Fix tests

hashicorp · Jul 5, 2019 · d7df2b2 · d7df2b2
1 parent 732d3b5
commit d7df2b2
Show file tree

Hide file tree

Showing 8 changed files with 182 additions and 231 deletions.
diff --git a/http/handler.go b/http/handler.go
@@ -308,7 +308,7 @@ func wrappingVerificationFunc(ctx context.Context, core *vault.Core, req *logica
 		return errwrap.Wrapf("error validating wrapping token: {{err}}", err)
 	}
 	if !valid {
-		return fmt.Errorf("wrapping token is not valid or does not exist")
+		return consts.ErrInvalidWrappingToken
 	}
 
 	return nil

diff --git a/http/logical.go b/http/logical.go
@@ -217,6 +217,7 @@ func handleLogicalInternal(core *vault.Core, injectDataIntoTopLevel bool) http.H
 					} else {
 						respondError(w, http.StatusBadRequest, err)
 					}
+					return
 				}
 
 			// The -self paths have no meaning outside of the token NS, so

diff --git a/http/logical_test.go b/http/logical_test.go
@@ -2,6 +2,7 @@ package http
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"io"
 	"io/ioutil"
@@ -16,6 +17,7 @@ import (
 	"github.com/go-test/deep"
 	log "github.com/hashicorp/go-hclog"
 
+	"github.com/hashicorp/vault/audit"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/logging"
@@ -347,3 +349,91 @@ func TestLogical_RespondWithStatusCode(t *testing.T) {
 		t.Fatalf("bad response: %s", string(bodyRaw[:]))
 	}
 }
+
+func TestLogical_Audit_invalidWrappingToken(t *testing.T) {
+	// Create a noop audit backend
+	var noop *vault.NoopAudit
+	c, _, root := vault.TestCoreUnsealedWithConfig(t, &vault.CoreConfig{
+		AuditBackends: map[string]audit.Factory{
+			"noop": func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
+				noop = &vault.NoopAudit{
+					Config: config,
+				}
+				return noop, nil
+			},
+		},
+	})
+	ln, addr := TestServer(t, c)
+	defer ln.Close()
+
+	// Enable the audit backend
+
+	resp := testHttpPost(t, root, addr+"/v1/sys/audit/noop", map[string]interface{}{
+		"type": "noop",
+	})
+	testResponseStatus(t, resp, 204)
+
+	{
+		// Make a wrapping/unwrap request with an invalid token
+		resp := testHttpPost(t, root, addr+"/v1/sys/wrapping/unwrap", map[string]interface{}{
+			"token": "foo",
+		})
+		testResponseStatus(t, resp, 400)
+		body := map[string][]string{}
+		testResponseBody(t, resp, &body)
+		if body["errors"][0] != "wrapping token is not valid or does not exist" {
+			t.Fatal(body)
+		}
+
+		// Check the audit trail on request and response
+		if len(noop.ReqAuth) != 1 {
+			t.Fatalf("bad: %#v", noop)
+		}
+		auth := noop.ReqAuth[0]
+		if auth.ClientToken != root {
+			t.Fatalf("bad client token: %#v", auth)
+		}
+		if len(noop.Req) != 1 || noop.Req[0].Path != "sys/wrapping/unwrap" {
+			t.Fatalf("bad:\ngot:\n%#v", noop.Req[0])
+		}
+
+		if len(noop.ReqErrs) != 1 {
+			t.Fatalf("bad: %#v", noop.RespErrs)
+		}
+		if noop.ReqErrs[0] != consts.ErrInvalidWrappingToken {
+			t.Fatalf("bad: %#v", noop.ReqErrs)
+		}
+	}
+
+	{
+		// Make a wrapping/unwrap request with an invalid token
+		resp := testHttpPost(t, root, addr+"/v1/sys/wrapping/unwrap", map[string]interface{}{
+			"token": "foo",
+		})
+		testResponseStatus(t, resp, 400)
+		body := map[string][]string{}
+		testResponseBody(t, resp, &body)
+		if body["errors"][0] != "wrapping token is not valid or does not exist" {
+			t.Fatal(body)
+		}
+
+		// Check the audit trail on request and response
+		if len(noop.ReqAuth) != 2 {
+			t.Fatalf("bad: %#v", noop)
+		}
+		auth := noop.ReqAuth[1]
+		if auth.ClientToken != root {
+			t.Fatalf("bad client token: %#v", auth)
+		}
+		if len(noop.Req) != 2 || noop.Req[1].Path != "sys/wrapping/unwrap" {
+			t.Fatalf("bad:\ngot:\n%#v", noop.Req[1])
+		}
+
+		if len(noop.ReqErrs) != 2 {
+			t.Fatalf("bad: %#v", noop.RespErrs)
+		}
+		if noop.ReqErrs[1] != consts.ErrInvalidWrappingToken {
+			t.Fatalf("bad: %#v", noop.ReqErrs)
+		}
+	}
+}
diff --git a/vault/audit_test.go b/vault/audit_test.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"reflect"
 	"strings"
-	"sync"
 	"testing"
 	"time"
 
