From aeb6d14ebd15b47b29bc6626de49896177e50a97 Mon Sep 17 00:00:00 2001 From: Violet Hynes Date: Mon, 23 Oct 2023 11:20:22 -0400 Subject: [PATCH] Update the default kv factory to kv.Factory (#23584) * Update the default kv mount to kv.Factory * Imports * Set some tests that care about leaseapssthroughbackend to use it * extra newline * More test updates * Test updates * Refactor KV mounting in tests * Re-add comment --- http/sys_lease_test.go | 8 ++++- http/sys_mount_test.go | 8 ++++- vault/core.go | 5 +-- vault/core_test.go | 47 +++++++++++++++++++++---- vault/logical_system_test.go | 64 ++++++++++++++++++++++++++++------ vault/request_handling_test.go | 7 +++- vault/testing.go | 42 ++++++++-------------- 7 files changed, 131 insertions(+), 50 deletions(-) diff --git a/http/sys_lease_test.go b/http/sys_lease_test.go index 9db9cb0d02..2b1025b06a 100644 --- a/http/sys_lease_test.go +++ b/http/sys_lease_test.go @@ -7,11 +7,17 @@ import ( "testing" "github.com/hashicorp/vault/sdk/helper/jsonutil" + "github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/vault" ) func TestSysRenew(t *testing.T) { - core, _, token := vault.TestCoreUnsealed(t) + coreConfig := &vault.CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": vault.LeasedPassthroughBackendFactory, + }, + } + core, _, token := vault.TestCoreUnsealedWithConfig(t, coreConfig) ln, addr := TestServer(t, core) defer ln.Close() TestServerAuth(t, addr, token) diff --git a/http/sys_mount_test.go b/http/sys_mount_test.go index 302441ca11..9db7fed374 100644 --- a/http/sys_mount_test.go +++ b/http/sys_mount_test.go @@ -15,6 +15,7 @@ import ( "github.com/hashicorp/vault/helper/testhelpers/corehelpers" "github.com/hashicorp/vault/helper/versions" "github.com/hashicorp/vault/sdk/helper/consts" + "github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/vault" ) @@ -994,7 +995,12 @@ func TestSysTuneMount_Options(t *testing.T) { } func TestSysTuneMount(t *testing.T) { - core, _, token := vault.TestCoreUnsealed(t) + coreConfig := &vault.CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": vault.LeasedPassthroughBackendFactory, + }, + } + core, _, token := vault.TestCoreUnsealedWithConfig(t, coreConfig) ln, addr := TestServer(t, core) defer ln.Close() TestServerAuth(t, addr, token) diff --git a/vault/core.go b/vault/core.go index 2ff0276b76..15d3deeaf7 100644 --- a/vault/core.go +++ b/vault/core.go @@ -26,7 +26,7 @@ import ( "sync/atomic" "time" - "github.com/hashicorp/go-secure-stdlib/parseutil" + kv "github.com/hashicorp/vault-plugin-secrets-kv" "github.com/armon/go-metrics" "github.com/hashicorp/errwrap" @@ -36,6 +36,7 @@ import ( "github.com/hashicorp/go-kms-wrapping/wrappers/awskms/v2" "github.com/hashicorp/go-multierror" "github.com/hashicorp/go-secure-stdlib/mlock" + "github.com/hashicorp/go-secure-stdlib/parseutil" "github.com/hashicorp/go-secure-stdlib/reloadutil" "github.com/hashicorp/go-secure-stdlib/strutil" "github.com/hashicorp/go-secure-stdlib/tlsutil" @@ -1325,7 +1326,7 @@ func (c *Core) configureLogicalBackends(backends map[string]logical.Factory, log // KV _, ok := logicalBackends[mountTypeKV] if !ok { - logicalBackends[mountTypeKV] = PassthroughBackendFactory + logicalBackends[mountTypeKV] = kv.Factory } // Cubbyhole diff --git a/vault/core_test.go b/vault/core_test.go index fe57d58449..d52ae907f7 100644 --- a/vault/core_test.go +++ b/vault/core_test.go @@ -468,7 +468,12 @@ func TestCore_Unseal_MultiShare(t *testing.T) { // TestCore_UseSSCTokenToggleOn will check that the root SSC // token can be used even when disableSSCTokens is toggled on func TestCore_UseSSCTokenToggleOn(t *testing.T) { - c, _, root := TestCoreUnsealed(t) + coreConfig := &CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, + } + c, _, root := TestCoreUnsealedWithConfig(t, coreConfig) c.disableSSCTokens = true req := &logical.Request{ Operation: logical.UpdateOperation, @@ -519,6 +524,9 @@ func TestCore_UseSSCTokenToggleOn(t *testing.T) { func TestCore_UseNonSSCTokenToggleOff(t *testing.T) { coreConfig := &CoreConfig{ DisableSSCTokens: true, + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, } c, _, root := TestCoreUnsealedWithConfig(t, coreConfig) if len(root) > TokenLength+OldTokenPrefixLength || !strings.HasPrefix(root, consts.LegacyServiceTokenPrefix) { @@ -981,7 +989,12 @@ func TestCore_Seal_SingleUse(t *testing.T) { // Ensure we get a LeaseID func TestCore_HandleRequest_Lease(t *testing.T) { - c, _, root := TestCoreUnsealed(t) + coreConfig := &CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, + } + c, _, root := TestCoreUnsealedWithConfig(t, coreConfig) req := &logical.Request{ Operation: logical.UpdateOperation, @@ -1027,7 +1040,12 @@ func TestCore_HandleRequest_Lease(t *testing.T) { } func TestCore_HandleRequest_Lease_MaxLength(t *testing.T) { - c, _, root := TestCoreUnsealed(t) + coreConfig := &CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, + } + c, _, root := TestCoreUnsealedWithConfig(t, coreConfig) req := &logical.Request{ Operation: logical.UpdateOperation, @@ -1073,7 +1091,12 @@ func TestCore_HandleRequest_Lease_MaxLength(t *testing.T) { } func TestCore_HandleRequest_Lease_DefaultLength(t *testing.T) { - c, _, root := TestCoreUnsealed(t) + coreConfig := &CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, + } + c, _, root := TestCoreUnsealedWithConfig(t, coreConfig) req := &logical.Request{ Operation: logical.UpdateOperation, @@ -2358,7 +2381,7 @@ func testCore_Standby_Common(t *testing.T, inm physical.Backend, inmha physical. // Wait for core to become active TestWaitActive(t, core) - testCoreAddSecretMount(t, core, root) + testCoreAddSecretMount(t, core, root, "1") // Put a secret req := &logical.Request{ @@ -2630,7 +2653,12 @@ func TestCore_HandleLogin_ReturnSecret(t *testing.T) { // Renew should return the same lease back func TestCore_RenewSameLease(t *testing.T) { - c, _, root := TestCoreUnsealed(t) + coreConfig := &CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, + } + c, _, root := TestCoreUnsealedWithConfig(t, coreConfig) // Create a leasable secret req := &logical.Request{ @@ -2761,7 +2789,12 @@ func TestCore_EnableDisableCred_WithLease(t *testing.T) { BackendType: logical.TypeCredential, } - c, _, root := TestCoreUnsealed(t) + coreConfig := &CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, + } + c, _, root := TestCoreUnsealedWithConfig(t, coreConfig) c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { return noopBack, nil } diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go index 401d023769..99cdc037ff 100644 --- a/vault/logical_system_test.go +++ b/vault/logical_system_test.go @@ -1146,7 +1146,13 @@ func TestSystemBackend_remount_trailingSpacesInToPath(t *testing.T) { } func TestSystemBackend_leases(t *testing.T) { - core, b, root := testCoreSystemBackend(t) + coreConfig := &CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, + } + core, _, root := TestCoreUnsealedWithConfig(t, coreConfig) + b := core.systemBackend // Create a key with a lease req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo") @@ -1186,7 +1192,7 @@ func TestSystemBackend_leases(t *testing.T) { // validate the response structure for Update schema.ValidateResponse( t, - schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation), + schema.GetResponseSchema(t, b.Route(req.Path), req.Operation), resp, true, ) @@ -1205,7 +1211,13 @@ func TestSystemBackend_leases(t *testing.T) { } func TestSystemBackend_leases_list(t *testing.T) { - core, b, root := testCoreSystemBackend(t) + coreConfig := &CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, + } + core, _, root := TestCoreUnsealedWithConfig(t, coreConfig) + b := core.systemBackend // Create a key with a lease req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo") @@ -1244,7 +1256,7 @@ func TestSystemBackend_leases_list(t *testing.T) { // validate the response body for list schema.ValidateResponse( t, - schema.GetResponseSchema(t, b.