Update rekey command
This commit is contained in:
Seth Vargo
parent
648e0c7913
commit
a72ab1ecf5
942
command/rekey.go
942
command/rekey.go
File diff suppressed because it is too large
Load Diff
|
|
@ -1,312 +1,515 @@
|
|||
package command
|
||||
|
||||
import (
|
||||
"encoding/hex"
|
||||
"os"
|
||||
"sort"
|
||||
"io"
|
||||
"reflect"
|
||||
"regexp"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/hashicorp/vault/http"
|
||||
"github.com/hashicorp/vault/logical"
|
||||
"github.com/hashicorp/vault/meta"
|
||||
"github.com/hashicorp/vault/vault"
|
||||
"github.com/hashicorp/vault/api"
|
||||
"github.com/mitchellh/cli"
|
||||
)
|
||||
|
||||
func TestRekey(t *testing.T) {
|
||||
core, keys, _ := vault.TestCoreUnsealed(t)
|
||||
ln, addr := http.TestServer(t, core)
|
||||
defer ln.Close()
|
||||
func testRekeyCommand(tb testing.TB) (*cli.MockUi, *RekeyCommand) {
|
||||
tb.Helper()
|
||||
|
||||
ui := new(cli.MockUi)
|
||||
ui := cli.NewMockUi()
|
||||
return ui, &RekeyCommand{
|
||||
BaseCommand: &BaseCommand{
|
||||
UI: ui,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
for i, key := range keys {
|
||||
c := &RekeyCommand{
|
||||
Key: hex.EncodeToString(key),
|
||||
RecoveryKey: false,
|
||||
Meta: meta.Meta{
|
||||
Ui: ui,
|
||||
func TestRekeyCommand_Run(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
cases := []struct {
|
||||
name string
|
||||
args []string
|
||||
out string
|
||||
code int
|
||||
}{
|
||||
{
|
||||
"pgp_keys_multi",
|
||||
[]string{
|
||||
"-init",
|
||||
"-pgp-keys", "keybase:hashicorp",
|
||||
"-pgp-keys", "keybase:jefferai",
|
||||
},
|
||||
"can only be specified once",
|
||||
1,
|
||||
},
|
||||
{
|
||||
"key_shares_pgp_less",
|
||||
[]string{
|
||||
"-init",
|
||||
"-key-shares", "10",
|
||||
"-pgp-keys", "keybase:jefferai,keybase:sethvargo",
|
||||
},
|
||||
"incorrect number",
|
||||
2,
|
||||
},
|
||||
{
|
||||
"key_shares_pgp_more",
|
||||
[]string{
|
||||
"-init",
|
||||
"-key-shares", "1",
|
||||
"-pgp-keys", "keybase:jefferai,keybase:sethvargo",
|
||||
},
|
||||
"incorrect number",
|
||||
2,
|
||||
},
|
||||
}
|
||||
|
||||
t.Run("validations", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
for _, tc := range cases {
|
||||
tc := tc
|
||||
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
client, closer := testVaultServer(t)
|
||||
defer closer()
|
||||
|
||||
ui, cmd := testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
|
||||
code := cmd.Run(tc.args)
|
||||
if code != tc.code {
|
||||
t.Errorf("expected %d to be %d", code, tc.code)
|
||||
}
|
||||
|
||||
combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
|
||||
if !strings.Contains(combined, tc.out) {
|
||||
t.Errorf("expected %q to contain %q", combined, tc.out)
|
||||
}
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("status", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
client, closer := testVaultServer(t)
|
||||
defer closer()
|
||||
|
||||
ui, cmd := testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
|
||||
// Verify the non-init response
|
||||
code := cmd.Run([]string{
|
||||
"-status",
|
||||
})
|
||||
if exp := 0; code != exp {
|
||||
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
if i > 0 {
|
||||
conf, err := core.RekeyConfig(false)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
expected := "Nonce"
|
||||
combined := ui.OutputWriter.String()
|
||||
if !strings.Contains(combined, expected) {
|
||||
t.Errorf("expected %q to contain %q", combined, expected)
|
||||
}
|
||||
|
||||
// Now init to verify the init response
|
||||
if _, err := client.Sys().RekeyInit(&api.RekeyInitRequest{
