2015-03-18 20:19:19 +00:00
|
|
|
package vault
|
|
|
|
|
|
|
|
import (
|
2016-03-01 17:33:35 +00:00
|
|
|
"fmt"
|
2015-03-18 20:19:19 +00:00
|
|
|
"reflect"
|
2016-03-01 17:33:35 +00:00
|
|
|
"strings"
|
2015-03-18 20:19:19 +00:00
|
|
|
"testing"
|
2015-03-24 22:10:46 +00:00
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/hashicorp/vault/logical"
|
2015-03-18 20:19:19 +00:00
|
|
|
)
|
|
|
|
|
2015-09-04 20:58:12 +00:00
|
|
|
func getBackendConfig(c *Core) *logical.BackendConfig {
|
|
|
|
return &logical.BackendConfig{
|
|
|
|
Logger: c.logger,
|
|
|
|
System: logical.StaticSystemView{
|
|
|
|
DefaultLeaseTTLVal: time.Hour * 24,
|
|
|
|
MaxLeaseTTLVal: time.Hour * 24 * 30,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-02-29 19:13:09 +00:00
|
|
|
func testMakeToken(t *testing.T, ts *TokenStore, root, client, ttl string, policy []string) {
|
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
|
|
|
req.ClientToken = root
|
|
|
|
req.Data["id"] = client
|
|
|
|
req.Data["policies"] = policy
|
|
|
|
req.Data["ttl"] = ttl
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp.Auth.ClientToken != client {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func testCoreMakeToken(t *testing.T, c *Core, root, client, ttl string, policy []string) {
|
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create")
|
|
|
|
req.ClientToken = root
|
|
|
|
req.Data["id"] = client
|
|
|
|
req.Data["policies"] = policy
|
|
|
|
req.Data["ttl"] = ttl
|
|
|
|
|
|
|
|
resp, err := c.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp.Auth.ClientToken != client {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-03-09 17:50:26 +00:00
|
|
|
func TestTokenStore_AccessorIndex(t *testing.T) {
|
|
|
|
_, ts, _, _ := TestCoreWithTokenStore(t)
|
|
|
|
|
|
|
|
ent := &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}}
|
|
|
|
if err := ts.create(ent); err != nil {
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
out, err := ts.Lookup(ent.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Ensure that accessor is created
|
|
|
|
if out == nil || out.Accessor == "" {
|
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
|
|
|
|
token, err := ts.lookupByAccessor(out.Accessor)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Verify that the value returned from the index matches the token ID
|
|
|
|
if token != ent.ID {
|
|
|
|
t.Fatalf("bad: got\n%s\nexpected\n%s\n", token, ent.ID)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_LookupAccessor(t *testing.T) {
|
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
|
|
|
testMakeToken(t, ts, root, "tokenid", "", []string{"foo"})
|
|
|
|
out, err := ts.Lookup("tokenid")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
|
|
|
if out == nil {
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
|
|
|
|
2016-03-09 19:54:52 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "lookup-accessor/"+out.Accessor)
|
2016-03-09 17:50:26 +00:00
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
|
|
|
if resp.Data == nil {
|
|
|
|
t.Fatalf("response should contain data")
|
|
|
|
}
|
|
|
|
|
|
|
|
if resp.Data["accessor"].(string) == "" {
|
|
|
|
t.Fatalf("accessor should not be empty")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Verify that the lookup-accessor operation does not return the token ID
|
|
|
|
if resp.Data["id"].(string) != "" {
|
|
|
|
t.Fatalf("token ID should not be returned")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_RevokeAccessor(t *testing.T) {
|
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
|
|
|
testMakeToken(t, ts, root, "tokenid", "", []string{"foo"})
|
|
|
|
out, err := ts.Lookup("tokenid")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
|
|
|
if out == nil {
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
|
|
|
|
2016-03-09 18:08:37 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "revoke-accessor/"+out.Accessor)
|
2016-03-09 17:50:26 +00:00
|
|
|
|
|
|
|
_, err = ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
out, err = ts.Lookup("tokenid")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if out != nil {
|
|
|
|
t.Fatalf("bad:\ngot %#v\nexpected: nil\n", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-24 00:16:37 +00:00
|
|
|
func TestTokenStore_RootToken(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, _ := TestCoreWithTokenStore(t)
|
2015-03-24 00:16:37 +00:00
|
|
|
|
2016-01-20 00:44:33 +00:00
|
|
|
te, err := ts.rootToken()
|
2015-03-24 00:16:37 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if te.ID == "" {
|
|
|
|
t.Fatalf("missing ID")
|
|
|
|
}
|
|
|
|
|
|
|
|
out, err := ts.Lookup(te.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(out, te) {
|
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-18 20:19:19 +00:00
|
|
|
func TestTokenStore_CreateLookup(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
c, ts, _, _ := TestCoreWithTokenStore(t)
|
2015-03-18 20:19:19 +00:00
|
|
|
|
2015-03-23 20:39:43 +00:00
|
|
|
ent := &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent); err != nil {
|
2015-03-18 20:19:19 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if ent.ID == "" {
|
|
|
|
t.Fatalf("missing ID")
|
|
|
|
}
|
|
|
|
|
|
|
|
out, err := ts.Lookup(ent.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(out, ent) {
|
2015-03-24 21:22:50 +00:00
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
|
|
|
|
// New store should share the salt
|
2015-09-04 20:58:12 +00:00
|
|
|
ts2, err := NewTokenStore(c, getBackendConfig(c))
|
2015-03-24 21:22:50 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Should still match
|
|
|
|
out, err = ts2.Lookup(ent.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(out, ent) {
|
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_CreateLookup_ProvidedID(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
c, ts, _, _ := TestCoreWithTokenStore(t)
|
2015-03-24 21:22:50 +00:00
|
|
|
|
|
|
|
ent := &TokenEntry{
|
|
|
|
ID: "foobarbaz",
|
|
|
|
Path: "test",
|
|
|
|
Policies: []string{"dev", "ops"},
|
|
|
|
}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent); err != nil {
|
2015-03-24 21:22:50 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if ent.ID != "foobarbaz" {
|
|
|
|
t.Fatalf("bad: %#v", ent)
|
|
|
|
}
|
|
|
|
|
|
|
|
out, err := ts.Lookup(ent.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(out, ent) {
|
2015-03-18 20:19:19 +00:00
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
|
|
|
|
// New store should share the salt
|
2015-09-04 20:58:12 +00:00
|
|
|
ts2, err := NewTokenStore(c, getBackendConfig(c))
|
2015-03-18 20:19:19 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Should still match
|
|
|
|
out, err = ts2.Lookup(ent.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(out, ent) {
|
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
}
|
2015-03-18 20:50:36 +00:00
|
|
|
|
2015-04-17 18:51:04 +00:00
|
|
|
func TestTokenStore_UseToken(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-04-17 18:51:04 +00:00
|
|
|
|
|
|
|
// Lookup the root token
|
|
|
|
ent, err := ts.Lookup(root)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Root is an unlimited use token, should be a no-op
|
2016-05-02 07:11:14 +00:00
|
|
|
te, err := ts.UseToken(ent)
|
2015-04-17 18:51:04 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2016-05-02 07:11:14 +00:00
|
|
|
if te == nil {
|
|
|
|
t.Fatalf("token entry after use was nil")
|
|
|
|
}
|
2015-04-17 18:51:04 +00:00
|
|
|
|
|
|
|
// Lookup the root token again
|
|
|
|
ent2, err := ts.Lookup(root)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if !reflect.DeepEqual(ent, ent2) {
