// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package awsauth
import (
"context"
"testing"
"time"
hclog "github.com/hashicorp/go-hclog"
"github.com/hashicorp/vault/api"
vaulthttp "github.com/hashicorp/vault/http"
"github.com/hashicorp/vault/sdk/helper/logging"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/vault"
)
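// TestBackend_E2E_Initialize verifies that the aws auth backend's Initialize()
// upgrade logic writes the 'config/version' marker into storage: once when the
// backend is first mounted, and again after a seal/unseal cycle, this time with
// a role already present during the upgrade. Writing a role by itself must not
// re-create the marker.
//
// 'config/version' is not exposed as an API path, so it is inspected directly
// through the core's underlying storage rather than via core.Client.
func TestBackend_E2E_Initialize(t *testing.T) {
	ctx := context.Background()

	// Set up the cluster. Mounting the backend triggers an Initialize(); the
	// sleep gives it time to complete. This is a timing assumption, not a
	// synchronisation point, so a slow machine can still make the first check
	// below fail spuriously.
	cluster := setupAwsTestCluster(t, ctx)
	defer cluster.Cleanup()
	time.Sleep(time.Second)
	core := cluster.Cores[0]

	// Fetch the aws auth's path in storage. This is a uuid that is different
	// every time we run the test, so it cannot be hard-coded.
	authUuids, err := core.UnderlyingStorage.List(ctx, "auth/")
	if err != nil {
		t.Fatal(err)
	}
	if len(authUuids) != 1 {
		// Include what was actually listed so a mis-mounted cluster is diagnosable.
		t.Fatalf("expected exactly one auth path, got %d: %v", len(authUuids), authUuids)
	}
	awsPath := "auth/" + authUuids[0]
	versionPath := awsPath + "config/version"

	// Make sure that the upgrade happened, by fishing the 'config/version'
	// entry out of storage.
	if !configVersionPresent(t, ctx, core, versionPath) {
		t.Fatal("no config found")
	}

	// Nuke the version, so we can pretend that Initialize() has never been run.
	if err := core.UnderlyingStorage.Delete(ctx, versionPath); err != nil {
		t.Fatal(err)
	}
	if configVersionPresent(t, ctx, core, versionPath) {
		t.Fatal("version found")
	}

	// Create a role.
	data := map[string]interface{}{
		"auth_type":       "ec2",
		"policies":        "default",
		"bound_subnet_id": "subnet-abcdef",
	}
	if _, err := core.Client.Logical().Write("auth/aws/role/test-role", data); err != nil {
		t.Fatal(err)
	}
	role, err := core.Client.Logical().Read("auth/aws/role/test-role")
	if err != nil {
		t.Fatal(err)
	}
	if role == nil {
		t.Fatal("no role found")
	}

	// There should _still_ be no config version: role writes must not be
	// mistaken for an upgrade.
	if configVersionPresent(t, ctx, core, versionPath) {
		t.Fatal("version found")
	}

	// Seal, and then Unseal. This will once again trigger an Initialize(),
	// only this time there will be a role present during the upgrade. The
	// sleep is the same timing assumption as above.
	core.Seal(t)
	cluster.UnsealCores(t)
	time.Sleep(time.Second)

	// Now the config version should be there again.
	if !configVersionPresent(t, ctx, core, versionPath) {
		t.Fatal("no version found")
	}
}

// configVersionPresent reports whether an entry exists at versionPath in the
// core's underlying storage. A storage error fails the test immediately; the
// failure is attributed to the caller's line via t.Helper().
func configVersionPresent(t *testing.T, ctx context.Context, core *vault.TestClusterCore, versionPath string) bool {
	t.Helper()
	entry, err := core.UnderlyingStorage.Get(ctx, versionPath)
	if err != nil {
		t.Fatal(err)
	}
	return entry != nil
}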
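// setupAwsTestCluster starts a single-core test cluster with the aws auth
// backend compiled in and mounted at auth/aws, and returns it once the core is
// active. The caller owns the returned cluster and must call Cleanup on it.
// If setup itself fails (any t.Fatal below), the partially started cluster is
// torn down here instead, so its listeners and goroutines do not leak into the
// rest of the package's test run. The context parameter is currently unused.
func setupAwsTestCluster(t *testing.T, _ context.Context) *vault.TestCluster {
	// create a cluster with the aws auth backend built-in
	logger := logging.NewVaultLogger(hclog.Trace)
	coreConfig := &vault.CoreConfig{
		Logger: logger,
		CredentialBackends: map[string]logical.Factory{
			"aws": Factory,
		},
	}
	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
		NumCores:    1,
		HandlerFunc: vaulthttp.Handler,
	})

	cluster.Start()
	// t.Fatal calls runtime.Goexit, which still runs deferred functions, so
	// this releases the cluster on every failure path below. Once setup has
	// succeeded, ownership passes to the caller and the defer becomes a no-op.
	ready := false
	defer func() {
		if !ready {
			cluster.Cleanup()
		}
	}()

	if len(cluster.Cores) != 1 {
		t.Fatalf("expected exactly one core, got %d", len(cluster.Cores))
	}
	core := cluster.Cores[0]
	vault.TestWaitActive(t, core.Core)

	// load the auth plugin
	if err := core.Client.Sys().EnableAuthWithOptions("aws", &api.EnableAuthOptions{
		Type: "aws",
	}); err != nil {
		t.Fatal(err)
	}

	ready = true
	return cluster
}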