|
||||
SecretShares: 1,
|
||||
SecretThreshold: 1,
|
||||
}); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Verify the init response
|
||||
ui, cmd = testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
code = cmd.Run([]string{
|
||||
"-status",
|
||||
})
|
||||
if exp := 0; code != exp {
|
||||
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
expected = "Progress"
|
||||
combined = ui.OutputWriter.String()
|
||||
if !strings.Contains(combined, expected) {
|
||||
t.Errorf("expected %q to contain %q", combined, expected)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("cancel", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
client, closer := testVaultServer(t)
|
||||
defer closer()
|
||||
|
||||
// Initialize a rekey
|
||||
if _, err := client.Sys().RekeyInit(&api.RekeyInitRequest{
|
||||
SecretShares: 1,
|
||||
SecretThreshold: 1,
|
||||
}); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
ui, cmd := testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
|
||||
code := cmd.Run([]string{
|
||||
"-cancel",
|
||||
})
|
||||
if exp := 0; code != exp {
|
||||
t.Errorf("expected %d to be %d", code, exp)
|
||||
}
|
||||
|
||||
expected := "Success! Canceled rekeying"
|
||||
combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
|
||||
if !strings.Contains(combined, expected) {
|
||||
t.Errorf("expected %q to contain %q", combined, expected)
|
||||
}
|
||||
|
||||
status, err := client.Sys().GenerateRootStatus()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
if status.Started {
|
||||
t.Errorf("expected status to be canceled: %#v", status)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("init", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
client, closer := testVaultServer(t)
|
||||
defer closer()
|
||||
|
||||
ui, cmd := testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
|
||||
code := cmd.Run([]string{
|
||||
"-init",
|
||||
"-key-shares", "1",
|
||||
"-key-threshold", "1",
|
||||
})
|
||||
if exp := 0; code != exp {
|
||||
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
expected := "Nonce"
|
||||
combined := ui.OutputWriter.String()
|
||||
if !strings.Contains(combined, expected) {
|
||||
t.Errorf("expected %q to contain %q", combined, expected)
|
||||
}
|
||||
|
||||
status, err := client.Sys().RekeyStatus()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if !status.Started {
|
||||
t.Errorf("expected status to be started: %#v", status)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("init_pgp", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
pgpKey := "keybase:hashicorp"
|
||||
pgpFingerprints := []string{"91a6e7f85d05c65630bef18951852d87348ffc4c"}
|
||||
|
||||
client, closer := testVaultServer(t)
|
||||
defer closer()
|
||||
|
||||
ui, cmd := testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
|
||||
code := cmd.Run([]string{
|
||||
"-init",
|
||||
"-key-shares", "1",
|
||||
"-key-threshold", "1",
|
||||
"-pgp-keys", pgpKey,
|
||||
})
|
||||
if exp := 0; code != exp {
|
||||
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
expected := "Nonce"
|
||||
combined := ui.OutputWriter.String()
|
||||
if !strings.Contains(combined, expected) {
|
||||
t.Errorf("expected %q to contain %q", combined, expected)
|
||||
}
|
||||
|
||||
status, err := client.Sys().RekeyStatus()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if !status.Started {
|
||||
t.Errorf("expected status to be started: %#v", status)
|
||||
}
|
||||
if !reflect.DeepEqual(status.PGPFingerprints, pgpFingerprints) {
|
||||
