2018-06-13 08:40:03 +00:00
package ca
import (
2019-11-01 13:20:26 +00:00
"crypto/x509"
2020-09-09 23:36:37 +00:00
"encoding/json"
2018-06-14 21:20:10 +00:00
"fmt"
2022-11-10 16:26:01 +00:00
"io"
2022-03-28 14:58:16 +00:00
"sync/atomic"
2018-06-13 08:40:03 +00:00
"testing"
2018-06-14 21:20:10 +00:00
"time"
2018-06-13 08:40:03 +00:00
2020-09-09 23:36:37 +00:00
"github.com/hashicorp/go-hclog"
2018-06-14 17:56:17 +00:00
vaultapi "github.com/hashicorp/vault/api"
2021-11-05 16:42:28 +00:00
vaultconst "github.com/hashicorp/vault/sdk/helper/consts"
2018-06-13 08:40:03 +00:00
"github.com/stretchr/testify/require"
2021-06-21 21:51:37 +00:00
"github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/agent/structs"
2022-12-05 21:39:21 +00:00
"github.com/hashicorp/consul/sdk/testutil"
2021-06-21 21:51:37 +00:00
"github.com/hashicorp/consul/sdk/testutil/retry"
2018-06-13 08:40:03 +00:00
)
2022-09-08 08:11:19 +00:00
const pkiTestPolicy = `
2022-10-18 17:17:27 +00:00
path "sys/mounts"
2022-09-08 08:11:19 +00:00
{
2022-10-18 17:17:27 +00:00
capabilities = [ "read" ]
}
path "sys/mounts/pki-root"
{
capabilities = [ "create" , "read" , "update" , "delete" , "list" ]
}
path "sys/mounts/pki-intermediate"
{
capabilities = [ "create" , "read" , "update" , "delete" , "list" ]
}
path "sys/mounts/pki-intermediate/tune"
{
capabilities = [ "update" ]
}
path "pki-root/*"
{
capabilities = [ "create" , "read" , "update" , "delete" , "list" ]
2022-09-08 08:11:19 +00:00
}
path "pki-intermediate/*"
{
2022-10-18 17:17:27 +00:00
capabilities = [ "create" , "read" , "update" , "delete" , "list" ]
2022-09-08 08:11:19 +00:00
} `
2021-11-18 20:15:28 +00:00
func TestVaultCAProvider_ParseVaultCAConfig ( t * testing . T ) {
cases := map [ string ] struct {
rawConfig map [ string ] interface { }
expConfig * structs . VaultCAProviderConfig
expError string
} {
"no token and no auth method provided" : {
rawConfig : map [ string ] interface { } { } ,
expError : "must provide a Vault token or configure a Vault auth method" ,
} ,
"both token and auth method provided" : {
rawConfig : map [ string ] interface { } { "Token" : "test" , "AuthMethod" : map [ string ] interface { } { "Type" : "test" } } ,
expError : "only one of Vault token or Vault auth method can be provided, but not both" ,
} ,
"no root PKI path" : {
rawConfig : map [ string ] interface { } { "Token" : "test" } ,
expError : "must provide a valid path to a root PKI backend" ,
} ,
"no root intermediate path" : {
rawConfig : map [ string ] interface { } { "Token" : "test" , "RootPKIPath" : "test" } ,
expError : "must provide a valid path for the intermediate PKI backend" ,
} ,
"adds a slash to RootPKIPath and IntermediatePKIPath" : {
rawConfig : map [ string ] interface { } { "Token" : "test" , "RootPKIPath" : "test" , "IntermediatePKIPath" : "test" } ,
expConfig : & structs . VaultCAProviderConfig {
CommonCAProviderConfig : defaultCommonConfig ( ) ,
Token : "test" ,
RootPKIPath : "test/" ,
IntermediatePKIPath : "test/" ,
} ,
} ,
}
for name , c := range cases {
t . Run ( name , func ( t * testing . T ) {
config , err := ParseVaultCAConfig ( c . rawConfig )
if c . expError != "" {
require . EqualError ( t , err , c . expError )
} else {
require . NoError ( t , err )
require . Equal ( t , c . expConfig , config )
}
} )
}
}
func TestVaultCAProvider_configureVaultAuthMethod ( t * testing . T ) {
cases := map [ string ] struct {
expLoginPath string
params map [ string ] interface { }
expError string
} {
"alicloud" : { expLoginPath : "auth/alicloud/login" } ,
"approle" : { expLoginPath : "auth/approle/login" } ,
"aws" : { expLoginPath : "auth/aws/login" } ,
"azure" : { expLoginPath : "auth/azure/login" } ,
"cf" : { expLoginPath : "auth/cf/login" } ,
"github" : { expLoginPath : "auth/github/login" } ,
"gcp" : { expLoginPath : "auth/gcp/login" } ,
"jwt" : { expLoginPath : "auth/jwt/login" } ,
"kerberos" : { expLoginPath : "auth/kerberos/login" } ,
"kubernetes" : { expLoginPath : "auth/kubernetes/login" , params : map [ string ] interface { } { "jwt" : "fake" } } ,
"ldap" : { expLoginPath : "auth/ldap/login/foo" , params : map [ string ] interface { } { "username" : "foo" } } ,
"oci" : { expLoginPath : "auth/oci/login/foo" , params : map [ string ] interface { } { "role" : "foo" } } ,
"okta" : { expLoginPath : "auth/okta/login/foo" , params : map [ string ] interface { } { "username" : "foo" } } ,
"radius" : { expLoginPath : "auth/radius/login/foo" , params : map [ string ] interface { } { "username" : "foo" } } ,
"cert" : { expLoginPath : "auth/cert/login" } ,
"token" : { expError : "'token' auth method is not supported via auth method configuration; please provide the token with the 'token' parameter in the CA configuration" } ,
"userpass" : { expLoginPath : "auth/userpass/login/foo" , params : map [ string ] interface { } { "username" : "foo" } } ,
"unsupported" : { expError : "auth method \"unsupported\" is not supported" } ,
}
for authMethodType , c := range cases {
t . Run ( authMethodType , func ( t * testing . T ) {
loginPath , err := configureVaultAuthMethod ( & structs . VaultAuthMethod {
Type : authMethodType ,
Params : c . params ,
} )
if c . expError == "" {
require . NoError ( t , err )
require . Equal ( t , c . expLoginPath , loginPath )
} else {
require . EqualError ( t , err , c . expError )
