2015-05-28 22:22:42 +00:00
|
|
|
package command
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"encoding/hex"
|
2015-08-25 21:24:19 +00:00
|
|
|
"os"
|
2016-01-09 03:21:41 +00:00
|
|
|
"sort"
|
2015-05-28 22:22:42 +00:00
|
|
|
"strings"
|
|
|
|
|
"testing"
|
2015-12-16 21:56:15 +00:00
|
|
|
"time"
|
2015-05-28 22:22:42 +00:00
|
|
|
|
|
|
|
|
"github.com/hashicorp/vault/http"
|
2015-12-16 21:56:15 +00:00
|
|
|
"github.com/hashicorp/vault/logical"
|
2016-04-01 17:16:05 +00:00
|
|
|
"github.com/hashicorp/vault/meta"
|
2015-05-28 22:22:42 +00:00
|
|
|
"github.com/hashicorp/vault/vault"
|
|
|
|
|
"github.com/mitchellh/cli"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func TestRekey(t *testing.T) {
|
2017-01-17 20:43:10 +00:00
|
|
|
core, keys, _ := vault.TestCoreUnsealed(t)
|
2015-05-28 22:22:42 +00:00
|
|
|
ln, addr := http.TestServer(t, core)
|
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
|
|
ui := new(cli.MockUi)
|
|
|
|
|
|
2017-01-17 20:43:10 +00:00
|
|
|
for i, key := range keys {
|
|
|
|
|
c := &RekeyCommand{
|
|
|
|
|
Key: hex.EncodeToString(key),
|
|
|
|
|
RecoveryKey: false,
|
|
|
|
|
Meta: meta.Meta{
|
|
|
|
|
Ui: ui,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if i > 0 {
|
|
|
|
|
conf, err := core.RekeyConfig(false)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
c.Nonce = conf.Nonce
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
args := []string{"-address", addr}
|
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
|
}
|
2015-05-28 22:22:42 +00:00
|
|
|
}
|
|
|
|
|
|
2016-04-04 14:44:22 +00:00
|
|
|
config, err := core.SealAccess().BarrierConfig()
|
2015-05-28 22:22:42 +00:00
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
|
}
|
|
|
|
|
if config.SecretShares != 5 {
|
|
|
|
|
t.Fatal("should rekey")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestRekey_arg(t *testing.T) {
|
2017-01-17 20:43:10 +00:00
|
|
|
core, keys, _ := vault.TestCoreUnsealed(t)
|
2015-05-28 22:22:42 +00:00
|
|
|
ln, addr := http.TestServer(t, core)
|
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
|
|
ui := new(cli.MockUi)
|
|
|
|
|
|
2017-01-17 20:43:10 +00:00
|
|
|
for i, key := range keys {
|
|
|
|
|
c := &RekeyCommand{
|
|
|
|
|
RecoveryKey: false,
|
|
|
|
|
Meta: meta.Meta{
|
|
|
|
|
Ui: ui,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if i > 0 {
|
|
|
|
|
conf, err := core.RekeyConfig(false)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
c.Nonce = conf.Nonce
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
args := []string{"-address", addr, hex.EncodeToString(key)}
|
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
|
}
|
2015-05-28 22:22:42 +00:00
|
|
|
}
|
|
|
|
|
|
2016-04-04 14:44:22 +00:00
|
|
|
config, err := core.SealAccess().BarrierConfig()
|
2015-05-28 22:22:42 +00:00
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
|
}
|
|
|
|
|
if config.SecretShares != 5 {
|
|
|
|
|
t.Fatal("should rekey")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestRekey_init(t *testing.T) {
|
2017-01-17 20:43:10 +00:00
|
|
|
core, _, _ := vault.TestCoreUnsealed(t)
|
2015-05-28 22:22:42 +00:00
|
|
|
ln, addr := http.TestServer(t, core)
|
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
|
|
ui := new(cli.MockUi)
|
2017-01-17 20:43:10 +00:00
|
|
|
|
2015-05-28 22:22:42 +00:00
|
|
|
c := &RekeyCommand{
|
2016-04-01 17:16:05 +00:00
|
|
|
Meta: meta.Meta{
|
2015-05-28 22:22:42 +00:00
|
|
|
Ui: ui,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-16 21:56:15 +00:00
|
|
|
args := []string{
|
|
|
|
|
"-address", addr,
|
|
|
|
|
"-init",
|
|
|
|
|
"-key-threshold", "10",
|
|
|
|
|
"-key-shares", "10",
|
|
|
|
|
}
|
2015-05-28 22:22:42 +00:00
