Sync some seal testing stuff
This commit is contained in:
Jeff Mitchell
parent
14b832fde0
commit
d6a9a770c1
|
|
@ -12,12 +12,7 @@ import (
|
|||
func TestCore_GenerateRoot_Lifecycle(t *testing.T) {
|
||||
bc, rc := TestSealDefConfigs()
|
||||
c, masterKeys, _, _ := TestCoreUnsealedWithConfigs(t, bc, rc)
|
||||
c.seal.(*TestSeal).recoveryKeysDisabled = true
|
||||
testCore_GenerateRoot_Lifecycle_Common(t, c, masterKeys)
|
||||
|
||||
bc, rc = TestSealDefConfigs()
|
||||
c, _, recoveryKeys, _ := TestCoreUnsealedWithConfigs(t, bc, rc)
|
||||
testCore_GenerateRoot_Lifecycle_Common(t, c, recoveryKeys)
|
||||
}
|
||||
|
||||
func testCore_GenerateRoot_Lifecycle_Common(t *testing.T, c *Core, keys [][]byte) {
|
||||
|
|
@ -111,27 +106,13 @@ func testCore_GenerateRoot_Init_Common(t *testing.T, c *Core) {
|
|||
}
|
||||
|
||||
func TestCore_GenerateRoot_InvalidMasterNonce(t *testing.T) {
|
||||
bc, rc := TestSealDefConfigs()
|
||||
bc.SecretShares = 1
|
||||
bc.SecretThreshold = 1
|
||||
bc.StoredShares = 0
|
||||
c, masterKeys, _, _ := TestCoreUnsealedWithConfigs(t, bc, rc)
|
||||
c.seal.(*TestSeal).recoveryKeysDisabled = true
|
||||
// Make the master invalid
|
||||
bc, _ := TestSealDefConfigs()
|
||||
bc.SecretShares = 3
|
||||
bc.SecretThreshold = 3
|
||||
c, masterKeys, _, _ := TestCoreUnsealedWithConfigs(t, bc, nil)
|
||||
// Pass in master keys as they'll be invalid
|
||||
masterKeys[0][0]++
|
||||
testCore_GenerateRoot_InvalidMasterNonce_Common(t, c, masterKeys)
|
||||
|
||||
bc, rc = TestSealDefConfigs()
|
||||
// For ease of use let's make the threshold the same as the shares and also
|
||||
// no stored shares so we get an error after the full set
|
||||
bc.StoredShares = 0
|
||||
bc.SecretShares = 5
|
||||
bc.SecretThreshold = 5
|
||||
rc.SecretShares = 5
|
||||
rc.SecretThreshold = 5
|
||||
// In this case, pass in master keys instead as they'll be invalid
|
||||
c, masterKeys, _, _ = TestCoreUnsealedWithConfigs(t, bc, rc)
|
||||
testCore_GenerateRoot_InvalidMasterNonce_Common(t, c, masterKeys)
|
||||
}
|
||||
|
||||
func testCore_GenerateRoot_InvalidMasterNonce_Common(t *testing.T, c *Core, keys [][]byte) {
|
||||
|
|
@ -172,12 +153,7 @@ func testCore_GenerateRoot_InvalidMasterNonce_Common(t *testing.T, c *Core, keys
|
|||
func TestCore_GenerateRoot_Update_OTP(t *testing.T) {
|
||||
bc, rc := TestSealDefConfigs()
|
||||
c, masterKeys, _, _ := TestCoreUnsealedWithConfigs(t, bc, rc)
|
||||
c.seal.(*TestSeal).recoveryKeysDisabled = true
|
||||
testCore_GenerateRoot_Update_OTP_Common(t, c, masterKeys[0:bc.SecretThreshold])
|
||||
|
||||
bc, rc = TestSealDefConfigs()
|
||||
c, _, recoveryKeys, _ := TestCoreUnsealedWithConfigs(t, bc, rc)
|
||||
testCore_GenerateRoot_Update_OTP_Common(t, c, recoveryKeys[0:rc.SecretThreshold])
|
||||
}
|
||||
|
||||
func testCore_GenerateRoot_Update_OTP_Common(t *testing.T, c *Core, keys [][]byte) {
|
||||
|
|
@ -260,12 +236,7 @@ func testCore_GenerateRoot_Update_OTP_Common(t *testing.T, c *Core, keys [][]byt
|
|||
func TestCore_GenerateRoot_Update_PGP(t *testing.T) {
|
||||
bc, rc := TestSealDefConfigs()
|
||||
c, masterKeys, _, _ := TestCoreUnsealedWithConfigs(t, bc, rc)
|
||||
c.seal.(*TestSeal).recoveryKeysDisabled = true
|
||||
testCore_GenerateRoot_Update_PGP_Common(t, c, masterKeys[0:bc.SecretThreshold])
|
||||
|
||||
bc, rc = TestSealDefConfigs()
|
||||
c, _, recoveryKeys, _ := TestCoreUnsealedWithConfigs(t, bc, rc)
|
||||
testCore_GenerateRoot_Update_PGP_Common(t, c, recoveryKeys[0:rc.SecretThreshold])
|
||||
}
|
||||
|
||||
func testCore_GenerateRoot_Update_PGP_Common(t *testing.T, c *Core, keys [][]byte) {
|
||||
|
|
|
|||
|
|
@ -15,11 +15,9 @@ func TestCore_Init(t *testing.T) {
|
|||
c, conf := testCore_NewTestCore(t, nil)
|
||||
testCore_Init_Common(t, c, conf, &SealConfig{SecretShares: 5, SecretThreshold: 3}, nil)
|
||||
|
||||
c, conf = testCore_NewTestCore(t, newTestSeal(t))
|
||||
bc, rc := TestSealDefConfigs()
|
||||
rc.SecretShares = 4
|
||||
rc.SecretThreshold = 2
|
||||
testCore_Init_Common(t, c, conf, bc, rc)
|
||||
c, conf = testCore_NewTestCore(t, NewTestSeal(t, nil))
|
||||
bc, _ := TestSealDefConfigs()
|
||||
testCore_Init_Common(t, c, conf, bc, nil)
|
||||
}
|
||||
|
||||
func testCore_NewTestCore(t *testing.T, seal Seal) (*Core, *CoreConfig) {
|
||||
|
|
|
|||
|
|
@ -13,23 +13,24 @@ import (
|
|||
)
|
||||
|
||||
func TestCore_Rekey_Lifecycle(t *testing.T) {
|
||||
bc, rc := TestSealDefConfigs()
|
||||
bc, _ := TestSealDefConfigs()
|
||||
bc.SecretShares = 1
|
||||
bc.SecretThreshold = 1
|
||||
bc.StoredShares = 0
|
||||
c, masterKeys, recoveryKeys, _ := TestCoreUnsealedWithConfigs(t, bc, rc)
|
||||
c, masterKeys, _, _ := TestCoreUnsealedWithConfigs(t, bc, nil)
|
||||
if len(masterKeys) != 1 {
|
||||
t.Fatalf("expected %d keys, got %d", bc.SecretShares-bc.StoredShares, len(masterKeys))
|
||||
}
|
||||
testCore_Rekey_Lifecycle_Common(t, c, masterKeys, false)
|
||||
|
||||
bc, rc = TestSealDefConfigs()
|
||||
c, masterKeys, recoveryKeys, _ = TestCoreUnsealedWithConfigs(t, bc, rc)
|
||||
bc, _ = TestSealDefConfigs()
|
||||
bc.SecretShares = 3
|
||||
bc.SecretThreshold = 3
|
||||
c, masterKeys, _, _ = TestCoreUnsealedWithConfigs(t, bc, nil)
|
||||
if len(masterKeys) != 3 {
|
||||
t.Fatalf("expected %d keys, got %d", bc.SecretShares-bc.StoredShares, len(masterKeys))
|
||||
}
|
||||
testCore_Rekey_Lifecycle_Common(t, c, masterKeys, false)
|
||||
testCore_Rekey_Lifecycle_Common(t, c, recoveryKeys, true)
|
||||
}
|
||||
|
||||
func testCore_Rekey_Lifecycle_Common(t *testing.T, c *Core, masterKeys [][]byte, recovery bool) {
|
||||
|
|
@ -101,11 +102,6 @@ func testCore_Rekey_Lifecycle_Common(t *testing.T, c *Core, masterKeys [][]byte,
|
|||
func TestCore_Rekey_Init(t *testing.T) {
|
||||
c, _, _ := TestCoreUnsealed(t)
|
||||
testCore_Rekey_Init_Common(t, c, false)
|
||||
|
||||
bc, rc := TestSealDefConfigs()
|
||||
c, _, _, _ = TestCoreUnsealedWithConfigs(t, bc, rc)
|
||||
testCore_Rekey_Init_Common(t, c, false)
|
||||
testCore_Rekey_Init_Common(t, c, true)
|
||||
}
|
||||
|
||||
func testCore_Rekey_Init_Common(t *testing.T, c *Core, recovery bool) {
|
||||
|
|
@ -137,18 +133,11 @@ func testCore_Rekey_Init_Common(t *testing.T, c *Core, recovery bool) {
|
|||
}
|
||||
|
||||
func TestCore_Rekey_Update(t *testing.T) {
|
||||
bc, rc := TestSealDefConfigs()
|
||||
bc, _ := TestSealDefConfigs()
|
||||
bc.SecretShares = 1
|
||||
bc.SecretThreshold = 1
|
||||
bc.StoredShares = 0
|
||||
c, masterKeys, _, root := TestCoreUnsealedWithConfigs(t, bc, rc)
|
||||
c, masterKeys, _, root := TestCoreUnsealedWithConfigs(t, bc, nil)
|
||||
testCore_Rekey_Update_Common(t, c, masterKeys, root, false)
|
||||
|
||||
bc, rc = TestSealDefConfigs()
|
||||
bc.StoredShares = 0
|
||||
c, masterKeys, recoveryKeys, root := TestCoreUnsealedWithConfigs(t, bc, rc)
