mirror of
https://github.com/hashicorp/vault.git
synced 2025-11-09 21:01:27 +01:00
5b2f37614c
* Fix unsetting sys tunable values (on ent). * Remove commented test, add GoDoc for test. * Handle empty slices better (PR feedback). * Fetch Auth endpoint without listing (PR feedback). * Fatal vs. Error * Add GetAuth instead of ListAuth * Fix error format error. Oops! * One more list->get auth. Remove extra check. * Updated TuneMountWithContextAllowNil to use a struct (with all pointers). * Allow setting empty values for userLockoutConfig too - use new struct. * Extra pointer. * Remove useless functions. * Simple test to ensure any field we can set we can update and vice-versa. * Add json tag checks. Co-authored-by: Kit Haines <khaines@mit.edu>
437 lines
13 KiB
Go
437 lines
13 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package command
|
|
|
|
import (
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/go-test/deep"
|
|
"github.com/hashicorp/cli"
|
|
"github.com/hashicorp/vault/api"
|
|
"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
|
|
"github.com/hashicorp/vault/helper/testhelpers/minimal"
|
|
)
|
|
|
|
func testAuthTuneCommand(tb testing.TB) (*cli.MockUi, *AuthTuneCommand) {
|
|
tb.Helper()
|
|
|
|
ui := cli.NewMockUi()
|
|
return ui, &AuthTuneCommand{
|
|
BaseCommand: &BaseCommand{
|
|
UI: ui,
|
|
},
|
|
}
|
|
}
|
|
|
|
func TestAuthTuneCommand_Run(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
name string
|
|
args []string
|
|
out string
|
|
code int
|
|
}{
|
|
{
|
|
"not_enough_args",
|
|
[]string{},
|
|
"Not enough arguments",
|
|
1,
|
|
},
|
|
{
|
|
"too_many_args",
|
|
[]string{"foo", "bar"},
|
|
"Too many arguments",
|
|
1,
|
|
},
|
|
}
|
|
|
|
t.Run("validations", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
for _, tc := range cases {
|
|
tc := tc
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ui, cmd := testAuthTuneCommand(t)
|
|
cmd.client = client
|
|
|
|
code := cmd.Run(tc.args)
|
|
if code != tc.code {
|
|
t.Errorf("expected %d to be %d", code, tc.code)
|
|
}
|
|
|
|
combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
|
|
if !strings.Contains(combined, tc.out) {
|
|
t.Errorf("expected %q to contain %q", combined, tc.out)
|
|
}
|
|
})
|
|
}
|
|
})
|
|
|
|
t.Run("integration", func(t *testing.T) {
|
|
t.Run("flags_all", func(t *testing.T) {
|
|
t.Parallel()
|
|
pluginDir := corehelpers.MakeTestPluginDir(t)
|
|
|
|
client, _, closer := testVaultServerPluginDir(t, pluginDir)
|
|
defer closer()
|
|
|
|
ui, cmd := testAuthTuneCommand(t)
|
|
cmd.client = client
|
|
|
|
// Mount
|
|
if err := client.Sys().EnableAuthWithOptions("my-auth", &api.EnableAuthOptions{
|
|
Type: "userpass",
|
|
}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
auths, err := client.Sys().ListAuth()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
mountInfo, ok := auths["my-auth/"]
|
|
if !ok {
|
|
t.Fatalf("expected mount to exist: %#v", auths)
|
|
}
|
|
|
|
if exp := ""; mountInfo.PluginVersion != exp {
|
|
t.Errorf("expected %q to be %q", mountInfo.PluginVersion, exp)
|
|
}
|
|
|
|
_, _, version := testPluginCreateAndRegisterVersioned(t, client, pluginDir, "userpass", api.PluginTypeCredential)
|
|
|
|
code := cmd.Run([]string{
|
|
"-description", "new description",
|
|
"-default-lease-ttl", "30m",
|
|
"-max-lease-ttl", "1h",
|
|
"-audit-non-hmac-request-keys", "foo,bar",
|
|
"-audit-non-hmac-response-keys", "foo,bar",
|
|
"-passthrough-request-headers", "authorization",
|
|
"-passthrough-request-headers", "www-authentication",
|
|
"-allowed-response-headers", "authorization,www-authentication",
