public void ValidateVaultInstanceBaseSettings()
{
VaultAgentAPI a = new VaultAgentAPI(name, VaultServerRef.vaultURI);
Assert.AreEqual(name, vault.Name);
Assert.AreEqual(VaultServerRef.vaultURI, vault.Uri);
}
/// <summary>
/// Creates a Vault instance and connects it with either the default testing token or the specified token
/// </summary>
/// <param name="name">Name to be given to this Vault object</param>
/// <param name="overrideToken">The TokenId to use if you do not wish to use the default testing token</param>
/// <returns></returns>
public static async Task <VaultAgentAPI> ConnectVault(string name, string overrideToken = "")
{
vaultURI = new Uri("http://" + ipAddress + ":" + ipPort);
VaultAgentAPI vault = new VaultAgentAPI(name, vaultURI);
string thisToken;
if (overrideToken != string.Empty)
{
thisToken = overrideToken;
}
else
{
thisToken = rootToken;
}
TokenLoginConnector loginConnector = new TokenLoginConnector(vault, "Testing", thisToken, TokenAuthEngine.TOKEN_DEFAULT_MOUNT_NAME);
bool success = await loginConnector.Connect();
if (!success)
{
throw new ApplicationException("Error connecting to the Vault Instance using Token " + thisToken);
}
return(vault);
}
public async Task TokenLogin_InvalidToken()
{
// Load engine and create a token
VaultAgentAPI vault = new VaultAgentAPI("LoginConnVault", VaultServerRef.vaultURI);
// TODO this test is not valid. We kind of already test it, because every Test requires a connection to Vault which we do in the VaultServerSetup Class.
TokenLoginConnector tlc = new TokenLoginConnector(vault, "Token Connector");
tlc.TokenId = "bbnbb";
bool success = await tlc.Connect();
Assert.IsFalse(success);
/*
*
*
* TokenAuthEngine tokenAuthEngine = (TokenAuthEngine)_vault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);
*
* TokenNewSettings tokenSettings = new TokenNewSettings();
* tokenSettings.Name = "Test";
* tokenSettings.IsRenewable = false;
* tokenSettings.NumberOfUses = 4;
*
* Token token = await tokenAuthEngine.CreateToken(tokenSettings);
* TokenLoginConnector lc = new TokenLoginConnector(_vault,tokenAuthEngine.MountPoint,tokenAuthEngine.Name);
* lc.TokenId = token.ID;
* Assert.IsTrue(await lc.Connect());
*/
Assert.IsTrue(true);
}
public async Task RevokeSelfTokenSucceeds()
{
VaultAgentAPI v1 = await VaultServerRef.ConnectVault("TempVault");
//new VaultAgentAPI("TempVault", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken);
string tokenName = UK.GetKey("tmpTok");
// Create a new token.
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
Name = tokenName,
};
Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(token, "A1: Error creating a new token - expected to receive the new token back, instead we received a null value.");
// Now set vault to use the new token.
v1.Token = token;
Assert.AreNotEqual(VaultServerRef.rootToken, token.ID, "A2: Expected the Vault object to have a different token. But was still set at initial token.");
// And then revoke.
Assert.IsTrue(await v1.RevokeActiveToken());
Assert.IsNull(v1.Token);
// Now try and reset the Vault to use the old token. It should fail.
v1.Token = token;
Assert.ThrowsAsync <VaultForbiddenException> (async() => await v1.RefreshActiveToken());
}
// ==============================================================================================================================================
/// <summary>
/// Constructor. Initializes the connection to Vault and stores the token.
/// </summary>
/// <param name="backendName">The name of the secret backend to mount. This is purely cosmetic.</param>
/// <param name="backendMountPoint">
/// The actual mount point that the secret is mounted to. Exclude and prefix such as /v1/
/// and exclude trailing slash.
