Add additional functional tests to AWS auth #4031
The functional test suite passes:
$ make testacc TEST=./builtin/credential/aws/
==> Checking that code complies with gofmt requirements...
==> Checking that build is using go version >= 1.10...
go generate
VAULT_ACC=1 go test -tags='vault' ./builtin/credential/aws/ -v -timeout 45m
=== RUN TestBackend_CreateParseVerifyRoleTag
--- PASS: TestBackend_CreateParseVerifyRoleTag (0.00s)
=== RUN TestBackend_prepareRoleTagPlaintextValue
--- PASS: TestBackend_prepareRoleTagPlaintextValue (0.00s)
=== RUN TestBackend_CreateRoleTagNonce
--- PASS: TestBackend_CreateRoleTagNonce (0.00s)
=== RUN TestBackend_ConfigTidyIdentities
--- PASS: TestBackend_ConfigTidyIdentities (0.00s)
=== RUN TestBackend_ConfigTidyRoleTags
--- PASS: TestBackend_ConfigTidyRoleTags (0.00s)
=== RUN TestBackend_TidyIdentities
--- PASS: TestBackend_TidyIdentities (0.00s)
=== RUN TestBackend_TidyRoleTags
--- PASS: TestBackend_TidyRoleTags (0.00s)
=== RUN TestBackend_ConfigClient
<snip>
--- PASS: TestBackend_ConfigClient (0.02s)
=== RUN TestBackend_pathConfigCertificate
--- PASS: TestBackend_pathConfigCertificate (0.00s)
=== RUN TestBackend_parseAndVerifyRoleTagValue
--- PASS: TestBackend_parseAndVerifyRoleTagValue (0.00s)
=== RUN TestBackend_PathRoleTag
--- PASS: TestBackend_PathRoleTag (0.00s)
=== RUN TestBackend_PathBlacklistRoleTag
--- PASS: TestBackend_PathBlacklistRoleTag (0.00s)
=== RUN TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity
--- PASS: TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity (0.70s)
=== RUN TestBackend_pathStsConfig
--- PASS: TestBackend_pathStsConfig (0.00s)
=== RUN TestBackendAcc_LoginWithCallerIdentity
--- PASS: TestBackendAcc_LoginWithCallerIdentity (0.15s)
=== RUN TestBackend_pathConfigClient
--- PASS: TestBackend_pathConfigClient (0.00s)
=== RUN TestBackend_pathLogin_getCallerIdentityResponse
--- PASS: TestBackend_pathLogin_getCallerIdentityResponse (0.00s)
=== RUN TestBackend_pathLogin_parseIamArn
--- PASS: TestBackend_pathLogin_parseIamArn (0.00s)
=== RUN TestBackend_validateVaultHeaderValue
--- PASS: TestBackend_validateVaultHeaderValue (0.00s)
=== RUN TestBackend_pathLogin_parseIamRequestHeaders
--- PASS: TestBackend_pathLogin_parseIamRequestHeaders (0.00s)
=== RUN TestBackend_pathRoleEc2
--- PASS: TestBackend_pathRoleEc2 (0.00s)
=== RUN Test_enableIamIDResolution
--- PASS: Test_enableIamIDResolution (0.00s)
=== RUN TestBackend_pathIam
--- PASS: TestBackend_pathIam (0.00s)
=== RUN TestBackend_pathRoleMixedTypes
--- PASS: TestBackend_pathRoleMixedTypes (0.96s)
=== RUN TestAwsEc2_RoleCrud
--- PASS: TestAwsEc2_RoleCrud (0.00s)
=== RUN TestAwsEc2_RoleDurationSeconds
--- PASS: TestAwsEc2_RoleDurationSeconds (0.00s)
PASS
ok github.com/hashicorp/vault/builtin/credential/aws (cached)
And a manual smoke test does as well:
$ make dev
$ vault server -dev &
$ export VAULT_ADDR='http://127.0.0.1:8200'
$ vault auth enable aws
2018/02/23 01:34:44.864223 [INFO ] core: enabled credential backend: path=aws/ type=aws
Success! Enabled aws auth method at: aws/
$ vault write auth/aws/role/test auth_type=ec2 bound_ami_id=ami-c58c1dd3
Success! Data written to: auth/aws/role/test
$ vault write auth/aws/login role=test pkcs7="$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n')"
Key Value
--- -----
token e350ee6e-26f2-f634-c472-8ae6aa43e430
token_accessor 6d64b48c-7102-f683-c4c7-39444cb7f2f1
token_duration 768h
token_renewable true
token_policies [default]
token_meta_account_id 123456789012
token_meta_ami_id ami-c58c1dd3
token_meta_instance_id i-XXXXXXXXXXXXXXXXX
token_meta_nonce 36462ecb-679d-603e-0d68-309c2a69408d
token_meta_region us-east-1
token_meta_role test
token_meta_role_tag_max_ttl 0s
$ vault write auth/aws/login role=test pkcs7="$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n')" nonce=36462ecb-679d-603e-0d68-309c2a69408d
Key Value
--- -----
token 07b4e21f-9157-00f0-9f04-8cd8b36b6304
token_accessor a3b0b638-2c35-4a52-c6b6-a22d9312ec34
token_duration 768h
token_renewable true
token_policies [default]
token_meta_role test
token_meta_role_tag_max_ttl 0s
token_meta_account_id 123456789012
token_meta_ami_id ami-c58c1dd3
token_meta_instance_id i-XXXXXXXXXXXXXXXXX
token_meta_region us-east-1
$ vault write auth/aws/login role=test identity=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | base64 -w 0) signature=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature | tr -d '\n') nonce=36462ecb-679d-603e-0d68-309c2a69408d
Key Value
--- -----
token cb9c30eb-9222-2c41-feb0-45f712f04f00
token_accessor d73b8405-3497-9712-85a5-27f4094128a0
token_duration 768h
token_renewable true
token_policies [default]
token_meta_account_id 123456789012
token_meta_ami_id ami-c58c1dd3
token_meta_instance_id i-XXXXXXXXXXXXXXXXX
token_meta_region us-east-1
token_meta_role test
token_meta_role_tag_max_ttl 0s
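The three logins above exercise the two ways the EC2 auth method proves an instance's identity (the PKCS7-signed identity document, and the raw document plus its detached RSA signature) together with the nonce that ties every later login from an instance to its first one. The Go program below is an added example, not code from this PR or from Vault itself: it models the detached-signature path with a key generated on the spot in place of the AWS certificate, applies the role's bound_ami_id, enforces the nonce rule, and runs the negative cases the smoke test does not show (replay with a wrong nonce, a role bound to another AMI, an edited document presented with the old signature). The PKCS7 path is not modelled. The JSON field names imageId and instanceId follow the instance identity document; the signature scheme (PKCS#1 v1.5 over SHA-256), the verifier and login function names, and every identifier in the scenario are constructed assumptions for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// identityDocument keeps the fields the checks need; JSON names follow the metadata service's document.
type identityDocument struct {
	ImageID    string `json:"imageId"`
	InstanceID string `json:"instanceId"`
}

// verifier holds the trusted signing key and the instance whitelist (instance ID -> nonce of first login).
type verifier struct {
	pub       *rsa.PublicKey
	whitelist map[string]string
}

// verifyDetached checks the detached signature over the raw document bytes.
// Assumption made by this example: RSA PKCS#1 v1.5 over a SHA-256 digest.
func (v *verifier) verifyDetached(docB64, sigB64 string) (*identityDocument, error) {
	raw, errDoc := base64.StdEncoding.DecodeString(docB64)
	sig, errSig := base64.StdEncoding.DecodeString(sigB64)
	if errDoc != nil || errSig != nil {
		return nil, fmt.Errorf("identity or signature is not valid base64")
	}
	digest := sha256.Sum256(raw)
	if err := rsa.VerifyPKCS1v15(v.pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("identity document signature does not verify")
	}
	var doc identityDocument
	return &doc, json.Unmarshal(raw, &doc)
}

// login applies the checks the smoke test exercises: a valid signature, the role's
// bound_ami_id, and the nonce rule (the first login records a nonce, every later login
// from that instance must present it). It returns the nonce the client has to reuse.
func (v *verifier) login(boundAmiID, docB64, sigB64, nonce string) (string, error) {
	doc, err := v.verifyDetached(docB64, sigB64)
	if err != nil {
		return "", err
	}
	if doc.ImageID != boundAmiID {
		return "", fmt.Errorf("AMI %s is not bound to this role", doc.ImageID)
	}
	if stored, seen := v.whitelist[doc.InstanceID]; seen && nonce != stored {
		return "", fmt.Errorf("nonce mismatch for instance %s", doc.InstanceID)
	}
	if nonce == "" { // first login without a client-supplied nonce: issue one
		b := make([]byte, 16)
		if _, err := rand.Read(b); err != nil {
			return "", err
		}
		nonce = base64.RawURLEncoding.EncodeToString(b)
	}
	v.whitelist[doc.InstanceID] = nonce
	return nonce, nil
}

// signDocument stands in for the metadata service: it signs a constructed
// document with the example's own key rather than an AWS certificate.
func signDocument(priv *rsa.PrivateKey, doc identityDocument) (string, string) {
	raw, _ := json.Marshal(doc) // a struct of two strings always marshals
	digest := sha256.Sum256(raw)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(raw), base64.StdEncoding.EncodeToString(sig)
}

// scenario replays the smoke test's logins against the in-memory verifier and adds the
// negative cases. Each entry is nil or the login error: "first" and "reuse" succeed, the rest fail.
func scenario() (map[string]error, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	v := &verifier{pub: &priv.PublicKey, whitelist: map[string]string{}}
	doc := identityDocument{ImageID: "ami-c58c1dd3", InstanceID: "i-0123456789abcdef0"} // constructed
	docB64, sigB64 := signDocument(priv, doc)
	nonce, err := v.login("ami-c58c1dd3", docB64, sigB64, "") // first login: nonce issued
	res := map[string]error{"first": err}
	_, res["reuse"] = v.login("ami-c58c1dd3", docB64, sigB64, nonce)       // issued nonce: accepted
	_, res["wrongNonce"] = v.login("ami-c58c1dd3", docB64, sigB64, "bogus") // replay without the nonce
	_, res["wrongAmi"] = v.login("ami-00000000", docB64, sigB64, nonce)     // role bound to another AMI
	docT, _ := signDocument(priv, identityDocument{ImageID: "ami-00000000", InstanceID: doc.InstanceID})
	_, res["tampered"] = v.login("ami-00000000", docT, sigB64, nonce) // edited document, old signature
	return res, nil
}
```

Running scenario() reproduces the smoke test's sequence (a first login that hands out a nonce, then a login that presents it) and shows why the nonce matters: without it, anyone who captured the signed document and signature from the metadata service could log in as that instance as long as its AMI matched a role.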
Previously the functional test was only testing the PKCS7-signed identity document, not the detached RSA signature, so adding a test for that in the functional test suite.
1fa6b0e to e65633f
The dep was already updated. Do you want me to merge in the test changes?
@jefferai -- looks like we had the same ideas :) I've dropped the duplicated commits and left just the one in place that adds the additional tests so it should merge cleaner.
Yes, please :)
LGTM then. Thanks for doing this!
This reverts commit c342691. The underlying issue causing the need for the workaround has been fixed, and additional testing changes have been added in hashicorp#4031 so this is no longer necessary.
* oss/master: (35 commits)
  helper/gpgkeys: fix for vault 1.10 (#4038)
  Move local cluster parameters to atomic values to fix some potential data races (#4036)
  Port some replicated cluster changes from ent (#4037)
  Add core object to policy store for some ent uses
  changelog++
  Configurable Consul Service Address (#3971)
  Fix certutil test
  Fixed a broken link (#4032)
  Update comment to replication consts
  Add a helpful comment to replication consts
  changelog++
  auth/aws: Add functional test for detached RSA signature (#4031)
  Change Go min version check
  changelog++
  Revert Go dep to 1.9
  *Partially* revert "Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10"
  Revert "Remove unneeded looping since Go 1.10 cover it already (#4010)"
  Bump pkcs7 library version to fix #4024
  Revert "Switch to a forked copy of pkcs7 to fix aws pkcs7 verification error (#4024)"
  changelog++
  ...
The upstream pkcs7 dependency has been updated, and in a more robust way than the forked copy of pkcs7, so reverting #4024 and updating to the latest pkcs7 dependency. Also extending the AWS auth functional test suite to test both methods of authenticating with the EC2 auth method.