forked from TrueCloudLab/certificates
feat: enhance options and fix revoke plus more tests
This commit is contained in:
parent
8ef3abf6d9
commit
b49ac2501b
2 changed files with 467 additions and 29 deletions
|
@ -26,7 +26,7 @@ func init() {
|
||||||
|
|
||||||
type VaultOptions struct {
|
type VaultOptions struct {
|
||||||
PKI string `json:"pki,omitempty"`
|
PKI string `json:"pki,omitempty"`
|
||||||
PKIRole string `json:"pkiRole,omitempty"`
|
PKIRoleDefault string `json:"PKIRoleDefault,omitempty"`
|
||||||
PKIRoleRSA string `json:"pkiRoleRSA,omitempty"`
|
PKIRoleRSA string `json:"pkiRoleRSA,omitempty"`
|
||||||
PKIRoleEC string `json:"pkiRoleEC,omitempty"`
|
PKIRoleEC string `json:"pkiRoleEC,omitempty"`
|
||||||
PKIRoleEd25519 string `json:"PKIRoleEd25519,omitempty"`
|
PKIRoleEd25519 string `json:"PKIRoleEd25519,omitempty"`
|
||||||
|
@ -43,45 +43,38 @@ type VaultCAS struct {
|
||||||
fingerprint string
|
fingerprint string
|
||||||
}
|
}
|
||||||
|
|
||||||
func loadOptions(config json.RawMessage) (vc VaultOptions, err error) {
|
func loadOptions(config json.RawMessage) (*VaultOptions, error) {
|
||||||
err = json.Unmarshal(config, &vc)
|
var vc *VaultOptions
|
||||||
|
|
||||||
|
err := json.Unmarshal(config, &vc)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return vc, errors.Wrap(err, "error decoding vaultCAS config")
|
return nil, errors.Wrap(err, "error decoding vaultCAS config")
|
||||||
}
|
}
|
||||||
|
|
||||||
if vc.PKI == "" {
|
if vc.PKI == "" {
|
||||||
vc.PKI = "pki" // use default pki vault name
|
vc.PKI = "pki" // use default pki vault name
|
||||||
}
|
}
|
||||||
|
|
||||||
// pkirole or per key type must be defined
|
if vc.PKIRoleDefault == "" {
|
||||||
if vc.PKIRole == "" && vc.PKIRoleRSA == "" && vc.PKIRoleEC == "" && vc.PKIRoleEd25519 == "" {
|
vc.PKIRoleDefault = "default" // use default pki role name
|
||||||
return vc, errors.New("vaultCAS config options must define `pkiRole`")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// if pkirole is empty all others keys must be set
|
|
||||||
if vc.PKIRole == "" && (vc.PKIRoleRSA == "" || vc.PKIRoleEC == "" || vc.PKIRoleEd25519 == "") {
|
|
||||||
return vc, errors.New("vaultCAS config options must include a `pkiRole` or `pkiRoleRSA`, `pkiRoleEC` and `PKIRoleEd25519`")
|
|
||||||
}
|
|
||||||
|
|
||||||
// if pkirole is not empty, use it as default for unset keys
|
|
||||||
if vc.PKIRole != "" {
|
|
||||||
if vc.PKIRoleRSA == "" {
|
if vc.PKIRoleRSA == "" {
|
||||||
vc.PKIRoleRSA = vc.PKIRole
|
vc.PKIRoleRSA = vc.PKIRoleDefault
|
||||||
}
|
}
|
||||||
if vc.PKIRoleEC == "" {
|
if vc.PKIRoleEC == "" {
|
||||||
vc.PKIRoleEC = vc.PKIRole
|
vc.PKIRoleEC = vc.PKIRoleDefault
|
||||||
}
|
}
|
||||||
if vc.PKIRoleEd25519 == "" {
|
if vc.PKIRoleEd25519 == "" {
|
||||||
vc.PKIRoleEd25519 = vc.PKIRole
|
vc.PKIRoleEd25519 = vc.PKIRoleDefault
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if vc.RoleID == "" {
