open-vault/helper/testhelpers/testhelpers.go

package testhelpers

import (
	"encoding/base64"
	"errors"
	"fmt"
	"math/rand"
	"net/http"
	"sync"
	"time"

	log "github.com/hashicorp/go-hclog"
	"github.com/hashicorp/vault/helper/consts"
	"github.com/hashicorp/vault/helper/xor"
	"github.com/hashicorp/vault/physical"
	"github.com/hashicorp/vault/physical/inmem"
	"github.com/hashicorp/vault/vault"
	testing "github.com/mitchellh/go-testing-interface"
)

type ReplicatedTestClusters struct {
	PerfPrimaryCluster     *vault.TestCluster
	PerfSecondaryCluster   *vault.TestCluster
	PerfPrimaryDRCluster   *vault.TestCluster
	PerfSecondaryDRCluster *vault.TestCluster
}

func (r *ReplicatedTestClusters) Cleanup() {
	r.PerfPrimaryCluster.Cleanup()
	r.PerfSecondaryCluster.Cleanup()
	r.PerfPrimaryDRCluster.Cleanup()
	r.PerfSecondaryDRCluster.Cleanup()
}

// Generates a root token on the target cluster.
func GenerateRoot(t testing.T, cluster *vault.TestCluster, drToken bool) string {
	token, err := GenerateRootWithError(t, cluster, drToken)
	if err != nil {
		t.Fatal(err)
	}
	return token
}

func GenerateRootWithError(t testing.T, cluster *vault.TestCluster, drToken bool) (string, error) {
	// If recovery keys supported, use those to perform root token generation instead
	var keys [][]byte
	if cluster.Cores[0].SealAccess().RecoveryKeySupported() {
		keys = cluster.RecoveryKeys
	} else {
		keys = cluster.BarrierKeys
	}

	client := cluster.Cores[0].Client
	f := client.Sys().GenerateRootInit
	if drToken {
		f = client.Sys().GenerateDROperationTokenInit
	}
	status, err := f("", "")
	if err != nil {
		return "", err
	}

	if status.Required > len(keys) {
		return "", fmt.Errorf("need more keys than have, need %d have %d", status.Required, len(keys))
	}

	otp := status.OTP

	for i, key := range keys {
		if i >= status.Required {
			break
		}
		f := client.Sys().GenerateRootUpdate
		if drToken {
			f = client.Sys().GenerateDROperationTokenUpdate
		}
		status, err = f(base64.StdEncoding.EncodeToString(key), status.Nonce)
		if err != nil {
			return "", err
		}
	}
	if !status.Complete {
		return "", errors.New("generate root operation did not end successfully")
	}

	tokenBytes, err := base64.RawStdEncoding.DecodeString(status.EncodedToken)
	if err != nil {
		return "", err
	}
	tokenBytes, err = xor.XORBytes(tokenBytes, []byte(otp))
	if err != nil {
		return "", err
	}
	return string(tokenBytes), nil
}

// RandomWithPrefix is used to generate a unique name with a prefix, for
// randomizing names in acceptance tests
func RandomWithPrefix(name string) string {
	return fmt.Sprintf("%s-%d", name, rand.New(rand.NewSource(time.Now().UnixNano())).Int())
}

func EnsureCoresUnsealed(t testing.T, c *vault.TestCluster) {
	t.Helper()
	for _, core := range c.Cores {
		if !core.Sealed() {
			continue
		}

		client := core.Client
		client.Sys().ResetUnsealProcess()
		for j := 0; j < len(c.BarrierKeys); j++ {
			statusResp, err := client.Sys().Unseal(base64.StdEncoding.EncodeToString(c.BarrierKeys[j]))
			if err != nil {
				// Sometimes when we get here it's already unsealed on its own
				// and then this fails for DR secondaries so check again
				if core.Sealed() {
					t.Fatal(err)
				}
				break
			}
			if statusResp == nil {
				t.Fatal("nil status response during unseal")
			}
			if !statusResp.Sealed {
				break
			}
		}
		if core.Sealed() {
			t.Fatal("core is still sealed")
		}
	}
}

func WaitForReplicationState(t testing.T, c *vault.Core, state consts.ReplicationState) {
	timeout := time.Now().Add(10 * time.Second)
	for {
		if time.Now().After(timeout) {
			t.Fatalf("timeout waiting for core to have state %d", uint32(state))
		}
		state := c.ReplicationState()
		if state.HasState(state) {
			break
		}
		time.Sleep(1 * time.Second)
	}
}

