b6c05fae33
* enable registering backend muxed plugins in plugin catalog * set the sysview on the pluginconfig to allow enabling secrets/auth plugins * store backend instances in map * store single implementations in the instances map cleanup instance map and ensure we don't deadlock * fix system backend unit tests move GetMultiplexIDFromContext to pluginutil package fix pluginutil test fix dbplugin ut * return error(s) if we can't get the plugin client update comments * refactor/move GetMultiplexIDFromContext test * add changelog * remove unnecessary field on pluginClient * add unit tests to PluginCatalog for secrets/auth plugins * fix comment * return pluginClient from TestRunTestPlugin * add multiplexed backend test * honor metadatamode value in newbackend pluginconfig * check that connection exists on cleanup * add automtls to secrets/auth plugins * don't remove apiclientmeta parsing * use formatting directive for fmt.Errorf * fix ut: remove tls provider func * remove tlsproviderfunc from backend plugin tests * use env var to prevent test plugin from running as a unit test * WIP: remove lazy loading * move non lazy loaded backend to new package * use version wrapper for backend plugin factory * remove backendVersionWrapper type * implement getBackendPluginType for plugin catalog * handle backend plugin v4 registration * add plugin automtls env guard * modify plugin factory to determine the backend to use * remove old pluginsets from v5 and log pid in plugin catalog * add reload mechanism via context * readd v3 and v4 to pluginset * call cleanup from reload if non-muxed * move v5 backend code to new package * use context reload for for ErrPluginShutdown case * add wrapper on v5 backend * fix run config UTs * fix unit tests - use v4/v5 mapping for plugin versions - fix test build err - add reload method on fakePluginClient - add multiplexed cases for integration tests * remove comment and update AutoMTLS field in test * remove comment * remove errwrap and unused context * only support metadatamode false for v5 backend plugins * update plugin catalog errors * use const for env variables * rename locks and remove unused * remove unneeded nil check * improvements based on staticcheck recommendations * use const for single implementation string * use const for context key * use info default log level * move pid to pluginClient struct * remove v3 and v4 from multiplexed plugin set * return from reload when non-multiplexed * update automtls env string * combine getBackend and getBrokeredClient * update comments for plugin reload, Backend return val and log * revert Backend return type * allow non-muxed plugins to serve v5 * move v5 code to existing sdk plugin package * do next export sdk fields now that we have removed extra plugin pkg * set TLSProvider in ServeMultiplex for backwards compat * use bool to flag multiplexing support on grpc backend server * revert userpass main.go * refactor plugin sdk - update comments - make use of multiplexing boolean and single implementation ID const * update comment and use multierr * attempt v4 if dispense fails on getPluginTypeForUnknown * update comments on sdk plugin backend
