mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-11-02 03:27:54 +00:00
VAULT-13056 fix leasecache usage, add test coverage (#18922)
* VAULT-13056 fix leasecache usage, add test coverage * VAULT-13056 remove deprecated ioutil functions * VAULT-13056 some test clean-up * VAULT-13056 re-add environment variable thing * VAULT-13056 add comment for clarity
This commit is contained in:
Violet Hynes
@@ -5,7 +5,7 @@ import (
|
||||
"crypto/x509"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"io"
|
||||
"net"
|
||||
"net/http"
|
||||
"os"
|
||||
@@ -146,7 +146,7 @@ func testAgentExitAfterAuth(t *testing.T, viaFlag bool) {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
inf, err := ioutil.TempFile("", "auth.jwt.test.")
|
||||
inf, err := os.CreateTemp("", "auth.jwt.test.")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -155,7 +155,7 @@ func testAgentExitAfterAuth(t *testing.T, viaFlag bool) {
|
||||
os.Remove(in)
|
||||
t.Logf("input: %s", in)
|
||||
|
||||
sink1f, err := ioutil.TempFile("", "sink1.jwt.test.")
|
||||
sink1f, err := os.CreateTemp("", "sink1.jwt.test.")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -164,7 +164,7 @@ func testAgentExitAfterAuth(t *testing.T, viaFlag bool) {
|
||||
os.Remove(sink1)
|
||||
t.Logf("sink1: %s", sink1)
|
||||
|
||||
sink2f, err := ioutil.TempFile("", "sink2.jwt.test.")
|
||||
sink2f, err := os.CreateTemp("", "sink2.jwt.test.")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -173,7 +173,7 @@ func testAgentExitAfterAuth(t *testing.T, viaFlag bool) {
|
||||
os.Remove(sink2)
|
||||
t.Logf("sink2: %s", sink2)
|
||||
|
||||
conff, err := ioutil.TempFile("", "conf.jwt.test.")
|
||||
conff, err := os.CreateTemp("", "conf.jwt.test.")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -183,7 +183,7 @@ func testAgentExitAfterAuth(t *testing.T, viaFlag bool) {
|
||||
t.Logf("config: %s", conf)
|
||||
|
||||
jwtToken, _ := agent.GetTestJWT(t)
|
||||
if err := ioutil.WriteFile(in, []byte(jwtToken), 0o600); err != nil {
|
||||
if err := os.WriteFile(in, []byte(jwtToken), 0o600); err != nil {
|
||||
t.Fatal(err)
|
||||
} else {
|
||||
logger.Trace("wrote test jwt", "path", in)
|
||||
@@ -222,7 +222,7 @@ auto_auth {
|
||||
`
|
||||
|
||||
config = fmt.Sprintf(config, exitAfterAuthTemplText, in, sink1, sink2)
|
||||
if err := ioutil.WriteFile(conf, []byte(config), 0o600); err != nil {
|
||||
if err := os.WriteFile(conf, []byte(config), 0o600); err != nil {
|
||||
t.Fatal(err)
|
||||
} else {
|
||||
logger.Trace("wrote test config", "path", conf)
|
||||
@@ -254,7 +254,7 @@ auto_auth {
|
||||
t.Fatal("timeout reached while waiting for agent to exit")
|
||||
}
|
||||
|
||||
sink1Bytes, err := ioutil.ReadFile(sink1)
|
||||
sink1Bytes, err := os.ReadFile(sink1)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -262,7 +262,7 @@ auto_auth {
|
||||
t.Fatal("got no output from sink 1")
|
||||
}
|
||||
|
||||
sink2Bytes, err := ioutil.ReadFile(sink2)
|
||||
sink2Bytes, err := os.ReadFile(sink2)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -612,7 +612,7 @@ func TestAgent_Template_Basic(t *testing.T) {
|
||||
|
||||
// make a temp directory to hold renders. Each test will create a temp dir
|
||||
// inside this one
|
||||
tmpDirRoot, err := ioutil.TempDir("", "agent-test-renders")
|
||||
tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -642,7 +642,7 @@ func TestAgent_Template_Basic(t *testing.T) {
|
||||
for tcname, tc := range testCases {
|
||||
t.Run(tcname, func(t *testing.T) {
|
||||
// create temp dir for this test run
|
||||
tmpDir, err := ioutil.TempDir(tmpDirRoot, tcname)
|
||||
tmpDir, err := os.MkdirTemp(tmpDirRoot, tcname)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -651,7 +651,7 @@ func TestAgent_Template_Basic(t *testing.T) {
|
||||
var templatePaths []string
|
||||
for i := 0; i < tc.templateCount; i++ {
|
||||
fileName := filepath.Join(tmpDir, fmt.Sprintf("render_%d.tmpl", i))
|
||||
if err := ioutil.WriteFile(fileName, []byte(templateContents(i)), 0o600); err != nil {
|
||||
if err := os.WriteFile(fileName, []byte(templateContents(i)), 0o600); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
