1package vault 2 3import ( 4 "context" 5 "reflect" 6 "testing" 7 "time" 8 9 "github.com/go-test/deep" 10 "github.com/hashicorp/errwrap" 11 log "github.com/hashicorp/go-hclog" 12 "github.com/hashicorp/go-uuid" 13 "github.com/hashicorp/vault/audit" 14 "github.com/hashicorp/vault/helper/namespace" 15 "github.com/hashicorp/vault/sdk/helper/consts" 16 "github.com/hashicorp/vault/sdk/helper/logging" 17 "github.com/hashicorp/vault/sdk/logical" 18 "github.com/hashicorp/vault/sdk/physical" 19 "github.com/hashicorp/vault/sdk/physical/inmem" 20) 21 22var ( 23 // invalidKey is used to test Unseal 24 invalidKey = []byte("abcdefghijklmnopqrstuvwxyz")[:17] 25) 26 27func TestNewCore_badRedirectAddr(t *testing.T) { 28 logger = logging.NewVaultLogger(log.Trace) 29 30 inm, err := inmem.NewInmem(nil, logger) 31 if err != nil { 32 t.Fatal(err) 33 } 34 35 conf := &CoreConfig{ 36 RedirectAddr: "127.0.0.1:8200", 37 Physical: inm, 38 DisableMlock: true, 39 } 40 _, err = NewCore(conf) 41 if err == nil { 42 t.Fatal("should error") 43 } 44} 45 46func TestSealConfig_Invalid(t *testing.T) { 47 s := &SealConfig{ 48 SecretShares: 2, 49 SecretThreshold: 1, 50 } 51 err := s.Validate() 52 if err == nil { 53 t.Fatalf("expected err") 54 } 55} 56 57func TestCore_Unseal_MultiShare(t *testing.T) { 58 c := TestCore(t) 59 60 _, err := TestCoreUnseal(c, invalidKey) 61 if err != ErrNotInit { 62 t.Fatalf("err: %v", err) 63 } 64 65 sealConf := &SealConfig{ 66 SecretShares: 5, 67 SecretThreshold: 3, 68 } 69 res, err := c.Initialize(namespace.RootContext(nil), &InitParams{ 70 BarrierConfig: sealConf, 71 RecoveryConfig: nil, 72 }) 73 if err != nil { 74 t.Fatalf("err: %v", err) 75 } 76 77 if !c.Sealed() { 78 t.Fatalf("should be sealed") 79 } 80 81 if prog, _ := c.SecretProgress(); prog != 0 { 82 t.Fatalf("bad progress: %d", prog) 83 } 84 85 for i := 0; i < 5; i++ { 86 unseal, err := TestCoreUnseal(c, res.SecretShares[i]) 87 if err != nil { 88 t.Fatalf("err: %v", err) 89 } 90 91 // Ignore redundant 92 _, err = TestCoreUnseal(c, res.SecretShares[i]) 93 if err != nil { 94 t.Fatalf("err: %v", err) 95 } 96 if i >= 2 { 97 if !unseal { 98 t.Fatalf("should be unsealed") 99 } 100 if prog, _ := c.SecretProgress(); prog != 0 { 101 t.Fatalf("bad progress: %d", prog) 102 } 103 } else { 104 if unseal { 105 t.Fatalf("should not be unsealed") 106 } 107 if prog, _ := c.SecretProgress(); prog != i+1 { 108 t.Fatalf("bad progress: %d", prog) 109 } 110 } 111 } 112 113 if c.Sealed() { 114 t.Fatalf("should not be sealed") 115 } 116 117 err = c.Seal(res.RootToken) 118 if err != nil { 119 t.Fatalf("err: %v", err) 120 } 121 122 // Ignore redundant 123 err = c.Seal(res.RootToken) 124 if err != nil { 125 t.Fatalf("err: %v", err) 126 } 127 128 if !c.Sealed() { 129 t.Fatalf("should be sealed") 130 } 131} 132 133func TestCore_Unseal_Single(t *testing.T) { 134 c := TestCore(t) 135 136 _, err := TestCoreUnseal(c, invalidKey) 137 if err != ErrNotInit { 138 t.Fatalf("err: %v", err) 139 } 140 141 sealConf := &SealConfig{ 142 SecretShares: 1, 143 SecretThreshold: 1, 144 } 145 res, err := c.Initialize(namespace.RootContext(nil), &InitParams{ 146 BarrierConfig: sealConf, 147 RecoveryConfig: nil, 148 }) 149 if err != nil { 150 t.Fatalf("err: %v", err) 151 } 152 153 if !c.Sealed() { 154 t.Fatalf("should be sealed") 155 } 156 157 if prog, _ := c.SecretProgress(); prog != 0 { 158 t.Fatalf("bad progress: %d", prog) 159 } 160 161 unseal, err := TestCoreUnseal(c, res.SecretShares[0]) 162 if err != nil { 163 t.Fatalf("err: %v", err) 164 } 165 166 if !unseal { 167 t.Fatalf("should be unsealed") 168 } 169 if prog, _ := c.SecretProgress(); prog != 0 { 170 t.Fatalf("bad progress: %d", prog) 171 } 172 173 if c.Sealed() { 174 t.Fatalf("should not be sealed") 175 } 176} 177 178func TestCore_Route_Sealed(t *testing.T) { 179 c := TestCore(t) 180 sealConf := &SealConfig{ 181 SecretShares: 1, 182 SecretThreshold: 1, 183 } 184 185 ctx := namespace.RootContext(nil) 186 187 // Should not route anything 188 req := &logical.Request{ 189 Operation: logical.ReadOperation, 190 Path: "sys/mounts", 191 } 192 _, err := c.HandleRequest(ctx, req) 193 if err != consts.ErrSealed { 194 t.Fatalf("err: %v", err) 195 } 196 197 res, err := c.Initialize(ctx, &InitParams{ 198 BarrierConfig: sealConf, 199 RecoveryConfig: nil, 200 }) 201 if err != nil { 202 t.Fatalf("err: %v", err) 203 } 204 205 unseal, err := TestCoreUnseal(c, res.SecretShares[0]) 206 if err != nil { 207 t.Fatalf("err: %v", err) 208 } 209 if !unseal { 210 t.Fatalf("should be unsealed") 211 } 212 213 // Should not error after unseal 214 req.ClientToken = res.RootToken 215 _, err = c.HandleRequest(ctx, req) 216 if err != nil { 217 t.Fatalf("err: %v", err) 218 } 219} 220 221// Attempt to unseal after doing a first seal 222func TestCore_SealUnseal(t *testing.T) { 223 c, keys, root := TestCoreUnsealed(t) 224 if err := c.Seal(root); err != nil { 225 t.Fatalf("err: %v", err) 226 } 227 for i, key := range keys { 228 unseal, err := TestCoreUnseal(c, key) 229 if err != nil { 230 t.Fatalf("err: %v", err) 231 } 232 if i+1 == len(keys) && !unseal { 233 t.Fatalf("err: should be unsealed") 234 } 235 } 236} 237 238// Attempt to shutdown after unseal 239func TestCore_Shutdown(t *testing.T) { 240 c, _, _ := TestCoreUnsealed(t) 241 if err := c.Shutdown(); err != nil { 242 t.Fatalf("err: %v", err) 243 } 244 if !c.Sealed() { 245 t.Fatal("wasn't sealed") 246 } 247} 248 249// Attempt to seal bad token 250func TestCore_Seal_BadToken(t *testing.T) { 251 c, _, _ := TestCoreUnsealed(t) 252 if err := c.Seal("foo"); err == nil { 253 t.Fatalf("err: %v", err) 254 } 255 if c.Sealed() { 256 t.Fatal("was sealed") 257 } 258} 259 260// GH-3497 261func TestCore_Seal_SingleUse(t *testing.T) { 262 c, keys, _ := TestCoreUnsealed(t) 263 c.tokenStore.create(namespace.RootContext(nil), &logical.TokenEntry{ 264 ID: "foo", 265 NumUses: 1, 266 Policies: []string{"root"}, 267 NamespaceID: namespace.RootNamespaceID, 268 }) 269 if err := c.Seal("foo"); err != nil { 270 t.Fatalf("err: %v", err) 271 } 272 if !c.Sealed() { 273 t.Fatal("not sealed") 274 } 275 for i, key := range keys { 276 unseal, err := TestCoreUnseal(c, key) 277 if err != nil { 278 t.Fatalf("err: %v", err) 279 } 280 if i+1 == len(keys) && !unseal { 281 t.Fatalf("err: should be unsealed") 282 } 283 } 284 if err := c.Seal("foo"); err == nil { 285 t.Fatal("expected error from revoked token") 286 } 287 te, err := c.tokenStore.Lookup(namespace.RootContext(nil), "foo") 288 if err != nil { 289 t.Fatal(err) 290 } 291 if te != nil { 292 t.Fatalf("expected nil token entry, got %#v", *te) 293 } 294} 295 296// Ensure we get a LeaseID 297func TestCore_HandleRequest_Lease(t *testing.T) { 298 c, _, root := TestCoreUnsealed(t) 299 300 req := &logical.Request{ 301 Operation: logical.UpdateOperation, 302 Path: "secret/test", 303 Data: map[string]interface{}{ 304 "foo": "bar", 305 "lease": "1h", 306 }, 307 ClientToken: root, 308 } 309 ctx := namespace.RootContext(nil) 310 resp, err := c.HandleRequest(ctx, req) 311 if err != nil { 312 t.Fatalf("err: %v", err) 313 } 314 if resp != nil { 315 t.Fatalf("bad: %#v", resp) 316 } 317 318 // Read the key 319 req.Operation = logical.ReadOperation 320 req.Data = nil 321 req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) 322 resp, err = c.HandleRequest(ctx, req) 323 if err != nil { 324 t.Fatalf("err: %v", err) 325 } 326 if resp == nil || resp.Secret == nil || resp.Data == nil { 327 t.Fatalf("bad: %#v", resp) 328 } 329 if resp.Secret.TTL != time.Hour { 330 t.Fatalf("bad: %#v", resp.Secret) 331 } 332 if resp.Secret.LeaseID == "" { 333 t.Fatalf("bad: %#v", resp.Secret) 334 } 335 if resp.Data["foo"] != "bar" { 336 t.Fatalf("bad: %#v", resp.Data) 337 } 338} 339 340func TestCore_HandleRequest_Lease_MaxLength(t *testing.T) { 341 c, _, root := TestCoreUnsealed(t) 342 343 req := &logical.Request{ 344 Operation: logical.UpdateOperation, 345 Path: "secret/test", 346 Data: map[string]interface{}{ 347 "foo": "bar", 348 "lease": "1000h", 349 }, 350 ClientToken: root, 351 } 352 ctx := namespace.RootContext(nil) 353 resp, err := c.HandleRequest(ctx, req) 354 if err != nil { 355 t.Fatalf("err: %v", err) 356 } 357 if resp != nil { 358 