2023-03-15 16:00:52 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
2015-03-12 19:37:41 +00:00
|
|
|
package http
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/hex"
|
|
|
|
"net/http"
|
|
|
|
"reflect"
|
2022-07-25 19:45:04 +00:00
|
|
|
"strconv"
|
2015-03-12 19:37:41 +00:00
|
|
|
"testing"
|
2015-03-13 18:11:59 +00:00
|
|
|
|
2022-07-25 19:45:04 +00:00
|
|
|
"github.com/hashicorp/go-hclog"
|
|
|
|
"github.com/hashicorp/vault/builtin/logical/transit"
|
|
|
|
"github.com/hashicorp/vault/sdk/helper/logging"
|
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
2015-03-13 18:11:59 +00:00
|
|
|
"github.com/hashicorp/vault/vault"
|
2022-07-25 19:45:04 +00:00
|
|
|
"github.com/hashicorp/vault/vault/seal"
|
2015-03-12 19:37:41 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestSysInit_get(t *testing.T) {
|
2015-03-13 18:11:59 +00:00
|
|
|
core := vault.TestCore(t)
|
2015-03-13 18:13:33 +00:00
|
|
|
ln, addr := TestServer(t, core)
|
2015-03-12 19:37:41 +00:00
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
{
|
|
|
|
// Pre-init
|
|
|
|
resp, err := http.Get(addr + "/v1/sys/init")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
var actual map[string]interface{}
|
|
|
|
expected := map[string]interface{}{
|
|
|
|
"initialized": false,
|
|
|
|
}
|
|
|
|
testResponseStatus(t, resp, 200)
|
|
|
|
testResponseBody(t, resp, &actual)
|
|
|
|
if !reflect.DeepEqual(actual, expected) {
|
|
|
|
t.Fatalf("bad: %#v", actual)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-13 18:11:59 +00:00
|
|
|
vault.TestCoreInit(t, core)
|
2015-03-12 19:37:41 +00:00
|
|
|
|
|
|
|
{
|
|
|
|
// Post-init
|
|
|
|
resp, err := http.Get(addr + "/v1/sys/init")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
var actual map[string]interface{}
|
|
|
|
expected := map[string]interface{}{
|
|
|
|
"initialized": true,
|
|
|
|
}
|
|
|
|
testResponseStatus(t, resp, 200)
|
|
|
|
testResponseBody(t, resp, &actual)
|
|
|
|
if !reflect.DeepEqual(actual, expected) {
|
|
|
|
t.Fatalf("bad: %#v", actual)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-01-12 00:55:10 +00:00
|
|
|
// Test to check if the API errors out when wrong number of PGP keys are
|
|
|
|
// supplied
|
|
|
|
func TestSysInit_pgpKeysEntries(t *testing.T) {
|
|
|
|
core := vault.TestCore(t)
|
|
|
|
ln, addr := TestServer(t, core)
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{
|
2018-03-20 18:58:22 +00:00
|
|
|
"secret_shares": 5,
|
2018-03-20 18:54:10 +00:00
|
|
|
"secret_threshold": 3,
|
2018-03-20 18:58:22 +00:00
|
|
|
"pgp_keys": []string{"pgpkey1"},
|
2017-01-12 00:55:10 +00:00
|
|
|
})
|
|
|
|
testResponseStatus(t, resp, 400)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Test to check if the API errors out when wrong number of PGP keys are
|
|
|
|
// supplied for recovery config
|
|
|
|
func TestSysInit_pgpKeysEntriesForRecovery(t *testing.T) {
|
|
|
|
core := vault.TestCoreNewSeal(t)
|
|
|
|
ln, addr := TestServer(t, core)
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{
|
|
|
|
"secret_shares": 1,
|
|
|
|
"secret_threshold": 1,
|
|
|
|
"stored_shares": 1,
|
|
|
|
"recovery_shares": 5,
|
|
|
|
"recovery_threshold": 3,
|
|
|
|
"recovery_pgp_keys": []string{"pgpkey1"},
|
|
|
|
})
|
|
|
|
testResponseStatus(t, resp, 400)
|
|
|
|
}
|
|
|
|
|
2015-03-12 19:37:41 +00:00
|
|
|
func TestSysInit_put(t *testing.T) {
|
2015-03-13 18:11:59 +00:00
