auth_login: enforce empty client token (hashicorp#2029)

other fixes:
- parallelize AuthLogin tests
- ensure VAULT_TOKEN is not set from the test make targets

Author: benashz

Makefile

@@ -15,7 +15,7 @@ build: go-version-check fmtcheck
 	go install
 
 test: go-version-check fmtcheck
-	TF_ACC= go test $(TESTARGS) -timeout 10m $(TEST_PATH)
+	TF_ACC= VAULT_TOKEN= go test $(TESTARGS) -timeout 10m $(TEST_PATH)
 
 testacc: fmtcheck
 	TF_ACC=1 go test $(TESTARGS) -timeout 30m $(TEST_PATH)

internal/provider/auth.go

@@ -211,6 +211,10 @@ func (l *AuthLoginCommon) copyParamsExcluding(excludes ...string) (map[string]in
 }
 
 func (l *AuthLoginCommon) login(client *api.Client, path string, params map[string]interface{}) (*api.Secret, error) {
+	if client.Token() != "" {
+		return nil, fmt.Errorf("vault login client has a token set")
+	}
+
 	return client.Logical().Write(path, params)
 }
 

internal/provider/auth_aws_test.go

@@ -5,6 +5,7 @@ package provider
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"reflect"
@@ -286,9 +287,29 @@ func TestAuthLoginAWS_Login(t *testing.T) {
 			wantErr:   true,
 			expectErr: authLoginInitCheckError,
 		},
+		{
+			name: "error-vault-token-set",
+			authLogin: &AuthLoginAWS{
+				AuthLoginCommon{
+					authField: "baz",
+					mount:     "foo",
+					params: map[string]interface{}{
+						consts.FieldRole: "bob",
+					},
+					initialized: true,
+				},
+			},
+			handler: &testLoginHandler{
+				handlerFunc: handlerFunc,
+			},
+			token:     "foo",
+			wantErr:   true,
+			expectErr: errors.New("vault login client has a token set"),
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
 			testAuthLogin(t, tt)
 		})
 	}

internal/provider/auth_azure_test.go

@@ -5,6 +5,7 @@ package provider
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"testing"
@@ -240,6 +241,27 @@ func TestAuthLoginAzure_Login(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "error-vault-token-set",
+			authLogin: &AuthLoginAzure{
+				AuthLoginCommon: AuthLoginCommon{
+					authField: consts.FieldAuthLoginAzure,
+					params: map[string]interface{}{
+						consts.FieldRole:              "alice",
+						consts.FieldJWT:               "jwt1",
+						consts.FieldSubscriptionID:    "sub1",
+						consts.FieldResourceGroupName: "res1",
+						consts.FieldVMSSName:          "vmss1",
+					},
+					initialized: true,
+				},
+			},
+			handler: &testLoginHandler{
+				handlerFunc: handlerFunc,
+			},
+			wantErr:   true,
+			expectErr: errors.New("vault login client has a token set"),
+		},
 		{
 			name: "error-uninitialized",
 			authLogin: &AuthLoginAzure{
@@ -258,6 +280,7 @@ func TestAuthLoginAzure_Login(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
 			testAuthLogin(t, tt)
 		})
 	}

internal/provider/auth_cert_test.go

@@ -5,6 +5,7 @@ package provider
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"os"
@@ -294,6 +295,28 @@ func TestAuthLoginCert_Login(t *testing.T) {
 			tls:     true,
 			wantErr: false,
 		},
+		{
+			name: "error-vault-token-set",
+			authLogin: &AuthLoginCert{
+				AuthLoginCommon{
+					authField: "baz",
+					mount:     "qux",
+					params: map[string]interface{}{
+						consts.FieldName:          "bob",
+						consts.FieldCertFile:      certFile,
+						consts.FieldKeyFile:       keyFile,
+						consts.FieldSkipTLSVerify: true,
+					},
+					initialized: true,
+				},
+			},
+			handler: &testLoginHandler{
+				handlerFunc: handlerFunc,
+			},
+			token:     "foo",
+			wantErr:   true,
+			expectErr: errors.New("vault login client has a token set"),
+		},
 		{
 			name: "error-uninitialized",
 			authLogin: &AuthLoginCert{
@@ -312,6 +335,7 @@ func TestAuthLoginCert_Login(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
 			testAuthLogin(t, tt)
 		})
 	}

internal/provider/auth_gcp_test.go

@@ -5,6 +5,7 @@ package provider
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"os"
@@ -168,6 +169,42 @@ func TestAuthLoginGCP_Login(t *testing.T) {
 				testutil.SkipTestEnvUnset(t, consts.EnvVarGoogleApplicationCreds, envVarGCPServiceAccount)
 			},
 		},
+		{
+			name: "error-vault-token-set",
+			authLogin: &AuthLoginGCP{
+				AuthLoginCommon{
+					authField: "baz",
+					mount:     "qux",
+					params: map[string]interface{}{
+						consts.FieldRole:           "bob",
+						consts.FieldCredentials:    os.Getenv(consts.EnvVarGoogleApplicationCreds),
+						consts.FieldServiceAccount: os.Getenv(envVarGCPServiceAccount),
+					},
+					initialized: true,
+				},
+			},
+			handler: &testLoginHandler{
+				excludeParams: []string{consts.FieldJWT},
+				handlerFunc:   handlerFunc,
+			},
+			expectReqCount: 1,
+			expectReqPaths: []string{
+				"/v1/auth/qux/login",
+			},
+			expectReqParams: []map[string]interface{}{{
+				consts.FieldRole: "bob",
+			}},
+			want: &api.Secret{
+				Auth: &api.SecretAuth{
+					Metadata: map[string]string{
+						consts.FieldRole: "bob",
+					},
+				},
+			},
+			token:     "foo",
+			wantErr:   true,
+			expectErr: errors.New("vault login client has a token set"),
+		},
 		{
 			name: "no-jwt",
 			authLogin: &AuthLoginGCP{
@@ -201,6 +238,7 @@ func TestAuthLoginGCP_Login(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
 			testAuthLogin(t, tt)
 		})
 	}

