2040 lines
39 KiB
Go
2040 lines
39 KiB
Go
package api_test
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"reflect"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/hashicorp/vault/api"
|
|
)
|
|
|
|
func TestParseSecret(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
raw := strings.TrimSpace(`
|
|
{
|
|
"lease_id": "foo",
|
|
"renewable": true,
|
|
"lease_duration": 10,
|
|
"data": {
|
|
"key": "value"
|
|
},
|
|
"warnings": [
|
|
"a warning!"
|
|
],
|
|
"wrap_info": {
|
|
"token": "token",
|
|
"ttl": 60,
|
|
"creation_time": "2016-06-07T15:52:10-04:00",
|
|
"wrapped_accessor": "abcd1234"
|
|
}
|
|
}`)
|
|
|
|
rawTime, _ := time.Parse(time.RFC3339, "2016-06-07T15:52:10-04:00")
|
|
|
|
secret, err := api.ParseSecret(strings.NewReader(raw))
|
|
if err != nil {
|
|
t.Fatalf("err: %s", err)
|
|
}
|
|
|
|
expected := &api.Secret{
|
|
LeaseID: "foo",
|
|
Renewable: true,
|
|
LeaseDuration: 10,
|
|
Data: map[string]interface{}{
|
|
"key": "value",
|
|
},
|
|
Warnings: []string{
|
|
"a warning!",
|
|
},
|
|
WrapInfo: &api.SecretWrapInfo{
|
|
Token: "token",
|
|
TTL: 60,
|
|
CreationTime: rawTime,
|
|
WrappedAccessor: "abcd1234",
|
|
},
|
|
}
|
|
if !reflect.DeepEqual(secret, expected) {
|
|
t.Fatalf("bad:\ngot\n%#v\nexpected\n%#v\n", secret, expected)
|
|
}
|
|
}
|
|
|
|
func TestSecret_TokenID(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
name string
|
|
secret *api.Secret
|
|
exp string
|
|
}{
|
|
{
|
|
"nil",
|
|
nil,
|
|
"",
|
|
},
|
|
{
|
|
"nil_auth",
|
|
&api.Secret{
|
|
Auth: nil,
|
|
},
|
|
"",
|
|
},
|
|
{
|
|
"empty_auth_client_token",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
ClientToken: "",
|
|
},
|
|
},
|
|
"",
|
|
},
|
|
{
|
|
"real_auth_client_token",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
ClientToken: "my-token",
|
|
},
|
|
},
|
|
"my-token",
|
|
},
|
|
{
|
|
"nil_data",
|
|
&api.Secret{
|
|
Data: nil,
|
|
},
|
|
"",
|
|
},
|
|
{
|
|
"empty_data",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{},
|
|
},
|
|
"",
|
|
},
|
|
{
|
|
"data_not_string",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"id": 123,
|
|
},
|
|
},
|
|
"",
|
|
},
|
|
{
|
|
"data_string",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"id": "my-token",
|
|
},
|
|
},
|
|
"my-token",
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
tc := tc
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
act := tc.secret.TokenID()
|
|
if act != tc.exp {
|
|
t.Errorf("expected %q to be %q", act, tc.exp)
|
|
}
|
|
})
|
|
}
|
|
|
|
t.Run("auth", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
|
|
"password": "test",
|
|
"policies": "default",
|
|
}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
secret, err := client.Logical().Write("auth/userpass/login/test", map[string]interface{}{
|
|
"password": "test",
|
|
})
|
|
if err != nil || secret == nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
if secret.TokenID() != token {
|
|
t.Errorf("expected %q to be %q", secret.TokenID(), token)
|
|
}
|
|
})
|
|
|
|
t.Run("token-create", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
if secret.TokenID() != token {
|
|
t.Errorf("expected %q to be %q", secret.TokenID(), token)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
secret, err = client.Auth().Token().Lookup(token)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenID() != token {
|
|
t.Errorf("expected %q to be %q", secret.TokenID(), token)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().LookupSelf()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenID() != token {
|
|
t.Errorf("expected %q to be %q", secret.TokenID(), token)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
secret, err = client.Auth().Token().Renew(token, 0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenID() != token {
|
|
t.Errorf("expected %q to be %q", secret.TokenID(), token)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().RenewSelf(0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenID() != token {
|
|
t.Errorf("expected %q to be %q", secret.TokenID(), token)
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestSecret_TokenAccessor(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
name string
|
|
secret *api.Secret
|
|
exp string
|
|
}{
|
|
{
|
|
"nil",
|
|
nil,
|
|
"",
|
|
},
|
|
{
|
|
"nil_auth",
|
|
&api.Secret{
|
|
Auth: nil,
|
|
},
|
|
"",
|
|
},
|
|
{
|
|
"empty_auth_accessor",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
Accessor: "",
|
|
},
|
|
},
|
|
"",
|
|
},
|
|
{
|
|
"real_auth_accessor",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
Accessor: "my-accessor",
|
|
},
|
|
},
|
|
