initial commit: certmanager

migrate from python to golang
This commit is contained in:
2026-03-24 19:38:24 +11:00
commit 00f5b4a246
15 changed files with 1449 additions and 0 deletions
+89
View File
@@ -0,0 +1,89 @@
package config
import (
"fmt"
"os"
"path/filepath"
"gopkg.in/yaml.v3"
)
// AuthMethod selects how certmanager authenticates to Vault.
type AuthMethod string
const (
AuthMethodAppRole AuthMethod = "approle"
AuthMethodLDAP AuthMethod = "ldap"
AuthMethodKubernetes AuthMethod = "kubernetes"
AuthMethodToken AuthMethod = "token"
)
// Config is the top-level configuration structure.
type Config struct {
Vault VaultConfig `yaml:"vault"`
}
// VaultConfig holds Vault connection and auth parameters.
// Only the fields relevant to the chosen AuthMethod need to be populated.
type VaultConfig struct {
Addr string `yaml:"addr"`
AuthMethod AuthMethod `yaml:"auth_method"` // approle | ldap | kubernetes | token
MountPoint string `yaml:"mount_point"`
RoleName string `yaml:"role_name"`
OutputPath string `yaml:"output_path"`
// approle
ApprolePath string `yaml:"approle_path"`
RoleID string `yaml:"role_id"`
SecretID string `yaml:"secret_id"`
// ldap
LDAPPath string `yaml:"ldap_path"`
LDAPUsername string `yaml:"ldap_username"`
LDAPPassword string `yaml:"ldap_password"`
// kubernetes
KubernetesPath string `yaml:"kubernetes_path"`
KubernetesRole string `yaml:"kubernetes_role"`
KubernetesTokenFile string `yaml:"kubernetes_token_file"`
// token (static; useful for testing or bootstrap)
Token string `yaml:"token"`
}
// DefaultPath returns the XDG-compliant default config file path:
// $XDG_CONFIG_HOME/certmanager/config.yaml, falling back to
// $HOME/.config/certmanager/config.yaml.
func DefaultPath() string {
base := os.Getenv("XDG_CONFIG_HOME")
if base == "" {
home, err := os.UserHomeDir()
if err != nil {
return "config.yaml"
}
base = filepath.Join(home, ".config")
}
return filepath.Join(base, "certmanager", "config.yaml")
}
// Load reads and parses the config file at the given path.
func Load(path string) (*Config, error) {
f, err := os.Open(path)
if err != nil {
return nil, fmt.Errorf("open config %q: %w", path, err)
}
defer f.Close()
var cfg Config
if err := yaml.NewDecoder(f).Decode(&cfg); err != nil {
return nil, fmt.Errorf("parse config %q: %w", path, err)
}
// Default to approle for backwards-compatibility with the existing
// Python certmanager/sshsignhost config format.
if cfg.Vault.AuthMethod == "" {
cfg.Vault.AuthMethod = AuthMethodAppRole
}
return &cfg, nil
}
+162
View File
@@ -0,0 +1,162 @@
package config
import (
"os"
"path/filepath"
"testing"
)
func TestDefaultPath_XDGSet(t *testing.T) {
t.Setenv("XDG_CONFIG_HOME", "/tmp/xdg")
got := DefaultPath()
want := "/tmp/xdg/certmanager/config.yaml"
if got != want {
t.Errorf("got %q, want %q", got, want)
}
}
func TestDefaultPath_XDGUnset(t *testing.T) {
t.Setenv("XDG_CONFIG_HOME", "")
home, _ := os.UserHomeDir()
got := DefaultPath()
want := filepath.Join(home, ".config", "certmanager", "config.yaml")
if got != want {
t.Errorf("got %q, want %q", got, want)
}
}
func TestLoad_AppRole(t *testing.T) {
tmp := t.TempDir()
path := filepath.Join(tmp, "config.yaml")
content := `
vault:
addr: https://vault.example.com:8200
auth_method: approle
approle_path: approle
role_id: my-role-id
mount_point: pki_int
role_name: servers_default
output_path: /tmp/certs
`
os.WriteFile(path, []byte(content), 0o644)
cfg, err := Load(path)
if err != nil {
t.Fatalf("Load() error: %v", err)
}
if cfg.Vault.AuthMethod != AuthMethodAppRole {
t.Errorf("auth_method = %q", cfg.Vault.AuthMethod)
}
if cfg.Vault.RoleID != "my-role-id" {
t.Errorf("role_id = %q", cfg.Vault.RoleID)
}
}
func TestLoad_DefaultAuthMethod(t *testing.T) {
tmp := t.TempDir()
path := filepath.Join(tmp, "config.yaml")
// Omit auth_method — should default to approle for backwards compat.