t.Fatalf("bad: %#v", resp) 359 } 360 361 // Read the key 362 req.Operation = logical.ReadOperation 363 req.Data = nil 364 req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) 365 resp, err = c.HandleRequest(ctx, req) 366 if err != nil { 367 t.Fatalf("err: %v", err) 368 } 369 if resp == nil || resp.Secret == nil || resp.Data == nil { 370 t.Fatalf("bad: %#v", resp) 371 } 372 if resp.Secret.TTL != c.maxLeaseTTL { 373 t.Fatalf("bad: %#v, %d", resp.Secret, c.maxLeaseTTL) 374 } 375 if resp.Secret.LeaseID == "" { 376 t.Fatalf("bad: %#v", resp.Secret) 377 } 378 if resp.Data["foo"] != "bar" { 379 t.Fatalf("bad: %#v", resp.Data) 380 } 381} 382 383func TestCore_HandleRequest_Lease_DefaultLength(t *testing.T) { 384 c, _, root := TestCoreUnsealed(t) 385 386 req := &logical.Request{ 387 Operation: logical.UpdateOperation, 388 Path: "secret/test", 389 Data: map[string]interface{}{ 390 "foo": "bar", 391 "lease": "0h", 392 }, 393 ClientToken: root, 394 } 395 ctx := namespace.RootContext(nil) 396 resp, err := c.HandleRequest(ctx, req) 397 if err != nil { 398 t.Fatalf("err: %v", err) 399 } 400 if resp != nil { 401 t.Fatalf("bad: %#v", resp) 402 } 403 404 // Read the key 405 req.Operation = logical.ReadOperation 406 req.Data = nil 407 req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) 408 resp, err = c.HandleRequest(ctx, req) 409 if err != nil { 410 t.Fatalf("err: %v", err) 411 } 412 if resp == nil || resp.Secret == nil || resp.Data == nil { 413 t.Fatalf("bad: %#v", resp) 414 } 415 if resp.Secret.TTL != c.defaultLeaseTTL { 416 t.Fatalf("bad: %d, %d", resp.Secret.TTL/time.Second, c.defaultLeaseTTL/time.Second) 417 } 418 if resp.Secret.LeaseID == "" { 419 t.Fatalf("bad: %#v", resp.Secret) 420 } 421 if resp.Data["foo"] != "bar" { 422 t.Fatalf("bad: %#v", resp.Data) 423 } 424} 425 426func TestCore_HandleRequest_MissingToken(t *testing.T) { 427 c, _, _ := TestCoreUnsealed(t) 428 429 req := &logical.Request{ 430 Operation: logical.UpdateOperation, 431 Path: "secret/test", 432 Data: map[string]interface{}{ 433 "foo": "bar", 434 "lease": "1h", 435 }, 436 } 437 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 438 if err == nil || !errwrap.Contains(err, logical.ErrInvalidRequest.Error()) { 439 t.Fatalf("err: %v", err) 440 } 441 if resp.Data["error"] != "missing client token" { 442 t.Fatalf("bad: %#v", resp) 443 } 444} 445 446func TestCore_HandleRequest_InvalidToken(t *testing.T) { 447 c, _, _ := TestCoreUnsealed(t) 448 449 req := &logical.Request{ 450 Operation: logical.UpdateOperation, 451 Path: "secret/test", 452 Data: map[string]interface{}{ 453 "foo": "bar", 454 "lease": "1h", 455 }, 456 ClientToken: "foobarbaz", 457 } 458 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 459 if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) { 460 t.Fatalf("err: %v", err) 461 } 462 if resp.Data["error"] != "permission denied" { 463 t.Fatalf("bad: %#v", resp) 464 } 465} 466 467// Check that standard permissions work 468func TestCore_HandleRequest_NoSlash(t *testing.T) { 469 c, _, root := TestCoreUnsealed(t) 470 471 req := &logical.Request{ 472 Operation: logical.HelpOperation, 473 Path: "secret", 474 ClientToken: root, 475 } 476 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 477 if err != nil { 478 t.Fatalf("err: %v, resp: %v", err, resp) 479 } 480 if _, ok := resp.Data["help"]; !ok { 481 t.Fatalf("resp: %v", resp) 482 } 483} 484 485// Test a root path is denied if non-root 486func TestCore_HandleRequest_RootPath(t *testing.T) { 487 c, _, root := TestCoreUnsealed(t) 488 testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"}) 489 490 req := &logical.Request{ 491 Operation: logical.ReadOperation, 492 Path: "sys/policy", // root protected! 493 ClientToken: "child", 494 } 495 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 496 if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) { 497 t.Fatalf("err: %v, resp: %v", err, resp) 498 } 499} 500 501// Test a root path is allowed if non-root but with sudo 502func TestCore_HandleRequest_RootPath_WithSudo(t *testing.T) { 503 c, _, root := TestCoreUnsealed(t) 504 505 // Set the 'test' policy object to permit access to sys/policy 506 req := &logical.Request{ 507 Operation: logical.UpdateOperation, 508 Path: "sys/policy/test", // root protected! 509 Data: map[string]interface{}{ 510 "rules": `path "sys/policy" { policy = "sudo" }`, 511 }, 512 ClientToken: root, 513 } 514 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 515 if err != nil { 516 t.Fatalf("err: %v", err) 517 } 518 if resp != nil && (resp.IsError() || len(resp.Data) > 0) { 519 t.Fatalf("bad: %#v", resp) 520 } 521 522 // Child token (non-root) but with 'test' policy should have access 523 testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"}) 524 req = &logical.Request{ 525 Operation: logical.ReadOperation, 526 Path: "sys/policy", // root protected! 527 ClientToken: "child", 528 } 529 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 530 if err != nil { 531 t.Fatalf("err: %v", err) 532 } 533 if resp == nil { 534 t.Fatalf("bad: %#v", resp) 535 } 536} 537 538// Check that standard permissions work 539func TestCore_HandleRequest_PermissionDenied(t *testing.T) { 540 c, _, root := TestCoreUnsealed(t) 541 testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"}) 542 543 req := &logical.Request{ 544 Operation: logical.UpdateOperation, 545 Path: "secret/test", 546 Data: map[string]interface{}{ 547 "foo": "bar", 548 "lease": "1h", 549 }, 550 ClientToken: "child", 551 } 552 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 553 if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) { 554 t.Fatalf("err: %v, resp: %v", err, resp) 555 } 556} 557 558// Check that standard permissions work 559func TestCore_HandleRequest_PermissionAllowed(t *testing.T) { 560 c, _, root := TestCoreUnsealed(t) 561 testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"}) 562 563 // Set the 'test' policy object to permit access to secret/ 564 req := &logical.Request{ 565 Operation: logical.UpdateOperation, 566 Path: "sys/policy/test", 567 Data: map[string]interface{}{ 568 "rules": `path "secret/*" { policy = "write" }`, 569 }, 570 ClientToken: root, 571 } 572 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 573 if err != nil { 574 t.Fatalf("err: %v", err) 575 } 576 if resp != nil && (resp.IsError() || len(resp.Data) > 0) { 577 t.Fatalf("bad: %#v", resp) 578 } 579 580 // Write should work now 581 req = &logical.Request{ 582 Operation: logical.UpdateOperation, 583 Path: "secret/test", 584 Data: map[string]interface{}{ 585 "foo": "bar", 586 "lease": "1h", 587 }, 588 ClientToken: "child", 589 } 590 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 591 if err != nil { 592 t.Fatalf("err: %v", err) 593 } 594 if resp != nil { 595 t.Fatalf("bad: %#v", resp) 596 } 597} 598 599func TestCore_HandleRequest_NoClientToken(t *testing.T) { 600 noop := &NoopBackend{ 601 Response: &logical.Response{}, 602 } 603 c, _, root := TestCoreUnsealed(t) 604 c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 605 return noop, nil 606 } 607 608 // Enable the logical backend 609 req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo") 610 req.Data["type"] = "noop" 611 req.Data["description"] = "foo" 612 req.ClientToken = root 613 _, err := c.HandleRequest(namespace.RootContext(nil), req) 614 if err != nil { 615 t.Fatalf("err: %v", err) 616 } 617 618 // Attempt to request with connection data 619 req = &logical.Request{ 620 Path: "foo/login", 621 } 622 req.ClientToken = root 623 if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil { 624 t.Fatalf("err: %v", err) 625 } 626 627 ct := noop.Requests[0].ClientToken 628 if ct == "" || ct == root { 629 t.Fatalf("bad: %#v", noop.Requests) 630 } 631} 632 633func TestCore_HandleRequest_ConnOnLogin(t *testing.T) { 634 noop := &NoopBackend{ 635 Login: []string{"login"}, 636 Response: &logical.Response{}, 637 BackendType: logical.TypeCredential, 638 } 639 c, _, root := TestCoreUnsealed(t) 640 c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 641 return noop, nil 642 } 643 644 // Enable the credential backend 645 req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo") 646 req.Data["type"] = "noop" 