public async Task AuthToken_CreateWithPolicies_ReturnsTokenWithPolicies()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var policyName = Guid.NewGuid().ToString();
var policy = "path \"*\" {\n" +
" policy = \"sudo\"\n" +
"}\n";
await client.Sys.PutPolicy(policyName, policy);
var tokenRequest = new CreateRequest
{
Policies = new List <string> {
policyName
}
};
var result = await client.Auth.Write <CreateRequest, NoData>("token/create", tokenRequest);
Assert.NotNull(result.Auth);
Assert.NotNull(result.Auth.ClientToken);
Assert.Contains(policyName, result.Auth.Policies);
}
}
public async Task AuthUserPass_LoginWithNewClient_LogsInSuccessfully()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var mountPoint = Guid.NewGuid().ToString();
await client.Sys.EnableAuth(mountPoint, "userpass", "Userpass Mount");
var username = Guid.NewGuid().ToString();
var password = Guid.NewGuid().ToString();
var usersRequest = new UsersRequest
{
Password = password,
Policies = new List <string> {
"default"
},
Ttl = "1h",
MaxTtl = "2h"
};
await client.Auth.Write($"{mountPoint}/users/{username}", usersRequest);
var loginRequest = new LoginRequest
{
Password = usersRequest.Password
};
var newClient = new VaultClient(new UriBuilder(server.ListenAddress).Uri);
var loginResponse = await newClient.Auth.Write <LoginRequest, NoData>($"{mountPoint}/login/{username}", loginRequest);
Assert.Equal(username, loginResponse.Auth.Metadata["username"]);
Assert.Equal(usersRequest.Policies, loginResponse.Auth.Policies);
Assert.NotNull(loginResponse.Auth.ClientToken);
}
}
public async Task GenericWrapRead_SecretExists_ReturnsSecretWrappedInformation()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var secretPath = "secret/data";
var expected = new Dictionary <string, string> {
{ "abc", "123" }
};
var mountPoint = Guid.NewGuid().ToString();
await client.Sys.Mount(mountPoint, new MountInfo { Type = "generic" });
await client.Secret.Write($"{mountPoint}/{secretPath}", expected);
var secret = await client.Secret.Read($"{mountPoint}/{secretPath}", TimeSpan.FromSeconds(120));
Assert.NotNull(secret);
Assert.NotNull(secret.WrapInfo);
var unwrappedSecret = await client.Secret.Unwrap <Dictionary <string, string> >(secret.WrapInfo.Token);
Assert.NotNull(unwrappedSecret);
Assert.NotNull(unwrappedSecret.Data);
Assert.Equal(expected, unwrappedSecret.Data);
}
}
public async Task GenericDelete_SecretRemoved_ReturnsNullSecretData()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var secretPath = "secret/data";
var expected = new Dictionary <string, string> {
{ "abc", "123" }
};
var mountPoint = Guid.NewGuid().ToString();
await client.Sys.Mount(mountPoint, new MountInfo { Type = "generic" });
await client.Secret.Write($"{mountPoint}/{secretPath}", expected);
var secret = await client.Secret.Read <Dictionary <string, string> >($"{mountPoint}/{secretPath}");
Assert.NotNull(secret);
Assert.NotNull(secret.Data);
Assert.Equal(expected, secret.Data);
await client.Secret.Delete($"{mountPoint}/{secretPath}");
secret = await client.Secret.Read <Dictionary <string, string> >($"{mountPoint}/{secretPath}");
Assert.NotNull(secret);
Assert.Null(secret.Data);
}
}
public async Task GenericList_OneSecret_ReturnsListOfSecretKeys()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var secretPath = "secret/data";
var data = new Dictionary <string, string> {
{ "abc", "123" }
};
var mountPoint = Guid.NewGuid().ToString();