content := `
vault:
addr: https://vault.example.com:8200
role_id: my-role-id
approle_path: approle
mount_point: pki_int
role_name: servers_default
`
os.WriteFile(path, []byte(content), 0o644)
cfg, err := Load(path)
if err != nil {
t.Fatalf("Load() error: %v", err)
}
if cfg.Vault.AuthMethod != AuthMethodAppRole {
t.Errorf("expected default approle, got %q", cfg.Vault.AuthMethod)
}
}
func TestLoad_LDAP(t *testing.T) {
tmp := t.TempDir()
path := filepath.Join(tmp, "config.yaml")
content := `
vault:
addr: https://vault.example.com:8200
auth_method: ldap
ldap_path: ldap
ldap_username: alice
ldap_password: secret
mount_point: pki_int
role_name: servers_default
`
os.WriteFile(path, []byte(content), 0o644)
cfg, err := Load(path)
if err != nil {
t.Fatalf("Load() error: %v", err)
}
if cfg.Vault.AuthMethod != AuthMethodLDAP {
t.Errorf("auth_method = %q", cfg.Vault.AuthMethod)
}
if cfg.Vault.LDAPUsername != "alice" {
t.Errorf("ldap_username = %q", cfg.Vault.LDAPUsername)
}
}
func TestLoad_Kubernetes(t *testing.T) {
tmp := t.TempDir()
path := filepath.Join(tmp, "config.yaml")
content := `
vault:
addr: https://vault.example.com:8200
auth_method: kubernetes
kubernetes_path: kubernetes
kubernetes_role: puppet
kubernetes_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
mount_point: pki_int
role_name: servers_default
`
os.WriteFile(path, []byte(content), 0o644)
cfg, err := Load(path)
if err != nil {
t.Fatalf("Load() error: %v", err)
}
if cfg.Vault.AuthMethod != AuthMethodKubernetes {
t.Errorf("auth_method = %q", cfg.Vault.AuthMethod)
}
if cfg.Vault.KubernetesRole != "puppet" {
t.Errorf("kubernetes_role = %q", cfg.Vault.KubernetesRole)
}
}
func TestLoad_Token(t *testing.T) {
tmp := t.TempDir()
path := filepath.Join(tmp, "config.yaml")
content := `
vault:
addr: https://vault.example.com:8200
auth_method: token
token: hvs.statictoken
mount_point: pki_int
role_name: servers_default
`
os.WriteFile(path, []byte(content), 0o644)
cfg, err := Load(path)
if err != nil {
t.Fatalf("Load() error: %v", err)
}
if cfg.Vault.AuthMethod != AuthMethodToken {
t.Errorf("auth_method = %q", cfg.Vault.AuthMethod)
}
if cfg.Vault.Token != "hvs.statictoken" {
t.Errorf("token = %q", cfg.Vault.Token)
}
}
func TestLoad_MissingFile(t *testing.T) {
_, err := Load("/nonexistent/config.yaml")
if err == nil {
t.Error("expected error for missing file, got nil")
}
}
+60
View File
@@ -0,0 +1,60 @@
package pki
import (
"fmt"
"strings"
"git.unkin.net/unkin/certmanager/internal/vault"
)
// CertificateResponse is the JSON-serialisable output returned to callers.
