Affected by GO-2022-1021 and 15 other vulnerabilities

GO-2022-1021: HashiCorp Vault vulnerable to incorrect metadata access in github.com/hashicorp/vault

GO-2023-1685: HashiCorp Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File in github.com/hashicorp/vault

GO-2023-1708: HashiCorp Vault's PKI mount vulnerable to denial of service in github.com/hashicorp/vault

GO-2023-1849: Hashicorp Vault vulnerable to Cross-site Scripting in github.com/hashicorp/vault

GO-2023-1897: HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault

GO-2023-1900: Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation in github.com/hashicorp/vault

GO-2023-1986: HashiCorp Vault and Vault Enterprise vulnerable to user enumeration in github.com/hashicorp/vault

GO-2023-2063: HashiCorp Vault Improper Input Validation vulnerability in github.com/hashicorp/vault

GO-2023-2088: Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault

GO-2023-2329: HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault

GO-2024-2617: Authentication bypass in github.com/hashicorp/vault

GO-2024-2690: HashiCorpVault does not correctly validate OCSP responses in github.com/hashicorp/vault

GO-2024-2921: HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault

GO-2024-3162: Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault

GO-2024-3191: Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault

GO-2024-3246: Hashicorp Vault vulnerable to denial of service through memory exhaustion in github.com/hashicorp/vault

testing

package

v1.8.11 Latest Latest Go to latest Published: Apr 26, 2022 License: MPL-2.0 Imports: 11 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/hashicorp/vault

Links

Open Source Insights

README ¶

How to Test Manually

$ minikube start
In the Vault folder, $ make dev XC_ARCH=amd64 XC_OS=linux XC_OSARCH=linux/amd64
Create a file called vault-test.yaml with the following contents:

apiVersion: v1
kind: Pod
metadata:
  name: vault
spec:
  containers:
    - name: nginx
      image: nginx
      command: [ "sh", "-c"]
      args:
      - while true; do
          echo -en '\n';
          printenv VAULT_K8S_POD_NAME VAULT_K8S_NAMESPACE;
          sleep 10;
        done;
      env:
        - name: VAULT_K8S_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: VAULT_K8S_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
  restartPolicy: Never

Create the pod: $ kubectl apply -f vault-test.yaml
View the full initial state of the pod: $ kubectl get pod vault -o=yaml > initialstate.txt
Drop the Vault binary into the pod: $ kubectl cp bin/vault /vault:/
Drop to the shell within the pod: $ kubectl exec -it vault -- /bin/bash
Install a text editor: $ apt-get update, $ apt-get install nano
Write a test Vault config to vault.config like:

storage "inmem" {}
service_registration "kubernetes" {}
disable_mlock = true
ui = true
api_addr = "http://127.0.0.1:8200"
log_level = "debug"

Run Vault: $ ./vault server -config=vault.config -dev -dev-root-token-id=root
If 403's are received, you may need to grant RBAC, example here: https://github.com/fabric8io/fabric8/issues/6840#issuecomment-307560275
In a separate window outside the pod, view the resulting state of the pod: $ kubectl get pod vault -o=yaml > currentstate.txt
View the differences: $ diff initialstate.txt currentstate.txt

Documentation ¶

Index ¶

Constants
Variables
func Server(t *testing.T) (testState *State, testConf *Conf, closeFunc func())
type Conf
type State
- func (s *State) Get(key string) map[string]interface{}
- func (s *State) NumPatches() int

Constants ¶

View Source

const (
	ExpectedNamespace = "default"
	ExpectedPodName   = "shell-demo"
)

Variables ¶

View Source

var (
	// ReturnGatewayTimeouts toggles whether the test server should return,
	// well, gateway timeouts...
	ReturnGatewayTimeouts = atomic.NewBool(false)
)

Functions ¶

func Server ¶

func Server(t *testing.T) (testState *State, testConf *Conf, closeFunc func())

Server returns an http test server that can be used to test Kubernetes client code. It also retains the current state, and a func to close the server and to clean up any temporary files.

Types ¶

type Conf ¶

type Conf struct {
	ClientScheme, PathToTokenFile, PathToRootCAFile, ServiceHost, ServicePort string
}

Conf returns the info needed to configure the client to point at the test server. This must be done by the caller to avoid an import cycle between the client and the testserver. Example usage:

client.Scheme = testConf.ClientScheme
client.TokenFile = testConf.PathToTokenFile
client.RootCAFile = testConf.PathToRootCAFile
if err := os.Setenv(client.EnvVarKubernetesServiceHost, testConf.ServiceHost); err != nil {
	t.Fatal(err)
}
if err := os.Setenv(client.EnvVarKubernetesServicePort, testConf.ServicePort); err != nil {
	t.Fatal(err)
}

type State ¶

type State struct {
	// contains filtered or unexported fields
}

func (*State) Get ¶

func (s *State) Get(key string) map[string]interface{}

func (*State) NumPatches ¶

func (s *State) NumPatches() int

Source Files ¶

View all Source files

testserver.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL