From c3426917cbe8fb9adbe8e7da2a7a9f5eafb6962a Mon Sep 17 00:00:00 2001
From: Joel Thompson
Date: Thu, 22 Feb 2018 01:44:46 -0500
Subject: [PATCH] Fix acceptance test to use identity doc and RSA sig

Acceptance tests were failing due to #4014 so, as a workaround for now, passing in the identity document and the RSA signature rather than the PKCS7 document.
---
 builtin/credential/aws/backend_test.go | 50 +++++++++++++++++---------
 builtin/credential/aws/path_login.go | 4 +--
 2 files changed, 35 insertions(+), 19 deletions(-)

diff --git a/builtin/credential/aws/backend_test.go b/builtin/credential/aws/backend_test.go
index 438de50f472f..6c90ab526761 100644
--- a/builtin/credential/aws/backend_test.go
+++ b/builtin/credential/aws/backend_test.go
@@ -958,18 +958,29 @@ func TestBackend_PathBlacklistRoleTag(t *testing.T) {
 }
 }
 
-// This is an acceptance test.
-// Requires the following env vars:
-// TEST_AWS_EC2_PKCS7
-// TEST_AWS_EC2_AMI_ID
-// TEST_AWS_EC2_ACCOUNT_ID
-// TEST_AWS_EC2_IAM_ROLE_ARN
-//
-// If the test is not being run on an EC2 instance that has access to
-// credentials using EC2RoleProvider, on top of the above vars, following
-// needs to be set:
-// TEST_AWS_SECRET_KEY
-// TEST_AWS_ACCESS_KEY
+/* This is an acceptance test.
+ Requires the following env vars:
+ TEST_AWS_EC2_IDENTITY_DOCUMENT
+ TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG
+ TEST_AWS_EC2_AMI_ID
+ TEST_AWS_EC2_ACCOUNT_ID
+ TEST_AWS_EC2_IAM_ROLE_ARN
+
+ If this is being run on an EC2 instance, you can set the environment vars using this bash snippet:
+
+ export TEST_AWS_EC2_IDENTITY_DOCUMENT=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | base64 -w 0)
+ export TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature | tr -d '\n')
+ export TEST_AWS_EC2_AMI_ID=$(curl -s http://169.254.169.254/latest/meta-data/ami-id)
+ export TEST_AWS_EC2_IAM_ROLE_ARN=$(aws iam get-role --role-name $(curl -q http://169.254.169.254/latest/meta-data/iam/security-credentials/ -S -s) --query Role.Arn --output text)
+ export TEST_AWS_EC2_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+ make testacc TEST=./builtin/credential/aws/
+
+ If the test is not being run on an EC2 instance that has access to
+ credentials using EC2RoleProvider, on top of the above vars, following
+ needs to be set:
+ TEST_AWS_SECRET_KEY
+ TEST_AWS_ACCESS_KEY
+*/
 func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.T) {
 // This test case should be run only when certain env vars are set and
 // executed as an acceptance test.
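Review bot: The rewritten doc comment now sits in an indented `/* */` block rather than the `//` lines the removed version and the rest of the file's comments use; gofmt accepts both, but Go doc comments are conventionally `//`-prefixed, and the leading indentation inside the block makes `go doc` render every line as preformatted text. Within the snippet, the IAM role lookup uses `curl -q ... -S -s`, where `-q` disables reading `.curlrc` rather than quieting output, so next to the other four `curl -s` calls it reads as a typo; `$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/)` would keep the snippet consistent. Neither point changes what the test does.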
@@ -978,9 +989,13 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
 return
 }
 
- pkcs7 := os.Getenv("TEST_AWS_EC2_PKCS7")
- if pkcs7 == "" {
- t.Fatalf("env var TEST_AWS_EC2_PKCS7 not set")
+ identityDoc := os.Getenv("TEST_AWS_EC2_IDENTITY_DOCUMENT")
+ if identityDoc == "" {
+ t.Fatalf("env var TEST_AWS_EC2_IDENTITY_DOCUMENT not set")
+ }
+ identityDocSig := os.Getenv("TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG")
+ if identityDoc == "" {
+ t.Fatalf("env var TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG not set")
 }
 
 amiID := os.Getenv("TEST_AWS_EC2_AMI_ID")
@@ -1044,8 +1059,9 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
 }
 
 loginInput := map[string]interface{}{
- "pkcs7": pkcs7,
- "nonce": "vault-client-nonce",
+ "identity": identityDoc,
+ "signature": identityDocSig,
+ "nonce": "vault-client-nonce",
 }
 
 // Perform the login operation with a AMI ID that is not matching
diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
index f59e4f119091..2e2d120921c5 100644
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@@ -330,8 +330,8 @@ func (b *backend) parseIdentityDocument(ctx context.Context, s logical.Storage,
 
 // Verify extracts the authenticated attributes in the PKCS#7 signature, and verifies
 // the authenticity of the content using 'dsa.PublicKey' embedded in the public certificate.
- if pkcs7Data.Verify() != nil {
- return nil, fmt.Errorf("failed to verify the signature")
+ if err = pkcs7Data.Verify(); err != nil {
+ return nil, fmt.Errorf("failed to verify the signature: %v", err)
 }
 
 // Check if the signature has content inside of it
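Review bot: The guard that follows `identityDocSig := os.Getenv("TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG")` re-tests `identityDoc` instead of the value it just read, so an unset signature variable slips past the precondition and the test only fails later, inside the login path, with a signature-verification error instead of the intended "env var ... not set" message. The condition should read `if identityDocSig == "" {`. The test function continues outside the hunk.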
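Review bot: With `"pkcs7"` dropped from `loginInput`, the PKCS7 login path no longer has any acceptance coverage, and the commit message calls the switch a temporary workaround for #4014 without leaving a marker in the code. A comment on the map literal such as `// TODO: restore the "pkcs7" input once #4014 is fixed; identity+signature is a workaround so the test can run` would keep the gap visible to whoever resolves that issue. The enclosing test function starts and ends outside the hunk.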
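Review bot: The new `%v` on the return line forwards the pkcs7 library's verification failure to parseIdentityDocument's caller; if that error reaches the login response unchanged (not visible here, the function starts and continues outside the hunk), an unauthenticated client learns which verification step rejected its document. Keeping the returned text generic and emitting the detail through the backend's logger would retain the diagnostic value without exposing it. The `err =` form also relies on an `err` declared earlier in the function, outside the hunk, which is worth a glance so the assignment is not clobbering a value still needed below.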