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
|
}
|
|
|
|
|
|
2016-04-04 14:44:22 +00:00
|
|
|
config, err := core.RekeyConfig(false)
|
2015-05-28 22:22:42 +00:00
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
|
}
|
|
|
|
|
if config.SecretShares != 10 {
|
|
|
|
|
t.Fatal("should rekey")
|
|
|
|
|
}
|
|
|
|
|
if config.SecretThreshold != 10 {
|
|
|
|
|
t.Fatal("should rekey")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestRekey_cancel(t *testing.T) {
|
2017-01-17 20:43:10 +00:00
|
|
|
core, keys, _ := vault.TestCoreUnsealed(t)
|
2015-05-28 22:22:42 +00:00
|
|
|
ln, addr := http.TestServer(t, core)
|
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
|
|
ui := new(cli.MockUi)
|
|
|
|
|
c := &RekeyCommand{
|
2017-01-17 20:43:10 +00:00
|
|
|
Key: hex.EncodeToString(keys[0]),
|
2016-04-01 17:16:05 +00:00
|
|
|
Meta: meta.Meta{
|
2015-05-28 22:22:42 +00:00
|
|
|
Ui: ui,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
args := []string{"-address", addr, "-init"}
|
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
args = []string{"-address", addr, "-cancel"}
|
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
|
}
|
|
|
|
|
|
2016-04-04 14:44:22 +00:00
|
|
|
config, err := core.RekeyConfig(false)
|
2015-05-28 22:22:42 +00:00
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
|
}
|
|
|
|
|
if config != nil {
|
|
|
|
|
t.Fatal("should not rekey")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestRekey_status(t *testing.T) {
|
2017-01-17 20:43:10 +00:00
|
|
|
core, keys, _ := vault.TestCoreUnsealed(t)
|
2015-05-28 22:22:42 +00:00
|
|
|
ln, addr := http.TestServer(t, core)
|
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
|
|
ui := new(cli.MockUi)
|
|
|
|
|
c := &RekeyCommand{
|
2017-01-17 20:43:10 +00:00
|
|
|
Key: hex.EncodeToString(keys[0]),
|
2016-04-01 17:16:05 +00:00
|
|
|
Meta: meta.Meta{
|
2015-05-28 22:22:42 +00:00
|
|
|
Ui: ui,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
args := []string{"-address", addr, "-init"}
|
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
args = []string{"-address", addr, "-status"}
|
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
|
}
|
|
|
|
|
|
2017-05-25 13:00:49 +00:00
|
|
|
if !strings.Contains(ui.OutputWriter.String(), "Started: true") {
|
2015-05-28 22:22:42 +00:00
|
|
|
t.Fatalf("bad: %s", ui.OutputWriter.String())
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-08-25 21:24:19 +00:00
|
|
|
|
|
|
|
|
func TestRekey_init_pgp(t *testing.T) {
|
2017-01-17 20:43:10 +00:00
|
|
|
core, keys, token := vault.TestCoreUnsealed(t)
|
2015-08-25 21:24:19 +00:00
|
|
|
ln, addr := http.TestServer(t, core)
|
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
2015-12-16 21:56:15 +00:00
|
|
|
bc := &logical.BackendConfig{
|
|
|
|
|
Logger: nil,
|
|
|
|
|
System: logical.StaticSystemView{
|
|
|
|
|
DefaultLeaseTTLVal: time.Hour * 24,
|
2016-09-28 22:32:49 +00:00
|
|
|
MaxLeaseTTLVal: time.Hour * 24 * 32,
|
2015-12-16 21:56:15 +00:00
|
|
|
},
|
|
|
|
|
}
|
Backend plugin system (#2874)
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017)
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 17:28:40 +00:00
|
|
|
sysBackend := vault.NewSystemBackend(core)
|
|
|
|
|
err := sysBackend.Backend.Setup(bc)
|
2016-09-29 04:01:28 +00:00
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
2015-12-16 21:56:15 +00:00
|
|
|
|
2015-08-25 21:24:19 +00:00
|
|
|
ui := new(cli.MockUi)
|
|
|
|
|
c := &RekeyCommand{
|
2016-04-01 17:16:05 +00:00
|
|
|
Meta: meta.Meta{
|
2015-08-25 21:24:19 +00:00
|
|
|
Ui: ui,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tempDir, pubFiles, err := getPubKeyFiles(t)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
defer os.RemoveAll(tempDir)