647 req.ClientToken = root 648 _, err := c.HandleRequest(namespace.RootContext(nil), req) 649 if err != nil { 650 t.Fatalf("err: %v", err) 651 } 652 653 // Attempt to request with connection data 654 req = &logical.Request{ 655 Path: "auth/foo/login", 656 Connection: &logical.Connection{}, 657 } 658 if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil { 659 t.Fatalf("err: %v", err) 660 } 661 if noop.Requests[0].Connection == nil { 662 t.Fatalf("bad: %#v", noop.Requests) 663 } 664} 665 666// Ensure we get a client token 667func TestCore_HandleLogin_Token(t *testing.T) { 668 noop := &NoopBackend{ 669 Login: []string{"login"}, 670 Response: &logical.Response{ 671 Auth: &logical.Auth{ 672 Policies: []string{"foo", "bar"}, 673 Metadata: map[string]string{ 674 "user": "armon", 675 }, 676 DisplayName: "armon", 677 }, 678 }, 679 BackendType: logical.TypeCredential, 680 } 681 c, _, root := TestCoreUnsealed(t) 682 c.credentialBackends["noop"] = func(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) { 683 return noop, nil 684 } 685 686 // Enable the credential backend 687 req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo") 688 req.Data["type"] = "noop" 689 req.ClientToken = root 690 _, err := c.HandleRequest(namespace.RootContext(nil), req) 691 if err != nil { 692 t.Fatalf("err: %v", err) 693 } 694 695 // Attempt to login 696 lreq := &logical.Request{ 697 Path: "auth/foo/login", 698 } 699 lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq) 700 if err != nil { 701 t.Fatalf("err: %v", err) 702 } 703 704 // Ensure we got a client token back 705 clientToken := lresp.Auth.ClientToken 706 if clientToken == "" { 707 t.Fatalf("bad: %#v", lresp) 708 } 709 710 // Check the policy and metadata 711 te, err := c.tokenStore.Lookup(namespace.RootContext(nil), clientToken) 712 if err != nil { 713 t.Fatalf("err: %v", err) 714 } 715 expect := &logical.TokenEntry{ 716 ID: clientToken, 717 Accessor: te.Accessor, 718 Parent: "", 719 Policies: []string{"bar", "default", "foo"}, 720 Path: "auth/foo/login", 721 Meta: map[string]string{ 722 "user": "armon", 723 }, 724 DisplayName: "foo-armon", 725 TTL: time.Hour * 24, 726 CreationTime: te.CreationTime, 727 NamespaceID: namespace.RootNamespaceID, 728 CubbyholeID: te.CubbyholeID, 729 Type: logical.TokenTypeService, 730 } 731 732 if diff := deep.Equal(te, expect); diff != nil { 733 t.Fatal(diff) 734 } 735 736 // Check that we have a lease with default duration 737 if lresp.Auth.TTL != noop.System().DefaultLeaseTTL() { 738 t.Fatalf("bad: %#v, defaultLeaseTTL: %#v", lresp.Auth, c.defaultLeaseTTL) 739 } 740} 741 742func TestCore_HandleRequest_AuditTrail(t *testing.T) { 743 // Create a noop audit backend 744 noop := &NoopAudit{} 745 c, _, root := TestCoreUnsealed(t) 746 c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) { 747 noop = &NoopAudit{ 748 Config: config, 749 } 750 return noop, nil 751 } 752 753 // Enable the audit backend 754 req := logical.TestRequest(t, logical.UpdateOperation, "sys/audit/noop") 755 req.Data["type"] = "noop" 756 req.ClientToken = root 757 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 758 if err != nil { 759 t.Fatalf("err: %v", err) 760 } 761 762 // Make a request 763 req = &logical.Request{ 764 Operation: logical.UpdateOperation, 765 Path: "secret/test", 766 Data: map[string]interface{}{ 767 "foo": "bar", 768 "lease": "1h", 769 }, 770 ClientToken: root, 771 } 772 req.ClientToken = root 773 if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil { 774 t.Fatalf("err: %v", err) 775 } 776 777 // Check the audit trail on request and response 778 if len(noop.ReqAuth) != 1 { 779 t.Fatalf("bad: %#v", noop) 780 } 781 auth := noop.ReqAuth[0] 782 if auth.ClientToken != root { 783 t.Fatalf("bad client token: %#v", auth) 784 } 785 if len(auth.Policies) != 1 || auth.Policies[0] != "root" { 786 t.Fatalf("bad: %#v", auth) 787 } 788 if len(noop.Req) != 1 || !reflect.DeepEqual(noop.Req[0], req) { 789 t.Fatalf("Bad: %#v", noop.Req[0]) 790 } 791 792 if len(noop.RespAuth) != 2 { 793 t.Fatalf("bad: %#v", noop) 794 } 795 if !reflect.DeepEqual(noop.RespAuth[1], auth) { 796 t.Fatalf("bad: %#v", auth) 797 } 798 if len(noop.RespReq) != 2 || !reflect.DeepEqual(noop.RespReq[1], req) { 799 t.Fatalf("Bad: %#v", noop.RespReq[1]) 800 } 801 if len(noop.Resp) != 2 || !reflect.DeepEqual(noop.Resp[1], resp) { 802 t.Fatalf("Bad: %#v", noop.Resp[1]) 803 } 804} 805 806func TestCore_HandleRequest_AuditTrail_noHMACKeys(t *testing.T) { 807 // Create a noop audit backend 808 var noop *NoopAudit 809 c, _, root := TestCoreUnsealed(t) 810 c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) { 811 noop = &NoopAudit{ 812 Config: config, 813 } 814 return noop, nil 815 } 816 817 // Specify some keys to not HMAC 818 req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/secret/tune") 819 req.Data["audit_non_hmac_request_keys"] = "foo" 820 req.ClientToken = root 821 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 822 if err != nil { 823 t.Fatalf("err: %v", err) 824 } 825 826 req = logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/secret/tune") 827 req.Data["audit_non_hmac_response_keys"] = "baz" 828 req.ClientToken = root 829 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 830 if err != nil { 831 t.Fatalf("err: %v", err) 832 } 833 834 // Enable the audit backend 835 req = logical.TestRequest(t, logical.UpdateOperation, "sys/audit/noop") 836 req.Data["type"] = "noop" 837 req.ClientToken = root 838 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 839 if err != nil { 840 t.Fatalf("err: %v", err) 841 } 842 843 // Make a request 844 req = &logical.Request{ 845 Operation: logical.UpdateOperation, 846 Path: "secret/test", 847 Data: map[string]interface{}{ 848 "foo": "bar", 849 }, 850 ClientToken: root, 851 } 852 req.ClientToken = root 853 if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil { 854 t.Fatalf("err: %v", err) 855 } 856 857 // Check the audit trail on request and response 858 if len(noop.ReqAuth) != 1 { 859 t.Fatalf("bad: %#v", noop) 860 } 861 auth := noop.ReqAuth[0] 862 if auth.ClientToken != root { 863 t.Fatalf("bad client token: %#v", auth) 864 } 865 if len(auth.Policies) != 1 || auth.Policies[0] != "root" { 866 t.Fatalf("bad: %#v", auth) 867 } 868 if len(noop.Req) != 1 || !reflect.DeepEqual(noop.Req[0], req) { 869 t.Fatalf("Bad: %#v", noop.Req[0]) 870 } 871 if len(noop.ReqNonHMACKeys) != 1 || noop.ReqNonHMACKeys[0] != "foo" { 872 t.Fatalf("Bad: %#v", noop.ReqNonHMACKeys) 873 } 874 if len(noop.RespAuth) != 2 { 875 t.Fatalf("bad: %#v", noop) 876 } 877 if !reflect.DeepEqual(noop.RespAuth[1], auth) { 878 t.Fatalf("bad: %#v", auth) 879 } 880 if len(noop.RespReq) != 2 || !reflect.DeepEqual(noop.RespReq[1], req) { 881 t.Fatalf("Bad: %#v", noop.RespReq[1]) 882 } 883 if len(noop.Resp) != 2 || !reflect.DeepEqual(noop.Resp[1], resp) { 884 t.Fatalf("Bad: %#v", noop.Resp[1]) 885 } 886 887 // Test for response keys 888 // Make a request 889 req = &logical.Request{ 890 Operation: logical.ReadOperation, 891 Path: "secret/test", 892 ClientToken: root, 893 } 894 req.ClientToken = root 895 req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) 896 if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil { 897 t.Fatalf("err: %v", err) 898 } 899 if len(noop.RespNonHMACKeys) != 1 || noop.RespNonHMACKeys[0] != "baz" { 900 t.Fatalf("Bad: %#v", noop.RespNonHMACKeys) 901 } 902 if len(noop.RespReqNonHMACKeys) != 1 || noop.RespReqNonHMACKeys[0] != "foo" { 903 t.Fatalf("Bad: %#v", noop.RespReqNonHMACKeys) 904 } 905} 906 907func TestCore_HandleLogin_AuditTrail(t *testing.T) { 908 // Create a badass credential backend that always logs in as armon 909 noop := &NoopAudit{} 910 noopBack := &NoopBackend{ 911 Login: []string{"login"}, 912 Response: &logical.Response{ 913 Auth: &logical.Auth{ 914 LeaseOptions: logical.LeaseOptions{ 915 TTL: time.Hour, 916 }, 917 Policies: []string{"foo", "bar"}, 918 Metadata: map[string]string{ 919 "user": "armon", 920 }, 921 }, 922 }, 923 BackendType: logical.TypeCredential, 924 } 925 c, _, root := TestCoreUnsealed(t) 926 c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 927 return noopBack, nil 928 } 929 