t.Errorf("expected %#v to be %#v", status.PGPFingerprints, pgpFingerprints)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("provide_arg", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
client, keys, closer := testVaultServerUnseal(t)
|
||||
defer closer()
|
||||
|
||||
// Initialize a rekey
|
||||
status, err := client.Sys().RekeyInit(&api.RekeyInitRequest{
|
||||
SecretShares: 1,
|
||||
SecretThreshold: 1,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
nonce := status.Nonce
|
||||
|
||||
// Supply the first n-1 unseal keys
|
||||
for _, key := range keys[:len(keys)-1] {
|
||||
ui, cmd := testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
|
||||
code := cmd.Run([]string{
|
||||
"-nonce", nonce,
|
||||
key,
|
||||
})
|
||||
if exp := 0; code != exp {
|
||||
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
|
||||
}
|
||||
c.Nonce = conf.Nonce
|
||||
}
|
||||
|
||||
args := []string{"-address", addr}
|
||||
if code := c.Run(args); code != 0 {
|
||||
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
||||
}
|
||||
}
|
||||
ui, cmd := testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
|
||||
config, err := core.SealAccess().BarrierConfig()
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
if config.SecretShares != 5 {
|
||||
t.Fatal("should rekey")
|
||||
}
|
||||
}
|
||||
|
||||
func TestRekey_arg(t *testing.T) {
|
||||
core, keys, _ := vault.TestCoreUnsealed(t)
|
||||
ln, addr := http.TestServer(t, core)
|
||||
defer ln.Close()
|
||||
|
||||
ui := new(cli.MockUi)
|
||||
|
||||
for i, key := range keys {
|
||||
c := &RekeyCommand{
|
||||
RecoveryKey: false,
|
||||
Meta: meta.Meta{
|
||||
Ui: ui,
|
||||
},
|
||||
code := cmd.Run([]string{
|
||||
"-nonce", nonce,
|
||||
keys[len(keys)-1], // the last unseal key
|
||||
})
|
||||
if exp := 0; code != exp {
|
||||
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
if i > 0 {
|
||||
conf, err := core.RekeyConfig(false)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
re := regexp.MustCompile(`Key 1: (.+)`)
|
||||
output := ui.OutputWriter.String()
|
||||
match := re.FindAllStringSubmatch(output, -1)
|
||||
if len(match) < 1 || len(match[0]) < 2 {
|
||||
t.Fatalf("bad match: %#v", match)
|
||||
}
|
||||
|
||||
// Grab the unseal key and try to unseal
|
||||
unsealKey := match[0][1]
|
||||
if err := client.Sys().Seal(); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
sealStatus, err := client.Sys().Unseal(unsealKey)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if sealStatus.Sealed {
|
||||
t.Errorf("expected vault to be unsealed: %#v", sealStatus)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("provide_stdin", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
client, keys, closer := testVaultServerUnseal(t)
|
||||
defer closer()
|
||||
|
||||
// Initialize a rekey
|
||||
status, err := client.Sys().RekeyInit(&api.RekeyInitRequest{
|
||||
SecretShares: 1,
|
||||
SecretThreshold: 1,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
nonce := status.Nonce
|
||||
|
||||
// Supply the first n-1 unseal keys
|
||||
for _, key := range keys[:len(keys)-1] {
|
||||
stdinR, stdinW := io.Pipe()
|
||||
go func() {
|
||||
stdinW.Write([]byte(key))
|
||||
stdinW.Close()
|
||||
}()
|
||||
|
||||
ui, cmd := testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
cmd.testStdin = stdinR
|
||||
|
||||
code := cmd.Run([]string{
|
||||
"-nonce", nonce,
|
||||
"-",
|
||||
})
|
||||
if exp := 0; code != exp {
|
||||
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
|
||||
}
|
||||
c.Nonce = conf.Nonce
|
||||
}
|
||||
|
||||
args := []string{"-address", addr, hex.EncodeToString(key)}
|
||||
if code := c.Run(args); code != 0 {
|
||||
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
||||
}
|
||||
}
|
||||
stdinR, stdinW := io.Pipe()
|
||||
go func() {
|
||||
stdinW.Write([]byte(keys[len(keys)-1])) // the last unseal key
|
||||
stdinW.Close()
|
||||
}()
|
||||
|
||||
config, err := core.SealAccess().BarrierConfig()
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
if config.SecretShares != 5 {
|
||||
t.Fatal("should rekey")
|
||||
}
|
||||
}
|
||||
ui, cmd := testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
cmd.testStdin = stdinR
|
||||
|
||||
func TestRekey_init(t *testing.T) {
|
||||
core, _, _ := vault.TestCoreUnsealed(t)
|
||||
ln, addr := http.TestServer(t, core)
|
||||
defer ln.Close()
|
||||
|
||||
ui := new(cli.MockUi)
|
||||
|
||||
c := &RekeyCommand{
|
||||
Meta: meta.Meta{
|
||||
Ui: ui,
|
||||
},
|
||||
}
|
||||
|
||||
args := []string{
|
||||
"-address", addr,
|
||||
"-init",
|
||||
"-key-threshold", "10",
|
||||
"-key-shares", "10",
|
||||
}
|
||||
if code := c.Run(args); code != 0 {
|
||||
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
config, err := core.RekeyConfig(false)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
if config.SecretShares != 10 {
|
||||
t.Fatal("should rekey")
|
||||
}
|
||||
if config.SecretThreshold != 10 {
|
||||
t.Fatal("should rekey")
|
||||
}
|
||||
}
|
||||
|
||||
func TestRekey_cancel(t *testing.T) {
|
||||
core, keys, _ := vault.TestCoreUnsealed(t)
|
||||
ln, addr := http.TestServer(t, core)
|
||||
defer ln.Close()
|
||||
|
||||
ui := new(cli.MockUi)
|
||||
c := &RekeyCommand{
|
||||
Key: hex.EncodeToString(keys[0]),
|
||||
Meta: meta.Meta{
|
||||
Ui: ui,
|
||||
},
|
||||
}
|
||||
|
||||
args := []string{"-address", addr, "-init"}
|
||||
if code := c.Run(args); code != 0 {
|
||||
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
args = []string{"-address", addr, "-cancel"}
|
||||
if code := c.Run(args); code != 0 {
|
||||
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
config, err := core.RekeyConfig(false)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
if config != nil {
|
||||
t.Fatal("should not rekey")
|
||||
}
|
||||
}
|
||||
|
||||
func TestRekey_status(t *testing.T) {
|
||||
core, keys, _ := vault.TestCoreUnsealed(t)
|
||||
ln, addr := http.TestServer(t, core)
|
||||
defer ln.Close()
|
||||
|
||||
ui := new(cli.MockUi)
|
||||
c := &RekeyCommand{
|
||||
Key: hex.EncodeToString(keys[0]),
|
||||
Meta: meta.Meta{
|
||||
Ui: ui,
|
||||
},
|
||||
}
|
||||
|
||||
args := []string{"-address", addr, "-init"}
|
||||
if code := c.Run(args); code != 0 {
|
||||
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
args = []string{"-address", addr, "-status"}
|
||||
if code := c.Run(args); code != 0 {
|
||||
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
if !strings.Contains(ui.OutputWriter.String(), "Started: true") {
|
||||
t.Fatalf("bad: %s", ui.OutputWriter.String())
|
||||
}
|
||||
}
|
||||
|
||||
func TestRekey_init_pgp(t *testing.T) {
|
||||
core, keys, token := vault.TestCoreUnsealed(t)
|
||||
ln, addr := http.TestServer(t, core)
|
||||
defer ln.Close()
|
||||
|
||||
bc := &logical.BackendConfig{
|
||||
Logger: nil,
|
||||
System: logical.StaticSystemView{
|
||||
DefaultLeaseTTLVal: time.Hour * 24,
|
||||
MaxLeaseTTLVal: time.Hour * 24 * 32,
|
||||
},
|
||||
}
|
||||
sysBackend := vault.NewSystemBackend(core)
|
||||
err := sysBackend.Backend.Setup(bc)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
ui := new(cli.MockUi)
|
||||
c := &RekeyCommand{
|
||||
Meta: meta.Meta{
|
||||
Ui: ui,
|
||||
},
|
||||
}
|
||||
|
||||
