open-vault/command/operator_init_test.go

364 lines
7.7 KiB
Go
Raw Normal View History

// +build !race
2015-03-13 18:18:42 +00:00
package command
import (
2017-09-05 04:02:02 +00:00
"fmt"
"os"
"regexp"
2017-09-05 04:02:02 +00:00
"strconv"
"strings"
2015-03-13 18:18:42 +00:00
"testing"
2017-09-05 04:02:02 +00:00
"github.com/hashicorp/vault/api"
2015-12-16 21:56:15 +00:00
"github.com/hashicorp/vault/helper/pgpkeys"
2015-03-13 18:18:42 +00:00
"github.com/mitchellh/cli"
)
2017-09-08 02:03:12 +00:00
func testOperatorInitCommand(tb testing.TB) (*cli.MockUi, *OperatorInitCommand) {
2017-09-05 04:02:02 +00:00
tb.Helper()
ui := cli.NewMockUi()
2017-09-08 02:03:12 +00:00
return ui, &OperatorInitCommand{
2017-09-05 04:02:02 +00:00
BaseCommand: &BaseCommand{
UI: ui,
2015-03-13 18:18:42 +00:00
},
}
2017-09-05 04:02:02 +00:00
}
2015-03-13 18:18:42 +00:00
2017-09-08 02:03:12 +00:00
func TestOperatorInitCommand_Run(t *testing.T) {
2017-09-05 04:02:02 +00:00
t.Parallel()
cases := []struct {
name string
args []string
out string
code int
}{
{
"pgp_keys_multi",
[]string{
"-pgp-keys", "keybase:hashicorp",
"-pgp-keys", "keybase:jefferai",
},
"can only be specified once",
1,
},
{
"root_token_pgp_key_multi",
[]string{
"-root-token-pgp-key", "keybase:hashicorp",
"-root-token-pgp-key", "keybase:jefferai",
},
"can only be specified once",
1,
},
{
"root_token_pgp_key_multi_inline",
[]string{
"-root-token-pgp-key", "keybase:hashicorp,keybase:jefferai",
},
"can only specify one pgp key",
1,
},
{
"recovery_pgp_keys_multi",
[]string{
"-recovery-pgp-keys", "keybase:hashicorp",
"-recovery-pgp-keys", "keybase:jefferai",
},
"can only be specified once",
1,
},
{
"key_shares_pgp_less",
[]string{
"-key-shares", "10",
"-pgp-keys", "keybase:jefferai,keybase:sethvargo",
},
"incorrect number",
2,
},
{
"key_shares_pgp_more",
[]string{
"-key-shares", "1",
"-pgp-keys", "keybase:jefferai,keybase:sethvargo",
},
"incorrect number",
2,
},
2015-03-13 18:18:42 +00:00
}
2017-09-05 04:02:02 +00:00
t.Run("validations", func(t *testing.T) {
t.Parallel()
2015-03-13 18:18:42 +00:00
2017-09-05 04:02:02 +00:00
for _, tc := range cases {
tc := tc
2015-03-13 18:18:42 +00:00
2017-09-05 04:02:02 +00:00
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
2015-03-13 18:18:42 +00:00
2017-09-05 04:02:02 +00:00
client, closer := testVaultServer(t)
defer closer()
2016-01-22 18:06:40 +00:00
2017-09-08 02:03:12 +00:00
ui, cmd := testOperatorInitCommand(t)
2017-09-05 04:02:02 +00:00
cmd.client = client
2016-01-22 18:06:40 +00:00
2017-09-05 04:02:02 +00:00
code := cmd.Run(tc.args)
if code != tc.code {
t.Errorf("expected %d to be %d", code, tc.code)
}
2016-01-22 18:06:40 +00:00
2017-09-05 04:02:02 +00:00
combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
if !strings.Contains(combined, tc.out) {
t.Errorf("expected %q to contain %q", combined, tc.out)
}
})
}
})
2016-01-22 18:06:40 +00:00
2017-09-05 04:02:02 +00:00
t.Run("status", func(t *testing.T) {
t.Parallel()
2016-01-22 18:06:40 +00:00
2017-09-05 04:02:02 +00:00
client, closer := testVaultServerUninit(t)
defer closer()
2016-01-22 18:06:40 +00:00
2017-09-08 02:03:12 +00:00
ui, cmd := testOperatorInitCommand(t)
2017-09-05 04:02:02 +00:00
cmd.client = client
2015-03-13 18:18:42 +00:00
2017-09-05 04:02:02 +00:00
// Verify the non-init response code
code := cmd.Run([]string{
