luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
open-vault/vault/token_store_test.go

1213 lines
28 KiB
Go
Raw Normal View History

vault: First pass token store
2015-03-18 20:19:19 +00:00
package vault
import (
"reflect"
"testing"
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
"time"
"github.com/hashicorp/vault/logical"
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
"github.com/mitchellh/mapstructure"
vault: First pass token store
2015-03-18 20:19:19 +00:00
)
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests.
2015-09-04 20:58:12 +00:00
func getBackendConfig(c *Core) *logical.BackendConfig {
return &logical.BackendConfig{
Logger: c.logger,
System: logical.StaticSystemView{
DefaultLeaseTTLVal: time.Hour * 24,
MaxLeaseTTLVal: time.Hour * 24 * 30,
},
}
}
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
func testMakeToken(t *testing.T, ts *TokenStore, root, client, ttl string, policy []string) {
req := logical.TestRequest(t, logical.UpdateOperation, "create")
req.ClientToken = root
req.Data["id"] = client
req.Data["policies"] = policy
req.Data["ttl"] = ttl
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp.Auth.ClientToken != client {
t.Fatalf("bad: %#v", resp)
}
}
func testCoreMakeToken(t *testing.T, c *Core, root, client, ttl string, policy []string) {
req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create")
req.ClientToken = root
req.Data["id"] = client
req.Data["policies"] = policy
req.Data["ttl"] = ttl
resp, err := c.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp.Auth.ClientToken != client {
t.Fatalf("bad: %#v", resp)
}
}
vault: Adding method to generate root token
2015-03-24 00:16:37 +00:00
func TestTokenStore_RootToken(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, _ := TestCoreWithTokenStore(t)
vault: Adding method to generate root token
2015-03-24 00:16:37 +00:00
Pull out setting the root token ID; use the new ParseUUID method in go-uuid instead, and revoke if there is an error.
2016-01-20 00:44:33 +00:00
te, err := ts.rootToken()
vault: Adding method to generate root token
2015-03-24 00:16:37 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
if te.ID == "" {
t.Fatalf("missing ID")
}
out, err := ts.Lookup(te.ID)
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, te) {
t.Fatalf("bad: %#v", out)
}
}
vault: First pass token store
2015-03-18 20:19:19 +00:00
func TestTokenStore_CreateLookup(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
c, ts, _, _ := TestCoreWithTokenStore(t)
vault: First pass token store
2015-03-18 20:19:19 +00:00
vault: token tracks generation path and meta data
2015-03-23 20:39:43 +00:00
ent := &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent); err != nil {
vault: First pass token store
2015-03-18 20:19:19 +00:00
t.Fatalf("err: %v", err)
}
if ent.ID == "" {
t.Fatalf("missing ID")
}
out, err := ts.Lookup(ent.ID)
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, ent) {
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
t.Fatalf("bad: %#v", out)
}
// New store should share the salt
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests.
2015-09-04 20:58:12 +00:00
ts2, err := NewTokenStore(c, getBackendConfig(c))
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Should still match
out, err = ts2.Lookup(ent.ID)
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, ent) {
t.Fatalf("bad: %#v", out)
}
}
func TestTokenStore_CreateLookup_ProvidedID(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
c, ts, _, _ := TestCoreWithTokenStore(t)
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
ent := &TokenEntry{
ID: "foobarbaz",
Path: "test",
Policies: []string{"dev", "ops"},
}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent); err != nil {
vault: Allow providing token ID during creation
2015-03-24 21:22:50 +00:00
t.Fatalf("err: %v", err)
}
if ent.ID != "foobarbaz" {
t.Fatalf("bad: %#v", ent)
}
out, err := ts.Lookup(ent.ID)
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, ent) {
vault: First pass token store
2015-03-18 20:19:19 +00:00
t.Fatalf("bad: %#v", out)
}
// New store should share the salt
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests.
2015-09-04 20:58:12 +00:00
ts2, err := NewTokenStore(c, getBackendConfig(c))
vault: First pass token store
2015-03-18 20:19:19 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Should still match
out, err = ts2.Lookup(ent.ID)
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, ent) {
t.Fatalf("bad: %#v", out)
}
}
vault: testing token revocation
2015-03-18 20:50:36 +00:00
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
func TestTokenStore_UseToken(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
// Lookup the root token
ent, err := ts.Lookup(root)
if err != nil {
t.Fatalf("err: %v", err)
}
// Root is an unlimited use token, should be a no-op
err = ts.UseToken(ent)
if err != nil {
t.Fatalf("err: %v", err)
}
// Lookup the root token again
ent2, err := ts.Lookup(root)
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(ent, ent2) {
t.Fatalf("bad: %#v %#v", ent, ent2)
}
// Create a retstricted token
ent = &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}, NumUses: 2}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent); err != nil {
vault: Adding method to consume a limited use token
2015-04-17 18:51:04 +00:00
t.Fatalf("err: %v", err)
}
// Use the token
err = ts.UseToken(ent)
if err != nil {
t.Fatalf("err: %v", err)
}
// Lookup the token
ent2, err = ts.Lookup(ent.ID)
if err != nil {
t.Fatalf("err: %v", err)
}
// Should be reduced
if ent2.NumUses != 1 {
t.Fatalf("bad: %#v", ent2)
}
// Use the token
err = ts.UseToken(ent)
if err != nil {
t.Fatalf("err: %v", err)
}
// Lookup the token
ent2, err = ts.Lookup(ent.ID)
if err != nil {
t.Fatalf("err: %v", err)
}
// Should be revoked
if ent2 != nil {
t.Fatalf("bad: %#v", ent2)
}
}
vault: testing token revocation
2015-03-18 20:50:36 +00:00
func TestTokenStore_Revoke(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, _ := TestCoreWithTokenStore(t)
vault: testing token revocation
2015-03-18 20:50:36 +00:00
vault: token tracks generation path and meta data
2015-03-23 20:39:43 +00:00
ent := &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent); err != nil {
vault: testing token revocation
2015-03-18 20:50:36 +00:00
t.Fatalf("err: %v", err)
}
err := ts.Revoke("")
if err.Error() != "cannot revoke blank token" {
t.Fatalf("err: %v", err)
}
err = ts.Revoke(ent.ID)
if err != nil {
t.Fatalf("err: %v", err)
}
out, err := ts.Lookup(ent.ID)
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %#v", out)
}
}
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
func TestTokenStore_Revoke_Leases(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, _ := TestCoreWithTokenStore(t)
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
// Mount a noop backend
noop := &NoopBackend{}
Push a lot of logic into Router to make a bunch of it nicer and enable a lot of cleanup. Plumb config and calls to framework.Backend.Setup() into logical_system and elsewhere, including tests.
2015-09-04 20:58:12 +00:00
ts.expiration.router.Mount(noop, "", &MountEntry{UUID: ""}, nil)
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
ent := &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent); err != nil {
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
t.Fatalf("err: %v", err)
}
// Register a lease
req := &logical.Request{
Operation: logical.ReadOperation,
Path: "secret/foo",
ClientToken: ent.ID,
}
resp := &logical.Response{
Secret: &logical.Secret{
LeaseOptions: logical.LeaseOptions{
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-21 00:47:17 +00:00
TTL: 20 * time.Millisecond,
vault: revoking a token should revoke all secrets it has generated
2015-04-10 22:12:04 +00:00
},
},
Data: map[string]interface{}{
"access_key": "xyz",
"secret_key": "abcd",
},
}
leaseID, err := ts.expiration.Register(req, resp)
if err != nil {
t.Fatalf("err: %v", err)
}
// Revoke the token
err = ts.Revoke(ent.ID)
if err != nil {
t.Fatalf("err: %v", err)
}
// Verify the lease is gone
out, err := ts.expiration.loadEntry(leaseID)
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %#v", out)
}
}
vault: testing token revocation
2015-03-18 20:50:36 +00:00
func TestTokenStore_Revoke_Orphan(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, _ := TestCoreWithTokenStore(t)
vault: testing token revocation
2015-03-18 20:50:36 +00:00
vault: token tracks generation path and meta data
2015-03-23 20:39:43 +00:00
ent := &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent); err != nil {
vault: testing token revocation
2015-03-18 20:50:36 +00:00
t.Fatalf("err: %v", err)
}
ent2 := &TokenEntry{Parent: ent.ID}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent2); err != nil {
vault: testing token revocation
2015-03-18 20:50:36 +00:00
t.Fatalf("err: %v", err)
}
err := ts.Revoke(ent.ID)
if err != nil {
t.Fatalf("err: %v", err)
}
out, err := ts.Lookup(ent2.ID)
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, ent2) {
t.Fatalf("bad: %#v", out)
}
}
func TestTokenStore_RevokeTree(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, _ := TestCoreWithTokenStore(t)
vault: testing token revocation
2015-03-18 20:50:36 +00:00
ent1 := &TokenEntry{}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent1); err != nil {
vault: testing token revocation
2015-03-18 20:50:36 +00:00
t.Fatalf("err: %v", err)
}
ent2 := &TokenEntry{Parent: ent1.ID}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent2); err != nil {
vault: testing token revocation
2015-03-18 20:50:36 +00:00
t.Fatalf("err: %v", err)
}