}
} )
}
}
2019-01-08 16:09:22 +00:00
func TestVaultCAProvider_VaultTLSConfig ( t * testing . T ) {
config := & structs . VaultCAProviderConfig {
CAFile : "/capath/ca.pem" ,
CAPath : "/capath/" ,
CertFile : "/certpath/cert.pem" ,
KeyFile : "/certpath/key.pem" ,
TLSServerName : "server.name" ,
TLSSkipVerify : true ,
}
tlsConfig := vaultTLSConfig ( config )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . Equal ( t , config . CAFile , tlsConfig . CACert )
require . Equal ( t , config . CAPath , tlsConfig . CAPath )
require . Equal ( t , config . CertFile , tlsConfig . ClientCert )
require . Equal ( t , config . KeyFile , tlsConfig . ClientKey )
require . Equal ( t , config . TLSServerName , tlsConfig . TLSServerName )
require . Equal ( t , config . TLSSkipVerify , tlsConfig . Insecure )
2019-01-08 16:09:22 +00:00
}
2021-11-05 16:42:28 +00:00
func TestVaultCAProvider_Configure ( t * testing . T ) {
SkipIfVaultNotPresent ( t )
testcases := [ ] struct {
name string
rawConfig map [ string ] interface { }
expectedValue func ( t * testing . T , v * VaultProvider )
} {
{
name : "DefaultConfig" ,
rawConfig : map [ string ] interface { } { } ,
expectedValue : func ( t * testing . T , v * VaultProvider ) {
headers := v . client . Headers ( )
require . Equal ( t , "" , headers . Get ( vaultconst . NamespaceHeaderName ) )
require . Equal ( t , "pki-root/" , v . config . RootPKIPath )
require . Equal ( t , "pki-intermediate/" , v . config . IntermediatePKIPath )
} ,
} ,
{
name : "TestConfigWithNamespace" ,
rawConfig : map [ string ] interface { } { "namespace" : "ns1" } ,
expectedValue : func ( t * testing . T , v * VaultProvider ) {
h := v . client . Headers ( )
require . Equal ( t , "ns1" , h . Get ( vaultconst . NamespaceHeaderName ) )
} ,
} ,
}
for _ , testcase := range testcases {
t . Run ( testcase . name , func ( t * testing . T ) {
provider , _ := testVaultProviderWithConfig ( t , true , testcase . rawConfig )
testcase . expectedValue ( t , provider )
} )
}
return
}
2020-06-05 19:36:22 +00:00
func TestVaultCAProvider_SecondaryActiveIntermediate ( t * testing . T ) {
2020-10-09 12:02:18 +00:00
SkipIfVaultNotPresent ( t )
2020-06-05 19:36:22 +00:00
provider , testVault := testVaultProviderWithConfig ( t , false , nil )
defer testVault . Stop ( )
cert , err := provider . ActiveIntermediate ( )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . Empty ( t , cert )
require . NoError ( t , err )
2020-06-05 19:36:22 +00:00
}
2020-09-09 23:36:37 +00:00
func TestVaultCAProvider_RenewToken ( t * testing . T ) {
2021-07-01 00:48:29 +00:00
2020-10-09 12:02:18 +00:00
SkipIfVaultNotPresent ( t )
2020-09-09 23:36:37 +00:00
2020-09-11 15:41:05 +00:00
testVault , err := runTestVault ( t )
require . NoError ( t , err )
2020-09-09 23:36:37 +00:00
testVault . WaitUntilReady ( t )
// Create a token with a short TTL to be renewed by the provider.
ttl := 1 * time . Second
tcr := & vaultapi . TokenCreateRequest {
TTL : ttl . String ( ) ,
}
secret , err := testVault . client . Auth ( ) . Token ( ) . Create ( tcr )
2020-09-11 15:41:05 +00:00
require . NoError ( t , err )
2020-09-09 23:36:37 +00:00
providerToken := secret . Auth . ClientToken
2020-09-30 19:31:21 +00:00
_ , err = createVaultProvider ( t , true , testVault . Addr , providerToken , nil )
2020-09-11 15:41:05 +00:00
require . NoError ( t , err )
2020-09-09 23:36:37 +00:00
// Check the last renewal time.
secret , err = testVault . client . Auth ( ) . Token ( ) . Lookup ( providerToken )
2020-09-11 15:41:05 +00:00
require . NoError ( t , err )
2020-09-09 23:36:37 +00:00
firstRenewal , err := secret . Data [ "last_renewal_time" ] . ( json . Number ) . Int64 ( )
2020-09-11 15:41:05 +00:00
require . NoError ( t , err )
2020-09-09 23:36:37 +00:00
// Wait past the TTL and make sure the token has been renewed.
2020-09-11 15:41:05 +00:00
retry . Run ( t , func ( r * retry . R ) {
secret , err = testVault . client . Auth ( ) . Token ( ) . Lookup ( providerToken )
require . NoError ( r , err )
lastRenewal , err := secret . Data [ "last_renewal_time" ] . ( json . Number ) . Int64 ( )
require . NoError ( r , err )
require . Greater ( r , lastRenewal , firstRenewal )
} )
2020-09-09 23:36:37 +00:00
}
2022-03-28 14:58:16 +00:00
func TestVaultCAProvider_RenewTokenStopWatcherOnConfigure ( t * testing . T ) {
SkipIfVaultNotPresent ( t )
testVault , err := runTestVault ( t )
require . NoError ( t , err )
testVault . WaitUntilReady ( t )
// Create a token with a short TTL to be renewed by the provider.
ttl := 1 * time . Second
tcr := & vaultapi . TokenCreateRequest {
TTL : ttl . String ( ) ,
}
secret , err := testVault . client . Auth ( ) . Token ( ) . Create ( tcr )
require . NoError ( t , err )
providerToken := secret . Auth . ClientToken
provider , err := createVaultProvider ( t , true , testVault . Addr , providerToken , nil )
require . NoError ( t , err )
var gotStopped = uint32 ( 0 )
provider . stopWatcher = func ( ) {
atomic . StoreUint32 ( & gotStopped , 1 )
}
// Check the last renewal time.
secret , err = testVault . client . Auth ( ) . Token ( ) . Lookup ( providerToken )
require . NoError ( t , err )
firstRenewal , err := secret . Data [ "last_renewal_time" ] . ( json . Number ) . Int64 ( )
require . NoError ( t , err )
// Wait past the TTL and make sure the token has been renewed.
