open-vault/builtin/logical/consul/backend_test.go

1614 lines
40 KiB
Go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package consul
import (
"context"
"encoding/base64"
"fmt"
"log"
"os"
"reflect"
"strings"
"testing"
"time"
consulapi "github.com/hashicorp/consul/api"
"github.com/hashicorp/vault/helper/testhelpers/consul"
logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
"github.com/hashicorp/vault/sdk/logical"
"github.com/mitchellh/mapstructure"
)
func TestBackend_Config_Access(t *testing.T) {
t.Run("config_access", func(t *testing.T) {
t.Parallel()
t.Run("pre-1.4.0", func(t *testing.T) {
t.Parallel()
testBackendConfigAccess(t, "1.3.1", true)
})
t.Run("post-1.4.0", func(t *testing.T) {
t.Parallel()
testBackendConfigAccess(t, "", true)
})
t.Run("pre-1.4.0 automatic-bootstrap", func(t *testing.T) {
t.Parallel()
testBackendConfigAccess(t, "1.3.1", false)
})
t.Run("post-1.4.0 automatic-bootstrap", func(t *testing.T) {
t.Parallel()
testBackendConfigAccess(t, "", false)
})
})
}
func testBackendConfigAccess(t *testing.T, version string, autoBootstrap bool) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b, err := Factory(context.Background(), config)
if err != nil {
t.Fatal(err)
}
cleanup, consulConfig := consul.PrepareTestContainer(t, version, false, autoBootstrap)
defer cleanup()
connData := map[string]interface{}{
"address": consulConfig.Address(),
}
if autoBootstrap || strings.HasPrefix(version, "1.3") {
connData["token"] = consulConfig.Token
}
confReq := &logical.Request{
Operation: logical.UpdateOperation,
Path: "config/access",
Storage: config.StorageView,
Data: connData,
}
resp, err := b.HandleRequest(context.Background(), confReq)
if err != nil || (resp != nil && resp.IsError()) || resp != nil {
t.Fatalf("failed to write configuration: resp:%#v err:%s", resp, err)
}
confReq.Operation = logical.ReadOperation
resp, err = b.HandleRequest(context.Background(), confReq)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("failed to write configuration: resp:%#v err:%s", resp, err)
}
expected := map[string]interface{}{
"address": connData["address"].(string),
"scheme": "http",
}
if !reflect.DeepEqual(expected, resp.Data) {
t.Fatalf("bad: expected:%#v\nactual:%#v\n", expected, resp.Data)
}
if resp.Data["token"] != nil {
t.Fatalf("token should not be set in the response")
}
}
func TestBackend_Renew_Revoke(t *testing.T) {
t.Run("renew_revoke", func(t *testing.T) {
t.Parallel()
t.Run("pre-1.4.0", func(t *testing.T) {
t.Parallel()
testBackendRenewRevoke(t, "1.3.1")
})
t.Run("post-1.4.0", func(t *testing.T) {
t.Parallel()
t.Run("legacy", func(t *testing.T) {
t.Parallel()
testBackendRenewRevoke(t, "1.4.4")
})
t.Run("param-policies", func(t *testing.T) {
t.Parallel()
testBackendRenewRevoke14(t, "", "policies")
})
t.Run("param-consul_policies", func(t *testing.T) {
t.Parallel()
testBackendRenewRevoke14(t, "", "consul_policies")
})
t.Run("both-params", func(t *testing.T) {
t.Parallel()
testBackendRenewRevoke14(t, "", "both")
})
})
})
}
func testBackendRenewRevoke(t *testing.T, version string) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b, err := Factory(context.Background(), config)
if err != nil {
t.Fatal(err)
}
cleanup, consulConfig := consul.PrepareTestContainer(t, version, false, true)
defer cleanup()
connData := map[string]interface{}{
"address": consulConfig.Address(),
"token": consulConfig.Token,
}
req := &logical.Request{
Storage: config.StorageView,
Operation: logical.UpdateOperation,
Path: "config/access",
Data: connData,
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
req.Path = "roles/test"
req.Data = map[string]interface{}{
"policy": base64.StdEncoding.EncodeToString([]byte(testPolicy)),
"lease": "6h",
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
req.Operation = logical.ReadOperation
req.Path = "creds/test"
resp, err := b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("resp nil")
}
if resp.IsError() {
t.Fatalf("resp is error: %v", resp.Error())
}
generatedSecret := resp.Secret
generatedSecret.TTL = 6 * time.Hour
var d struct {
Token string `mapstructure:"token"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
// Build a client and verify that the credentials work
consulapiConfig := consulapi.DefaultConfig()
consulapiConfig.Address = connData["address"].(string)
consulapiConfig.Token = d.Token
client, err := consulapi.NewClient(consulapiConfig)
if err != nil {
t.Fatal(err)
}
_, err = client.KV().Put(&consulapi.KVPair{
Key: "foo",
Value: []byte("bar"),
}, nil)
if err != nil {
t.Fatal(err)
}
req.Operation = logical.RenewOperation
req.Secret = generatedSecret
