open-vault/vault/external_tests/sealmigration/seal_migration_pre14_test.go

// +build !enterprise

package sealmigration

import (
	"context"
	"fmt"
	"testing"
	"time"

	"github.com/go-test/deep"

	"github.com/hashicorp/go-hclog"
	wrapping "github.com/hashicorp/go-kms-wrapping"
	"github.com/hashicorp/vault/helper/testhelpers"
	sealhelper "github.com/hashicorp/vault/helper/testhelpers/seal"
	"github.com/hashicorp/vault/helper/testhelpers/teststorage"
	vaulthttp "github.com/hashicorp/vault/http"
	"github.com/hashicorp/vault/vault"
)

// TestSealMigration_TransitToShamir_Pre14 tests transit-to-shamir seal
// migration, using the pre-1.4 method of bring down the whole cluster to do
// the migration.
func TestSealMigration_TransitToShamir_Pre14(t *testing.T) {
	// Note that we do not test integrated raft storage since this is
	// a pre-1.4 test.
	testVariousBackends(t, testSealMigrationTransitToShamir_Pre14, false)
}

func testSealMigrationTransitToShamir_Pre14(
	t *testing.T, logger hclog.Logger,
	storage teststorage.ReusableStorage, basePort int) {

	// Create the transit server.
	tss := sealhelper.NewTransitSealServer(t)
	defer func() {
		if tss != nil {
			tss.Cleanup()
		}
	}()
	tss.MakeKey(t, "transit-seal-key")

	// Initialize the backend with transit.
	rootToken, recoveryKeys, transitSeal := initializeTransit(t, logger, storage, basePort, tss)

	// Migrate the backend from transit to shamir
	migrateFromTransitToShamir_Pre14(t, logger, storage, basePort, tss, transitSeal, rootToken, recoveryKeys)

	// Now that migration is done, we can nuke the transit server, since we
	// can unseal without it.
	tss.Cleanup()
	tss = nil

	// Run the backend with shamir.  Note that the recovery keys are now the
	// barrier keys.
	runShamir(t, logger, storage, basePort, rootToken, recoveryKeys)
}

func migrateFromTransitToShamir_Pre14(
	t *testing.T, logger hclog.Logger,
	storage teststorage.ReusableStorage, basePort int,
	tss *sealhelper.TransitSealServer, transitSeal vault.Seal,
	rootToken string, recoveryKeys [][]byte) {

	var baseClusterPort = basePort + 10

	var conf = vault.CoreConfig{
		Logger: logger.Named("migrateFromTransitToShamir"),
		// N.B. Providing an UnwrapSeal puts us in migration mode. This is the
		// equivalent of doing the following in HCL:
		//     seal "transit" {
		//       // ...
		//       disabled = "true"
		//     }
		UnwrapSeal: transitSeal,
	}
	var opts = vault.TestClusterOptions{
		HandlerFunc:           vaulthttp.Handler,
		NumCores:              numTestCores,
		BaseListenAddress:     fmt.Sprintf("127.0.0.1:%d", basePort),
		BaseClusterListenPort: baseClusterPort,
		SkipInit:              true,
	}
	storage.Setup(&conf, &opts)
	cluster := vault.NewTestCluster(t, &conf, &opts)
	cluster.Start()
	defer func() {
		storage.Cleanup(t, cluster)
		cluster.Cleanup()
	}()

	leader := cluster.Cores[0]
	client := leader.Client
	client.SetToken(rootToken)

	// Attempt to unseal while the transit server is unreachable.  Although
	// we're unsealing using the recovery keys, this is still an
	// autounseal, so it should fail.
	tss.EnsureCoresSealed(t)
	unsealMigrate(t, client, recoveryKeys, false)
	tss.UnsealCores(t)
	testhelpers.WaitForActiveNode(t, tss.TestCluster)

	// Unseal and migrate to Shamir. Although we're unsealing using the
	// recovery keys, this is still an autounseal.
	unsealMigrate(t, client, recoveryKeys, true)
	testhelpers.WaitForActiveNode(t, cluster)

	// Wait for migration to finish.  Sadly there is no callback, and the
	// test will fail later on if we don't do this.
	time.Sleep(10 * time.Second)

	// Read the secret
	secret, err := client.Logical().Read("secret/foo")
	if err != nil {
		t.Fatal(err)
	}
	if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {
		t.Fatal(diff)
	}

	// Make sure the seal configs were updated correctly.
	b, r, err := cluster.Cores[0].Core.PhysicalSealConfigs(context.Background())
	if err != nil {
		t.Fatal(err)
	}
	verifyBarrierConfig(t, b, wrapping.Shamir, keyShares, keyThreshold, 1)
	if r != nil {
		t.Fatalf("expected nil recovery config, got: %#v", r)
	}

	cluster.EnsureCoresSealed(t)
}
Test pre-1.4 seal migration (#9085) * enable seal wrap in all seal migration tests * move adjustForSealMigration to vault package * fix adjustForSealMigration * begin working on new seal migration test * create shamir seal migration test * refactor testhelpers * add VerifyRaftConfiguration to testhelpers * stub out TestTransit * Revert "refactor testhelpers" This reverts commit 39593defd0d4c6fd79aedfd37df6298391abb9db. * get shamir test working again * stub out transit join * work on transit join * Revert "move resuable storage test to avoid creating import cycle" This reverts commit b3ff2317381a5af12a53117f87d1c6fbb093af6b. * remove debug code * initTransit now works with raft join * runTransit works with inmem * work on runTransit with raft * runTransit works with raft * get rid of dis-used test * cleanup tests * TestSealMigration_TransitToShamir_Pre14 * TestSealMigration_ShamirToTransit_Pre14 * split for pre-1.4 testing * add simple tests for transit and shamir * fix typo in test suite * debug wrapper type * test debug * test-debug * refactor core migration * Revert "refactor core migration" This reverts commit a776452d32a9dca7a51e3df4a76b9234d8c0c7ce. * begin refactor of adjustForSealMigration * fix bug in adjustForSealMigration * clean up tests * clean up core refactoring * fix bug in shamir->transit migration * remove unnecessary lock from setSealsForMigration() * rename sealmigration test package * use ephemeral ports below 30000 * simplify use of numTestCores 2020-06-11 19:07:59 +00:00			`// +build !enterprise`