/// </param>
/// <param name="vaultAgentAPI">The Vault API Agent Object that contains connectivity information for authenticating and connecting to the Vault</param>
public KV2SecretEngine(string backendName, string backendMountPoint, VaultAgentAPI vaultAgentAPI) : base(
backendName, backendMountPoint,
vaultAgentAPI)
{
Type = EnumBackendTypes.KeyValueV2;
IsSecretBackend = true;
}
public void Setup()
{
_vault = new VaultAgentAPI("LoginConnVault", VaultServerRef.vaultURI);
_vault.TokenID = VaultServerRef.rootToken;
// _vault = new VaultAgentAPI("LoginConnVault", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken, true);
}
public async Task TokenEngineSetup()
{
// Build Connection to Vault.
vault = await VaultServerRef.ConnectVault("TokenEng");
_tokenAuthEngine = (TokenAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);
}
public async Task Setup()
{
// Build Connection to Vault.
_vault = await VaultServerRef.ConnectVault("AppRoleVault");
//_vault = new VaultAgentAPI ("AppRoleVault", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken, true);
_vaultSystemBackend = new VaultSystemBackend(_vault.TokenID, _vault);
_ldapMountName = _uniqueKeys.GetKey("LDAP");
// Define the engine.
_ldapAuthEngine = (LdapAuthEngine)_vault.ConnectAuthenticationBackend(EnumBackendTypes.A_LDAP, "ldap_test", _ldapMountName);
// Now create the Mount point.
AuthMethod authMethod = new AuthMethod(_ldapMountName, EnumAuthMethods.LDAP);
authMethod.Description = "Ldap Test";
Assert.True(await _vaultSystemBackend.AuthEnable(authMethod), "A10: Expected the LDAP Backend to have been enabled.");
// Now build the LDAP Backend.
_origConfig = _ldapAuthEngine.GetLDAPConfigFromFile(@"C:\a_Dev\Configs\LDAP_Test.json");
SetLDAPConfig(_ldapMountName, _origConfig);
// Save the Config. We do this here so the SetLDAPConfig can be used for multiple engines.
Assert.True(await _ldapAuthEngine.ConfigureLDAPBackend(_origConfig), "A100: Expected the LDAP Configuration method to return True");
// Initialize the LDAP Login Connector.
_ldapLoginConnector = new LDAPLoginConnector(_vault, _ldapAuthEngine.MountPoint, "Test LDAP Backend");
// Load the Test Data Object
LoadTestData();
}
public async Task CreateToken()
{
// SETUP
// We need our own vault since we will be manipulating the token value
VaultAgentAPI ourVault = await VaultServerRef.ConnectVault("TokenTest");
TokenAuthEngine ourTokenAuthEngine = (TokenAuthEngine)ourVault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);
// Need a Token Role so we can autogenerate a token
TokenRole tokenRole = new TokenRole();
tokenRole.Name = UK.GetKey();
await ourTokenAuthEngine.SaveTokenRole(tokenRole);
string tokenName = "Name" + tokenRole.Name;
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
Name = tokenName,
NumberOfUses = 6,
NoParentToken = true,
RoleName = tokenRole.Name
};
Token token = await ourTokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(token, "A10: Expected to receive the new token back, instead we received a null value.");
// Read the token we just created.
//Token token = await _tokenAuthEngine.GetTokenWithID(tokenID);
Assert.IsNotNull(token, "A20: No Token returned. Was expecting one.");
ourVault.TokenID = token.ID;
Assert.AreEqual(ourVault.TokenID, token.ID, "A30: Vault did not store token correctly");
}
public async Task Transit_Init()
{
if (_vaultAgentAPI != null)
{
return;
}
// Build Connection to Vault.