func GetClusterAndCore(t testing.T, logger log.Logger, handlerFunc func(*vault.HandlerProperties) http.Handler) (*vault.TestCluster, *vault.TestClusterCore) {
	inm, err := inmem.NewTransactionalInmem(nil, logger)
	if err != nil {
		t.Fatal(err)
	}
	inmha, err := inmem.NewInmemHA(nil, logger)
	if err != nil {
		t.Fatal(err)
	}

	coreConfig := &vault.CoreConfig{
		Physical:   inm,
		HAPhysical: inmha.(physical.HABackend),
	}

	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
		HandlerFunc: handlerFunc,
		Logger:      logger,
	})
	cluster.Start()

	cores := cluster.Cores
	core := cores[0]

	vault.TestWaitActive(t, core.Core)

	return cluster, core
}

func GetFourReplicatedClusters(t testing.T, handlerFunc func(*vault.HandlerProperties) http.Handler) *ReplicatedTestClusters {
	ret := &ReplicatedTestClusters{}

	logger := log.New(&log.LoggerOptions{
		Mutex: &sync.Mutex{},
		Level: log.Trace,
	})
	// Set this lower so that state populates quickly to standby nodes
	vault.HeartbeatInterval = 2 * time.Second

	ret.PerfPrimaryCluster, _ = GetClusterAndCore(t, logger.Named("perf-pri"), handlerFunc)

	ret.PerfSecondaryCluster, _ = GetClusterAndCore(t, logger.Named("perf-sec"), handlerFunc)

	ret.PerfPrimaryDRCluster, _ = GetClusterAndCore(t, logger.Named("perf-pri-dr"), handlerFunc)

	ret.PerfSecondaryDRCluster, _ = GetClusterAndCore(t, logger.Named("perf-sec-dr"), handlerFunc)

	SetupFourClusterReplication(t, ret.PerfPrimaryCluster, ret.PerfSecondaryCluster, ret.PerfPrimaryDRCluster, ret.PerfSecondaryDRCluster)

	// Wait until poison pills have been read
	time.Sleep(45 * time.Second)
	EnsureCoresUnsealed(t, ret.PerfPrimaryCluster)
	EnsureCoresUnsealed(t, ret.PerfSecondaryCluster)
	EnsureCoresUnsealed(t, ret.PerfPrimaryDRCluster)
	EnsureCoresUnsealed(t, ret.PerfSecondaryDRCluster)

	return ret
}

func SetupFourClusterReplication(t testing.T, perfPrimary, perfSecondary, perfDRSecondary, perfSecondaryDRSecondary *vault.TestCluster) {
	// Enable dr primary
	_, err := perfPrimary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/enable", nil)
	if err != nil {
		t.Fatal(err)
	}

	WaitForReplicationState(t, perfPrimary.Cores[0].Core, consts.ReplicationDRPrimary)

	// Enable performance primary
	_, err = perfPrimary.Cores[0].Client.Logical().Write("sys/replication/performance/primary/enable", nil)
	if err != nil {
		t.Fatal(err)
	}

	WaitForReplicationState(t, perfPrimary.Cores[0].Core, consts.ReplicationPerformancePrimary)

	// get dr token
	secret, err := perfPrimary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/secondary-token", map[string]interface{}{
		"id": "1",
	})
	if err != nil {
		t.Fatal(err)
	}
	token := secret.WrapInfo.Token

	// enable dr secondary
	secret, err = perfDRSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/secondary/enable", map[string]interface{}{
		"token":   token,
		"ca_file": perfPrimary.CACertPEMFile,
	})
	if err != nil {
		t.Fatal(err)
	}

	WaitForReplicationState(t, perfDRSecondary.Cores[0].Core, consts.ReplicationDRSecondary)
	perfDRSecondary.BarrierKeys = perfPrimary.BarrierKeys
	EnsureCoresUnsealed(t, perfDRSecondary)

	// get performance token
	secret, err = perfPrimary.Cores[0].Client.Logical().Write("sys/replication/performance/primary/secondary-token", map[string]interface{}{
		"id": "1",
	})
	if err != nil {
		t.Fatal(err)
	}

	token = secret.WrapInfo.Token

	// enable performace secondary
	secret, err = perfSecondary.Cores[0].Client.Logical().Write("sys/replication/performance/secondary/enable", map[string]interface{}{
		"token":   token,
		"ca_file": perfPrimary.CACertPEMFile,
	})
	if err != nil {
		t.Fatal(err)
	}