|
if vc.RoleID == "" {
|
||||||
return vc, errors.New("vaultCAS config options must define `roleID`")
|
return nil, errors.New("vaultCAS config options must define `roleID`")
|
||||||
}
|
}
|
||||||
|
|
||||||
if vc.SecretID.FromEnv == "" && vc.SecretID.FromFile == "" && vc.SecretID.FromString == "" {
|
if vc.SecretID.FromEnv == "" && vc.SecretID.FromFile == "" && vc.SecretID.FromString == "" {
|
||||||
return vc, errors.New("vaultCAS config options must define `secretID` object with one of `FromEnv`, `FromFile` or `FromString`")
|
return nil, errors.New("vaultCAS config options must define `secretID` object with one of `FromEnv`, `FromFile` or `FromString`")
|
||||||
}
|
}
|
||||||
|
|
||||||
if vc.PKI == "" {
|
if vc.PKI == "" {
|
||||||
|
@ -237,7 +230,7 @@ func New(ctx context.Context, opts apiv1.Options) (*VaultCAS, error) {
|
||||||
|
|
||||||
return &VaultCAS{
|
return &VaultCAS{
|
||||||
client: client,
|
client: client,
|
||||||
config: vc,
|
config: *vc,
|
||||||
fingerprint: opts.CertificateAuthorityFingerprint,
|
fingerprint: opts.CertificateAuthorityFingerprint,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
@ -326,7 +319,11 @@ func (v *VaultCAS) RevokeCertificate(req *apiv1.RevokeCertificateRequest) (*apiv
|
||||||
|
|
||||||
serialNumberDash := certutil.GetHexFormatted(serialNumber, "-")
|
serialNumberDash := certutil.GetHexFormatted(serialNumber, "-")
|
||||||
|
|
||||||
_, err := v.client.Logical().Write(v.config.PKI+"/revoke/"+serialNumberDash, nil)
|
y := map[string]interface{}{
|
||||||
|
"serial_number": serialNumberDash,
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err := v.client.Logical().Write(v.config.PKI+"/revoke/", y)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "unable to revoke certificate")
|
return nil, errors.Wrap(err, "unable to revoke certificate")
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
package vaultcas
|
package vaultcas
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bytes"
|
||||||
"context"
|
"context"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
@ -60,7 +61,17 @@ pV/v53oR/ewbtrkHZQkN/amFMLagITAfBgkqhkiG9w0BCQ4xEjAQMA4GA1UdEQQH
|
||||||
MAWCA09LUDAFBgMrZXADQQDJi47MAgl/WKAz+V/kDu1k/zbKk1nrHHAUonbofHUW
|
MAWCA09LUDAFBgMrZXADQQDJi47MAgl/WKAz+V/kDu1k/zbKk1nrHHAUonbofHUW
|
||||||
M6ihSD43+awq3BPeyPbToeH5orSH9l3MuTfbxPb5BVEH
|
M6ihSD43+awq3BPeyPbToeH5orSH9l3MuTfbxPb5BVEH
|
||||||
-----END CERTIFICATE REQUEST-----`
|
-----END CERTIFICATE REQUEST-----`
|
||||||
testRootFingerprint = `e7678acf0d8de731262bce2fe792c48f19547285f5976805125a40867c77464e`
|
testRootCertificate = `-----BEGIN CERTIFICATE-----
|
||||||
|
MIIBeDCCAR+gAwIBAgIQcXWWjtSZ/PAyH8D1Ou4L9jAKBggqhkjOPQQDAjAbMRkw
|
||||||
|
FwYDVQQDExBDbG91ZENBUyBSb290IENBMB4XDTIwMTAyNzIyNTM1NFoXDTMwMTAy
|
||||||
|
NzIyNTM1NFowGzEZMBcGA1UEAxMQQ2xvdWRDQVMgUm9vdCBDQTBZMBMGByqGSM49
|
||||||
|
