public async Task ValidateConfigOptions() { int maxTTL = 1800; // 30min int defaultTTL = 600; // 10min string vis = "hidden"; // should not show up in ui lists. string key = _uniqueKeys.GetKey("SYSM"); string desc = "Test Mount DB: " + key + "KeyValue V2"; VaultSysMountConfig config = new VaultSysMountConfig { DefaultLeaseTTL = defaultTTL.ToString(), MaxLeaseTTL = maxTTL.ToString(), VisibilitySetting = vis }; Assert.True(await _vaultSystemBackend.SysMountCreate(key, desc, EnumSecretBackendTypes.KeyValueV2, config), "Unable to create Mount with key name: {0}", key); // Now read back the mount config data. VaultSysMountConfig config2 = await _vaultSystemBackend.SysMountReadConfig(key); Assert.AreEqual(config.DefaultLeaseTTL, config2.DefaultLeaseTTL, "Default Lease TTL's are not the same."); Assert.AreEqual(config.MaxLeaseTTL, config2.MaxLeaseTTL, "Max Lease TTL's are not the same."); Assert.AreEqual(config.VisibilitySetting, config2.VisibilitySetting, "Visibility Settings are not the same."); }
public async Task DeleteMount() { string key = _uniqueKeys.GetKey("SYSM"); string desc = "Test Mount DB: " + key + "KeyValue V2"; VaultSysMountConfig config1 = new VaultSysMountConfig { DefaultLeaseTTL = "6556" }; Assert.True(await _vaultSystemBackend.SysMountCreate(key, desc, EnumSecretBackendTypes.KeyValueV2, config1), "A10:"); // Ensure it was created. VaultSysMountConfig config2 = await _vaultSystemBackend.SysMountReadConfig(key); Assert.AreEqual(config1.DefaultLeaseTTL, config2.DefaultLeaseTTL, "A20: Default Lease TTL's are not the same."); // Delete it. Assert.True(await _vaultSystemBackend.SysMountDelete(key), "A30: Deletion of mount did not complete Successfully."); // Make sure it is gone. Assert.IsFalse(await _vaultSystemBackend.SysMountExists(key), "A40 - SysMount still exists"); VaultInvalidDataException e = Assert.ThrowsAsync <VaultInvalidDataException>(async() => await _vaultSystemBackend.SysMountReadConfig(key), "A50: Error trying to retrieve Mount"); //VaultSysMountConfig config3 = await _vaultSystemBackend.SysMountReadConfig(key); //Assert.IsNull(config3, "A50: SysMount Not Deleted"); }
// ============================================================================================================================================== /// <summary> /// Creates a secret backend of the specified type at the specified mount path. Upon completion it establishes a connection to the backend. /// </summary> /// <param name="secretBackendType">The type of backend you wish to connect to.</param> /// <param name="backendName">The name you wish to refer to this backend by. This is NOT the Vault mount path.</param> /// <param name="backendMountPath">The path to the vault mount point that this backend is located at.</param> /// <param name="description">Description for the backend</param> /// <param name="config">(Optional) A VaultSysMountConfig object that contains the connection configuration you wish to use to connect to the backend. If not specified defaults will be used.</param> /// <returns>True if it was able to create the backend and connect to it. False if it encountered an error.</returns> public async Task <bool> CreateSecretBackendMount(EnumSecretBackendTypes secretBackendType, string backendName, string backendMountPath, string description, VaultSysMountConfig config = null) { VaultSysMountConfig backendConfig; if (config == null) { backendConfig = new VaultSysMountConfig { DefaultLeaseTTL = "30m", MaxLeaseTTL = "90m", VisibilitySetting = "hidden" }; } else { backendConfig = config; } return(await SysMountCreate(backendMountPath, description, secretBackendType, backendConfig)); //if (rc == true) { return ConnectToSecretBackend(secretBackendType, backendName, backendMountPath); } // return null; }
public async Task Backend_Init() { if (_vaultSystemBackend != null) { return; } // Build Connection to Vault. _vaultAgentAPI = await VaultServerRef.ConnectVault("PolicyBE"); // Create a new system Backend Mount for this series of tests. _vaultSystemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI); // Create the backend. _beName = _uniqueKeys.GetKey("beP"); VaultSysMountConfig testBE = new VaultSysMountConfig(); Assert.True(await _vaultSystemBackend.SysMountCreate(_beName, "KeyValue2 Policy Testing Backend", EnumSecretBackendTypes.KeyValueV2), "A10: Enabling backend " + _beName + " failed."); // Create the Root Engine that we will use //_vaultRootAgentAPI = new VaultAgentAPI("Root", _vaultAgentAPI.IP, _vaultAgentAPI.Port, _vaultAgentAPI.Token.ID); _vaultRootAgentAPI = await VaultServerRef.ConnectVault("PolicyBE_Alt"); _rootEng = (KV2SecretEngine)_vaultRootAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beName, _beName); _vaultAgents = new List <VaultAgentAPI>(); }
