1package config 2 3import ( 4 "os" 5 "testing" 6 "time" 7 8 "github.com/go-test/deep" 9 log "github.com/hashicorp/go-hclog" 10 "github.com/hashicorp/vault/sdk/helper/logging" 11) 12 13func TestLoadConfigFile_AgentCache(t *testing.T) { 14 logger := logging.NewVaultLogger(log.Debug) 15 16 config, err := LoadConfig("./test-fixtures/config-cache.hcl", logger) 17 if err != nil { 18 t.Fatal(err) 19 } 20 21 expected := &Config{ 22 AutoAuth: &AutoAuth{ 23 Method: &Method{ 24 Type: "aws", 25 MountPath: "auth/aws", 26 Config: map[string]interface{}{ 27 "role": "foobar", 28 }, 29 }, 30 Sinks: []*Sink{ 31 &Sink{ 32 Type: "file", 33 DHType: "curve25519", 34 DHPath: "/tmp/file-foo-dhpath", 35 AAD: "foobar", 36 Config: map[string]interface{}{ 37 "path": "/tmp/file-foo", 38 }, 39 }, 40 }, 41 }, 42 Cache: &Cache{ 43 UseAutoAuthToken: true, 44 }, 45 Listeners: []*Listener{ 46 &Listener{ 47 Type: "unix", 48 Config: map[string]interface{}{ 49 "address": "/path/to/socket", 50 "tls_disable": true, 51 "socket_mode": "configmode", 52 "socket_user": "configuser", 53 "socket_group": "configgroup", 54 }, 55 }, 56 &Listener{ 57 Type: "tcp", 58 Config: map[string]interface{}{ 59 "address": "127.0.0.1:8300", 60 "tls_disable": true, 61 }, 62 }, 63 &Listener{ 64 Type: "tcp", 65 Config: map[string]interface{}{ 66 "address": "127.0.0.1:8400", 67 "tls_key_file": "/path/to/cakey.pem", 68 "tls_cert_file": "/path/to/cacert.pem", 69 }, 70 }, 71 }, 72 Vault: &Vault{ 73 Address: "http://127.0.0.1:1111", 74 CACert: "config_ca_cert", 75 CAPath: "config_ca_path", 76 TLSSkipVerifyRaw: interface{}("true"), 77 TLSSkipVerify: true, 78 ClientCert: "config_client_cert", 79 ClientKey: "config_client_key", 80 }, 81 PidFile: "./pidfile", 82 } 83 84 if diff := deep.Equal(config, expected); diff != nil { 85 t.Fatal(diff) 86 } 87 88 config, err = LoadConfig("./test-fixtures/config-cache-embedded-type.hcl", logger) 89 if err != nil { 90 t.Fatal(err) 91 } 92 expected.Vault.TLSSkipVerifyRaw = interface{}(true) 93 94 if diff := deep.Equal(config, expected); diff != nil { 95 t.Fatal(diff) 96 } 97} 98 99func TestLoadConfigFile(t *testing.T) { 100 logger := logging.NewVaultLogger(log.Debug) 101 102 os.Setenv("TEST_AAD_ENV", "aad") 103 defer os.Unsetenv("TEST_AAD_ENV") 104 105 config, err := LoadConfig("./test-fixtures/config.hcl", logger) 106 if err != nil { 107 t.Fatalf("err: %s", err) 108 } 109 110 expected := &Config{ 111 AutoAuth: &AutoAuth{ 112 Method: &Method{ 113 Type: "aws", 114 MountPath: "auth/aws", 115 Namespace: "my-namespace/", 116 Config: map[string]interface{}{ 117 "role": "foobar", 118 }, 119 }, 120 Sinks: []*Sink{ 121 &Sink{ 122 Type: "file", 123 DHType: "curve25519", 124 DHPath: "/tmp/file-foo-dhpath", 125 AAD: "foobar", 126 Config: map[string]interface{}{ 127 "path": "/tmp/file-foo", 128 }, 129 }, 130 &Sink{ 131 Type: "file", 132 WrapTTL: 5 * time.Minute, 133 DHType: "curve25519", 134 DHPath: "/tmp/file-foo-dhpath2", 135 AAD: "aad", 136 Config: map[string]interface{}{ 137 "path": "/tmp/file-bar", 138 }, 139 }, 140 }, 141 }, 142 PidFile: "./pidfile", 143 } 144 145 if diff := deep.Equal(config, expected); diff != nil { 146 t.Fatal(diff) 147 } 148 149 config, err = LoadConfig("./test-fixtures/config-embedded-type.hcl", logger) 150 if err != nil { 151 t.Fatalf("err: %s", err) 152 } 153 154 if diff := deep.Equal(config, expected); diff != nil { 155 t.Fatal(diff) 156 } 157} 158 159func TestLoadConfigFile_Method_Wrapping(t *testing.T) { 160 logger := logging.NewVaultLogger(log.Debug) 161 162 config, err := LoadConfig("./test-fixtures/config-method-wrapping.hcl", logger) 163 if err != nil { 164 t.Fatalf("err: %s", err) 165 } 166 167 expected := &Config{ 168 AutoAuth: &AutoAuth{ 169 Method: &Method{ 