|
|
|
|
t.Fatalf("bad: %#v %#v", ent, ent2)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create a retstricted token
|
|
|
|
ent = &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}, NumUses: 2}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent); err != nil {
|
2015-04-17 18:51:04 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Use the token
|
2016-05-02 07:11:14 +00:00
|
|
|
te, err = ts.UseToken(ent)
|
2015-04-17 18:51:04 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2016-05-02 07:11:14 +00:00
|
|
|
if te == nil {
|
|
|
|
t.Fatalf("token entry for use #1 was nil")
|
|
|
|
}
|
2015-04-17 18:51:04 +00:00
|
|
|
|
|
|
|
// Lookup the token
|
|
|
|
ent2, err = ts.Lookup(ent.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Should be reduced
|
|
|
|
if ent2.NumUses != 1 {
|
|
|
|
t.Fatalf("bad: %#v", ent2)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Use the token
|
2016-05-02 07:11:14 +00:00
|
|
|
te, err = ts.UseToken(ent)
|
2015-04-17 18:51:04 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2016-05-02 07:11:14 +00:00
|
|
|
if te == nil {
|
|
|
|
t.Fatalf("token entry for use #2 was nil")
|
|
|
|
}
|
|
|
|
if te.NumUses != -1 {
|
|
|
|
t.Fatalf("token entry after use #2 did not have revoke flag")
|
|
|
|
}
|
|
|
|
ts.Revoke(te.ID)
|
2015-04-17 18:51:04 +00:00
|
|
|
|
|
|
|
// Lookup the token
|
|
|
|
ent2, err = ts.Lookup(ent.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Should be revoked
|
|
|
|
if ent2 != nil {
|
|
|
|
t.Fatalf("bad: %#v", ent2)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-18 20:50:36 +00:00
|
|
|
func TestTokenStore_Revoke(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, _ := TestCoreWithTokenStore(t)
|
2015-03-18 20:50:36 +00:00
|
|
|
|
2015-03-23 20:39:43 +00:00
|
|
|
ent := &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent); err != nil {
|
2015-03-18 20:50:36 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
err := ts.Revoke("")
|
|
|
|
if err.Error() != "cannot revoke blank token" {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
err = ts.Revoke(ent.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
out, err := ts.Lookup(ent.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if out != nil {
|
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-04-10 22:12:04 +00:00
|
|
|
func TestTokenStore_Revoke_Leases(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, _ := TestCoreWithTokenStore(t)
|
2015-04-10 22:12:04 +00:00
|
|
|
|
|
|
|
// Mount a noop backend
|
|
|
|
noop := &NoopBackend{}
|
2015-09-04 20:58:12 +00:00
|
|
|
ts.expiration.router.Mount(noop, "", &MountEntry{UUID: ""}, nil)
|
2015-04-10 22:12:04 +00:00
|
|
|
|
|
|
|
ent := &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent); err != nil {
|
2015-04-10 22:12:04 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Register a lease
|
|
|
|
req := &logical.Request{
|
|
|
|
Operation: logical.ReadOperation,
|
|
|
|
Path: "secret/foo",
|
|
|
|
ClientToken: ent.ID,
|
|
|
|
}
|
|
|
|
resp := &logical.Response{
|
|
|
|
Secret: &logical.Secret{
|
|
|
|
LeaseOptions: logical.LeaseOptions{
|
2015-08-21 00:47:17 +00:00
|
|
|
TTL: 20 * time.Millisecond,
|
2015-04-10 22:12:04 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
Data: map[string]interface{}{
|
|
|
|
"access_key": "xyz",
|
|
|
|
"secret_key": "abcd",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
leaseID, err := ts.expiration.Register(req, resp)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Revoke the token
|
|
|
|
err = ts.Revoke(ent.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Verify the lease is gone
|
|
|
|
out, err := ts.expiration.loadEntry(leaseID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if out != nil {
|
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-18 20:50:36 +00:00
|
|
|
func TestTokenStore_Revoke_Orphan(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, _ := TestCoreWithTokenStore(t)
|
2015-03-18 20:50:36 +00:00
|
|
|
|
2015-03-23 20:39:43 +00:00
|
|
|
ent := &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent); err != nil {
|
2015-03-18 20:50:36 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
ent2 := &TokenEntry{Parent: ent.ID}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent2); err != nil {
|
2015-03-18 20:50:36 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
err := ts.Revoke(ent.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
out, err := ts.Lookup(ent2.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(out, ent2) {
|
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_RevokeTree(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, _ := TestCoreWithTokenStore(t)
|
2015-03-18 20:50:36 +00:00
|
|
|
|
|
|
|
ent1 := &TokenEntry{}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent1); err != nil {
|
2015-03-18 20:50:36 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
ent2 := &TokenEntry{Parent: ent1.ID}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent2); err != nil {
|
2015-03-18 20:50:36 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
ent3 := &TokenEntry{Parent: ent2.ID}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent3); err != nil {
|
2015-03-18 20:50:36 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
ent4 := &TokenEntry{Parent: ent2.ID}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent4); err != nil {
|
2015-03-18 20:50:36 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
err := ts.RevokeTree("")
|
|
|
|
if err.Error() != "cannot revoke blank token" {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
err = ts.RevokeTree(ent1.ID)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
lookup := []string{ent1.ID, ent2.ID, ent3.ID, ent4.ID}
|
|
|
|
for _, id := range lookup {
|
|
|
|
out, err := ts.Lookup(id)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if out != nil {
|
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-09-17 17:22:30 +00:00
|
|
|
func TestTokenStore_RevokeSelf(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, _ := TestCoreWithTokenStore(t)
|
2015-09-17 17:22:30 +00:00
|
|
|
|
|
|
|
ent1 := &TokenEntry{}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent1); err != nil {
|
2015-09-17 17:22:30 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
ent2 := &TokenEntry{Parent: ent1.ID}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent2); err != nil {
|
2015-09-17 17:22:30 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
ent3 := &TokenEntry{Parent: ent2.ID}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent3); err != nil {
|
2015-09-17 17:22:30 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
ent4 := &TokenEntry{Parent: ent2.ID}
|
2015-10-30 14:59:26 +00:00
|
|
|
if err := ts.create(ent4); err != nil {
|
2015-09-17 17:22:30 +00:00
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "revoke-self")
|
2015-09-17 17:22:30 +00:00
|
|
|
req.ClientToken = ent1.ID
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
lookup := []string{ent1.ID, ent2.ID, ent3.ID, ent4.ID}
|
|
|
|
for _, id := range lookup {
|
|
|
|
out, err := ts.Lookup(id)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if out != nil {
|
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-04-15 21:24:07 +00:00
|
|
|
func TestTokenStore_HandleRequest_CreateToken_DisplayName(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-04-15 21:24:07 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-04-15 21:24:07 +00:00
|
|
|
req.ClientToken = root
|
|
|
|
req.Data["display_name"] = "foo_bar.baz!"
