public async Task AppRoleLoginConnector_Test() { // PRE-Test VaultSystemBackend vaultSystemBackend = new VaultSystemBackend(_vault.TokenID, _vault); string approleMountName = _UK.GetKey("AppAuth"); // Create an AppRole authentication connection. AppRoleAuthEngine appRoleAuthEngine = (AppRoleAuthEngine)_vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, "AppRole", approleMountName); // Create an Authentication method of App Role. - This only needs to be done when the Auth method is created. AuthMethod am = new AuthMethod(approleMountName, EnumAuthMethods.AppRole); bool rc = await vaultSystemBackend.AuthEnable(am); string rName = _UK.GetKey("Role"); AppRole roleA = new AppRole(rName); Assert.True(await appRoleAuthEngine.SaveRole(roleA)); string roleID = await appRoleAuthEngine.ReadRoleID(roleA.Name); // Now create the a secret AppRoleSecret secret_A = await appRoleAuthEngine.GenerateSecretID(roleA.Name); // ACTUAL TEST // Create Login Connector AppRoleLoginConnector loginConnector = new AppRoleLoginConnector(_vault, approleMountName, "Test AppRole", roleID, secret_A.ID); bool result = await loginConnector.Connect(true); Assert.IsTrue(result, "A10: Login Failed"); }
public async Task MountDefaultAppRoleMount_Success() { AppRoleAuthEngine defaultBE = (AppRoleAuthEngine)_vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole); AuthMethod defaultAM = new AuthMethod(defaultBE.MountPoint, EnumAuthMethods.AppRole); try { Assert.True(await _vaultSystemBackend.AuthEnable(defaultAM)); } catch (VaultException e) { if (e.SpecificErrorCode == EnumVaultExceptionCodes.BackendMountAlreadyExists) { // Disable and re-enable to confirm we can do this. Assert.True(await _vaultSystemBackend.AuthDisable(defaultAM)); Assert.True(await _vaultSystemBackend.AuthEnable(defaultAM)); } else { Assert.Fail("Unexpected Vault Error - " + e.Message); } } catch (Exception e) { Assert.Fail("Unexpected error from Vault: " + e.Message); } string name = _uniqueKeys.GetKey("RoleDef"); AppRole ar = new AppRole(name); Assert.True(await _appRoleAuthEngine.SaveRole(ar)); }
public async Task LoginWithValidCredentials_Success() { string roleName_A = _uniqueKeys.GetKey("RLogin"); AppRole roleA = new AppRole(roleName_A); Assert.True(await _appRoleAuthEngine.SaveRole(roleA), "A1: Saving the role failed."); // Read the role ID back. string roleID = await _appRoleAuthEngine.ReadRoleID(roleA.Name); // Now create the a secret AppRoleSecret secret_A = await _appRoleAuthEngine.GenerateSecretID(roleA.Name); // Now attempt to login - We need to create a new vault object or else we will screw with the other tests, since a successful login changes the token. VaultAgentAPI v = new VaultAgentAPI("logintest", VaultServerRef.vaultURI); AppRoleAuthEngine eng1 = (AppRoleAuthEngine)v.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, "Test", _appRoleAuthEngine.MountPoint); Token token = await eng1.Login(roleID, secret_A.ID); /* bool rc; * rc = await _appRoleAuthEngine.Login(roleID, secret_A.ID); * * Assert.True(rc); */ Assert.IsNotNull(token, "A1: A token was not returned. The login failed."); Assert.IsNotEmpty(token.ID, "A2: A token was returned, but it did not have an ID value."); }
/// <summary> /// Performs tasks that the Role1 user would do. Creating the actual application folders. /// </summary> /// <param name="role"></param> /// <returns></returns> public async Task PerformRole1Tasks() { try { // Here we will create the AppA and B folders in both the path1 and the appData paths. KV2Secret path1AppA = new KV2Secret(Constants.appName_A, "path1"); KV2Secret path1AppB = new KV2Secret(Constants.appName_B, "path1"); KV2Secret appDataAppA = new KV2Secret(Constants.appName_A, Constants.appData); KV2Secret appDataAppB = new