Merge pull request #2886 from hashicorp/sethvargo/renew_api

Add API helper for renewing a secret
hashicorp · Jul 11, 2017 · 23a8f61 · 23a8f61
2 parents 48ab9c5 + 2fbb192
commit 23a8f61
Show file tree

Hide file tree

Showing 5 changed files with 731 additions and 0 deletions.
diff --git a/api/api_integration_test.go b/api/api_integration_test.go
@@ -0,0 +1,96 @@
+package api_test
+
+import (
+	"database/sql"
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/builtin/logical/pki"
+	"github.com/hashicorp/vault/builtin/logical/transit"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/vault"
+
+	vaulthttp "github.com/hashicorp/vault/http"
+	logxi "github.com/mgutz/logxi/v1"
+	dockertest "gopkg.in/ory-am/dockertest.v3"
+)
+
+var testVaultServerDefaultBackends = map[string]logical.Factory{
+	"transit": transit.Factory,
+	"pki":     pki.Factory,
+}
+
+func testVaultServer(t testing.TB) (*api.Client, func()) {
+	return testVaultServerBackends(t, testVaultServerDefaultBackends)
+}
+
+func testVaultServerBackends(t testing.TB, backends map[string]logical.Factory) (*api.Client, func()) {
+	coreConfig := &vault.CoreConfig{
+		DisableMlock:    true,
+		DisableCache:    true,
+		Logger:          logxi.NullLog,
+		LogicalBackends: backends,
+	}
+
+	cluster := vault.NewTestCluster(t, coreConfig, true)
+	cluster.StartListeners()
+	for _, core := range cluster.Cores {
+		core.Handler.Handle("/", vaulthttp.Handler(core.Core))
+	}
+
+	// make it easy to get access to the active
+	core := cluster.Cores[0].Core
+	vault.TestWaitActive(t, core)
+
+	// Grab the root token
+	rootToken := cluster.Cores[0].Root
+
+	client := cluster.Cores[0].Client
+	client.SetToken(rootToken)
+
+	// Sanity check
+	secret, err := client.Auth().Token().LookupSelf()
+	if err != nil {
+		t.Fatal(err)
+	}
+	if secret == nil || secret.Data["id"].(string) != rootToken {
+		t.Fatalf("token mismatch: %#v vs %q", secret, rootToken)
+	}
+	return client, func() { defer cluster.CloseListeners() }
+}
+
+// testPostgresDB creates a testing postgres database in a Docker container,
+// returning the connection URL and the associated closer function.
+func testPostgresDB(t testing.TB) (string, func()) {
+	pool, err := dockertest.NewPool("")
+	if err != nil {
+		t.Fatalf("postgresdb: failed to connect to docker: %s", err)
+	}
+
+	resource, err := pool.Run("postgres", "latest", []string{
+		"POSTGRES_PASSWORD=secret",
+		"POSTGRES_DB=database",
+	})
+	if err != nil {
+		t.Fatalf("postgresdb: could not start container: %s", err)
+	}
+
+	addr := fmt.Sprintf("postgres://postgres:secret@localhost:%s/database?sslmode=disable", resource.GetPort("5432/tcp"))
+
+	if err := pool.Retry(func() error {
+		db, err := sql.Open("postgres", addr)
+		if err != nil {
+			return err
+		}
+		return db.Ping()
+	}); err != nil {
+		t.Fatalf("postgresdb: could not connect: %s", err)
+	}
+
+	return addr, func() {
+		if err := pool.Purge(resource); err != nil {
+			t.Fatalf("postgresdb: failed to cleanup container: %s", err)
+		}
+	}
+}
diff --git a/api/auth_token.go b/api/auth_token.go
@@ -135,6 +135,26 @@ func (c *TokenAuth) RenewSelf(increment int) (*Secret, error) {
 	return ParseSecret(resp.Body)
 }
 
+// RenewTokenAsSelf behaves like renew-self, but authenticates using a provided
+// token instead of the token attached to the client.
+func (c *TokenAuth) RenewTokenAsSelf(token string, increment int) (*Secret, error) {
+	r := c.c.NewRequest("PUT", "/v1/auth/token/renew-self")
+	r.ClientToken = token
+
+	body := map[string]interface{}{"increment": increment}
+	if err := r.SetJSONBody(body); err != nil {
+		return nil, err
+	}
+
+	resp, err := c.c.RawRequest(r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	return ParseSecret(resp.Body)
+}
+
 // RevokeAccessor revokes a token associated with the given accessor
 // along with all the child tokens.
 func (c *TokenAuth) RevokeAccessor(accessor string) error {