1package vault 2 3import ( 4 "context" 5 "reflect" 6 "testing" 7 "time" 8 9 "github.com/go-test/deep" 10 "github.com/hashicorp/errwrap" 11 log "github.com/hashicorp/go-hclog" 12 uuid "github.com/hashicorp/go-uuid" 13 "github.com/hashicorp/vault/audit" 14 "github.com/hashicorp/vault/helper/consts" 15 "github.com/hashicorp/vault/helper/logging" 16 "github.com/hashicorp/vault/helper/namespace" 17 "github.com/hashicorp/vault/logical" 18 "github.com/hashicorp/vault/physical" 19 "github.com/hashicorp/vault/physical/inmem" 20) 21 22var ( 23 // invalidKey is used to test Unseal 24 invalidKey = []byte("abcdefghijklmnopqrstuvwxyz")[:17] 25) 26 27func TestNewCore_badRedirectAddr(t *testing.T) { 28 logger = logging.NewVaultLogger(log.Trace) 29 30 inm, err := inmem.NewInmem(nil, logger) 31 if err != nil { 32 t.Fatal(err) 33 } 34 35 conf := &CoreConfig{ 36 RedirectAddr: "127.0.0.1:8200", 37 Physical: inm, 38 DisableMlock: true, 39 } 40 _, err = NewCore(conf) 41 if err == nil { 42 t.Fatal("should error") 43 } 44} 45 46func TestSealConfig_Invalid(t *testing.T) { 47 s := &SealConfig{ 48 SecretShares: 2, 49 SecretThreshold: 1, 50 } 51 err := s.Validate() 52 if err == nil { 53 t.Fatalf("expected err") 54 } 55} 56 57func TestCore_Unseal_MultiShare(t *testing.T) { 58 c := TestCore(t) 59 60 _, err := TestCoreUnseal(c, invalidKey) 61 if err != ErrNotInit { 62 t.Fatalf("err: %v", err) 63 } 64 65 sealConf := &SealConfig{ 66 SecretShares: 5, 67 SecretThreshold: 3, 68 } 69 res, err := c.Initialize(namespace.RootContext(nil), &InitParams{ 70 BarrierConfig: sealConf, 71 RecoveryConfig: nil, 72 }) 73 if err != nil { 74 t.Fatalf("err: %v", err) 75 } 76 77 if !c.Sealed() { 78 t.Fatalf("should be sealed") 79 } 80 81 if prog, _ := c.SecretProgress(); prog != 0 { 82 t.Fatalf("bad progress: %d", prog) 83 } 84 85 for i := 0; i < 5; i++ { 86 unseal, err := TestCoreUnseal(c, res.SecretShares[i]) 87 if err != nil { 88 t.Fatalf("err: %v", err) 89 } 90 91 // Ignore redundant 92 _, err = TestCoreUnseal(c, res.SecretShares[i]) 93 if err != nil { 94 t.Fatalf("err: %v", err) 95 } 96 if i >= 2 { 97 if !unseal { 98 t.Fatalf("should be unsealed") 99 } 100 if prog, _ := c.SecretProgress(); prog != 0 { 101 t.Fatalf("bad progress: %d", prog) 102 } 103 } else { 104 if unseal { 105 t.Fatalf("should not be unsealed") 106 } 107 if prog, _ := c.SecretProgress(); prog != i+1 { 108 t.Fatalf("bad progress: %d", prog) 109 } 110 } 111 } 112 113 if c.Sealed() { 114 t.Fatalf("should not be sealed") 115 } 116 117 err = c.Seal(res.RootToken) 118 if err != nil { 119 t.Fatalf("err: %v", err) 120 } 121 122 // Ignore redundant 123 err = c.Seal(res.RootToken) 124 if err != nil { 125 t.Fatalf("err: %v", err) 126 } 127 128 if !c.Sealed() { 129 t.Fatalf("should be sealed") 130 } 131} 132 133func TestCore_Unseal_Single(t *testing.T) { 134 c := TestCore(t) 135 136 _, err := TestCoreUnseal(c, invalidKey) 137 if err != ErrNotInit { 138 t.Fatalf("err: %v", err) 139 } 140 141 sealConf := &SealConfig{ 142 SecretShares: 1, 143 SecretThreshold: 1, 144 } 145 res, err := c.Initialize(namespace.RootContext(nil), &InitParams{ 146 BarrierConfig: sealConf, 147 RecoveryConfig: nil, 148 }) 149 if err != nil { 150 t.Fatalf("err: %v", err) 151 } 152 153 if !c.Sealed() { 154 t.Fatalf("should be sealed") 155 } 156 157 if prog, _ := c.SecretProgress(); prog != 0 { 158 t.Fatalf("bad progress: %d", prog) 159 } 160 161 unseal, err := TestCoreUnseal(c, res.SecretShares[0]) 162 if err != nil { 163 t.Fatalf("err: %v", err) 164 } 165 166 if !unseal { 167 t.Fatalf("should be unsealed") 168 } 169 if prog, _ := c.SecretProgress(); prog != 0 { 170 t.Fatalf("bad progress: %d", prog) 171 } 172 173 if c.Sealed() { 174 t.Fatalf("should not be sealed") 175 } 176} 177 178func TestCore_Route_Sealed(t *testing.T) { 179 c := TestCore(t) 180 sealConf := &SealConfig{ 181 SecretShares: 1, 182 SecretThreshold: 1, 183 } 184 185 ctx := namespace.RootContext(nil) 186 187 // Should not route anything 188 req := &logical.Request{ 189 Operation: logical.ReadOperation, 190 Path: "sys/mounts", 191 } 192 _, err := c.HandleRequest(ctx, req) 193 if err != consts.ErrSealed { 194 t.Fatalf("err: %v", err) 195 } 196 197 res, err := c.Initialize(ctx, &InitParams{ 198 BarrierConfig: sealConf, 199 RecoveryConfig: nil, 200 }) 201 if err != nil { 202 t.Fatalf("err: %v", err) 203 } 204 205 unseal, err := TestCoreUnseal(c, res.SecretShares[0]) 206 if err != nil { 207 t.Fatalf("err: %v", err) 208 } 209 if !unseal { 210 t.Fatalf("should be unsealed") 211 } 212 213 // Should not error after unseal 214 req.ClientToken = res.RootToken 215 _, err = c.HandleRequest(ctx, req) 216 if err != nil { 217 t.Fatalf("err: %v", err) 218 } 219} 220 221// Attempt to unseal after doing a first seal 222func TestCore_SealUnseal(t *testing.T) { 223 c, keys, root := TestCoreUnsealed(t) 224 if err := c.Seal(root); err != nil { 225 t.Fatalf("err: %v", err) 226 } 227 for i, key := range keys { 228 unseal, err := TestCoreUnseal(c, key) 229 if err != nil { 230 t.Fatalf("err: %v", err) 231 } 232 if i+1 == len(keys) && !unseal { 233 t.Fatalf("err: should be unsealed") 234 } 235 } 236} 237 238// Attempt to shutdown after unseal 239func TestCore_Shutdown(t *testing.T) { 240 c, _, _ := TestCoreUnsealed(t) 241 if err := c.Shutdown(); err != nil { 242 t.Fatalf("err: %v", err) 243 } 244 if !c.Sealed() { 245 t.Fatal("wasn't sealed") 246 } 247} 248 249// Attempt to seal bad token 250func TestCore_Seal_BadToken(t *testing.T) { 251 c, _, _ := TestCoreUnsealed(t) 252 if err := c.Seal("foo"); err == nil { 253 t.Fatalf("err: %v", err) 254 } 255 if c.Sealed() { 256 t.Fatal("was sealed") 257 } 258} 259 260// GH-3497 261func TestCore_Seal_SingleUse(t *testing.T) { 262 c, keys, _ := TestCoreUnsealed(t) 263 c.tokenStore.create(namespace.RootContext(nil), &logical.TokenEntry{ 264 ID: "foo", 265 NumUses: 1, 266 Policies: []string{"root"}, 267 NamespaceID: namespace.RootNamespaceID, 268 }) 269 if err := c.Seal("foo"); err != nil { 270 t.Fatalf("err: %v", err) 271 } 272 if !c.Sealed() { 273 t.Fatal("not sealed") 274 } 275 for i, key := range keys { 276 unseal, err := TestCoreUnseal(c, key) 277 if err != nil { 278 t.Fatalf("err: %v", err) 279 } 280 if i+1 == len(keys) && !unseal { 281 t.Fatalf("err: should be unsealed") 282 } 283 } 284 if err := c.Seal("foo"); err == nil { 285 t.Fatal("expected error from revoked token") 286 } 287 te, err := c.tokenStore.Lookup(namespace.RootContext(nil), "foo") 288 if err != nil { 289 t.Fatal(err) 290 } 291 if te != nil { 292 t.Fatalf("expected nil token entry, got %#v", *te) 293 } 294} 295 296// Ensure we get a LeaseID 297func TestCore_HandleRequest_Lease(t *testing.T) { 298 c, _, root := TestCoreUnsealed(t) 299 300 req := &logical.Request{ 301 Operation: logical.UpdateOperation, 302 Path: "secret/test", 303 Data: map[string]interface{}{ 304 "foo": "bar", 305 "lease": "1h", 306 }, 307 ClientToken: root, 308 } 309 ctx := namespace.RootContext(nil) 310 resp, err := c.HandleRequest(ctx, req) 311 if err != nil { 312 t.Fatalf("err: %v", err) 313 } 314 if resp != nil { 315 t.Fatalf("bad: %#v", resp) 316 } 317 318 // Read the key 319 req.Operation = logical.ReadOperation 320 req.Data = nil 321 req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) 322 resp, err = c.HandleRequest(ctx, req) 323 if err != nil { 324 t.Fatalf("err: %v", err) 325 } 326 if resp == nil || resp.Secret == nil || resp.Data == nil { 327 t.Fatalf("bad: %#v", resp) 328 } 329 if resp.Secret.TTL != time.Hour { 330 t.Fatalf("bad: %#v", resp.Secret) 331 } 332 if resp.Secret.LeaseID == "" { 333 t.Fatalf("bad: %#v", resp.Secret) 334 } 335 if resp.Data["foo"] != "bar" { 336 t.Fatalf("bad: %#v", resp.Data) 337 } 338} 339 340func TestCore_HandleRequest_Lease_MaxLength(t *testing.T) { 341 c, _, root := TestCoreUnsealed(t) 342 343 req := &logical.Request{ 344 Operation: logical.UpdateOperation, 345 Path: "secret/test", 346 Data: map[string]interface{}{ 347 "foo": "bar", 348 "lease": "1000h", 349 }, 350 ClientToken: root, 351 } 352 ctx := namespace.RootContext(nil) 353 resp, err := c.HandleRequest(ctx, req) 354 if err != nil { 355 t.Fatalf("err: %v", err) 356 } 357 if resp != nil { 358 t.Fatalf("bad: %#v", resp) 359 } 360 361 // Read the key 362 req.Operation = logical.ReadOperation 363 req.Data = nil 364 req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) 365 resp, err = c.HandleRequest(ctx, req) 366 if err != nil { 367 t.Fatalf("err: %v", err) 368 } 369 if resp == nil || resp.Secret == nil || resp.Data == nil { 370 t.Fatalf("bad: %#v", resp) 371 } 372 if resp.Secret.TTL != c.maxLeaseTTL { 373 t.Fatalf("bad: %#v, %d", resp.Secret, c.maxLeaseTTL) 374 } 375 if resp.Secret.LeaseID == "" { 376 t.Fatalf("bad: %#v", resp.Secret) 377 } 378 if resp.Data["foo"] != "bar" { 379 t.Fatalf("bad: %#v", resp.Data) 380 } 381} 382 383func TestCore_HandleRequest_Lease_DefaultLength(t *testing.T) { 384 c, _, root := TestCoreUnsealed(t) 385 386 req := &logical.Request{ 387 Operation: logical.UpdateOperation, 388 Path: "secret/test", 389 Data: map[string]interface{}{ 390 "foo": "bar", 391 "lease": "0h", 392 }, 393 ClientToken: root, 394 } 395 ctx := namespace.RootContext(nil) 396 resp, err := c.HandleRequest(ctx, req) 397 if err != nil { 398 t.Fatalf("err: %v", err) 399 } 400 if resp != nil { 401 t.Fatalf("bad: %#v", resp) 402 } 403 404 // Read the key 405 req.Operation = logical.ReadOperation 406 req.Data = nil 407 req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) 408 resp, err = c.HandleRequest(ctx, req) 409 if err != nil { 410 t.Fatalf("err: %v", err) 411 } 412 if resp == nil || resp.Secret == nil || resp.Data == nil { 413 t.Fatalf("bad: %#v", resp) 414 } 415 if resp.Secret.TTL != c.defaultLeaseTTL { 416 t.Fatalf("bad: %d, %d", resp.Secret.TTL/time.Second, c.defaultLeaseTTL/time.Second) 417 } 418 if resp.Secret.LeaseID == "" { 419 t.Fatalf("bad: %#v", resp.Secret) 420 } 421 if resp.Data["foo"] != "bar" { 422 t.Fatalf("bad: %#v", resp.Data) 423 } 424} 425 426func TestCore_HandleRequest_MissingToken(t *testing.T) { 427 c, _, _ := TestCoreUnsealed(t) 428 429 req := &logical.Request{ 430 Operation: logical.UpdateOperation, 431 Path: "secret/test", 432 Data: map[string]interface{}{ 433 "foo": "bar", 434 "lease": "1h", 435 }, 436 } 437 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 438 if err == nil || !errwrap.Contains(err, logical.ErrInvalidRequest.Error()) { 439 t.Fatalf("err: %v", err) 440 } 441 if resp.Data["error"] != "missing client token" { 442 t.Fatalf("bad: %#v", resp) 443 } 444} 445 446func TestCore_HandleRequest_InvalidToken(t *testing.T) { 447 c, _, _ := TestCoreUnsealed(t) 448 449 req := &logical.Request{ 450 Operation: logical.UpdateOperation, 451 Path: "secret/test", 452 Data: map[string]interface{}{ 453 "foo": "bar", 454 "lease": "1h", 455 }, 456 ClientToken: "foobarbaz", 457 } 458 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 459 if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) { 460 t.Fatalf("err: %v", err) 461 } 462 if resp.Data["error"] != "permission denied" { 463 t.Fatalf("bad: %#v", resp) 464 } 465} 466 467// Check that standard permissions work 468func TestCore_HandleRequest_NoSlash(t *testing.T) { 469 c, _, root := TestCoreUnsealed(t) 470 471 req := &logical.Request{ 472 Operation: logical.HelpOperation, 473 Path: "secret", 474 ClientToken: root, 475 } 476 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 477 if err != nil { 478 t.Fatalf("err: %v, resp: %v", err, resp) 479 } 480 if _, ok := resp.Data["help"]; !ok { 481 t.Fatalf("resp: %v", resp) 482 } 483} 484 485// Test a root path is denied if non-root 486func TestCore_HandleRequest_RootPath(t *testing.T) { 487 c, _, root := TestCoreUnsealed(t) 488 testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"}) 489 490 req := &logical.Request{ 491 Operation: logical.ReadOperation, 492 Path: "sys/policy", // root protected! 493 ClientToken: "child", 494 } 495 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 496 if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) { 497 t.Fatalf("err: %v, resp: %v", err, resp) 498 } 499} 500 501// Test a root path is allowed if non-root but with sudo 502func TestCore_HandleRequest_RootPath_WithSudo(t *testing.T) { 503 c, _, root := TestCoreUnsealed(t) 504 505 // Set the 'test' policy object to permit access to sys/policy 506 req := &logical.Request{ 507 Operation: logical.UpdateOperation, 508 Path: "sys/policy/test", // root protected! 509 Data: map[string]interface{}{ 510 "rules": `path "sys/policy" { policy = "sudo" }`, 511 }, 512 ClientToken: root, 513 } 514 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 515 if err != nil { 516 t.Fatalf("err: %v", err) 517 } 518 if resp != nil && (resp.IsError() || len(resp.Data) > 0) { 519 t.Fatalf("bad: %#v", resp) 520 } 521 522 // Child token (non-root) but with 'test' policy should have access 523 testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"}) 524 req = &logical.Request{ 525 Operation: logical.ReadOperation, 526 Path: "sys/policy", // root protected! 527 ClientToken: "child", 528 } 529 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 530 if err != nil { 531 t.Fatalf("err: %v", err) 532 } 533 if resp == nil { 534 t.Fatalf("bad: %#v", resp) 535 } 536} 537 538// Check that standard permissions work 539func TestCore_HandleRequest_PermissionDenied(t *testing.T) { 540 c, _, root := TestCoreUnsealed(t) 541 testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"}) 542 543 req := &logical.Request{ 544 Operation: logical.UpdateOperation, 545 Path: "secret/test", 546 Data: map[string]interface{}{ 547 "foo": "bar", 548 "lease": "1h", 549 }, 550 ClientToken: "child", 551 } 552 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 553 if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) { 554 t.Fatalf("err: %v, resp: %v", err, resp) 555 } 556} 557 558// Check that standard permissions work 559func TestCore_HandleRequest_PermissionAllowed(t *testing.T) { 560 c, _, root := TestCoreUnsealed(t) 561 testMakeServiceTokenViaCore(t, c, root, "child", "", []string{"test"}) 562 563 // Set the 'test' policy object to permit access to secret/ 564 req := &logical.Request{ 565 Operation: logical.UpdateOperation, 566 Path: "sys/policy/test", 567 Data: map[string]interface{}{ 568 "rules": `path "secret/*" { policy = "write" }`, 569 }, 570 ClientToken: root, 571 } 572 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 573 if err != nil { 574 t.Fatalf("err: %v", err) 575 } 576 if resp != nil && (resp.IsError() || len(resp.Data) > 0) { 577 t.Fatalf("bad: %#v", resp) 578 } 579 580 // Write should work now 581 req = &logical.Request{ 582 Operation: logical.UpdateOperation, 583 Path: "secret/test", 584 Data: map[string]interface{}{ 585 "foo": "bar", 586 "lease": "1h", 587 }, 588 ClientToken: "child", 589 } 590 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 591 if err != nil { 592 t.Fatalf("err: %v", err) 593 } 594 if resp != nil { 595 t.Fatalf("bad: %#v", resp) 596 } 597} 598 599func TestCore_HandleRequest_NoClientToken(t *testing.T) { 600 noop := &NoopBackend{ 601 Response: &logical.Response{}, 602 } 603 c, _, root := TestCoreUnsealed(t) 604 c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 605 return noop, nil 606 } 607 608 // Enable the logical backend 609 req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo") 610 req.Data["type"] = "noop" 611 req.Data["description"] = "foo" 612 req.ClientToken = root 613 _, err := c.HandleRequest(namespace.RootContext(nil), req) 614 if err != nil { 615 t.Fatalf("err: %v", err) 616 } 617 618 // Attempt to request with connection data 619 req = &logical.Request{ 620 Path: "foo/login", 621 } 622 req.ClientToken = root 623 if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil { 624 t.Fatalf("err: %v", err) 625 } 626 627 ct := noop.Requests[0].ClientToken 628 if ct == "" || ct == root { 629 t.Fatalf("bad: %#v", noop.Requests) 630 } 631} 632 633func TestCore_HandleRequest_ConnOnLogin(t *testing.T) { 634 noop := &NoopBackend{ 635 Login: []string{"login"}, 636 Response: &logical.Response{}, 637 BackendType: logical.TypeCredential, 638 } 639 c, _, root := TestCoreUnsealed(t) 640 c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 641 return noop, nil 642 } 643 644 // Enable the credential backend 645 req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo") 646 req.Data["type"] = "noop" 647 req.ClientToken = root 648 _, err := c.HandleRequest(namespace.RootContext(nil), req) 649 if err != nil { 650 t.Fatalf("err: %v", err) 651 } 652 653 // Attempt to request with connection data 654 req = &logical.Request{ 655 Path: "auth/foo/login", 656 Connection: &logical.Connection{}, 657 } 658 if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil { 659 t.Fatalf("err: %v", err) 660 } 661 if noop.Requests[0].Connection == nil { 662 t.Fatalf("bad: %#v", noop.Requests) 663 } 664} 665 666// Ensure we get a client token 667func TestCore_HandleLogin_Token(t *testing.T) { 668 noop := &NoopBackend{ 669 Login: []string{"login"}, 670 Response: &logical.Response{ 671 Auth: &logical.Auth{ 672 Policies: []string{"foo", "bar"}, 673 Metadata: map[string]string{ 674 "user": "armon", 675 }, 676 DisplayName: "armon", 677 }, 678 }, 679 BackendType: logical.TypeCredential, 680 } 681 c, _, root := TestCoreUnsealed(t) 682 c.credentialBackends["noop"] = func(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) { 683 return noop, nil 684 } 685 686 // Enable the credential backend 687 req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo") 688 req.Data["type"] = "noop" 689 req.ClientToken = root 690 _, err := c.HandleRequest(namespace.RootContext(nil), req) 691 if err != nil { 692 t.Fatalf("err: %v", err) 693 } 694 695 // Attempt to login 696 lreq := &logical.Request{ 697 Path: "auth/foo/login", 698 } 699 lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq) 700 if err != nil { 701 t.Fatalf("err: %v", err) 702 } 703 704 // Ensure we got a client token back 705 clientToken := lresp.Auth.ClientToken 706 if clientToken == "" { 707 t.Fatalf("bad: %#v", lresp) 708 } 709 710 // Check the policy and metadata 711 te, err := c.tokenStore.Lookup(namespace.RootContext(nil), clientToken) 712 if err != nil { 713 t.Fatalf("err: %v", err) 714 } 715 expect := &logical.TokenEntry{ 716 ID: clientToken, 717 Accessor: te.Accessor, 718 Parent: "", 719 Policies: []string{"bar", "default", "foo"}, 720 Path: "auth/foo/login", 721 Meta: map[string]string{ 722 "user": "armon", 723 }, 724 DisplayName: "foo-armon", 725 TTL: time.Hour * 24, 726 CreationTime: te.CreationTime, 727 NamespaceID: namespace.RootNamespaceID, 728 CubbyholeID: te.CubbyholeID, 729 Type: logical.TokenTypeService, 730 } 731 732 if diff := deep.Equal(te, expect); diff != nil { 733 t.Fatal(diff) 734 } 735 736 // Check that we have a lease with default duration 737 if lresp.Auth.TTL != noop.System().DefaultLeaseTTL() { 738 t.Fatalf("bad: %#v, defaultLeaseTTL: %#v", lresp.Auth, c.defaultLeaseTTL) 739 } 740} 741 742func TestCore_HandleRequest_AuditTrail(t *testing.T) { 743 // Create a noop audit backend 744 noop := &NoopAudit{} 745 c, _, root := TestCoreUnsealed(t) 746 c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) { 747 noop = &NoopAudit{ 748 Config: config, 749 } 750 return noop, nil 751 } 752 753 // Enable the audit backend 754 req := logical.TestRequest(t, logical.UpdateOperation, "sys/audit/noop") 755 req.Data["type"] = "noop" 756 req.ClientToken = root 757 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 758 if err != nil { 759 t.Fatalf("err: %v", err) 760 } 761 762 // Make a request 763 req = &logical.Request{ 764 Operation: logical.UpdateOperation, 765 Path: "secret/test", 766 Data: map[string]interface{}{ 767 "foo": "bar", 768 "lease": "1h", 769 }, 770 ClientToken: root, 771 } 772 req.ClientToken = root 773 if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil { 774 t.Fatalf("err: %v", err) 775 } 776 777 // Check the audit trail on request and response 778 if len(noop.ReqAuth) != 1 { 779 t.Fatalf("bad: %#v", noop) 780 } 781 auth := noop.ReqAuth[0] 782 if auth.ClientToken != root { 783 t.Fatalf("bad client token: %#v", auth) 784 } 785 if len(auth.Policies) != 1 || auth.Policies[0] != "root" { 786 t.Fatalf("bad: %#v", auth) 787 } 788 if len(noop.Req) != 1 || !reflect.DeepEqual(noop.Req[0], req) { 789 t.Fatalf("Bad: %#v", noop.Req[0]) 790 } 791 792 if len(noop.RespAuth) != 2 { 793 t.Fatalf("bad: %#v", noop) 794 } 795 if !reflect.DeepEqual(noop.RespAuth[1], auth) { 796 t.Fatalf("bad: %#v", auth) 797 } 798 if len(noop.RespReq) != 2 || !reflect.DeepEqual(noop.RespReq[1], req) { 799 t.Fatalf("Bad: %#v", noop.RespReq[1]) 800 } 801 if len(noop.Resp) != 2 || !reflect.DeepEqual(noop.Resp[1], resp) { 802 t.Fatalf("Bad: %#v", noop.Resp[1]) 803 } 804} 805 806func TestCore_HandleRequest_AuditTrail_noHMACKeys(t *testing.T) { 807 // Create a noop audit backend 808 var noop *NoopAudit 809 c, _, root := TestCoreUnsealed(t) 810 c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) { 811 noop = &NoopAudit{ 812 Config: config, 813 } 814 return noop, nil 815 } 816 817 // Specify some keys to not HMAC 818 req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/secret/tune") 819 req.Data["audit_non_hmac_request_keys"] = "foo" 820 req.ClientToken = root 821 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 822 if err != nil { 823 t.Fatalf("err: %v", err) 824 } 825 826 req = logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/secret/tune") 827 req.Data["audit_non_hmac_response_keys"] = "baz" 828 req.ClientToken = root 829 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 830 if err != nil { 831 t.Fatalf("err: %v", err) 832 } 833 834 // Enable the audit backend 835 req = logical.TestRequest(t, logical.UpdateOperation, "sys/audit/noop") 836 req.Data["type"] = "noop" 837 req.ClientToken = root 838 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 839 if err != nil { 840 t.Fatalf("err: %v", err) 841 } 842 843 // Make a request 844 req = &logical.Request{ 845 Operation: logical.UpdateOperation, 846 Path: "secret/test", 847 Data: map[string]interface{}{ 848 "foo": "bar", 849 }, 850 ClientToken: root, 851 } 852 req.ClientToken = root 853 if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil { 854 t.Fatalf("err: %v", err) 855 } 856 857 // Check the audit trail on request and response 858 if len(noop.ReqAuth) != 1 { 859 t.Fatalf("bad: %#v", noop) 860 } 861 auth := noop.ReqAuth[0] 862 if auth.ClientToken != root { 863 t.Fatalf("bad client token: %#v", auth) 864 } 865 if len(auth.Policies) != 1 || auth.Policies[0] != "root" { 866 t.Fatalf("bad: %#v", auth) 867 } 868 if len(noop.Req) != 1 || !reflect.DeepEqual(noop.Req[0], req) { 869 t.Fatalf("Bad: %#v", noop.Req[0]) 870 } 871 if len(noop.ReqNonHMACKeys) != 1 || noop.ReqNonHMACKeys[0] != "foo" { 872 t.Fatalf("Bad: %#v", noop.ReqNonHMACKeys) 873 } 874 if len(noop.RespAuth) != 2 { 875 t.Fatalf("bad: %#v", noop) 876 } 877 if !reflect.DeepEqual(noop.RespAuth[1], auth) { 878 t.Fatalf("bad: %#v", auth) 879 } 880 if len(noop.RespReq) != 2 || !reflect.DeepEqual(noop.RespReq[1], req) { 881 t.Fatalf("Bad: %#v", noop.RespReq[1]) 882 } 883 if len(noop.Resp) != 2 || !reflect.DeepEqual(noop.Resp[1], resp) { 884 t.Fatalf("Bad: %#v", noop.Resp[1]) 885 } 886 887 // Test for response keys 888 // Make a request 889 req = &logical.Request{ 890 Operation: logical.ReadOperation, 891 Path: "secret/test", 892 ClientToken: root, 893 } 894 req.ClientToken = root 895 req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) 896 if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil { 897 t.Fatalf("err: %v", err) 898 } 899 if len(noop.RespNonHMACKeys) != 1 || noop.RespNonHMACKeys[0] != "baz" { 900 t.Fatalf("Bad: %#v", noop.RespNonHMACKeys) 901 } 902 if len(noop.RespReqNonHMACKeys) != 1 || noop.RespReqNonHMACKeys[0] != "foo" { 903 t.Fatalf("Bad: %#v", noop.RespReqNonHMACKeys) 904 } 905} 906 907// Ensure we get a client token 908func TestCore_HandleLogin_AuditTrail(t *testing.T) { 909 // Create a badass credential backend that always logs in as armon 910 noop := &NoopAudit{} 911 noopBack := &NoopBackend{ 912 Login: []string{"login"}, 913 Response: &logical.Response{ 914 Auth: &logical.Auth{ 915 LeaseOptions: logical.LeaseOptions{ 916 TTL: time.Hour, 917 }, 918 Policies: []string{"foo", "bar"}, 919 Metadata: map[string]string{ 920 "user": "armon", 921 }, 922 }, 923 }, 924 BackendType: logical.TypeCredential, 925 } 926 c, _, root := TestCoreUnsealed(t) 927 c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 928 return noopBack, nil 929 } 930 c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) { 