Add exit-after-auth functionality to agent (#5013)

This allows it to authenticate once, then exit once all sinks have reported success. Useful for things like an init container vs. a sidecard container. Also adds command-level testing of it.
2025-11-01 19:17:58 +00:00 · 2018-07-30 10:37:04 -04:00
parent cd63f3e6ef
commit c1a3e599ca
7 changed files with 297 additions and 79 deletions
--- a/command/agent/jwt_end_to_end_test.go
+++ b/command/agent/jwt_end_to_end_test.go
@@ -2,10 +2,7 @@ package agent

 import (
 	"context"
-	"crypto/ecdsa"
-	"crypto/x509"
 	"encoding/json"
-	"encoding/pem"
 	"io/ioutil"
 	"os"
 	"testing"
@@ -24,50 +21,8 @@ import (
 	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/vault"
-	jose "gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 )

-func getTestJWT(t *testing.T) (string, *ecdsa.PrivateKey) {
-	t.Helper()
-	cl := jwt.Claims{
-		Subject:   "r3qXcK2bix9eFECzsU3Sbmh0K16fatW6@clients",
-		Issuer:    "https://team-vault.auth0.com/",
-		NotBefore: jwt.NewNumericDate(time.Now().Add(-5 * time.Second)),
-		Audience:  jwt.Audience{"https://vault.plugin.auth.jwt.test"},
-	}
-
-	privateCl := struct {
-		User   string   `json:"https://vault/user"`
-		Groups []string `json:"https://vault/groups"`
-	}{
-		"jeff",
-		[]string{"foo", "bar"},
-	}
-
-	var key *ecdsa.PrivateKey
-	block, _ := pem.Decode([]byte(ecdsaPrivKey))
-	if block != nil {
-		var err error
-		key, err = x509.ParseECPrivateKey(block.Bytes)
-		if err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: key}, (&jose.SignerOptions{}).WithType("JWT"))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	raw, err := jwt.Signed(sig).Claims(cl).Claims(privateCl).CompactSerialize()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	return raw, key
-}
-
 func TestJWTEndToEnd(t *testing.T) {
 	testJWTEndToEnd(t, false)
 	testJWTEndToEnd(t, true)
@@ -100,7 +55,7 @@ func testJWTEndToEnd(t *testing.T, ahWrapping bool) {

 	_, err = client.Logical().Write("auth/jwt/config", map[string]interface{}{
 		"bound_issuer":           "https://team-vault.auth0.com/",
-		"jwt_validation_pubkeys": ecdsaPubKey,
+		"jwt_validation_pubkeys": TestECDSAPubKey,
 	})
 	if err != nil {
 		t.Fatal(err)
@@ -248,7 +203,7 @@ func testJWTEndToEnd(t *testing.T, ahWrapping bool) {
 	}

 	// Get a token
-	jwtToken, _ := getTestJWT(t)
+	jwtToken, _ := GetTestJWT(t)
 	if err := ioutil.WriteFile(in, []byte(jwtToken), 0600); err != nil {
 		t.Fatal(err)
 	} else {
@@ -355,7 +310,7 @@ func testJWTEndToEnd(t *testing.T, ahWrapping bool) {

 	// Get another token to test the backend pushing the need to authenticate
 	// to the handler
-	jwtToken, _ = getTestJWT(t)
+	jwtToken, _ = GetTestJWT(t)
 	if err := ioutil.WriteFile(in, []byte(jwtToken), 0600); err != nil {
 		t.Fatal(err)
 	}
@@ -394,16 +349,3 @@ func testJWTEndToEnd(t *testing.T, ahWrapping bool) {
 		}
 	}
 }
-
-const (
-	ecdsaPrivKey string = `-----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIKfldwWLPYsHjRL9EVTsjSbzTtcGRu6icohNfIqcb6A+oAoGCCqGSM49
-AwEHoUQDQgAE4+SFvPwOy0miy/FiTT05HnwjpEbSq+7+1q9BFxAkzjgKnlkXk5qx
-hzXQvRmS4w9ZsskoTZtuUI+XX7conJhzCQ==
-----END EC PRIVATE KEY-----`
-
-	ecdsaPubKey string = `-----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4+SFvPwOy0miy/FiTT05HnwjpEbS
-q+7+1q9BFxAkzjgKnlkXk5qxhzXQvRmS4w9ZsskoTZtuUI+XX7conJhzCQ==
-----END PUBLIC KEY-----`
-)