c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) { 930 noop = &NoopAudit{ 931 Config: config, 932 } 933 return noop, nil 934 } 935 936 // Enable the credential backend 937 req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo") 938 req.Data["type"] = "noop" 939 req.ClientToken = root 940 _, err := c.HandleRequest(namespace.RootContext(nil), req) 941 if err != nil { 942 t.Fatalf("err: %v", err) 943 } 944 945 // Enable the audit backend 946 req = logical.TestRequest(t, logical.UpdateOperation, "sys/audit/noop") 947 req.Data["type"] = "noop" 948 req.ClientToken = root 949 _, err = c.HandleRequest(namespace.RootContext(nil), req) 950 if err != nil { 951 t.Fatalf("err: %v", err) 952 } 953 954 // Attempt to login 955 lreq := &logical.Request{ 956 Path: "auth/foo/login", 957 } 958 lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq) 959 if err != nil { 960 t.Fatalf("err: %v", err) 961 } 962 963 // Ensure we got a client token back 964 clientToken := lresp.Auth.ClientToken 965 if clientToken == "" { 966 t.Fatalf("bad: %#v", lresp) 967 } 968 969 // Check the audit trail on request and response 970 if len(noop.ReqAuth) != 1 { 971 t.Fatalf("bad: %#v", noop) 972 } 973 if len(noop.Req) != 1 || !reflect.DeepEqual(noop.Req[0], lreq) { 974 t.Fatalf("Bad: %#v %#v", noop.Req[0], lreq) 975 } 976 977 if len(noop.RespAuth) != 2 { 978 t.Fatalf("bad: %#v", noop) 979 } 980 auth := noop.RespAuth[1] 981 if auth.ClientToken != clientToken { 982 t.Fatalf("bad client token: %#v", auth) 983 } 984 if len(auth.Policies) != 3 || auth.Policies[0] != "bar" || auth.Policies[1] != "default" || auth.Policies[2] != "foo" { 985 t.Fatalf("bad: %#v", auth) 986 } 987 if len(noop.RespReq) != 2 || !reflect.DeepEqual(noop.RespReq[1], lreq) { 988 t.Fatalf("Bad: %#v", noop.RespReq[1]) 989 } 990 if len(noop.Resp) != 2 || !reflect.DeepEqual(noop.Resp[1], lresp) { 991 t.Fatalf("Bad: %#v %#v", noop.Resp[1], lresp) 992 } 993} 994 995// Check that we register a lease for new tokens 996func TestCore_HandleRequest_CreateToken_Lease(t *testing.T) { 997 c, _, root := TestCoreUnsealed(t) 998 999 // Create a new credential 1000 req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create") 1001 req.ClientToken = root 1002 req.Data["policies"] = []string{"foo"} 1003 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 1004 if err != nil { 1005 t.Fatalf("err: %v", err) 1006 } 1007 1008 // Ensure we got a new client token back 1009 if resp.IsError() { 1010 t.Fatalf("err: %v %v", err, *resp) 1011 } 1012 clientToken := resp.Auth.ClientToken 1013 if clientToken == "" { 1014 t.Fatalf("bad: %#v", resp) 1015 } 1016 1017 // Check the policy and metadata 1018 te, err := c.tokenStore.Lookup(namespace.RootContext(nil), clientToken) 1019 if err != nil { 1020 t.Fatalf("err: %v", err) 1021 } 1022 expect := &logical.TokenEntry{ 1023 ID: clientToken, 1024 Accessor: te.Accessor, 1025 Parent: root, 1026 Policies: []string{"default", "foo"}, 1027 Path: "auth/token/create", 1028 DisplayName: "token", 1029 CreationTime: te.CreationTime, 1030 TTL: time.Hour * 24 * 32, 1031 NamespaceID: namespace.RootNamespaceID, 1032 CubbyholeID: te.CubbyholeID, 1033 Type: logical.TokenTypeService, 1034 } 1035 if diff := deep.Equal(te, expect); diff != nil { 1036 t.Fatal(diff) 1037 } 1038 1039 // Check that we have a lease with default duration 1040 if resp.Auth.TTL != c.defaultLeaseTTL { 1041 t.Fatalf("bad: %#v", resp.Auth) 1042 } 1043} 1044 1045// Check that we handle excluding the default policy 1046func TestCore_HandleRequest_CreateToken_NoDefaultPolicy(t *testing.T) { 1047 c, _, root := TestCoreUnsealed(t) 1048 1049 // Create a new credential 1050 req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create") 1051 req.ClientToken = root 1052 req.Data["policies"] = []string{"foo"} 1053 req.Data["no_default_policy"] = true 1054 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 1055 if err != nil { 1056 t.Fatalf("err: %v", err) 1057 } 1058 1059 // Ensure we got a new client token back 1060 clientToken := resp.Auth.ClientToken 1061 if clientToken == "" { 1062 t.Fatalf("bad: %#v", resp) 1063 } 1064 1065 // Check the policy and metadata 1066 te, err := c.tokenStore.Lookup(namespace.RootContext(nil), clientToken) 1067 if err != nil { 1068 t.Fatalf("err: %v", err) 1069 } 1070 expect := &logical.TokenEntry{ 1071 ID: clientToken, 1072 Accessor: te.Accessor, 1073 Parent: root, 1074 Policies: []string{"foo"}, 1075 Path: "auth/token/create", 1076 DisplayName: "token", 1077 CreationTime: te.CreationTime, 1078 TTL: time.Hour * 24 * 32, 1079 NamespaceID: namespace.RootNamespaceID, 1080 CubbyholeID: te.CubbyholeID, 1081 Type: logical.TokenTypeService, 1082 } 1083 if diff := deep.Equal(te, expect); diff != nil { 1084 t.Fatal(diff) 1085 } 1086} 1087 1088func TestCore_LimitedUseToken(t *testing.T) { 1089 c, _, root := TestCoreUnsealed(t) 1090 1091 // Create a new credential 1092 req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create") 1093 req.ClientToken = root 1094 req.Data["num_uses"] = "1" 1095 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 1096 if err != nil { 1097 t.Fatalf("err: %v", err) 1098 } 1099 1100 // Put a secret 1101 req = &logical.Request{ 1102 Operation: logical.UpdateOperation, 1103 Path: "secret/foo", 1104 Data: map[string]interface{}{ 1105 "foo": "bar", 1106 }, 1107 ClientToken: resp.Auth.ClientToken, 1108 } 1109 _, err = c.HandleRequest(namespace.RootContext(nil), req) 1110 if err != nil { 1111 t.Fatalf("err: %v", err) 1112 } 1113 1114 // Second operation should fail 1115 _, err = c.HandleRequest(namespace.RootContext(nil), req) 1116 if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) { 1117 t.Fatalf("err: %v", err) 1118 } 1119} 1120 1121func TestCore_Standby_Seal(t *testing.T) { 1122 // Create the first core and initialize it 1123 logger = logging.NewVaultLogger(log.Trace) 1124 1125 inm, err := inmem.NewInmemHA(nil, logger) 1126 if err != nil { 1127 t.Fatal(err) 1128 } 1129 inmha, err := inmem.NewInmemHA(nil, logger) 1130 if err != nil { 1131 t.Fatal(err) 1132 } 1133 1134 redirectOriginal := "http://127.0.0.1:8200" 1135 core, err := NewCore(&CoreConfig{ 1136 Physical: inm, 1137 HAPhysical: inmha.(physical.HABackend), 1138 RedirectAddr: redirectOriginal, 1139 DisableMlock: true, 1140 }) 1141 if err != nil { 1142 t.Fatalf("err: %v", err) 1143 } 1144 keys, root := TestCoreInit(t, core) 1145 for _, key := range keys { 1146 if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil { 1147 t.Fatalf("unseal err: %s", err) 1148 } 1149 } 1150 1151 // Verify unsealed 1152 if core.Sealed() { 1153 t.Fatal("should not be sealed") 1154 } 1155 1156 // Wait for core to become active 1157 TestWaitActive(t, core) 1158 1159 // Check the leader is local 1160 isLeader, advertise, _, err := core.Leader() 1161 if err != nil { 1162 t.Fatalf("err: %v", err) 1163 } 1164 if !isLeader { 1165 t.Fatalf("should be leader") 1166 } 1167 if advertise != redirectOriginal { 1168 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1169 } 1170 1171 // Create the second core and initialize it 1172 redirectOriginal2 := "http://127.0.0.1:8500" 1173 core2, err := NewCore(&CoreConfig{ 1174 Physical: inm, 1175 HAPhysical: inmha.(physical.HABackend), 1176 RedirectAddr: redirectOriginal2, 1177 DisableMlock: true, 1178 }) 1179 if err != nil { 1180 t.Fatalf("err: %v", err) 1181 } 1182 for _, key := range keys { 1183 if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil { 1184 t.Fatalf("unseal err: %s", err) 1185 } 1186 } 1187 1188 // Verify unsealed 1189 if core2.Sealed() { 1190 t.Fatal("should not be sealed") 1191 } 1192 1193 // Core2 should be in standby 1194 standby, err := core2.Standby() 1195 if err != nil { 1196 t.Fatalf("err: %v", err) 1197 } 1198 if !standby { 1199 t.Fatalf("should be standby") 1200 } 1201 1202 // Check the leader is not local 1203 isLeader, advertise, _, err = core2.Leader() 1204 if err != nil { 1205 t.Fatalf("err: %v", err) 1206 } 1207 if isLeader { 1208 t.Fatalf("should not be leader") 1209 } 1210 if advertise != redirectOriginal { 1211 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1212 } 1213 1214 // Seal the standby core with the correct token. Shouldn't go down 1215 err = core2.Seal(root) 1216 if err == nil { 1217 t.Fatal("should not be sealed") 1218 } 1219 1220 keyUUID, err := uuid.GenerateUUID() 1221 if err != nil { 1222 t.Fatal(err) 1223 } 1224 // Seal the standby core with an invalid token. Shouldn't go down 1225 err = core2.Seal(keyUUID) 1226 if err == nil { 1227 t.Fatal("should not be sealed") 1228 } 1229} 1230 1231func TestCore_StepDown(t *testing.T) { 1232 // Create the first core and initialize it 1233 logger = logging.NewVaultLogger(log.Trace) 1234 1235 inm, err := inmem.NewInmemHA(nil, logger) 1236 if err != nil { 1237 t.Fatal(err) 1238 } 1239 inmha, err := inmem.NewInmemHA(nil, logger) 1240 if err != nil { 1241 t.Fatal(err) 1242 } 1243 1244 redirectOriginal := "http://127.0.0.1:8200" 1245 core, err := NewCore(&CoreConfig{ 1246 Physical: inm, 1247 HAPhysical: inmha.