2016-01-09 02:21:02 +00:00
|
|
|
package command
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/base64"
|
|
|
|
"encoding/hex"
|
|
|
|
"os"
|
|
|
|
"strings"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/hashicorp/go-uuid"
|
|
|
|
"github.com/hashicorp/vault/helper/pgpkeys"
|
|
|
|
"github.com/hashicorp/vault/helper/xor"
|
|
|
|
"github.com/hashicorp/vault/http"
|
|
|
|
"github.com/hashicorp/vault/logical"
|
2016-04-01 17:16:05 +00:00
|
|
|
"github.com/hashicorp/vault/meta"
|
2016-01-09 02:21:02 +00:00
|
|
|
"github.com/hashicorp/vault/vault"
|
|
|
|
"github.com/mitchellh/cli"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestGenerateRoot_Cancel(t *testing.T) {
|
2017-01-17 20:43:10 +00:00
|
|
|
core, _, _ := vault.TestCoreUnsealed(t)
|
2016-01-09 02:21:02 +00:00
|
|
|
ln, addr := http.TestServer(t, core)
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
ui := new(cli.MockUi)
|
|
|
|
c := &GenerateRootCommand{
|
2016-04-01 17:16:05 +00:00
|
|
|
Meta: meta.Meta{
|
2016-01-09 02:21:02 +00:00
|
|
|
Ui: ui,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2016-01-15 15:55:35 +00:00
|
|
|
otpBytes, err := vault.GenerateRandBytes(16)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
otp := base64.StdEncoding.EncodeToString(otpBytes)
|
|
|
|
|
|
|
|
args := []string{"-address", addr, "-init", "-otp", otp}
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
}
|
|
|
|
|
|
|
|
args = []string{"-address", addr, "-cancel"}
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
}
|
|
|
|
|
2016-01-15 15:55:35 +00:00
|
|
|
config, err := core.GenerateRootConfiguration()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
|
|
|
if config != nil {
|
|
|
|
t.Fatal("should not have a config for root generation")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestGenerateRoot_status(t *testing.T) {
|
2017-01-17 20:43:10 +00:00
|
|
|
core, _, _ := vault.TestCoreUnsealed(t)
|
2016-01-09 02:21:02 +00:00
|
|
|
ln, addr := http.TestServer(t, core)
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
ui := new(cli.MockUi)
|
|
|
|
c := &GenerateRootCommand{
|
2016-04-01 17:16:05 +00:00
|
|
|
Meta: meta.Meta{
|
2016-01-09 02:21:02 +00:00
|
|
|
Ui: ui,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2016-01-15 15:55:35 +00:00
|
|
|
otpBytes, err := vault.GenerateRandBytes(16)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
otp := base64.StdEncoding.EncodeToString(otpBytes)
|
|
|
|
|
|
|
|
args := []string{"-address", addr, "-init", "-otp", otp}
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
}
|
|
|
|
|
|
|
|
args = []string{"-address", addr, "-status"}
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
}
|
|
|
|
|
|
|
|
if !strings.Contains(string(ui.OutputWriter.Bytes()), "Started: true") {
|
|
|
|
t.Fatalf("bad: %s", ui.OutputWriter.String())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestGenerateRoot_OTP(t *testing.T) {
|
2017-01-17 20:43:10 +00:00
|
|
|
core, ts, keys, _ := vault.TestCoreWithTokenStore(t)
|
2016-01-09 02:21:02 +00:00
|
|
|
ln, addr := http.TestServer(t, core)
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
