2018-10-23 06:34:02 +00:00
|
|
|
package command
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"encoding/base64"
|
2020-02-13 21:27:31 +00:00
|
|
|
"path"
|
2018-10-23 06:34:02 +00:00
|
|
|
"testing"
|
|
|
|
|
2020-01-21 17:24:33 +00:00
|
|
|
"github.com/hashicorp/go-hclog"
|
2020-01-11 01:39:52 +00:00
|
|
|
wrapping "github.com/hashicorp/go-kms-wrapping"
|
2020-02-13 21:27:31 +00:00
|
|
|
"github.com/hashicorp/vault/api"
|
|
|
|
"github.com/hashicorp/vault/builtin/logical/transit"
|
|
|
|
commandseal "github.com/hashicorp/vault/command/server/seal"
|
|
|
|
"github.com/hashicorp/vault/helper/testhelpers"
|
|
|
|
"github.com/hashicorp/vault/helper/testhelpers/teststorage"
|
2018-10-23 06:34:02 +00:00
|
|
|
vaulthttp "github.com/hashicorp/vault/http"
|
2019-04-13 07:44:06 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/helper/logging"
|
2020-02-13 21:27:31 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
2018-10-23 06:34:02 +00:00
|
|
|
"github.com/hashicorp/vault/vault"
|
|
|
|
"github.com/hashicorp/vault/vault/seal"
|
|
|
|
)
|
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
type transitSealServer struct {
|
|
|
|
*vault.TestCluster
|
|
|
|
}
|
|
|
|
|
|
|
|
func newTransitSealServer(t *testing.T) *transitSealServer {
|
|
|
|
conf := &vault.CoreConfig{
|
|
|
|
LogicalBackends: map[string]logical.Factory{
|
|
|
|
"transit": transit.Factory,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
opts := &vault.TestClusterOptions{
|
|
|
|
NumCores: 1,
|
|
|
|
HandlerFunc: vaulthttp.Handler,
|
|
|
|
Logger: logging.NewVaultLogger(hclog.Trace).Named(t.Name()).Named("transit"),
|
|
|
|
}
|
|
|
|
teststorage.InmemBackendSetup(conf, opts)
|
|
|
|
cluster := vault.NewTestCluster(t, conf, opts)
|
|
|
|
cluster.Start()
|
|
|
|
|
|
|
|
if err := cluster.Cores[0].Client.Sys().Mount("transit", &api.MountInput{
|
|
|
|
Type: "transit",
|
|
|
|
}); err != nil {
|
2020-01-21 17:24:33 +00:00
|
|
|
t.Fatal(err)
|
|
|
|
}
|
2020-02-13 21:27:31 +00:00
|
|
|
|
|
|
|
return &transitSealServer{cluster}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (tss *transitSealServer) makeKey(t *testing.T, key string) {
|
|
|
|
client := tss.Cores[0].Client
|
|
|
|
// Create default aesgcm key
|
|
|
|
if _, err := client.Logical().Write(path.Join("transit", "keys", key), nil); err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
if _, err := client.Logical().Write(path.Join("transit", "keys", key, "config"), map[string]interface{}{
|
|
|
|
"deletion_allowed": true,
|
|
|
|
}); err != nil {
|
2020-01-21 17:24:33 +00:00
|
|
|
t.Fatal(err)
|
|
|
|
}
|
2020-02-13 21:27:31 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (tss *transitSealServer) makeSeal(t *testing.T, key string) vault.Seal {
|
|
|
|
client := tss.Cores[0].Client
|
|
|
|
wrapperConfig := map[string]string{
|
|
|
|
"address": client.Address(),
|
|
|
|
"token": client.Token(),
|
|
|
|
"mount_path": "transit",
|
|
|
|
"key_name": key,
|
|
|
|
"tls_ca_cert": tss.CACertPEMFile,
|
|
|
|
}
|
|
|
|
transitSeal, _, err := commandseal.GetTransitKMSFunc(nil, wrapperConfig)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("error setting wrapper config: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return vault.NewAutoSeal(&seal.Access{
|
|
|
|
Wrapper: transitSeal,
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func verifyBarrierConfig(t *testing.T, cfg *vault.SealConfig, sealType string, shares, threshold, stored int) {
|
|
|
|
t.Helper()
|
|
|
|
if cfg.Type != sealType {
|
|
|
|
t.Fatalf("bad seal config: %#v, expected type=%q", cfg, sealType)
|
|
|
|
}
|
|
|
|
if cfg.SecretShares != shares {
|
|
|
|
t.Fatalf("bad seal config: %#v, expected SecretShares=%d", cfg, shares)
|
|
|
|
}
|
|
|
|
if cfg.SecretThreshold != threshold {
|
|
|
|
t.Fatalf("bad seal config: %#v, expected SecretThreshold=%d", cfg, threshold)
|
|
|
|
}
|
|
|
|
if cfg.StoredShares != stored {
|
|
|
|