AgEGCCqGSM49AwEHA0IABIySHA4b78Yu4LuGhZIlv/PhNwXz4ZoV1OUZQ0LrK3vj
|
||||||
|
B13O12DLZC5uj1z3kxdQzXUttSbtRv49clMpBiTpsZKjRTBDMA4GA1UdDwEB/wQE
|
||||||
|
AwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSZ+t9RMHbFTl5BatM3
|
||||||
|
5bJlHPOu3DAKBggqhkjOPQQDAgNHADBEAiASah6gg0tVM3WI0meCQ4SEKk7Mjhbv
|
||||||
|
+SmhuZHWV1QlXQIgRXNyWcpVUrAoG6Uy1KQg07LDpF5dFeK9InrDxSJAkVo=
|
||||||
|
-----END CERTIFICATE-----`
|
||||||
|
testRootFingerprint = `62e816cbac5c501b7705e18415503852798dfbcd67062f06bcb4af67c290e3c8`
|
||||||
)
|
)
|
||||||
|
|
||||||
func mustParseCertificate(t *testing.T, pemCert string) *x509.Certificate {
|
func mustParseCertificate(t *testing.T, pemCert string) *x509.Certificate {
|
||||||
|
@ -112,6 +123,30 @@ func testCAHelper(t *testing.T) (*url.URL, *vault.Client) {
|
||||||
cert := map[string]interface{}{"data": map[string]interface{}{"certificate": testCertificateSigned}}
|
cert := map[string]interface{}{"data": map[string]interface{}{"certificate": testCertificateSigned}}
|
||||||
writeJSON(w, cert)
|
writeJSON(w, cert)
|
||||||
return
|
return
|
||||||
|
case r.RequestURI == "/v1/pki/cert/ca":
|
||||||
|
w.WriteHeader(http.StatusOK)
|
||||||
|
cert := map[string]interface{}{"data": map[string]interface{}{"certificate": testRootCertificate}}
|
||||||
|
writeJSON(w, cert)
|
||||||
|
return
|
||||||
|
case r.RequestURI == "/v1/pki/revoke":
|
||||||
|
buf := new(bytes.Buffer)
|
||||||
|
buf.ReadFrom(r.Body)
|
||||||
|
m := make(map[string]string)
|
||||||
|
json.Unmarshal(buf.Bytes(), &m)
|
||||||
|
switch {
|
||||||
|
case m["serial_number"] == "1c-71-6e-18-cc-f4-70-29-5f-75-ee-64-a8-fe-69-ad":
|
||||||
|
w.WriteHeader(http.StatusOK)
|
||||||
|
return
|
||||||
|
case m["serial_number"] == "01-e2-40":
|
||||||
|
w.WriteHeader(http.StatusOK)
|
||||||
|
return
|
||||||
|
// both
|
||||||
|
case m["serial_number"] == "01-34-3e":
|
||||||
|
w.WriteHeader(http.StatusOK)
|
||||||
|
return
|
||||||
|
default:
|
||||||
|
w.WriteHeader(http.StatusNotFound)
|
||||||
|
}
|
||||||
default:
|
default:
|
||||||
w.WriteHeader(http.StatusNotFound)
|
w.WriteHeader(http.StatusNotFound)
|
||||||
fmt.Fprintf(w, `{"error":"not found"}`)
|
fmt.Fprintf(w, `{"error":"not found"}`)
|
||||||
|
@ -151,7 +186,7 @@ func TestNew_register(t *testing.T) {
|
||||||
CertificateAuthorityFingerprint: testRootFingerprint,
|
CertificateAuthorityFingerprint: testRootFingerprint,
|
||||||
Config: json.RawMessage(`{
|
Config: json.RawMessage(`{
|
||||||
"PKI": "pki",
|
"PKI": "pki",
|
||||||
"PKIRole": "pki-role",
|
"PKIRoleDefault": "pki-role",
|
||||||
"RoleID": "roleID",
|
"RoleID": "roleID",
|
||||||
"SecretID": {"FromString": "secretID"},
|
"SecretID": {"FromString": "secretID"},
|
||||||
"IsWrappingToken": false
|
"IsWrappingToken": false
|
||||||
|
@ -169,7 +204,7 @@ func TestVaultCAS_CreateCertificate(t *testing.T) {
|
||||||
|
|
||||||
options := VaultOptions{
|
