public async Task ValidateConfigOptions()
{
int maxTTL = 1800; // 30min
int defaultTTL = 600; // 10min
string vis = "hidden"; // should not show up in ui lists.
string key = _uniqueKeys.GetKey("SYSM");
string desc = "Test Mount DB: " + key + "KeyValue V2";
VaultSysMountConfig config = new VaultSysMountConfig {
DefaultLeaseTTL = defaultTTL.ToString(),
MaxLeaseTTL = maxTTL.ToString(),
VisibilitySetting = vis
};
Assert.True(await _vaultSystemBackend.SysMountCreate(key, desc, EnumSecretBackendTypes.KeyValueV2, config), "Unable to create Mount with key name: {0}", key);
// Now read back the mount config data.
VaultSysMountConfig config2 = await _vaultSystemBackend.SysMountReadConfig(key);
Assert.AreEqual(config.DefaultLeaseTTL, config2.DefaultLeaseTTL, "Default Lease TTL's are not the same.");
Assert.AreEqual(config.MaxLeaseTTL, config2.MaxLeaseTTL, "Max Lease TTL's are not the same.");
Assert.AreEqual(config.VisibilitySetting, config2.VisibilitySetting, "Visibility Settings are not the same.");
}
public async Task DeleteMount()
{
string key = _uniqueKeys.GetKey("SYSM");
string desc = "Test Mount DB: " + key + "KeyValue V2";
VaultSysMountConfig config1 = new VaultSysMountConfig {
DefaultLeaseTTL = "6556"
};
Assert.True(await _vaultSystemBackend.SysMountCreate(key, desc, EnumSecretBackendTypes.KeyValueV2, config1), "A10:");
// Ensure it was created.
VaultSysMountConfig config2 = await _vaultSystemBackend.SysMountReadConfig(key);
Assert.AreEqual(config1.DefaultLeaseTTL, config2.DefaultLeaseTTL, "A20: Default Lease TTL's are not the same.");
// Delete it.
Assert.True(await _vaultSystemBackend.SysMountDelete(key), "A30: Deletion of mount did not complete Successfully.");
// Make sure it is gone.
Assert.IsFalse(await _vaultSystemBackend.SysMountExists(key), "A40 - SysMount still exists");
VaultInvalidDataException e = Assert.ThrowsAsync <VaultInvalidDataException>(async() => await _vaultSystemBackend.SysMountReadConfig(key), "A50: Error trying to retrieve Mount");
//VaultSysMountConfig config3 = await _vaultSystemBackend.SysMountReadConfig(key);
//Assert.IsNull(config3, "A50: SysMount Not Deleted");
}
// ==============================================================================================================================================
/// <summary>
/// Creates a secret backend of the specified type at the specified mount path. Upon completion it establishes a connection to the backend.
/// </summary>
/// <param name="secretBackendType">The type of backend you wish to connect to.</param>
/// <param name="backendName">The name you wish to refer to this backend by. This is NOT the Vault mount path.</param>
/// <param name="backendMountPath">The path to the vault mount point that this backend is located at.</param>
/// <param name="description">Description for the backend</param>
/// <param name="config">(Optional) A VaultSysMountConfig object that contains the connection configuration you wish to use to connect to the backend. If not specified defaults will be used.</param>
/// <returns>True if it was able to create the backend and connect to it. False if it encountered an error.</returns>
public async Task <bool> CreateSecretBackendMount(EnumSecretBackendTypes secretBackendType,
string backendName,
string backendMountPath,
string description,
VaultSysMountConfig config = null)
{
VaultSysMountConfig backendConfig;
if (config == null)
{
backendConfig = new VaultSysMountConfig
{
DefaultLeaseTTL = "30m",
MaxLeaseTTL = "90m",
VisibilitySetting = "hidden"
};
}
else
{
backendConfig = config;
}
return(await SysMountCreate(backendMountPath, description, secretBackendType, backendConfig));
//if (rc == true) { return ConnectToSecretBackend(secretBackendType, backendName, backendMountPath); }
// return null;
}
public async Task Backend_Init()
{
if (_vaultSystemBackend != null)
{
return;
}
// Build Connection to Vault.
