public async Task CreateTokenWithSettingsObject()
{
string tokenID = UK.GetKey("token");
int numUses = 19;
string tokenName = "Name" + tokenID.ToString();
bool parent = true;
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
ID = tokenID,
Name = tokenName,
NumberOfUses = numUses,
NoParentToken = parent
};
Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(token, "A1: Expected to receive the new token back, instead we received a null value.");
//Assert.True(await _tokenAuthEngine.CreateToken(tokenNewSettings));
// Read the token we just created.
//Token token = await _tokenAuthEngine.GetTokenWithID(tokenID);
Assert.IsNotNull(token, "M1: No Token returned. Was expecting one.");
// Vault seems to prepend the auth backends name to the display name.
Assert.AreEqual("token-" + tokenName, token.DisplayName, "M2: Token names are not equal");
Assert.AreEqual(tokenID, token.ID, "M3: Token ID's are not equal");
Assert.AreEqual(numUses, token.NumberOfUses, "M4: Token number of uses are not equal");
Assert.AreEqual(parent, token.IsOrphan, "M5: Token parent setting is not the same as IsOrphan");
}
public async Task RevokeSelfTokenSucceeds()
{
VaultAgentAPI v1 = await VaultServerRef.ConnectVault("TempVault");
//new VaultAgentAPI("TempVault", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken);
string tokenName = UK.GetKey("tmpTok");
// Create a new token.
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
Name = tokenName,
};
Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(token, "A1: Error creating a new token - expected to receive the new token back, instead we received a null value.");
// Now set vault to use the new token.
v1.Token = token;
Assert.AreNotEqual(VaultServerRef.rootToken, token.ID, "A2: Expected the Vault object to have a different token. But was still set at initial token.");
// And then revoke.
Assert.IsTrue(await v1.RevokeActiveToken());
Assert.IsNull(v1.Token);
// Now try and reset the Vault to use the old token. It should fail.
v1.Token = token;
Assert.ThrowsAsync <VaultForbiddenException> (async() => await v1.RefreshActiveToken());
}
public async Task CreateToken()
{
// SETUP
// We need our own vault since we will be manipulating the token value
VaultAgentAPI ourVault = await VaultServerRef.ConnectVault("TokenTest");
TokenAuthEngine ourTokenAuthEngine = (TokenAuthEngine)ourVault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);
// Need a Token Role so we can autogenerate a token
TokenRole tokenRole = new TokenRole();
tokenRole.Name = UK.GetKey();
await ourTokenAuthEngine.SaveTokenRole(tokenRole);
string tokenName = "Name" + tokenRole.Name;
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
Name = tokenName,
NumberOfUses = 6,
NoParentToken = true,
RoleName = tokenRole.Name
};
Token token = await ourTokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(token, "A10: Expected to receive the new token back, instead we received a null value.");
// Read the token we just created.
//Token token = await _tokenAuthEngine.GetTokenWithID(tokenID);
Assert.IsNotNull(token, "A20: No Token returned. Was expecting one.");
ourVault.TokenID = token.ID;
Assert.AreEqual(ourVault.TokenID, token.ID, "A30: Vault did not store token correctly");
}
public async Task RenewToken_Success()
{
string tokenID = UK.GetKey("tok");
int numUses = 19;
string tokenName = "Name" + tokenID.ToString();
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
ID = tokenID,
Name = tokenName,
NumberOfUses = numUses,
IsRenewable = true,
RenewalPeriod = "1800"
};
Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(token, "A1: Error creating a new token - expected to receive the new token back, instead we received a null value.");
// Vault seems to prepend the auth backends name to the display name.
Assert.AreEqual("token-" + tokenName, token.DisplayName, "M2: Token names are not equal");
Assert.AreEqual(tokenID, token.ID, "M3: Token ID's are not equal");
Assert.AreEqual(numUses, token.NumberOfUses, "M4: Token number of uses are not equal");
Assert.IsTrue(token.IsRenewable);
// Renew token
//TODO - is this correct test?
bool result = await _tokenAuthEngine.RenewToken(token.ID);
Assert.IsTrue(result, "Token was unable to be renewed.");
}
public async Task AccessTokenViaInvalidAccessor_Fails()
{
string tokenID = UK.GetKey("tokenAcc");
int numUses = 19;
string tokenName = "N" + tokenID.ToString();
bool parent = true;
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
ID = tokenID,
Name = tokenName,
NumberOfUses = numUses,
NoParentToken = parent
};
Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(token, "A1: Error creating a new token - expected to receive the new token back, instead we received a null value.");
string tDisplayName = "token-" + tokenName;
Assert.AreEqual(tDisplayName, token.DisplayName, "M3: Token Display name is not what was expected. Expected {0}, but got {1}", tDisplayName, token.DisplayName);
// Now try and retrieve via the accessor.
