Merge pull request #1668 from amartinezfayo/vault-fail-multi-auths

Upstream Authority "vault" Plugin: fail if multiple auth methods are configured
spiffe · Jun 19, 2020 · 65ed6b8 · 65ed6b8
2 parents 446a71f + 15b854f
commit 65ed6b8
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 23 deletions.
diff --git a/pkg/server/plugin/upstreamauthority/vault/vault.go b/pkg/server/plugin/upstreamauthority/vault/vault.go
@@ -194,19 +194,37 @@ func makeError(code codes.Code, format string, args ...interface{}) error {
 }
 
 func parseAuthMethod(config *PluginConfig) (AuthMethod, error) {
+	var authMethod AuthMethod
 	if config.TokenAuth != nil {
-		return TOKEN, nil
+		authMethod = TOKEN
 	}
 	if config.CertAuth != nil {
-		return CERT, nil
+		if err := checkForAuthMethodConfigured(authMethod); err != nil {
+			return 0, err
+		}
+		authMethod = CERT
 	}
 	if config.AppRoleAuth != nil {
-		return APPROLE, nil
+		if err := checkForAuthMethodConfigured(authMethod); err != nil {
+			return 0, err
+		}
+		authMethod = APPROLE
+	}
+
+	if authMethod != 0 {
+		return authMethod, nil
 	}
 
 	return 0, errors.New("must be configured one of these authentication method 'Token or Cert or AppRole'")
 }
 
+func checkForAuthMethodConfigured(authMethod AuthMethod) error {
+	if authMethod != 0 {
+		return errors.New("only one authentication method can be configured")
+	}
+	return nil
+}
+
 func genClientParams(method AuthMethod, config *PluginConfig) *ClientParams {
 	cp := &ClientParams{
 		VaultAddr:     getEnvOrDefault(envVaultAddr, config.VaultAddr),

diff --git a/pkg/server/plugin/upstreamauthority/vault/vault_fake_test.go b/pkg/server/plugin/upstreamauthority/vault/vault_fake_test.go
@@ -69,6 +69,18 @@ approle_auth {
    approle_auth_mount_point = "test-approle-auth"
 }`
 
+	testMultipleAuthConfigsTpl = `
+vault_addr  = "{{ .Addr }}"
+pki_mount_point = "test-pki"
+ca_cert_path = "_test_data/keys/EC/root_cert.pem"
+cert_auth {}
+token_auth {}
+approle_auth {
+	approle_auth_mount_point = "test-approle-auth"
+	approle_id = "test-approle-id"
+	approle_secret_id  = "test-approle-secret-id"
+}`
+
 	testCertAuthResponse = `{
   "auth": {
     "client_token": "cf95f87d-f95b-47ff-b1f5-ba7bff850425",

diff --git a/pkg/server/plugin/upstreamauthority/vault/vault_test.go b/pkg/server/plugin/upstreamauthority/vault/vault_test.go
@@ -52,9 +52,10 @@ func (vps *VaultPluginSuite) Test_Configure() {
 	s.Start()
 	defer s.Close()
 
-	cases := []struct {
+	for _, c := range []struct {
 		name       string
 		configTmpl string
+		err        string
 		envKeyVal  map[string]string
 	}{
 		{
@@ -92,25 +93,33 @@ func (vps *VaultPluginSuite) Test_Configure() {
 				"VAULT_APPROLE_SECRET_ID": "test-approle-secret-id",
 			},
 		},
-	}
-
-	for _, c := range cases {
-		for k, v := range c.envKeyVal {
-			os.Setenv(k, v)
-		}
-
-		p := vps.newPlugin()
-
-		req := vps.getTestConfigureRequest(fmt.Sprintf("https://%v/", addr), c.configTmpl)
-
-		ctx := context.Background()
-		_, err = p.Configure(ctx, req)
-		vps.Require().NoError(err)
-		vps.Require().NotNil(p.vc.vaultClient.Token())
-
-		for k := range c.envKeyVal {
-			os.Unsetenv(k)
-		}
+		{
+			name:       "Multiple authentication methods configured",
+			configTmpl: testMultipleAuthConfigsTpl,
+			err:        "only one authentication method can be configured",
+		},
+	} {
+		c := c
+		vps.Run(c.name, func() {
+			defer func() {
+				for k := range c.envKeyVal {
+					os.Unsetenv(k)
+				}
+			}()
+			for k, v := range c.envKeyVal {
+				os.Setenv(k, v)
+			}
+
+			p := vps.newPlugin()
+			req := vps.getTestConfigureRequest(fmt.Sprintf("https://%v/", addr), c.configTmpl)
+			ctx := context.Background()
+			_, err = p.Configure(ctx, req)
+			if c.err != "" {
+				vps.Require().EqualError(err, c.err)
+				return
+			}
+			vps.Require().NotNil(p.vc.vaultClient.Token())
+		})
 	}
 }