open-vault/builtin/logical/transit/policy_test.go

package transit

import (
	"reflect"
	"testing"

	"github.com/hashicorp/vault/logical"
)

var (
	keysArchive []KeyEntry
)

func resetKeysArchive() {
	keysArchive = []KeyEntry{KeyEntry{}}
}

func Test_KeyUpgrade(t *testing.T) {
	storage := &logical.InmemStorage{}
	policies := &policyCache{
		cache: map[string]*lockingPolicy{},
	}
	lp, err := policies.generatePolicy(storage, "test", false)
	if err != nil {
		t.Fatal(err)
	}
	if lp == nil {
		t.Fatal("nil policy")
	}

	policy := lp.policy

	testBytes := make([]byte, len(policy.Keys[1].Key))
	copy(testBytes, policy.Keys[1].Key)

	policy.Key = policy.Keys[1].Key
	policy.Keys = nil
	policy.migrateKeyToKeysMap()
	if policy.Key != nil {
		t.Fatal("policy.Key is not nil")
	}
	if len(policy.Keys) != 1 {
		t.Fatal("policy.Keys is the wrong size")
	}
	if !reflect.DeepEqual(testBytes, policy.Keys[1].Key) {
		t.Fatal("key mismatch")
	}
}

func Test_ArchivingUpgrade(t *testing.T) {
	resetKeysArchive()

	// First, we generate a policy and rotate it a number of times. Each time
	// we'll ensure that we have the expected number of keys in the archive and
	// the main keys object, which without changing the min version should be
	// zero and latest, respectively

	storage := &logical.InmemStorage{}
	policies := &policyCache{
		cache: map[string]*lockingPolicy{},
	}

	lp, err := policies.generatePolicy(storage, "test", false)
	if err != nil {
		t.Fatal(err)
	}
	if lp == nil {
		t.Fatal("policy is nil")
	}

	policy := lp.policy

	// Store the initial key in the archive
	keysArchive = append(keysArchive, policy.Keys[1])
	checkKeys(t, policy, storage, "initial", 1, 1, 1)

	for i := 2; i <= 10; i++ {
		err = policy.rotate(storage)
		if err != nil {
			t.Fatal(err)
		}
		keysArchive = append(keysArchive, policy.Keys[i])
		checkKeys(t, policy, storage, "rotate", i, i, i)
	}

	// Now, wipe the archive and set the archive version to zero
	err = storage.Delete("archive/test")
	if err != nil {
		t.Fatal(err)
	}
	policy.ArchiveVersion = 0

	// Store it, but without calling persist, so we don't trigger
	// handleArchiving()
	buf, err := policy.Serialize()
	if err != nil {
		t.Fatal(err)
	}

	// Write the policy into storage
	err = storage.Put(&logical.StorageEntry{
		Key:   "policy/" + policy.Name,
		Value: buf,
	})
	if err != nil {
		t.Fatal(err)
	}

	// Expire from the cache since we modified it under-the-hood
	delete(policies.cache, "test")

	// Now get the policy again; the upgrade should happen automatically
	lp, err = policies.getPolicy(&logical.Request{
		Storage: storage,
	}, "test")
	if err != nil {
		t.Fatal(err)
	}
	if lp == nil {
		t.Fatal("policy is nil")
	}

	policy = lp.policy

	checkKeys(t, policy, storage, "upgrade", 10, 10, 10)
}

func Test_Archiving(t *testing.T) {
	resetKeysArchive()

	// First, we generate a policy and rotate it a number of times. Each time
	// we'll ensure that we have the expected number of keys in the archive and
	// the main keys object, which without changing the min version should be
	// zero and latest, respectively

	storage := &logical.InmemStorage{}

	policies := &policyCache{
		cache: map[string]*lockingPolicy{},
	}

	lp, err := policies.generatePolicy(storage, "test", false)
	if err != nil {
		t.Fatal(err)
	}
	if lp == nil {
		t.Fatal("policy is nil")
	}

	policy := lp.policy

	// Store the initial key in the archive
	keysArchive = append(keysArchive, policy.Keys[1])
	checkKeys(t, policy, storage, "initial", 1, 1, 1)

	for i := 2; i <= 10; i++ {
		err = policy.rotate(storage)
		if err != nil {
			t.Fatal(err)
		}
		keysArchive = append(keysArchive, policy.Keys[i])
		checkKeys(t, policy, storage, "rotate", i, i, i)
	}

