From 5207099042dff39f515f9d5461d55e5b485b5f7f Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Sun, 3 Jun 2018 18:14:51 -0400 Subject: [PATCH] Offline token revocation fix --- CHANGELOG.md | 13 + logical/auth.go | 6 + logical/testing.go | 6 +- vault/capabilities_test.go | 11 +- vault/core_test.go | 8 +- vault/expiration.go | 43 +-- vault/expiration_test.go | 15 +- vault/identity_store_test.go | 21 +- vault/logical_system_test.go | 29 +- vault/request_handling.go | 11 +- vault/testing.go | 55 +--- vault/token_store.go | 58 +++- vault/token_store_ext_test.go | 154 ++++++++++ vault/token_store_test.go | 533 ++++++++++++++++++++-------------- 14 files changed, 578 insertions(+), 385 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40d94cf36..ac723e2d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,18 @@ ## 0.10.2 (Unreleased) +SECURITY: + + * The Vault team identified a race condition that could occur if a token's + lease expired while Vault was not running. In this case, when Vault came + back online, sometimes it would properly revoke the lease but other times it + would not, leading to a Vault token that no longer had an expiration and had + essentially unlimited lifetime. This race was per-token, not all-or-nothing + for all tokens that may have expired during Vault's downtime. We have fixed + the behavior and put extra checks in place to help prevent any similar + future issues. In addition, the logic we have put in place ensures that such + lease-less tokens can no longer be used (unless they are root tokens that + never had an expiration to begin with). + DEPRECATIONS/CHANGES: * PKI duration return types: The PKI backend now returns durations (e.g. when diff --git a/logical/auth.go b/logical/auth.go index 144b5467a..59975b73f 100644 --- a/logical/auth.go +++ b/logical/auth.go @@ -74,6 +74,12 @@ type Auth struct { // The set of CIDRs that this token can be used with BoundCIDRs []*sockaddr.SockAddrMarshaler `json:"bound_cidrs"` + + // CreationPath is a path that the backend can return to use in the lease. + // This is currently only supported for the token store where roles may + // change the perceived path of the lease, even though they don't change + // the request path itself. + CreationPath string `json:"creation_path"` } func (a *Auth) GoString() string { diff --git a/logical/testing.go b/logical/testing.go index f93f65b43..7c7738996 100644 --- a/logical/testing.go +++ b/logical/testing.go @@ -3,15 +3,15 @@ package logical import ( "context" "reflect" - "testing" "time" log "github.com/hashicorp/go-hclog" "github.com/hashicorp/vault/helper/logging" + "github.com/mitchellh/go-testing-interface" ) // TestRequest is a helper to create a purely in-memory Request struct. -func TestRequest(t *testing.T, op Operation, path string) *Request { +func TestRequest(t testing.T, op Operation, path string) *Request { return &Request{ Operation: op, Path: path, @@ -22,7 +22,7 @@ func TestRequest(t *testing.T, op Operation, path string) *Request { // TestStorage is a helper that can be used from unit tests to verify // the behavior of a Storage impl. -func TestStorage(t *testing.T, s Storage) { +func TestStorage(t testing.T, s Storage) { keys, err := s.List(context.Background(), "") if err != nil { t.Fatalf("list error: %s", err) diff --git a/vault/capabilities_test.go b/vault/capabilities_test.go index 41bd90817..40111af0a 100644 --- a/vault/capabilities_test.go +++ b/vault/capabilities_test.go @@ -5,6 +5,7 @@ import ( "reflect" "sort" "testing" + "time" "github.com/hashicorp/vault/logical" ) @@ -73,10 +74,9 @@ path "secret/sample" { Path: "secret/sample", Policies: []string{"policy2"}, EntityID: entityID, + TTL: time.Hour, } - if err := c.tokenStore.create(context.Background(), ent); err != nil { - t.Fatalf("err: %v", err) - } + testMakeTokenDirectly(t, c.tokenStore, ent) actual, err := c.Capabilities(context.Background(), "capabilitiestoken", "secret/sample") if err != nil { @@ -139,10 +139,9 @@ func TestCapabilities(t *testing.T) { ID: "capabilitiestoken", Path: "testpath", Policies: []string{"dev"}, + TTL: time.Hour, } - if err := c.tokenStore.create(context.Background(), ent); err != nil { - t.Fatalf("err: %v", err) - } + testMakeTokenDirectly(t, c.tokenStore, ent) actual, err = c.Capabilities(context.Background(), "capabilitiestoken", "foo/bar") if err != nil { diff --git a/vault/core_test.go b/vault/core_test.go index bd3591d3d..efb37cb4d 100644 --- a/vault/core_test.go +++ b/vault/core_test.go @@ -494,7 +494,7 @@ func TestCore_HandleRequest_NoSlash(t *testing.T) { // Test a root path is denied if non-root func TestCore_HandleRequest_RootPath(t *testing.T) { c, _, root := TestCoreUnsealed(t) - testCoreMakeToken(t, c, root, "child", "", []string{"test"}) + testMakeTokenViaCore(t, c, root, "child", "", []string{"test"}) req := &logical.Request{ Operation: logical.ReadOperation, @@ -529,7 +529,7 @@ func TestCore_HandleRequest_RootPath_WithSudo(t *testing.T) { } // Child token (non-root) but with 'test' policy should have access - testCoreMakeToken(t, c, root, "child", "", []string{"test"}) + testMakeTokenViaCore(t, c, root, "child", "", []string{"test"}) req = &logical.Request{ Operation: logical.ReadOperation, Path: "sys/policy", // root protected! @@ -547,7 +547,7 @@ func TestCore_HandleRequest_RootPath_WithSudo(t *testing.T) { // Check that standard permissions work func TestCore_HandleRequest_PermissionDenied(t *testing.T) { c, _, root := TestCoreUnsealed(t) - testCoreMakeToken(t, c, root, "child", "", []string{"test"}) + testMakeTokenViaCore(t, c, root, "child", "", []string{"test"}) req := &logical.Request{ Operation: logical.UpdateOperation, @@ -567,7 +567,7 @@ func TestCore_HandleRequest_PermissionDenied(t *testing.T) { // Check that standard permissions work func TestCore_HandleRequest_PermissionAllowed(t *testing.T) { c, _, root := TestCoreUnsealed(t) - testCoreMakeToken(t, c, root, "child", "", []string{"test"}) + testMakeTokenViaCore(t, c, root, "child", "", []string{"test"}) // Set the 'test' policy object to permit access to secret/ req := &logical.Request{ diff --git a/vault/expiration.go b/vault/expiration.go index 362604541..66b069d47 100644 --- a/vault/expiration.go +++ b/vault/expiration.go @@ -624,9 +624,8 @@ func (m *ExpirationManager) revokePrefixCommon(prefix string, force bool) error return errwrap.Wrapf(fmt.Sprintf("failed to revoke %q: {{err}}", prefix), err) } return nil - } else { - prefix = prefix + "/" } + prefix = prefix + "/" } // Accumulate existing leases @@ -719,45 +718,6 @@ func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*log return resp, nil } -// RestoreSaltedTokenCheck verifies that the token is not expired while running -// in restore mode. If we are not in restore mode, the lease has already been -// restored or the lease still has time left, it returns true. -func (m *ExpirationManager) RestoreSaltedTokenCheck(source string, saltedID string) (bool, error) { - defer metrics.MeasureSince([]string{"expire", "restore-token-check"}, time.Now()) - - // Return immediately if we are not in restore mode, expiration manager is - // already loaded - if !m.inRestoreMode() { - return true, nil - } - - m.restoreModeLock.RLock() - defer m.restoreModeLock.RUnlock() - - // Check again after we obtain the lock - if !m.inRestoreMode() { - return true, nil - } - - leaseID := path.Join(source, saltedID) - - m.lockLease(leaseID) - defer m.unlockLease(leaseID) - - le, err := m.loadEntryInternal(leaseID, true, true) - if err != nil { - return false, err - } - if le != nil && !le.ExpireTime.IsZero() { - expires := le.ExpireTime.Sub(time.Now()) - if expires <= 0 { - return false, nil - } - } - - return true, nil -} - // RenewToken is used to renew a token which does not need to // invoke a logical backend. func (m *ExpirationManager) RenewToken(req *logical.Request, source string, token string, @@ -947,6 +907,7 @@ func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) erro // Setup revocation timer m.updatePending(&le, auth.LeaseTotal()) + return