open-vault/command/init_test.go

package command

import (
	"os"
	"reflect"
	"regexp"
	"testing"

	"github.com/hashicorp/vault/helper/pgpkeys"
	"github.com/hashicorp/vault/http"
	"github.com/hashicorp/vault/meta"
	"github.com/hashicorp/vault/vault"
	"github.com/mitchellh/cli"
)

func TestInit(t *testing.T) {
	ui := new(cli.MockUi)
	c := &InitCommand{
		Meta: meta.Meta{
			Ui: ui,
		},
	}

	core := vault.TestCore(t)
	ln, addr := http.TestServer(t, core)
	defer ln.Close()

	init, err := core.Initialized()
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	if init {
		t.Fatal("should not be initialized")
	}

	args := []string{"-address", addr}
	if code := c.Run(args); code != 0 {
		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
	}

	init, err = core.Initialized()
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	if !init {
		t.Fatal("should be initialized")
	}

	sealConf, err := core.SealAccess().BarrierConfig()
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	expected := &vault.SealConfig{
		Type:            "shamir",
		SecretShares:    5,
		SecretThreshold: 3,
	}
	if !reflect.DeepEqual(expected, sealConf) {
		t.Fatalf("expected:\n%#v\ngot:\n%#v\n", expected, sealConf)
	}
}

func TestInit_Check(t *testing.T) {
	ui := new(cli.MockUi)
	c := &InitCommand{
		Meta: meta.Meta{
			Ui: ui,
		},
	}

	core := vault.TestCore(t)
	ln, addr := http.TestServer(t, core)
	defer ln.Close()

	// Should return 2, not initialized
	args := []string{"-address", addr, "-check"}
	if code := c.Run(args); code != 2 {
		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
	}

	// Now initialize it
	args = []string{"-address", addr}
	if code := c.Run(args); code != 0 {
		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
	}

	// Should return 0, initialized
	args = []string{"-address", addr, "-check"}
	if code := c.Run(args); code != 0 {
		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
	}

	init, err := core.Initialized()
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	if !init {
		t.Fatal("should be initialized")
	}
}

func TestInit_custom(t *testing.T) {
	ui := new(cli.MockUi)
	c := &InitCommand{
		Meta: meta.Meta{
			Ui: ui,
		},
	}

	core := vault.TestCore(t)
	ln, addr := http.TestServer(t, core)
	defer ln.Close()

	init, err := core.Initialized()
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	if init {
		t.Fatal("should not be initialized")
	}

	args := []string{
		"-address", addr,
		"-key-shares", "7",
		"-key-threshold", "3",
	}
	if code := c.Run(args); code != 0 {
		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
	}

	init, err = core.Initialized()
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	if !init {
		t.Fatal("should be initialized")
	}

	sealConf, err := core.SealAccess().BarrierConfig()
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	expected := &vault.SealConfig{
		Type:            "shamir",
		SecretShares:    7,
		SecretThreshold: 3,
	}
	if !reflect.DeepEqual(expected, sealConf) {
		t.Fatalf("expected:\n%#v\ngot:\n%#v\n", expected, sealConf)
	}
}

func TestInit_PGP(t *testing.T) {
	ui := new(cli.MockUi)
	c := &InitCommand{
		Meta: meta.Meta{
			Ui: ui,
		},
	}

	core := vault.TestCore(t)
	ln, addr := http.TestServer(t, core)
	defer ln.Close()

	init, err := core.Initialized()
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	if init {
		t.Fatal("should not be initialized")
	}

	tempDir, pubFiles, err := getPubKeyFiles(t)
	if err != nil {
		t.Fatal(err)
	}
	defer os.RemoveAll(tempDir)

	args := []string{
		"-address", addr,
		"-key-shares", "2",
		"-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2],
		"-key-threshold", "2",
	}