KV2Secret(Constants.appName_B, Constants.appData); KV2Secret appData = new KV2Secret(Constants.appData); // We need to simulate a session as this Role1 User: VaultAgentAPI vault = new VaultAgentAPI("Role1", _vaultAgent.Uri); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "Sheakley KV2 Secrets", _beKV2Name); // Now login. Token token = await authEngine.Login(role1.RoleID, _SIDRole1.ID); // Create the secrets if they do not exist. We can attempt to Read the Secret on the path1 paths as we have full control var result = await secretEngine.TryReadSecret(appData); if (!result.IsSuccess) { await secretEngine.SaveSecret(appData, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist); } result = await secretEngine.TryReadSecret(path1AppA); if (!result.IsSuccess) { await secretEngine.SaveSecret(path1AppA, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist); } result = await secretEngine.TryReadSecret(path1AppB); if (!result.IsSuccess) { await secretEngine.SaveSecret(path1AppB, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist); } // We have to list the "folders" or secrets on the AppData path as we only have create and List permissions. List <string> appFolders = await secretEngine.ListSecretsAtPath(appData); if (!appFolders.Contains(Constants.appName_A)) { await secretEngine.SaveSecret(appDataAppA, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist); } if (!appFolders.Contains(Constants.appName_B)) { await secretEngine.SaveSecret(appDataAppB, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist); } } catch (VaultForbiddenException e) { Console.WriteLine("The role does not have permission to perform the requested operation. - Original Error - {0}", e.Message); } catch (Exception e) { Console.WriteLine("Error detected in routine - PerformRole1Tasks - Error is - {0}", e.Message); } }
public async Task PerformRoleATasks() { // We need to simulate a session as this Role1 User: VaultAgentAPI vault = new VaultAgentAPI("Role2", _vaultAgent.Uri); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "KV2 Secrets", _beKV2Name); // Now login. Token token = await authEngine.Login(roleAppA.RoleID, _SIDRoleAppA.ID); // Read existing secrets. string rootPath = Constants.appData + "/" + Constants.appName_A + "/"; KV2Secret secretA1 = new KV2Secret("Database", rootPath); bool readSuccess = false; (readSuccess, secretA1) = await secretEngine.TryReadSecret <KV2Secret>(secretA1, 0); // If it did not exist then create it. if (!readSuccess) { secretA1 = new KV2Secret("Database", rootPath); // Create Some Secrets. secretA1.Attributes.Add("username", "abcUser"); secretA1.Attributes.Add("password", "passEncrypted"); secretA1.Attributes.Add("Connection", "db=1.2.3.4:4706/iInstance"); await secretEngine.SaveSecret(secretA1, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist, 0); } // Try to read the parent secret - should fail KV2Secret secretParent = new KV2Secret(Constants.appData); (readSuccess, secretParent) = await secretEngine.TryReadSecret <KV2Secret>(secretParent, 0); // Lets try and read an AppB secret. Should fail. try { // Lets try and read an AppA secret. Should fail. string rootBPath = Constants.appData + "/" + Constants.appName_B + "/"; KV2Secret secretB1 = new KV2Secret("Database", rootBPath); (readSuccess, secretB1) = await secretEngine.TryReadSecret <KV2Secret>(secretB1, 0); } catch (VaultForbiddenException) { Console.WriteLine("[SUCCESS-EXPECTED RESULT: User A does not have access to read from User B's secret store."); } // Lets update the secret. string passwd = secretA1.Attributes["password"]; passwd = passwd + DateTime.Now.Hour; secretA1.Attributes["password"] = passwd; //secretEngine.SaveSecret(secretA1,) }
