public void ValidateVaultInstanceBaseSettings() { VaultAgentAPI a = new VaultAgentAPI(name, VaultServerRef.vaultURI); Assert.AreEqual(name, vault.Name); Assert.AreEqual(VaultServerRef.vaultURI, vault.Uri); }
/// <summary> /// Creates a Vault instance and connects it with either the default testing token or the specified token /// </summary> /// <param name="name">Name to be given to this Vault object</param> /// <param name="overrideToken">The TokenId to use if you do not wish to use the default testing token</param> /// <returns></returns> public static async Task <VaultAgentAPI> ConnectVault(string name, string overrideToken = "") { vaultURI = new Uri("http://" + ipAddress + ":" + ipPort); VaultAgentAPI vault = new VaultAgentAPI(name, vaultURI); string thisToken; if (overrideToken != string.Empty) { thisToken = overrideToken; } else { thisToken = rootToken; } TokenLoginConnector loginConnector = new TokenLoginConnector(vault, "Testing", thisToken, TokenAuthEngine.TOKEN_DEFAULT_MOUNT_NAME); bool success = await loginConnector.Connect(); if (!success) { throw new ApplicationException("Error connecting to the Vault Instance using Token " + thisToken); } return(vault); }
public async Task TokenLogin_InvalidToken() { // Load engine and create a token VaultAgentAPI vault = new VaultAgentAPI("LoginConnVault", VaultServerRef.vaultURI); // TODO this test is not valid. We kind of already test it, because every Test requires a connection to Vault which we do in the VaultServerSetup Class. TokenLoginConnector tlc = new TokenLoginConnector(vault, "Token Connector"); tlc.TokenId = "bbnbb"; bool success = await tlc.Connect(); Assert.IsFalse(success); /* * * * TokenAuthEngine tokenAuthEngine = (TokenAuthEngine)_vault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token); * * TokenNewSettings tokenSettings = new TokenNewSettings(); * tokenSettings.Name = "Test"; * tokenSettings.IsRenewable = false; * tokenSettings.NumberOfUses = 4; * * Token token = await tokenAuthEngine.CreateToken(tokenSettings); * TokenLoginConnector lc = new TokenLoginConnector(_vault,tokenAuthEngine.MountPoint,tokenAuthEngine.Name); * lc.TokenId = token.ID; * Assert.IsTrue(await lc.Connect()); */ Assert.IsTrue(true); }
public async Task RevokeSelfTokenSucceeds() { VaultAgentAPI v1 = await VaultServerRef.ConnectVault("TempVault"); //new VaultAgentAPI("TempVault", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken); string tokenName = UK.GetKey("tmpTok"); // Create a new token. TokenNewSettings tokenNewSettings = new TokenNewSettings() { Name = tokenName, }; Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(token, "A1: Error creating a new token - expected to receive the new token back, instead we received a null value."); // Now set vault to use the new token. v1.Token = token; Assert.AreNotEqual(VaultServerRef.rootToken, token.ID, "A2: Expected the Vault object to have a different token. But was still set at initial token."); // And then revoke. Assert.IsTrue(await v1.RevokeActiveToken()); Assert.IsNull(v1.Token); // Now try and reset the Vault to use the old token. It should fail. v1.Token = token; Assert.ThrowsAsync <VaultForbiddenException> (async() => await v1.RefreshActiveToken()); }
// ============================================================================================================================================== /// <summary> /// Constructor. Initializes the connection to Vault and stores the token. /// </summary> /// <param name="backendName">The name of the secret backend to mount. This is purely cosmetic.</param> /// <param name="backendMountPoint"> /// The actual mount point that the secret is mounted to. Exclude and prefix such as /v1/ /// and exclude trailing slash. /// </param> /// <param name="vaultAgentAPI">The Vault API Agent Object that contains connectivity information for authenticating and connecting to the Vault</param> public KV2SecretEngine(string backendName, string backendMountPoint, VaultAgentAPI vaultAgentAPI) : base( backendName, backendMountPoint, vaultAgentAPI) { Type = EnumBackendTypes.KeyValueV2; IsSecretBackend = true; }