@@ -18,93 +17,10 @@ import (
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/helper/logging"
-	"github.com/hashicorp/vault/sdk/helper/salt"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/mitchellh/copystructure"
 )
 
-type NoopAudit struct {
-	Config         *audit.BackendConfig
-	ReqErr         error
-	ReqAuth        []*logical.Auth
-	Req            []*logical.Request
-	ReqHeaders     []map[string][]string
-	ReqNonHMACKeys []string
-	ReqErrs        []error
-
-	RespErr            error
-	RespAuth           []*logical.Auth
-	RespReq            []*logical.Request
-	Resp               []*logical.Response
-	RespNonHMACKeys    []string
-	RespReqNonHMACKeys []string
-	RespErrs           []error
-
-	salt      *salt.Salt
-	saltMutex sync.RWMutex
-}
-
-func (n *NoopAudit) LogRequest(ctx context.Context, in *logical.LogInput) error {
-	n.ReqAuth = append(n.ReqAuth, in.Auth)
-	n.Req = append(n.Req, in.Request)
-	n.ReqHeaders = append(n.ReqHeaders, in.Request.Headers)
-	n.ReqNonHMACKeys = in.NonHMACReqDataKeys
-	n.ReqErrs = append(n.ReqErrs, in.OuterErr)
-	return n.ReqErr
-}
-
-func (n *NoopAudit) LogResponse(ctx context.Context, in *logical.LogInput) error {
-	n.RespAuth = append(n.RespAuth, in.Auth)
-	n.RespReq = append(n.RespReq, in.Request)
-	n.Resp = append(n.Resp, in.Response)
-	n.RespErrs = append(n.RespErrs, in.OuterErr)
-
-	if in.Response != nil {
-		n.RespNonHMACKeys = in.NonHMACRespDataKeys
-		n.RespReqNonHMACKeys = in.NonHMACReqDataKeys
-	}
-
-	return n.RespErr
-}
-
-func (n *NoopAudit) Salt(ctx context.Context) (*salt.Salt, error) {
-	n.saltMutex.RLock()
-	if n.salt != nil {
-		defer n.saltMutex.RUnlock()
-		return n.salt, nil
-	}
-	n.saltMutex.RUnlock()
-	n.saltMutex.Lock()
-	defer n.saltMutex.Unlock()
-	if n.salt != nil {
-		return n.salt, nil
-	}
-	salt, err := salt.NewSalt(ctx, n.Config.SaltView, n.Config.SaltConfig)
-	if err != nil {
-		return nil, err
-	}
-	n.salt = salt
-	return salt, nil
-}
-
-func (n *NoopAudit) GetHash(ctx context.Context, data string) (string, error) {
-	salt, err := n.Salt(ctx)
-	if err != nil {
-		return "", err
-	}
-	return salt.GetIdentifiedHMAC(data), nil
-}
-
-func (n *NoopAudit) Reload(ctx context.Context) error {
-	return nil
-}
-
-func (n *NoopAudit) Invalidate(ctx context.Context) {
-	n.saltMutex.Lock()
-	defer n.saltMutex.Unlock()
-	n.salt = nil
-}
-
 func TestAudit_ReadOnlyViewDuringMount(t *testing.T) {
 	c, _, _ := TestCoreUnsealed(t)
 	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {

diff --git a/vault/core_test.go b/vault/core_test.go
@@ -904,150 +904,6 @@ func TestCore_HandleRequest_AuditTrail_noHMACKeys(t *testing.T) {
 	}
 }
 