public VC_AppRoleAuthEngine(VaultAgentAPI vaultAgent) { UniqueKeys uniqueKeys = new UniqueKeys(); // We will create a unique App Role Authentication Engine with the given name. _AppBEName = "BEAppRole"; _vaultAgent = vaultAgent; _vaultSystemBackend = new VaultSystemBackend(_vaultAgent.TokenID, _vaultAgent); _appRoleAuthEngine = (AppRoleAuthEngine)vaultAgent.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); _idEngine = (IdentitySecretEngine)vaultAgent.ConnectToSecretBackend(EnumSecretBackendTypes.Identity); }
public async Task Run() { await CreateBackendMounts(); _appRoleAuthEngine = (AppRoleAuthEngine)_vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _beAuthName, _beAuthName); _idEngine = (IdentitySecretEngine)_vault.ConnectToSecretBackend(EnumSecretBackendTypes.Identity); _kv2SecretEngine = (KV2SecretEngine)_vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "KV2 Secrets", _beKV2Name); await AppRoleBE_UpdateRoleID(); Console.WriteLine("Finished With Optimization Run. Press any key to continue."); Console.ReadKey(); }
public async Task EnablingABackendTwice_ProducesExpectedError() { string engineName = _uniqueKeys.GetKey("engA"); AppRoleAuthEngine engA = (AppRoleAuthEngine)_vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, engineName, engineName); AuthMethod authMethodA = new AuthMethod(engA.MountPoint, EnumAuthMethods.AppRole); // First time should succed. Second should fail. for (int i = 0; i < 2; i++) { try { Assert.True((await _vaultSystemBackend.AuthEnable(authMethodA))); } catch (VaultException e) { Assert.AreEqual(e.SpecificErrorCode, EnumVaultExceptionCodes.BackendMountAlreadyExists); } } }
public async Task PerformRoleBTasks() { // We need to simulate a session as this Role1 User: VaultAgentAPI vault = new VaultAgentAPI("Role2", _vaultAgent.Uri); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "KV2 Secrets", _beKV2Name); // Now login. Token token = await authEngine.Login(roleAppB.RoleID, _SIDRoleAppB.ID); // Read existing secrets. string rootPath = Constants.appData + "/" + Constants.appName_B + "/"; KV2Secret secretB1 = new KV2Secret("Database", rootPath); bool readSuccess = false; (readSuccess, secretB1) = await secretEngine.TryReadSecret(secretB1, 0); if (!readSuccess) { secretB1 = new KV2Secret("Database", rootPath); // Create Some Secrets. secretB1.Attributes.Add("username", "Buser"); secretB1.Attributes.Add("password", "Bpassword"); secretB1.Attributes.Add("Connection", "db=99.100.101.102:0/iBInstance"); await secretEngine.SaveSecret(secretB1, KV2EnumSecretSaveOptions.OnlyIfKeyDoesNotExist, 0); } try { // Lets try and read an AppA secret. Should fail. string rootAPath = Constants.appData + "/" + Constants.appName_A + "/"; KV2Secret secretA1 = new KV2Secret("Database", rootAPath); (readSuccess, secretB1) = await secretEngine.TryReadSecret(secretA1, 0); } catch (VaultForbiddenException) { Console.WriteLine("[SUCCESS-EXPECTED RESULT: User B does not have access to read from User A's secret store."); } int bb = 0; bb++; }
/// <summary> /// Start The Scenario /// </summary> /// <returns></returns> public async Task Run() { // Create the mounts and policies and store in Vault await CreateBackendMounts(); await CreatePolicies(); // Mount the Secret Engine _secretEngine = (KV2SecretEngine)_masterVaultAgent.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beKV2Name, _beKV2Name); // Mount the Authentication Engine, so roles can login _appRoleAuthEngine = (AppRoleAuthEngine)_masterVaultAgent.