(physical.HABackend), 1248 RedirectAddr: redirectOriginal, 1249 DisableMlock: true, 1250 }) 1251 if err != nil { 1252 t.Fatalf("err: %v", err) 1253 } 1254 keys, root := TestCoreInit(t, core) 1255 for _, key := range keys { 1256 if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil { 1257 t.Fatalf("unseal err: %s", err) 1258 } 1259 } 1260 1261 // Verify unsealed 1262 if core.Sealed() { 1263 t.Fatal("should not be sealed") 1264 } 1265 1266 // Wait for core to become active 1267 TestWaitActive(t, core) 1268 1269 // Check the leader is local 1270 isLeader, advertise, _, err := core.Leader() 1271 if err != nil { 1272 t.Fatalf("err: %v", err) 1273 } 1274 if !isLeader { 1275 t.Fatalf("should be leader") 1276 } 1277 if advertise != redirectOriginal { 1278 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1279 } 1280 1281 // Create the second core and initialize it 1282 redirectOriginal2 := "http://127.0.0.1:8500" 1283 core2, err := NewCore(&CoreConfig{ 1284 Physical: inm, 1285 HAPhysical: inmha.(physical.HABackend), 1286 RedirectAddr: redirectOriginal2, 1287 DisableMlock: true, 1288 }) 1289 if err != nil { 1290 t.Fatalf("err: %v", err) 1291 } 1292 for _, key := range keys { 1293 if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil { 1294 t.Fatalf("unseal err: %s", err) 1295 } 1296 } 1297 1298 // Verify unsealed 1299 if core2.Sealed() { 1300 t.Fatal("should not be sealed") 1301 } 1302 1303 // Core2 should be in standby 1304 standby, err := core2.Standby() 1305 if err != nil { 1306 t.Fatalf("err: %v", err) 1307 } 1308 if !standby { 1309 t.Fatalf("should be standby") 1310 } 1311 1312 // Check the leader is not local 1313 isLeader, advertise, _, err = core2.Leader() 1314 if err != nil { 1315 t.Fatalf("err: %v", err) 1316 } 1317 if isLeader { 1318 t.Fatalf("should not be leader") 1319 } 1320 if advertise != redirectOriginal { 1321 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1322 } 1323 1324 req := &logical.Request{ 1325 ClientToken: root, 1326 Path: "sys/step-down", 1327 } 1328 1329 // Create an identifier for the request 1330 req.ID, err = uuid.GenerateUUID() 1331 if err != nil { 1332 t.Fatalf("failed to generate identifier for the request: path: %s err: %v", req.Path, err) 1333 } 1334 1335 // Step down core 1336 err = core.StepDown(namespace.RootContext(nil), req) 1337 if err != nil { 1338 t.Fatal("error stepping down core 1") 1339 } 1340 1341 // Give time to switch leaders 1342 time.Sleep(5 * time.Second) 1343 1344 // Core1 should be in standby 1345 standby, err = core.Standby() 1346 if err != nil { 1347 t.Fatalf("err: %v", err) 1348 } 1349 if !standby { 1350 t.Fatalf("should be standby") 1351 } 1352 1353 // Check the leader is core2 1354 isLeader, advertise, _, err = core2.Leader() 1355 if err != nil { 1356 t.Fatalf("err: %v", err) 1357 } 1358 if !isLeader { 1359 t.Fatalf("should be leader") 1360 } 1361 if advertise != redirectOriginal2 { 1362 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2) 1363 } 1364 1365 // Check the leader is not local 1366 isLeader, advertise, _, err = core.Leader() 1367 if err != nil { 1368 t.Fatalf("err: %v", err) 1369 } 1370 if isLeader { 1371 t.Fatalf("should not be leader") 1372 } 1373 if advertise != redirectOriginal2 { 1374 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2) 1375 } 1376 1377 // Step down core2 1378 err = core2.StepDown(namespace.RootContext(nil), req) 1379 if err != nil { 1380 t.Fatal("error stepping down core 1") 1381 } 1382 1383 // Give time to switch leaders -- core 1 will still be waiting on its 1384 // cooling off period so give it a full 10 seconds to recover 1385 time.Sleep(10 * time.Second) 1386 1387 // Core2 should be in standby 1388 standby, err = core2.Standby() 1389 if err != nil { 1390 t.Fatalf("err: %v", err) 1391 } 1392 if !standby { 1393 t.Fatalf("should be standby") 1394 } 1395 1396 // Check the leader is core1 1397 isLeader, advertise, _, err = core.Leader() 1398 if err != nil { 1399 t.Fatalf("err: %v", err) 1400 } 1401 if !isLeader { 1402 t.Fatalf("should be leader") 1403 } 1404 if advertise != redirectOriginal { 1405 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1406 } 1407 1408 // Check the leader is not local 1409 isLeader, advertise, _, err = core2.Leader() 1410 if err != nil { 1411 t.Fatalf("err: %v", err) 1412 } 1413 if isLeader { 1414 t.Fatalf("should not be leader") 1415 } 1416 if advertise != redirectOriginal { 1417 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1418 } 1419} 1420 1421func TestCore_CleanLeaderPrefix(t *testing.T) { 1422 // Create the first core and initialize it 1423 logger = logging.NewVaultLogger(log.Trace) 1424 1425 inm, err := inmem.NewInmemHA(nil, logger) 1426 if err != nil { 1427 t.Fatal(err) 1428 } 1429 inmha, err := inmem.NewInmemHA(nil, logger) 1430 if err != nil { 1431 t.Fatal(err) 1432 } 1433 1434 redirectOriginal := "http://127.0.0.1:8200" 1435 core, err := NewCore(&CoreConfig{ 1436 Physical: inm, 1437 HAPhysical: inmha.(physical.HABackend), 1438 RedirectAddr: redirectOriginal, 1439 DisableMlock: true, 1440 }) 1441 if err != nil { 1442 t.Fatalf("err: %v", err) 1443 } 1444 keys, root := TestCoreInit(t, core) 1445 for _, key := range keys { 1446 if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil { 1447 t.Fatalf("unseal err: %s", err) 1448 } 1449 } 1450 1451 // Verify unsealed 1452 if core.Sealed() { 1453 t.Fatal("should not be sealed") 1454 } 1455 1456 // Wait for core to become active 1457 TestWaitActive(t, core) 1458 1459 // Ensure that the original clean function has stopped running 1460 time.Sleep(2 * time.Second) 1461 1462 // Put several random entries 1463 for i := 0; i < 5; i++ { 1464 keyUUID, err := uuid.GenerateUUID() 1465 if err != nil { 1466 t.Fatal(err) 1467 } 1468 valueUUID, err := uuid.GenerateUUID() 1469 if err != nil { 1470 t.Fatal(err) 1471 } 1472 core.barrier.Put(namespace.RootContext(nil), &logical.StorageEntry{ 1473 Key: coreLeaderPrefix + keyUUID, 1474 Value: []byte(valueUUID), 1475 }) 1476 } 1477 1478 entries, err := core.barrier.List(namespace.RootContext(nil), coreLeaderPrefix) 1479 if err != nil { 1480 t.Fatalf("err: %v", err) 1481 } 1482 if len(entries) != 6 { 1483 t.Fatalf("wrong number of core leader prefix entries, got %d", len(entries)) 1484 } 1485 1486 // Check the leader is local 1487 isLeader, advertise, _, err := core.Leader() 1488 if err != nil { 1489 t.Fatalf("err: %v", err) 1490 } 1491 if !isLeader { 1492 t.Fatalf("should be leader") 1493 } 1494 if advertise != redirectOriginal { 1495 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1496 } 1497 1498 // Create a second core, attached to same in-memory store 1499 redirectOriginal2 := "http://127.0.0.1:8500" 1500 core2, err := NewCore(&CoreConfig{ 1501 Physical: inm, 1502 HAPhysical: inmha.