Change auth helper interface to api.Secret. (#3263)

This allows us to properly handle wrapped responses. Fixes #3217
2025-11-02 03:27:54 +00:00 · 2017-08-31 16:57:00 -04:00
parent a125e902c4
commit 79b63deaf5
8 changed files with 262 additions and 49 deletions
--- a/command/auth_test.go
+++ b/command/auth_test.go
@@ -9,6 +9,9 @@ import (
 	"strings"
 	"testing"

+	credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
+	"github.com/hashicorp/vault/logical"
+
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/meta"
@@ -84,6 +87,155 @@ func TestAuth_token(t *testing.T) {
 	}
 }

+func TestAuth_wrapping(t *testing.T) {
+	baseConfig := &vault.CoreConfig{
+		CredentialBackends: map[string]logical.Factory{
+			"userpass": credUserpass.Factory,
+		},
+	}
+	cluster := vault.NewTestCluster(t, baseConfig, &vault.TestClusterOptions{
+		HandlerFunc:       http.Handler,
+		BaseListenAddress: "127.0.0.1:8200",
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	testAuthInit(t)
+
+	client := cluster.Cores[0].Client
+	err := client.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{
+		Type: "userpass",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = client.Logical().Write("auth/userpass/users/foo", map[string]interface{}{
+		"password": "bar",
+		"policies": "zip,zap",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ui := new(cli.MockUi)
+	c := &AuthCommand{
+		Meta: meta.Meta{
+			Ui:          ui,
+			TokenHelper: DefaultTokenHelper,
+		},
+		Handlers: map[string]AuthHandler{
+			"userpass": &credUserpass.CLIHandler{DefaultMount: "userpass"},
+		},
+	}
+
+	args := []string{
+		"-address",
+		"https://127.0.0.1:8200",
+		"-tls-skip-verify",
+		"-method",
+		"userpass",
+		"username=foo",
+		"password=bar",
+	}
+	if code := c.Run(args); code != 0 {
+		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
+	}
+
+	// Test again with wrapping
+	ui = new(cli.MockUi)
+	c = &AuthCommand{
+		Meta: meta.Meta{
+			Ui:          ui,
+			TokenHelper: DefaultTokenHelper,
+		},
+		Handlers: map[string]AuthHandler{
+			"userpass": &credUserpass.CLIHandler{DefaultMount: "userpass"},
+		},
+	}
+
+	args = []string{
+		"-address",
+		"https://127.0.0.1:8200",
+		"-tls-skip-verify",
+		"-wrap-ttl",
+		"5m",
+		"-method",
+		"userpass",
+		"username=foo",
+		"password=bar",
+	}
+	if code := c.Run(args); code != 0 {
+		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
+	}
+
+	// Test again with no-store
+	ui = new(cli.MockUi)
+	c = &AuthCommand{
+		Meta: meta.Meta{
+			Ui:          ui,
+			TokenHelper: DefaultTokenHelper,
+		},
+		Handlers: map[string]AuthHandler{
+			"userpass": &credUserpass.CLIHandler{DefaultMount: "userpass"},
+		},
+	}
+
+	args = []string{
+		"-address",
+		"https://127.0.0.1:8200",
+		"-tls-skip-verify",
+		"-wrap-ttl",
+		"5m",
+		"-no-store",
+		"-method",
+		"userpass",
+		"username=foo",
+		"password=bar",
+	}
+	if code := c.Run(args); code != 0 {
+		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
+	}
+
+	// Test again with wrapping and token-only
+	ui = new(cli.MockUi)
+	c = &AuthCommand{
+		Meta: meta.Meta{
+			Ui:          ui,
+			TokenHelper: DefaultTokenHelper,
+		},
+		Handlers: map[string]AuthHandler{
+			"userpass": &credUserpass.CLIHandler{DefaultMount: "userpass"},
+		},
+	}
+
+	args = []string{
+		"-address",
+		"https://127.0.0.1:8200",
+		"-tls-skip-verify",
+		"-wrap-ttl",
+		"5m",
+		"-token-only",
+		"-method",
+		"userpass",
+		"username=foo",
+		"password=bar",
+	}
+	if code := c.Run(args); code != 0 {
+		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
+	}
+	token := strings.TrimSpace(ui.OutputWriter.String())
+	if token == "" {
+		t.Fatal("expected to find token in output")
+	}
+	secret, err := client.Logical().Unwrap(token)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if secret.Auth.ClientToken == "" {
+		t.Fatal("no client token found")
+	}
+}
+
 func TestAuth_token_nostore(t *testing.T) {
 	core, _, token := vault.TestCoreUnsealed(t)
 	ln, addr := http.TestServer(t, core)
@@ -237,8 +389,12 @@ func testAuthInit(t *testing.T) {

 type testAuthHandler struct{}

-func (h *testAuthHandler) Auth(c *api.Client, m map[string]string) (string, error) {
-	return m["foo"], nil
+func (h *testAuthHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) {
+	return &api.Secret{
+		Auth: &api.SecretAuth{
+			ClientToken: m["foo"],
+		},
+	}, nil
 }

 func (h *testAuthHandler) Help() string { return "" }