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); // Create the roles - assigning policies to the roles roleMother = await CreateRole("roleMother", _policyHouse_Full.Name); roleFather = await CreateRole("roleFather", _policyHouse_Full.Name); roleTeenager = await CreateRole("roleTeenager", _policyTeenagerBedroom_Full.Name, _policyKitchenRefrigerator_Write.Name, _policyHouseOnly_Read.Name, _policyKitchen_Write.Name); roleToddler = await CreateRole("roleToddler", _policyToddlerBedroom_Full.Name); // Create Login SIDS for each role _sidMother = await _appRoleAuthEngine.CreateSecretID(roleMother.Name); _sidFather = await _appRoleAuthEngine.CreateSecretID(roleFather.Name); _sidTeenager = await _appRoleAuthEngine.CreateSecretID(roleTeenager.Name); _sidToddler = await _appRoleAuthEngine.CreateSecretID(roleToddler.Name); // Set the Mother role to have full access. KV2Secret a = new KV2Secret(HOUSE.HOUSE_PATH); await SaveSecret(_secretEngine, a); // It's important to note: Up to now we have been using the Master token to create objects, secret stores, policies and the initial House Secret. From here forward each // user will login and perform the actions under their user ID. await Perform_MotherTasks(); await Perform_TeenTasks(); }
/// <summary> /// Performs tasks that the teen wants to to. /// </summary> /// <returns></returns> private async Task Perform_TeenTasks() { // We cannot use the Vault Agent _masterVaultAgent, since it has the Master Token tied to it. We will create a new VaultAgent and SecretEngine for use during this Task, which will have our // Mother role token AND not the master Token. // So, we wire up a new Vault, AppRole and Secret Engines AND use them throughout this routine. VaultAgentAPI vault = new VaultAgentAPI("TeenConnector", _masterVaultAgent.Uri); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beKV2Name, _beKV2Name); // Login. Token token = await authEngine.Login(roleTeenager.RoleID, _sidTeenager.ID); // Should be able to load the House Secret. But not updated it. KV2Secret a = await secretEngine.ReadSecret <KV2Secret>(HOUSE.HOUSE_PATH); a.Attributes["Electric"] = "No"; // Should Fail bool rc = await SaveSecret(secretEngine, a); // Should NOT be able to read anything in the Toddler's Bedroom (bool rcB, KV2Secret b) = await ReadSecret(secretEngine, HOUSE.TODDLER_BEDROOM); // Should be able to read and update the Kitchen secret (bool rcK, KV2Secret k) = await ReadSecret(secretEngine, HOUSE.KITCHEN); k.Attributes["Carrots"] = "Need"; rcK = await SaveSecret(secretEngine, k); // Should be able to read and update the Fridge (bool rcR, KV2Secret r) = await ReadSecret(secretEngine, HOUSE.REFRIGERATOR); k.Attributes["Cold"] = "True"; rcR = await SaveSecret(secretEngine, r); // Should have no writes to the Dishwasher (bool rcD, KV2Secret d) = await ReadSecret(secretEngine, HOUSE.DISHWASHER); }
public async Task AppRoleAuthEngineSetup() { // Build Connection to Vault. _vault = await VaultServerRef.ConnectVault("AppRoleVault"); //_vault = new VaultAgentAPI("AppRoleVault", VaultServerRef.ipAddress, VaultServerRef.ipPort); //, VaultServerRef.rootToken,true); _vaultSystemBackend = new VaultSystemBackend(_vault.TokenID, _vault); string approleMountName = _uniqueKeys.GetKey("AppAuth"); // Create an AppRole authentication connection. _appRoleAuthEngine = (AppRoleAuthEngine)_vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, "AppRole", approleMountName); // Create an Authentication method of App Role. - This only needs to be done when the Auth method is created. AuthMethod am = new AuthMethod(approleMountName, EnumAuthMethods.AppRole); bool rc = await _vaultSystemBackend.AuthEnable(am); }
public async Task Setup() { string rootToken = "tokenA"; string ip = "127.0.0.1"; int port = 47002; Uri vaultURI = new Uri("http://" + ip + ":" + port); // Connect to Vault, add an authentication backend of AppRole. _vaultAgent = new VaultAgentAPI("Vault", vaultURI); TokenLoginConnector loginConnector = new TokenLoginConnector(_vaultAgent, "Token Authenticator", rootToken); await CreateBackendMounts(); _appRoleAuthEngine = (AppRoleAuthEngine)_vaultAgent.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _beAuthName, _beAuthName); _secretEngine = (KV2SecretEngine)_vaultAgent.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "Benchmarking KV2 Secrets", _beKV2Name); await SetupRoles(); }
