agent/caching: enable caching of leases generated by autoauth token (#6293)

* agent/caching: enable caching of leases generated by autoauth token

* add test for auth/token/create path

* update error message log

* Some minor updates

* add sleep timer for renewal logic to process

command/agent/cache_end_to_end_test.go

@@ -3,7 +3,6 @@ package agent
 import (
 	"context"
 	"fmt"
-	"github.com/hashicorp/vault/helper/consts"
 	"io/ioutil"
 	"net"
 	"net/http"
@@ -21,12 +20,23 @@ import (
 	"github.com/hashicorp/vault/command/agent/sink"
 	"github.com/hashicorp/vault/command/agent/sink/file"
 	"github.com/hashicorp/vault/command/agent/sink/inmem"
+	"github.com/hashicorp/vault/helper/consts"
 	"github.com/hashicorp/vault/helper/logging"
 	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/vault"
 )
 
+const policyAutoAuthAppRole = `
+path "/kv/*" {
+	capabilities = ["sudo", "create", "read", "update", "delete", "list"]
+}
+
+path "/auth/token/create" {
+	capabilities = ["create", "update"]
+}
+`
+
 func TestCache_UsingAutoAuthToken(t *testing.T) {
 	var err error
 	logger := logging.NewVaultLogger(log.Trace)
@@ -34,6 +44,9 @@ func TestCache_UsingAutoAuthToken(t *testing.T) {
 		DisableMlock: true,
 		DisableCache: true,
 		Logger:       log.NewNullLogger(),
+		LogicalBackends: map[string]logical.Factory{
+			"kv": vault.LeasedPassthroughBackendFactory,
+		},
 		CredentialBackends: map[string]logical.Factory{
 			"approle": credAppRole.Factory,
 		},
@@ -58,6 +71,28 @@ func TestCache_UsingAutoAuthToken(t *testing.T) {
 	defer os.Setenv(api.EnvVaultCACert, os.Getenv(api.EnvVaultCACert))
 	os.Setenv(api.EnvVaultCACert, fmt.Sprintf("%s/ca_cert.pem", cluster.TempDir))
 
+	err = client.Sys().Mount("kv", &api.MountInput{
+		Type: "kv",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create a secret in the backend
+	_, err = client.Logical().Write("kv/foo", map[string]interface{}{
+		"value": "bar",
+		"ttl":   "1h",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Add an kv-admin policy
+	if err := client.Sys().PutPolicy("test-autoauth", policyAutoAuthAppRole); err != nil {
+		t.Fatal(err)
+	}
+
+	// Enable approle
 	err = client.Sys().EnableAuthWithOptions("approle", &api.EnableAuthOptions{
 		Type: "approle",
 	})
@@ -69,6 +104,7 @@ func TestCache_UsingAutoAuthToken(t *testing.T) {
 		"bind_secret_id": "true",
 		"token_ttl":      "3s",
 		"token_max_ttl":  "10s",
+		"policies":       []string{"test-autoauth"},
 	})
 	if err != nil {
 		t.Fatal(err)
@@ -127,6 +163,29 @@ func TestCache_UsingAutoAuthToken(t *testing.T) {
 		"remove_secret_id_file_after_reading": true,
 	}
 
+	cacheLogger := logging.NewVaultLogger(hclog.Trace).Named("cache")
+
+	// Create the API proxier
+	apiProxy, err := cache.NewAPIProxy(&cache.APIProxyConfig{
+		Client: client,
+		Logger: cacheLogger.Named("apiproxy"),
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create the lease cache proxier and set its underlying proxier to
+	// the API proxier.
+	leaseCache, err := cache.NewLeaseCache(&cache.LeaseCacheConfig{
+		Client:      client,
+		BaseContext: ctx,
+		Proxier:     apiProxy,
+		Logger:      cacheLogger.Named("leasecache"),
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	am, err := agentapprole.NewApproleAuthMethod(&auth.AuthConfig{
 		Logger:    logger.Named("auth.approle"),
 		MountPath: "auth/approle",
@@ -166,7 +225,7 @@ func TestCache_UsingAutoAuthToken(t *testing.T) {
 		Logger: logger.Named("sink.inmem"),
 	}
 
-	inmemSink, err := inmem.New(inmemSinkConfig)
+	inmemSink, err := inmem.New(inmemSinkConfig, leaseCache)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -239,29 +298,6 @@ func TestCache_UsingAutoAuthToken(t *testing.T) {
 
 	defer listener.Close()
 
-	cacheLogger := logging.NewVaultLogger(hclog.Trace).Named("cache")
-
-	// Create the API proxier
-	apiProxy, err := cache.NewAPIProxy(&cache.APIProxyConfig{
-		Client: client,
-		Logger: cacheLogger.Named("apiproxy"),
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Create the lease cache proxier and set its underlying proxier to
-	// the API proxier.
-	leaseCache, err := cache.NewLeaseCache(&cache.LeaseCacheConfig{
-		Client:      client,
-		BaseContext: ctx,
-		Proxier:     apiProxy,
-		Logger:      cacheLogger.Named("leasecache"),
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
 	// Create a muxer and add paths relevant for the lease cache layer
 	mux := http.NewServeMux()
 	mux.Handle(consts.AgentPathCacheClear, leaseCache.HandleCacheClear(ctx))
@@ -295,4 +331,51 @@ func TestCache_UsingAutoAuthToken(t *testing.T) {
 	if resp == nil {
 		t.Fatalf("failed to use the auto-auth token to perform lookup-self")
 	}
+
+	// The following block tests lease creation caching using the auto-auth token.
+	{
+		resp, err = testClient.Logical().Read("kv/foo")
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		origReqID := resp.RequestID
+
+		resp, err = testClient.Logical().Read("kv/foo")
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Sleep for a bit to allow renewer logic to kick in
+		time.Sleep(20 * time.Millisecond)
+
+		cacheReqID := resp.RequestID
+
+		if origReqID != cacheReqID {
+			t.Fatalf("request ID  mismatch, expected second request to be a cached response: %s != %s", origReqID, cacheReqID)
+		}
+	}
+
+	// The following block tests auth token creation caching (child, non-orphan
+	// tokens) using the auto-auth token.
+	{
+		resp, err = testClient.Logical().Write("auth/token/create", nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		origReqID := resp.RequestID
+
+		// Sleep for a bit to allow renewer logic to kick in
+		time.Sleep(20 * time.Millisecond)
+
+		resp, err = testClient.Logical().Write("auth/token/create", nil)
+		if err != nil {
+			t.Fatal(err)
+		}
+		cacheReqID := resp.RequestID
+
+		if origReqID != cacheReqID {
+			t.Fatalf("request ID mismatch, expected second request to be a cached response: %s != %s", origReqID, cacheReqID)
+		}
+	}
 }