wip: Dynamic Creds tests

hashicorp · Aug 21, 2023 · 11e7deb · 11e7deb
1 parent d970294
commit 11e7deb
Show file tree

Hide file tree

Showing 2 changed files with 105 additions and 1 deletion.
diff --git a/plugin/service/storage/plugin.go b/plugin/service/storage/plugin.go
@@ -174,7 +174,17 @@ func (p *StoragePlugin) OnUpdateStorageBucket(ctx context.Context, req *pb.OnUpd
 		}
 	}
 
-	credentialType := cred.GetCredentialType(credState.CredentialsConfig.AccessKey)
+	awsCfg, err := credState.CredentialsConfig.GenerateCredentialChain(ctx)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to generate aws credential chain: %s", err)
+	}
+
+	awsCredentials, err := awsCfg.Credentials.Retrieve(ctx)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to retrieve aws credentials: %s", err)
+	}
+
+	credentialType := cred.GetCredentialType(awsCredentials.AccessKeyID)
 	switch credentialType {
 	case cred.Static:
 		// This is a validate check to make sure that we aren't disabling

diff --git a/plugin/service/storage/plugin_test.go b/plugin/service/storage/plugin_test.go
@@ -849,6 +849,100 @@ func TestStoragePlugin_OnUpdateStorageBucket(t *testing.T) {
 	}
 }
 
+func TestStoragePlugin_OnUpdateStorageBucket_DynamicCredentials(t *testing.T) {
+	cases := []struct {
+		name                string
+		req                 *pb.OnUpdateStorageBucketRequest
+		credOpts            []credential.AwsCredentialPersistedStateOption
+		storageOpts         []awsStoragePersistedStateOption
+		expectedErrContains string
+		expectedErrCode     codes.Code
+	}{
+		{
+			name: "attempt to enable credential rotation",
+			req: &pb.OnUpdateStorageBucketRequest{
+				CurrentBucket: &storagebuckets.StorageBucket{
+					Attributes: &structpb.Struct{
+						Fields: map[string]*structpb.Value{
+							credential.ConstRegion:                    structpb.NewStringValue("us-west-2"),
+							credential.ConstDisableCredentialRotation: structpb.NewBoolValue(true),
+							credential.ConstRoleArn:                   structpb.NewStringValue("arn:aws:iam::123456789012:role/S3Access"),
+							credential.ConstRoleExternalId:            structpb.NewStringValue("1234567890"),
+							credential.ConstRoleSessionName:           structpb.NewStringValue("ec2-assume-role-provider"),
+							credential.ConstRoleTags: structpb.NewStructValue(&structpb.Struct{
+								Fields: map[string]*structpb.Value{
+									"foo": structpb.NewStringValue("bar"),
+								},
+							}),
+						},
+					},
+				},
+				NewBucket: &storagebuckets.StorageBucket{
+					BucketName: "foo",
+					Attributes: &structpb.Struct{
+						Fields: map[string]*structpb.Value{
+							credential.ConstRegion:                    structpb.NewStringValue("us-west-2"),
+							credential.ConstDisableCredentialRotation: structpb.NewBoolValue(false),
+							credential.ConstRoleArn:                   structpb.NewStringValue("arn:aws:iam::123456789012:role/S3Access"),
+							credential.ConstRoleExternalId:            structpb.NewStringValue("1234567890"),
+							credential.ConstRoleSessionName:           structpb.NewStringValue("ec2-assume-role-provider"),
+							credential.ConstRoleTags: structpb.NewStructValue(&structpb.Struct{
+								Fields: map[string]*structpb.Value{
+									"foo": structpb.NewStringValue("bar"),
+								},
+							}),
+						},
+					},
+				},
+				Persisted: &storagebuckets.StorageBucketPersisted{
+					Data: credential.MockAssumeRoleAttributes("us-west-2", false),
+				},
+			},
+			credOpts: []credential.AwsCredentialPersistedStateOption{
+				credential.WithStateTestOpts([]awsutilv2.Option{
+					awsutilv2.WithCredentialsProvider(
+						awsutilv2.NewMockCredentialsProvider(
+							awsutilv2.WithCredentials(
+								aws.Credentials{
+									AccessKeyID:     "ASIA_one",
+									SecretAccessKey: "secret_key_123",
+									SessionToken:    "session_token_123",
+									CanExpire:       true,
+									Expires:         time.Now().Add(time.Hour * 2),
+								},
+							),
+						),
+					),
+				}),
+			},
+			expectedErrContains: "cannot enable credential rotation for dynamic credential type",
+			expectedErrCode:     codes.InvalidArgument,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(t.Name(), func(t *testing.T) {
+			require := require.New(t)
+			p := &StoragePlugin{
+				testCredStateOpts:    tc.credOpts,
+				testStorageStateOpts: tc.storageOpts,
+			}
+
+			fmt.Println("Test cred opts", p.testCredStateOpts[0])
+			resp, err := p.OnUpdateStorageBucket(context.Background(), tc.req)
+			if tc.expectedErrContains != "" {
+				require.Contains(err.Error(), tc.expectedErrContains)
+				require.Equal(status.Code(err).String(), tc.expectedErrCode.String())
+				return
+			}
+			require.NoError(err)
+			require.NotNil(resp)
+			require.NotNil(resp.GetPersisted())
+			require.NotNil(resp.GetPersisted().GetData())
+		})
+	}
+}
+
 func TestStoragePlugin_OnDeleteStorageBucket(t *testing.T) {
 	cases := []struct {
 		name                string