469555ef1a
* agent/auth/kerberos: add disable_fast_negotiation * simplify test * Update command/agent/auth/kerberos/kerberos_test.go Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com> * simplify tests Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
package kerberos
import (
"testing"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/vault/command/agent/auth"
)
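// TestNewKerberosAuthMethod checks that NewKerberosAuthMethod rejects nil or
// incomplete configuration, and that disable_fast_negotiation is false unless
// the configuration sets it.
func TestNewKerberosAuthMethod(t *testing.T) {
	if _, err := NewKerberosAuthMethod(nil); err == nil {
		t.Fatal("err should be returned for nil input")
	}
	if _, err := NewKerberosAuthMethod(&auth.AuthConfig{}); err == nil {
		t.Fatal("err should be returned for nil config map")
	}

	// Each key is required on its own: removing any single one from an
	// otherwise complete config must make construction fail.
	requiredKeys := []string{"username", "service", "realm", "keytab_path", "krb5conf_path"}
	for _, key := range requiredKeys {
		incomplete := simpleAuthConfig()
		delete(incomplete.Config, key)
		if _, err := NewKerberosAuthMethod(incomplete); err == nil {
			t.Fatalf("err should be returned for missing %s", key)
		}
	}

	// fastDisabled builds the auth method and returns the parsed flag. The
	// checked type assertion turns an unexpected concrete type into a test
	// failure instead of a panic.
	fastDisabled := func(cfg *auth.AuthConfig) bool {
		t.Helper()
		authMethod, err := NewKerberosAuthMethod(cfg)
		if err != nil {
			t.Fatal(err)
		}
		km, ok := authMethod.(*kerberosMethod)
		if !ok {
			t.Fatalf("expected *kerberosMethod, got %T", authMethod)
		}
		return km.loginCfg.DisableFASTNegotiation
	}

	authConfig := simpleAuthConfig()

	// False by default: a config that never mentions the option must leave
	// FAST negotiation enabled, so turning it off is always an explicit
	// operator decision.
	if actual := fastDisabled(authConfig); actual {
		t.Fatalf("disable_fast_negotiation should be false, it wasn't: %t", actual)
	}

	// True from override: the value is supplied as the string "true", not as
	// a Go bool.
	authConfig.Config["disable_fast_negotiation"] = "true"
	if actual := fastDisabled(authConfig); !actual {
		t.Fatalf("disable_fast_negotiation should be true, it wasn't: %t", actual)
	}
}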
// simpleAuthConfig returns a new, fully populated AuthConfig on every call so
// that a test can delete or override keys without affecting other cases. The
// values are fixtures; nothing in this file creates the keytab or krb5.conf
// files they name.
func simpleAuthConfig() *auth.AuthConfig {
	settings := map[string]interface{}{}
	settings["username"] = "grace"
	settings["service"] = "HTTP/05a65fad28ef.matrix.lan:8200"
	settings["realm"] = "MATRIX.LAN"
	settings["keytab_path"] = "grace.keytab"
	settings["krb5conf_path"] = "krb5.conf"

	cfg := new(auth.AuthConfig)
	cfg.Logger = hclog.NewNullLogger() // discard log output during tests
	cfg.MountPath = "kerberos"
	cfg.WrapTTL = 20
	cfg.Config = settings
	return cfg
}