/// <summary> /// Performs tasks that the Role1 user would do. Creating the actual application folders. /// </summary> /// <param name="role"></param> /// <returns></returns> public async Task PerformRole2Tasks() { try { // We just try and read secrets off path1/ folders. // We need to simulate a session as this Role1 User: VaultAgentAPI vault = new VaultAgentAPI("Role2", _vaultAgent.Uri); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "Sheakley KV2 Secrets", _beKV2Name); // Now login. Token token = await authEngine.Login(role2.RoleID, _SIDRole2.ID); // Try and read a secret. } catch (VaultForbiddenException e) { Console.WriteLine("The role does not have permission to perform the requested operation. - Original Error - {0}", e.Message); } catch (Exception e) { Console.WriteLine("Error detected in routine - PerformRole1Tasks - Error is - {0}", e.Message); } }
/// <summary> /// Perform tasks the mother wants to do /// </summary> /// <returns></returns> private async Task Perform_MotherTasks() { // We cannot use the Vault Agent _masterVaultAgent, since it has the Master Token tied to it. We will create a new VaultAgent and SecretEngine for use during this Task, which will have our // Mother role token AND not the master Token. // So, we wire up a new Vault, AppRole and Secret Engines AND use them throughout this routine. VaultAgentAPI vault = new VaultAgentAPI("MotherConnector", _masterVaultAgent.Uri); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beKV2Name, _beKV2Name); // Login. Token token = await authEngine.Login(roleMother.RoleID, _sidMother.ID); // Load the house secret, modify it and save it. KV2Secret a = await secretEngine.ReadSecret <KV2Secret>(HOUSE.HOUSE_PATH); a.Attributes.Add("Electric", "Yes"); await SaveSecret(secretEngine, a); // Create the Kitchen KV2Secret b = new KV2Secret(HOUSE.KITCHEN); b.Attributes.Add("Dishwasher", "Yes"); await SaveSecret(secretEngine, b); // Refrigerator KV2Secret c = new KV2Secret(HOUSE.REFRIGERATOR); c.Attributes.Add("Milk", "Chocolate"); c.Attributes.Add("Cheese", "American"); await SaveSecret(secretEngine, c); // DishWasher KV2Secret c1 = new KV2Secret(HOUSE.DISHWASHER); c1.Attributes.Add("Drawers", "3"); await SaveSecret(secretEngine, c1); // Garage KV2Secret d = new KV2Secret(HOUSE.GARAGE); d.Attributes.Add("Car", "Porsche"); await SaveSecret(secretEngine, d); // Master Bedroom KV2Secret e = new KV2Secret(HOUSE.MASTER_BEDROOM); e.Attributes.Add("Safe", "Yes"); await SaveSecret(secretEngine, e); // Teen Bedroom KV2Secret f = new KV2Secret(HOUSE.TEEN_BEDROOM); f.Attributes.Add("CarPoster", "Yes"); await SaveSecret(secretEngine, f); // Toddler Bedroom KV2Secret g = new KV2Secret(HOUSE.TODDLER_BEDROOM); g.Attributes.Add("BabyMonitor", "On"); await SaveSecret(secretEngine, g); }
public async Task TestCapabilitiesFunctionality() { string appBE = _uniqueKeys.GetKey("appBE"); string kv2BE = _uniqueKeys.GetKey("kv2BE"); // 1 - Setup backends needed for testing. // We need to setup a KV2 Secrets engine and also an AppRole Backend. // Create an Authentication method of App Role. - This only needs to be done when the Auth method is created. AuthMethod am = new AuthMethod(appBE, EnumAuthMethods.AppRole); await _vaultSystemBackend.AuthEnable(am); // Create a KV2 Secret Mount if it does not exist. await _vaultSystemBackend.SysMountCreate(kv2BE, "ClientTest KeyValue 2 Secrets", EnumSecretBackendTypes.KeyValueV2); // Now we create secret backend VaultAgentAPI vault = await