nil } diff --git a/vault/expiration_test.go b/vault/expiration_test.go index 823a65099..e0650f17d 100644 --- a/vault/expiration_test.go +++ b/vault/expiration_test.go @@ -25,13 +25,13 @@ var ( // mockExpiration returns a mock expiration manager func mockExpiration(t testing.TB) *ExpirationManager { - _, ts, _, _ := TestCoreWithTokenStore(t) - return ts.expiration + c, _, _ := TestCoreUnsealed(t) + return c.expiration } func mockBackendExpiration(t testing.TB, backend physical.Backend) (*Core, *ExpirationManager) { - c, ts, _, _ := TestCoreWithBackendTokenStore(t, backend) - return c, ts.expiration + c, _, _ := TestCoreUnsealedBackend(t, backend) + return c, c.expiration } func TestExpiration_Tidy(t *testing.T) { @@ -293,7 +293,8 @@ func BenchmarkExpiration_Restore_InMem(b *testing.B) { } func benchmarkExpirationBackend(b *testing.B, physicalBackend physical.Backend, numLeases int) { - c, exp := mockBackendExpiration(b, physicalBackend) + c, _, _ := TestCoreUnsealedBackend(b, physicalBackend) + exp := c.expiration noop := &NoopBackend{} view := NewBarrierView(c.barrier, "logical/") meUUID, err := uuid.GenerateUUID() @@ -1603,7 +1604,7 @@ func TestLeaseEntry(t *testing.T) { } func TestExpiration_RevokeForce(t *testing.T) { - core, _, _, root := TestCoreWithTokenStore(t) + core, _, root := TestCoreUnsealed(t) core.logicalBackends["badrenew"] = badRenewFactory me := &MountEntry{ @@ -1651,7 +1652,7 @@ func TestExpiration_RevokeForce(t *testing.T) { } func TestExpiration_RevokeForceSingle(t *testing.T) { - core, _, _, root := TestCoreWithTokenStore(t) + core, _, root := TestCoreUnsealed(t) core.logicalBackends["badrenew"] = badRenewFactory me := &MountEntry{ diff --git a/vault/identity_store_test.go b/vault/identity_store_test.go index bc418a4a5..8cae25f55 100644 --- a/vault/identity_store_test.go +++ b/vault/identity_store_test.go @@ -225,11 +225,9 @@ func TestIdentityStore_WrapInfoInheritance(t *testing.T) { Path: "test", Policies: []string{"default", responseWrappingPolicyName}, EntityID: entityID, + TTL: time.Hour, } - - if err := ts.create(context.Background(), te); err != nil { - t.Fatal(err) - } + testMakeTokenDirectly(t, ts, te) wrapReq := &logical.Request{ Path: "sys/wrapping/wrap", @@ -258,18 +256,17 @@ func TestIdentityStore_WrapInfoInheritance(t *testing.T) { } func TestIdentityStore_TokenEntityInheritance(t *testing.T) { - _, ts, _, _ := TestCoreWithTokenStore(t) + c, _, _ := TestCoreUnsealed(t) + ts := c.tokenStore // Create a token which has EntityID set te := &TokenEntry{ Path: "test", Policies: []string{"dev", "prod"}, EntityID: "testentityid", + TTL: time.Hour, } - - if err := ts.create(context.Background(), te); err != nil { - t.Fatal(err) - } + testMakeTokenDirectly(t, ts, te) // Create a child token; this should inherit the EntityID tokenReq := &logical.Request{ @@ -301,14 +298,12 @@ func TestIdentityStore_TokenEntityInheritance(t *testing.T) { func testCoreWithIdentityTokenGithub(t *testing.T) (*Core, *IdentityStore, *TokenStore, string) { is, ghAccessor, core := testIdentityStoreWithGithubAuth(t) - ts := testTokenStore(t, core) - return core, is, ts, ghAccessor + return core, is, core.tokenStore, ghAccessor } func testCoreWithIdentityTokenGithubRoot(t *testing.T) (*Core, *IdentityStore, *TokenStore, string, string) { is, ghAccessor, core, root := testIdentityStoreWithGithubAuthRoot(t) - ts := testTokenStore(t, core) - return core, is, ts, ghAccessor, root + return core, is, core.tokenStore, ghAccessor, root } func testIdentityStoreWithGithubAuth(t *testing.T) (*IdentityStore, string, *Core) { diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go index 98409fa83..6b203f029 100644 --- a/vault/logical_system_test.go +++ b/vault/logical_system_test.go @@ -442,7 +442,7 @@ func TestSystemBackend_PathCapabilities(t *testing.T) { rootCheckFunc(t, resp) // Create a non-root token - testMakeToken(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"}) + testMakeTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"}) nonRootCheckFunc := func(t *testing.T, resp *logical.Response) { expected1 := []string{"create", "sudo", "update"} @@ -544,7 +544,7 @@ func testCapabilities(t *testing.T, endpoint string) { t.Fatalf("err: %v", err) } - testMakeToken(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"}) + testMakeTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"}) req = logical.TestRequest(t, logical.UpdateOperation, endpoint) if endpoint == "capabilities-self" { req.ClientToken = "tokenid" @@ -600,7 +600,7 @@ func TestSystemBackend_CapabilitiesAccessor_BC(t *testing.T) { t.Fatalf("err: %v", err) } - testMakeToken(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"}) + testMakeTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"test"}) te, err = core.tokenStore.Lookup(context.Background(), "tokenid") if err != nil { @@ -1264,8 +1264,10 @@ func TestSystemBackend_revokePrefix_origUrl(t *testing.T) { } } -func TestSystemBackend_revokePrefixAuth(t *testing.T) { - core, ts, _, _ := TestCoreWithTokenStore(t) +func TestSystemBackend_revokePrefixAuth_newUrl(t *testing.T) { + core, _, _ := TestCoreUnsealed(t) + + ts := core.tokenStore bc := &logical.BackendConfig{ Logger: core.logger, System: logical.StaticSystemView{ @@ -1284,11 +1286,9 @@ func TestSystemBackend_revokePrefixAuth(t *testing.T) { te := &TokenEntry{ ID: "foo", Path: "auth/github/login/bar", + TTL: time.Hour, } - err = ts.create(context.Background(), te) - if err != nil { - t.Fatal(err) - } + testMakeTokenDirectly(t, ts, te) te, err = ts.Lookup(context.Background(), "foo") if err != nil { @@ -1329,7 +1329,8 @@ func TestSystemBackend_revokePrefixAuth(t *testing.T) { } func TestSystemBackend_revokePrefixAuth_origUrl(t *testing.T) { - core, ts, _, _ := TestCoreWithTokenStore(t) + core, _, _ := TestCoreUnsealed(t) + ts := core.tokenStore bc := &logical.BackendConfig{ Logger: core.logger, System: logical.StaticSystemView{ @@ -1348,11 +1349,9 @@ func TestSystemBackend_revokePrefixAuth_origUrl(t *testing.T) { te := &TokenEntry{ ID: "foo", Path: "auth/github/login/bar", + TTL: time.Hour, } - err = ts.create(context.Background(), te) - if err != nil { - t.Fatal(err) - } + testMakeTokenDirectly(t, ts, te) te, err = ts.Lookup(context.Background(), "foo") if err != nil { @@ -2396,7 +2395,7 @@ func TestSystemBackend_InternalUIMount(t *testing.T) { t.Fatalf("Bad Response: %#v", resp) } - testMakeToken(t, core.tokenStore, rootToken, "tokenid", "", []string{"secret"}) + testMakeTokenViaBackend(t, core.tokenStore, rootToken, "tokenid", "", []string{"secret"}) req = logical.TestRequest(t, logical.ReadOperation, "internal/ui/mounts/kv") req.ClientToken = "tokenid" diff --git a/vault/request_handling.go b/vault/request_handling.go index adcc309ab..cfde6f485 100644 --- a/vault/request_handling.go +++ b/vault/request_handling.go @@ -610,16 +610,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp return nil, auth, retErr } - // Register with the expiration manager. We use the token's actual path - // here because roles allow suffixes. - te, err := c.tokenStore.Lookup(ctx, resp.Auth.ClientToken) - if err != nil { - c.logger.Error("failed to look up token", "error", err) - retErr = multierror.Append(retErr, ErrInternalError) - return nil, auth, retErr - } - - if err := c.expiration.RegisterAuth(te.Path, resp.Auth); err != nil { + if err := c.expiration.RegisterAuth(resp.Auth.CreationPath, resp.Auth); err != nil { c.tokenStore.revokeOrphan(ctx, te.ID) c.logger.Error("failed to register token lease", "request_path", req.Path, "error", err) retErr = multierror.Append(retErr, ErrInternalError) diff --git a/vault/testing.go b/vault/testing.go index 42169947e..da8985e81 100644 --- a/vault/testing.go +++ b/vault/testing.go @@ -33,7 +33,6 @@ import ( "golang.org/x/net/http2" cleanhttp "github.com/hashicorp/go-cleanhttp" - "github.com/hashicorp/go-uuid" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/audit" "github.com/hashicorp/vault/helper/logging" @@ -305,58 +304,6 @@ func TestCoreUnsealedBackend(t testing.T, backend physical.Backend) (*Core, [][] return core, keys, token } -func testTokenStore(t testing.T, c *Core) *TokenStore { - me := &MountEntry{ - Table: credentialTableType, - Path: "token/", - Type: "token", - Description: "token based credentials", - } - - meUUID, err := uuid.GenerateUUID() - if err != nil { - t.Fatal(err) - } - me.UUID = meUUID - - view := NewBarrierView(c.barrier, credentialBarrierPrefix+me.UUID+"/") - sysView := c.mountEntrySysView(me) - - tokenstore, _ := c.newCredentialBackend(context.Background(), me, sysView, view) - ts := tokenstore.