	// Move the min decryption version up
	for i := 1; i <= 10; i++ {
		policy.MinDecryptionVersion = i

		err = policy.Persist(storage)
		if err != nil {
			t.Fatal(err)
		}
		// We expect to find:
		// * The keys in archive are the same as the latest version
		// * The latest version is constant
		// * The number of keys in the policy itself is from the min
		// decryption version up to the latest version, so for e.g. 7 and
		// 10, you'd need 7, 8, 9, and 10 -- IOW, latest version - min
		// decryption version plus 1 (the min decryption version key
		// itself)
		checkKeys(t, policy, storage, "minadd", 10, 10, policy.LatestVersion-policy.MinDecryptionVersion+1)
	}

	// Move the min decryption version down
	for i := 10; i >= 1; i-- {
		policy.MinDecryptionVersion = i

		err = policy.Persist(storage)
		if err != nil {
			t.Fatal(err)
		}
		// We expect to find:
		// * The keys in archive are never removed so same as the latest version
		// * The latest version is constant
		// * The number of keys in the policy itself is from the min
		// decryption version up to the latest version, so for e.g. 7 and
		// 10, you'd need 7, 8, 9, and 10 -- IOW, latest version - min
		// decryption version plus 1 (the min decryption version key
		// itself)
		checkKeys(t, policy, storage, "minsub", 10, 10, policy.LatestVersion-policy.MinDecryptionVersion+1)
	}
}

func checkKeys(t *testing.T,
	policy *Policy,
	storage logical.Storage,
	action string,
	archiveVer, latestVer, keysSize int) {

	// Sanity check
	if len(keysArchive) != latestVer+1 {
		t.Fatalf("latest expected key version is %d, expected test keys archive size is %d, "+
			"but keys archive is of size %d", latestVer, latestVer+1, len(keysArchive))
	}

	archive, err := policy.loadArchive(storage)
	if err != nil {
		t.Fatal(err)
	}

	badArchiveVer := false
	if archiveVer == 0 {
		if len(archive.Keys) != 0 || policy.ArchiveVersion != 0 {
			badArchiveVer = true
		}
	} else {
		// We need to subtract one because we have the indexes match key
		// versions, which start at 1. So for an archive version of 1, we
		// actually have two entries -- a blank 0 entry, and the key at spot 1
		if archiveVer != len(archive.Keys)-1 || archiveVer != policy.ArchiveVersion {
			badArchiveVer = true
		}
	}
	if badArchiveVer {
		t.Fatalf(
			"expected archive version %d, found length of archive keys %d and policy archive version %d",
			archiveVer, len(archive.Keys), policy.ArchiveVersion,
		)
	}

	if latestVer != policy.LatestVersion {
		t.Fatalf(
			"expected latest version %d, found %d",
			latestVer, policy.LatestVersion,
		)
	}

	if keysSize != len(policy.Keys) {
		t.Fatalf(
			"expected keys size %d, found %d, action is %s, policy is \n%#v\n",
			keysSize, len(policy.Keys), action, policy,
		)
	}

	for i := policy.MinDecryptionVersion; i <= policy.LatestVersion; i++ {
		if _, ok := policy.Keys[i]; !ok {
			t.Fatalf(
				"expected key %d, did not find it in policy keys", i,
			)
		}
	}

	for i := policy.MinDecryptionVersion; i <= policy.LatestVersion; i++ {
		if !reflect.DeepEqual(policy.Keys[i], keysArchive[i]) {
			t.Fatalf("key %d not equivalent between policy keys and test keys archive", i)
		}
	}

	for i := 1; i < len(archive.Keys); i++ {
		if !reflect.DeepEqual(archive.Keys[i].Key, keysArchive[i].Key) {
			t.Fatalf("key %d not equivalent between policy archive and test keys archive", i)
		}
	}
}
Add unit tests 2016-01-26 17:23:42 +00:00			`package transit`

			`import (`
			`"reflect"`
			`"testing"`

			`"github.com/hashicorp/vault/logical"`
			`)`

			`var (`
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`keysArchive []KeyEntry`
Add unit tests 2016-01-26 17:23:42 +00:00			`)`

Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`func resetKeysArchive() {`
			`keysArchive = []KeyEntry{KeyEntry{}}`
			`}`

Address review feedback 2016-01-27 01:21:58 +00:00			`func Test_KeyUpgrade(t *testing.T) {`
			`storage := &logical.InmemStorage{}`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`policies := &policyCache{`
			`cache: map[string]*lockingPolicy{},`
			`}`
			`lp, err := policies.generatePolicy(storage, "test", false)`
Address review feedback 2016-01-27 01:21:58 +00:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`if lp == nil {`
Address review feedback 2016-01-27 01:21:58 +00:00			`t.Fatal("nil policy")`
			`}`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`policy := lp.policy`