type CertificateResponse struct {
Certificate string `json:"certificate"`
PrivateKey string `json:"private_key"`
FullChain string `json:"full_chain"`
CACertificate string `json:"ca_certificate"`
}
type issueRequest struct {
CommonName string `json:"common_name"`
AltNames string `json:"alt_names,omitempty"`
IPSans string `json:"ip_sans,omitempty"`
TTL string `json:"ttl"`
}
type issueResponse struct {
Data struct {
Certificate string `json:"certificate"`
PrivateKey string `json:"private_key"`
IssuingCA string `json:"issuing_ca"`
} `json:"data"`
}
// IssueCert requests a PKI certificate from Vault.
func IssueCert(client *vault.Client, mountPoint, roleName, commonName string, altNames, ipSans []string, expiryDays int) (*CertificateResponse, error) {
req := issueRequest{
CommonName: commonName,
TTL: fmt.Sprintf("%dd", expiryDays),
}
if len(altNames) > 0 {
req.AltNames = strings.Join(altNames, ",")
}
if len(ipSans) > 0 {
req.IPSans = strings.Join(ipSans, ",")
}
var resp issueResponse
path := fmt.Sprintf("%s/issue/%s", mountPoint, roleName)
if err := client.Post(path, req, &resp); err != nil {
return nil, err
}
fullChain := resp.Data.IssuingCA + "\n" + resp.Data.Certificate
return &CertificateResponse{
Certificate: resp.Data.Certificate,
PrivateKey: resp.Data.PrivateKey,
FullChain: fullChain,
CACertificate: resp.Data.IssuingCA,
}, nil
}
+84
View File
@@ -0,0 +1,84 @@
package pki_test
import (
"encoding/json"
"net/http"
"net/http/httptest"
"strings"
"testing"
"git.unkin.net/unkin/certmanager/internal/config"
"git.unkin.net/unkin/certmanager/internal/pki"
"git.unkin.net/unkin/certmanager/internal/vault"
)
func newVaultClient(t *testing.T, mux *http.ServeMux) *vault.Client {
t.Helper()
const token = "test-token"
mux.HandleFunc("/v1/auth/approle/login", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]any{
"auth": map[string]any{"client_token": token},
})
})
srv := httptest.NewTLSServer(mux)
t.Cleanup(srv.Close)
client, err := vault.New(config.VaultConfig{
Addr: srv.URL,
AuthMethod: config.AuthMethodAppRole,
RoleID: "role",
ApprolePath: "approle",
})
if err != nil {
t.Fatalf("vault.New: %v", err)
}
return client
}
func TestIssueCert(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/v1/pki_int/issue/servers_default", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]any{
"data": map[string]any{
"certificate": "CERT",
"private_key": "KEY",
"issuing_ca": "CA",
},
})
})
client := newVaultClient(t, mux)
cert, err := pki.IssueCert(client, "pki_int", "servers_default", "host.example.com",
[]string{"host", "host.example.com"}, []string{"127.0.0.1"}, 90)
if err != nil {
t.Fatalf("IssueCert: %v", err)
}
if cert.Certificate != "CERT" {
t.Errorf("certificate = %q", cert.Certificate)
}
if cert.PrivateKey != "KEY" {
t.Errorf("private_key = %q", cert.PrivateKey)
}
if cert.CACertificate != "CA" {
t.Errorf("ca_certificate = %q", cert.CACertificate)
}
if !strings.Contains(cert.FullChain, "CA") || !strings.Contains(cert.FullChain, "CERT") {
t.Errorf("full_chain = %q", cert.FullChain)
}
}
func TestIssueCert_VaultError(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/v1/pki_int/issue/servers_default", func(w http.ResponseWriter, r *http.Request) {
http.Error(w, "permission denied", http.StatusForbidden)
})
client := newVaultClient(t, mux)
_, err := pki.IssueCert(client, "pki_int", "servers_default", "host.example.com", nil, nil, 90)
if err == nil {
t.Error("expected error, got nil")
}
}
+52
View File
@@ -0,0 +1,52 @@
package ssh
import (
"fmt"
"strings"
"git.unkin.net/unkin/certmanager/internal/vault"
)
// SignedCertResponse is the JSON-serialisable output returned to callers.
