PG-1607 Run our test suite for Vault with HTTPS

Since the dev mode of Vault supports generating HTTPs ceritficates we should just use that since in production everyone will use HTTPS we should run our tests with HTTPS too.
4 months ago · 2272e9df41
parent fb83aa1ab9
commit 2272e9df41
3 changed files with 32 additions and 16 deletions
--- a/ci_scripts/setup-keyring-servers.sh
+++ b/ci_scripts/setup-keyring-servers.sh
@ -17,12 +17,14 @@ cd ..
 echo $SCRIPT_DIR
 pykmip-server -f "$SCRIPT_DIR/../contrib/pg_tde/pykmip-server.conf" -l /tmp/kmip-server.log &

-TV=$(mktemp)
-{ exec >$TV; vault server -dev; } &
+CLUSTER_INFO=$(mktemp)
+vault server -dev -dev-tls -dev-cluster-json="$CLUSTER_INFO" > /dev/null &
 sleep 10
-export ROOT_TOKEN_FILE=$(mktemp)
-cat $TV | grep "Root Token" | cut -d ":" -f 2 | xargs echo -n > $ROOT_TOKEN_FILE
-echo "export ROOT_TOKEN_FILE=$ROOT_TOKEN_FILE"
+export VAULT_ROOT_TOKEN_FILE=$(mktemp)
+jq -r .root_token "$CLUSTER_INFO" > "$VAULT_ROOT_TOKEN_FILE"
+export VAULT_CACERT_FILE=$(jq -r .ca_cert_path "$CLUSTER_INFO")
+rm "$CLUSTER_INFO"
 if [ -v GITHUB_ACTIONS ]; then
-    echo "ROOT_TOKEN_FILE=$ROOT_TOKEN_FILE" >> $GITHUB_ENV
+    echo "VAULT_ROOT_TOKEN_FILE=$VAULT_ROOT_TOKEN_FILE" >> $GITHUB_ENV
+    echo "VAULT_CACERT_FILE=$VAULT_CACERT_FILE" >> $GITHUB_ENV
 fi
--- a/contrib/pg_tde/expected/vault_v2_test.out
+++ b/contrib/pg_tde/expected/vault_v2_test.out
@ -1,6 +1,7 @@
 CREATE EXTENSION IF NOT EXISTS pg_tde;
-\getenv root_token_file ROOT_TOKEN_FILE
-SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token_file','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
+\getenv root_token_file VAULT_ROOT_TOKEN_FILE
+\getenv cacert_file VAULT_CACERT_FILE
+SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token_file','https://127.0.0.1:8200','DUMMY-TOKEN',:'cacert_file');
 pg_tde_add_database_key_provider_vault_v2 
 -------------------------------------------
 
@ -16,7 +17,7 @@ CREATE TABLE test_enc(
 	) USING tde_heap;
 ERROR:  principal key not configured
 HINT:  create one using pg_tde_set_key before using encrypted tables
-SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token_file','http://127.0.0.1:8200','secret',NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token_file','https://127.0.0.1:8200','secret',:'cacert_file');
 pg_tde_add_database_key_provider_vault_v2 
 -------------------------------------------
 
@ -52,9 +53,15 @@ SELECT pg_tde_verify_key();

 DROP TABLE test_enc;
 -- Creating provider fails if we can't connect to vault
-SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token_file', 'http://127.0.0.1:61', 'secret', NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token_file', 'https://127.0.0.1:61', 'secret', :'cacert_file');
 ERROR:  HTTP(S) request to keyring provider "will-not-work" failed
 -- Changing provider fails if we can't connect to vault
-SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'http://127.0.0.1:61', 'secret', NULL);
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'https://127.0.0.1:61', 'secret', :'cacert_file');
 ERROR:  HTTP(S) request to keyring provider "vault-v2" failed
+-- HTTPS without cert fails
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'https://127.0.0.1:8200', 'secret', NULL);
+ERROR:  HTTP(S) request to keyring provider "vault-v2" failed
+-- HTTP against HTTPS server fails
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'http://127.0.0.1:8200', 'secret', NULL);
+ERROR:  Listing secrets of "http://127.0.0.1:8200" at mountpoint "secret" failed
 DROP EXTENSION pg_tde;
--- a/contrib/pg_tde/sql/vault_v2_test.sql
+++ b/contrib/pg_tde/sql/vault_v2_test.sql
@ -1,8 +1,9 @@
 CREATE EXTENSION IF NOT EXISTS pg_tde;

-\getenv root_token_file ROOT_TOKEN_FILE
+\getenv root_token_file VAULT_ROOT_TOKEN_FILE
+\getenv cacert_file VAULT_CACERT_FILE

-SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token_file','http://127.0.0.1:8200','DUMMY-TOKEN',NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('vault-incorrect',:'root_token_file','https://127.0.0.1:8200','DUMMY-TOKEN',:'cacert_file');
 -- FAILS
 SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key','vault-incorrect');

@ -12,7 +13,7 @@ CREATE TABLE test_enc(
 	  PRIMARY KEY (id)
 	) USING tde_heap;

-SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token_file','http://127.0.0.1:8200','secret',NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('vault-v2',:'root_token_file','https://127.0.0.1:8200','secret',:'cacert_file');
 SELECT pg_tde_set_key_using_database_key_provider('vault-v2-key','vault-v2');

 CREATE TABLE test_enc(
@ -32,9 +33,15 @@ SELECT pg_tde_verify_key();
 DROP TABLE test_enc;

 -- Creating provider fails if we can't connect to vault
-SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token_file', 'http://127.0.0.1:61', 'secret', NULL);
+SELECT pg_tde_add_database_key_provider_vault_v2('will-not-work', :'root_token_file', 'https://127.0.0.1:61', 'secret', :'cacert_file');

 -- Changing provider fails if we can't connect to vault
-SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'http://127.0.0.1:61', 'secret', NULL);
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'https://127.0.0.1:61', 'secret', :'cacert_file');
+
+-- HTTPS without cert fails
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'https://127.0.0.1:8200', 'secret', NULL);
+
+-- HTTP against HTTPS server fails
+SELECT pg_tde_change_database_key_provider_vault_v2('vault-v2', :'root_token_file', 'http://127.0.0.1:8200', 'secret', NULL);

 DROP EXTENSION pg_tde;