vault: test for backwards compatability
parent
e8e9103300
commit
28560a612f
@ -138,7 +138,7 @@ func (b *AESGCMBarrier) persistKeyring(keyring *Keyring) error {
|
|||
// Encrypt the barrier init value
|
||||
value := b.encrypt(initialKeyTerm, gcm, buf)
|
||||
|
||||
// Create the barrierInitPath
|
||||
// Create the keyring physical entry
|
||||
pe := &physical.Entry{
|
||||
Key: keyringPath,
|
||||
Value: value,
|
||||
|
@ -253,6 +253,11 @@ func (b *AESGCMBarrier) Unseal(key []byte) error {
|
|||
return err
|
||||
}
|
||||
|
||||
// Delete the old barrier entry
|
||||
if err := b.backend.Delete(barrierInitPath); err != nil {
|
||||
return fmt.Errorf("failed to delete barrier init file: %v", err)
|
||||
}
|
||||
|
||||
// Set the vault as unsealed
|
||||
b.keyring = keyring
|
||||
b.sealed = false
|
||||
|
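Review bot: The new Delete of barrierInitPath runs after the keyring has already been written (the `return err` just above is presumably the persist step, whose call sits outside the hunk), so a failed delete returns with the barrier still sealed while the backend holds both the new keyring and the legacy init entry; it is not visible here whether a later Unseal copes with that state, and the start of Unseal is outside the hunk. The legacy entry is the encryption key protected directly under the master key (that is exactly what the companion test constructs), so this deletion is what retires that second copy, and returning the error rather than ignoring it is the right call. A short comment would make the ordering deliberate: `// Keyring is persisted above; remove the legacy entry so the keyring is the only remaining copy of the encryption key.`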
|
|
@ -2,6 +2,7 @@ package vault
|
|||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"testing"
|
||||
|
||||
"github.com/hashicorp/vault/physical"
|
||||
|
@ -31,6 +32,69 @@ func TestAESGCMBarrier_Basic(t *testing.T) {
|
|||
testBarrier(t, b)
|
||||
}
|
||||
|
||||
// Test an upgrade from the old (0.1) barrier/init to the new
|
||||
// core/keyring style
|
||||
func TestAESGCMBarrier_BackwardsCompatible(t *testing.T) {
|
||||
inm := physical.NewInmem()
|
||||
b, err := NewAESGCMBarrier(inm)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
|
||||
// Generate a barrier/init entry
|
||||
encrypt, _ := b.GenerateKey()
|
||||
init := &barrierInit{
|
||||
Version: 1,
|
||||
Key: encrypt,
|
||||
}
|
||||
buf, _ := json.Marshal(init)
|
||||
|
||||
// Protect with master key
|
||||
master, _ := b.GenerateKey()
|
||||
gcm, _ := b.aeadFromKey(master)
|
||||
value := b.encrypt(initialKeyTerm, gcm, buf)
|
||||
|
||||
// Write to the physical backend
|
||||
pe := &physical.Entry{
|
||||
Key: barrierInitPath,
|
||||
Value: value,
|
||||
}
|
||||
inm.Put(pe)
|
||||
|
||||
// Should still be initialized
|
||||
isInit, err := b.Initialized()
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
if !isInit {
|
||||
t.Fatalf("should be initialized")
|
||||
}
|
||||
|
||||
// Unseal should work and migrate online
|
||||
err = b.Unseal(master)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
|
||||
// Check for migraiton
|
||||
out, err := inm.Get(barrierInitPath)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
if out != nil {
|
||||
t.Fatalf("should delete old barrier init")
|
||||
}
|
||||
|
||||
// Should have keyring
|
||||
out, err = inm.Get(keyringPath)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
if out == nil {
|
||||
t.Fatalf("should have keyring file")
|
||||
}
|
||||
}
|
||||
|
||||
// Verify data sent through is encrypted
|
||||
func TestAESGCMBarrier_Confidential(t *testing.T) {
|
||||
inm := physical.NewInmem()
|
||||
|
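Review bot: The setup of TestAESGCMBarrier_BackwardsCompatible discards the errors from `b.GenerateKey()` (twice), `json.Marshal(init)`, `b.aeadFromKey(master)` and `inm.Put(pe)`, so a failure there surfaces later as a confusing "should be initialized" or nil-key failure instead of at its source; each should be checked with the same `t.Fatalf("err: %v", err)` the rest of the test uses. The final assertions only prove that keyringPath exists after Unseal; they do not prove the migrated keyring still carries the original `encrypt` key under `initialKeyTerm`, which is the property a backwards-compatibility test is for, so comparing that key against `encrypt` after Unseal would pin the migration rather than just the file move. The comment at the migration check has a typo: `// Check for migration`.
```go
	// Generate a barrier/init entry
	encrypt, err := b.GenerateKey()
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	init := &barrierInit{
		Version: 1,
		Key:     encrypt,
	}
	buf, err := json.Marshal(init)
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	// Protect with master key
	master, err := b.GenerateKey()
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	gcm, err := b.aeadFromKey(master)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	value := b.encrypt(initialKeyTerm, gcm, buf)

	// Write to the physical backend
	pe := &physical.Entry{
		Key:   barrierInitPath,
		Value: value,
	}
	if err := inm.Put(pe); err != nil {
		t.Fatalf("err: %v", err)
	}
	// … unchanged: Initialized / Unseal / migration checks …
```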
|