Address review feedback 2016-01-27 01:21:58 +00:00			`testBytes := make([]byte, len(policy.Keys[1].Key))`
			`copy(testBytes, policy.Keys[1].Key)`

			`policy.Key = policy.Keys[1].Key`
			`policy.Keys = nil`
			`policy.migrateKeyToKeysMap()`
			`if policy.Key != nil {`
			`t.Fatal("policy.Key is not nil")`
			`}`
			`if len(policy.Keys) != 1 {`
			`t.Fatal("policy.Keys is the wrong size")`
			`}`
			`if !reflect.DeepEqual(testBytes, policy.Keys[1].Key) {`
			`t.Fatal("key mismatch")`
			`}`
			`}`

Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`func Test_ArchivingUpgrade(t *testing.T) {`
			`resetKeysArchive()`

			`// First, we generate a policy and rotate it a number of times. Each time`
			`// we'll ensure that we have the expected number of keys in the archive and`
			`// the main keys object, which without changing the min version should be`
			`// zero and latest, respectively`

			`storage := &logical.InmemStorage{}`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`policies := &policyCache{`
			`cache: map[string]*lockingPolicy{},`
			`}`
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`lp, err := policies.generatePolicy(storage, "test", false)`
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`if lp == nil {`
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`t.Fatal("policy is nil")`
			`}`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`policy := lp.policy`

Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`// Store the initial key in the archive`
			`keysArchive = append(keysArchive, policy.Keys[1])`
			`checkKeys(t, policy, storage, "initial", 1, 1, 1)`

			`for i := 2; i <= 10; i++ {`
			`err = policy.rotate(storage)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`keysArchive = append(keysArchive, policy.Keys[i])`
			`checkKeys(t, policy, storage, "rotate", i, i, i)`
			`}`

			`// Now, wipe the archive and set the archive version to zero`
			`err = storage.Delete("archive/test")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`policy.ArchiveVersion = 0`

			`// Store it, but without calling persist, so we don't trigger`
			`// handleArchiving()`
			`buf, err := policy.Serialize()`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`// Write the policy into storage`
			`err = storage.Put(&logical.StorageEntry{`
			`Key: "policy/" + policy.Name,`
			`Value: buf,`
			`})`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`// Expire from the cache since we modified it under-the-hood`
			`delete(policies.cache, "test")`

Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`// Now get the policy again; the upgrade should happen automatically`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`lp, err = policies.getPolicy(&logical.Request{`
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`Storage: storage,`
			`}, "test")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`if lp == nil {`
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`t.Fatal("policy is nil")`
			`}`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`policy = lp.policy`

Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`checkKeys(t, policy, storage, "upgrade", 10, 10, 10)`
			`}`

Add unit tests 2016-01-26 17:23:42 +00:00			`func Test_Archiving(t *testing.T) {`
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive. 2016-01-27 17:02:32 +00:00			`resetKeysArchive()`

Add unit tests 2016-01-26 17:23:42 +00:00			`// First, we generate a policy and rotate it a number of times. Each time`
			`// we'll ensure that we have the expected number of keys in the archive and`
			`// the main keys object, which without changing the min version should be`
			`// zero and latest, respectively`

			`storage := &logical.InmemStorage{}`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`policies := &policyCache{`
			`cache: map[string]*lockingPolicy{},`
			`}`

			`lp, err := policies.generatePolicy(storage, "test", false)`
Add unit tests 2016-01-26 17:23:42 +00:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`if lp == nil {`
Add unit tests 2016-01-26 17:23:42 +00:00			`t.Fatal("policy is nil")`
			`}`

Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU. 2016-01-27 21:24:11 +00:00			`policy := lp.policy`

Add unit tests 2016-01-26 17:23:42 +00:00			`// Store the initial key in the archive`
			`keysArchive = append(keysArchive, policy.Keys[1])`
Store all keys in archive always 2016-01-26 22:14:21 +00:00			`checkKeys(t, policy, storage, "initial", 1, 1, 1)`
Add unit tests 2016-01-26 17:23:42 +00:00
			`for i := 2; i <= 10; i++ {`
			`err = policy.rotate(storage)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`keysArchive = append(keysArchive, policy.Keys[i])`
Store all keys in archive always 2016-01-26 22:14:21 +00:00			`checkKeys(t, policy, storage, "rotate", i, i, i)`
Add unit tests 2016-01-26 17:23:42 +00:00			`}`

			`// Move the min decryption version up`
			`for i := 1; i <= 10; i++ {`
			`policy.MinDecryptionVersion = i`