public void Setup() { _vault = new VaultAgentAPI("LoginConnVault", VaultServerRef.vaultURI); _vault.TokenID = VaultServerRef.rootToken; // _vault = new VaultAgentAPI("LoginConnVault", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken, true); }
public async Task TokenEngineSetup() { // Build Connection to Vault. vault = await VaultServerRef.ConnectVault("TokenEng"); _tokenAuthEngine = (TokenAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token); }
public async Task Setup() { // Build Connection to Vault. _vault = await VaultServerRef.ConnectVault("AppRoleVault"); //_vault = new VaultAgentAPI ("AppRoleVault", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken, true); _vaultSystemBackend = new VaultSystemBackend(_vault.TokenID, _vault); _ldapMountName = _uniqueKeys.GetKey("LDAP"); // Define the engine. _ldapAuthEngine = (LdapAuthEngine)_vault.ConnectAuthenticationBackend(EnumBackendTypes.A_LDAP, "ldap_test", _ldapMountName); // Now create the Mount point. AuthMethod authMethod = new AuthMethod(_ldapMountName, EnumAuthMethods.LDAP); authMethod.Description = "Ldap Test"; Assert.True(await _vaultSystemBackend.AuthEnable(authMethod), "A10: Expected the LDAP Backend to have been enabled."); // Now build the LDAP Backend. _origConfig = _ldapAuthEngine.GetLDAPConfigFromFile(@"C:\a_Dev\Configs\LDAP_Test.json"); SetLDAPConfig(_ldapMountName, _origConfig); // Save the Config. We do this here so the SetLDAPConfig can be used for multiple engines. Assert.True(await _ldapAuthEngine.ConfigureLDAPBackend(_origConfig), "A100: Expected the LDAP Configuration method to return True"); // Initialize the LDAP Login Connector. _ldapLoginConnector = new LDAPLoginConnector(_vault, _ldapAuthEngine.MountPoint, "Test LDAP Backend"); // Load the Test Data Object LoadTestData(); }
public async Task CreateToken() { // SETUP // We need our own vault since we will be manipulating the token value VaultAgentAPI ourVault = await VaultServerRef.ConnectVault("TokenTest"); TokenAuthEngine ourTokenAuthEngine = (TokenAuthEngine)ourVault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token); // Need a Token Role so we can autogenerate a token TokenRole tokenRole = new TokenRole(); tokenRole.Name = UK.GetKey(); await ourTokenAuthEngine.SaveTokenRole(tokenRole); string tokenName = "Name" + tokenRole.Name; TokenNewSettings tokenNewSettings = new TokenNewSettings() { Name = tokenName, NumberOfUses = 6, NoParentToken = true, RoleName = tokenRole.Name }; Token token = await ourTokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(token, "A10: Expected to receive the new token back, instead we received a null value."); // Read the token we just created. //Token token = await _tokenAuthEngine.GetTokenWithID(tokenID); Assert.IsNotNull(token, "A20: No Token returned. Was expecting one."); ourVault.TokenID = token.ID; Assert.AreEqual(ourVault.TokenID, token.ID, "A30: Vault did not store token correctly"); }
public async Task Transit_Init() { if (_vaultAgentAPI != null) { return; } // Build Connection to Vault. _vaultAgentAPI = await VaultServerRef.ConnectVault("TransitSecEng"); //new VaultAgentAPI("transitVault", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken, true); // Create unique name for the transit Backend we will use to test with. string transitMountName = _uniqueKeys.GetKey("TRANsit"); // Get Connection to Vault System backend _systemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI); Assert.IsTrue(await _systemBackend.CreateSecretBackendMount(EnumSecretBackendTypes.Transit, transitMountName, transitMountName, "Transit Bckend Testing"), "A10: Failed to Create the Transit Backend"); _transitSecretEngine = (TransitSecretEngine)_vaultAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.Transit, transitMountName, transitMountName); // _transitSecretEngine = // (TransitSecretEngine) await _vaultAgentAPI.CreateSecretBackendMount(EnumSecretBackendTypes.Transit, transitMountName, transitMountName, // "Transit Bckend Testing"); Assert.NotNull(_transitSecretEngine, "Transit Backend was returned null upon creation."); }
