public async Task CreateTokenWithSettingsObject() { string tokenID = UK.GetKey("token"); int numUses = 19; string tokenName = "Name" + tokenID.ToString(); bool parent = true; TokenNewSettings tokenNewSettings = new TokenNewSettings() { ID = tokenID, Name = tokenName, NumberOfUses = numUses, NoParentToken = parent }; Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(token, "A1: Expected to receive the new token back, instead we received a null value."); //Assert.True(await _tokenAuthEngine.CreateToken(tokenNewSettings)); // Read the token we just created. //Token token = await _tokenAuthEngine.GetTokenWithID(tokenID); Assert.IsNotNull(token, "M1: No Token returned. Was expecting one."); // Vault seems to prepend the auth backends name to the display name. Assert.AreEqual("token-" + tokenName, token.DisplayName, "M2: Token names are not equal"); Assert.AreEqual(tokenID, token.ID, "M3: Token ID's are not equal"); Assert.AreEqual(numUses, token.NumberOfUses, "M4: Token number of uses are not equal"); Assert.AreEqual(parent, token.IsOrphan, "M5: Token parent setting is not the same as IsOrphan"); }
public async Task RevokeSelfTokenSucceeds() { VaultAgentAPI v1 = await VaultServerRef.ConnectVault("TempVault"); //new VaultAgentAPI("TempVault", VaultServerRef.ipAddress, VaultServerRef.ipPort, VaultServerRef.rootToken); string tokenName = UK.GetKey("tmpTok"); // Create a new token. TokenNewSettings tokenNewSettings = new TokenNewSettings() { Name = tokenName, }; Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(token, "A1: Error creating a new token - expected to receive the new token back, instead we received a null value."); // Now set vault to use the new token. v1.Token = token; Assert.AreNotEqual(VaultServerRef.rootToken, token.ID, "A2: Expected the Vault object to have a different token. But was still set at initial token."); // And then revoke. Assert.IsTrue(await v1.RevokeActiveToken()); Assert.IsNull(v1.Token); // Now try and reset the Vault to use the old token. It should fail. v1.Token = token; Assert.ThrowsAsync <VaultForbiddenException> (async() => await v1.RefreshActiveToken()); }
public async Task CreateToken() { // SETUP // We need our own vault since we will be manipulating the token value VaultAgentAPI ourVault = await VaultServerRef.ConnectVault("TokenTest"); TokenAuthEngine ourTokenAuthEngine = (TokenAuthEngine)ourVault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token); // Need a Token Role so we can autogenerate a token TokenRole tokenRole = new TokenRole(); tokenRole.Name = UK.GetKey(); await ourTokenAuthEngine.SaveTokenRole(tokenRole); string tokenName = "Name" + tokenRole.Name; TokenNewSettings tokenNewSettings = new TokenNewSettings() { Name = tokenName, NumberOfUses = 6, NoParentToken = true, RoleName = tokenRole.Name }; Token token = await ourTokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(token, "A10: Expected to receive the new token back, instead we received a null value."); // Read the token we just created. //Token token = await _tokenAuthEngine.GetTokenWithID(tokenID); Assert.IsNotNull(token, "A20: No Token returned. Was expecting one."); ourVault.TokenID = token.ID; Assert.AreEqual(ourVault.TokenID, token.ID, "A30: Vault did not store token correctly"); }
