Agent auto auth wrapping new config checks (#6479)

* Simplify Run(): the function that was being sent over a channel doesn't
need to close over anything except latestToken, and we don't need to
create a new one each iteration.  Instead just pass the relevant items,
namely the token and sink to work on.

* Disallow the following config combinations:
1. auto_auth.method.wrap_ttl > 0 and multiple file sinks
2. auto_auth.method.wrap_ttl > 0 and single file sink with wrap_ttl > 0
3. auto_auth.method.wrap_ttl > 0 and cache.use_auto_auth_token = true

* Expose errors that occur when APIProxy is forwarding request to Vault.

* Fix merge issues.

command/agent/config/config_test.go

@@ -22,7 +22,6 @@ func TestLoadConfigFile_AgentCache(t *testing.T) {
 		AutoAuth: &AutoAuth{
 			Method: &Method{
 				Type:      "aws",
-				WrapTTL:   300 * time.Second,
 				MountPath: "auth/aws",
 				Config: map[string]interface{}{
 					"role": "foobar",
@@ -110,7 +109,6 @@ func TestLoadConfigFile(t *testing.T) {
 		AutoAuth: &AutoAuth{
 			Method: &Method{
 				Type:      "aws",
-				WrapTTL:   300 * time.Second,
 				MountPath: "auth/aws",
 				Config: map[string]interface{}{
 					"role": "foobar",
@@ -155,6 +153,41 @@ func TestLoadConfigFile(t *testing.T) {
 	}
 }
 
+func TestLoadConfigFile_Method_Wrapping(t *testing.T) {
+	logger := logging.NewVaultLogger(log.Debug)
+
+	config, err := LoadConfig("./test-fixtures/config-method-wrapping.hcl", logger)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	expected := &Config{
+		AutoAuth: &AutoAuth{
+			Method: &Method{
+				Type:      "aws",
+				MountPath: "auth/aws",
+				WrapTTL:   5 * time.Minute,
+				Config: map[string]interface{}{
+					"role": "foobar",
+				},
+			},
+			Sinks: []*Sink{
+				&Sink{
+					Type: "file",
+					Config: map[string]interface{}{
+						"path": "/tmp/file-foo",
+					},
+				},
+			},
+		},
+		PidFile: "./pidfile",
+	}
+
+	if diff := deep.Equal(config, expected); diff != nil {
+		t.Fatal(diff)
+	}
+}
+
 func TestLoadConfigFile_AgentCache_NoAutoAuth(t *testing.T) {
 	logger := logging.NewVaultLogger(log.Debug)
 
@@ -200,6 +233,33 @@ func TestLoadConfigFile_Bad_AgentCache_NoListeners(t *testing.T) {
 	}
 }
 
+func TestLoadConfigFile_Bad_AutoAuth_Wrapped_Multiple_Sinks(t *testing.T) {
+	logger := logging.NewVaultLogger(log.Debug)
+
+	_, err := LoadConfig("./test-fixtures/bad-config-auto_auth-wrapped-multiple-sinks", logger)
+	if err == nil {
+		t.Fatal("LoadConfig should return an error when auth_auth.method.wrap_ttl nonzero and multiple sinks defined")
+	}
+}
+
+func TestLoadConfigFile_Bad_AutoAuth_Both_Wrapping_Types(t *testing.T) {
+	logger := logging.NewVaultLogger(log.Debug)
+
+	_, err := LoadConfig("./test-fixtures/bad-config-method-wrapping-and-sink-wrapping.hcl", logger)
+	if err == nil {
+		t.Fatal("LoadConfig should return an error when auth_auth.method.wrap_ttl nonzero and sinks.wrap_ttl nonzero")
+	}
+}
+
+func TestLoadConfigFile_Bad_AgentCache_AutoAuth_Method_wrapping(t *testing.T) {
+	logger := logging.NewVaultLogger(log.Debug)
+
+	_, err := LoadConfig("./test-fixtures/bad-config-cache-auto_auth-method-wrapping.hcl", logger)
+	if err == nil {
+		t.Fatal("LoadConfig should return an error when auth_auth.method.wrap_ttl nonzero and cache.use_auto_auth_token=true")
+	}
+}
+
 func TestLoadConfigFile_AgentCache_AutoAuth_NoSink(t *testing.T) {
 	logger := logging.NewVaultLogger(log.Debug)
 
@@ -212,7 +272,6 @@ func TestLoadConfigFile_AgentCache_AutoAuth_NoSink(t *testing.T) {
 		AutoAuth: &AutoAuth{
 			Method: &Method{
 				Type:      "aws",
-				WrapTTL:   300 * time.Second,
 				MountPath: "auth/aws",
 				Config: map[string]interface{}{
 					"role": "foobar",