open-vault/http/sys_generate_root_test.go

421 lines
12 KiB
Go
Raw Normal View History

package http
import (
"encoding/base64"
"encoding/hex"
"encoding/json"
2017-01-17 20:43:10 +00:00
"fmt"
"net/http"
"reflect"
"testing"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/pgpkeys"
"github.com/hashicorp/vault/helper/xor"
"github.com/hashicorp/vault/vault"
)
2016-01-15 15:55:35 +00:00
func TestSysGenerateRootAttempt_Status(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
TestServerAuth(t, addr, token)
2016-01-15 15:55:35 +00:00
resp, err := http.Get(addr + "/v1/sys/generate-root/attempt")
if err != nil {
t.Fatalf("err: %s", err)
}
var actual map[string]interface{}
expected := map[string]interface{}{
"started": false,
"progress": json.Number("0"),
2017-01-17 20:43:10 +00:00
"required": json.Number("3"),
"complete": false,
"encoded_root_token": "",
"pgp_fingerprint": "",
"nonce": "",
}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
}
}
2016-01-15 15:55:35 +00:00
func TestSysGenerateRootAttempt_Setup_OTP(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
TestServerAuth(t, addr, token)
2016-01-15 15:55:35 +00:00
otpBytes, err := vault.GenerateRandBytes(16)
if err != nil {
t.Fatal(err)
}
otp := base64.StdEncoding.EncodeToString(otpBytes)
2016-01-15 15:55:35 +00:00
resp := testHttpPut(t, token, addr+"/v1/sys/generate-root/attempt", map[string]interface{}{
"otp": otp,
})
testResponseStatus(t, resp, 200)
var actual map[string]interface{}
expected := map[string]interface{}{
"started": true,
"progress": json.Number("0"),
2017-01-17 20:43:10 +00:00
"required": json.Number("3"),
"complete": false,
"encoded_root_token": "",
"pgp_fingerprint": "",
}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
if actual["nonce"].(string) == "" {
t.Fatalf("nonce was empty")
}
expected["nonce"] = actual["nonce"]
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
}
resp = testHttpGet(t, token, addr+"/v1/sys/generate-root/attempt")
actual = map[string]interface{}{}
expected = map[string]interface{}{
"started": true,
"progress": json.Number("0"),
2017-01-17 20:43:10 +00:00
"required": json.Number("3"),
"complete": false,
"encoded_root_token": "",
"pgp_fingerprint": "",
}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
if actual["nonce"].(string) == "" {
t.Fatalf("nonce was empty")
}
expected["nonce"] = actual["nonce"]
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
}
}
2016-01-15 15:55:35 +00:00
func TestSysGenerateRootAttempt_Setup_PGP(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
TestServerAuth(t, addr, token)
2016-01-15 15:55:35 +00:00
resp := testHttpPut(t, token, addr+"/v1/sys/generate-root/attempt", map[string]interface{}{
"pgp_key": pgpkeys.TestPubKey1,
})
testResponseStatus(t, resp, 200)
2016-01-15 15:55:35 +00:00
resp = testHttpGet(t, token, addr+"/v1/sys/generate-root/attempt")
var actual map[string]interface{}
expected := map[string]interface{}{
"started": true,
"progress": json.Number("0"),
2017-01-17 20:43:10 +00:00
"required": json.Number("3"),
"complete": false,
"encoded_root_token": "",
"pgp_fingerprint": "816938b8a29146fbe245dd29e7cbaf8e011db793",
}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
if actual["nonce"].(string) == "" {
t.Fatalf("nonce was empty")
}
expected["nonce"] = actual["nonce"]
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
}
}
2016-01-15 15:55:35 +00:00
func TestSysGenerateRootAttempt_Cancel(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
TestServerAuth(t, addr, token)
2016-01-15 15:55:35 +00:00
otpBytes, err := vault.GenerateRandBytes(16)
if err != nil {
t.Fatal(err)
}
otp := base64.StdEncoding.EncodeToString(otpBytes)
2016-01-15 15:55:35 +00:00
resp := testHttpPut(t, token, addr+"/v1/sys/generate-root/attempt", map[string]interface{}{
"otp": otp,