_vaultAgentAPI = await VaultServerRef.ConnectVault("TransitSecEng");
//new VaultAgentAPI("transitVault", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken, true);
// Create unique name for the transit Backend we will use to test with.
string transitMountName = _uniqueKeys.GetKey("TRANsit");
// Get Connection to Vault System backend
_systemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI);
Assert.IsTrue(await _systemBackend.CreateSecretBackendMount(EnumSecretBackendTypes.Transit, transitMountName, transitMountName,
"Transit Bckend Testing"), "A10: Failed to Create the Transit Backend");
_transitSecretEngine = (TransitSecretEngine)_vaultAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.Transit, transitMountName, transitMountName);
// _transitSecretEngine =
// (TransitSecretEngine) await _vaultAgentAPI.CreateSecretBackendMount(EnumSecretBackendTypes.Transit, transitMountName, transitMountName,
// "Transit Bckend Testing");
Assert.NotNull(_transitSecretEngine, "Transit Backend was returned null upon creation.");
}
public async Task Backend_Init()
{
if (_vaultSystemBackend != null)
{
return;
}
// Build Connection to Vault.
_vaultAgentAPI = await VaultServerRef.ConnectVault("PolicyBE");
// Create a new system Backend Mount for this series of tests.
_vaultSystemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI);
// Create the backend.
_beName = _uniqueKeys.GetKey("beP");
VaultSysMountConfig testBE = new VaultSysMountConfig();
Assert.True(await _vaultSystemBackend.SysMountCreate(_beName, "KeyValue2 Policy Testing Backend", EnumSecretBackendTypes.KeyValueV2),
"A10: Enabling backend " + _beName + " failed.");
// Create the Root Engine that we will use
//_vaultRootAgentAPI = new VaultAgentAPI("Root", _vaultAgentAPI.IP, _vaultAgentAPI.Port, _vaultAgentAPI.Token.ID);
_vaultRootAgentAPI = await VaultServerRef.ConnectVault("PolicyBE_Alt");
_rootEng = (KV2SecretEngine)_vaultRootAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beName, _beName);
_vaultAgents = new List <VaultAgentAPI>();
}
// Create the token engines for a successful test and then the control test.
private async Task <(KV2SecretEngine engKV2OK, KV2SecretEngine engKV2FAIL)> SetupTokenEngines(string policyWithPermission)
{
// Get connection to Token Engine so we can create tokens.
TokenAuthEngine tokenEng = (TokenAuthEngine)_vaultAgentAPI.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);
// AA - The token that will have the policy.
TokenNewSettings tokenASettings = new TokenNewSettings();
tokenASettings.Policies.Add(policyWithPermission);
Token tokenOK = await tokenEng.CreateToken(tokenASettings);
// AB - The token that will not have the policy.
TokenNewSettings tokenBSettings = new TokenNewSettings();
tokenBSettings.Policies.Add("default");
Token tokenFAIL = await tokenEng.CreateToken(tokenBSettings);
// AC - Create 2 Vault Instances that will use each Token.
VaultAgentAPI vaultOK = await VaultServerRef.ConnectVault("OKVault", tokenOK.ID);
VaultAgentAPI vaultFail = await VaultServerRef.ConnectVault("FailVault", tokenFAIL.ID);
//VaultAgentAPI vaultOK = new VaultAgentAPI("OKToken", _vaultAgentAPI.IP, _vaultAgentAPI.Port, tokenOK.ID);
//VaultAgentAPI vaultFail = new VaultAgentAPI("FAILToken", _vaultAgentAPI.IP, _vaultAgentAPI.Port, tokenFAIL.ID);
_vaultAgents.Add(vaultOK);
_vaultAgents.Add(vaultFail);
// AD - Create the KeyValue Engines for each Token
KV2SecretEngine engKV2OK = (KV2SecretEngine)vaultOK.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beName, _beName);
KV2SecretEngine engKV2FAIL = (KV2SecretEngine)vaultFail.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beName, _beName);
return(engKV2OK, engKV2FAIL);
}
public async Task LoginWithValidCredentials_Success()
{
string roleName_A = _uniqueKeys.GetKey("RLogin");
AppRole roleA = new AppRole(roleName_A);
Assert.True(await _appRoleAuthEngine.SaveRole(roleA), "A1: Saving the role failed.");
// Read the role ID back.
string roleID = await _appRoleAuthEngine.ReadRoleID(roleA.Name);
// Now create the a secret
AppRoleSecret secret_A = await _appRoleAuthEngine.GenerateSecretID(roleA.Name);
// Now attempt to login - We need to create a new vault object or else we will screw with the other tests, since a successful login changes the token.