931 noop = &NoopAudit{ 932 Config: config, 933 } 934 return noop, nil 935 } 936 937 // Enable the credential backend 938 req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo") 939 req.Data["type"] = "noop" 940 req.ClientToken = root 941 _, err := c.HandleRequest(namespace.RootContext(nil), req) 942 if err != nil { 943 t.Fatalf("err: %v", err) 944 } 945 946 // Enable the audit backend 947 req = logical.TestRequest(t, logical.UpdateOperation, "sys/audit/noop") 948 req.Data["type"] = "noop" 949 req.ClientToken = root 950 _, err = c.HandleRequest(namespace.RootContext(nil), req) 951 if err != nil { 952 t.Fatalf("err: %v", err) 953 } 954 955 // Attempt to login 956 lreq := &logical.Request{ 957 Path: "auth/foo/login", 958 } 959 lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq) 960 if err != nil { 961 t.Fatalf("err: %v", err) 962 } 963 964 // Ensure we got a client token back 965 clientToken := lresp.Auth.ClientToken 966 if clientToken == "" { 967 t.Fatalf("bad: %#v", lresp) 968 } 969 970 // Check the audit trail on request and response 971 if len(noop.ReqAuth) != 1 { 972 t.Fatalf("bad: %#v", noop) 973 } 974 if len(noop.Req) != 1 || !reflect.DeepEqual(noop.Req[0], lreq) { 975 t.Fatalf("Bad: %#v %#v", noop.Req[0], lreq) 976 } 977 978 if len(noop.RespAuth) != 2 { 979 t.Fatalf("bad: %#v", noop) 980 } 981 auth := noop.RespAuth[1] 982 if auth.ClientToken != clientToken { 983 t.Fatalf("bad client token: %#v", auth) 984 } 985 if len(auth.Policies) != 3 || auth.Policies[0] != "bar" || auth.Policies[1] != "default" || auth.Policies[2] != "foo" { 986 t.Fatalf("bad: %#v", auth) 987 } 988 if len(noop.RespReq) != 2 || !reflect.DeepEqual(noop.RespReq[1], lreq) { 989 t.Fatalf("Bad: %#v", noop.RespReq[1]) 990 } 991 if len(noop.Resp) != 2 || !reflect.DeepEqual(noop.Resp[1], lresp) { 992 t.Fatalf("Bad: %#v %#v", noop.Resp[1], lresp) 993 } 994} 995 996// Check that we register a lease for new tokens 997func TestCore_HandleRequest_CreateToken_Lease(t *testing.T) { 998 c, _, root := TestCoreUnsealed(t) 999 1000 // Create a new credential 1001 req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create") 1002 req.ClientToken = root 1003 req.Data["policies"] = []string{"foo"} 1004 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 1005 if err != nil { 1006 t.Fatalf("err: %v", err) 1007 } 1008 1009 // Ensure we got a new client token back 1010 if resp.IsError() { 1011 t.Fatalf("err: %v %v", err, *resp) 1012 } 1013 clientToken := resp.Auth.ClientToken 1014 if clientToken == "" { 1015 t.Fatalf("bad: %#v", resp) 1016 } 1017 1018 // Check the policy and metadata 1019 te, err := c.tokenStore.Lookup(namespace.RootContext(nil), clientToken) 1020 if err != nil { 1021 t.Fatalf("err: %v", err) 1022 } 1023 expect := &logical.TokenEntry{ 1024 ID: clientToken, 1025 Accessor: te.Accessor, 1026 Parent: root, 1027 Policies: []string{"default", "foo"}, 1028 Path: "auth/token/create", 1029 DisplayName: "token", 1030 CreationTime: te.CreationTime, 1031 TTL: time.Hour * 24 * 32, 1032 NamespaceID: namespace.RootNamespaceID, 1033 CubbyholeID: te.CubbyholeID, 1034 Type: logical.TokenTypeService, 1035 } 1036 if diff := deep.Equal(te, expect); diff != nil { 1037 t.Fatal(diff) 1038 } 1039 1040 // Check that we have a lease with default duration 1041 if resp.Auth.TTL != c.defaultLeaseTTL { 1042 t.Fatalf("bad: %#v", resp.Auth) 1043 } 1044} 1045 1046// Check that we handle excluding the default policy 1047func TestCore_HandleRequest_CreateToken_NoDefaultPolicy(t *testing.T) { 1048 c, _, root := TestCoreUnsealed(t) 1049 1050 // Create a new credential 1051 req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create") 1052 req.ClientToken = root 1053 req.Data["policies"] = []string{"foo"} 1054 req.Data["no_default_policy"] = true 1055 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 1056 if err != nil { 1057 t.Fatalf("err: %v", err) 1058 } 1059 1060 // Ensure we got a new client token back 1061 clientToken := resp.Auth.ClientToken 1062 if clientToken == "" { 1063 t.Fatalf("bad: %#v", resp) 1064 } 1065 1066 // Check the policy and metadata 1067 te, err := c.tokenStore.Lookup(namespace.RootContext(nil), clientToken) 1068 if err != nil { 1069 t.Fatalf("err: %v", err) 1070 } 1071 expect := &logical.TokenEntry{ 1072 ID: clientToken, 1073 Accessor: te.Accessor, 1074 Parent: root, 1075 Policies: []string{"foo"}, 1076 Path: "auth/token/create", 1077 DisplayName: "token", 1078 CreationTime: te.CreationTime, 1079 TTL: time.Hour * 24 * 32, 1080 NamespaceID: namespace.RootNamespaceID, 1081 CubbyholeID: te.CubbyholeID, 1082 Type: logical.TokenTypeService, 1083 } 1084 if diff := deep.Equal(te, expect); diff != nil { 1085 t.Fatal(diff) 1086 } 1087} 1088 1089func TestCore_LimitedUseToken(t *testing.T) { 1090 c, _, root := TestCoreUnsealed(t) 1091 1092 // Create a new credential 1093 req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/create") 1094 req.ClientToken = root 1095 req.Data["num_uses"] = "1" 1096 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 1097 if err != nil { 1098 t.Fatalf("err: %v", err) 1099 } 1100 1101 // Put a secret 1102 req = &logical.Request{ 1103 Operation: logical.UpdateOperation, 1104 Path: "secret/foo", 1105 Data: map[string]interface{}{ 1106 "foo": "bar", 1107 }, 1108 ClientToken: resp.Auth.ClientToken, 1109 } 1110 _, err = c.HandleRequest(namespace.RootContext(nil), req) 1111 if err != nil { 1112 t.Fatalf("err: %v", err) 1113 } 1114 1115 // Second operation should fail 1116 _, err = c.HandleRequest(namespace.RootContext(nil), req) 1117 if err == nil || !errwrap.Contains(err, logical.ErrPermissionDenied.Error()) { 1118 t.Fatalf("err: %v", err) 1119 } 1120} 1121 1122func TestCore_Standby_Seal(t *testing.T) { 1123 // Create the first core and initialize it 1124 logger = logging.NewVaultLogger(log.Trace) 1125 1126 inm, err := inmem.NewInmemHA(nil, logger) 1127 if err != nil { 1128 t.Fatal(err) 1129 } 1130 inmha, err := inmem.NewInmemHA(nil, logger) 1131 if err != nil { 1132 t.Fatal(err) 1133 } 1134 1135 redirectOriginal := "http://127.0.0.1:8200" 1136 core, err := NewCore(&CoreConfig{ 1137 Physical: inm, 1138 HAPhysical: inmha.(physical.HABackend), 1139 RedirectAddr: redirectOriginal, 1140 DisableMlock: true, 1141 }) 1142 if err != nil { 1143 t.Fatalf("err: %v", err) 1144 } 1145 keys, root := TestCoreInit(t, core) 1146 for _, key := range keys { 1147 if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil { 1148 t.Fatalf("unseal err: %s", err) 1149 } 1150 } 1151 1152 // Verify unsealed 1153 if core.Sealed() { 1154 t.Fatal("should not be sealed") 1155 } 1156 1157 // Wait for core to become active 1158 TestWaitActive(t, core) 1159 1160 // Check the leader is local 1161 isLeader, advertise, _, err := core.Leader() 1162 if err != nil { 1163 t.Fatalf("err: %v", err) 1164 } 1165 if !isLeader { 1166 t.Fatalf("should be leader") 1167 } 1168 if advertise != redirectOriginal { 1169 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1170 } 1171 1172 // Create the second core and initialize it 1173 redirectOriginal2 := "http://127.0.0.1:8500" 1174 core2, err := NewCore(&CoreConfig{ 1175 Physical: inm, 1176 HAPhysical: inmha.(physical.HABackend), 1177 RedirectAddr: redirectOriginal2, 1178 DisableMlock: true, 1179 }) 1180 if err != nil { 1181 t.Fatalf("err: %v", err) 1182 } 1183 for _, key := range keys { 1184 if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil { 1185 t.Fatalf("unseal err: %s", err) 1186 } 1187 } 1188 1189 // Verify unsealed 1190 if core2.Sealed() { 1191 t.Fatal("should not be sealed") 1192 } 1193 1194 // Core2 should be in standby 1195 standby, err := core2.Standby() 1196 if err != nil { 1197 t.Fatalf("err: %v", err) 1198 } 1199 if !standby { 1200 t.Fatalf("should be standby") 1201 } 1202 1203 // Check the leader is not local 1204 isLeader, advertise, _, err = core2.Leader() 1205 if err != nil { 1206 t.Fatalf("err: %v", err) 1207 } 1208 if isLeader { 1209 t.Fatalf("should not be leader") 1210 } 1211 if advertise != redirectOriginal { 1212 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1213 } 1214 1215 // Seal the standby core with the correct token. Shouldn't go down 1216 err = core2.Seal(root) 1217 if err == nil { 1218 t.Fatal("should not be sealed") 1219 } 1220 1221 keyUUID, err := uuid.GenerateUUID() 1222 if err != nil { 1223 t.Fatal(err) 1224 } 1225 // Seal the standby core with an invalid token. Shouldn't go down 1226 err = core2.Seal(keyUUID) 1227 if err == nil { 1228 t.Fatal("should not be sealed") 1229 } 1230} 1231 1232func TestCore_StepDown(t *testing.T) { 1233 // Create the first core and initialize it 1234 logger = logging.NewVaultLogger(log.Trace) 1235 1236 inm, err := inmem.NewInmemHA(nil, logger) 1237 if err != nil { 1238 t.Fatal(err) 1239 } 1240 inmha, err := inmem.NewInmemHA(nil, logger) 1241 if err != nil { 1242 t.Fatal(err) 1243 } 1244 1245 redirectOriginal := "http://127.0.0.1:8200" 1246 core, err := NewCore(&CoreConfig{ 1247 Physical: inm, 1248 HAPhysical: inmha.