-func TestCore_HandleRequest_AuditTrail_invalidWrappingToken(t *testing.T) {
-	// Create a noop audit backend
-	var noop *NoopAudit
-	c, _, root := TestCoreUnsealed(t)
-	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
-		noop = &NoopAudit{
-			Config: config,
-		}
-		return noop, nil
-	}
-
-	// Enable the audit backend
-	req := logical.TestRequest(t, logical.UpdateOperation, "sys/audit/noop")
-	req.Data["type"] = "noop"
-	req.ClientToken = root
-	_, err := c.HandleRequest(namespace.RootContext(nil), req)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	{
-		// Make a wrapping/unwrap request with an invalid token
-		req := &logical.Request{
-			Operation: logical.UpdateOperation,
-			Path:      "sys/wrapping/unwrap",
-			Data: map[string]interface{}{
-				"token": "foo",
-			},
-			ClientToken: root,
-		}
-		resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-		if err == nil {
-			t.Fatal("expected invalid request error")
-		}
-
-		// Check the audit trail on request and response
-		if len(noop.ReqAuth) != 1 {
-			t.Fatalf("bad: %#v", noop)
-		}
-		auth := noop.ReqAuth[0]
-		if auth.ClientToken != root {
-			t.Fatalf("bad client token: %#v", auth)
-		}
-		if len(noop.Req) != 1 || !reflect.DeepEqual(req, noop.Req[0]) {
-			t.Fatalf("bad:\nexpected:\n%#v\ngot:\n%#v", req, noop.Req[0])
-		}
-
-		if len(noop.RespAuth) != 2 {
-			t.Fatalf("bad: %#v", noop)
-		}
-		if !reflect.DeepEqual(auth, noop.RespAuth[1]) {
-			t.Fatalf("bad:\nexpected:\n%#v\ngot:\n%#v", auth, noop.RespAuth[1])
-		}
-		if len(noop.RespReq) != 2 || !reflect.DeepEqual(req, noop.RespReq[1]) {
-			t.Fatalf("bad:\nexpected:\n%#v\ngot:\n%#v", req, noop.RespReq[1])
-		}
-		if len(noop.Resp) != 2 || !reflect.DeepEqual(resp, noop.Resp[1]) {
-			t.Fatalf("bad:\nexpected:\n%#v\ngot:\n%#v", resp, noop.Resp[1])
-		}
-	}
-
-	{
-		// Make a wrapping/rewrap request with an invalid token
-		req := &logical.Request{
-			Operation: logical.UpdateOperation,
-			Path:      "sys/wrapping/rewrap",
-			Data: map[string]interface{}{
-				"token": "foo",
-			},
-			ClientToken: root,
-		}
-		resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-		if err == nil {
-			t.Fatal("expected invalid request error")
-		}
-
-		// Check the audit trail on request and response
-		if len(noop.ReqAuth) != 2 {
-			t.Fatalf("bad: %#v", noop)
-		}
-		auth := noop.ReqAuth[1]
-		if auth.ClientToken != root {
-			t.Fatalf("bad client token: %#v", auth)
-		}
-		if len(noop.Req) != 2 || !reflect.DeepEqual(req, noop.Req[1]) {
-			t.Fatalf("bad:\nexpected:\n%#v\ngot:\n%#v", req, noop.Req[1])
-		}
-
-		if len(noop.RespAuth) != 3 {
-			t.Fatalf("bad: %#v", noop)
-		}
-		if !reflect.DeepEqual(auth, noop.RespAuth[2]) {
-			t.Fatalf("bad:\nexpected:\n%#v\ngot:\n%#v", auth, noop.RespAuth[2])
-		}
-		if len(noop.RespReq) != 3 || !reflect.DeepEqual(req, noop.RespReq[2]) {
-			t.Fatalf("bad:\nexpected:\n%#v\ngot:\n%#v", req, noop.RespReq[2])
-		}
-		if len(noop.Resp) != 3 || !reflect.DeepEqual(resp, noop.Resp[2]) {
-			t.Fatalf("bad:\nexpected:\n%#v\ngot:\n%#v", resp, noop.Resp[2])
-		}
-	}
-
-	{
-		// Make a wrapping/lookup request with an invalid token
-		req := &logical.Request{
-			Operation: logical.UpdateOperation,
-			Path:      "sys/wrapping/lookup",
-			Data: map[string]interface{}{
-				"token": "foo",
-			},
-			ClientToken: root,
-		}
-		resp, err := c.HandleRequest(namespace.RootContext(nil), req)
-		if err == nil {
-			t.Fatal("expected invalid request error")
-		}
-
-		// Check the audit trail on request and response
-		if len(noop.ReqAuth) != 3 {
-			t.Fatalf("bad: %#v", noop)
-		}
-		auth := noop.ReqAuth[2]
-		if auth.ClientToken != root {
-			t.Fatalf("bad client token: %#v", auth)
-		}
-		if len(noop.Req) != 3 || !reflect.DeepEqual(req, noop.Req[2]) {
-			t.Fatalf("bad:\nexpected:\n%#v\ngot:\n%#v", req, noop.Req[2])
-		}
-
-		if len(noop.RespAuth) != 4 {
-			t.Fatalf("bad: %#v", noop)
-		}
-		if !reflect.DeepEqual(auth, noop.RespAuth[3]) {
-			t.Fatalf("bad:\nexpected:\n%#v\ngot:\n%#v", auth, noop.RespAuth[3])
-		}
-		if len(noop.RespReq) != 4 || !reflect.DeepEqual(req, noop.RespReq[3]) {
-			t.Fatalf("bad:\nexpected:\n%#v\ngot:\n%#v", req, noop.RespReq[3])
-		}
-		if len(noop.Resp) != 4 || !reflect.DeepEqual(resp, noop.Resp[3]) {
-			t.Fatalf("bad:\nexpected:\n%#v\ngot:\n%#v", resp, noop.Resp[3])
-		}
-	}
-}
-
 func TestCore_HandleLogin_AuditTrail(t *testing.T) {
 	// Create a badass credential backend that always logs in as armon
 	noop := &NoopAudit{}

diff --git a/vault/request_handling.go b/vault/request_handling.go
@@ -907,6 +907,8 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (retResp *logical.Response, retAuth *logical.Auth, retErr error) {
 	defer metrics.MeasureSince([]string{"core", "handle_login_request"}, time.Now())
 
+	req.Unauthenticated = true
+
 	var nonHMACReqDataKeys []string
 	entry := c.router.MatchingMountEntry(ctx, req.Path)
 	if entry != nil {
@@ -916,8 +918,6 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 		}
 	}
 
-	req.Unauthenticated = true
-
 	// Do an unauth check. This will cause EGP policies to be checked
 	var auth *logical.Auth
 	var ctErr error