t.Fatalf("bad seal config: %#v, expected StoredShares=%d", cfg, stored)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSealMigration_ShamirToAuto(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
t.Run("inmem", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
testSealMigrationShamirToAuto(t, teststorage.InmemBackendSetup)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("file", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
testSealMigrationShamirToAuto(t, teststorage.FileBackendSetup)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("consul", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
testSealMigrationShamirToAuto(t, teststorage.ConsulBackendSetup)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("raft", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
testSealMigrationShamirToAuto(t, teststorage.RaftBackendSetup)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func testSealMigrationShamirToAuto(t *testing.T, setup teststorage.ClusterSetupMutator) {
|
|
|
|
tcluster := newTransitSealServer(t)
|
|
|
|
defer tcluster.Cleanup()
|
|
|
|
|
|
|
|
conf, opts := teststorage.ClusterSetup(&vault.CoreConfig{
|
2020-01-21 17:24:33 +00:00
|
|
|
DisableSealWrap: true,
|
|
|
|
}, &vault.TestClusterOptions{
|
|
|
|
HandlerFunc: vaulthttp.Handler,
|
|
|
|
SkipInit: true,
|
2020-02-13 21:27:31 +00:00
|
|
|
NumCores: 3,
|
|
|
|
},
|
|
|
|
setup,
|
|
|
|
)
|
|
|
|
opts.SetupFunc = nil
|
|
|
|
cluster := vault.NewTestCluster(t, conf, opts)
|
|
|
|
tcluster.makeKey(t, "key1")
|
|
|
|
autoSeal := tcluster.makeSeal(t, "key1")
|
2020-01-21 17:24:33 +00:00
|
|
|
cluster.Start()
|
|
|
|
defer cluster.Cleanup()
|
|
|
|
|
|
|
|
client := cluster.Cores[0].Client
|
|
|
|
initResp, err := client.Sys().Init(&api.InitRequest{
|
2020-02-13 21:27:31 +00:00
|
|
|
SecretShares: 5,
|
|
|
|
SecretThreshold: 3,
|
2020-01-21 17:24:33 +00:00
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
var resp *api.SealStatusResponse
|
|
|
|
for _, key := range initResp.KeysB64 {
|
|
|
|
resp, err = client.Sys().UnsealWithOptions(&api.UnsealOpts{Key: key})
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
if resp == nil || !resp.Sealed {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if resp == nil || resp.Sealed {
|
|
|
|
t.Fatalf("expected unsealed state; got %#v", resp)
|
|
|
|
}
|
2020-01-21 17:24:33 +00:00
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
testhelpers.WaitForActiveNode(t, cluster)
|
2020-01-21 17:24:33 +00:00
|
|
|
rootToken := initResp.RootToken
|
|
|
|
client.SetToken(rootToken)
|
|
|
|
if err := client.Sys().Seal(); err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
if err := adjustCoreForSealMigration(cluster.Logger, cluster.Cores[0].Core, autoSeal, nil); err != nil {
|
2020-01-21 17:24:33 +00:00
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
for _, key := range initResp.KeysB64 {
|
|
|
|
resp, err = client.Sys().UnsealWithOptions(&api.UnsealOpts{Key: key})
|
2020-01-21 17:24:33 +00:00
|
|
|
if err == nil {
|
|
|
|
t.Fatal("expected error due to lack of migrate parameter")
|
|
|
|
}
|
2020-02-13 21:27:31 +00:00
|
|
|
resp, err = client.Sys().UnsealWithOptions(&api.UnsealOpts{Key: key, Migrate: true})
|
2020-01-21 17:24:33 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
2020-02-13 21:27:31 +00:00
|
|
|
if resp == nil || !resp.Sealed {
|
2020-01-21 17:24:33 +00:00
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
2020-02-13 21:27:31 +00:00
|
|
|
if resp == nil || resp.Sealed {
|
|
|
|
t.Fatalf("expected unsealed state; got %#v", resp)
|
2020-01-21 17:24:33 +00:00
|
|
|
}
|
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
testhelpers.WaitForActiveNode(t, cluster)
|
2020-01-21 17:24:33 +00:00
|
|
|
// Seal and unseal again to verify that things are working fine
|
|
|
|
if err := client.Sys().Seal(); err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
2020-02-13 21:27:31 +00:00
|
|
|
|
|
|
|
// Now the barrier unseal keys are actually the recovery keys.