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
expected := &TokenEntry{
|
|
|
|
ID: resp.Auth.ClientToken,
|
2016-03-09 18:45:36 +00:00
|
|
|
Accessor: resp.Auth.Accessor,
|
2015-04-15 21:24:07 +00:00
|
|
|
Parent: root,
|
|
|
|
Policies: []string{"root"},
|
|
|
|
Path: "auth/token/create",
|
|
|
|
DisplayName: "token-foo-bar-baz",
|
2015-09-18 20:33:52 +00:00
|
|
|
TTL: 0,
|
2015-04-15 21:24:07 +00:00
|
|
|
}
|
|
|
|
out, err := ts.Lookup(resp.Auth.ClientToken)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-09-18 20:33:52 +00:00
|
|
|
expected.CreationTime = out.CreationTime
|
2015-04-15 21:24:07 +00:00
|
|
|
if !reflect.DeepEqual(out, expected) {
|
2016-04-07 15:39:46 +00:00
|
|
|
t.Fatalf("bad:\ngot:\n%#v\nexpected:\n%#v\n", out, expected)
|
2015-04-15 21:24:07 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-04-17 18:34:25 +00:00
|
|
|
func TestTokenStore_HandleRequest_CreateToken_NumUses(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-04-17 18:34:25 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-04-17 18:34:25 +00:00
|
|
|
req.ClientToken = root
|
|
|
|
req.Data["num_uses"] = "1"
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
expected := &TokenEntry{
|
|
|
|
ID: resp.Auth.ClientToken,
|
2016-03-09 18:45:36 +00:00
|
|
|
Accessor: resp.Auth.Accessor,
|
2015-04-17 18:34:25 +00:00
|
|
|
Parent: root,
|
|
|
|
Policies: []string{"root"},
|
|
|
|
Path: "auth/token/create",
|
|
|
|
DisplayName: "token",
|
|
|
|
NumUses: 1,
|
2015-09-18 20:33:52 +00:00
|
|
|
TTL: 0,
|
2015-04-17 18:34:25 +00:00
|
|
|
}
|
|
|
|
out, err := ts.Lookup(resp.Auth.ClientToken)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-09-18 20:33:52 +00:00
|
|
|
expected.CreationTime = out.CreationTime
|
2015-04-17 18:34:25 +00:00
|
|
|
if !reflect.DeepEqual(out, expected) {
|
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_CreateToken_NumUses_Invalid(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-04-17 18:34:25 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-04-17 18:34:25 +00:00
|
|
|
req.ClientToken = root
|
|
|
|
req.Data["num_uses"] = "-1"
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_CreateToken_NumUses_Restricted(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-04-17 18:34:25 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-04-17 18:34:25 +00:00
|
|
|
req.ClientToken = root
|
|
|
|
req.Data["num_uses"] = "1"
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// We should NOT be able to use the restricted token to create a new token
|
|
|
|
req.ClientToken = resp.Auth.ClientToken
|
|
|
|
_, err = ts.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-24 22:10:46 +00:00
|
|
|
func TestTokenStore_HandleRequest_CreateToken_NoPolicy(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-03-24 22:10:46 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-03-24 22:10:46 +00:00
|
|
|
req.ClientToken = root
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
2015-04-07 21:19:52 +00:00
|
|
|
if err != nil {
|
2015-03-24 22:10:46 +00:00
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2015-04-07 21:19:52 +00:00
|
|
|
|
|
|
|
expected := &TokenEntry{
|
2015-04-15 21:24:07 +00:00
|
|
|
ID: resp.Auth.ClientToken,
|
2016-03-09 18:45:36 +00:00
|
|
|
Accessor: resp.Auth.Accessor,
|
2015-04-15 21:24:07 +00:00
|
|
|
Parent: root,
|
|
|
|
Policies: []string{"root"},
|
|
|
|
Path: "auth/token/create",
|
|
|
|
DisplayName: "token",
|
2015-09-18 20:33:52 +00:00
|
|
|
TTL: 0,
|
2015-04-07 21:19:52 +00:00
|
|
|
}
|
|
|
|
out, err := ts.Lookup(resp.Auth.ClientToken)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-09-18 20:33:52 +00:00
|
|
|
expected.CreationTime = out.CreationTime
|
2015-04-07 21:19:52 +00:00
|
|
|
if !reflect.DeepEqual(out, expected) {
|
|
|
|
t.Fatalf("bad: %#v", out)
|
2015-03-24 22:10:46 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_CreateToken_BadParent(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, _ := TestCoreWithTokenStore(t)
|
2015-03-24 22:10:46 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-03-24 22:10:46 +00:00
|
|
|
req.ClientToken = "random"
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp.Data["error"] != "parent token lookup failed" {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_CreateToken(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-03-24 22:10:46 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-03-24 22:10:46 +00:00
|
|
|
req.ClientToken = root
|
|
|
|
req.Data["policies"] = []string{"foo"}
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2015-03-31 03:26:39 +00:00
|
|
|
if resp.Auth.ClientToken == "" {
|
2015-03-24 22:10:46 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_CreateToken_RootID(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-03-24 22:10:46 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-03-24 22:10:46 +00:00
|
|
|
req.ClientToken = root
|
|
|
|
req.Data["id"] = "foobar"
|
|
|
|
req.Data["policies"] = []string{"foo"}
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2015-03-31 03:26:39 +00:00
|
|
|
if resp.Auth.ClientToken != "foobar" {
|
2015-03-24 22:10:46 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_CreateToken_NonRootID(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-12-30 19:30:02 +00:00
|
|
|
testMakeToken(t, ts, root, "client", "", []string{"foo"})
|
2015-03-24 22:10:46 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-03-24 22:10:46 +00:00
|
|
|
req.ClientToken = "client"
|
|
|
|
req.Data["id"] = "foobar"
|
|
|
|
req.Data["policies"] = []string{"foo"}
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2015-09-19 16:33:52 +00:00
|
|
|
if resp.Data["error"] != "root or sudo privileges required to specify token id" {
|
2015-03-24 22:10:46 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_CreateToken_NonRoot_Subset(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-12-30 19:30:02 +00:00
|
|
|
testMakeToken(t, ts, root, "client", "", []string{"foo", "bar"})
|
2015-03-24 22:10:46 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-03-24 22:10:46 +00:00
|
|
|
req.ClientToken = "client"
|
|
|
|
req.Data["policies"] = []string{"foo"}
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2015-03-31 03:26:39 +00:00
|
|
|
if resp.Auth.ClientToken == "" {
|
2015-03-24 22:10:46 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_CreateToken_NonRoot_InvalidSubset(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-12-30 19:30:02 +00:00
|
|
|
testMakeToken(t, ts, root, "client", "", []string{"foo", "bar"})
|
2015-03-24 22:10:46 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-03-24 22:10:46 +00:00
|
|
|
req.ClientToken = "client"
|
|
|
|
req.Data["policies"] = []string{"foo", "bar", "baz"}
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2015-03-24 22:12:52 +00:00
|
|
|
if resp.Data["error"] != "child policies must be subset of parent" {
|
2015-03-24 22:10:46 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_CreateToken_NonRoot_NoParent(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-12-30 19:30:02 +00:00