options := VaultOptions{
|
||||||
PKI: "pki",
|
PKI: "pki",
|
||||||
PKIRole: "role",
|
PKIRoleDefault: "role",
|
||||||
PKIRoleRSA: "rsa",
|
PKIRoleRSA: "rsa",
|
||||||
PKIRoleEC: "ec",
|
PKIRoleEC: "ec",
|
||||||
PKIRoleEd25519: "ed25519",
|
PKIRoleEd25519: "ed25519",
|
||||||
|
@ -216,6 +251,14 @@ func TestVaultCAS_CreateCertificate(t *testing.T) {
|
||||||
Certificate: mustParseCertificate(t, testCertificateSigned),
|
Certificate: mustParseCertificate(t, testCertificateSigned),
|
||||||
CertificateChain: []*x509.Certificate{},
|
CertificateChain: []*x509.Certificate{},
|
||||||
}, false},
|
}, false},
|
||||||
|
{"fail CSR", fields{client, options}, args{&apiv1.CreateCertificateRequest{
|
||||||
|
CSR: nil,
|
||||||
|
Lifetime: time.Hour,
|
||||||
|
}}, nil, true},
|
||||||
|
{"fail lifetime", fields{client, options}, args{&apiv1.CreateCertificateRequest{
|
||||||
|
CSR: mustParseCertificateRequest(t, testCertificateCsrEc),
|
||||||
|
Lifetime: 0,
|
||||||
|
}}, nil, true},
|
||||||
}
|
}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
@ -234,3 +277,401 @@ func TestVaultCAS_CreateCertificate(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestVaultCAS_GetCertificateAuthority(t *testing.T) {
|
||||||
|
caURL, client := testCAHelper(t)
|
||||||
|
|
||||||
|
type fields struct {
|
||||||
|
client *vault.Client
|
||||||
|
options VaultOptions
|
||||||
|
fingerprint string
|
||||||
|
}
|
||||||
|
|
||||||
|
type args struct {
|
||||||
|
req *apiv1.GetCertificateAuthorityRequest
|
||||||
|
}
|
||||||
|
|
||||||
|
options := VaultOptions{
|
||||||
|
PKI: "pki",
|
||||||
|
}
|
||||||
|
|
||||||
|
rootCert, _ := parseCertificate(testRootCertificate)
|
||||||
|
|
||||||
|
tests := []struct {
|
||||||
|
name string
|
||||||
|
fields fields
|
||||||
|
args args
|
||||||
|
want *apiv1.GetCertificateAuthorityResponse
|
||||||
|
wantErr bool
|
||||||
|
}{
|
||||||
|
{"ok", fields{client, options, testRootFingerprint}, args{&apiv1.GetCertificateAuthorityRequest{
|
||||||
|
Name: caURL.String(),
|
||||||
|
}}, &apiv1.GetCertificateAuthorityResponse{
|
||||||
|
RootCertificate: rootCert,
|
||||||
|
}, false},
|
||||||
|
{"fail fingerprint", fields{client, options, "fail"}, args{&apiv1.GetCertificateAuthorityRequest{
|
||||||
|
Name: caURL.String(),
|
||||||
|
}}, nil, true},
|
||||||
|
}
|
||||||
|
for _, tt := range tests {
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
s := &VaultCAS{
|
||||||
|
client: tt.fields.client,
|
||||||
|
fingerprint: tt.fields.fingerprint,
|
||||||
|
config: tt.fields.options,
|
||||||
|
}
|
||||||
|
got, err := s.GetCertificateAuthority(tt.args.req)
|
||||||
|
if (err != nil) != tt.wantErr {
|
||||||
|
t.Errorf("VaultCAS.GetCertificateAuthority() error = %v, wantErr %v", err, tt.wantErr)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if !reflect.DeepEqual(got, tt.want) {
|
||||||
|