resp, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("got nil response from renew")
}
req.Operation = logical.RevokeOperation
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
_, err = client.KV().Put(&consulapi.KVPair{
Key: "foo",
Value: []byte("bar"),
}, nil)
if err == nil {
t.Fatal("err: expected error")
}
}
func testBackendRenewRevoke14(t *testing.T, version string, policiesParam string) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b, err := Factory(context.Background(), config)
if err != nil {
t.Fatal(err)
}
cleanup, consulConfig := consul.PrepareTestContainer(t, version, false, true)
defer cleanup()
connData := map[string]interface{}{
"address": consulConfig.Address(),
"token": consulConfig.Token,
}
req := &logical.Request{
Storage: config.StorageView,
Operation: logical.UpdateOperation,
Path: "config/access",
Data: connData,
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
req.Path = "roles/test"
req.Data = map[string]interface{}{
"lease": "6h",
}
if policiesParam == "both" {
req.Data["policies"] = []string{"wrong-name"}
req.Data["consul_policies"] = []string{"test"}
} else {
req.Data[policiesParam] = []string{"test"}
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
read := &logical.Request{
Storage: config.StorageView,
Operation: logical.ReadOperation,
Path: "roles/test",
Data: connData,
}
roleResp, err := b.HandleRequest(context.Background(), read)
expectExtract := roleResp.Data["consul_policies"]
respExtract := roleResp.Data[policiesParam]
if respExtract != nil {
if expectExtract.([]string)[0] != respExtract.([]string)[0] {
t.Errorf("mismatch: response consul_policies '%s' does not match '[test]'", roleResp.Data["consul_policies"])
}
}
req.Operation = logical.ReadOperation
req.Path = "creds/test"
resp, err := b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("resp nil")
}
if resp.IsError() {
t.Fatalf("resp is error: %v", resp.Error())
}
generatedSecret := resp.Secret
generatedSecret.TTL = 6 * time.Hour
var d struct {
Token string `mapstructure:"token"`
Accessor string `mapstructure:"accessor"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
// Build a client and verify that the credentials work
consulapiConfig := consulapi.DefaultNonPooledConfig()
consulapiConfig.Address = connData["address"].(string)
consulapiConfig.Token = d.Token
client, err := consulapi.NewClient(consulapiConfig)
if err != nil {
t.Fatal(err)
}
_, err = client.Catalog(), nil
if err != nil {
t.Fatal(err)
}
req.Operation = logical.RenewOperation
req.Secret = generatedSecret
resp, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("got nil response from renew")
}
req.Operation = logical.RevokeOperation
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
// Build a management client and verify that the token does not exist anymore
consulmgmtConfig := consulapi.DefaultNonPooledConfig()
consulmgmtConfig.Address = connData["address"].(string)
consulmgmtConfig.Token = connData["token"].(string)
mgmtclient, err := consulapi.NewClient(consulmgmtConfig)
if err != nil {
t.Fatal(err)
}
q := &consulapi.QueryOptions{
Datacenter: "DC1",
}
_, _, err = mgmtclient.ACL().TokenRead(d.Accessor, q)
if err == nil {
t.Fatal("err: expected error")
}
}
func TestBackend_LocalToken(t *testing.T) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b, err := Factory(context.Background(), config)
if err != nil {
t.Fatal(err)
}
cleanup, consulConfig := consul.PrepareTestContainer(t, "", false, true)
defer cleanup()
connData := map[string]interface{}{
"address": consulConfig.Address(),
"token": consulConfig.Token,
}
req := &logical.Request{
Storage: config.StorageView,
Operation: logical.UpdateOperation,
Path: "config/access",
Data: connData,
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
req.Path = "roles/test"
req.Data = map[string]interface{}{
"consul_policies": []string{"test"},
"ttl": "6h",
"local": false,
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
req.Path = "roles/test_local"
req.Data = map[string]interface{}{
"consul_policies": []string{"test"},
"ttl": "6h",
"local": true,
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
req.Operation = logical.ReadOperation
req.Path = "creds/test"
resp, err := b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("resp nil")
}
if resp.IsError() {
t.Fatalf("resp is error: %v", resp.Error())
}
var d struct {
Token string `mapstructure:"token"`
Accessor string `mapstructure:"accessor"`
Local bool `mapstructure:"local"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
if d.Local {
t.Fatalf("requested global token, got local one")
}