await client.Sys.Mount(mountPoint, new MountInfo { Type = "generic" });
await client.Secret.Write($"{mountPoint}/{secretPath}", data);
await client.Secret.Write($"{mountPoint}/{secretPath}/subdata", data);
var secret = await client.Secret.List($"{mountPoint}/secret/");
var expected = new List <string>
{
"data",
"data/"
};
Assert.NotNull(secret);
Assert.Equal(expected, secret.Data.Keys);
}
}
public async Task SecretPki_SetUpRootCA_CanIssueCertificatesWithAltNames()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var mountPoint = Guid.NewGuid().ToString();
await client.Sys.Mount(mountPoint, new MountInfo { Type = "pki" });
var mountConfig = new MountConfig
{
MaxLeaseTtl = "87600h"
};
await client.Sys.TuneMount(mountPoint, mountConfig);
var rootCaConfig = new RootGenerateRequest
{
CommonName = "Vault Testing Root Certificate Authority",
Ttl = "87600h"
};
await client.Secret.Write($"{mountPoint}/root/generate/internal", rootCaConfig);
var roleName = Guid.NewGuid().ToString();
var role = new RolesRequest
{
AllowAnyDomain = true,
EnforceHostnames = false,
MaxTtl = "1h"
};
await client.Secret.Write($"{mountPoint}/roles/{roleName}", role);
var commonName = Guid.NewGuid().ToString();
var certRequest = new IssueRequest
{
CommonName = commonName,
AltNames = new List <string> {
"example.com", "test.example.com"
},
Format = CertificateFormat.Der
};
var cert =
await
client.Secret.Write <IssueRequest, IssueResponse>($"{mountPoint}/issue/{roleName}",
certRequest);
Assert.NotNull(cert.Data);
Assert.NotNull(cert.Data.Certificate);
Assert.NotNull(cert.Data.PrivateKey);
var x509Cert = new X509Certificate2(Encoding.UTF8.GetBytes(cert.Data.Certificate));
Assert.Equal($"CN={commonName}", x509Cert.SubjectName.Name);
}
}
public async Task Seal_ReturnsStatus()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var status = await client.Sys.SealStatus();
Assert.NotNull(status);
Assert.False(status.Sealed);
}
}
public async Task AuthToken_Create_ReturnsToken()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var tokenRequest = new CreateRequest();
var result = await client.Auth.Write <CreateRequest, NoData>("token/create", tokenRequest);
Assert.NotNull(result.Auth);
Assert.NotNull(result.Auth.ClientToken);
}
}
public async Task Leader_Call_ReturnsLeader()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var leader = await client.Sys.Leader();
Assert.NotNull(leader);
Assert.False(leader.IsSelf);
Assert.False(leader.HaEnables);
Assert.NotNull(leader.LeaderAddress);
}
}
public async Task GenericRead_NonExistentSecret_ReturnsNullData()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var mountPoint = Guid.NewGuid().ToString();
await client.Sys.Mount(mountPoint, new MountInfo { Type = "generic" });
var secret = await client.Secret.Read <Dictionary <string, string> >($"{mountPoint}/bogus/token");
Assert.NotNull(secret);
Assert.Null(secret.Data);
}
}
public async Task GenericList_NoSecret_ReturnsNullData()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var secretPath = "secret/data";
var mountPoint = Guid.NewGuid().ToString();
await client.Sys.Mount(mountPoint, new MountInfo { Type = "generic" });
var secret = await client.Secret.List($"{mountPoint}/{secretPath}");
Assert.NotNull(secret);
Assert.Null(secret.Data);
}
}
public async Task SecretPki_SetUpRootCA_CanIssueCertificates()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var mountPoint = Guid.NewGuid().ToString();
await client.Sys.Mount(mountPoint, new MountInfo { Type = "pki" });
