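//go:build !windows
// +build !windows

package integration

import (
	"encoding/pem"
	"io"
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/stretchr/testify/require"
	"gotest.tools/v3/fs"
)

// setupDatasourcesVaultEc2Test builds the fixtures for the Vault EC2-auth test:
// a single httptest.Server standing in for AWS (IMDS, STS and EC2 paths), a
// running Vault with two catch-all policies, and the PEM-encoded certificate
// whose private key signs the fake PKCS7 instance identity document.
//
// It returns the temp dir from startVault, the Vault client wrapper, the fake
// AWS server and the certificate PEM. The server is closed via t.Cleanup.
func setupDatasourcesVaultEc2Test(t *testing.T) (*fs.Dir, *vaultClient, *httptest.Server, []byte) {
	t.Helper()

	// NOTE(review): the third return value of certificateGenerate is discarded.
	// If it is an error it should be checked here — a nil key would only surface
	// later as a confusing PKCS7/Vault failure. Confirm against its definition.
	priv, der, _ := certificateGenerate()
	cert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})

	mux := http.NewServeMux()
	mux.HandleFunc("/latest/dynamic/instance-identity/pkcs7", pkcsHandler(priv, der))
	mux.HandleFunc("/latest/dynamic/instance-identity/document", instanceDocumentHandler)
	// Fake IMDSv2 token endpoint: accepts any request and hands back a fixed
	// token. Handlers run on the server's goroutines, so a failure is reported
	// with t.Errorf plus an HTTP 500 rather than require.NoError — FailNow must
	// only be called from the test goroutine.
	mux.HandleFunc("/latest/api/token", func(w http.ResponseWriter, r *http.Request) {
		var body []byte
		if r.Body != nil {
			defer r.Body.Close()
			var err error
			body, err = io.ReadAll(r.Body)
			if err != nil {
				t.Errorf("IMDS token request: reading body: %v", err)
				http.Error(w, err.Error(), http.StatusInternalServerError)
				return
			}
		}
		t.Logf("IMDS Token request: %s %s: %s", r.Method, r.URL, body)

		_, _ = w.Write([]byte("testtoken"))
	})
	mux.HandleFunc("/latest/meta-data/instance-id", func(w http.ResponseWriter, r *http.Request) {
		t.Logf("IMDS request: %s %s", r.Method, r.URL)
		_, _ = w.Write([]byte("i-00000000"))
	})
	mux.HandleFunc("/sts/", stsHandler)
	mux.HandleFunc("/ec2/", ec2Handler)
	// Anything else is logged and rejected, so an unexpected code path shows up
	// in the test output instead of silently receiving an empty 200.
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		t.Logf("unhandled request: %s %s", r.Method, r.URL)
		w.WriteHeader(http.StatusNotFound)
	})

	srv := httptest.NewServer(mux)
	t.Cleanup(srv.Close)

	tmpDir, v := startVault(t)

	// Two deliberately permissive catch-all policies for the throwaway test
	// Vault. The EC2 role created by the test only attaches readpol.
	err := v.vc.Sys().PutPolicy("writepol", `path "*" {
	policy = "write"
}`)
	require.NoError(t, err)
	err = v.vc.Sys().PutPolicy("readpol", `path "*" {
	policy = "read"
}`)
	require.NoError(t, err)

	return tmpDir, v, srv, cert
}

// TestDatasources_VaultEc2 exercises the vault:// datasource when gomplate
// authenticates to Vault through the AWS auth method in EC2 mode. The AWS
// client config, the signing certificate and an AMI-bound role are written to
// the test Vault, then gomplate is run against it with the fake IMDS endpoint
// and is expected to read secret/foo via the token it obtains.
func TestDatasources_VaultEc2(t *testing.T) {
	tmpDir, v, srv, cert := setupDatasourcesVaultEc2Test(t)

	_, err := v.vc.Logical().Write("secret/foo", map[string]interface{}{"value": "bar"})
	require.NoError(t, err)
	defer func() {
		if _, err := v.vc.Logical().Delete("secret/foo"); err != nil {
			t.Errorf("deleting secret/foo: %v", err)
		}
	}()

	err = v.vc.Sys().EnableAuth("aws", "aws", "")
	require.NoError(t, err)
	defer func() {
		if err := v.vc.Sys().DisableAuth("aws"); err != nil {
			t.Errorf("disabling aws auth: %v", err)
		}
	}()

	// Dummy AWS credentials: every AWS API call is pointed at the fake server.
	_, err = v.vc.Logical().Write("auth/aws/config/client", map[string]interface{}{
		"secret_key":   "secret",
		"access_key":   "access",
		"endpoint":     srv.URL + "/ec2",
		"iam_endpoint": srv.URL + "/iam",
		"sts_endpoint": srv.URL + "/sts",
		"sts_region":   "us-east-1",
	})
	require.NoError(t, err)

	// Register the test certificate so Vault can verify the fake PKCS7 signature.
	_, err = v.vc.Logical().Write("auth/aws/config/certificate/testcert", map[string]interface{}{
		"type":            "pkcs7",
		"aws_public_cert": string(cert),
	})
	require.NoError(t, err)

	// Read-only role bound to ami-00000000 (presumably the AMI the fake identity
	// document reports — see instanceDocumentHandler).
	_, err = v.vc.Logical().Write("auth/aws/role/ami-00000000", map[string]interface{}{
		"auth_type":    "ec2",
		"bound_ami_id": "ami-00000000",
		"policies":     "readpol",
	})
	require.NoError(t, err)

	o, e, err := cmd(t, "-d", "vault=vault:///secret/",
		"-i", `{{(ds "vault" "foo").value}}`).
		withEnv("HOME", tmpDir.Join("home")).
		withEnv("VAULT_ADDR", "http://"+v.addr).
		withEnv("AWS_EC2_METADATA_SERVICE_ENDPOINT", srv.URL).
		run()
	assertSuccess(t, o, e, err, "bar")
}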