VaultAgentAPI v = new VaultAgentAPI("logintest", VaultServerRef.vaultURI);
AppRoleAuthEngine eng1 = (AppRoleAuthEngine)v.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, "Test", _appRoleAuthEngine.MountPoint);
Token token = await eng1.Login(roleID, secret_A.ID);
/* bool rc;
* rc = await _appRoleAuthEngine.Login(roleID, secret_A.ID);
*
* Assert.True(rc);
*/
Assert.IsNotNull(token, "A1: A token was not returned. The login failed.");
Assert.IsNotEmpty(token.ID, "A2: A token was returned, but it did not have an ID value.");
}
public async Task VaultAgentTest_OneTimeSetup()
{
_uk = new UniqueKeys();
name = _uk.GetKey("vlt");
vault = await VaultServerRef.ConnectVault(name);
//new VaultAgentAPI(name, VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken);
}
/// <summary>
/// Performs tasks that the Role1 user would do. Creating the actual application folders.
/// </summary>
/// <param name="role"></param>
/// <returns></returns>
public async Task PerformRole1Tasks()
{
try {
// Here we will create the AppA and B folders in both the path1 and the appData paths.
KV2Secret path1AppA = new KV2Secret(Constants.appName_A, "path1");
KV2Secret path1AppB = new KV2Secret(Constants.appName_B, "path1");
KV2Secret appDataAppA = new KV2Secret(Constants.appName_A, Constants.appData);
KV2Secret appDataAppB = new KV2Secret(Constants.appName_B, Constants.appData);
KV2Secret appData = new KV2Secret(Constants.appData);
// We need to simulate a session as this Role1 User:
VaultAgentAPI vault = new VaultAgentAPI("Role1", _vaultAgent.Uri);
AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName);
KV2SecretEngine secretEngine =
(KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "Sheakley KV2 Secrets", _beKV2Name);
// Now login.
Token token = await authEngine.Login(role1.RoleID, _SIDRole1.ID);
// Create the secrets if they do not exist. We can attempt to Read the Secret on the path1 paths as we have full control
var result = await secretEngine.TryReadSecret(appData);
if (!result.IsSuccess)
{
await secretEngine.SaveSecret(appData, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist);
}
result = await secretEngine.TryReadSecret(path1AppA);
if (!result.IsSuccess)
{
await secretEngine.SaveSecret(path1AppA, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist);
}
result = await secretEngine.TryReadSecret(path1AppB);
if (!result.IsSuccess)
{
await secretEngine.SaveSecret(path1AppB, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist);
}
// We have to list the "folders" or secrets on the AppData path as we only have create and List permissions.
List <string> appFolders = await secretEngine.ListSecretsAtPath(appData);
if (!appFolders.Contains(Constants.appName_A))
{
await secretEngine.SaveSecret(appDataAppA, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist);
}
if (!appFolders.Contains(Constants.appName_B))
{
await secretEngine.SaveSecret(appDataAppB, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist);
}
}
catch (VaultForbiddenException e) { Console.WriteLine("The role does not have permission to perform the requested operation. - Original Error - {0}", e.Message); }
catch (Exception e) { Console.WriteLine("Error detected in routine - PerformRole1Tasks - Error is - {0}", e.Message); }
}
public async Task RevokeTokenWithChildren_ChildrenOrphaned()
{
// Create a new token.
string tokenName = UK.GetKey("ParentOrp");
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
Name = tokenName,
};
Token parent = await _tokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(parent, "A1: Error creating the parent token - expected to receive the new token back, instead we received a null value.");
VaultAgentAPI v1 = await VaultServerRef.ConnectVault("TokenAuth2", parent.ID);
TokenAuthEngine TAE = (TokenAuthEngine)v1.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);
// Now create 3 child tokens.