(physical.HABackend), 1249 RedirectAddr: redirectOriginal, 1250 DisableMlock: true, 1251 }) 1252 if err != nil { 1253 t.Fatalf("err: %v", err) 1254 } 1255 keys, root := TestCoreInit(t, core) 1256 for _, key := range keys { 1257 if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil { 1258 t.Fatalf("unseal err: %s", err) 1259 } 1260 } 1261 1262 // Verify unsealed 1263 if core.Sealed() { 1264 t.Fatal("should not be sealed") 1265 } 1266 1267 // Wait for core to become active 1268 TestWaitActive(t, core) 1269 1270 // Check the leader is local 1271 isLeader, advertise, _, err := core.Leader() 1272 if err != nil { 1273 t.Fatalf("err: %v", err) 1274 } 1275 if !isLeader { 1276 t.Fatalf("should be leader") 1277 } 1278 if advertise != redirectOriginal { 1279 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1280 } 1281 1282 // Create the second core and initialize it 1283 redirectOriginal2 := "http://127.0.0.1:8500" 1284 core2, err := NewCore(&CoreConfig{ 1285 Physical: inm, 1286 HAPhysical: inmha.(physical.HABackend), 1287 RedirectAddr: redirectOriginal2, 1288 DisableMlock: true, 1289 }) 1290 if err != nil { 1291 t.Fatalf("err: %v", err) 1292 } 1293 for _, key := range keys { 1294 if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil { 1295 t.Fatalf("unseal err: %s", err) 1296 } 1297 } 1298 1299 // Verify unsealed 1300 if core2.Sealed() { 1301 t.Fatal("should not be sealed") 1302 } 1303 1304 // Core2 should be in standby 1305 standby, err := core2.Standby() 1306 if err != nil { 1307 t.Fatalf("err: %v", err) 1308 } 1309 if !standby { 1310 t.Fatalf("should be standby") 1311 } 1312 1313 // Check the leader is not local 1314 isLeader, advertise, _, err = core2.Leader() 1315 if err != nil { 1316 t.Fatalf("err: %v", err) 1317 } 1318 if isLeader { 1319 t.Fatalf("should not be leader") 1320 } 1321 if advertise != redirectOriginal { 1322 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1323 } 1324 1325 req := &logical.Request{ 1326 ClientToken: root, 1327 Path: "sys/step-down", 1328 } 1329 1330 // Create an identifier for the request 1331 req.ID, err = uuid.GenerateUUID() 1332 if err != nil { 1333 t.Fatalf("failed to generate identifier for the request: path: %s err: %v", req.Path, err) 1334 } 1335 1336 // Step down core 1337 err = core.StepDown(namespace.RootContext(nil), req) 1338 if err != nil { 1339 t.Fatal("error stepping down core 1") 1340 } 1341 1342 // Give time to switch leaders 1343 time.Sleep(5 * time.Second) 1344 1345 // Core1 should be in standby 1346 standby, err = core.Standby() 1347 if err != nil { 1348 t.Fatalf("err: %v", err) 1349 } 1350 if !standby { 1351 t.Fatalf("should be standby") 1352 } 1353 1354 // Check the leader is core2 1355 isLeader, advertise, _, err = core2.Leader() 1356 if err != nil { 1357 t.Fatalf("err: %v", err) 1358 } 1359 if !isLeader { 1360 t.Fatalf("should be leader") 1361 } 1362 if advertise != redirectOriginal2 { 1363 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2) 1364 } 1365 1366 // Check the leader is not local 1367 isLeader, advertise, _, err = core.Leader() 1368 if err != nil { 1369 t.Fatalf("err: %v", err) 1370 } 1371 if isLeader { 1372 t.Fatalf("should not be leader") 1373 } 1374 if advertise != redirectOriginal2 { 1375 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2) 1376 } 1377 1378 // Step down core2 1379 err = core2.StepDown(namespace.RootContext(nil), req) 1380 if err != nil { 1381 t.Fatal("error stepping down core 1") 1382 } 1383 1384 // Give time to switch leaders -- core 1 will still be waiting on its 1385 // cooling off period so give it a full 10 seconds to recover 1386 time.Sleep(10 * time.Second) 1387 1388 // Core2 should be in standby 1389 standby, err = core2.Standby() 1390 if err != nil { 1391 t.Fatalf("err: %v", err) 1392 } 1393 if !standby { 1394 t.Fatalf("should be standby") 1395 } 1396 1397 // Check the leader is core1 1398 isLeader, advertise, _, err = core.Leader() 1399 if err != nil { 1400 t.Fatalf("err: %v", err) 1401 } 1402 if !isLeader { 1403 t.Fatalf("should be leader") 1404 } 1405 if advertise != redirectOriginal { 1406 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1407 } 1408 1409 // Check the leader is not local 1410 isLeader, advertise, _, err = core2.Leader() 1411 if err != nil { 1412 t.Fatalf("err: %v", err) 1413 } 1414 if isLeader { 1415 t.Fatalf("should not be leader") 1416 } 1417 if advertise != redirectOriginal { 1418 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1419 } 1420} 1421 1422func TestCore_CleanLeaderPrefix(t *testing.T) { 1423 // Create the first core and initialize it 1424 logger = logging.NewVaultLogger(log.Trace) 1425 1426 inm, err := inmem.NewInmemHA(nil, logger) 1427 if err != nil { 1428 t.Fatal(err) 1429 } 1430 inmha, err := inmem.NewInmemHA(nil, logger) 1431 if err != nil { 1432 t.Fatal(err) 1433 } 1434 1435 redirectOriginal := "http://127.0.0.1:8200" 1436 core, err := NewCore(&CoreConfig{ 1437 Physical: inm, 1438 HAPhysical: inmha.(physical.HABackend), 1439 RedirectAddr: redirectOriginal, 1440 DisableMlock: true, 1441 }) 1442 if err != nil { 1443 t.Fatalf("err: %v", err) 1444 } 1445 keys, root := TestCoreInit(t, core) 1446 for _, key := range keys { 1447 if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil { 1448 t.Fatalf("unseal err: %s", err) 1449 } 1450 } 1451 1452 // Verify unsealed 1453 if core.Sealed() { 1454 t.Fatal("should not be sealed") 1455 } 1456 1457 // Wait for core to become active 1458 TestWaitActive(t, core) 1459 1460 // Ensure that the original clean function has stopped running 1461 time.Sleep(2 * time.Second) 1462 1463 // Put several random entries 1464 for i := 0; i < 5; i++ { 1465 keyUUID, err := uuid.GenerateUUID() 1466 if err != nil { 1467 t.Fatal(err) 1468 } 1469 valueUUID, err := uuid.GenerateUUID() 1470 if err != nil { 1471 t.Fatal(err) 1472 } 1473 core.barrier.Put(namespace.RootContext(nil), &logical.StorageEntry{ 1474 Key: coreLeaderPrefix + keyUUID, 1475 Value: []byte(valueUUID), 1476 }) 1477 } 1478 1479 entries, err := core.barrier.List(namespace.RootContext(nil), coreLeaderPrefix) 1480 if err != nil { 1481 t.Fatalf("err: %v", err) 1482 } 1483 if len(entries) != 6 { 1484 t.Fatalf("wrong number of core leader prefix entries, got %d", len(entries)) 1485 } 1486 1487 // Check the leader is local 1488 isLeader, advertise, _, err := core.Leader() 1489 if err != nil { 1490 t.Fatalf("err: %v", err) 1491 } 1492 if !isLeader { 1493 t.Fatalf("should be leader") 1494 } 1495 if advertise != redirectOriginal { 1496 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1497 } 1498 1499 // Create a second core, attached to same in-memory store 1500 redirectOriginal2 := "http://127.0.0.1:8500" 1501 core2, err := NewCore(&CoreConfig{ 1502 Physical: inm, 1503 HAPhysical: inmha.