vault: public TestCoreUnsealed, don't modify key in Unseal

/cc @armon - I do a key copy within Unseal now. It tripped me up for quite awhile that that method actually modifies the param in-place and I can't think of any scenario that is good for the user. Do you see any issues here?
2015-03-14 17:47:11 -07:00 · 2015-03-14 17:47:11 -07:00 · 866b91d858
parent b2af154fb4
commit 866b91d858
5 changed files with 40 additions and 48 deletions
--- a/vault/core.go
+++ b/vault/core.go
@ -305,9 +305,13 @@ func (c *Core) SecretProgress() int {
 	return len(c.unlockParts)
 }

-// Unseal is used to provide one of the key parts to
-// unseal the Vault.
-func (c *Core) Unseal(key []byte) (bool, error) {
+// Unseal is used to provide one of the key parts to unseal the Vault.
+func (c *Core) Unseal(keyRaw []byte) (bool, error) {
+	// Copy the key since it is modified in-place and we don't want to
+	// modify the parameter.
+	key := make([]byte, len(keyRaw))
+	copy(key, keyRaw)
+
 	// Verify the key length
 	min, max := c.barrier.KeyLength()
 	max += shamir.ShareOverhead
--- a/vault/core_test.go
+++ b/vault/core_test.go
@ -12,38 +12,6 @@ var (
 	invalidKey = []byte("abcdefghijklmnopqrstuvwxyz")[:17]
 )

-func testCore(t *testing.T) *Core {
-	inm := physical.NewInmem()
-	conf := &CoreConfig{Physical: inm}
-	c, err := NewCore(conf)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	return c
-}
-
-func testUnsealedCore(t *testing.T) (*Core, []byte) {
-	c := testCore(t)
-	sealConf := &SealConfig{
-		SecretShares:    1,
-		SecretThreshold: 1,
-	}
-	res, err := c.Initialize(sealConf)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	master := make([]byte, len(res.SecretShares[0]))
-	copy(master, res.SecretShares[0])
-	unseal, err := c.Unseal(res.SecretShares[0])
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-	if !unseal {
-		t.Fatalf("should be unsealed")
-	}
-	return c, master
-}
-
 func TestCore_Init(t *testing.T) {
 	inm := physical.NewInmem()
 	conf := &CoreConfig{Physical: inm}
@ -137,7 +105,7 @@ func TestCore_Init(t *testing.T) {
 }

 func TestCore_Init_MultiShare(t *testing.T) {
-	c := testCore(t)
+	c := TestCore(t)
 	sealConf := &SealConfig{
 		SecretShares:    5,
 		SecretThreshold: 3,
@ -162,7 +130,7 @@ func TestCore_Init_MultiShare(t *testing.T) {
 }

 func TestCore_Unseal_MultiShare(t *testing.T) {
-	c := testCore(t)
+	c := TestCore(t)

 	_, err := c.Unseal(invalidKey)
 	if err != ErrNotInit {
@ -247,7 +215,7 @@ func TestCore_Unseal_MultiShare(t *testing.T) {
 }

 func TestCore_Unseal_Single(t *testing.T) {
-	c := testCore(t)
+	c := TestCore(t)

 	_, err := c.Unseal(invalidKey)
 	if err != ErrNotInit {
@ -297,7 +265,7 @@ func TestCore_Unseal_Single(t *testing.T) {
 }

 func TestCore_Route_Sealed(t *testing.T) {
-	c := testCore(t)
+	c := TestCore(t)
 	sealConf := &SealConfig{
 		SecretShares:    1,
 		SecretThreshold: 1,
@ -335,7 +303,7 @@ func TestCore_Route_Sealed(t *testing.T) {

 // Attempt to unseal after doing a first seal
 func TestCore_SealUnseal(t *testing.T) {
-	c, key := testUnsealedCore(t)
+	c, key := TestCoreUnsealed(t)
 	if err := c.Seal(); err != nil {
 		t.Fatalf("err: %v", err)
 	}
--- a/vault/mount_test.go
+++ b/vault/mount_test.go
@ -6,7 +6,7 @@ import (
 )

 func TestCore_DefaultMountTable(t *testing.T) {
-	c, key := testUnsealedCore(t)
+	c, key := TestCoreUnsealed(t)
 	verifyDefaultTable(t, c.mounts)

 	// Start a second core with same physical
@ -30,7 +30,7 @@ func TestCore_DefaultMountTable(t *testing.T) {
 }

 func TestCore_Mount(t *testing.T) {
-	c, key := testUnsealedCore(t)
+	c, key := TestCoreUnsealed(t)
 	me := &MountEntry{
 		Path: "foo",
 		Type: "generic",
@ -65,7 +65,7 @@ func TestCore_Mount(t *testing.T) {
 }

 func TestCore_Unmount(t *testing.T) {
-	c, key := testUnsealedCore(t)
+	c, key := TestCoreUnsealed(t)
 	err := c.Unmount("secret")
 	if err != nil {
 		t.Fatalf("err: %v", err)
@ -96,7 +96,7 @@ func TestCore_Unmount(t *testing.T) {
 }

 func TestCore_Remount(t *testing.T) {
-	c, key := testUnsealedCore(t)
+	c, key := TestCoreUnsealed(t)
 	err := c.Remount("secret", "foo")
 	if err != nil {
 		t.Fatalf("err: %v", err)
@ -127,7 +127,7 @@ func TestCore_Remount(t *testing.T) {
 }

 func TestCore_Remount_Protected(t *testing.T) {
-	c, _ := testUnsealedCore(t)
+	c, _ := TestCoreUnsealed(t)
 	err := c.Remount("sys", "foo")
 	if err.Error() != "cannot remount 'sys/'" {
 		t.Fatalf("err: %v", err)
--- a/vault/system_test.go
+++ b/vault/system_test.go
@ -6,7 +6,7 @@ import (
 )

 func testSystem(t *testing.T) *SystemBackend {
-	c, _ := testUnsealedCore(t)
+	c, _ := TestCoreUnsealed(t)
 	return &SystemBackend{c}
 }

--- a/vault/testing.go
+++ b/vault/testing.go
@ -24,7 +24,7 @@ func TestCore(t *testing.T) *Core {

 // TestCoreInit initializes the core with a single key, and returns
 // the list of keys that must be used to unseal the core.
-func TestCoreInit(t *testing.T, core *Core) [][]byte {
+func TestCoreInit(t *testing.T, core *Core) []byte {
 	result, err := core.Initialize(&SealConfig{
 		SecretShares:    1,
 		SecretThreshold: 1,
@ -33,5 +33,25 @@ func TestCoreInit(t *testing.T, core *Core) [][]byte {
 		t.Fatalf("err: %s", err)
 	}

-	return result.SecretShares
+	return result.SecretShares[0]
+}
+
+// TestCoreUnsealed returns a pure in-memory core that is already
+// initialized and unsealed.
+func TestCoreUnsealed(t *testing.T) (*Core, []byte) {
+	core := TestCore(t)
+	key := TestCoreInit(t, core)
+	if _, err := core.Unseal(key); err != nil {
+		t.Fatalf("unseal err: %s", err)
+	}
+
+	sealed, err := core.Sealed()
+	if err != nil {
+		t.Fatalf("err checking seal status: %s", err)
+	}
+	if sealed {
+		t.Fatal("should not be sealed")
+	}
+
+	return core, key
 }