// Build a client and verify that the credentials work
consulapiConfig := consulapi.DefaultNonPooledConfig()
consulapiConfig.Address = connData["address"].(string)
consulapiConfig.Token = d.Token
client, err := consulapi.NewClient(consulapiConfig)
if err != nil {
t.Fatal(err)
}
_, err = client.Catalog(), nil
if err != nil {
t.Fatal(err)
}
req.Operation = logical.ReadOperation
req.Path = "creds/test_local"
resp, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("resp nil")
}
if resp.IsError() {
t.Fatalf("resp is error: %v", resp.Error())
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
if !d.Local {
t.Fatalf("requested local token, got global one")
}
// Build a client and verify that the credentials work
consulapiConfig = consulapi.DefaultNonPooledConfig()
consulapiConfig.Address = connData["address"].(string)
consulapiConfig.Token = d.Token
client, err = consulapi.NewClient(consulapiConfig)
if err != nil {
t.Fatal(err)
}
_, err = client.Catalog(), nil
if err != nil {
t.Fatal(err)
}
}
func TestBackend_Management(t *testing.T) {
t.Run("management", func(t *testing.T) {
t.Parallel()
t.Run("pre-1.4.0", func(t *testing.T) {
t.Parallel()
testBackendManagement(t, "1.3.1")
})
t.Run("post-1.4.0", func(t *testing.T) {
t.Parallel()
testBackendManagement(t, "1.4.4")
})
testBackendManagement(t, "1.10.8")
})
}
func testBackendManagement(t *testing.T, version string) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b, err := Factory(context.Background(), config)
if err != nil {
t.Fatal(err)
}
cleanup, consulConfig := consul.PrepareTestContainer(t, version, false, true)
defer cleanup()
connData := map[string]interface{}{
"address": consulConfig.Address(),
"token": consulConfig.Token,
}
logicaltest.Test(t, logicaltest.TestCase{
LogicalBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfig(t, connData),
testAccStepWriteManagementPolicy(t, "test", ""),
testAccStepReadManagementToken(t, "test", connData),
},
})
}
func TestBackend_Basic(t *testing.T) {
t.Run("basic", func(t *testing.T) {
t.Parallel()
t.Run("pre-1.4.0", func(t *testing.T) {
t.Parallel()
testBackendBasic(t, "1.3.1")
})
t.Run("post-1.4.0", func(t *testing.T) {
t.Parallel()
t.Run("legacy", func(t *testing.T) {
t.Parallel()
testBackendBasic(t, "1.4.4")
})
testBackendBasic(t, "1.10.8")
})
})
}
func testBackendBasic(t *testing.T, version string) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b, err := Factory(context.Background(), config)
if err != nil {
t.Fatal(err)
}
cleanup, consulConfig := consul.PrepareTestContainer(t, version, false, true)
defer cleanup()
connData := map[string]interface{}{
"address": consulConfig.Address(),
"token": consulConfig.Token,
}
logicaltest.Test(t, logicaltest.TestCase{
LogicalBackend: b,
Steps: []logicaltest.TestStep{
testAccStepConfig(t, connData),
testAccStepWritePolicy(t, "test", testPolicy, ""),
testAccStepReadToken(t, "test", connData),
},
})
}
func TestBackend_crud(t *testing.T) {
b, _ := Factory(context.Background(), logical.TestBackendConfig())
logicaltest.Test(t, logicaltest.TestCase{
LogicalBackend: b,
Steps: []logicaltest.TestStep{
testAccStepWritePolicy(t, "test", testPolicy, ""),
testAccStepWritePolicy(t, "test2", testPolicy, ""),
testAccStepWritePolicy(t, "test3", testPolicy, ""),
testAccStepReadPolicy(t, "test", testPolicy, 0),
testAccStepListPolicy(t, []string{"test", "test2", "test3"}),
testAccStepDeletePolicy(t, "test"),
},
})
}
func TestBackend_role_lease(t *testing.T) {
b, _ := Factory(context.Background(), logical.TestBackendConfig())
logicaltest.Test(t, logicaltest.TestCase{
LogicalBackend: b,
Steps: []logicaltest.TestStep{
testAccStepWritePolicy(t, "test", testPolicy, "6h"),
testAccStepReadPolicy(t, "test", testPolicy, 6*time.Hour),
testAccStepDeletePolicy(t, "test"),
},
})
}
func testAccStepConfig(t *testing.T, config map[string]interface{}) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "config/access",
Data: config,
}
}
func testAccStepReadToken(t *testing.T, name string, conf map[string]interface{}) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.ReadOperation,
Path: "creds/" + name,
Check: func(resp *logical.Response) error {
var d struct {
Token string `mapstructure:"token"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
return err
}
log.Printf("[WARN] Generated token: %s", d.Token)
// Build a client and verify that the credentials work
config := consulapi.DefaultConfig()
config.Address = conf["address"].(string)
config.Token = d.Token
client, err := consulapi.NewClient(config)
if err != nil {
return err
}
log.Printf("[WARN] Verifying that the generated token works...")