	// This should fail, as key-shares does not match pgp-keys size
	if code := c.Run(args); code == 0 {
		t.Fatalf("bad (command should have failed): %d\n\n%s", code, ui.ErrorWriter.String())
	}

	args = []string{
		"-address", addr,
		"-key-shares", "4",
		"-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2] + "," + pubFiles[3],
		"-key-threshold", "2",
	}

	ui.OutputWriter.Reset()

	if code := c.Run(args); code != 0 {
		t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
	}

	init, err = core.Initialized()
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	if !init {
		t.Fatal("should be initialized")
	}

	sealConf, err := core.SealAccess().BarrierConfig()
	if err != nil {
		t.Fatalf("err: %s", err)
	}

	pgpKeys := []string{}
	for _, pubFile := range pubFiles {
		pub, err := pgpkeys.ReadPGPFile(pubFile)
		if err != nil {
			t.Fatalf("bad: %v", err)
		}
		pgpKeys = append(pgpKeys, pub)
	}

	expected := &vault.SealConfig{
		Type:            "shamir",
		SecretShares:    4,
		SecretThreshold: 2,
		PGPKeys:         pgpKeys,
	}
	if !reflect.DeepEqual(expected, sealConf) {
		t.Fatalf("expected:\n%#v\ngot:\n%#v\n", expected, sealConf)
	}

	re, err := regexp.Compile("\\s+Initial Root Token:\\s+(.*)")
	if err != nil {
		t.Fatalf("Error compiling regex: %s", err)
	}
	matches := re.FindAllStringSubmatch(ui.OutputWriter.String(), -1)
	if len(matches) != 1 {
		t.Fatalf("Unexpected number of tokens found, got %d", len(matches))
	}

	rootToken := matches[0][1]

	parseDecryptAndTestUnsealKeys(t, ui.OutputWriter.String(), rootToken, false, nil, core)
}
command/init: tests 2015-03-13 18:18:42 +00:00			`package command`

			`import (`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`"os"`
command/init: tests 2015-03-13 18:18:42 +00:00			`"reflect"`
Add support for pgp-keys argument to rekey, as well as tests, plus refactor common bits out of init. 2015-08-25 21:24:19 +00:00			`"regexp"`
command/init: tests 2015-03-13 18:18:42 +00:00			`"testing"`

Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`"github.com/hashicorp/vault/helper/pgpkeys"`
command/init: tests 2015-03-13 18:18:42 +00:00			`"github.com/hashicorp/vault/http"`
Move meta into its own package 2016-04-01 17:16:05 +00:00			`"github.com/hashicorp/vault/meta"`
command/init: tests 2015-03-13 18:18:42 +00:00			`"github.com/hashicorp/vault/vault"`
			`"github.com/mitchellh/cli"`
			`)`

			`func TestInit(t *testing.T) {`
			`ui := new(cli.MockUi)`
			`c := &InitCommand{`
Move meta into its own package 2016-04-01 17:16:05 +00:00			`Meta: meta.Meta{`
command/init: tests 2015-03-13 18:18:42 +00:00			`Ui: ui,`
			`},`
			`}`

			`core := vault.TestCore(t)`
			`ln, addr := http.TestServer(t, core)`
			`defer ln.Close()`

			`init, err := core.Initialized()`
			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
			`if init {`
			`t.Fatal("should not be initialized")`
			`}`

			`args := []string{"-address", addr}`
			`if code := c.Run(args); code != 0 {`
			`t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())`
			`}`

			`init, err = core.Initialized()`
			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
			`if !init {`
			`t.Fatal("should be initialized")`
			`}`

SealInterface 2016-04-04 14:44:22 +00:00			`sealConf, err := core.SealAccess().BarrierConfig()`
command/init: tests 2015-03-13 18:18:42 +00:00			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
			`expected := &vault.SealConfig{`
Add check against seal type to catch errors before we attempt to use the data 2016-04-15 22:16:48 +00:00			`Type: "shamir",`
command/init: tests 2015-03-13 18:18:42 +00:00			`SecretShares: 5,`
			`SecretThreshold: 3,`
			`}`
			`if !reflect.DeepEqual(expected, sealConf) {`
SealInterface 2016-04-04 14:44:22 +00:00			`t.Fatalf("expected:\n%#v\ngot:\n%#v\n", expected, sealConf)`
command/init: tests 2015-03-13 18:18:42 +00:00			`}`
			`}`

