Test vault client create key function (spiffe#5058)

InverseIntegral · InverseIntegral · commit d74610edd2f9 · 2024-09-16T20:40:45.000+02:00
diff --git a/pkg/server/plugin/keymanager/hashicorpvault/vault_client.go b/pkg/server/plugin/keymanager/hashicorpvault/vault_client.go
@@ -372,9 +372,12 @@ func (c *Client) CreateKey(ctx context.Context, spireKeyID string, keyType Trans
 		"exportable": "false", // TODO: Maybe make this configurable
 	}
 
-	// TODO: Handle errors here such as key already exists
 	_, err := c.vaultClient.Logical().WriteWithContext(ctx, fmt.Sprintf("/%s/keys/%s", c.clientParams.TransitEnginePath, spireKeyID), arguments)
-	return err
+	if err != nil {
+		return status.Errorf(codes.Internal, "failed to create transit engine key: %v", err)
+	}
+
+	return nil
 }
 
 // GetKey gets the transit engine key with the specified spire key id.
diff --git a/pkg/server/plugin/keymanager/hashicorpvault/vault_client_test.go b/pkg/server/plugin/keymanager/hashicorpvault/vault_client_test.go
@@ -1,6 +1,7 @@
 package hashicorpvault
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -607,7 +608,69 @@ func TestConfigureTLSRequireClientCertAndKey(t *testing.T) {
 	spiretest.RequireGRPCStatus(t, err, codes.InvalidArgument, "both client cert and client key are required")
 }
 
-// TODO: Test CreateKey
+func TestCreateKey(t *testing.T) {
+	fakeVaultServer := newFakeVaultServer()
+	fakeVaultServer.CertAuthResponseCode = 200
+	fakeVaultServer.CertAuthResponse = []byte(testCertAuthResponse)
+	fakeVaultServer.CreateKeyResponseCode = 204
+
+	s, addr, err := fakeVaultServer.NewTLSServer()
+	require.NoError(t, err)
+
+	s.Start()
+	defer s.Close()
+
+	cp := &ClientParams{
+		VaultAddr:      fmt.Sprintf("https://%v/", addr),
+		CACertPath:     testRootCert,
+		ClientCertPath: testClientCert,
+		ClientKeyPath:  testClientKey,
+	}
+
+	cc, err := NewClientConfig(cp, hclog.Default())
+	require.NoError(t, err)
+
+	renewCh := make(chan struct{})
+	client, err := cc.NewAuthenticatedClient(CERT, renewCh)
+	require.NoError(t, err)
+
+	err = client.CreateKey(context.Background(), "x509-CA-A", TransitKeyTypeRSA2048)
+	require.NoError(t, err)
+}
+
+func TestCreateKeyErrorFromEndpoint(t *testing.T) {
+	fakeVaultServer := newFakeVaultServer()
+	fakeVaultServer.CertAuthResponseCode = 200
+	fakeVaultServer.CertAuthResponse = []byte(testCertAuthResponse)
+	fakeVaultServer.CreateKeyResponseCode = 500
+	fakeVaultServer.CreateKeyResponse = []byte("test error")
+
+	s, addr, err := fakeVaultServer.NewTLSServer()
+	require.NoError(t, err)
+
+	s.Start()
+	defer s.Close()
+
+	retry := 0 // Disable retry
+	cp := &ClientParams{
+		MaxRetries:     &retry,
+		VaultAddr:      fmt.Sprintf("https://%v/", addr),
+		CACertPath:     testRootCert,
+		ClientCertPath: testClientCert,
+		ClientKeyPath:  testClientKey,
+	}
+
+	cc, err := NewClientConfig(cp, hclog.Default())
+	require.NoError(t, err)
+
+	renewCh := make(chan struct{})
+	client, err := cc.NewAuthenticatedClient(CERT, renewCh)
+	require.NoError(t, err)
+
+	err = client.CreateKey(context.Background(), "x509-CA-A", TransitKeyTypeRSA2048)
+	spiretest.RequireGRPCStatusHasPrefix(t, err, codes.Internal, "failed to create transit engine key: Error making API request.")
+}
+
 // TODO: Test GetKey
 // TODO: Test SignData
 