			`err = policy.Persist(storage)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`// We expect to find:`
Store all keys in archive always 2016-01-26 22:14:21 +00:00			`// * The keys in archive are the same as the latest version`
Add unit tests 2016-01-26 17:23:42 +00:00			`// * The latest version is constant`
			`// * The number of keys in the policy itself is from the min`
			`// decryption version up to the latest version, so for e.g. 7 and`
			`// 10, you'd need 7, 8, 9, and 10 -- IOW, latest version - min`
			`// decryption version plus 1 (the min decryption version key`
			`// itself)`
Store all keys in archive always 2016-01-26 22:14:21 +00:00			`checkKeys(t, policy, storage, "minadd", 10, 10, policy.LatestVersion-policy.MinDecryptionVersion+1)`
Add unit tests 2016-01-26 17:23:42 +00:00			`}`

			`// Move the min decryption version down`
			`for i := 10; i >= 1; i-- {`
			`policy.MinDecryptionVersion = i`

			`err = policy.Persist(storage)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`// We expect to find:`
Store all keys in archive always 2016-01-26 22:14:21 +00:00			`// * The keys in archive are never removed so same as the latest version`
Add unit tests 2016-01-26 17:23:42 +00:00			`// * The latest version is constant`
			`// * The number of keys in the policy itself is from the min`
			`// decryption version up to the latest version, so for e.g. 7 and`
			`// 10, you'd need 7, 8, 9, and 10 -- IOW, latest version - min`
			`// decryption version plus 1 (the min decryption version key`
			`// itself)`
Store all keys in archive always 2016-01-26 22:14:21 +00:00			`checkKeys(t, policy, storage, "minsub", 10, 10, policy.LatestVersion-policy.MinDecryptionVersion+1)`
Add unit tests 2016-01-26 17:23:42 +00:00			`}`
			`}`

			`func checkKeys(t *testing.T,`
			`policy *Policy,`
			`storage logical.Storage,`
Store all keys in archive always 2016-01-26 22:14:21 +00:00			`action string,`
Add unit tests 2016-01-26 17:23:42 +00:00			`archiveVer, latestVer, keysSize int) {`

			`// Sanity check`
			`if len(keysArchive) != latestVer+1 {`
			`t.Fatalf("latest expected key version is %d, expected test keys archive size is %d, "+`
			`"but keys archive is of size %d", latestVer, latestVer+1, len(keysArchive))`
			`}`

			`archive, err := policy.loadArchive(storage)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`badArchiveVer := false`
			`if archiveVer == 0 {`
			`if len(archive.Keys) != 0 \|\| policy.ArchiveVersion != 0 {`
			`badArchiveVer = true`
			`}`
			`} else {`
			`// We need to subtract one because we have the indexes match key`
			`// versions, which start at 1. So for an archive version of 1, we`
			`// actually have two entries -- a blank 0 entry, and the key at spot 1`
			`if archiveVer != len(archive.Keys)-1 \|\| archiveVer != policy.ArchiveVersion {`
			`badArchiveVer = true`
			`}`
			`}`
			`if badArchiveVer {`
			`t.Fatalf(`
			`"expected archive version %d, found length of archive keys %d and policy archive version %d",`
			`archiveVer, len(archive.Keys), policy.ArchiveVersion,`
			`)`
			`}`

			`if latestVer != policy.LatestVersion {`
			`t.Fatalf(`
			`"expected latest version %d, found %d",`
			`latestVer, policy.LatestVersion,`
			`)`
			`}`

			`if keysSize != len(policy.Keys) {`
			`t.Fatalf(`
Store all keys in archive always 2016-01-26 22:14:21 +00:00			`"expected keys size %d, found %d, action is %s, policy is \n%#v\n",`
			`keysSize, len(policy.Keys), action, policy,`
Add unit tests 2016-01-26 17:23:42 +00:00			`)`
			`}`

			`for i := policy.MinDecryptionVersion; i <= policy.LatestVersion; i++ {`
			`if _, ok := policy.Keys[i]; !ok {`
			`t.Fatalf(`
			`"expected key %d, did not find it in policy keys", i,`
			`)`
			`}`
			`}`

			`for i := policy.MinDecryptionVersion; i <= policy.LatestVersion; i++ {`
			`if !reflect.DeepEqual(policy.Keys[i], keysArchive[i]) {`
			`t.Fatalf("key %d not equivalent between policy keys and test keys archive", i)`
			`}`
			`}`

			`for i := 1; i < len(archive.Keys); i++ {`
			`if !reflect.DeepEqual(archive.Keys[i].Key, keysArchive[i].Key) {`
			`t.Fatalf("key %d not equivalent between policy archive and test keys archive", i)`
			`}`
			`}`
			`}`