|
|
|
|
// Seal the transit cluster; we expect the unseal of our other cluster
|
|
|
|
// to fail as a result.
|
|
|
|
tcluster.EnsureCoresSealed(t)
|
|
|
|
for _, key := range initResp.KeysB64 {
|
|
|
|
resp, err = client.Sys().UnsealWithOptions(&api.UnsealOpts{Key: key})
|
2020-01-21 17:24:33 +00:00
|
|
|
if err != nil {
|
2020-02-13 21:27:31 +00:00
|
|
|
break
|
2020-01-21 17:24:33 +00:00
|
|
|
}
|
2020-02-13 21:27:31 +00:00
|
|
|
if resp == nil || !resp.Sealed {
|
2020-01-21 17:24:33 +00:00
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
2020-02-13 21:27:31 +00:00
|
|
|
if err == nil || resp != nil {
|
|
|
|
t.Fatalf("expected sealed state; got %#v", resp)
|
2020-01-21 17:24:33 +00:00
|
|
|
}
|
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
tcluster.UnsealCores(t)
|
|
|
|
for _, key := range initResp.KeysB64 {
|
|
|
|
resp, err = client.Sys().UnsealWithOptions(&api.UnsealOpts{Key: key})
|
2018-10-23 06:34:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
2020-02-13 21:27:31 +00:00
|
|
|
if resp == nil || !resp.Sealed {
|
|
|
|
break
|
2018-10-23 06:34:02 +00:00
|
|
|
}
|
2020-02-13 21:27:31 +00:00
|
|
|
}
|
|
|
|
if resp == nil || resp.Sealed {
|
|
|
|
t.Fatalf("expected unsealed state; got %#v", resp)
|
2018-10-23 06:34:02 +00:00
|
|
|
}
|
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
// Make sure the seal configs were updated correctly
|
|
|
|
b, r, err := cluster.Cores[0].Core.PhysicalSealConfigs(context.Background())
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
verifyBarrierConfig(t, b, wrapping.Transit, 1, 1, 1)
|
|
|
|
verifyBarrierConfig(t, r, wrapping.Shamir, 5, 3, 0)
|
|
|
|
}
|
2018-10-23 06:34:02 +00:00
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
/*
|
|
|
|
func TestSealMigration_AutoToAuto(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
t.Run("inmem", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
testSealMigrationAutoToAuto(t, teststorage.InmemBackendSetup)
|
|
|
|
})
|
2018-10-23 06:34:02 +00:00
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
t.Run("file", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
testSealMigrationAutoToAuto(t, teststorage.FileBackendSetup)
|
|
|
|
})
|
2018-10-23 06:34:02 +00:00
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
t.Run("consul", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
testSealMigrationAutoToAuto(t, teststorage.ConsulBackendSetup)
|
|
|
|
})
|
2018-10-23 06:34:02 +00:00
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
t.Run("raft", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
testSealMigrationAutoToAuto(t, teststorage.RaftBackendSetup)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
*/
|
2018-10-23 06:34:02 +00:00
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
func testSealMigrationAutoToAuto(t *testing.T, setup teststorage.ClusterSetupMutator) {
|
|
|
|
tcluster := newTransitSealServer(t)
|
|
|
|
defer tcluster.Cleanup()
|
|
|
|
tcluster.makeKey(t, "key1")
|
|
|
|
tcluster.makeKey(t, "key2")
|
|
|
|
var seals []vault.Seal
|
2020-01-21 17:24:33 +00:00
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
conf, opts := teststorage.ClusterSetup(&vault.CoreConfig{
|
|
|
|
DisableSealWrap: true,
|
|
|
|
}, &vault.TestClusterOptions{
|
|
|
|
HandlerFunc: vaulthttp.Handler,
|
|
|
|
SkipInit: true,
|
|
|
|
NumCores: 3,
|
|
|
|