(*TokenStore) - - err = c.router.Unmount(context.Background(), "auth/token/") - if err != nil { - t.Fatal(err) - } - err = c.router.Mount(ts, "auth/token/", &MountEntry{Table: credentialTableType, UUID: "authtokenuuid", Path: "auth/token", Accessor: "authtokenaccessor"}, ts.view) - if err != nil { - t.Fatal(err) - } - - ts.SetExpirationManager(c.expiration) - - return ts -} - -// TestCoreWithTokenStore returns an in-memory core that has a token store -// mounted, so that logical token functions can be used -func TestCoreWithTokenStore(t testing.T) (*Core, *TokenStore, [][]byte, string) { - c, keys, root := TestCoreUnsealed(t) - - return c, c.tokenStore, keys, root -} - -// TestCoreWithBackendTokenStore returns a core that has a token store -// mounted and used the provided physical backend, so that logical token -// functions can be used -func TestCoreWithBackendTokenStore(t testing.T, backend physical.Backend) (*Core, *TokenStore, [][]byte, string) { - c, keys, root := TestCoreUnsealedBackend(t, backend) - ts := testTokenStore(t, c) - - return c, ts, keys, root -} - // TestKeyCopy is a silly little function to just copy the key so that // it can be used with Unseal easily. func TestKeyCopy(key []byte) []byte { @@ -1205,6 +1152,7 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te ClusterAddr: fmt.Sprintf("https://127.0.0.1:%d", listeners[0][0].Address.Port+105), DisableMlock: true, EnableUI: true, + EnableRaw: true, } if base != nil { @@ -1216,6 +1164,7 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te coreConfig.PluginDirectory = base.PluginDirectory coreConfig.Seal = base.Seal coreConfig.DevToken = base.DevToken + coreConfig.EnableRaw = base.EnableRaw if !coreConfig.DisableMlock { base.DisableMlock = false diff --git a/vault/token_store.go b/vault/token_store.go index 186bd9fd1..349a8696d 100644 --- a/vault/token_store.go +++ b/vault/token_store.go @@ -1028,19 +1028,6 @@ func (ts *TokenStore) lookupSalted(ctx context.Context, saltedID string, tainted return nil, nil } - // If we are still restoring the expiration manager, we want to ensure the - // token is not expired - if ts.expiration == nil { - return nil, errors.New("expiration manager is nil on tokenstore") - } - check, err := ts.expiration.RestoreSaltedTokenCheck(entry.Path, saltedID) - if err != nil { - return nil, errwrap.Wrapf("failed to check token in restore mode: {{err}}", err) - } - if !check { - return nil, nil - } - persistNeeded := false // Upgrade the deprecated fields @@ -1076,6 +1063,48 @@ func (ts *TokenStore) lookupSalted(ctx context.Context, saltedID string, tainted persistNeeded = true } + // Perform these checks on upgraded fields, but before persisting + + // If we are still restoring the expiration manager, we want to ensure the + // token is not expired + if ts.expiration == nil { + return nil, errors.New("expiration manager is nil on tokenstore") + } + le, err := ts.expiration.FetchLeaseTimesByToken(entry.Path, entry.ID) + if err != nil { + return nil, errwrap.Wrapf("failed to fetch lease times: {{err}}", err) + } + + var ret *TokenEntry + + switch { + // It's a root token with unlimited creation TTL (so never had an + // expiration); this may or may not have a lease (based on when it was + // generated, for later revocation purposes) but it doesn't matter, it's + // allowed + case len(entry.Policies) == 1 && entry.Policies[0] == "root" && entry.TTL == 0: + ret = entry + + // It's any kind of expiring token with no lease, immediately delete it + case le == nil: + leaseID, err := ts.expiration.CreateOrFetchRevocationLeaseByToken(entry) + if err != nil { + return nil, err + } + + err = ts.expiration.Revoke(leaseID) + if err != nil { + return nil, err + } + + // Only return if we're not past lease expiration (or if tainted is true), + // otherwise assume expmgr is working on revocation + default: + if !le.ExpireTime.Before(time.Now()) || tainted { + ret = entry + } + } + // If fields are getting upgraded, store the changes if persistNeeded { if err := ts.store(ctx, entry); err != nil { @@ -1083,7 +1112,7 @@ func (ts *TokenStore) lookupSalted(ctx context.Context, saltedID string, tainted } } - return entry, nil + return ret, nil } // Revoke is used to invalidate a given token, any child tokens @@ -2070,6 +2099,7 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque EntityID: te.EntityID, Period: periodToUse, ExplicitMaxTTL: explicitMaxTTLToUse, + CreationPath: te.Path, } if ts.policyLookupFunc != nil { diff --git a/vault/token_store_ext_test.go b/vault/token_store_ext_test.go index 1ff6abd14..64e78d276 100644 --- a/vault/token_store_ext_test.go +++ b/vault/token_store_ext_test.go @@ -1,13 +1,16 @@ package vault_test import ( + "encoding/base64" "reflect" "sort" "strings" "testing" + "time" "github.com/hashicorp/vault/api" credLdap "github.com/hashicorp/vault/builtin/credential/ldap" + "github.com/hashicorp/vault/helper/jsonutil" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/vault" @@ -336,3 +339,154 @@ func TestTokenStore_CIDRBlocks(t *testing.T) { t.Fatalf("unexpected error: %v", err) } } + +func TestTokenStore_RevocationOnStartup(t *testing.T) { + cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{ + HandlerFunc: vaulthttp.Handler, + NumCores: 1, + }) + cluster.Start() + defer cluster.Cleanup() + + core := cluster.Cores[0].Core + vault.TestWaitActive(t, core) + client := cluster.Cores[0].Client + rootToken := client.Token() + + type leaseEntry struct { + LeaseID string `json:"lease_id"` + ClientToken string `json:"client_token"` + Path string `json:"path"` + Data map[string]interface{} `json:"data"` + Secret *logical.Secret `json:"secret"` + Auth *logical.Auth `json:"auth"` + IssueTime time.Time `json:"issue_time"` + ExpireTime time.Time `json:"expire_time"` + LastRenewalTime time.Time `json:"last_renewal_time"` + } + + var secret *api.Secret + var err error + var tokens []string + // Create tokens + for i := 0; i < 500; i++ { + secret, err = client.Auth().Token().Create(&api.TokenCreateRequest{ + Policies: []string{"default"}, + }) + if err != nil { + t.Fatal(err) + } + tokens = append(tokens, secret.Auth.ClientToken) + } + + const tokenPath string = "sys/raw/sys/token/id/" + secret, err = client.Logical().List(tokenPath) + if err != nil { + t.Fatal(err) + } + totalTokens := len(secret.Data["keys"].([]interface{})) + + // Get the list of leases + const leasePath string = "sys/raw/sys/expire/id/auth/token/create/" + secret, err = client.Logical().List(leasePath) + if err != nil { + t.Fatal(err) + } + leases := secret.Data["keys"].([]interface{}) + if len(leases) != 500 { + t.Fatalf("unexpected number of leases: %d", len(leases)) + } + + // Holds non-root leases + var validLeases []string + // Fake times in the past + for _, lease := range leases { + secret, err = client.Logical().Read(leasePath + lease.(string)) + var entry leaseEntry + if err := jsonutil.DecodeJSON([]byte(secret.Data["value"].(string)), &entry); err != nil { + t.Fatal(err) + } + if entry.ExpireTime.IsZero() { + continue + } + validLeases = append(validLeases, lease.(string)) + entry.IssueTime = entry.IssueTime.Add(-1 * time.Hour * 24 * 365) + entry.ExpireTime = entry.ExpireTime.Add(-1 * time.Hour * 24 * 365) + jsonEntry, err := jsonutil.EncodeJSON(&entry) + if err != nil { + t.Fatal(err) + } + if _, err := client.Logical().Write(leasePath+lease.