2016-05-16 20:11:33 +00:00
|
|
|
package vault
|
|
|
|
|
|
|
|
import (
|
2020-06-02 18:40:54 +00:00
|
|
|
"strings"
|
2016-05-16 20:11:33 +00:00
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
|
2020-06-02 18:40:54 +00:00
|
|
|
"github.com/armon/go-metrics"
|
2020-10-26 20:25:56 +00:00
|
|
|
"github.com/go-test/deep"
|
2019-01-09 00:48:57 +00:00
|
|
|
uuid "github.com/hashicorp/go-uuid"
|
2020-10-26 20:25:56 +00:00
|
|
|
"github.com/hashicorp/vault/builtin/credential/approle"
|
2016-07-05 15:46:21 +00:00
|
|
|
credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
|
2018-09-18 03:03:00 +00:00
|
|
|
"github.com/hashicorp/vault/helper/namespace"
|
2019-04-12 21:54:35 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
2016-05-16 20:11:33 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestRequestHandling_Wrapping(t *testing.T) {
|
|
|
|
core, _, root := TestCoreUnsealed(t)
|
|
|
|
|
2017-09-15 13:02:29 +00:00
|
|
|
core.logicalBackends["kv"] = PassthroughBackendFactory
|
2016-05-16 20:11:33 +00:00
|
|
|
|
|
|
|
meUUID, _ := uuid.GenerateUUID()
|
2018-09-18 03:03:00 +00:00
|
|
|
err := core.mount(namespace.RootContext(nil), &MountEntry{
|
2016-05-26 16:55:00 +00:00
|
|
|
Table: mountTableType,
|
|
|
|
UUID: meUUID,
|
|
|
|
Path: "wraptest",
|
2017-09-15 13:02:29 +00:00
|
|
|
Type: "kv",
|
2017-05-09 21:51:09 +00:00
|
|
|
})
|
2016-05-16 20:11:33 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// No duration specified
|
|
|
|
req := &logical.Request{
|
|
|
|
Path: "wraptest/foo",
|
|
|
|
ClientToken: root,
|
|
|
|
Operation: logical.UpdateOperation,
|
2016-05-19 03:06:09 +00:00
|
|
|
Data: map[string]interface{}{
|
|
|
|
"zip": "zap",
|
|
|
|
},
|
2016-05-16 20:11:33 +00:00
|
|
|
}
|
2018-09-18 03:03:00 +00:00
|
|
|
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
|
2016-05-16 20:11:33 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req = &logical.Request{
|
|
|
|
Path: "wraptest/foo",
|
|
|
|
ClientToken: root,
|
2016-05-19 03:06:09 +00:00
|
|
|
Operation: logical.ReadOperation,
|
2017-01-04 21:44:03 +00:00
|
|
|
WrapInfo: &logical.RequestWrapInfo{
|
|
|
|
TTL: time.Duration(15 * time.Second),
|
|
|
|
},
|
2016-05-16 20:11:33 +00:00
|
|
|
}
|
2018-09-18 03:03:00 +00:00
|
|
|
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
2016-05-16 20:11:33 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
if resp.WrapInfo == nil || resp.WrapInfo.TTL != time.Duration(15*time.Second) {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
2016-07-05 15:46:21 +00:00
|
|
|
|
|
|
|
func TestRequestHandling_LoginWrapping(t *testing.T) {
|
|
|
|
core, _, root := TestCoreUnsealed(t)
|
|
|
|
|
2018-09-18 03:03:00 +00:00
|
|
|
if err := core.loadMounts(namespace.RootContext(nil)); err != nil {
|
2016-07-05 15:46:21 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
core.credentialBackends["userpass"] = credUserpass.Factory
|
|
|
|
|
|
|
|
// No duration specified
|
|
|
|
req := &logical.Request{
|
|
|
|
Path: "sys/auth/userpass",
|
|
|
|
ClientToken: root,
|
|
|
|
Operation: logical.UpdateOperation,
|
|
|
|
Data: map[string]interface{}{
|
|
|
|
"type": "userpass",
|
|
|
|
},
|
2018-05-21 18:47:28 +00:00
|
|
|
Connection: &logical.Connection{},
|
2016-07-05 15:46:21 +00:00
|
|
|
}
|
2018-09-18 03:03:00 +00:00
|
|
|
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
|
2016-07-05 15:46:21 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Path = "auth/userpass/users/test"
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"password": "foo",
|
|
|
|
"policies": "default",
|
|
|
|
}
|
2018-09-18 03:03:00 +00:00
|
|
|
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
2016-07-05 15:46:21 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
2016-07-05 16:11:40 +00:00
|
|
|
req = &logical.Request{
|
2016-07-05 16:54:27 +00:00
|
|
|
Path: "auth/userpass/login/test",
|
|
|
|
Operation: logical.UpdateOperation,
|
2016-07-05 16:11:40 +00:00
|
|
|
Data: map[string]interface{}{
|
|
|
|
"password": "foo",
|
|
|
|
},
|
2018-05-21 18:47:28 +00:00