public async Task Backend_Init() { if (_vaultSystemBackend != null) { return; } // Build Connection to Vault. _vaultAgentAPI = await VaultServerRef.ConnectVault("PolicyBE"); // Create a new system Backend Mount for this series of tests. _vaultSystemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI); // Create the backend. _beName = _uniqueKeys.GetKey("beP"); VaultSysMountConfig testBE = new VaultSysMountConfig(); Assert.True(await _vaultSystemBackend.SysMountCreate(_beName, "KeyValue2 Policy Testing Backend", EnumSecretBackendTypes.KeyValueV2), "A10: Enabling backend " + _beName + " failed."); // Create the Root Engine that we will use //_vaultRootAgentAPI = new VaultAgentAPI("Root", _vaultAgentAPI.IP, _vaultAgentAPI.Port, _vaultAgentAPI.Token.ID); _vaultRootAgentAPI = await VaultServerRef.ConnectVault("PolicyBE_Alt"); _rootEng = (KV2SecretEngine)_vaultRootAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beName, _beName); _vaultAgents = new List <VaultAgentAPI>(); }
// Create the token engines for a successful test and then the control test. private async Task <(KV2SecretEngine engKV2OK, KV2SecretEngine engKV2FAIL)> SetupTokenEngines(string policyWithPermission) { // Get connection to Token Engine so we can create tokens. TokenAuthEngine tokenEng = (TokenAuthEngine)_vaultAgentAPI.ConnectAuthenticationBackend(EnumBackendTypes.A_Token); // AA - The token that will have the policy. TokenNewSettings tokenASettings = new TokenNewSettings(); tokenASettings.Policies.Add(policyWithPermission); Token tokenOK = await tokenEng.CreateToken(tokenASettings); // AB - The token that will not have the policy. TokenNewSettings tokenBSettings = new TokenNewSettings(); tokenBSettings.Policies.Add("default"); Token tokenFAIL = await tokenEng.CreateToken(tokenBSettings); // AC - Create 2 Vault Instances that will use each Token. VaultAgentAPI vaultOK = await VaultServerRef.ConnectVault("OKVault", tokenOK.ID); VaultAgentAPI vaultFail = await VaultServerRef.ConnectVault("FailVault", tokenFAIL.ID); //VaultAgentAPI vaultOK = new VaultAgentAPI("OKToken", _vaultAgentAPI.IP, _vaultAgentAPI.Port, tokenOK.ID); //VaultAgentAPI vaultFail = new VaultAgentAPI("FAILToken", _vaultAgentAPI.IP, _vaultAgentAPI.Port, tokenFAIL.ID); _vaultAgents.Add(vaultOK); _vaultAgents.Add(vaultFail); // AD - Create the KeyValue Engines for each Token KV2SecretEngine engKV2OK = (KV2SecretEngine)vaultOK.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beName, _beName); KV2SecretEngine engKV2FAIL = (KV2SecretEngine)vaultFail.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beName, _beName); return(engKV2OK, engKV2FAIL); }
public async Task LoginWithValidCredentials_Success() { string roleName_A = _uniqueKeys.GetKey("RLogin"); AppRole roleA = new AppRole(roleName_A); Assert.True(await _appRoleAuthEngine.SaveRole(roleA), "A1: Saving the role failed."); // Read the role ID back. string roleID = await _appRoleAuthEngine.ReadRoleID(roleA.Name); // Now create the a secret AppRoleSecret secret_A = await _appRoleAuthEngine.GenerateSecretID(roleA.Name); // Now attempt to login - We need to create a new vault object or else we will screw with the other tests, since a successful login changes the token. VaultAgentAPI v = new VaultAgentAPI("logintest", VaultServerRef.vaultURI); AppRoleAuthEngine eng1 = (AppRoleAuthEngine)v.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, "Test", _appRoleAuthEngine.MountPoint); Token token = await eng1.Login(roleID, secret_A.ID); /* bool rc; * rc = await _appRoleAuthEngine.Login(roleID, secret_A.ID); * * Assert.True(rc); */ Assert.IsNotNull(token, "A1: A token was not returned. The login failed."); Assert.IsNotEmpty(token.ID, "A2: A token was returned, but it did not have an ID value."); }
public async Task VaultAgentTest_OneTimeSetup() { _uk = new UniqueKeys(); name = _uk.GetKey("vlt"); vault = await VaultServerRef.ConnectVault(name); //new VaultAgentAPI(name, VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken); }