ent3 := &TokenEntry{Parent: ent2.ID}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent3); err != nil {
vault: testing token revocation
2015-03-18 20:50:36 +00:00
t.Fatalf("err: %v", err)
}
ent4 := &TokenEntry{Parent: ent2.ID}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent4); err != nil {
vault: testing token revocation
2015-03-18 20:50:36 +00:00
t.Fatalf("err: %v", err)
}
err := ts.RevokeTree("")
if err.Error() != "cannot revoke blank token" {
t.Fatalf("err: %v", err)
}
err = ts.RevokeTree(ent1.ID)
if err != nil {
t.Fatalf("err: %v", err)
}
lookup := []string{ent1.ID, ent2.ID, ent3.ID, ent4.ID}
for _, id := range lookup {
out, err := ts.Lookup(id)
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %#v", out)
}
}
}
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
func TestTokenStore_RevokeSelf(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, _ := TestCoreWithTokenStore(t)
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
ent1 := &TokenEntry{}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent1); err != nil {
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
t.Fatalf("err: %v", err)
}
ent2 := &TokenEntry{Parent: ent1.ID}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent2); err != nil {
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
t.Fatalf("err: %v", err)
}
ent3 := &TokenEntry{Parent: ent2.ID}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent3); err != nil {
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
t.Fatalf("err: %v", err)
}
ent4 := &TokenEntry{Parent: ent2.ID}
Make the token store's Create and RootToken functions non-exported. Nothing requires them to be exported, and I don't want anything in the future to think it's okay to simply create a root token when it likes.
2015-10-30 14:59:26 +00:00
if err := ts.create(ent4); err != nil {
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
t.Fatalf("err: %v", err)
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "revoke-self")
Add revoke-self endpoint. Fixes #620.
2015-09-17 17:22:30 +00:00
req.ClientToken = ent1.ID
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
lookup := []string{ent1.ID, ent2.ID, ent3.ID, ent4.ID}
for _, id := range lookup {
out, err := ts.Lookup(id)
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %#v", out)
}
}
}
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
func TestTokenStore_HandleRequest_CreateToken_DisplayName(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
req.ClientToken = root
req.Data["display_name"] = "foo_bar.baz!"
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
expected := &TokenEntry{
ID: resp.Auth.ClientToken,
Parent: root,
Policies: []string{"root"},
Path: "auth/token/create",
DisplayName: "token-foo-bar-baz",
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
TTL: 0,
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
}
out, err := ts.Lookup(resp.Auth.ClientToken)
if err != nil {
t.Fatalf("err: %v", err)
}
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
expected.CreationTime = out.CreationTime
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
if !reflect.DeepEqual(out, expected) {
t.Fatalf("bad: %#v", out)
}
}
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
func TestTokenStore_HandleRequest_CreateToken_NumUses(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
req.ClientToken = root
req.Data["num_uses"] = "1"
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
expected := &TokenEntry{
ID: resp.Auth.ClientToken,
Parent: root,
Policies: []string{"root"},
Path: "auth/token/create",
DisplayName: "token",
NumUses: 1,
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
TTL: 0,
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
}
out, err := ts.Lookup(resp.Auth.ClientToken)
if err != nil {
t.Fatalf("err: %v", err)
}
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
expected.CreationTime = out.CreationTime
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
if !reflect.DeepEqual(out, expected) {
t.Fatalf("bad: %#v", out)
}
}
func TestTokenStore_HandleRequest_CreateToken_NumUses_Invalid(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
req.ClientToken = root
req.Data["num_uses"] = "-1"
resp, err := ts.HandleRequest(req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v %v", err, resp)
}
}
func TestTokenStore_HandleRequest_CreateToken_NumUses_Restricted(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Tokens can have a use count specified
2015-04-17 18:34:25 +00:00
req.ClientToken = root
req.Data["num_uses"] = "1"
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
// We should NOT be able to use the restricted token to create a new token
req.ClientToken = resp.Auth.ClientToken
_, err = ts.HandleRequest(req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v %v", err, resp)
}
}
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
func TestTokenStore_HandleRequest_CreateToken_NoPolicy(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = root
resp, err := ts.HandleRequest(req)
vault: token store inehrits policies by default
2015-04-07 21:19:52 +00:00
if err != nil {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("err: %v %v", err, resp)
}
vault: token store inehrits policies by default
2015-04-07 21:19:52 +00:00
expected := &TokenEntry{
vault: token store allows specifying display_name
2015-04-15 21:24:07 +00:00
ID: resp.Auth.ClientToken,
Parent: root,
Policies: []string{"root"},
Path: "auth/token/create",
DisplayName: "token",
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