(physical.HABackend), 1503 RedirectAddr: redirectOriginal2, 1504 DisableMlock: true, 1505 }) 1506 if err != nil { 1507 t.Fatalf("err: %v", err) 1508 } 1509 for _, key := range keys { 1510 if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil { 1511 t.Fatalf("unseal err: %s", err) 1512 } 1513 } 1514 1515 // Verify unsealed 1516 if core2.Sealed() { 1517 t.Fatal("should not be sealed") 1518 } 1519 1520 // Core2 should be in standby 1521 standby, err := core2.Standby() 1522 if err != nil { 1523 t.Fatalf("err: %v", err) 1524 } 1525 if !standby { 1526 t.Fatalf("should be standby") 1527 } 1528 1529 // Check the leader is not local 1530 isLeader, advertise, _, err = core2.Leader() 1531 if err != nil { 1532 t.Fatalf("err: %v", err) 1533 } 1534 if isLeader { 1535 t.Fatalf("should not be leader") 1536 } 1537 if advertise != redirectOriginal { 1538 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1539 } 1540 1541 // Seal the first core, should step down 1542 err = core.Seal(root) 1543 if err != nil { 1544 t.Fatalf("err: %v", err) 1545 } 1546 1547 // Core should be in standby 1548 standby, err = core.Standby() 1549 if err != nil { 1550 t.Fatalf("err: %v", err) 1551 } 1552 if !standby { 1553 t.Fatalf("should be standby") 1554 } 1555 1556 // Wait for core2 to become active 1557 TestWaitActive(t, core2) 1558 1559 // Check the leader is local 1560 isLeader, advertise, _, err = core2.Leader() 1561 if err != nil { 1562 t.Fatalf("err: %v", err) 1563 } 1564 if !isLeader { 1565 t.Fatalf("should be leader") 1566 } 1567 if advertise != redirectOriginal2 { 1568 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2) 1569 } 1570 1571 // Give time for the entries to clear out; it is conservative at 1/second 1572 time.Sleep(10 * leaderPrefixCleanDelay) 1573 1574 entries, err = core2.barrier.List(namespace.RootContext(nil), coreLeaderPrefix) 1575 if err != nil { 1576 t.Fatalf("err: %v", err) 1577 } 1578 if len(entries) != 1 { 1579 t.Fatalf("wrong number of core leader prefix entries, got %d", len(entries)) 1580 } 1581} 1582 1583func TestCore_Standby(t *testing.T) { 1584 logger = logging.NewVaultLogger(log.Trace) 1585 1586 inmha, err := inmem.NewInmemHA(nil, logger) 1587 if err != nil { 1588 t.Fatal(err) 1589 } 1590 1591 testCore_Standby_Common(t, inmha, inmha.(physical.HABackend)) 1592} 1593 1594func TestCore_Standby_SeparateHA(t *testing.T) { 1595 logger = logging.NewVaultLogger(log.Trace) 1596 1597 inmha, err := inmem.NewInmemHA(nil, logger) 1598 if err != nil { 1599 t.Fatal(err) 1600 } 1601 inmha2, err := inmem.NewInmemHA(nil, logger) 1602 if err != nil { 1603 t.Fatal(err) 1604 } 1605 1606 testCore_Standby_Common(t, inmha, inmha2.(physical.HABackend)) 1607} 1608 1609func testCore_Standby_Common(t *testing.T, inm physical.Backend, inmha physical.HABackend) { 1610 // Create the first core and initialize it 1611 redirectOriginal := "http://127.0.0.1:8200" 1612 core, err := NewCore(&CoreConfig{ 1613 Physical: inm, 1614 HAPhysical: inmha, 1615 RedirectAddr: redirectOriginal, 1616 DisableMlock: true, 1617 }) 1618 if err != nil { 1619 t.Fatalf("err: %v", err) 1620 } 1621 keys, root := TestCoreInit(t, core) 1622 for _, key := range keys { 1623 if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil { 1624 t.Fatalf("unseal err: %s", err) 1625 } 1626 } 1627 1628 // Verify unsealed 1629 if core.Sealed() { 1630 t.Fatal("should not be sealed") 1631 } 1632 1633 // Wait for core to become active 1634 TestWaitActive(t, core) 1635 1636 testCoreAddSecretMount(t, core, root) 1637 1638 // Put a secret 1639 req := &logical.Request{ 1640 Operation: logical.UpdateOperation, 1641 Path: "secret/foo", 1642 Data: map[string]interface{}{ 1643 "foo": "bar", 1644 }, 1645 ClientToken: root, 1646 } 1647 _, err = core.HandleRequest(namespace.RootContext(nil), req) 1648 if err != nil { 1649 t.Fatalf("err: %v", err) 1650 } 1651 1652 // Check the leader is local 1653 isLeader, advertise, _, err := core.Leader() 1654 if err != nil { 1655 t.Fatalf("err: %v", err) 1656 } 1657 if !isLeader { 1658 t.Fatalf("should be leader") 1659 } 1660 if advertise != redirectOriginal { 1661 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1662 } 1663 1664 // Create a second core, attached to same in-memory store 1665 redirectOriginal2 := "http://127.0.0.1:8500" 1666 core2, err := NewCore(&CoreConfig{ 1667 Physical: inm, 1668 HAPhysical: inmha, 1669 RedirectAddr: redirectOriginal2, 1670 DisableMlock: true, 1671 }) 1672 if err != nil { 1673 t.Fatalf("err: %v", err) 1674 } 1675 for _, key := range keys { 1676 if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil { 1677 t.Fatalf("unseal err: %s", err) 1678 } 1679 } 1680 1681 // Verify unsealed 1682 if core2.Sealed() { 1683 t.Fatal("should not be sealed") 1684 } 1685 1686 // Core2 should be in standby 1687 standby, err := core2.Standby() 1688 if err != nil { 1689 t.Fatalf("err: %v", err) 1690 } 1691 if !standby { 1692 t.Fatalf("should be standby") 1693 } 1694 1695 // Request should fail in standby mode 1696 _, err = core2.HandleRequest(namespace.RootContext(nil), req) 1697 if err != consts.ErrStandby { 1698 t.Fatalf("err: %v", err) 1699 } 1700 1701 // Check the leader is not local 1702 isLeader, advertise, _, err = core2.Leader() 1703 if err != nil { 1704 t.Fatalf("err: %v", err) 1705 } 1706 if isLeader { 1707 t.Fatalf("should not be leader") 1708 } 1709 if advertise != redirectOriginal { 1710 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1711 } 1712 1713 // Seal the first core, should step down 1714 err = core.Seal(root) 1715 if err != nil { 1716 t.Fatalf("err: %v", err) 1717 } 1718 1719 // Core should be in standby 1720 standby, err = core.Standby() 1721 if err != nil { 1722 t.Fatalf("err: %v", err) 1723 } 1724 if !standby { 1725 t.Fatalf("should be standby") 1726 } 1727 1728 // Wait for core2 to become active 1729 TestWaitActive(t, core2) 1730 1731 // Read the secret 1732 req = &logical.Request{ 1733 Operation: logical.ReadOperation, 1734 Path: "secret/foo", 1735 ClientToken: root, 1736 } 1737 resp, err := core2.HandleRequest(namespace.RootContext(nil), req) 1738 if err != nil { 1739 t.Fatalf("err: %v", err) 1740 } 1741 1742 // Verify the response 1743 if resp.Data["foo"] != "bar" { 1744 t.Fatalf("bad: %#v", resp) 1745 } 1746 1747 // Check the leader is local 1748 isLeader, advertise, _, err = core2.Leader() 1749 if err != nil { 1750 t.Fatalf("err: %v", err) 1751 } 1752 if !isLeader { 1753 t.Fatalf("should be leader") 1754 } 1755 if advertise != redirectOriginal2 { 1756 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2) 1757 } 1758 1759 if inm.(*inmem.InmemHABackend) == inmha.(*inmem.InmemHABackend) { 1760 lockSize := inm.(*inmem.InmemHABackend).LockMapSize() 1761 if lockSize == 0 { 1762 t.Fatalf("locks not used with only one HA backend") 1763 } 1764 } else { 1765 lockSize := inmha.(*inmem.InmemHABackend).LockMapSize() 1766 if lockSize == 0 { 1767 t.Fatalf("locks not used with expected HA backend") 1768 } 1769 1770 lockSize = inm.(*inmem.InmemHABackend).LockMapSize() 1771 if lockSize != 0 { 1772 t.Fatalf("locks used with unexpected HA backend") 1773 } 1774 } 1775} 1776 1777// Ensure that InternalData is never returned 1778func TestCore_HandleRequest_Login_InternalData(t *testing.T) { 1779 noop := &NoopBackend{ 1780 Login: []string{"login"}, 1781 Response: &logical.Response{ 1782 Auth: &logical.Auth{ 1783 Policies: []string{"foo", "bar"}, 1784 InternalData: map[string]interface{}{ 1785 "foo": "bar", 1786 }, 1787 }, 1788 }, 1789 BackendType: logical.TypeCredential, 1790 } 1791 1792 c, _, root := TestCoreUnsealed(t) 1793 c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 1794 return noop, nil 1795 } 1796 1797 // Enable the credential backend 1798 req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo") 1799 req.Data["type"] = "noop" 1800 req.ClientToken = root 1801 _, err := c.HandleRequest(namespace.RootContext(nil), req) 1802 if err != nil { 1803 t.Fatalf("err: %v", err) 1804 } 1805 1806 // Attempt to login 1807 lreq := &logical.Request{ 1808 Path: "auth/foo/login", 1809 } 1810 lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq) 1811 if err != nil { 1812 t.Fatalf("err: %v", err) 1813 } 1814 1815 // Ensure we do not get the internal data 1816 if lresp.Auth.InternalData != nil { 1817 t.Fatalf("bad: %#v", lresp) 1818 } 1819} 1820 1821// Ensure that InternalData is never returned 1822func TestCore_HandleRequest_InternalData(t *testing.T) { 1823 noop := &NoopBackend{ 1824 Response: &logical.Response{ 1825 Secret: &logical.Secret{ 1826 InternalData: map[string]interface{}{ 1827 "foo": "bar", 1828 }, 1829 }, 1830 Data: map[string]interface{}{ 1831 "foo": "bar", 1832 }, 1833 }, 1834 } 1835 1836 c, _, root := TestCoreUnsealed(t) 1837 c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 1838 return noop, nil 1839 } 1840 1841 // Enable the credential backend 1842 req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo") 1843 req.Data["type"] = "noop" 1844 req.ClientToken = root 1845 _, err := c.HandleRequest(namespace.RootContext(nil), req) 1846 if err != nil { 1847 t.Fatalf("err: %v", err) 1848 } 1849 1850 // Attempt to read 1851 lreq := &logical.Request{ 1852 Operation: logical.ReadOperation, 1853 Path: "foo/test", 1854 ClientToken: root, 1855 } 1856 lreq.