|
|
|
core := vault.TestCore(t)
|
2015-03-13 18:13:33 +00:00
|
|
|
ln, addr := TestServer(t, core)
|
2015-03-12 19:37:41 +00:00
|
|
|
defer ln.Close()
|
|
|
|
|
2015-08-22 00:36:19 +00:00
|
|
|
resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{
|
2015-03-12 19:37:41 +00:00
|
|
|
"secret_shares": 5,
|
|
|
|
"secret_threshold": 3,
|
|
|
|
})
|
|
|
|
|
|
|
|
var actual map[string]interface{}
|
|
|
|
testResponseStatus(t, resp, 200)
|
|
|
|
testResponseBody(t, resp, &actual)
|
|
|
|
keysRaw, ok := actual["keys"]
|
|
|
|
if !ok {
|
|
|
|
t.Fatalf("no keys: %#v", actual)
|
|
|
|
}
|
|
|
|
|
2015-03-29 23:22:09 +00:00
|
|
|
if _, ok := actual["root_token"]; !ok {
|
|
|
|
t.Fatal("no root token")
|
|
|
|
}
|
|
|
|
|
2015-03-12 19:37:41 +00:00
|
|
|
for _, key := range keysRaw.([]interface{}) {
|
|
|
|
keySlice, err := hex.DecodeString(key.(string))
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("bad: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if _, err := core.Unseal(keySlice); err != nil {
|
|
|
|
t.Fatalf("bad: %s", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-07-24 20:57:25 +00:00
|
|
|
if core.Sealed() {
|
2015-03-12 19:37:41 +00:00
|
|
|
t.Fatal("should not be sealed")
|
|
|
|
}
|
|
|
|
}
|
2022-07-25 19:45:04 +00:00
|
|
|
|
|
|
|
func TestSysInit_Put_ValidateParams(t *testing.T) {
|
|
|
|
core := vault.TestCore(t)
|
|
|
|
ln, addr := TestServer(t, core)
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{
|
|
|
|
"secret_shares": 5,
|
|
|
|
"secret_threshold": 3,
|
|
|
|
"recovery_shares": 5,
|
|
|
|
"recovery_threshold": 3,
|
|
|
|
})
|
|
|
|
testResponseStatus(t, resp, http.StatusBadRequest)
|
|
|
|
body := map[string][]string{}
|
|
|
|
testResponseBody(t, resp, &body)
|
|
|
|
if body["errors"][0] != "parameters recovery_shares,recovery_threshold not applicable to seal type shamir" {
|
|
|
|
t.Fatal(body)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSysInit_Put_ValidateParams_AutoUnseal(t *testing.T) {
|
2023-05-04 18:22:30 +00:00
|
|
|
testSeal, _ := seal.NewTestSeal(&seal.TestSealOpts{Name: "transit"})
|
2022-08-23 19:37:16 +00:00
|
|
|
autoSeal, err := vault.NewAutoSeal(testSeal)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
2022-07-25 19:45:04 +00:00
|
|
|
|
|
|
|
// Create the transit server.
|
|
|
|
conf := &vault.CoreConfig{
|
|
|
|
LogicalBackends: map[string]logical.Factory{
|
|
|
|
"transit": transit.Factory,
|
|
|
|
},
|
|
|
|
Seal: autoSeal,
|
|
|
|
}
|
|
|
|
opts := &vault.TestClusterOptions{
|
|
|
|
NumCores: 1,
|
|
|
|
HandlerFunc: Handler,
|
|
|
|
Logger: logging.NewVaultLogger(hclog.Trace).Named(t.Name()).Named("transit-seal" + strconv.Itoa(0)),
|
|
|
|
}
|
|
|
|
cluster := vault.NewTestCluster(t, conf, opts)
|
|
|
|
cluster.Start()
|
|
|
|
defer cluster.Cleanup()
|
|
|
|
|
|
|
|
cores := cluster.Cores
|
|
|
|
core := cores[0].Core
|
|
|
|
|
|
|
|
ln, addr := TestServer(t, core)
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{
|
|
|
|
"secret_shares": 5,
|
|
|
|
"secret_threshold": 3,
|
|
|
|
"recovery_shares": 5,
|
|
|
|
"recovery_threshold": 3,
|
|
|
|
})
|
|
|
|
testResponseStatus(t, resp, http.StatusBadRequest)
|
|
|
|
body := map[string][]string{}
|
|
|
|
testResponseBody(t, resp, &body)
|
|
|
|
if body["errors"][0] != "parameters secret_shares,secret_threshold not applicable to seal type transit" {
|
|
|
|
t.Fatal(body)
|
|
|
|
}
|
|
|
|
}
|