TTL: 0,
vault: token store inehrits policies by default
2015-04-07 21:19:52 +00:00
}
out, err := ts.Lookup(resp.Auth.ClientToken)
if err != nil {
t.Fatalf("err: %v", err)
}
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
expected.CreationTime = out.CreationTime
vault: token store inehrits policies by default
2015-04-07 21:19:52 +00:00
if !reflect.DeepEqual(out, expected) {
t.Fatalf("bad: %#v", out)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
}
func TestTokenStore_HandleRequest_CreateToken_BadParent(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, _ := TestCoreWithTokenStore(t)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = "random"
resp, err := ts.HandleRequest(req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v %v", err, resp)
}
if resp.Data["error"] != "parent token lookup failed" {
t.Fatalf("bad: %#v", resp)
}
}
func TestTokenStore_HandleRequest_CreateToken(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = root
req.Data["policies"] = []string{"foo"}
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
if resp.Auth.ClientToken == "" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
}
func TestTokenStore_HandleRequest_CreateToken_RootID(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = root
req.Data["id"] = "foobar"
req.Data["policies"] = []string{"foo"}
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
if resp.Auth.ClientToken != "foobar" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
}
func TestTokenStore_HandleRequest_CreateToken_NonRootID(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
testMakeToken(t, ts, root, "client", "", []string{"foo"})
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = "client"
req.Data["id"] = "foobar"
req.Data["policies"] = []string{"foo"}
resp, err := ts.HandleRequest(req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v %v", err, resp)
}
fix broken tests
2015-09-19 16:33:52 +00:00
if resp.Data["error"] != "root or sudo privileges required to specify token id" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
}
func TestTokenStore_HandleRequest_CreateToken_NonRoot_Subset(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
testMakeToken(t, ts, root, "client", "", []string{"foo", "bar"})
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = "client"
req.Data["policies"] = []string{"foo"}
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
if resp.Auth.ClientToken == "" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
}
func TestTokenStore_HandleRequest_CreateToken_NonRoot_InvalidSubset(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
testMakeToken(t, ts, root, "client", "", []string{"foo", "bar"})
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = "client"
req.Data["policies"] = []string{"foo", "bar", "baz"}
resp, err := ts.HandleRequest(req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v %v", err, resp)
}
vault: Passthrough of client token to token store
2015-03-24 22:12:52 +00:00
if resp.Data["error"] != "child policies must be subset of parent" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
}
func TestTokenStore_HandleRequest_CreateToken_NonRoot_NoParent(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
testMakeToken(t, ts, root, "client", "", []string{"foo"})
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = "client"
req.Data["no_parent"] = true
req.Data["policies"] = []string{"foo"}
resp, err := ts.HandleRequest(req)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v %v", err, resp)
}
fix broken tests
2015-09-19 16:33:52 +00:00
if resp.Data["error"] != "root or sudo privileges required to create orphan token" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
}
func TestTokenStore_HandleRequest_CreateToken_Root_NoParent(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = root
req.Data["no_parent"] = true
req.Data["policies"] = []string{"foo"}
Add ability to create orphan tokens from the API
2015-11-03 20:10:46 +00:00
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
out, _ := ts.Lookup(resp.Auth.ClientToken)
if out.Parent != "" {
t.Fatalf("bad: %#v", out)
}
}
func TestTokenStore_HandleRequest_CreateToken_PathBased_NoParent(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
Add ability to create orphan tokens from the API
2015-11-03 20:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create-orphan")
Add ability to create orphan tokens from the API
2015-11-03 20:10:46 +00:00
req.ClientToken = root
req.Data["policies"] = []string{"foo"}
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
if resp.Auth.ClientToken == "" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
out, _ := ts.Lookup(resp.Auth.ClientToken)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
if out.Parent != "" {
t.Fatalf("bad: %#v", out)
}
}
func TestTokenStore_HandleRequest_CreateToken_Metadata(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = root
req.Data["policies"] = []string{"foo"}
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
meta := map[string]string{
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
"user": "armon",
"source": "github",
}
req.Data["meta"] = meta
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
if resp.Auth.ClientToken == "" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
out, _ := ts.Lookup(resp.Auth.ClientToken)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
if !reflect.DeepEqual(out.Meta, meta) {
t.Fatalf("bad: %#v", out)
}
}