|
|
|
|
|
|
|
|
|
|
args := []string{
|
|
|
|
|
"-address", addr,
|
|
|
|
|
"-init",
|
2016-01-18 22:01:52 +00:00
|
|
|
"-key-shares", "4",
|
|
|
|
|
"-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2] + "," + pubFiles[3],
|
2015-08-25 22:33:58 +00:00
|
|
|
"-key-threshold", "2",
|
2015-12-16 21:56:15 +00:00
|
|
|
"-backup", "true",
|
2015-08-25 21:24:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
|
}
|
|
|
|
|
|
2016-04-04 14:44:22 +00:00
|
|
|
config, err := core.RekeyConfig(false)
|
2015-08-25 21:24:19 +00:00
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
|
}
|
2016-01-18 22:01:52 +00:00
|
|
|
if config.SecretShares != 4 {
|
2015-08-25 21:24:19 +00:00
|
|
|
t.Fatal("should rekey")
|
|
|
|
|
}
|
|
|
|
|
if config.SecretThreshold != 2 {
|
|
|
|
|
t.Fatal("should rekey")
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-17 20:43:10 +00:00
|
|
|
for _, key := range keys {
|
|
|
|
|
c = &RekeyCommand{
|
|
|
|
|
Key: hex.EncodeToString(key),
|
|
|
|
|
Meta: meta.Meta{
|
|
|
|
|
Ui: ui,
|
|
|
|
|
},
|
|
|
|
|
}
|
2015-12-16 21:56:15 +00:00
|
|
|
|
2017-01-17 20:43:10 +00:00
|
|
|
c.Nonce = config.Nonce
|
|
|
|
|
|
|
|
|
|
args = []string{
|
|
|
|
|
"-address", addr,
|
|
|
|
|
}
|
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
|
}
|
2015-08-25 21:24:19 +00:00
|
|
|
}
|
|
|
|
|
|
2015-12-16 21:56:15 +00:00
|
|
|
type backupStruct struct {
|
2016-08-15 20:01:15 +00:00
|
|
|
Keys map[string][]string
|
|
|
|
|
KeysB64 map[string][]string
|
2015-12-16 21:56:15 +00:00
|
|
|
}
|
|
|
|
|
backupVals := &backupStruct{}
|
|
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.ReadOperation, "rekey/backup")
|
|
|
|
|
resp, err := sysBackend.HandleRequest(req)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("error running backed-up unseal key fetch: %v", err)
|
|
|
|
|
}
|
|
|
|
|
if resp == nil {
|
|
|
|
|
t.Fatalf("got nil resp with unseal key fetch")
|
|
|
|
|
}
|
|
|
|
|
if resp.Data["keys"] == nil {
|
|
|
|
|
t.Fatalf("could not retrieve unseal keys from token")
|
|
|
|
|
}
|
|
|
|
|
if resp.Data["nonce"] != config.Nonce {
|
|
|
|
|
t.Fatalf("nonce mismatch between rekey and backed-up keys")
|
|
|
|
|
}
|
|
|
|
|
|
2016-01-09 03:21:41 +00:00
|
|
|
backupVals.Keys = resp.Data["keys"].(map[string][]string)
|
2016-08-15 20:01:15 +00:00
|
|
|
backupVals.KeysB64 = resp.Data["keys_base64"].(map[string][]string)
|
2015-12-16 21:56:15 +00:00
|
|
|
|
|
|
|
|
// Now delete and try again; the values should be inaccessible
|
|
|
|
|
req = logical.TestRequest(t, logical.DeleteOperation, "rekey/backup")
|
|
|
|
|
resp, err = sysBackend.HandleRequest(req)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("error running backed-up unseal key delete: %v", err)
|
|
|
|
|
}
|
|
|
|
|
req = logical.TestRequest(t, logical.ReadOperation, "rekey/backup")
|
|
|
|
|
resp, err = sysBackend.HandleRequest(req)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatalf("error running backed-up unseal key fetch: %v", err)
|
|
|
|
|
}
|
|
|
|
|
if resp == nil {
|
|
|
|
|
t.Fatalf("got nil resp with unseal key fetch")
|
|
|
|
|
}
|
|
|
|
|
if resp.Data["keys"] != nil {
|
|
|
|
|
t.Fatalf("keys found when they should have been deleted")
|
|
|
|
|
}
|
|
|
|
|
|
2016-01-09 03:21:41 +00:00
|
|
|
// Sort, because it'll be tested with DeepEqual later
|
|
|
|
|
for k, _ := range backupVals.Keys {
|
|
|
|
|
sort.Strings(backupVals.Keys[k])
|
2016-08-15 20:01:15 +00:00
|
|
|
sort.Strings(backupVals.KeysB64[k])
|
2016-01-09 03:21:41 +00:00
|
|
|
}
|
|
|
|
|
|
2016-08-15 20:01:15 +00:00
|
|
|
parseDecryptAndTestUnsealKeys(t, ui.OutputWriter.String(), token, true, backupVals.Keys, backupVals.KeysB64, core)
|
2015-08-25 21:24:19 +00:00
|
|
|
}
|