|
|
|
Connection: &logical.Connection{},
|
2016-07-05 16:11:40 +00:00
|
|
|
}
|
2018-09-18 03:03:00 +00:00
|
|
|
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
2016-07-05 16:11:40 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
if resp.WrapInfo != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
2016-07-05 15:46:21 +00:00
|
|
|
req = &logical.Request{
|
|
|
|
Path: "auth/userpass/login/test",
|
|
|
|
Operation: logical.UpdateOperation,
|
2017-01-04 21:44:03 +00:00
|
|
|
WrapInfo: &logical.RequestWrapInfo{
|
|
|
|
TTL: time.Duration(15 * time.Second),
|
|
|
|
},
|
2016-07-05 15:46:21 +00:00
|
|
|
Data: map[string]interface{}{
|
|
|
|
"password": "foo",
|
|
|
|
},
|
2018-05-21 18:47:28 +00:00
|
|
|
Connection: &logical.Connection{},
|
2016-07-05 15:46:21 +00:00
|
|
|
}
|
2018-09-18 03:03:00 +00:00
|
|
|
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
2016-07-05 15:46:21 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
if resp.WrapInfo == nil || resp.WrapInfo.TTL != time.Duration(15*time.Second) {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
2020-06-02 18:40:54 +00:00
|
|
|
|
2020-10-26 20:25:56 +00:00
|
|
|
func TestRequestHandling_Login_PeriodicToken(t *testing.T) {
|
|
|
|
core, _, root := TestCoreUnsealed(t)
|
|
|
|
|
|
|
|
if err := core.loadMounts(namespace.RootContext(nil)); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
core.credentialBackends["approle"] = approle.Factory
|
|
|
|
|
|
|
|
// Enable approle
|
|
|
|
req := &logical.Request{
|
|
|
|
Path: "sys/auth/approle",
|
|
|
|
ClientToken: root,
|
|
|
|
Operation: logical.UpdateOperation,
|
|
|
|
Data: map[string]interface{}{
|
|
|
|
"type": "approle",
|
|
|
|
},
|
|
|
|
Connection: &logical.Connection{},
|
|
|
|
}
|
|
|
|
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create role
|
|
|
|
req.Path = "auth/approle/role/role-period"
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"period": "5s",
|
|
|
|
}
|
|
|
|
_, err = core.HandleRequest(namespace.RootContext(nil), req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get role ID
|
|
|
|
req.Path = "auth/approle/role/role-period/role-id"
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Data = nil
|
|
|
|
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp == nil || resp.Data == nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
roleID := resp.Data["role_id"]
|
|
|
|
|
|
|
|
// Get secret ID
|
|
|
|
req.Path = "auth/approle/role/role-period/secret-id"
|
|
|
|
req.Operation = logical.UpdateOperation
|
|
|
|
req.Data = nil
|
|
|
|
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp == nil || resp.Data == nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
secretID := resp.Data["secret_id"]
|
|
|
|
|
|
|
|
// Perform login
|
|
|
|
req = &logical.Request{
|
|
|
|
Path: "auth/approle/login",
|
|
|
|
Operation: logical.UpdateOperation,
|
|
|
|
Data: map[string]interface{}{
|
|
|
|
"role_id": roleID,
|
|
|
|
"secret_id": secretID,
|
|
|
|
},
|
|
|
|
Connection: &logical.Connection{},
|
|
|
|
}
|
|
|
|
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp == nil || resp.Auth == nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
loginToken := resp.Auth.ClientToken
|
|
|
|
entityID := resp.Auth.EntityID
|
|
|
|
accessor := resp.Auth.Accessor
|
|
|
|
|
|
|
|
// Perform token lookup on the generated token
|
|
|
|
req = &logical.Request{
|
|
|
|
Path: "auth/token/lookup",
|
|
|
|
Operation: logical.UpdateOperation,
|
|
|
|
ClientToken: root,
|
|
|
|
Data: map[string]interface{}{
|
|
|
|
"token": loginToken,
|
|
|
|
},
|
|
|
|
Connection: &logical.Connection{},
|
|
|
|
}
|
|
|
|
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
if resp.Data == nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
if resp.Data["creation_time"].(int64) == 0 {
|
|
|
|
t.Fatal("creation time was zero")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Depending on timing of the test this may have ticked down, so reset it
|
|
|
|
// back to the original value as long as it's not expired.
