deb.open-vault/http/sys_init_test.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package http

import (
	"encoding/hex"
	"net/http"
	"reflect"
	"strconv"
	"testing"

	"github.com/hashicorp/go-hclog"
	"github.com/hashicorp/vault/builtin/logical/transit"
	"github.com/hashicorp/vault/sdk/helper/logging"
	"github.com/hashicorp/vault/sdk/logical"
	"github.com/hashicorp/vault/vault"
	"github.com/hashicorp/vault/vault/seal"
)

func TestSysInit_get(t *testing.T) {
	core := vault.TestCore(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()

	{
		// Pre-init
		resp, err := http.Get(addr + "/v1/sys/init")
		if err != nil {
			t.Fatalf("err: %s", err)
		}

		var actual map[string]interface{}
		expected := map[string]interface{}{
			"initialized": false,
		}
		testResponseStatus(t, resp, 200)
		testResponseBody(t, resp, &actual)
		if !reflect.DeepEqual(actual, expected) {
			t.Fatalf("bad: %#v", actual)
		}
	}

	vault.TestCoreInit(t, core)

	{
		// Post-init
		resp, err := http.Get(addr + "/v1/sys/init")
		if err != nil {
			t.Fatalf("err: %s", err)
		}

		var actual map[string]interface{}
		expected := map[string]interface{}{
			"initialized": true,
		}
		testResponseStatus(t, resp, 200)
		testResponseBody(t, resp, &actual)
		if !reflect.DeepEqual(actual, expected) {
			t.Fatalf("bad: %#v", actual)
		}
	}
}

// Test to check if the API errors out when wrong number of PGP keys are
// supplied
func TestSysInit_pgpKeysEntries(t *testing.T) {
	core := vault.TestCore(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()

	resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{
		"secret_shares":    5,
		"secret_threshold": 3,
		"pgp_keys":         []string{"pgpkey1"},
	})
	testResponseStatus(t, resp, 400)
}

// Test to check if the API errors out when wrong number of PGP keys are
// supplied for recovery config
func TestSysInit_pgpKeysEntriesForRecovery(t *testing.T) {
	core := vault.TestCoreNewSeal(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()

	resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{
		"secret_shares":      1,
		"secret_threshold":   1,
		"stored_shares":      1,
		"recovery_shares":    5,
		"recovery_threshold": 3,
		"recovery_pgp_keys":  []string{"pgpkey1"},
	})
	testResponseStatus(t, resp, 400)
}

func TestSysInit_put(t *testing.T) {
	core := vault.TestCore(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()

	resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{
		"secret_shares":    5,
		"secret_threshold": 3,
	})

	var actual map[string]interface{}
	testResponseStatus(t, resp, 200)
	testResponseBody(t, resp, &actual)
	keysRaw, ok := actual["keys"]
	if !ok {
		t.Fatalf("no keys: %#v", actual)
	}

	if _, ok := actual["root_token"]; !ok {
		t.Fatal("no root token")
	}

	for _, key := range keysRaw.([]interface{}) {
		keySlice, err := hex.DecodeString(key.(string))
		if err != nil {
			t.Fatalf("bad: %s", err)
		}

		if _, err := core.Unseal(keySlice); err != nil {
			t.Fatalf("bad: %s", err)
		}
	}

	if core.Sealed() {
		t.Fatal("should not be sealed")
	}
}

func TestSysInit_Put_ValidateParams(t *testing.T) {
	core := vault.TestCore(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()

	resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{
		"secret_shares":      5,
		"secret_threshold":   3,
		"recovery_shares":    5,
		"recovery_threshold": 3,
	})
	testResponseStatus(t, resp, http.StatusBadRequest)
	body := map[string][]string{}
	testResponseBody(t, resp, &body)
	if body["errors"][0] != "parameters recovery_shares,recovery_threshold not applicable to seal type shamir" {
		t.Fatal(body)
	}
}

func TestSysInit_Put_ValidateParams_AutoUnseal(t *testing.T) {
	testSeal, _ := seal.NewTestSeal(&seal.TestSealOpts{Name: "transit"})
	autoSeal, err := vault.NewAutoSeal(testSeal)
	if err != nil {
		t.Fatal(err)
	}

	// Create the transit server.
	conf := &vault.CoreConfig{
		LogicalBackends: map[string]logical.Factory{
			"transit": transit.Factory,
		},
		Seal: autoSeal,
	}
	opts := &vault.TestClusterOptions{
		NumCores:    1,
		HandlerFunc: Handler,
		Logger:      logging.NewVaultLogger(hclog.Trace).Named(t.Name()).Named("transit-seal" + strconv.Itoa(0)),
	}
	cluster := vault.NewTestCluster(t, conf, opts)
	cluster.Start()
	defer cluster.Cleanup()

	cores := cluster.Cores
	core := cores[0].Core

	ln, addr := TestServer(t, core)
	defer ln.Close()

	resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{
		"secret_shares":      5,
		"secret_threshold":   3,
		"recovery_shares":    5,
		"recovery_threshold": 3,
	})
	testResponseStatus(t, resp, http.StatusBadRequest)
	body := map[string][]string{}
	testResponseBody(t, resp, &body)
	if body["errors"][0] != "parameters secret_shares,secret_threshold not applicable to seal type transit" {
		t.Fatal(body)
	}
}
New upstream version 1.14.8 2024-04-20 12:23:50 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

			`package http`

			`import (`
			`"encoding/hex"`
			`"net/http"`
			`"reflect"`
			`"strconv"`
			`"testing"`

			`"github.com/hashicorp/go-hclog"`
			`"github.com/hashicorp/vault/builtin/logical/transit"`
			`"github.com/hashicorp/vault/sdk/helper/logging"`
			`"github.com/hashicorp/vault/sdk/logical"`
			`"github.com/hashicorp/vault/vault"`
			`"github.com/hashicorp/vault/vault/seal"`
			`)`

			`func TestSysInit_get(t *testing.T) {`
			`core := vault.TestCore(t)`
			`ln, addr := TestServer(t, core)`
			`defer ln.Close()`

			`{`
			`// Pre-init`
			`resp, err := http.Get(addr + "/v1/sys/init")`
			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`

			`var actual map[string]interface{}`
			`expected := map[string]interface{}{`
			`"initialized": false,`
			`}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &actual)`
			`if !reflect.DeepEqual(actual, expected) {`
			`t.Fatalf("bad: %#v", actual)`
			`}`
			`}`

			`vault.TestCoreInit(t, core)`

			`{`
			`// Post-init`
			`resp, err := http.Get(addr + "/v1/sys/init")`
			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`

			`var actual map[string]interface{}`
			`expected := map[string]interface{}{`
			`"initialized": true,`
			`}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &actual)`
			`if !reflect.DeepEqual(actual, expected) {`
			`t.Fatalf("bad: %#v", actual)`
			`}`
			`}`
			`}`

			`// Test to check if the API errors out when wrong number of PGP keys are`
			`// supplied`
			`func TestSysInit_pgpKeysEntries(t *testing.T) {`
			`core := vault.TestCore(t)`
			`ln, addr := TestServer(t, core)`
			`defer ln.Close()`

			`resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{`
			`"secret_shares": 5,`
			`"secret_threshold": 3,`
			`"pgp_keys": []string{"pgpkey1"},`
			`})`
			`testResponseStatus(t, resp, 400)`
			`}`

			`// Test to check if the API errors out when wrong number of PGP keys are`
			`// supplied for recovery config`
			`func TestSysInit_pgpKeysEntriesForRecovery(t *testing.T) {`
			`core := vault.TestCoreNewSeal(t)`
			`ln, addr := TestServer(t, core)`
			`defer ln.Close()`

			`resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{`
			`"secret_shares": 1,`
			`"secret_threshold": 1,`
			`"stored_shares": 1,`
			`"recovery_shares": 5,`
			`"recovery_threshold": 3,`
			`"recovery_pgp_keys": []string{"pgpkey1"},`
			`})`
			`testResponseStatus(t, resp, 400)`
			`}`

			`func TestSysInit_put(t *testing.T) {`
			`core := vault.TestCore(t)`
			`ln, addr := TestServer(t, core)`
			`defer ln.Close()`

			`resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{`
			`"secret_shares": 5,`
			`"secret_threshold": 3,`
			`})`

			`var actual map[string]interface{}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &actual)`
			`keysRaw, ok := actual["keys"]`
			`if !ok {`
			`t.Fatalf("no keys: %#v", actual)`
			`}`

			`if _, ok := actual["root_token"]; !ok {`
			`t.Fatal("no root token")`
			`}`

			`for _, key := range keysRaw.([]interface{}) {`
			`keySlice, err := hex.DecodeString(key.(string))`
			`if err != nil {`
			`t.Fatalf("bad: %s", err)`
			`}`

			`if _, err := core.Unseal(keySlice); err != nil {`
			`t.Fatalf("bad: %s", err)`
			`}`
			`}`

			`if core.Sealed() {`
			`t.Fatal("should not be sealed")`
			`}`
			`}`

			`func TestSysInit_Put_ValidateParams(t *testing.T) {`
			`core := vault.TestCore(t)`
			`ln, addr := TestServer(t, core)`
			`defer ln.Close()`

			`resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{`
			`"secret_shares": 5,`
			`"secret_threshold": 3,`
			`"recovery_shares": 5,`
			`"recovery_threshold": 3,`
			`})`
			`testResponseStatus(t, resp, http.StatusBadRequest)`
			`body := map[string][]string{}`
			`testResponseBody(t, resp, &body)`
			`if body["errors"][0] != "parameters recovery_shares,recovery_threshold not applicable to seal type shamir" {`
			`t.Fatal(body)`
			`}`
			`}`

			`func TestSysInit_Put_ValidateParams_AutoUnseal(t *testing.T) {`
			`testSeal, _ := seal.NewTestSeal(&seal.TestSealOpts{Name: "transit"})`
			`autoSeal, err := vault.NewAutoSeal(testSeal)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`// Create the transit server.`
			`conf := &vault.CoreConfig{`
			`LogicalBackends: map[string]logical.Factory{`
			`"transit": transit.Factory,`
			`},`
			`Seal: autoSeal,`
			`}`
			`opts := &vault.TestClusterOptions{`
			`NumCores: 1,`
			`HandlerFunc: Handler,`
			`Logger: logging.NewVaultLogger(hclog.Trace).Named(t.Name()).Named("transit-seal" + strconv.Itoa(0)),`
			`}`
			`cluster := vault.NewTestCluster(t, conf, opts)`
			`cluster.Start()`
			`defer cluster.Cleanup()`

			`cores := cluster.Cores`
			`core := cores[0].Core`

			`ln, addr := TestServer(t, core)`
			`defer ln.Close()`

			`resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{`
			`"secret_shares": 5,`
			`"secret_threshold": 3,`
			`"recovery_shares": 5,`
			`"recovery_threshold": 3,`
			`})`
			`testResponseStatus(t, resp, http.StatusBadRequest)`
			`body := map[string][]string{}`
			`testResponseBody(t, resp, &body)`
			`if body["errors"][0] != "parameters secret_shares,secret_threshold not applicable to seal type transit" {`
			`t.Fatal(body)`
			`}`
			`}`