vault: testing barrier rekey

2015-05-27 17:17:03 -07:00 · 2015-05-27 17:17:03 -07:00 · 3e717907cd
parent b93feb8a6b
commit 3e717907cd
2 changed files with 68 additions and 0 deletions
--- a/vault/barrier_aes_gcm_test.go
+++ b/vault/barrier_aes_gcm_test.go
@ -41,6 +41,15 @@ func TestAESGCMBarrier_Rotate(t *testing.T) {
 	testBarrier_Rotate(t, b)
 }

+func TestAESGCMBarrier_Rekey(t *testing.T) {
+	inm := physical.NewInmem()
+	b, err := NewAESGCMBarrier(inm)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	testBarrier_Rekey(t, b)
+}
+
 // Test an upgrade from the old (0.1) barrier/init to the new
 // core/keyring style
 func TestAESGCMBarrier_BackwardsCompatible(t *testing.T) {
--- a/vault/barrier_test.go
+++ b/vault/barrier_test.go
@ -305,3 +305,62 @@ func testBarrier_Rotate(t *testing.T, b SecurityBarrier) {
 		t.Fatalf("bad: %v", out)
 	}
 }
+
+func testBarrier_Rekey(t *testing.T, b SecurityBarrier) {
+	// Initialize the barrier
+	key, _ := b.GenerateKey()
+	b.Initialize(key)
+	err := b.Unseal(key)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Write a key
+	e1 := &Entry{Key: "test", Value: []byte("test")}
+	if err := b.Put(e1); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Rekey to a new key
+	newKey, _ := b.GenerateKey()
+	err = b.Rekey(newKey)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Reading should work
+	out, err := b.Get(e1.Key)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if out == nil {
+		t.Fatalf("bad: %v", out)
+	}
+
+	// Seal
+	err = b.Seal()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Unseal with old key should fail
+	err = b.Unseal(key)
+	if err == nil {
+		t.Fatalf("unseal should fail")
+	}
+
+	// Unseal with new keys should work
+	err = b.Unseal(newKey)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Reading should work
+	out, err = b.Get(e1.Key)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if out == nil {
+		t.Fatalf("bad: %v", out)
+	}
+}