VaultServerRef.ConnectVault("PolicyBeCapa2"); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, appBE, appBE); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "KV2 Secrets", kv2BE); // 2. Setup the policy to provide the permissions to test against. VaultPolicyContainer policyContainer = new VaultPolicyContainer("capa"); VaultPolicyPathItem vppi1 = new VaultPolicyPathItem(kv2BE, "data/app/appA/*"); VaultPolicyPathItem vppi2 = new VaultPolicyPathItem(kv2BE + "data/app/appA/subItem/*"); VaultPolicyPathItem vppi3 = new VaultPolicyPathItem(kv2BE + "metadata/app/appA/*"); VaultPolicyPathItem vppi4 = new VaultPolicyPathItem(kv2BE + "data/shared/*"); vppi1.FullControl = true; vppi2.FullControl = true; vppi3.ReadAllowed = true; vppi4.ReadAllowed = true; policyContainer.AddPolicyPathObject(vppi1); policyContainer.AddPolicyPathObject(vppi2); policyContainer.AddPolicyPathObject(vppi3); policyContainer.AddPolicyPathObject(vppi4); await _vaultSystemBackend.SysPoliciesACLCreate(policyContainer); // 3. Now create an App Role & Secret ID string roleName = _uniqueKeys.GetKey("role"); AppRole appRole = new AppRole(roleName); appRole.Policies.Add(policyContainer.Name); appRole = await authEngine.SaveRoleAndReturnRoleObject(appRole); AppRoleSecret secretID = await authEngine.CreateSecretID(appRole.Name); // 4. Now we can create a token against that Token token = await authEngine.Login(appRole.RoleID, secretID.ID); // 5. Now we can finally test the capabilities of that token. List <string> paths = new List <string>(); string path1 = kv2BE + "/data/app/appA/subItem"; string path2 = kv2BE + "/data/app/appB/subItem"; string path3 = kv2BE + "/noaccess/app/appA"; string path4 = kv2BE + "/data/noaccess/app/appA/subItem"; paths.Add(path1); paths.Add(path2); paths.Add(path3); paths.Add(path4); Dictionary <string, List <string> > permissions; permissions = await _vaultSystemBackend.GetTokenCapabilityOnPaths(token.ID, paths); // 6. Validate the results. Assert.AreEqual(4, permissions.Count, "A10: Expected to receive 4 permission objects back."); Assert.AreEqual(6, permissions[path1].Count, "A20: Expected the item: " + path1 + " to contain 6 permissions."); Assert.AreEqual(1, permissions[path2].Count, "A30: Expected the item: " + path2 + " to contain 1 deny permission."); CollectionAssert.Contains(permissions[path2], "deny", "A35: Expected the permission to be deny for path: " + path2); Assert.AreEqual(1, permissions[path3].Count, "A40: Expected the item: " + path3 + " to contain 1 deny permission."); CollectionAssert.Contains(permissions[path3], "deny", "A35: Expected the permission to be deny for path: " + path3); Assert.AreEqual(1, permissions[path4].Count, "A40: Expected the item: " + path4 + " to contain 1 deny permission."); CollectionAssert.Contains(permissions[path4], "deny", "A35: Expected the permission to be deny for path: " + path4); }
public async Task TestTemplatedPolicies() { string appBE = _uniqueKeys.GetKey("appTE"); string kv2BE = _uniqueKeys.GetKey("kv2TE"); // 1A - Setup backends needed for testing. // We need to setup a KV2 Secrets engine and also an AppRole Backend. // Create an Authentication method of App Role. - This only needs to be done when the Auth method is created. AuthMethod am = new AuthMethod(appBE, EnumAuthMethods.AppRole); await _vaultSystemBackend.AuthEnable(am); // Create a KV2 Secret Mount if it does not exist. VaultSystemBackend vaultSystemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI); await vaultSystemBackend.SysMountCreate(kv2BE, "ClientTest KeyValue 2 Secrets", EnumSecretBackendTypes.KeyValueV2); // 1B. Now we can connect to the backends. VaultAgentAPI vault = await VaultServerRef.ConnectVault("PolicyBECapa"); //new VaultAgentAPI("capability", _vaultAgentAPI.IP, _vaultAgentAPI.Port, _vaultAgentAPI.TokenID); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, appBE, appBE); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "KV2 