"my-accessor",
|
|
},
|
|
{
|
|
"nil_data",
|
|
&api.Secret{
|
|
Data: nil,
|
|
},
|
|
"",
|
|
},
|
|
{
|
|
"empty_data",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{},
|
|
},
|
|
"",
|
|
},
|
|
{
|
|
"data_not_string",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"accessor": 123,
|
|
},
|
|
},
|
|
"",
|
|
},
|
|
{
|
|
"data_string",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"accessor": "my-accessor",
|
|
},
|
|
},
|
|
"my-accessor",
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
tc := tc
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
act := tc.secret.TokenAccessor()
|
|
if act != tc.exp {
|
|
t.Errorf("expected %q to be %q", act, tc.exp)
|
|
}
|
|
})
|
|
}
|
|
|
|
t.Run("auth", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
|
|
"password": "test",
|
|
"policies": "default",
|
|
}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
secret, err := client.Logical().Write("auth/userpass/login/test", map[string]interface{}{
|
|
"password": "test",
|
|
})
|
|
if err != nil || secret == nil {
|
|
t.Fatal(err)
|
|
}
|
|
_, accessor := secret.Auth.ClientToken, secret.Auth.Accessor
|
|
|
|
if secret.TokenAccessor() != accessor {
|
|
t.Errorf("expected %q to be %q", secret.TokenAccessor(), accessor)
|
|
}
|
|
})
|
|
|
|
t.Run("token-create", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
_, accessor := secret.Auth.ClientToken, secret.Auth.Accessor
|
|
|
|
if secret.TokenAccessor() != accessor {
|
|
t.Errorf("expected %q to be %q", secret.TokenAccessor(), accessor)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token, accessor := secret.Auth.ClientToken, secret.Auth.Accessor
|
|
|
|
secret, err = client.Auth().Token().Lookup(token)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenAccessor() != accessor {
|
|
t.Errorf("expected %q to be %q", secret.TokenAccessor(), accessor)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token, accessor := secret.Auth.ClientToken, secret.Auth.Accessor
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().LookupSelf()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenAccessor() != accessor {
|
|
t.Errorf("expected %q to be %q", secret.TokenAccessor(), accessor)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token, accessor := secret.Auth.ClientToken, secret.Auth.Accessor
|
|
|
|
secret, err = client.Auth().Token().Renew(token, 0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenAccessor() != accessor {
|
|
t.Errorf("expected %q to be %q", secret.TokenAccessor(), accessor)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token, accessor := secret.Auth.ClientToken, secret.Auth.Accessor
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().RenewSelf(0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenAccessor() != accessor {
|
|
t.Errorf("expected %q to be %q", secret.TokenAccessor(), accessor)
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestSecret_TokenRemainingUses(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
name string
|
|
secret *api.Secret
|
|
exp int
|
|
}{
|
|
{
|
|
"nil",
|
|
nil,
|
|
0,
|
|
},
|
|
{
|
|
"nil_data",
|
|
&api.Secret{
|
|
Data: nil,
|
|
},
|
|
0,
|
|
},
|
|
{
|
|
"empty_data",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{},
|
|
},
|
|
0,
|
|
},
|
|
{
|
|
"data_not_json_number",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"num_uses": 123,
|
|
},
|
|
},
|
|
0,
|
|
},
|
|
{
|
|
"data_json_number",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"num_uses": json.Number("123"),
|
|
},
|
|
},
|
|
123,
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
tc := tc
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
act := tc.secret.TokenRemainingUses()
|
|
if act != tc.exp {
|
|
t.Errorf("expected %d to be %d", act, tc.exp)
|
|
}
|
|
})
|
|
}
|
|
|
|
t.Run("auth", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
uses := 5
|
|
|
|
if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
|
|
"password": "test",
|
|
"policies": "default",
|
|
"num_uses": uses,
|
|
}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
secret, err := client.Logical().Write("auth/userpass/login/test", map[string]interface{}{
|
|
"password": "test",
|
|
})
|
|
if err != nil || secret == nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// Remaining uses is not returned from this API
|
|
uses = 0
|
|
if secret.TokenRemainingUses() != uses {
|
|
t.Errorf("expected %d to be %d", secret.TokenRemainingUses(), uses)
|
|
}
|
|
})
|
|
|
|
t.Run("token-create", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
uses := 5
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
