z", "type": "response", "auth": { "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "display_name": "root", "policies": [ "root" ], "token_policies": [ "root" ], "token_type": "service", "token_issue_time": "2021-10-10T15:53:44+02:00" }, "request": { "id": "829c04a1-0352-2d9d-9bc9-00b928d33df5", "operation": "update", "mount_type": "system", "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf", "client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43", "namespace": { "id": "root" }, "path": "sys/audit/file", "data": { "description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b", "local": false, "options": { "file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3" }, "type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc" }, "remote_address": "127.0.0.1", "remote_port": 54798 }, "response": { "mount_type": "system" } } ``` Closes https://github.com/hashicorp/vault/issues/7716 * Add changelog entry * Empty commit to trigger CI * Add test and explicit error handling * Change temporary file pattern in test
2022-01-26 23:47:15 +00:00
}
}
treat logical.ErrRelativePath as 400 instead of 500 (#14328) * treat logical.ErrRelativePath as 400 instead of 500 * add changelog entry * return UserError for logical.ErrRelativePath
2022-03-30 13:08:02 +00:00
func TestLogical_ErrRelativePath(t *testing.T) {
coreConfig := &vault.CoreConfig{
CredentialBackends: map[string]logical.Factory{
"userpass": credUserpass.Factory,
},
}
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
HandlerFunc: Handler,
})
cluster.Start()
defer cluster.Cleanup()
cores := cluster.Cores
core := cores[0].Core
c := cluster.Cores[0].Client
vault.TestWaitActive(t, core)
err := c.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{
Type: "userpass",
})
if err != nil {
t.Fatalf("failed to enable userpass, err: %v", err)
}
resp, err := c.Logical().Read("auth/userpass/users/user..aaa")
if err == nil || resp != nil {
t.Fatalf("expected read request to fail, resp: %#v, err: %v", resp, err)
}
respErr, ok := err.(*api.ResponseError)
if !ok {
t.Fatalf("unexpected error type, err: %#v", err)
}
if respErr.StatusCode != 400 {
t.Errorf("expected 400 response for read, actual: %d", respErr.StatusCode)
}
if !strings.Contains(respErr.Error(), logical.ErrRelativePath.Error()) {
t.Errorf("expected response for read to include %q", logical.ErrRelativePath.Error())
}
data := map[string]interface{}{
"password": "abc123",
}
resp, err = c.Logical().Write("auth/userpass/users/user..aaa", data)
if err == nil || resp != nil {
t.Fatalf("expected write request to fail, resp: %#v, err: %v", resp, err)
}
respErr, ok = err.(*api.ResponseError)
if !ok {
t.Fatalf("unexpected error type, err: %#v", err)
}
if respErr.StatusCode != 400 {
t.Errorf("expected 400 response for write, actual: %d", respErr.StatusCode)
}
if !strings.Contains(respErr.Error(), logical.ErrRelativePath.Error()) {
t.Errorf("expected response for write to include %q", logical.ErrRelativePath.Error())
}
}