|
|
"-listing-visibility", "unauth",
|
|
"-plugin-version", version,
|
|
"-identity-token-key", "default",
|
|
"-trim-request-trailing-slashes=true",
|
|
"my-auth/",
|
|
})
|
|
if exp := 0; code != exp {
|
|
t.Errorf("expected %d to be %d", code, exp)
|
|
}
|
|
|
|
expected := "Success! Tuned the auth method at: my-auth/"
|
|
combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
|
|
if !strings.Contains(combined, expected) {
|
|
t.Errorf("expected %q to contain %q", combined, expected)
|
|
}
|
|
|
|
auths, err = client.Sys().ListAuth()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
mountInfo, ok = auths["my-auth/"]
|
|
if !ok {
|
|
t.Fatalf("expected auth to exist")
|
|
}
|
|
if exp := "new description"; mountInfo.Description != exp {
|
|
t.Errorf("expected %q to be %q", mountInfo.Description, exp)
|
|
}
|
|
if exp := "userpass"; mountInfo.Type != exp {
|
|
t.Errorf("expected %q to be %q", mountInfo.Type, exp)
|
|
}
|
|
if exp := version; mountInfo.PluginVersion != exp {
|
|
t.Errorf("expected %q to be %q", mountInfo.PluginVersion, exp)
|
|
}
|
|
if exp := 1800; mountInfo.Config.DefaultLeaseTTL != exp {
|
|
t.Errorf("expected %d to be %d", mountInfo.Config.DefaultLeaseTTL, exp)
|
|
}
|
|
if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp {
|
|
t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp)
|
|
}
|
|
if !mountInfo.Config.TrimRequestTrailingSlashes {
|
|
t.Errorf("expected trim_request_trailing_slashes to be enabled")
|
|
}
|
|
if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
|
|
t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
|
|
}
|
|
if diff := deep.Equal([]string{"authorization,www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
|
|
t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
|
|
}
|
|
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
|
|
t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
|
|
}
|
|
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
|
|
t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
|
|
}
|
|
if diff := deep.Equal("default", mountInfo.Config.IdentityTokenKey); len(diff) > 0 {
|
|
t.Errorf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff)
|
|
}
|
|
})
|
|
|
|
t.Run("flags_description", func(t *testing.T) {
|
|
t.Parallel()
|
|
t.Run("not_provided", func(t *testing.T) {
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ui, cmd := testAuthTuneCommand(t)
|
|
cmd.client = client
|
|
|
|
// Mount
|
|
if err := client.Sys().EnableAuthWithOptions("my-auth", &api.EnableAuthOptions{
|
|
Type: "userpass",
|
|
Description: "initial description",
|
|
}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
code := cmd.Run([]string{
|
|
"-default-lease-ttl", "30m",
|
|
"my-auth/",
|
|
})
|
|
if exp := 0; code != exp {
|
|
t.Errorf("expected %d to be %d", code, exp)
|
|
}
|
|
|
|
expected := "Success! Tuned the auth method at: my-auth/"
|
|
combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
|
|
if !strings.Contains(combined, expected) {
|
|
t.Errorf("expected %q to contain %q", combined, expected)
|
|
}
|
|
|
|
auths, err := client.Sys().ListAuth()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
mountInfo, ok := auths["my-auth/"]
|
|
if !ok {
|
|
t.Fatalf("expected auth to exist")
|
|
}
|
|
if exp := "initial description"; mountInfo.Description != exp {
|
|
t.Errorf("expected %q to be %q", mountInfo.Description, exp)
|
|
}
|
|
})
|
|
|
|
t.Run("provided_empty", func(t *testing.T) {
|
|
client, closer := testVaultServer(t)
|
|
defer closer()
|
|
|
|
ui, cmd := testAuthTuneCommand(t)
|
|
cmd.client = client
|
|
|
|