NumUses: uses,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// /auth/token/create does not return the number of uses
|
|
uses = 0
|
|
if secret.TokenRemainingUses() != uses {
|
|
t.Errorf("expected %d to be %d", secret.TokenRemainingUses(), uses)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
uses := 5
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
NumUses: uses,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
secret, err = client.Auth().Token().Lookup(token)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenRemainingUses() != uses {
|
|
t.Errorf("expected %d to be %d", secret.TokenRemainingUses(), uses)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
uses := 5
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
NumUses: uses,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().LookupSelf()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
uses = uses - 1 // we just used it
|
|
if secret.TokenRemainingUses() != uses {
|
|
t.Errorf("expected %d to be %d", secret.TokenRemainingUses(), uses)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
uses := 5
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
NumUses: uses,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
secret, err = client.Auth().Token().Renew(token, 0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// /auth/token/renew does not return the number of uses
|
|
uses = 0
|
|
if secret.TokenRemainingUses() != uses {
|
|
t.Errorf("expected %d to be %d", secret.TokenRemainingUses(), uses)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
uses := 5
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
NumUses: uses,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().RenewSelf(0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// /auth/token/renew-self does not return the number of uses
|
|
uses = 0
|
|
if secret.TokenRemainingUses() != uses {
|
|
t.Errorf("expected %d to be %d", secret.TokenRemainingUses(), uses)
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestSecret_TokenPolicies(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
name string
|
|
secret *api.Secret
|
|
exp []string
|
|
}{
|
|
{
|
|
"nil",
|
|
nil,
|
|
nil,
|
|
},
|
|
{
|
|
"nil_auth",
|
|
&api.Secret{
|
|
Auth: nil,
|
|
},
|
|
nil,
|
|
},
|
|
{
|
|
"nil_auth_policies",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
Policies: nil,
|
|
},
|
|
},
|
|
nil,
|
|
},
|
|
{
|
|
"empty_auth_policies",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
Policies: []string{},
|
|
},
|
|
},
|
|
nil,
|
|
},
|
|
{
|
|
"real_auth_policies",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
Policies: []string{"foo"},
|
|
},
|
|
},
|
|
[]string{"foo"},
|
|
},
|
|
{
|
|
"nil_data",
|
|
&api.Secret{
|
|
Data: nil,
|
|
},
|
|
nil,
|
|
},
|
|
{
|
|
"empty_data",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{},
|
|
},
|
|
nil,
|
|
},
|
|
{
|
|
"data_not_slice",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"policies": 123,
|
|
},
|
|
},
|
|
nil,
|
|
},
|
|
{
|
|
"data_slice",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"policies": []interface{}{"foo"},
|
|
},
|
|
},
|
|
[]string{"foo"},
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
tc := tc
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
act := tc.secret.TokenPolicies()
|
|
if !reflect.DeepEqual(act, tc.exp) {
|
|
t.Errorf("expected %#v to be %#v", act, tc.exp)
|
|
}
|
|
})
|
|
}
|
|
|
|
t.Run("auth", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
policies := []string{"bar", "default", "foo"}
|
|
|
|
if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
|
|
"password": "test",
|
|
"policies": strings.Join(policies, ","),
|
|
}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
secret, err := client.Logical().Write("auth/userpass/login/test", map[string]interface{}{
|
|
"password": "test",
|
|
})
|
|
if err != nil || secret == nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(secret.TokenPolicies(), policies) {
|
|
t.Errorf("expected %#v to be %#v", secret.TokenPolicies(), policies)
|
|
}
|
|
})
|
|
|
|
t.Run("token-create", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
policies := []string{"bar", "default", "foo"}
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: policies,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(secret.TokenPolicies(), policies) {
|
|
t.Errorf("expected %#v to be %#v", secret.TokenPolicies(), policies)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
policies := []string{"bar", "default", "foo"}
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: policies,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