templatePaths = append(templatePaths, fileName)
|
||||
@@ -765,7 +765,7 @@ auto_auth {
|
||||
for i := range templatePaths {
|
||||
fileName := filepath.Join(tmpDir, fmt.Sprintf("render_%d.json", i))
|
||||
var c []byte
|
||||
c, err = ioutil.ReadFile(fileName)
|
||||
c, err = os.ReadFile(fileName)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
@@ -782,7 +782,7 @@ auto_auth {
|
||||
|
||||
for i := 0; i < tc.templateCount; i++ {
|
||||
fileName := filepath.Join(tmpDir, fmt.Sprintf("render_%d.tmpl", i))
|
||||
if err := ioutil.WriteFile(fileName, []byte(templateContents(i)+"{}"), 0o600); err != nil {
|
||||
if err := os.WriteFile(fileName, []byte(templateContents(i)+"{}"), 0o600); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
@@ -795,7 +795,7 @@ auto_auth {
|
||||
func testListFiles(t *testing.T, dir, extension string) int {
|
||||
t.Helper()
|
||||
|
||||
files, err := ioutil.ReadDir(dir)
|
||||
files, err := os.ReadDir(dir)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -925,14 +925,14 @@ func TestAgent_Template_ExitCounter(t *testing.T) {
|
||||
|
||||
// make a temp directory to hold renders. Each test will create a temp dir
|
||||
// inside this one
|
||||
tmpDirRoot, err := ioutil.TempDir("", "agent-test-renders")
|
||||
tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer os.RemoveAll(tmpDirRoot)
|
||||
|
||||
// create temp dir for this test run
|
||||
tmpDir, err := ioutil.TempDir(tmpDirRoot, "agent-test")
|
||||
tmpDir, err := os.MkdirTemp(tmpDirRoot, "agent-test")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -1014,7 +1014,7 @@ exit_after_auth = true
|
||||
// Perform the tests
|
||||
//----------------------------------------------------
|
||||
|
||||
files, err := ioutil.ReadDir(tmpDir)
|
||||
files, err := os.ReadDir(tmpDir)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -1077,7 +1077,7 @@ func request(t *testing.T, client *api.Client, req *api.Request, expectedStatusC
|
||||
t.Fatalf("expected status code %d, not %d", expectedStatusCode, resp.StatusCode)
|
||||
}
|
||||
|
||||
bytes, err := ioutil.ReadAll(resp.Body)
|
||||
bytes, err := io.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
@@ -1096,7 +1096,7 @@ func request(t *testing.T, client *api.Client, req *api.Request, expectedStatusC
|
||||
// makeTempFile creates a temp file and populates it.
|
||||
func makeTempFile(t *testing.T, name, contents string) string {
|
||||
t.Helper()
|
||||
f, err := ioutil.TempFile("", name)
|
||||
f, err := os.CreateTemp("", name)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -1211,7 +1211,7 @@ func TestAgent_Template_Retry(t *testing.T) {
|
||||
|
||||
// make a temp directory to hold renders. Each test will create a temp dir
|
||||
// inside this one
|
||||
tmpDirRoot, err := ioutil.TempDir("", "agent-test-renders")
|
||||
tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -1259,14 +1259,14 @@ func TestAgent_Template_Retry(t *testing.T) {
|
||||
h.failCount = 6
|
||||
|
||||
// create temp dir for this test run
|
||||
tmpDir, err := ioutil.TempDir(tmpDirRoot, tcname)
|
||||
tmpDir, err := os.MkdirTemp(tmpDirRoot, tcname)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// make some template files
|
||||
templatePath := filepath.Join(tmpDir, "render_0.tmpl")
|
||||
if err := ioutil.WriteFile(templatePath, []byte(templateContents(0)), 0o600); err != nil {
|
||||
if err := os.WriteFile(templatePath, []byte(templateContents(0)), 0o600); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
templateConfig := fmt.Sprintf(templateConfigString, templatePath, tmpDir, "render_0.json")
|
||||
@@ -1340,7 +1340,7 @@ template_config {
|
||||
|
||||
fileName := filepath.Join(tmpDir, "render_0.json")
|
||||
var c []byte
|
||||
c, err = ioutil.ReadFile(fileName)
|
||||
c, err = os.ReadFile(fileName)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
@@ -1438,7 +1438,112 @@ auto_auth {
|
||||
return config, cleanup
|
||||
}
|
||||
|
||||
func TestAgent_Cache_Retry(t *testing.T) {
|
||||
func TestAgent_Cache_DynamicSecret(t *testing.T) {
|
||||
logger := logging.NewVaultLogger(hclog.Trace)
|
||||
cluster := vault.NewTestCluster(t, nil, &vault.TestClusterOptions{