	WaitForReplicationState(t, perfSecondary.Cores[0].Core, consts.ReplicationPerformanceSecondary)
	time.Sleep(time.Second * 3)
	perfSecondary.BarrierKeys = perfPrimary.BarrierKeys

	EnsureCoresUnsealed(t, perfSecondary)
	rootToken := GenerateRoot(t, perfSecondary, false)
	perfSecondary.Cores[0].Client.SetToken(rootToken)

	// Enable dr primary on perf secondary
	_, err = perfSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/enable", nil)
	if err != nil {
		t.Fatal(err)
	}

	WaitForReplicationState(t, perfSecondary.Cores[0].Core, consts.ReplicationDRPrimary)

	// get dr token from perf secondary
	secret, err = perfSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/secondary-token", map[string]interface{}{
		"id": "1",
	})
	if err != nil {
		t.Fatal(err)
	}

	token = secret.WrapInfo.Token

	// enable dr secondary
	secret, err = perfSecondaryDRSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/secondary/enable", map[string]interface{}{
		"token":   token,
		"ca_file": perfSecondary.CACertPEMFile,
	})
	if err != nil {
		t.Fatal(err)
	}

	WaitForReplicationState(t, perfSecondaryDRSecondary.Cores[0].Core, consts.ReplicationDRSecondary)
	perfSecondaryDRSecondary.BarrierKeys = perfPrimary.BarrierKeys
	EnsureCoresUnsealed(t, perfSecondaryDRSecondary)

	perfDRSecondary.Cores[0].Client.SetToken(perfPrimary.Cores[0].Client.Token())
	perfSecondaryDRSecondary.Cores[0].Client.SetToken(rootToken)
}

func DeriveActiveCore(t testing.T, cluster *vault.TestCluster) *vault.TestClusterCore {
	for i := 0; i < 10; i++ {
		for _, core := range cluster.Cores {
			leaderResp, err := core.Client.Sys().Leader()
			if err != nil {
				t.Fatal(err)
			}
			if leaderResp.IsSelf {
				return core
			}
		}
		time.Sleep(1 * time.Second)
	}
	t.Fatal("could not derive the active core")
	return nil
}

func WaitForNCoresSealed(t testing.T, cluster *vault.TestCluster, n int) {
	for i := 0; i < 10; i++ {
		sealed := 0
		for _, core := range cluster.Cores {
			if core.Core.Sealed() {
				sealed++
			}
		}

		if sealed >= n {
			return
		}
		time.Sleep(time.Second)
	}

	t.Fatalf("%d cores were not sealed", n)
}
Finish api tests for verification 2018-05-20 23:01:24 +00:00			`package testhelpers`

			`import (`
			`"encoding/base64"`
			`"errors"`
			`"fmt"`
			`"math/rand"`
Update testhelpers to allow passing in custom handler 2019-01-22 22:16:26 +00:00			`"net/http"`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`"sync"`
[WIP] Support custom max Nomad token name length [supersedes https://github.com/hashicorp/vault/pull/4361] (#5117) * Nomad: updating max token length to 256 * Initial support for supporting custom max token name length for Nomad * simplify/correct tests * document nomad max_token_name_length * removed support for max token length env var. Rename field for clarity * cleanups after removing env var support * move RandomWithPrefix to testhelpers * fix spelling * Remove default 256 value. Use zero as a sentinel value and ignore it * update docs 2018-08-16 19:48:23 +00:00			`"time"`
Finish api tests for verification 2018-05-20 23:01:24 +00:00
Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`log "github.com/hashicorp/go-hclog"`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`"github.com/hashicorp/vault/helper/consts"`
Finish api tests for verification 2018-05-20 23:01:24 +00:00			`"github.com/hashicorp/vault/helper/xor"`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`"github.com/hashicorp/vault/physical"`
			`"github.com/hashicorp/vault/physical/inmem"`
Finish api tests for verification 2018-05-20 23:01:24 +00:00			`"github.com/hashicorp/vault/vault"`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`testing "github.com/mitchellh/go-testing-interface"`
Finish api tests for verification 2018-05-20 23:01:24 +00:00			`)`

Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`type ReplicatedTestClusters struct {`
			`PerfPrimaryCluster *vault.TestCluster`
			`PerfSecondaryCluster *vault.TestCluster`
			`PerfPrimaryDRCluster *vault.TestCluster`
			`PerfSecondaryDRCluster *vault.TestCluster`
			`}`

			`func (r *ReplicatedTestClusters) Cleanup() {`
			`r.PerfPrimaryCluster.Cleanup()`
			`r.PerfSecondaryCluster.Cleanup()`
			`r.PerfPrimaryDRCluster.Cleanup()`
			`r.PerfSecondaryDRCluster.Cleanup()`
			`}`

Finish api tests for verification 2018-05-20 23:01:24 +00:00			`// Generates a root token on the target cluster.`
			`func GenerateRoot(t testing.T, cluster *vault.TestCluster, drToken bool) string {`
			`token, err := GenerateRootWithError(t, cluster, drToken)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`return token`
			`}`

			`func GenerateRootWithError(t testing.T, cluster *vault.TestCluster, drToken bool) (string, error) {`
			`// If recovery keys supported, use those to perform root token generation instead`
			`var keys [][]byte`
			`if cluster.Cores[0].SealAccess().RecoveryKeySupported() {`
			`keys = cluster.RecoveryKeys`
			`} else {`
			`keys = cluster.BarrierKeys`
			`}`

			`client := cluster.Cores[0].Client`
			`f := client.Sys().GenerateRootInit`
			`if drToken {`
			`f = client.Sys().GenerateDROperationTokenInit`
			`}`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`status, err := f("", "")`
Finish api tests for verification 2018-05-20 23:01:24 +00:00			`if err != nil {`
			`return "", err`
			`}`

			`if status.Required > len(keys) {`
			`return "", fmt.Errorf("need more keys than have, need %d have %d", status.Required, len(keys))`
			`}`

The big one (#5346) 2018-09-18 03:03:00 +00:00			`otp := status.OTP`

Finish api tests for verification 2018-05-20 23:01:24 +00:00			`for i, key := range keys {`
			`if i >= status.Required {`
			`break`
			`}`
			`f := client.Sys().GenerateRootUpdate`
			`if drToken {`
			`f = client.Sys().GenerateDROperationTokenUpdate`
			`}`
			`status, err = f(base64.StdEncoding.EncodeToString(key), status.Nonce)`
			`if err != nil {`
			`return "", err`
			`}`
			`}`
			`if !status.Complete {`
			`return "", errors.New("generate root operation did not end successfully")`
			`}`
The big one (#5346) 2018-09-18 03:03:00 +00:00
			`tokenBytes, err := base64.RawStdEncoding.DecodeString(status.EncodedToken)`
Finish api tests for verification 2018-05-20 23:01:24 +00:00			`if err != nil {`
			`return "", err`
			`}`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`tokenBytes, err = xor.XORBytes(tokenBytes, []byte(otp))`
Finish api tests for verification 2018-05-20 23:01:24 +00:00			`if err != nil {`
			`return "", err`
			`}`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`return string(tokenBytes), nil`
Finish api tests for verification 2018-05-20 23:01:24 +00:00			`}`
[WIP] Support custom max Nomad token name length [supersedes https://github.com/hashicorp/vault/pull/4361] (#5117) * Nomad: updating max token length to 256 * Initial support for supporting custom max token name length for Nomad * simplify/correct tests * document nomad max_token_name_length * removed support for max token length env var. Rename field for clarity * cleanups after removing env var support * move RandomWithPrefix to testhelpers * fix spelling * Remove default 256 value. Use zero as a sentinel value and ignore it * update docs 2018-08-16 19:48:23 +00:00
			`// RandomWithPrefix is used to generate a unique name with a prefix, for`
			`// randomizing names in acceptance tests`
			`func RandomWithPrefix(name string) string {`
			`return fmt.Sprintf("%s-%d", name, rand.New(rand.NewSource(time.Now().UnixNano())).Int())`
			`}`
The big one (#5346) 2018-09-18 03:03:00 +00:00
			`func EnsureCoresUnsealed(t testing.T, c *vault.TestCluster) {`
			`t.Helper()`
			`for _, core := range c.Cores {`
			`if !core.Sealed() {`
			`continue`
			`}`