Token token1 = await TAE.CreateToken(tokenNewSettings);
Assert.NotNull(token1, "A2: Error creating a new token - expected to receive the new token back, instead we received a null value.");
// Token 2.
tokenNewSettings.Name = "Token2";
Token token2 = await TAE.CreateToken(tokenNewSettings);
Assert.NotNull(token2, "A3: Error creating a new token - expected to receive the new token back, instead we received a null value.");
// Token 3.
tokenNewSettings.Name = "Token3";
Token token3 = await TAE.CreateToken(tokenNewSettings);
Assert.NotNull(token3, "A4: Error creating a new token - expected to receive the new token back, instead we received a null value.");
// Now revoke the Parent token.
Assert.IsTrue(await _tokenAuthEngine.RevokeToken(parent.ID, false), "A5: Revocation of parent token was not successful.");
Token parent2 = await _tokenAuthEngine.GetTokenWithID(parent.ID);
Assert.IsNull(parent2, "A6: The parent token should have been revoked. But it still exists.");
// Validate that each of the child tokens is revoked as well.
Token a1 = await _tokenAuthEngine.GetTokenWithID(token1.ID);
Token a2 = await _tokenAuthEngine.GetTokenWithID(token2.ID);
Token a3 = await _tokenAuthEngine.GetTokenWithID(token3.ID);
Assert.IsNotNull(a1, "A7: Expected the child token to still exist. But it is null");
Assert.IsNotNull(a2, "A8: Expected the child token to still exist. But it is null");
Assert.IsNotNull(a3, "A9: Expected the child token to still exist. But it is null");
Assert.IsTrue(a1.IsOrphan, "A10: Expected token to be marked as an orphan.");
Assert.IsTrue(a2.IsOrphan, "A11: Expected token to be marked as an orphan.");
Assert.IsTrue(a3.IsOrphan, "A12: Expected token to be marked as an orphan.");
}
public async Task PerformRoleATasks()
{
// We need to simulate a session as this Role1 User:
VaultAgentAPI vault = new VaultAgentAPI("Role2", _vaultAgent.Uri);
AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName);
KV2SecretEngine secretEngine =
(KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "KV2 Secrets", _beKV2Name);
// Now login.
Token token = await authEngine.Login(roleAppA.RoleID, _SIDRoleAppA.ID);
// Read existing secrets.
string rootPath = Constants.appData + "/" + Constants.appName_A + "/";
KV2Secret secretA1 = new KV2Secret("Database", rootPath);
bool readSuccess = false;
(readSuccess, secretA1) = await secretEngine.TryReadSecret <KV2Secret>(secretA1, 0);
// If it did not exist then create it.
if (!readSuccess)
{
secretA1 = new KV2Secret("Database", rootPath);
// Create Some Secrets.
secretA1.Attributes.Add("username", "abcUser");
secretA1.Attributes.Add("password", "passEncrypted");
secretA1.Attributes.Add("Connection", "db=1.2.3.4:4706/iInstance");
await secretEngine.SaveSecret(secretA1, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist, 0);
}
// Try to read the parent secret - should fail
KV2Secret secretParent = new KV2Secret(Constants.appData);
(readSuccess, secretParent) = await secretEngine.TryReadSecret <KV2Secret>(secretParent, 0);
// Lets try and read an AppB secret. Should fail.
try {
// Lets try and read an AppA secret. Should fail.
string rootBPath = Constants.appData + "/" + Constants.appName_B + "/";
KV2Secret secretB1 = new KV2Secret("Database", rootBPath);
(readSuccess, secretB1) = await secretEngine.TryReadSecret <KV2Secret>(secretB1, 0);
}
catch (VaultForbiddenException) {
Console.WriteLine("[SUCCESS-EXPECTED RESULT: User A does not have access to read from User B's secret store.");
}
// Lets update the secret.
string passwd = secretA1.Attributes["password"];
passwd = passwd + DateTime.Now.Hour;
secretA1.Attributes["password"] = passwd;
//secretEngine.SaveSecret(secretA1,)
}
public VaultClient_SystemBackend(string token, string ip, int port)
{
Uri vaultURI = new Uri("http://" + ip + ":" + port);
_vault = new VaultAgentAPI("VaultClient", vaultURI);
//_vault = new VaultAgentAPI("VaultSys",ip,port,token);
_token = token;
//_vaultSystemBackend = _vault.System;
}
public InitiateVault(VaultAgentAPI vaultAgent)
{
_vault = vaultAgent;
_vaultSystemBackend = new VaultSystemBackend(_vault.TokenID, _vault);
_ldapAuthEngine = (LdapAuthEngine)_vault.ConnectAuthenticationBackend(EnumBackendTypes.A_LDAP, LDAP_MOUNTNAME, LDAP_MOUNTNAME);
_authMethod = new AuthMethod(LDAP_MOUNTNAME, EnumAuthMethods.LDAP);
_authMethod.Description = LDAP_MOUNTNAME;
}
public async Task TokenPropertiesSet_WhenPassedValidToken()
{
VaultAgentAPI v1 = await VaultServerRef.ConnectVault(name);
//new VaultAgentAPI(name, VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken);
// Vault instance was created in one time setup.
Assert.AreEqual(VaultServerRef.rootToken, v1.Token.ID);
Assert.IsNotEmpty(v1.Token.APIPath);
Assert.Greater(v1.Token.CreationTime, 1);
}
public VC_AppRoleAuthEngine(VaultAgentAPI vaultAgent)
{
UniqueKeys uniqueKeys = new UniqueKeys();
// We will create a unique App Role Authentication Engine with the given name.
_AppBEName = "BEAppRole";
_vaultAgent = vaultAgent;
_vaultSystemBackend = new VaultSystemBackend(_vaultAgent.TokenID, _vaultAgent);
_appRoleAuthEngine = (AppRoleAuthEngine)vaultAgent.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName);
_idEngine = (IdentitySecretEngine)vaultAgent.ConnectToSecretBackend(EnumSecretBackendTypes.Identity);
}
public VaultClient_TransitBackend(string token, string ip, int port, string db)
{
Uri vaultURI = new Uri("http://" + ip + ":" + port);
_vault = new VaultAgentAPI("VaultClient", vaultURI);
//_vault = new VaultAgentAPI("VaultClientTra", ip, port);
//_vault = new VaultAgentAPI("TransitVault", ip, port, token);
//TB = new TransitSecretEngine(ip, port, token,db);
}
public async Task Setup()
{
if (_vaultAgentAPI != null)
{
return;
}
// Build Connection to Vault.
_vaultAgentAPI = await VaultServerRef.ConnectVault("VaultSecretEntry");
//_vaultAgentAPI = new VaultAgentAPI("testa", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken, true);
// We will create 3 KV2 mounts in the Vault instance. One for testing with CAS on, one with CAS off, and then a generic default (CAS off).
string noCasMountName = _uniqueKey.GetKey("NoCas");
string casMountName = _uniqueKey.GetKey("CAS");
// Config settings for all the mounts.
VaultSysMountConfig config = new VaultSysMountConfig
{
DefaultLeaseTTL = "30m",
MaxLeaseTTL = "90m",
VisibilitySetting = "hidden"
};
// Get Connection to Vault System backend
_systemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI);
Assert.IsTrue(await _systemBackend.CreateSecretBackendMount(EnumSecretBackendTypes.KeyValueV2, noCasMountName, noCasMountName,
"No CAS Mount Test", config), "Failed to Create the NOCas KV2 secret backend");
_noCASMount = (KV2SecretEngine)_vaultAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, noCasMountName, noCasMountName);
Assert.IsTrue(await _systemBackend.CreateSecretBackendMount(EnumSecretBackendTypes.KeyValueV2, casMountName, casMountName,
"CAS Mount Test", config), "Failed to create the CAS Mount KV2 Secret Backend");
_casMount = (KV2SecretEngine)_vaultAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, casMountName, casMountName);
Assert.NotNull(_noCASMount);
Assert.NotNull(_casMount);
// This is required as of Vault 1.0 It now seems to take a second or 2 to upgrade the mount from KV1 to KV2.