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) 1857 lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq) 1858 if err != nil { 1859 t.Fatalf("err: %v", err) 1860 } 1861 1862 // Ensure we do not get the internal data 1863 if lresp.Secret.InternalData != nil { 1864 t.Fatalf("bad: %#v", lresp) 1865 } 1866} 1867 1868// Ensure login does not return a secret 1869func TestCore_HandleLogin_ReturnSecret(t *testing.T) { 1870 // Create a badass credential backend that always logs in as armon 1871 noopBack := &NoopBackend{ 1872 Login: []string{"login"}, 1873 Response: &logical.Response{ 1874 Secret: &logical.Secret{}, 1875 Auth: &logical.Auth{ 1876 Policies: []string{"foo", "bar"}, 1877 }, 1878 }, 1879 BackendType: logical.TypeCredential, 1880 } 1881 c, _, root := TestCoreUnsealed(t) 1882 c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 1883 return noopBack, nil 1884 } 1885 1886 // Enable the credential backend 1887 req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo") 1888 req.Data["type"] = "noop" 1889 req.ClientToken = root 1890 _, err := c.HandleRequest(namespace.RootContext(nil), req) 1891 if err != nil { 1892 t.Fatalf("err: %v", err) 1893 } 1894 1895 // Attempt to login 1896 lreq := &logical.Request{ 1897 Path: "auth/foo/login", 1898 } 1899 _, err = c.HandleRequest(namespace.RootContext(nil), lreq) 1900 if err != ErrInternalError { 1901 t.Fatalf("err: %v", err) 1902 } 1903} 1904 1905// Renew should return the same lease back 1906func TestCore_RenewSameLease(t *testing.T) { 1907 c, _, root := TestCoreUnsealed(t) 1908 1909 // Create a leasable secret 1910 req := &logical.Request{ 1911 Operation: logical.UpdateOperation, 1912 Path: "secret/test", 1913 Data: map[string]interface{}{ 1914 "foo": "bar", 1915 "lease": "1h", 1916 }, 1917 ClientToken: root, 1918 } 1919 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 1920 if err != nil { 1921 t.Fatalf("err: %v", err) 1922 } 1923 if resp != nil { 1924 t.Fatalf("bad: %#v", resp) 1925 } 1926 1927 // Read the key 1928 req.Operation = logical.ReadOperation 1929 req.Data = nil 1930 req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) 1931 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 1932 if err != nil { 1933 t.Fatalf("err: %v", err) 1934 } 1935 if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" { 1936 t.Fatalf("bad: %#v", resp.Secret) 1937 } 1938 original := resp.Secret.LeaseID 1939 1940 // Renew the lease 1941 req = logical.TestRequest(t, logical.UpdateOperation, "sys/renew/"+resp.Secret.LeaseID) 1942 req.ClientToken = root 1943 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 1944 if err != nil { 1945 t.Fatalf("err: %v", err) 1946 } 1947 1948 // Verify the lease did not change 1949 if resp.Secret.LeaseID != original { 1950 t.Fatalf("lease id changed: %s %s", original, resp.Secret.LeaseID) 1951 } 1952 1953 // Renew the lease (alternate path) 1954 req = logical.TestRequest(t, logical.UpdateOperation, "sys/leases/renew/"+resp.Secret.LeaseID) 1955 req.ClientToken = root 1956 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 1957 if err != nil { 1958 t.Fatalf("err: %v", err) 1959 } 1960 1961 // Verify the lease did not change 1962 if resp.Secret.LeaseID != original { 1963 t.Fatalf("lease id changed: %s %s", original, resp.Secret.LeaseID) 1964 } 1965} 1966 1967// Renew of a token should not create a new lease 1968func TestCore_RenewToken_SingleRegister(t *testing.T) { 1969 c, _, root := TestCoreUnsealed(t) 1970 1971 // Create a new token 1972 req := &logical.Request{ 1973 Operation: logical.UpdateOperation, 1974 Path: "auth/token/create", 1975 Data: map[string]interface{}{ 1976 "lease": "1h", 1977 }, 1978 ClientToken: root, 1979 } 1980 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 1981 if err != nil { 1982 t.Fatalf("err: %v", err) 1983 } 1984 newClient := resp.Auth.ClientToken 1985 1986 // Renew the token 1987 req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/renew") 1988 req.ClientToken = newClient 1989 req.Data = map[string]interface{}{ 1990 "token": newClient, 1991 } 1992 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 1993 if err != nil { 1994 t.Fatalf("err: %v", err) 1995 } 1996 1997 // Revoke using the renew prefix 1998 req = logical.TestRequest(t, logical.UpdateOperation, "sys/revoke-prefix/auth/token/renew/") 1999 req.ClientToken = root 2000 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 2001 if err != nil { 2002 t.Fatalf("err: %v", err) 2003 } 2004 2005 // Verify our token is still valid (e.g. we did not get invalidated by the revoke) 2006 req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/lookup") 2007 req.Data = map[string]interface{}{ 2008 "token": newClient, 2009 } 2010 req.ClientToken = newClient 2011 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 2012 if err != nil { 2013 t.Fatalf("err: %v", err) 2014 } 2015 2016 // Verify the token exists 2017 if resp.Data["id"] != newClient { 2018 t.Fatalf("bad: %#v", resp.Data) 2019 } 2020} 2021 2022// Based on bug GH-203, attempt to disable a credential backend with leased secrets 2023func TestCore_EnableDisableCred_WithLease(t *testing.T) { 2024 noopBack := &NoopBackend{ 2025 Login: []string{"login"}, 2026 Response: &logical.Response{ 2027 Auth: &logical.Auth{ 2028 Policies: []string{"root"}, 2029 }, 2030 }, 2031 BackendType: logical.TypeCredential, 2032 } 2033 2034 c, _, root := TestCoreUnsealed(t) 2035 c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 2036 return noopBack, nil 2037 } 2038 2039 var secretWritingPolicy = ` 2040name = "admins" 2041path "secret/*" { 2042 capabilities = ["update", "create", "read"] 2043} 2044` 2045 2046 ps := c.policyStore 2047 policy, _ := ParseACLPolicy(namespace.RootNamespace, secretWritingPolicy) 2048 if err := ps.SetPolicy(namespace.RootContext(nil), policy); err != nil { 2049 t.Fatal(err) 2050 } 2051 2052 // Enable the credential backend 2053 req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo") 2054 req.Data["type"] = "noop" 2055 req.ClientToken = root 2056 _, err := c.HandleRequest(namespace.RootContext(nil), req) 2057 if err != nil { 2058 t.Fatalf("err: %v", err) 2059 } 2060 2061 // Attempt to login -- should fail because we don't allow root to be returned 2062 lreq := &logical.Request{ 2063 Path: "auth/foo/login", 2064 } 2065 lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq) 2066 if err == nil || lresp == nil || !lresp.IsError() { 2067 t.Fatalf("expected error trying to auth and receive root policy") 2068 } 2069 2070 // Fix and try again 2071 noopBack.Response.Auth.Policies = []string{"admins"} 2072 lreq = &logical.Request{ 2073 Path: "auth/foo/login", 2074 } 2075 lresp, err = c.HandleRequest(namespace.RootContext(nil), lreq) 2076 if err != nil { 2077 t.Fatalf("err: %v", err) 2078 } 2079 2080 // Create a leasable secret 2081 req = &logical.Request{ 2082 Operation: logical.UpdateOperation, 2083 Path: "secret/test", 2084 Data: map[string]interface{}{ 2085 "foo": "bar", 2086 "lease": "1h", 2087 }, 2088 ClientToken: lresp.Auth.ClientToken, 2089 } 2090 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 2091 if err != nil { 2092 t.Fatalf("err: %v", err) 2093 } 2094 if resp != nil { 2095 t.Fatalf("bad: %#v", resp) 2096 } 2097 2098 // Read the key 2099 req.Operation = logical.ReadOperation 2100 req.Data = nil 2101 req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) 2102 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 2103 if err != nil { 2104 t.Fatalf("err: %v", err) 2105 } 2106 if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" { 2107 t.Fatalf("bad: %#v", resp.Secret) 2108 } 2109 2110 // Renew the lease 2111 req = logical.TestRequest(t, logical.UpdateOperation, "sys/leases/renew") 2112 