public async Task RenewToken_Success() { string tokenID = UK.GetKey("tok"); int numUses = 19; string tokenName = "Name" + tokenID.ToString(); TokenNewSettings tokenNewSettings = new TokenNewSettings() { ID = tokenID, Name = tokenName, NumberOfUses = numUses, IsRenewable = true, RenewalPeriod = "1800" }; Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(token, "A1: Error creating a new token - expected to receive the new token back, instead we received a null value."); // Vault seems to prepend the auth backends name to the display name. Assert.AreEqual("token-" + tokenName, token.DisplayName, "M2: Token names are not equal"); Assert.AreEqual(tokenID, token.ID, "M3: Token ID's are not equal"); Assert.AreEqual(numUses, token.NumberOfUses, "M4: Token number of uses are not equal"); Assert.IsTrue(token.IsRenewable); // Renew token //TODO - is this correct test? bool result = await _tokenAuthEngine.RenewToken(token.ID); Assert.IsTrue(result, "Token was unable to be renewed."); }
public async Task AccessTokenViaInvalidAccessor_Fails() { string tokenID = UK.GetKey("tokenAcc"); int numUses = 19; string tokenName = "N" + tokenID.ToString(); bool parent = true; TokenNewSettings tokenNewSettings = new TokenNewSettings() { ID = tokenID, Name = tokenName, NumberOfUses = numUses, NoParentToken = parent }; Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(token, "A1: Error creating a new token - expected to receive the new token back, instead we received a null value."); string tDisplayName = "token-" + tokenName; Assert.AreEqual(tDisplayName, token.DisplayName, "M3: Token Display name is not what was expected. Expected {0}, but got {1}", tDisplayName, token.DisplayName); // Now try and retrieve via the accessor. Token tokenAcc = await _tokenAuthEngine.GetTokenViaAccessor("z"); Assert.IsNull(tokenAcc, "M3: Expected to receive a null token, but instead received a token"); }
public async Task CreateOrphanToken_WithSettingsObject() { string tokenID = UK.GetKey("otok"); int numUses = 19; string tokenName = "Name" + tokenID.ToString(); TokenNewSettings tokenNewSettings = new TokenNewSettings() { ID = tokenID, Name = tokenName, NumberOfUses = numUses }; Assert.IsNotNull(await _tokenAuthEngine.CreateOrphanToken(tokenNewSettings)); // Read the token we just created. Token token = await _tokenAuthEngine.GetTokenWithID(tokenID); Assert.IsNotNull(token, "M1: No Token returned. Was expecting one."); // Vault seems to prepend the auth backends name to the display name. Assert.AreEqual("token-" + tokenName, token.DisplayName, "M2: Token names are not equal"); Assert.AreEqual(tokenID, token.ID, "M3: Token ID's are not equal"); Assert.AreEqual(numUses, token.NumberOfUses, "M4: Token number of uses are not equal"); Assert.IsTrue(token.IsOrphan, "Was expecting the created token to have the IsOrphan property set to true. It was false instead."); }
public async Task AccessTokenViaAccessor_Success() { string tokenID = UK.GetKey("tokenAcc"); int numUses = 19; string tokenName = "N" + tokenID.ToString(); bool parent = true; TokenNewSettings tokenNewSettings = new TokenNewSettings() { ID = tokenID, Name = tokenName, NumberOfUses = numUses, NoParentToken = parent }; Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(token, "A1: Error creating a new token - expected to receive the new token back, instead we received a null value."); // Read the token we just created. Assert.IsNotNull(token, "M2: No Token returned. Was expecting one."); string tDisplayName = "token-" + tokenName; Assert.AreEqual(tDisplayName, token.DisplayName, "M3: Token Display name is not what was expected. Expected {0}, but got {1}", tDisplayName, token.DisplayName); // Now try and retrieve via the accessor. Token tokenAcc = await _tokenAuthEngine.GetTokenViaAccessor(token.AccessorTokenID); Assert.NotNull(tokenAcc, "M4: Token accessor did not find the token."); Assert.AreEqual(token.DisplayName, tokenAcc.DisplayName, "M5: Token Accessor did not retrieve the correct token. Something bad happened."); }