Thread.Sleep(2500);
// Set backend mount config.
Assert.True(await _noCASMount.SetBackendConfiguration(8, false));
Assert.True(await _casMount.SetBackendConfiguration(8, false));
// Setup the DateTimeOffset Fields
_theDate = DateTimeOffset.FromUnixTimeSeconds(_unixEpochTime);
}
public async Task Identity_Init()
{
if (_vaultAgentAPI != null)
{
return;
}
// Build Connection to Vault.
_vaultAgentAPI = await VaultServerRef.ConnectVault("IdTest");
//new VaultAgentAPI("IdentityTest", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken, true);
_idEngine = (IdentitySecretEngine)_vaultAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.Identity);
}
public async Task Backend_Init()
{
if (_vaultSystemBackend != null)
{
return;
}
// Build Connection to Vault.
_vaultAgentAPI = await VaultServerRef.ConnectVault("TransitVault");
//new VaultAgentAPI("transitVault", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken, true);
// Create a new system Backend Mount for this series of tests.
_vaultSystemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI);
}
public async Task PerformRoleBTasks()
{
// We need to simulate a session as this Role1 User:
VaultAgentAPI vault = new VaultAgentAPI("Role2", _vaultAgent.Uri);
AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName);
KV2SecretEngine secretEngine =
(KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "KV2 Secrets", _beKV2Name);
// Now login.
Token token = await authEngine.Login(roleAppB.RoleID, _SIDRoleAppB.ID);
// Read existing secrets.
string rootPath = Constants.appData + "/" + Constants.appName_B + "/";
KV2Secret secretB1 = new KV2Secret("Database", rootPath);
bool readSuccess = false;
(readSuccess, secretB1) = await secretEngine.TryReadSecret(secretB1, 0);
if (!readSuccess)
{
secretB1 = new KV2Secret("Database", rootPath);
// Create Some Secrets.
secretB1.Attributes.Add("username", "Buser");
secretB1.Attributes.Add("password", "Bpassword");
secretB1.Attributes.Add("Connection", "db=99.100.101.102:0/iBInstance");
await secretEngine.SaveSecret(secretB1, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist, 0);
}
try {
// Lets try and read an AppA secret. Should fail.
string rootAPath = Constants.appData + "/" + Constants.appName_A + "/";
KV2Secret secretA1 = new KV2Secret("Database", rootAPath);
(readSuccess, secretB1) = await secretEngine.TryReadSecret(secretA1, 0);
}
catch (VaultForbiddenException) {
Console.WriteLine("[SUCCESS-EXPECTED RESULT: User B does not have access to read from User A's secret store.");
}
int bb = 0;
bb++;
}
public async Task NormalLogin()
{
// SETUP
// We need our own vault since we will be manipulating the token value
VaultAgentAPI ourVault = await VaultServerRef.ConnectVault("TokenTest");
TokenAuthEngine ourTokenAuthEngine = (TokenAuthEngine)ourVault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token);
// Need a Token Role so we can autogenerate a token
TokenRole tokenRole = new TokenRole();
UniqueKeys UK = new UniqueKeys("", ""); // Unique Key generator
tokenRole.Name = UK.GetKey();
await ourTokenAuthEngine.SaveTokenRole(tokenRole);
string tokenName = "Name" + tokenRole.Name;
TokenNewSettings tokenNewSettings = new TokenNewSettings()
{
Name = tokenName,
NumberOfUses = 6,
NoParentToken = true,
RoleName = tokenRole.Name
};
Token token = await ourTokenAuthEngine.CreateToken(tokenNewSettings);
Assert.NotNull(token, "A10: Expected to receive the new token back, instead we received a null value.");
// Read the token we just created.
