AutoMTLS for secrets/auth plugins (#15671)

* use automtls for v5 secrets/auth plugins * add automtls env guard * start backend without metadata mode * use PluginClientConfig for backend's NewPluginClient param refactor * - fix pluginutil test - do not expect plugin to be unloaded in UT - fix pluginutil tests --need new env var - use require in UT - fix lazy load test * add changelog * prioritize automtls; improve comments * user multierror; refactor pluginSet for v4 unit test * add test cases for v4 and v5 plugin versions * remove unnecessary call to AutoMTLSSupported * update comment on pluginSets * use runconfig directly in sdk newpluginclient * use automtls without metadatamode for v5 backend plugin registration * use multierror for plugin runconfig calls * remove some unnecessary code
2025-10-30 02:02:43 +00:00 · 2022-07-18 16:25:18 -05:00
parent ba56224a2a
commit 39bcd5c715
14 changed files with 736 additions and 435 deletions
--- a/sdk/helper/pluginutil/run_config_test.go
+++ b/sdk/helper/pluginutil/run_config_test.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"os/exec"
-	"reflect"
 	"testing"
 	"time"

@@ -14,6 +13,7 @@ import (
 	"github.com/hashicorp/go-plugin"
 	"github.com/hashicorp/vault/sdk/helper/wrapping"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
 )

 func TestMakeConfig(t *testing.T) {
@@ -78,6 +78,7 @@ func TestMakeConfig(t *testing.T) {
 						"initial=true",
 						fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
 						fmt.Sprintf("%s=%t", PluginMetadataModeEnv, true),
+						fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, false),
 					},
 				),
 				SecureConfig: &plugin.SecureConfig{
@@ -143,6 +144,7 @@ func TestMakeConfig(t *testing.T) {
 						fmt.Sprintf("%s=%t", PluginMlockEnabled, true),
 						fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
 						fmt.Sprintf("%s=%t", PluginMetadataModeEnv, false),
+						fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, false),
 						fmt.Sprintf("%s=%s", PluginUnwrapTokenEnv, "testtoken"),
 					},
 				),
@@ -205,6 +207,7 @@ func TestMakeConfig(t *testing.T) {
 						"initial=true",
 						fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
 						fmt.Sprintf("%s=%t", PluginMetadataModeEnv, true),
+						fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, true),
 					},
 				),
 				SecureConfig: &plugin.SecureConfig{
@@ -266,6 +269,7 @@ func TestMakeConfig(t *testing.T) {
 						"initial=true",
 						fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version),
 						fmt.Sprintf("%s=%t", PluginMetadataModeEnv, false),
+						fmt.Sprintf("%s=%t", PluginAutoMTLSEnv, true),
 					},
 				),
 				SecureConfig: &plugin.SecureConfig{
@@ -290,7 +294,7 @@ func TestMakeConfig(t *testing.T) {
 				Return(test.responseWrapInfo, test.responseWrapInfoErr)
 			mockWrapper.On("MlockEnabled").
 				Return(test.mlockEnabled)
-			test.rc.wrapper = mockWrapper
+			test.rc.Wrapper = mockWrapper
 			defer mockWrapper.AssertNumberOfCalls(t, "ResponseWrapData", test.responseWrapInfoTimes)
 			defer mockWrapper.AssertNumberOfCalls(t, "MlockEnabled", test.mlockEnabledTimes)

@@ -318,9 +322,7 @@ func TestMakeConfig(t *testing.T) {
 			}
 			config.TLSConfig = nil

-			if !reflect.DeepEqual(config, test.expectedConfig) {
-				t.Fatalf("Actual config: %#v\nExpected config: %#v", config, test.expectedConfig)
-			}
+			require.Equal(t, config, test.expectedConfig)
 		})
 	}
 }