|
||||
testCore_Rekey_Update_Common(t, c, masterKeys, root, false)
|
||||
testCore_Rekey_Update_Common(t, c, recoveryKeys, root, true)
|
||||
}
|
||||
|
||||
func testCore_Rekey_Update_Common(t *testing.T, c *Core, keys [][]byte, root string, recovery bool) {
|
||||
|
|
@ -321,15 +310,12 @@ func testCore_Rekey_Update_Common(t *testing.T, c *Core, keys [][]byte, root str
|
|||
}
|
||||
|
||||
func TestCore_Rekey_Invalid(t *testing.T) {
|
||||
bc, rc := TestSealDefConfigs()
|
||||
bc, _ := TestSealDefConfigs()
|
||||
bc.StoredShares = 0
|
||||
bc.SecretShares = 1
|
||||
bc.SecretThreshold = 1
|
||||
rc.SecretShares = 1
|
||||
rc.SecretThreshold = 1
|
||||
c, masterKeys, recoveryKeys, _ := TestCoreUnsealedWithConfigs(t, bc, rc)
|
||||
c, masterKeys, _, _ := TestCoreUnsealedWithConfigs(t, bc, nil)
|
||||
testCore_Rekey_Invalid_Common(t, c, masterKeys, false)
|
||||
testCore_Rekey_Invalid_Common(t, c, recoveryKeys, true)
|
||||
}
|
||||
|
||||
func testCore_Rekey_Invalid_Common(t *testing.T, c *Core, keys [][]byte, recovery bool) {
|
||||
|
|
|
|||
|
|
@ -1,9 +1,7 @@
|
|||
package vault
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"testing"
|
||||
"github.com/mitchellh/go-testing-interface"
|
||||
)
|
||||
|
||||
var (
|
||||
|
|
@ -11,102 +9,17 @@ var (
|
|||
TestSealDefConfigs = testSealDefConfigs
|
||||
)
|
||||
|
||||
type TestSeal struct {
|
||||
defseal *DefaultSeal
|
||||
barrierKeys [][]byte
|
||||
recoveryKey []byte
|
||||
recoveryConfig *SealConfig
|
||||
storedKeysDisabled bool
|
||||
recoveryKeysDisabled bool
|
||||
type TestSealOpts struct {
|
||||
StoredKeysDisabled bool
|
||||
RecoveryKeysDisabled bool
|
||||
}
|
||||
|
||||
func newTestSeal(t *testing.T) Seal {
|
||||
return &TestSeal{}
|
||||
func NewTestSeal(t testing.T, opts *TestSealOpts) Seal {
|
||||
return &DefaultSeal{}
|
||||
}
|
||||
|
||||
func (d *TestSeal) checkCore() error {
|
||||
if d.defseal.core == nil {
|
||||
return fmt.Errorf("seal does not have a core set")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *TestSeal) SetCore(core *Core) {
|
||||
d.defseal = &DefaultSeal{}
|
||||
d.defseal.core = core
|
||||
}
|
||||
|
||||
func (d *TestSeal) Init() error {
|
||||
d.barrierKeys = [][]byte{}
|
||||
return d.defseal.Init()
|
||||
}
|
||||
|
||||
func (d *TestSeal) Finalize() error {
|
||||
return d.defseal.Finalize()
|
||||
}
|
||||
|
||||
func (d *TestSeal) BarrierType() string {
|
||||
return "shamir"
|
||||
}
|
||||
|
||||
func (d *TestSeal) StoredKeysSupported() bool {
|
||||
return !d.storedKeysDisabled
|
||||
}
|
||||
|
||||
func (d *TestSeal) RecoveryKeySupported() bool {
|
||||
return !d.recoveryKeysDisabled
|
||||
}
|
||||
|
||||
func (d *TestSeal) SetStoredKeys(keys [][]byte) error {
|
||||
d.barrierKeys = keys
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *TestSeal) GetStoredKeys() ([][]byte, error) {
|
||||
return d.barrierKeys, nil
|
||||
}
|
||||
|
||||
func (d *TestSeal) BarrierConfig() (*SealConfig, error) {
|
||||
return d.defseal.BarrierConfig()
|
||||
}
|
||||
|
||||
func (d *TestSeal) SetBarrierConfig(config *SealConfig) error {
|
||||
return d.defseal.SetBarrierConfig(config)
|
||||
}
|
||||
|
||||
func (d *TestSeal) RecoveryType() string {
|
||||
return "shamir"
|
||||
}
|
||||
|
||||
func (d *TestSeal) RecoveryConfig() (*SealConfig, error) {
|
||||
return d.recoveryConfig, nil
