added tests, nil validations and doccumentation
This commit is contained in:
parent
2c5a8fb39f
commit
0ffbef0ccd
|
@ -1056,7 +1056,7 @@ func TestBackend_PathBlacklistRoleTag(t *testing.T) {
|
|||
}
|
||||
|
||||
// This is an acceptance test.
|
||||
// Requires TEST_AWS_EC2_PKCS7, TEST_AWS_EC2_AMI_ID to be set.
|
||||
// Requires TEST_AWS_EC2_PKCS7, TEST_AWS_EC2_AMI_ID, TEST_AWS_EC2_IAM_ROLE_ARN to be set.
|
||||
// If the test is not being run on an EC2 instance that has access to credentials using EC2RoleProvider,
|
||||
// then TEST_AWS_SECRET_KEY and TEST_AWS_ACCESS_KEY env vars are also required.
|
||||
func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) {
|
||||
|
@ -1077,6 +1077,11 @@ func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) {
|
|||
t.Fatalf("env var TEST_AWS_EC2_AMI_ID not set")
|
||||
}
|
||||
|
||||
iamARN := os.Getenv("TEST_AWS_EC2_IAM_ROLE_ARN")
|
||||
if iamARN == "" {
|
||||
t.Fatalf("env var TEST_AWS_EC2_IAM_ROLE_ARN not set")
|
||||
}
|
||||
|
||||
roleName := amiID
|
||||
|
||||
// create the backend
|
||||
|
@ -1126,6 +1131,7 @@ func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) {
|
|||
"policies": "root",
|
||||
"max_ttl": "120s",
|
||||
"bound_ami_id": "wrong_ami_id",
|
||||
"bound_iam_role_arn" : "wront_iam_role_arn",
|
||||
}
|
||||
|
||||
roleReq := &logical.Request{
|
||||
|
@ -1163,12 +1169,14 @@ func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) {
|
|||
|
||||
// Place the correct AMI ID on the role
|
||||
data["bound_ami_id"] = amiID
|
||||
// Place the correct IAM Role ARN on the role
|
||||
data["bound_iam_role_arn"] = iamARN
|
||||
resp, err = b.HandleRequest(roleReq)
|
||||
if err != nil || (resp != nil && resp.IsError()) {
|
||||
t.Fatalf("bad: failed to create role: resp:%#v\nerr:%v", resp, err)
|
||||
}
|
||||
|
||||
// Try to login after the role has a matching AMI ID
|
||||
// Try to login after the role has a matching AMI ID and matching IAM Role ARN
|
||||
resp, err = b.HandleRequest(loginRequest)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
|
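Review bot: The new map entry `"bound_iam_role_arn" : "wront_iam_role_arn",` in the role `data` literal (third hunk, right after `"bound_ami_id"`) is not gofmt-clean and misspells its deliberately-wrong value; write it as `"bound_iam_role_arn": "wrong_iam_role_arn",` so the intent is readable and `gofmt` does not rewrite the line. It would also strengthen the test to assert, before `data["bound_iam_role_arn"] = iamARN` corrects it, that login is rejected with the ARN-mismatch message and not only with the AMI one — the hunks shown do not make clear whether the existing wrong-AMI rejection check exercises both constraints. TestBackendAcc_LoginAndWhitelistIdentity begins and continues outside these hunks.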
|
|
@ -253,10 +253,18 @@ func (b *backend) pathLoginUpdate(
|
|||
|
||||
// Check if the IAM Role ARN of the instance trying to login matches the
|
||||
// IAM Role ARN specified as a constraint on the role.
|
||||
iamRoleArn := ""
|
||||
iamRoleArn = *instanceDesc.Reservations[0].Instances[0].IamInstanceProfile.Arn
|
||||
if roleEntry.BoundIamARN != "" && iamRoleArn != roleEntry.BoundIamARN {
|
||||
return logical.ErrorResponse(fmt.Sprintf("IAM Role ARN %s does not belong to role %s", iamRoleArn, roleName)), nil
|
||||
if roleEntry.BoundIamARN != "" {
|
||||
if instanceDesc.Reservations[0].Instances[0].IamInstanceProfile == nil {
|
||||
return nil, fmt.Errorf("Iam instance profile in instance description is nil")
|
||||
}
|
||||
if instanceDesc.Reservations[0].Instances[0].IamInstanceProfile.Arn == nil {
|
||||
return nil, fmt.Errorf("ARN in instance description is nil")
|
||||
}
|
||||
iamRoleArn := ""
|
||||
iamRoleArn = *instanceDesc.Reservations[0].Instances[0].IamInstanceProfile.Arn
|
||||
if iamRoleArn != roleEntry.BoundIamARN {
|
||||
return logical.ErrorResponse(fmt.Sprintf("IAM Role ARN %s does not belong to role %s", iamRoleArn, roleName)), nil
|
||||
}
|
||||
}
|
||||
|
||||
// Get the entry from the identity whitelist, if there is one.
|
||||
|
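Review bot: In the new `if roleEntry.BoundIamARN != ""` block a missing instance profile is reported as an internal error (`return nil, fmt.Errorf(...)`) while the ARN mismatch two checks later is a `logical.ErrorResponse`; both mean the instance does not satisfy the role's constraint, so they should probably be reported the same way, and the two `fmt.Errorf` messages also start with a capital letter against Go convention. The selector `instanceDesc.Reservations[0].Instances[0]` is repeated four times and `iamRoleArn := ""` is overwritten on the next line; hoisting the instance profile into a local makes the nil checks and the comparison one readable unit, as below, without echoing the role's configured ARN back to an unauthenticated caller. Separately, the value compared is `IamInstanceProfile.Arn`, the ARN of the instance profile attached to the instance, whereas the parameter and docs call it the IAM Role ARN; unless the two are guaranteed to coincide, a comment on the field (or a rename) should state which ARN an operator must configure. The indexing into `Reservations[0].Instances[0]` is presumably validated earlier in pathLoginUpdate, whose body starts and ends outside this hunk.
```go
// … unchanged: preceding constraint checks and the comment above this block …
if roleEntry.BoundIamARN != "" {
	profile := instanceDesc.Reservations[0].Instances[0].IamInstanceProfile
	if profile == nil || profile.Arn == nil {
		return logical.ErrorResponse(fmt.Sprintf("role %s requires an IAM Role ARN but the instance has no IAM instance profile ARN", roleName)), nil
	}
	if *profile.Arn != roleEntry.BoundIamARN {
		return logical.ErrorResponse(fmt.Sprintf("IAM Role ARN %s does not belong to role %s", *profile.Arn, roleName)), nil
	}
}
// … unchanged: identity whitelist lookup …
```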
|
|
@ -92,7 +92,7 @@ Subsequent authentication attempts by the client require the nonce to match;
|
|||
since only the original client knows the nonce, only the original client is
|
||||
allowed to reauthenticate. (This is the reason that this is a whitelist rather
|
||||
than a blacklist; by default, it's keeping track of clients allowed to
|
||||
reauthenticate, rather than those that are not.)
|
||||
reauthenticate, rather than those that are not.)
|
||||
|
||||
It is up to the client to behave correctly with respect to the nonce; if the
|
||||
client stores the nonce on disk it can survive reboots, but could also give
|
||||
|
@ -405,7 +405,7 @@ The response will be in JSON. For example:
|
|||
<dt>Description</dt>
|
||||
Returns the previously configured AWS access credentials.
|
||||
<dd>
|
||||
|
||||
|
||||
</dd>
|
||||
|
||||
<dt>Method</dt>
|
||||
|
@ -818,6 +818,11 @@ The response will be in JSON. For example:
|
|||
<span class="param-flags">required</span>
|
||||
If set, defines a constraint on the EC2 instances that they should be using the AMI ID specified by this parameter.
|
||||
</li>
|
||||
<li>
|
||||
<span class="param">bound_iam_role_arn</span>
|
||||
<span class="param-flags">optional</span>
|
||||
If set, defines a constraint on the EC2 instances that they should be using the IAM Role ARN specified by this parameter.
|
||||
</li>
|
||||
</ul>
|
||||
<ul>
|
||||
<li>
|
||||
|
|