|
|
|
testMakeToken(t, ts, root, "client", "", []string{"foo"})
|
2015-03-24 22:10:46 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-03-24 22:10:46 +00:00
|
|
|
req.ClientToken = "client"
|
|
|
|
req.Data["no_parent"] = true
|
|
|
|
req.Data["policies"] = []string{"foo"}
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2015-09-19 16:33:52 +00:00
|
|
|
if resp.Data["error"] != "root or sudo privileges required to create orphan token" {
|
2015-03-24 22:10:46 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_CreateToken_Root_NoParent(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-03-24 22:10:46 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-03-24 22:10:46 +00:00
|
|
|
req.ClientToken = root
|
|
|
|
req.Data["no_parent"] = true
|
|
|
|
req.Data["policies"] = []string{"foo"}
|
|
|
|
|
2015-11-03 20:10:46 +00:00
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp.Auth.ClientToken == "" {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
out, _ := ts.Lookup(resp.Auth.ClientToken)
|
|
|
|
if out.Parent != "" {
|
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_CreateToken_PathBased_NoParent(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-11-03 20:10:46 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create-orphan")
|
2015-11-03 20:10:46 +00:00
|
|
|
req.ClientToken = root
|
|
|
|
req.Data["policies"] = []string{"foo"}
|
|
|
|
|
2015-03-24 22:10:46 +00:00
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2015-03-31 03:26:39 +00:00
|
|
|
if resp.Auth.ClientToken == "" {
|
2015-03-24 22:10:46 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
2015-03-31 03:26:39 +00:00
|
|
|
out, _ := ts.Lookup(resp.Auth.ClientToken)
|
2015-03-24 22:10:46 +00:00
|
|
|
if out.Parent != "" {
|
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_CreateToken_Metadata(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-03-24 22:10:46 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-03-24 22:10:46 +00:00
|
|
|
req.ClientToken = root
|
|
|
|
req.Data["policies"] = []string{"foo"}
|
2015-03-31 03:26:39 +00:00
|
|
|
meta := map[string]string{
|
2015-03-24 22:10:46 +00:00
|
|
|
"user": "armon",
|
|
|
|
"source": "github",
|
|
|
|
}
|
|
|
|
req.Data["meta"] = meta
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2015-03-31 03:26:39 +00:00
|
|
|
if resp.Auth.ClientToken == "" {
|
2015-03-24 22:10:46 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
2015-03-31 03:26:39 +00:00
|
|
|
out, _ := ts.Lookup(resp.Auth.ClientToken)
|
2015-03-24 22:10:46 +00:00
|
|
|
if !reflect.DeepEqual(out.Meta, meta) {
|
|
|
|
t.Fatalf("bad: %#v", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_CreateToken_Lease(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-03-24 22:10:46 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-03-24 22:10:46 +00:00
|
|
|
req.ClientToken = root
|
|
|
|
req.Data["policies"] = []string{"foo"}
|
|
|
|
req.Data["lease"] = "1h"
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2015-03-31 03:26:39 +00:00
|
|
|
if resp.Auth.ClientToken == "" {
|
2015-03-24 22:10:46 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
2015-08-21 00:47:17 +00:00
|
|
|
if resp.Auth.TTL != time.Hour {
|
2015-03-24 22:10:46 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
2015-04-03 21:04:50 +00:00
|
|
|
if !resp.Auth.Renewable {
|
2015-03-24 22:10:46 +00:00
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-09-25 13:46:20 +00:00
|
|
|
func TestTokenStore_HandleRequest_CreateToken_TTL(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-09-25 13:46:20 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "create")
|
2015-09-25 13:46:20 +00:00
|
|
|
req.ClientToken = root
|
|
|
|
req.Data["policies"] = []string{"foo"}
|
|
|
|
req.Data["ttl"] = "1h"
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp.Auth.ClientToken == "" {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
if resp.Auth.TTL != time.Hour {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
if !resp.Auth.Renewable {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-24 22:30:09 +00:00
|
|
|
func TestTokenStore_HandleRequest_Revoke(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-12-30 19:30:02 +00:00
|
|
|
testMakeToken(t, ts, root, "child", "", []string{"root", "foo"})
|
|
|
|
testMakeToken(t, ts, "child", "sub-child", "", []string{"foo"})
|
2015-03-24 22:30:09 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "revoke/child")
|
2015-03-24 22:30:09 +00:00
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
out, err := ts.Lookup("child")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if out != nil {
|
|
|
|
t.Fatalf("bad: %v", out)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Sub-child should not exist
|
|
|
|
out, err = ts.Lookup("sub-child")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if out != nil {
|
|
|
|
t.Fatalf("bad: %v", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_RevokeOrphan(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-12-30 19:30:02 +00:00
|
|
|
testMakeToken(t, ts, root, "child", "", []string{"root", "foo"})
|
|
|
|
testMakeToken(t, ts, "child", "sub-child", "", []string{"foo"})
|
2015-03-24 22:30:09 +00:00
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "revoke-orphan/child")
|
2015-09-16 13:22:15 +00:00
|
|
|
req.ClientToken = root
|
2015-03-24 22:30:09 +00:00
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
out, err := ts.Lookup("child")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if out != nil {
|
|
|
|
t.Fatalf("bad: %v", out)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Sub-child should exist!
|
|
|
|
out, err = ts.Lookup("sub-child")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if out == nil {
|
|
|
|
t.Fatalf("bad: %v", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-09-16 13:22:15 +00:00
|
|
|
func TestTokenStore_HandleRequest_RevokeOrphan_NonRoot(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-12-30 19:30:02 +00:00
|
|
|
testMakeToken(t, ts, root, "child", "", []string{"foo"})
|
2015-09-16 13:22:15 +00:00
|
|
|
|
|
|
|
out, err := ts.Lookup("child")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if out == nil {
|
|
|
|
t.Fatalf("bad: %v", out)
|
|
|
|
}
|
|
|
|
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "revoke-orphan/child")
|
2015-09-16 13:22:15 +00:00
|
|
|
req.ClientToken = "child"
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != logical.ErrInvalidRequest {
|
|
|
|
t.Fatalf("did not get error when non-root revoking itself with orphan flag; resp is %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Should still exist
|
|
|
|
out, err = ts.Lookup("child")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if out == nil {
|
|
|
|
t.Fatalf("bad: %v", out)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-24 22:39:33 +00:00
|
|
|
func TestTokenStore_HandleRequest_Lookup(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
c, ts, _, root := TestCoreWithTokenStore(t)
