3f1c510bc9
* Fix a deadlock if a panic happens during request handling During request handling, if a panic is created, deferred functions are run but otherwise execution stops. #5889 changed some locks to non-defers but had the side effect of causing the read lock to not be released if the request panicked. This fixes that and addresses a few other potential places where things could go wrong: 1) In sealInitCommon we always now defer a function that unlocks the read lock if it hasn't been unlocked already 2) In StepDown we defer the RUnlock but we also had two error cases that were calling it manually. These are unlikely to be hit but if they were I believe would cause a panic. * Add panic recovery test
480 lines
12 KiB
Go
480 lines
12 KiB
Go
package vault
|
|
|
|
import (
|
|
"reflect"
|
|
"strings"
|
|
"testing"
|
|
|
|
uuid "github.com/hashicorp/go-uuid"
|
|
"github.com/hashicorp/vault/helper/namespace"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
)
|
|
|
|
func TestRouter_Mount(t *testing.T) {
|
|
r := NewRouter()
|
|
_, barrier, _ := mockBarrier(t)
|
|
view := NewBarrierView(barrier, "logical/")
|
|
|
|
meUUID, err := uuid.GenerateUUID()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
mountEntry := &MountEntry{
|
|
Path: "prod/aws/",
|
|
UUID: meUUID,
|
|
Accessor: "awsaccessor",
|
|
NamespaceID: namespace.RootNamespaceID,
|
|
namespace: namespace.RootNamespace,
|
|
}
|
|
|
|
n := &NoopBackend{}
|
|
err = r.Mount(n, "prod/aws/", mountEntry, view)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
meUUID, err = uuid.GenerateUUID()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
err = r.Mount(n, "prod/aws/", &MountEntry{UUID: meUUID, NamespaceID: namespace.RootNamespaceID, namespace: namespace.RootNamespace}, view)
|
|
if !strings.Contains(err.Error(), "cannot mount under existing mount") {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
meUUID, err = uuid.GenerateUUID()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if path := r.MatchingMount(namespace.RootContext(nil), "prod/aws/foo"); path != "prod/aws/" {
|
|
t.Fatalf("bad: %s", path)
|
|
}
|
|
|
|
if v := r.MatchingStorageByAPIPath(namespace.RootContext(nil), "prod/aws/foo"); v.(*BarrierView) != view {
|
|
t.Fatalf("bad: %v", v)
|
|
}
|
|
|
|
if path := r.MatchingMount(namespace.RootContext(nil), "stage/aws/foo"); path != "" {
|
|
t.Fatalf("bad: %s", path)
|
|
}
|
|
|
|
if v := r.MatchingStorageByAPIPath(namespace.RootContext(nil), "stage/aws/foo"); v != nil {
|
|
t.Fatalf("bad: %v", v)
|
|
}
|
|
|
|
mountEntryFetched := r.MatchingMountByUUID(mountEntry.UUID)
|
|
if mountEntryFetched == nil || !reflect.DeepEqual(mountEntry, mountEntryFetched) {
|
|
t.Fatalf("failed to fetch mount entry using its ID; expected: %#v\n actual: %#v\n", mountEntry, mountEntryFetched)
|
|
}
|
|
|
|
_, mount, prefix, ok := r.MatchingAPIPrefixByStoragePath(namespace.RootContext(nil), "logical/foo")
|
|
if !ok {
|
|
t.Fatalf("missing storage prefix")
|
|
}
|
|
if mount != "prod/aws/" || prefix != "logical/" {
|
|
t.Fatalf("Bad: %v - %v", mount, prefix)
|
|
}
|
|
|
|
req := &logical.Request{
|
|
Path: "prod/aws/foo",
|
|
}
|
|
req.SetTokenEntry(&logical.TokenEntry{
|
|
ID: "foo",
|
|
})
|
|
resp, err := r.Route(namespace.RootContext(nil), req)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
if resp != nil {
|
|
t.Fatalf("bad: %v", resp)
|
|
}
|
|
if req.TokenEntry() == nil || req.TokenEntry().ID != "foo" {
|
|
t.Fatalf("unexpected value for token entry: %v", req.TokenEntry())