			`client := core.Client`
			`client.Sys().ResetUnsealProcess()`
			`for j := 0; j < len(c.BarrierKeys); j++ {`
			`statusResp, err := client.Sys().Unseal(base64.StdEncoding.EncodeToString(c.BarrierKeys[j]))`
			`if err != nil {`
			`// Sometimes when we get here it's already unsealed on its own`
			`// and then this fails for DR secondaries so check again`
			`if core.Sealed() {`
			`t.Fatal(err)`
			`}`
			`break`
			`}`
			`if statusResp == nil {`
			`t.Fatal("nil status response during unseal")`
			`}`
			`if !statusResp.Sealed {`
			`break`
			`}`
			`}`
			`if core.Sealed() {`
			`t.Fatal("core is still sealed")`
			`}`
			`}`
			`}`

			`func WaitForReplicationState(t testing.T, c *vault.Core, state consts.ReplicationState) {`
			`timeout := time.Now().Add(10 * time.Second)`
			`for {`
			`if time.Now().After(timeout) {`
			`t.Fatalf("timeout waiting for core to have state %d", uint32(state))`
			`}`
			`state := c.ReplicationState()`
			`if state.HasState(state) {`
			`break`
			`}`
			`time.Sleep(1 * time.Second)`
			`}`
			`}`

Update testhelpers to allow passing in custom handler 2019-01-22 22:16:26 +00:00			`func GetClusterAndCore(t testing.T, logger log.Logger, handlerFunc func(vault.HandlerProperties) http.Handler) (vault.TestCluster, *vault.TestClusterCore) {`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`inm, err := inmem.NewTransactionalInmem(nil, logger)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`inmha, err := inmem.NewInmemHA(nil, logger)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`coreConfig := &vault.CoreConfig{`
			`Physical: inm,`
			`HAPhysical: inmha.(physical.HABackend),`
			`}`

			`cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{`
Update testhelpers to allow passing in custom handler 2019-01-22 22:16:26 +00:00			`HandlerFunc: handlerFunc,`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`Logger: logger,`
			`})`
			`cluster.Start()`

			`cores := cluster.Cores`
			`core := cores[0]`

			`vault.TestWaitActive(t, core.Core)`

			`return cluster, core`
			`}`

Update testhelpers to allow passing in custom handler 2019-01-22 22:16:26 +00:00			`func GetFourReplicatedClusters(t testing.T, handlerFunc func(vault.HandlerProperties) http.Handler) ReplicatedTestClusters {`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`ret := &ReplicatedTestClusters{}`

			`logger := log.New(&log.LoggerOptions{`
			`Mutex: &sync.Mutex{},`
			`Level: log.Trace,`
			`})`
			`// Set this lower so that state populates quickly to standby nodes`
			`vault.HeartbeatInterval = 2 * time.Second`

Update testhelpers to allow passing in custom handler 2019-01-22 22:16:26 +00:00			`ret.PerfPrimaryCluster, _ = GetClusterAndCore(t, logger.Named("perf-pri"), handlerFunc)`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00
Update testhelpers to allow passing in custom handler 2019-01-22 22:16:26 +00:00			`ret.PerfSecondaryCluster, _ = GetClusterAndCore(t, logger.Named("perf-sec"), handlerFunc)`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00
Update testhelpers to allow passing in custom handler 2019-01-22 22:16:26 +00:00			`ret.PerfPrimaryDRCluster, _ = GetClusterAndCore(t, logger.Named("perf-pri-dr"), handlerFunc)`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00
Update testhelpers to allow passing in custom handler 2019-01-22 22:16:26 +00:00			`ret.PerfSecondaryDRCluster, _ = GetClusterAndCore(t, logger.Named("perf-sec-dr"), handlerFunc)`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00
			`SetupFourClusterReplication(t, ret.PerfPrimaryCluster, ret.PerfSecondaryCluster, ret.PerfPrimaryDRCluster, ret.PerfSecondaryDRCluster)`

			`// Wait until poison pills have been read`
			`time.Sleep(45 * time.Second)`
			`EnsureCoresUnsealed(t, ret.PerfPrimaryCluster)`
			`EnsureCoresUnsealed(t, ret.PerfSecondaryCluster)`
			`EnsureCoresUnsealed(t, ret.PerfPrimaryDRCluster)`
			`EnsureCoresUnsealed(t, ret.PerfSecondaryDRCluster)`