retry . Run ( t , func ( r * retry . R ) {
secret , err = testVault . client . Auth ( ) . Token ( ) . Lookup ( providerToken )
require . NoError ( r , err )
lastRenewal , err := secret . Data [ "last_renewal_time" ] . ( json . Number ) . Int64 ( )
require . NoError ( r , err )
require . Greater ( r , lastRenewal , firstRenewal )
} )
providerConfig := vaultProviderConfig ( t , testVault . Addr , providerToken , nil )
require . NoError ( t , provider . Configure ( providerConfig ) )
require . Equal ( t , uint32 ( 1 ) , atomic . LoadUint32 ( & gotStopped ) )
}
2018-06-13 08:40:03 +00:00
func TestVaultCAProvider_Bootstrap ( t * testing . T ) {
2020-10-09 12:02:18 +00:00
SkipIfVaultNotPresent ( t )
2019-09-23 17:04:40 +00:00
2021-11-02 18:02:10 +00:00
providerWDefaultRootCertTtl , testvault1 := testVaultProviderWithConfig ( t , true , map [ string ] interface { } {
"LeafCertTTL" : "1h" ,
} )
defer testvault1 . Stop ( )
client1 := testvault1 . client
providerCustomRootCertTtl , testvault2 := testVaultProviderWithConfig ( t , true , map [ string ] interface { } {
"LeafCertTTL" : "1h" ,
"RootCertTTL" : "8761h" ,
} )
defer testvault2 . Stop ( )
client2 := testvault2 . client
2019-09-23 17:04:40 +00:00
2018-06-13 08:40:03 +00:00
cases := [ ] struct {
2021-11-02 18:02:10 +00:00
certFunc func ( ) ( string , error )
backendPath string
rootCaCreation bool
provider * VaultProvider
client * vaultapi . Client
expectedRootCertTTL string
2018-06-13 08:40:03 +00:00
} {
{
2021-12-01 20:39:20 +00:00
certFunc : func ( ) ( string , error ) {
root , err := providerWDefaultRootCertTtl . GenerateRoot ( )
return root . PEM , err
} ,
2021-11-02 18:02:10 +00:00
backendPath : "pki-root/" ,
rootCaCreation : true ,
client : client1 ,
provider : providerWDefaultRootCertTtl ,
expectedRootCertTTL : structs . DefaultRootCertTTL ,
2018-06-13 08:40:03 +00:00
} ,
{
2021-11-02 18:02:10 +00:00
certFunc : providerCustomRootCertTtl . ActiveIntermediate ,
backendPath : "pki-intermediate/" ,
rootCaCreation : false ,
provider : providerCustomRootCertTtl ,
client : client2 ,
expectedRootCertTTL : "8761h" ,
2018-06-13 08:40:03 +00:00
} ,
}
// Verify the root and intermediate certs match the ones in the vault backends
for _ , tc := range cases {
2021-11-02 18:02:10 +00:00
provider := tc . provider
client := tc . client
2018-06-13 08:40:03 +00:00
cert , err := tc . certFunc ( )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
2018-06-14 17:56:17 +00:00
req := client . NewRequest ( "GET" , "/v1/" + tc . backendPath + "ca/pem" )
2018-06-13 08:40:03 +00:00
resp , err := client . RawRequest ( req )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
2022-11-10 16:26:01 +00:00
bytes , err := io . ReadAll ( resp . Body )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
require . Equal ( t , cert , string ( bytes ) + "\n" )
2018-06-13 08:40:03 +00:00
2018-06-14 17:56:17 +00:00
// Should be a valid CA cert
2018-06-13 08:40:03 +00:00
parsed , err := connect . ParseCert ( cert )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
require . True ( t , parsed . IsCA )
require . Len ( t , parsed . URIs , 1 )
require . Equal ( t , fmt . Sprintf ( "spiffe://%s.consul" , provider . clusterID ) , parsed . URIs [ 0 ] . String ( ) )
2021-11-02 18:02:10 +00:00
// test that the root cert ttl as applied
if tc . rootCaCreation {
rootCertTTL , err := time . ParseDuration ( tc . expectedRootCertTTL )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
2021-11-02 18:02:10 +00:00
expectedNotAfter := time . Now ( ) . Add ( rootCertTTL ) . UTC ( )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . WithinDuration ( t , expectedNotAfter , parsed . NotAfter , 10 * time . Minute , "expected parsed cert ttl to be the same as the value configured" )
2021-11-02 18:02:10 +00:00
}
2018-06-14 21:20:10 +00:00
}
}
2019-11-01 13:20:26 +00:00
func assertCorrectKeyType ( t * testing . T , want , certPEM string ) {
t . Helper ( )
2018-06-14 21:20:10 +00:00
2019-11-01 13:20:26 +00:00
cert , err := connect . ParseCert ( certPEM )
require . NoError ( t , err )
2018-06-14 21:20:10 +00:00
2019-11-01 13:20:26 +00:00
switch want {
case "ec" :
require . Equal ( t , x509 . ECDSA , cert . PublicKeyAlgorithm )
case "rsa" :
require . Equal ( t , x509 . RSA , cert . PublicKeyAlgorithm )
default :
t . Fatal ( "test doesn't support key type" )
2018-06-14 21:20:10 +00:00
}
2019-11-01 13:20:26 +00:00
}
2018-06-14 21:20:10 +00:00
2019-11-01 13:20:26 +00:00
func TestVaultCAProvider_SignLeaf ( t * testing . T ) {
2018-06-14 21:20:10 +00:00
2020-10-09 12:02:18 +00:00
SkipIfVaultNotPresent ( t )
2018-06-14 21:20:10 +00:00
2019-11-01 13:20:26 +00:00
for _ , tc := range KeyTestCases {
tc := tc
t . Run ( tc . Desc , func ( t * testing . T ) {
provider , testVault := testVaultProviderWithConfig ( t , true , map [ string ] interface { } {
"LeafCertTTL" : "1h" ,
"PrivateKeyType" : tc . KeyType ,
"PrivateKeyBits" : tc . KeyBits ,
} )
defer testVault . Stop ( )
spiffeService := & connect . SpiffeIDService {
Host : "node1" ,
Namespace : "default" ,
Datacenter : "dc1" ,
Service : "foo" ,
}
2021-12-01 20:39:20 +00:00
root , err := provider . GenerateRoot ( )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
2021-12-01 20:39:20 +00:00
rootPEM := root . PEM
2019-11-01 13:20:26 +00:00
assertCorrectKeyType ( t , tc . KeyType , rootPEM )
intPEM , err := provider . ActiveIntermediate ( )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
2019-11-01 13:20:26 +00:00
assertCorrectKeyType ( t , tc . KeyType , intPEM )
// Generate a leaf cert for the service.
var firstSerial uint64
{
raw , _ := connect . TestCSR ( t , spiffeService )
csr , err := connect . ParseCSR ( raw )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
2019-11-01 13:20:26 +00:00
cert , err := provider . Sign ( csr )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
2019-11-01 13:20:26 +00:00
parsed , err := connect . ParseCert ( cert )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
require . Equal ( t , parsed . URIs [ 0 ] , spiffeService . URI ( ) )
2019-11-01 13:20:26 +00:00
firstSerial = parsed . SerialNumber . Uint64 ( )
// Ensure the cert is valid now and expires within the correct limit.
now := time . Now ( )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . True ( t , parsed . NotAfter . Sub ( now ) < time . Hour )
require . True ( t , parsed . NotBefore . Before ( now ) )
2019-11-01 13:20:26 +00:00
// Make sure we can validate the cert as expected.
