open-vault/http/sys_rekey_test.go

package http

import (
	"encoding/hex"
	"net/http"
	"reflect"
	"testing"

	"github.com/hashicorp/vault/vault"
)

func TestSysRekeyInit_Status(t *testing.T) {
	core, _, token := vault.TestCoreUnsealed(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()
	TestServerAuth(t, addr, token)

	resp, err := http.Get(addr + "/v1/sys/rekey/init")
	if err != nil {
		t.Fatalf("err: %s", err)
	}

	var actual map[string]interface{}
	expected := map[string]interface{}{
		"started":          false,
		"t":                float64(0),
		"n":                float64(0),
		"progress":         float64(0),
		"required":         float64(1),
		"pgp_fingerprints": interface{}(nil),
		"backup":           false,
		"nonce":            "",
	}
	testResponseStatus(t, resp, 200)
	testResponseBody(t, resp, &actual)
	if !reflect.DeepEqual(actual, expected) {
		t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
	}
}

func TestSysRekeyInit_Setup(t *testing.T) {
	core, _, token := vault.TestCoreUnsealed(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()
	TestServerAuth(t, addr, token)

	resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{
		"secret_shares":    5,
		"secret_threshold": 3,
	})
	testResponseStatus(t, resp, 200)

	var actual map[string]interface{}
	expected := map[string]interface{}{
		"started":          true,
		"t":                float64(3),
		"n":                float64(5),
		"progress":         float64(0),
		"required":         float64(1),
		"pgp_fingerprints": interface{}(nil),
		"backup":           false,
	}
	testResponseStatus(t, resp, 200)
	testResponseBody(t, resp, &actual)
	if actual["nonce"].(string) == "" {
		t.Fatalf("nonce was empty")
	}
	expected["nonce"] = actual["nonce"]
	if !reflect.DeepEqual(actual, expected) {
		t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
	}

	resp = testHttpGet(t, token, addr+"/v1/sys/rekey/init")

	actual = map[string]interface{}{}
	expected = map[string]interface{}{
		"started":          true,
		"t":                float64(3),
		"n":                float64(5),
		"progress":         float64(0),
		"required":         float64(1),
		"pgp_fingerprints": interface{}(nil),
		"backup":           false,
	}
	testResponseStatus(t, resp, 200)
	testResponseBody(t, resp, &actual)
	if actual["nonce"].(string) == "" {
		t.Fatalf("nonce was empty")
	}
	if actual["nonce"].(string) == "" {
		t.Fatalf("nonce was empty")
	}
	expected["nonce"] = actual["nonce"]
	if !reflect.DeepEqual(actual, expected) {
		t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
	}
}

func TestSysRekeyInit_Cancel(t *testing.T) {
	core, _, token := vault.TestCoreUnsealed(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()
	TestServerAuth(t, addr, token)

	resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{
		"secret_shares":    5,
		"secret_threshold": 3,
	})
	testResponseStatus(t, resp, 200)

	resp = testHttpDelete(t, token, addr+"/v1/sys/rekey/init")
	testResponseStatus(t, resp, 204)

	resp, err := http.Get(addr + "/v1/sys/rekey/init")
	if err != nil {
		t.Fatalf("err: %s", err)
	}

	var actual map[string]interface{}
	expected := map[string]interface{}{
		"started":          false,
		"t":                float64(0),
		"n":                float64(0),
		"progress":         float64(0),
		"required":         float64(1),
		"pgp_fingerprints": interface{}(nil),
		"backup":           false,
		"nonce":            "",
	}
	testResponseStatus(t, resp, 200)
	testResponseBody(t, resp, &actual)
	if !reflect.DeepEqual(actual, expected) {
		t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
	}
}

func TestSysRekey_badKey(t *testing.T) {
	core, _, token := vault.TestCoreUnsealed(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()
	TestServerAuth(t, addr, token)

	resp := testHttpPut(t, token, addr+"/v1/sys/rekey/update", map[string]interface{}{
		"key": "0123",
	})
	testResponseStatus(t, resp, 400)
}

func TestSysRekey_Update(t *testing.T) {
	core, master, token := vault.TestCoreUnsealed(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()
	TestServerAuth(t, addr, token)

	resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{
		"secret_shares":    5,
		"secret_threshold": 3,
	})
	var rekeyStatus map[string]interface{}
	testResponseStatus(t, resp, 200)
	testResponseBody(t, resp, &rekeyStatus)

	resp = testHttpPut(t, token, addr+"/v1/sys/rekey/update", map[string]interface{}{
		"nonce": rekeyStatus["nonce"].(string),
		"key":   hex.EncodeToString(master),
	})

	var actual map[string]interface{}
	expected := map[string]interface{}{
		"complete":         true,
		"nonce":            rekeyStatus["nonce"].(string),
		"backup":           false,
		"pgp_fingerprints": interface{}(nil),
	}
	testResponseStatus(t, resp, 200)
	testResponseBody(t, resp, &actual)

	keys := actual["keys"].([]interface{})
	if len(keys) != 5 {
		t.Fatalf("bad: %#v", keys)
	}

	delete(actual, "keys")
	if !reflect.DeepEqual(actual, expected) {
		t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
	}
}

func TestSysRekey_ReInitUpdate(t *testing.T) {
	core, master, token := vault.TestCoreUnsealed(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()
	TestServerAuth(t, addr, token)

	resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{
		"secret_shares":    5,
		"secret_threshold": 3,
	})
	testResponseStatus(t, resp, 200)

	resp = testHttpDelete(t, token, addr+"/v1/sys/rekey/init")
	testResponseStatus(t, resp, 204)

	resp = testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{
		"secret_shares":    5,
		"secret_threshold": 3,
	})
	testResponseStatus(t, resp, 200)

	resp = testHttpPut(t, token, addr+"/v1/sys/rekey/update", map[string]interface{}{
		"key": hex.EncodeToString(master),
	})

	testResponseStatus(t, resp, 400)
}
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`package http`

			`import (`
			`"encoding/hex"`
			`"net/http"`
			`"reflect"`
			`"testing"`

			`"github.com/hashicorp/vault/vault"`
			`)`

			`func TestSysRekeyInit_Status(t *testing.T) {`
			`core, _, token := vault.TestCoreUnsealed(t)`
			`ln, addr := TestServer(t, core)`
			`defer ln.Close()`
			`TestServerAuth(t, addr, token)`

			`resp, err := http.Get(addr + "/v1/sys/rekey/init")`
			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`

			`var actual map[string]interface{}`
			`expected := map[string]interface{}{`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`"started": false,`
			`"t": float64(0),`
			`"n": float64(0),`
			`"progress": float64(0),`
			`"required": float64(1),`
			`"pgp_fingerprints": interface{}(nil),`
			`"backup": false,`
Verify that nonces are non-empty in tests 2016-02-12 20:35:26 +00:00			`"nonce": "",`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &actual)`
			`if !reflect.DeepEqual(actual, expected) {`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`
			`}`

			`func TestSysRekeyInit_Setup(t *testing.T) {`
			`core, _, token := vault.TestCoreUnsealed(t)`
			`ln, addr := TestServer(t, core)`
			`defer ln.Close()`
			`TestServerAuth(t, addr, token)`

Remove cookie authentication. 2015-08-22 00:36:19 +00:00			`resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`"secret_shares": 5,`
			`"secret_threshold": 3,`
			`})`
Return status for rekey/root generation at init time. This mitigates a (very unlikely) potential timing attack between init-ing and fetching status. Fixes #1054 2016-02-12 19:24:36 +00:00			`testResponseStatus(t, resp, 200)`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00
			`var actual map[string]interface{}`
			`expected := map[string]interface{}{`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`"started": true,`
			`"t": float64(3),`
			`"n": float64(5),`
			`"progress": float64(0),`
			`"required": float64(1),`
			`"pgp_fingerprints": interface{}(nil),`
			`"backup": false,`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &actual)`
Verify that nonces are non-empty in tests 2016-02-12 20:35:26 +00:00			`if actual["nonce"].(string) == "" {`
			`t.Fatalf("nonce was empty")`
			`}`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`expected["nonce"] = actual["nonce"]`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`if !reflect.DeepEqual(actual, expected) {`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`
Return status for rekey/root generation at init time. This mitigates a (very unlikely) potential timing attack between init-ing and fetching status. Fixes #1054 2016-02-12 19:24:36 +00:00
			`resp = testHttpGet(t, token, addr+"/v1/sys/rekey/init")`

			`actual = map[string]interface{}{}`
			`expected = map[string]interface{}{`
			`"started": true,`
			`"t": float64(3),`
			`"n": float64(5),`
			`"progress": float64(0),`
			`"required": float64(1),`
			`"pgp_fingerprints": interface{}(nil),`
			`"backup": false,`
			`}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &actual)`
Verify that nonces are non-empty in tests 2016-02-12 20:35:26 +00:00			`if actual["nonce"].(string) == "" {`
			`t.Fatalf("nonce was empty")`
			`}`
			`if actual["nonce"].(string) == "" {`
			`t.Fatalf("nonce was empty")`
			`}`
Return status for rekey/root generation at init time. This mitigates a (very unlikely) potential timing attack between init-ing and fetching status. Fixes #1054 2016-02-12 19:24:36 +00:00			`expected["nonce"] = actual["nonce"]`
			`if !reflect.DeepEqual(actual, expected) {`
			`t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)`
			`}`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`

			`func TestSysRekeyInit_Cancel(t *testing.T) {`
			`core, _, token := vault.TestCoreUnsealed(t)`
			`ln, addr := TestServer(t, core)`
			`defer ln.Close()`
			`TestServerAuth(t, addr, token)`

Remove cookie authentication. 2015-08-22 00:36:19 +00:00			`resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`"secret_shares": 5,`
			`"secret_threshold": 3,`
			`})`
Return status for rekey/root generation at init time. This mitigates a (very unlikely) potential timing attack between init-ing and fetching status. Fixes #1054 2016-02-12 19:24:36 +00:00			`testResponseStatus(t, resp, 200)`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00
Remove cookie authentication. 2015-08-22 00:36:19 +00:00			`resp = testHttpDelete(t, token, addr+"/v1/sys/rekey/init")`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`testResponseStatus(t, resp, 204)`

			`resp, err := http.Get(addr + "/v1/sys/rekey/init")`
			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`

			`var actual map[string]interface{}`
			`expected := map[string]interface{}{`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`"started": false,`
			`"t": float64(0),`
			`"n": float64(0),`
			`"progress": float64(0),`
			`"required": float64(1),`
			`"pgp_fingerprints": interface{}(nil),`
			`"backup": false,`
Verify that nonces are non-empty in tests 2016-02-12 20:35:26 +00:00			`"nonce": "",`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &actual)`
			`if !reflect.DeepEqual(actual, expected) {`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`
			`}`

			`func TestSysRekey_badKey(t *testing.T) {`
			`core, _, token := vault.TestCoreUnsealed(t)`
			`ln, addr := TestServer(t, core)`
			`defer ln.Close()`
			`TestServerAuth(t, addr, token)`

Remove cookie authentication. 2015-08-22 00:36:19 +00:00			`resp := testHttpPut(t, token, addr+"/v1/sys/rekey/update", map[string]interface{}{`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`"key": "0123",`
			`})`
			`testResponseStatus(t, resp, 400)`
			`}`

			`func TestSysRekey_Update(t *testing.T) {`
			`core, master, token := vault.TestCoreUnsealed(t)`
			`ln, addr := TestServer(t, core)`
			`defer ln.Close()`
			`TestServerAuth(t, addr, token)`

Remove cookie authentication. 2015-08-22 00:36:19 +00:00			`resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`"secret_shares": 5,`
			`"secret_threshold": 3,`
			`})`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`var rekeyStatus map[string]interface{}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &rekeyStatus)`

Remove cookie authentication. 2015-08-22 00:36:19 +00:00			`resp = testHttpPut(t, token, addr+"/v1/sys/rekey/update", map[string]interface{}{`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`"nonce": rekeyStatus["nonce"].(string),`
			`"key": hex.EncodeToString(master),`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`})`

			`var actual map[string]interface{}`
			`expected := map[string]interface{}{`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`"complete": true,`
			`"nonce": rekeyStatus["nonce"].(string),`
			`"backup": false,`
			`"pgp_fingerprints": interface{}(nil),`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &actual)`

			`keys := actual["keys"].([]interface{})`
			`if len(keys) != 5 {`
			`t.Fatalf("bad: %#v", keys)`
			`}`

			`delete(actual, "keys")`
			`if !reflect.DeepEqual(actual, expected) {`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)`
http: adding rekey handlers 2015-05-28 21:28:50 +00:00			`}`
			`}`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00
			`func TestSysRekey_ReInitUpdate(t *testing.T) {`
			`core, master, token := vault.TestCoreUnsealed(t)`
			`ln, addr := TestServer(t, core)`
			`defer ln.Close()`
			`TestServerAuth(t, addr, token)`

			`resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{`
			`"secret_shares": 5,`
			`"secret_threshold": 3,`
			`})`
Return status for rekey/root generation at init time. This mitigates a (very unlikely) potential timing attack between init-ing and fetching status. Fixes #1054 2016-02-12 19:24:36 +00:00			`testResponseStatus(t, resp, 200)`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00
			`resp = testHttpDelete(t, token, addr+"/v1/sys/rekey/init")`
			`testResponseStatus(t, resp, 204)`

			`resp = testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{`
			`"secret_shares": 5,`
			`"secret_threshold": 3,`
			`})`
Return status for rekey/root generation at init time. This mitigates a (very unlikely) potential timing attack between init-ing and fetching status. Fixes #1054 2016-02-12 19:24:36 +00:00			`testResponseStatus(t, resp, 200)`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00
			`resp = testHttpPut(t, token, addr+"/v1/sys/rekey/update", map[string]interface{}{`
			`"key": hex.EncodeToString(master),`
			`})`

			`testResponseStatus(t, resp, 400)`
			`}`