Modify approle tidy to validate dangling accessors (#4981)

2025-10-30 02:02:43 +00:00 · 2018-07-24 17:00:53 -04:00
parent 8d2d9fd8bd
commit 77e61243d0
3 changed files with 170 additions and 10 deletions
--- a/builtin/credential/approle/path_tidy_user_id_test.go
+++ b/builtin/credential/approle/path_tidy_user_id_test.go
@@ -2,13 +2,15 @@ package approle

 import (
 	"context"
+	"fmt"
+	"sync"
 	"testing"
 	"time"

 	"github.com/hashicorp/vault/logical"
 )

-func TestAppRole_TidyDanglingAccessors(t *testing.T) {
+func TestAppRole_TidyDanglingAccessors_Normal(t *testing.T) {
 	var resp *logical.Response
 	var err error
 	b, storage := createBackendWithStorage(t)
@@ -83,3 +85,93 @@ func TestAppRole_TidyDanglingAccessors(t *testing.T) {
 		t.Fatalf("bad: len(accessorHashes); expect 1, got %d", len(accessorHashes))
 	}
 }
+
+func TestAppRole_TidyDanglingAccessors_RaceTest(t *testing.T) {
+	var resp *logical.Response
+	var err error
+	b, storage := createBackendWithStorage(t)
+
+	b.testTidyDelay = 300 * time.Millisecond
+
+	// Create a role
+	createRole(t, b, storage, "role1", "a,b,c")
+
+	// Create an initial entry
+	roleSecretIDReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "role/role1/secret-id",
+		Storage:   storage,
+	}
+	resp, err = b.HandleRequest(context.Background(), roleSecretIDReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("err:%v resp:%#v", err, resp)
+	}
+	count := 1
+
+	wg := sync.WaitGroup{}
+	now := time.Now()
+	started := false
+	for {
+		if time.Now().Sub(now) > 700*time.Millisecond {
+			break
+		}
+		if time.Now().Sub(now) > 100*time.Millisecond && !started {
+			started = true
+			_, err = b.tidySecretID(context.Background(), &logical.Request{
+				Storage: storage,
+			})
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+		go func() {
+			wg.Add(1)
+			defer wg.Done()
+			roleSecretIDReq := &logical.Request{
+				Operation: logical.UpdateOperation,
+				Path:      "role/role1/secret-id",
+				Storage:   storage,
+			}
+			resp, err = b.HandleRequest(context.Background(), roleSecretIDReq)
+			if err != nil || (resp != nil && resp.IsError()) {
+				t.Fatalf("err:%v resp:%#v", err, resp)
+			}
+		}()
+		count++
+	}
+
+	t.Logf("wrote %d entries", count)
+
+	wg.Wait()
+	// Let tidy finish
+	time.Sleep(1 * time.Second)
+
+	// Run tidy again
+	_, err = b.tidySecretID(context.Background(), &logical.Request{
+		Storage: storage,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	time.Sleep(2 * time.Second)
+
+	accessorHashes, err := storage.List(context.Background(), "accessor/")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(accessorHashes) != count {
+		t.Fatalf("bad: len(accessorHashes); expect %d, got %d", count, len(accessorHashes))
+	}
+
+	roleHMACs, err := storage.List(context.Background(), secretIDPrefix)
+	if err != nil {
+		t.Fatal(err)
+	}
+	secretIDs, err := storage.List(context.Background(), fmt.Sprintf("%s%s", secretIDPrefix, roleHMACs[0]))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(secretIDs) != count {
+		t.Fatalf("bad: len(secretIDs); expect %d, got %d", count, len(secretIDs))
+	}
+}