func TestTokenStore_HandleRequest_CreateToken_Lease(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = root
req.Data["policies"] = []string{"foo"}
req.Data["lease"] = "1h"
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
vault: get rid of HangleLogin
2015-03-31 03:26:39 +00:00
if resp.Auth.ClientToken == "" {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-21 00:47:17 +00:00
if resp.Auth.TTL != time.Hour {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
vault: Use Auth for lease and renewable
2015-04-03 21:04:50 +00:00
if !resp.Auth.Renewable {
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
t.Fatalf("bad: %#v", resp)
}
}
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 13:46:20 +00:00
func TestTokenStore_HandleRequest_CreateToken_TTL(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 13:46:20 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "create")
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 13:46:20 +00:00
req.ClientToken = root
req.Data["policies"] = []string{"foo"}
req.Data["ttl"] = "1h"
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp.Auth.ClientToken == "" {
t.Fatalf("bad: %#v", resp)
}
if resp.Auth.TTL != time.Hour {
t.Fatalf("bad: %#v", resp)
}
if !resp.Auth.Renewable {
t.Fatalf("bad: %#v", resp)
}
}
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
func TestTokenStore_HandleRequest_Revoke(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
testMakeToken(t, ts, root, "child", "", []string{"root", "foo"})
testMakeToken(t, ts, "child", "sub-child", "", []string{"foo"})
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "revoke/child")
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
out, err := ts.Lookup("child")
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %v", out)
}
// Sub-child should not exist
out, err = ts.Lookup("sub-child")
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %v", out)
}
}
func TestTokenStore_HandleRequest_RevokeOrphan(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
testMakeToken(t, ts, root, "child", "", []string{"root", "foo"})
testMakeToken(t, ts, "child", "sub-child", "", []string{"foo"})
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "revoke-orphan/child")
Restrict orphan revocation to root tokens
2015-09-16 13:22:15 +00:00
req.ClientToken = root
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 22:30:09 +00:00
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
out, err := ts.Lookup("child")
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %v", out)
}
// Sub-child should exist!
out, err = ts.Lookup("sub-child")
if err != nil {
t.Fatalf("err: %v", err)
}
if out == nil {
t.Fatalf("bad: %v", out)
}
}
Restrict orphan revocation to root tokens
2015-09-16 13:22:15 +00:00
func TestTokenStore_HandleRequest_RevokeOrphan_NonRoot(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
testMakeToken(t, ts, root, "child", "", []string{"foo"})
Restrict orphan revocation to root tokens
2015-09-16 13:22:15 +00:00
out, err := ts.Lookup("child")
if err != nil {
t.Fatalf("err: %v", err)
}
if out == nil {
t.Fatalf("bad: %v", out)
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "revoke-orphan/child")
Restrict orphan revocation to root tokens
2015-09-16 13:22:15 +00:00
req.ClientToken = "child"
resp, err := ts.HandleRequest(req)
if err != logical.ErrInvalidRequest {
t.Fatalf("did not get error when non-root revoking itself with orphan flag; resp is %#v", resp)
}
// Should still exist
out, err = ts.Lookup("child")
if err != nil {
t.Fatalf("err: %v", err)
}
if out == nil {
t.Fatalf("bad: %v", out)
}
}
vault: adding auth/token/lookup/ support
2015-03-24 22:39:33 +00:00
func TestTokenStore_HandleRequest_Lookup(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
c, ts, _, root := TestCoreWithTokenStore(t)
vault: adding auth/token/lookup/ support
2015-03-24 22:39:33 +00:00
req := logical.TestRequest(t, logical.ReadOperation, "lookup/"+root)
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp == nil {
t.Fatalf("bad: %#v", resp)
}
exp := map[string]interface{}{
Address review feedback; move storage of these values to the expiration manager
2016-01-04 21:43:07 +00:00
"id": root,
"policies": []string{"root"},
"path": "auth/token/root",
"meta": map[string]string(nil),
"display_name": "root",
"orphan": true,
"num_uses": 0,
Make "ttl" reflect the actual TTL of the token in lookup calls. Add a new value "creation_ttl" which holds the value at creation time. Fixes #986
2016-02-01 16:16:32 +00:00
"creation_ttl": int64(0),
Use int64 for converting time values, not int (will be float64 in JSON anyways, so no need to lose precision, plus could hit a 32-bit max in some edge cases)
2016-01-04 22:11:22 +00:00
"ttl": int64(0),
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
}
Use int64 for converting time values, not int (will be float64 in JSON anyways, so no need to lose precision, plus could hit a 32-bit max in some edge cases)
2016-01-04 22:11:22 +00:00
if resp.Data["creation_time"].(int64) == 0 {
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
t.Fatalf("creation time was zero")
vault: lookup without a token looks up self
2015-03-31 19:50:07 +00:00
}
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
delete(resp.Data, "creation_time")
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
vault: lookup without a token looks up self
2015-03-31 19:50:07 +00:00
if !reflect.DeepEqual(resp.Data, exp) {
Display whether a token is an orphan on lookup.
