From 1b3ad6521121d7834edb370a7ce914486b805a2f Mon Sep 17 00:00:00 2001
From: Raja Nadar
Date: Tue, 30 Aug 2016 00:34:20 -0700
Subject: [PATCH] token-capabilities-api hashicorp/vault#1171 and hashicorp/vault#1188
---
src/VaultSharp/IVaultClient.cs | 29 ++++++++++++
src/VaultSharp/VaultClient.cs | 47 +++++++++++++++++++
.../End2End/VaultClientEnd2EndTests.cs | 12 ++++-
3 files changed, 86 insertions(+), 2 deletions(-)
diff --git a/src/VaultSharp/IVaultClient.cs b/src/VaultSharp/IVaultClient.cs
index 26bbcb84..98599723 100644
--- a/src/VaultSharp/IVaultClient.cs
+++ b/src/VaultSharp/IVaultClient.cs
@@ -331,6 +331,35 @@ public interface IVaultClient
 ///
 Task DeletePolicyAsync(string policyName);
+ ///
+ /// Gets the capabilities of the token on the given path.
+ ///
+ /// [required]
+ /// Token for which capabilities are being queried.
+ /// [required]
+ /// Path on which the token's capabilities will be checked.
+ /// The list of capabilities.
+ Task> GetTokenCapabilitiesAsync(string token, string path);
+
+ ///
+ /// Gets the capabilities of client token on the given path.
+ /// Client token is the Vault token with which this API call is made.
+ ///
+ /// [required]
+ /// Path on which the token's capabilities will be checked.
+ /// The list of capabilities.
+ Task> GetCallingTokenCapabilitiesAsync(string path);
+
+ ///
+ /// Gets the capabilities of the token associated with an accessor, on the given path.
+ ///
+ /// [required]
+ /// Token accessor for which capabilities are being queried.
+ /// [required]
+ /// Path on which the token's capabilities will be checked.
+ /// The list of capabilities.
+ Task> GetTokenAccessorCapabilitiesAsync(string tokenAccessor, string path);
+
+ ///
+ /// Gets all the enabled audit backends.
+ ///
diff --git a/src/VaultSharp/VaultClient.cs b/src/VaultSharp/VaultClient.cs
index f91b3e88..9e4eb209 100644
--- a/src/VaultSharp/VaultClient.cs
+++ b/src/VaultSharp/VaultClient.cs
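Review bot: The new interface docs for GetTokenCapabilitiesAsync, GetCallingTokenCapabilitiesAsync and GetTokenAccessorCapabilitiesAsync do not say what the caller gets when Vault answers without a capabilities field; the implementation in VaultClient.cs returns an empty sequence in that case, and a caller that uses the result for an access decision should be told that rather than discover it. I would extend each returns line with `An empty sequence is returned when the response carries no capabilities.`. Since the `token` argument of GetTokenCapabilitiesAsync is itself a credential that is posted to Vault, a remarks note stating that the value is sent in the request body, and that the calling token presumably needs permission on the sys/capabilities endpoint (inferred from the path, not shown here), would also help API consumers handle it with the same care as their own client token.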
@@ -326,6 +326,53 @@ public async Task DeletePolicyAsync(string policyName)
 await MakeVaultApiRequest("sys/policy/" + policyName, HttpMethod.Delete).ConfigureAwait(continueOnCapturedContext: _continueAsyncTasksOnCapturedContext);
 }
+ public async Task> GetTokenCapabilitiesAsync(string token, string path)
+ {
+ Checker.NotNull(token, "token");
+ Checker.NotNull(path, "path");
+
+ var requestData = new {token = token, path = path};
+ var response = await MakeVaultApiRequest("sys/capabilities", HttpMethod.Post, requestData).ConfigureAwait(continueOnCapturedContext: _continueAsyncTasksOnCapturedContext);
+
+ if (response != null && response.capabilities != null)
+ {
+ return response.capabilities.ToObject>();
+ }
+
+ return Enumerable.Empty();
+ }
+
+ public async Task> GetCallingTokenCapabilitiesAsync(string path)
+ {
+ Checker.NotNull(path, "path");
+
+ var requestData = new { path = path };
+ var response = await MakeVaultApiRequest("sys/capabilities-self", HttpMethod.Post, requestData).ConfigureAwait(continueOnCapturedContext: _continueAsyncTasksOnCapturedContext);
+
+ if (response != null && response.capabilities != null)
+ {
+ return response.capabilities.ToObject>();
+ }
+
+ return Enumerable.Empty();
+ }
+
+ public async Task> GetTokenAccessorCapabilitiesAsync(string tokenAccessor, string path)
+ {
+ Checker.NotNull(tokenAccessor, "tokenAccessor");
+ Checker.NotNull(path, "path");
+
+ var requestData = new { accessor = tokenAccessor, path = path };
+ var response = await MakeVaultApiRequest("sys/capabilities-accessor", HttpMethod.Post, requestData).ConfigureAwait(continueOnCapturedContext: _continueAsyncTasksOnCapturedContext);
+
+ if (response != null && response.capabilities != null)
+ {
+ return response.capabilities.ToObject>();
+ }
+
+ return Enumerable.Empty();
+ }
+
+ public async Task> GetAllEnabledAuditBackendsAsync()
+ {
+ var response = await MakeVaultApiRequest>("sys/audit", HttpMethod.Get).ConfigureAwait(continueOnCapturedContext: 
_continueAsyncTasksOnCapturedContext);
diff --git a/test/VaultSharp.UnitTests/End2End/VaultClientEnd2EndTests.cs b/test/VaultSharp.UnitTests/End2End/VaultClientEnd2EndTests.cs
index dc19aadf..03c8ba21 100644
--- a/test/VaultSharp.UnitTests/End2End/VaultClientEnd2EndTests.cs
+++ b/test/VaultSharp.UnitTests/End2End/VaultClientEnd2EndTests.cs
@@ -44,7 +44,8 @@ public async Task AllTests()
 // await GithubAuthenticationProviderTests();
 }
- await _authenticatedClient.StepDownActiveNodeAsync();
+ await TokenTests();
+ // await _authenticatedClient.StepDownActiveNodeAsync();
 await EncryptStrongTests();
 await MountedSecretBackendTests();
@@ -52,7 +53,6 @@ public async Task AllTests()
 await PoliciesTests();
 await AuditBackendsTests();
 await SecretTests();
- await TokenTests();
 await EncryptTests();
 await AppIdAuthenticationProviderTests();
 await UsernamePasswordAuthenticationProviderTests();
@@ -658,6 +658,14 @@ private async Task TokenTests()
 var secret1 = await _authenticatedClient.CreateTokenAsync();
 Assert.NotNull(secret1);
+ // capabilities.
+ var caps =
+ await _authenticatedClient.GetTokenCapabilitiesAsync(secret1.AuthorizationInfo.ClientToken, "sys");
+ Assert.NotNull(caps);
+
+ var caps2 = await _authenticatedClient.GetCallingTokenCapabilitiesAsync("sys");
+ Assert.NotNull(caps2);
+
 var secret2 = await _authenticatedClient.CreateTokenAsync(new TokenCreationOptions { NoParent = true });
 Assert.NotNull(secret2);
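Review bot: The three new methods in VaultClient.cs (GetTokenCapabilitiesAsync, GetCallingTokenCapabilitiesAsync, GetTokenAccessorCapabilitiesAsync) repeat the same post-and-unwrap sequence — request, null check on `response.capabilities`, `ToObject`, `Enumerable.Empty` fallback — and differ only in the endpoint and request body, so the fallback behaviour lives in three places and can drift the next time one of them is touched; a private helper taking the endpoint and request object keeps it in one. The `Checker.NotNull` guards also admit empty or whitespace-only `token`/`path` values, which only fail once the request reaches Vault; a `Checker.NotNullOrWhiteSpace`-style guard, if the project has one, or an explicit `string.IsNullOrWhiteSpace` check would surface that locally. Because `token` in GetTokenCapabilitiesAsync is a credential carried in the request body, the helper should keep the request object out of any exception message or trace it produces. The body of GetAllEnabledAuditBackendsAsync at the end of the hunk continues outside it.
```csharp
// Shared by the three capability queries: posts requestData to resourcePath and
// unwraps the "capabilities" field, falling back to an empty sequence when absent.
// requestData may contain a token; never include it in exception text or logs.
private async Task<IEnumerable<string>> GetCapabilitiesAsync(string resourcePath, object requestData)
{
    var response = await MakeVaultApiRequest(resourcePath, HttpMethod.Post, requestData).ConfigureAwait(continueOnCapturedContext: _continueAsyncTasksOnCapturedContext);

    if (response != null && response.capabilities != null)
    {
        return response.capabilities.ToObject<List<string>>();
    }

    return Enumerable.Empty<string>();
}

public async Task<IEnumerable<string>> GetTokenCapabilitiesAsync(string token, string path)
{
    Checker.NotNull(token, "token");
    Checker.NotNull(path, "path");

    return await GetCapabilitiesAsync("sys/capabilities", new { token = token, path = path }).ConfigureAwait(continueOnCapturedContext: _continueAsyncTasksOnCapturedContext);
}

// … unchanged shape: GetCallingTokenCapabilitiesAsync delegates with ("sys/capabilities-self", new { path = path }) …
// … unchanged shape: GetTokenAccessorCapabilitiesAsync delegates with ("sys/capabilities-accessor", new { accessor = tokenAccessor, path = path }) …
```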
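Review bot: Commenting out `await _authenticatedClient.StepDownActiveNodeAsync();` in AllTests leaves dead code and silently drops the step-down path from the end-to-end run without recording why, and the same hunk moves TokenTests ahead of it without explanation. Either delete the line or keep it with a one-line reason, e.g. `// StepDownActiveNodeAsync skipped: <reason the step-down cannot run here>`, so the next reader knows whether it is a temporary or permanent exclusion. AllTests starts and ends outside the hunk.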
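Review bot: `Assert.NotNull(caps)` and `Assert.NotNull(caps2)` in TokenTests cannot fail for these calls, because the client returns `Enumerable.Empty` rather than null when the response carries no capabilities, so the new checks do not verify that any capability was actually returned for "sys". Asserting on content, e.g. `Assert.NotEmpty(caps);` and `Assert.NotEmpty(caps2);` (xUnit's NotEmpty, or the equivalent in the framework in use), would exercise the unwrap path the commit adds. GetTokenAccessorCapabilitiesAsync is not covered at all; if the created secret exposes its accessor, a third call with it would complete the set. TokenTests continues outside the hunk.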