_vaultAgentAPI = await VaultServerRef.ConnectVault("PolicyBE");
// Create a new system Backend Mount for this series of tests.
_vaultSystemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI);
// Create the backend.
_beName = _uniqueKeys.GetKey("beP");
VaultSysMountConfig testBE = new VaultSysMountConfig();
Assert.True(await _vaultSystemBackend.SysMountCreate(_beName, "KeyValue2 Policy Testing Backend", EnumSecretBackendTypes.KeyValueV2),
"A10: Enabling backend " + _beName + " failed.");
// Create the Root Engine that we will use
//_vaultRootAgentAPI = new VaultAgentAPI("Root", _vaultAgentAPI.IP, _vaultAgentAPI.Port, _vaultAgentAPI.Token.ID);
_vaultRootAgentAPI = await VaultServerRef.ConnectVault("PolicyBE_Alt");
_rootEng = (KV2SecretEngine)_vaultRootAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beName, _beName);
_vaultAgents = new List <VaultAgentAPI>();
}
public async Task Setup()
{
if (_vaultAgentAPI != null)
{
return;
}
// Build Connection to Vault.
_vaultAgentAPI = await VaultServerRef.ConnectVault("VaultSecretEntry");
//_vaultAgentAPI = new VaultAgentAPI("testa", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken, true);
// We will create 3 KV2 mounts in the Vault instance. One for testing with CAS on, one with CAS off, and then a generic default (CAS off).
string noCasMountName = _uniqueKey.GetKey("NoCas");
string casMountName = _uniqueKey.GetKey("CAS");
// Config settings for all the mounts.
VaultSysMountConfig config = new VaultSysMountConfig
{
DefaultLeaseTTL = "30m",
MaxLeaseTTL = "90m",
VisibilitySetting = "hidden"
};
// Get Connection to Vault System backend
_systemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI);
Assert.IsTrue(await _systemBackend.CreateSecretBackendMount(EnumSecretBackendTypes.KeyValueV2, noCasMountName, noCasMountName,
"No CAS Mount Test", config), "Failed to Create the NOCas KV2 secret backend");
_noCASMount = (KV2SecretEngine)_vaultAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, noCasMountName, noCasMountName);
Assert.IsTrue(await _systemBackend.CreateSecretBackendMount(EnumSecretBackendTypes.KeyValueV2, casMountName, casMountName,
"CAS Mount Test", config), "Failed to create the CAS Mount KV2 Secret Backend");
_casMount = (KV2SecretEngine)_vaultAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, casMountName, casMountName);
Assert.NotNull(_noCASMount);
Assert.NotNull(_casMount);
// This is required as of Vault 1.0 It now seems to take a second or 2 to upgrade the mount from KV1 to KV2.
Thread.Sleep(2500);
// Set backend mount config.
Assert.True(await _noCASMount.SetBackendConfiguration(8, false));
Assert.True(await _casMount.SetBackendConfiguration(8, false));
// Setup the DateTimeOffset Fields
_theDate = DateTimeOffset.FromUnixTimeSeconds(_unixEpochTime);
}
public void ChangeConfigInvalidMountName_ThrowsError()
{
string key = _uniqueKeys.GetKey("SYSM");
string desc = "Test Mount DB: " + key + "KeyValue V2";
// This mount should not exist as it was never created.
// Now change the config.
VaultSysMountConfig config = new VaultSysMountConfig {
DefaultLeaseTTL = "56",
MaxLeaseTTL = "106",
VisibilitySetting = "unauth"
};
//Assert.True(await _vaultSystemBackend.SysMountUpdateConfig(key, config, "changed"), "Unable to successfully change the config of {0} with config3 settings", key);
Assert.That(() => _vaultSystemBackend.SysMountUpdateConfig(key, config, "changed"),
Throws.Exception
.TypeOf <VaultInvalidDataException>()
);
}
/// <summary>
/// Updates the configuration of a given system mount point. If description is null then it will not be updated.
