Test vault client sign data function (spiffe#5058)

Signed-off-by: Matteo Kamm <[email protected]>

pkg/server/plugin/keymanager/hashicorpvault/vault_client.go

@@ -434,7 +434,6 @@ func (c *Client) SignData(ctx context.Context, spireKeyID string, data []byte, h
 		"prehashed":             "true",
 	}
 
-	// TODO: Handle errors here
 	sigResp, err := c.vaultClient.Logical().WriteWithContext(ctx, fmt.Sprintf("/%s/sign/%s/%s", c.clientParams.TransitEnginePath, spireKeyID, hashAlgo), body)
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "transit engine sign call failed: %v", err)

pkg/server/plugin/keymanager/hashicorpvault/vault_client_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/base64"
 	"fmt"
 	vapi "github.com/hashicorp/vault/api"
 	"net/http"
@@ -738,7 +739,74 @@ func TestGetKeyErrorFromEndpoint(t *testing.T) {
 	require.Empty(t, resp)
 }
 
-// TODO: Test SignData
+func TestSignData(t *testing.T) {
+	fakeVaultServer := newFakeVaultServer()
+	fakeVaultServer.CertAuthResponseCode = 200
+	fakeVaultServer.CertAuthResponse = []byte(testCertAuthResponse)
+	fakeVaultServer.SignDataResponseCode = 200
+	fakeVaultServer.SignDataResponse = []byte(testSignDataResponse)
+
+	s, addr, err := fakeVaultServer.NewTLSServer()
+	require.NoError(t, err)
+
+	s.Start()
+	defer s.Close()
+
+	cp := &ClientParams{
+		VaultAddr:      fmt.Sprintf("https://%v/", addr),
+		CACertPath:     testRootCert,
+		ClientCertPath: testClientCert,
+		ClientKeyPath:  testClientKey,
+	}
+
+	cc, err := NewClientConfig(cp, hclog.Default())
+	require.NoError(t, err)
+
+	renewCh := make(chan struct{})
+	client, err := cc.NewAuthenticatedClient(CERT, renewCh)
+	require.NoError(t, err)
+
+	resp, err := client.SignData(context.Background(), "x509-CA-A", []byte("foo"), TransitHashAlgorithmSHA256, TransitSignatureSignatureAlgorithmPKCS1v15)
+	require.NoError(t, err)
+
+	expected, err := base64.StdEncoding.DecodeString("MEQCIHw3maFgxsmzAUsUXnw2ahUgPcomjF8+XxflwH4CsouhAiAYL3RhWx8dP2ymm7hjSUvc9EQ8GPXmLrvgacqkEKQPGw==")
+	require.NoError(t, err)
+	require.Equal(t, expected, resp)
+}
+
+func TestSignDataErrorFromEndpoint(t *testing.T) {
+	fakeVaultServer := newFakeVaultServer()
+	fakeVaultServer.CertAuthResponseCode = 200
+	fakeVaultServer.CertAuthResponse = []byte(testCertAuthResponse)
+	fakeVaultServer.SignDataResponseCode = 500
+	fakeVaultServer.SignDataResponse = []byte("test error")
+
+	s, addr, err := fakeVaultServer.NewTLSServer()
+	require.NoError(t, err)
+
+	s.Start()
+	defer s.Close()
+
+	retry := 0 // Disable retry
+	cp := &ClientParams{
+		MaxRetries:     &retry,
+		VaultAddr:      fmt.Sprintf("https://%v/", addr),
+		CACertPath:     testRootCert,
+		ClientCertPath: testClientCert,
+		ClientKeyPath:  testClientKey,
+	}
+
+	cc, err := NewClientConfig(cp, hclog.Default())
+	require.NoError(t, err)
+
+	renewCh := make(chan struct{})
+	client, err := cc.NewAuthenticatedClient(CERT, renewCh)
+	require.NoError(t, err)
+
+	resp, err := client.SignData(context.Background(), "x509-CA-A", []byte("foo"), TransitHashAlgorithmSHA256, TransitSignatureSignatureAlgorithmPKCS1v15)
+	spiretest.RequireGRPCStatusHasPrefix(t, err, codes.Internal, "transit engine sign call failed: Error making API request.")
+	require.Empty(t, resp)
+}
 
 func newFakeVaultServer() *FakeVaultServerConfig {
 	fakeVaultServer := NewFakeVaultServerConfig()

pkg/server/plugin/keymanager/hashicorpvault/vault_fake_test.go

@@ -15,6 +15,7 @@ const (
 	defaultLookupSelfEndpoint  = "GET /v1/auth/token/lookup-self"
 	defaultCreateKeyEndpoint   = "PUT /v1/transit/keys/{id}"
 	defaultGetKeyEndpoint      = "GET /v1/transit/keys/{id}"
+	defaultSignDataEndpoint    = "PUT /v1/transit/sign/{id}/{algo}"
 
 	listenAddr = "127.0.0.1:0"
 )
@@ -303,6 +304,20 @@ var (
   "warnings": null,
   "auth": null
 }`
+	testSignDataResponse = `{
+  "request_id": "51bb98fa-8da3-8678-64e7-7220bc8b94a6",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "key_version": 1,
+    "signature": "vault:v1:MEQCIHw3maFgxsmzAUsUXnw2ahUgPcomjF8+XxflwH4CsouhAiAYL3RhWx8dP2ymm7hjSUvc9EQ8GPXmLrvgacqkEKQPGw=="
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+`
 )
 
 type FakeVaultServerConfig struct {
@@ -337,6 +352,10 @@ type FakeVaultServerConfig struct {
 	GetKeyReqHandler         func(code int, resp []byte) func(http.ResponseWriter, *http.Request)
 	GetKeyResponseCode       int
 	GetKeyResponse           []byte
+	SignDataReqEndpoint      string
+	SignDataReqHandler       func(code int, resp []byte) func(http.ResponseWriter, *http.Request)
+	SignDataResponseCode     int
+	SignDataResponse         []byte
 }
 
 // NewFakeVaultServerConfig returns VaultServerConfig with default values
@@ -357,6 +376,8 @@ func NewFakeVaultServerConfig() *FakeVaultServerConfig {
 		CreateKeyReqHandler:    defaultReqHandler,
 		GetKeyReqEndpoint:      defaultGetKeyEndpoint,
 		GetKeyReqHandler:       defaultReqHandler,
+		SignDataReqEndpoint:    defaultSignDataEndpoint,
+		SignDataReqHandler:     defaultReqHandler,
 	}
 }
 
@@ -390,6 +411,7 @@ func (v *FakeVaultServerConfig) NewTLSServer() (srv *httptest.Server, addr strin
 	mux.HandleFunc(v.LookupSelfReqEndpoint, v.LookupSelfReqHandler(v.LookupSelfResponseCode, v.LookupSelfResponse))
 	mux.HandleFunc(v.CreateKeyReqEndpoint, v.CreateKeyReqHandler(v.CreateKeyResponseCode, v.CreateKeyResponse))
 	mux.HandleFunc(v.GetKeyReqEndpoint, v.GetKeyReqHandler(v.GetKeyResponseCode, v.GetKeyResponse))
+	mux.HandleFunc(v.SignDataReqEndpoint, v.SignDataReqHandler(v.SignDataResponseCode, v.SignDataResponse))
 
 	srv = httptest.NewUnstartedServer(mux)
 	srv.Listener = l