tempDir, pubFiles, err := getPubKeyFiles(t)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer os.RemoveAll(tempDir)
|
||||
|
||||
args := []string{
|
||||
"-address", addr,
|
||||
"-init",
|
||||
"-key-shares", "4",
|
||||
"-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2] + "," + pubFiles[3],
|
||||
"-key-threshold", "2",
|
||||
"-backup", "true",
|
||||
}
|
||||
|
||||
if code := c.Run(args); code != 0 {
|
||||
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
config, err := core.RekeyConfig(false)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
if config.SecretShares != 4 {
|
||||
t.Fatal("should rekey")
|
||||
}
|
||||
if config.SecretThreshold != 2 {
|
||||
t.Fatal("should rekey")
|
||||
}
|
||||
|
||||
for _, key := range keys {
|
||||
c = &RekeyCommand{
|
||||
Key: hex.EncodeToString(key),
|
||||
Meta: meta.Meta{
|
||||
Ui: ui,
|
||||
},
|
||||
code := cmd.Run([]string{
|
||||
"-nonce", nonce,
|
||||
"-",
|
||||
})
|
||||
if exp := 0; code != exp {
|
||||
t.Errorf("expected %d to be %d", code, exp)
|
||||
}
|
||||
|
||||
c.Nonce = config.Nonce
|
||||
|
||||
args = []string{
|
||||
"-address", addr,
|
||||
re := regexp.MustCompile(`Key 1: (.+)`)
|
||||
output := ui.OutputWriter.String()
|
||||
match := re.FindAllStringSubmatch(output, -1)
|
||||
if len(match) < 1 || len(match[0]) < 2 {
|
||||
t.Fatalf("bad match: %#v", match)
|
||||
}
|
||||
if code := c.Run(args); code != 0 {
|
||||
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
|
||||
|
||||
// Grab the unseal key and try to unseal
|
||||
unsealKey := match[0][1]
|
||||
if err := client.Sys().Seal(); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
sealStatus, err := client.Sys().Unseal(unsealKey)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if sealStatus.Sealed {
|
||||
t.Errorf("expected vault to be unsealed: %#v", sealStatus)
|
||||
}
|
||||
})
|
||||
|
||||
type backupStruct struct {
|
||||
Keys map[string][]string
|
||||
KeysB64 map[string][]string
|
||||
}
|
||||
backupVals := &backupStruct{}
|
||||
t.Run("backup", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
req := logical.TestRequest(t, logical.ReadOperation, "rekey/backup")
|
||||
resp, err := sysBackend.HandleRequest(req)
|
||||
if err != nil {
|
||||
t.Fatalf("error running backed-up unseal key fetch: %v", err)
|
||||
}
|
||||
if resp == nil {
|
||||
t.Fatalf("got nil resp with unseal key fetch")
|
||||
}
|
||||
if resp.Data["keys"] == nil {
|
||||
t.Fatalf("could not retrieve unseal keys from token")
|
||||
}
|
||||
if resp.Data["nonce"] != config.Nonce {
|
||||
t.Fatalf("nonce mismatch between rekey and backed-up keys")
|
||||
}
|
||||
pgpKey := "keybase:hashicorp"
|
||||
// pgpFingerprints := []string{"91a6e7f85d05c65630bef18951852d87348ffc4c"}
|
||||
|
||||
backupVals.Keys = resp.Data["keys"].(map[string][]string)
|
||||
backupVals.KeysB64 = resp.Data["keys_base64"].(map[string][]string)
|
||||
client, keys, closer := testVaultServerUnseal(t)
|
||||
defer closer()
|
||||
|
||||
// Now delete and try again; the values should be inaccessible
|
||||
req = logical.TestRequest(t, logical.DeleteOperation, "rekey/backup")
|
||||
resp, err = sysBackend.HandleRequest(req)
|
||||
if err != nil {
|
||||
t.Fatalf("error running backed-up unseal key delete: %v", err)
|
||||
}
|
||||
req = logical.TestRequest(t, logical.ReadOperation, "rekey/backup")
|
||||
resp, err = sysBackend.HandleRequest(req)
|
||||
if err != nil {
|
||||
t.Fatalf("error running backed-up unseal key fetch: %v", err)
|
||||
}
|
||||
if resp == nil {
|
||||
t.Fatalf("got nil resp with unseal key fetch")
|
||||
}
|
||||