Add -check flag to init. Fixes #949 2016-01-22 18:06:40 +00:00			`func TestInit_Check(t *testing.T) {`
			`ui := new(cli.MockUi)`
			`c := &InitCommand{`
Move meta into its own package 2016-04-01 17:16:05 +00:00			`Meta: meta.Meta{`
Add -check flag to init. Fixes #949 2016-01-22 18:06:40 +00:00			`Ui: ui,`
			`},`
			`}`

			`core := vault.TestCore(t)`
			`ln, addr := http.TestServer(t, core)`
			`defer ln.Close()`

			`// Should return 2, not initialized`
			`args := []string{"-address", addr, "-check"}`
			`if code := c.Run(args); code != 2 {`
			`t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())`
			`}`

			`// Now initialize it`
			`args = []string{"-address", addr}`
			`if code := c.Run(args); code != 0 {`
			`t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())`
			`}`

			`// Should return 0, initialized`
			`args = []string{"-address", addr, "-check"}`
			`if code := c.Run(args); code != 0 {`
			`t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())`
			`}`

			`init, err := core.Initialized()`
			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
			`if !init {`
			`t.Fatal("should be initialized")`
			`}`
			`}`

command/init: tests 2015-03-13 18:18:42 +00:00			`func TestInit_custom(t *testing.T) {`
			`ui := new(cli.MockUi)`
			`c := &InitCommand{`
Move meta into its own package 2016-04-01 17:16:05 +00:00			`Meta: meta.Meta{`
command/init: tests 2015-03-13 18:18:42 +00:00			`Ui: ui,`
			`},`
			`}`

			`core := vault.TestCore(t)`
			`ln, addr := http.TestServer(t, core)`
			`defer ln.Close()`

			`init, err := core.Initialized()`
			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
			`if init {`
			`t.Fatal("should not be initialized")`
			`}`

			`args := []string{`
			`"-address", addr,`
			`"-key-shares", "7",`
			`"-key-threshold", "3",`
			`}`
			`if code := c.Run(args); code != 0 {`
			`t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())`
			`}`

			`init, err = core.Initialized()`
			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
			`if !init {`
			`t.Fatal("should be initialized")`
			`}`

SealInterface 2016-04-04 14:44:22 +00:00			`sealConf, err := core.SealAccess().BarrierConfig()`
command/init: tests 2015-03-13 18:18:42 +00:00			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
			`expected := &vault.SealConfig{`
Add check against seal type to catch errors before we attempt to use the data 2016-04-15 22:16:48 +00:00			`Type: "shamir",`
command/init: tests 2015-03-13 18:18:42 +00:00			`SecretShares: 7,`
			`SecretThreshold: 3,`
			`}`
			`if !reflect.DeepEqual(expected, sealConf) {`
SealInterface 2016-04-04 14:44:22 +00:00			`t.Fatalf("expected:\n%#v\ngot:\n%#v\n", expected, sealConf)`
command/init: tests 2015-03-13 18:18:42 +00:00			`}`
			`}`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00
			`func TestInit_PGP(t *testing.T) {`
			`ui := new(cli.MockUi)`
			`c := &InitCommand{`
Move meta into its own package 2016-04-01 17:16:05 +00:00			`Meta: meta.Meta{`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`Ui: ui,`
			`},`
			`}`

			`core := vault.TestCore(t)`
			`ln, addr := http.TestServer(t, core)`
			`defer ln.Close()`

			`init, err := core.Initialized()`
			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
			`if init {`
			`t.Fatal("should not be initialized")`
			`}`

Add support for pgp-keys argument to rekey, as well as tests, plus refactor common bits out of init. 2015-08-25 21:24:19 +00:00			`tempDir, pubFiles, err := getPubKeyFiles(t)`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`if err != nil {`
Add support for pgp-keys argument to rekey, as well as tests, plus refactor common bits out of init. 2015-08-25 21:24:19 +00:00			`t.Fatal(err)`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`}`
			`defer os.RemoveAll(tempDir)`