|
2015-03-24 22:39:33 +00:00
|
|
|
req := logical.TestRequest(t, logical.ReadOperation, "lookup/"+root)
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
exp := map[string]interface{}{
|
2016-05-11 20:51:18 +00:00
|
|
|
"id": root,
|
|
|
|
"accessor": resp.Data["accessor"].(string),
|
|
|
|
"policies": []string{"root"},
|
|
|
|
"path": "auth/token/root",
|
|
|
|
"meta": map[string]string(nil),
|
|
|
|
"display_name": "root",
|
|
|
|
"orphan": true,
|
|
|
|
"num_uses": 0,
|
|
|
|
"creation_ttl": int64(0),
|
|
|
|
"ttl": int64(0),
|
|
|
|
"role": "",
|
|
|
|
"explicit_max_ttl": int64(0),
|
2015-12-30 19:30:02 +00:00
|
|
|
}
|
|
|
|
|
2016-01-04 22:11:22 +00:00
|
|
|
if resp.Data["creation_time"].(int64) == 0 {
|
2015-12-30 19:30:02 +00:00
|
|
|
t.Fatalf("creation time was zero")
|
2015-03-31 19:50:07 +00:00
|
|
|
}
|
2015-09-18 20:33:52 +00:00
|
|
|
delete(resp.Data, "creation_time")
|
2015-12-30 19:30:02 +00:00
|
|
|
|
2015-03-31 19:50:07 +00:00
|
|
|
if !reflect.DeepEqual(resp.Data, exp) {
|
2015-11-09 18:19:59 +00:00
|
|
|
t.Fatalf("bad:\n%#v\nexp:\n%#v\n", resp.Data, exp)
|
|
|
|
}
|
|
|
|
|
2015-12-30 19:30:02 +00:00
|
|
|
testCoreMakeToken(t, c, root, "client", "3600s", []string{"foo"})
|
2015-11-09 18:19:59 +00:00
|
|
|
|
2016-04-28 19:15:37 +00:00
|
|
|
// Test via GET
|
2015-11-09 18:19:59 +00:00
|
|
|
req = logical.TestRequest(t, logical.ReadOperation, "lookup/client")
|
|
|
|
resp, err = ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
exp = map[string]interface{}{
|
2016-05-11 20:51:18 +00:00
|
|
|
"id": "client",
|
|
|
|
"accessor": resp.Data["accessor"],
|
|
|
|
"policies": []string{"default", "foo"},
|
|
|
|
"path": "auth/token/create",
|
|
|
|
"meta": map[string]string(nil),
|
|
|
|
"display_name": "token",
|
|
|
|
"orphan": false,
|
|
|
|
"num_uses": 0,
|
|
|
|
"creation_ttl": int64(3600),
|
|
|
|
"ttl": int64(3600),
|
|
|
|
"role": "",
|
|
|
|
"explicit_max_ttl": int64(0),
|
2016-06-01 21:30:31 +00:00
|
|
|
"renewable": true,
|
2015-12-30 19:30:02 +00:00
|
|
|
}
|
|
|
|
|
2016-01-04 22:11:22 +00:00
|
|
|
if resp.Data["creation_time"].(int64) == 0 {
|
2015-12-30 19:30:02 +00:00
|
|
|
t.Fatalf("creation time was zero")
|
2015-11-09 18:19:59 +00:00
|
|
|
}
|
|
|
|
delete(resp.Data, "creation_time")
|
2015-12-30 19:30:02 +00:00
|
|
|
|
2016-02-01 16:16:32 +00:00
|
|
|
// Depending on timing of the test this may have ticked down, so accept 3599
|
|
|
|
if resp.Data["ttl"].(int64) == 3599 {
|
|
|
|
resp.Data["ttl"] = int64(3600)
|
|
|
|
}
|
|
|
|
|
2015-11-09 18:19:59 +00:00
|
|
|
if !reflect.DeepEqual(resp.Data, exp) {
|
|
|
|
t.Fatalf("bad:\n%#v\nexp:\n%#v\n", resp.Data, exp)
|
2015-03-31 19:50:07 +00:00
|
|
|
}
|
2015-12-30 19:30:02 +00:00
|
|
|
|
2016-04-28 19:15:37 +00:00
|
|
|
// Test via POST
|
|
|
|
req = logical.TestRequest(t, logical.UpdateOperation, "lookup")
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"token": "client",
|
|
|
|
}
|
|
|
|
resp, err = ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
exp = map[string]interface{}{
|
2016-05-11 20:51:18 +00:00
|
|
|
"id": "client",
|
|
|
|
"accessor": resp.Data["accessor"],
|
|
|
|
"policies": []string{"default", "foo"},
|
|
|
|
"path": "auth/token/create",
|
|
|
|
"meta": map[string]string(nil),
|
|
|
|
"display_name": "token",
|
|
|
|
"orphan": false,
|
|
|
|
"num_uses": 0,
|
|
|
|
"creation_ttl": int64(3600),
|
|
|
|
"ttl": int64(3600),
|
|
|
|
"role": "",
|
|
|
|
"explicit_max_ttl": int64(0),
|
2016-06-01 21:30:31 +00:00
|
|
|
"renewable": true,
|
2016-04-28 19:15:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if resp.Data["creation_time"].(int64) == 0 {
|
|
|
|
t.Fatalf("creation time was zero")
|
|
|
|
}
|
|
|
|
delete(resp.Data, "creation_time")
|
|
|
|
|
|
|
|
// Depending on timing of the test this may have ticked down, so accept 3599
|
|
|
|
if resp.Data["ttl"].(int64) == 3599 {
|
|
|
|
resp.Data["ttl"] = int64(3600)
|
|
|
|
}
|
|
|
|
|
|
|
|
if !reflect.DeepEqual(resp.Data, exp) {
|
|
|
|
t.Fatalf("bad:\n%#v\nexp:\n%#v\n", resp.Data, exp)
|
|
|
|
}
|
|
|
|
|
2015-12-30 19:30:02 +00:00
|
|
|
// Test last_renewal_time functionality
|
2016-01-07 15:30:47 +00:00
|
|
|
req = logical.TestRequest(t, logical.UpdateOperation, "renew/client")
|
2015-12-30 19:30:02 +00:00
|
|
|
resp, err = ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req = logical.TestRequest(t, logical.ReadOperation, "lookup/client")
|
|
|
|
resp, err = ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
2016-01-04 21:43:07 +00:00
|
|
|
if resp.Data["last_renewal_time"].(int64) == 0 {
|
2015-12-30 19:30:02 +00:00
|
|
|
t.Fatalf("last_renewal_time was zero")
|
|
|
|
}
|
2015-03-31 19:50:07 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_LookupSelf(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
2015-03-31 19:51:00 +00:00
|
|
|
req := logical.TestRequest(t, logical.ReadOperation, "lookup-self")
|
2015-03-31 19:50:07 +00:00
|
|
|
req.ClientToken = root
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
exp := map[string]interface{}{
|
2016-05-11 20:51:18 +00:00
|
|
|
"id": root,
|
|
|
|
"accessor": resp.Data["accessor"],
|
|
|
|
"policies": []string{"root"},
|
|
|
|
"path": "auth/token/root",
|
|
|
|
"meta": map[string]string(nil),
|
|
|
|
"display_name": "root",
|
|
|
|
"orphan": true,
|
|
|
|
"num_uses": 0,
|
|
|
|
"creation_ttl": int64(0),
|
|
|
|
"ttl": int64(0),
|
|
|
|
"role": "",
|
|
|
|
"explicit_max_ttl": int64(0),
|
2015-12-30 19:30:02 +00:00
|
|
|
}
|
|
|
|
|
2016-01-04 22:11:22 +00:00
|
|
|
if resp.Data["creation_time"].(int64) == 0 {
|
2015-12-30 19:30:02 +00:00
|
|
|
t.Fatalf("creation time was zero")
|
2015-03-24 22:39:33 +00:00
|
|
|
}
|
2015-09-18 20:33:52 +00:00
|
|
|
delete(resp.Data, "creation_time")
|
2015-12-30 19:30:02 +00:00
|
|
|
|
2015-03-24 22:39:33 +00:00
|
|
|
if !reflect.DeepEqual(resp.Data, exp) {
|
2016-01-04 21:43:07 +00:00
|
|
|
t.Fatalf("bad:\ngot %#v\nexpected: %#v\n", resp.Data, exp)
|
2015-03-24 22:39:33 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-04-03 19:11:49 +00:00
|
|
|
func TestTokenStore_HandleRequest_Renew(t *testing.T) {
|
|
|
|
exp := mockExpiration(t)
|
|
|
|
ts := exp.tokenStore
|
|
|
|
|
|
|
|
// Create new token
|
2016-01-20 00:44:33 +00:00
|
|
|
root, err := ts.rootToken()
|
2015-04-03 19:11:49 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create a new token
|
|
|
|
auth := &logical.Auth{
|
|
|
|
ClientToken: root.ID,
|
2015-04-09 19:14:04 +00:00
|
|
|
LeaseOptions: logical.LeaseOptions{
|
2015-08-21 00:47:17 +00:00
|
|
|
TTL: time.Hour,
|
2015-04-09 19:14:04 +00:00
|
|
|
Renewable: true,
|
|
|
|
},
|
2015-04-03 19:11:49 +00:00
|
|
|
}
|
2015-04-09 21:23:37 +00:00
|
|
|
err = exp.RegisterAuth("auth/token/root", auth)
|
2015-04-03 19:11:49 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2015-04-11 04:21:06 +00:00
|
|
|
// Get the original expire time to compare
|
|
|
|
originalExpire := auth.ExpirationTime()
|
|
|
|
|
2015-06-17 21:28:13 +00:00
|
|
|
beforeRenew := time.Now().UTC()