public async Task Setup() { if (_vaultAgentAPI != null) { return; } // Build Connection to Vault. _vaultAgentAPI = await VaultServerRef.ConnectVault("VaultSecretEntry"); //_vaultAgentAPI = new VaultAgentAPI("testa", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken, true); // We will create 3 KV2 mounts in the Vault instance. One for testing with CAS on, one with CAS off, and then a generic default (CAS off). string noCasMountName = _uniqueKey.GetKey("NoCas"); string casMountName = _uniqueKey.GetKey("CAS"); // Config settings for all the mounts. VaultSysMountConfig config = new VaultSysMountConfig { DefaultLeaseTTL = "30m", MaxLeaseTTL = "90m", VisibilitySetting = "hidden" }; // Get Connection to Vault System backend _systemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI); Assert.IsTrue(await _systemBackend.CreateSecretBackendMount(EnumSecretBackendTypes.KeyValueV2, noCasMountName, noCasMountName, "No CAS Mount Test", config), "Failed to Create the NOCas KV2 secret backend"); _noCASMount = (KV2SecretEngine)_vaultAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, noCasMountName, noCasMountName); Assert.IsTrue(await _systemBackend.CreateSecretBackendMount(EnumSecretBackendTypes.KeyValueV2, casMountName, casMountName, "CAS Mount Test", config), "Failed to create the CAS Mount KV2 Secret Backend"); _casMount = (KV2SecretEngine)_vaultAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, casMountName, casMountName); Assert.NotNull(_noCASMount); Assert.NotNull(_casMount); // This is required as of Vault 1.0 It now seems to take a second or 2 to upgrade the mount from KV1 to KV2. Thread.Sleep(2500); // Set backend mount config. Assert.True(await _noCASMount.SetBackendConfiguration(8, false)); Assert.True(await _casMount.SetBackendConfiguration(8, false)); // Setup the DateTimeOffset Fields _theDate = DateTimeOffset.FromUnixTimeSeconds(_unixEpochTime); }
public void ChangeConfigInvalidMountName_ThrowsError() { string key = _uniqueKeys.GetKey("SYSM"); string desc = "Test Mount DB: " + key + "KeyValue V2"; // This mount should not exist as it was never created. // Now change the config. VaultSysMountConfig config = new VaultSysMountConfig { DefaultLeaseTTL = "56", MaxLeaseTTL = "106", VisibilitySetting = "unauth" }; //Assert.True(await _vaultSystemBackend.SysMountUpdateConfig(key, config, "changed"), "Unable to successfully change the config of {0} with config3 settings", key); Assert.That(() => _vaultSystemBackend.SysMountUpdateConfig(key, config, "changed"), Throws.Exception .TypeOf <VaultInvalidDataException>() ); }
/// <summary> /// Updates the configuration of a given system mount point. If description is null then it will not be updated. /// </summary> /// <param name="Name">The name of the mount to update</param> /// <param name="config"><see cref="VaultSysMountConfig"/>The backend's configuration changes</param> /// <param name="description">If set, the description will be updated. </param> /// <returns>True if successfull. False otherwise.</returns> public async Task <bool> SysMountUpdateConfig(string Name, VaultSysMountConfig config, string description = null) { string path = MountPointPath + pathMounts + Name + "/tune"; Dictionary <string, string> content = new Dictionary <string, string> { { "default_lease_ttl", config.DefaultLeaseTTL }, { "max_lease_ttl", config.MaxLeaseTTL }, { "audit_non_hmac_request_keys", config.RequestKeysToNotAuditViaHMAC }, { "audit_non_hmac_response_keys", config.ResponseKeysToNotAuditViaHMAC }, { "listing_visibility", config.VisibilitySetting }, { "passthrough_request_headers", config.PassThruRequestHeaders } }; if (description != null) { content.Add("description", description); } VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "SysMountUpdateConfig", content, false); return(vdro.Success); }
/// <summary> /// Creates (Enables in Vault terminology) a new backend secrets engine with the given name, type and configuration settings. /// Throws: [VaultInvalidDataException] when the mount point already exists. SpecificErrorCode will be set to: [BackendMountAlreadyExists] /// <param name="mountPath">The root path to this secrets engine that it will be mounted at. Is a part of every URL to this backend.</param> /// <param name="description">Brief human friendly name for the mount.</param> /// <param name="backendType">The type of secrets backend this mount is. </param> /// <param name="config">The configuration to be applied to this mount.</param> /// <returns>Bool: True if successful in creating the backend mount point. False otherwise.</returns> /// </summary> public async Task <bool> SysMountCreate(string mountPath, string description, EnumSecretBackendTypes backendType, VaultSysMountConfig config = null) { // The keyname forms the last part of the path string path = MountPointPath + pathMounts + mountPath; // Build out the parameters dictionary. Dictionary <string, object> createParams = new Dictionary <string, object>(); // Build Options Dictionary Dictionary <string, string> options = new Dictionary <string, string>(); string typeName = ""; switch (backendType) { case EnumSecretBackendTypes.Transit: typeName = "transit"; break; case EnumSecretBackendTypes.Secret: typeName = "kv"; break; case EnumSecretBackendTypes.AWS: typeName = "aws"; throw new NotImplementedException(); case EnumSecretBackendTypes.CubbyHole: typeName = "cubbyhole"; throw new NotImplementedException(); case EnumSecretBackendTypes.Generic: typeName = "generic"; throw new NotImplementedException(); case EnumSecretBackendTypes.PKI: typeName = "pki"; throw new NotImplementedException(); case EnumSecretBackendTypes.SSH: typeName = "ssh"; throw new NotImplementedException(); case EnumSecretBackendTypes.KeyValueV2: // It is the same type as a version 1, but it has an additional config value. typeName = "kv"; options.Add("version", "2"); break; } createParams.Add("type", typeName); createParams.Add("description", description); createParams.Add("options", options); if (config != null) { createParams.Add("config", config); } try { VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "SysMountEnable", createParams, false); if (vdro.HttpStatusCode == 204) { return(true); } else { return(false); } } catch (VaultInvalidDataException e) { if (e.Message.Contains("path is already in use")) { e.SpecificErrorCode = EnumVaultExceptionCodes.BackendMountAlreadyExists; } throw e; } }