var mountConfig = new MountConfig
{
MaxLeaseTtl = "87600h"
};
await client.Sys.TuneMount(mountPoint, mountConfig);
var rootCaConfig = new RootGenerateRequest
{
CommonName = "Vault Testing Root Certificate Authority",
Ttl = "87600h"
};
await client.Secret.Write($"{mountPoint}/root/generate/internal", rootCaConfig);
var roleName = Guid.NewGuid().ToString();
var role = new RolesRequest
{
AllowAnyDomain = true,
EnforceHostnames = false,
MaxTtl = "1h"
};
await client.Secret.Write($"{mountPoint}/roles/{roleName}", role);
var certRequest = new IssueRequest
{
CommonName = "Test Cert"
};
var cert =
await
client.Secret.Write <IssueRequest, IssueResponse>($"{mountPoint}/issue/{roleName}",
certRequest);
Assert.NotNull(cert.Data);
Assert.NotNull(cert.Data.Certificate);
Assert.NotNull(cert.Data.PrivateKey);
}
}
public async Task AuthUserPass_SwitchToLoginToken_HasDefaultPermissions()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var mountPoint = Guid.NewGuid().ToString();
await client.Sys.EnableAuth(mountPoint, "userpass", "Userpass Mount");
var username = Guid.NewGuid().ToString();
var usersRequest = new UsersRequest
{
Password = Guid.NewGuid().ToString(),
Policies = new List <string> {
"default"
},
Ttl = "1h",
MaxTtl = "2h"
};
await client.Auth.Write($"{mountPoint}/users/{username}", usersRequest);
var loginRequest = new LoginRequest
{
Password = usersRequest.Password
};
var loginResponse =
await client.Auth.Write <LoginRequest, NoData>($"{mountPoint}/login/{username}", loginRequest);
client.Token = loginResponse.Auth.ClientToken;
try
{
var ex = await Assert.ThrowsAsync <VaultRequestException>(() =>
client.Auth.Read <UsersResponse>($"{mountPoint}/users/{username}"));
Assert.Equal(ex.StatusCode, HttpStatusCode.Forbidden);
}
catch (AssertActualExpectedException exception)
{
Assert.Equal("(No exception was thrown)", exception.Actual);
}
}
}
public async Task AuthUserPass_MountAndCreateUser_RetrieveUserSuccessfully()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var mountPoint = Guid.NewGuid().ToString();
await client.Sys.EnableAuth(mountPoint, "userpass", "Userpass Mount");
var username = Guid.NewGuid().ToString();
var usersRequest = new UsersRequest
{
Password = Guid.NewGuid().ToString(),
Policies = new List <string> {
"default"
},
Ttl = "1h",
MaxTtl = "2h"
};
await client.Auth.Write($"{mountPoint}/users/{username}", usersRequest);
var loginRequest = new LoginRequest
{
Password = usersRequest.Password
};
var loginResponse =
await client.Auth.Write <LoginRequest, NoData>($"{mountPoint}/login/{username}", loginRequest);
Assert.Equal(username, loginResponse.Auth.Metadata["username"]);
Assert.Equal(usersRequest.Policies, loginResponse.Auth.Policies);
Assert.NotNull(loginResponse.Auth.ClientToken);
var usersResponse = await client.Auth.Read <UsersResponse>($"{mountPoint}/users/{username}");
Assert.Equal(usersRequest.Policies, usersResponse.Data.Policies);
}
}
public async Task SecretPki_SetUpRootCA_ReadCaCertificate()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
var mountPoint = Guid.NewGuid().ToString();
await client.Sys.Mount(mountPoint, new MountInfo { Type = "pki" });
var mountConfig = new MountConfig
{
MaxLeaseTtl = "87600h"
};
await client.Sys.TuneMount(mountPoint, mountConfig);
var rootCaConfig = new RootGenerateRequest
{
CommonName = "Vault Testing Root Certificate Authority",
Ttl = "87600h"
};
await client.Secret.Write($"{mountPoint}/root/generate/internal", rootCaConfig);
var roleName = Guid.NewGuid().ToString();
var role = new RolesRequest
{
AllowAnyDomain = true,
EnforceHostnames = false,
MaxTtl = "1h"
};
await client.Secret.Write($"{mountPoint}/roles/{roleName}", role);
var caCert = await client.Secret.ReadRaw($"{mountPoint}/ca/pem");
Assert.StartsWith("-----", System.Text.Encoding.Default.GetString(caCert));
}
}
public async Task SecretPki_BuildIntermediateCAChain_CanIssueCertificatesWithChain()
{
using (var server = new VaultTestServer())
{
var client = server.TestClient();
await client.Sys.Mount("pki", new MountInfo { Type = "pki" });
await client.Sys.Mount("pki1", new MountInfo { Type = "pki" });
await client.Sys.Mount("pki2", new MountInfo { Type = "pki" });
await client.Sys.Mount("pki3", new MountInfo { Type = "pki" });
var mountConfig = new MountConfig
{
MaxLeaseTtl = "87600h"
};
await client.Sys.TuneMount("pki", mountConfig);
await client.Sys.TuneMount("pki1", mountConfig);
await client.Sys.TuneMount("pki2", mountConfig);
await client.Sys.TuneMount("pki3", mountConfig);
// Root CA
var rootCaConfig = new RootGenerateRequest
{
CommonName = "Vault Testing Root Certificate Authority",
Ttl = "87600h"
};
await client.Secret.Write($"pki/root/generate/internal", rootCaConfig);
// Intermediate CA
var pki1CaConfig = new IntermediateGenerateRequest
{
CommonName = "Vault Testing Intermediate CA"
};
var pki1Request =
await
client.Secret.Write <IntermediateGenerateRequest, IntermediateGenerateInternalResponse>(
"pki1/intermediate/generate/internal", pki1CaConfig);
var pki1SignRequest = new RootSignIntermediateRequest
{
Csr = pki1Request.Data.Csr,
Format = CertificateFormat.PemBundle,
Ttl = "87500h"
};
var pki1SignResponse =
await
client.Secret.Write <RootSignIntermediateRequest, RootSignIntermediateResponse>(
"pki/root/sign-intermediate", pki1SignRequest);
var pki1SetSigned = new IntermediateSetSignedRequest
{
Certificate = pki1SignResponse.Data.Certificate
};
await client.Secret.Write("pki1/intermediate/set-signed", pki1SetSigned);
// PKI2 - Sub Intermediate CA
var pki2CaConfig = new IntermediateGenerateRequest
{
CommonName = "Vault Testing Sub Intermediate CA"
};
var pki2Request =
await
client.Secret.Write <IntermediateGenerateRequest, IntermediateGenerateInternalResponse>(
"pki2/intermediate/generate/internal", pki2CaConfig);
var pki2SignRequest = new RootSignIntermediateRequest
{
Csr = pki2Request.Data.Csr,
Format = CertificateFormat.PemBundle,
Ttl = "87400h"
};
var pki2SignResponse =
await
client.Secret.Write <RootSignIntermediateRequest, RootSignIntermediateResponse>(
"pki1/root/sign-intermediate", pki2SignRequest);
var pki2SetSigned = new IntermediateSetSignedRequest
{
Certificate = pki2SignResponse.Data.Certificate
};
await client.Secret.Write("pki2/intermediate/set-signed", pki2SetSigned);
var roleName = Guid.NewGuid().ToString();
var role = new RolesRequest
{
AllowAnyDomain = true,
EnforceHostnames = false,
MaxTtl = "1h"
};
await client.Secret.Write($"pki2/roles/{roleName}", role);
var commonName = Guid.NewGuid().ToString();
var certRequest = new IssueRequest
{
CommonName = commonName,
AltNames = new List <string> {
"example.com", "test.example.com"
},
Format = CertificateFormat.Der
};
var cert =
await
client.Secret.Write <IssueRequest, IssueResponse>($"pki2/issue/{roleName}",
certRequest);
Assert.NotNull(cert.Data);
Assert.NotNull(cert.Data.Certificate);
Assert.NotNull(cert.Data.PrivateKey);
Assert.Equal(2, cert.Data.CaChain.Count);
}
}