})
var actual map[string]interface{}
expected := map[string]interface{}{
"started": true,
"progress": json.Number("0"),
2017-01-17 20:43:10 +00:00
"required": json.Number("3"),
"complete": false,
"encoded_root_token": "",
"pgp_fingerprint": "",
}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
if actual["nonce"].(string) == "" {
t.Fatalf("nonce was empty")
}
expected["nonce"] = actual["nonce"]
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
}
2016-01-15 15:55:35 +00:00
resp = testHttpDelete(t, token, addr+"/v1/sys/generate-root/attempt")
testResponseStatus(t, resp, 204)
2016-01-15 15:55:35 +00:00
resp, err = http.Get(addr + "/v1/sys/generate-root/attempt")
if err != nil {
t.Fatalf("err: %s", err)
}
actual = map[string]interface{}{}
expected = map[string]interface{}{
"started": false,
"progress": json.Number("0"),
2017-01-17 20:43:10 +00:00
"required": json.Number("3"),
"complete": false,
"encoded_root_token": "",
"pgp_fingerprint": "",
"nonce": "",
}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
}
}
2016-01-15 15:55:35 +00:00
func TestSysGenerateRoot_badKey(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
TestServerAuth(t, addr, token)
2016-01-15 15:55:35 +00:00
otpBytes, err := vault.GenerateRandBytes(16)
if err != nil {
t.Fatal(err)
}
otp := base64.StdEncoding.EncodeToString(otpBytes)
2016-01-15 15:55:35 +00:00
resp := testHttpPut(t, token, addr+"/v1/sys/generate-root/update", map[string]interface{}{
"key": "0123",
"otp": otp,
})
testResponseStatus(t, resp, 400)
}
2016-01-15 15:55:35 +00:00
func TestSysGenerateRoot_ReAttemptUpdate(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
TestServerAuth(t, addr, token)
2016-01-15 15:55:35 +00:00
otpBytes, err := vault.GenerateRandBytes(16)
if err != nil {
t.Fatal(err)
}
otp := base64.StdEncoding.EncodeToString(otpBytes)
2016-01-15 15:55:35 +00:00
resp := testHttpPut(t, token, addr+"/v1/sys/generate-root/attempt", map[string]interface{}{
"otp": otp,
})
testResponseStatus(t, resp, 200)
2016-01-15 15:55:35 +00:00
resp = testHttpDelete(t, token, addr+"/v1/sys/generate-root/attempt")
testResponseStatus(t, resp, 204)
2016-01-15 15:55:35 +00:00
resp = testHttpPut(t, token, addr+"/v1/sys/generate-root/attempt", map[string]interface{}{
"pgp_key": pgpkeys.TestPubKey1,
})
testResponseStatus(t, resp, 200)
}
2016-01-15 15:55:35 +00:00
func TestSysGenerateRoot_Update_OTP(t *testing.T) {
2017-01-17 20:43:10 +00:00
core, keys, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
TestServerAuth(t, addr, token)
2016-01-15 15:55:35 +00:00
otpBytes, err := vault.GenerateRandBytes(16)
if err != nil {
t.Fatal(err)
}
otp := base64.StdEncoding.EncodeToString(otpBytes)
2016-01-15 15:55:35 +00:00
resp := testHttpPut(t, token, addr+"/v1/sys/generate-root/attempt", map[string]interface{}{
"otp": otp,
})
var rootGenerationStatus map[string]interface{}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &rootGenerationStatus)
var actual map[string]interface{}
2017-01-17 20:43:10 +00:00
var expected map[string]interface{}
for i, key := range keys {
resp = testHttpPut(t, token, addr+"/v1/sys/generate-root/update", map[string]interface{}{
"nonce": rootGenerationStatus["nonce"].(string),
"key": hex.EncodeToString(key),
})
actual = map[string]interface{}{}
expected = map[string]interface{}{
"complete": false,
"nonce": rootGenerationStatus["nonce"].(string),
"progress": json.Number(fmt.Sprintf("%d", i+1)),
"required": json.Number(fmt.Sprintf("%d", len(keys))),
"started": true,
"pgp_fingerprint": "",
}
if i+1 == len(keys) {
expected["complete"] = true
}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
}
if actual["encoded_root_token"] == nil {
t.Fatalf("no encoded root token found in response")
}
expected["encoded_root_token"] = actual["encoded_root_token"]
