open-vault/vault/seal/seal_testing.go
Jeff Mitchell a83ed04730 Add ability to migrate autoseal to autoseal (#5930)
* Add ability to migrate autoseal to autoseal

This adds the ability to migrate from shamir to autoseal, autoseal to
shamir, or autoseal to autoseal, by allowing multiple seal stanzas. A
disabled stanza will be used as the config being migrated from; this can
also be used to provide an unwrap seal on ent over multiple unseals.

A new test is added to ensure that autoseal to autoseal works as
expected.

* Fix test

* Provide default shamir info if not given in config

* Linting feedback

* Remove context var that isn't used

* Don't run auto unseal watcher when in migration, and move SetCores to SetSealsForMigration func

* Slight logic cleanup

* Fix test build and fix bug

* Updates

* remove GetRecoveryKey function
2019-03-04 14:11:56 -08:00

84 lines
1.5 KiB
Go

package seal
import (
"context"
"github.com/hashicorp/vault/helper/xor"
"github.com/hashicorp/vault/physical"
)
type TestSeal struct {
Type string
secret []byte
}
var _ Access = (*TestSeal)(nil)
func NewTestSeal(secret []byte) *TestSeal {
return &TestSeal{
Type: Test,
secret: secret,
}
}
func (s *TestSeal) Init(_ context.Context) error {
return nil
}
func (t *TestSeal) Finalize(_ context.Context) error {
return nil
}
func (t *TestSeal) SealType() string {
return t.Type
}
func (t *TestSeal) KeyID() string {
return "static-key"
}
func (t *TestSeal) Encrypt(_ context.Context, plaintext []byte) (*physical.EncryptedBlobInfo, error) {
ct, err := t.obscureBytes(plaintext)
if err != nil {
return nil, err
}
return &physical.EncryptedBlobInfo{
Ciphertext: ct,
KeyInfo: &physical.SealKeyInfo{
KeyID: t.KeyID(),
},
}, nil
}
func (t *TestSeal) Decrypt(_ context.Context, dwi *physical.EncryptedBlobInfo) ([]byte, error) {
return t.obscureBytes(dwi.Ciphertext)
}
// obscureBytes is a helper to simulate "encryption/decryption"
// on protected values.
func (t *TestSeal) obscureBytes(in []byte) ([]byte, error) {
out := make([]byte, len(in))
if len(t.secret) != 0 {
// make sure they are the same length
localSecret := make([]byte, len(in))
copy(localSecret, t.secret)
var err error
out, err = xor.XORBytes(in, localSecret)
if err != nil {
return nil, err
}
} else {
// if there is no secret, simply reverse the string
for i := 0; i < len(in); i++ {
out[i] = in[len(in)-1-i]
}
}
return out, nil
}