public async Task AuthenticateWithUserPassKeyValueV2_GetNotFoundSecret_Fails()
{
// Arrange
string secretPath = "mysecret";
string secretName = "my-value";
string expected = "s3cr3t";
string userName = "******";
string password = "******";
using (HashiCorpVaultTestServer server = await StartServerWithUserPassAsync(userName, password, DefaultDevMountPoint))
{
await server.KeyValueV2.WriteSecretAsync(
mountPoint : DefaultDevMountPoint,
path : secretPath,
data : new Dictionary <string, object> {
["unknown-prefix-" + secretName] = expected
});
var authentication = new UserPassAuthMethodInfo(userName, password);
var settings = new VaultClientSettings(server.ListenAddress.ToString(), authentication);
var provider = new HashiCorpSecretProvider(settings, secretPath, new HashiCorpVaultOptions
{
KeyValueMountPoint = DefaultDevMountPoint,
KeyValueVersion = VaultKeyValueSecretEngineVersion.V2
}, NullLogger <HashiCorpSecretProvider> .Instance);
// Act
string actual = await provider.GetRawSecretAsync(secretName);
// Assert
Assert.Null(actual);
}
}
public async Task AddHashiCorpVaultWithUserPass_WithWrongMutation_Fails()
{
// Arrange
string secretPath = "secretpath";
string secretKey = "my-value", expected = "s3cr3t";
string userName = "******", password = "******";
var builder = new HostBuilder();
using (HashiCorpVaultTestServer server = await StartServerWithUserPassAsync(userName, password, DefaultDevMountPoint))
{
await server.KeyValueV2.WriteSecretAsync(
mountPoint : DefaultDevMountPoint,
path : secretPath,
data : new Dictionary <string, object> {
[secretKey] = expected
});
// Act
builder.ConfigureSecretStore((config, stores) =>
{
stores.AddHashiCorpVaultWithUserPass(
server.ListenAddress.ToString(), userName, password, secretPath,
configureOptions: options => options.KeyValueMountPoint = DefaultDevMountPoint,
mutateSecretName: secretName => "Test-" + secretName,
name: null);
});
// Assert
IHost host = builder.Build();
var provider = host.Services.GetRequiredService <ISecretProvider>();
await Assert.ThrowsAsync <SecretNotFoundException>(() => provider.GetRawSecretAsync(secretKey));
}
}
public async Task AuthenticateWithInvalidUserPassPasswordKeyValue_GetSecret_Fails(bool trackDependency)
{
// Arrange
string secretPath = "mysecret";
string secretName = "my-value";
string expected = "s3cr3t";
string userName = _config["Arcus:HashiCorp:UserPass:UserName"];
string password = _config["Arcus:HashiCorp:UserPass:Password"];
string invalidPassword = Guid.NewGuid().ToString();
const string policyName = "my-policy";
var builder = new HostBuilder();
builder.UseSerilog(Logger);
using (var server = await HashiCorpVaultTestServer.StartServerAsync(_config, _logger))
{
await server.AddPolicyAsync(policyName, DefaultDevMountPoint, new[] { "read" });
await server.EnableAuthenticationTypeAsync(AuthMethodDefaultPaths.UserPass, "Authenticating with username and password");
await server.AddUserPassUserAsync(userName, password, policyName);
await server.KeyValueV2.WriteSecretAsync(
mountPoint : DefaultDevMountPoint,
path : secretPath,
data : new Dictionary <string, object> {
[secretName] = expected
});
// Act
builder.ConfigureSecretStore((config, stores) =>
{
stores.AddHashiCorpVaultWithUserPass(server.ListenAddress.ToString(), userName, invalidPassword, secretPath, options =>
{
options.KeyValueMountPoint = secretPath;
options.TrackDependency = trackDependency;
});
});
// Assert
using (IHost host = builder.Build())
{
var provider = host.Services.GetRequiredService <ISecretProvider>();
var exception = await Assert.ThrowsAsync <VaultApiException>(() => provider.GetRawSecretAsync(secretName));
Assert.Equal(HttpStatusCode.BadRequest, exception.HttpStatusCode);
}
AssertTrackedHashiCorpVaultDependency(trackDependency);
}
}
private async Task <HashiCorpVaultTestServer> StartServerWithUserPassAsync(string userName, string password, string availableSecretMountPoint)
{
const string policyName = "my-policy";
var server = await HashiCorpVaultTestServer.StartServerAsync(_config, _logger);
await server.AddPolicyAsync(policyName, availableSecretMountPoint, new[] { "read" });
await server.EnableAuthenticationTypeAsync(AuthMethodDefaultPaths.UserPass, "Authenticating with username and password");
await server.AddUserPassUserAsync(userName, password, policyName);
return(server);
}
public async Task AddHashiCorpVault_WithMutationToRemovePrefix_Succeeds()
{
// Arrange
string secretPath = "secretpath";
string secretKey = "my-value", expected = "s3cr3t";
string userName = _config["Arcus:HashiCorp:UserPass:UserName"];
string password = _config["Arcus:HashiCorp:UserPass:Password"];
const string secretNamePrefix = "Test-";
var builder = new HostBuilder();
using (HashiCorpVaultTestServer server = await StartServerWithUserPassAsync(userName, password, DefaultDevMountPoint))
{
await server.KeyValueV2.WriteSecretAsync(
mountPoint : DefaultDevMountPoint,
path : secretPath,
data : new Dictionary <string, object> {
[secretKey] = expected
});
var authentication = new UserPassAuthMethodInfo(userName, password);
var settings = new VaultClientSettings(server.ListenAddress.ToString(), authentication);
// Act
builder.ConfigureSecretStore((config, stores) =>
{
stores.AddHashiCorpVault(settings, secretPath,
options => options.KeyValueMountPoint = DefaultDevMountPoint,
mutateSecretName: secretName => secretName.Remove(0, secretNamePrefix.Length),
name: null);
});
// Assert
IHost host = builder.Build();
var provider = host.Services.GetRequiredService <ISecretProvider>();
string actual = await provider.GetRawSecretAsync(secretNamePrefix + secretKey);
Assert.Equal(expected, actual);
}
}
public async Task AuthenticateWithUserPassKeyValueV1_GetSecret_Succeeds()
{
// Arrange
string secretPath = "mysecret";
string secretName = "my-value";
string expected = "s3cr3t";
string userName = "******";
string password = "******";
const string mountPoint = "secret-v1";
const VaultKeyValueSecretEngineVersion keyValueVersion = VaultKeyValueSecretEngineVersion.V1;
using (HashiCorpVaultTestServer server = await StartServerWithUserPassAsync(userName, password, mountPoint))
{
await server.MountKeyValueAsync(mountPoint, keyValueVersion);
await server.KeyValueV1.WriteSecretAsync(
mountPoint : mountPoint,
path : secretPath,
values : new Dictionary <string, object> {
[secretName] = expected
});
var authentication = new UserPassAuthMethodInfo(userName, password);
var settings = new VaultClientSettings(server.ListenAddress.ToString(), authentication);
var provider = new HashiCorpSecretProvider(settings, secretPath, new HashiCorpVaultOptions
{
KeyValueMountPoint = mountPoint,
KeyValueVersion = keyValueVersion
}, NullLogger <HashiCorpSecretProvider> .Instance);
// Act
string actual = await provider.GetRawSecretAsync(secretName);
// Assert
Assert.Equal(expected, actual);
}
}