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "renew/"+root.ID)
|
2015-06-17 22:58:20 +00:00
|
|
|
req.Data["increment"] = "3600s"
|
2015-04-03 19:11:49 +00:00
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2015-04-11 04:21:06 +00:00
|
|
|
|
|
|
|
// Get the new expire time
|
|
|
|
newExpire := resp.Auth.ExpirationTime()
|
2015-06-17 21:28:13 +00:00
|
|
|
if newExpire.Before(originalExpire) {
|
2015-10-07 16:49:13 +00:00
|
|
|
t.Fatalf("should expire later: %s %s", newExpire, originalExpire)
|
|
|
|
}
|
|
|
|
if newExpire.Before(beforeRenew.Add(time.Hour)) {
|
|
|
|
t.Fatalf("should have at least an hour: %s %s", newExpire, beforeRenew)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_HandleRequest_RenewSelf(t *testing.T) {
|
|
|
|
exp := mockExpiration(t)
|
|
|
|
ts := exp.tokenStore
|
|
|
|
|
|
|
|
// Create new token
|
2016-01-20 00:44:33 +00:00
|
|
|
root, err := ts.rootToken()
|
2015-10-07 16:49:13 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create a new token
|
|
|
|
auth := &logical.Auth{
|
|
|
|
ClientToken: root.ID,
|
|
|
|
LeaseOptions: logical.LeaseOptions{
|
|
|
|
TTL: time.Hour,
|
|
|
|
Renewable: true,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
err = exp.RegisterAuth("auth/token/root", auth)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get the original expire time to compare
|
|
|
|
originalExpire := auth.ExpirationTime()
|
|
|
|
|
|
|
|
beforeRenew := time.Now().UTC()
|
2016-01-07 15:30:47 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "renew-self")
|
2015-10-07 16:49:13 +00:00
|
|
|
req.ClientToken = auth.ClientToken
|
|
|
|
req.Data["increment"] = "3600s"
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get the new expire time
|
|
|
|
newExpire := resp.Auth.ExpirationTime()
|
|
|
|
if newExpire.Before(originalExpire) {
|
2015-06-17 21:28:13 +00:00
|
|
|
t.Fatalf("should expire later: %s %s", newExpire, originalExpire)
|
|
|
|
}
|
|
|
|
if newExpire.Before(beforeRenew.Add(time.Hour)) {
|
|
|
|
t.Fatalf("should have at least an hour: %s %s", newExpire, beforeRenew)
|
2015-04-03 19:11:49 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-02-29 19:13:09 +00:00
|
|
|
func TestTokenStore_RoleCRUD(t *testing.T) {
|
2016-03-09 16:59:54 +00:00
|
|
|
core, _, _, root := TestCoreWithTokenStore(t)
|
2016-02-29 19:13:09 +00:00
|
|
|
|
2016-03-09 16:59:54 +00:00
|
|
|
req := logical.TestRequest(t, logical.ReadOperation, "auth/token/roles/test")
|
2015-03-24 22:10:46 +00:00
|
|
|
req.ClientToken = root
|
|
|
|
|
2016-03-09 16:59:54 +00:00
|
|
|
resp, err := core.HandleRequest(req)
|
2015-03-24 22:10:46 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2016-02-29 19:13:09 +00:00
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("should not see a role")
|
2015-03-24 22:10:46 +00:00
|
|
|
}
|
2015-03-24 22:52:07 +00:00
|
|
|
|
2016-03-09 16:59:54 +00:00
|
|
|
// First test creation
|
|
|
|
req.Operation = logical.CreateOperation
|
2016-02-29 19:13:09 +00:00
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"orphan": true,
|
|
|
|
"period": "72h",
|
|
|
|
"allowed_policies": "test1,test2",
|
2016-03-01 20:30:37 +00:00
|
|
|
"path_suffix": "happenin",
|
2016-02-29 19:13:09 +00:00
|
|
|
}
|
2015-03-24 22:52:07 +00:00
|
|
|
|
2016-03-09 16:59:54 +00:00
|
|
|
resp, err = core.HandleRequest(req)
|
2015-03-24 22:52:07 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2016-02-29 19:13:09 +00:00
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("expected a nil response")
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Data = map[string]interface{}{}
|
|
|
|
|
2016-03-09 16:59:54 +00:00
|
|
|
resp, err = core.HandleRequest(req)
|
2016-02-29 19:13:09 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("got a nil response")
|
|
|
|
}
|
|
|
|
|
2016-04-14 11:56:09 +00:00
|
|
|
expected := map[string]interface{}{
|
|
|
|
"name": "test",
|
|
|
|
"orphan": true,
|
2016-05-11 20:51:18 +00:00
|
|
|
"period": int64(259200),
|
2016-05-13 15:50:00 +00:00
|
|
|
"allowed_policies": []string{"default", "test1", "test2"},
|
2016-04-14 11:56:09 +00:00
|
|
|
"path_suffix": "happenin",
|
2016-05-11 20:51:18 +00:00
|
|
|
"explicit_max_ttl": int64(0),
|
2016-06-08 19:17:22 +00:00
|
|
|
"renewable": true,
|
2016-02-29 19:13:09 +00:00
|
|
|
}
|
|
|
|
|
2016-04-14 11:56:09 +00:00
|
|
|
if !reflect.DeepEqual(expected, resp.Data) {
|
|
|
|
t.Fatalf("expected:\n%v\nactual:\n%v\n", expected, resp.Data)
|
2016-02-29 19:13:09 +00:00
|
|
|
}
|
|
|
|
|
2016-03-09 16:59:54 +00:00
|
|
|
// Now test updating; this should be set to an UpdateOperation
|
|
|
|
// automatically due to the existence check
|
|
|
|
req.Operation = logical.CreateOperation
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"period": "79h",
|
|
|
|
"allowed_policies": "test3",
|
|
|
|
"path_suffix": "happenin",
|
2016-06-08 19:17:22 +00:00
|
|
|
"renewable": false,
|
2016-03-09 16:59:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("expected a nil response")
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Data = map[string]interface{}{}
|
|
|
|
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("got a nil response")
|
|
|
|
}
|
|
|
|
|
2016-04-14 11:56:09 +00:00
|
|
|
expected = map[string]interface{}{
|
|
|
|
"name": "test",
|
|
|
|
"orphan": true,
|
2016-05-11 20:51:18 +00:00
|
|
|
"period": int64(284400),
|
2016-05-13 15:50:00 +00:00
|
|
|
"allowed_policies": []string{"default", "test3"},
|
2016-05-11 20:51:18 +00:00
|
|
|
"path_suffix": "happenin",
|
|
|
|
"explicit_max_ttl": int64(0),
|
2016-06-08 19:17:22 +00:00
|
|
|
"renewable": false,
|
2016-05-11 20:51:18 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if !reflect.DeepEqual(expected, resp.Data) {
|
|
|
|
t.Fatalf("expected:\n%v\nactual:\n%v\n", expected, resp.Data)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Now test setting explicit max ttl at the same time as period, which
|
|
|
|
// should be an error
|
|
|
|
req.Operation = logical.CreateOperation
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"explicit_max_ttl": "5",
|
|
|
|
}
|
|
|
|
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err == nil {
|
|
|
|
t.Fatalf("expected error")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Now set explicit max ttl and clear the period
|
|
|
|
req.Operation = logical.CreateOperation
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"explicit_max_ttl": "5",
|
|
|
|
"period": "0s",
|
|
|
|
}
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Data = map[string]interface{}{}
|
|
|
|
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("got a nil response")
|
|
|
|
}
|
|
|
|
|
|
|
|
expected = map[string]interface{}{
|
|
|
|
"name": "test",
|
|
|
|
"orphan": true,
|
|
|
|
"explicit_max_ttl": int64(5),
|
2016-05-13 15:50:00 +00:00
|
|
|
"allowed_policies": []string{"default", "test3"},
|
2016-04-14 11:56:09 +00:00
|
|
|
"path_suffix": "happenin",
|
2016-05-11 20:51:18 +00:00
|
|
|
"period": int64(0),
|
2016-06-08 19:17:22 +00:00
|
|
|
"renewable": false,
|
2016-03-09 16:59:54 +00:00