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , connect . ValidateLeaf ( rootPEM , cert , [ ] string { intPEM } ) )
2021-07-01 00:48:29 +00:00
requireTrailingNewline ( t , cert )
2019-11-01 13:20:26 +00:00
}
// Generate a new cert for another service and make sure
// the serial number is unique.
spiffeService . Service = "bar"
{
raw , _ := connect . TestCSR ( t , spiffeService )
csr , err := connect . ParseCSR ( raw )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
2019-11-01 13:20:26 +00:00
cert , err := provider . Sign ( csr )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
2019-11-01 13:20:26 +00:00
parsed , err := connect . ParseCert ( cert )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
require . Equal ( t , parsed . URIs [ 0 ] , spiffeService . URI ( ) )
require . NotEqual ( t , firstSerial , parsed . SerialNumber . Uint64 ( ) )
2019-11-01 13:20:26 +00:00
// Ensure the cert is valid now and expires within the correct limit.
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . True ( t , time . Until ( parsed . NotAfter ) < time . Hour )
require . True ( t , parsed . NotBefore . Before ( time . Now ( ) ) )
2019-11-01 13:20:26 +00:00
// Make sure we can validate the cert as expected.
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , connect . ValidateLeaf ( rootPEM , cert , [ ] string { intPEM } ) )
2019-11-01 13:20:26 +00:00
}
} )
2018-06-13 08:40:03 +00:00
}
}
2018-06-15 23:25:53 +00:00
func TestVaultCAProvider_CrossSignCA ( t * testing . T ) {
2020-10-09 12:02:18 +00:00
SkipIfVaultNotPresent ( t )
2019-09-23 17:04:40 +00:00
2019-11-01 13:20:26 +00:00
tests := CASigningKeyTypeCases ( )
for _ , tc := range tests {
tc := tc
t . Run ( tc . Desc , func ( t * testing . T ) {
if tc . SigningKeyType != tc . CSRKeyType {
// See https://github.com/hashicorp/vault/issues/7709
t . Skip ( "Vault doesn't support cross-signing different key types yet." )
}
provider1 , testVault1 := testVaultProviderWithConfig ( t , true , map [ string ] interface { } {
"LeafCertTTL" : "1h" ,
"PrivateKeyType" : tc . SigningKeyType ,
"PrivateKeyBits" : tc . SigningKeyBits ,
} )
defer testVault1 . Stop ( )
{
2021-12-01 20:39:20 +00:00
root , err := provider1 . GenerateRoot ( )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
2021-12-01 20:39:20 +00:00
assertCorrectKeyType ( t , tc . SigningKeyType , root . PEM )
2019-11-01 13:20:26 +00:00
intPEM , err := provider1 . ActiveIntermediate ( )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
2019-11-01 13:20:26 +00:00
assertCorrectKeyType ( t , tc . SigningKeyType , intPEM )
}
provider2 , testVault2 := testVaultProviderWithConfig ( t , true , map [ string ] interface { } {
"LeafCertTTL" : "1h" ,
"PrivateKeyType" : tc . CSRKeyType ,
"PrivateKeyBits" : tc . CSRKeyBits ,
} )
defer testVault2 . Stop ( )
{
2021-12-01 20:39:20 +00:00
root , err := provider2 . GenerateRoot ( )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
2021-12-01 20:39:20 +00:00
assertCorrectKeyType ( t , tc . CSRKeyType , root . PEM )
2019-11-01 13:20:26 +00:00
intPEM , err := provider2 . ActiveIntermediate ( )
bulk rewrite using this script
set -euo pipefail
unset CDPATH
cd "$(dirname "$0")"
for f in $(git grep '\brequire := require\.New(' | cut -d':' -f1 | sort -u); do
echo "=== require: $f ==="
sed -i '/require := require.New(t)/d' $f
# require.XXX(blah) but not require.XXX(tblah) or require.XXX(rblah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\([^tr]\)/require.\1(t,\2/g' $f
# require.XXX(tblah) but not require.XXX(t, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/require.\1(t,\2/g' $f
# require.XXX(rblah) but not require.XXX(r, blah)
sed -i 's/\brequire\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/require.\1(t,\2/g' $f
gofmt -s -w $f
done
for f in $(git grep '\bassert := assert\.New(' | cut -d':' -f1 | sort -u); do
echo "=== assert: $f ==="
sed -i '/assert := assert.New(t)/d' $f
# assert.XXX(blah) but not assert.XXX(tblah) or assert.XXX(rblah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\([^tr]\)/assert.\1(t,\2/g' $f
# assert.XXX(tblah) but not assert.XXX(t, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(t[^,]\)/assert.\1(t,\2/g' $f
# assert.XXX(rblah) but not assert.XXX(r, blah)
sed -i 's/\bassert\.\([a-zA-Z0-9_]*\)(\(r[^,]\)/assert.\1(t,\2/g' $f
gofmt -s -w $f
done
2022-01-20 16:46:23 +00:00
require . NoError ( t , err )
2019-11-01 13:20:26 +00:00
assertCorrectKeyType ( t , tc . CSRKeyType , intPEM )
}
testCrossSignProviders ( t , provider1 , provider2 )
} )
}
2018-06-15 23:25:53 +00:00
}
2018-09-13 20:09:07 +00:00
func TestVaultProvider_SignIntermediate ( t * testing . T ) {
2020-10-09 12:02:18 +00:00
SkipIfVaultNotPresent ( t )
2019-09-23 17:04:40 +00:00
2019-11-01 13:20:26 +00:00
tests := CASigningKeyTypeCases ( )
for _ , tc := range tests {
tc := tc
t . Run ( tc . Desc , func ( t * testing . T ) {
provider1 , testVault1 := testVaultProviderWithConfig ( t , true , map [ string ] interface { } {
"LeafCertTTL" : "1h" ,
"PrivateKeyType" : tc . SigningKeyType ,
"PrivateKeyBits" : tc . SigningKeyBits ,
} )
defer testVault1 . Stop ( )
provider2 , testVault2 := testVaultProviderWithConfig ( t , false , map [ string ] interface { } {