2015-11-09 18:19:59 +00:00
t.Fatalf("bad:\n%#v\nexp:\n%#v\n", resp.Data, exp)
}
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
testCoreMakeToken(t, c, root, "client", "3600s", []string{"foo"})
Display whether a token is an orphan on lookup.
2015-11-09 18:19:59 +00:00
req = logical.TestRequest(t, logical.ReadOperation, "lookup/client")
resp, err = ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp == nil {
t.Fatalf("bad: %#v", resp)
}
exp = map[string]interface{}{
Address review feedback; move storage of these values to the expiration manager
2016-01-04 21:43:07 +00:00
"id": "client",
"policies": []string{"default", "foo"},
"path": "auth/token/create",
"meta": map[string]string(nil),
"display_name": "token",
"orphan": false,
"num_uses": 0,
Make "ttl" reflect the actual TTL of the token in lookup calls. Add a new value "creation_ttl" which holds the value at creation time. Fixes #986
2016-02-01 16:16:32 +00:00
"creation_ttl": int64(3600),
Use int64 for converting time values, not int (will be float64 in JSON anyways, so no need to lose precision, plus could hit a 32-bit max in some edge cases)
2016-01-04 22:11:22 +00:00
"ttl": int64(3600),
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
}
Use int64 for converting time values, not int (will be float64 in JSON anyways, so no need to lose precision, plus could hit a 32-bit max in some edge cases)
2016-01-04 22:11:22 +00:00
if resp.Data["creation_time"].(int64) == 0 {
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
t.Fatalf("creation time was zero")
Display whether a token is an orphan on lookup.
2015-11-09 18:19:59 +00:00
}
delete(resp.Data, "creation_time")
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
Make "ttl" reflect the actual TTL of the token in lookup calls. Add a new value "creation_ttl" which holds the value at creation time. Fixes #986
2016-02-01 16:16:32 +00:00
// Depending on timing of the test this may have ticked down, so accept 3599
if resp.Data["ttl"].(int64) == 3599 {
resp.Data["ttl"] = int64(3600)
}
Display whether a token is an orphan on lookup.
2015-11-09 18:19:59 +00:00
if !reflect.DeepEqual(resp.Data, exp) {
t.Fatalf("bad:\n%#v\nexp:\n%#v\n", resp.Data, exp)
vault: lookup without a token looks up self
2015-03-31 19:50:07 +00:00
}
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
// Test last_renewal_time functionality
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req = logical.TestRequest(t, logical.UpdateOperation, "renew/client")
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
resp, err = ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp == nil {
t.Fatalf("bad: %#v", resp)
}
req = logical.TestRequest(t, logical.ReadOperation, "lookup/client")
resp, err = ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp == nil {
t.Fatalf("bad: %#v", resp)
}
Address review feedback; move storage of these values to the expiration manager
2016-01-04 21:43:07 +00:00
if resp.Data["last_renewal_time"].(int64) == 0 {
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
t.Fatalf("last_renewal_time was zero")
}
vault: lookup without a token looks up self
2015-03-31 19:50:07 +00:00
}
vault: Support prefix based token revocation
2015-04-03 18:40:08 +00:00
func TestTokenStore_HandleRequest_RevokePrefix(t *testing.T) {
exp := mockExpiration(t)
ts := exp.tokenStore
// Create new token
Pull out setting the root token ID; use the new ParseUUID method in go-uuid instead, and revoke if there is an error.
2016-01-20 00:44:33 +00:00
root, err := ts.rootToken()
vault: Support prefix based token revocation
2015-04-03 18:40:08 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Create a new token
auth := &logical.Auth{
ClientToken: root.ID,
logical: Refactor LeaseOptions to share between Secret and Auth
2015-04-09 19:14:04 +00:00
LeaseOptions: logical.LeaseOptions{
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-21 00:47:17 +00:00
TTL: time.Hour,
logical: Refactor LeaseOptions to share between Secret and Auth
2015-04-09 19:14:04 +00:00
},
vault: Support prefix based token revocation
2015-04-03 18:40:08 +00:00
}
err = exp.RegisterAuth("auth/github/login", auth)
if err != nil {
t.Fatalf("err: %v", err)
}
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "revoke-prefix/auth/github/")
vault: Support prefix based token revocation
2015-04-03 18:40:08 +00:00
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
out, err := ts.Lookup(root.ID)
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %v", out)
}
}
vault: lookup without a token looks up self
2015-03-31 19:50:07 +00:00
func TestTokenStore_HandleRequest_LookupSelf(t *testing.T) {
Add the ability to generate root tokens via unseal keys.