SealFunc: func() vault.Seal {
|
|
|
|
tseal := tcluster.makeSeal(t, "key1")
|
|
|
|
seals = append(seals, tseal)
|
|
|
|
return tseal
|
|
|
|
},
|
|
|
|
},
|
|
|
|
setup,
|
|
|
|
)
|
|
|
|
opts.SetupFunc = nil
|
|
|
|
cluster := vault.NewTestCluster(t, conf, opts)
|
|
|
|
cluster.Start()
|
|
|
|
defer cluster.Cleanup()
|
2020-01-21 17:24:33 +00:00
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
client := cluster.Cores[0].Client
|
|
|
|
initResp, err := client.Sys().Init(&api.InitRequest{
|
|
|
|
RecoveryShares: 5,
|
|
|
|
RecoveryThreshold: 3,
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
rootToken := initResp.RootToken
|
|
|
|
client.SetToken(rootToken)
|
|
|
|
for _, k := range initResp.RecoveryKeysB64 {
|
|
|
|
b, _ := base64.RawStdEncoding.DecodeString(k)
|
|
|
|
cluster.RecoveryKeys = append(cluster.RecoveryKeys, b)
|
2018-10-23 06:34:02 +00:00
|
|
|
}
|
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
testhelpers.WaitForActiveNode(t, cluster)
|
2018-10-23 06:34:02 +00:00
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
if err := client.Sys().Seal(); err != nil {
|
|
|
|
t.Fatal(err)
|
2018-10-23 06:34:02 +00:00
|
|
|
}
|
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
logger := cluster.Logger.Named("shamir")
|
|
|
|
autoSeal2 := tcluster.makeSeal(t, "key2")
|
|
|
|
if err := adjustCoreForSealMigration(logger, cluster.Cores[0].Core, autoSeal2, seals[0]); err != nil {
|
|
|
|
t.Fatal(err)
|
2018-11-05 19:06:39 +00:00
|
|
|
}
|
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
// Although we're unsealing using the recovery keys, this is still an
|
|
|
|
// autounseal; if we stopped the transit cluster this would fail.
|
|
|
|
var resp *api.SealStatusResponse
|
|
|
|
for _, key := range initResp.RecoveryKeysB64 {
|
|
|
|
resp, err = client.Sys().UnsealWithOptions(&api.UnsealOpts{Key: key})
|
|
|
|
if err == nil {
|
|
|
|
t.Fatal("expected error due to lack of migrate parameter")
|
2020-01-21 17:24:33 +00:00
|
|
|
}
|
2020-02-13 21:27:31 +00:00
|
|
|
resp, err = client.Sys().UnsealWithOptions(&api.UnsealOpts{Key: key, Migrate: true})
|
2020-01-21 17:24:33 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
2020-02-13 21:27:31 +00:00
|
|
|
if resp == nil || !resp.Sealed {
|
|
|
|
break
|
2020-01-21 17:24:33 +00:00
|
|
|
}
|
2019-03-04 22:11:56 +00:00
|
|
|
}
|
2020-02-13 21:27:31 +00:00
|
|
|
if resp == nil || resp.Sealed {
|
|
|
|
t.Fatalf("expected unsealed state; got %#v", resp)
|
2018-10-23 06:34:02 +00:00
|
|
|
}
|
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
testhelpers.WaitForActiveNode(t, cluster)
|
2018-10-23 06:34:02 +00:00
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
// Seal and unseal again to verify that things are working fine
|
|
|
|
if err := client.Sys().Seal(); err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
2018-10-23 06:34:02 +00:00
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
// Delete the original seal's transit key.
|
|
|
|
_, err = tcluster.Cores[0].Client.Logical().Delete(path.Join("transit", "keys", "key1"))
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
2018-10-23 06:34:02 +00:00
|
|
|
|
2020-02-13 21:27:31 +00:00
|
|
|
err = cluster.Cores[0].Core.UnsealWithStoredKeys(context.Background())
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
2018-10-23 06:34:02 +00:00
|
|
|
}
|
|
|
|
}
|