vault: test for backwards compatability

This commit is contained in:
Armon Dadgar 2015-05-27 16:42:42 -07:00
parent e8e9103300
commit 28560a612f
2 changed files with 70 additions and 1 deletions


@ -138,7 +138,7 @@ func (b *AESGCMBarrier) persistKeyring(keyring *Keyring) error {
// Encrypt the barrier init value
value := b.encrypt(initialKeyTerm, gcm, buf)
// Create the barrierInitPath
// Create the keyring physical entry
pe := &physical.Entry{
Key: keyringPath,
Value: value,
@ -253,6 +253,11 @@ func (b *AESGCMBarrier) Unseal(key []byte) error {
return err
}
// Delete the old barrier entry
if err := b.backend.Delete(barrierInitPath); err != nil {
return fmt.Errorf("failed to delete barrier init file: %v", err)
}
// Set the vault as unsealed
b.keyring = keyring
b.sealed = false
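Review bot: When `b.backend.Delete(barrierInitPath)` fails, Unseal returns an error with `b.sealed` still true, and if the keyring was already persisted by the migration step above the hunk (inferred, not visible here) the backend is left holding both the legacy init entry and the keyring entry. The next Unseal must then cope with both entries present, so it is worth confirming that path prefers the keyring and only retries the delete rather than re-running the migration, and covering it with a test that makes the delete fail once. A comment stating the intended ordering would help the next reader: `// Remove the legacy init entry only after the keyring write above succeeded, so a crash in between leaves a recoverable state` (assuming that is indeed the order). Unseal begins and ends outside the hunk.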


@ -2,6 +2,7 @@ package vault
import (
"bytes"
"encoding/json"
"testing"
"github.com/hashicorp/vault/physical"
@ -31,6 +32,69 @@ func TestAESGCMBarrier_Basic(t *testing.T) {
testBarrier(t, b)
}
// Test an upgrade from the old (0.1) barrier/init to the new
// core/keyring style
func TestAESGCMBarrier_BackwardsCompatible(t *testing.T) {
inm := physical.NewInmem()
b, err := NewAESGCMBarrier(inm)
if err != nil {
t.Fatalf("err: %v", err)
}
// Generate a barrier/init entry
encrypt, _ := b.GenerateKey()
init := &barrierInit{
Version: 1,
Key: encrypt,
}
buf, _ := json.Marshal(init)
// Protect with master key
master, _ := b.GenerateKey()
gcm, _ := b.aeadFromKey(master)
value := b.encrypt(initialKeyTerm, gcm, buf)
// Write to the physical backend
pe := &physical.Entry{
Key: barrierInitPath,
Value: value,
}
inm.Put(pe)
// Should still be initialized
isInit, err := b.Initialized()
if err != nil {
t.Fatalf("err: %v", err)
}
if !isInit {
t.Fatalf("should be initialized")
}
// Unseal should work and migrate online
err = b.Unseal(master)
if err != nil {
t.Fatalf("err: %v", err)
}
// Check for migraiton
out, err := inm.Get(barrierInitPath)
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("should delete old barrier init")
}
// Should have keyring
out, err = inm.Get(keyringPath)
if err != nil {
t.Fatalf("err: %v", err)
}
if out == nil {
t.Fatalf("should have keyring file")
}
}
// Verify data sent through is encrypted
func TestAESGCMBarrier_Confidential(t *testing.T) {
inm := physical.NewInmem()
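Review bot: The new test only checks that `barrierInitPath` is gone and `keyringPath` exists after `Unseal`, but never shows that data encrypted under the old key is still readable, which is the actual backwards-compatibility guarantee; writing one entry under the legacy key before the upgrade and reading it back through `b.Get` after `Unseal` would pin that down (this assumes the migration installs the old key as the term-1 key, which is not visible in the hunk). The setup also drops every error (`encrypt, _ := b.GenerateKey()`, `buf, _ := json.Marshal(init)`, `gcm, _ := b.aeadFromKey(master)`, `inm.Put(pe)`), so a failure there surfaces as a confusing later assertion instead of at its source. The comment above the `inm.Get(barrierInitPath)` check has a typo: `// Check for migration`.
```go
// … unchanged: build and Put the legacy barrierInit entry …
// An entry encrypted under the legacy key, as a 0.1 barrier would have written it
gcmOld, err := b.aeadFromKey(encrypt)
if err != nil {
	t.Fatalf("err: %v", err)
}
legacy := &physical.Entry{
	Key:   "legacy/entry", // constructed key, only meaningful to this test
	Value: b.encrypt(initialKeyTerm, gcmOld, []byte("test")),
}
if err := inm.Put(legacy); err != nil {
	t.Fatalf("err: %v", err)
}
// … unchanged: Initialized and Unseal checks …
// Data written under the old key must remain readable after migration
got, err := b.Get("legacy/entry")
if err != nil {
	t.Fatalf("err: %v", err)
}
if got == nil || !bytes.Equal(got.Value, []byte("test")) {
	t.Fatalf("legacy entry not readable after migration: %#v", got)
}
```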