internal/provider/auth_jwt_test.go

@@ -5,6 +5,7 @@ package provider
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"testing"
@@ -157,6 +158,25 @@ func TestAuthLoginJWT_Login(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "error-vault-token-set",
+			authLogin: &AuthLoginJWT{
+				AuthLoginCommon: AuthLoginCommon{
+					authField: consts.FieldAuthLoginJWT,
+					params: map[string]interface{}{
+						consts.FieldRole: "alice",
+						consts.FieldJWT:  "jwt1",
+					},
+					initialized: true,
+				},
+			},
+			handler: &testLoginHandler{
+				handlerFunc: handlerFunc,
+			},
+			token:     "foo",
+			wantErr:   true,
+			expectErr: errors.New("vault login client has a token set"),
+		},
 		{
 			name: "error-uninitialized",
 			authLogin: &AuthLoginJWT{
@@ -175,6 +195,7 @@ func TestAuthLoginJWT_Login(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
 			testAuthLogin(t, tt)
 		})
 	}

internal/provider/auth_kerberos_test.go

@@ -6,6 +6,7 @@ package provider
 import (
 	"encoding/base64"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"reflect"
@@ -221,9 +222,43 @@ func TestAuthLoginKerberos_Login(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "error-vault-token-set",
+			authLogin: &AuthLoginKerberos{
+				authHeaderFunc: getTestAuthHeaderFunc(&krbauth.LoginCfg{
+					Username:               "alice",
+					Service:                "service1",
+					Realm:                  "realm1",
+					KeytabPath:             "/etc/kerberos/keytab",
+					Krb5ConfPath:           "/etc/kerberos/krb5.conf",
+					DisableFASTNegotiation: true,
+					RemoveInstanceName:     false,
+				}),
+				AuthLoginCommon: AuthLoginCommon{
+					authField: consts.FieldAuthLoginKerberos,
+					params: map[string]interface{}{
+						consts.FieldUsername:               "alice",
+						consts.FieldService:                "service1",
+						consts.FieldRealm:                  "realm1",
+						consts.FieldKeytabPath:             "/etc/kerberos/keytab",
+						consts.FieldKRB5ConfPath:           "/etc/kerberos/krb5.conf",
+						consts.FieldDisableFastNegotiation: true,
+						consts.FieldRemoveInstanceName:     false,
+					},
+					initialized: true,
+				},
+			},
+			handler: &testLoginHandler{
+				handlerFunc: handlerFunc,
+			},
+			token:     "foo",
+			wantErr:   true,
+			expectErr: errors.New("vault login client has a token set"),
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
 			testAuthLogin(t, tt)
 		})
 	}

internal/provider/auth_oci_test.go

@@ -5,6 +5,7 @@ package provider
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"testing"
@@ -187,6 +188,25 @@ func TestAuthLoginOCI_Login(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "error-vault-token-set",
+			authLogin: &AuthLoginOCI{
+				AuthLoginCommon: AuthLoginCommon{
+					authField: consts.FieldAuthLoginOCI,
+					params: map[string]interface{}{
+						consts.FieldRole:     "alice",
+						consts.FieldAuthType: ociAuthTypeAPIKeys,
+					},
+					initialized: true,
+				},
+			},
+			handler: &testLoginHandler{
+				handlerFunc: handlerFunc,
+			},
+			token:     "foo",
+			wantErr:   true,
+			expectErr: errors.New("vault login client has a token set"),
+		},
 		{
 			name: "error-uninitialized",
 			authLogin: &AuthLoginOCI{
@@ -205,6 +225,7 @@ func TestAuthLoginOCI_Login(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
 			testAuthLogin(t, tt)
 		})
 	}

internal/provider/auth_oidc_test.go

@@ -5,6 +5,7 @@ package provider
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"reflect"
@@ -229,6 +230,25 @@ func TestAuthLoginOIDC_Login(t *testing.T) {
 	}
 
 	tests := []authLoginTest{
+		{
+			name: "error-vault-token-set",
+			authLogin: &AuthLoginOIDC{
+				AuthLoginCommon{
+					authField: "baz",
+					mount:     "foo",
+					params: map[string]interface{}{
+						consts.FieldRole: "bob",
+					},
+					initialized: true,
+				},
+			},
+			handler: &testLoginHandler{
+				handlerFunc: handlerFunc,
+			},
+			token:     "foo",
+			wantErr:   true,
+			expectErr: errors.New("vault login client has a token set"),
+		},
 		{
 			name: "error-uninitialized",
 			authLogin: &AuthLoginOIDC{
@@ -246,6 +266,7 @@ func TestAuthLoginOIDC_Login(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
 			testAuthLogin(t, tt)
 		})
 	}