(string), map[string]interface{}{ + "value": string(jsonEntry), + }); err != nil { + t.Fatal(err) + } + } + + if err := client.Sys().Seal(); err != nil { + t.Fatal(err) + } + + var status *api.SealStatusResponse + for i := 0; i < len(cluster.BarrierKeys); i++ { + status, err = client.Sys().Unseal(string(base64.StdEncoding.EncodeToString(cluster.BarrierKeys[i]))) + if err != nil { + t.Fatal(err) + } + if !status.Sealed { + break + } + } + if status.Sealed { + t.Fatal("did not unseal properly") + } + + // Give lease loading some time to process + time.Sleep(5 * time.Second) + + for i, token := range tokens { + client.SetToken(token) + _, err := client.Logical().Write("cubbyhole/foo", map[string]interface{}{ + "value": "bar", + }) + if err == nil { + t.Errorf("expected error but did not get one, token num %d", i) + } + } + + expectedLeases := len(leases) - len(validLeases) + + client.SetToken(rootToken) + secret, err = client.Logical().List(leasePath) + if err != nil { + t.Fatal(err) + } + + switch { + case secret == nil: + if expectedLeases != 0 { + t.Fatalf("nil secret back but expected %d leases", expectedLeases) + } + + case secret.Data == nil: + if expectedLeases != 0 { + t.Fatalf("nil secret data back but expected %d leases, secret is %#v", expectedLeases, *secret) + } + + default: + leasesLeft := len(secret.Data["keys"].([]interface{})) + if leasesLeft != expectedLeases { + t.Fatalf("found %d leases left, expected %d", leasesLeft, expectedLeases) + } + } + + expectedTokens := totalTokens - len(validLeases) + secret, err = client.Logical().List(tokenPath) + if err != nil { + t.Fatal(err) + } + tokensLeft := len(secret.Data["keys"].([]interface{})) + if tokensLeft != expectedTokens { + t.Fatalf("found %d tokens left, expected %d", tokensLeft, expectedTokens) + } +} diff --git a/vault/token_store_test.go b/vault/token_store_test.go index dec1c527c..21b188fbf 100644 --- a/vault/token_store_test.go +++ b/vault/token_store_test.go @@ -37,7 +37,8 @@ type TokenEntryOld struct { func TestTokenStore_TokenEntryUpgrade(t *testing.T) { var err error - _, ts, _, _ := TestCoreWithTokenStore(t) + c, _, _ := TestCoreUnsealed(t) + ts := c.tokenStore // Use a struct that does not have struct tags to store the items and // check if the lookup code handles them properly while reading back @@ -73,6 +74,22 @@ func TestTokenStore_TokenEntryUpgrade(t *testing.T) { t.Fatal(err) } + // Register with exp manager so lookup works + auth := &logical.Auth{ + DisplayName: entry.DisplayName, + CreationPath: entry.Path, + Policies: entry.Policies, + ExplicitMaxTTL: entry.ExplicitMaxTTL, + NumUses: entry.NumUses, + LeaseOptions: logical.LeaseOptions{ + TTL: time.Hour, + }, + ClientToken: entry.ID, + } + if err := ts.expiration.RegisterAuth(entry.Path, auth); err != nil { + t.Fatal(err) + } + out, err := ts.Lookup(context.Background(), entry.ID) if err != nil { t.Fatalf("err: %s", err) @@ -102,6 +119,20 @@ func TestTokenStore_TokenEntryUpgrade(t *testing.T) { if err := ts.create(context.Background(), ent); err != nil { t.Fatalf("err: %s", err) } + auth = &logical.Auth{ + DisplayName: ent.DisplayName, + CreationPath: ent.Path, + Policies: ent.Policies, + ExplicitMaxTTL: ent.ExplicitMaxTTL, + NumUses: ent.NumUses, + LeaseOptions: logical.LeaseOptions{ + TTL: time.Hour, + }, + ClientToken: ent.ID, + } + if err := ts.expiration.RegisterAuth(ent.Path, auth); err != nil { + t.Fatal(err) + } out, err = ts.Lookup(context.Background(), ent.ID) if err != nil { @@ -132,6 +163,20 @@ func TestTokenStore_TokenEntryUpgrade(t *testing.T) { if err := ts.create(context.Background(), ent); err != nil { t.Fatalf("err: %s", err) } + auth = &logical.Auth{ + DisplayName: ent.DisplayName, + CreationPath: ent.Path, + Policies: ent.Policies, + ExplicitMaxTTL: ent.ExplicitMaxTTL, + NumUses: ent.NumUses, + LeaseOptions: logical.LeaseOptions{ + TTL: time.Hour, + }, + ClientToken: ent.ID, + } + if err := ts.expiration.RegisterAuth(ent.Path, auth); err != nil { + t.Fatal(err) + } out, err = ts.Lookup(context.Background(), ent.ID) if err != nil { @@ -159,6 +204,20 @@ func TestTokenStore_TokenEntryUpgrade(t *testing.T) { if err := ts.create(context.Background(), ent); err != nil { t.Fatalf("err: %s", err) } + auth = &logical.Auth{ + DisplayName: ent.DisplayName, + CreationPath: ent.Path, + Policies: ent.Policies, + ExplicitMaxTTL: ent.ExplicitMaxTTL, + NumUses: ent.NumUses, + LeaseOptions: logical.LeaseOptions{ + TTL: time.Hour, + }, + ClientToken: ent.ID, + } + if err := ts.expiration.RegisterAuth(ent.Path, auth); err != nil { + t.Fatal(err) + } out, err = ts.Lookup(context.Background(), ent.ID) if err != nil { @@ -178,6 +237,20 @@ func TestTokenStore_TokenEntryUpgrade(t *testing.T) { if err := ts.create(context.Background(), ent); err != nil { t.Fatalf("err: %s", err) } + auth = &logical.Auth{ + DisplayName: ent.DisplayName, + CreationPath: ent.Path, + Policies: ent.Policies, + ExplicitMaxTTL: ent.ExplicitMaxTTL, + NumUses: ent.NumUses, + LeaseOptions: logical.LeaseOptions{ + TTL: time.Hour, + }, + ClientToken: ent.ID, + } + if err := ts.expiration.RegisterAuth(ent.Path, auth); err != nil { + t.Fatal(err) + } out, err = ts.Lookup(context.Background(), ent.ID) if err != nil { @@ -198,23 +271,62 @@ func getBackendConfig(c *Core) *logical.BackendConfig { } } -func testMakeToken(t *testing.T, ts *TokenStore, root, client, ttl string, policy []string) { +func testMakeTokenViaBackend(t testing.TB, ts *TokenStore, root, client, ttl string, policy []string) { req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root req.Data["id"] = client req.Data["policies"] = policy req.Data["ttl"] = ttl + resp := testMakeTokenViaRequest(t, ts, req) - resp, err := ts.HandleRequest(context.Background(), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v\nresp: %#v", err, resp) - } if resp.Auth.ClientToken != client { t.Fatalf("bad: %#v", resp) } } -func testCoreMakeToken(t *testing.T, c *Core, root, client, ttl string, policy []string) { +func testMakeTokenViaRequest(t testing.TB, ts *TokenStore, req *logical.Request) *logical.Response { + resp, err := ts.HandleRequest(context.Background(), req) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("err: %v\nresp: %#v", err, resp) + } + + if resp == nil { + t.Fatalf("got nil token from create call") + } + + if err := ts.expiration.RegisterAuth(resp.Auth.CreationPath, resp.Auth); err != nil { + t.Fatal(err) + } + + return resp +} + +func testMakeTokenDirectly(t testing.TB, ts *TokenStore, te *TokenEntry) { + if err := ts.create(context.Background(), te); err != nil { + t.Fatal(err) + } + auth := &logical.Auth{ + NumUses: te.NumUses, + DisplayName: te.DisplayName, + Policies: te.Policies, + Metadata: te.Meta, + LeaseOptions: logical.LeaseOptions{ + TTL: te.TTL, + Renewable: te.TTL > 0, + }, + ClientToken: te.ID, + Accessor: te.Accessor, + EntityID: te.EntityID, + Period: te.Period, + ExplicitMaxTTL: te.ExplicitMaxTTL, + CreationPath: te.Path, + } + if err := ts.expiration.RegisterAuth(te.Path, auth); err != nil { + t.Fatal(err) + } +} + +func testMakeTokenViaCore(t testing.TB, c *Core, root, client, ttl string, policy []string) { req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create") req.ClientToken = root req.Data["id"] = client @@ -231,12 +343,15 @@ func testCoreMakeToken(t *testing.T, c *Core, root, client, ttl string, policy [ } func TestTokenStore_AccessorIndex(t *testing.T) { - _, ts, _, _ := TestCoreWithTokenStore(t) + c, _, _ := TestCoreUnsealed(t) + ts := c.tokenStore - ent := &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}} - if err := ts.create(context.Background(), ent); err != nil { - t.Fatalf("err: %s", err) + ent := &TokenEntry{ + Path: "test", + Policies: []string{"dev", "ops"}, + TTL: time.Hour, } + testMakeTokenDirectly(t, ts, ent) out, err := ts.Lookup(context.Background(), ent.ID) if err != nil { @@ -260,8 +375,10 @@ func TestTokenStore_AccessorIndex(t *testing.T) { } func TestTokenStore_HandleRequest_LookupAccessor(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) - testMakeToken(t, ts, root, "tokenid", "", []string{"foo"}) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore + + testMakeTokenViaBackend(t, ts, root, "tokenid", "", []string{"foo"}) out, err := ts.Lookup(context.Background(), "tokenid") if err != nil { t.Fatalf("err: %s", err) @@ -294,11 +411,12 @@ func TestTokenStore_HandleRequest_LookupAccessor(t *testing.T) { } func TestTokenStore_HandleRequest_ListAccessors(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore testKeys := []string{"token1", "token2", "token3", "token4"} for _, key := range testKeys { - testMakeToken(t, ts, root, key, "", []string{"foo"}) + testMakeTokenViaBackend(t, ts, root, key, "", []string{"foo"}) } // Revoke root to make the number of accessors match @@ -385,7 +503,7 @@ func TestTokenStore_HandleRequest_RevokeAccessor(t *testing.T) { rootToken, err := ts.rootToken(context.Background()) root := rootToken.ID - testMakeToken(t, ts, root, "tokenid", "", []string{"foo"}) + testMakeTokenViaBackend(t, ts, root, "tokenid", "", []string{"foo"}) auth := &logical.Auth{ ClientToken: "tokenid", @@ -429,7 +547,7 @@ func TestTokenStore_HandleRequest_RevokeAccessor(t *testing.T) { } // Now test without registering the token through the expiration manager - testMakeToken(t, ts, root, "tokenid", "", []string{"foo"}) + testMakeTokenViaBackend(t, ts, root, "tokenid", "", []string{"foo"}) out, err = ts.Lookup(context.Background(), "tokenid") if err != nil { t.Fatalf("err: %s", err) @@ -461,7 +579,8 @@ func TestTokenStore_HandleRequest_RevokeAccessor(t *testing.T) { } func TestTokenStore_RootToken(t *testing.T) { - _, ts, _, _ := TestCoreWithTokenStore(t) + c, _, _ := TestCoreUnsealed(t) + ts := c.tokenStore te, err := ts.rootToken(context.Background()) if err != nil { @@ -481,12 +600,15 @@ func TestTokenStore_RootToken(t *testing.T) { } func TestTokenStore_CreateLookup(t *testing.T) { - c, ts, _, _ := TestCoreWithTokenStore(t) + c, _, _ := TestCoreUnsealed(t) + ts := c.tokenStore - ent := &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}} - if err := ts.create(context.Background(), ent); err != nil { - t.Fatalf("err: %v", err) + ent := &TokenEntry{ + Path: "test", + Policies: []string{"dev", "ops"}, + TTL: time.Hour, } + testMakeTokenDirectly(t, ts, ent) if ent.ID == "" { t.Fatalf("missing ID") } @@ -517,16 +639,16 @@ func TestTokenStore_CreateLookup(t *testing.T) { } func TestTokenStore_CreateLookup_ProvidedID(t *testing.T) { - c, ts, _, _ := TestCoreWithTokenStore(t) + c, _, _ := TestCoreUnsealed(t) + ts := c.tokenStore ent := &TokenEntry{ ID: "foobarbaz", Path: "test", Policies: []string{"dev", "ops"}, + TTL: time.Hour, } - if err := ts.create(context.Background(), ent); err != nil { - t.Fatalf("err: %v", err) - } + testMakeTokenDirectly(t, ts, ent) if ent.ID != "foobarbaz" { t.Fatalf("bad: ent.ID: expected:\"foobarbaz\"\n actual:%s", ent.ID) } @@ -560,7 +682,8 @@ func TestTokenStore_CreateLookup_ProvidedID(t *testing.T) { } func TestTokenStore_CreateLookup_ExpirationInRestoreMode(t *testing.T) { - _, ts, _, _ := TestCoreWithTokenStore(t) + c, _, _ := TestCoreUnsealed(t) + ts := c.tokenStore ent := &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}} if err := ts.create(context.Background(), ent); err != nil { @@ -626,7 +749,8 @@ func TestTokenStore_CreateLookup_ExpirationInRestoreMode(t *testing.T) { } func TestTokenStore_UseToken(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore // Lookup the root token ent, err := ts.Lookup(context.Background(), root) @@ -654,10 +778,13 @@ func TestTokenStore_UseToken(t *testing.T) { } // Create a restricted token - ent = &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}, NumUses: 2} - if err := ts.create(context.Background(), ent); err != nil { - t.Fatalf("err: %v", err) + ent = &TokenEntry{ + Path: "test", + Policies: []string{"dev", "ops"}, + NumUses: 2, + TTL: time.Hour, } + testMakeTokenDirectly(t, ts, ent) // Use the token te, err = ts.UseToken(context.Background(), ent) @@ -705,7 +832,8 @@ func TestTokenStore_UseToken(t *testing.T) { } func TestTokenStore_Revoke(t *testing.T) { - _, ts, _, _ := TestCoreWithTokenStore(t) + c, _, _ := TestCoreUnsealed(t) + ts := c.tokenStore ent := &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}} if err := ts.create(context.Background(), ent); err != nil { @@ -731,7 +859,8 @@ func TestTokenStore_Revoke(t *testing.T) { } func TestTokenStore_Revoke_Leases(t *testing.T) { - c, ts, _, _ := TestCoreWithTokenStore(t) + c, _, _ := TestCoreUnsealed(t) + ts := c.tokenStore view := NewBarrierView(c.barrier, "noop/") @@ -788,17 +917,21 @@ func TestTokenStore_Revoke_Leases(t *testing.T) { } func TestTokenStore_Revoke_Orphan(t *testing.T) { - _, ts, _, _ := TestCoreWithTokenStore(t) + c, _, _ := TestCoreUnsealed(t) + ts := c.tokenStore - ent := &TokenEntry{Path: "test", Policies: []string{"dev", "ops"}} - if err := ts.create(context.Background(), ent); err != nil { - t.Fatalf("err: %v", err) + ent := &TokenEntry{ + Path: "test", + Policies: []string{"dev", "ops"}, + TTL: time.Hour, } + testMakeTokenDirectly(t, ts, ent) - ent2 := &TokenEntry{Parent: ent.ID} - if err := ts.create(context.Background(), ent2); err != nil { - t.Fatalf("err: %v", err) + ent2 := &TokenEntry{ + Parent: ent.ID, + TTL: time.Hour, } + testMakeTokenDirectly(t, ts, ent2) err := ts.revokeOrphan(context.Background(), ent.ID) if err != nil { @@ -829,7 +962,8 @@ func TestTokenStore_RevokeTree(t *testing.T) { // Revokes a given Token Store tree non recursively. // The second parameter refers to the depth of the tree. func testTokenStore_RevokeTree_NonRecursive(t testing.TB, depth uint64) { - _, ts, _, _ := TestCoreWithTokenStore(t) + c, _, _ := TestCoreUnsealed(t) + ts := c.tokenStore root, children := buildTokenTree(t, ts, depth) err := ts.revokeTree(context.Background(), "") @@ -873,25 +1007,27 @@ func BenchmarkTokenStore_RevokeTree(b *testing.B) { // Builds a TokenTree of a specified depth, so that // we may run revoke tests on it. func buildTokenTree(t testing.TB, ts *TokenStore, depth uint64) (root *TokenEntry, children []*TokenEntry) { - root = &TokenEntry{} - if err := ts.create(context.Background(), root); err != nil { - t.Fatalf("err: %v", err) + root = &TokenEntry{ + TTL: time.Hour, } + testMakeTokenDirectly(t, ts, root) frontier := []*TokenEntry{root} current := uint64(0) for current < depth { next := make([]*TokenEntry, 0, 2*len(frontier)) for _, node := range frontier { - left := &TokenEntry{Parent: node.ID} - if err := ts.create(context.Background(), left); err != nil { - t.Fatalf("err: %v", err) + left := &TokenEntry{ + Parent: node.ID, + TTL: time.Hour, } + testMakeTokenDirectly(t, ts, left) - right := &TokenEntry{Parent: node.ID} - if err := ts.create(context.Background(), right); err != nil { - t.Fatalf("err: %v", err) + right := &TokenEntry{ + Parent: node.ID, + TTL: time.Hour, } + testMakeTokenDirectly(t, ts, right) children = append(children, left, right) next = append(next, left, right) @@ -907,25 +1043,28 @@ func TestTokenStore_RevokeSelf(t *testing.T) { exp := mockExpiration(t) ts := exp.tokenStore - ent1 := &TokenEntry{} - if err := ts.create(context.Background(), ent1); err != nil { - t.Fatalf("err: %v", err) + ent1 := &TokenEntry{ + TTL: time.Hour, } + testMakeTokenDirectly(t, ts, ent1) - ent2 := &TokenEntry{Parent: ent1.ID} - if err := ts.create(context.Background(), ent2); err != nil { - t.Fatalf("err: %v", err) + ent2 := &TokenEntry{ + Parent: ent1.ID, + TTL: time.Hour, } + testMakeTokenDirectly(t, ts, ent2) - ent3 := &TokenEntry{Parent: ent2.ID} - if err := ts.create(context.Background(), ent3); err != nil { - t.Fatalf("err: %v", err) + ent3 := &TokenEntry{ + Parent: ent2.ID, + TTL: time.Hour, } + testMakeTokenDirectly(t, ts, ent3) - ent4 := &TokenEntry{Parent: ent2.ID} - if err := ts.create(context.Background(), ent4); err != nil { - t.Fatalf("err: %v", err) + ent4 := &TokenEntry{ + Parent: ent2.ID, + TTL: time.Hour, } + testMakeTokenDirectly(t, ts, ent4) req := logical.TestRequest(t, logical.UpdateOperation, "revoke-self") req.ClientToken = ent1.ID @@ -957,7 +1096,8 @@ func TestTokenStore_RevokeSelf(t *testing.T) { } func TestTokenStore_HandleRequest_NonAssignable(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root @@ -983,7 +1123,8 @@ func TestTokenStore_HandleRequest_NonAssignable(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_DisplayName(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root @@ -1014,7 +1155,8 @@ func TestTokenStore_HandleRequest_CreateToken_DisplayName(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_NumUses(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root @@ -1046,7 +1188,8 @@ func TestTokenStore_HandleRequest_CreateToken_NumUses(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_NumUses_Invalid(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root @@ -1059,7 +1202,8 @@ func TestTokenStore_HandleRequest_CreateToken_NumUses_Invalid(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_NumUses_Restricted(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root @@ -1079,7 +1223,8 @@ func TestTokenStore_HandleRequest_CreateToken_NumUses_Restricted(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_NoPolicy(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root @@ -1109,7 +1254,8 @@ func TestTokenStore_HandleRequest_CreateToken_NoPolicy(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_BadParent(t *testing.T) { - _, ts, _, _ := TestCoreWithTokenStore(t) + c, _, _ := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = "random" @@ -1124,7 +1270,8 @@ func TestTokenStore_HandleRequest_CreateToken_BadParent(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root @@ -1140,7 +1287,8 @@ func TestTokenStore_HandleRequest_CreateToken(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_RootID(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root @@ -1158,8 +1306,9 @@ func TestTokenStore_HandleRequest_CreateToken_RootID(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_NonRootID(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) - testMakeToken(t, ts, root, "client", "", []string{"foo"}) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore + testMakeTokenViaBackend(t, ts, root, "client", "", []string{"foo"}) req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = "client" @@ -1176,8 +1325,9 @@ func TestTokenStore_HandleRequest_CreateToken_NonRootID(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_NonRoot_Subset(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) - testMakeToken(t, ts, root, "client", "", []string{"foo", "bar"}) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore + testMakeTokenViaBackend(t, ts, root, "client", "", []string{"foo", "bar"}) req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = "client" @@ -1193,8 +1343,9 @@ func TestTokenStore_HandleRequest_CreateToken_NonRoot_Subset(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_NonRoot_InvalidSubset(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) - testMakeToken(t, ts, root, "client", "", []string{"foo", "bar"}) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore + testMakeTokenViaBackend(t, ts, root, "client", "", []string{"foo", "bar"}) req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = "client" @@ -1210,7 +1361,8 @@ func TestTokenStore_HandleRequest_CreateToken_NonRoot_InvalidSubset(t *testing.T } func TestTokenStore_HandleRequest_CreateToken_NonRoot_RootChild(t *testing.T) { - core, ts, _, root := TestCoreWithTokenStore(t) + core, _, root := TestCoreUnsealed(t) + ts := core.tokenStore ps := core.policyStore policy, _ := ParseACLPolicy(tokenCreationPolicy) @@ -1219,7 +1371,7 @@ func TestTokenStore_HandleRequest_CreateToken_NonRoot_RootChild(t *testing.T) { t.Fatal(err) } - testMakeToken(t, ts, root, "sudoClient", "", []string{"test1"}) + testMakeTokenViaBackend(t, ts, root, "sudoClient", "", []string{"test1"}) req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = "sudoClient" @@ -1239,7 +1391,8 @@ func TestTokenStore_HandleRequest_CreateToken_NonRoot_RootChild(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_Root_RootChild_NoExpiry_Expiry(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root @@ -1272,7 +1425,8 @@ func TestTokenStore_HandleRequest_CreateToken_Root_RootChild_NoExpiry_Expiry(t * } func TestTokenStore_HandleRequest_CreateToken_Root_RootChild(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root @@ -1290,8 +1444,9 @@ func TestTokenStore_HandleRequest_CreateToken_Root_RootChild(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_NonRoot_NoParent(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) - testMakeToken(t, ts, root, "client", "", []string{"foo"}) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore + testMakeTokenViaBackend(t, ts, root, "client", "", []string{"foo"}) req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = "client" @@ -1308,17 +1463,15 @@ func TestTokenStore_HandleRequest_CreateToken_NonRoot_NoParent(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_Root_NoParent(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root req.Data["no_parent"] = true req.Data["policies"] = []string{"foo"} - resp, err := ts.HandleRequest(context.Background(), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v\nresp: %#v", err, resp) - } + resp := testMakeTokenViaRequest(t, ts, req) if resp.Auth.ClientToken == "" { t.Fatalf("bad: %#v", resp) } @@ -1330,16 +1483,14 @@ func TestTokenStore_HandleRequest_CreateToken_Root_NoParent(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_PathBased_NoParent(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create-orphan") req.ClientToken = root req.Data["policies"] = []string{"foo"} - resp, err := ts.HandleRequest(context.Background(), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v\nresp: %#v", err, resp) - } + resp := testMakeTokenViaRequest(t, ts, req) if resp.Auth.ClientToken == "" { t.Fatalf("bad: %#v", resp) @@ -1352,7 +1503,8 @@ func TestTokenStore_HandleRequest_CreateToken_PathBased_NoParent(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_Metadata(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root @@ -1363,10 +1515,7 @@ func TestTokenStore_HandleRequest_CreateToken_Metadata(t *testing.T) { } req.Data["meta"] = meta - resp, err := ts.HandleRequest(context.Background(), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v\nresp: %#v", err, resp) - } + resp := testMakeTokenViaRequest(t, ts, req) if resp.Auth.ClientToken == "" { t.Fatalf("bad: %#v", resp) } @@ -1378,17 +1527,15 @@ func TestTokenStore_HandleRequest_CreateToken_Metadata(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_Lease(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root req.Data["policies"] = []string{"foo"} req.Data["lease"] = "1h" - resp, err := ts.HandleRequest(context.Background(), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v\nresp: %#v", err, resp) - } + resp := testMakeTokenViaRequest(t, ts, req) if resp.Auth.ClientToken == "" { t.Fatalf("bad: %#v", resp) } @@ -1401,17 +1548,15 @@ func TestTokenStore_HandleRequest_CreateToken_Lease(t *testing.T) { } func TestTokenStore_HandleRequest_CreateToken_TTL(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root req.Data["policies"] = []string{"foo"} req.Data["ttl"] = "1h" - resp, err := ts.HandleRequest(context.Background(), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v\nresp: %#v", err, resp) - } + resp := testMakeTokenViaRequest(t, ts, req) if resp.Auth.ClientToken == "" { t.Fatalf("bad: %#v", resp) } @@ -1430,7 +1575,7 @@ func TestTokenStore_HandleRequest_Revoke(t *testing.T) { rootToken, err := ts.rootToken(context.Background()) root := rootToken.ID - testMakeToken(t, ts, root, "child", "", []string{"root", "foo"}) + testMakeTokenViaBackend(t, ts, root, "child", "", []string{"root", "foo"}) auth := &logical.Auth{ ClientToken: "child", @@ -1444,7 +1589,7 @@ func TestTokenStore_HandleRequest_Revoke(t *testing.T) { t.Fatalf("err: %v", err) } - testMakeToken(t, ts, "child", "sub-child", "", []string{"foo"}) + testMakeTokenViaBackend(t, ts, "child", "sub-child", "", []string{"foo"}) auth = &logical.Auth{ ClientToken: "sub-child", @@ -1490,8 +1635,8 @@ func TestTokenStore_HandleRequest_Revoke(t *testing.T) { } // Now test without registering the tokens through the expiration manager - testMakeToken(t, ts, root, "child", "", []string{"root", "foo"}) - testMakeToken(t, ts, "child", "sub-child", "", []string{"foo"}) + testMakeTokenViaBackend(t, ts, root, "child", "", []string{"root", "foo"}) + testMakeTokenViaBackend(t, ts, "child", "sub-child", "", []string{"foo"}) req = logical.TestRequest(t, logical.UpdateOperation, "revoke") req.Data = map[string]interface{}{ @@ -1526,9 +1671,10 @@ func TestTokenStore_HandleRequest_Revoke(t *testing.T) { } func TestTokenStore_HandleRequest_RevokeOrphan(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) - testMakeToken(t, ts, root, "child", "", []string{"root", "foo"}) - testMakeToken(t, ts, "child", "sub-child", "", []string{"foo"}) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore + testMakeTokenViaBackend(t, ts, root, "child", "", []string{"root", "foo"}) + testMakeTokenViaBackend(t, ts, "child", "sub-child", "", []string{"foo"}) req := logical.TestRequest(t, logical.UpdateOperation, "revoke-orphan") req.Data = map[string]interface{}{ @@ -1577,8 +1723,9 @@ func TestTokenStore_HandleRequest_RevokeOrphan(t *testing.T) { } func TestTokenStore_HandleRequest_RevokeOrphan_NonRoot(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) - testMakeToken(t, ts, root, "child", "", []string{"foo"}) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore + testMakeTokenViaBackend(t, ts, root, "child", "", []string{"foo"}) out, err := ts.Lookup(context.Background(), "child") if err != nil { @@ -1611,7 +1758,8 @@ func TestTokenStore_HandleRequest_RevokeOrphan_NonRoot(t *testing.T) { } func TestTokenStore_HandleRequest_Lookup(t *testing.T) { - c, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "lookup") req.Data = map[string]interface{}{ "token": root, @@ -1649,7 +1797,7 @@ func TestTokenStore_HandleRequest_Lookup(t *testing.T) { t.Fatalf("bad: expected:%#v\nactual:%#v", exp, resp.Data) } - testCoreMakeToken(t, c, root, "client", "3600s", []string{"foo"}) + testMakeTokenViaCore(t, c, root, "client", "3600s", []string{"foo"}) // Test via GET req = logical.TestRequest(t, logical.UpdateOperation, "lookup") @@ -1784,8 +1932,9 @@ func TestTokenStore_HandleRequest_Lookup(t *testing.T) { } func TestTokenStore_HandleRequest_LookupSelf(t *testing.T) { - c, ts, _, root := TestCoreWithTokenStore(t) - testCoreMakeToken(t, c, root, "client", "3600s", []string{"foo"}) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore + testMakeTokenViaCore(t, c, root, "client", "3600s", []string{"foo"}) req := logical.TestRequest(t, logical.ReadOperation, "lookup-self") req.ClientToken = "client" @@ -1931,7 +2080,7 @@ func TestTokenStore_HandleRequest_RenewSelf(t *testing.T) { } func TestTokenStore_RoleCRUD(t *testing.T) { - core, _, _, root := TestCoreWithTokenStore(t) + core, _, root := TestCoreUnsealed(t) req := logical.TestRequest(t, logical.ReadOperation, "auth/token/roles/test") req.ClientToken = root @@ -2120,7 +2269,8 @@ func TestTokenStore_RoleDisallowedPoliciesWithRoot(t *testing.T) { var resp *logical.Response var err error - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore // Don't set disallowed_policies. Verify that a read on the role does return a non-nil value. roleReq := &logical.Request{ @@ -2153,7 +2303,8 @@ func TestTokenStore_RoleDisallowedPolicies(t *testing.T) { var resp *logical.Response var err error - core, ts, _, root := TestCoreWithTokenStore(t) + core, _, root := TestCoreUnsealed(t) + ts := core.tokenStore ps := core.policyStore // Create 3 different policies @@ -2210,10 +2361,7 @@ func TestTokenStore_RoleDisallowedPolicies(t *testing.T) { req = logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root req.Data["policies"] = []string{"test1", "test2", "test3"} - resp, err = ts.HandleRequest(context.Background(), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err:%v resp:%v", err, resp) - } + resp = testMakeTokenViaRequest(t, ts, req) if resp == nil || resp.Auth == nil { t.Fatal("got nil response") } @@ -2233,14 +2381,14 @@ func TestTokenStore_RoleDisallowedPolicies(t *testing.T) { req.ClientToken = parentToken resp, err = ts.HandleRequest(context.Background(), req) if err == nil || resp != nil && !resp.IsError() { - t.Fatal("expected an error response") + t.Fatalf("expected an error response, got %#v", resp) } req = logical.TestRequest(t, logical.UpdateOperation, "create/test123") req.ClientToken = parentToken resp, err = ts.HandleRequest(context.Background(), req) if err == nil || resp != nil && !resp.IsError() { - t.Fatal("expected an error response") + t.Fatalf("expected an error response, got %#v", resp) } // Disallowed should act as a blacklist so make sure we can still make @@ -2248,10 +2396,7 @@ func TestTokenStore_RoleDisallowedPolicies(t *testing.T) { req = logical.TestRequest(t, logical.UpdateOperation, "create/test123") req.Data["policies"] = []string{"foo", "bar"} req.ClientToken = parentToken - resp, err = ts.HandleRequest(context.Background(), req) - if err != nil || resp == nil || resp.IsError() { - t.Fatalf("err:%v resp:%v", err, resp) - } + testMakeTokenViaRequest(t, ts, req) // Create a role to have 'default' policy disallowed req = logical.TestRequest(t, logical.UpdateOperation, "roles/default") @@ -2273,7 +2418,8 @@ func TestTokenStore_RoleDisallowedPolicies(t *testing.T) { } func TestTokenStore_RoleAllowedPolicies(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "roles/test") req.ClientToken = root @@ -2299,10 +2445,7 @@ func TestTokenStore_RoleAllowedPolicies(t *testing.T) { } req.Data["policies"] = []string{"test2"} - resp, err = ts.HandleRequest(context.Background(), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v\nresp: %#v", err, resp) - } + resp = testMakeTokenViaRequest(t, ts, req) if resp.Auth.ClientToken == "" { t.Fatalf("bad: %#v", resp) } @@ -2324,10 +2467,7 @@ func TestTokenStore_RoleAllowedPolicies(t *testing.T) { req = logical.TestRequest(t, logical.UpdateOperation, "create") req.ClientToken = root req.Data["policies"] = []string{"test1", "test2", "test3"} - resp, err = ts.HandleRequest(context.Background(), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err:%v resp:%v", err, resp) - } + resp = testMakeTokenViaRequest(t, ts, req) if resp == nil || resp.Auth == nil { t.Fatal("got nil response") } @@ -2350,19 +2490,13 @@ func TestTokenStore_RoleAllowedPolicies(t *testing.T) { } req.Data["policies"] = []string{"test2"} - resp, err = ts.HandleRequest(context.Background(), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v\nresp: %#v", err, resp) - } + resp = testMakeTokenViaRequest(t, ts, req) if resp.Auth.ClientToken == "" { t.Fatalf("bad: %#v", resp) } delete(req.Data, "policies") - resp, err = ts.HandleRequest(context.Background(), req) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v\nresp: %#v", err, resp) - } + resp = testMakeTokenViaRequest(t, ts, req) if resp.Auth.ClientToken == "" { t.Fatalf("bad: %#v", resp) } @@ -2372,7 +2506,8 @@ func TestTokenStore_RoleAllowedPolicies(t *testing.T) { } func TestTokenStore_RoleOrphan(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "roles/test") req.ClientToken = root @@ -2412,7 +2547,8 @@ func TestTokenStore_RoleOrphan(t *testing.T) { } func TestTokenStore_RolePathSuffix(t *testing.T) { - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore req := logical.TestRequest(t, logical.UpdateOperation, "roles/test") req.ClientToken = root @@ -2448,7 +2584,7 @@ func TestTokenStore_RolePathSuffix(t *testing.T) { } func TestTokenStore_RolePeriod(t *testing.T) { - core, _, _, root := TestCoreWithTokenStore(t) + core, _, root := TestCoreUnsealed(t) core.defaultLeaseTTL = 10 * time.Second core.maxLeaseTTL = 10 * time.Second @@ -2603,7 +2739,7 @@ func TestTokenStore_RolePeriod(t *testing.T) { } func TestTokenStore_RoleExplicitMaxTTL(t *testing.T) { - core, _, _, root := TestCoreWithTokenStore(t) + core, _, root := TestCoreUnsealed(t) core.defaultLeaseTTL = 5 * time.Second core.maxLeaseTTL = 5 * time.Hour @@ -2814,7 +2950,7 @@ func TestTokenStore_RoleExplicitMaxTTL(t *testing.T) { } func TestTokenStore_Periodic(t *testing.T) { - core, _, _, root := TestCoreWithTokenStore(t) + core, _, root := TestCoreUnsealed(t) core.defaultLeaseTTL = 10 * time.Second core.maxLeaseTTL = 10 * time.Second @@ -2955,7 +3091,7 @@ func TestTokenStore_Periodic(t *testing.T) { } func TestTokenStore_Periodic_ExplicitMax(t *testing.T) { - core, _, _, root := TestCoreWithTokenStore(t) + core, _, root := TestCoreUnsealed(t) core.defaultLeaseTTL = 10 * time.Second core.maxLeaseTTL = 10 * time.Second @@ -3116,7 +3252,8 @@ func TestTokenStore_NoDefaultPolicy(t *testing.T) { var resp *logical.Response var err error - core, ts, _, root := TestCoreWithTokenStore(t) + core, _, root := TestCoreUnsealed(t) + ts := core.tokenStore ps := core.policyStore policy, _ := ParseACLPolicy(tokenCreationPolicy) policy.Name = "policy1" @@ -3135,10 +3272,7 @@ func TestTokenStore_NoDefaultPolicy(t *testing.T) { Operation: logical.UpdateOperation, Data: tokenData, } - resp, err = ts.HandleRequest(context.Background(), tokenReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v, resp: %v", err, resp) - } + resp = testMakeTokenViaRequest(t, ts, tokenReq) if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "policy1"}) { t.Fatalf("bad: policies: expected: [policy, default]; actual: %s", resp.Auth.Policies) } @@ -3149,11 +3283,7 @@ func TestTokenStore_NoDefaultPolicy(t *testing.T) { // that the token to not have 'default' policy. The resulting token // should not have 'default' policy on it. tokenData["no_default_policy"] = true - resp, err = ts.HandleRequest(context.Background(), tokenReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v, resp: %v", err, resp) - } - + resp = testMakeTokenViaRequest(t, ts, tokenReq) if !reflect.DeepEqual(resp.Auth.Policies, []string{"policy1"}) { t.Fatalf("bad: policies: expected: [policy1]; actual: %s", resp.Auth.Policies) } @@ -3162,11 +3292,7 @@ func TestTokenStore_NoDefaultPolicy(t *testing.T) { // child token. Child token should also have 'default' policy attached. tokenReq.ClientToken = newToken tokenReq.Data = nil - resp, err = ts.HandleRequest(context.Background(), tokenReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v, resp: %v", err, resp) - } - + resp = testMakeTokenViaRequest(t, ts, tokenReq) if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "policy1"}) { t.Fatalf("bad: policies: expected: [default policy1]; actual: %s", resp.Auth.Policies) } @@ -3177,11 +3303,7 @@ func TestTokenStore_NoDefaultPolicy(t *testing.T) { tokenReq.Data = map[string]interface{}{ "period": "0s", } - resp, err = ts.HandleRequest(context.Background(), tokenReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v, resp: %v", err, resp) - } - + resp = testMakeTokenViaRequest(t, ts, tokenReq) if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "policy1"}) { t.Fatalf("bad: policies: expected: [default policy1]; actual: %s", resp.Auth.Policies) } @@ -3191,11 +3313,7 @@ func TestTokenStore_NoDefaultPolicy(t *testing.T) { tokenReq.Data = map[string]interface{}{ "no_default_policy": true, } - resp, err = ts.HandleRequest(context.Background(), tokenReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v, resp: %v", err, resp) - } - + resp = testMakeTokenViaRequest(t, ts, tokenReq) if !reflect.DeepEqual(resp.Auth.Policies, []string{"policy1"}) { t.Fatalf("bad: policies: expected: [policy1]; actual: %s", resp.Auth.Policies) } @@ -3206,11 +3324,7 @@ func TestTokenStore_NoDefaultPolicy(t *testing.T) { "policies": []string{"policy1"}, "no_default_policy": true, } - resp, err = ts.HandleRequest(context.Background(), tokenReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v, resp: %v", err, resp) - } - + resp = testMakeTokenViaRequest(t, ts, tokenReq) if !reflect.DeepEqual(resp.Auth.Policies, []string{"policy1"}) { t.Fatalf("bad: policies: expected: [policy1]; actual: %s", resp.Auth.Policies) } @@ -3220,11 +3334,7 @@ func TestTokenStore_NoDefaultPolicy(t *testing.T) { newToken = resp.Auth.ClientToken tokenReq.Data = nil tokenReq.ClientToken = newToken - resp, err = ts.HandleRequest(context.Background(), tokenReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v, resp: %v", err, resp) - } - + resp = testMakeTokenViaRequest(t, ts, tokenReq) if !reflect.DeepEqual(resp.Auth.Policies, []string{"policy1"}) { t.Fatalf("bad: policies: expected: [policy1]; actual: %s", resp.Auth.Policies) } @@ -3262,10 +3372,7 @@ func TestTokenStore_NoDefaultPolicy(t *testing.T) { t.Fatalf("err: %v, resp: %v", err, resp) } - resp, err = ts.HandleRequest(context.Background(), tokenReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v, resp: %v", err, resp) - } + resp = testMakeTokenViaRequest(t, ts, tokenReq) if !reflect.DeepEqual(resp.Auth.Policies, []string{"default", "policy1"}) { t.Fatalf("bad: policies: expected: [default policy1]; actual: %s", resp.Auth.Policies) } @@ -3283,10 +3390,7 @@ func TestTokenStore_NoDefaultPolicy(t *testing.T) { t.Fatalf("err: %v, resp: %v", err, resp) } - resp, err = ts.HandleRequest(context.Background(), tokenReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v, resp: %v", err, resp) - } + resp = testMakeTokenViaRequest(t, ts, tokenReq) if !reflect.DeepEqual(resp.Auth.Policies, []string{"policy1"}) { t.Fatalf("bad: policies: expected: [policy1]; actual: %s", resp.Auth.Policies) } @@ -3300,10 +3404,7 @@ func TestTokenStore_NoDefaultPolicy(t *testing.T) { t.Fatalf("err: %v, resp: %v", err, resp) } - resp, err = ts.HandleRequest(context.Background(), tokenReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err: %v, resp: %v", err, resp) - } + resp = testMakeTokenViaRequest(t, ts, tokenReq) if !reflect.DeepEqual(resp.Auth.Policies, []string{"policy1"}) { t.Fatalf("bad: policies: expected: [policy1]; actual: %s", resp.Auth.Policies) } @@ -3329,7 +3430,8 @@ func TestTokenStore_AllowedDisallowedPolicies(t *testing.T) { var resp *logical.Response var err error - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore roleReq := &logical.Request{ ClientToken: root, @@ -3573,7 +3675,8 @@ func TestTokenStore_HandleTidyCase1(t *testing.T) { var resp *logical.Response var err error - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore // List the number of accessors. Since there is only root token // present, the list operation should return only one key. @@ -3602,10 +3705,7 @@ func TestTokenStore_HandleTidyCase1(t *testing.T) { "policies": []string{"policy1"}, }, } - resp, err = ts.HandleRequest(context.Background(), tokenReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err:%v resp:%v", err, resp) - } + resp := testMakeTokenViaRequest(t, ts, tokenReq) tut := resp.Auth.ClientToken // Creation of another token should end up with incrementing @@ -3697,7 +3797,8 @@ func TestTokenStore_HandleTidy_parentCleanup(t *testing.T) { var resp *logical.Response var err error - _, ts, _, root := TestCoreWithTokenStore(t) + c, _, root := TestCoreUnsealed(t) + ts := c.tokenStore // List the number of accessors. Since there is only root token // present, the list operation should return only one key. @@ -3726,10 +3827,7 @@ func TestTokenStore_HandleTidy_parentCleanup(t *testing.T) { "policies": []string{"policy1"}, }, } - resp, err = ts.HandleRequest(context.Background(), tokenReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err:%v resp:%v", err, resp) - } + resp := testMakeTokenViaRequest(t, ts, tokenReq) tut := resp.Auth.ClientToken // Create a child token @@ -3741,10 +3839,7 @@ func TestTokenStore_HandleTidy_parentCleanup(t *testing.T) { "policies": []string{"policy1"}, }, } - resp, err = ts.HandleRequest(context.Background(), tokenReq) - if err != nil || (resp != nil && resp.IsError()) { - t.Fatalf("err:%v resp:%v", err, resp) - } + testMakeTokenViaRequest(t, ts, tokenReq) // Creation of another token should end up with incrementing the number of // accessors the storage