|
|
}
|
|
|
|
// Verify the path
|
|
if len(n.Paths) != 1 || n.Paths[0] != "foo" {
|
|
t.Fatalf("bad: %v", n.Paths)
|
|
}
|
|
|
|
subMountEntry := &MountEntry{
|
|
Path: "prod/",
|
|
UUID: meUUID,
|
|
Accessor: "prodaccessor",
|
|
NamespaceID: namespace.RootNamespaceID,
|
|
namespace: namespace.RootNamespace,
|
|
}
|
|
|
|
if r.MountConflict(namespace.RootContext(nil), "prod/aws/") == "" {
|
|
t.Fatalf("bad: prod/aws/")
|
|
}
|
|
|
|
// No error is shown here because MountConflict is checked before Mount
|
|
err = r.Mount(n, "prod/", subMountEntry, view)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
if r.MountConflict(namespace.RootContext(nil), "prod/test") == "" {
|
|
t.Fatalf("bad: prod/test/")
|
|
}
|
|
}
|
|
|
|
func TestRouter_MountCredential(t *testing.T) {
|
|
r := NewRouter()
|
|
_, barrier, _ := mockBarrier(t)
|
|
view := NewBarrierView(barrier, credentialBarrierPrefix)
|
|
|
|
meUUID, err := uuid.GenerateUUID()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
mountEntry := &MountEntry{
|
|
Path: "aws",
|
|
UUID: meUUID,
|
|
Accessor: "awsaccessor",
|
|
NamespaceID: namespace.RootNamespaceID,
|
|
namespace: namespace.RootNamespace,
|
|
}
|
|
|
|
n := &NoopBackend{}
|
|
err = r.Mount(n, "auth/aws/", mountEntry, view)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
meUUID, err = uuid.GenerateUUID()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
err = r.Mount(n, "auth/aws/", &MountEntry{UUID: meUUID, NamespaceID: namespace.RootNamespaceID, namespace: namespace.RootNamespace}, view)
|
|
if !strings.Contains(err.Error(), "cannot mount under existing mount") {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
if path := r.MatchingMount(namespace.RootContext(nil), "auth/aws/foo"); path != "auth/aws/" {
|
|
t.Fatalf("bad: %s", path)
|
|
}
|
|
|
|
if v := r.MatchingStorageByAPIPath(namespace.RootContext(nil), "auth/aws/foo"); v.(*BarrierView) != view {
|
|
t.Fatalf("bad: %v", v)
|
|
}
|
|
|
|
if path := r.MatchingMount(namespace.RootContext(nil), "auth/stage/aws/foo"); path != "" {
|
|
t.Fatalf("bad: %s", path)
|
|
}
|
|
|
|
if v := r.MatchingStorageByAPIPath(namespace.RootContext(nil), "auth/stage/aws/foo"); v != nil {
|
|
t.Fatalf("bad: %v", v)
|
|
}
|
|
|
|
mountEntryFetched := r.MatchingMountByUUID(mountEntry.UUID)
|
|
if mountEntryFetched == nil || !reflect.DeepEqual(mountEntry, mountEntryFetched) {
|
|
t.Fatalf("failed to fetch mount entry using its ID; expected: %#v\n actual: %#v\n", mountEntry, mountEntryFetched)
|
|
}
|
|
|
|
_, mount, prefix, ok := r.MatchingAPIPrefixByStoragePath(namespace.RootContext(nil), "auth/foo")
|
|
if !ok {
|
|
t.Fatalf("missing storage prefix")
|
|
}
|
|
if mount != "auth/aws" || prefix != credentialBarrierPrefix {
|
|
t.Fatalf("Bad: %v - %v", mount, prefix)
|
|
}
|
|
|
|
req := &logical.Request{
|
|
Path: "auth/aws/foo",
|
|
}
|
|
resp, err := r.Route(namespace.RootContext(nil), req)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
if resp != nil {
|
|
t.Fatalf("bad: %v", resp)
|
|
}
|
|
|
|
// Verify the path
|
|
if len(n.Paths) != 1 || n.Paths[0] != "foo" {
|
|
t.Fatalf("bad: %v", n.Paths)
|
|
}
|
|
}
|
|
|
|
func TestRouter_Unmount(t *testing.T) {
|
|
r := NewRouter()
|
|
_, barrier, _ := mockBarrier(t)
|
|
view := NewBarrierView(barrier, "logical/")
|
|
|
|
meUUID, err := uuid.GenerateUUID()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
n := &NoopBackend{}
|
|
