2016-01-09 02:21:02 +00:00
|
|
|
package vault
|
|
|
|
|
|
|
|
import (
|
2018-01-19 06:44:44 +00:00
|
|
|
"context"
|
2016-01-09 02:21:02 +00:00
|
|
|
"encoding/base64"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/hashicorp/go-uuid"
|
|
|
|
"github.com/hashicorp/vault/helper/pgpkeys"
|
|
|
|
"github.com/hashicorp/vault/helper/xor"
|
|
|
|
)
|
|
|
|
|
2016-01-15 15:55:35 +00:00
|
|
|
func TestCore_GenerateRoot_Lifecycle(t *testing.T) {
|
2016-04-25 19:39:04 +00:00
|
|
|
bc, rc := TestSealDefConfigs()
|
2017-01-17 20:43:10 +00:00
|
|
|
c, masterKeys, _, _ := TestCoreUnsealedWithConfigs(t, bc, rc)
|
|
|
|
testCore_GenerateRoot_Lifecycle_Common(t, c, masterKeys)
|
2016-04-25 19:39:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func testCore_GenerateRoot_Lifecycle_Common(t *testing.T, c *Core, keys [][]byte) {
|
2016-01-09 02:21:02 +00:00
|
|
|
// Verify update not allowed
|
2018-01-19 06:44:44 +00:00
|
|
|
if _, err := c.GenerateRootUpdate(context.Background(), keys[0], "", GenerateStandardRootTokenStrategy); err == nil {
|
2016-01-09 02:21:02 +00:00
|
|
|
t.Fatalf("no root generation in progress")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Should be no progress
|
2016-01-15 15:55:35 +00:00
|
|
|
num, err := c.GenerateRootProgress()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if num != 0 {
|
|
|
|
t.Fatalf("bad: %d", num)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Should be no config
|
2016-01-15 15:55:35 +00:00
|
|
|
conf, err := c.GenerateRootConfiguration()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if conf != nil {
|
|
|
|
t.Fatalf("bad: %v", conf)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Cancel should be idempotent
|
2016-01-15 15:55:35 +00:00
|
|
|
err = c.GenerateRootCancel()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2016-01-15 15:55:35 +00:00
|
|
|
otpBytes, err := GenerateRandBytes(16)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Start a root generation
|
2017-11-10 18:19:42 +00:00
|
|
|
err = c.GenerateRootInit(base64.StdEncoding.EncodeToString(otpBytes), "", GenerateStandardRootTokenStrategy)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Should get config
|
2016-01-15 15:55:35 +00:00
|
|
|
conf, err = c.GenerateRootConfiguration()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Cancel should be clear
|
2016-01-15 15:55:35 +00:00
|
|
|
err = c.GenerateRootCancel()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Should be no config
|
2016-01-15 15:55:35 +00:00
|
|
|
conf, err = c.GenerateRootConfiguration()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if conf != nil {
|
|
|
|
t.Fatalf("bad: %v", conf)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-01-15 15:55:35 +00:00
|
|
|
func TestCore_GenerateRoot_Init(t *testing.T) {
|
2016-01-09 02:21:02 +00:00
|
|
|
c, _, _ := TestCoreUnsealed(t)
|
2016-04-25 19:39:04 +00:00
|
|
|
testCore_GenerateRoot_Init_Common(t, c)
|
|
|
|
|
|
|
|
bc, rc := TestSealDefConfigs()
|
|
|
|
c, _, _, _ = TestCoreUnsealedWithConfigs(t, bc, rc)
|
|
|
|
testCore_GenerateRoot_Init_Common(t, c)
|
|
|
|
}
|
2016-01-09 02:21:02 +00:00
|
|
|
|
2016-04-25 19:39:04 +00:00
|
|
|
func testCore_GenerateRoot_Init_Common(t *testing.T, c *Core) {
|
2016-01-15 15:55:35 +00:00
|
|
|
otpBytes, err := GenerateRandBytes(16)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
2017-11-10 18:19:42 +00:00
|
|
|
err = c.GenerateRootInit(base64.StdEncoding.EncodeToString(otpBytes), "", GenerateStandardRootTokenStrategy)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Second should fail
|
2017-11-10 18:19:42 +00:00
|
|
|
err = c.GenerateRootInit("", pgpkeys.TestPubKey1, GenerateStandardRootTokenStrategy)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err == nil {
|
|
|
|
