package command
import (
	"context"
	"encoding/base64"
	"errors"
	"net"
	"net/http"
	"strings"
	"testing"
	"time"

	log "github.com/hashicorp/go-hclog"
	kv "github.com/hashicorp/vault-plugin-secrets-kv"
	"github.com/hashicorp/vault/api"
	"github.com/hashicorp/vault/audit"
	"github.com/hashicorp/vault/builtin/logical/pki"
	"github.com/hashicorp/vault/builtin/logical/ssh"
	"github.com/hashicorp/vault/builtin/logical/transit"
	"github.com/hashicorp/vault/helper/builtinplugins"
	"github.com/hashicorp/vault/sdk/helper/logging"
	"github.com/hashicorp/vault/sdk/logical"
	"github.com/hashicorp/vault/sdk/physical/inmem"
	"github.com/hashicorp/vault/vault"
	"github.com/mitchellh/cli"

	auditFile "github.com/hashicorp/vault/builtin/audit/file"
	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
	vaulthttp "github.com/hashicorp/vault/http"
)
// defaultVaultLogger is a logger that discards its output; the test servers
// below use it unless a helper explicitly builds a verbose one.
var defaultVaultLogger = log.NewNullLogger()

// defaultVaultCredentialBackends is the set of auth backends handed to the
// test cores' CoreConfig.
var defaultVaultCredentialBackends = map[string]logical.Factory{
	"userpass": credUserpass.Factory,
}

// defaultVaultAuditBackends is the set of audit backends handed to the test
// cores' CoreConfig.
var defaultVaultAuditBackends = map[string]audit.Factory{
	"file": auditFile.Factory,
}

// defaultVaultLogicalBackends is the set of secrets backends handed to the
// test cores' CoreConfig.
var defaultVaultLogicalBackends = map[string]logical.Factory{
	"generic-leased": vault.LeasedPassthroughBackendFactory,
	"kv":             kv.Factory,
	"pki":            pki.Factory,
	"ssh":            ssh.Factory,
	"transit":        transit.Factory,
}
// assertNoTabs fails the test (without stopping it) when the command's help
// text contains a tab character.
func assertNoTabs(tb testing.TB, c cli.Command) {
	tb.Helper()

	help := c.Help()
	if !strings.ContainsRune(help, '\t') {
		return
	}
	tb.Errorf("%#v help output contains tabs", c)
}
// testVaultServer starts a single-node test cluster with the default backends
// and returns a client authenticated with the root token plus a function that
// tears the cluster down. The unseal keys are dropped; use
// testVaultServerUnseal when a test needs them.
func testVaultServer(tb testing.TB) (*api.Client, func()) {
	tb.Helper()

	var (
		client *api.Client
		closer func()
	)
	client, _, closer = testVaultServerUnseal(tb)
	return client, closer
}
// testVaultServerAllBackends starts a single-node test cluster wired to the
// package-level credentialBackends, auditBackends and logicalBackends tables
// (not defined in this file) instead of the default test subsets, and returns
// a root client and a closer function.
func testVaultServerAllBackends(tb testing.TB) (*api.Client, func()) {
	tb.Helper()

	cfg := &vault.CoreConfig{
		DisableMlock:       true,
		DisableCache:       true,
		Logger:             defaultVaultLogger,
		CredentialBackends: credentialBackends,
		AuditBackends:      auditBackends,
		LogicalBackends:    logicalBackends,
		BuiltinRegistry:    builtinplugins.Registry,
	}
	client, _, closer := testVaultServerCoreConfig(tb, cfg)
	return client, closer
}
// testVaultServerUnseal starts a single-node test cluster with the default
// backends and debug-level logging to log.DefaultOutput, and returns a root
// client, the base64-encoded unseal keys, and a closer function.
func testVaultServerUnseal(tb testing.TB) (*api.Client, []string, func()) {
	tb.Helper()

	// Emit JSON logs only when the environment asks for that format.
	useJSON := logging.ParseEnvLogFormat() == logging.JSONFormat
	opts := &log.LoggerOptions{
		Output:     log.DefaultOutput,
		Level:      log.Debug,
		JSONFormat: useJSON,
	}

	cfg := &vault.CoreConfig{
		DisableMlock:       true,
		DisableCache:       true,
		Logger:             log.NewInterceptLogger(opts),
		CredentialBackends: defaultVaultCredentialBackends,
		AuditBackends:      defaultVaultAuditBackends,
		LogicalBackends:    defaultVaultLogicalBackends,
		BuiltinRegistry:    builtinplugins.Registry,
	}
	return testVaultServerCoreConfig(tb, cfg)
}
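// testVaultServerPluginDir starts a single-node test cluster with the default
// backends and PluginDirectory set to pluginDir, and returns a root client,
// the base64-encoded unseal keys, and a closer function.
//
// (The doc comment previously named testVaultServerUnseal by mistake.)
func testVaultServerPluginDir(tb testing.TB, pluginDir string) (*api.Client, []string, func()) {
	tb.Helper()

	return testVaultServerCoreConfig(tb, &vault.CoreConfig{
		DisableMlock:       true,
		DisableCache:       true,
		Logger:             defaultVaultLogger,
		CredentialBackends: defaultVaultCredentialBackends,
		AuditBackends:      defaultVaultAuditBackends,
		LogicalBackends:    defaultVaultLogicalBackends,
		PluginDirectory:    pluginDir,
		BuiltinRegistry:    builtinplugins.Registry,
	})
}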
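// testVaultServerCoreConfig starts a single-node test cluster from coreConfig
// and returns a client authenticated with the cluster's root token, the
// barrier (unseal) keys base64-encoded as a user would receive them, and a
// closer that tears the cluster down. This is the lower-level helper behind
// the other testVaultServer* functions.
func testVaultServerCoreConfig(tb testing.TB, coreConfig *vault.CoreConfig) (*api.Client, []string, func()) {
	tb.Helper()

	cluster := vault.NewTestCluster(tb, coreConfig, &vault.TestClusterOptions{
		HandlerFunc: vaulthttp.Handler,
		NumCores:    1, // Default is 3, but we don't need that many
	})
	cluster.Start()

	// Wait for the core to become active before handing out a client so
	// callers do not race cluster startup.
	core := cluster.Cores[0].Core
	vault.TestWaitActive(tb, core)

	// The cluster already built a client for this core; authenticate it as root.
	client := cluster.Cores[0].Client
	client.SetToken(cluster.RootToken)

	// Convert the unseal keys to base64 encoded, since these are how the user
	// will get them.
	unsealKeys := make([]string, len(cluster.BarrierKeys))
	for i, key := range cluster.BarrierKeys {
		unsealKeys[i] = base64.StdEncoding.EncodeToString(key)
	}

	// The closer used to be `func() { defer cluster.Cleanup() }`; deferring the
	// closure's only statement is equivalent to calling it directly.
	return client, unsealKeys, func() { cluster.Cleanup() }
}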
// testVaultServerUninit builds a single core on in-memory storage, serves it
// through a test HTTP listener without initializing it, and returns a client
// pointed at that listener plus a closer. No token is set on the client.
func testVaultServerUninit(tb testing.TB) (*api.Client, func()) {
	tb.Helper()

	backend, err := inmem.NewInmem(nil, defaultVaultLogger)
	if err != nil {
		tb.Fatal(err)
	}

	cfg := &vault.CoreConfig{
		DisableMlock:       true,
		DisableCache:       true,
		Logger:             defaultVaultLogger,
		Physical:           backend,
		CredentialBackends: defaultVaultCredentialBackends,
		AuditBackends:      defaultVaultAuditBackends,
		LogicalBackends:    defaultVaultLogicalBackends,
		BuiltinRegistry:    builtinplugins.Registry,
	}
	core, err := vault.NewCore(cfg)
	if err != nil {
		tb.Fatal(err)
	}

	ln, addr := vaulthttp.TestServer(tb, core)

	client, err := api.NewClient(&api.Config{Address: addr})
	if err != nil {
		tb.Fatal(err)
	}

	// Teardown stops the core and then releases the listener. Any errors they
	// return are deliberately not checked; there is nothing left to do with
	// them once the test is over.
	closer := func() {
		core.Shutdown()
		ln.Close()
	}
	return client, closer
}
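// testVaultServerBad starts an HTTP server on a loopback port that answers
// every request with a 500, so tests can exercise client-side failure
// handling. It returns a client pointed at that server and a closer that
// shuts the server down.
func testVaultServerBad(tb testing.TB) (*api.Client, func()) {
	tb.Helper()

	listener, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		tb.Fatal(err)
	}

	// Short timeouts keep a misbehaving test from hanging on this server. The
	// address comes from the listener passed to Serve, so Addr is not needed.
	server := &http.Server{
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			http.Error(w, "500 internal server error", http.StatusInternalServerError)
		}),
		ReadTimeout:       1 * time.Second,
		ReadHeaderTimeout: 1 * time.Second,
		WriteTimeout:      1 * time.Second,
		IdleTimeout:       1 * time.Second,
	}

	go func() {
		// tb.Fatal (FailNow) may only be called from the test goroutine; from
		// here it would not stop the test and go vet's testinggoroutine check
		// rejects it. Report through Errorf instead.
		if err := server.Serve(listener); err != nil && !errors.Is(err, http.ErrServerClosed) {
			tb.Errorf("serving bad vault server: %v", err)
		}
	}()

	client, err := api.NewClient(&api.Config{
		Address: "http://" + listener.Addr().String(),
	})
	if err != nil {
		tb.Fatal(err)
	}

	return client, func() {
		ctx, done := context.WithTimeout(context.Background(), 5*time.Second)
		defer done()

		// Shutdown's error (at worst the 5s deadline) is deliberately ignored;
		// the server is discarded along with the test.
		_ = server.Shutdown(ctx)
	}
}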
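// testTokenAndAccessor creates a new authentication token capable of being
// renewed, with the default policy attached and a 30 minute TTL, using the
// given client. It returns the token and its accessor, and fails the test if
// the response carries no usable auth data.
func testTokenAndAccessor(tb testing.TB, client *api.Client) (string, string) {
	tb.Helper()

	secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
		Policies: []string{"default"},
		TTL:      "30m",
	})
	if err != nil {
		tb.Fatal(err)
	}
	if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" {
		tb.Fatalf("missing auth data: %#v", secret)
	}
	// Callers look the token up by accessor, so an empty one is as useless as
	// an empty token. Unlike the branch above, secret now holds a live token,
	// so it is not dumped into the failure message.
	if secret.Auth.Accessor == "" {
		tb.Fatal("token create response has no accessor")
	}
	return secret.Auth.ClientToken, secret.Auth.Accessor
}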
// testClient returns an API client for the Vault server at addr with token
// already set on it. The test fails if the client cannot be constructed.
func testClient(tb testing.TB, addr string, token string) *api.Client {
	tb.Helper()

	cfg := api.DefaultConfig()
	cfg.Address = addr

	c, err := api.NewClient(cfg)
	if err != nil {
		tb.Fatal(err)
	}
	c.SetToken(token)
	return c
}