"LeafCertTTL" : "1h" ,
"PrivateKeyType" : tc . CSRKeyType ,
"PrivateKeyBits" : tc . CSRKeyBits ,
} )
defer testVault2 . Stop ( )
testSignIntermediateCrossDC ( t , provider1 , provider2 )
} )
}
2018-09-13 20:09:07 +00:00
}
func TestVaultProvider_SignIntermediateConsul ( t * testing . T ) {
2020-10-09 12:02:18 +00:00
SkipIfVaultNotPresent ( t )
2018-09-13 20:09:07 +00:00
2018-09-14 23:08:54 +00:00
// primary = Vault, secondary = Consul
2019-09-23 17:04:40 +00:00
t . Run ( "pri=vault,sec=consul" , func ( t * testing . T ) {
provider1 , testVault1 := testVaultProviderWithConfig ( t , true , nil )
defer testVault1 . Stop ( )
2018-09-13 20:09:07 +00:00
2018-09-14 23:08:54 +00:00
conf := testConsulCAConfig ( )
delegate := newMockDelegate ( t , conf )
2019-11-11 20:30:01 +00:00
provider2 := TestConsulProvider ( t , delegate )
2019-11-18 14:22:19 +00:00
cfg := testProviderConfig ( conf )
cfg . IsPrimary = false
cfg . Datacenter = "dc2"
require . NoError ( t , provider2 . Configure ( cfg ) )
2018-09-14 23:08:54 +00:00
testSignIntermediateCrossDC ( t , provider1 , provider2 )
2019-09-23 17:04:40 +00:00
} )
2018-09-14 23:08:54 +00:00
// primary = Consul, secondary = Vault
2019-09-23 17:04:40 +00:00
t . Run ( "pri=consul,sec=vault" , func ( t * testing . T ) {
2018-09-14 23:08:54 +00:00
conf := testConsulCAConfig ( )
delegate := newMockDelegate ( t , conf )
2019-11-11 20:30:01 +00:00
provider1 := TestConsulProvider ( t , delegate )
2019-11-18 14:22:19 +00:00
require . NoError ( t , provider1 . Configure ( testProviderConfig ( conf ) ) )
2021-12-01 20:39:20 +00:00
_ , err := provider1 . GenerateRoot ( )
require . NoError ( t , err )
2018-09-14 23:08:54 +00:00
2020-01-21 20:55:21 +00:00
// Ensure that we don't configure vault to try and mint leafs that
// outlive their CA during the test (which hard fails in vault).
intermediateCertTTL := getIntermediateCertTTL ( t , conf )
leafCertTTL := intermediateCertTTL - 4 * time . Hour
overrideConf := map [ string ] interface { } {
"LeafCertTTL" : [ ] uint8 ( leafCertTTL . String ( ) ) ,
}
provider2 , testVault2 := testVaultProviderWithConfig ( t , false , overrideConf )
2019-09-23 17:04:40 +00:00
defer testVault2 . Stop ( )
2018-09-14 23:08:54 +00:00
testSignIntermediateCrossDC ( t , provider1 , provider2 )
2019-09-23 17:04:40 +00:00
} )
}
2021-01-15 18:20:27 +00:00
func TestVaultProvider_Cleanup ( t * testing . T ) {
SkipIfVaultNotPresent ( t )
testVault , err := runTestVault ( t )
require . NoError ( t , err )
testVault . WaitUntilReady ( t )
t . Run ( "provider-change" , func ( t * testing . T ) {
provider , err := createVaultProvider ( t , true , testVault . Addr , testVault . RootToken , nil )
require . NoError ( t , err )
// ensure that the intermediate PKI mount exists
mounts , err := provider . client . Sys ( ) . ListMounts ( )
require . NoError ( t , err )
require . Contains ( t , mounts , provider . config . IntermediatePKIPath )
// call cleanup with a provider change - this should cause removal of the mount
require . NoError ( t , provider . Cleanup ( true , nil ) )
// verify the mount was removed
mounts , err = provider . client . Sys ( ) . ListMounts ( )
require . NoError ( t , err )
require . NotContains ( t , mounts , provider . config . IntermediatePKIPath )
} )
t . Run ( "pki-path-change" , func ( t * testing . T ) {
provider , err := createVaultProvider ( t , true , testVault . Addr , testVault . RootToken , nil )
require . NoError ( t , err )
// ensure that the intermediate PKI mount exists
mounts , err := provider . client . Sys ( ) . ListMounts ( )
require . NoError ( t , err )
require . Contains ( t , mounts , provider . config . IntermediatePKIPath )
// call cleanup with an intermediate pki path change - this should cause removal of the mount
require . NoError ( t , provider . Cleanup ( false , map [ string ] interface { } {
"Address" : testVault . Addr ,
"Token" : testVault . RootToken ,
"RootPKIPath" : "pki-root/" ,
//
"IntermediatePKIPath" : "pki-intermediate2/" ,
// Tests duration parsing after msgpack type mangling during raft apply.
"LeafCertTTL" : [ ] uint8 ( "72h" ) ,
} ) )
// verify the mount was removed
mounts , err = provider . client . Sys ( ) . ListMounts ( )
require . NoError ( t , err )
require . NotContains ( t , mounts , provider . config . IntermediatePKIPath )
} )
t . Run ( "pki-path-unchanged" , func ( t * testing . T ) {
provider , err := createVaultProvider ( t , true , testVault . Addr , testVault . RootToken , nil )
require . NoError ( t , err )
// ensure that the intermediate PKI mount exists
mounts , err := provider . client . Sys ( ) . ListMounts ( )
require . NoError ( t , err )
require . Contains ( t , mounts , provider . config . IntermediatePKIPath )
// call cleanup with no config changes - this should not cause removal of the intermediate pki path
require . NoError ( t , provider . Cleanup ( false , map [ string ] interface { } {
"Address" : testVault . Addr ,
"Token" : testVault . RootToken ,
"RootPKIPath" : "pki-root/" ,
"IntermediatePKIPath" : "pki-intermediate/" ,
// Tests duration parsing after msgpack type mangling during raft apply.
