Add a test for token renewal

2020-09-09 16:36:37 -07:00 · 2020-09-09 16:36:37 -07:00 · 411b6537ef
parent 97f1f341d6
commit 411b6537ef
3 changed files with 81 additions and 13 deletions
--- a/agent/connect/ca/provider_vault.go
+++ b/agent/connect/ca/provider_vault.go
@ -94,8 +94,9 @@ func (v *VaultProvider) Configure(cfg ProviderConfig) error {
 		renewer, err := client.NewRenewer(&vaultapi.RenewerInput{
 			Secret: &vaultapi.Secret{
 				Auth: &vaultapi.SecretAuth{
-					ClientToken: config.Token,
+					ClientToken:   config.Token,
-					Renewable:   renewable,
+					Renewable:     renewable,
 					LeaseDuration: secret.LeaseDuration,
 				},
 			},
 			Increment: int(increment),
@ -121,7 +122,7 @@ func (v *VaultProvider) renewToken(renewer *vaultapi.Renewer) {
 		case err := <-renewer.DoneCh():
 			if err != nil {
-				v.logger.Error(fmt.Sprint("Error renewing token for Vault provider: %v", err))
+				v.logger.Error(fmt.Sprintf("Error renewing token for Vault provider: %v", err))
 			}
 		case <-renewer.RenewCh():
--- a/agent/connect/ca/provider_vault_test.go
+++ b/agent/connect/ca/provider_vault_test.go
@ -2,6 +2,7 @@ package ca
 import (
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"os"
@ -14,6 +15,7 @@ import (
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/hashicorp/consul/sdk/freeport"
 	"github.com/hashicorp/consul/sdk/testutil/retry"
 	"github.com/hashicorp/go-hclog"
 	vaultapi "github.com/hashicorp/vault/api"
 	"github.com/stretchr/testify/require"
 )
@ -51,6 +53,46 @@ func TestVaultCAProvider_SecondaryActiveIntermediate(t *testing.T) {
 	require.NoError(err)
 }
 func TestVaultCAProvider_RenewToken(t *testing.T) {
 	t.Parallel()
 	require := require.New(t)
 	skipIfVaultNotPresent(t)
 	testVault, err := runTestVault()
 	if err != nil {
 		t.Fatalf("err: %v", err)
 	}
 	testVault.WaitUntilReady(t)
 	// Create a token with a short TTL to be renewed by the provider.
 	ttl := 1 * time.Second
 	tcr := &vaultapi.TokenCreateRequest{
 		TTL: ttl.String(),
 	}
 	secret, err := testVault.client.Auth().Token().Create(tcr)
 	require.NoError(err)
 	providerToken := secret.Auth.ClientToken
 	_, err = createVaultProvider(true, testVault.addr, providerToken, nil)
 	require.NoError(err)
 	// Check the last renewal time.
 	secret, err = testVault.client.Auth().Token().Lookup(providerToken)
 	require.NoError(err)
 	firstRenewal, err := secret.Data["last_renewal_time"].(json.Number).Int64()
 	require.NoError(err)
 	time.Sleep(ttl * 2)
 	// Wait past the TTL and make sure the token has been renewed.
 	secret, err = testVault.client.Auth().Token().Lookup(providerToken)
 	require.NoError(err)
 	lastRenewal, err := secret.Data["last_renewal_time"].(json.Number).Int64()
 	require.NoError(err)
 	require.Greater(lastRenewal, firstRenewal)
 }
 func TestVaultCAProvider_Bootstrap(t *testing.T) {
 	t.Parallel()
@ -356,9 +398,18 @@ func testVaultProviderWithConfig(t *testing.T, isPrimary bool, rawConf map[strin
 	testVault.WaitUntilReady(t)
 	provider, err := createVaultProvider(isPrimary, testVault.addr, testVault.rootToken, rawConf)
 	if err != nil {
 		testVault.Stop()
 		t.Fatalf("err: %v", err)
 	}
 	return provider, testVault
 }
 func createVaultProvider(isPrimary bool, addr, token string, rawConf map[string]interface{}) (*VaultProvider, error) {
 	conf := map[string]interface{}{
-		"Address":             testVault.addr,
+		"Address":             addr,
-		"Token":               testVault.rootToken,
+		"Token":               token,
 		"RootPKIPath":         "pki-root/",
 		"IntermediatePKIPath": "pki-intermediate/",
 		// Tests duration parsing after msgpack type mangling during raft apply.
@ -377,26 +428,29 @@ func testVaultProviderWithConfig(t *testing.T, isPrimary bool, rawConf map[strin
 		RawConfig:  conf,
 	}
 	logger := hclog.New(&hclog.LoggerOptions{
 		Output: ioutil.Discard,
 	})
 	provider.SetLogger(logger)
 	if !isPrimary {
 		cfg.IsPrimary = false
 		cfg.Datacenter = "dc2"
 	}
 	if err := provider.Configure(cfg); err != nil {
-		testVault.Stop()
+		return nil, err
 		t.Fatalf("err: %v", err)
 	}
 	if isPrimary {
-		if err = provider.GenerateRoot(); err != nil {
+		if err := provider.GenerateRoot(); err != nil {
-			testVault.Stop()
+			return nil, err
 			t.Fatalf("err: %v", err)
 		}
 		if _, err := provider.GenerateIntermediate(); err != nil {
-			testVault.Stop()
+			return nil, err
 			t.Fatalf("err: %v", err)
 		}
 	}
-	return provider, testVault
+
 	return provider, nil
 }
 // skipIfVaultNotPresent skips the test if the vault binary is not in PATH.
--- a/agent/consul/connect_ca_endpoint.go
+++ b/agent/consul/connect_ca_endpoint.go
@ -152,6 +152,17 @@ func (s *ConnectCA) ConfigurationSet(
 	if err := newProvider.Configure(pCfg); err != nil {
 		return fmt.Errorf("error configuring provider: %v", err)
 	}
 	// Set up a defer to clean up the new provider if we exit early due to an error.
 	cleanupNewProvider := true
 	defer func() {
 		if cleanupNewProvider {
 			if err := newProvider.Cleanup(); err != nil {
 				s.logger.Warn("failed to clean up temporary new CA provider", "provider", newProvider)
 			}
 		}
 	}()
 	if err := newProvider.GenerateRoot(); err != nil {
 		return fmt.Errorf("error generating CA root certificate: %v", err)
 	}
@ -195,6 +206,7 @@ func (s *ConnectCA) ConfigurationSet(
 		}
 		// If the config has been committed, update the local provider instance
 		cleanupNewProvider = false
 		s.srv.setCAProvider(newProvider, newActiveRoot)
 		s.logger.Info("CA provider config updated")
@ -291,6 +303,7 @@ func (s *ConnectCA) ConfigurationSet(
 	// If the config has been committed, update the local provider instance
 	// and call teardown on the old provider
 	cleanupNewProvider = false
 	s.srv.setCAProvider(newProvider, newActiveRoot)
 	if err := oldProvider.Cleanup(); err != nil {