feat: completed certificate auth tests

Signed-off-by: Kai Fink <kai.fink@yahoo.de>

Author: 4ch3los

go.mod

@@ -114,6 +114,7 @@ require (
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fatih/color v1.16.0 // indirect
+	github.com/fatih/structs v1.1.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/gammazero/deque v0.2.1 // indirect
@@ -183,6 +184,7 @@ require (
 	github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0 // indirect
 	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 // indirect
 	github.com/hashicorp/go-secure-stdlib/mlock v0.1.3 // indirect
+	github.com/hashicorp/go-secure-stdlib/nonceutil v0.1.0 // indirect
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 // indirect
 	github.com/hashicorp/go-secure-stdlib/password v0.1.1 // indirect
 	github.com/hashicorp/go-secure-stdlib/plugincontainer v0.3.0 // indirect
@@ -194,6 +196,7 @@ require (
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/hashicorp/hcp-sdk-go v0.75.0 // indirect
 	github.com/hashicorp/mdns v1.0.4 // indirect

go.sum

@@ -867,6 +867,8 @@ github.com/hashicorp/vault-testing-stepwise v0.1.4 h1:Lsv1KdpQyjhvmLgKeH65FG5MmY
 github.com/hashicorp/vault-testing-stepwise v0.1.4/go.mod h1:Ym1T/kMM2sT6qgCIIJ3an7uaSWCJ8O7ohsWB9UiB5tI=
 github.com/hashicorp/vault/api v1.12.0 h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1lDLJ4=
 github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
+github.com/hashicorp/vault/api/auth/userpass v0.1.0 h1:C6OdAYczMbzd1Pe1LLf2SHDulxOq/iybWV3kbgV/PS4=
+github.com/hashicorp/vault/api/auth/userpass v0.1.0/go.mod h1:0orUbtkEwbEPmaQ+wvfrOddGBimLJnuN8A/J0PNfBks=
 github.com/hashicorp/vault/sdk v0.12.0 h1:c2WeMWtF08zKQmrJya7paM4IVnsXIXF5UlhQTBdwZwQ=
 github.com/hashicorp/vault/sdk v0.12.0/go.mod h1:2kN1F5owc/Yh1OwL32GGnYrX9E3vFOIKA/cGJxCNQ30=
 github.com/hashicorp/vic v1.5.1-0.20190403131502-bbfe86ec9443 h1:O/pT5C1Q3mVXMyuqg7yuAWUg/jMZR1/0QTzTRdNR6Uw=

pkg/auth/vault/certificate.go

@@ -64,15 +64,15 @@ func (a *CertificateAuth) Authenticate(vaultClient *api.Client) error {
 
 	apiClientConfig := vaultClient.CloneConfig()
 
-	tlsConfig := &api.TLSConfig{
+	/*tlsConfig := &api.TLSConfig{
 		ClientKey:  tempKey.Name(),
 		ClientCert: tempCrt.Name(),
 	}
 
 	err = apiClientConfig.ConfigureTLS(tlsConfig)
 	if err != nil {
 		return err
-	}
+	}*/
 
 	certVaultClient, err := api.NewClient(apiClientConfig)
 
@@ -81,6 +81,8 @@ func (a *CertificateAuth) Authenticate(vaultClient *api.Client) error {
 	}
 
 	utils.VerboseToStdErr("Hashicorp Vault authenticating with certificate")
+
+	certVaultClient.ClearToken()
 	data, err := certVaultClient.Logical().Write(fmt.Sprintf("%s/login", a.MountPath), payload)
 	if err != nil {
 		return err

pkg/auth/vault/certificate_test.go

@@ -10,10 +10,10 @@ import (
 )
 
 func TestCertificateLogin(t *testing.T) {
-	cluster, cert, key := helpers.CreateTestCertificateVault(t)
+	cluster, _, _ := helpers.CreateTestCertificateVault(t)
 	defer cluster.Cleanup()
 