"LeafCertTTL" : [ ] uint8 ( "72h" ) ,
} ) )
// verify the mount was NOT removed
mounts , err = provider . client . Sys ( ) . ListMounts ( )
require . NoError ( t , err )
require . Contains ( t , mounts , provider . config . IntermediatePKIPath )
} )
}
2021-11-18 20:15:28 +00:00
func TestVaultProvider_ConfigureWithAuthMethod ( t * testing . T ) {
SkipIfVaultNotPresent ( t )
cases := [ ] struct {
authMethodType string
configureAuthMethodFunc func ( t * testing . T , vaultClient * vaultapi . Client ) map [ string ] interface { }
} {
{
authMethodType : "userpass" ,
configureAuthMethodFunc : func ( t * testing . T , vaultClient * vaultapi . Client ) map [ string ] interface { } {
_ , err := vaultClient . Logical ( ) . Write ( "/auth/userpass/users/test" ,
2022-09-08 08:11:19 +00:00
map [ string ] interface { } { "password" : "foo" , "policies" : "pki" } )
2021-11-18 20:15:28 +00:00
require . NoError ( t , err )
return map [ string ] interface { } {
"Type" : "userpass" ,
"Params" : map [ string ] interface { } {
"username" : "test" ,
"password" : "foo" ,
} ,
}
} ,
} ,
{
authMethodType : "approle" ,
configureAuthMethodFunc : func ( t * testing . T , vaultClient * vaultapi . Client ) map [ string ] interface { } {
2022-09-08 08:11:19 +00:00
_ , err := vaultClient . Logical ( ) . Write ( "auth/approle/role/my-role" ,
map [ string ] interface { } { "token_policies" : "pki" } )
2021-11-18 20:15:28 +00:00
require . NoError ( t , err )
resp , err := vaultClient . Logical ( ) . Read ( "auth/approle/role/my-role/role-id" )
require . NoError ( t , err )
roleID := resp . Data [ "role_id" ]
resp , err = vaultClient . Logical ( ) . Write ( "auth/approle/role/my-role/secret-id" , nil )
require . NoError ( t , err )
secretID := resp . Data [ "secret_id" ]
return map [ string ] interface { } {
"Type" : "approle" ,
"Params" : map [ string ] interface { } {
"role_id" : roleID ,
"secret_id" : secretID ,
} ,
}
} ,
} ,
}
for _ , c := range cases {
t . Run ( c . authMethodType , func ( t * testing . T ) {
testVault := NewTestVaultServer ( t )
err := testVault . Client ( ) . Sys ( ) . EnableAuthWithOptions ( c . authMethodType , & vaultapi . EnableAuthOptions { Type : c . authMethodType } )
require . NoError ( t , err )
2022-09-08 08:11:19 +00:00
err = testVault . Client ( ) . Sys ( ) . PutPolicy ( "pki" , pkiTestPolicy )
require . NoError ( t , err )
2021-11-18 20:15:28 +00:00
authMethodConf := c . configureAuthMethodFunc ( t , testVault . Client ( ) )
conf := map [ string ] interface { } {
"Address" : testVault . Addr ,
"RootPKIPath" : "pki-root/" ,
"IntermediatePKIPath" : "pki-intermediate/" ,
"AuthMethod" : authMethodConf ,
}
provider := NewVaultProvider ( hclog . New ( nil ) )
cfg := ProviderConfig {
ClusterID : connect . TestClusterID ,
Datacenter : "dc1" ,
IsPrimary : true ,
RawConfig : conf ,
}
t . Cleanup ( provider . Stop )
err = provider . Configure ( cfg )
require . NoError ( t , err )
require . NotEmpty ( t , provider . client . Token ( ) )
} )
}
}
func TestVaultProvider_RotateAuthMethodToken ( t * testing . T ) {
SkipIfVaultNotPresent ( t )
testVault := NewTestVaultServer ( t )
2022-09-08 08:11:19 +00:00
err := testVault . Client ( ) . Sys ( ) . PutPolicy ( "pki" , pkiTestPolicy )
require . NoError ( t , err )
err = testVault . Client ( ) . Sys ( ) . EnableAuthWithOptions ( "approle" , & vaultapi . EnableAuthOptions { Type : "approle" } )
2021-11-18 20:15:28 +00:00
require . NoError ( t , err )
_ , err = testVault . Client ( ) . Logical ( ) . Write ( "auth/approle/role/my-role" ,
2022-09-08 08:11:19 +00:00
map [ string ] interface { } {
"token_ttl" : "2s" ,
"token_explicit_max_ttl" : "2s" ,
"token_policies" : "pki" ,
} )
2021-11-18 20:15:28 +00:00
require . NoError ( t , err )
resp , err := testVault . Client ( ) . Logical ( ) . Read ( "auth/approle/role/my-role/role-id" )
require . NoError ( t , err )
roleID := resp . Data [ "role_id" ]
resp , err = testVault . Client ( ) . Logical ( ) . Write ( "auth/approle/role/my-role/secret-id" , nil )
require . NoError ( t , err )
secretID := resp . Data [ "secret_id" ]
conf := map [ string ] interface { } {
"Address" : testVault . Addr ,
"RootPKIPath" : "pki-root/" ,
"IntermediatePKIPath" : "pki-intermediate/" ,
"AuthMethod" : map [ string ] interface { } {
"Type" : "approle" ,
"Params" : map [ string ] interface { } {
"role_id" : roleID ,
"secret_id" : secretID ,
} ,
} ,
}
provider := NewVaultProvider ( hclog . New ( nil ) )
cfg := ProviderConfig {
ClusterID : connect . TestClusterID ,
Datacenter : "dc1" ,
IsPrimary : true ,
RawConfig : conf ,
}
t . Cleanup ( provider . Stop )
err = provider . Configure ( cfg )
require . NoError ( t , err )
token := provider . client . Token ( )
require . NotEmpty ( t , token )
// Check that the token is rotated after max_ttl time has passed.
require . Eventually ( t , func ( ) bool {
return provider . client . Token ( ) != token
} , 10 * time . Second , 100 * time . Millisecond )
}
2022-10-18 17:17:27 +00:00
func TestVaultProvider_ReconfigureIntermediateTTL ( t * testing . T ) {
SkipIfVaultNotPresent ( t )
// Set up a standard policy without any sys/mounts/pki-intermediate/tune permissions.
