
Add additional functional tests to AWS auth #4031

Merged 1 commit into hashicorp:master from joelthompson:update_pkcs7_dep on Feb 23, 2018

Conversation

joelthompson
Contributor

The upstream pkcs7 dependency has been updated, and in a more robust way than the forked copy of pkcs7, so reverting #4024 and updating to the latest pkcs7 dependency. Also extending the AWS auth functional test suite to test both methods of authenticating with the EC2 auth method.

@joelthompson
Contributor Author

The functional test suite passes:

$ make testacc TEST=./builtin/credential/aws/
==> Checking that code complies with gofmt requirements...
==> Checking that build is using go version >= 1.10...
go generate
VAULT_ACC=1 go test -tags='vault' ./builtin/credential/aws/ -v  -timeout 45m
=== RUN   TestBackend_CreateParseVerifyRoleTag
--- PASS: TestBackend_CreateParseVerifyRoleTag (0.00s)
=== RUN   TestBackend_prepareRoleTagPlaintextValue
--- PASS: TestBackend_prepareRoleTagPlaintextValue (0.00s)
=== RUN   TestBackend_CreateRoleTagNonce
--- PASS: TestBackend_CreateRoleTagNonce (0.00s)
=== RUN   TestBackend_ConfigTidyIdentities
--- PASS: TestBackend_ConfigTidyIdentities (0.00s)
=== RUN   TestBackend_ConfigTidyRoleTags
--- PASS: TestBackend_ConfigTidyRoleTags (0.00s)
=== RUN   TestBackend_TidyIdentities
--- PASS: TestBackend_TidyIdentities (0.00s)
=== RUN   TestBackend_TidyRoleTags
--- PASS: TestBackend_TidyRoleTags (0.00s)
=== RUN   TestBackend_ConfigClient
<snip>
--- PASS: TestBackend_ConfigClient (0.02s)
=== RUN   TestBackend_pathConfigCertificate
--- PASS: TestBackend_pathConfigCertificate (0.00s)
=== RUN   TestBackend_parseAndVerifyRoleTagValue
--- PASS: TestBackend_parseAndVerifyRoleTagValue (0.00s)
=== RUN   TestBackend_PathRoleTag
--- PASS: TestBackend_PathRoleTag (0.00s)
=== RUN   TestBackend_PathBlacklistRoleTag
--- PASS: TestBackend_PathBlacklistRoleTag (0.00s)
=== RUN   TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity
--- PASS: TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity (0.70s)
=== RUN   TestBackend_pathStsConfig
--- PASS: TestBackend_pathStsConfig (0.00s)
=== RUN   TestBackendAcc_LoginWithCallerIdentity
--- PASS: TestBackendAcc_LoginWithCallerIdentity (0.15s)
=== RUN   TestBackend_pathConfigClient
--- PASS: TestBackend_pathConfigClient (0.00s)
=== RUN   TestBackend_pathLogin_getCallerIdentityResponse
--- PASS: TestBackend_pathLogin_getCallerIdentityResponse (0.00s)
=== RUN   TestBackend_pathLogin_parseIamArn
--- PASS: TestBackend_pathLogin_parseIamArn (0.00s)
=== RUN   TestBackend_validateVaultHeaderValue
--- PASS: TestBackend_validateVaultHeaderValue (0.00s)
=== RUN   TestBackend_pathLogin_parseIamRequestHeaders
--- PASS: TestBackend_pathLogin_parseIamRequestHeaders (0.00s)
=== RUN   TestBackend_pathRoleEc2
--- PASS: TestBackend_pathRoleEc2 (0.00s)
=== RUN   Test_enableIamIDResolution
--- PASS: Test_enableIamIDResolution (0.00s)
=== RUN   TestBackend_pathIam
--- PASS: TestBackend_pathIam (0.00s)
=== RUN   TestBackend_pathRoleMixedTypes
--- PASS: TestBackend_pathRoleMixedTypes (0.96s)
=== RUN   TestAwsEc2_RoleCrud
--- PASS: TestAwsEc2_RoleCrud (0.00s)
=== RUN   TestAwsEc2_RoleDurationSeconds
--- PASS: TestAwsEc2_RoleDurationSeconds (0.00s)
PASS
ok      github.com/hashicorp/vault/builtin/credential/aws       (cached)

And a manual smoke test does as well:

$ make dev
$ vault server -dev &
$ export VAULT_ADDR='http://127.0.0.1:8200'
$ vault auth enable aws
2018/02/23 01:34:44.864223 [INFO ] core: enabled credential backend: path=aws/ type=aws
Success! Enabled aws auth method at: aws/
$ vault write auth/aws/role/test auth_type=ec2 bound_ami_id=ami-c58c1dd3
Success! Data written to: auth/aws/role/test
$ vault write auth/aws/login role=test pkcs7="$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n')"
Key                            Value
---                            -----
token                          e350ee6e-26f2-f634-c472-8ae6aa43e430
token_accessor                 6d64b48c-7102-f683-c4c7-39444cb7f2f1
token_duration                 768h
token_renewable                true
token_policies                 [default]
token_meta_account_id          123456789012
token_meta_ami_id              ami-c58c1dd3
token_meta_instance_id         i-XXXXXXXXXXXXXXXXX
token_meta_nonce               36462ecb-679d-603e-0d68-309c2a69408d
token_meta_region              us-east-1
token_meta_role                test
token_meta_role_tag_max_ttl    0s
$ vault write auth/aws/login role=test pkcs7="$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n')" nonce=36462ecb-679d-603e-0d68-309c2a69408d
Key                            Value
---                            -----
token                          07b4e21f-9157-00f0-9f04-8cd8b36b6304
token_accessor                 a3b0b638-2c35-4a52-c6b6-a22d9312ec34
token_duration                 768h
token_renewable                true
token_policies                 [default]
token_meta_role                test
token_meta_role_tag_max_ttl    0s
token_meta_account_id          123456789012
token_meta_ami_id              ami-c58c1dd3
token_meta_instance_id         i-XXXXXXXXXXXXXXXXX
token_meta_region              us-east-1
$ vault write auth/aws/login role=test identity=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | base64 -w 0) signature=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature | tr -d '\n') nonce=36462ecb-679d-603e-0d68-309c2a69408d
Key                            Value
---                            -----
token                          cb9c30eb-9222-2c41-feb0-45f712f04f00
token_accessor                 d73b8405-3497-9712-85a5-27f4094128a0
token_duration                 768h
token_renewable                true
token_policies                 [default]
token_meta_account_id          123456789012
token_meta_ami_id              ami-c58c1dd3
token_meta_instance_id         i-XXXXXXXXXXXXXXXXX
token_meta_region              us-east-1
token_meta_role                test
token_meta_role_tag_max_ttl    0s

Previously the functional test was only testing the PKCS7-signed identity
document, not the detached RSA signature, so adding a test for that in the
functional test suite.
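The detached-signature login that the new functional test covers, shown as an added example (not the PR's or Vault's own code): the signature is verified over the raw identity document before any of its fields are trusted for role binding. The verification algorithm assumed here is RSA PKCS#1 v1.5 over SHA-256; the signing helper, throwaway key, sample document and function names are constructed for the example and stand in for the metadata service and AWS's signing certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// identityDocument is the subset of instance identity document fields an EC2
// role binding (account, AMI, region) is checked against.
type identityDocument struct {
	InstanceID string `json:"instanceId"`
	AccountID  string `json:"accountId"`
	ImageID    string `json:"imageId"`
	Region     string `json:"region"`
}

// verifyDetachedSignature checks a base64 SHA256-with-RSA PKCS#1 v1.5 signature
// over the raw document bytes against each trusted key and parses the JSON only
// after one of them validates it (re-serialising the JSON first would break it).
func verifyDetachedSignature(docBytes []byte, sigB64 string, trusted []*rsa.PublicKey) (*identityDocument, error) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return nil, fmt.Errorf("signature is not valid base64: %w", err)
	}
	digest := sha256.Sum256(docBytes)
	for _, pub := range trusted {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			var doc identityDocument
			if err := json.Unmarshal(docBytes, &doc); err != nil {
				return nil, fmt.Errorf("identity document is not valid JSON: %w", err)
			}
			return &doc, nil
		}
	}
	return nil, fmt.Errorf("signature did not verify against any of %d trusted keys", len(trusted))
}

// signForTest stands in for the metadata service's signature endpoint, using a
// throwaway key instead of AWS's certificate (test helper, not AWS or Vault code).
func signForTest(priv *rsa.PrivateKey, docBytes []byte) (string, error) {
	digest := sha256.Sum256(docBytes)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return base64.StdEncoding.EncodeToString(sig), err
}
```

A real verifier would load AWS's published certificate for the region and take its public key from the parsed x509 certificate rather than from a generated key.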
@jefferai
Member

The dep was already updated. Do you want me to merge in the test changes?

@joelthompson
Contributor Author

@jefferai -- looks like we had the same ideas :) I've dropped the duplicated commits and left just the one in place that adds the additional tests so it should merge cleaner.

@joelthompson joelthompson changed the title Update pkcs7 dependency Add additional functional tests to AWS auth Feb 23, 2018
@joelthompson
Contributor Author

The dep was already updated. Do you want me to merge in the test changes?

Yes, please :)

@jefferai
Member

LGTM then. Thanks for doing this!

@jefferai jefferai merged commit e4eccb3 into hashicorp:master Feb 23, 2018
@jefferai jefferai added this to the 0.9.5 milestone Feb 23, 2018
@joelthompson joelthompson deleted the update_pkcs7_dep branch February 23, 2018 01:57
joelthompson added a commit to joelthompson/vault that referenced this pull request Feb 23, 2018
This reverts commit c342691.

The underlying issue causing the need for the workaround has been fixed,
and additional testing changes have been added in hashicorp#4031 so this is no
longer necessary.
chrishoffman pushed a commit that referenced this pull request Feb 23, 2018
* oss/master: (35 commits)
  helper/gpgkeys: fix for vault 1.10 (#4038)
  Move local cluster parameters to atomic values to fix some potential data races (#4036)
  Port some replicated cluster changes from ent (#4037)
  Add core object to policy store for some ent uses
  changelog++
  Configurable Consul Service Address (#3971)
  Fix certutil test
  Fixed a broken link (#4032)
  Update comment to replication consts
  Add a helpful comment to replication consts
  changelog++
  auth/aws: Add functional test for detached RSA signature (#4031)
  Change Go min version check
  changelog++
  Revert Go dep to 1.9
  *Partially* revert "Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10"
  Revert "Remove unneeded looping since Go 1.10 cover it already (#4010)"
  Bump pkcs7 library version to fix #4024
  Revert "Switch to a forked copy of pkcs7 to fix aws pkcs7 verification error (#4024)"
  changelog++
  ...