secret, err = client.Auth().Token().Lookup(token)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(secret.TokenPolicies(), policies) {
|
|
t.Errorf("expected %#v to be %#v", secret.TokenPolicies(), policies)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
policies := []string{"bar", "default", "foo"}
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: policies,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().LookupSelf()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(secret.TokenPolicies(), policies) {
|
|
t.Errorf("expected %#v to be %#v", secret.TokenPolicies(), policies)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
policies := []string{"bar", "default", "foo"}
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: policies,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
secret, err = client.Auth().Token().Renew(token, 0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(secret.TokenPolicies(), policies) {
|
|
t.Errorf("expected %#v to be %#v", secret.TokenPolicies(), policies)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
policies := []string{"bar", "default", "foo"}
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: policies,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().RenewSelf(0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(secret.TokenPolicies(), policies) {
|
|
t.Errorf("expected %#v to be %#v", secret.TokenPolicies(), policies)
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestSecret_TokenMetadata(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
name string
|
|
secret *api.Secret
|
|
exp map[string]string
|
|
}{
|
|
{
|
|
"nil",
|
|
nil,
|
|
nil,
|
|
},
|
|
{
|
|
"nil_auth",
|
|
&api.Secret{
|
|
Auth: nil,
|
|
},
|
|
nil,
|
|
},
|
|
{
|
|
"nil_auth_metadata",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
Metadata: nil,
|
|
},
|
|
},
|
|
nil,
|
|
},
|
|
{
|
|
"empty_auth_metadata",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
Metadata: map[string]string{},
|
|
},
|
|
},
|
|
nil,
|
|
},
|
|
{
|
|
"real_auth_metdata",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
Metadata: map[string]string{"foo": "bar"},
|
|
},
|
|
},
|
|
map[string]string{"foo": "bar"},
|
|
},
|
|
{
|
|
"nil_data",
|
|
&api.Secret{
|
|
Data: nil,
|
|
},
|
|
nil,
|
|
},
|
|
{
|
|
"empty_data",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{},
|
|
},
|
|
nil,
|
|
},
|
|
{
|
|
"data_not_map",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"metadata": 123,
|
|
},
|
|
},
|
|
nil,
|
|
},
|
|
{
|
|
"data_map",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"metadata": map[string]interface{}{"foo": "bar"},
|
|
},
|
|
},
|
|
map[string]string{"foo": "bar"},
|
|
},
|
|
{
|
|
"data_map_bad_type",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"metadata": map[string]interface{}{"foo": 123},
|
|
},
|
|
},
|
|
nil,
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
tc := tc
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
act := tc.secret.TokenMetadata()
|
|
if !reflect.DeepEqual(act, tc.exp) {
|
|
t.Errorf("expected %#v to be %#v", act, tc.exp)
|
|
}
|
|
})
|
|
}
|
|
|
|
t.Run("auth", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
metadata := map[string]string{"username": "test"}
|
|
|
|
if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
|
|
"password": "test",
|
|
"policies": "default",
|
|
}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
secret, err := client.Logical().Write("auth/userpass/login/test", map[string]interface{}{
|
|
"password": "test",
|
|
})
|
|
if err != nil || secret == nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(secret.TokenMetadata(), metadata) {
|
|
t.Errorf("expected %#v to be %#v", secret.TokenMetadata(), metadata)
|
|
}
|
|
})
|
|
|
|
t.Run("token-create", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
metadata := map[string]string{"username": "test"}
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Metadata: metadata,
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(secret.TokenMetadata(), metadata) {
|
|
t.Errorf("expected %#v to be %#v", secret.TokenMetadata(), metadata)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
metadata := map[string]string{"username": "test"}
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Metadata: metadata,
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
secret, err = client.Auth().Token().Lookup(token)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(secret.TokenMetadata(), metadata) {
|
|
t.Errorf("expected %#v to be %#v", secret.TokenMetadata(), metadata)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