|
|
|
|
if resp.Data["ttl"].(int64) > 0 && resp.Data["ttl"].(int64) < 5 {
|
|
|
|
resp.Data["ttl"] = int64(5)
|
|
|
|
}
|
|
|
|
|
|
|
|
exp := map[string]interface{}{
|
|
|
|
"accessor": accessor,
|
|
|
|
"creation_time": resp.Data["creation_time"].(int64),
|
|
|
|
"creation_ttl": int64(5),
|
|
|
|
"display_name": "approle",
|
|
|
|
"entity_id": entityID,
|
|
|
|
"expire_time": resp.Data["expire_time"].(time.Time),
|
|
|
|
"explicit_max_ttl": int64(0),
|
|
|
|
"id": loginToken,
|
|
|
|
"issue_time": resp.Data["issue_time"].(time.Time),
|
|
|
|
"meta": map[string]string{"role_name": "role-period"},
|
|
|
|
"num_uses": 0,
|
|
|
|
"orphan": true,
|
|
|
|
"path": "auth/approle/login",
|
|
|
|
"period": int64(5),
|
|
|
|
"policies": []string{"default"},
|
|
|
|
"renewable": true,
|
|
|
|
"ttl": int64(5),
|
|
|
|
"type": "service",
|
|
|
|
}
|
|
|
|
|
|
|
|
if diff := deep.Equal(resp.Data, exp); diff != nil {
|
|
|
|
t.Fatal(diff)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-06-02 18:40:54 +00:00
|
|
|
func labelsMatch(actual, expected map[string]string) bool {
|
|
|
|
for expected_label, expected_val := range expected {
|
|
|
|
if v, ok := actual[expected_label]; ok {
|
|
|
|
if v != expected_val {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
func checkCounter(t *testing.T, inmemSink *metrics.InmemSink, keyPrefix string, expectedLabels map[string]string) {
|
|
|
|
t.Helper()
|
|
|
|
|
|
|
|
intervals := inmemSink.Data()
|
|
|
|
if len(intervals) > 1 {
|
|
|
|
t.Skip("Detected interval crossing.")
|
|
|
|
}
|
|
|
|
|
|
|
|
var counter *metrics.SampledValue = nil
|
|
|
|
var labels map[string]string
|
|
|
|
for _, c := range intervals[0].Counters {
|
|
|
|
if !strings.HasPrefix(c.Name, keyPrefix) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
counter = &c
|
|
|
|
|
|
|
|
labels = make(map[string]string)
|
|
|
|
for _, l := range counter.Labels {
|
|
|
|
labels[l.Name] = l.Value
|
|
|
|
}
|
|
|
|
|
|
|
|
// Distinguish between different label sets
|
|
|
|
if labelsMatch(labels, expectedLabels) {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if counter == nil {
|
|
|
|
t.Fatalf("No %q counter found with matching labels", keyPrefix)
|
|
|
|
}
|
|
|
|
|
|
|
|
if !labelsMatch(labels, expectedLabels) {
|
|
|
|
t.Errorf("No matching label set, found %v", labels)
|
|
|
|
}
|
|
|
|
|
|
|
|
if counter.Count != 1 {
|
|
|
|
t.Errorf("Counter number of samples %v is not 1.", counter.Count)
|
|
|
|
}
|
|
|
|
|
|
|
|
if counter.Sum != 1.0 {
|
|
|
|
t.Errorf("Counter sum %v is not 1.", counter.Sum)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestRequestHandling_LoginMetric(t *testing.T) {
|
2020-07-22 17:52:10 +00:00
|
|
|
core, _, root, sink := TestCoreUnsealedWithMetrics(t)
|
2020-06-02 18:40:54 +00:00
|
|
|
|
|
|
|
if err := core.loadMounts(namespace.RootContext(nil)); err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
core.credentialBackends["userpass"] = credUserpass.Factory
|
|
|
|
|
|
|
|
// Setup mount
|
|
|
|
req := &logical.Request{
|
|
|
|