/// </summary>
/// <param name="Name">The name of the mount to update</param>
/// <param name="config"><see cref="VaultSysMountConfig"/>The backend's configuration changes</param>
/// <param name="description">If set, the description will be updated. </param>
/// <returns>True if successfull. False otherwise.</returns>
public async Task <bool> SysMountUpdateConfig(string Name, VaultSysMountConfig config, string description = null)
{
string path = MountPointPath + pathMounts + Name + "/tune";
Dictionary <string, string> content = new Dictionary <string, string>
{
{ "default_lease_ttl", config.DefaultLeaseTTL },
{ "max_lease_ttl", config.MaxLeaseTTL },
{ "audit_non_hmac_request_keys", config.RequestKeysToNotAuditViaHMAC },
{ "audit_non_hmac_response_keys", config.ResponseKeysToNotAuditViaHMAC },
{ "listing_visibility", config.VisibilitySetting },
{ "passthrough_request_headers", config.PassThruRequestHeaders }
};
if (description != null)
{
content.Add("description", description);
}
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "SysMountUpdateConfig", content, false);
return(vdro.Success);
}
/// <summary>
/// Creates (Enables in Vault terminology) a new backend secrets engine with the given name, type and configuration settings.
/// Throws: [VaultInvalidDataException] when the mount point already exists. SpecificErrorCode will be set to: [BackendMountAlreadyExists]
/// <param name="mountPath">The root path to this secrets engine that it will be mounted at. Is a part of every URL to this backend.</param>
/// <param name="description">Brief human friendly name for the mount.</param>
/// <param name="backendType">The type of secrets backend this mount is. </param>
/// <param name="config">The configuration to be applied to this mount.</param>
/// <returns>Bool: True if successful in creating the backend mount point. False otherwise.</returns>
/// </summary>
public async Task <bool> SysMountCreate(string mountPath, string description, EnumSecretBackendTypes backendType, VaultSysMountConfig config = null)
{
// The keyname forms the last part of the path
string path = MountPointPath + pathMounts + mountPath;
// Build out the parameters dictionary.
Dictionary <string, object> createParams = new Dictionary <string, object>();
// Build Options Dictionary
Dictionary <string, string> options = new Dictionary <string, string>();
string typeName = "";
switch (backendType)
{
case EnumSecretBackendTypes.Transit:
typeName = "transit";
break;
case EnumSecretBackendTypes.Secret:
typeName = "kv";
break;
case EnumSecretBackendTypes.AWS:
typeName = "aws";
throw new NotImplementedException();
case EnumSecretBackendTypes.CubbyHole:
typeName = "cubbyhole";
throw new NotImplementedException();
case EnumSecretBackendTypes.Generic:
typeName = "generic";
throw new NotImplementedException();
case EnumSecretBackendTypes.PKI:
typeName = "pki";
throw new NotImplementedException();
case EnumSecretBackendTypes.SSH:
typeName = "ssh";
throw new NotImplementedException();
case EnumSecretBackendTypes.KeyValueV2:
// It is the same type as a version 1, but it has an additional config value.
typeName = "kv";
options.Add("version", "2");
break;
}
createParams.Add("type", typeName);
createParams.Add("description", description);
createParams.Add("options", options);
if (config != null)
{
createParams.Add("config", config);
}
try {
VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "SysMountEnable", createParams, false);
if (vdro.HttpStatusCode == 204)
{
return(true);
}
else
{
return(false);
}
}
catch (VaultInvalidDataException e) {
if (e.Message.Contains("path is already in use"))
{
e.SpecificErrorCode = EnumVaultExceptionCodes.BackendMountAlreadyExists;
}
throw e;
}
}
