open-vault/vault/external_tests/approle/wrapped_secretid_test.go
Michael Ward c15ac1053f
Expose secret_id_accessor as WrappedAccessor when wrapping secret-id creation. (#12425)
* Expose secret_id_accessor as WrappedAccessor when wrapping secret-id creation.

* Add changelog.

* Minor updates as suggested.

* Adding external test for wrapped accessor.

* Add check that mounttype is approle.

* Update changelog text to use improvement
2021-09-16 10:47:49 -07:00

122 lines
3 KiB
Go

package approle
import (
"testing"
log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/vault/api"
credAppRole "github.com/hashicorp/vault/builtin/credential/approle"
vaulthttp "github.com/hashicorp/vault/http"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/vault"
"github.com/stretchr/testify/require"
)
func TestApproleSecretId_Wrapped(t *testing.T) {
var err error
coreConfig := &vault.CoreConfig{
DisableMlock: true,
DisableCache: true,
Logger: log.NewNullLogger(),
CredentialBackends: map[string]logical.Factory{
"approle": credAppRole.Factory,
},
}
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
HandlerFunc: vaulthttp.Handler,
})
cluster.Start()
defer cluster.Cleanup()
cores := cluster.Cores
vault.TestWaitActive(t, cores[0].Core)
client := cores[0].Client
client.SetToken(cluster.RootToken)
err = client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{
Type: "approle",
})
if err != nil {
t.Fatal(err)
}
_, err = client.Logical().Write("auth/approle/role/test-role-1", map[string]interface{}{
"name": "test-role-1",
})
require.NoError(t, err)
client.SetWrappingLookupFunc(func(operation, path string) string {
return "5m"
})
resp, err := client.Logical().Write("/auth/approle/role/test-role-1/secret-id", map[string]interface{}{})
require.NoError(t, err)
wrappedAccessor := resp.WrapInfo.WrappedAccessor
wrappingToken := resp.WrapInfo.Token
client.SetWrappingLookupFunc(func(operation, path string) string {
return api.DefaultWrappingLookupFunc(operation, path)
})
unwrappedSecretid, err := client.Logical().Unwrap(wrappingToken)
unwrappedAccessor := unwrappedSecretid.Data["secret_id_accessor"].(string)
if wrappedAccessor != unwrappedAccessor {
t.Fatalf("Expected wrappedAccessor (%v) to match wrapped secret_id_accessor (%v)", wrappedAccessor, unwrappedAccessor)
}
}
func TestApproleSecretId_NotWrapped(t *testing.T) {
var err error
coreConfig := &vault.CoreConfig{
DisableMlock: true,
DisableCache: true,
Logger: log.NewNullLogger(),
CredentialBackends: map[string]logical.Factory{
"approle": credAppRole.Factory,
},
}
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
HandlerFunc: vaulthttp.Handler,
})
cluster.Start()
defer cluster.Cleanup()
cores := cluster.Cores
vault.TestWaitActive(t, cores[0].Core)
client := cores[0].Client
client.SetToken(cluster.RootToken)
err = client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{
Type: "approle",
})
if err != nil {
t.Fatal(err)
}
_, err = client.Logical().Write("auth/approle/role/test-role-1", map[string]interface{}{
"name": "test-role-1",
})
require.NoError(t, err)
resp, err := client.Logical().Write("/auth/approle/role/test-role-1/secret-id", map[string]interface{}{})
require.NoError(t, err)
if resp.WrapInfo != nil && resp.WrapInfo.WrappedAccessor != "" {
t.Fatalf("WrappedAccessor unexpectedly set")
}
}