ui := new(cli.MockUi)
|
|
|
|
c := &GenerateRootCommand{
|
2016-04-01 17:16:05 +00:00
|
|
|
Meta: meta.Meta{
|
2016-01-09 02:21:02 +00:00
|
|
|
Ui: ui,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
// Generate an OTP
|
2016-01-15 15:55:35 +00:00
|
|
|
otpBytes, err := vault.GenerateRandBytes(16)
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
otp := base64.StdEncoding.EncodeToString(otpBytes)
|
|
|
|
|
|
|
|
// Init the attempt
|
|
|
|
args := []string{
|
|
|
|
"-address", addr,
|
|
|
|
"-init",
|
|
|
|
"-otp", otp,
|
|
|
|
}
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
}
|
|
|
|
|
2016-01-15 15:55:35 +00:00
|
|
|
config, err := core.GenerateRootConfiguration()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2017-01-17 20:43:10 +00:00
|
|
|
for _, key := range keys {
|
|
|
|
ui = new(cli.MockUi)
|
|
|
|
c = &GenerateRootCommand{
|
|
|
|
Key: hex.EncodeToString(key),
|
|
|
|
Meta: meta.Meta{
|
|
|
|
Ui: ui,
|
|
|
|
},
|
|
|
|
}
|
2016-01-09 02:21:02 +00:00
|
|
|
|
2017-01-17 20:43:10 +00:00
|
|
|
c.Nonce = config.Nonce
|
|
|
|
|
|
|
|
// Provide the key
|
|
|
|
args = []string{
|
|
|
|
"-address", addr,
|
|
|
|
}
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
}
|
2016-01-09 02:21:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
beforeNAfter := strings.Split(ui.OutputWriter.String(), "Encoded root token: ")
|
|
|
|
if len(beforeNAfter) != 2 {
|
|
|
|
t.Fatalf("did not find encoded root token in %s", ui.OutputWriter.String())
|
|
|
|
}
|
|
|
|
encodedToken := strings.TrimSpace(beforeNAfter[1])
|
|
|
|
|
|
|
|
decodedToken, err := xor.XORBase64(encodedToken, otp)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
token, err := uuid.FormatUUID(decodedToken)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.ReadOperation, "lookup-self")
|
|
|
|
req.ClientToken = token
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("error running token lookup-self: %v", err)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("got nil resp with token lookup-self")
|
|
|
|
}
|
|
|
|
if resp.Data == nil {
|
|
|
|
t.Fatalf("got nil resp.Data with token lookup-self")
|
|
|
|
}
|
|
|
|
|
|
|
|
if resp.Data["orphan"].(bool) != true ||
|
|
|
|
resp.Data["ttl"].(int64) != 0 ||
|
|
|
|
resp.Data["num_uses"].(int) != 0 ||
|
2016-01-23 02:26:06 +00:00
|
|
|
resp.Data["meta"].(map[string]string) != nil ||
|
2016-01-09 02:21:02 +00:00
|
|
|
len(resp.Data["policies"].([]string)) != 1 ||
|
|
|
|
resp.Data["policies"].([]string)[0] != "root" {
|
|
|
|
t.Fatalf("bad: %#v", resp.Data)
|
|
|
|
}
|
2016-01-21 17:18:57 +00:00
|
|
|
|
|
|
|
// Clear the output and run a decode to verify we get the same result
|
|
|
|
ui.OutputWriter.Reset()
|
|
|
|
args = []string{
|
|
|
|
"-address", addr,
|
|
|
|
"-decode", encodedToken,
|
|
|
|
"-otp", otp,
|
|
|
|
}
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
}
|
|
|
|
beforeNAfter = strings.Split(ui.OutputWriter.String(), "Root token: ")
|
|
|
|
if len(beforeNAfter) != 2 {
|
|
|
|
t.Fatalf("did not find decoded root token in %s", ui.OutputWriter.String())
|
|
|
|
}
|
|
|
|
|
|
|
|
outToken := strings.TrimSpace(beforeNAfter[1])