-	certificateAuth := vault.NewCertificateAuth(cert, key, "")
+	certificateAuth := vault.NewCertificateAuth("", "", "")
 
 	err := certificateAuth.Authenticate(cluster.Cores[0].Client)
 	if err != nil {

pkg/helpers/test_helpers.go

@@ -1,20 +1,27 @@
 package helpers
 
 import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
 	"fmt"
-	"net"
-	"strconv"
-	"testing"
-
 	"github.com/hashicorp/go-hclog"
 	kv "github.com/hashicorp/vault-plugin-secrets-kv"
 	"github.com/hashicorp/vault/api"
 	credAppRole "github.com/hashicorp/vault/builtin/credential/approle"
 	credCert "github.com/hashicorp/vault/builtin/credential/cert"
 	credUserPass "github.com/hashicorp/vault/builtin/credential/userpass"
+	"github.com/hashicorp/vault/builtin/logical/pki"
 	"github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/vault"
+	"math/big"
+	"net"
+	"strconv"
+	"testing"
+	"time"
 )
 
 // Test Constants
@@ -302,7 +309,8 @@ func CreateTestCertificateVault(t *testing.T) (*vault.TestCluster, string, strin
 
 	coreConfig := &vault.CoreConfig{
 		LogicalBackends: map[string]logical.Factory{
-			"kv": kv.Factory,
+			"kv":  kv.Factory,
+			"pki": pki.Factory,
 		},
 		CredentialBackends: map[string]logical.Factory{
 			"cert": credCert.Factory,
@@ -333,8 +341,17 @@ func CreateTestCertificateVault(t *testing.T) (*vault.TestCluster, string, strin
 		t.Fatal(err)
 	}
 
+	write, err := client.Logical().Write("auth/cert/certs/vault-cert", map[string]interface{}{
+		"display_name": "vault-cert",
+		"policies":     "cert-kv,cert-secret",
+		"certificate":  string(cluster.CACertPEM),
+	})
+	if err != nil && write == nil {
+		return nil, "", ""
+	}
+
 	// Create Policy for secret/foo
-	err := client.Sys().PutPolicy("cert-secret", "path \"secret/*\" { capabilities = [\"read\",\"list\"] }")
+	err = client.Sys().PutPolicy("cert-secret", "path \"secret/*\" { capabilities = [\"read\",\"list\"] }")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -345,15 +362,6 @@ func CreateTestCertificateVault(t *testing.T) (*vault.TestCluster, string, strin
 		t.Fatal(err)
 	}
 
-	_, err = client.Logical().Write("auth/approle/role/role1", map[string]interface{}{
-		"bind_secret_id": "true",
-		"period":         "300",
-		"policies":       "cert-secret, cert-kv",
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
 	_, err = client.Logical().Write("secret/testing", map[string]interface{}{
 		"name":              "test-name",
 		"namespace":         "test-namespace",
@@ -463,19 +471,49 @@ func CreateTestCertificateVault(t *testing.T) (*vault.TestCluster, string, strin
 		t.Fatal(err)
 	}
 
-	secret, err := client.Logical().Write("auth/approle/role/role1/secret-id", nil)
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		t.Fatal(err)
 	}
-	secretID := secret.Data["secret_id"].(string)
+	privateKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
+	})
 
-	secret, err = client.Logical().Read("auth/approle/role/role1/role-id")
+	csrTemplate := x509.CertificateRequest{
+		Subject: pkix.Name{
+			CommonName:   "vault-cert",
+			Organization: []string{"Client Org"},
+		},
+	}
+	csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, key)
 	if err != nil {
 		t.Fatal(err)
 	}
-	roleID := secret.Data["role_id"].(string)
 
-	return cluster, roleID, secretID
+	csr, err := x509.ParseCertificateRequest(csrBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	clientCertTemplate := x509.Certificate{
+		SerialNumber: big.NewInt(1234567890), // Eine eindeutige Seriennummer
+		Subject:      csr.Subject,
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().Add(365 * 24 * time.Hour), // 1 Jahr Gültigkeit
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+	}
+	clientCertBytes, err := x509.CreateCertificate(rand.Reader, &clientCertTemplate, cluster.CACert, csr.PublicKey, cluster.CAKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	clientCertPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: clientCertBytes,
+	})
+	return cluster, string(clientCertPEM), string(privateKeyPEM)
 }
 
 // CreateTestGithubVault initializes a new test vault with AppRole and Kv v2