|
||||
}
|
||||
|
||||
func (d *TestSeal) SetRecoveryConfig(config *SealConfig) error {
|
||||
if config == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
d.recoveryConfig = config
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *TestSeal) VerifyRecoveryKey(key []byte) error {
|
||||
if bytes.Equal(d.recoveryKey, key) {
|
||||
return nil
|
||||
}
|
||||
return fmt.Errorf("not equivalent")
|
||||
}
|
||||
|
||||
func (d *TestSeal) SetRecoveryKey(key []byte) error {
|
||||
newbuf := bytes.NewBuffer(nil)
|
||||
newbuf.Write(key)
|
||||
d.recoveryKey = newbuf.Bytes()
|
||||
return nil
|
||||
}
|
||||
|
||||
func testCoreUnsealedWithConfigs(t *testing.T, barrierConf, recoveryConf *SealConfig) (*Core, [][]byte, [][]byte, string) {
|
||||
seal := &TestSeal{}
|
||||
func testCoreUnsealedWithConfigs(t testing.T, barrierConf, recoveryConf *SealConfig) (*Core, [][]byte, [][]byte, string) {
|
||||
seal := NewTestSeal(t, nil)
|
||||
core := TestCoreWithSeal(t, seal, false)
|
||||
result, err := core.Initialize(&InitParams{
|
||||
BarrierConfig: barrierConf,
|
||||
|
|
@ -140,11 +53,34 @@ func testCoreUnsealedWithConfigs(t *testing.T, barrierConf, recoveryConf *SealCo
|
|||
|
||||
func testSealDefConfigs() (*SealConfig, *SealConfig) {
|
||||
return &SealConfig{
|
||||
SecretShares: 5,
|
||||
SecretThreshold: 3,
|
||||
StoredShares: 2,
|
||||
}, &SealConfig{
|
||||
SecretShares: 5,
|
||||
SecretThreshold: 3,
|
||||
}
|
||||
SecretShares: 5,
|
||||
SecretThreshold: 3,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func TestCoreUnsealedWithConfigSealOpts(t testing.T, barrierConf, recoveryConf *SealConfig, sealOpts *TestSealOpts) (*Core, [][]byte, [][]byte, string) {
|
||||
seal := NewTestSeal(t, sealOpts)
|
||||
core := TestCoreWithSeal(t, seal, false)
|
||||
result, err := core.Initialize(&InitParams{
|
||||
BarrierConfig: barrierConf,
|
||||
RecoveryConfig: recoveryConf,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
for _, key := range result.SecretShares {
|
||||
if _, err := core.Unseal(TestKeyCopy(key)); err != nil {
|
||||
t.Fatalf("unseal err: %s", err)
|
||||
}
|
||||
}
|
||||
|
||||
sealed, err := core.Sealed()
|
||||
if err != nil {
|
||||
t.Fatalf("err checking seal status: %s", err)
|
||||
}
|
||||
if sealed {
|
||||
t.Fatal("should not be sealed")
|
||||
}
|
||||
|
||||
return core, result.SecretShares, result.RecoveryShares, result.RootToken
|
||||
}
|
||||
|
|
|
|||
|
|
@ -97,7 +97,8 @@ func TestCoreRaw(t testing.T) *Core {
|
|||
// TestCoreNewSeal returns a pure in-memory, uninitialized core with
|
||||
// the new seal configuration.
|
||||
func TestCoreNewSeal(t testing.T) *Core {
|
||||
return TestCoreWithSeal(t, &TestSeal{}, false)
|
||||
seal := NewTestSeal(t, nil)
|
||||
return TestCoreWithSeal(t, seal, false)
|
||||
}
|
||||
|
||||
// TestCoreWithSeal returns a pure in-memory, uninitialized core with the
|
||||
|
|
@ -249,7 +250,7 @@ func testCoreUnsealed(t testing.T, core *Core) (*Core, [][]byte, string) {
|
|||
func TestCoreUnsealedBackend(t testing.T, backend physical.Backend) (*Core, [][]byte, string) {
|
||||
logger := logformat.NewVaultLogger(log.LevelTrace)
|
||||
conf := testCoreConfig(t, backend, logger)
|
||||
conf.Seal = &TestSeal{}
|
||||
conf.Seal = NewTestSeal(t, nil)
|
||||
|
||||
core, err := NewCore(conf)
|
||||
if err != nil {
|
||||
|
|
|
|||
Loading…
Reference in New Issue