t.Errorf("VaultCAS.GetCertificateAuthority() = %v, want %v", got, tt.want)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestVaultCAS_RevokeCertificate(t *testing.T) {
|
||||||
|
_, client := testCAHelper(t)
|
||||||
|
|
||||||
|
options := VaultOptions{
|
||||||
|
PKI: "pki",
|
||||||
|
PKIRoleDefault: "role",
|
||||||
|
PKIRoleRSA: "rsa",
|
||||||
|
PKIRoleEC: "ec",
|
||||||
|
PKIRoleEd25519: "ed25519",
|
||||||
|
RoleID: "roleID",
|
||||||
|
SecretID: auth.SecretID{FromString: "secretID"},
|
||||||
|
AppRole: "approle",
|
||||||
|
IsWrappingToken: false,
|
||||||
|
}
|
||||||
|
|
||||||
|
type fields struct {
|
||||||
|
client *vault.Client
|
||||||
|
options VaultOptions
|
||||||
|
}
|
||||||
|
|
||||||
|
type args struct {
|
||||||
|
req *apiv1.RevokeCertificateRequest
|
||||||
|
}
|
||||||
|
|
||||||
|
testCrt, _ := parseCertificate(testCertificateSigned)
|
||||||
|
|
||||||
|
tests := []struct {
|
||||||
|
name string
|
||||||
|
fields fields
|
||||||
|
args args
|
||||||
|
want *apiv1.RevokeCertificateResponse
|
||||||
|
wantErr bool
|
||||||
|
}{
|
||||||
|
{"ok serial number", fields{client, options}, args{&apiv1.RevokeCertificateRequest{
|
||||||
|
SerialNumber: "123456",
|
||||||
|
Certificate: nil,
|
||||||
|
}}, &apiv1.RevokeCertificateResponse{}, false},
|
||||||
|
{"ok certificate", fields{client, options}, args{&apiv1.RevokeCertificateRequest{
|
||||||
|
SerialNumber: "",
|
||||||
|
Certificate: testCrt,
|
||||||
|
}}, &apiv1.RevokeCertificateResponse{
|
||||||
|
Certificate: testCrt,
|
||||||
|
}, false},
|
||||||
|
{"ok both", fields{client, options}, args{&apiv1.RevokeCertificateRequest{
|
||||||
|
SerialNumber: "78910",
|
||||||
|
Certificate: testCrt,
|
||||||
|
}}, &apiv1.RevokeCertificateResponse{
|
||||||
|
Certificate: testCrt,
|
||||||
|
}, false},
|
||||||
|
{"fail serial string", fields{client, options}, args{&apiv1.RevokeCertificateRequest{
|
||||||
|
SerialNumber: "fail",
|
||||||
|
Certificate: nil,
|
||||||
|
}}, nil, true},
|
||||||
|
}
|
||||||
|
for _, tt := range tests {
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
s := &VaultCAS{
|
||||||
|
client: tt.fields.client,
|
||||||
|
config: tt.fields.options,
|
||||||
|
}
|
||||||
|
got, err := s.RevokeCertificate(tt.args.req)
|
||||||
|
if (err != nil) != tt.wantErr {
|
||||||
|
t.Errorf("VaultCAS.RevokeCertificate() error = %v, wantErr %v", err, tt.wantErr)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if !reflect.DeepEqual(got, tt.want) {
|
||||||
|
t.Errorf("VaultCAS.RevokeCertificate() = %v, want %v", got, tt.want)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestVaultCAS_RenewCertificate(t *testing.T) {
|
||||||
|
_, client := testCAHelper(t)
|
||||||
|
|
||||||
|
options := VaultOptions{
|
||||||
|
PKI: "pki",
|
||||||
|
PKIRoleDefault: "role",
|
||||||
|
PKIRoleRSA: "rsa",
|
||||||
|
PKIRoleEC: "ec",
|
||||||
|
PKIRoleEd25519: "ed25519",
|
||||||
|
RoleID: "roleID",
|
||||||
|
SecretID: auth.SecretID{FromString: "secretID"},
|
||||||
|
AppRole: "approle",
|
||||||
|
IsWrappingToken: false,
|
||||||
|
}
|
||||||
|
|
||||||
|
type fields struct {
|
||||||
|
client *vault.Client
|
||||||
|
options VaultOptions
|
||||||
|
}
|
||||||
|
|
||||||
|
type args struct {
|
||||||
|
req *apiv1.RenewCertificateRequest
|
||||||
|
}
|
||||||
|
|
||||||
|
tests := []struct {
|
||||||
|
name string
|
||||||
|
fields fields
|
||||||
|
args args
|
||||||
|
want *apiv1.RenewCertificateResponse
|
||||||
|
wantErr bool
|
||||||
|
}{
|
||||||
|
{"not implemented", fields{client, options}, args{&apiv1.RenewCertificateRequest{
|
||||||
|
CSR: mustParseCertificateRequest(t, testCertificateCsrEc),
|
||||||
|
Lifetime: time.Hour,
|
||||||
|
}}, nil, true},
|
||||||
|
}
|
||||||
|
for _, tt := range tests {
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
s := &VaultCAS{
|
||||||
|
client: tt.fields.client,
|
||||||
|
config: tt.fields.options,
|
||||||
|
}
|
||||||
|
got, err := s.RenewCertificate(tt.args.req)
|
||||||
|
if (err != nil) != tt.wantErr {
|
||||||
|
t.Errorf("VaultCAS.RenewCertificate() error = %v, wantErr %v", err, tt.wantErr)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if !reflect.DeepEqual(got, tt.want) {
|
||||||
|
t.Errorf("VaultCAS.RenewCertificate() = %v, want %v", got, tt.want)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestVaultCAS_loadOptions(t *testing.T) {
|
||||||
|
tests := []struct {
|
||||||
|
name string
|
||||||
|
raw string
|
||||||
|
want *VaultOptions
|
||||||
|
wantErr bool
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
"ok mandatory with SecretID FromString",
|
||||||
|
`{"RoleID": "roleID", "SecretID": {"FromString": "secretID"}}`,
|
||||||
|
&VaultOptions{
|
||||||
|
PKI: "pki",
|
||||||
|
PKIRoleDefault: "default",
|
||||||
|
PKIRoleRSA: "default",
|
||||||
|
PKIRoleEC: "default",
|
||||||
|
PKIRoleEd25519: "default",
|
||||||
|
RoleID: "roleID",
|
||||||
|
SecretID: auth.SecretID{FromString: "secretID"},
|
||||||
|
AppRole: "auth/approle",
|
||||||
|
IsWrappingToken: false,
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ok mandatory with SecretID FromFile",
|
||||||
|
`{"RoleID": "roleID", "SecretID": {"FromFile": "secretID"}}`,
|
||||||
|
&VaultOptions{
|
||||||
|
PKI: "pki",
|
||||||
|
PKIRoleDefault: "default",
|
||||||
|
PKIRoleRSA: "default",
|
||||||
|
PKIRoleEC: "default",
|
||||||
|
PKIRoleEd25519: "default",
|
||||||
|
RoleID: "roleID",
|
||||||
|
SecretID: auth.SecretID{FromFile: "secretID"},
|
||||||
|
AppRole: "auth/approle",
|
||||||
|
IsWrappingToken: false,
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ok mandatory with SecretID FromEnv",
|
||||||
|
`{"RoleID": "roleID", "SecretID": {"FromEnv": "secretID"}}`,
|
||||||
|
&VaultOptions{
|
||||||
|
PKI: "pki",
|
||||||
|
PKIRoleDefault: "default",
|
||||||
|
PKIRoleRSA: "default",
|
||||||
|
PKIRoleEC: "default",
|
||||||
|
PKIRoleEd25519: "default",
|
||||||
|
RoleID: "roleID",
|
||||||
|
SecretID: auth.SecretID{FromEnv: "secretID"},
|
||||||
|
AppRole: "auth/approle",
|
||||||
|
IsWrappingToken: false,
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ok mandatory PKIRole PKIRoleEd25519",
|
||||||
|
`{"PKIRoleDefault": "role", "PKIRoleEd25519": "ed25519" , "RoleID": "roleID", "SecretID": {"FromEnv": "secretID"}}`,
|
||||||
|
&VaultOptions{
|
||||||
|
PKI: "pki",
|
||||||
|
PKIRoleDefault: "role",
|
||||||
|
PKIRoleRSA: "role",
|
||||||
|
PKIRoleEC: "role",
|
||||||
|
PKIRoleEd25519: "ed25519",
|
||||||
|
RoleID: "roleID",
|
||||||
|
SecretID: auth.SecretID{FromEnv: "secretID"},
|
||||||
|
AppRole: "auth/approle",
|
||||||
|
IsWrappingToken: false,
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ok mandatory PKIRole PKIRoleEC",
|
||||||
|
`{"PKIRoleDefault": "role", "PKIRoleEC": "ec" , "RoleID": "roleID", "SecretID": {"FromEnv": "secretID"}}`,
|
||||||
|
&VaultOptions{
|
||||||
|
PKI: "pki",
|
||||||
|
PKIRoleDefault: "role",
|
||||||
|
PKIRoleRSA: "role",
|
||||||
|
PKIRoleEC: "ec",
|
||||||
|
PKIRoleEd25519: "role",
|
||||||
|
RoleID: "roleID",
|
||||||
|
SecretID: auth.SecretID{FromEnv: "secretID"},
|
||||||
|
AppRole: "auth/approle",
|
||||||
|
IsWrappingToken: false,
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ok mandatory PKIRole PKIRoleRSA",
|
||||||
|
`{"PKIRoleDefault": "role", "PKIRoleRSA": "rsa" , "RoleID": "roleID", "SecretID": {"FromEnv": "secretID"}}`,
|
||||||
|
&VaultOptions{
|
||||||
|
PKI: "pki",
|
||||||
|
PKIRoleDefault: "role",
|
||||||
|
PKIRoleRSA: "rsa",
|
||||||
|
PKIRoleEC: "role",
|
||||||
|
PKIRoleEd25519: "role",
|
||||||
|
RoleID: "roleID",
|
||||||
|
SecretID: auth.SecretID{FromEnv: "secretID"},
|
||||||
|
AppRole: "auth/approle",
|
||||||
|
IsWrappingToken: false,
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ok mandatory PKIRoleRSA PKIRoleEC PKIRoleEd25519",
|
||||||
|
`{"PKIRoleRSA": "rsa", "PKIRoleEC": "ec", "PKIRoleEd25519": "ed25519", "RoleID": "roleID", "SecretID": {"FromEnv": "secretID"}}`,
|
||||||
|
&VaultOptions{
|
||||||
|
PKI: "pki",
|
||||||
|
PKIRoleDefault: "default",
|
||||||
|
PKIRoleRSA: "rsa",
|
||||||
|
PKIRoleEC: "ec",
|
||||||
|
PKIRoleEd25519: "ed25519",
|
||||||
|
RoleID: "roleID",
|
||||||
|
SecretID: auth.SecretID{FromEnv: "secretID"},
|
||||||
|
AppRole: "auth/approle",
|
||||||
|
IsWrappingToken: false,
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ok mandatory PKIRoleRSA PKIRoleEC PKIRoleEd25519 with useless PKIRoleDefault",
|
||||||
|
`{"PKIRoleDefault": "role", "PKIRoleRSA": "rsa", "PKIRoleEC": "ec", "PKIRoleEd25519": "ed25519", "RoleID": "roleID", "SecretID": {"FromEnv": "secretID"}}`,
|
||||||
|
&VaultOptions{
|
||||||
|
PKI: "pki",
|
||||||
|
PKIRoleDefault: "role",
|
||||||
|
PKIRoleRSA: "rsa",
|
||||||
|
PKIRoleEC: "ec",
|
||||||
|
PKIRoleEd25519: "ed25519",