t.Fatalf("should fail")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-04-25 19:39:04 +00:00
|
|
|
func TestCore_GenerateRoot_InvalidMasterNonce(t *testing.T) {
|
2017-10-23 17:42:04 +00:00
|
|
|
bc, _ := TestSealDefConfigs()
|
|
|
|
bc.SecretShares = 3
|
|
|
|
bc.SecretThreshold = 3
|
|
|
|
c, masterKeys, _, _ := TestCoreUnsealedWithConfigs(t, bc, nil)
|
|
|
|
// Pass in master keys as they'll be invalid
|
2017-01-17 20:43:10 +00:00
|
|
|
masterKeys[0][0]++
|
|
|
|
testCore_GenerateRoot_InvalidMasterNonce_Common(t, c, masterKeys)
|
2016-04-25 19:39:04 +00:00
|
|
|
}
|
2016-01-09 02:21:02 +00:00
|
|
|
|
2016-04-25 19:39:04 +00:00
|
|
|
func testCore_GenerateRoot_InvalidMasterNonce_Common(t *testing.T, c *Core, keys [][]byte) {
|
2016-01-15 15:55:35 +00:00
|
|
|
otpBytes, err := GenerateRandBytes(16)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
2017-11-10 18:19:42 +00:00
|
|
|
err = c.GenerateRootInit(base64.StdEncoding.EncodeToString(otpBytes), "", GenerateStandardRootTokenStrategy)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Fetch new config with generated nonce
|
2016-01-15 15:55:35 +00:00
|
|
|
rgconf, err := c.GenerateRootConfiguration()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if rgconf == nil {
|
|
|
|
t.Fatalf("bad: no rekey config received")
|
|
|
|
}
|
|
|
|
|
2016-04-25 19:39:04 +00:00
|
|
|
// Provide the nonce (invalid)
|
2018-01-19 06:44:44 +00:00
|
|
|
_, err = c.GenerateRootUpdate(context.Background(), keys[0], "abcd", GenerateStandardRootTokenStrategy)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err == nil {
|
|
|
|
t.Fatalf("expected error")
|
|
|
|
}
|
|
|
|
|
2016-04-25 19:39:04 +00:00
|
|
|
// Provide the master (invalid)
|
|
|
|
for _, key := range keys {
|
2018-01-19 06:44:44 +00:00
|
|
|
_, err = c.GenerateRootUpdate(context.Background(), key, rgconf.Nonce, GenerateStandardRootTokenStrategy)
|
2016-01-09 02:21:02 +00:00
|
|
|
}
|
|
|
|
if err == nil {
|
|
|
|
t.Fatalf("expected error")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-01-15 15:55:35 +00:00
|
|
|
func TestCore_GenerateRoot_Update_OTP(t *testing.T) {
|
2016-04-25 19:39:04 +00:00
|
|
|
bc, rc := TestSealDefConfigs()
|
2017-01-17 20:43:10 +00:00
|
|
|
c, masterKeys, _, _ := TestCoreUnsealedWithConfigs(t, bc, rc)
|
|
|
|
testCore_GenerateRoot_Update_OTP_Common(t, c, masterKeys[0:bc.SecretThreshold])
|
2016-04-25 19:39:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func testCore_GenerateRoot_Update_OTP_Common(t *testing.T, c *Core, keys [][]byte) {
|
2016-01-15 15:55:35 +00:00
|
|
|
otpBytes, err := GenerateRandBytes(16)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
otp := base64.StdEncoding.EncodeToString(otpBytes)
|
|
|
|
// Start a root generation
|
2017-11-10 18:19:42 +00:00
|
|
|
err = c.GenerateRootInit(otp, "", GenerateStandardRootTokenStrategy)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Fetch new config with generated nonce
|
2016-01-15 15:55:35 +00:00
|
|
|
rkconf, err := c.GenerateRootConfiguration()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if rkconf == nil {
|
|
|
|
t.Fatalf("bad: no root generation config received")
|
|
|
|
}
|
|
|
|
|
2016-04-25 19:39:04 +00:00
|
|
|
// Provide the keys
|
|
|
|
var result *GenerateRootResult
|
|
|
|
for _, key := range keys {
|
2018-01-19 06:44:44 +00:00
|
|
|
result, err = c.GenerateRootUpdate(context.Background(), key, rkconf.Nonce, GenerateStandardRootTokenStrategy)
|
2016-04-25 19:39:04 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2016-01-09 02:21:02 +00:00
|
|
|
}
|
|
|
|
if result == nil {
|
|
|
|
t.Fatalf("Bad, result is nil")
|
|
|
|
}
|
|
|
|
|
2017-11-13 20:44:26 +00:00
|
|
|
encodedToken := result.EncodedToken
|
2016-01-09 02:21:02 +00:00
|
|
|
|
|
|
|
// Should be no progress
|
2016-01-15 15:55:35 +00:00
|
|
|
