9d73c81f38
* disable raw endpoint by default * adding docs * config option raw -> raw_storage_endpoint * docs updates * adding listing on raw endpoint * reworking tests for enabled raw endpoints * root protecting base raw endpoint
151 lines
3 KiB
Go
151 lines
3 KiB
Go
package vault
|
|
|
|
import (
|
|
"bytes"
|
|
"fmt"
|
|
"testing"
|
|
)
|
|
|
|
var (
|
|
TestCoreUnsealedWithConfigs = testCoreUnsealedWithConfigs
|
|
TestSealDefConfigs = testSealDefConfigs
|
|
)
|
|
|
|
type TestSeal struct {
|
|
defseal *DefaultSeal
|
|
barrierKeys [][]byte
|
|
recoveryKey []byte
|
|
recoveryConfig *SealConfig
|
|
storedKeysDisabled bool
|
|
recoveryKeysDisabled bool
|
|
}
|
|
|
|
func newTestSeal(t *testing.T) Seal {
|
|
return &TestSeal{}
|
|
}
|
|
|
|
func (d *TestSeal) checkCore() error {
|
|
if d.defseal.core == nil {
|
|
return fmt.Errorf("seal does not have a core set")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (d *TestSeal) SetCore(core *Core) {
|
|
d.defseal = &DefaultSeal{}
|
|
d.defseal.core = core
|
|
}
|
|
|
|
func (d *TestSeal) Init() error {
|
|
d.barrierKeys = [][]byte{}
|
|
return d.defseal.Init()
|
|
}
|
|
|
|
func (d *TestSeal) Finalize() error {
|
|
return d.defseal.Finalize()
|
|
}
|
|
|
|
func (d *TestSeal) BarrierType() string {
|
|
return "shamir"
|
|
}
|
|
|
|
func (d *TestSeal) StoredKeysSupported() bool {
|
|
return !d.storedKeysDisabled
|
|
}
|
|
|
|
func (d *TestSeal) RecoveryKeySupported() bool {
|
|
return !d.recoveryKeysDisabled
|
|
}
|
|
|
|
func (d *TestSeal) SetStoredKeys(keys [][]byte) error {
|
|
d.barrierKeys = keys
|
|
return nil
|
|
}
|
|
|
|
func (d *TestSeal) GetStoredKeys() ([][]byte, error) {
|
|
return d.barrierKeys, nil
|
|
}
|
|
|
|
func (d *TestSeal) BarrierConfig() (*SealConfig, error) {
|
|
return d.defseal.BarrierConfig()
|
|
}
|
|
|
|
func (d *TestSeal) SetBarrierConfig(config *SealConfig) error {
|
|
return d.defseal.SetBarrierConfig(config)
|
|
}
|
|
|
|
func (d *TestSeal) RecoveryType() string {
|
|
return "shamir"
|
|
}
|
|
|
|
func (d *TestSeal) RecoveryConfig() (*SealConfig, error) {
|
|
return d.recoveryConfig, nil
|
|
}
|
|
|
|
func (d *TestSeal) SetRecoveryConfig(config *SealConfig) error {
|
|
if config == nil {
|
|
return nil
|
|
}
|
|
|
|
d.recoveryConfig = config
|
|
return nil
|
|
}
|
|
|
|
func (d *TestSeal) VerifyRecoveryKey(key []byte) error {
|
|
if bytes.Equal(d.recoveryKey, key) {
|
|
return nil
|
|
}
|
|
return fmt.Errorf("not equivalent")
|
|
}
|
|
|
|
func (d *TestSeal) SetRecoveryKey(key []byte) error {
|
|
newbuf := bytes.NewBuffer(nil)
|
|
newbuf.Write(key)
|
|
d.recoveryKey = newbuf.Bytes()
|
|
return nil
|
|
}
|
|
|
|
func testCoreUnsealedWithConfigs(t *testing.T, barrierConf, recoveryConf *SealConfig) (*Core, [][]byte, [][]byte, string) {
|
|
seal := &TestSeal{}
|
|
core := TestCoreWithSeal(t, seal, false)
|
|
result, err := core.Initialize(&InitParams{
|
|
BarrierConfig: barrierConf,
|
|
RecoveryConfig: recoveryConf,
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("err: %s", err)
|
|
}
|
|
err = core.UnsealWithStoredKeys()
|
|
if err != nil {
|
|
t.Fatalf("err: %s", err)
|
|
}
|
|
if sealed, _ := core.Sealed(); sealed {
|
|
for _, key := range result.SecretShares {
|
|
if _, err := core.Unseal(TestKeyCopy(key)); err != nil {
|
|
t.Fatalf("unseal err: %s", err)
|
|
}
|
|
}
|
|
|
|
sealed, err = core.Sealed()
|
|
if err != nil {
|
|
t.Fatalf("err checking seal status: %s", err)
|
|
}
|
|
if sealed {
|
|
t.Fatal("should not be sealed")
|
|
}
|
|
}
|
|
|
|
return core, result.SecretShares, result.RecoveryShares, result.RootToken
|
|
}
|
|
|
|
func testSealDefConfigs() (*SealConfig, *SealConfig) {
|
|
return &SealConfig{
|
|
SecretShares: 5,
|
|
SecretThreshold: 3,
|
|
StoredShares: 2,
|
|
}, &SealConfig{
|
|
SecretShares: 5,
|
|
SecretThreshold: 3,
|
|
}
|
|
}
|