(physical.HABackend), 1504 RedirectAddr: redirectOriginal2, 1505 DisableMlock: true, 1506 }) 1507 if err != nil { 1508 t.Fatalf("err: %v", err) 1509 } 1510 for _, key := range keys { 1511 if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil { 1512 t.Fatalf("unseal err: %s", err) 1513 } 1514 } 1515 1516 // Verify unsealed 1517 if core2.Sealed() { 1518 t.Fatal("should not be sealed") 1519 } 1520 1521 // Core2 should be in standby 1522 standby, err := core2.Standby() 1523 if err != nil { 1524 t.Fatalf("err: %v", err) 1525 } 1526 if !standby { 1527 t.Fatalf("should be standby") 1528 } 1529 1530 // Check the leader is not local 1531 isLeader, advertise, _, err = core2.Leader() 1532 if err != nil { 1533 t.Fatalf("err: %v", err) 1534 } 1535 if isLeader { 1536 t.Fatalf("should not be leader") 1537 } 1538 if advertise != redirectOriginal { 1539 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1540 } 1541 1542 // Seal the first core, should step down 1543 err = core.Seal(root) 1544 if err != nil { 1545 t.Fatalf("err: %v", err) 1546 } 1547 1548 // Core should be in standby 1549 standby, err = core.Standby() 1550 if err != nil { 1551 t.Fatalf("err: %v", err) 1552 } 1553 if !standby { 1554 t.Fatalf("should be standby") 1555 } 1556 1557 // Wait for core2 to become active 1558 TestWaitActive(t, core2) 1559 1560 // Check the leader is local 1561 isLeader, advertise, _, err = core2.Leader() 1562 if err != nil { 1563 t.Fatalf("err: %v", err) 1564 } 1565 if !isLeader { 1566 t.Fatalf("should be leader") 1567 } 1568 if advertise != redirectOriginal2 { 1569 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2) 1570 } 1571 1572 // Give time for the entries to clear out; it is conservative at 1/second 1573 time.Sleep(10 * leaderPrefixCleanDelay) 1574 1575 entries, err = core2.barrier.List(namespace.RootContext(nil), coreLeaderPrefix) 1576 if err != nil { 1577 t.Fatalf("err: %v", err) 1578 } 1579 if len(entries) != 1 { 1580 t.Fatalf("wrong number of core leader prefix entries, got %d", len(entries)) 1581 } 1582} 1583 1584func TestCore_Standby(t *testing.T) { 1585 logger = logging.NewVaultLogger(log.Trace) 1586 1587 inmha, err := inmem.NewInmemHA(nil, logger) 1588 if err != nil { 1589 t.Fatal(err) 1590 } 1591 1592 testCore_Standby_Common(t, inmha, inmha.(physical.HABackend)) 1593} 1594 1595func TestCore_Standby_SeparateHA(t *testing.T) { 1596 logger = logging.NewVaultLogger(log.Trace) 1597 1598 inmha, err := inmem.NewInmemHA(nil, logger) 1599 if err != nil { 1600 t.Fatal(err) 1601 } 1602 inmha2, err := inmem.NewInmemHA(nil, logger) 1603 if err != nil { 1604 t.Fatal(err) 1605 } 1606 1607 testCore_Standby_Common(t, inmha, inmha2.(physical.HABackend)) 1608} 1609 1610func testCore_Standby_Common(t *testing.T, inm physical.Backend, inmha physical.HABackend) { 1611 // Create the first core and initialize it 1612 redirectOriginal := "http://127.0.0.1:8200" 1613 core, err := NewCore(&CoreConfig{ 1614 Physical: inm, 1615 HAPhysical: inmha, 1616 RedirectAddr: redirectOriginal, 1617 DisableMlock: true, 1618 }) 1619 if err != nil { 1620 t.Fatalf("err: %v", err) 1621 } 1622 keys, root := TestCoreInit(t, core) 1623 for _, key := range keys { 1624 if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil { 1625 t.Fatalf("unseal err: %s", err) 1626 } 1627 } 1628 1629 // Verify unsealed 1630 if core.Sealed() { 1631 t.Fatal("should not be sealed") 1632 } 1633 1634 // Wait for core to become active 1635 TestWaitActive(t, core) 1636 1637 // Put a secret 1638 req := &logical.Request{ 1639 Operation: logical.UpdateOperation, 1640 Path: "secret/foo", 1641 Data: map[string]interface{}{ 1642 "foo": "bar", 1643 }, 1644 ClientToken: root, 1645 } 1646 _, err = core.HandleRequest(namespace.RootContext(nil), req) 1647 if err != nil { 1648 t.Fatalf("err: %v", err) 1649 } 1650 1651 // Check the leader is local 1652 isLeader, advertise, _, err := core.Leader() 1653 if err != nil { 1654 t.Fatalf("err: %v", err) 1655 } 1656 if !isLeader { 1657 t.Fatalf("should be leader") 1658 } 1659 if advertise != redirectOriginal { 1660 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1661 } 1662 1663 // Create a second core, attached to same in-memory store 1664 redirectOriginal2 := "http://127.0.0.1:8500" 1665 core2, err := NewCore(&CoreConfig{ 1666 Physical: inm, 1667 HAPhysical: inmha, 1668 RedirectAddr: redirectOriginal2, 1669 DisableMlock: true, 1670 }) 1671 if err != nil { 1672 t.Fatalf("err: %v", err) 1673 } 1674 for _, key := range keys { 1675 if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil { 1676 t.Fatalf("unseal err: %s", err) 1677 } 1678 } 1679 1680 // Verify unsealed 1681 if core2.Sealed() { 1682 t.Fatal("should not be sealed") 1683 } 1684 1685 // Core2 should be in standby 1686 standby, err := core2.Standby() 1687 if err != nil { 1688 t.Fatalf("err: %v", err) 1689 } 1690 if !standby { 1691 t.Fatalf("should be standby") 1692 } 1693 1694 // Request should fail in standby mode 1695 _, err = core2.HandleRequest(namespace.RootContext(nil), req) 1696 if err != consts.ErrStandby { 1697 t.Fatalf("err: %v", err) 1698 } 1699 1700 // Check the leader is not local 1701 isLeader, advertise, _, err = core2.Leader() 1702 if err != nil { 1703 t.Fatalf("err: %v", err) 1704 } 1705 if isLeader { 1706 t.Fatalf("should not be leader") 1707 } 1708 if advertise != redirectOriginal { 1709 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal) 1710 } 1711 1712 // Seal the first core, should step down 1713 err = core.Seal(root) 1714 if err != nil { 1715 t.Fatalf("err: %v", err) 1716 } 1717 1718 // Core should be in standby 1719 standby, err = core.Standby() 1720 if err != nil { 1721 t.Fatalf("err: %v", err) 1722 } 1723 if !standby { 1724 t.Fatalf("should be standby") 1725 } 1726 1727 // Wait for core2 to become active 1728 TestWaitActive(t, core2) 1729 1730 // Read the secret 1731 req = &logical.Request{ 1732 Operation: logical.ReadOperation, 1733 Path: "secret/foo", 1734 ClientToken: root, 1735 } 1736 resp, err := core2.HandleRequest(namespace.RootContext(nil), req) 1737 if err != nil { 1738 t.Fatalf("err: %v", err) 1739 } 1740 1741 // Verify the response 1742 if resp.Data["foo"] != "bar" { 1743 t.Fatalf("bad: %#v", resp) 1744 } 1745 1746 // Check the leader is local 1747 isLeader, advertise, _, err = core2.Leader() 1748 if err != nil { 1749 t.Fatalf("err: %v", err) 1750 } 1751 if !isLeader { 1752 t.Fatalf("should be leader") 1753 } 1754 if advertise != redirectOriginal2 { 1755 t.Fatalf("Bad advertise: %v, orig is %v", advertise, redirectOriginal2) 1756 } 1757 1758 if inm.(*inmem.InmemHABackend) == inmha.(*inmem.InmemHABackend) { 1759 lockSize := inm.(*inmem.InmemHABackend).LockMapSize() 1760 if lockSize == 0 { 1761 t.Fatalf("locks not used with only one HA backend") 1762 } 1763 } else { 1764 lockSize := inmha.(*inmem.InmemHABackend).LockMapSize() 1765 if lockSize == 0 { 1766 t.Fatalf("locks not used with expected HA backend") 1767 } 1768 1769 lockSize = inm.(*inmem.InmemHABackend).LockMapSize() 1770 if lockSize != 0 { 1771 t.Fatalf("locks used with unexpected HA backend") 1772 } 1773 } 1774} 1775 1776// Ensure that InternalData is never returned 1777func TestCore_HandleRequest_Login_InternalData(t *testing.T) { 1778 noop := &NoopBackend{ 1779 Login: []string{"login"}, 1780 Response: &logical.Response{ 1781 Auth: &logical.Auth{ 1782 Policies: []string{"foo", "bar"}, 1783 InternalData: map[string]interface{}{ 1784 "foo": "bar", 1785 }, 1786 }, 1787 }, 1788 BackendType: logical.TypeCredential, 1789 } 1790 1791 c, _, root := TestCoreUnsealed(t) 1792 c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 1793 return noop, nil 1794 } 1795 1796 // Enable the credential backend 1797 req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo") 1798 req.Data["type"] = "noop" 1799 req.ClientToken = root 1800 _, err := c.HandleRequest(namespace.RootContext(nil), req) 1801 if err != nil { 1802 t.Fatalf("err: %v", err) 1803 } 1804 1805 // Attempt to login 1806 lreq := &logical.Request{ 1807 Path: "auth/foo/login", 1808 } 1809 lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq) 1810 if err != nil { 1811 t.Fatalf("err: %v", err) 1812 } 1813 1814 // Ensure we do not get the internal data 1815 if lresp.Auth.InternalData != nil { 1816 t.Fatalf("bad: %#v", lresp) 1817 } 1818} 1819 1820// Ensure that InternalData is never returned 1821func TestCore_HandleRequest_InternalData(t *testing.T) { 1822 noop := &NoopBackend{ 1823 Response: &logical.Response{ 1824 Secret: &logical.Secret{ 1825 InternalData: map[string]interface{}{ 1826 "foo": "bar", 1827 }, 1828 }, 1829 Data: map[string]interface{}{ 1830 "foo": "bar", 1831 }, 1832 }, 1833 } 1834 1835 c, _, root := TestCoreUnsealed(t) 1836 c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 1837 return noop, nil 1838 } 1839 1840 // Enable the credential backend 1841 req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo") 1842 req.Data["type"] = "noop" 1843 req.ClientToken = root 1844 _, err := c.HandleRequest(namespace.RootContext(nil), req) 1845 if err != nil { 1846 t.Fatalf("err: %v", err) 1847 } 1848 1849 // Attempt to read 1850 lreq := &logical.Request{ 1851 Operation: logical.ReadOperation, 1852 Path: "foo/test", 1853 ClientToken: root, 1854 } 1855 lreq.