			`return ret`
			`}`

The big one (#5346) 2018-09-18 03:03:00 +00:00			`func SetupFourClusterReplication(t testing.T, perfPrimary, perfSecondary, perfDRSecondary, perfSecondaryDRSecondary *vault.TestCluster) {`
			`// Enable dr primary`
			`_, err := perfPrimary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/enable", nil)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`WaitForReplicationState(t, perfPrimary.Cores[0].Core, consts.ReplicationDRPrimary)`

			`// Enable performance primary`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`_, err = perfPrimary.Cores[0].Client.Logical().Write("sys/replication/performance/primary/enable", nil)`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`WaitForReplicationState(t, perfPrimary.Cores[0].Core, consts.ReplicationPerformancePrimary)`

			`// get dr token`
			`secret, err := perfPrimary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/secondary-token", map[string]interface{}{`
			`"id": "1",`
			`})`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`token := secret.WrapInfo.Token`

			`// enable dr secondary`
			`secret, err = perfDRSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/secondary/enable", map[string]interface{}{`
			`"token": token,`
			`"ca_file": perfPrimary.CACertPEMFile,`
			`})`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`WaitForReplicationState(t, perfDRSecondary.Cores[0].Core, consts.ReplicationDRSecondary)`
			`perfDRSecondary.BarrierKeys = perfPrimary.BarrierKeys`
			`EnsureCoresUnsealed(t, perfDRSecondary)`

			`// get performance token`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`secret, err = perfPrimary.Cores[0].Client.Logical().Write("sys/replication/performance/primary/secondary-token", map[string]interface{}{`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`"id": "1",`
			`})`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`token = secret.WrapInfo.Token`

			`// enable performace secondary`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`secret, err = perfSecondary.Cores[0].Client.Logical().Write("sys/replication/performance/secondary/enable", map[string]interface{}{`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`"token": token,`
			`"ca_file": perfPrimary.CACertPEMFile,`
			`})`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`WaitForReplicationState(t, perfSecondary.Cores[0].Core, consts.ReplicationPerformanceSecondary)`
			`time.Sleep(time.Second * 3)`
			`perfSecondary.BarrierKeys = perfPrimary.BarrierKeys`

			`EnsureCoresUnsealed(t, perfSecondary)`
			`rootToken := GenerateRoot(t, perfSecondary, false)`
			`perfSecondary.Cores[0].Client.SetToken(rootToken)`

			`// Enable dr primary on perf secondary`
			`_, err = perfSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/enable", nil)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`WaitForReplicationState(t, perfSecondary.Cores[0].Core, consts.ReplicationDRPrimary)`

			`// get dr token from perf secondary`
			`secret, err = perfSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/secondary-token", map[string]interface{}{`
			`"id": "1",`
			`})`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`token = secret.WrapInfo.Token`

			`// enable dr secondary`
			`secret, err = perfSecondaryDRSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/secondary/enable", map[string]interface{}{`
			`"token": token,`
			`"ca_file": perfSecondary.CACertPEMFile,`
			`})`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`WaitForReplicationState(t, perfSecondaryDRSecondary.Cores[0].Core, consts.ReplicationDRSecondary)`
			`perfSecondaryDRSecondary.BarrierKeys = perfPrimary.BarrierKeys`
			`EnsureCoresUnsealed(t, perfSecondaryDRSecondary)`

			`perfDRSecondary.Cores[0].Client.SetToken(perfPrimary.Cores[0].Client.Token())`
			`perfSecondaryDRSecondary.Cores[0].Client.SetToken(rootToken)`
			`}`

			`func DeriveActiveCore(t testing.T, cluster vault.TestCluster) vault.TestClusterCore {`
			`for i := 0; i < 10; i++ {`
			`for _, core := range cluster.Cores {`
			`leaderResp, err := core.Client.Sys().Leader()`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if leaderResp.IsSelf {`
			`return core`
			`}`
			`}`
			`time.Sleep(1 * time.Second)`
			`}`
			`t.Fatal("could not derive the active core")`
			`return nil`
			`}`

			`func WaitForNCoresSealed(t testing.T, cluster *vault.TestCluster, n int) {`
			`for i := 0; i < 10; i++ {`
			`sealed := 0`
			`for _, core := range cluster.Cores {`
			`if core.Core.Sealed() {`
			`sealed++`
			`}`
			`}`

			`if sealed >= n {`
			`return`
			`}`
			`time.Sleep(time.Second)`
			`}`

			`t.Fatalf("%d cores were not sealed", n)`
			`}`