			`package sealmigration`

			`import (`
			`"context"`
			`"fmt"`
			`"testing"`
			`"time"`

			`"github.com/go-test/deep"`

			`"github.com/hashicorp/go-hclog"`
			`wrapping "github.com/hashicorp/go-kms-wrapping"`
			`"github.com/hashicorp/vault/helper/testhelpers"`
			`sealhelper "github.com/hashicorp/vault/helper/testhelpers/seal"`
			`"github.com/hashicorp/vault/helper/testhelpers/teststorage"`
			`vaulthttp "github.com/hashicorp/vault/http"`
			`"github.com/hashicorp/vault/vault"`
			`)`

			`// TestSealMigration_TransitToShamir_Pre14 tests transit-to-shamir seal`
			`// migration, using the pre-1.4 method of bring down the whole cluster to do`
			`// the migration.`
			`func TestSealMigration_TransitToShamir_Pre14(t *testing.T) {`
			`// Note that we do not test integrated raft storage since this is`
			`// a pre-1.4 test.`
			`testVariousBackends(t, testSealMigrationTransitToShamir_Pre14, false)`
			`}`

			`func testSealMigrationTransitToShamir_Pre14(`
			`t *testing.T, logger hclog.Logger,`
			`storage teststorage.ReusableStorage, basePort int) {`

			`// Create the transit server.`
			`tss := sealhelper.NewTransitSealServer(t)`
			`defer func() {`
			`if tss != nil {`
			`tss.Cleanup()`
			`}`
			`}()`
			`tss.MakeKey(t, "transit-seal-key")`

			`// Initialize the backend with transit.`
			`rootToken, recoveryKeys, transitSeal := initializeTransit(t, logger, storage, basePort, tss)`

			`// Migrate the backend from transit to shamir`
			`migrateFromTransitToShamir_Pre14(t, logger, storage, basePort, tss, transitSeal, rootToken, recoveryKeys)`

			`// Now that migration is done, we can nuke the transit server, since we`
			`// can unseal without it.`
			`tss.Cleanup()`
			`tss = nil`

			`// Run the backend with shamir. Note that the recovery keys are now the`
			`// barrier keys.`
			`runShamir(t, logger, storage, basePort, rootToken, recoveryKeys)`
			`}`

			`func migrateFromTransitToShamir_Pre14(`
			`t *testing.T, logger hclog.Logger,`
			`storage teststorage.ReusableStorage, basePort int,`
			`tss *sealhelper.TransitSealServer, transitSeal vault.Seal,`
			`rootToken string, recoveryKeys [][]byte) {`

			`var baseClusterPort = basePort + 10`

			`var conf = vault.CoreConfig{`
			`Logger: logger.Named("migrateFromTransitToShamir"),`
			`// N.B. Providing an UnwrapSeal puts us in migration mode. This is the`
			`// equivalent of doing the following in HCL:`
			`// seal "transit" {`
			`// // ...`
			`// disabled = "true"`
			`// }`
			`UnwrapSeal: transitSeal,`
			`}`
			`var opts = vault.TestClusterOptions{`
			`HandlerFunc: vaulthttp.Handler,`
			`NumCores: numTestCores,`
			`BaseListenAddress: fmt.Sprintf("127.0.0.1:%d", basePort),`
			`BaseClusterListenPort: baseClusterPort,`
			`SkipInit: true,`
			`}`
			`storage.Setup(&conf, &opts)`
			`cluster := vault.NewTestCluster(t, &conf, &opts)`
			`cluster.Start()`
			`defer func() {`
			`storage.Cleanup(t, cluster)`
			`cluster.Cleanup()`
			`}()`

			`leader := cluster.Cores[0]`
			`client := leader.Client`
			`client.SetToken(rootToken)`

			`// Attempt to unseal while the transit server is unreachable. Although`
			`// we're unsealing using the recovery keys, this is still an`
			`// autounseal, so it should fail.`
			`tss.EnsureCoresSealed(t)`
			`unsealMigrate(t, client, recoveryKeys, false)`
			`tss.UnsealCores(t)`
			`testhelpers.WaitForActiveNode(t, tss.TestCluster)`

			`// Unseal and migrate to Shamir. Although we're unsealing using the`
			`// recovery keys, this is still an autounseal.`
			`unsealMigrate(t, client, recoveryKeys, true)`
			`testhelpers.WaitForActiveNode(t, cluster)`

			`// Wait for migration to finish. Sadly there is no callback, and the`
			`// test will fail later on if we don't do this.`
			`time.Sleep(10 * time.Second)`

			`// Read the secret`
			`secret, err := client.Logical().Read("secret/foo")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`if diff := deep.Equal(secret.Data, map[string]interface{}{"zork": "quux"}); len(diff) > 0 {`
			`t.Fatal(diff)`
			`}`

			`// Make sure the seal configs were updated correctly.`
			`b, r, err := cluster.Cores[0].Core.PhysicalSealConfigs(context.Background())`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`verifyBarrierConfig(t, b, wrapping.Shamir, keyShares, keyThreshold, 1)`
			`if r != nil {`
			`t.Fatalf("expected nil recovery config, got: %#v", r)`
			`}`

			`cluster.EnsureCoresSealed(t)`
			`}`