policy := `
path "sys/mounts"
{
capabilities = [ "read" ]
}
path "sys/mounts/pki-root"
{
capabilities = [ "create" , "read" , "update" , "delete" , "list" ]
}
path "sys/mounts/pki-intermediate"
{
capabilities = [ "create" , "read" , "update" , "delete" , "list" ]
}
path "pki-root/*"
{
capabilities = [ "create" , "read" , "update" , "delete" , "list" ]
}
path "pki-intermediate/*"
{
capabilities = [ "create" , "read" , "update" , "delete" , "list" ]
} `
testVault := NewTestVaultServer ( t )
err := testVault . Client ( ) . Sys ( ) . PutPolicy ( "pki" , policy )
require . NoError ( t , err )
tcr := & vaultapi . TokenCreateRequest {
Policies : [ ] string { "pki" } ,
}
secret , err := testVault . client . Auth ( ) . Token ( ) . Create ( tcr )
require . NoError ( t , err )
providerToken := secret . Auth . ClientToken
makeProviderConfWithTTL := func ( ttl string ) ProviderConfig {
conf := map [ string ] interface { } {
"Address" : testVault . Addr ,
"RootPKIPath" : "pki-root/" ,
"IntermediatePKIPath" : "pki-intermediate/" ,
"Token" : providerToken ,
"IntermediateCertTTL" : ttl ,
}
cfg := ProviderConfig {
ClusterID : connect . TestClusterID ,
Datacenter : "dc1" ,
IsPrimary : true ,
RawConfig : conf ,
}
return cfg
}
provider := NewVaultProvider ( hclog . New ( nil ) )
// Set up the initial provider config
t . Cleanup ( provider . Stop )
err = provider . Configure ( makeProviderConfWithTTL ( "222h" ) )
require . NoError ( t , err )
_ , err = provider . GenerateRoot ( )
require . NoError ( t , err )
_ , err = provider . GenerateIntermediate ( )
require . NoError ( t , err )
// Attempt to update the ttl without permissions for the tune endpoint - shouldn't
// return an error.
err = provider . Configure ( makeProviderConfWithTTL ( "333h" ) )
require . NoError ( t , err )
// Intermediate TTL shouldn't have changed
mountConfig , err := testVault . Client ( ) . Sys ( ) . MountConfig ( "pki-intermediate" )
require . NoError ( t , err )
require . Equal ( t , 222 * 3600 , mountConfig . MaxLeaseTTL )
// Update the policy and verify we can reconfigure the TTL properly.
policy += `
path "sys/mounts/pki-intermediate/tune"
{
capabilities = [ "update" ]
} `
err = testVault . Client ( ) . Sys ( ) . PutPolicy ( "pki" , policy )
require . NoError ( t , err )
err = provider . Configure ( makeProviderConfWithTTL ( "333h" ) )
require . NoError ( t , err )
mountConfig , err = testVault . Client ( ) . Sys ( ) . MountConfig ( "pki-intermediate" )
require . NoError ( t , err )
require . Equal ( t , 333 * 3600 , mountConfig . MaxLeaseTTL )
}
2022-11-17 21:29:49 +00:00
func TestVaultCAProvider_GenerateIntermediate ( t * testing . T ) {
SkipIfVaultNotPresent ( t )
provider , _ := testVaultProviderWithConfig ( t , true , nil )
orig , err := provider . ActiveIntermediate ( )
require . NoError ( t , err )
// This test was created to ensure that our calls to Vault
// returns a new Intermediate certificate and further calls
// to ActiveIntermediate return the same new cert.
new , err := provider . GenerateIntermediate ( )
require . NoError ( t , err )
newActive , err := provider . ActiveIntermediate ( )
require . NoError ( t , err )
require . Equal ( t , new , newActive )
require . NotEqual ( t , orig , new )
}
2022-12-05 21:39:21 +00:00
func TestVaultCAProvider_GenerateIntermediate_inSecondary ( t * testing . T ) {
SkipIfVaultNotPresent ( t )
// Primary DC will be a consul provider.
conf := testConsulCAConfig ( )
delegate := newMockDelegate ( t , conf )
primaryProvider := TestConsulProvider ( t , delegate )
require . NoError ( t , primaryProvider . Configure ( testProviderConfig ( conf ) ) )
_ , err := primaryProvider . GenerateRoot ( )
require . NoError ( t , err )
// Ensure that we don't configure vault to try and mint leafs that
// outlive their CA during the test (which hard fails in vault).
intermediateCertTTL := getIntermediateCertTTL ( t , conf )
leafCertTTL := intermediateCertTTL - 4 * time . Hour
provider , _ := testVaultProviderWithConfig ( t , false , map [ string ] any {
"LeafCertTTL" : [ ] uint8 ( leafCertTTL . String ( ) ) ,
} )
var origIntermediate string
testutil . RunStep ( t , "initialize secondary provider" , func ( t * testing . T ) {
// Get the intermediate CSR from provider.
csrPEM , issuerID , err := provider . GenerateIntermediateCSR ( )
require . NoError ( t , err )
csr , err := connect . ParseCSR ( csrPEM )
require . NoError ( t , err )
// Sign the CSR with primaryProvider.
intermediatePEM , err := primaryProvider . SignIntermediate ( csr )
require . NoError ( t , err )
root , err := primaryProvider . GenerateRoot ( )
require . NoError ( t , err )
rootPEM := root . PEM
// Give the new intermediate to provider to use.
require . NoError ( t , provider . SetIntermediate ( intermediatePEM , rootPEM , issuerID ) )
origIntermediate , err = provider . ActiveIntermediate ( )
require . NoError ( t , err )
} )
testutil . RunStep ( t , "renew secondary provider" , func ( t * testing . T ) {
// Get the intermediate CSR from provider.
csrPEM , issuerID , err := provider . GenerateIntermediateCSR ( )
require . NoError ( t , err )
csr , err := connect . ParseCSR ( csrPEM )
require . NoError ( t , err )
// Sign the CSR with primaryProvider.
intermediatePEM , err := primaryProvider . SignIntermediate ( csr )
require . NoError ( t , err )
root , err := primaryProvider . GenerateRoot ( )
require . NoError ( t , err )
rootPEM := root . PEM
// Give the new intermediate to provider to use.
require . NoError ( t , provider . SetIntermediate ( intermediatePEM , rootPEM , issuerID ) )
// This test was created to ensure that our calls to Vault
// returns a new Intermediate certificate and further calls
// to ActiveIntermediate return the same new cert.