Token tokenAcc = await _tokenAuthEngine.GetTokenViaAccessor("z");
Assert.IsNull(tokenAcc, "M3: Expected to receive a null token, but instead received a token");
}
public async Task CreateOrphanToken_WithSettingsObject()
{
string tokenID = UK.GetKey("otok");
int numUses = 19;
string tokenName = "Name" + tokenID.ToString();
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
ID = tokenID,
Name = tokenName,
NumberOfUses = numUses
};
Assert.IsNotNull(await _tokenAuthEngine.CreateOrphanToken(tokenNewSettings));
// Read the token we just created.
Token token = await _tokenAuthEngine.GetTokenWithID(tokenID);
Assert.IsNotNull(token, "M1: No Token returned. Was expecting one.");
// Vault seems to prepend the auth backends name to the display name.
Assert.AreEqual("token-" + tokenName, token.DisplayName, "M2: Token names are not equal");
Assert.AreEqual(tokenID, token.ID, "M3: Token ID's are not equal");
Assert.AreEqual(numUses, token.NumberOfUses, "M4: Token number of uses are not equal");
Assert.IsTrue(token.IsOrphan, "Was expecting the created token to have the IsOrphan property set to true. It was false instead.");
}
public async Task AccessTokenViaAccessor_Success()
{
string tokenID = UK.GetKey("tokenAcc");
int numUses = 19;
string tokenName = "N" + tokenID.ToString();
bool parent = true;
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
ID = tokenID,
Name = tokenName,
NumberOfUses = numUses,
NoParentToken = parent
};
Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(token, "A1: Error creating a new token - expected to receive the new token back, instead we received a null value.");
// Read the token we just created.
Assert.IsNotNull(token, "M2: No Token returned. Was expecting one.");
string tDisplayName = "token-" + tokenName;
Assert.AreEqual(tDisplayName, token.DisplayName, "M3: Token Display name is not what was expected. Expected {0}, but got {1}", tDisplayName, token.DisplayName);
// Now try and retrieve via the accessor.
Token tokenAcc = await _tokenAuthEngine.GetTokenViaAccessor(token.AccessorTokenID);
Assert.NotNull(tokenAcc, "M4: Token accessor did not find the token.");
Assert.AreEqual(token.DisplayName, tokenAcc.DisplayName, "M5: Token Accessor did not retrieve the correct token. Something bad happened.");
}
public async Task MetadataOnToken_IsSet()
{
string tokenID = UK.GetKey("token");
int numUses = 19;
string tokenName = "Name" + tokenID.ToString();
bool parent = true;
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
ID = tokenID,
Name = tokenName,
NumberOfUses = numUses,
NoParentToken = parent
};
tokenNewSettings.MetaData.Add("country", "US");
tokenNewSettings.MetaData.Add("state", "OH");
tokenNewSettings.MetaData.Add("Territory", "midwest");
Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(token, "A10: Expected to receive the new token back, instead we received a null value.");
// Read the token we just created.
//Token tokenNew = await _tokenAuthEngine.GetTokenWithID(tokenID);
Assert.IsNotNull(token, "A20: No Token returned. Was expecting one.");
Assert.AreEqual(tokenNewSettings.MetaData.Count, token.Metadata.Count);
CollectionAssert.AreEquivalent(tokenNewSettings.MetaData, token.Metadata, "A30: Was expected the Metadata dictionary on the token to be the same values as what we put in the TokenNewSettings object. They are different.");
}
public async Task ChangingToken_ChangesHTTPHeaders()
{
// Get current token:
Token currentToken = await vault.RefreshActiveToken();
// We will need to create a new token.
TokenAuthEngine _tokenAuthEngine = (TokenAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);
TokenNewSettings tokenNewSettings = new TokenNewSettings();
tokenNewSettings.Name = "NewToken";
tokenNewSettings.MaxTTL = "60s";
tokenNewSettings.NumberOfUses = 14;
Token newToken = await _tokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(newToken, "A1: Created a token, expected it to not be null.");
Assert.AreNotEqual(currentToken.ID, newToken.ID);
// Now set token.
vault.Token = newToken;
// Now retrieve the current token. This will force it to go back to the Vault instance with the new token. should be the same as newToken.
Token newCurrentToken = await vault.RefreshActiveToken();
Assert.AreEqual(newToken.ID, newCurrentToken.ID);
Assert.AreNotEqual(currentToken.ID, newCurrentToken.ID);
}
// Create the token engines for a successful test and then the control test.
private async Task <(KV2SecretEngine engKV2OK, KV2SecretEngine engKV2FAIL)> SetupTokenEngines(string policyWithPermission)
{
// Get connection to Token Engine so we can create tokens.
