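// +build integration
// +build !windows

package integration

import (
	"encoding/pem"
	"io/ioutil"
	"net"
	"net/http"
	"os"
	"os/user"
	"path"
	"strconv"
	"time"

	. "gopkg.in/check.v1"

	"github.com/gotestyourself/gotestyourself/fs"
	"github.com/gotestyourself/gotestyourself/icmd"
)

// VaultEc2DatasourcesSuite exercises gomplate's vault datasource when the
// Vault token is obtained through the AWS "ec2" auth method.
//
// No real AWS is involved: a loopback HTTP server impersonates the EC2
// instance-metadata, EC2, IAM and STS endpoints Vault talks to during login,
// and the instance identity document is signed with a throwaway certificate
// generated in SetUpSuite. Everything here is test fixture; none of the keys,
// tokens or policies are suitable outside this suite.
type VaultEc2DatasourcesSuite struct {
	tmpDir      *fs.Dir
	pidDir      *fs.Dir
	vaultAddr   string
	vaultResult *icmd.Result
	v           *vaultClient
	l           *net.TCPListener
	srv         *http.Server // serves the fake AWS endpoints on l
	cert        []byte       // PEM cert Vault is told to trust for the PKCS7 identity document
}

var _ = Suite(&VaultEc2DatasourcesSuite{})

// SetUpSuite starts the fake AWS server and a Vault server, then installs the
// two policies ("writepol", "readpol") that the test binds roles to.
func (s *VaultEc2DatasourcesSuite) SetUpSuite(c *C) {
	var err error
	// Port 0 lets the kernel pick a free port; binding to 127.0.0.1 keeps the
	// fake metadata service unreachable from anything but this host.
	s.l, err = net.ListenTCP("tcp", &net.TCPAddr{IP: net.ParseIP("127.0.0.1")})
	handle(c, err)

	// The original discarded this error; a nil key/DER would only surface
	// later as an opaque login failure, so fail here instead.
	priv, der, err := certificateGenerate()
	handle(c, err)
	s.cert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})

	// A private mux instead of http.DefaultServeMux: registering a path twice
	// on the default mux panics, so another suite in this package mocking the
	// metadata service would collide, and default-mux registrations would
	// outlive this suite. pkcsHandler receives the private key, presumably to
	// sign the identity document -- see its definition.
	mux := http.NewServeMux()
	mux.HandleFunc("/latest/dynamic/instance-identity/pkcs7", pkcsHandler(priv, der))
	mux.HandleFunc("/latest/dynamic/instance-identity/document", instanceDocumentHandler)
	mux.HandleFunc("/sts/", stsHandler)
	mux.HandleFunc("/ec2/", ec2Handler)
	s.srv = &http.Server{Handler: mux, ReadHeaderTimeout: 5 * time.Second}
	// Serve returns http.ErrServerClosed once TearDownSuite closes the server.
	go s.srv.Serve(s.l)

	s.pidDir, s.tmpDir, s.vaultAddr, s.vaultResult = startVault(c)

	s.v, err = createVaultClient(s.vaultAddr, vaultRootToken)
	handle(c, err)

	// Both policies match every path; "write" on "*" is effectively
	// unrestricted. Acceptable only because this Vault is a throwaway
	// instance owned by the test.
	err = s.v.vc.Sys().PutPolicy("writepol", `path "*" {
  policy = "write"
}`)
	handle(c, err)
	err = s.v.vc.Sys().PutPolicy("readpol", `path "*" {
  policy = "read"
}`)
	handle(c, err)
}

// TearDownSuite stops the fake AWS server and the Vault process, removes the
// temp dirs, and restores the developer's ~/.vault-token if a backup exists.
func (s *VaultEc2DatasourcesSuite) TearDownSuite(c *C) {
	if s.srv != nil {
		s.srv.Close() // also closes the listener s.l
	} else if s.l != nil {
		s.l.Close()
	}

	defer s.tmpDir.Remove()
	defer s.pidDir.Remove()

	// Vault runs as a separate process; the only handle we have is the pid
	// startVault wrote. A stale or recycled pid would kill the wrong process,
	// so this relies on pidDir being private to this suite.
	p, err := ioutil.ReadFile(s.pidDir.Join("vault.pid"))
	handle(c, err)
	pid, err := strconv.Atoi(string(p))
	handle(c, err)
	process, err := os.FindProcess(pid)
	handle(c, err)
	handle(c, process.Kill())

	// Restore the old token if it was backed up. This touches the real user's
	// home directory, not s.tmpDir -- presumably startVault moved an existing
	// ~/.vault-token aside; verify against startVault.
	u, err := user.Current()
	if err != nil {
		// Nothing to restore if the home directory is unknown; the original
		// code would have dereferenced a nil *user.User here.
		c.Logf("user.Current: %v; not restoring ~/.vault-token", err)
		return
	}
	homeDir := u.HomeDir
	backup := path.Join(homeDir, ".vault-token.bak")
	if info, err := os.Stat(backup); err == nil && info.Mode().IsRegular() {
		// A failed restore silently leaves the developer without their token,
		// so report it instead of discarding the error as before.
		if err := os.Rename(backup, path.Join(homeDir, ".vault-token")); err != nil {
			c.Errorf("restoring %s: %v", path.Join(homeDir, ".vault-token"), err)
		}
	}
}

// TestEc2Auth logs gomplate into Vault through the AWS EC2 auth method against
// the loopback mock and reads secret/foo with the resulting token.
func (s *VaultEc2DatasourcesSuite) TestEc2Auth(c *C) {
	_, err := s.v.vc.Logical().Write("secret/foo", map[string]interface{}{"value": "bar"})
	handle(c, err)
	defer s.v.vc.Logical().Delete("secret/foo")

	handle(c, s.v.vc.Sys().EnableAuth("aws", "aws", ""))
	defer s.v.vc.Sys().DisableAuth("aws")

	mock := "http://" + s.l.Addr().String()
	// Dummy credentials: Vault needs a non-empty key pair to build its AWS
	// client, but every call is redirected to the loopback mock, never to AWS.
	_, err = s.v.vc.Logical().Write("auth/aws/config/client", map[string]interface{}{
		"secret_key": "secret", "access_key": "access",
		"endpoint":     mock + "/ec2",
		"iam_endpoint": mock + "/iam",
		"sts_endpoint": mock + "/sts",
	})
	handle(c, err)

	// Vault verifies the PKCS7-signed identity document against this test
	// certificate instead of the real AWS public certificate.
	_, err = s.v.vc.Logical().Write("auth/aws/config/certificate/testcert", map[string]interface{}{
		"type": "pkcs7", "aws_public_cert": string(s.cert),
	})
	handle(c, err)

	// The role is bound to ami-00000000, presumably the AMI the mock identity
	// document reports; the login only succeeds when the two match.
	_, err = s.v.vc.Logical().Write("auth/aws/role/ami-00000000", map[string]interface{}{
		"auth_type": "ec2", "bound_ami_id": "ami-00000000",
		"policies": "readpol",
	})
	handle(c, err)

	// HOME is a throwaway dir, presumably so no cached ~/.vault-token can
	// short-circuit the EC2 login; AWS_META_ENDPOINT points the metadata
	// lookup at the mock.
	result := icmd.RunCmd(icmd.Command(GomplateBin,
		"-d", "vault=vault:///secret",
		"-i", `{{(ds "vault" "foo").value}}`,
	), func(cmd *icmd.Cmd) {
		cmd.Env = []string{
			"HOME=" + s.tmpDir.Join("home"),
			"VAULT_ADDR=http://" + s.v.addr,
			"AWS_META_ENDPOINT=" + mock,
		}
	})
	result.Assert(c, icmd.Expected{ExitCode: 0, Out: "bar"})
}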