Fix acceptance test to use identity doc and RSA sig

Acceptance tests were failing due to hashicorp#4014 so, as a workaround for now, passing in the identity document and the RSA signature rather than the PKCS7 document.
joelthompson · Feb 22, 2018 · c342691 · c342691
1 parent c109477
commit c342691
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 19 deletions.
diff --git a/builtin/credential/aws/backend_test.go b/builtin/credential/aws/backend_test.go
@@ -958,18 +958,29 @@ func TestBackend_PathBlacklistRoleTag(t *testing.T) {
 	}
 }
 
-// This is an acceptance test.
-// Requires the following env vars:
-// TEST_AWS_EC2_PKCS7
-// TEST_AWS_EC2_AMI_ID
-// TEST_AWS_EC2_ACCOUNT_ID
-// TEST_AWS_EC2_IAM_ROLE_ARN
-//
-// If the test is not being run on an EC2 instance that has access to
-// credentials using EC2RoleProvider, on top of the above vars, following
-// needs to be set:
-// TEST_AWS_SECRET_KEY
-// TEST_AWS_ACCESS_KEY
+/* This is an acceptance test.
+   Requires the following env vars:
+   TEST_AWS_EC2_IDENTITY_DOCUMENT
+   TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG
+   TEST_AWS_EC2_AMI_ID
+   TEST_AWS_EC2_ACCOUNT_ID
+   TEST_AWS_EC2_IAM_ROLE_ARN
+
+   If this is being run on an EC2 instance, you can set the environment vars using this bash snippet:
+
+   export TEST_AWS_EC2_IDENTITY_DOCUMENT=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | base64 -w 0)
+   export TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature | tr -d '\n')
+   export TEST_AWS_EC2_AMI_ID=$(curl -s http://169.254.169.254/latest/meta-data/ami-id)
+   export TEST_AWS_EC2_IAM_ROLE_ARN=$(aws iam get-role --role-name $(curl -q http://169.254.169.254/latest/meta-data/iam/security-credentials/ -S -s) --query Role.Arn --output text)
+   export TEST_AWS_EC2_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+   make testacc TEST=./builtin/credential/aws/
+
+   If the test is not being run on an EC2 instance that has access to
+   credentials using EC2RoleProvider, on top of the above vars, following
+   needs to be set:
+   TEST_AWS_SECRET_KEY
+   TEST_AWS_ACCESS_KEY
+*/
 func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.T) {
 	// This test case should be run only when certain env vars are set and
 	// executed as an acceptance test.
@@ -978,9 +989,13 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
 		return
 	}
 
-	pkcs7 := os.Getenv("TEST_AWS_EC2_PKCS7")
-	if pkcs7 == "" {
-		t.Fatalf("env var TEST_AWS_EC2_PKCS7 not set")
+	identityDoc := os.Getenv("TEST_AWS_EC2_IDENTITY_DOCUMENT")
+	if identityDoc == "" {
+		t.Fatalf("env var TEST_AWS_EC2_IDENTITY_DOCUMENT not set")
+	}
+	identityDocSig := os.Getenv("TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG")
+	if identityDoc == "" {
+		t.Fatalf("env var TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG not set")
 	}
 
 	amiID := os.Getenv("TEST_AWS_EC2_AMI_ID")
@@ -1044,8 +1059,9 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
 	}
 
 	loginInput := map[string]interface{}{
-		"pkcs7": pkcs7,
-		"nonce": "vault-client-nonce",
+		"identity":  identityDoc,
+		"signature": identityDocSig,
+		"nonce":     "vault-client-nonce",
 	}
 
 	// Perform the login operation with a AMI ID that is not matching

diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
@@ -330,8 +330,8 @@ func (b *backend) parseIdentityDocument(ctx context.Context, s logical.Storage,
 
 	// Verify extracts the authenticated attributes in the PKCS#7 signature, and verifies
 	// the authenticity of the content using 'dsa.PublicKey' embedded in the public certificate.
-	if pkcs7Data.Verify() != nil {
-		return nil, fmt.Errorf("failed to verify the signature")
+	if err = pkcs7Data.Verify(); err != nil {
+		return nil, fmt.Errorf("failed to verify the signature: %v", err)
 	}
 
 	// Check if the signature has content inside of it