github.com/zhizhiboom/nomad@v0.8.5-0.20180907175415-f28fd3a1a056/client/vaultclient/vaultclient_test.go (about) 1 package vaultclient 2 3 import ( 4 "strings" 5 "testing" 6 "time" 7 8 "github.com/hashicorp/nomad/client/config" 9 "github.com/hashicorp/nomad/helper/testlog" 10 "github.com/hashicorp/nomad/testutil" 11 vaultapi "github.com/hashicorp/vault/api" 12 ) 13 14 func TestVaultClient_TokenRenewals(t *testing.T) { 15 t.Parallel() 16 v := testutil.NewTestVault(t) 17 defer v.Stop() 18 19 logger := testlog.Logger(t) 20 v.Config.ConnectionRetryIntv = 100 * time.Millisecond 21 v.Config.TaskTokenTTL = "4s" 22 c, err := NewVaultClient(v.Config, logger, nil) 23 if err != nil { 24 t.Fatalf("failed to build vault client: %v", err) 25 } 26 27 c.Start() 28 defer c.Stop() 29 30 // Sleep a little while to ensure that the renewal loop is active 31 time.Sleep(time.Duration(testutil.TestMultiplier()) * time.Second) 32 33 tcr := &vaultapi.TokenCreateRequest{ 34 Policies: []string{"foo", "bar"}, 35 TTL: "2s", 36 DisplayName: "derived-for-task", 37 Renewable: new(bool), 38 } 39 *tcr.Renewable = true 40 41 num := 5 42 tokens := make([]string, num) 43 for i := 0; i < num; i++ { 44 c.client.SetToken(v.Config.Token) 45 46 if err := c.client.SetAddress(v.Config.Addr); err != nil { 47 t.Fatal(err) 48 } 49 50 secret, err := c.client.Auth().Token().Create(tcr) 51 if err != nil { 52 t.Fatalf("failed to create vault token: %v", err) 53 } 54 55 if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" { 56 t.Fatal("failed to derive a wrapped vault token") 57 } 58 59 tokens[i] = secret.Auth.ClientToken 60 61 errCh, err := c.RenewToken(tokens[i], secret.Auth.LeaseDuration) 62 if err != nil { 63 t.Fatalf("Unexpected error: %v", err) 64 } 65 66 go func(errCh <-chan error) { 67 for { 68 select { 69 case err := <-errCh: 70 if err != nil { 71 t.Fatalf("error while renewing the token: %v", err) 72 } 73 } 74 } 75 }(errCh) 76 } 77 78 if c.heap.Length() != num { 79 t.Fatalf("bad: heap length: expected: %d, actual: %d", num, c.heap.Length()) 80 } 81 82 time.Sleep(time.Duration(testutil.TestMultiplier()) * time.Second) 83 84 for i := 0; i < num; i++ { 85 if err := c.StopRenewToken(tokens[i]); err != nil { 86 t.Fatal(err) 87 } 88 } 89 90 if c.heap.Length() != 0 { 91 t.Fatalf("bad: heap length: expected: 0, actual: %d", c.heap.Length()) 92 } 93 } 94 95 func TestVaultClient_Heap(t *testing.T) { 96 t.Parallel() 97 tr := true 98 conf := config.DefaultConfig() 99 conf.VaultConfig.Enabled = &tr 100 conf.VaultConfig.Token = "testvaulttoken" 101 conf.VaultConfig.TaskTokenTTL = "10s" 102 103 logger := testlog.Logger(t) 104 c, err := NewVaultClient(conf.VaultConfig, logger, nil) 105 if err != nil { 106 t.Fatal(err) 107 } 108 if c == nil { 109 t.Fatal("failed to create vault client") 110 } 111 112 now := time.Now() 113 114 renewalReq1 := &vaultClientRenewalRequest{ 115 errCh: make(chan error, 1), 116 id: "id1", 117 increment: 10, 118 } 119 if err := c.heap.Push(renewalReq1, now.Add(50*time.Second)); err != nil { 120 t.Fatal(err) 121 } 122 if !c.isTracked("id1") { 123 t.Fatalf("id1 should have been tracked") 124 } 125 126 renewalReq2 := &vaultClientRenewalRequest{ 127 errCh: make(chan error, 1), 128 id: "id2", 129 increment: 10, 130 } 131 if err := c.heap.Push(renewalReq2, now.Add(40*time.Second)); err != nil { 132 t.Fatal(err) 133 } 134 if !c.isTracked("id2") { 135 t.Fatalf("id2 should have been tracked") 136 } 137 138 renewalReq3 := &vaultClientRenewalRequest{ 139 errCh: make(chan error, 1), 140 id: "id3", 141 increment: 10, 142 } 143 if err := c.heap.Push(renewalReq3, now.Add(60*time.Second)); err != nil { 144 t.Fatal(err) 145 } 146 if !c.isTracked("id3") { 147 t.Fatalf("id3 should have been tracked") 148 } 149 150 // Reading elements should yield id2, id1 and id3 in order 151 req, _ := c.nextRenewal() 152 if req != renewalReq2 { 153 t.Fatalf("bad: expected: %#v, actual: %#v", renewalReq2, req) 154 } 155 if err := c.heap.Update(req, now.Add(70*time.Second)); err != nil { 156 t.Fatal(err) 157 } 158 159 req, _ = c.nextRenewal() 160 if req != renewalReq1 { 161 t.Fatalf("bad: expected: %#v, actual: %#v", renewalReq1, req) 162 } 163 if err := c.heap.Update(req, now.Add(80*time.Second)); err != nil { 164 t.Fatal(err) 165 } 166 167 req, _ = c.nextRenewal() 168 if req != renewalReq3 { 169 t.Fatalf("bad: expected: %#v, actual: %#v", renewalReq3, req) 170 } 171 if err := c.heap.Update(req, now.Add(90*time.Second)); err != nil { 172 t.Fatal(err) 173 } 174 175 if err := c.StopRenewToken("id1"); err != nil { 176 t.Fatal(err) 177 } 178 179 if err := c.StopRenewToken("id2"); err != nil { 180 t.Fatal(err) 181 } 182 183 if err := c.StopRenewToken("id3"); err != nil { 184 t.Fatal(err) 185 } 186 187 if c.isTracked("id1") { 188 t.Fatalf("id1 should not have been tracked") 189 } 190 191 if c.isTracked("id1") { 192 t.Fatalf("id1 should not have been tracked") 193 } 194 195 if c.isTracked("id1") { 196 t.Fatalf("id1 should not have been tracked") 197 } 198 199 } 200 201 func TestVaultClient_RenewNonRenewableLease(t *testing.T) { 202 t.Parallel() 203 v := testutil.NewTestVault(t) 204 defer v.Stop() 205 206 logger := testlog.Logger(t) 207 v.Config.ConnectionRetryIntv = 100 * time.Millisecond 208 v.Config.TaskTokenTTL = "4s" 209 c, err := NewVaultClient(v.Config, logger, nil) 210 if err != nil { 211 t.Fatalf("failed to build vault client: %v", err) 212 } 213 214 c.Start() 215 defer c.Stop() 216 217 // Sleep a little while to ensure that the renewal loop is active 218 time.Sleep(time.Duration(testutil.TestMultiplier()) * time.Second) 219 220 tcr := &vaultapi.TokenCreateRequest{ 221 Policies: []string{"foo", "bar"}, 222 TTL: "2s", 223 DisplayName: "derived-for-task", 224 Renewable: new(bool), 225 } 226 227 c.client.SetToken(v.Config.Token) 228 229 if err := c.client.SetAddress(v.Config.Addr); err != nil { 230 t.Fatal(err) 231 } 232 233 secret, err := c.client.Auth().Token().Create(tcr) 234 if err != nil { 235 t.Fatalf("failed to create vault token: %v", err) 236 } 237 238 if secret == nil || secret.Auth == nil || secret.Auth.ClientToken == "" { 239 t.Fatal("failed to derive a wrapped vault token") 240 } 241 242 _, err = c.RenewToken(secret.Auth.ClientToken, secret.Auth.LeaseDuration) 243 if err == nil { 244 t.Fatalf("expected error, got nil") 245 } else if !strings.Contains(err.Error(), "lease is not renewable") { 246 t.Fatalf("expected \"%s\" in error message, got \"%v\"", "lease is not renewable", err) 247 } 248 } 249 250 func TestVaultClient_RenewNonexistentLease(t *testing.T) { 251 t.Parallel() 252 v := testutil.NewTestVault(t) 253 defer v.Stop() 254 255 logger := testlog.Logger(t) 256 v.Config.ConnectionRetryIntv = 100 * time.Millisecond 257 v.Config.TaskTokenTTL = "4s" 258 c, err := NewVaultClient(v.Config, logger, nil) 259 if err != nil { 260 t.Fatalf("failed to build vault client: %v", err) 261 } 262 263 c.Start() 264 defer c.Stop() 265 266 // Sleep a little while to ensure that the renewal loop is active 267 time.Sleep(time.Duration(testutil.TestMultiplier()) * time.Second) 268 269 c.client.SetToken(v.Config.Token) 270 271 if err := c.client.SetAddress(v.Config.Addr); err != nil { 272 t.Fatal(err) 273 } 274 275 _, err = c.RenewToken(c.client.Token(), 10) 276 if err == nil { 277 t.Fatalf("expected error, got nil") 278 } else if !strings.Contains(err.Error(), "lease not found") { 279 t.Fatalf("expected \"%s\" in error message, got \"%v\"", "lease not found", err) 280 } 281 }