type SignedCertResponse struct {
SignedKey string `json:"signed_key"`
}
type signRequest struct {
CertType string `json:"cert_type"`
PublicKey string `json:"public_key"`
ValidPrincipals string `json:"valid_principals"`
TTL string `json:"ttl"`
}
type signResponse struct {
Data struct {
SignedKey string `json:"signed_key"`
} `json:"data"`
}
// SignHostCert signs an SSH host public key via the Vault SSH secrets engine.
func SignHostCert(client *vault.Client, mountPoint, roleName, publicKey string, principals []string, ttl string) (*SignedCertResponse, error) {
if ttl == "" {
ttl = "87600h"
}
req := signRequest{
CertType: "host",
PublicKey: publicKey,
ValidPrincipals: strings.Join(principals, ","),
TTL: ttl,
}
var resp signResponse
path := fmt.Sprintf("%s/sign/%s", mountPoint, roleName)
if err := client.Post(path, req, &resp); err != nil {
return nil, err
}
if resp.Data.SignedKey == "" {
return nil, fmt.Errorf("vault returned empty signed_key")
}
return &SignedCertResponse{SignedKey: resp.Data.SignedKey}, nil
}
+96
View File
@@ -0,0 +1,96 @@
package ssh_test
import (
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
"git.unkin.net/unkin/certmanager/internal/config"
"git.unkin.net/unkin/certmanager/internal/ssh"
"git.unkin.net/unkin/certmanager/internal/vault"
)
func newVaultClient(t *testing.T, mux *http.ServeMux) *vault.Client {
t.Helper()
const token = "test-token"
mux.HandleFunc("/v1/auth/approle/login", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]any{
"auth": map[string]any{"client_token": token},
})
})
srv := httptest.NewTLSServer(mux)
t.Cleanup(srv.Close)
client, err := vault.New(config.VaultConfig{
Addr: srv.URL,
AuthMethod: config.AuthMethodAppRole,
RoleID: "role",
ApprolePath: "approle",
})
if err != nil {
t.Fatalf("vault.New: %v", err)
}
return client
}
func TestSignHostCert(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/v1/ssh-host-signer/sign/hostrole", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]any{
"data": map[string]any{
"signed_key": "ssh-rsa-cert-v01@openssh.com AAAA...",
},
})
})
client := newVaultClient(t, mux)
resp, err := ssh.SignHostCert(client, "ssh-host-signer", "hostrole",
"ssh-rsa AAAA...", []string{"host.example.com", "host"}, "87600h")
if err != nil {
t.Fatalf("SignHostCert: %v", err)
}
if resp.SignedKey != "ssh-rsa-cert-v01@openssh.com AAAA..." {
t.Errorf("signed_key = %q", resp.SignedKey)
}
}
func TestSignHostCert_DefaultTTL(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/v1/ssh-host-signer/sign/hostrole", func(w http.ResponseWriter, r *http.Request) {
var body map[string]string
json.NewDecoder(r.Body).Decode(&body)
if body["ttl"] != "87600h" {
t.Errorf("expected default ttl 87600h, got %q", body["ttl"])
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]any{
"data": map[string]any{"signed_key": "CERT"},
})
})
client := newVaultClient(t, mux)
_, err := ssh.SignHostCert(client, "ssh-host-signer", "hostrole", "ssh-rsa AAAA...", []string{"host"}, "")
if err != nil {
t.Fatalf("SignHostCert: %v", err)
}
}
func TestSignHostCert_EmptySignedKey(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/v1/ssh-host-signer/sign/hostrole", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]any{
"data": map[string]any{"signed_key": ""},
})
})
client := newVaultClient(t, mux)
_, err := ssh.SignHostCert(client, "ssh-host-signer", "hostrole", "ssh-rsa AAAA...", []string{"host"}, "87600h")
if err == nil {
t.Error("expected error for empty signed_key, got nil")
}
}
+186
View File
@@ -0,0 +1,186 @@
package vault
import (
"bytes"
"crypto/tls"
"encoding/json"
"fmt"
"net/http"
"os"
"git.unkin.net/unkin/certmanager/internal/config"
)
const defaultKubernetesTokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
// Client is an authenticated Vault HTTP client.
type Client struct {
addr string
token string
http *http.Client
}
// New authenticates to Vault using the method specified in cfg and returns a
// ready Client.