metadata := map[string]string{"username": "test"}
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Metadata: metadata,
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().LookupSelf()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(secret.TokenMetadata(), metadata) {
|
|
t.Errorf("expected %#v to be %#v", secret.TokenMetadata(), metadata)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
metadata := map[string]string{"username": "test"}
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Metadata: metadata,
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
secret, err = client.Auth().Token().Renew(token, 0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(secret.TokenMetadata(), metadata) {
|
|
t.Errorf("expected %#v to be %#v", secret.TokenMetadata(), metadata)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
metadata := map[string]string{"username": "test"}
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Metadata: metadata,
|
|
Policies: []string{"default"},
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().RenewSelf(0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if !reflect.DeepEqual(secret.TokenMetadata(), metadata) {
|
|
t.Errorf("expected %#v to be %#v", secret.TokenMetadata(), metadata)
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestSecret_TokenIsRenewable(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
name string
|
|
secret *api.Secret
|
|
exp bool
|
|
}{
|
|
{
|
|
"nil",
|
|
nil,
|
|
false,
|
|
},
|
|
{
|
|
"nil_auth",
|
|
&api.Secret{
|
|
Auth: nil,
|
|
},
|
|
false,
|
|
},
|
|
{
|
|
"auth_renewable_false",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
Renewable: false,
|
|
},
|
|
},
|
|
false,
|
|
},
|
|
{
|
|
"auth_renewable_true",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
Renewable: true,
|
|
},
|
|
},
|
|
true,
|
|
},
|
|
{
|
|
"nil_data",
|
|
&api.Secret{
|
|
Data: nil,
|
|
},
|
|
false,
|
|
},
|
|
{
|
|
"empty_data",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{},
|
|
},
|
|
false,
|
|
},
|
|
{
|
|
"data_not_bool",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"renewable": 123,
|
|
},
|
|
},
|
|
false,
|
|
},
|
|
{
|
|
"data_bool_true",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"renewable": true,
|
|
},
|
|
},
|
|
true,
|
|
},
|
|
{
|
|
"data_bool_false",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"renewable": true,
|
|
},
|
|
},
|
|
true,
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
tc := tc
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
act := tc.secret.TokenIsRenewable()
|
|
if act != tc.exp {
|
|
t.Errorf("expected %t to be %t", act, tc.exp)
|
|
}
|
|
})
|
|
}
|
|
|
|
t.Run("auth", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
renewable := true
|
|
|
|
if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
|
|
"password": "test",
|
|
"policies": "default",
|
|
}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
secret, err := client.Logical().Write("auth/userpass/login/test", map[string]interface{}{
|
|
"password": "test",
|
|
})
|
|
if err != nil || secret == nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenIsRenewable() != renewable {
|
|
t.Errorf("expected %t to be %t", secret.TokenIsRenewable(), renewable)
|
|
}
|
|
})
|
|
|
|
t.Run("token-create", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
renewable := true
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
Renewable: &renewable,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenIsRenewable() != renewable {
|
|
t.Errorf("expected %t to be %t", secret.TokenIsRenewable(), renewable)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
renewable := true
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
Renewable: &renewable,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
secret, err = client.Auth().Token().Lookup(token)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenIsRenewable() != renewable {
|
|
t.Errorf("expected %t to be %t", secret.TokenIsRenewable(), renewable)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
renewable := true
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
Renewable: &renewable,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().LookupSelf()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenIsRenewable() != renewable {
|
|
t.Errorf("expected %t to be %t", secret.TokenIsRenewable(), renewable)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
renewable := true
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
Renewable: &renewable,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
