open-vault/vault/seal_testing.go

151 lines
3.0 KiB
Go

package vault
import (
"bytes"
"fmt"
"testing"
)
var (
TestCoreUnsealedWithConfigs = testCoreUnsealedWithConfigs
TestSealDefConfigs = testSealDefConfigs
)
type TestSeal struct {
defseal *DefaultSeal
barrierKeys [][]byte
recoveryKey []byte
recoveryConfig *SealConfig
storedKeysDisabled bool
recoveryKeysDisabled bool
}
func newTestSeal(t *testing.T) Seal {
return &TestSeal{}
}
func (d *TestSeal) checkCore() error {
if d.defseal.core == nil {
return fmt.Errorf("seal does not have a core set")
}
return nil
}
func (d *TestSeal) SetCore(core *Core) {
d.defseal = &DefaultSeal{}
d.defseal.core = core
}
func (d *TestSeal) Init() error {
d.barrierKeys = [][]byte{}
return d.defseal.Init()
}
func (d *TestSeal) Finalize() error {
return d.defseal.Finalize()
}
func (d *TestSeal) BarrierType() string {
return "shamir"
}
func (d *TestSeal) StoredKeysSupported() bool {
return !d.storedKeysDisabled
}
func (d *TestSeal) RecoveryKeySupported() bool {
return !d.recoveryKeysDisabled
}
func (d *TestSeal) SetStoredKeys(keys [][]byte) error {
d.barrierKeys = keys
return nil
}
func (d *TestSeal) GetStoredKeys() ([][]byte, error) {
return d.barrierKeys, nil
}
func (d *TestSeal) BarrierConfig() (*SealConfig, error) {
return d.defseal.BarrierConfig()
}
func (d *TestSeal) SetBarrierConfig(config *SealConfig) error {
return d.defseal.SetBarrierConfig(config)
}
func (d *TestSeal) RecoveryType() string {
return "shamir"
}
func (d *TestSeal) RecoveryConfig() (*SealConfig, error) {
return d.recoveryConfig, nil
}
func (d *TestSeal) SetRecoveryConfig(config *SealConfig) error {
if config == nil {
return nil
}
d.recoveryConfig = config
return nil
}
func (d *TestSeal) VerifyRecoveryKey(key []byte) error {
if bytes.Equal(d.recoveryKey, key) {
return nil
}
return fmt.Errorf("not equivalent")
}
func (d *TestSeal) SetRecoveryKey(key []byte) error {
newbuf := bytes.NewBuffer(nil)
newbuf.Write(key)
d.recoveryKey = newbuf.Bytes()
return nil
}
func testCoreUnsealedWithConfigs(t *testing.T, barrierConf, recoveryConf *SealConfig) (*Core, [][]byte, [][]byte, string) {
seal := &TestSeal{}
core := TestCoreWithSeal(t, seal)
result, err := core.Initialize(&InitParams{
BarrierConfig: barrierConf,
RecoveryConfig: recoveryConf,
})
if err != nil {
t.Fatalf("err: %s", err)
}
err = core.UnsealWithStoredKeys()
if err != nil {
t.Fatalf("err: %s", err)
}
if sealed, _ := core.Sealed(); sealed {
for _, key := range result.SecretShares {
if _, err := core.Unseal(TestKeyCopy(key)); err != nil {
t.Fatalf("unseal err: %s", err)
}
}
sealed, err = core.Sealed()
if err != nil {
t.Fatalf("err checking seal status: %s", err)
}
if sealed {
t.Fatal("should not be sealed")
}
}
return core, result.SecretShares, result.RecoveryShares, result.RootToken
}
func testSealDefConfigs() (*SealConfig, *SealConfig) {
return &SealConfig{
SecretShares: 5,
SecretThreshold: 3,
StoredShares: 2,
}, &SealConfig{
SecretShares: 5,
SecretThreshold: 3,
}
}