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) 1856 lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq) 1857 if err != nil { 1858 t.Fatalf("err: %v", err) 1859 } 1860 1861 // Ensure we do not get the internal data 1862 if lresp.Secret.InternalData != nil { 1863 t.Fatalf("bad: %#v", lresp) 1864 } 1865} 1866 1867// Ensure login does not return a secret 1868func TestCore_HandleLogin_ReturnSecret(t *testing.T) { 1869 // Create a badass credential backend that always logs in as armon 1870 noopBack := &NoopBackend{ 1871 Login: []string{"login"}, 1872 Response: &logical.Response{ 1873 Secret: &logical.Secret{}, 1874 Auth: &logical.Auth{ 1875 Policies: []string{"foo", "bar"}, 1876 }, 1877 }, 1878 BackendType: logical.TypeCredential, 1879 } 1880 c, _, root := TestCoreUnsealed(t) 1881 c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 1882 return noopBack, nil 1883 } 1884 1885 // Enable the credential backend 1886 req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo") 1887 req.Data["type"] = "noop" 1888 req.ClientToken = root 1889 _, err := c.HandleRequest(namespace.RootContext(nil), req) 1890 if err != nil { 1891 t.Fatalf("err: %v", err) 1892 } 1893 1894 // Attempt to login 1895 lreq := &logical.Request{ 1896 Path: "auth/foo/login", 1897 } 1898 _, err = c.HandleRequest(namespace.RootContext(nil), lreq) 1899 if err != ErrInternalError { 1900 t.Fatalf("err: %v", err) 1901 } 1902} 1903 1904// Renew should return the same lease back 1905func TestCore_RenewSameLease(t *testing.T) { 1906 c, _, root := TestCoreUnsealed(t) 1907 1908 // Create a leasable secret 1909 req := &logical.Request{ 1910 Operation: logical.UpdateOperation, 1911 Path: "secret/test", 1912 Data: map[string]interface{}{ 1913 "foo": "bar", 1914 "lease": "1h", 1915 }, 1916 ClientToken: root, 1917 } 1918 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 1919 if err != nil { 1920 t.Fatalf("err: %v", err) 1921 } 1922 if resp != nil { 1923 t.Fatalf("bad: %#v", resp) 1924 } 1925 1926 // Read the key 1927 req.Operation = logical.ReadOperation 1928 req.Data = nil 1929 req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) 1930 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 1931 if err != nil { 1932 t.Fatalf("err: %v", err) 1933 } 1934 if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" { 1935 t.Fatalf("bad: %#v", resp.Secret) 1936 } 1937 original := resp.Secret.LeaseID 1938 1939 // Renew the lease 1940 req = logical.TestRequest(t, logical.UpdateOperation, "sys/renew/"+resp.Secret.LeaseID) 1941 req.ClientToken = root 1942 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 1943 if err != nil { 1944 t.Fatalf("err: %v", err) 1945 } 1946 1947 // Verify the lease did not change 1948 if resp.Secret.LeaseID != original { 1949 t.Fatalf("lease id changed: %s %s", original, resp.Secret.LeaseID) 1950 } 1951 1952 // Renew the lease (alternate path) 1953 req = logical.TestRequest(t, logical.UpdateOperation, "sys/leases/renew/"+resp.Secret.LeaseID) 1954 req.ClientToken = root 1955 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 1956 if err != nil { 1957 t.Fatalf("err: %v", err) 1958 } 1959 1960 // Verify the lease did not change 1961 if resp.Secret.LeaseID != original { 1962 t.Fatalf("lease id changed: %s %s", original, resp.Secret.LeaseID) 1963 } 1964} 1965 1966// Renew of a token should not create a new lease 1967func TestCore_RenewToken_SingleRegister(t *testing.T) { 1968 c, _, root := TestCoreUnsealed(t) 1969 1970 // Create a new token 1971 req := &logical.Request{ 1972 Operation: logical.UpdateOperation, 1973 Path: "auth/token/create", 1974 Data: map[string]interface{}{ 1975 "lease": "1h", 1976 }, 1977 ClientToken: root, 1978 } 1979 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 1980 if err != nil { 1981 t.Fatalf("err: %v", err) 1982 } 1983 newClient := resp.Auth.ClientToken 1984 1985 // Renew the token 1986 req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/renew") 1987 req.ClientToken = newClient 1988 req.Data = map[string]interface{}{ 1989 "token": newClient, 1990 } 1991 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 1992 if err != nil { 1993 t.Fatalf("err: %v", err) 1994 } 1995 1996 // Revoke using the renew prefix 1997 req = logical.TestRequest(t, logical.UpdateOperation, "sys/revoke-prefix/auth/token/renew/") 1998 req.ClientToken = root 1999 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 2000 if err != nil { 2001 t.Fatalf("err: %v", err) 2002 } 2003 2004 // Verify our token is still valid (e.g. we did not get invalidated by the revoke) 2005 req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/lookup") 2006 req.Data = map[string]interface{}{ 2007 "token": newClient, 2008 } 2009 req.ClientToken = newClient 2010 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 2011 if err != nil { 2012 t.Fatalf("err: %v", err) 2013 } 2014 2015 // Verify the token exists 2016 if resp.Data["id"] != newClient { 2017 t.Fatalf("bad: %#v", resp.Data) 2018 } 2019} 2020 2021// Based on bug GH-203, attempt to disable a credential backend with leased secrets 2022func TestCore_EnableDisableCred_WithLease(t *testing.T) { 2023 noopBack := &NoopBackend{ 2024 Login: []string{"login"}, 2025 Response: &logical.Response{ 2026 Auth: &logical.Auth{ 2027 Policies: []string{"root"}, 2028 }, 2029 }, 2030 BackendType: logical.TypeCredential, 2031 } 2032 2033 c, _, root := TestCoreUnsealed(t) 2034 c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 2035 return noopBack, nil 2036 } 2037 2038 var secretWritingPolicy = ` 2039name = "admins" 2040path "secret/*" { 2041 capabilities = ["update", "create", "read"] 2042} 2043` 2044 2045 ps := c.policyStore 2046 policy, _ := ParseACLPolicy(namespace.RootNamespace, secretWritingPolicy) 2047 if err := ps.SetPolicy(namespace.RootContext(nil), policy); err != nil { 2048 t.Fatal(err) 2049 } 2050 2051 // Enable the credential backend 2052 req := logical.TestRequest(t, logical.UpdateOperation, "sys/auth/foo") 2053 req.Data["type"] = "noop" 2054 req.ClientToken = root 2055 _, err := c.HandleRequest(namespace.RootContext(nil), req) 2056 if err != nil { 2057 t.Fatalf("err: %v", err) 2058 } 2059 2060 // Attempt to login -- should fail because we don't allow root to be returned 2061 lreq := &logical.Request{ 2062 Path: "auth/foo/login", 2063 } 2064 lresp, err := c.HandleRequest(namespace.RootContext(nil), lreq) 2065 if err == nil || lresp == nil || !lresp.IsError() { 2066 t.Fatalf("expected error trying to auth and receive root policy") 2067 } 2068 2069 // Fix and try again 2070 noopBack.Response.Auth.Policies = []string{"admins"} 2071 lreq = &logical.Request{ 2072 Path: "auth/foo/login", 2073 } 2074 lresp, err = c.HandleRequest(namespace.RootContext(nil), lreq) 2075 if err != nil { 2076 t.Fatalf("err: %v", err) 2077 } 2078 2079 // Create a leasable secret 2080 req = &logical.Request{ 2081 Operation: logical.UpdateOperation, 2082 Path: "secret/test", 2083 Data: map[string]interface{}{ 2084 "foo": "bar", 2085 "lease": "1h", 2086 }, 2087 ClientToken: lresp.Auth.ClientToken, 2088 } 2089 resp, err := c.HandleRequest(namespace.RootContext(nil), req) 2090 if err != nil { 2091 t.Fatalf("err: %v", err) 2092 } 2093 if resp != nil { 2094 t.Fatalf("bad: %#v", resp) 2095 } 2096 2097 // Read the key 2098 req.Operation = logical.ReadOperation 2099 req.Data = nil 2100 req.SetTokenEntry(&logical.TokenEntry{ID: root, NamespaceID: "root", Policies: []string{"root"}}) 2101 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 2102 if err != nil { 2103 t.Fatalf("err: %v", err) 2104 } 2105 if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" { 2106 t.Fatalf("bad: %#v", resp.Secret) 2107 } 2108 2109 // Renew the lease 2110 req = logical.TestRequest(t, logical.UpdateOperation, "sys/leases/renew") 2111 req.Data = map[string]interface{}{ 2112 "lease_id": resp.Secret.LeaseID, 2113 } 2114 req.ClientToken = lresp.Auth.ClientToken 2115 _, err = c.HandleRequest(namespace.RootContext(nil), req) 2116 if err != nil { 2117 t.Fatalf("err: %v", err) 2118 } 2119 2120 // Disable the credential backend 2121 req = logical.TestRequest(t, logical.DeleteOperation, "sys/auth/foo") 2122 req.ClientToken = root 2123 resp, err = c.HandleRequest(namespace.RootContext(nil), req) 2124 if err != nil { 2125 t.Fatalf("err: %v %#v", err, resp) 2126 } 2127} 2128 2129func TestCore_HandleRequest_MountPointType(t *testing.T) { 2130 noop := &NoopBackend{ 2131 Response: &logical.Response{}, 2132 } 2133 c, _, root := TestCoreUnsealed(t) 2134 c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 2135 return noop, nil 2136 } 2137 2138 // Enable the logical backend 2139 req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo") 2140 req.Data["type"] = "noop" 2141 req.Data["description"] = "foo" 2142 req.ClientToken = root 2143 _, err := c.HandleRequest(namespace.RootContext(nil), req) 2144 if err != nil { 2145 t.Fatalf("err: %v", err) 2146 } 2147 2148 // Attempt to request 2149 req = &logical.Request{ 2150 Operation: logical.ReadOperation, 2151 Path: "foo/test", 2152 Connection: &logical.Connection{}, 2153 } 2154 req.ClientToken = root 2155 if _, err := c.HandleRequest(namespace.RootContext(nil), req); err != nil { 2156 t.Fatalf("err: %v", err) 2157 } 2158 2159 // Verify Path, MountPoint, and MountType 2160 if noop.Requests[0].Path != "test" { 2161 t.Fatalf("bad: %#v", noop.Requests) 2162 } 2163 if noop.Requests[0].MountPoint != "foo/" { 2164 t.Fatalf("bad: %#v", noop.Requests) 2165 } 2166 if noop.Requests[0].MountType != "noop" { 2167 t.Fatalf("bad: %#v", noop.Requests) 2168 } 2169} 2170 2171func TestCore_Standby_Rotate(t *testing.T) { 2172 // Create the first core and initialize it 2173 logger = logging.NewVaultLogger(log.Trace) 2174 2175 inm, err := inmem.NewInmemHA(nil, logger) 2176 if err != nil { 2177 t.Fatal(err) 2178 } 2179 inmha, err := inmem.NewInmemHA(nil, logger) 2180 if err != nil { 2181 t.Fatal(err) 2182 } 2183 2184 redirectOriginal := "http://127.0.0.1:8200" 2185 core, err := NewCore(&CoreConfig{ 2186 Physical: inm, 2187 HAPhysical: inmha.(physical.HABackend), 2188 RedirectAddr: redirectOriginal, 2189 DisableMlock: true, 2190 }) 2191 if err != nil { 2192 t.Fatalf("err: %v", err) 2193 } 2194 keys, root := TestCoreInit(t, core) 2195 for _, key := range keys { 2196 if _, err := TestCoreUnseal(core, TestKeyCopy(key)); err != nil { 2197 t.Fatalf("unseal err: %s", err) 2198 } 2199 } 2200 2201 // Wait for core to become active 2202 TestWaitActive(t, core) 2203 2204 // Create a second core, attached to same in-memory store 2205 redirectOriginal2 := "http://127.0.0.1:8500" 2206 core2, err := NewCore(&CoreConfig{ 2207 Physical: inm, 2208 HAPhysical: inmha.(physical.HABackend), 2209 RedirectAddr: redirectOriginal2, 2210 DisableMlock: true, 2211 }) 2212 if err != nil { 2213 t.Fatalf("err: %v", err) 2214 } 2215 for _, key := range keys { 2216 if _, err := TestCoreUnseal(core2, TestKeyCopy(key)); err != nil { 2217 t.Fatalf("unseal err: %s", err) 2218 } 2219 } 2220 2221 // Rotate the encryption key 2222 req := &logical.Request{ 2223 Operation: logical.UpdateOperation, 2224 Path: "sys/rotate", 2225 ClientToken: root, 2226 } 2227 _, err = core.HandleRequest(namespace.RootContext(nil), req) 2228 if err != nil { 2229 t.Fatalf("err: %v", err) 2230 } 2231 2232 // Seal the first core, should step down 2233 err = core.Seal(root) 2234 if err != nil { 2235 t.Fatalf("err: %v", err) 2236 } 2237 2238 // Wait for core2 to become active 2239 TestWaitActive(t, core2) 2240 2241 // Read the key status 2242 req = &logical.Request{ 2243 Operation: logical.ReadOperation, 2244 Path: "sys/key-status", 2245 ClientToken: root, 2246 } 2247 resp, err := core2.HandleRequest(namespace.RootContext(nil), req) 2248 if err != nil { 2249 t.Fatalf("err: %v", err) 2250 } 2251 2252 // Verify the response 2253 if resp.Data["term"] != 2 { 2254 t.Fatalf("bad: %#v", resp) 2255 } 2256} 2257 2258func TestCore_HandleRequest_Headers(t *testing.T) { 2259 noop := &NoopBackend{ 2260 Response: &logical.Response{ 2261 Data: map[string]interface{}{}, 2262 }, 2263 } 2264 2265 c, _, root := TestCoreUnsealed(t) 2266 c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 2267 return noop, nil 2268 } 2269 2270 // Enable the backend 2271 req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo") 2272 req.Data["type"] = "noop" 2273 req.ClientToken = root 2274 _, err := c.HandleRequest(namespace.RootContext(nil), req) 2275 if err != nil { 2276 t.Fatalf("err: %v", err) 2277 } 2278 2279 // Mount tune 2280 req = logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo/tune") 2281 req.Data["passthrough_request_headers"] = []string{"Should-Passthrough", "should-passthrough-case-insensitive"} 2282 req.ClientToken = root 2283 _, err = c.HandleRequest(namespace.RootContext(nil), req) 2284 if err != nil { 2285 t.Fatalf("err: %v", err) 2286 } 2287 2288 // Attempt to read 2289 lreq := &logical.Request{ 2290 Operation: logical.ReadOperation, 2291 Path: "foo/test", 2292 ClientToken: root, 2293 Headers: map[string][]string{ 2294 "Should-Passthrough": []string{"foo"}, 2295 "Should-Passthrough-Case-Insensitive": []string{"baz"}, 2296 "Should-Not-Passthrough": []string{"bar"}, 2297 consts.AuthHeaderName: []string{"nope"}, 2298 }, 2299 } 2300 _, err = c.HandleRequest(namespace.RootContext(nil), lreq) 2301 if err != nil { 2302 t.Fatalf("err: %v", err) 2303 } 2304 2305 // Check the headers 2306 headers := noop.Requests[0].Headers 2307 2308 // Test passthrough values 2309 if val, ok := headers["Should-Passthrough"]; ok { 2310 expected := []string{"foo"} 2311 if !reflect.DeepEqual(val, expected) { 2312 t.Fatalf("expected: %v, got: %v", expected, val) 2313 } 2314 } else { 2315 t.Fatalf("expected 'Should-Passthrough' to be present in the headers map") 2316 } 2317 2318 if val, ok := headers["Should-Passthrough-Case-Insensitive"]; ok { 2319 expected := []string{"baz"} 2320 if !reflect.DeepEqual(val, expected) { 2321 t.Fatalf("expected: %v, got: %v", expected, val) 2322 } 2323 } else { 2324 t.Fatal("expected 'Should-Passthrough-Case-Insensitive' to be present in the headers map") 2325 } 2326 2327 if _, ok := headers["Should-Not-Passthrough"]; ok { 2328 t.Fatal("did not expect 'Should-Not-Passthrough' to be in the headers map") 2329 } 2330 2331 if _, ok := headers[consts.AuthHeaderName]; ok { 2332 t.Fatalf("did not expect %q to be in the headers map", consts.AuthHeaderName) 2333 } 2334} 2335 2336func TestCore_HandleRequest_Headers_denyList(t *testing.T) { 2337 noop := &NoopBackend{ 2338 Response: &logical.Response{ 2339 Data: map[string]interface{}{}, 2340 }, 2341 } 2342 2343 c, _, root := TestCoreUnsealed(t) 2344 c.logicalBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { 2345 return noop, nil 2346 } 2347 2348 // Enable the backend 2349 req := logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo") 2350 req.Data["type"] = "noop" 2351 req.ClientToken = root 2352 _, err := c.HandleRequest(namespace.RootContext(nil), req) 2353 if err != nil { 2354 t.Fatalf("err: %v", err) 2355 } 2356 2357 // Mount tune 2358 req = logical.TestRequest(t, logical.UpdateOperation, "sys/mounts/foo/tune") 2359 req.Data["passthrough_request_headers"] = []string{"Authorization", consts.AuthHeaderName} 2360 req.ClientToken = root 2361 _, err = c.HandleRequest(namespace.RootContext(nil), req) 2362 if err != nil { 2363 t.Fatalf("err: %v", err) 2364 } 2365 2366 // Attempt to read 2367 lreq := &logical.Request{ 2368 Operation: logical.ReadOperation, 2369 Path: "foo/test", 2370 ClientToken: root, 2371 Headers: map[string][]string{ 2372 consts.AuthHeaderName: []string{"foo"}, 2373 }, 2374 } 2375 _, err = c.HandleRequest(namespace.RootContext(nil), lreq) 2376 if err != nil { 2377 t.Fatalf("err: %v", err) 2378 } 2379 2380 // Check the headers 2381 headers := noop.Requests[0].Headers 2382 2383 // Test passthrough values, they should not be present in the backend 2384 if _, ok := headers[consts.AuthHeaderName]; ok { 2385 t.Fatalf("did not expect %q to be in the headers map", consts.AuthHeaderName) 2386 } 2387} 2388