1package config
2
3import (
4	"os"
5	"testing"
6	"time"
7
8	"github.com/go-test/deep"
9	log "github.com/hashicorp/go-hclog"
10	"github.com/hashicorp/vault/sdk/helper/logging"
11)
12
13func TestLoadConfigFile_AgentCache(t *testing.T) {
14	logger := logging.NewVaultLogger(log.Debug)
15
16	config, err := LoadConfig("./test-fixtures/config-cache.hcl", logger)
17	if err != nil {
18		t.Fatal(err)
19	}
20
21	expected := &Config{
22		AutoAuth: &AutoAuth{
23			Method: &Method{
24				Type:      "aws",
25				MountPath: "auth/aws",
26				Config: map[string]interface{}{
27					"role": "foobar",
28				},
29			},
30			Sinks: []*Sink{
31				&Sink{
32					Type:   "file",
33					DHType: "curve25519",
34					DHPath: "/tmp/file-foo-dhpath",
35					AAD:    "foobar",
36					Config: map[string]interface{}{
37						"path": "/tmp/file-foo",
38					},
39				},
40			},
41		},
42		Cache: &Cache{
43			UseAutoAuthToken: true,
44		},
45		Listeners: []*Listener{
46			&Listener{
47				Type: "unix",
48				Config: map[string]interface{}{
49					"address":      "/path/to/socket",
50					"tls_disable":  true,
51					"socket_mode":  "configmode",
52					"socket_user":  "configuser",
53					"socket_group": "configgroup",
54				},
55			},
56			&Listener{
57				Type: "tcp",
58				Config: map[string]interface{}{
59					"address":     "127.0.0.1:8300",
60					"tls_disable": true,
61				},
62			},
63			&Listener{
64				Type: "tcp",
65				Config: map[string]interface{}{
66					"address":       "127.0.0.1:8400",
67					"tls_key_file":  "/path/to/cakey.pem",
68					"tls_cert_file": "/path/to/cacert.pem",
69				},
70			},
71		},
72		Vault: &Vault{
73			Address:          "http://127.0.0.1:1111",
74			CACert:           "config_ca_cert",
75			CAPath:           "config_ca_path",
76			TLSSkipVerifyRaw: interface{}("true"),
77			TLSSkipVerify:    true,
78			ClientCert:       "config_client_cert",
79			ClientKey:        "config_client_key",
80		},
81		PidFile: "./pidfile",
82	}
83
84	if diff := deep.Equal(config, expected); diff != nil {
85		t.Fatal(diff)
86	}
87
88	config, err = LoadConfig("./test-fixtures/config-cache-embedded-type.hcl", logger)
89	if err != nil {
90		t.Fatal(err)
91	}
92	expected.Vault.TLSSkipVerifyRaw = interface{}(true)
93
94	if diff := deep.Equal(config, expected); diff != nil {
95		t.Fatal(diff)
96	}
97}
98
99func TestLoadConfigFile(t *testing.T) {
100	logger := logging.NewVaultLogger(log.Debug)
101
102	os.Setenv("TEST_AAD_ENV", "aad")
103	defer os.Unsetenv("TEST_AAD_ENV")
104
105	config, err := LoadConfig("./test-fixtures/config.hcl", logger)
106	if err != nil {
107		t.Fatalf("err: %s", err)
108	}
109
110	expected := &Config{
111		AutoAuth: &AutoAuth{
112			Method: &Method{
113				Type:      "aws",
114				MountPath: "auth/aws",
115				Namespace: "my-namespace/",
116				Config: map[string]interface{}{
117					"role": "foobar",
118				},
119			},
120			Sinks: []*Sink{
121				&Sink{
122					Type:   "file",
123					DHType: "curve25519",
124					DHPath: "/tmp/file-foo-dhpath",
125					AAD:    "foobar",
126					Config: map[string]interface{}{
127						"path": "/tmp/file-foo",
128					},
129				},
130				&Sink{
131					Type:    "file",
132					WrapTTL: 5 * time.Minute,
133					DHType:  "curve25519",
134					DHPath:  "/tmp/file-foo-dhpath2",
135					AAD:     "aad",
136					Config: map[string]interface{}{
137						"path": "/tmp/file-bar",
138					},
139				},
140			},
141		},
142		PidFile: "./pidfile",
143	}
144
145	if diff := deep.Equal(config, expected); diff != nil {
146		t.Fatal(diff)
147	}
148
149	config, err = LoadConfig("./test-fixtures/config-embedded-type.hcl", logger)
150	if err != nil {
151		t.Fatalf("err: %s", err)
152	}
153
154	if diff := deep.Equal(config, expected); diff != nil {
155		t.Fatal(diff)
156	}
157}
158
159func TestLoadConfigFile_Method_Wrapping(t *testing.T) {
160	logger := logging.NewVaultLogger(log.Debug)
161
162	config, err := LoadConfig("./test-fixtures/config-method-wrapping.hcl", logger)
163	if err != nil {