err = r.Mount(n, "prod/aws/", &MountEntry{Path: "prod/aws/", UUID: meUUID, Accessor: "awsaccessor", NamespaceID: namespace.RootNamespaceID, namespace: namespace.RootNamespace}, view)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
err = r.Unmount(namespace.RootContext(nil), "prod/aws/")
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
req := &logical.Request{
|
|
Path: "prod/aws/foo",
|
|
}
|
|
_, err = r.Route(namespace.RootContext(nil), req)
|
|
if !strings.Contains(err.Error(), "unsupported path") {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
if _, _, _, ok := r.MatchingAPIPrefixByStoragePath(namespace.RootContext(nil), "logical/foo"); ok {
|
|
t.Fatalf("should not have matching storage prefix")
|
|
}
|
|
}
|
|
|
|
func TestRouter_Remount(t *testing.T) {
|
|
r := NewRouter()
|
|
_, barrier, _ := mockBarrier(t)
|
|
view := NewBarrierView(barrier, "logical/")
|
|
|
|
meUUID, err := uuid.GenerateUUID()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
n := &NoopBackend{}
|
|
me := &MountEntry{Path: "prod/aws/", UUID: meUUID, Accessor: "awsaccessor", NamespaceID: namespace.RootNamespaceID, namespace: namespace.RootNamespace}
|
|
err = r.Mount(n, "prod/aws/", me, view)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
me.Path = "stage/aws/"
|
|
err = r.Remount(namespace.RootContext(nil), "prod/aws/", "stage/aws/")
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
err = r.Remount(namespace.RootContext(nil), "prod/aws/", "stage/aws/")
|
|
if !strings.Contains(err.Error(), "no mount at") {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
req := &logical.Request{
|
|
Path: "prod/aws/foo",
|
|
}
|
|
_, err = r.Route(namespace.RootContext(nil), req)
|
|
if !strings.Contains(err.Error(), "unsupported path") {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
req = &logical.Request{
|
|
Path: "stage/aws/foo",
|
|
}
|
|
_, err = r.Route(namespace.RootContext(nil), req)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
// Verify the path
|
|
if len(n.Paths) != 1 || n.Paths[0] != "foo" {
|
|
t.Fatalf("bad: %v", n.Paths)
|
|
}
|
|
|
|
// Check the resolve from storage still works
|
|
_, mount, prefix, _ := r.MatchingAPIPrefixByStoragePath(namespace.RootContext(nil), "logical/foobar")
|
|
if mount != "stage/aws/" {
|
|
t.Fatalf("bad mount: %s", mount)
|
|
}
|
|
if prefix != "logical/" {
|
|
t.Fatalf("Bad prefix: %s", prefix)
|
|
}
|
|
}
|
|
|
|
func TestRouter_RootPath(t *testing.T) {
|
|
r := NewRouter()
|
|
_, barrier, _ := mockBarrier(t)
|
|
view := NewBarrierView(barrier, "logical/")
|
|
|
|
meUUID, err := uuid.GenerateUUID()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
n := &NoopBackend{
|
|
Root: []string{
|
|
"root",
|
|
"policy/*",
|
|
},
|
|
}
|
|
err = r.Mount(n, "prod/aws/", &MountEntry{UUID: meUUID, Accessor: "awsaccessor", NamespaceID: namespace.RootNamespaceID, namespace: namespace.RootNamespace}, view)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
type tcase struct {
|
|
path string
|
|
expect bool
|
|
}
|
|
tcases := []tcase{
|
|
{"random", false},
|
|
{"prod/aws/foo", false},
|
|
{"prod/aws/root", true},
|
|
{"prod/aws/root-more", false},
|
|
{"prod/aws/policy", false},
|
|
{"prod/aws/policy/", true},
|
|
{"prod/aws/policy/ops", true},
|
|
}
|
|
|
|
for _, tc := range tcases {
|
|
out := r.RootPath(namespace.RootContext(nil), tc.path)
|
|
if out != tc.expect {
|
|
t.Fatalf("bad: path: %s expect: %v got %v", tc.path, tc.expect, out)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestRouter_LoginPath(t *testing.T) {
|
|
r := NewRouter()
|
|
_, barrier, _ := mockBarrier(t)
|
|