"-status",
})
if exp := 2; code != exp {
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
}
2015-03-13 18:18:42 +00:00
2017-09-05 04:02:02 +00:00
// Now init to verify the init response code
if _, err := client.Sys().Init(&api.InitRequest{
SecretShares: 1,
SecretThreshold: 1,
}); err != nil {
t.Fatal(err)
}
2015-03-13 18:18:42 +00:00
2017-09-05 04:02:02 +00:00
// Verify the init response code
2017-09-08 02:03:12 +00:00
ui, cmd = testOperatorInitCommand(t)
2017-09-05 04:02:02 +00:00
cmd.client = client
code = cmd.Run([]string{
"-status",
})
if exp := 0; code != exp {
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
}
})
2015-03-13 18:18:42 +00:00
2017-09-05 04:02:02 +00:00
t.Run("default", func(t *testing.T) {
t.Parallel()
2015-03-13 18:18:42 +00:00
2017-09-05 04:02:02 +00:00
client, closer := testVaultServerUninit(t)
defer closer()
2017-09-08 02:03:12 +00:00
ui, cmd := testOperatorInitCommand(t)
2017-09-05 04:02:02 +00:00
cmd.client = client
2017-09-05 04:02:02 +00:00
code := cmd.Run([]string{})
if exp := 0; code != exp {
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
}
2017-09-05 04:02:02 +00:00
init, err := client.Sys().InitStatus()
if err != nil {
t.Fatal(err)
}
if !init {
t.Error("expected initialized")
}
2017-09-05 04:02:02 +00:00
re := regexp.MustCompile(`Unseal Key \d+: (.+)`)
output := ui.OutputWriter.String()
match := re.FindAllStringSubmatch(output, -1)
if len(match) < 5 || len(match[0]) < 2 {
t.Fatalf("no match: %#v", match)
}
2017-09-05 04:02:02 +00:00
keys := make([]string, len(match))
for i := range match {
keys[i] = match[i][1]
}
2017-09-05 04:02:02 +00:00
// Try unsealing with those keys - only use 3, which is the default
// threshold.
for i, key := range keys[:3] {
resp, err := client.Sys().Unseal(key)
if err != nil {
t.Fatal(err)
}
exp := (i + 1) % 3 // 1, 2, 0
if resp.Progress != exp {
t.Errorf("expected %d to be %d", resp.Progress, exp)
}
}
2017-09-05 04:02:02 +00:00
status, err := client.Sys().SealStatus()
if err != nil {
2017-09-05 04:02:02 +00:00
t.Fatal(err)
}
2017-09-05 04:02:02 +00:00
if status.Sealed {
t.Errorf("expected vault to be unsealed: %#v", status)
}
})
2017-09-05 04:02:02 +00:00
t.Run("custom_shares_threshold", func(t *testing.T) {
t.Parallel()
2017-09-05 04:02:02 +00:00
keyShares, keyThreshold := 20, 15
2017-09-05 04:02:02 +00:00
client, closer := testVaultServerUninit(t)
defer closer()
2017-09-08 02:03:12 +00:00
ui, cmd := testOperatorInitCommand(t)
2017-09-05 04:02:02 +00:00
cmd.client = client
2017-09-05 04:02:02 +00:00
code := cmd.Run([]string{
"-key-shares", strconv.Itoa(keyShares),
"-key-threshold", strconv.Itoa(keyThreshold),
})
if exp := 0; code != exp {
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
}
2017-09-05 04:02:02 +00:00
init, err := client.Sys().InitStatus()
if err != nil {
t.Fatal(err)
}
if !init {
t.Error("expected initialized")
}
2017-09-05 04:02:02 +00:00
re := regexp.MustCompile(`Unseal Key \d+: (.+)`)
output := ui.OutputWriter.String()
match := re.FindAllStringSubmatch(output, -1)
if len(match) < keyShares || len(match[0]) < 2 {
t.Fatalf("no match: %#v", match)
}
2017-09-05 04:02:02 +00:00
keys := make([]string, len(match))
for i := range match {
keys[i] = match[i][1]
}
2017-09-05 04:02:02 +00:00
// Try unsealing with those keys - only use 3, which is the default
// threshold.
