diff --git a/api/client_test.go b/api/client_test.go
index a20add005..5058b2e4a 100644
--- a/api/client_test.go
+++ b/api/client_test.go
@@ -107,16 +107,19 @@ func TestClientEnvSettings(t *testing.T) {
 oldClientCert := os.Getenv(EnvVaultClientCert)
 oldClientKey := os.Getenv(EnvVaultClientKey)
 oldSkipVerify := os.Getenv(EnvVaultInsecure)
+ oldWrapTTL := os.Getenv(EnvVaultWrapTTL)
 os.Setenv("VAULT_CACERT", cwd+"/test-fixtures/keys/cert.pem")
 os.Setenv("VAULT_CAPATH", cwd+"/test-fixtures/keys")
 os.Setenv("VAULT_CLIENT_CERT", cwd+"/test-fixtures/keys/cert.pem")
 os.Setenv("VAULT_CLIENT_KEY", cwd+"/test-fixtures/keys/key.pem")
 os.Setenv("VAULT_SKIP_VERIFY", "true")
+ os.Setenv("VAULT_WRAP_TTL", "60")
 defer os.Setenv("VAULT_CACERT", oldCACert)
 defer os.Setenv("VAULT_CAPATH", oldCAPath)
 defer os.Setenv("VAULT_CLIENT_CERT", oldClientCert)
 defer os.Setenv("VAULT_CLIENT_KEY", oldClientKey)
 defer os.Setenv("VAULT_SKIP_VERIFY", oldSkipVerify)
+ defer os.Setenv("VAULT_WRAP_TTL", oldWrapTTL)
 config := DefaultConfig()
 if err := config.ReadEnvironment(); err != nil {
@@ -133,4 +136,8 @@ func TestClientEnvSettings(t *testing.T) {
 if tlsConfig.InsecureSkipVerify != true {
 t.Fatalf("bad: %v", tlsConfig.InsecureSkipVerify)
 }
+
+ if config.WrapTTL != "60" {
+ t.Fatalf("bad: %v", config.WrapTTL)
+ }
 }
diff --git a/api/secret_test.go b/api/secret_test.go
index 511333342..b5688aa31 100644
--- a/api/secret_test.go
+++ b/api/secret_test.go
@@ -17,7 +17,11 @@ func TestParseSecret(t *testing.T) {
 },
 "warnings": [
 "a warning!"
- ]
+ ],
+ "wrap_info": {
+ "token": "token",
+ "ttl": 60
+ }
 }`)
 secret, err := ParseSecret(strings.NewReader(raw))
@@ -35,6 +39,10 @@ func TestParseSecret(t *testing.T) {
 Warnings: []string{
 "a warning!",
 },
+ WrapInfo: &SecretWrapInfo{
+ Token: "token",
+ TTL: 60,
+ },
 }
 if !reflect.DeepEqual(secret, expected) {
 t.Fatalf("bad: %#v %#v", secret, expected)
diff --git a/audit/format_json_test.go b/audit/format_json_test.go
index b6f01ad60..87845eb15 100644
--- a/audit/format_json_test.go
+++ b/audit/format_json_test.go
@@ -5,6 +5,7 @@ import (
 "encoding/json"
 "strings"
 "testing"
+ "time"
 "errors"
@@ -26,6 +27,7 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 Connection: &logical.Connection{
 RemoteAddr: "127.0.0.1",
 },
+ WrapTTL: 60 * time.Second,
 },
 errors.New("this is an error"),
 testFormatJSONReqBasicStr,
@@ -64,5 +66,5 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 }
 }
-const testFormatJSONReqBasicStr = `{"time":"2015-08-05T13:45:46Z","type":"request","auth":{"display_name":"","policies":["root"],"metadata":null},"request":{"operation":"update","path":"/foo","data":null,"remote_address":"127.0.0.1"},"error":"this is an error"}
+const testFormatJSONReqBasicStr = `{"time":"2015-08-05T13:45:46Z","type":"request","auth":{"display_name":"","policies":["root"],"metadata":null},"request":{"operation":"update","path":"/foo","data":null,"wrap_ttl":60,"remote_address":"127.0.0.1"},"error":"this is an error"}
 `
diff --git a/audit/hashstructure_test.go b/audit/hashstructure_test.go
index e0404048c..7593b92ac 100644
--- a/audit/hashstructure_test.go
+++ b/audit/hashstructure_test.go
@@ -44,6 +44,7 @@ func TestCopy_request(t *testing.T) {
 Data: map[string]interface{}{
 "foo": "bar",
 },
+ WrapTTL: 60 * time.Second,
 }
 arg := expected
@@ -66,6 +67,10 @@ func TestCopy_response(t *testing.T) {
 Data: map[string]interface{}{
 "foo": "bar",
 },
+ WrapInfo: &logical.WrapInfo{
+ TTL: 60,
+ Token: "foo",
+ },
 }
 arg := expected
@@ -131,11 +136,19 @@ func TestHash(t *testing.T) {
 Data: map[string]interface{}{
 "foo": "bar",
 },
+ WrapInfo: &logical.WrapInfo{
+ TTL: 60,
+ Token: "bar",
+ },
 },
 &logical.Response{
 Data: map[string]interface{}{
 "foo": "hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317",
 },
+ WrapInfo: &logical.WrapInfo{
+ TTL: 60,
+ Token: "hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317",
+ },
 },
 },
 {
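Review bot: In TestCopy_response (audit/hashstructure_test.go) the new `WrapInfo` field is a pointer, and `arg := expected` copies only that pointer, so a deep-equality comparison cannot distinguish a Copy that duplicates WrapInfo from one that aliases it. That distinction matters for the audit path exercised by TestHash in the same file, where the token is replaced by its `hmac-sha256:` form: if the hashed structure shared WrapInfo with the live response, the caller could be handed the HMAC instead of the wrapping token. Consider asserting pointer inequality after the copy, e.g. `if dup.WrapInfo == arg.WrapInfo { t.Fatal("WrapInfo aliased") }`, where `dup` stands for whatever the test names the Copy result. The rest of TestCopy_response lies outside the hunk, so the form of its existing assertion is inferred.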
diff --git a/http/handler_test.go b/http/handler_test.go
index 89167a2ac..0c43297fb 100644
--- a/http/handler_test.go
+++ b/http/handler_test.go
@@ -1,10 +1,12 @@
 package http
 import (
+ "bytes"
 "errors"
 "net/http"
 "net/http/httptest"
 "reflect"
+ "strings"
 "testing"
 "github.com/hashicorp/go-cleanhttp"
@@ -64,6 +66,33 @@ func TestSysMounts_headerAuth(t *testing.T) {
 }
 }
+// We use this test to verify header auth wrapping
+func TestSysMounts_headerAuth_Wrapped(t *testing.T) {
+ core, _, token := vault.TestCoreUnsealed(t)
+ ln, addr := TestServer(t, core)
+ defer ln.Close()
+
+ req, err := http.NewRequest("GET", addr+"/v1/sys/mounts", nil)
+ if err != nil {
+ t.Fatalf("err: %s", err)
+ }
+ req.Header.Set(AuthHeaderName, token)
+ req.Header.Set(WrapTTLHeaderName, "60s")
+
+ client := cleanhttp.DefaultClient()
+ resp, err := client.Do(req)
+ if err != nil {
+ t.Fatalf("err: %s", err)
+ }
+
+ testResponseStatus(t, resp, 200)
+ buf := bytes.NewBuffer(nil)
+ buf.ReadFrom(resp.Body)
+ if strings.TrimSpace(buf.String()) != "null" {
+ t.Fatalf("bad: %v", buf.String())
+ }
+}
+
 func TestHandler_sealed(t *testing.T) {
 core, _, token := vault.TestCoreUnsealed(t)
 ln, addr := TestServer(t, core)
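Review bot: In TestSysMounts_headerAuth_Wrapped the response body is never closed and the result of `buf.ReadFrom(resp.Body)` is discarded, so a failed or truncated read would surface as a content mismatch against "null" rather than as an I/O error. Add `defer resp.Body.Close()` after the `client.Do` error check and read with `if _, err := buf.ReadFrom(resp.Body); err != nil { t.Fatalf("err: %s", err) }`. The only content assertion is that the body equals `null`: that shows the mount table is not returned in the clear, but nothing visible here checks that a wrapping token was issued or that the 60s value sent in WrapTTLHeaderName was applied, so a handler that simply dropped the response would appear to pass as well. A short comment stating what `null` is expected to mean at this layer, or an assertion on the wrapping metadata once the handler exposes it, would make the test's security intent explicit.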