//Token token = await _tokenAuthEngine.GetTokenWithID(tokenID);
Assert.IsNotNull(token, "A20: No Token returned. Was expecting one.");
VaultAgentAPI vault2 = await VaultServerRef.ConnectVault("TokenLoginTest");
TokenLoginConnector loginConnector = new TokenLoginConnector(vault2, "test");
loginConnector.TokenId = token.ID;
Assert.IsTrue(await loginConnector.Connect(), "A30: Login Failed");
}
/// <summary>
/// Performs tasks that the teen wants to to.
/// </summary>
/// <returns></returns>
private async Task Perform_TeenTasks()
{
// We cannot use the Vault Agent _masterVaultAgent, since it has the Master Token tied to it. We will create a new VaultAgent and SecretEngine for use during this Task, which will have our
// Mother role token AND not the master Token.
// So, we wire up a new Vault, AppRole and Secret Engines AND use them throughout this routine.
VaultAgentAPI vault = new VaultAgentAPI("TeenConnector", _masterVaultAgent.Uri);
AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName);
KV2SecretEngine secretEngine =
(KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beKV2Name, _beKV2Name);
// Login.
Token token = await authEngine.Login(roleTeenager.RoleID, _sidTeenager.ID);
// Should be able to load the House Secret. But not updated it.
KV2Secret a = await secretEngine.ReadSecret <KV2Secret>(HOUSE.HOUSE_PATH);
a.Attributes["Electric"] = "No";
// Should Fail
bool rc = await SaveSecret(secretEngine, a);
// Should NOT be able to read anything in the Toddler's Bedroom
(bool rcB, KV2Secret b) = await ReadSecret(secretEngine, HOUSE.TODDLER_BEDROOM);
// Should be able to read and update the Kitchen secret
(bool rcK, KV2Secret k) = await ReadSecret(secretEngine, HOUSE.KITCHEN);
k.Attributes["Carrots"] = "Need";
rcK = await SaveSecret(secretEngine, k);
// Should be able to read and update the Fridge
(bool rcR, KV2Secret r) = await ReadSecret(secretEngine, HOUSE.REFRIGERATOR);
k.Attributes["Cold"] = "True";
rcR = await SaveSecret(secretEngine, r);
// Should have no writes to the Dishwasher
(bool rcD, KV2Secret d) = await ReadSecret(secretEngine, HOUSE.DISHWASHER);
}
public async Task AppRoleAuthEngineSetup()
{
// Build Connection to Vault.
_vault = await VaultServerRef.ConnectVault("AppRoleVault");
//_vault = new VaultAgentAPI("AppRoleVault", VaultServerRef.ipAddress, VaultServerRef.ipPort); //, VaultServerRef.rootToken,true);
_vaultSystemBackend = new VaultSystemBackend(_vault.TokenID, _vault);
string approleMountName = _uniqueKeys.GetKey("AppAuth");
// Create an AppRole authentication connection.
_appRoleAuthEngine = (AppRoleAuthEngine)_vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, "AppRole", approleMountName);
// Create an Authentication method of App Role. - This only needs to be done when the Auth method is created.
AuthMethod am = new AuthMethod(approleMountName, EnumAuthMethods.AppRole);
bool rc = await _vaultSystemBackend.AuthEnable(am);
}
/// <summary>
/// Performs tasks that the Role1 user would do. Creating the actual application folders.
/// </summary>
/// <param name="role"></param>
/// <returns></returns>
public async Task PerformRole2Tasks()
{
try {
// We just try and read secrets off path1/ folders.
// We need to simulate a session as this Role1 User:
VaultAgentAPI vault = new VaultAgentAPI("Role2", _vaultAgent.Uri);
AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName);
KV2SecretEngine secretEngine =
(KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "Sheakley KV2 Secrets", _beKV2Name);
// Now login.
Token token = await authEngine.Login(role2.RoleID, _SIDRole2.ID);
// Try and read a secret.
}
catch (VaultForbiddenException e) { Console.WriteLine("The role does not have permission to perform the requested operation. - Original Error - {0}", e.Message); }
catch (Exception e) { Console.WriteLine("Error detected in routine - PerformRole1Tasks - Error is - {0}", e.Message); }
}