if resp.Data["keys"] != nil {
|
||||
t.Fatalf("keys found when they should have been deleted")
|
||||
}
|
||||
ui, cmd := testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
|
||||
// Sort, because it'll be tested with DeepEqual later
|
||||
for k, _ := range backupVals.Keys {
|
||||
sort.Strings(backupVals.Keys[k])
|
||||
sort.Strings(backupVals.KeysB64[k])
|
||||
}
|
||||
code := cmd.Run([]string{
|
||||
"-init",
|
||||
"-key-shares", "1",
|
||||
"-key-threshold", "1",
|
||||
"-pgp-keys", pgpKey,
|
||||
"-backup",
|
||||
})
|
||||
if exp := 0; code != exp {
|
||||
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
parseDecryptAndTestUnsealKeys(t, ui.OutputWriter.String(), token, true, backupVals.Keys, backupVals.KeysB64, core)
|
||||
// Get the status for the nonce
|
||||
status, err := client.Sys().RekeyStatus()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
nonce := status.Nonce
|
||||
|
||||
var combined string
|
||||
// Supply the unseal keys
|
||||
for _, key := range keys {
|
||||
ui, cmd := testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
|
||||
code := cmd.Run([]string{
|
||||
"-nonce", nonce,
|
||||
key,
|
||||
})
|
||||
if exp := 0; code != exp {
|
||||
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
// Append to our output string
|
||||
combined += ui.OutputWriter.String()
|
||||
}
|
||||
|
||||
re := regexp.MustCompile(`Key 1 fingerprint: (.+); value: (.+)`)
|
||||
match := re.FindAllStringSubmatch(combined, -1)
|
||||
if len(match) < 1 || len(match[0]) < 3 {
|
||||
t.Fatalf("bad match: %#v", match)
|
||||
}
|
||||
|
||||
// Grab the output fingerprint and encrypted key
|
||||
fingerprint, encryptedKey := match[0][1], match[0][2]
|
||||
|
||||
// Get the backup
|
||||
ui, cmd = testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
|
||||
code = cmd.Run([]string{
|
||||
"-backup-retrieve",
|
||||
})
|
||||
if exp := 0; code != exp {
|
||||
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
output := ui.OutputWriter.String()
|
||||
if !strings.Contains(output, fingerprint) {
|
||||
t.Errorf("expected %q to contain %q", output, fingerprint)
|
||||
}
|
||||
if !strings.Contains(output, encryptedKey) {
|
||||
t.Errorf("expected %q to contain %q", output, encryptedKey)
|
||||
}
|
||||
|
||||
// Delete the backup
|
||||
ui, cmd = testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
|
||||
code = cmd.Run([]string{
|
||||
"-backup-delete",
|
||||
})
|
||||
if exp := 0; code != exp {
|
||||
t.Errorf("expected %d to be %d: %s", code, exp, ui.ErrorWriter.String())
|
||||
}
|
||||
|
||||
secret, err := client.Sys().RekeyRetrieveBackup()
|
||||
if err == nil {
|
||||
t.Errorf("expected error: %#v", secret)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("communication_failure", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
client, closer := testVaultServerBad(t)
|
||||
defer closer()
|
||||
|
||||
ui, cmd := testRekeyCommand(t)
|
||||
cmd.client = client
|
||||
|
||||
code := cmd.Run([]string{
|
||||
"secret/foo",
|
||||
})
|
||||
if exp := 2; code != exp {
|
||||
t.Errorf("expected %d to be %d", code, exp)
|
||||
}
|
||||
|
||||
expected := "Error getting rekey status: "
|
||||
combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
|
||||
if !strings.Contains(combined, expected) {
|
||||
t.Errorf("expected %q to contain %q", combined, expected)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("no_tabs", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
_, cmd := testRekeyCommand(t)
|
||||
assertNoTabs(t, cmd)
|
||||
})
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue