Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Expose secret_id_accessor as WrappedAccessor when wrapping secret-id …
…creation. (#12425) * Expose secret_id_accessor as WrappedAccessor when wrapping secret-id creation. * Add changelog. * Minor updates as suggested. * Adding external test for wrapped accessor. * Add check that mounttype is approle. * Update changelog text to use improvement
- Loading branch information
1 parent
8c8cafd
commit db8cc30
Showing
4 changed files
with
131 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
```release-note:improvement | ||
auth/approle: expose secret_id_accessor as WrappedAccessor when creating wrapped secret-id. | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,121 @@ | ||
package approle | ||
|
||
import ( | ||
"testing" | ||
|
||
log "github.com/hashicorp/go-hclog" | ||
"github.com/hashicorp/vault/api" | ||
credAppRole "github.com/hashicorp/vault/builtin/credential/approle" | ||
vaulthttp "github.com/hashicorp/vault/http" | ||
"github.com/hashicorp/vault/sdk/logical" | ||
"github.com/hashicorp/vault/vault" | ||
"github.com/stretchr/testify/require" | ||
) | ||
|
||
func TestApproleSecretId_Wrapped(t *testing.T) { | ||
|
||
var err error | ||
coreConfig := &vault.CoreConfig{ | ||
DisableMlock: true, | ||
DisableCache: true, | ||
Logger: log.NewNullLogger(), | ||
CredentialBackends: map[string]logical.Factory{ | ||
"approle": credAppRole.Factory, | ||
}, | ||
} | ||
|
||
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{ | ||
HandlerFunc: vaulthttp.Handler, | ||
}) | ||
|
||
cluster.Start() | ||
defer cluster.Cleanup() | ||
|
||
cores := cluster.Cores | ||
|
||
vault.TestWaitActive(t, cores[0].Core) | ||
|
||
client := cores[0].Client | ||
client.SetToken(cluster.RootToken) | ||
|
||
err = client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{ | ||
Type: "approle", | ||
}) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
_, err = client.Logical().Write("auth/approle/role/test-role-1", map[string]interface{}{ | ||
"name": "test-role-1", | ||
}) | ||
require.NoError(t, err) | ||
|
||
client.SetWrappingLookupFunc(func(operation, path string) string { | ||
return "5m" | ||
}) | ||
|
||
resp, err := client.Logical().Write("/auth/approle/role/test-role-1/secret-id", map[string]interface{}{}) | ||
require.NoError(t, err) | ||
|
||
wrappedAccessor := resp.WrapInfo.WrappedAccessor | ||
wrappingToken := resp.WrapInfo.Token | ||
|
||
client.SetWrappingLookupFunc(func(operation, path string) string { | ||
return api.DefaultWrappingLookupFunc(operation, path) | ||
}) | ||
|
||
unwrappedSecretid, err := client.Logical().Unwrap(wrappingToken) | ||
unwrappedAccessor := unwrappedSecretid.Data["secret_id_accessor"].(string) | ||
|
||
if wrappedAccessor != unwrappedAccessor { | ||
t.Fatalf("Expected wrappedAccessor (%v) to match wrapped secret_id_accessor (%v)", wrappedAccessor, unwrappedAccessor) | ||
} | ||
|
||
} | ||
|
||
func TestApproleSecretId_NotWrapped(t *testing.T) { | ||
|
||
var err error | ||
coreConfig := &vault.CoreConfig{ | ||
DisableMlock: true, | ||
DisableCache: true, | ||
Logger: log.NewNullLogger(), | ||
CredentialBackends: map[string]logical.Factory{ | ||
"approle": credAppRole.Factory, | ||
}, | ||
} | ||
|
||
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{ | ||
HandlerFunc: vaulthttp.Handler, | ||
}) | ||
|
||
cluster.Start() | ||
defer cluster.Cleanup() | ||
|
||
cores := cluster.Cores | ||
|
||
vault.TestWaitActive(t, cores[0].Core) | ||
|
||
client := cores[0].Client | ||
client.SetToken(cluster.RootToken) | ||
|
||
err = client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{ | ||
Type: "approle", | ||
}) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
|
||
_, err = client.Logical().Write("auth/approle/role/test-role-1", map[string]interface{}{ | ||
"name": "test-role-1", | ||
}) | ||
require.NoError(t, err) | ||
|
||
resp, err := client.Logical().Write("/auth/approle/role/test-role-1/secret-id", map[string]interface{}{}) | ||
require.NoError(t, err) | ||
|
||
if resp.WrapInfo != nil && resp.WrapInfo.WrappedAccessor != "" { | ||
t.Fatalf("WrappedAccessor unexpectedly set") | ||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters