open-nomad/api/keyring_test.go

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

68 lines
1.6 KiB
Go
Raw Normal View History

2022-05-20 16:16:21 +00:00
package api
import (
"encoding/base64"
"math/rand"
"testing"
"github.com/stretchr/testify/require"
"github.com/hashicorp/nomad/api/internal/testutil"
)
func TestKeyring_CRUD(t *testing.T) {
testutil.Parallel(t)
c, s := makeClient(t, nil, nil)
defer s.Stop()
kr := c.Keyring()
// Create a key by requesting a rotation
key, wm, err := kr.Rotate(nil, nil)
require.NoError(t, err)
require.NotNil(t, key)
assertWriteMeta(t, wm)
// Read all the keys
keys, qm, err := kr.List(&QueryOptions{WaitIndex: key.CreateIndex})
require.NoError(t, err)
assertQueryMeta(t, qm)
require.Len(t, keys, 2)
2022-05-20 16:16:21 +00:00
// Write a new active key, forcing a rotation
id := "fd77c376-9785-4c80-8e62-4ec3ab5f8b9a"
buf := make([]byte, 32)
2022-05-20 16:16:21 +00:00
rand.Read(buf)
encodedKey := base64.StdEncoding.EncodeToString(buf)
2022-05-20 16:16:21 +00:00
wm, err = kr.Update(&RootKey{
Key: encodedKey,
2022-05-20 16:16:21 +00:00
Meta: &RootKeyMeta{
KeyID: id,
State: RootKeyStateActive,
Algorithm: EncryptionAlgorithmAES256GCM,
2022-05-20 16:16:21 +00:00
}}, nil)
require.NoError(t, err)
assertWriteMeta(t, wm)
// Delete the old key
wm, err = kr.Delete(&KeyringDeleteOptions{KeyID: keys[0].KeyID}, nil)
require.NoError(t, err)
assertWriteMeta(t, wm)
// Read all the keys back
keys, qm, err = kr.List(&QueryOptions{WaitIndex: key.CreateIndex})
require.NoError(t, err)
assertQueryMeta(t, qm)
require.Len(t, keys, 2)
for _, key := range keys {
if key.KeyID == id {
require.Equal(t, RootKeyState(RootKeyStateActive),
key.State, "new key should be active")
} else {
require.Equal(t, RootKeyState(RootKeyStateInactive),
key.State, "initial key should be inactive")
}
}
2022-05-20 16:16:21 +00:00
}