_, err = client.KV().Put(&consulapi.KVPair{
Key: "foo",
Value: []byte("bar"),
}, nil)
if err != nil {
return err
}
return nil
},
}
}
func testAccStepReadManagementToken(t *testing.T, name string, conf map[string]interface{}) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.ReadOperation,
Path: "creds/" + name,
Check: func(resp *logical.Response) error {
var d struct {
Token string `mapstructure:"token"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
return err
}
log.Printf("[WARN] Generated token: %s", d.Token)
// Build a client and verify that the credentials work
config := consulapi.DefaultConfig()
config.Address = conf["address"].(string)
config.Token = d.Token
client, err := consulapi.NewClient(config)
if err != nil {
return err
}
log.Printf("[WARN] Verifying that the generated token works...")
_, _, err = client.ACL().Create(&consulapi.ACLEntry{
Type: "management",
Name: "test2",
}, nil)
if err != nil {
return err
}
return nil
},
}
}
func testAccStepWritePolicy(t *testing.T, name string, policy string, lease string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "roles/" + name,
Data: map[string]interface{}{
"policy": base64.StdEncoding.EncodeToString([]byte(policy)),
"lease": lease,
},
}
}
func testAccStepWriteManagementPolicy(t *testing.T, name string, lease string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.UpdateOperation,
Path: "roles/" + name,
Data: map[string]interface{}{
"token_type": "management",
"lease": lease,
},
}
}
func testAccStepReadPolicy(t *testing.T, name string, policy string, lease time.Duration) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.ReadOperation,
Path: "roles/" + name,
Check: func(resp *logical.Response) error {
policyRaw := resp.Data["policy"].(string)
out, err := base64.StdEncoding.DecodeString(policyRaw)
if err != nil {
return err
}
if string(out) != policy {
return fmt.Errorf("mismatch: %s %s", out, policy)
}
l := resp.Data["lease"].(int64)
if lease != time.Second*time.Duration(l) {
return fmt.Errorf("mismatch: %v %v", l, lease)
}
return nil
},
}
}
func testAccStepListPolicy(t *testing.T, names []string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.ListOperation,
Path: "roles/",
Check: func(resp *logical.Response) error {
respKeys := resp.Data["keys"].([]string)
if !reflect.DeepEqual(respKeys, names) {
return fmt.Errorf("mismatch: %#v %#v", respKeys, names)
}
return nil
},
}
}
func testAccStepDeletePolicy(t *testing.T, name string) logicaltest.TestStep {
return logicaltest.TestStep{
Operation: logical.DeleteOperation,
Path: "roles/" + name,
}
}
func TestBackend_Roles(t *testing.T) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b, err := Factory(context.Background(), config)
if err != nil {
t.Fatal(err)
}
cleanup, consulConfig := consul.PrepareTestContainer(t, "", false, true)
defer cleanup()
connData := map[string]interface{}{
"address": consulConfig.Address(),
"token": consulConfig.Token,
}
req := &logical.Request{
Storage: config.StorageView,
Operation: logical.UpdateOperation,
Path: "config/access",
Data: connData,
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
// Create the consul_roles role
req.Path = "roles/test-consul-roles"
req.Data = map[string]interface{}{
"consul_roles": []string{"role-test"},
"lease": "6h",
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
req.Operation = logical.ReadOperation
req.Path = "creds/test-consul-roles"
resp, err := b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("resp nil")
}
if resp.IsError() {
t.Fatalf("resp is error: %v", resp.Error())
}
generatedSecret := resp.Secret
generatedSecret.TTL = 6 * time.Hour
var d struct {
Token string `mapstructure:"token"`
Accessor string `mapstructure:"accessor"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
// Build a client and verify that the credentials work
consulapiConfig := consulapi.DefaultNonPooledConfig()
consulapiConfig.Address = connData["address"].(string)
consulapiConfig.Token = d.Token
client, err := consulapi.NewClient(consulapiConfig)
if err != nil {
t.Fatal(err)
}
_, err = client.Catalog(), nil
if err != nil {
t.Fatal(err)
}
req.Operation = logical.RenewOperation
req.Secret = generatedSecret
resp, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("got nil response from renew")
}
req.Operation = logical.RevokeOperation
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
// Build a management client and verify that the token does not exist anymore
consulmgmtConfig := consulapi.DefaultNonPooledConfig()
consulmgmtConfig.Address = connData["address"].(string)
consulmgmtConfig.Token = connData["token"].(string)
mgmtclient, err := consulapi.NewClient(consulmgmtConfig)
if err != nil {
t.Fatal(err)
}
q := &consulapi.QueryOptions{
Datacenter: "DC1",
}
_, _, err = mgmtclient.ACL().TokenRead(d.Accessor, q)
if err == nil {
t.Fatal("err: expected error")
}
}
func TestBackend_Enterprise_Diff_Namespace_Revocation(t *testing.T) {
if _, hasLicense := os.LookupEnv("CONSUL_LICENSE"); !hasLicense {
t.Skip("Skipping: No enterprise license found")
}
testBackendEntDiffNamespaceRevocation(t)
}
func TestBackend_Enterprise_Diff_Partition_Revocation(t *testing.T) {
if _, hasLicense := os.LookupEnv("CONSUL_LICENSE"); !hasLicense {
t.Skip("Skipping: No enterprise license found")
}
testBackendEntDiffPartitionRevocation(t)
}
func TestBackend_Enterprise_Namespace(t *testing.T) {
if _, hasLicense := os.LookupEnv("CONSUL_LICENSE"); !hasLicense {
t.Skip("Skipping: No enterprise license found")
}
testBackendEntNamespace(t)
}
func TestBackend_Enterprise_Partition(t *testing.T) {
if _, hasLicense := os.LookupEnv("CONSUL_LICENSE"); !hasLicense {
t.Skip("Skipping: No enterprise license found")
}
testBackendEntPartition(t)
}
func testBackendEntDiffNamespaceRevocation(t *testing.T) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b, err := Factory(context.Background(), config)
if err != nil {
t.Fatal(err)
}
cleanup, consulConfig := consul.PrepareTestContainer(t, "", true, true)
defer cleanup()
// Perform additional Consul configuration
consulapiConfig := consulapi.DefaultNonPooledConfig()
consulapiConfig.Address = consulConfig.Address()
consulapiConfig.Token = consulConfig.Token
client, err := consulapi.NewClient(consulapiConfig)
if err != nil {
t.Fatal(err)
}
// Create Policy in default namespace to manage ACLs in a different
// namespace
nsPol := &consulapi.ACLPolicy{
Name: "diff-ns-test",
Description: "policy to test management of ACLs in one ns from another",
Rules: `namespace "ns1" {
acl="write"
}
`,
}
pol, _, err := client.ACL().PolicyCreate(nsPol, nil)
if err != nil {
t.Fatal(err)
}
// Create new Token in default namespace with new ACL
cToken, _, err := client.ACL().TokenCreate(
&consulapi.ACLToken{
Policies: []*consulapi.ACLLink{{ID: pol.ID}},
}, nil)
if err != nil {
t.Fatal(err)
}
// Write backend config
connData := map[string]interface{}{
"address": consulConfig.Address(),
"token": cToken.SecretID,
}
req := &logical.Request{
Storage: config.StorageView,
Operation: logical.UpdateOperation,
Path: "config/access",
Data: connData,
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
// Create the role in namespace "ns1"
req.Path = "roles/test-ns"
req.Data = map[string]interface{}{
"consul_policies": []string{"ns-test"},
"lease": "6h",
"consul_namespace": "ns1",
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
// Get Token
req.Operation = logical.ReadOperation
req.Path = "creds/test-ns"
resp, err := b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("resp nil")
}
if resp.IsError() {
t.Fatalf("resp is error: %v", resp.Error())
}
generatedSecret := resp.Secret
generatedSecret.TTL = 6 * time.Hour
// Verify Secret
var d struct {
Token string `mapstructure:"token"`
Accessor string `mapstructure:"accessor"`
ConsulNamespace string `mapstructure:"consul_namespace"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
if d.ConsulNamespace != "ns1" {
t.Fatalf("Failed to access namespace")
}
// Revoke the credential
req.Operation = logical.RevokeOperation
req.Secret = generatedSecret
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatalf("Revocation failed: %v", err)
}
// Build a management client and verify that the token does not exist anymore
consulmgmtConfig := consulapi.DefaultNonPooledConfig()
consulmgmtConfig.Address = connData["address"].(string)
consulmgmtConfig.Token = connData["token"].(string)
mgmtclient, err := consulapi.NewClient(consulmgmtConfig)
if err != nil {
t.Fatal(err)
}
q := &consulapi.QueryOptions{
Datacenter: "DC1",
Namespace: "ns1",
}
_, _, err = mgmtclient.ACL().TokenRead(d.Accessor, q)
