From ce325ecf9e6cef2dcf51f183fed9f22a1c990303 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hiram=20J=2E=20P=C3=A9rez?=
Date: Wed, 9 Jul 2025 19:33:27 -0600
Subject: [PATCH 1/3] fix: Add namespace support for AppRole auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Hiram J. Pérez
---
 src/auth/VaultAppRoleAuth.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/auth/VaultAppRoleAuth.js b/src/auth/VaultAppRoleAuth.js
index 00fc781..d9cf277 100644
--- a/src/auth/VaultAppRoleAuth.js
+++ b/src/auth/VaultAppRoleAuth.js
@@ -16,6 +16,7 @@ class VaultAppRoleAuth extends VaultBaseAuth {
 this.__roleId = config.role_id;
 this.__secretId = config.secret_id;
+ this.__namespace = config.namespace;
 }
 _authenticate() {
@@ -23,10 +24,16 @@ class VaultAppRoleAuth extends VaultBaseAuth {
 'making authentication request: role_id=%s',
 this.__roleId
 );
+
+ const headers = {};
+ if (this.__namespace) {
+ headers['X-Vault-Namespace'] = this.__namespace;
+ }
+
 return this.__apiClient.makeRequest('POST', `/auth/${this._mount}/login`, {
 role_id: this.__roleId,
 secret_id: this.__secretId,
- }).then(res => {
+ }, headers).then(res => {
 this._log.debug(
 'receive token: %s',
 res.auth.client_token
From 4cc5b4f634e1871ac28f5d03737eee48c3588df6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hiram=20J=2E=20P=C3=A9rez?=
Date: Thu, 17 Jul 2025 17:31:22 -0600
Subject: [PATCH 2/3] test: add AppRole unit tests for namespace support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Hiram J. Pérez
---
 test/auth.appRole.test.js | 101 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 test/auth.appRole.test.js

diff --git a/test/auth.appRole.test.js b/test/auth.appRole.test.js
new file mode 100644
index 0000000..4bec17a
--- /dev/null
+++ b/test/auth.appRole.test.js
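Review bot: In the constructor hunk of src/auth/VaultAppRoleAuth.js (PATCH 1/3), `config.namespace` is stored with no type or format check, and `_authenticate()` later copies it into the `X-Vault-Namespace` header whenever it is truthy. A non-string value from a mis-parsed config (an object, an array, a number) would be handed to the HTTP layer as a header value, and the failure would surface only at login time rather than at construction. Validating once where the value is assigned keeps the failure early and local, for example `if (config.namespace != null && typeof config.namespace !== 'string') { throw new TypeError('namespace must be a string'); }`. The constructor starts above the hunk, so any validation of `config` done earlier or in the base class is not visible here.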
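Review bot: In the `_authenticate()` hunk of src/auth/VaultAppRoleAuth.js (PATCH 1/3), the `X-Vault-Namespace` header is attached to the login request only, and nothing visible shows later requests made with the issued token carrying the same namespace. If the token-entity lookup or a renewal goes through `makeRequest` without it, those calls may be evaluated against a different namespace than the one that issued the token, so that path is worth confirming and covering with a test that does not stub the follow-up call. Separately, the unchanged context at the end of the hunk writes `res.auth.client_token` to the debug log; since this change already touches that promise chain, it is a good moment to keep the credential out of logs, e.g. `this._log.debug('received token for role_id=%s', this.__roleId);`. The body of `_authenticate()` continues past the end of the hunk.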
@@ -0,0 +1,101 @@
+"use strict";
+
+require("co-mocha");
+
+const _ = require("lodash");
+const sinon = require("sinon");
+const chai = require("chai");
+const expect = chai.expect;
+chai.use(require("sinon-chai"));
+
+const VaultApiClient = require("../src/VaultApiClient");
+const VaultAppRoleAuth = require("../src/auth/VaultAppRoleAuth");
+const errors = require("../src/errors");
+
+const logger = _.fromPairs(
+ _.map(["error", "warn", "info", "debug", "trace"], (prop) => [prop, _.noop]),
+);
+
+describe("AppRole auth backend", function () {
+ function base64decode(str) {
+ return Buffer.from(str, "base64").toString();
+ }
+
+ function getAuthorizationHeaderRegExp(awsAccessKey) {
+ return new RegExp(
+ `^AWS4-HMAC-SHA256\\sCredential=${awsAccessKey}.+Signature=\\w+$`,
+ );
+ }
+
+ /**
+ * @returns {VaultApiClient}
+ */
+ function getApiStub() {
+ return sinon.createStubInstance(VaultApiClient);
+ }
+
+ describe("Vault Request", function () {
+ const mount = "approle";
+
+ it("Should make a correct vault login request with namespace", async () => {
+ const api = getApiStub();
+
+ const auth = new VaultAppRoleAuth(
+ api,
+ logger,
+ {
+ role_id: "role123",
+ secret_id: "secret456",
+ namespace: "ns1",
+ },
+ mount,
+ );
+
+ api.makeRequest
+ .withArgs("POST")
+ .resolves({ auth: { client_token: "fake_token" } });
+ sinon.stub(auth, "_getTokenEntity");
+
+ await auth._authenticate();
+
+ expect(
+ api.makeRequest.calledWith(
+ "POST",
+ "/auth/approle/login",
+ { role_id: "role123", secret_id: "secret456" },
+ { "X-Vault-Namespace": "ns1" },
+ ),
+ ).to.be.true;
+ });
+
+ it("Should not set namespace header if not provided", async () => {
+ const api = getApiStub();
+
+ const auth = new VaultAppRoleAuth(
+ api,
+ logger,
+ {
+ role_id: "role123",
+ secret_id: "secret456",
+ },
+ mount,
+ );
+
+ api.makeRequest
+ .withArgs("POST")
+ .resolves({ auth: { client_token: "fake_token" } });
+ sinon.stub(auth, "_getTokenEntity");
+
+ await auth._authenticate();
+
+ expect(
+ api.makeRequest.calledWith(
+ "POST",
+ "/auth/approle/login",
+ { role_id: "role123", secret_id: "secret456" },
+ {},
+ ),
+ ).to.be.true;
+ });
+ });
+});
From 1aca7f16b03a750d9d8cd0476d5e478055f0864d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hiram=20J=2E=20P=C3=A9rez?=
Date: Thu, 17 Jul 2025 17:34:57 -0600
Subject: [PATCH 3/3] test: remove unused helpers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Hiram J. Pérez
---
 test/auth.appRole.test.js | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/test/auth.appRole.test.js b/test/auth.appRole.test.js
index 4bec17a..7d9bd85 100644
--- a/test/auth.appRole.test.js
+++ b/test/auth.appRole.test.js
@@ -17,16 +17,6 @@ const logger = _.fromPairs(
 );

 describe("AppRole auth backend", function () {
- function base64decode(str) {
- return Buffer.from(str, "base64").toString();
- }
-
- function getAuthorizationHeaderRegExp(awsAccessKey) {
- return new RegExp(
- `^AWS4-HMAC-SHA256\\sCredential=${awsAccessKey}.+Signature=\\w+$`,
- );
- }
-
 /**
 * @returns {VaultApiClient}
 */
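Review bot: Both cases added in test/auth.appRole.test.js (PATCH 2/3) assert with `expect(api.makeRequest.calledWith(...)).to.be.true`, which on failure reports only that `false` was not `true` and says nothing about which header was actually sent. sinon-chai is already registered at the top of the file, so `expect(api.makeRequest).to.have.been.calledWithExactly("POST", "/auth/approle/login", { role_id: "role123", secret_id: "secret456" }, {});` would print the recorded arguments and also fail if an extra argument appears. A case with `namespace: ""` would pin the truthiness check in `_authenticate()`, and because `_getTokenEntity` is stubbed in both tests, nothing here covers whether requests after login carry the namespace. The `errors` import is unused, and PATCH 3/3 removes the helper functions but leaves it in place.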