/// <summary> /// Performs tasks that the Role1 user would do. Creating the actual application folders. /// </summary> /// <param name="role"></param> /// <returns></returns> public async Task PerformRole1Tasks() { try { // Here we will create the AppA and B folders in both the path1 and the appData paths. KV2Secret path1AppA = new KV2Secret(Constants.appName_A, "path1"); KV2Secret path1AppB = new KV2Secret(Constants.appName_B, "path1"); KV2Secret appDataAppA = new KV2Secret(Constants.appName_A, Constants.appData); KV2Secret appDataAppB = new KV2Secret(Constants.appName_B, Constants.appData); KV2Secret appData = new KV2Secret(Constants.appData); // We need to simulate a session as this Role1 User: VaultAgentAPI vault = new VaultAgentAPI("Role1", _vaultAgent.Uri); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "Sheakley KV2 Secrets", _beKV2Name); // Now login. Token token = await authEngine.Login(role1.RoleID, _SIDRole1.ID); // Create the secrets if they do not exist. We can attempt to Read the Secret on the path1 paths as we have full control var result = await secretEngine.TryReadSecret(appData); if (!result.IsSuccess) { await secretEngine.SaveSecret(appData, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist); } result = await secretEngine.TryReadSecret(path1AppA); if (!result.IsSuccess) { await secretEngine.SaveSecret(path1AppA, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist); } result = await secretEngine.TryReadSecret(path1AppB); if (!result.IsSuccess) { await secretEngine.SaveSecret(path1AppB, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist); } // We have to list the "folders" or secrets on the AppData path as we only have create and List permissions. List <string> appFolders = await secretEngine.ListSecretsAtPath(appData); if (!appFolders.Contains(Constants.appName_A)) { await secretEngine.SaveSecret(appDataAppA, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist); } if (!appFolders.Contains(Constants.appName_B)) { await secretEngine.SaveSecret(appDataAppB, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist); } } catch (VaultForbiddenException e) { Console.WriteLine("The role does not have permission to perform the requested operation. - Original Error - {0}", e.Message); } catch (Exception e) { Console.WriteLine("Error detected in routine - PerformRole1Tasks - Error is - {0}", e.Message); } }
public async Task RevokeTokenWithChildren_ChildrenOrphaned() { // Create a new token. string tokenName = UK.GetKey("ParentOrp"); TokenNewSettings tokenNewSettings = new TokenNewSettings() { Name = tokenName, }; Token parent = await _tokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(parent, "A1: Error creating the parent token - expected to receive the new token back, instead we received a null value."); VaultAgentAPI v1 = await VaultServerRef.ConnectVault("TokenAuth2", parent.ID); TokenAuthEngine TAE = (TokenAuthEngine)v1.ConnectAuthenticationBackend(EnumBackendTypes.A_Token); // Now create 3 child tokens. Token token1 = await TAE.CreateToken(tokenNewSettings); Assert.NotNull(token1, "A2: Error creating a new token - expected to receive the new token back, instead we received a null value."); // Token 2. tokenNewSettings.Name = "Token2"; Token token2 = await TAE.CreateToken(tokenNewSettings); Assert.NotNull(token2, "A3: Error creating a new token - expected to receive the new token back, instead we received a null value."); // Token 3. tokenNewSettings.Name = "Token3"; Token token3 = await TAE.CreateToken(tokenNewSettings); Assert.NotNull(token3, "A4: Error creating a new token - expected to receive the new token back, instead we received a null value."); // Now revoke the Parent token. Assert.IsTrue(await _tokenAuthEngine.RevokeToken(parent.ID, false), "A5: Revocation of parent token was not successful."); Token parent2 = await _tokenAuthEngine.GetTokenWithID(parent.ID); Assert.IsNull(parent2, "A6: The parent token should have been revoked. But it still exists."); // Validate that each of the child tokens is revoked as well. Token a1 = await _tokenAuthEngine.GetTokenWithID(token1.ID); Token a2 = await _tokenAuthEngine.GetTokenWithID(token2.ID); Token a3 = await _tokenAuthEngine.GetTokenWithID(token3.ID); Assert.IsNotNull(a1, "A7: Expected the child token to still exist. But it is null"); Assert.IsNotNull(a2, "A8: Expected the child token to still exist. But it is null"); Assert.IsNotNull(a3, "A9: Expected the child token to still exist. But it is null"); Assert.IsTrue(a1.IsOrphan, "A10: Expected token to be marked as an orphan."); Assert.IsTrue(a2.IsOrphan, "A11: Expected token to be marked as an orphan."); Assert.IsTrue(a3.IsOrphan, "A12: Expected token to be marked as an orphan."); }
public async Task PerformRoleATasks() { // We need to simulate a session as this Role1 User: VaultAgentAPI vault = new VaultAgentAPI("Role2", _vaultAgent.Uri); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "KV2 Secrets", _beKV2Name); // Now login. Token token = await authEngine.Login(roleAppA.RoleID, _SIDRoleAppA.ID); // Read existing secrets. string rootPath = Constants.appData + "/" + Constants.appName_A + "/"; KV2Secret secretA1 = new KV2Secret("Database", rootPath); bool readSuccess = false; (readSuccess, secretA1) = await secretEngine.TryReadSecret <KV2Secret>(secretA1, 0); // If it did not exist then create it. if (!readSuccess) { secretA1 = new KV2Secret("Database", rootPath); // Create Some Secrets. secretA1.Attributes.Add("username", "abcUser"); secretA1.Attributes.Add("password", "passEncrypted"); secretA1.Attributes.Add("Connection", "db=1.2.3.4:4706/iInstance"); await secretEngine.SaveSecret(secretA1, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist, 0); } // Try to read the parent secret - should fail KV2Secret secretParent = new KV2Secret(Constants.appData); (readSuccess, secretParent) = await secretEngine.TryReadSecret <KV2Secret>(secretParent, 0); // Lets try and read an AppB secret. Should fail. try { // Lets try and read an AppA secret. Should fail. string rootBPath = Constants.appData + "/" + Constants.appName_B + "/"; KV2Secret secretB1 = new KV2Secret("Database", rootBPath); (readSuccess, secretB1) = await secretEngine.TryReadSecret <KV2Secret>(secretB1, 0); } catch (VaultForbiddenException) { Console.WriteLine("[SUCCESS-EXPECTED RESULT: User A does not have access to read from User B's secret store."); } // Lets update the secret. string passwd = secretA1.Attributes["password"]; passwd = passwd + DateTime.Now.Hour; secretA1.Attributes["password"] = passwd; //secretEngine.SaveSecret(secretA1,) }
public VaultClient_SystemBackend(string token, string ip, int port) { Uri vaultURI = new Uri("http://" + ip + ":" + port); _vault = new VaultAgentAPI("VaultClient", vaultURI); //_vault = new VaultAgentAPI("VaultSys",ip,port,token); _token = token; //_vaultSystemBackend = _vault.System; }
public InitiateVault(VaultAgentAPI vaultAgent) { _vault = vaultAgent; _vaultSystemBackend = new VaultSystemBackend(_vault.TokenID, _vault); _ldapAuthEngine = (LdapAuthEngine)_vault.ConnectAuthenticationBackend(EnumBackendTypes.A_LDAP, LDAP_MOUNTNAME, LDAP_MOUNTNAME); _authMethod = new AuthMethod(LDAP_MOUNTNAME, EnumAuthMethods.LDAP); _authMethod.Description = LDAP_MOUNTNAME; }
public async Task TokenPropertiesSet_WhenPassedValidToken() { VaultAgentAPI v1 = await VaultServerRef.ConnectVault(name); //new VaultAgentAPI(name, VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken); // Vault instance was created in one time setup. Assert.AreEqual(VaultServerRef.rootToken, v1.Token.ID); Assert.IsNotEmpty(v1.Token.APIPath); Assert.Greater(v1.Token.CreationTime, 1); }
public VC_AppRoleAuthEngine(VaultAgentAPI vaultAgent) { UniqueKeys uniqueKeys = new UniqueKeys(); // We will create a unique App Role Authentication Engine with the given name. _AppBEName = "BEAppRole"; _vaultAgent = vaultAgent; _vaultSystemBackend = new VaultSystemBackend(_vaultAgent.TokenID, _vaultAgent); _appRoleAuthEngine = (AppRoleAuthEngine)vaultAgent.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); _idEngine = (IdentitySecretEngine)vaultAgent.ConnectToSecretBackend(EnumSecretBackendTypes.Identity); }
public VaultClient_TransitBackend(string token, string ip, int port, string db) { Uri vaultURI = new Uri("http://" + ip + ":" + port); _vault = new VaultAgentAPI("VaultClient", vaultURI); //_vault = new VaultAgentAPI("VaultClientTra", ip, port); //_vault = new VaultAgentAPI("TransitVault", ip, port, token); //TB = new TransitSecretEngine(ip, port, token,db); }