			`args := []string{`
			`"-address", addr,`
			`"-key-shares", "2",`
Add support for pgp-keys argument to rekey, as well as tests, plus refactor common bits out of init. 2015-08-25 21:24:19 +00:00			`"-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2],`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`"-key-threshold", "2",`
			`}`

			`// This should fail, as key-shares does not match pgp-keys size`
			`if code := c.Run(args); code == 0 {`
			`t.Fatalf("bad (command should have failed): %d\n\n%s", code, ui.ErrorWriter.String())`
			`}`

			`args = []string{`
			`"-address", addr,`
Allow ASCII-armored PGP pub keys to be passed into -pgp-keys. Fixes #940 2016-01-18 22:01:52 +00:00			`"-key-shares", "4",`
			`"-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2] + "," + pubFiles[3],`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`"-key-threshold", "2",`
			`}`

Add support for pgp-keys argument to rekey, as well as tests, plus refactor common bits out of init. 2015-08-25 21:24:19 +00:00			`ui.OutputWriter.Reset()`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00
			`if code := c.Run(args); code != 0 {`
			`t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())`
			`}`

			`init, err = core.Initialized()`
			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
			`if !init {`
			`t.Fatal("should be initialized")`
			`}`

SealInterface 2016-04-04 14:44:22 +00:00			`sealConf, err := core.SealAccess().BarrierConfig()`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`

Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`pgpKeys := []string{}`
			`for _, pubFile := range pubFiles {`
			`pub, err := pgpkeys.ReadPGPFile(pubFile)`
			`if err != nil {`
			`t.Fatalf("bad: %v", err)`
			`}`
			`pgpKeys = append(pgpKeys, pub)`
			`}`

Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`expected := &vault.SealConfig{`
Add check against seal type to catch errors before we attempt to use the data 2016-04-15 22:16:48 +00:00			`Type: "shamir",`
Allow ASCII-armored PGP pub keys to be passed into -pgp-keys. Fixes #940 2016-01-18 22:01:52 +00:00			`SecretShares: 4,`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`SecretThreshold: 2,`
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`PGPKeys: pgpKeys,`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`}`
			`if !reflect.DeepEqual(expected, sealConf) {`
SealInterface 2016-04-04 14:44:22 +00:00			`t.Fatalf("expected:\n%#v\ngot:\n%#v\n", expected, sealConf)`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`}`
Address comments from review. 2015-08-25 22:33:58 +00:00
Add support for pgp-keys argument to rekey, as well as tests, plus refactor common bits out of init. 2015-08-25 21:24:19 +00:00			`re, err := regexp.Compile("\\s+Initial Root Token:\\s+(.*)")`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`if err != nil {`
Add support for pgp-keys argument to rekey, as well as tests, plus refactor common bits out of init. 2015-08-25 21:24:19 +00:00			`t.Fatalf("Error compiling regex: %s", err)`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`}`
Add support for pgp-keys argument to rekey, as well as tests, plus refactor common bits out of init. 2015-08-25 21:24:19 +00:00			`matches := re.FindAllStringSubmatch(ui.OutputWriter.String(), -1)`
			`if len(matches) != 1 {`
			`t.Fatalf("Unexpected number of tokens found, got %d", len(matches))`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`}`

Add support for pgp-keys argument to rekey, as well as tests, plus refactor common bits out of init. 2015-08-25 21:24:19 +00:00			`rootToken := matches[0][1]`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00
Add rekey nonce/backup. 2015-12-16 21:56:15 +00:00			`parseDecryptAndTestUnsealKeys(t, ui.OutputWriter.String(), rootToken, false, nil, core)`
Add support for "pgp-tokens" parameters to init. There are thorough unit tests that read the returned encrypted tokens, seal the vault, and unseal it again to ensure all works as expected. 2015-08-25 16:32:45 +00:00			`}`