356 lines
9.2 KiB
Go
356 lines
9.2 KiB
Go
package pluginutil
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"os/exec"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/hashicorp/vault/sdk/version"
|
|
|
|
"github.com/hashicorp/go-hclog"
|
|
"github.com/hashicorp/go-plugin"
|
|
"github.com/hashicorp/vault/sdk/helper/wrapping"
|
|
"github.com/stretchr/testify/mock"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestMakeConfig(t *testing.T) {
|
|
type testCase struct {
|
|
rc runConfig
|
|
|
|
responseWrapInfo *wrapping.ResponseWrapInfo
|
|
responseWrapInfoErr error
|
|
responseWrapInfoTimes int
|
|
|
|
mlockEnabled bool
|
|
mlockEnabledTimes int
|
|
|
|
expectedConfig *plugin.ClientConfig
|
|
expectTLSConfig bool
|
|
}
|
|
|
|
tests := map[string]testCase{
|
|
"metadata mode, not-AutoMTLS": {
|
|
rc: runConfig{
|
|
command: "echo",
|
|
args: []string{"foo", "bar"},
|
|
sha256: []byte("some_sha256"),
|
|
env: []string{"initial=true"},
|
|
PluginClientConfig: PluginClientConfig{
|
|
PluginSets: map[int]plugin.PluginSet{
|
|
1: {
|
|
"bogus": nil,
|
|
},
|
|
},
|
|
HandshakeConfig: plugin.HandshakeConfig{
|
|
ProtocolVersion: 1,
|
|
MagicCookieKey: "magic_cookie_key",
|
|
MagicCookieValue: "magic_cookie_value",
|
|
},
|
|
Logger: hclog.NewNullLogger(),
|
|
IsMetadataMode: true,
|
|
AutoMTLS: false,
|
|
},
|
|
},
|
|
|
|
responseWrapInfoTimes: 0,
|
|
|
|
mlockEnabled: false,
|
|
mlockEnabledTimes: 1,
|
|
|
|
expectedConfig: &plugin.ClientConfig{
|
|
HandshakeConfig: plugin.HandshakeConfig{
|
|
ProtocolVersion: 1,
|
|
MagicCookieKey: "magic_cookie_key",
|
|
MagicCookieValue: "magic_cookie_value",
|
|
},
|
|
VersionedPlugins: map[int]plugin.PluginSet{
|
|
1: {
|
|
"bogus": nil,
|
|
},
|
|
},
|
|
Cmd: commandWithEnv(
|
|
"echo",
|
|
[]string{"foo", "bar"},
|
|
[]string{
|
|
"initial=true",
|
|
fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
|
|
fmt.Sprintf("%s=%t", PluginMetadataModeEnv, true),
|
|
fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, false),
|
|
},
|
|
),
|
|
SecureConfig: &plugin.SecureConfig{
|
|
Checksum: []byte("some_sha256"),
|
|
// Hash is generated
|
|
},
|
|
AllowedProtocols: []plugin.Protocol{
|
|
plugin.ProtocolNetRPC,
|
|
plugin.ProtocolGRPC,
|
|
},
|
|
Logger: hclog.NewNullLogger(),
|
|
AutoMTLS: false,
|
|
},
|
|
expectTLSConfig: false,
|
|
},
|
|
"non-metadata mode, not-AutoMTLS": {
|
|
rc: runConfig{
|
|
command: "echo",
|
|
args: []string{"foo", "bar"},
|
|
sha256: []byte("some_sha256"),
|
|
env: []string{"initial=true"},
|
|
PluginClientConfig: PluginClientConfig{
|
|
PluginSets: map[int]plugin.PluginSet{
|
|
1: {
|
|
"bogus": nil,
|
|
},
|
|
},
|
|
HandshakeConfig: plugin.HandshakeConfig{
|
|
ProtocolVersion: 1,
|
|
MagicCookieKey: "magic_cookie_key",
|
|
MagicCookieValue: "magic_cookie_value",
|
|
},
|
|
Logger: hclog.NewNullLogger(),
|
|
IsMetadataMode: false,
|
|
AutoMTLS: false,
|
|
},
|
|
},
|
|
|
|
responseWrapInfo: &wrapping.ResponseWrapInfo{
|
|
Token: "testtoken",
|
|
},
|
|
responseWrapInfoTimes: 1,
|
|
|
|
mlockEnabled: true,
|
|
mlockEnabledTimes: 1,
|
|
|
|