(*SystemBackend).Route(req.Path), req.Operation), + schema.GetResponseSchema(t, b.Route(req.Path), req.Operation), resp, true, ) @@ -1370,7 +1382,13 @@ func TestSystemBackend_leases_list(t *testing.T) { } func TestSystemBackend_renew(t *testing.T) { - core, b, root := testCoreSystemBackend(t) + coreConfig := &CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, + } + core, _, root := TestCoreUnsealedWithConfig(t, coreConfig) + b := core.systemBackend // Create a key with a lease req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo") @@ -1409,7 +1427,7 @@ func TestSystemBackend_renew(t *testing.T) { // Validate lease renewal response structure schema.ValidateResponse( t, - schema.GetResponseSchema(t, b.(*SystemBackend).Route(req2.Path), req2.Operation), + schema.GetResponseSchema(t, b.Route(req2.Path), req2.Operation), resp, true, ) @@ -1549,7 +1567,13 @@ func TestSystemBackend_renew_invalidID_origUrl(t *testing.T) { } func TestSystemBackend_revoke(t *testing.T) { - core, b, root := testCoreSystemBackend(t) + coreConfig := &CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, + } + core, _, root := TestCoreUnsealedWithConfig(t, coreConfig) + b := core.systemBackend // Create a key with a lease req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo") @@ -1712,7 +1736,13 @@ func TestSystemBackend_revoke_invalidID_origUrl(t *testing.T) { } func TestSystemBackend_revokePrefix(t *testing.T) { - core, b, root := testCoreSystemBackend(t) + coreConfig := &CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, + } + core, _, root := TestCoreUnsealedWithConfig(t, coreConfig) + b := core.systemBackend // Create a key with a lease req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo") @@ -1752,7 +1782,7 @@ func TestSystemBackend_revokePrefix(t *testing.T) { // validate the response structure for lease revoke-prefix schema.ValidateResponse( t, - schema.GetResponseSchema(t, b.(*SystemBackend).Route(req2.Path), req2.Operation), + schema.GetResponseSchema(t, b.Route(req2.Path), req2.Operation), resp, true, ) @@ -1769,7 +1799,13 @@ func TestSystemBackend_revokePrefix(t *testing.T) { } func TestSystemBackend_revokePrefix_origUrl(t *testing.T) { - core, b, root := testCoreSystemBackend(t) + coreConfig := &CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, + } + core, _, root := TestCoreUnsealedWithConfig(t, coreConfig) + b := core.systemBackend // Create a key with a lease req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo") @@ -4096,7 +4132,13 @@ func TestSystemBackend_InternalUIMount(t *testing.T) { } func TestSystemBackend_OpenAPI(t *testing.T) { - _, b, rootToken := testCoreSystemBackend(t) + coreConfig := &CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, + } + c, _, rootToken := TestCoreUnsealedWithConfig(t, coreConfig) + b := c.systemBackend // Ensure no paths are reported if there is no token { diff --git a/vault/request_handling_test.go b/vault/request_handling_test.go index 70df607a85..6bbde873a7 100644 --- a/vault/request_handling_test.go +++ b/vault/request_handling_test.go @@ -434,7 +434,12 @@ func TestRequestHandling_LoginMetric(t *testing.T) { } func TestRequestHandling_SecretLeaseMetric(t *testing.T) { - core, _, root, sink := TestCoreUnsealedWithMetrics(t) + coreConfig := &CoreConfig{ + LogicalBackends: map[string]logical.Factory{ + "kv": LeasedPassthroughBackendFactory, + }, + } + core, _, root, sink := TestCoreUnsealedWithMetricsAndConfig(t, coreConfig) // Create a key with a lease req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo") diff --git a/vault/testing.go b/vault/testing.go index 7e0e0b718f..1989d321f4 100644 --- a/vault/testing.go +++ b/vault/testing.go @@ -36,6 +36,7 @@ import ( log "github.com/hashicorp/go-hclog" "github.com/hashicorp/go-secure-stdlib/reloadutil" raftlib "github.com/hashicorp/raft" + kv "github.com/hashicorp/vault-plugin-secrets-kv" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/audit" auditFile "github.com/hashicorp/vault/builtin/audit/file" @@ -296,7 +297,7 @@ func testCoreConfig(t testing.T, physicalBackend physical.Backend, logger log.Lo logicalBackends[backendName] = backendFactory } - logicalBackends["kv"] = LeasedPassthroughBackendFactory + logicalBackends["kv"] = kv.Factory for backendName, backendFactory := range testLogicalBackends { logicalBackends[backendName] = backendFactory } @@ -395,6 +396,14 @@ func TestCoreUnsealedWithMetrics(t testing.T) (*Core, [][]byte, string, *metrics return core, keys, root, sink } +func TestCoreUnsealedWithMetricsAndConfig(t testing.T, conf *CoreConfig) (*Core, [][]byte, string, *metrics.InmemSink) { + t.Helper() + conf.BuiltinRegistry = corehelpers.NewMockBuiltinRegistry() + sink := SetupMetrics(conf) + core, keys, root := TestCoreUnsealedWithConfig(t, conf) + return core, keys, root, sink +} + // TestCoreUnsealedRaw returns a pure in-memory core that is already // initialized, unsealed, and with raw endpoints enabled. func TestCoreUnsealedRaw(t testing.T) (*Core, [][]byte, string) { @@ -415,7 +424,7 @@ func testCoreUnsealed(t testing.T, core *Core) (*Core, [][]byte, string) { t.Helper() token, keys := TestInitUnsealCore(t, core) - testCoreAddSecretMount(t, core, token) + testCoreAddSecretMount(t, core, token, "1") return core, keys, token } @@ -433,7 +442,7 @@ func TestInitUnsealCore(t testing.T, core *Core) (string, [][]byte) { return token, keys } -func testCoreAddSecretMount(t testing.T, core *Core, token string) { +func testCoreAddSecretMount(t testing.T, core *Core, token, kvVersion string) { kvReq := &logical.Request{ Operation: logical.UpdateOperation, ClientToken: token, @@ -443,7 +452,7 @@ func testCoreAddSecretMount(t testing.T, core *Core, token string) { "path": "secret/", "description": "key/value secret storage", "options": map[string]string{ - "version": "1", + "version": kvVersion, }, }, } @@ -2136,28 +2145,7 @@ func (tc *TestCluster) initCores(t testing.T, opts *TestClusterOptions, addAudit kvVersion = opts.KVVersion } - // Existing tests rely on this; we can make a toggle to disable it - // later if we want - kvReq := &logical.Request{ - Operation: logical.UpdateOperation, - ClientToken: tc.RootToken, - Path: "sys/mounts/secret", - Data: map[string]interface{}{ - "type": "kv", - "path": "secret/", - "description": "key/value secret storage", - "options": map[string]string{ - "version": kvVersion, - }, - }, - } - resp, err := leader.Core.HandleRequest(namespace.RootContext(ctx), kvReq) - if err != nil { - t.Fatal(err) - } - if resp.IsError() { - t.Fatal(err) - } + testCoreAddSecretMount(t, leader.Core, tc.RootToken, kvVersion) cfg, err := leader.Core.seal.BarrierConfig(ctx) if err != nil { @@ -2217,7 +2205,7 @@ func (tc *TestCluster) initCores(t testing.T, opts *TestClusterOptions, addAudit "type": "noop", }, } - resp, err = leader.Core.HandleRequest(namespace.RootContext(ctx), auditReq) + resp, err := leader.Core.HandleRequest(namespace.RootContext(ctx), auditReq) if err != nil { t.Fatal(err) }