Merge pull request #1231 from notnoop/b-anon-pki-access

Ignore anonymous request failures checking kv status
hashicorp · Jul 17, 2019 · 4058b14 · 4058b14
2 parents cb2ee2f + ae80c54
commit 4058b14
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 0 deletions.
diff --git a/dependency/vault_common.go b/dependency/vault_common.go
@@ -225,6 +225,12 @@ func isKVv2(client *api.Client, path string) (string, bool, error) {
 			return "", false, nil
 		}
 
+		// anonymous requests may fail to access /sys/internal/ui path
+		// Vault v1.1.3 returns 500 status code but may return 4XX in future
+		if client.Token() == "" {
+			return "", false, nil
+		}
+
 		return "", false, err
 	}
 

diff --git a/dependency/vault_read_test.go b/dependency/vault_read_test.go
@@ -3,6 +3,8 @@ package dependency
 import (
 	"fmt"
 	"net/url"
+	"reflect"
+	"strings"
 	"testing"
 	"time"
 
@@ -400,6 +402,64 @@ func TestVaultReadQuery_Fetch_KVv2(t *testing.T) {
 	}
 }
 
+// TestVaultReadQuery_Fetch_PKI_Anonymous asserts that vault.read can fetch a
+// pki ca public cert even even when running unauthenticated client.
+func TestVaultReadQuery_Fetch_PKI_Anonymous(t *testing.T) {
+	t.Parallel()
+
+	clients, vault := testVaultServer(t)
+	defer vault.Stop()
+
+	err := clients.Vault().Sys().Mount("pki", &api.MountInput{
+		Type: "pki",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	vc := clients.Vault()
+	_, err = vc.Logical().Write("sys/policies/acl/secrets-only", map[string]interface{}{
+		"policy": `path "secret/*" { capabilities = ["create", "read"] }`,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = vc.Logical().Write("pki/root/generate/internal", map[string]interface{}{
+		"common_name": "example.com",
+		"ttl":         "24h",
+	})
+
+	anonClient := NewClientSet()
+	anonClient.CreateVaultClient(&CreateVaultClientInput{
+		Address: vault.Address,
+		Token:   "",
+	})
+	_, err = anonClient.vault.client.Auth().Token().LookupSelf()
+	if err == nil || !strings.Contains(err.Error(), "missing client token") {
+		t.Fatalf("expected a missing client token error but found: %v", err)
+	}
+
+	d, err := NewVaultReadQuery("pki/cert/ca")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	act, _, err := d.Fetch(anonClient, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sec, ok := act.(*Secret)
+	if !ok {
+		t.Fatalf("expected secret but found %v", reflect.TypeOf(act))
+	}
+	cert, ok := sec.Data["certificate"].(string)
+	if !ok || !strings.Contains(cert, "BEGIN") {
+		t.Fatalf("expected a cert but found: %v", cert)
+	}
+}
+
 func TestVaultReadQuery_String(t *testing.T) {
 	t.Parallel()