expectedConfig: &plugin.ClientConfig{
|
|
HandshakeConfig: plugin.HandshakeConfig{
|
|
ProtocolVersion: 1,
|
|
MagicCookieKey: "magic_cookie_key",
|
|
MagicCookieValue: "magic_cookie_value",
|
|
},
|
|
VersionedPlugins: map[int]plugin.PluginSet{
|
|
1: {
|
|
"bogus": nil,
|
|
},
|
|
},
|
|
Cmd: commandWithEnv(
|
|
"echo",
|
|
[]string{"foo", "bar"},
|
|
[]string{
|
|
"initial=true",
|
|
fmt.Sprintf("%s=%t", PluginMlockEnabled, true),
|
|
fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
|
|
fmt.Sprintf("%s=%t", PluginMetadataModeEnv, false),
|
|
fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, false),
|
|
fmt.Sprintf("%s=%s", PluginUnwrapTokenEnv, "testtoken"),
|
|
},
|
|
),
|
|
SecureConfig: &plugin.SecureConfig{
|
|
Checksum: []byte("some_sha256"),
|
|
// Hash is generated
|
|
},
|
|
AllowedProtocols: []plugin.Protocol{
|
|
plugin.ProtocolNetRPC,
|
|
plugin.ProtocolGRPC,
|
|
},
|
|
Logger: hclog.NewNullLogger(),
|
|
AutoMTLS: false,
|
|
},
|
|
expectTLSConfig: true,
|
|
},
|
|
"metadata mode, AutoMTLS": {
|
|
rc: runConfig{
|
|
command: "echo",
|
|
args: []string{"foo", "bar"},
|
|
sha256: []byte("some_sha256"),
|
|
env: []string{"initial=true"},
|
|
PluginClientConfig: PluginClientConfig{
|
|
PluginSets: map[int]plugin.PluginSet{
|
|
1: {
|
|
"bogus": nil,
|
|
},
|
|
},
|
|
HandshakeConfig: plugin.HandshakeConfig{
|
|
ProtocolVersion: 1,
|
|
MagicCookieKey: "magic_cookie_key",
|
|
MagicCookieValue: "magic_cookie_value",
|
|
},
|
|
Logger: hclog.NewNullLogger(),
|
|
IsMetadataMode: true,
|
|
AutoMTLS: true,
|
|
},
|
|
},
|
|
|
|
responseWrapInfoTimes: 0,
|
|
|
|
mlockEnabled: false,
|
|
mlockEnabledTimes: 1,
|
|
|
|
expectedConfig: &plugin.ClientConfig{
|
|
HandshakeConfig: plugin.HandshakeConfig{
|
|
ProtocolVersion: 1,
|
|
MagicCookieKey: "magic_cookie_key",
|
|
MagicCookieValue: "magic_cookie_value",
|
|
},
|
|
VersionedPlugins: map[int]plugin.PluginSet{
|
|
1: {
|
|
"bogus": nil,
|
|
},
|
|
},
|
|
Cmd: commandWithEnv(
|
|
"echo",
|
|
[]string{"foo", "bar"},
|
|
[]string{
|
|
"initial=true",
|
|
fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
|
|
fmt.Sprintf("%s=%t", PluginMetadataModeEnv, true),
|
|
fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, true),
|
|
},
|
|
),
|
|
SecureConfig: &plugin.SecureConfig{
|
|
Checksum: []byte("some_sha256"),
|
|
// Hash is generated
|
|
},
|
|
AllowedProtocols: []plugin.Protocol{
|
|
plugin.ProtocolNetRPC,
|
|
plugin.ProtocolGRPC,
|
|
},
|
|
Logger: hclog.NewNullLogger(),
|
|
AutoMTLS: true,
|
|
},
|
|
expectTLSConfig: false,
|
|
},
|
|
"not-metadata mode, AutoMTLS": {
|
|
rc: runConfig{
|
|
command: "echo",
|
|
args: []string{"foo", "bar"},
|
|
sha256: []byte("some_sha256"),
|
|
env: []string{"initial=true"},
|
|
PluginClientConfig: PluginClientConfig{
|
|
PluginSets: map[int]plugin.PluginSet{
|
|
1: {
|
|
"bogus": nil,
|
|
},
|
|
},
|
|
HandshakeConfig: plugin.HandshakeConfig{
|
|
ProtocolVersion: 1,
|
|
MagicCookieKey: "magic_cookie_key",
|
|
MagicCookieValue: "magic_cookie_value",
|
|
},
|
|
Logger: hclog.NewNullLogger(),
|
|
IsMetadataMode: false,
|
|
AutoMTLS: true,
|
|
},
|
|
},
|
|
|
|
responseWrapInfoTimes: 0,
|
|
|
|
mlockEnabled: false,
|
|
mlockEnabledTimes: 1,
|
|
|
|
expectedConfig: &plugin.ClientConfig{
|
|
HandshakeConfig: plugin.HandshakeConfig{
|
|
ProtocolVersion: 1,
|
|
MagicCookieKey: "magic_cookie_key",
|
|
MagicCookieValue: "magic_cookie_value",
|
|
},
|
|
VersionedPlugins: map[int]plugin.PluginSet{
|
|
1: {
|
|
"bogus": nil,
|
|
},
|
|
},
|
|
Cmd: commandWithEnv(
|
|
"echo",
|
|
[]string{"foo", "bar"},
|
|
[]string{
|
|
"initial=true",
|
|
fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
|
|
fmt.Sprintf("%s=%t", PluginMetadataModeEnv, false),
|
|
fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, true),
|
|
},
|
|
),
|
|
SecureConfig: &plugin.SecureConfig{
|
|
Checksum: []byte("some_sha256"),
|
|
// Hash is generated
|
|
},
|
|
AllowedProtocols: []plugin.Protocol{
|
|
plugin.ProtocolNetRPC,
|
|
plugin.ProtocolGRPC,
|
|
},
|
|
Logger: hclog.NewNullLogger(),
|
|
AutoMTLS: true,
|
|
},
|
|
expectTLSConfig: false,
|
|
},
|
|
}
|
|
|
|
for name, test := range tests {
|
|
t.Run(name, func(t *testing.T) {
|
|
mockWrapper := new(mockRunnerUtil)
|
|
mockWrapper.On("ResponseWrapData", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
|
|
Return(test.responseWrapInfo, test.responseWrapInfoErr)
|
|
mockWrapper.On("MlockEnabled").
|
|
Return(test.mlockEnabled)
|
|
test.rc.Wrapper = mockWrapper
|
|
defer mockWrapper.AssertNumberOfCalls(t, "ResponseWrapData", test.responseWrapInfoTimes)
|
|
defer mockWrapper.AssertNumberOfCalls(t, "MlockEnabled", test.mlockEnabledTimes)
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
|
defer cancel()
|
|
|
|
config, err := test.rc.makeConfig(ctx)
|
|
if err != nil {
|
|
t.Fatalf("no error expected, got: %s", err)
|
|
}
|
|
|
|
// The following fields are generated, so we just need to check for existence, not specific value
|
|
// The value must be nilled out before performing a DeepEqual check
|
|
hsh := config.SecureConfig.Hash
|
|
if hsh == nil {
|
|
t.Fatalf("Missing SecureConfig.Hash")
|
|
}
|
|
config.SecureConfig.Hash = nil
|
|
|
|
if test.expectTLSConfig && config.TLSConfig == nil {
|
|
t.Fatalf("TLS config expected, got nil")
|
|
}
|
|
if !test.expectTLSConfig && config.TLSConfig != nil {
|
|
t.Fatalf("no TLS config expected, got: %#v", config.TLSConfig)
|
|
}
|
|
config.TLSConfig = nil
|
|
|
|
require.Equal(t, test.expectedConfig, config)
|
|
})
|
|
}
|
|
}
|
|
|
|
func commandWithEnv(cmd string, args []string, env []string) *exec.Cmd {
|
|
c := exec.Command(cmd, args...)
|
|
c.Env = env
|
|
return c
|
|
}
|
|
|
|
var _ RunnerUtil = &mockRunnerUtil{}
|
|
|
|
type mockRunnerUtil struct {
|
|
mock.Mock
|
|
}
|
|
|
|
func (m *mockRunnerUtil) NewPluginClient(ctx context.Context, config PluginClientConfig) (PluginClient, error) {
|
|
args := m.Called(ctx, config)
|
|
return args.Get(0).(PluginClient), args.Error(1)
|
|
}
|
|
|
|
func (m *mockRunnerUtil) ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) {
|
|
args := m.Called(ctx, data, ttl, jwt)
|
|
return args.Get(0).(*wrapping.ResponseWrapInfo), args.Error(1)
|
|
}
|
|
|
|
func (m *mockRunnerUtil) MlockEnabled() bool {
|
|
args := m.Called()
|
|
return args.Bool(0)
|
|
}
|