Beispiel #1
        /// <summary>
        /// Saves a uniquely named token role, creates a token against it on a dedicated Vault
        /// connection, and checks that the connection keeps the new token's ID once assigned.
        /// </summary>
        public async Task CreateToken()
        {
            // A dedicated connection is used because this test overwrites the connection's token.
            VaultAgentAPI ourVault = await VaultServerRef.ConnectVault("TokenTest");
            var ourTokenAuthEngine = (TokenAuthEngine)ourVault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);

            // The token is issued against a role, so save one with a unique name first.
            var tokenRole = new TokenRole { Name = UK.GetKey() };
            await ourTokenAuthEngine.SaveTokenRole(tokenRole);

            // NOTE(review): NoParentToken presumably maps to Vault's orphan-token option. A token
            // without a parent is not cleaned up when its creator is revoked, so the use limit
            // below (and any TTL coming from the role) is what bounds its lifetime - confirm.
            string generatedName = "Name" + tokenRole.Name;
            var tokenNewSettings = new TokenNewSettings();
            tokenNewSettings.Name          = generatedName;
            tokenNewSettings.NumberOfUses  = 6;
            tokenNewSettings.NoParentToken = true;
            tokenNewSettings.RoleName      = tokenRole.Name;

            Token token = await ourTokenAuthEngine.CreateToken(tokenNewSettings);
            Assert.NotNull(token, "A10:  Expected to receive the new token back, instead we received a null value.");

            // A20 repeats the null check on the same object; no second read from Vault happens here.
            Assert.IsNotNull(token, "A20: No Token returned.  Was expecting one.");

            // Switch the connection to the new token and verify the ID round-trips through the property.
            ourVault.TokenID = token.ID;
            Assert.AreEqual(ourVault.TokenID, token.ID, "A30: Vault did not store token correctly");
        }
Beispiel #2
        /// <summary>
        /// Connects to Vault and stores both the connection and its token authentication
        /// engine in the fixture members <c>vault</c> and <c>_tokenAuthEngine</c>.
        /// </summary>
        public async Task TokenEngineSetup()
        {
            vault = await VaultServerRef.ConnectVault("TokenEng");

            // The backend is returned as a base type; the cast throws if it is not the token engine.
            var tokenBackend = vault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);
            _tokenAuthEngine = (TokenAuthEngine)tokenBackend;
        }
Beispiel #3
        /// <summary>
        /// Verifies that assigning a new token to the Vault connection changes the credential the
        /// connection actually authenticates with: the active token reported after the swap must be
        /// the new one and must differ from the original.
        /// </summary>
        /// <remarks>
        /// This guards against a connection that keeps sending a stale token after rotation.
        /// NOTE(review): <c>vault</c> is a fixture member and is left authenticated with the
        /// short-lived, use-limited token created here; confirm no later test relies on it.
        /// </remarks>
        public async Task ChangingToken_ChangesHTTPHeaders()
        {
            // Token the connection is using before the swap.
            Token originalToken = await vault.RefreshActiveToken();

            // Issue a replacement token with a 60 second max TTL and a 14-use limit.
            var tokenEngine = (TokenAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);
            var replacementSettings = new TokenNewSettings
            {
                Name         = "NewToken",
                MaxTTL       = "60s",
                NumberOfUses = 14
            };
            Token replacementToken = await tokenEngine.CreateToken(replacementSettings);

            Assert.NotNull(replacementToken, "A1:  Created a token, expected it to not be null.");
            Assert.AreNotEqual(originalToken.ID, replacementToken.ID);

            // Swap the connection over to the replacement.
            vault.Token = replacementToken;

            // Asking Vault for the active token forces a request authenticated with the new token.
            Token activeToken = await vault.RefreshActiveToken();

            Assert.AreEqual(replacementToken.ID, activeToken.ID);
            Assert.AreNotEqual(originalToken.ID, activeToken.ID);
        }
Beispiel #4
        /// <summary>
        /// Builds two KV2 secret engines for a permission test: one whose token carries
        /// <paramref name="policyWithPermission"/> and a control whose token carries only "default".
        /// </summary>
        /// <param name="policyWithPermission">Name of the policy added to the token for the positive case.</param>
        /// <returns>
        /// <c>engKV2OK</c> is bound to the token holding the policy; <c>engKV2FAIL</c> is bound to
        /// the control token without it.
        /// </returns>
        /// <remarks>
        /// The control engine is what lets a caller prove that access is denied without the policy,
        /// not merely that it is granted with it.
        /// </remarks>
        private async Task <(KV2SecretEngine engKV2OK, KV2SecretEngine engKV2FAIL)> SetupTokenEngines(string policyWithPermission)
        {
            // Token engine on the fixture's own connection, used only to mint the two tokens.
            var tokenEng = (TokenAuthEngine)_vaultAgentAPI.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);

            // Token A: carries the policy under test.
            var grantedSettings = new TokenNewSettings();
            grantedSettings.Policies.Add(policyWithPermission);
            Token grantedToken = await tokenEng.CreateToken(grantedSettings);

            // Token B: control token, "default" policy only.
            var controlSettings = new TokenNewSettings();
            controlSettings.Policies.Add("default");
            Token controlToken = await tokenEng.CreateToken(controlSettings);

            // One Vault connection per token so every request is authenticated as that token.
            VaultAgentAPI grantedVault = await VaultServerRef.ConnectVault("OKVault", grantedToken.ID);
            VaultAgentAPI controlVault = await VaultServerRef.ConnectVault("FailVault", controlToken.ID);

            // Register both connections with the fixture's list.
            _vaultAgents.Add(grantedVault);
            _vaultAgents.Add(controlVault);

            // Same backend name and mount for both; only the token differs.
            var grantedEngine = (KV2SecretEngine)grantedVault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beName, _beName);
            var controlEngine = (KV2SecretEngine)controlVault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beName, _beName);

            return (grantedEngine, controlEngine);
        }
Beispiel #5
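        /// <summary>
        /// Sets up this Vault connection object: stores the name and URI, clears the access token ID,
        /// creates empty secret and authentication backend dictionaries, builds the HTTP connector
        /// and connects to the token authentication backend.
        /// </summary>
        /// <param name="name">Value assigned to <c>Name</c>.</param>
        /// <param name="vaultUri">Address of the Vault server; assigned to <c>Uri</c> and passed to the HTTP connector.</param>
        /// <exception cref="ApplicationException">
        /// Thrown when connector creation or the token backend connection fails with an inner
        /// exception whose message starts with "No connection". The original exception is attached
        /// as <see cref="Exception.InnerException"/>.
        /// </exception>
        /// <remarks>
        /// NOTE(review): the scheme of <paramref name="vaultUri"/> is not checked here. If the
        /// connector sends the Vault token with each request, a plain http URI exposes it on the
        /// network; callers should pass an https URI outside local test setups - confirm whether
        /// VaultAPI_Http enforces this.
        /// </remarks>
        public void Initialize(string name, Uri vaultUri)
        {
            Name = name;
            Uri  = vaultUri;

            // No token is known yet.
            _vaultAccessTokenID = string.Empty;

            // Create the Secret Backend list.
            _secretBackends = new Dictionary <string, VaultSecretBackend>();

            // Create the Authentication backends Dictionary
            _authenticationBackends = new Dictionary <string, VaultAuthenticationBackend>();

            try
            {
                // Create HTTP Connector object
                _httpConnector = new VaultAPI_Http(vaultUri);

                // Establish a connection to the token backend.
                _tokenEngine = (TokenAuthEngine)ConnectAuthenticationBackend(EnumBackendTypes.A_Token);
            }
            // The filter translates only the "No connection" case. Every other exception is left
            // uncaught so it propagates with its original stack trace (the previous "throw e;"
            // reset it). Ordinal comparison: the prefix is a fixed, non-linguistic marker.
            catch (Exception e) when (e.InnerException?.Message?.StartsWith("No connection", StringComparison.Ordinal) == true)
            {
                // Keep the underlying failure attached so the root cause is not lost to callers and logs.
                throw new ApplicationException("Unable to establish connection to remote Vault Server.", e);
            }
        }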
Beispiel #6
        /// <summary>
        /// Creates a parent token, creates three child tokens while authenticated as that parent,
        /// revokes the parent, and checks that the parent is gone while all three children still
        /// exist and are flagged as orphans.
        /// </summary>
        /// <remarks>
        /// The children remain usable credentials after the parent is revoked in this mode, so
        /// revoking a token this way does not cut off the tokens it issued.
        /// NOTE(review): the <c>false</c> passed to RevokeToken presumably selects "do not revoke
        /// children" - confirm against the RevokeToken signature.
        /// </remarks>
        public async Task RevokeTokenWithChildren_ChildrenOrphaned()
        {
            // Parent token with a unique name.
            string tokenName = UK.GetKey("ParentOrp");
            var tokenNewSettings = new TokenNewSettings();
            tokenNewSettings.Name = tokenName;

            Token parent = await _tokenAuthEngine.CreateToken(tokenNewSettings);
            Assert.NotNull(parent, "A1:  Error creating the parent token - expected to receive the new token back, instead we received a null value.");

            // Connect as the parent so that tokens created below become its children.
            VaultAgentAPI parentVault = await VaultServerRef.ConnectVault("TokenAuth2", parent.ID);
            var childEngine = (TokenAuthEngine)parentVault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);

            // Child 1 reuses the settings object unchanged, so it has the same name as the parent.
            Token token1 = await childEngine.CreateToken(tokenNewSettings);
            Assert.NotNull(token1, "A2:  Error creating a new token - expected to receive the new token back, instead we received a null value.");

            // Child 2.
            tokenNewSettings.Name = "Token2";
            Token token2 = await childEngine.CreateToken(tokenNewSettings);
            Assert.NotNull(token2, "A3:  Error creating a new token - expected to receive the new token back, instead we received a null value.");

            // Child 3.
            tokenNewSettings.Name = "Token3";
            Token token3 = await childEngine.CreateToken(tokenNewSettings);
            Assert.NotNull(token3, "A4:  Error creating a new token - expected to receive the new token back, instead we received a null value.");

            // Revoke the parent using the fixture's engine, not the parent's own connection.
            bool revoked = await _tokenAuthEngine.RevokeToken(parent.ID, false);
            Assert.IsTrue(revoked, "A5:  Revocation of parent token was not successful.");

            Token parentAfterRevoke = await _tokenAuthEngine.GetTokenWithID(parent.ID);
            Assert.IsNull(parentAfterRevoke, "A6:  The parent token should have been revoked.  But it still exists.");

            // The children must have survived the revocation and must now be orphans.
            Token child1AfterRevoke = await _tokenAuthEngine.GetTokenWithID(token1.ID);
            Token child2AfterRevoke = await _tokenAuthEngine.GetTokenWithID(token2.ID);
            Token child3AfterRevoke = await _tokenAuthEngine.GetTokenWithID(token3.ID);

            Assert.IsNotNull(child1AfterRevoke, "A7:  Expected the child token to still exist.  But it is null");
            Assert.IsNotNull(child2AfterRevoke, "A8:  Expected the child token to still exist.  But it is null");
            Assert.IsNotNull(child3AfterRevoke, "A9:  Expected the child token to still exist.  But it is null");
            Assert.IsTrue(child1AfterRevoke.IsOrphan, "A10: Expected token to be marked as an orphan.");
            Assert.IsTrue(child2AfterRevoke.IsOrphan, "A11: Expected token to be marked as an orphan.");
            Assert.IsTrue(child3AfterRevoke.IsOrphan, "A12: Expected token to be marked as an orphan.");
        }
        /// <summary>
        /// Creates a role-backed token on one Vault connection, then logs in with that token's ID
        /// through a <c>TokenLoginConnector</c> on a second, separate connection.
        /// </summary>
        public async Task NormalLogin()
        {
            // A dedicated connection is used for issuing the token.
            VaultAgentAPI ourVault = await VaultServerRef.ConnectVault("TokenTest");
            var ourTokenAuthEngine = (TokenAuthEngine)ourVault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);

            // The token is issued against a role, so save one with a unique name first.
            var tokenRole    = new TokenRole();
            var keyGenerator = new UniqueKeys("", "");
            tokenRole.Name = keyGenerator.GetKey();
            await ourTokenAuthEngine.SaveTokenRole(tokenRole);

            // NOTE(review): NoParentToken presumably maps to Vault's orphan-token option, which
            // leaves the use limit below (and any TTL from the role) as the bound on the token's
            // lifetime - confirm against TokenNewSettings.
            string generatedName = "Name" + tokenRole.Name;
            var tokenNewSettings = new TokenNewSettings();
            tokenNewSettings.Name          = generatedName;
            tokenNewSettings.NumberOfUses  = 6;
            tokenNewSettings.NoParentToken = true;
            tokenNewSettings.RoleName      = tokenRole.Name;

            Token token = await ourTokenAuthEngine.CreateToken(tokenNewSettings);
            Assert.NotNull(token, "A10:  Expected to receive the new token back, instead we received a null value.");

            // A20 repeats the null check on the same object; no second read from Vault happens here.
            Assert.IsNotNull(token, "A20: No Token returned.  Was expecting one.");

            // Log in on a second connection using only the token ID.
            VaultAgentAPI vault2 = await VaultServerRef.ConnectVault("TokenLoginTest");
            var loginConnector = new TokenLoginConnector(vault2, "test");
            loginConnector.TokenId = token.ID;

            bool loggedIn = await loginConnector.Connect();
            Assert.IsTrue(loggedIn, "A30:  Login Failed");
        }
 /// <summary>
 /// Builds a connector that logs in to Vault with an existing token.
 /// </summary>
 /// <param name="vaultAgent">Vault instance to connect to; also used to construct the connector's token engine.</param>
 /// <param name="description">Descriptive name for this connector, forwarded to the base constructor.</param>
 /// <param name="tokenId">ID of the token to log in with; stored in <c>TokenId</c>.</param>
 /// <param name="authenticatorMountName">
 /// Mount name of the Vault token backend, forwarded to the base constructor.
 /// Defaults to <c>TokenAuthEngine.TOKEN_DEFAULT_MOUNT_NAME</c>.
 /// </param>
 /// <remarks>
 /// The token ID is the value the connector authenticates with, so handle it as a secret:
 /// keep it out of <paramref name="description"/> and out of log output.
 /// </remarks>
 public TokenLoginConnector(
     VaultAgentAPI vaultAgent,
     string description,
     string tokenId,
     string authenticatorMountName = TokenAuthEngine.TOKEN_DEFAULT_MOUNT_NAME)
     : base(vaultAgent, authenticatorMountName, description)
 {
     // The engine is created before the token ID is assigned, as in the original order.
     _tokenAuthEngine = new TokenAuthEngine(vaultAgent);
     TokenId = tokenId;
 }