func New(cfg config.VaultConfig) (*Client, error) {
// TLS verification is intentionally skipped to match the existing Python
// scripts; the TODO comment in those scripts notes this should be removed
// once certs are generated everywhere.
transport := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec
}
httpClient := &http.Client{Transport: transport}
c := &Client{addr: cfg.Addr, http: httpClient}
var err error
switch cfg.AuthMethod {
case config.AuthMethodAppRole, "":
err = c.loginAppRole(cfg)
case config.AuthMethodLDAP:
err = c.loginLDAP(cfg)
case config.AuthMethodKubernetes:
err = c.loginKubernetes(cfg)
case config.AuthMethodToken:
err = c.loginToken(cfg)
default:
return nil, fmt.Errorf("unknown auth_method %q (valid: approle, ldap, kubernetes, token)", cfg.AuthMethod)
}
if err != nil {
return nil, err
}
return c, nil
}
// ---------------------------------------------------------------------------
// auth method implementations
// ---------------------------------------------------------------------------
func (c *Client) loginAppRole(cfg config.VaultConfig) error {
path := cfg.ApprolePath
if path == "" {
path = "approle"
}
payload := map[string]string{"role_id": cfg.RoleID}
if cfg.SecretID != "" {
payload["secret_id"] = cfg.SecretID
}
token, err := c.fetchToken(fmt.Sprintf("auth/%s/login", path), payload)
if err != nil {
return fmt.Errorf("approle login: %w", err)
}
c.token = token
return nil
}
func (c *Client) loginLDAP(cfg config.VaultConfig) error {
path := cfg.LDAPPath
if path == "" {
path = "ldap"
}
payload := map[string]string{"password": cfg.LDAPPassword}
token, err := c.fetchToken(fmt.Sprintf("auth/%s/login/%s", path, cfg.LDAPUsername), payload)
if err != nil {
return fmt.Errorf("ldap login: %w", err)
}
c.token = token
return nil
}
func (c *Client) loginKubernetes(cfg config.VaultConfig) error {
path := cfg.KubernetesPath
if path == "" {
path = "kubernetes"
}
tokenFile := cfg.KubernetesTokenFile
if tokenFile == "" {
tokenFile = defaultKubernetesTokenFile
}
jwt, err := os.ReadFile(tokenFile)
if err != nil {
return fmt.Errorf("kubernetes login: read service account token %q: %w", tokenFile, err)
}
payload := map[string]string{
"role": cfg.KubernetesRole,
"jwt": string(jwt),
}
token, err := c.fetchToken(fmt.Sprintf("auth/%s/login", path), payload)
if err != nil {
return fmt.Errorf("kubernetes login: %w", err)
}
c.token = token
return nil
}
func (c *Client) loginToken(cfg config.VaultConfig) error {
if cfg.Token == "" {
return fmt.Errorf("token auth: vault.token must not be empty")
}
c.token = cfg.Token
return nil
}
// fetchToken posts to a Vault auth endpoint and extracts the client token.
func (c *Client) fetchToken(authPath string, payload any) (string, error) {
body, err := json.Marshal(payload)
if err != nil {
return "", err
}
url := fmt.Sprintf("%s/v1/%s", c.addr, authPath)
resp, err := c.http.Post(url, "application/json", bytes.NewReader(body))
if err != nil {
return "", err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return "", fmt.Errorf("unexpected status %d", resp.StatusCode)
}
var result struct {
Auth struct {
ClientToken string `json:"client_token"`
} `json:"auth"`
}
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
return "", fmt.Errorf("decode response: %w", err)
}
if result.Auth.ClientToken == "" {
return "", fmt.Errorf("empty client token in response")
}
return result.Auth.ClientToken, nil
}
// ---------------------------------------------------------------------------
// request helpers
// ---------------------------------------------------------------------------
// Post sends an authenticated POST to a Vault path and decodes the response.
