open-vault/http/sys_seal_test.go

package http

import (
	"encoding/hex"
	"net/http"
	"reflect"
	"testing"

	"github.com/hashicorp/vault/vault"
)

func TestSysSealStatus(t *testing.T) {
	core := vault.TestCore(t)
	vault.TestCoreInit(t, core)
	ln, addr := TestServer(t, core)
	defer ln.Close()

	resp, err := http.Get(addr + "/v1/sys/seal-status")
	if err != nil {
		t.Fatalf("err: %s", err)
	}

	var actual map[string]interface{}
	expected := map[string]interface{}{
		"sealed":   true,
		"t":        float64(1),
		"n":        float64(1),
		"progress": float64(0),
	}
	testResponseStatus(t, resp, 200)
	testResponseBody(t, resp, &actual)
	if !reflect.DeepEqual(actual, expected) {
		t.Fatalf("bad: %#v", actual)
	}
}

func TestSysSealStatus_uninit(t *testing.T) {
	core := vault.TestCore(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()

	resp, err := http.Get(addr + "/v1/sys/seal-status")
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	testResponseStatus(t, resp, 400)
}

func TestSysSeal(t *testing.T) {
	core, _, token := vault.TestCoreUnsealed(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()
	TestServerAuth(t, addr, token)

	resp := testHttpPut(t, token, addr+"/v1/sys/seal", nil)
	testResponseStatus(t, resp, 204)

	check, err := core.Sealed()
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	if !check {
		t.Fatal("should be sealed")
	}
}

func TestSysSeal_unsealed(t *testing.T) {
	core, _, token := vault.TestCoreUnsealed(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()
	TestServerAuth(t, addr, token)

	resp := testHttpPut(t, token, addr+"/v1/sys/seal", nil)
	testResponseStatus(t, resp, 204)

	check, err := core.Sealed()
	if err != nil {
		t.Fatalf("err: %s", err)
	}
	if !check {
		t.Fatal("should be sealed")
	}
}

func TestSysUnseal(t *testing.T) {
	core := vault.TestCore(t)
	key, _ := vault.TestCoreInit(t, core)
	ln, addr := TestServer(t, core)
	defer ln.Close()

	resp := testHttpPut(t, "", addr+"/v1/sys/unseal", map[string]interface{}{
		"key": hex.EncodeToString(key),
	})

	var actual map[string]interface{}
	expected := map[string]interface{}{
		"sealed":   false,
		"t":        float64(1),
		"n":        float64(1),
		"progress": float64(0),
	}
	testResponseStatus(t, resp, 200)
	testResponseBody(t, resp, &actual)
	if !reflect.DeepEqual(actual, expected) {
		t.Fatalf("bad: %#v", actual)
	}
}

func TestSysUnseal_badKey(t *testing.T) {
	core := vault.TestCore(t)
	vault.TestCoreInit(t, core)
	ln, addr := TestServer(t, core)
	defer ln.Close()

	resp := testHttpPut(t, "", addr+"/v1/sys/unseal", map[string]interface{}{
		"key": "0123",
	})

	var actual map[string]interface{}
	expected := map[string]interface{}{
		"sealed":   true,
		"t":        float64(1),
		"n":        float64(1),
		"progress": float64(0),
	}
	testResponseStatus(t, resp, 200)
	testResponseBody(t, resp, &actual)
	if !reflect.DeepEqual(actual, expected) {
		t.Fatalf("bad: %#v", actual)
	}
}

func TestSysUnseal_Reset(t *testing.T) {
	core := vault.TestCore(t)
	ln, addr := TestServer(t, core)
	defer ln.Close()

	thresh := 3
	resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{
		"secret_shares":    5,
		"secret_threshold": thresh,
	})

	var actual map[string]interface{}
	testResponseStatus(t, resp, 200)
	testResponseBody(t, resp, &actual)
	keysRaw, ok := actual["keys"]
	if !ok {
		t.Fatalf("no keys: %#v", actual)
	}
	for i, key := range keysRaw.([]interface{}) {
		if i > thresh-2 {
			break
		}

		resp := testHttpPut(t, "", addr+"/v1/sys/unseal", map[string]interface{}{
			"key": key.(string),
		})

		var actual map[string]interface{}
		expected := map[string]interface{}{
			"sealed":   true,
			"t":        float64(3),
			"n":        float64(5),
			"progress": float64(i + 1),
		}
		testResponseStatus(t, resp, 200)
		testResponseBody(t, resp, &actual)
		if !reflect.DeepEqual(actual, expected) {
			t.Fatalf("\nexpected:\n%#v\nactual:\n%#v\n", expected, actual)
		}
	}

	resp = testHttpPut(t, "", addr+"/v1/sys/unseal", map[string]interface{}{
		"reset": true,
	})

	actual = map[string]interface{}{}
	expected := map[string]interface{}{
		"sealed":   true,
		"t":        float64(3),
		"n":        float64(5),
		"progress": float64(0),
	}
	testResponseStatus(t, resp, 200)
	testResponseBody(t, resp, &actual)
	if !reflect.DeepEqual(actual, expected) {
		t.Fatalf("\nexpected:\n%#v\nactual:\n%#v\n", expected, actual)
	}
}
http: tests 2015-03-12 17:46:45 +00:00			`package http`

