init: pgp-keys input validations
This commit is contained in:
vishalnayak
parent
bf6aa296b3
commit
adb6ac749f
|
|
@ -329,13 +329,16 @@ Init Options:
|
|||
-pgp-keys If provided, must be a comma-separated list of
|
||||
files on disk containing binary- or base64-format
|
||||
public PGP keys, or Keybase usernames specified as
|
||||
"keybase:<username>". The number of given entries
|
||||
must match 'key-shares'. The output unseal keys will
|
||||
"keybase:<username>". The output unseal keys will
|
||||
be encrypted and base64-encoded, in order, with the
|
||||
given public keys. If you want to use them with the
|
||||
'vault unseal' command, you will need to base64-
|
||||
decode and decrypt; this will be the plaintext
|
||||
unseal key.
|
||||
unseal key. When 'stored-shares' are not used, the
|
||||
number of entries in this field must match 'key-shares'.
|
||||
When 'stored-shares' are used, the number of entries
|
||||
should match the difference between 'key-shares'
|
||||
and 'stored-shares'.
|
||||
|
||||
-root-token-pgp-key If provided, a file on disk with a binary- or
|
||||
base64-format public PGP key, or a Keybase username
|
||||
|
|
|
|||
|
|
@ -81,6 +81,18 @@ func handleSysInitPut(core *vault.Core, w http.ResponseWriter, r *http.Request)
|
|||
}
|
||||
}
|
||||
|
||||
if len(barrierConfig.PGPKeys) > 0 && len(barrierConfig.PGPKeys) != barrierConfig.SecretShares-barrierConfig.StoredShares {
|
||||
respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys"))
|
||||
return
|
||||
}
|
||||
|
||||
if core.SealAccess().RecoveryKeySupported() {
|
||||
if len(recoveryConfig.PGPKeys) > 0 && len(recoveryConfig.PGPKeys) != recoveryConfig.SecretShares-recoveryConfig.StoredShares {
|
||||
respondError(w, http.StatusBadRequest, fmt.Errorf("incorrect number of PGP keys for recovery"))
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
initParams := &vault.InitParams{
|
||||
BarrierConfig: barrierConfig,
|
||||
RecoveryConfig: recoveryConfig,
|
||||
|
|
|
|||
|
|
@ -53,6 +53,39 @@ func TestSysInit_get(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
// Test to check if the API errors out when wrong number of PGP keys are
|
||||
// supplied
|
||||
func TestSysInit_pgpKeysEntries(t *testing.T) {
|
||||
core := vault.TestCore(t)
|
||||
ln, addr := TestServer(t, core)
|
||||
defer ln.Close()
|
||||
|
||||
resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{
|
||||
"secret_shares": 5,
|
||||
"secret_threhold": 3,
|
||||
"pgp_keys": []string{"pgpkey1"},
|
||||
})
|
||||
testResponseStatus(t, resp, 400)
|
||||
}
|
||||
|
||||
// Test to check if the API errors out when wrong number of PGP keys are
|
||||
// supplied for recovery config
|
||||
func TestSysInit_pgpKeysEntriesForRecovery(t *testing.T) {
|
||||
core := vault.TestCoreNewSeal(t)
|
||||
ln, addr := TestServer(t, core)
|
||||
defer ln.Close()
|
||||
|
||||
resp := testHttpPut(t, "", addr+"/v1/sys/init", map[string]interface{}{
|
||||
"secret_shares": 1,
|
||||
"secret_threshold": 1,
|
||||
"stored_shares": 1,
|
||||
"recovery_shares": 5,
|
||||
"recovery_threshold": 3,
|
||||
"recovery_pgp_keys": []string{"pgpkey1"},
|
||||
})
|
||||
testResponseStatus(t, resp, 400)
|
||||
}
|
||||
|
||||
func TestSysInit_put(t *testing.T) {
|
||||
core := vault.TestCore(t)
|
||||
ln, addr := TestServer(t, core)
|
||||
|
|
|
|||
|
|
@ -70,6 +70,12 @@ func TestCore(t *testing.T) *Core {
|
|||
return TestCoreWithSeal(t, nil)
|
||||
}
|
||||
|
||||
// TestCoreNewSeal returns an in-memory, ininitialized core with the new seal
|
||||
// configuration.
|
||||
func TestCoreNewSeal(t *testing.T) *Core {
|
||||
return TestCoreWithSeal(t, &TestSeal{})
|
||||
}
|
||||
|
||||
// TestCoreWithSeal returns a pure in-memory, uninitialized core with the
|
||||
// specified seal for testing.
|
||||
func TestCoreWithSeal(t *testing.T, testSeal Seal) *Core {
|
||||
|
|
|
|||
Loading…
Reference in New Issue