From 9dc0e8d738ecd466ad6761d580a41cbe463b1126 Mon Sep 17 00:00:00 2001
From: Mahmood Ali
Date: Tue, 16 Jul 2019 14:59:53 +0800
Subject: [PATCH] add a test for anonymous access of pki ca cert

---
 dependency/vault_read_test.go | 60 +++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/dependency/vault_read_test.go b/dependency/vault_read_test.go
index f4e63aee4..2d6c0eca6 100644
--- a/dependency/vault_read_test.go
+++ b/dependency/vault_read_test.go
@@ -3,6 +3,8 @@ package dependency
 import (
 	"fmt"
 	"net/url"
+	"reflect"
+	"strings"
 	"testing"
 	"time"
 
@@ -400,6 +402,64 @@ func TestVaultReadQuery_Fetch_KVv2(t *testing.T) {
 	}
 }
 
+// TestVaultReadQuery_Fetch_PKI_Anonymous asserts that vault.read can fetch a
+// pki ca public cert even even when running unauthenticated client.
+func TestVaultReadQuery_Fetch_PKI_Anonymous(t *testing.T) {
+	t.Parallel()
+
+	clients, vault := testVaultServer(t)
+	defer vault.Stop()
+
+	err := clients.Vault().Sys().Mount("pki", &api.MountInput{
+		Type: "pki",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	vc := clients.Vault()
+	_, err = vc.Logical().Write("sys/policies/acl/secrets-only", map[string]interface{}{
+		"policy": `path "secret/*" { capabilities = ["create", "read"] }`,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = vc.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+		"common_name": "example.com",
+		"ttl": "24h",
+	})
+
+	anonClient := NewClientSet()
+	anonClient.CreateVaultClient(&CreateVaultClientInput{
+		Address: vault.Address,
+		Token: "",
+	})
+	_, err = anonClient.vault.client.Auth().Token().LookupSelf()
+	if err == nil || !strings.Contains(err.Error(), "missing client token") {
+		t.Fatalf("expected a missing client token error but found: %v", err)
+	}
+
+	d, err := NewVaultReadQuery("pki/cert/ca")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	act, _, err := d.Fetch(anonClient, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sec, ok := act.(*Secret)
+	if !ok {
+		t.Fatalf("expected secret but found %v", reflect.TypeOf(act))
+	}
+	cert, ok := sec.Data["certificate"].(string)
+	if !ok || !strings.Contains(cert, "BEGIN") {
+		t.Fatalf("expected a cert but found: %v", cert)
+	}
+}
+
 func TestVaultReadQuery_String(t *testing.T) {
 	t.Parallel()
 
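Review bot: The error returned by the `pki/root/generate/internal` write is never checked, so if root generation fails the test dies later in `d.Fetch` with an unrelated error; add `if err != nil { t.Fatal(err) }` directly after that `Write` call, as the two preceding writes already do. `anonClient.CreateVaultClient(...)` likewise discards its result; if it returns an error like the other client constructors, the `LookupSelf` guard that follows would report a client-construction failure as a token error, so check it the same way. The `sys/policies/acl/secrets-only` policy write is not referenced anywhere else in the test and appears to be left over from another case; dropping it, or adding a one-line comment on why an unused policy is created, would keep the fixture minimal. The doc comment has a doubled word and a missing article: `// pki ca public cert even when running with an unauthenticated client.`.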