package approle
import (
"testing"
log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/vault/api"
credAppRole "github.com/hashicorp/vault/builtin/credential/approle"
vaulthttp "github.com/hashicorp/vault/http"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/vault"
"github.com/stretchr/testify/require"
)
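// TestApproleSecretId_Wrapped generates an AppRole secret ID with response
// wrapping enabled and verifies that the accessor advertised in the wrap
// info (WrappedAccessor) is the same accessor found inside the unwrapped
// response. This ties the wrapping token to the secret ID it protects
// without ever exposing the secret ID itself in the wrapped reply.
func TestApproleSecretId_Wrapped(t *testing.T) {
	coreConfig := &vault.CoreConfig{
		DisableMlock: true,
		DisableCache: true,
		Logger:       log.NewNullLogger(),
		CredentialBackends: map[string]logical.Factory{
			"approle": credAppRole.Factory,
		},
	}
	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
		HandlerFunc: vaulthttp.Handler,
	})
	cluster.Start()
	defer cluster.Cleanup()

	cores := cluster.Cores
	vault.TestWaitActive(t, cores[0].Core)
	client := cores[0].Client
	client.SetToken(cluster.RootToken)

	err := client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{
		Type: "approle",
	})
	require.NoError(t, err)

	_, err = client.Logical().Write("auth/approle/role/test-role-1", map[string]interface{}{
		"name": "test-role-1",
	})
	require.NoError(t, err)

	// Force wrapping for every request so the secret-id generation below
	// returns a wrapping token instead of the secret ID in the clear.
	client.SetWrappingLookupFunc(func(operation, path string) string {
		return "5m"
	})
	resp, err := client.Logical().Write("/auth/approle/role/test-role-1/secret-id", map[string]interface{}{})
	require.NoError(t, err)
	require.NotNil(t, resp, "expected a response from secret-id generation")
	require.NotNil(t, resp.WrapInfo, "expected the secret-id response to be wrapped")
	// A wrapped response must carry only wrap metadata; the secret ID itself
	// has to stay behind the wrapping token.
	require.Empty(t, resp.Data, "wrapped response must not expose secret-id data")

	wrappedAccessor := resp.WrapInfo.WrappedAccessor
	wrappingToken := resp.WrapInfo.Token
	require.NotEmpty(t, wrappedAccessor, "wrapped accessor should be populated")
	require.NotEmpty(t, wrappingToken, "wrapping token should be populated")

	// Restore the default lookup so the unwrap call itself is not wrapped.
	client.SetWrappingLookupFunc(func(operation, path string) string {
		return api.DefaultWrappingLookupFunc(operation, path)
	})
	unwrappedSecretid, err := client.Logical().Unwrap(wrappingToken)
	// The original test never checked this error and would panic on a nil
	// response below instead of reporting the unwrap failure.
	require.NoError(t, err)
	require.NotNil(t, unwrappedSecretid, "expected an unwrapped response")

	unwrappedAccessor, ok := unwrappedSecretid.Data["secret_id_accessor"].(string)
	require.True(t, ok, "secret_id_accessor missing or not a string in unwrapped data: %#v", unwrappedSecretid.Data)
	if wrappedAccessor != unwrappedAccessor {
		t.Fatalf("Expected wrappedAccessor (%v) to match wrapped secret_id_accessor (%v)", wrappedAccessor, unwrappedAccessor)
	}
}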
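// TestApproleSecretId_NotWrapped generates an AppRole secret ID with the
// client's default wrapping behavior and verifies that no WrappedAccessor is
// reported: the wrap metadata must only appear when a wrapping token was
// actually issued.
func TestApproleSecretId_NotWrapped(t *testing.T) {
	coreConfig := &vault.CoreConfig{
		DisableMlock: true,
		DisableCache: true,
		Logger:       log.NewNullLogger(),
		CredentialBackends: map[string]logical.Factory{
			"approle": credAppRole.Factory,
		},
	}
	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
		HandlerFunc: vaulthttp.Handler,
	})
	cluster.Start()
	defer cluster.Cleanup()

	cores := cluster.Cores
	vault.TestWaitActive(t, cores[0].Core)
	client := cores[0].Client
	client.SetToken(cluster.RootToken)

	// Consistent with the rest of the file: fail through require rather than
	// mixing t.Fatal and require.NoError for the same kind of error.
	err := client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{
		Type: "approle",
	})
	require.NoError(t, err)

	_, err = client.Logical().Write("auth/approle/role/test-role-1", map[string]interface{}{
		"name": "test-role-1",
	})
	require.NoError(t, err)

	resp, err := client.Logical().Write("/auth/approle/role/test-role-1/secret-id", map[string]interface{}{})
	require.NoError(t, err)
	require.NotNil(t, resp, "expected a response from secret-id generation")

	if resp.WrapInfo != nil && resp.WrapInfo.WrappedAccessor != "" {
		t.Fatalf("WrappedAccessor unexpectedly set")
	}
	// Without wrapping, the accessor is delivered directly in the response
	// data; make sure the test is exercising a real secret-id response and
	// not passing vacuously on an empty one.
	_, ok := resp.Data["secret_id_accessor"].(string)
	require.True(t, ok, "secret_id_accessor missing or not a string in response data: %#v", resp.Data)
}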