public async Task MetadataOnToken_IsSet() { string tokenID = UK.GetKey("token"); int numUses = 19; string tokenName = "Name" + tokenID.ToString(); bool parent = true; TokenNewSettings tokenNewSettings = new TokenNewSettings() { ID = tokenID, Name = tokenName, NumberOfUses = numUses, NoParentToken = parent }; tokenNewSettings.MetaData.Add("country", "US"); tokenNewSettings.MetaData.Add("state", "OH"); tokenNewSettings.MetaData.Add("Territory", "midwest"); Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(token, "A10: Expected to receive the new token back, instead we received a null value."); // Read the token we just created. //Token tokenNew = await _tokenAuthEngine.GetTokenWithID(tokenID); Assert.IsNotNull(token, "A20: No Token returned. Was expecting one."); Assert.AreEqual(tokenNewSettings.MetaData.Count, token.Metadata.Count); CollectionAssert.AreEquivalent(tokenNewSettings.MetaData, token.Metadata, "A30: Was expected the Metadata dictionary on the token to be the same values as what we put in the TokenNewSettings object. They are different."); }
public async Task ChangingToken_ChangesHTTPHeaders() { // Get current token: Token currentToken = await vault.RefreshActiveToken(); // We will need to create a new token. TokenAuthEngine _tokenAuthEngine = (TokenAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token); TokenNewSettings tokenNewSettings = new TokenNewSettings(); tokenNewSettings.Name = "NewToken"; tokenNewSettings.MaxTTL = "60s"; tokenNewSettings.NumberOfUses = 14; Token newToken = await _tokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(newToken, "A1: Created a token, expected it to not be null."); Assert.AreNotEqual(currentToken.ID, newToken.ID); // Now set token. vault.Token = newToken; // Now retrieve the current token. This will force it to go back to the Vault instance with the new token. should be the same as newToken. Token newCurrentToken = await vault.RefreshActiveToken(); Assert.AreEqual(newToken.ID, newCurrentToken.ID); Assert.AreNotEqual(currentToken.ID, newCurrentToken.ID); }
// Create the token engines for a successful test and then the control test. private async Task <(KV2SecretEngine engKV2OK, KV2SecretEngine engKV2FAIL)> SetupTokenEngines(string policyWithPermission) { // Get connection to Token Engine so we can create tokens. TokenAuthEngine tokenEng = (TokenAuthEngine)_vaultAgentAPI.ConnectAuthenticationBackend(EnumBackendTypes.A_Token); // AA - The token that will have the policy. TokenNewSettings tokenASettings = new TokenNewSettings(); tokenASettings.Policies.Add(policyWithPermission); Token tokenOK = await tokenEng.CreateToken(tokenASettings); // AB - The token that will not have the policy. TokenNewSettings tokenBSettings = new TokenNewSettings(); tokenBSettings.Policies.Add("default"); Token tokenFAIL = await tokenEng.CreateToken(tokenBSettings); // AC - Create 2 Vault Instances that will use each Token. VaultAgentAPI vaultOK = await VaultServerRef.ConnectVault("OKVault", tokenOK.ID); VaultAgentAPI vaultFail = await VaultServerRef.ConnectVault("FailVault", tokenFAIL.ID); //VaultAgentAPI vaultOK = new VaultAgentAPI("OKToken", _vaultAgentAPI.IP, _vaultAgentAPI.Port, tokenOK.ID); //VaultAgentAPI vaultFail = new VaultAgentAPI("FAILToken", _vaultAgentAPI.IP, _vaultAgentAPI.Port, tokenFAIL.ID); _vaultAgents.Add(vaultOK); _vaultAgents.Add(vaultFail); // AD - Create the KeyValue Engines for each Token KV2SecretEngine engKV2OK = (KV2SecretEngine)vaultOK.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beName, _beName); KV2SecretEngine engKV2FAIL = (KV2SecretEngine)vaultFail.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beName, _beName); return(engKV2OK, engKV2FAIL); }
