Vault SSH: TLS client creation test

This commit is contained in:
vishalnayak
2015-08-18 19:00:27 -07:00
parent 99736663e2
commit d6c5031169
4 changed files with 65 additions and 11 deletions

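--- a/api/ssh_agent_test.go
+++ b/api/ssh_agent_test.go
@@ -0,0 +1,30 @@
+package api
+import (
+"fmt"
+"testing"
+)
+func TestSSH_CreateTLSClient(t *testing.T) {
+// load the default configuration
+config, err := LoadSSHAgentConfig("./test-fixtures/agent_config.hcl")
+if err != nil {
+panic(fmt.Sprintf("error loading agent's config file: %s", err))
+}
+client, err := config.NewClient()
+if err != nil {
+panic(fmt.Sprintf("error creating the client: %s", err))
+}
+// Provide a certificate and enforce setting of transport
+config.CACert = "./test-fixtures/vault.crt"
+client, err = config.NewClient()
+if err != nil {
+panic(fmt.Sprintf("error creating the client: %s", err))
+}
+if client.config.HttpClient.Transport == nil {
+panic(fmt.Sprintf("error creating client with TLS transport"))
+}
+}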
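Review bot: The only assertion, `if client.config.HttpClient.Transport == nil`, proves that some transport was installed but not that `config.CACert` was parsed into the TLS root pool, so a `NewClient` that silently ignored an unreadable certificate or left server verification off would still pass this test. Assert on the TLS configuration itself, and replace the `panic(fmt.Sprintf(...))` calls with `t.Fatalf` so a failure is reported against the test rather than aborting the whole test binary. The concrete type behind `Transport` is not visible here (`NewClient` is outside this hunk), so the type assertion below assumes an `*http.Transport` and needs `net/http` imported; adjust if the client wraps it. The `client` returned by the default-config call is never inspected, so that branch currently checks only that no error came back.
```go
	// … unchanged: config load and default-config client creation …
	config.CACert = "./test-fixtures/vault.crt"
	client, err = config.NewClient()
	if err != nil {
		t.Fatalf("error creating the client: %s", err)
	}
	tr, ok := client.config.HttpClient.Transport.(*http.Transport)
	if !ok || tr.TLSClientConfig == nil || tr.TLSClientConfig.RootCAs == nil {
		t.Fatalf("expected TLS transport with CA pool loaded from %q", config.CACert)
	}
```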


@@ -0,0 +1,24 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -41,14 +41,14 @@ func pathRoles(b *backend) *framework.Path {
"key": &framework.FieldSchema{
Type: framework.TypeString,
Description: `
[Required for dynamic type] [Not applicable for otp type]
[Required for Dynamic type] [Not applicable for OTP type]
Name of the registered key in Vault. Before creating the role, use the
'keys/' endpoint to create a named key.`,
},
"admin_user": &framework.FieldSchema{
Type: framework.TypeString,
Description: `
[Required for dynamic type] [Not applicable for otp type]
[Required for Dynamic type] [Not applicable for OTP type]
Admin user at remote host. The shared key being registered should be
for this user and should have root privileges. Everytime a dynamic
credential is being generated for other users, Vault uses this admin
@@ -89,13 +89,13 @@ func pathRoles(b *backend) *framework.Path {
"key_bits": &framework.FieldSchema{
Type: framework.TypeInt,
Description: `
[Optional for dynamic type] [Not applicable for otp type]
[Optional for Dynamic type] [Not applicable for OTP type]
Length of the RSA dynamic key in bits. It can be one of 1024, 2048 or 4096.`,
},
"install_script": &framework.FieldSchema{
Type: framework.TypeString,
Description: `
[Optional for dynamic type][Not-applicable for otp type]
[Optional for Dynamic type][Not-applicable for OTP type]
Script used to install and uninstall public keys in the target machine.
The inbuilt default install script will be for Linux hosts. For sample
script, refer the project documentation website.`,
@@ -130,7 +130,7 @@ func (b *backend) pathRoleWrite(req *logical.Request, d *framework.FieldData) (*
return logical.ErrorResponse("Missing role name"), nil
}
// Allowed users is an optional field, applicable for both otp and dynamic types.
// Allowed users is an optional field, applicable for both OTP and Dynamic types.
allowedUsers := d.Get("allowed_users").(string)
defaultUser := d.Get("default_user").(string)


@@ -47,13 +47,13 @@ func (c *SSHCommand) Run(args []string) int {
args = flags.Args()
if len(args) < 1 {
c.Ui.Error("ssh expects at least one argument")
return 2
return 1
}
client, err := c.Client()
if err != nil {
c.Ui.Error(fmt.Sprintf("Error initializing client: %s", err))
return 2
return 1
}
// split the parameter username@ip
@@ -77,7 +77,7 @@ func (c *SSHCommand) Run(args []string) int {
ipAddr = input[1]
} else {
c.Ui.Error(fmt.Sprintf("Invalid parameter: %s", args[0]))
return 2
return 1
}
// Resolving domain names to IP address on the client side.
@@ -85,7 +85,7 @@ func (c *SSHCommand) Run(args []string) int {
ip, err := net.ResolveIPAddr("ip", ipAddr)
if err != nil {
c.Ui.Error(fmt.Sprintf("Error resolving IP Address: %s", err))
return 2
return 1
}
// Credentials are generated only against a registered role. If user
@@ -113,7 +113,7 @@ func (c *SSHCommand) Run(args []string) int {
keySecret, err := client.SSHWithMountPoint(mountPoint).Credential(role, data)
if err != nil {
c.Ui.Error(fmt.Sprintf("Error getting key for SSH session:%s", err))
return 2
return 1
}
// if no-exec was chosen, just print out the secret and return.
@@ -132,7 +132,7 @@ func (c *SSHCommand) Run(args []string) int {
if resp.KeyType == ssh.KeyTypeDynamic {
if len(resp.Key) == 0 {
c.Ui.Error(fmt.Sprintf("Invalid key"))
return 2
return 1
}
sshDynamicKeyFileName = fmt.Sprintf("vault_ssh_%s_%s", username, ip.String())
err = ioutil.WriteFile(sshDynamicKeyFileName, []byte(resp.Key), 0600)
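Review bot: The dynamic private key at `err = ioutil.WriteFile(sshDynamicKeyFileName, []byte(resp.Key), 0600)` is written under a predictable name (`vault_ssh_<user>_<ip>`) in the current working directory, and as the standard library documents, `WriteFile` creates with O_CREATE|O_TRUNC rather than O_EXCL, so a pre-existing file or symlink of that name is followed and the 0600 mode is only applied when the file is newly created. Prefer an exclusive create, e.g. `f, err := os.OpenFile(sshDynamicKeyFileName, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)`, or `ioutil.TempFile` so the name is not guessable by another local user. Whether the file is removed once the ssh session ends is not visible here; `Run` continues past the end of this hunk. These lines are unchanged context rather than part of the exit-code change this commit makes.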