Secrets", kv2BE); IdentitySecretEngine idEngine = (IdentitySecretEngine)_vaultAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.Identity); // 1C - Write out some values. TestContext.WriteLine("App Role Auth Backend: {0}", authEngine.Name); TestContext.WriteLine("KV2 Secret Backend: {0}", secretEngine.Name); // 2. Setup the policy to provide the permissions to test against. VaultPolicyContainer policyContainer = new VaultPolicyContainer("capa"); // 3. Now create an App Role & Secret ID. The app role in this case has no policies - it will get them from the Entity. string roleName = _uniqueKeys.GetKey("role"); AppRole appRole = new AppRole(roleName); appRole = await authEngine.SaveRoleAndReturnRoleObject(appRole); AppRoleSecret secretID = await authEngine.CreateSecretID(appRole.Name); // 4. Create an Entity and Entity Alias. // 4A. Get Authentication backend accessor. Dictionary <string, AuthMethod> authMethods = await vaultSystemBackend.AuthListAll(); AuthMethod authMethod = authMethods[authEngine.Name + "/"]; Assert.IsNotNull(authMethod, "B10: Expected to find the authentication backend. But did not."); string mountAccessor = authMethod.Accessor; // 4B. Create an entity for the app role. string name = _uniqueKeys.GetKey("EAR"); Entity entity = new Entity(roleName); entity.Policies.Add(policyContainer.Name); // 4C. Now save entity entity = await idEngine.SaveEntity(entity); Assert.IsNotNull(entity, "B20: Expected to receive an Entity object"); // 4D. Write out some values TestContext.WriteLine("Entity Name: {0}", entity.Name); TestContext.WriteLine("Entity ID: {0}", entity.Id); // 5. Create an alias that ties the Entity we just created to the AppRole in the authentication backend. Guid roleID = new Guid(appRole.RoleID); Guid aliasGuid = await idEngine.SaveAlias(entity.Id, mountAccessor, appRole.RoleID); Assert.AreNotEqual(aliasGuid.ToString(), Guid.Empty.ToString()); // 5B. Re-read the entity - it should now contain the alias. Entity fullEntity = await idEngine.ReadEntity(entity.Id); Assert.AreEqual(1, fullEntity.Aliases.Count, "B30: Expected the full entity to now contain the alias ID."); // 6. Now define the policy and save to Vault. policyContainer.PolicyPaths.Clear(); string appPath1 = "app/{{identity.entity.aliases." + mountAccessor + ".name}}/*"; VaultPolicyPathItem vppi1 = new VaultPolicyPathItem(kv2BE, "data/" + appPath1); VaultPolicyPathItem vppi2 = new VaultPolicyPathItem(kv2BE, "data/app/appA/subItem/*"); VaultPolicyPathItem vppi3 = new VaultPolicyPathItem(kv2BE, "data/shared/common/*"); VaultPolicyPathItem vppi4 = new VaultPolicyPathItem(kv2BE, "data/shared/info/*"); vppi1.FullControl = true; vppi2.FullControl = true; vppi3.CRUDAllowed = true; vppi4.ReadAllowed = true; policyContainer.AddPolicyPathObject(vppi1); policyContainer.AddPolicyPathObject(vppi2); policyContainer.AddPolicyPathObject(vppi3); policyContainer.AddPolicyPathObject(vppi4); await _vaultSystemBackend.SysPoliciesACLCreate(policyContainer); // 7. Now we can login to get a token.. Validate the entity policy has been set on token. Token token = await authEngine.Login(appRole.RoleID, secretID.ID); Assert.IsNotNull("B40: A valid token was not received."); CollectionAssert.Contains(token.IdentityPolicies, policyContainer.Name, "B100: Did not find the policy that should have been applied from the entity."); // 8. Now we can finally test the capabilities of that token. List <string> paths = new List <string>(); string pathBase = kv2BE + "/data/app/" + fullEntity.Aliases[0].Name + "/config"; string metaBase = kv2BE + "/metadata/app" + fullEntity.Aliases[0].Name + "/config"; string path1 = pathBase; string path2 = pathBase + "/subItem"; string path3 = kv2BE + "/data/shared/common/testEntry"; paths.Add(path1); paths.Add(path2); paths.Add(path3); Dictionary <string, List <string> > permissions; permissions = await _vaultSystemBackend.GetTokenCapabilityOnPaths(token.ID, paths); // 9. Validate the permission results. Assert.AreEqual(3, permissions.Count, "B130: Expected to receive 3 permission objects back."); Assert.AreEqual(6, permissions[path1].Count, "B140: Expected the item: " + path1 + " to contain 6 permissions."); Assert.AreEqual(6, permissions[path2].Count, "B150: Expected the item: " + path2 + " to contain 6 permissions."); Assert.AreEqual(4, permissions[path3].Count, "B160: Expected the item: " + path3 + " to contain 3 permissions."); CollectionAssert.Contains(permissions[path3], "create", "B170: Expected the permission to be create for path: " + path3); CollectionAssert.Contains(permissions[path3], "read", "B171: Expected the permission to be read for path: " + path3); CollectionAssert.Contains(permissions[path3], "update", "B172: Expected the permission to be update for path: " + path3); CollectionAssert.Contains(permissions[path3], "delete", "B173: Expected the permission to be read for path: " + path3); // 10. Try to create a secret at path 1 string secName1 = _uniqueKeys.GetKey("sec1"); KV2Secret secret1 = new KV2Secret("config", "app/" + fullEntity.Aliases[0].Name); secret1.Attributes.Add("version", "v12.2"); Assert.True(await secretEngine.SaveSecret(secret1, KV2EnumSecretSaveOptions.AlwaysAllow), "B200: Save of secret did not work. Check permissions."); // 11. Create and delete a secret at path3. KV2Secret secret2 = new KV2Secret("options", "shared/common/testEntry"); secret2.Attributes.Add("color", "blue"); secret2.Attributes.Add("size", "Large"); Assert.True(await secretEngine.SaveSecret(secret2, KV2EnumSecretSaveOptions.AlwaysAllow), "B210: Save of secret2 failed."); // Now delete it. Assert.True(await secretEngine.DeleteSecretVersion(secret2)); }
public async Task SetupAliasTestConditions() { lock (locking) { while (bLocking == true) { Thread.Sleep(100); } // Set lock to true. bLocking = true; } string AppRoleEngine = "appRoleTST"; try { // If already done this during this test run, then no need to do again. if (_appRoleAccessor != "") { return; } // We need A role based Auth engine so we can test the Alias functionality. This is a constant value. If we can't find it then we create it. AuthMethod authMethod = null; while (authMethod == null) { VaultSystemBackend vaultSystemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI); Dictionary <string, AuthMethod> authMethods = await vaultSystemBackend.AuthListAll(); // See if the AppRole Backend exists. We need to add a trailing slash because vault returns the key with a trailing slash. Swallow exception not found. try { authMethod = authMethods[AppRoleEngine + "/"]; } catch (KeyNotFoundException) { } if (authMethod == null) { AuthMethod am = new AuthMethod(AppRoleEngine, EnumAuthMethods.AppRole); bool rc = await vaultSystemBackend.AuthEnable(am); Thread.Sleep(60); } } // Connect the AppRole Authentication engine. _appRoleAuthEngine = (AppRoleAuthEngine)_vaultAgentAPI.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, AppRoleEngine, AppRoleEngine); // Store the accessor for use in entity-alias tests and to alert that we completed this setup task. _appRoleAccessor = authMethod.Accessor; } catch (Exception) { Assert.False(true, "[SetupAliasTestConditions] Try block errored"); } finally { lock (locking) { bLocking = false; } } //TestContext.WriteLine("Role Name: {0}", _theRole.Name); //TestContext.WriteLine("Role ID: {0}", _theRole.RoleID); TestContext.WriteLine("Role Backend: {0}", AppRoleEngine); TestContext.WriteLine("Role Accessor: {0}", _appRoleAccessor); }