From 43e211d17b4316b43c83d2e431e8c9142ec9e165 Mon Sep 17 00:00:00 2001
From: Max Schwenk
Date: Sat, 3 Feb 2018 22:16:49 -0800
Subject: [PATCH] Properly test iam header check
---
 spec/integration/api/auth_spec.rb | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/spec/integration/api/auth_spec.rb b/spec/integration/api/auth_spec.rb
index a497e676..c08c23e2 100644
--- a/spec/integration/api/auth_spec.rb
+++ b/spec/integration/api/auth_spec.rb
@@ -213,10 +213,10 @@ module Vault
 end
 end
 
- describe "#aws_iam" do
+ describe "#aws_iam", vault: "> 0.7.3" do
 before(:context) do
 vault_test_client.sys.enable_auth("aws", "aws", nil)
- vault_test_client.sys.put_auth_tune("aws", "iam_server_id_header_value" => "iam_header_canary")
+ vault_test_client.post("/v1/auth/aws/config/client", JSON.fast_generate("iam_server_id_header_value" => "iam_header_canary"))
 end
 
 after(:context) do
@@ -236,7 +236,18 @@ module Vault
 subject.token = old_token
 end
 
- it "authenticates and saves the token on the client", vault: "> 0.7.3" do
+ it "does not authenticate if iam_server_id_header_value does not match" do
+ expect(::Aws::Sigv4::Signer).to(
+ receive(:new).with(
+ service: 'sts', region: 'cn-north-1', credentials_provider: credentials_provider
+ ).and_call_original
+ )
+ expect do
+ subject.auth.aws_iam('a_rolename', credentials_provider, 'mismatched_iam_header', 'https://sts.cn-north-1.amazonaws.com.cn')
+ end.to raise_error(Vault::HTTPClientError, /expected iam_header_canary but got mismatched_iam_header/)
+ end
+
+ it "authenticates and saves the token on the client" do
 expect(subject).to receive(:post).and_return 'huzzah!'
 expect(Secret).to receive(:decode).and_return secret
 expect(::Aws::Sigv4::Signer).to(
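Review bot: The raw `vault_test_client.post` call in `before(:context)` has no comment saying why it goes around the `sys` helpers, and that reason is the security-relevant part of this commit: the old `put_auth_tune` call apparently never set `iam_server_id_header_value`, so the server was not enforcing the header. I would add above it `# iam_server_id_header_value is set on auth/aws/config/client; without it the server accepts any X-Vault-AWS-IAM-Server-ID value`. The mount name is also spelled out a second time inside the URL, so it has to stay in step with the "aws" passed to `enable_auth`. The `after(:context)` hook continues outside the hunk, so whether it removes this config cannot be seen here.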
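Review bot: The new negative example covers only a wrong header value; a login that carries no server-ID header at all is the other case the check has to reject, and nothing in this hunk pins it. If the third argument of `aws_iam` may be nil, add a sibling example calling `subject.auth.aws_iam('a_rolename', credentials_provider, nil, 'https://sts.cn-north-1.amazonaws.com.cn')` inside `expect do ... end.to raise_error(Vault::HTTPClientError)`. It would also be worth asserting in the rejected case that the client's token is unchanged, so a failed login cannot leave a stale or partial token behind. The enclosing `describe` starts above the hunk and the "authenticates and saves the token" example runs past its end.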
@@ -244,7 +255,7 @@ module Vault
 service: 'sts', region: 'cn-north-1', credentials_provider: credentials_provider
 ).and_call_original
 )
- subject.auth.aws_iam('yabba', credentials_provider, 'iam_header_canary', 'https://sts.cn-north-1.amazonaws.com.cn')
+ subject.auth.aws_iam('a_rolename', credentials_provider, 'iam_header_canary', 'https://sts.cn-north-1.amazonaws.com.cn')
 end
 end
 end