2016-01-09 02:21:02 +00:00
_, ts, _, root := TestCoreWithTokenStore(t)
vault: lookup-self for TokenStore to look up your own store
2015-03-31 19:51:00 +00:00
req := logical.TestRequest(t, logical.ReadOperation, "lookup-self")
vault: lookup without a token looks up self
2015-03-31 19:50:07 +00:00
req.ClientToken = root
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp == nil {
t.Fatalf("bad: %#v", resp)
}
exp := map[string]interface{}{
Address review feedback; move storage of these values to the expiration manager
2016-01-04 21:43:07 +00:00
"id": root,
"policies": []string{"root"},
"path": "auth/token/root",
"meta": map[string]string(nil),
"display_name": "root",
"orphan": true,
"num_uses": 0,
Make "ttl" reflect the actual TTL of the token in lookup calls. Add a new value "creation_ttl" which holds the value at creation time. Fixes #986
2016-02-01 16:16:32 +00:00
"creation_ttl": int64(0),
Use int64 for converting time values, not int (will be float64 in JSON anyways, so no need to lose precision, plus could hit a 32-bit max in some edge cases)
2016-01-04 22:11:22 +00:00
"ttl": int64(0),
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
}
Use int64 for converting time values, not int (will be float64 in JSON anyways, so no need to lose precision, plus could hit a 32-bit max in some edge cases)
2016-01-04 22:11:22 +00:00
if resp.Data["creation_time"].(int64) == 0 {
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
t.Fatalf("creation time was zero")
vault: adding auth/token/lookup/ support
2015-03-24 22:39:33 +00:00
}
Store token creation time and TTL. This can be used to properly populate fields in 'lookup-self'. Importantly, this also makes credential backends use the SystemView per-backend TTL values and fixes unit tests to expect this. Fully fixes #527
2015-09-18 20:33:52 +00:00
delete(resp.Data, "creation_time")
Store a last renewal time in the token entry and return it upon lookup of the token. Fixes #889
2015-12-30 19:30:02 +00:00
vault: adding auth/token/lookup/ support
2015-03-24 22:39:33 +00:00
if !reflect.DeepEqual(resp.Data, exp) {
Address review feedback; move storage of these values to the expiration manager
2016-01-04 21:43:07 +00:00
t.Fatalf("bad:\ngot %#v\nexpected: %#v\n", resp.Data, exp)
vault: adding auth/token/lookup/ support
2015-03-24 22:39:33 +00:00
}
}
vault: Adding auth/token/renew endpoint
2015-04-03 19:11:49 +00:00
func TestTokenStore_HandleRequest_Renew(t *testing.T) {
exp := mockExpiration(t)
ts := exp.tokenStore
// Create new token
Pull out setting the root token ID; use the new ParseUUID method in go-uuid instead, and revoke if there is an error.
2016-01-20 00:44:33 +00:00
root, err := ts.rootToken()
vault: Adding auth/token/renew endpoint
2015-04-03 19:11:49 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Create a new token
auth := &logical.Auth{
ClientToken: root.ID,
logical: Refactor LeaseOptions to share between Secret and Auth
2015-04-09 19:14:04 +00:00
LeaseOptions: logical.LeaseOptions{
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-21 00:47:17 +00:00
TTL: time.Hour,
logical: Refactor LeaseOptions to share between Secret and Auth
2015-04-09 19:14:04 +00:00
Renewable: true,
},
vault: Adding auth/token/renew endpoint
2015-04-03 19:11:49 +00:00
}
vault: groundwork to allow auth renew
2015-04-09 21:23:37 +00:00
err = exp.RegisterAuth("auth/token/root", auth)
vault: Adding auth/token/renew endpoint
2015-04-03 19:11:49 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
vault: the expiration time should be relative to the issue time
2015-04-11 04:21:06 +00:00
// Get the original expire time to compare
originalExpire := auth.ExpirationTime()
vault: fixing issues with token renewal
2015-06-17 21:28:13 +00:00
beforeRenew := time.Now().UTC()
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "renew/"+root.ID)
vault: allow increment to be duration string. Fixes #340
2015-06-17 22:58:20 +00:00
req.Data["increment"] = "3600s"
vault: Adding auth/token/renew endpoint
2015-04-03 19:11:49 +00:00
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
vault: the expiration time should be relative to the issue time
2015-04-11 04:21:06 +00:00
// Get the new expire time
newExpire := resp.Auth.ExpirationTime()
vault: fixing issues with token renewal
2015-06-17 21:28:13 +00:00
if newExpire.Before(originalExpire) {
Add renew-self endpoint. Fixes #455.