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
}
decodedToken, err := xor.XORBase64(otp, actual["encoded_root_token"].(string))
if err != nil {
t.Fatal(err)
}
newRootToken, err := uuid.FormatUUID(decodedToken)
if err != nil {
t.Fatal(err)
}
actual = map[string]interface{}{}
expected = map[string]interface{}{
"id": newRootToken,
"display_name": "root",
"meta": interface{}(nil),
"num_uses": json.Number("0"),
"policies": []interface{}{"root"},
"orphan": true,
"creation_ttl": json.Number("0"),
"ttl": json.Number("0"),
"path": "auth/token/root",
"explicit_max_ttl": json.Number("0"),
"expire_time": nil,
"entity_id": "",
}
resp = testHttpGet(t, newRootToken, addr+"/v1/auth/token/lookup-self")
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
expected["creation_time"] = actual["data"].(map[string]interface{})["creation_time"]
2016-03-09 18:45:36 +00:00
expected["accessor"] = actual["data"].(map[string]interface{})["accessor"]
if !reflect.DeepEqual(actual["data"], expected) {
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual["data"])
}
}
2016-01-15 15:55:35 +00:00
func TestSysGenerateRoot_Update_PGP(t *testing.T) {
2017-01-17 20:43:10 +00:00
core, keys, token := vault.TestCoreUnsealed(t)
ln, addr := TestServer(t, core)
defer ln.Close()
TestServerAuth(t, addr, token)
2016-01-15 15:55:35 +00:00
resp := testHttpPut(t, token, addr+"/v1/sys/generate-root/attempt", map[string]interface{}{
"pgp_key": pgpkeys.TestPubKey1,
})
testResponseStatus(t, resp, 200)
// We need to get the nonce first before we update
2016-01-15 15:55:35 +00:00
resp, err := http.Get(addr + "/v1/sys/generate-root/attempt")
if err != nil {
t.Fatalf("err: %s", err)
}
var rootGenerationStatus map[string]interface{}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &rootGenerationStatus)
var actual map[string]interface{}
2017-01-17 20:43:10 +00:00
var expected map[string]interface{}
for i, key := range keys {
resp = testHttpPut(t, token, addr+"/v1/sys/generate-root/update", map[string]interface{}{
"nonce": rootGenerationStatus["nonce"].(string),
"key": hex.EncodeToString(key),
})
actual = map[string]interface{}{}
expected = map[string]interface{}{
"complete": false,
"nonce": rootGenerationStatus["nonce"].(string),
"progress": json.Number(fmt.Sprintf("%d", i+1)),
"required": json.Number(fmt.Sprintf("%d", len(keys))),
"started": true,
"pgp_fingerprint": "816938b8a29146fbe245dd29e7cbaf8e011db793",
}
if i+1 == len(keys) {
expected["complete"] = true
}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
}
if actual["encoded_root_token"] == nil {
t.Fatalf("no encoded root token found in response")
}
expected["encoded_root_token"] = actual["encoded_root_token"]
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
}
decodedTokenBuf, err := pgpkeys.DecryptBytes(actual["encoded_root_token"].(string), pgpkeys.TestPrivKey1)
if err != nil {
t.Fatal(err)
}
if decodedTokenBuf == nil {
t.Fatal("decoded root token buffer is nil")
}
newRootToken := decodedTokenBuf.String()
actual = map[string]interface{}{}
expected = map[string]interface{}{
"id": newRootToken,
"display_name": "root",
"meta": interface{}(nil),
"num_uses": json.Number("0"),
"policies": []interface{}{"root"},
"orphan": true,
"creation_ttl": json.Number("0"),
"ttl": json.Number("0"),
"path": "auth/token/root",
"explicit_max_ttl": json.Number("0"),
"expire_time": nil,
"entity_id": "",
}
resp = testHttpGet(t, newRootToken, addr+"/v1/auth/token/lookup-self")
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
expected["creation_time"] = actual["data"].(map[string]interface{})["creation_time"]
2016-03-09 18:45:36 +00:00
expected["accessor"] = actual["data"].(map[string]interface{})["accessor"]
if !reflect.DeepEqual(actual["data"], expected) {
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual["data"])
}
}