// Mount
|
|
if err := client.Sys().EnableAuthWithOptions("my-auth", &api.EnableAuthOptions{
|
|
Type: "userpass",
|
|
Description: "initial description",
|
|
}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
code := cmd.Run([]string{
|
|
"-description", "",
|
|
"my-auth/",
|
|
})
|
|
if exp := 0; code != exp {
|
|
t.Errorf("expected %d to be %d", code, exp)
|
|
}
|
|
|
|
expected := "Success! Tuned the auth method at: my-auth/"
|
|
combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
|
|
if !strings.Contains(combined, expected) {
|
|
t.Errorf("expected %q to contain %q", combined, expected)
|
|
}
|
|
|
|
auths, err := client.Sys().ListAuth()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
mountInfo, ok := auths["my-auth/"]
|
|
if !ok {
|
|
t.Fatalf("expected auth to exist")
|
|
}
|
|
if exp := ""; mountInfo.Description != exp {
|
|
t.Errorf("expected %q to be %q", mountInfo.Description, exp)
|
|
}
|
|
})
|
|
})
|
|
})
|
|
|
|
t.Run("communication_failure", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
client, closer := testVaultServerBad(t)
|
|
defer closer()
|
|
|
|
ui, cmd := testAuthTuneCommand(t)
|
|
cmd.client = client
|
|
|
|
code := cmd.Run([]string{
|
|
"userpass/",
|
|
})
|
|
if exp := 2; code != exp {
|
|
t.Errorf("expected %d to be %d", code, exp)
|
|
}
|
|
|
|
expected := "Error tuning auth method userpass/: "
|
|
combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
|
|
if !strings.Contains(combined, expected) {
|
|
t.Errorf("expected %q to contain %q", combined, expected)
|
|
}
|
|
})
|
|
|
|
t.Run("no_tabs", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
_, cmd := testAuthTuneCommand(t)
|
|
assertNoTabs(t, cmd)
|
|
})
|
|
}
|
|
|
|
// TestUnsetFieldsAuthTune first sets the array and string values on the auth mount, then in a second call sets those
|
|
// fields back to the original empty list or empty string. Then the new values are read to check that they are in fact
|
|
// 'unset' properly. This is a regression test (VAULT-34426).
|
|
func TestUnsetFieldsAuthTune(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cluster := minimal.NewTestSoloCluster(t, nil)
|
|
client := cluster.Cores[0].Client
|
|
|
|
// Mount
|
|
if err := client.Sys().EnableAuthWithOptions("my-auth", &api.EnableAuthOptions{
|
|
Type: "userpass",
|
|
}); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
mountInfo, err := client.Sys().GetAuth("my-auth/")
|
|
if err != nil {
|
|
t.Fatalf("expected my-auth endpoint to exist: %v", err)
|
|
}
|
|
|
|
ui, cmdSet := testAuthTuneCommand(t)
|
|
cmdSet.client = client
|
|
|
|
code := cmdSet.Run([]string{
|
|
"-description", "new description",
|
|
"-default-lease-ttl", "30m",
|
|
"-max-lease-ttl", "1h",
|
|
"-audit-non-hmac-request-keys", "foo,bar",
|
|
"-audit-non-hmac-response-keys", "foo,bar",
|
|
"-passthrough-request-headers", "authorization",
|
|
"-allowed-response-headers", "authorization,www-authentication",
|
|
"-listing-visibility", "unauth",
|
|
"-identity-token-key", "default",
|
|
"-trim-request-trailing-slashes=true",
|
|
"my-auth/",
|
|
})
|
|
if exp := 0; code != exp {
|
|
t.Fatalf("expected %d to be %d", code, exp)
|
|
}
|
|
|
|
expected := "Success! Tuned the auth method at: my-auth/"
|
|
combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
|
|
if !strings.Contains(combined, expected) {
|
|
t.Fatalf("expected %q to contain %q", combined, expected)
|
|
}
|
|
|
|
mountInfo, err = client.Sys().GetAuth("my-auth/")
|
|
if err != nil {
|
|
t.Fatalf("expected my-auth endpoint to exist: %v", err)
|
|
}
|
|
|
|
if exp := "new description"; mountInfo.Description != exp {