for i, key := range keys[:keyThreshold] {
resp, err := client.Sys().Unseal(key)
if err != nil {
t.Fatal(err)
}
exp := (i + 1) % keyThreshold
if resp.Progress != exp {
t.Errorf("expected %d to be %d", resp.Progress, exp)
}
}
2017-09-05 04:02:02 +00:00
status, err := client.Sys().SealStatus()
if err != nil {
t.Fatal(err)
}
if status.Sealed {
t.Errorf("expected vault to be unsealed: %#v", status)
}
})
2017-09-05 04:02:02 +00:00
t.Run("pgp", func(t *testing.T) {
t.Parallel()
2017-09-05 04:02:02 +00:00
tempDir, pubFiles, err := getPubKeyFiles(t)
2015-12-16 21:56:15 +00:00
if err != nil {
2017-09-05 04:02:02 +00:00
t.Fatal(err)
}
defer os.RemoveAll(tempDir)
client, closer := testVaultServerUninit(t)
defer closer()
2017-09-08 02:03:12 +00:00
ui, cmd := testOperatorInitCommand(t)
2017-09-05 04:02:02 +00:00
cmd.client = client
code := cmd.Run([]string{
"-key-shares", "4",
"-key-threshold", "2",
"-pgp-keys", fmt.Sprintf("%s,@%s, %s, %s ",
pubFiles[0], pubFiles[1], pubFiles[2], pubFiles[3]),
"-root-token-pgp-key", pubFiles[0],
})
if exp := 0; code != exp {
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
2015-12-16 21:56:15 +00:00
}
2017-09-05 04:02:02 +00:00
re := regexp.MustCompile(`Unseal Key \d+: (.+)`)
output := ui.OutputWriter.String()
match := re.FindAllStringSubmatch(output, -1)
if len(match) < 4 || len(match[0]) < 2 {
t.Fatalf("no match: %#v", match)
}
2015-08-25 22:33:58 +00:00
2017-09-05 04:02:02 +00:00
keys := make([]string, len(match))
for i := range match {
keys[i] = match[i][1]
}
2017-09-05 04:02:02 +00:00
// Try unsealing with one key
decryptedKey := testPGPDecrypt(t, pgpkeys.TestPrivKey1, keys[0])
if _, err := client.Sys().Unseal(decryptedKey); err != nil {
t.Fatal(err)
}
2017-09-05 04:02:02 +00:00
// Decrypt the root token
reToken := regexp.MustCompile(`Root Token: (.+)`)
match = reToken.FindAllStringSubmatch(output, -1)
if len(match) < 1 || len(match[0]) < 2 {
t.Fatalf("no match")
}
root := match[0][1]
decryptedRoot := testPGPDecrypt(t, pgpkeys.TestPrivKey1, root)
2017-09-05 04:02:02 +00:00
if l, exp := len(decryptedRoot), 36; l != exp {
t.Errorf("expected %d to be %d", l, exp)
}
})
2017-09-05 04:02:02 +00:00
t.Run("communication_failure", func(t *testing.T) {
t.Parallel()
2017-09-05 04:02:02 +00:00
client, closer := testVaultServerBad(t)
defer closer()
2017-09-08 02:03:12 +00:00
ui, cmd := testOperatorInitCommand(t)
2017-09-05 04:02:02 +00:00
cmd.client = client
code := cmd.Run([]string{
"secret/foo",
})
if exp := 2; code != exp {
t.Errorf("expected %d to be %d", code, exp)
}
expected := "Error initializing: "
combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
if !strings.Contains(combined, expected) {
t.Errorf("expected %q to contain %q", combined, expected)
}
})
t.Run("no_tabs", func(t *testing.T) {
t.Parallel()
2017-09-08 02:03:12 +00:00
_, cmd := testOperatorInitCommand(t)
2017-09-05 04:02:02 +00:00
assertNoTabs(t, cmd)
})
}