func (c *Client) Post(path string, payload, out any) error {
body, err := json.Marshal(payload)
if err != nil {
return err
}
url := fmt.Sprintf("%s/v1/%s", c.addr, path)
req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
if err != nil {
return err
}
req.Header.Set("X-Vault-Token", c.token)
req.Header.Set("Content-Type", "application/json")
resp, err := c.http.Do(req)
if err != nil {
return fmt.Errorf("vault POST %s: %w", path, err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return fmt.Errorf("vault POST %s: unexpected status %d", path, resp.StatusCode)
}
return json.NewDecoder(resp.Body).Decode(out)
}
+283
View File
@@ -0,0 +1,283 @@
package vault_test
import (
"encoding/json"
"net/http"
"net/http/httptest"
"os"
"path/filepath"
"strings"
"testing"
"git.unkin.net/unkin/certmanager/internal/config"
"git.unkin.net/unkin/certmanager/internal/vault"
)
// tokenHandler returns a handler that serves a fixed Vault token on POST.
func tokenHandler(token string) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]any{
"auth": map[string]any{"client_token": token},
})
}
}
func newTLSServer(t *testing.T, mux *http.ServeMux) *httptest.Server {
t.Helper()
srv := httptest.NewTLSServer(mux)
t.Cleanup(srv.Close)
return srv
}
// ---------------------------------------------------------------------------
// AppRole
// ---------------------------------------------------------------------------
func TestNew_AppRole(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/v1/auth/approle/login", tokenHandler("tok-approle"))
srv := newTLSServer(t, mux)
_, err := vault.New(config.VaultConfig{
Addr: srv.URL,
AuthMethod: config.AuthMethodAppRole,
ApprolePath: "approle",
RoleID: "role-id",
})
if err != nil {
t.Fatalf("AppRole auth failed: %v", err)
}
}
func TestNew_AppRole_WithSecretID(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/v1/auth/approle/login", func(w http.ResponseWriter, r *http.Request) {
var body map[string]string
json.NewDecoder(r.Body).Decode(&body)
if body["secret_id"] != "my-secret" {
http.Error(w, "missing secret_id", http.StatusBadRequest)
return
}
tokenHandler("tok-approle-secret")(w, r)
})
srv := newTLSServer(t, mux)
_, err := vault.New(config.VaultConfig{
Addr: srv.URL,
AuthMethod: config.AuthMethodAppRole,
ApprolePath: "approle",
RoleID: "role-id",
SecretID: "my-secret",
})
if err != nil {
t.Fatalf("AppRole+SecretID auth failed: %v", err)
}
}
func TestNew_AppRole_DefaultPath(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/v1/auth/approle/login", tokenHandler("tok"))
srv := newTLSServer(t, mux)
_, err := vault.New(config.VaultConfig{
Addr: srv.URL,
AuthMethod: config.AuthMethodAppRole,
RoleID: "role-id",
// ApprolePath intentionally omitted — should default to "approle"
})
if err != nil {
t.Fatalf("AppRole default path failed: %v", err)
}
}
// ---------------------------------------------------------------------------
// LDAP
// ---------------------------------------------------------------------------
func TestNew_LDAP(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/v1/auth/ldap/login/testuser", func(w http.ResponseWriter, r *http.Request) {
var body map[string]string
json.NewDecoder(r.Body).Decode(&body)
if body["password"] != "secret" {
http.Error(w, "bad password", http.StatusForbidden)
return
}
tokenHandler("tok-ldap")(w, r)
})
srv := newTLSServer(t, mux)
_, err := vault.New(config.VaultConfig{
Addr: srv.URL,
AuthMethod: config.AuthMethodLDAP,
LDAPPath: "ldap",
LDAPUsername: "testuser",
LDAPPassword: "secret",
})
if err != nil {
t.Fatalf("LDAP auth failed: %v", err)
}
}
func TestNew_LDAP_DefaultPath(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/v1/auth/ldap/login/u", tokenHandler("tok"))
srv := newTLSServer(t, mux)
_, err := vault.New(config.VaultConfig{
Addr: srv.URL,
AuthMethod: config.AuthMethodLDAP,
LDAPUsername: "u",
LDAPPassword: "p",
})
if err != nil {
t.Fatalf("LDAP default path failed: %v", err)
}
}
// ---------------------------------------------------------------------------
// Kubernetes
// ---------------------------------------------------------------------------
func TestNew_Kubernetes(t *testing.T) {
tmp := t.TempDir()
tokenFile := filepath.Join(tmp, "token")
os.WriteFile(tokenFile, []byte("k8s-jwt"), 0o600)
mux := http.NewServeMux()
mux.HandleFunc("/v1/auth/kubernetes/login", func(w http.ResponseWriter, r *http.Request) {
var body map[string]string
json.NewDecoder(r.Body).Decode(&body)
if body["jwt"] != "k8s-jwt" || body["role"] != "puppet" {
http.Error(w, "bad jwt/role", http.StatusForbidden)
return
}
tokenHandler("tok-k8s")(w, r)
})
srv := newTLSServer(t, mux)
_, err := vault.New(config.VaultConfig{
Addr: srv.URL,
AuthMethod: config.AuthMethodKubernetes,
KubernetesPath: "kubernetes",
KubernetesRole: "puppet",
KubernetesTokenFile: tokenFile,
})
if err != nil {
t.Fatalf("Kubernetes auth failed: %v", err)
}
}
func TestNew_Kubernetes_MissingTokenFile(t *testing.T) {
_, err := vault.New(config.VaultConfig{
Addr: "https://vault.example.com",
AuthMethod: config.AuthMethodKubernetes,
KubernetesRole: "puppet",
KubernetesTokenFile: "/nonexistent/token",
})
if err == nil || !strings.Contains(err.Error(), "read service account token") {
t.Errorf("expected token file error, got %v", err)
}
}
// ---------------------------------------------------------------------------
// Token
// ---------------------------------------------------------------------------
func TestNew_Token(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/v1/pki_int/issue/role", func(w http.ResponseWriter, r *http.Request) {
if r.Header.Get("X-Vault-Token") != "static-token" {
http.Error(w, "forbidden", http.StatusForbidden)
return
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]any{
"data": map[string]any{
"certificate": "C", "private_key": "K", "issuing_ca": "CA",
},
})
})
srv := newTLSServer(t, mux)
client, err := vault.New(config.VaultConfig{
Addr: srv.URL,
AuthMethod: config.AuthMethodToken,
Token: "static-token",
})
if err != nil {
t.Fatalf("Token auth failed: %v", err)
}
var out map[string]any
if err := client.Post("pki_int/issue/role", map[string]string{"common_name": "x"}, &out); err != nil {
t.Fatalf("Post with token auth failed: %v", err)
}
}
func TestNew_Token_Empty(t *testing.T) {
_, err := vault.New(config.VaultConfig{
Addr: "https://vault.example.com",
AuthMethod: config.AuthMethodToken,
Token: "",
})
if err == nil {
t.Error("expected error for empty token")
}
}
// ---------------------------------------------------------------------------
// Unknown auth method
// ---------------------------------------------------------------------------
func TestNew_UnknownMethod(t *testing.T) {
_, err := vault.New(config.VaultConfig{
Addr: "https://vault.example.com",
AuthMethod: "magic",
})
if err == nil || !strings.Contains(err.Error(), "unknown auth_method") {
t.Errorf("expected unknown method error, got %v", err)
}
}
// ---------------------------------------------------------------------------
// Auth failure
// ---------------------------------------------------------------------------
func TestNew_AuthFailure(t *testing.T) {
srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
http.Error(w, "permission denied", http.StatusForbidden)
}))
t.Cleanup(srv.Close)
_, err := vault.New(config.VaultConfig{
Addr: srv.URL,
AuthMethod: config.AuthMethodAppRole,
ApprolePath: "approle",
RoleID: "role-id",
})
if err == nil {
t.Error("expected auth error, got nil")
}
}
func TestNew_EmptyToken(t *testing.T) {
srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]any{
"auth": map[string]any{"client_token": ""},
})
}))
t.Cleanup(srv.Close)
_, err := vault.New(config.VaultConfig{
Addr: srv.URL,
AuthMethod: config.AuthMethodAppRole,
ApprolePath: "approle",
RoleID: "role-id",
})
if err == nil || !strings.Contains(err.Error(), "empty client token") {
t.Errorf("expected empty token error, got %v", err)
}
}