|
||||
HandlerFunc: vaulthttp.Handler,
|
||||
})
|
||||
cluster.Start()
|
||||
defer cluster.Cleanup()
|
||||
|
||||
serverClient := cluster.Cores[0].Client
|
||||
|
||||
// Unset the environment variable so that agent picks up the right test
|
||||
// cluster address
|
||||
defer os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
|
||||
os.Unsetenv(api.EnvVaultAddress)
|
||||
|
||||
cacheConfig := `
|
||||
cache {
|
||||
}
|
||||
`
|
||||
listenAddr := generateListenerAddress(t)
|
||||
listenConfig := fmt.Sprintf(`
|
||||
listener "tcp" {
|
||||
address = "%s"
|
||||
tls_disable = true
|
||||
}
|
||||
`, listenAddr)
|
||||
|
||||
config := fmt.Sprintf(`
|
||||
vault {
|
||||
address = "%s"
|
||||
tls_skip_verify = true
|
||||
}
|
||||
%s
|
||||
%s
|
||||
`, serverClient.Address(), cacheConfig, listenConfig)
|
||||
configPath := makeTempFile(t, "config.hcl", config)
|
||||
defer os.Remove(configPath)
|
||||
|
||||
// Start the agent
|
||||
_, cmd := testAgentCommand(t, logger)
|
||||
cmd.startedCh = make(chan struct{})
|
||||
|
||||
wg := &sync.WaitGroup{}
|
||||
wg.Add(1)
|
||||
go func() {
|
||||
cmd.Run([]string{"-config", configPath})
|
||||
wg.Done()
|
||||
}()
|
||||
|
||||
select {
|
||||
case <-cmd.startedCh:
|
||||
case <-time.After(5 * time.Second):
|
||||
t.Errorf("timeout")
|
||||
}
|
||||
|
||||
agentClient, err := api.NewClient(api.DefaultConfig())
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
agentClient.SetToken(serverClient.Token())
|
||||
agentClient.SetMaxRetries(0)
|
||||
err = agentClient.SetAddress("http://" + listenAddr)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
renewable := true
|
||||
tokenCreateRequest := &api.TokenCreateRequest{
|
||||
Policies: []string{"default"},
|
||||
TTL: "30m",
|
||||
Renewable: &renewable,
|
||||
}
|
||||
|
||||
// This was the simplest test I could find to trigger the caching behaviour,
|
||||
// i.e. the most concise I could make the test that I can tell
|
||||
// creating an orphan token returns Auth, is renewable, and isn't a token
|
||||
// that's managed elsewhere (since it's an orphan)
|
||||
secret, err := agentClient.Auth().Token().CreateOrphan(tokenCreateRequest)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if secret == nil || secret.Auth == nil {
|
||||
t.Fatalf("secret not as expected: %v", secret)
|
||||
}
|
||||
|
||||
token := secret.Auth.ClientToken
|
||||
|
||||
secret, err = agentClient.Auth().Token().CreateOrphan(tokenCreateRequest)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if secret == nil || secret.Auth == nil {
|
||||
t.Fatalf("secret not as expected: %v", secret)
|
||||
}
|
||||
|
||||
token2 := secret.Auth.ClientToken
|
||||
|
||||
if token != token2 {
|
||||
t.Fatalf("token create response not cached when it should have been, as tokens differ")
|
||||
}
|
||||
|
||||
close(cmd.ShutdownCh)
|
||||
wg.Wait()
|
||||
}
|
||||
|
||||
func TestAgent_ApiProxy_Retry(t *testing.T) {
|
||||
//----------------------------------------------------
|
||||
// Start the server and agent
|
||||
//----------------------------------------------------
|
||||
@@ -1646,7 +1751,7 @@ func TestAgent_TemplateConfig_ExitOnRetryFailure(t *testing.T) {
|
||||
|
||||
// make a temp directory to hold renders. Each test will create a temp dir
|
||||
// inside this one
|
||||
tmpDirRoot, err := ioutil.TempDir("", "agent-test-renders")
|
||||
tmpDirRoot, err := os.MkdirTemp("", "agent-test-renders")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -1750,7 +1855,7 @@ func TestAgent_TemplateConfig_ExitOnRetryFailure(t *testing.T) {
|
||||
for tcName, tc := range testCases {
|
||||
t.Run(tcName, func(t *testing.T) {
|
||||
// create temp dir for this test run
|
||||
tmpDir, err := ioutil.TempDir(tmpDirRoot, tcName)
|
||||
tmpDir, err := os.MkdirTemp(tmpDirRoot, tcName)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -1859,7 +1964,7 @@ vault {
|
||||
|
||||
fileName := filepath.Join(tmpDir, "render_0.json")
|
||||
var c []byte
|
||||
c, err = ioutil.ReadFile(fileName)
|
||||
c, err = os.ReadFile(fileName)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user