|
|
t.Fatalf("expected %q to be %q", mountInfo.Description, exp)
|
|
}
|
|
if exp := "userpass"; mountInfo.Type != exp {
|
|
t.Fatalf("expected %q to be %q", mountInfo.Type, exp)
|
|
}
|
|
if exp := 1800; mountInfo.Config.DefaultLeaseTTL != exp {
|
|
t.Fatalf("expected %d to be %d", mountInfo.Config.DefaultLeaseTTL, exp)
|
|
}
|
|
if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp {
|
|
t.Fatalf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp)
|
|
}
|
|
if !mountInfo.Config.TrimRequestTrailingSlashes {
|
|
t.Fatalf("expected trim_request_trailing_slashes to be enabled")
|
|
}
|
|
if diff := deep.Equal([]string{"authorization"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
|
|
t.Fatalf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
|
|
}
|
|
if diff := deep.Equal([]string{"authorization,www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
|
|
t.Fatalf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
|
|
}
|
|
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
|
|
t.Fatalf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
|
|
}
|
|
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
|
|
t.Fatalf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
|
|
}
|
|
if diff := deep.Equal("default", mountInfo.Config.IdentityTokenKey); len(diff) > 0 {
|
|
t.Fatalf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff)
|
|
}
|
|
|
|
uiNew, cmdUnset := testAuthTuneCommand(t)
|
|
cmdUnset.client = client
|
|
|
|
unsetCode := cmdUnset.Run([]string{
|
|
"-description", "",
|
|
"-default-lease-ttl", "30m",
|
|
"-max-lease-ttl", "1h",
|
|
"-audit-non-hmac-request-keys", "",
|
|
"-audit-non-hmac-response-keys", "",
|
|
"-passthrough-request-headers", "",
|
|
"-allowed-response-headers", "",
|
|
"-listing-visibility", "unauth",
|
|
"-identity-token-key", "",
|
|
"-trim-request-trailing-slashes=false",
|
|
"my-auth/",
|
|
})
|
|
if exp := 0; unsetCode != exp {
|
|
t.Fatalf("expected %d to be %d", unsetCode, exp)
|
|
}
|
|
|
|
combined = uiNew.OutputWriter.String() + uiNew.ErrorWriter.String()
|
|
if !strings.Contains(combined, expected) {
|
|
t.Fatalf("expected %q to contain %q", combined, expected)
|
|
}
|
|
|
|
mountInfo, err = client.Sys().GetAuth("my-auth/")
|
|
if err != nil {
|
|
t.Fatalf("expected to be able to fetch auth: %v", err)
|
|
}
|
|
|
|
if exp := ""; mountInfo.Description != exp {
|
|
t.Fatalf("expected %q to be %q", mountInfo.Description, exp)
|
|
}
|
|
if mountInfo.Config.TrimRequestTrailingSlashes {
|
|
t.Fatalf("expected trim_request_trailing_slashes to be disabled")
|
|
}
|
|
if mountInfo.Config.PassthroughRequestHeaders != nil {
|
|
t.Fatalf("Failed to find expected values in PassthroughRequestHeaders. Expected nil slice got: %v", mountInfo.Config.PassthroughRequestHeaders)
|
|
}
|
|
if mountInfo.Config.AllowedResponseHeaders != nil {
|
|
t.Fatalf("Failed to find expected values in AllowedResponseHeaders. Expected nil slice got: %v", mountInfo.Config.AllowedResponseHeaders)
|
|
}
|
|
if mountInfo.Config.AuditNonHMACRequestKeys != nil {
|
|
t.Fatalf("Failed to find expected values in AuditNonHMACRequestKeys. Expected nil slice got: %v", mountInfo.Config.AuditNonHMACRequestKeys)
|
|
}
|
|
if mountInfo.Config.AuditNonHMACResponseKeys != nil {
|
|
t.Fatalf("Failed to find expected values in AuditNonHMACResponseKeys. Expected nil slice got: %v", mountInfo.Config.AuditNonHMACResponseKeys)
|
|
}
|
|
if diff := deep.Equal("", mountInfo.Config.IdentityTokenKey); len(diff) > 0 {
|
|
t.Fatalf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff)
|
|
}
|
|
}
|