req.Data = map[string]interface{}{ 2113 "lease_id": resp.Secret.LeaseID, 2114 } 2115 req.ClientToken = lresp.Auth.ClientToken 2116 _, err = c.HandleRequest(namespace.RootContext(nil), req) 2117 if err != nil { 2118 t.Fatalf("err: %v", err) 2119 } 2120 2121 // Disable the credential backend 2122 req = logical.TestRequest(t, logical.DeleteOperation, "sys/auth/foo") 2123 req.ClientToken = root 2124 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 2125 if err != nil { 2126 t.Fatalf("err: %v %#v", err, resp) 2127 } 2128} 2129 2130func TestCore_HandleRequest_MountPointType(t *testing.T) { 2131 noop := &NoopBackend{ 2132 Response: &logical.Response{}, 2133 } 2134 c, _, root := TestCoreUnsealed(t) 2135 c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 2136 return noop, nil 2137 } 2138 2139 // Enable the logical backend 2140 req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo") 2141 req.Data["type"] = "noop" 2142 req.Data["description"] = "foo" 2143 req.ClientToken = root 2144 _, err := c.HandleRequest(namespace.RootContext(nil), req) 2145 if err != nil { 2146 t.Fatalf("err: %v", err) 2147 } 2148 2149 // Attempt to request 2150 req = &logical.Request{ 2151 Operation: logical.ReadOperation, 2152 Path: "foo/test", 2153 Connection: &logical.Connection{}, 2154 } 2155 req.ClientToken = root 2156 if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil { 2157 t.Fatalf("err: %v", err) 2158 } 2159 2160 // Verify Path, MountPoint, and MountType 2161 if noop.Requests[0].Path != "test" { 2162 t.Fatalf("bad: %#v", noop.Requests) 2163 } 2164 if noop.Requests[0].MountPoint != "foo/" { 2165 t.Fatalf("bad: %#v", noop.Requests) 2166 } 2167 if noop.Requests[0].MountType != "noop" { 2168 t.Fatalf("bad: %#v", noop.Requests) 2169 } 2170} 2171 2172func TestCore_Standby_Rotate(t *testing.T) { 2173 // Create the first core and initialize it 2174 logger = logging.NewVaultLogger(log.Trace) 2175 2176 inm, err := inmem.NewInmemHA(nil, logger) 2177 if err != nil { 2178 t.Fatal(err) 2179 } 2180 inmha, err := inmem.NewInmemHA(nil, logger) 2181 if err != nil { 2182 t.Fatal(err) 2183 } 2184 2185 redirectOriginal := "http://127.0.0.1:8200" 2186 core, err := NewCore(&CoreConfig{ 2187 Physical: inm, 2188 HAPhysical: inmha.(physical.HABackend), 2189 RedirectAddr: redirectOriginal, 2190 DisableMlock: true, 2191 }) 2192 if err != nil { 2193 t.Fatalf("err: %v", err) 2194 } 2195 keys, root := TestCoreInit(t, core) 2196 for _, key := range keys { 2197 if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil { 2198 t.Fatalf("unseal err: %s", err) 2199 } 2200 } 2201 2202 // Wait for core to become active 2203 TestWaitActive(t, core) 2204 2205 // Create a second core, attached to same in-memory store 2206 redirectOriginal2 := "http://127.0.0.1:8500" 2207 core2, err := NewCore(&CoreConfig{ 2208 Physical: inm, 2209 HAPhysical: inmha.(physical.HABackend), 2210 RedirectAddr: redirectOriginal2, 2211 DisableMlock: true, 2212 }) 2213 if err != nil { 2214 t.Fatalf("err: %v", err) 2215 } 2216 for _, key := range keys { 2217 if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil { 2218 t.Fatalf("unseal err: %s", err) 2219 } 2220 } 2221 2222 // Rotate the encryption key 2223 req := &logical.Request{ 2224 Operation: logical.UpdateOperation, 2225 Path: "sys/rotate", 2226 ClientToken: root, 2227 } 2228 _, err = core.HandleRequest(namespace.RootContext(nil), req) 2229 if err != nil { 2230 t.Fatalf("err: %v", err) 2231 } 2232 2233 // Seal the first core, should step down 2234 err = core.Seal(root) 2235 if err != nil { 2236 t.Fatalf("err: %v", err) 2237 } 2238 2239 // Wait for core2 to become active 2240 TestWaitActive(t, core2) 2241 2242 // Read the key status 2243 req = &logical.Request{ 2244 Operation: logical.ReadOperation, 2245 Path: "sys/key-status", 2246 ClientToken: root, 2247 } 2248 resp, err := core2.HandleRequest(namespace.RootContext(nil), req) 2249 if err != nil { 2250 t.Fatalf("err: %v", err) 2251 } 2252 2253 // Verify the response 2254 if resp.Data["term"] != 2 { 2255 t.Fatalf("bad: %#v", resp) 2256 } 2257} 2258 2259func TestCore_HandleRequest_Headers(t *testing.T) { 2260 noop := &NoopBackend{ 2261 Response: &logical.Response{ 2262 Data: map[string]interface{}{}, 2263 }, 2264 } 2265 2266 c, _, root := TestCoreUnsealed(t) 2267 c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 2268 return noop, nil 2269 } 2270 2271 // Enable the backend 2272 req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo") 2273 req.Data["type"] = "noop" 2274 req.ClientToken = root 2275 _, err := c.HandleRequest(namespace.RootContext(nil), req) 2276 if err != nil { 2277 t.Fatalf("err: %v", err) 2278 } 2279 2280 // Mount tune 2281 req = logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo/tune") 2282 req.Data["passthrough_request_headers"] = []string{"Should-Passthrough", "should-passthrough-case-insensitive"} 2283 req.ClientToken = root 2284 _, err = c.HandleRequest(namespace.RootContext(nil), req) 2285 if err != nil { 2286 t.Fatalf("err: %v", err) 2287 } 2288 2289 // Attempt to read 2290 lreq := &logical.Request{ 2291 Operation: logical.ReadOperation, 2292 Path: "foo/test", 2293 ClientToken: root, 2294 Headers: map[string][]string{ 2295 "Should-Passthrough": []string{"foo"}, 2296 "Should-Passthrough-Case-Insensitive": []string{"baz"}, 2297 "Should-Not-Passthrough": []string{"bar"}, 2298 consts.AuthHeaderName: []string{"nope"}, 2299 }, 2300 } 2301 _, err = c.HandleRequest(namespace.RootContext(nil), lreq) 2302 if err != nil { 2303 t.Fatalf("err: %v", err) 2304 } 2305 2306 // Check the headers 2307 headers := noop.Requests[0].Headers 2308 2309 // Test passthrough values 2310 if val, ok := headers["Should-Passthrough"]; ok { 2311 expected := []string{"foo"} 2312 if !reflect.DeepEqual(val, expected) { 2313 t.Fatalf("expected: %v, got: %v", expected, val) 2314 } 2315 } else { 2316 t.Fatalf("expected 'Should-Passthrough' to be present in the headers map") 2317 } 2318 2319 if val, ok := headers["Should-Passthrough-Case-Insensitive"]; ok { 2320 expected := []string{"baz"} 2321 if !reflect.DeepEqual(val, expected) { 2322 t.Fatalf("expected: %v, got: %v", expected, val) 2323 } 2324 } else { 2325 t.Fatal("expected 'Should-Passthrough-Case-Insensitive' to be present in the headers map") 2326 } 2327 2328 if _, ok := headers["Should-Not-Passthrough"]; ok { 2329 t.Fatal("did not expect 'Should-Not-Passthrough' to be in the headers map") 2330 } 2331 2332 if _, ok := headers[consts.AuthHeaderName]; ok { 2333 t.Fatalf("did not expect %q to be in the headers map", consts.AuthHeaderName) 2334 } 2335} 2336 2337func TestCore_HandleRequest_Headers_denyList(t *testing.T) { 2338 noop := &NoopBackend{ 2339 Response: &logical.Response{ 2340 Data: map[string]interface{}{}, 2341 }, 2342 } 2343 2344 c, _, root := TestCoreUnsealed(t) 2345 c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 2346 return noop, nil 2347 } 2348 2349 // Enable the backend 2350 req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo") 2351 req.Data["type"] = "noop" 2352 req.ClientToken = root 2353 _, err := c.HandleRequest(namespace.RootContext(nil), req) 2354 if err != nil { 2355 t.Fatalf("err: %v", err) 2356 } 2357 2358 // Mount tune 2359 req = logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo/tune") 2360 req.Data["passthrough_request_headers"] = []string{"Authorization", consts.AuthHeaderName} 2361 req.ClientToken = root 2362 _, err = c.HandleRequest(namespace.RootContext(nil), req) 2363 if err != nil { 2364 t.Fatalf("err: %v", err) 2365 } 2366 2367 // Attempt to read 2368 lreq := &logical.Request{ 2369 Operation: logical.ReadOperation, 2370 Path: "foo/test", 2371 ClientToken: root, 2372 Headers: map[string][]string{ 2373 consts.AuthHeaderName: []string{"foo"}, 2374 }, 2375 } 2376 _, err = c.HandleRequest(namespace.RootContext(nil), lreq) 2377 if err != nil { 2378 t.Fatalf("err: %v", err) 2379 } 2380 2381 // Check the headers 2382 headers := noop.Requests[0].Headers 2383 2384 // Test passthrough values, they should not be present in the backend 2385 if _, ok := headers[consts.AuthHeaderName]; ok { 2386 t.Fatalf("did not expect %q to be in the headers map", consts.AuthHeaderName) 2387 } 2388} 2389