public async Task RevokeTokenWithChildren_ChildrenOrphaned() { // Create a new token. string tokenName = UK.GetKey("ParentOrp"); TokenNewSettings tokenNewSettings = new TokenNewSettings() { Name = tokenName, }; Token parent = await _tokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(parent, "A1: Error creating the parent token - expected to receive the new token back, instead we received a null value."); VaultAgentAPI v1 = await VaultServerRef.ConnectVault("TokenAuth2", parent.ID); TokenAuthEngine TAE = (TokenAuthEngine)v1.ConnectAuthenticationBackend(EnumBackendTypes.A_Token); // Now create 3 child tokens. Token token1 = await TAE.CreateToken(tokenNewSettings); Assert.NotNull(token1, "A2: Error creating a new token - expected to receive the new token back, instead we received a null value."); // Token 2. tokenNewSettings.Name = "Token2"; Token token2 = await TAE.CreateToken(tokenNewSettings); Assert.NotNull(token2, "A3: Error creating a new token - expected to receive the new token back, instead we received a null value."); // Token 3. tokenNewSettings.Name = "Token3"; Token token3 = await TAE.CreateToken(tokenNewSettings); Assert.NotNull(token3, "A4: Error creating a new token - expected to receive the new token back, instead we received a null value."); // Now revoke the Parent token. Assert.IsTrue(await _tokenAuthEngine.RevokeToken(parent.ID, false), "A5: Revocation of parent token was not successful."); Token parent2 = await _tokenAuthEngine.GetTokenWithID(parent.ID); Assert.IsNull(parent2, "A6: The parent token should have been revoked. But it still exists."); // Validate that each of the child tokens is revoked as well. Token a1 = await _tokenAuthEngine.GetTokenWithID(token1.ID); Token a2 = await _tokenAuthEngine.GetTokenWithID(token2.ID); Token a3 = await _tokenAuthEngine.GetTokenWithID(token3.ID); Assert.IsNotNull(a1, "A7: Expected the child token to still exist. But it is null"); Assert.IsNotNull(a2, "A8: Expected the child token to still exist. But it is null"); Assert.IsNotNull(a3, "A9: Expected the child token to still exist. But it is null"); Assert.IsTrue(a1.IsOrphan, "A10: Expected token to be marked as an orphan."); Assert.IsTrue(a2.IsOrphan, "A11: Expected token to be marked as an orphan."); Assert.IsTrue(a3.IsOrphan, "A12: Expected token to be marked as an orphan."); }
/// <summary> /// Creates an orphan token (a token with no parent) /// </summary> /// <param name="tokenSettings">A TokenNewSettings object with the options you would like the new token to have. </param> /// <returns>True if token was created successfully.</returns> public async Task <Token> CreateOrphanToken(TokenNewSettings tokenSettings) { string path = MountPointPath + "create-orphan"; string json = JsonConvert.SerializeObject(tokenSettings, Formatting.None); VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "CreateOrphanToken", json); if (vdro.Success) { LoginResponse loginResponse = await vdro.GetDotNetObject <LoginResponse>("auth"); // Now read the token.back. return(await this.GetTokenWithID(loginResponse.ClientToken)); } throw new ApplicationException("TokenAuthEngine: CreateOrphanToken returned an unexpected error."); }
public async Task NormalLogin() { // SETUP // We need our own vault since we will be manipulating the token value VaultAgentAPI ourVault = await VaultServerRef.ConnectVault("TokenTest"); TokenAuthEngine ourTokenAuthEngine = (TokenAuthEngine)ourVault.ConnectAuthenticationBackend(EnumBackendTypes.A_Token); // Need a Token Role so we can autogenerate a token TokenRole tokenRole = new TokenRole(); UniqueKeys UK = new UniqueKeys("", ""); // Unique Key generator tokenRole.Name = UK.GetKey(); await ourTokenAuthEngine.SaveTokenRole(tokenRole); string tokenName = "Name" + tokenRole.Name; TokenNewSettings tokenNewSettings = new TokenNewSettings() { Name = tokenName, NumberOfUses = 6, NoParentToken = true, RoleName = tokenRole.Name }; Token token = await ourTokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(token, "A10: Expected to receive the new token back, instead we received a null value."); // Read the token we just created. //Token token = await _tokenAuthEngine.GetTokenWithID(tokenID); Assert.IsNotNull(token, "A20: No Token returned. Was expecting one."); VaultAgentAPI vault2 = await VaultServerRef.ConnectVault("TokenLoginTest"); TokenLoginConnector loginConnector = new TokenLoginConnector(vault2, "test"); loginConnector.TokenId = token.ID; Assert.IsTrue(await loginConnector.Connect(), "A30: Login Failed"); }
/// <summary> /// Creates a token that is a child of the calling token. Note, IF you do not specify any Policies, it will have the same policies as the token /// being used to call this routine. This could mean it has root access! Best to always set at least 1 policy. Use default if you need. /// </summary> /// <param name="tokenSettings">A TokenNewSettings object with the options you would like the new token to have. </param> /// <returns>True if token was created successfully.</returns> public async Task <Token> CreateToken(TokenNewSettings tokenSettings) { string path = MountPointPath + "create"; string json = JsonConvert.SerializeObject(tokenSettings, Formatting.None); VaultDataResponseObjectB vdro = await ParentVault._httpConnector.PostAsync_B(path, "CreateToken", json); if (vdro.Success) { LoginResponse loginResponse = await vdro.GetDotNetObject <LoginResponse>("auth"); // Now read the token.back. return(await this.GetTokenWithID(loginResponse.ClientToken)); } else { return(null); } }
public async Task RenewTokenWithLease_Success() { string tokenID = UK.GetKey("tok"); int numUses = 19; string tokenName = "Name" + tokenID.ToString(); TokenNewSettings tokenNewSettings = new TokenNewSettings() { ID = tokenID, Name = tokenName, NumberOfUses = numUses, IsRenewable = true, MaxTTL = "86400" }; Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(token, "A1: Error creating a new token - expected to receive the new token back, instead we received a null value."); // Vault seems to prepend the auth backends name to the display name. Assert.AreEqual("token-" + tokenName, token.DisplayName, "M2: Token names are not equal"); Assert.AreEqual(tokenID, token.ID, "M3: Token ID's are not equal"); Assert.AreEqual(numUses, token.NumberOfUses, "M4: Token number of uses are not equal"); Assert.IsTrue(token.IsRenewable); // Renew token TimeUnit timeUnit12Hrs = new TimeUnit("12h"); bool result = await _tokenAuthEngine.RenewToken(token.ID, timeUnit12Hrs); Assert.IsTrue(result, "M5: Token was unable to be renewed successfully."); // Retrieve token and validate lease time. Token token2 = await _tokenAuthEngine.GetTokenWithID(tokenID); // Token should be very close to 12 hrs. Assert.LessOrEqual(token2.TTL, 43200, "M6: Token lease was not set to expected value."); Assert.GreaterOrEqual(token2.TTL, 43190, "M7: Token lease was not close to 12hours."); }
public async Task RevokeTokenViaAccessor_Succeeds() { string tokenID = UK.GetKey("Rev"); string tokenName = "Name" + tokenID.ToString(); TokenNewSettings tokenNewSettings = new TokenNewSettings() { ID = tokenID, Name = tokenName, }; Token token = await _tokenAuthEngine.CreateToken(tokenNewSettings); Assert.NotNull(token, "A1: Error creating a new token - expected to receive the new token back, instead we received a null value."); // Revoke and validate it is gone. Assert.True(await _tokenAuthEngine.RevokeTokenViaAccessor(token.AccessorTokenID), "M2: Revocation of token failed."); // If token is null then it has been revoked successfully. Token token2 = await _tokenAuthEngine.GetTokenWithID(tokenID); Assert.IsNull(token2); }