forked from damomurf/systemd-credentials-vault
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain_test.go
193 lines (164 loc) · 4.71 KB
/
main_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
package main
import (
"context"
"fmt"
"net"
"os"
"testing"
"time"
"github.com/hashicorp/vault/api"
)
func setupVaultServer(t *testing.T) (*api.Client, string, string) {
// Set up a Vault client and create necessary roles and secrets for testing
config := api.DefaultConfig()
client, err := api.NewClient(config)
if err != nil {
t.Fatalf("failed to create Vault client: %v", err)
}
// Enable AppRole auth method
err = client.Sys().EnableAuthWithOptions("approle-test", &api.EnableAuthOptions{Type: "approle"})
if err != nil {
t.Fatalf("failed to enable AppRole auth method: %v", err)
}
// Create AppRole
roleName := "test-role"
_, err = client.Logical().Write(fmt.Sprintf("auth/approle-test/role/%s", roleName), map[string]interface{}{
"secret_id_ttl": "1m",
"token_ttl": "2m",
"token_max_ttl": "3m",
})
if err != nil {
t.Fatalf("failed to create AppRole: %v", err)
}
// Get Role ID
secret, err := client.Logical().Read(fmt.Sprintf("auth/approle-test/role/%s/role-id", roleName))
if err != nil {
t.Fatalf("failed to read Role ID: %v", err)
}
roleID, ok := secret.Data["role_id"].(string)
if !ok {
t.Fatalf("role_id not found in response")
}
// Create Secret ID
secret, err = client.Logical().Write(fmt.Sprintf("auth/approle-test/role/%s/secret-id", roleName), nil)
if err != nil {
t.Fatalf("failed to create Secret ID: %v", err)
}
secretID, ok := secret.Data["secret_id"].(string)
if !ok {
t.Fatalf("secret_id not found in response")
}
// Create Service Secret
err = client.Sys().Mount("secrets-test", &api.MountInput{Type: "kv-v2"})
if err != nil {
t.Fatalf("failed to create secrets engine: %v", err)
}
_, err = client.KVv2("secrets-test").Put(context.Background(), "test-secret", map[string]interface{}{"foo": "bar"})
if err != nil {
t.Fatalf("failed to write secret: %v", err)
}
return client, roleID, secretID
}
func testRoleId(t *testing.T, conn net.Conn, expected string) error {
// Send a request for role-id
_, err := conn.Write([]byte("test-role.role-id"))
if err != nil {
t.Fatalf("failed to send request: %v", err)
}
// Read the response
buf := make([]byte, 1024)
n, err := conn.Read(buf)
if err != nil {
t.Fatalf("failed to read response: %v", err)
}
response := string(buf[:n])
if response != expected {
t.Fatalf("expected role ID %s, got %s", expected, response)
}
return nil
}
func testSecretId(t *testing.T, conn net.Conn) error {
// Send a request for role-id
_, err := conn.Write([]byte("test-role.secret-id"))
if err != nil {
t.Fatalf("failed to send request: %v", err)
}
// Read the response
buf := make([]byte, 1024)
n, err := conn.Read(buf)
if err != nil {
t.Fatalf("failed to read response: %v", err)
}
response := string(buf[:n])
if response == "" {
t.Fatalf("expected role ID, got %s", response)
}
return nil
}
func testKVSecret(t *testing.T, conn net.Conn) error {
// Send a request for a secret
_, err := conn.Write([]byte("secrets-test.test-secret.foo"))
if err != nil {
t.Fatalf("failed to send request: %v", err)
}
// Read the response
buf := make([]byte, 1024)
n, err := conn.Read(buf)
if err != nil {
t.Fatalf("failed to read response: %v", err)
}
response := string(buf[:n])
if response != "bar" {
t.Fatalf("expected bar, got %s", response)
}
return nil
}
func TestVaultCredentialServer(t *testing.T) {
// Set up Vault server for testing
client, roleID, secretID := setupVaultServer(t)
defer client.Sys().DisableAuth("approle-test")
defer client.KVv2("secrets-test").Delete(context.Background(), "test-secret")
defer client.Sys().Unmount("secrets-test")
// Create temporary Unix socket
socketPath := "/tmp/test_socket"
server, err := NewVaultCredentialServer(&Config{
VaultServer: &client.CloneConfig().Address,
VaultApprole: "approle-test",
SocketLocation: socketPath,
RoleId: roleID,
SecretIdPath: secretID,
})
if err != nil {
t.Fatalf("failed to create VaultCredentialServer: %v", err)
}
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
go func() {
if err := server.Run(ctx); err != nil {
t.Fatalf("server error: %v", err)
}
defer server.shutdown()
}()
// Give the server some time to start
time.Sleep(2 * time.Second)
// Connect to the Unix socket
defer os.Remove(socketPath)
conn, err := net.Dial("unix", socketPath)
if err != nil {
t.Fatalf("failed to connect to Unix socket: %v", err)
}
testRoleId(t, conn, roleID)
conn.Close()
conn, err = net.Dial("unix", socketPath)
if err != nil {
t.Fatalf("failed to connect to Unix socket: %v", err)
}
testSecretId(t, conn)
conn.Close()
conn, err = net.Dial("unix", socketPath)
if err != nil {
t.Fatalf("failed to connect to Unix socket: %v", err)
}
testKVSecret(t, conn)
conn.Close()
}