open-vault/vault/barrier_test.go

236 lines
4.3 KiB
Go

package vault
import (
"reflect"
"testing"
)
func testBarrier(t *testing.T, b SecurityBarrier) {
// Should not be initialized
init, err := b.Initialized()
if err != nil {
t.Fatalf("err: %v", err)
}
if init {
t.Fatalf("should not be initialized")
}
// Should start sealed
sealed, err := b.Sealed()
if err != nil {
t.Fatalf("err: %v", err)
}
if !sealed {
t.Fatalf("should be sealed")
}
// Sealing should be a no-op
if err := b.Seal(); err != nil {
t.Fatalf("err: %v", err)
}
// All operations should fail
e := &Entry{Key: "test", Value: []byte("test")}
if err := b.Put(e); err != ErrBarrierSealed {
t.Fatalf("err: %v", err)
}
if _, err := b.Get("test"); err != ErrBarrierSealed {
t.Fatalf("err: %v", err)
}
if err := b.Delete("test"); err != ErrBarrierSealed {
t.Fatalf("err: %v", err)
}
if _, err := b.List(""); err != ErrBarrierSealed {
t.Fatalf("err: %v", err)
}
// Get a new key
key, err := b.GenerateKey()
if err != nil {
t.Fatalf("err: %v", err)
}
// Validate minimum key length
min, max := b.KeyLength()
if min < 16 {
t.Fatalf("minimum key size too small: %d", min)
}
if max < min {
t.Fatalf("maximum key size smaller than min")
}
// Unseal should not work
if err := b.Unseal(key); err != ErrBarrierNotInit {
t.Fatalf("err: %v", err)
}
// Initialize the vault
if err := b.Initialize(key); err != nil {
t.Fatalf("err: %v", err)
}
// Double Initialize should fail
if err := b.Initialize(key); err != ErrBarrierAlreadyInit {
t.Fatalf("err: %v", err)
}
// Should be initialized
init, err = b.Initialized()
if err != nil {
t.Fatalf("err: %v", err)
}
if !init {
t.Fatalf("should be initialized")
}
// Should still be sealed
sealed, err = b.Sealed()
if err != nil {
t.Fatalf("err: %v", err)
}
if !sealed {
t.Fatalf("should sealed")
}
// Unseal should work
if err := b.Unseal(key); err != nil {
t.Fatalf("err: %v", err)
}
// Unseal should no-op when done twice
if err := b.Unseal(key); err != nil {
t.Fatalf("err: %v", err)
}
// Should no longer be sealed
sealed, err = b.Sealed()
if err != nil {
t.Fatalf("err: %v", err)
}
if sealed {
t.Fatalf("should be unsealed")
}
// Operations should work
out, err := b.Get("test")
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %v", out)
}
// List should have only "barrier/"
keys, err := b.List("")
if err != nil {
t.Fatalf("err: %v", err)
}
if len(keys) != 1 || keys[0] != "barrier/" {
t.Fatalf("bad: %v", keys)
}
// Try to write
if err := b.Put(e); err != nil {
t.Fatalf("err: %v", err)
}
// Should be equal
out, err = b.Get("test")
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, e) {
t.Fatalf("bad: %v exp: %v", out, e)
}
// List should show the items
keys, err = b.List("")
if err != nil {
t.Fatalf("err: %v", err)
}
if len(keys) != 2 {
t.Fatalf("bad: %v", keys)
}
if keys[0] != "barrier/" || keys[1] != "test" {
t.Fatalf("bad: %v", keys)
}
// Delete should clear
err = b.Delete("test")
if err != nil {
t.Fatalf("err: %v", err)
}
// Double Delete is fine
err = b.Delete("test")
if err != nil {
t.Fatalf("err: %v", err)
}
// Should be nil
out, err = b.Get("test")
if err != nil {
t.Fatalf("err: %v", err)
}
if out != nil {
t.Fatalf("bad: %v", out)
}
// List should have nothing
keys, err = b.List("")
if err != nil {
t.Fatalf("err: %v", err)
}
if len(keys) != 1 || keys[0] != "barrier/" {
t.Fatalf("bad: %v", keys)
}
// Add the item back
if err := b.Put(e); err != nil {
t.Fatalf("err: %v", err)
}
// Reseal should prevent any updates
if err := b.Seal(); err != nil {
t.Fatalf("err: %v", err)
}
// No access allowed
if _, err := b.Get("test"); err != ErrBarrierSealed {
t.Fatalf("err: %v", err)
}
// Unseal should work
if err := b.Unseal(key); err != nil {
t.Fatalf("err: %v", err)
}
// Should be equal
out, err = b.Get("test")
if err != nil {
t.Fatalf("err: %v", err)
}
if !reflect.DeepEqual(out, e) {
t.Fatalf("bad: %v exp: %v", out, e)
}
// Final cleanup
err = b.Delete("test")
if err != nil {
t.Fatalf("err: %v", err)
}
// Reseal should prevent any updates
if err := b.Seal(); err != nil {
t.Fatalf("err: %v", err)
}
// Modify the key
key[0]++
// Unseal should fail
if err := b.Unseal(key); err != ErrBarrierInvalidKey {
t.Fatalf("err: %v", err)
}
}