|
|
|
}
|
|
|
|
|
2016-04-14 11:56:09 +00:00
|
|
|
if !reflect.DeepEqual(expected, resp.Data) {
|
|
|
|
t.Fatalf("expected:\n%v\nactual:\n%v\n", expected, resp.Data)
|
2016-03-09 16:59:54 +00:00
|
|
|
}
|
|
|
|
|
2016-02-29 19:13:09 +00:00
|
|
|
req.Operation = logical.ListOperation
|
2016-03-09 16:59:54 +00:00
|
|
|
req.Path = "auth/token/roles"
|
2016-02-29 19:13:09 +00:00
|
|
|
req.Data = map[string]interface{}{}
|
2016-03-09 16:59:54 +00:00
|
|
|
resp, err = core.HandleRequest(req)
|
2016-02-29 19:13:09 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("got a nil response")
|
|
|
|
}
|
|
|
|
keysInt, ok := resp.Data["keys"]
|
|
|
|
if !ok {
|
|
|
|
t.Fatalf("did not find keys in response")
|
|
|
|
}
|
|
|
|
keys, ok := keysInt.([]string)
|
|
|
|
if !ok {
|
|
|
|
t.Fatalf("could not convert keys interface to key list")
|
|
|
|
}
|
|
|
|
if len(keys) != 1 {
|
|
|
|
t.Fatalf("unexpected number of keys: %d", len(keys))
|
|
|
|
}
|
|
|
|
if keys[0] != "test" {
|
|
|
|
t.Fatalf("expected \"test\", got \"%s\"", keys[0])
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Operation = logical.DeleteOperation
|
2016-03-09 16:59:54 +00:00
|
|
|
req.Path = "auth/token/roles/test"
|
|
|
|
resp, err = core.HandleRequest(req)
|
2016-02-29 19:13:09 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("expected a nil response")
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Operation = logical.ReadOperation
|
2016-03-09 16:59:54 +00:00
|
|
|
resp, err = core.HandleRequest(req)
|
2016-02-29 19:13:09 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("expected a nil response")
|
2015-03-24 22:52:07 +00:00
|
|
|
}
|
|
|
|
}
|
2016-03-01 17:33:35 +00:00
|
|
|
|
|
|
|
func TestTokenStore_RoleAllowedRoles(t *testing.T) {
|
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "roles/test")
|
|
|
|
req.ClientToken = root
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"allowed_policies": "test1,test2",
|
|
|
|
}
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("expected a nil response")
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Data = map[string]interface{}{}
|
|
|
|
|
|
|
|
req.Path = "create/test"
|
|
|
|
req.Data["policies"] = []string{"foo"}
|
|
|
|
resp, err = ts.HandleRequest(req)
|
|
|
|
if err == nil {
|
|
|
|
t.Fatalf("expected error")
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Data["policies"] = []string{"test2"}
|
|
|
|
resp, err = ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp.Auth.ClientToken == "" {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_RoleOrphan(t *testing.T) {
|
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "roles/test")
|
|
|
|
req.ClientToken = root
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"orphan": true,
|
|
|
|
}
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("expected a nil response")
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Path = "create/test"
|
|
|
|
resp, err = ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp.Auth.ClientToken == "" {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
out, err := ts.Lookup(resp.Auth.ClientToken)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if out.Parent != "" {
|
|
|
|
t.Fatalf("expected orphan token, but found a parent")
|
|
|
|
}
|
|
|
|
|
|
|
|
if !strings.HasPrefix(out.Path, "auth/token/create/test") {
|
|
|
|
t.Fatalf("expected role in path but did not find it")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-03-01 20:30:37 +00:00
|
|
|
func TestTokenStore_RolePathSuffix(t *testing.T) {
|
2016-03-01 17:33:35 +00:00
|
|
|
_, ts, _, root := TestCoreWithTokenStore(t)
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "roles/test")
|
|
|
|
req.ClientToken = root
|
|
|
|
req.Data = map[string]interface{}{
|
2016-03-01 20:30:37 +00:00
|
|
|
"path_suffix": "happenin",
|
2016-03-01 17:33:35 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("expected a nil response")
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Path = "create/test"
|
|
|
|
resp, err = ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp.Auth.ClientToken == "" {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
out, err := ts.Lookup(resp.Auth.ClientToken)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2016-03-01 20:30:37 +00:00
|
|
|
if out.Path != "auth/token/create/test/happenin" {
|
2016-03-01 17:33:35 +00:00
|
|
|
t.Fatalf("expected role in path but did not find it")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestTokenStore_RolePeriod(t *testing.T) {
|
|
|
|
core, _, _, root := TestCoreWithTokenStore(t)
|
|
|
|
|
|
|
|
core.defaultLeaseTTL = 5 * time.Second
|
|
|
|
core.maxLeaseTTL = 5 * time.Second
|
|
|
|
|
|
|
|
// Note: these requests are sent to Core since Core handles registration
|
|
|
|
// with the expiration manager and we need the storage to be consistent
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/roles/test")
|
|
|
|
req.ClientToken = root
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"period": 300,
|
|
|
|
}
|
|
|
|
|
|
|
|
resp, err := core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("expected a nil response")
|
|
|
|
}
|
|
|
|
|
|
|
|
// This first set of logic is to verify that a normal non-root token will
|
|
|
|
// be given a TTL of 5 seconds, and that renewing will not cause the TTL to
|
|
|
|
// increase since that's the configured backend max. Then we verify that
|
|
|
|
// increment works.
|
|
|
|
{
|
|
|
|
req.Path = "auth/token/create"
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"policies": []string{"default"},
|
|
|
|
}
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp.Auth.ClientToken == "" {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req.ClientToken = resp.Auth.ClientToken
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Path = "auth/token/lookup-self"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
ttl := resp.Data["ttl"].(int64)
|
|
|
|
if ttl > 5 {
|
|
|
|
t.Fatalf("TTL too large")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Let the TTL go down a bit to 3 seconds
|
|
|
|
time.Sleep(2 * time.Second)
|
|
|
|
|
|
|
|
req.Operation = logical.UpdateOperation
|
|
|
|
req.Path = "auth/token/renew-self"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Path = "auth/token/lookup-self"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
ttl = resp.Data["ttl"].(int64)
|
|
|
|
if ttl > 3 {
|
|
|
|
t.Fatalf("TTL too large")
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Operation = logical.UpdateOperation
|
|
|
|
req.Path = "auth/token/renew-self"
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"increment": 1,
|
|
|
|
}
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Path = "auth/token/lookup-self"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
ttl = resp.Data["ttl"].(int64)
|
|
|
|
if ttl > 1 {
|
|
|
|
t.Fatalf("TTL too large")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Now we create a token against the role. We should be able to renew;
|
|
|
|
// increment should be ignored as well.