public async Task Setup() { if (_vaultAgentAPI != null) { return; } // Build Connection to Vault. _vaultAgentAPI = await VaultServerRef.ConnectVault("VaultSecretEntry"); //_vaultAgentAPI = new VaultAgentAPI("testa", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken, true); // We will create 3 KV2 mounts in the Vault instance. One for testing with CAS on, one with CAS off, and then a generic default (CAS off). string noCasMountName = _uniqueKey.GetKey("NoCas"); string casMountName = _uniqueKey.GetKey("CAS"); // Config settings for all the mounts. VaultSysMountConfig config = new VaultSysMountConfig { DefaultLeaseTTL = "30m", MaxLeaseTTL = "90m", VisibilitySetting = "hidden" }; // Get Connection to Vault System backend _systemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI); Assert.IsTrue(await _systemBackend.CreateSecretBackendMount(EnumSecretBackendTypes.KeyValueV2, noCasMountName, noCasMountName, "No CAS Mount Test", config), "Failed to Create the NOCas KV2 secret backend"); _noCASMount = (KV2SecretEngine)_vaultAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, noCasMountName, noCasMountName); Assert.IsTrue(await _systemBackend.CreateSecretBackendMount(EnumSecretBackendTypes.KeyValueV2, casMountName, casMountName, "CAS Mount Test", config), "Failed to create the CAS Mount KV2 Secret Backend"); _casMount = (KV2SecretEngine)_vaultAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, casMountName, casMountName); Assert.NotNull(_noCASMount); Assert.NotNull(_casMount); // This is required as of Vault 1.0 It now seems to take a second or 2 to upgrade the mount from KV1 to KV2. Thread.Sleep(2500); // Set backend mount config. Assert.True(await _noCASMount.SetBackendConfiguration(8, false)); Assert.True(await _casMount.SetBackendConfiguration(8, false)); // Setup the DateTimeOffset Fields _theDate = DateTimeOffset.FromUnixTimeSeconds(_unixEpochTime); }
public async Task Identity_Init() { if (_vaultAgentAPI != null) { return; } // Build Connection to Vault. _vaultAgentAPI = await VaultServerRef.ConnectVault("IdTest"); //new VaultAgentAPI("IdentityTest", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken, true); _idEngine = (IdentitySecretEngine)_vaultAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.Identity); }
public async Task Backend_Init() { if (_vaultSystemBackend != null) { return; } // Build Connection to Vault. _vaultAgentAPI = await VaultServerRef.ConnectVault("TransitVault"); //new VaultAgentAPI("transitVault", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken, true); // Create a new system Backend Mount for this series of tests. _vaultSystemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI); }
public async Task PerformRoleBTasks() { // We need to simulate a session as this Role1 User: VaultAgentAPI vault = new VaultAgentAPI("Role2", _vaultAgent.Uri); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "KV2 Secrets", _beKV2Name); // Now login. Token token = await authEngine.Login(roleAppB.RoleID, _SIDRoleAppB.ID); // Read existing secrets. string rootPath = Constants.appData + "/" + Constants.appName_B + "/"; KV2Secret secretB1 = new KV2Secret("Database", rootPath); bool readSuccess = false; (readSuccess, secretB1) = await secretEngine.TryReadSecret(secretB1, 0); if (!readSuccess) { secretB1 = new KV2Secret("Database", rootPath); // Create Some Secrets. secretB1.Attributes.Add("username", "Buser"); secretB1.Attributes.Add("password", "Bpassword"); secretB1.Attributes.Add("Connection", "db=99.100.101.102:0/iBInstance"); await secretEngine.SaveSecret(secretB1, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist, 0); } try { // Lets try and read an AppA secret. Should fail. string rootAPath = Constants.appData + "/" + Constants.appName_A + "/"; KV2Secret secretA1 = new KV2Secret("Database", rootAPath); (readSuccess, secretB1) = await secretEngine.TryReadSecret(secretA1, 0); } catch (VaultForbiddenException) { Console.WriteLine("[SUCCESS-EXPECTED RESULT: User B does not have access to read from User A's secret store."); } int bb = 0; bb++; }