|
||||||
|
RoleID: "roleID",
|
||||||
|
SecretID: auth.SecretID{FromEnv: "secretID"},
|
||||||
|
AppRole: "auth/approle",
|
||||||
|
IsWrappingToken: false,
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ok mandatory with AppRole",
|
||||||
|
`{"AppRole": "test", "RoleID": "roleID", "SecretID": {"FromString": "secretID"}}`,
|
||||||
|
&VaultOptions{
|
||||||
|
PKI: "pki",
|
||||||
|
PKIRoleDefault: "default",
|
||||||
|
PKIRoleRSA: "default",
|
||||||
|
PKIRoleEC: "default",
|
||||||
|
PKIRoleEd25519: "default",
|
||||||
|
RoleID: "roleID",
|
||||||
|
SecretID: auth.SecretID{FromString: "secretID"},
|
||||||
|
AppRole: "test",
|
||||||
|
IsWrappingToken: false,
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ok mandatory with IsWrappingToken",
|
||||||
|
`{"IsWrappingToken": true, "RoleID": "roleID", "SecretID": {"FromString": "secretID"}}`,
|
||||||
|
&VaultOptions{
|
||||||
|
PKI: "pki",
|
||||||
|
PKIRoleDefault: "default",
|
||||||
|
PKIRoleRSA: "default",
|
||||||
|
PKIRoleEC: "default",
|
||||||
|
PKIRoleEd25519: "default",
|
||||||
|
RoleID: "roleID",
|
||||||
|
SecretID: auth.SecretID{FromString: "secretID"},
|
||||||
|
AppRole: "auth/approle",
|
||||||
|
IsWrappingToken: true,
|
||||||
|
},
|
||||||
|
false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"fail with SecretID FromFail",
|
||||||
|
`{"RoleID": "roleID", "SecretID": {"FromFail": "secretID"}}`,
|
||||||
|
nil,
|
||||||
|
true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"fail with SecretID empty FromEnv",
|
||||||
|
`{"RoleID": "roleID", "SecretID": {"FromEnv": ""}}`,
|
||||||
|
nil,
|
||||||
|
true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"fail with SecretID empty FromFile",
|
||||||
|
`{"RoleID": "roleID", "SecretID": {"FromFile": ""}}`,
|
||||||
|
nil,
|
||||||
|
true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"fail with SecretID empty FromString",
|
||||||
|
`{"RoleID": "roleID", "SecretID": {"FromString": ""}}`,
|
||||||
|
nil,
|
||||||
|
true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"fail mandatory with SecretID FromFail",
|
||||||
|
`{"RoleID": "roleID", "SecretID": {"FromFail": "secretID"}}`,
|
||||||
|
nil,
|
||||||
|
true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"fail missing RoleID",
|
||||||
|
`{"SecretID": {"FromString": "secretID"}}`,
|
||||||
|
nil,
|
||||||
|
true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
for _, tt := range tests {
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
got, err := loadOptions(json.RawMessage(tt.raw))
|
||||||
|
if (err != nil) != tt.wantErr {
|
||||||
|
t.Errorf("VaultCAS.loadOptions() error = %v, wantErr %v", err, tt.wantErr)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if !reflect.DeepEqual(got, tt.want) {
|
||||||
|
t.Errorf("VaultCAS.loadOptions() = %v, want %v", got, tt.want)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in a new issue