secret, err = client.Auth().Token().Renew(token, 0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenIsRenewable() != renewable {
|
|
t.Errorf("expected %t to be %t", secret.TokenIsRenewable(), renewable)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
renewable := true
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
Renewable: &renewable,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().RenewSelf(0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenIsRenewable() != renewable {
|
|
t.Errorf("expected %t to be %t", secret.TokenIsRenewable(), renewable)
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestSecret_TokenTTLInt(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
name string
|
|
secret *api.Secret
|
|
exp int
|
|
}{
|
|
{
|
|
"nil",
|
|
nil,
|
|
0,
|
|
},
|
|
{
|
|
"nil_auth",
|
|
&api.Secret{
|
|
Auth: nil,
|
|
},
|
|
0,
|
|
},
|
|
{
|
|
"nil_auth_lease_duration",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
LeaseDuration: 0,
|
|
},
|
|
},
|
|
0,
|
|
},
|
|
{
|
|
"real_auth_lease_duration",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
LeaseDuration: 3600,
|
|
},
|
|
},
|
|
3600,
|
|
},
|
|
{
|
|
"nil_data",
|
|
&api.Secret{
|
|
Data: nil,
|
|
},
|
|
0,
|
|
},
|
|
{
|
|
"empty_data",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{},
|
|
},
|
|
0,
|
|
},
|
|
{
|
|
"data_not_json_number",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"ttl": 123,
|
|
},
|
|
},
|
|
0,
|
|
},
|
|
{
|
|
"data_json_number",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"ttl": json.Number("3600"),
|
|
},
|
|
},
|
|
3600,
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
tc := tc
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
act := tc.secret.TokenTTLInt()
|
|
if act != tc.exp {
|
|
t.Errorf("expected %d to be %d", act, tc.exp)
|
|
}
|
|
})
|
|
}
|
|
|
|
t.Run("auth", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ttl := 3600
|
|
|
|
if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
|
|
"password": "test",
|
|
"policies": "default",
|
|
"ttl": fmt.Sprintf("%ds", ttl),
|
|
"explicit_max_ttl": fmt.Sprintf("%ds", ttl),
|
|
}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
secret, err := client.Logical().Write("auth/userpass/login/test", map[string]interface{}{
|
|
"password": "test",
|
|
})
|
|
if err != nil || secret == nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenTTLInt() == 0 || secret.TokenTTLInt() > ttl {
|
|
t.Errorf("expected %q to non-zero and less than %q", secret.TokenTTL(), ttl)
|
|
}
|
|
})
|
|
|
|
t.Run("token-create", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ttl := 3600
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
TTL: fmt.Sprintf("%ds", ttl),
|
|
ExplicitMaxTTL: fmt.Sprintf("%ds", ttl),
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenTTLInt() == 0 || secret.TokenTTLInt() > ttl {
|
|
t.Errorf("expected %q to non-zero and less than %q", secret.TokenTTLInt(), ttl)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ttl := 3600
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
TTL: fmt.Sprintf("%ds", ttl),
|
|
ExplicitMaxTTL: fmt.Sprintf("%ds", ttl),
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
secret, err = client.Auth().Token().Lookup(token)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenTTLInt() == 0 || secret.TokenTTLInt() > ttl {
|
|
t.Errorf("expected %q to non-zero and less than %q", secret.TokenTTLInt(), ttl)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ttl := 3600
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
TTL: fmt.Sprintf("%ds", ttl),
|
|
ExplicitMaxTTL: fmt.Sprintf("%ds", ttl),
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().LookupSelf()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenTTLInt() == 0 || secret.TokenTTLInt() > ttl {
|
|
t.Errorf("expected %q to non-zero and less than %q", secret.TokenTTLInt(), ttl)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ttl := 3600
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
TTL: fmt.Sprintf("%ds", ttl),
|
|
ExplicitMaxTTL: fmt.Sprintf("%ds", ttl),
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
secret, err = client.Auth().Token().Renew(token, 0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenTTLInt() == 0 || secret.TokenTTLInt() > ttl {
|
|
t.Errorf("expected %q to non-zero and less than %q", secret.TokenTTLInt(), ttl)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ttl := 3600
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
TTL: fmt.Sprintf("%ds", ttl),
|
|
ExplicitMaxTTL: fmt.Sprintf("%ds", ttl),
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().RenewSelf(0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenTTLInt() == 0 || secret.TokenTTLInt() > ttl {