diff --git a/pkg/server/plugin/keymanager/hashicorpvault/vault_fake_test.go b/pkg/server/plugin/keymanager/hashicorpvault/vault_fake_test.go
@@ -13,6 +13,7 @@ const (
 	defaultK8sAuthEndpoint     = "/v1/auth/kubernetes/login"
 	defaultRenewEndpoint       = "/v1/auth/token/renew-self"
 	defaultLookupSelfEndpoint  = "/v1/auth/token/lookup-self"
+	defaultCreateKeyEndpoint   = "/v1/transit/keys/x509-CA-A"
 
 	listenAddr = "127.0.0.1:0"
 )
@@ -292,6 +293,10 @@ type FakeVaultServerConfig struct {
 	LookupSelfReqHandler     func(code int, resp []byte) func(w http.ResponseWriter, r *http.Request)
 	LookupSelfResponseCode   int
 	LookupSelfResponse       []byte
+	CreateKeyReqEndpoint     string
+	CreateKeyReqHandler      func(code int, resp []byte) func(http.ResponseWriter, *http.Request)
+	CreateKeyResponseCode    int
+	CreateKeyResponse        []byte
 }
 
 // NewFakeVaultServerConfig returns VaultServerConfig with default values
@@ -308,6 +313,8 @@ func NewFakeVaultServerConfig() *FakeVaultServerConfig {
 		RenewReqHandler:        defaultReqHandler,
 		LookupSelfReqEndpoint:  defaultLookupSelfEndpoint,
 		LookupSelfReqHandler:   defaultReqHandler,
+		CreateKeyReqEndpoint:   defaultCreateKeyEndpoint,
+		CreateKeyReqHandler:    defaultReqHandler,
 	}
 }
 
@@ -339,6 +346,7 @@ func (v *FakeVaultServerConfig) NewTLSServer() (srv *httptest.Server, addr strin
 	mux.HandleFunc(v.K8sAuthReqEndpoint, v.AppRoleAuthReqHandler(v.K8sAuthResponseCode, v.K8sAuthResponse))
 	mux.HandleFunc(v.RenewReqEndpoint, v.RenewReqHandler(v.RenewResponseCode, v.RenewResponse))
 	mux.HandleFunc(v.LookupSelfReqEndpoint, v.LookupSelfReqHandler(v.LookupSelfResponseCode, v.LookupSelfResponse))
+	mux.HandleFunc(v.CreateKeyReqEndpoint, v.CreateKeyReqHandler(v.CreateKeyResponseCode, v.CreateKeyResponse))
 
 	srv = httptest.NewUnstartedServer(mux)
 	srv.Listener = l

Original file line number	Diff line number	Diff line change
`@@ -372,9 +372,12 @@ func (c *Client) CreateKey(ctx context.Context, spireKeyID string, keyType Trans`
`372`	`372`	`"exportable": "false", // TODO: Maybe make this configurable`
`373`	`373`	`}`
`374`	`374`
`375`		`- // TODO: Handle errors here such as key already exists`
`376`	`375`	`_, err := c.vaultClient.Logical().WriteWithContext(ctx, fmt.Sprintf("/%s/keys/%s", c.clientParams.TransitEnginePath, spireKeyID), arguments)`
`377`		`- return err`
	`376`	`+ if err != nil {`
	`377`	`+ return status.Errorf(codes.Internal, "failed to create transit engine key: %v", err)`
	`378`	`+ }`
	`379`	`+`
	`380`	`+ return nil`
`378`	`381`	`}`
`379`	`382`
`380`	`383`	`// GetKey gets the transit engine key with the specified spire key id.`