open-vault/vault/barrier_test.go

413 lines
7.5 KiB
Go
Raw Normal View History

2015-03-05 21:27:35 +00:00
package vault
import (
"reflect"
"testing"
2015-05-28 00:25:36 +00:00
"time"
2015-03-05 21:27:35 +00:00
)
func testBarrier(t *testing.T, b SecurityBarrier) {
// Should not be initialized
init, err := b.Initialized()
if err != nil {
t.Fatalf("err: %v", err)
}
if init {
t.Fatalf("should not be initialized")
}
// Should start sealed
sealed, err := b.Sealed()
if err != nil {
t.Fatalf("err: %v", err)
}
if !sealed {
t.Fatalf("should be sealed")
}
// Sealing should be a no-op
if err := b.Seal(); err != nil {
t.Fatalf("err: %v", err)
}
// All operations should fail
e := &Entry{Key: "test", Value: []byte("test")}
if err := b.Put(e); err != ErrBarrierSealed {
t.Fatalf("err: %v", err)
}
if _, err := b.Get("test"); err != ErrBarrierSealed {
t.Fatalf("err: %v", err)
}
if err := b.Delete("test"); err != ErrBarrierSealed {
t.Fatalf("err: %v", err)
}
if _, err := b.List(""); err != ErrBarrierSealed {
t.Fatalf("err: %v", err)
}
// Get a new key
key, err := b.GenerateKey()
if err != nil {
t.Fatalf("err: %v", err)
}
2015-03-12 18:20:27 +00:00
// Validate minimum key length
min, max := b.KeyLength()
if min < 16 {
t.Fatalf("minimum key size too small: %d", min)
}
if max < min {
t.Fatalf("maximum key size smaller than min")
}
2015-03-05 21:27:35 +00:00
// Unseal should not work
if err := b.Unseal(key); err != ErrBarrierNotInit {
t.Fatalf("err: %v", err)
}
// Initialize the vault
if err := b.Initialize(key); err != nil {
t.Fatalf("err: %v", err)
}
// Double Initialize should fail
if err := b.Initialize(key); err != ErrBarrierAlreadyInit {
t.Fatalf("err: %v", err)
}
// Should be initialized
init, err = b.Initialized()
if err != nil {
t.Fatalf("err: %v", err)
}
if !init {
t.Fatalf("should be initialized")
}
// Should still be sealed
sealed, err = b.Sealed()
if err != nil {
t.Fatalf("err: %v", err)
}
if !sealed {
t.Fatalf("should sealed")
}
// Unseal should work
if err := b.Unseal(key); err != nil {
t.Fatalf("err: %v", err)
}
2015-03-05 21:29:23 +00:00
// Unseal should no-op when done twice
if err := b.Unseal(key); err != nil {
t.Fatalf("err: %v", err)
}
2015-03-05 21:27:35 +00:00
// Should no longer be sealed
sealed, err = b.Sealed()
if err != nil {
t.Fatalf("err: %v", err)
}
if sealed {
t.Fatalf("should be unsealed")
}
2015-05-28 18:28:33 +00:00
// Verify the master key
if err := b.VerifyMaster(key); err != nil {
t.Fatalf("err: %v", err)
}
2015-03-05 21:27:35 +00:00
// Operations should work
out, err := b.Get("test")
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %v", out)
}
// List should have only "core/"
2015-03-05 21:27:35 +00:00
keys, err := b.List("")
if err != nil {
t.Fatalf("err: %v", err)
}
if len(keys) != 1 || keys[0] != "core/" {
2015-03-05 21:27:35 +00:00
t.Fatalf("bad: %v", keys)
}
// Try to write
if err := b.Put(e); err != nil {
t.Fatalf("err: %v", err)
}
// Should be equal
out, err = b.Get("test")
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, e) {
t.Fatalf("bad: %v exp: %v", out, e)
}
// List should show the items
keys, err = b.List("")
if err != nil {
t.Fatalf("err: %v", err)
}
if len(keys) != 2 {
t.Fatalf("bad: %v", keys)
}
if keys[0] != "core/" || keys[1] != "test" {
2015-03-05 21:27:35 +00:00
t.Fatalf("bad: %v", keys)
}
// Delete should clear
err = b.Delete("test")
if err != nil {
t.Fatalf("err: %v", err)
}
// Double Delete is fine
err = b.Delete("test")
if err != nil {
t.Fatalf("err: %v", err)
}
// Should be nil
out, err = b.Get("test")
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %v", out)
}
// List should have nothing
keys, err = b.List("")
if err != nil {
t.Fatalf("err: %v", err)
}
if len(keys) != 1 || keys[0] != "core/" {
2015-03-05 21:27:35 +00:00
t.Fatalf("bad: %v", keys)
}
// Add the item back
if err := b.Put(e); err != nil {
t.Fatalf("err: %v", err)
}
// Reseal should prevent any updates
if err := b.Seal(); err != nil {
t.Fatalf("err: %v", err)