|
|
t.Errorf("expected %q to non-zero and less than %q", secret.TokenTTLInt(), ttl)
|
|
}
|
|
})
|
|
}
|
|
|
|
func TestSecret_TokenTTL(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
name string
|
|
secret *api.Secret
|
|
exp time.Duration
|
|
}{
|
|
{
|
|
"nil",
|
|
nil,
|
|
0,
|
|
},
|
|
{
|
|
"nil_auth",
|
|
&api.Secret{
|
|
Auth: nil,
|
|
},
|
|
0,
|
|
},
|
|
{
|
|
"nil_auth_lease_duration",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
LeaseDuration: 0,
|
|
},
|
|
},
|
|
0,
|
|
},
|
|
{
|
|
"real_auth_lease_duration",
|
|
&api.Secret{
|
|
Auth: &api.SecretAuth{
|
|
LeaseDuration: 3600,
|
|
},
|
|
},
|
|
1 * time.Hour,
|
|
},
|
|
{
|
|
"nil_data",
|
|
&api.Secret{
|
|
Data: nil,
|
|
},
|
|
0,
|
|
},
|
|
{
|
|
"empty_data",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{},
|
|
},
|
|
0,
|
|
},
|
|
{
|
|
"data_not_json_number",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"ttl": 123,
|
|
},
|
|
},
|
|
0,
|
|
},
|
|
{
|
|
"data_json_number",
|
|
&api.Secret{
|
|
Data: map[string]interface{}{
|
|
"ttl": json.Number("3600"),
|
|
},
|
|
},
|
|
1 * time.Hour,
|
|
},
|
|
}
|
|
|
|
for _, tc := range cases {
|
|
tc := tc
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
act := tc.secret.TokenTTL()
|
|
if act != tc.exp {
|
|
t.Errorf("expected %q to be %q", act, tc.exp)
|
|
}
|
|
})
|
|
}
|
|
|
|
t.Run("auth", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ttl := 30 * time.Minute
|
|
|
|
if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if _, err := client.Logical().Write("auth/userpass/users/test", map[string]interface{}{
|
|
"password": "test",
|
|
"policies": "default",
|
|
"ttl": ttl.String(),
|
|
"explicit_max_ttl": ttl.String(),
|
|
}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
secret, err := client.Logical().Write("auth/userpass/login/test", map[string]interface{}{
|
|
"password": "test",
|
|
})
|
|
if err != nil || secret == nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenTTL() == 0 || secret.TokenTTL() > ttl {
|
|
t.Errorf("expected %q to non-zero and less than %q", secret.TokenTTL(), ttl)
|
|
}
|
|
})
|
|
|
|
t.Run("token-create", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ttl := 30 * time.Minute
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
TTL: ttl.String(),
|
|
ExplicitMaxTTL: ttl.String(),
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenTTL() == 0 || secret.TokenTTL() > ttl {
|
|
t.Errorf("expected %q to non-zero and less than %q", secret.TokenTTL(), ttl)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ttl := 30 * time.Minute
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
TTL: ttl.String(),
|
|
ExplicitMaxTTL: ttl.String(),
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
secret, err = client.Auth().Token().Lookup(token)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenTTL() == 0 || secret.TokenTTL() > ttl {
|
|
t.Errorf("expected %q to non-zero and less than %q", secret.TokenTTL(), ttl)
|
|
}
|
|
})
|
|
|
|
t.Run("token-lookup-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ttl := 30 * time.Minute
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
TTL: ttl.String(),
|
|
ExplicitMaxTTL: ttl.String(),
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().LookupSelf()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenTTL() == 0 || secret.TokenTTL() > ttl {
|
|
t.Errorf("expected %q to non-zero and less than %q", secret.TokenTTL(), ttl)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ttl := 30 * time.Minute
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
TTL: ttl.String(),
|
|
ExplicitMaxTTL: ttl.String(),
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
secret, err = client.Auth().Token().Renew(token, 0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenTTL() == 0 || secret.TokenTTL() > ttl {
|
|
t.Errorf("expected %q to non-zero and less than %q", secret.TokenTTL(), ttl)
|
|
}
|
|
})
|
|
|
|
t.Run("token-renew-self", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ttl := 30 * time.Minute
|
|
|
|
secret, err := client.Auth().Token().Create(&api.TokenCreateRequest{
|
|
Policies: []string{"default"},
|
|
TTL: ttl.String(),
|
|
ExplicitMaxTTL: ttl.String(),
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
token := secret.Auth.ClientToken
|
|
|
|
client.SetToken(token)
|
|
secret, err = client.Auth().Token().RenewSelf(0)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
if secret.TokenTTL() == 0 || secret.TokenTTL() > ttl {
|
|
t.Errorf("expected %q to non-zero and less than %q", secret.TokenTTL(), ttl)
|
|
}
|
|
})
|
|
}
|