Path: "sys/auth/userpass",
|
|
|
|
ClientToken: root,
|
|
|
|
Operation: logical.UpdateOperation,
|
|
|
|
Data: map[string]interface{}{
|
|
|
|
"type": "userpass",
|
|
|
|
},
|
|
|
|
Connection: &logical.Connection{},
|
|
|
|
}
|
|
|
|
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create user
|
|
|
|
req.Path = "auth/userpass/users/test"
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"password": "foo",
|
|
|
|
"policies": "default",
|
|
|
|
}
|
|
|
|
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Login with response wrapping
|
|
|
|
req = &logical.Request{
|
|
|
|
Path: "auth/userpass/login/test",
|
|
|
|
Operation: logical.UpdateOperation,
|
|
|
|
Data: map[string]interface{}{
|
|
|
|
"password": "foo",
|
|
|
|
},
|
|
|
|
WrapInfo: &logical.RequestWrapInfo{
|
|
|
|
TTL: time.Duration(15 * time.Second),
|
|
|
|
},
|
|
|
|
Connection: &logical.Connection{},
|
|
|
|
}
|
|
|
|
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("bad: %v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// There should be two counters
|
2020-07-22 17:52:10 +00:00
|
|
|
checkCounter(t, sink, "token.creation",
|
2020-06-02 18:40:54 +00:00
|
|
|
map[string]string{
|
|
|
|
"cluster": "test-cluster",
|
|
|
|
"namespace": "root",
|
|
|
|
"auth_method": "userpass",
|
|
|
|
"mount_point": "auth/userpass/",
|
|
|
|
"creation_ttl": "+Inf",
|
|
|
|
"token_type": "service",
|
|
|
|
},
|
|
|
|
)
|
2020-07-22 17:52:10 +00:00
|
|
|
checkCounter(t, sink, "token.creation",
|
2020-06-02 18:40:54 +00:00
|
|
|
map[string]string{
|
|
|
|
"cluster": "test-cluster",
|
|
|
|
"namespace": "root",
|
|
|
|
"auth_method": "response_wrapping",
|
|
|
|
"mount_point": "auth/userpass/",
|
|
|
|
"creation_ttl": "1m",
|
|
|
|
"token_type": "service",
|
|
|
|
},
|
|
|
|
)
|
|
|
|
}
|
2020-06-18 20:36:21 +00:00
|
|
|
|
|
|
|
func TestRequestHandling_SecretLeaseMetric(t *testing.T) {
|
2020-07-22 17:52:10 +00:00
|
|
|
core, _, root, sink := TestCoreUnsealedWithMetrics(t)
|
2020-06-18 20:36:21 +00:00
|
|
|
|
|
|
|
// Create a key with a lease
|
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
|
|
|
|
req.Data["foo"] = "bar"
|
|
|
|
req.ClientToken = root
|
|
|
|
resp, err := core.HandleRequest(namespace.RootContext(nil), req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Read a key with a LeaseID
|
|
|
|
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
|
|
|
|
req.ClientToken = root
|
2022-03-01 20:24:45 +00:00
|
|
|
err = core.PopulateTokenEntry(namespace.RootContext(nil), req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
2020-06-18 20:36:21 +00:00
|
|
|
resp, err = core.HandleRequest(namespace.RootContext(nil), req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
2020-07-22 17:52:10 +00:00
|
|
|
checkCounter(t, sink, "secret.lease.creation",
|
2020-06-18 20:36:21 +00:00
|
|
|
map[string]string{
|
|
|
|
"cluster": "test-cluster",
|
|
|
|
"namespace": "root",
|
|
|
|
"secret_engine": "kv",
|
|
|
|
"mount_point": "secret/",
|
|
|
|
"creation_ttl": "+Inf",
|
|
|
|
},
|
|
|
|
)
|
|
|
|
}
|