			`import (`
http: test all seal endpoints 2015-03-12 18:12:44 +00:00			`"encoding/hex"`
http: tests 2015-03-12 17:46:45 +00:00			`"net/http"`
			`"reflect"`
			`"testing"`
vault: public testing methods 2015-03-13 18:11:59 +00:00
			`"github.com/hashicorp/vault/vault"`
http: tests 2015-03-12 17:46:45 +00:00			`)`

			`func TestSysSealStatus(t *testing.T) {`
vault: public testing methods 2015-03-13 18:11:59 +00:00			`core := vault.TestCore(t)`
			`vault.TestCoreInit(t, core)`
http: make TestServer public 2015-03-13 18:13:33 +00:00			`ln, addr := TestServer(t, core)`
http: tests 2015-03-12 17:46:45 +00:00			`defer ln.Close()`

http: prefix with v1 2015-03-12 17:47:31 +00:00			`resp, err := http.Get(addr + "/v1/sys/seal-status")`
http: tests 2015-03-12 17:46:45 +00:00			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`

			`var actual map[string]interface{}`
			`expected := map[string]interface{}{`
			`"sealed": true,`
			`"t": float64(1),`
			`"n": float64(1),`
			`"progress": float64(0),`
			`}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &actual)`
			`if !reflect.DeepEqual(actual, expected) {`
			`t.Fatalf("bad: %#v", actual)`
			`}`
			`}`
http: test all seal endpoints 2015-03-12 18:12:44 +00:00
http: /sys/seal-status should return 400 if still uninitialized 2015-03-31 06:36:03 +00:00			`func TestSysSealStatus_uninit(t *testing.T) {`
			`core := vault.TestCore(t)`
			`ln, addr := TestServer(t, core)`
			`defer ln.Close()`

			`resp, err := http.Get(addr + "/v1/sys/seal-status")`
			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
			`testResponseStatus(t, resp, 400)`
			`}`

http: test all seal endpoints 2015-03-12 18:12:44 +00:00			`func TestSysSeal(t *testing.T) {`
vault: require root token for seal 2015-03-31 16:59:02 +00:00			`core, _, token := vault.TestCoreUnsealed(t)`
http: make TestServer public 2015-03-13 18:13:33 +00:00			`ln, addr := TestServer(t, core)`
http: test all seal endpoints 2015-03-12 18:12:44 +00:00			`defer ln.Close()`
vault: require root token for seal 2015-03-31 16:59:02 +00:00			`TestServerAuth(t, addr, token)`
http: test all seal endpoints 2015-03-12 18:12:44 +00:00
Remove cookie authentication. 2015-08-22 00:36:19 +00:00			`resp := testHttpPut(t, token, addr+"/v1/sys/seal", nil)`
http: test all seal endpoints 2015-03-12 18:12:44 +00:00			`testResponseStatus(t, resp, 204)`

			`check, err := core.Sealed()`
			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
			`if !check {`
			`t.Fatal("should be sealed")`
			`}`
			`}`

			`func TestSysSeal_unsealed(t *testing.T) {`
http: /sys/seal requires a token 2015-03-31 18:45:44 +00:00			`core, _, token := vault.TestCoreUnsealed(t)`
http: make TestServer public 2015-03-13 18:13:33 +00:00			`ln, addr := TestServer(t, core)`
http: test all seal endpoints 2015-03-12 18:12:44 +00:00			`defer ln.Close()`
http: /sys/seal requires a token 2015-03-31 18:45:44 +00:00			`TestServerAuth(t, addr, token)`
http: test all seal endpoints 2015-03-12 18:12:44 +00:00
Remove cookie authentication. 2015-08-22 00:36:19 +00:00			`resp := testHttpPut(t, token, addr+"/v1/sys/seal", nil)`
http: test all seal endpoints 2015-03-12 18:12:44 +00:00			`testResponseStatus(t, resp, 204)`

			`check, err := core.Sealed()`
			`if err != nil {`
			`t.Fatalf("err: %s", err)`
			`}`
			`if !check {`
			`t.Fatal("should be sealed")`
			`}`
			`}`

			`func TestSysUnseal(t *testing.T) {`
vault: public testing methods 2015-03-13 18:11:59 +00:00			`core := vault.TestCore(t)`
Fixing compilation errors due to API change 2015-03-24 23:20:05 +00:00			`key, _ := vault.TestCoreInit(t, core)`
http: make TestServer public 2015-03-13 18:13:33 +00:00			`ln, addr := TestServer(t, core)`
http: test all seal endpoints 2015-03-12 18:12:44 +00:00			`defer ln.Close()`

Remove cookie authentication. 2015-08-22 00:36:19 +00:00			`resp := testHttpPut(t, "", addr+"/v1/sys/unseal", map[string]interface{}{`
fix all tests 2015-03-16 00:10:33 +00:00			`"key": hex.EncodeToString(key),`
http: test all seal endpoints 2015-03-12 18:12:44 +00:00			`})`

			`var actual map[string]interface{}`
			`expected := map[string]interface{}{`
			`"sealed": false,`
			`"t": float64(1),`
			`"n": float64(1),`
			`"progress": float64(0),`
			`}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &actual)`
			`if !reflect.DeepEqual(actual, expected) {`
			`t.Fatalf("bad: %#v", actual)`
			`}`
			`}`

			`func TestSysUnseal_badKey(t *testing.T) {`
vault: public testing methods 2015-03-13 18:11:59 +00:00			`core := vault.TestCore(t)`
			`vault.TestCoreInit(t, core)`
http: make TestServer public 2015-03-13 18:13:33 +00:00			`ln, addr := TestServer(t, core)`
http: test all seal endpoints 2015-03-12 18:12:44 +00:00			`defer ln.Close()`

Remove cookie authentication. 2015-08-22 00:36:19 +00:00			`resp := testHttpPut(t, "", addr+"/v1/sys/unseal", map[string]interface{}{`
http: mask user error away from unseal since its not actionable 2015-03-12 18:26:59 +00:00			`"key": "0123",`
http: test all seal endpoints 2015-03-12 18:12:44 +00:00			`})`

			`var actual map[string]interface{}`
			`expected := map[string]interface{}{`
			`"sealed": true,`
			`"t": float64(1),`
			`"n": float64(1),`
			`"progress": float64(0),`
			`}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &actual)`
			`if !reflect.DeepEqual(actual, expected) {`
			`t.Fatalf("bad: %#v", actual)`
			`}`
			`}`
Add reset support to the unseal command. Reset clears the provided unseal keys, allowing the process to be begun again. Includes documentation and unit test changes. Fixes #695 2015-10-28 19:59:39 +00:00
			`func TestSysUnseal_Reset(t *testing.T) {`
			`core := vault.TestCore(t)`
			`ln, addr := TestServer(t, core)`
			`defer ln.Close()`

			`thresh := 3`
			`resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{`
			`"secret_shares": 5,`
			`"secret_threshold": thresh,`
			`})`

			`var actual map[string]interface{}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &actual)`
			`keysRaw, ok := actual["keys"]`
			`if !ok {`
			`t.Fatalf("no keys: %#v", actual)`
			`}`
			`for i, key := range keysRaw.([]interface{}) {`
			`if i > thresh-2 {`
			`break`
			`}`

			`resp := testHttpPut(t, "", addr+"/v1/sys/unseal", map[string]interface{}{`
			`"key": key.(string),`
			`})`

			`var actual map[string]interface{}`
			`expected := map[string]interface{}{`
			`"sealed": true,`
			`"t": float64(3),`
			`"n": float64(5),`
			`"progress": float64(i + 1),`
			`}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &actual)`
			`if !reflect.DeepEqual(actual, expected) {`
			`t.Fatalf("\nexpected:\n%#v\nactual:\n%#v\n", expected, actual)`
			`}`
			`}`

			`resp = testHttpPut(t, "", addr+"/v1/sys/unseal", map[string]interface{}{`
			`"reset": true,`
			`})`

			`actual = map[string]interface{}{}`
			`expected := map[string]interface{}{`
			`"sealed": true,`
			`"t": float64(3),`
			`"n": float64(5),`
			`"progress": float64(0),`
			`}`
			`testResponseStatus(t, resp, 200)`
			`testResponseBody(t, resp, &actual)`
			`if !reflect.DeepEqual(actual, expected) {`
			`t.Fatalf("\nexpected:\n%#v\nactual:\n%#v\n", expected, actual)`
			`}`
			`}`