|
|
|
|
if outToken != token {
|
|
|
|
t.Fatalf("tokens do not match:\n%s\n%s", token, outToken)
|
|
|
|
}
|
2016-01-09 02:21:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func TestGenerateRoot_PGP(t *testing.T) {
|
2017-01-17 20:43:10 +00:00
|
|
|
core, ts, keys, _ := vault.TestCoreWithTokenStore(t)
|
2016-01-09 02:21:02 +00:00
|
|
|
ln, addr := http.TestServer(t, core)
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
ui := new(cli.MockUi)
|
|
|
|
c := &GenerateRootCommand{
|
2016-04-01 17:16:05 +00:00
|
|
|
Meta: meta.Meta{
|
2016-01-09 02:21:02 +00:00
|
|
|
Ui: ui,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
tempDir, pubFiles, err := getPubKeyFiles(t)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
defer os.RemoveAll(tempDir)
|
|
|
|
|
|
|
|
// Init the attempt
|
|
|
|
args := []string{
|
|
|
|
"-address", addr,
|
|
|
|
"-init",
|
|
|
|
"-pgp-key", pubFiles[0],
|
|
|
|
}
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
}
|
|
|
|
|
2016-01-15 15:55:35 +00:00
|
|
|
config, err := core.GenerateRootConfiguration()
|
2016-01-09 02:21:02 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2017-01-17 20:43:10 +00:00
|
|
|
for _, key := range keys {
|
|
|
|
c = &GenerateRootCommand{
|
|
|
|
Key: hex.EncodeToString(key),
|
|
|
|
Meta: meta.Meta{
|
|
|
|
Ui: ui,
|
|
|
|
},
|
|
|
|
}
|
2016-01-09 02:21:02 +00:00
|
|
|
|
2017-01-17 20:43:10 +00:00
|
|
|
c.Nonce = config.Nonce
|
|
|
|
|
|
|
|
// Provide the key
|
|
|
|
args = []string{
|
|
|
|
"-address", addr,
|
|
|
|
}
|
|
|
|
if code := c.Run(args); code != 0 {
|
|
|
|
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
|
|
|
}
|
2016-01-09 02:21:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
beforeNAfter := strings.Split(ui.OutputWriter.String(), "Encoded root token: ")
|
|
|
|
if len(beforeNAfter) != 2 {
|
|
|
|
t.Fatalf("did not find encoded root token in %s", ui.OutputWriter.String())
|
|
|
|
}
|
|
|
|
encodedToken := strings.TrimSpace(beforeNAfter[1])
|
|
|
|
|
|
|
|
ptBuf, err := pgpkeys.DecryptBytes(encodedToken, pgpkeys.TestPrivKey1)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
if ptBuf == nil {
|
|
|
|
t.Fatal("returned plain text buffer is nil")
|
|
|
|
}
|
|
|
|
|
|
|
|
token := ptBuf.String()
|
|
|
|
|
|
|
|
req := logical.TestRequest(t, logical.ReadOperation, "lookup-self")
|
|
|
|
req.ClientToken = token
|
|
|
|
|
|
|
|
resp, err := ts.HandleRequest(req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("error running token lookup-self: %v", err)
|
|
|
|
}
|
|
|
|
if resp == nil {
|
|
|
|
t.Fatalf("got nil resp with token lookup-self")
|
|
|
|
}
|
|
|
|
if resp.Data == nil {
|
|
|
|
t.Fatalf("got nil resp.Data with token lookup-self")
|
|
|
|
}
|
|
|
|
|
|
|
|
if resp.Data["orphan"].(bool) != true ||
|
|
|
|
resp.Data["ttl"].(int64) != 0 ||
|
|
|
|
resp.Data["num_uses"].(int) != 0 ||
|
2016-01-23 02:26:06 +00:00
|
|
|
resp.Data["meta"].(map[string]string) != nil ||
|
2016-01-09 02:21:02 +00:00
|
|
|
len(resp.Data["policies"].([]string)) != 1 ||
|
|
|
|
resp.Data["policies"].([]string)[0] != "root" {
|
|
|
|
t.Fatalf("bad: %#v", resp.Data)
|
|
|
|
}
|
|
|
|
}
|