}
// No access allowed
if _, err := b.Get("test"); err != ErrBarrierSealed {
t.Fatalf("err: %v", err)
}
// Unseal should work
if err := b.Unseal(key); err != nil {
t.Fatalf("err: %v", err)
}
// Should be equal
out, err = b.Get("test")
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, e) {
t.Fatalf("bad: %v exp: %v", out, e)
}
// Final cleanup
err = b.Delete("test")
if err != nil {
t.Fatalf("err: %v", err)
}
// Reseal should prevent any updates
if err := b.Seal(); err != nil {
t.Fatalf("err: %v", err)
}
// Modify the key
key[0]++
// Unseal should fail
if err := b.Unseal(key); err != ErrBarrierInvalidKey {
t.Fatalf("err: %v", err)
}
2015-03-05 21:27:35 +00:00
}
2015-05-28 00:10:08 +00:00
func testBarrier_Rotate(t *testing.T, b SecurityBarrier) {
// Initialize the barrier
key, _ := b.GenerateKey()
b.Initialize(key)
err := b.Unseal(key)
if err != nil {
t.Fatalf("err: %v", err)
}
2015-05-28 00:25:36 +00:00
// Check the key info
info, err := b.ActiveKeyInfo()
if err != nil {
t.Fatalf("err: %v", err)
}
if info.Term != 1 {
t.Fatalf("Bad term: %d", info.Term)
}
if time.Since(info.InstallTime) > time.Second {
t.Fatalf("Bad install: %v", info.InstallTime)
}
first := info.InstallTime
2015-05-28 00:10:08 +00:00
// Write a key
e1 := &Entry{Key: "test", Value: []byte("test")}
if err := b.Put(e1); err != nil {
t.Fatalf("err: %v", err)
}
// Rotate the encryption key
err = b.Rotate()
if err != nil {
t.Fatalf("err: %v", err)
}
2015-05-28 00:25:36 +00:00
// Check the key info
info, err = b.ActiveKeyInfo()
if err != nil {
t.Fatalf("err: %v", err)
}
if info.Term != 2 {
t.Fatalf("Bad term: %d", info.Term)
}
if !info.InstallTime.After(first) {
t.Fatalf("Bad install: %v", info.InstallTime)
}
2015-05-28 00:10:08 +00:00
// Write another key
e2 := &Entry{Key: "foo", Value: []byte("test")}
if err := b.Put(e2); err != nil {
t.Fatalf("err: %v", err)
}
// Reading both should work
out, err := b.Get(e1.Key)
if err != nil {
t.Fatalf("err: %v", err)
}
if out == nil {
t.Fatalf("bad: %v", out)
}
out, err = b.Get(e2.Key)
if err != nil {
t.Fatalf("err: %v", err)
}
if out == nil {
t.Fatalf("bad: %v", out)
}
// Seal and unseal
err = b.Seal()
if err != nil {
t.Fatalf("err: %v", err)
}
err = b.Unseal(key)
if err != nil {
t.Fatalf("err: %v", err)
}
// Reading both should work
out, err = b.Get(e1.Key)
if err != nil {
t.Fatalf("err: %v", err)
}
if out == nil {
t.Fatalf("bad: %v", out)
}
out, err = b.Get(e2.Key)
if err != nil {
t.Fatalf("err: %v", err)
}
if out == nil {
t.Fatalf("bad: %v", out)
}
}
2015-05-28 00:17:03 +00:00
func testBarrier_Rekey(t *testing.T, b SecurityBarrier) {
// Initialize the barrier
key, _ := b.GenerateKey()
b.Initialize(key)
err := b.Unseal(key)
if err != nil {
t.Fatalf("err: %v", err)
}
// Write a key
e1 := &Entry{Key: "test", Value: []byte("test")}
if err := b.Put(e1); err != nil {
t.Fatalf("err: %v", err)
}
2015-05-28 18:28:33 +00:00
// Verify the master key
if err := b.VerifyMaster(key); err != nil {
t.Fatalf("err: %v", err)
}
2015-05-28 00:17:03 +00:00
// Rekey to a new key
newKey, _ := b.GenerateKey()
err = b.Rekey(newKey)
if err != nil {
t.Fatalf("err: %v", err)
}
2015-05-28 18:28:33 +00:00
// Verify the old master key
if err := b.VerifyMaster(key); err != ErrBarrierInvalidKey {
t.Fatalf("err: %v", err)
}
// Verify the new master key
if err := b.VerifyMaster(newKey); err != nil {
t.Fatalf("err: %v", err)
}
2015-05-28 00:17:03 +00:00
// Reading should work
out, err := b.Get(e1.Key)
if err != nil {
t.Fatalf("err: %v", err)
}
if out == nil {
t.Fatalf("bad: %v", out)
}
// Seal
err = b.Seal()
if err != nil {
t.Fatalf("err: %v", err)
}
// Unseal with old key should fail
err = b.Unseal(key)
if err == nil {
t.Fatalf("unseal should fail")
}
// Unseal with new keys should work
err = b.Unseal(newKey)
if err != nil {
t.Fatalf("err: %v", err)
}
// Reading should work
out, err = b.Get(e1.Key)
if err != nil {
t.Fatalf("err: %v", err)
}
if out == nil {
t.Fatalf("bad: %v", out)
}
}