public async Task NormalLogin() { // SETUP // We need our own vault since we will be manipulating the token value VaultAgentAPI ourVault = await VaultServerRef.ConnectVault("TokenTest"); TokenAuthEngine ourTokenAuthEngine = (TokenAuthEngine)ourVault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token); // Need a Token Role so we can autogenerate a token TokenRole tokenRole = new TokenRole(); UniqueKeys UK = new UniqueKeys("", ""); // Unique Key generator tokenRole.Name = UK.GetKey(); await ourTokenAuthEngine.SaveTokenRole(tokenRole); string tokenName = "Name" + tokenRole.Name; TokenNewSettings tokenNewSettings = new TokenNewSettings() { Name = tokenName, NumberOfUses = 6, NoParentToken = true, RoleName = tokenRole.Name }; Token token = await ourTokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(token, "A10: Expected to receive the new token back, instead we received a null value."); // Read the token we just created. //Token token = await _tokenAuthEngine.GetTokenWithID(tokenID); Assert.IsNotNull(token, "A20: No Token returned. Was expecting one."); VaultAgentAPI vault2 = await VaultServerRef.ConnectVault("TokenLoginTest"); TokenLoginConnector loginConnector = new TokenLoginConnector(vault2, "test"); loginConnector.TokenId = token.ID; Assert.IsTrue(await loginConnector.Connect(), "A30: Login Failed"); }
/// <summary> /// Performs tasks that the teen wants to to. /// </summary> /// <returns></returns> private async Task Perform_TeenTasks() { // We cannot use the Vault Agent _masterVaultAgent, since it has the Master Token tied to it. We will create a new VaultAgent and SecretEngine for use during this Task, which will have our // Mother role token AND not the master Token. // So, we wire up a new Vault, AppRole and Secret Engines AND use them throughout this routine. VaultAgentAPI vault = new VaultAgentAPI("TeenConnector", _masterVaultAgent.Uri); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beKV2Name, _beKV2Name); // Login. Token token = await authEngine.Login(roleTeenager.RoleID, _sidTeenager.ID); // Should be able to load the House Secret. But not updated it. KV2Secret a = await secretEngine.ReadSecret <KV2Secret>(HOUSE.HOUSE_PATH); a.Attributes["Electric"] = "No"; // Should Fail bool rc = await SaveSecret(secretEngine, a); // Should NOT be able to read anything in the Toddler's Bedroom (bool rcB, KV2Secret b) = await ReadSecret(secretEngine, HOUSE.TODDLER_BEDROOM); // Should be able to read and update the Kitchen secret (bool rcK, KV2Secret k) = await ReadSecret(secretEngine, HOUSE.KITCHEN); k.Attributes["Carrots"] = "Need"; rcK = await SaveSecret(secretEngine, k); // Should be able to read and update the Fridge (bool rcR, KV2Secret r) = await ReadSecret(secretEngine, HOUSE.REFRIGERATOR); k.Attributes["Cold"] = "True"; rcR = await SaveSecret(secretEngine, r); // Should have no writes to the Dishwasher (bool rcD, KV2Secret d) = await ReadSecret(secretEngine, HOUSE.DISHWASHER); }
public async Task AppRoleAuthEngineSetup() { // Build Connection to Vault. _vault = await VaultServerRef.ConnectVault("AppRoleVault"); //_vault = new VaultAgentAPI("AppRoleVault", VaultServerRef.ipAddress, VaultServerRef.ipPort); //, VaultServerRef.rootToken,true); _vaultSystemBackend = new VaultSystemBackend(_vault.TokenID, _vault); string approleMountName = _uniqueKeys.GetKey("AppAuth"); // Create an AppRole authentication connection. _appRoleAuthEngine = (AppRoleAuthEngine)_vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, "AppRole", approleMountName); // Create an Authentication method of App Role. - This only needs to be done when the Auth method is created. AuthMethod am = new AuthMethod(approleMountName, EnumAuthMethods.AppRole); bool rc = await _vaultSystemBackend.AuthEnable(am); }
/// <summary> /// Performs tasks that the Role1 user would do. Creating the actual application folders. /// </summary> /// <param name="role"></param> /// <returns></returns> public async Task PerformRole2Tasks() { try { // We just try and read secrets off path1/ folders. // We need to simulate a session as this Role1 User: VaultAgentAPI vault = new VaultAgentAPI("Role2", _vaultAgent.Uri); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "Sheakley KV2 Secrets", _beKV2Name); // Now login. Token token = await authEngine.Login(role2.RoleID, _SIDRole2.ID); // Try and read a secret. } catch (VaultForbiddenException e) { Console.WriteLine("The role does not have permission to perform the requested operation. - Original Error - {0}", e.Message); } catch (Exception e) { Console.WriteLine("Error detected in routine - PerformRole1Tasks - Error is - {0}", e.Message); } }