if err == nil {
t.Fatal("err: expected error")
}
}
func testBackendEntDiffPartitionRevocation(t *testing.T) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b, err := Factory(context.Background(), config)
if err != nil {
t.Fatal(err)
}
cleanup, consulConfig := consul.PrepareTestContainer(t, "", true, true)
defer cleanup()
// Perform additional Consul configuration
consulapiConfig := consulapi.DefaultNonPooledConfig()
consulapiConfig.Address = consulConfig.Address()
consulapiConfig.Token = consulConfig.Token
client, err := consulapi.NewClient(consulapiConfig)
if err != nil {
t.Fatal(err)
}
// Create Policy in default partition to manage ACLs in a different
// partition
partPol := &consulapi.ACLPolicy{
Name: "diff-part-test",
Description: "policy to test management of ACLs in one part from another",
Rules: `partition "part1" {
acl="write"
}
`,
}
pol, _, err := client.ACL().PolicyCreate(partPol, nil)
if err != nil {
t.Fatal(err)
}
// Create new Token in default partition with new ACL
cToken, _, err := client.ACL().TokenCreate(
&consulapi.ACLToken{
Policies: []*consulapi.ACLLink{{ID: pol.ID}},
}, nil)
if err != nil {
t.Fatal(err)
}
// Write backend config
connData := map[string]interface{}{
"address": consulConfig.Address(),
"token": cToken.SecretID,
}
req := &logical.Request{
Storage: config.StorageView,
Operation: logical.UpdateOperation,
Path: "config/access",
Data: connData,
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
// Create the role in partition "part1"
req.Path = "roles/test-part"
req.Data = map[string]interface{}{
"consul_policies": []string{"part-test"},
"lease": "6h",
"partition": "part1",
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
// Get Token
req.Operation = logical.ReadOperation
req.Path = "creds/test-part"
resp, err := b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("resp nil")
}
if resp.IsError() {
t.Fatalf("resp is error: %v", resp.Error())
}
generatedSecret := resp.Secret
generatedSecret.TTL = 6 * time.Hour
// Verify Secret
var d struct {
Token string `mapstructure:"token"`
Accessor string `mapstructure:"accessor"`
Partition string `mapstructure:"partition"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
if d.Partition != "part1" {
t.Fatalf("Failed to access partition")
}
// Revoke the credential
req.Operation = logical.RevokeOperation
req.Secret = generatedSecret
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatalf("Revocation failed: %v", err)
}
// Build a management client and verify that the token does not exist anymore
consulmgmtConfig := consulapi.DefaultNonPooledConfig()
consulmgmtConfig.Address = connData["address"].(string)
consulmgmtConfig.Token = connData["token"].(string)
mgmtclient, err := consulapi.NewClient(consulmgmtConfig)
if err != nil {
t.Fatal(err)
}
q := &consulapi.QueryOptions{
Datacenter: "DC1",
Partition: "part1",
}
_, _, err = mgmtclient.ACL().TokenRead(d.Accessor, q)
if err == nil {
t.Fatal("err: expected error")
}
}
func testBackendEntNamespace(t *testing.T) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b, err := Factory(context.Background(), config)
if err != nil {
t.Fatal(err)
}
cleanup, consulConfig := consul.PrepareTestContainer(t, "", true, true)
defer cleanup()
connData := map[string]interface{}{
"address": consulConfig.Address(),
"token": consulConfig.Token,
}
req := &logical.Request{
Storage: config.StorageView,
Operation: logical.UpdateOperation,
Path: "config/access",
Data: connData,
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
// Create the role in namespace "ns1"
req.Path = "roles/test-ns"
req.Data = map[string]interface{}{
"consul_policies": []string{"ns-test"},
"lease": "6h",
"consul_namespace": "ns1",
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
req.Operation = logical.ReadOperation
req.Path = "creds/test-ns"
resp, err := b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("resp nil")
}
if resp.IsError() {
t.Fatalf("resp is error: %v", resp.Error())
}
generatedSecret := resp.Secret
generatedSecret.TTL = 6 * time.Hour
var d struct {
Token string `mapstructure:"token"`
Accessor string `mapstructure:"accessor"`
ConsulNamespace string `mapstructure:"consul_namespace"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
if d.ConsulNamespace != "ns1" {