num, err := c.GenerateRootProgress()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if num != 0 {
|
|
|
|
t.Fatalf("bad: %d", num)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Should be no config
|
2016-01-15 15:55:35 +00:00
|
|
|
conf, err := c.GenerateRootConfiguration()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if conf != nil {
|
|
|
|
t.Fatalf("bad: %v", conf)
|
|
|
|
}
|
|
|
|
|
2017-11-13 20:44:26 +00:00
|
|
|
tokenBytes, err := xor.XORBase64(encodedToken, otp)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
token, err := uuid.FormatUUID(tokenBytes)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Ensure that the token is a root token
|
2018-01-19 06:44:44 +00:00
|
|
|
te, err := c.tokenStore.Lookup(context.Background(), token)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if te == nil {
|
|
|
|
t.Fatalf("token was nil")
|
|
|
|
}
|
|
|
|
if te.ID != token || te.Parent != "" ||
|
|
|
|
len(te.Policies) != 1 || te.Policies[0] != "root" {
|
|
|
|
t.Fatalf("bad: %#v", *te)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-01-15 15:55:35 +00:00
|
|
|
func TestCore_GenerateRoot_Update_PGP(t *testing.T) {
|
2016-04-25 19:39:04 +00:00
|
|
|
bc, rc := TestSealDefConfigs()
|
2017-01-17 20:43:10 +00:00
|
|
|
c, masterKeys, _, _ := TestCoreUnsealedWithConfigs(t, bc, rc)
|
|
|
|
testCore_GenerateRoot_Update_PGP_Common(t, c, masterKeys[0:bc.SecretThreshold])
|
2016-04-25 19:39:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func testCore_GenerateRoot_Update_PGP_Common(t *testing.T, c *Core, keys [][]byte) {
|
2016-01-09 02:21:02 +00:00
|
|
|
// Start a root generation
|
2017-11-10 18:19:42 +00:00
|
|
|
err := c.GenerateRootInit("", pgpkeys.TestPubKey1, GenerateStandardRootTokenStrategy)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Fetch new config with generated nonce
|
2016-01-15 15:55:35 +00:00
|
|
|
rkconf, err := c.GenerateRootConfiguration()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if rkconf == nil {
|
|
|
|
t.Fatalf("bad: no root generation config received")
|
|
|
|
}
|
|
|
|
|
2016-04-25 19:39:04 +00:00
|
|
|
// Provide the keys
|
|
|
|
var result *GenerateRootResult
|
|
|
|
for _, key := range keys {
|
2018-01-19 06:44:44 +00:00
|
|
|
result, err = c.GenerateRootUpdate(context.Background(), key, rkconf.Nonce, GenerateStandardRootTokenStrategy)
|
2016-04-25 19:39:04 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2016-01-09 02:21:02 +00:00
|
|
|
}
|
|
|
|
if result == nil {
|
|
|
|
t.Fatalf("Bad, result is nil")
|
|
|
|
}
|
|
|
|
|
2017-11-13 20:44:26 +00:00
|
|
|
encodedToken := result.EncodedToken
|
2016-01-09 02:21:02 +00:00
|
|
|
|
|
|
|
// Should be no progress
|
2016-01-15 15:55:35 +00:00
|
|
|
num, err := c.GenerateRootProgress()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if num != 0 {
|
|
|
|
t.Fatalf("bad: %d", num)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Should be no config
|
2016-01-15 15:55:35 +00:00
|
|
|
conf, err := c.GenerateRootConfiguration()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if conf != nil {
|
|
|
|
t.Fatalf("bad: %v", conf)
|
|
|
|
}
|
|
|
|
|
2017-11-13 20:44:26 +00:00
|
|
|
ptBuf, err := pgpkeys.DecryptBytes(encodedToken, pgpkeys.TestPrivKey1)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
if ptBuf == nil {
|
|
|
|
t.Fatal("Got nil plaintext key")
|
|
|
|
}
|
|
|
|
|
|
|
|
token := ptBuf.String()
|
|
|
|
|
|
|
|
// Ensure that the token is a root token
|
2018-01-19 06:44:44 +00:00
|
|
|
te, err := c.tokenStore.Lookup(context.Background(), token)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if te == nil {
|
|
|
|
t.Fatalf("token was nil")
|
|
|
|
}
|
|
|
|
if te.ID != token || te.Parent != "" ||
|
|
|
|
len(te.Policies) != 1 || te.Policies[0] != "root" {
|
|
|
|
t.Fatalf("bad: %#v", *te)
|
|
|
|
}
|
|
|
|
}
|