|
|
|
|
{
|
|
|
|
req.ClientToken = root
|
|
|
|
req.Operation = logical.UpdateOperation
|
|
|
|
req.Path = "auth/token/create/test"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatal("response was nil")
|
|
|
|
}
|
|
|
|
if resp.Auth == nil {
|
|
|
|
t.Fatal(fmt.Sprintf("response auth was nil, resp is %#v", *resp))
|
|
|
|
}
|
|
|
|
if resp.Auth.ClientToken == "" {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req.ClientToken = resp.Auth.ClientToken
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Path = "auth/token/lookup-self"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
ttl := resp.Data["ttl"].(int64)
|
|
|
|
if ttl < 299 {
|
2016-06-08 18:49:48 +00:00
|
|
|
t.Fatalf("TTL too small (expected %d, got %d", 299, ttl)
|
2016-03-01 17:33:35 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Let the TTL go down a bit to 3 seconds
|
|
|
|
time.Sleep(2 * time.Second)
|
|
|
|
|
|
|
|
req.Operation = logical.UpdateOperation
|
|
|
|
req.Path = "auth/token/renew-self"
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"increment": 1,
|
|
|
|
}
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Path = "auth/token/lookup-self"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
ttl = resp.Data["ttl"].(int64)
|
|
|
|
if ttl < 299 {
|
2016-06-08 18:49:48 +00:00
|
|
|
t.Fatalf("TTL too small (expected %d, got %d", 299, ttl)
|
2016-03-01 17:33:35 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2016-05-11 20:51:18 +00:00
|
|
|
|
|
|
|
func TestTokenStore_RoleExplicitMaxTTL(t *testing.T) {
|
|
|
|
core, _, _, root := TestCoreWithTokenStore(t)
|
|
|
|
|
|
|
|
core.defaultLeaseTTL = 5 * time.Second
|
|
|
|
core.maxLeaseTTL = 5 * time.Hour
|
|
|
|
|
|
|
|
// Note: these requests are sent to Core since Core handles registration
|
|
|
|
// with the expiration manager and we need the storage to be consistent
|
|
|
|
|
2016-05-11 22:46:55 +00:00
|
|
|
// Make sure we can't make it larger than the system/mount max; we should get a warning on role write and an error on token creation
|
2016-05-11 20:51:18 +00:00
|
|
|
req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/roles/test")
|
|
|
|
req.ClientToken = root
|
|
|
|
req.Data = map[string]interface{}{
|
2016-05-11 22:46:55 +00:00
|
|
|
"explicit_max_ttl": "100h",
|
2016-05-11 20:51:18 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
resp, err := core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2016-05-11 22:46:55 +00:00
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("expected a warning")
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Operation = logical.UpdateOperation
|
|
|
|
req.Path = "auth/token/create/test"
|
|
|
|
resp, err = core.HandleRequest(req)
|
2016-06-08 19:25:17 +00:00
|
|
|
if err != nil {
|
2016-05-11 22:46:55 +00:00
|
|
|
t.Fatalf("expected an error")
|
|
|
|
}
|
2016-06-08 19:25:17 +00:00
|
|
|
if len(resp.Warnings()) == 0 {
|
|
|
|
t.Fatalf("expected a warning")
|
|
|
|
}
|
2016-05-11 22:46:55 +00:00
|
|
|
|
|
|
|
// Reset to a good explicit max
|
|
|
|
req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/roles/test")
|
|
|
|
req.ClientToken = root
|
|
|
|
req.Data = map[string]interface{}{
|
2016-07-01 15:37:27 +00:00
|
|
|
"explicit_max_ttl": "10s",
|
2016-05-11 22:46:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
2016-05-11 20:51:18 +00:00
|
|
|
if resp != nil {
|
|
|
|
t.Fatalf("expected a nil response")
|
|
|
|
}
|
|
|
|
|
|
|
|
// This first set of logic is to verify that a normal non-root token will
|
|
|
|
// be given a TTL of 5 seconds, and that renewing will cause the TTL to
|
|
|
|
// increase
|
|
|
|
{
|
|
|
|
req.Path = "auth/token/create"
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"policies": []string{"default"},
|
|
|
|
}
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp.Auth.ClientToken == "" {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req.ClientToken = resp.Auth.ClientToken
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Path = "auth/token/lookup-self"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
ttl := resp.Data["ttl"].(int64)
|
|
|
|
if ttl > 5 {
|
|
|
|
t.Fatalf("TTL too large")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Let the TTL go down a bit to 3 seconds
|
|
|
|
time.Sleep(2 * time.Second)
|
|
|
|
|
|
|
|
req.Operation = logical.UpdateOperation
|
|
|
|
req.Path = "auth/token/renew-self"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Path = "auth/token/lookup-self"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
ttl = resp.Data["ttl"].(int64)
|
|
|
|
if ttl < 4 {
|
|
|
|
t.Fatalf("TTL too small after renewal")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Now we create a token against the role. After renew our max should still
|
|
|
|
// be the same.
|
|
|
|
{
|
|
|
|
req.ClientToken = root
|
|
|
|
req.Operation = logical.UpdateOperation
|
|
|
|
req.Path = "auth/token/create/test"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatal("response was nil")
|
|
|
|
}
|
|
|
|
if resp.Auth == nil {
|
|
|
|
t.Fatal(fmt.Sprintf("response auth was nil, resp is %#v", *resp))
|
|
|
|
}
|
|
|
|
if resp.Auth.ClientToken == "" {
|
|
|
|
t.Fatalf("bad: %#v", resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req.ClientToken = resp.Auth.ClientToken
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Path = "auth/token/lookup-self"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
ttl := resp.Data["ttl"].(int64)
|
2016-07-01 15:37:27 +00:00
|
|
|
if ttl > 10 {
|
2016-05-11 20:51:18 +00:00
|
|
|
t.Fatalf("TTL too big")
|
|
|
|
}
|
|
|
|
maxTTL := resp.Data["explicit_max_ttl"].(int64)
|
2016-07-01 15:37:27 +00:00
|
|
|
if maxTTL != 10 {
|
2016-05-11 20:51:18 +00:00
|
|
|
t.Fatalf("expected 6 for explicit max TTL, got %d", maxTTL)
|
|
|
|
}
|
|
|
|
|
2016-07-01 15:37:27 +00:00
|
|
|
// Let the TTL go down a bit to ~7 seconds (8 against explicit max)
|
2016-05-11 20:51:18 +00:00
|
|
|
time.Sleep(2 * time.Second)
|
|
|
|
|
|
|
|
req.Operation = logical.UpdateOperation
|
|
|
|
req.Path = "auth/token/renew-self"
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"increment": 300,
|
|
|
|
}
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Path = "auth/token/lookup-self"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
ttl = resp.Data["ttl"].(int64)
|
2016-07-01 15:37:27 +00:00
|
|
|
if ttl > 8 {
|
2016-05-11 20:51:18 +00:00
|
|
|
t.Fatalf("TTL too big")
|
|
|
|
}
|
|
|
|
|
2016-07-01 15:37:27 +00:00
|
|
|
// Let the TTL go down a bit more to ~5 seconds (6 against explicit max)
|
2016-05-11 20:51:18 +00:00
|
|
|
time.Sleep(2 * time.Second)
|
|
|
|
|
|
|
|
req.Operation = logical.UpdateOperation
|
|
|
|
req.Path = "auth/token/renew-self"
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"increment": 300,
|
|
|
|
}
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v %v", err, resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Path = "auth/token/lookup-self"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
ttl = resp.Data["ttl"].(int64)
|
2016-07-01 15:37:27 +00:00
|
|
|
if ttl > 6 {
|
2016-05-11 20:51:18 +00:00
|
|
|
t.Fatalf("TTL too big")
|
|
|
|
}
|
|
|
|
|
|
|
|
// It should expire
|
2016-07-01 15:37:27 +00:00
|
|
|
time.Sleep(8 * time.Second)
|
2016-05-11 20:51:18 +00:00
|
|
|
|
|
|
|
req.Operation = logical.UpdateOperation
|
|
|
|
req.Path = "auth/token/renew-self"
|
|
|
|
req.Data = map[string]interface{}{
|
|
|
|
"increment": 300,
|
|
|
|
}
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err == nil {
|
|
|
|
t.Fatalf("expected error")
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Operation = logical.ReadOperation
|
|
|
|
req.Path = "auth/token/lookup-self"
|
|
|
|
resp, err = core.HandleRequest(req)
|
|
|
|
if err == nil {
|
|
|
|
t.Fatalf("expected error")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|