f59069c22f
* Don't call LeaseExtend on login renewal paths when period is provided * WIP tests * NoopBackend accept backend ttl values * Test period value on credentials backend * Use t.Fatalf instead * Remove mockCoreExpiration * Add login renewal test for approle backend * Add resp.Auth.Period check on aws and cert backend tests * Pass in approle's period via role's period * Correctly set period in valid-role's role * Add period renewal test using TestCluster and approle backend * Check for ttl values after renewals on test
169 lines
3.8 KiB
Go
169 lines
3.8 KiB
Go
package vault_test
|
|
|
|
import (
|
|
"encoding/json"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/hashicorp/vault/api"
|
|
"github.com/hashicorp/vault/builtin/credential/approle"
|
|
vaulthttp "github.com/hashicorp/vault/http"
|
|
"github.com/hashicorp/vault/logical"
|
|
"github.com/hashicorp/vault/vault"
|
|
)
|
|
|
|
func TestExpiration_RenewToken_TestCluster(t *testing.T) {
|
|
// Use a TestCluster and the approle backend to test renewal
|
|
coreConfig := &vault.CoreConfig{
|
|
CredentialBackends: map[string]logical.Factory{
|
|
"approle": approle.Factory,
|
|
},
|
|
}
|
|
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
|
HandlerFunc: vaulthttp.Handler,
|
|
})
|
|
cluster.Start()
|
|
defer cluster.Cleanup()
|
|
|
|
core := cluster.Cores[0].Core
|
|
vault.TestWaitActive(t, core)
|
|
client := cluster.Cores[0].Client
|
|
|
|
// Mount the auth backend
|
|
err := client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{
|
|
Type: "approle",
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// Tune the mount
|
|
err = client.Sys().TuneMount("auth/approle", api.MountConfigInput{
|
|
DefaultLeaseTTL: "5s",
|
|
MaxLeaseTTL: "5s",
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// Create role
|
|
resp, err := client.Logical().Write("auth/approle/role/role-period", map[string]interface{}{
|
|
"period": "5s",
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// Get role_id
|
|
resp, err = client.Logical().Read("auth/approle/role/role-period/role-id")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if resp == nil {
|
|
t.Fatal("expected a response for fetching the role-id")
|
|
}
|
|
roleID := resp.Data["role_id"]
|
|
|
|
// Get secret_id
|
|
resp, err = client.Logical().Write("auth/approle/role/role-period/secret-id", map[string]interface{}{})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if resp == nil {
|
|
t.Fatal("expected a response for fetching the secret-id")
|
|
}
|
|
secretID := resp.Data["secret_id"]
|
|
|
|
// Login
|
|
resp, err = client.Logical().Write("auth/approle/login", map[string]interface{}{
|
|
"role_id": roleID,
|
|
"secret_id": secretID,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if resp == nil {
|
|
t.Fatal("expected a response for login")
|
|
}
|
|
if resp.Auth == nil {
|
|
t.Fatal("expected auth object from response")
|
|
}
|
|
if resp.Auth.ClientToken == "" {
|
|
t.Fatal("expected a client token")
|
|
}
|
|
|
|
roleToken := resp.Auth.ClientToken
|
|
// Wait 3 seconds
|
|
time.Sleep(3 * time.Second)
|
|
|
|
// Renew
|
|
resp, err = client.Logical().Write("auth/token/renew", map[string]interface{}{
|
|
"token": roleToken,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if resp == nil {
|
|
t.Fatal("expected a response for renew")
|
|
}
|
|
|
|
// Perform token lookup and verify TTL
|
|
resp, err = client.Auth().Token().Lookup(roleToken)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if resp == nil {
|
|
t.Fatal("expected a response for token lookup")
|
|
}
|
|
|
|
ttlRaw, ok := resp.Data["ttl"].(json.Number)
|
|
if !ok {
|
|
t.Fatal("no ttl value found in data object")
|
|
}
|
|
ttlInt, err := ttlRaw.Int64()
|
|
if err != nil {
|
|
t.Fatalf("unable to convert ttl to int: %s", err)
|
|
}
|
|
ttl := time.Duration(ttlInt) * time.Second
|
|
if ttl < 4*time.Second {
|
|
t.Fatal("expected ttl value to be around 5s")
|
|
}
|
|
|
|
// Wait 3 seconds
|
|
time.Sleep(3 * time.Second)
|
|
|
|
// Do a second renewal to ensure that period can be renewed past sys/mount max_ttl
|
|
resp, err = client.Logical().Write("auth/token/renew", map[string]interface{}{
|
|
"token": roleToken,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if resp == nil {
|
|
t.Fatal("expected a response for renew")
|
|
}
|
|
|
|
// Perform token lookup and verify TTL
|
|
resp, err = client.Auth().Token().Lookup(roleToken)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if resp == nil {
|
|
t.Fatal("expected a response for token lookup")
|
|
}
|
|
|
|
ttlRaw, ok = resp.Data["ttl"].(json.Number)
|
|
if !ok {
|
|
t.Fatal("no ttl value found in data object")
|
|
}
|
|
ttlInt, err = ttlRaw.Int64()
|
|
if err != nil {
|
|
t.Fatalf("unable to convert ttl to int: %s", err)
|
|
}
|
|
ttl = time.Duration(ttlInt) * time.Second
|
|
if ttl < 4*time.Second {
|
|
t.Fatal("expected ttl value to be around 5s")
|
|
}
|
|
|
|
}
|