TokenAuthEngine tokenEng = (TokenAuthEngine)_vaultAgentAPI.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);
// AA - The token that will have the policy.
TokenNewSettings tokenASettings = new TokenNewSettings();
tokenASettings.Policies.Add(policyWithPermission);
Token tokenOK = await tokenEng.CreateToken(tokenASettings);
// AB - The token that will not have the policy.
TokenNewSettings tokenBSettings = new TokenNewSettings();
tokenBSettings.Policies.Add("default");
Token tokenFAIL = await tokenEng.CreateToken(tokenBSettings);
// AC - Create 2 Vault Instances that will use each Token.
VaultAgentAPI vaultOK = await VaultServerRef.ConnectVault("OKVault", tokenOK.ID);
VaultAgentAPI vaultFail = await VaultServerRef.ConnectVault("FailVault", tokenFAIL.ID);
//VaultAgentAPI vaultOK = new VaultAgentAPI("OKToken", _vaultAgentAPI.IP, _vaultAgentAPI.Port, tokenOK.ID);
//VaultAgentAPI vaultFail = new VaultAgentAPI("FAILToken", _vaultAgentAPI.IP, _vaultAgentAPI.Port, tokenFAIL.ID);
_vaultAgents.Add(vaultOK);
_vaultAgents.Add(vaultFail);
// AD - Create the KeyValue Engines for each Token
KV2SecretEngine engKV2OK = (KV2SecretEngine)vaultOK.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beName, _beName);
KV2SecretEngine engKV2FAIL = (KV2SecretEngine)vaultFail.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beName, _beName);
return(engKV2OK, engKV2FAIL);
}
public async Task RevokeTokenWithChildren_ChildrenOrphaned()
{
// Create a new token.
string tokenName = UK.GetKey("ParentOrp");
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
Name = tokenName,
};
Token parent = await _tokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(parent, "A1: Error creating the parent token - expected to receive the new token back, instead we received a null value.");
VaultAgentAPI v1 = await VaultServerRef.ConnectVault("TokenAuth2", parent.ID);
TokenAuthEngine TAE = (TokenAuthEngine)v1.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);
// Now create 3 child tokens.
Token token1 = await TAE.CreateToken(tokenNewSettings);
Assert.NotNull(token1, "A2: Error creating a new token - expected to receive the new token back, instead we received a null value.");
// Token 2.
tokenNewSettings.Name = "Token2";
Token token2 = await TAE.CreateToken(tokenNewSettings);
Assert.NotNull(token2, "A3: Error creating a new token - expected to receive the new token back, instead we received a null value.");
// Token 3.
tokenNewSettings.Name = "Token3";
Token token3 = await TAE.CreateToken(tokenNewSettings);
Assert.NotNull(token3, "A4: Error creating a new token - expected to receive the new token back, instead we received a null value.");
// Now revoke the Parent token.
Assert.IsTrue(await _tokenAuthEngine.RevokeToken(parent.ID, false), "A5: Revocation of parent token was not successful.");
Token parent2 = await _tokenAuthEngine.GetTokenWithID(parent.ID);
Assert.IsNull(parent2, "A6: The parent token should have been revoked. But it still exists.");
// Validate that each of the child tokens is revoked as well.
Token a1 = await _tokenAuthEngine.GetTokenWithID(token1.ID);
Token a2 = await _tokenAuthEngine.GetTokenWithID(token2.ID);
Token a3 = await _tokenAuthEngine.GetTokenWithID(token3.ID);
Assert.IsNotNull(a1, "A7: Expected the child token to still exist. But it is null");
Assert.IsNotNull(a2, "A8: Expected the child token to still exist. But it is null");
Assert.IsNotNull(a3, "A9: Expected the child token to still exist. But it is null");
Assert.IsTrue(a1.IsOrphan, "A10: Expected token to be marked as an orphan.");
Assert.IsTrue(a2.IsOrphan, "A11: Expected token to be marked as an orphan.");
Assert.IsTrue(a3.IsOrphan, "A12: Expected token to be marked as an orphan.");
}
/// <summary>
/// Creates an orphan token (a token with no parent)
/// </summary>
/// <param name="tokenSettings">A TokenNewSettings object with the options you would like the new token to have. </param>
/// <returns>True if token was created successfully.</returns>
public async Task <Token> CreateOrphanToken(TokenNewSettings tokenSettings)
{
string path = MountPointPath + "create-orphan";
string json = JsonConvert.SerializeObject(tokenSettings, Formatting.None);
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "CreateOrphanToken", json);
if (vdro.Success)
{
LoginResponse loginResponse = await vdro.GetDotNetObject <LoginResponse>("auth");
// Now read the token.back.
