From 712640572087655ca17a2bac846d19c8d132aa44 Mon Sep 17 00:00:00 2001
From: Thy Ton
Date: Mon, 18 Dec 2023 12:28:54 +0700
Subject: [PATCH 01/10] indicate token reviewer jwt provided on config read
---
 path_config.go | 6 +++
 path_config_test.go | 120 ++++++++++++++++++++++++++++++--------------
 2 files changed, 89 insertions(+), 37 deletions(-)
diff --git a/path_config.go b/path_config.go
index a61474ba..a5a228a2 100644
--- a/path_config.go
+++ b/path_config.go
@@ -119,6 +119,11 @@ func (b *kubeAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reque
 } else if config == nil {
 return nil, nil
 } else {
+ var tokenReviewerJWTSet bool
+ if config.TokenReviewerJWT != "" {
+ tokenReviewerJWTSet = true
+ }
+
 // Create a map of data to be returned
 resp := &logical.Response{
 Data: map[string]interface{}{
@@ -128,6 +133,7 @@ func (b *kubeAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reque
 "issuer": config.Issuer,
 "disable_iss_validation": config.DisableISSValidation,
 "disable_local_ca_jwt": config.DisableLocalCAJwt,
+ "token_reviewer_jwt_set": tokenReviewerJWTSet,
 },
 }
diff --git a/path_config_test.go b/path_config_test.go
index ac6145f8..ef071bf8 100644
--- a/path_config_test.go
+++ b/path_config_test.go
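Review bot: The new `token_reviewer_jwt_set` entry in the second hunk should carry a comment explaining why only a presence flag is exposed, since the surrounding Data map omits `token_reviewer_jwt` itself and nothing on the read path records that the omission is deliberate: `// Expose only whether a reviewer JWT is configured; the JWT is a credential and is never returned on read.` Without it a later maintainer adding "missing" fields to the response has no signal that this one is intentionally left out. pathConfigRead starts and ends outside both hunks.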
@@ -44,46 +44,92 @@ func setupLocalFiles(t *testing.T, b logical.Backend) func() {
 }
 func TestConfig_Read(t *testing.T) {
- b, storage := getBackend(t)
-
- cleanup := setupLocalFiles(t, b)
- defer cleanup()
-
- data := map[string]interface{}{
- "pem_keys": []string{testRSACert, testECCert},
- "kubernetes_host": "host",
- "kubernetes_ca_cert": testCACert,
- "issuer": "",
- "disable_iss_validation": false,
- "disable_local_ca_jwt": false,
- }
-
- req := &logical.Request{
- Operation: logical.UpdateOperation,
- Path: configPath,
- Storage: storage,
- Data: data,
- }
-
- resp, err := b.HandleRequest(context.Background(), req)
- if err != nil || (resp != nil && resp.IsError()) {
- t.Fatalf("err:%s resp:%#v\n", err, resp)
+ type args struct {
+ data map[string]interface{}
 }
-
- req = &logical.Request{
- Operation: logical.ReadOperation,
- Path: configPath,
- Storage: storage,
- Data: nil,
- }
-
- resp, err = b.HandleRequest(context.Background(), req)
- if err != nil || (resp != nil && resp.IsError()) {
- t.Fatalf("err:%s resp:%#v\n", err, resp)
+ tests := []struct {
+ name string
+ args args
+ want map[string]interface{}
+ }{
+ {
+ name: "token-review-jwt-is-unset",
+ args: args{
+ data: map[string]interface{}{
+ "pem_keys": []string{testRSACert, testECCert},
+ "kubernetes_host": "host",
+ "kubernetes_ca_cert": testCACert,
+ "issuer": "",
+ "disable_iss_validation": false,
+ "disable_local_ca_jwt": false,
+ },
+ },
+ want: map[string]interface{}{
+ "pem_keys": []string{testRSACert, testECCert},
+ "kubernetes_host": "host",
+ "kubernetes_ca_cert": testCACert,
+ "issuer": "",
+ "disable_iss_validation": false,
+ "disable_local_ca_jwt": false,
+ "token_reviewer_jwt_set": false,
+ },
+ },
+ {
+ name: "token-review-jwt-is-set",
+ args: args{
+ data: map[string]interface{}{
+ "pem_keys": []string{testRSACert, testECCert},
+ "kubernetes_host": "host",
+ "kubernetes_ca_cert": testCACert,
+ "issuer": "",
+ "disable_iss_validation": false,
+ "disable_local_ca_jwt": false,
+ "token_reviewer_jwt": "test-token-review-jwt",
+ },
+ },
+ want: map[string]interface{}{
+ "pem_keys": []string{testRSACert, testECCert},
+ "kubernetes_host": "host",
+ "kubernetes_ca_cert": testCACert,
+ "issuer": "",
+ "disable_iss_validation": false,
+ "disable_local_ca_jwt": false,
+ "token_reviewer_jwt_set": true,
+ },
+ },
 }
- if !reflect.DeepEqual(resp.Data, data) {
- t.Fatalf("Expected did not equal actual: expected %#v\n got %#v\n", data, resp.Data)
+ for _, tc := range tests {
+ b, storage := getBackend(t)
+ cleanup := setupLocalFiles(t, b)
+ defer cleanup()
+ req := &logical.Request{
+ Operation: logical.UpdateOperation,
+ Path: configPath,
+ Storage: storage,
+ Data: tc.args.data,
+ }
+
+ resp, err := b.HandleRequest(context.Background(), req)
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("err:%s resp:%#v\n", err, resp)
+ }
+
+ req = &logical.Request{
+ Operation: logical.ReadOperation,
+ Path: configPath,
+ Storage: storage,
+ Data: nil,
+ }
+
+ resp, err = b.HandleRequest(context.Background(), req)
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("err:%s resp:%#v\n", err, resp)
+ }
+
+ if !reflect.DeepEqual(resp.Data, tc.want) {
+ t.Fatalf("Expected did not equal actual: expected %#v\n got %#v\n", tc.want, resp.Data)
+ }
 }
 }
From f175ba1d863afce410e6fa75a87507fe97f5c341 Mon Sep 17 00:00:00 2001
From: Thy Ton
Date: Mon, 18 Dec 2023 13:12:37 +0700
Subject: [PATCH 02/10] update CHANGELOG
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9eb7ef5e..4d6447ac 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@
 ### Improvements
 * Support bound service account namespace selector [GH-218](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/218)
+* Indicate that token reviewer jwt is set on config read [GH-221](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/221)
 ## 0.17.1 (Sept 7, 2023)
From 9800a4b53dfdd5050220b843e325de118da4fcfa Mon Sep 17 00:00:00 2001
From: Thy Ton
Date: Tue, 19 Dec 2023 20:43:33 +0700
Subject: [PATCH 03/10] Update CHANGELOG.md
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4d6447ac..d2e2267d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,7 +21,7 @@
 ### Improvements
 * Support bound service account namespace selector [GH-218](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/218)
-* Indicate that token reviewer jwt is set on config read [GH-221](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/221)
+* Indicate that token reviewer JWT is set on config read [GH-221](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/221)
 ## 0.17.1 (Sept 7, 2023)
From 965806176e816d6af51b33071acb86b38fc0e490 Mon Sep 17 00:00:00 2001
From: Thy Ton
Date: Tue, 19 Dec 2023 20:45:25 +0700
Subject: [PATCH 04/10] Update path_config.go
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
---
 path_config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/path_config.go b/path_config.go
index a5a228a2..60d8d90d 100644
--- a/path_config.go
+++ b/path_config.go
@@ -133,7 +133,7 @@ func (b *kubeAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reque
 "issuer": config.Issuer,
 "disable_iss_validation": config.DisableISSValidation,
 "disable_local_ca_jwt": config.DisableLocalCAJwt,
- "token_reviewer_jwt_set": tokenReviewerJWTSet,
+ "token_reviewer_jwt_set": config.TokenReviewerJWT != "",
 },
 }
From 462303501fff7e58d7c98af37557077319b8c36c Mon Sep 17 00:00:00 2001
From: Thy Ton
Date: Tue, 19 Dec 2023 20:45:34 +0700
Subject: [PATCH 05/10] Update path_config.go
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
---
 path_config.go | 5 -----
 1 file changed, 5 deletions(-)
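Review bot: After this hunk the local `tokenReviewerJWTSet`, declared at the top of the same else block just above the hunk (see PATCH 01), has no remaining use, so this commit fails to compile with Go's declared-and-not-used error; the declaration is only deleted in the next patch. Squash this patch with the following one so every commit in the series builds and `git bisect` stays usable. pathConfigRead starts and ends outside the hunk.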
diff --git a/path_config.go b/path_config.go
index 60d8d90d..c2d4d9f9 100644
--- a/path_config.go
+++ b/path_config.go
@@ -119,11 +119,6 @@ func (b *kubeAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reque
 } else if config == nil {
 return nil, nil
 } else {
- var tokenReviewerJWTSet bool
- if config.TokenReviewerJWT != "" {
- tokenReviewerJWTSet = true
- }
-
 // Create a map of data to be returned
 resp := &logical.Response{
 Data: map[string]interface{}{
From 4bf43e60065cb58ff2accf68387cfe66001b1637 Mon Sep 17 00:00:00 2001
From: Thy Ton
Date: Fri, 22 Dec 2023 23:11:18 +0700
Subject: [PATCH 06/10] address comments
---
 path_config_test.go | 102 +++++++++++++++++++++----------------
 1 file changed, 49 insertions(+), 53 deletions(-)
diff --git a/path_config_test.go b/path_config_test.go
index ef071bf8..42d2ebce 100644
--- a/path_config_test.go
+++ b/path_config_test.go
@@ -44,25 +44,20 @@ func setupLocalFiles(t *testing.T, b logical.Backend) func() {
 }
 func TestConfig_Read(t *testing.T) {
- type args struct {
- data map[string]interface{}
- }
 tests := []struct {
 name string
- args args
+ data map[string]interface{}
 want map[string]interface{}
 }{
 {
 name: "token-review-jwt-is-unset",
- args: args{
- data: map[string]interface{}{
- "pem_keys": []string{testRSACert, testECCert},
- "kubernetes_host": "host",
- "kubernetes_ca_cert": testCACert,
- "issuer": "",
- "disable_iss_validation": false,
- "disable_local_ca_jwt": false,
- },
+ data: map[string]interface{}{
+ "pem_keys": []string{testRSACert, testECCert},
+ "kubernetes_host": "host",
+ "kubernetes_ca_cert": testCACert,
+ "issuer": "",
+ "disable_iss_validation": false,
+ "disable_local_ca_jwt": false,
 },
 want: map[string]interface{}{
 "pem_keys": []string{testRSACert, testECCert},
@@ -76,16 +71,14 @@ func TestConfig_Read(t *testing.T) {
 },
 {
 name: "token-review-jwt-is-set",
- args: args{
- data: map[string]interface{}{
- "pem_keys": []string{testRSACert, testECCert},
- "kubernetes_host": "host",
- "kubernetes_ca_cert": testCACert,
- "issuer": "",
- "disable_iss_validation": false,
- "disable_local_ca_jwt": false,
- "token_reviewer_jwt": "test-token-review-jwt",
- },
+ data: map[string]interface{}{
+ "pem_keys": []string{testRSACert, testECCert},
+ "kubernetes_host": "host",
+ "kubernetes_ca_cert": testCACert,
+ "issuer": "",
+ "disable_iss_validation": false,
+ "disable_local_ca_jwt": false,
+ "token_reviewer_jwt": "test-token-review-jwt",
 },
 want: map[string]interface{}{
 "pem_keys": []string{testRSACert, testECCert},
@@ -100,36 +93,39 @@ func TestConfig_Read(t *testing.T) {
 }
 for _, tc := range tests {
- b, storage := getBackend(t)
- cleanup := setupLocalFiles(t, b)
- defer cleanup()
- req := &logical.Request{
- Operation: logical.UpdateOperation,
- Path: configPath,
- Storage: storage,
- Data: tc.args.data,
- }
-
- resp, err := b.HandleRequest(context.Background(), req)
- if err != nil || (resp != nil && resp.IsError()) {
- t.Fatalf("err:%s resp:%#v\n", err, resp)
- }
-
- req = &logical.Request{
- Operation: logical.ReadOperation,
- Path: configPath,
- Storage: storage,
- Data: nil,
- }
-
- resp, err = b.HandleRequest(context.Background(), req)
- if err != nil || (resp != nil && resp.IsError()) {
- t.Fatalf("err:%s resp:%#v\n", err, resp)
- }
-
- if !reflect.DeepEqual(resp.Data, tc.want) {
- t.Fatalf("Expected did not equal actual: expected %#v\n got %#v\n", tc.want, resp.Data)
- }
+ t.Run(tc.name, func(t *testing.T) {
+ b, storage := getBackend(t)
+ cleanup := setupLocalFiles(t, b)
+ t.Cleanup(cleanup)
+
+ req := &logical.Request{
+ Operation: logical.UpdateOperation,
+ Path: configPath,
+ Storage: storage,
+ Data: tc.data,
+ }
+
+ resp, err := b.HandleRequest(context.Background(), req)
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("err:%s resp:%#v\n", err, resp)
+ }
+
+ req = &logical.Request{
+ Operation: logical.ReadOperation,
+ Path: configPath,
+ Storage: storage,
+ Data: nil,
+ }
+
+ resp, err = b.HandleRequest(context.Background(), req)
+ if err != nil || (resp != nil && resp.IsError()) {
+ t.Fatalf("err:%s resp:%#v\n", err, resp)
+ }
+
+ if !reflect.DeepEqual(resp.Data, tc.want) {
+ t.Fatalf("Expected did not equal actual: expected %#v\n got %#v\n", tc.want, resp.Data)
+ }
+ })
 }
 }
From 004ed5031d41b829d01dc208a32e02180979dc7c Mon Sep 17 00:00:00 2001
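Review bot: `resp.Data` is dereferenced after the read request even though the check just above it tolerates a nil `resp`; the read handler returns `nil, nil` when no config is stored (see the context lines of the path_config.go hunk in PATCH 01), so a regression on that path would surface as a nil-pointer panic rather than a readable failure. Add `if resp == nil { t.Fatal("expected a read response, got nil") }` before the `reflect.DeepEqual` comparison. Capturing `tc` in the `t.Run` closure is fine here because no subtest calls `t.Parallel()`. TestConfig_Read starts outside the hunk.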
From: Thy Ton
Date: Tue, 26 Dec 2023 21:54:45 +0700
Subject: [PATCH 07/10] Update path_config_test.go
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
---
 path_config_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/path_config_test.go b/path_config_test.go
index 42d2ebce..f6205a0a 100644
--- a/path_config_test.go
+++ b/path_config_test.go
@@ -119,7 +119,7 @@ func TestConfig_Read(t *testing.T) {
 resp, err = b.HandleRequest(context.Background(), req)
 if err != nil || (resp != nil && resp.IsError()) {
- t.Fatalf("err:%s resp:%#v\n", err, resp)
+ t.Fatalf("got unexpected error %s for resp %#v", err, resp)
 }
 if !reflect.DeepEqual(resp.Data, tc.want) {
From 29b0077037487450e928fe55cb278f83fa67a788 Mon Sep 17 00:00:00 2001
From: Thy Ton
Date: Tue, 26 Dec 2023 21:55:26 +0700
Subject: [PATCH 08/10] Update path_config_test.go
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
---
 path_config_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/path_config_test.go b/path_config_test.go
index f6205a0a..c14a710e 100644
--- a/path_config_test.go
+++ b/path_config_test.go
@@ -123,7 +123,7 @@ func TestConfig_Read(t *testing.T) {
 }
 if !reflect.DeepEqual(resp.Data, tc.want) {
- t.Fatalf("Expected did not equal actual: expected %#v\n got %#v\n", tc.want, resp.Data)
+ t.Fatalf("expected %#v, got %#v", tc.want, resp.Data)
 }
 })
 }
From 33dc18fda8aa6a5bcc6a9a46fea97be211c7cb0c Mon Sep 17 00:00:00 2001
From: Thy Ton
Date: Tue, 26 Dec 2023 21:58:51 +0700
Subject: [PATCH 09/10] address comments
---
 path_config_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/path_config_test.go b/path_config_test.go
index c14a710e..39b13def 100644
--- a/path_config_test.go
+++ b/path_config_test.go
@@ -107,9 +107,9 @@ func TestConfig_Read(t *testing.T) {
 resp, err := b.HandleRequest(context.Background(), req)
 if err != nil || (resp != nil && resp.IsError()) {
- t.Fatalf("err:%s resp:%#v\n", err, resp)
+ t.Fatalf("got unexpected error %s for resp %#v", err, resp)
 }
-
+
 req = &logical.Request{
 Operation: logical.ReadOperation,
 Path: configPath,
From 39ab45d85efae45dd38cd36650994b4f8e8dc6d1 Mon Sep 17 00:00:00 2001
From: Thy Ton
Date: Tue, 26 Dec 2023 22:00:41 +0700
Subject: [PATCH 10/10] reformat
---
 path_config_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/path_config_test.go b/path_config_test.go
index 39b13def..d29bc82e 100644
--- a/path_config_test.go
+++ b/path_config_test.go
@@ -109,7 +109,7 @@ func TestConfig_Read(t *testing.T) {
 if err != nil || (resp != nil && resp.IsError()) {
 t.Fatalf("got unexpected error %s for resp %#v", err, resp)
 }
-
+
 req = &logical.Request{
 Operation: logical.ReadOperation,
 Path: configPath,