170 Type: "aws", 171 MountPath: "auth/aws", 172 WrapTTL: 5 * time.Minute, 173 Config: map[string]interface{}{ 174 "role": "foobar", 175 }, 176 }, 177 Sinks: []*Sink{ 178 &Sink{ 179 Type: "file", 180 Config: map[string]interface{}{ 181 "path": "/tmp/file-foo", 182 }, 183 }, 184 }, 185 }, 186 PidFile: "./pidfile", 187 } 188 189 if diff := deep.Equal(config, expected); diff != nil { 190 t.Fatal(diff) 191 } 192} 193 194func TestLoadConfigFile_AgentCache_NoAutoAuth(t *testing.T) { 195 logger := logging.NewVaultLogger(log.Debug) 196 197 config, err := LoadConfig("./test-fixtures/config-cache-no-auto_auth.hcl", logger) 198 if err != nil { 199 t.Fatalf("err: %s", err) 200 } 201 202 expected := &Config{ 203 Cache: &Cache{}, 204 Listeners: []*Listener{ 205 &Listener{ 206 Type: "tcp", 207 Config: map[string]interface{}{ 208 "address": "127.0.0.1:8300", 209 "tls_disable": true, 210 }, 211 }, 212 }, 213 PidFile: "./pidfile", 214 } 215 216 if diff := deep.Equal(config, expected); diff != nil { 217 t.Fatal(diff) 218 } 219} 220 221func TestLoadConfigFile_Bad_AgentCache_InconsisentAutoAuth(t *testing.T) { 222 logger := logging.NewVaultLogger(log.Debug) 223 224 _, err := LoadConfig("./test-fixtures/bad-config-cache-inconsistent-auto_auth.hcl", logger) 225 if err == nil { 226 t.Fatal("LoadConfig should return an error when use_auto_auth_token=true and no auto_auth section present") 227 } 228} 229 230func TestLoadConfigFile_Bad_AgentCache_NoListeners(t *testing.T) { 231 logger := logging.NewVaultLogger(log.Debug) 232 233 _, err := LoadConfig("./test-fixtures/bad-config-cache-no-listeners.hcl", logger) 234 if err == nil { 235 t.Fatal("LoadConfig should return an error when cache section present and no listeners present") 236 } 237} 238 239func TestLoadConfigFile_Bad_AutoAuth_Wrapped_Multiple_Sinks(t *testing.T) { 240 logger := logging.NewVaultLogger(log.Debug) 241 242 _, err := LoadConfig("./test-fixtures/bad-config-auto_auth-wrapped-multiple-sinks", logger) 243 if err == nil { 244 t.Fatal("LoadConfig should return an error when auth_auth.method.wrap_ttl nonzero and multiple sinks defined") 245 } 246} 247 248func TestLoadConfigFile_Bad_AutoAuth_Both_Wrapping_Types(t *testing.T) { 249 logger := logging.NewVaultLogger(log.Debug) 250 251 _, err := LoadConfig("./test-fixtures/bad-config-method-wrapping-and-sink-wrapping.hcl", logger) 252 if err == nil { 253 t.Fatal("LoadConfig should return an error when auth_auth.method.wrap_ttl nonzero and sinks.wrap_ttl nonzero") 254 } 255} 256 257func TestLoadConfigFile_Bad_AgentCache_AutoAuth_Method_wrapping(t *testing.T) { 258 logger := logging.NewVaultLogger(log.Debug) 259 260 _, err := LoadConfig("./test-fixtures/bad-config-cache-auto_auth-method-wrapping.hcl", logger) 261 if err == nil { 262 t.Fatal("LoadConfig should return an error when auth_auth.method.wrap_ttl nonzero and cache.use_auto_auth_token=true") 263 } 264} 265 266func TestLoadConfigFile_AgentCache_AutoAuth_NoSink(t *testing.T) { 267 logger := logging.NewVaultLogger(log.Debug) 268 269 config, err := LoadConfig("./test-fixtures/config-cache-auto_auth-no-sink.hcl", logger) 270 if err != nil { 271 t.Fatalf("err: %s", err) 272 } 273 274 expected := &Config{ 275 AutoAuth: &AutoAuth{ 276 Method: &Method{ 277 Type: "aws", 278 MountPath: "auth/aws", 279 Config: map[string]interface{}{ 280 "role": "foobar", 281 }, 282 }, 283 }, 284 Cache: &Cache{ 285 UseAutoAuthToken: true, 286 }, 287 Listeners: []*Listener{ 288 &Listener{ 289 Type: "tcp", 290 Config: map[string]interface{}{ 291 "address": "127.0.0.1:8300", 292 "tls_disable": true, 293 }, 294 }, 295 }, 296 PidFile: "./pidfile", 297 } 298 299 if diff := deep.Equal(config, expected); diff != nil { 300 t.Fatal(diff) 301 } 302} 303