164		t.Fatalf("err: %s", err)
165	}
166
167	expected := &Config{
168		AutoAuth: &AutoAuth{
169			Method: &Method{
170				Type:      "aws",
171				MountPath: "auth/aws",
172				WrapTTL:   5 * time.Minute,
173				Config: map[string]interface{}{
174					"role": "foobar",
175				},
176			},
177			Sinks: []*Sink{
178				&Sink{
179					Type: "file",
180					Config: map[string]interface{}{
181						"path": "/tmp/file-foo",
182					},
183				},
184			},
185		},
186		PidFile: "./pidfile",
187	}
188
189	if diff := deep.Equal(config, expected); diff != nil {
190		t.Fatal(diff)
191	}
192}
193
194func TestLoadConfigFile_AgentCache_NoAutoAuth(t *testing.T) {
195	logger := logging.NewVaultLogger(log.Debug)
196
197	config, err := LoadConfig("./test-fixtures/config-cache-no-auto_auth.hcl", logger)
198	if err != nil {
199		t.Fatalf("err: %s", err)
200	}
201
202	expected := &Config{
203		Cache: &Cache{},
204		Listeners: []*Listener{
205			&Listener{
206				Type: "tcp",
207				Config: map[string]interface{}{
208					"address":     "127.0.0.1:8300",
209					"tls_disable": true,
210				},
211			},
212		},
213		PidFile: "./pidfile",
214	}
215
216	if diff := deep.Equal(config, expected); diff != nil {
217		t.Fatal(diff)
218	}
219}
220
221func TestLoadConfigFile_Bad_AgentCache_InconsisentAutoAuth(t *testing.T) {
222	logger := logging.NewVaultLogger(log.Debug)
223
224	_, err := LoadConfig("./test-fixtures/bad-config-cache-inconsistent-auto_auth.hcl", logger)
225	if err == nil {
226		t.Fatal("LoadConfig should return an error when use_auto_auth_token=true and no auto_auth section present")
227	}
228}
229
230func TestLoadConfigFile_Bad_AgentCache_NoListeners(t *testing.T) {
231	logger := logging.NewVaultLogger(log.Debug)
232
233	_, err := LoadConfig("./test-fixtures/bad-config-cache-no-listeners.hcl", logger)
234	if err == nil {
235		t.Fatal("LoadConfig should return an error when cache section present and no listeners present")
236	}
237}
238
239func TestLoadConfigFile_Bad_AutoAuth_Wrapped_Multiple_Sinks(t *testing.T) {
240	logger := logging.NewVaultLogger(log.Debug)
241
242	_, err := LoadConfig("./test-fixtures/bad-config-auto_auth-wrapped-multiple-sinks", logger)
243	if err == nil {
244		t.Fatal("LoadConfig should return an error when auth_auth.method.wrap_ttl nonzero and multiple sinks defined")
245	}
246}
247
248func TestLoadConfigFile_Bad_AutoAuth_Both_Wrapping_Types(t *testing.T) {
249	logger := logging.NewVaultLogger(log.Debug)
250
251	_, err := LoadConfig("./test-fixtures/bad-config-method-wrapping-and-sink-wrapping.hcl", logger)
252	if err == nil {
253		t.Fatal("LoadConfig should return an error when auth_auth.method.wrap_ttl nonzero and sinks.wrap_ttl nonzero")
254	}
255}
256
257func TestLoadConfigFile_Bad_AgentCache_AutoAuth_Method_wrapping(t *testing.T) {
258	logger := logging.NewVaultLogger(log.Debug)
259
260	_, err := LoadConfig("./test-fixtures/bad-config-cache-auto_auth-method-wrapping.hcl", logger)
261	if err == nil {
262		t.Fatal("LoadConfig should return an error when auth_auth.method.wrap_ttl nonzero and cache.use_auto_auth_token=true")
263	}
264}
265
266func TestLoadConfigFile_AgentCache_AutoAuth_NoSink(t *testing.T) {
267	logger := logging.NewVaultLogger(log.Debug)
268
269	config, err := LoadConfig("./test-fixtures/config-cache-auto_auth-no-sink.hcl", logger)
270	if err != nil {
271		t.Fatalf("err: %s", err)
272	}
273
274	expected := &Config{
275		AutoAuth: &AutoAuth{
276			Method: &Method{
277				Type:      "aws",
278				MountPath: "auth/aws",
279				Config: map[string]interface{}{
280					"role": "foobar",
281				},
282			},
283		},
284		Cache: &Cache{
285			UseAutoAuthToken: true,
286		},
287		Listeners: []*Listener{
288			&Listener{
289				Type: "tcp",
290				Config: map[string]interface{}{
291					"address":     "127.0.0.1:8300",
292					"tls_disable": true,
293				},
294			},
295		},
296		PidFile: "./pidfile",
297	}
298
299	if diff := deep.Equal(config, expected); diff != nil {
300		t.Fatal(diff)
301	}
302}
303