t.Fatalf("Failed to access namespace")
}
// Build a client and verify that the credentials work
consulapiConfig := consulapi.DefaultNonPooledConfig()
consulapiConfig.Address = connData["address"].(string)
consulapiConfig.Token = d.Token
client, err := consulapi.NewClient(consulapiConfig)
if err != nil {
t.Fatal(err)
}
_, err = client.Catalog(), nil
if err != nil {
t.Fatal(err)
}
req.Operation = logical.RenewOperation
req.Secret = generatedSecret
resp, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("got nil response from renew")
}
req.Operation = logical.RevokeOperation
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
// Build a management client and verify that the token does not exist anymore
consulmgmtConfig := consulapi.DefaultNonPooledConfig()
consulmgmtConfig.Address = connData["address"].(string)
consulmgmtConfig.Token = connData["token"].(string)
mgmtclient, err := consulapi.NewClient(consulmgmtConfig)
if err != nil {
t.Fatal(err)
}
q := &consulapi.QueryOptions{
Datacenter: "DC1",
Namespace: "ns1",
}
_, _, err = mgmtclient.ACL().TokenRead(d.Accessor, q)
if err == nil {
t.Fatal("err: expected error")
}
}
func testBackendEntPartition(t *testing.T) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b, err := Factory(context.Background(), config)
if err != nil {
t.Fatal(err)
}
cleanup, consulConfig := consul.PrepareTestContainer(t, "", true, true)
defer cleanup()
connData := map[string]interface{}{
"address": consulConfig.Address(),
"token": consulConfig.Token,
}
req := &logical.Request{
Storage: config.StorageView,
Operation: logical.UpdateOperation,
Path: "config/access",
Data: connData,
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
// Create the role in partition "part1"
req.Path = "roles/test-part"
req.Data = map[string]interface{}{
"consul_policies": []string{"part-test"},
"lease": "6h",
"partition": "part1",
}
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
req.Operation = logical.ReadOperation
req.Path = "creds/test-part"
resp, err := b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("resp nil")
}
if resp.IsError() {
t.Fatalf("resp is error: %v", resp.Error())
}
generatedSecret := resp.Secret
generatedSecret.TTL = 6 * time.Hour
var d struct {
Token string `mapstructure:"token"`
Accessor string `mapstructure:"accessor"`
Partition string `mapstructure:"partition"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
if d.Partition != "part1" {
t.Fatalf("Failed to access partition")
}
// Build a client and verify that the credentials work
consulapiConfig := consulapi.DefaultNonPooledConfig()
consulapiConfig.Address = connData["address"].(string)
consulapiConfig.Token = d.Token
client, err := consulapi.NewClient(consulapiConfig)
if err != nil {
t.Fatal(err)
}
_, err = client.Catalog(), nil
if err != nil {
t.Fatal(err)
}
req.Operation = logical.RenewOperation
req.Secret = generatedSecret
resp, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("got nil response from renew")
}
req.Operation = logical.RevokeOperation
_, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
// Build a management client and verify that the token does not exist anymore
consulmgmtConfig := consulapi.DefaultNonPooledConfig()
consulmgmtConfig.Address = connData["address"].(string)
consulmgmtConfig.Token = connData["token"].(string)
mgmtclient, err := consulapi.NewClient(consulmgmtConfig)
if err != nil {
t.Fatal(err)
}
q := &consulapi.QueryOptions{
Datacenter: "DC1",
Partition: "test1",
}
_, _, err = mgmtclient.ACL().TokenRead(d.Accessor, q)
if err == nil {
t.Fatal("err: expected error")
}
}
func TestBackendRenewRevokeRolesAndIdentities(t *testing.T) {
config := logical.TestBackendConfig()
config.StorageView = &logical.InmemStorage{}
b, err := Factory(context.Background(), config)
if err != nil {
t.Fatal(err)
}
cleanup, consulConfig := consul.PrepareTestContainer(t, "", false, true)
defer cleanup()
connData := map[string]interface{}{
"address": consulConfig.Address(),
"token": consulConfig.Token,
}
req := &logical.Request{
Storage: config.StorageView,
Operation: logical.UpdateOperation,
Path: "config/access",
Data: connData,
}
resp, err := b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
cases := map[string]struct {
RoleName string
RoleData map[string]interface{}