return(await this.GetTokenWithID(loginResponse.ClientToken));
}
throw new ApplicationException("TokenAuthEngine: CreateOrphanToken returned an unexpected error.");
}
public async Task NormalLogin()
{
// SETUP
// We need our own vault since we will be manipulating the token value
VaultAgentAPI ourVault = await VaultServerRef.ConnectVault("TokenTest");
TokenAuthEngine ourTokenAuthEngine = (TokenAuthEngine)ourVault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);
// Need a Token Role so we can autogenerate a token
TokenRole tokenRole = new TokenRole();
UniqueKeys UK = new UniqueKeys("", ""); // Unique Key generator
tokenRole.Name = UK.GetKey();
await ourTokenAuthEngine.SaveTokenRole(tokenRole);
string tokenName = "Name" + tokenRole.Name;
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
Name = tokenName,
NumberOfUses = 6,
NoParentToken = true,
RoleName = tokenRole.Name
};
Token token = await ourTokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(token, "A10: Expected to receive the new token back, instead we received a null value.");
// Read the token we just created.
//Token token = await _tokenAuthEngine.GetTokenWithID(tokenID);
Assert.IsNotNull(token, "A20: No Token returned. Was expecting one.");
VaultAgentAPI vault2 = await VaultServerRef.ConnectVault("TokenLoginTest");
TokenLoginConnector loginConnector = new TokenLoginConnector(vault2, "test");
loginConnector.TokenId = token.ID;
Assert.IsTrue(await loginConnector.Connect(), "A30: Login Failed");
}
/// <summary>
/// Creates a token that is a child of the calling token. Note, IF you do not specify any Policies, it will have the same policies as the token
/// being used to call this routine. This could mean it has root access! Best to always set at least 1 policy. Use default if you need.
/// </summary>
/// <param name="tokenSettings">A TokenNewSettings object with the options you would like the new token to have. </param>
/// <returns>True if token was created successfully.</returns>
public async Task <Token> CreateToken(TokenNewSettings tokenSettings)
{
string path = MountPointPath + "create";
string json = JsonConvert.SerializeObject(tokenSettings, Formatting.None);
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "CreateToken", json);
if (vdro.Success)
{
LoginResponse loginResponse = await vdro.GetDotNetObject <LoginResponse>("auth");
// Now read the token.back.
return(await this.GetTokenWithID(loginResponse.ClientToken));
}
else
{
return(null);
}
}
public async Task RenewTokenWithLease_Success()
{
string tokenID = UK.GetKey("tok");
int numUses = 19;
string tokenName = "Name" + tokenID.ToString();
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
ID = tokenID,
Name = tokenName,
NumberOfUses = numUses,
IsRenewable = true,
MaxTTL = "86400"
};
Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(token, "A1: Error creating a new token - expected to receive the new token back, instead we received a null value.");
// Vault seems to prepend the auth backends name to the display name.
Assert.AreEqual("token-" + tokenName, token.DisplayName, "M2: Token names are not equal");
Assert.AreEqual(tokenID, token.ID, "M3: Token ID's are not equal");
Assert.AreEqual(numUses, token.NumberOfUses, "M4: Token number of uses are not equal");
Assert.IsTrue(token.IsRenewable);
// Renew token
TimeUnit timeUnit12Hrs = new TimeUnit("12h");
bool result = await _tokenAuthEngine.RenewToken(token.ID, timeUnit12Hrs);
Assert.IsTrue(result, "M5: Token was unable to be renewed successfully.");
// Retrieve token and validate lease time.
Token token2 = await _tokenAuthEngine.GetTokenWithID(tokenID);
// Token should be very close to 12 hrs.
Assert.LessOrEqual(token2.TTL, 43200, "M6: Token lease was not set to expected value.");
Assert.GreaterOrEqual(token2.TTL, 43190, "M7: Token lease was not close to 12hours.");
}
public async Task RevokeTokenViaAccessor_Succeeds()
{
string tokenID = UK.GetKey("Rev");
string tokenName = "Name" + tokenID.ToString();
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
ID = tokenID,
Name = tokenName,
};
Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(token, "A1: Error creating a new token - expected to receive the new token back, instead we received a null value.");
// Revoke and validate it is gone.
Assert.True(await _tokenAuthEngine.RevokeTokenViaAccessor(token.AccessorTokenID), "M2: Revocation of token failed.");
// If token is null then it has been revoked successfully.
Token token2 = await _tokenAuthEngine.GetTokenWithID(tokenID);
Assert.IsNull(token2);
}