newActiveIntermediate , err := provider . ActiveIntermediate ( )
require . NoError ( t , err )
require . NotEqual ( t , origIntermediate , newActiveIntermediate )
require . Equal ( t , intermediatePEM , newActiveIntermediate )
} )
}
2022-11-28 21:17:58 +00:00
func TestVaultCAProvider_VaultManaged ( t * testing . T ) {
SkipIfVaultNotPresent ( t )
const vaultManagedPKIPolicy = `
path "/pki-root/" {
capabilities = [ "read" ]
}
path "/pki-root/root/sign-intermediate" {
capabilities = [ "update" ]
}
path "/pki-intermediate/*" {
capabilities = [ "create" , "read" , "update" , "delete" , "list" ]
}
path "auth/token/renew-self" {
capabilities = [ "update" ]
}
path "auth/token/lookup-self" {
capabilities = [ "read" ]
}
`
testVault , err := runTestVault ( t )
if err != nil {
t . Fatalf ( "err: %v" , err )
}
testVault . WaitUntilReady ( t )
client := testVault . Client ( )
client . SetToken ( "root" )
// Mount pki root externally
require . NoError ( t , client . Sys ( ) . Mount ( "pki-root" , & vaultapi . MountInput {
Type : "pki" ,
Description : "root CA backend for Consul Connect" ,
Config : vaultapi . MountConfigInput {
MaxLeaseTTL : "12m" ,
} ,
} ) )
_ , err = client . Logical ( ) . Write ( "pki-root/root/generate/internal" , map [ string ] interface { } {
"common_name" : "testconsul" ,
} )
require . NoError ( t , err )
// Mount pki intermediate externally
require . NoError ( t , client . Sys ( ) . Mount ( "pki-intermediate" , & vaultapi . MountInput {
Type : "pki" ,
Description : "intermediate CA backend for Consul Connect" ,
Config : vaultapi . MountConfigInput {
MaxLeaseTTL : "6m" ,
} ,
} ) )
// Generate a policy and token for the VaultProvider to use
require . NoError ( t , client . Sys ( ) . PutPolicy ( "consul-ca" , vaultManagedPKIPolicy ) )
tcr := & vaultapi . TokenCreateRequest {
Policies : [ ] string { "consul-ca" } ,
}
secret , err := testVault . client . Auth ( ) . Token ( ) . Create ( tcr )
require . NoError ( t , err )
providerToken := secret . Auth . ClientToken
// We want to test the provider.Configure() step
_ , err = createVaultProvider ( t , true , testVault . Addr , providerToken , nil )
require . NoError ( t , err )
}
func TestVaultCAProvider_ConsulManaged ( t * testing . T ) {
SkipIfVaultNotPresent ( t )
testVault , err := runTestVault ( t )
if err != nil {
t . Fatalf ( "err: %v" , err )
}
testVault . WaitUntilReady ( t )
client := testVault . Client ( )
client . SetToken ( "root" )
// We do not configure any mounts and instead let Consul
// be responsible for mounting root and intermediate PKI
// Generate a policy and token for the VaultProvider to use
require . NoError ( t , client . Sys ( ) . PutPolicy ( "consul-ca" , pkiTestPolicy ) )
tcr := & vaultapi . TokenCreateRequest {
Policies : [ ] string { "consul-ca" } ,
}
secret , err := testVault . client . Auth ( ) . Token ( ) . Create ( tcr )
require . NoError ( t , err )
providerToken := secret . Auth . ClientToken
// We want to test the provider.Configure() step
_ , err = createVaultProvider ( t , true , testVault . Addr , providerToken , nil )
require . NoError ( t , err )
}
2020-01-21 20:55:21 +00:00
func getIntermediateCertTTL ( t * testing . T , caConf * structs . CAConfiguration ) time . Duration {
t . Helper ( )
require . NotNil ( t , caConf )
require . NotNil ( t , caConf . Config )
iface , ok := caConf . Config [ "IntermediateCertTTL" ]
require . True ( t , ok )
ttlBytes , ok := iface . ( [ ] uint8 )
require . True ( t , ok )
ttlString := string ( ttlBytes )
dur , err := time . ParseDuration ( ttlString )
require . NoError ( t , err )
return dur
}
2020-09-30 19:31:21 +00:00
func testVaultProviderWithConfig ( t * testing . T , isPrimary bool , rawConf map [ string ] interface { } ) ( * VaultProvider , * TestVaultServer ) {
2020-09-11 15:41:05 +00:00
testVault , err := runTestVault ( t )
2019-09-23 17:04:40 +00:00
if err != nil {
t . Fatalf ( "err: %v" , err )
2018-09-14 23:08:54 +00:00
}
2019-09-23 17:04:40 +00:00
testVault . WaitUntilReady ( t )
2020-09-30 19:31:21 +00:00
provider , err := createVaultProvider ( t , isPrimary , testVault . Addr , testVault . RootToken , rawConf )
2020-09-09 23:36:37 +00:00
if err != nil {
testVault . Stop ( )
t . Fatalf ( "err: %v" , err )
}
return provider , testVault
}
2020-09-11 15:41:05 +00:00
func createVaultProvider ( t * testing . T , isPrimary bool , addr , token string , rawConf map [ string ] interface { } ) ( * VaultProvider , error ) {
2022-03-28 14:58:16 +00:00
cfg := vaultProviderConfig ( t , addr , token , rawConf )
provider := NewVaultProvider ( hclog . New ( nil ) )
if ! isPrimary {
cfg . IsPrimary = false
cfg . Datacenter = "dc2"
}
t . Cleanup ( provider . Stop )
require . NoError ( t , provider . Configure ( cfg ) )
if isPrimary {
_ , err := provider . GenerateRoot ( )
require . NoError ( t , err )
_ , err = provider . GenerateIntermediate ( )
require . NoError ( t , err )
}
return provider , nil
}
func vaultProviderConfig ( t * testing . T , addr , token string , rawConf map [ string ] interface { } ) ProviderConfig {
2019-09-23 17:04:40 +00:00
conf := map [ string ] interface { } {
2020-09-09 23:36:37 +00:00
"Address" : addr ,
"Token" : token ,
2019-09-23 17:04:40 +00:00
"RootPKIPath" : "pki-root/" ,
"IntermediatePKIPath" : "pki-intermediate/" ,
// Tests duration parsing after msgpack type mangling during raft apply.
"LeafCertTTL" : [ ] uint8 ( "72h" ) ,
}
for k , v := range rawConf {
conf [ k ] = v
}
2019-11-18 14:22:19 +00:00
cfg := ProviderConfig {
ClusterID : connect . TestClusterID ,
Datacenter : "dc1" ,
IsPrimary : true ,
RawConfig : conf ,
}
2022-03-28 14:58:16 +00:00
return cfg
2019-09-23 17:04:40 +00:00
}