2015-10-07 16:49:13 +00:00
t.Fatalf("should expire later: %s %s", newExpire, originalExpire)
}
if newExpire.Before(beforeRenew.Add(time.Hour)) {
t.Fatalf("should have at least an hour: %s %s", newExpire, beforeRenew)
}
}
func TestTokenStore_HandleRequest_RenewSelf(t *testing.T) {
exp := mockExpiration(t)
ts := exp.tokenStore
// Create new token
Pull out setting the root token ID; use the new ParseUUID method in go-uuid instead, and revoke if there is an error.
2016-01-20 00:44:33 +00:00
root, err := ts.rootToken()
Add renew-self endpoint. Fixes #455.
2015-10-07 16:49:13 +00:00
if err != nil {
t.Fatalf("err: %v", err)
}
// Create a new token
auth := &logical.Auth{
ClientToken: root.ID,
LeaseOptions: logical.LeaseOptions{
TTL: time.Hour,
Renewable: true,
},
}
err = exp.RegisterAuth("auth/token/root", auth)
if err != nil {
t.Fatalf("err: %v", err)
}
// Get the original expire time to compare
originalExpire := auth.ExpirationTime()
beforeRenew := time.Now().UTC()
WriteOperation -> UpdateOperation
2016-01-07 15:30:47 +00:00
req := logical.TestRequest(t, logical.UpdateOperation, "renew-self")
Add renew-self endpoint. Fixes #455.
2015-10-07 16:49:13 +00:00
req.ClientToken = auth.ClientToken
req.Data["increment"] = "3600s"
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
// Get the new expire time
newExpire := resp.Auth.ExpirationTime()
if newExpire.Before(originalExpire) {
vault: fixing issues with token renewal
2015-06-17 21:28:13 +00:00
t.Fatalf("should expire later: %s %s", newExpire, originalExpire)
}
if newExpire.Before(beforeRenew.Add(time.Hour)) {
t.Fatalf("should have at least an hour: %s %s", newExpire, beforeRenew)
vault: Adding auth/token/renew endpoint
2015-04-03 19:11:49 +00:00
}
}
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
func TestTokenStore_RoleCRUD(t *testing.T) {
_, ts, _, root := TestCoreWithTokenStore(t)
req := logical.TestRequest(t, logical.ReadOperation, "roles/test")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
req.ClientToken = root
resp, err := ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
if resp != nil {
t.Fatalf("should not see a role")
vault: Adding auth/token/create endpoint
2015-03-24 22:10:46 +00:00
}
vault: testing root privilege restrictions
2015-03-24 22:52:07 +00:00
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
req.Operation = logical.UpdateOperation
req.Data = map[string]interface{}{
"orphan": true,
"period": "72h",
"allowed_policies": "test1,test2",
"prefix": "happenin",
}
vault: testing root privilege restrictions
2015-03-24 22:52:07 +00:00
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
resp, err = ts.HandleRequest(req)
vault: testing root privilege restrictions
2015-03-24 22:52:07 +00:00
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
Add token role CRUD tests
2016-02-29 19:13:09 +00:00
if resp != nil {
t.Fatalf("expected a nil response")
}
req.Operation = logical.ReadOperation
req.Data = map[string]interface{}{}
resp, err = ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp == nil {
t.Fatalf("got a nil response")
}
var actual tsRoleEntry
err = mapstructure.WeakDecode(resp.Data, &actual)
if err != nil {
t.Fatalf("error decoding role json: %v", err)
}
expected := tsRoleEntry{
Name: "test",
Orphan: true,
Period: 72 * time.Hour,
AllowedPolicies: []string{"test1", "test2"},
Prefix: "happenin",
}
if !reflect.DeepEqual(expected, actual) {
t.Fatalf("expected:\n%v\nactual:\n%v\n", expected, actual)
}
req.Operation = logical.ListOperation
req.Path = "roles"
req.Data = map[string]interface{}{}
resp, err = ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp == nil {
t.Fatalf("got a nil response")
}
keysInt, ok := resp.Data["keys"]
if !ok {
t.Fatalf("did not find keys in response")
}
keys, ok := keysInt.([]string)
if !ok {
t.Fatalf("could not convert keys interface to key list")
}
if len(keys) != 1 {
t.Fatalf("unexpected number of keys: %d", len(keys))
}
if keys[0] != "test" {
t.Fatalf("expected \"test\", got \"%s\"", keys[0])
}
req.Operation = logical.DeleteOperation
req.Path = "roles/test"
resp, err = ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp != nil {
t.Fatalf("expected a nil response")
}
req.Operation = logical.ReadOperation
resp, err = ts.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v %v", err, resp)
}
if resp != nil {
t.Fatalf("expected a nil response")
vault: testing root privilege restrictions
2015-03-24 22:52:07 +00:00
}
}