}{
"just role": {
"r",
map[string]interface{}{
"consul_roles": []string{"role-test"},
"lease": "6h",
},
},
"role and policies": {
"rp",
map[string]interface{}{
"consul_policies": []string{"test"},
"consul_roles": []string{"role-test"},
"lease": "6h",
},
},
"service identity": {
"si",
map[string]interface{}{
"service_identities": "service1",
"lease": "6h",
},
},
"service identity and policies": {
"sip",
map[string]interface{}{
"consul_policies": []string{"test"},
"service_identities": "service1",
"lease": "6h",
},
},
"service identity and role": {
"sir",
map[string]interface{}{
"consul_roles": []string{"role-test"},
"service_identities": "service1",
"lease": "6h",
},
},
"service identity and role and policies": {
"sirp",
map[string]interface{}{
"consul_policies": []string{"test"},
"consul_roles": []string{"role-test"},
"service_identities": "service1",
"lease": "6h",
},
},
"node identity": {
"ni",
map[string]interface{}{
"node_identities": []string{"node1:dc1"},
"lease": "6h",
},
},
"node identity and policies": {
"nip",
map[string]interface{}{
"consul_policies": []string{"test"},
"node_identities": []string{"node1:dc1"},
"lease": "6h",
},
},
"node identity and role": {
"nir",
map[string]interface{}{
"consul_roles": []string{"role-test"},
"node_identities": []string{"node1:dc1"},
"lease": "6h",
},
},
"node identity and role and policies": {
"nirp",
map[string]interface{}{
"consul_policies": []string{"test"},
"consul_roles": []string{"role-test"},
"node_identities": []string{"node1:dc1"},
"lease": "6h",
},
},
"node identity and service identity": {
"nisi",
map[string]interface{}{
"service_identities": "service1",
"node_identities": []string{"node1:dc1"},
"lease": "6h",
},
},
"node identity and service identity and policies": {
"nisip",
map[string]interface{}{
"consul_policies": []string{"test"},
"service_identities": "service1",
"node_identities": []string{"node1:dc1"},
"lease": "6h",
},
},
"node identity and service identity and role": {
"nisir",
map[string]interface{}{
"consul_roles": []string{"role-test"},
"service_identities": "service1",
"node_identities": []string{"node1:dc1"},
"lease": "6h",
},
},
"node identity and service identity and role and policies": {
"nisirp",
map[string]interface{}{
"consul_policies": []string{"test"},
"consul_roles": []string{"role-test"},
"service_identities": "service1",
"node_identities": []string{"node1:dc1"},
"lease": "6h",
},
},
}
for description, tc := range cases {
t.Logf("Testing: %s", description)
req.Operation = logical.UpdateOperation
req.Path = fmt.Sprintf("roles/%s", tc.RoleName)
req.Data = tc.RoleData
resp, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
req.Operation = logical.ReadOperation
req.Path = fmt.Sprintf("creds/%s", tc.RoleName)
resp, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("resp nil")
}
if resp.IsError() {
t.Fatalf("resp is error: %v", resp.Error())
}
generatedSecret := resp.Secret
generatedSecret.TTL = 6 * time.Hour
var d struct {
Token string `mapstructure:"token"`
Accessor string `mapstructure:"accessor"`
}
if err := mapstructure.Decode(resp.Data, &d); err != nil {
t.Fatal(err)
}
// Build a client and verify that the credentials work
consulapiConfig := consulapi.DefaultNonPooledConfig()
consulapiConfig.Address = connData["address"].(string)
consulapiConfig.Token = d.Token
client, err := consulapi.NewClient(consulapiConfig)
if err != nil {
t.Fatal(err)
}
_, err = client.Catalog(), nil
if err != nil {
t.Fatal(err)
}
req.Operation = logical.RenewOperation
req.Secret = generatedSecret
resp, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
if resp == nil {
t.Fatal("got nil response from renew")
}
req.Operation = logical.RevokeOperation
resp, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatal(err)
}
// Build a management client and verify that the token does not exist anymore
consulmgmtConfig := consulapi.DefaultNonPooledConfig()
consulmgmtConfig.Address = connData["address"].(string)
consulmgmtConfig.Token = connData["token"].(string)
mgmtclient, err := consulapi.NewClient(consulmgmtConfig)
q := &consulapi.QueryOptions{
Datacenter: "DC1",
}
_, _, err = mgmtclient.ACL().TokenRead(d.Accessor, q)
if err == nil {
t.Fatal("err: expected error")
}
}
}
const testPolicy = `
key "" {
policy = "write"
}`