view := NewBarrierView(barrier, "auth/")
|
|
|
|
meUUID, err := uuid.GenerateUUID()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
n := &NoopBackend{
|
|
Login: []string{
|
|
"login",
|
|
"oauth/*",
|
|
},
|
|
}
|
|
err = r.Mount(n, "auth/foo/", &MountEntry{UUID: meUUID, Accessor: "authfooaccessor", NamespaceID: namespace.RootNamespaceID, namespace: namespace.RootNamespace}, view)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
type tcase struct {
|
|
path string
|
|
expect bool
|
|
}
|
|
tcases := []tcase{
|
|
{"random", false},
|
|
{"auth/foo/bar", false},
|
|
{"auth/foo/login", true},
|
|
{"auth/foo/oauth", false},
|
|
{"auth/foo/oauth/redirect", true},
|
|
}
|
|
|
|
for _, tc := range tcases {
|
|
out := r.LoginPath(namespace.RootContext(nil), tc.path)
|
|
if out != tc.expect {
|
|
t.Fatalf("bad: path: %s expect: %v got %v", tc.path, tc.expect, out)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestRouter_Taint(t *testing.T) {
|
|
r := NewRouter()
|
|
_, barrier, _ := mockBarrier(t)
|
|
view := NewBarrierView(barrier, "logical/")
|
|
|
|
meUUID, err := uuid.GenerateUUID()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
n := &NoopBackend{}
|
|
err = r.Mount(n, "prod/aws/", &MountEntry{UUID: meUUID, Accessor: "awsaccessor", NamespaceID: namespace.RootNamespaceID, namespace: namespace.RootNamespace}, view)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
err = r.Taint(namespace.RootContext(nil), "prod/aws/")
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
req := &logical.Request{
|
|
Operation: logical.ReadOperation,
|
|
Path: "prod/aws/foo",
|
|
}
|
|
_, err = r.Route(namespace.RootContext(nil), req)
|
|
if err.Error() != "unsupported path" {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
// Rollback and Revoke should work
|
|
req.Operation = logical.RollbackOperation
|
|
_, err = r.Route(namespace.RootContext(nil), req)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
req.Operation = logical.RevokeOperation
|
|
_, err = r.Route(namespace.RootContext(nil), req)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestRouter_Untaint(t *testing.T) {
|
|
r := NewRouter()
|
|
_, barrier, _ := mockBarrier(t)
|
|
view := NewBarrierView(barrier, "logical/")
|
|
|
|
meUUID, err := uuid.GenerateUUID()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
n := &NoopBackend{}
|
|
err = r.Mount(n, "prod/aws/", &MountEntry{UUID: meUUID, Accessor: "awsaccessor", NamespaceID: namespace.RootNamespaceID, namespace: namespace.RootNamespace}, view)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
err = r.Taint(namespace.RootContext(nil), "prod/aws/")
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
err = r.Untaint(namespace.RootContext(nil), "prod/aws/")
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
|
|
req := &logical.Request{
|
|
Operation: logical.ReadOperation,
|
|
Path: "prod/aws/foo",
|
|
}
|
|
_, err = r.Route(namespace.RootContext(nil), req)
|
|
if err != nil {
|
|
t.Fatalf("err: %v", err)
|
|
}
|
|
}
|
|
|
|
func TestPathsToRadix(t *testing.T) {
|
|
// Provide real paths
|
|
paths := []string{
|
|
"foo",
|
|
"foo/*",
|
|
"sub/bar*",
|
|
}
|
|
r := pathsToRadix(paths)
|
|
|
|
raw, ok := r.Get("foo")
|
|
if !ok || raw.(bool) != false {
|
|
t.Fatalf("bad: %v (foo)", raw)
|
|
}
|
|
|
|
raw, ok = r.Get("foo/")
|
|
if !ok || raw.(bool) != true {
|
|
t.Fatalf("bad: %v (foo/)", raw)
|
|
}
|
|
|
|
raw, ok = r.Get("sub/bar")
|
|
if !ok || raw.(bool) != true {
|
|
t.Fatalf("bad: %v (sub/bar)", raw)
|
|
}
|
|
}
|