@@ -193,25 +193,28 @@ func WaitForReplicationState(t testing.T, c *vault.Core, state consts.Replicatio
|
||||
}
|
||||
}
|
||||
|
||||
func GetClusterAndCore(t testing.T, logger log.Logger, handlerFunc func(*vault.HandlerProperties) http.Handler) (*vault.TestCluster, *vault.TestClusterCore) {
|
||||
inm, err := inmem.NewTransactionalInmem(nil, logger)
|
||||
func ConfClusterAndCore(t testing.T, conf *vault.CoreConfig, opts *vault.TestClusterOptions) (*vault.TestCluster, *vault.TestClusterCore) {
|
||||
if conf.Physical != nil || conf.HAPhysical != nil {
|
||||
t.Fatalf("conf.Physical and conf.HAPhysical cannot be specified")
|
||||
}
|
||||
if opts.Logger == nil {
|
||||
t.Fatalf("opts.Logger must be specified")
|
||||
}
|
||||
|
||||
inm, err := inmem.NewTransactionalInmem(nil, opts.Logger)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
inmha, err := inmem.NewInmemHA(nil, logger)
|
||||
inmha, err := inmem.NewInmemHA(nil, opts.Logger)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
coreConfig := &vault.CoreConfig{
|
||||
Physical: inm,
|
||||
HAPhysical: inmha.(physical.HABackend),
|
||||
}
|
||||
coreConfig := *conf
|
||||
coreConfig.Physical = inm
|
||||
coreConfig.HAPhysical = inmha.(physical.HABackend)
|
||||
|
||||
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
||||
HandlerFunc: handlerFunc,
|
||||
Logger: logger,
|
||||
})
|
||||
cluster := vault.NewTestCluster(t, &coreConfig, opts)
|
||||
cluster.Start()
|
||||
|
||||
cores := cluster.Cores
|
||||
@@ -222,6 +225,13 @@ func GetClusterAndCore(t testing.T, logger log.Logger, handlerFunc func(*vault.H
|
||||
return cluster, core
|
||||
}
|
||||
|
||||
func GetClusterAndCore(t testing.T, logger log.Logger, handlerFunc func(*vault.HandlerProperties) http.Handler) (*vault.TestCluster, *vault.TestClusterCore) {
|
||||
return ConfClusterAndCore(t, &vault.CoreConfig{}, &vault.TestClusterOptions{
|
||||
Logger: logger,
|
||||
HandlerFunc: handlerFunc,
|
||||
})
|
||||
}
|
||||
|
||||
func GetPerfReplicatedClusters(t testing.T, handlerFunc func(*vault.HandlerProperties) http.Handler) *ReplicatedTestClusters {
|
||||
ret := &ReplicatedTestClusters{}
|
||||
|
||||
@@ -317,57 +327,58 @@ func SetupTwoClusterPerfReplication(t testing.T, perfPrimary, perfSecondary *vau
|
||||
}
|
||||
|
||||
func SetupFourClusterReplication(t testing.T, perfPrimary, perfSecondary, perfDRSecondary, perfSecondaryDRSecondary *vault.TestCluster) {
|
||||
var perfToken string
|
||||
var drToken string
|
||||
|
||||
// Setup perf-primary
|
||||
{
|
||||
// Enable performance primary
|
||||
_, err := perfPrimary.Cores[0].Client.Logical().Write("sys/replication/primary/enable", nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
WaitForReplicationState(t, perfPrimary.Cores[0].Core, consts.ReplicationPerformancePrimary)
|
||||
// get performance token
|
||||
secret, err := perfPrimary.Cores[0].Client.Logical().Write("sys/replication/primary/secondary-token", map[string]interface{}{
|
||||
"id": "perf-secondary",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
perfToken = secret.WrapInfo.Token
|
||||
|
||||
// Enable dr primary
|
||||
_, err := perfPrimary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/enable", nil)
|
||||
_, err = perfPrimary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/enable", nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
WaitForReplicationState(t, perfPrimary.Cores[0].Core, consts.ReplicationDRPrimary)
|
||||
|
||||
// Enable performance primary
|
||||
_, err = perfPrimary.Cores[0].Client.Logical().Write("sys/replication/performance/primary/enable", nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
WaitForReplicationState(t, perfPrimary.Cores[0].Core, consts.ReplicationPerformancePrimary)
|
||||
|
||||
// get dr token
|
||||
secret, err := perfPrimary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/secondary-token", map[string]interface{}{
|
||||
"id": "1",
|
||||
secret, err = perfPrimary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/secondary-token", map[string]interface{}{
|
||||
"id": "primary-dr-secondary",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
token := secret.WrapInfo.Token
|
||||
|
||||
// enable dr secondary
|
||||
secret, err = perfDRSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/secondary/enable", map[string]interface{}{
|
||||
"token": token,
|
||||
"ca_file": perfPrimary.CACertPEMFile,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
drToken = secret.WrapInfo.Token
|
||||
if drToken == "" {
|
||||
t.Fatal("empty token retrieved")
|
||||
}
|
||||
}
|
||||
|
||||
WaitForReplicationState(t, perfDRSecondary.Cores[0].Core, consts.ReplicationDRSecondary)
|
||||
perfDRSecondary.BarrierKeys = perfPrimary.BarrierKeys
|
||||
EnsureCoresUnsealed(t, perfDRSecondary)
|
||||
|
||||
// get performance token
|
||||
secret, err = perfPrimary.Cores[0].Client.Logical().Write("sys/replication/performance/primary/secondary-token", map[string]interface{}{
|
||||
"id": "1",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
token = secret.WrapInfo.Token
|
||||
WaitForActiveNode(t, perfPrimary)
|
||||
|
||||
// Setup perf-secondary
|
||||
var perfSecondaryRootToken string
|
||||
var perfSecondaryDRToken string
|
||||
{
|
||||
// enable performace secondary
|
||||
secret, err = perfSecondary.Cores[0].Client.Logical().Write("sys/replication/performance/secondary/enable", map[string]interface{}{
|
||||
"token": token,
|
||||
_, err := perfSecondary.Cores[0].Client.Logical().Write("sys/replication/secondary/enable", map[string]interface{}{
|
||||
"token": perfToken,
|
||||
"ca_file": perfPrimary.CACertPEMFile,
|
||||
})
|
||||
if err != nil {
|
||||
@@ -375,14 +386,14 @@ func SetupFourClusterReplication(t testing.T, perfPrimary, perfSecondary, perfDR
|
||||
}
|
||||
|
||||
WaitForReplicationState(t, perfSecondary.Cores[0].Core, consts.ReplicationPerformanceSecondary)
|
||||
time.Sleep(time.Second * 3)
|
||||
perfSecondary.BarrierKeys = perfPrimary.BarrierKeys
|
||||
|
||||
// We want to make sure we unseal all the nodes so we first need to wait
|
||||
// until two of the nodes seal due to the poison pill being written
|
||||
WaitForNCoresSealed(t, perfSecondary, 2)
|
||||
EnsureCoresUnsealed(t, perfSecondary)
|
||||
rootToken := GenerateRoot(t, perfSecondary, false)
|
||||
for _, core := range perfSecondary.Cores {
|
||||
core.Client.SetToken(rootToken)
|
||||
}
|
||||
perfSecondaryRootToken = GenerateRoot(t, perfSecondary, false)
|
||||
perfSecondary.Cores[0].Client.SetToken(perfSecondaryRootToken)
|
||||
|
||||
// Enable dr primary on perf secondary
|
||||
_, err = perfSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/enable", nil)
|
||||
@@ -393,18 +404,49 @@ func SetupFourClusterReplication(t testing.T, perfPrimary, perfSecondary, perfDR
|
||||
WaitForReplicationState(t, perfSecondary.Cores[0].Core, consts.ReplicationDRPrimary)
|
||||
|
||||
// get dr token from perf secondary
|
||||
secret, err = perfSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/secondary-token", map[string]interface{}{
|
||||
"id": "1",
|
||||
secret, err := perfSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/primary/secondary-token", map[string]interface{}{
|
||||
"id": "secondary-dr-secondary",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
token = secret.WrapInfo.Token
|
||||
perfSecondaryDRToken = secret.WrapInfo.Token
|
||||
if perfSecondaryDRToken == "" {
|
||||
t.Fatal("empty token retrieved")
|
||||
}
|
||||
}
|
||||
|
||||
WaitForActiveNode(t, perfSecondary)
|
||||
// Setup pref-primary's dr secondary using "drToken"
|
||||
{
|
||||
// enable dr secondary
|
||||
secret, err = perfSecondaryDRSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/secondary/enable", map[string]interface{}{
|
||||
"token": token,
|
||||
_, err := perfDRSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/secondary/enable", map[string]interface{}{
|
||||
"token": drToken,
|
||||
"ca_file": perfPrimary.CACertPEMFile,
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
WaitForReplicationState(t, perfDRSecondary.Cores[0].Core, consts.ReplicationDRSecondary)
|
||||
perfDRSecondary.BarrierKeys = perfPrimary.BarrierKeys
|
||||
|
||||
// We want to make sure we unseal all the nodes so we first need to wait
|
||||
// until two of the nodes seal due to the poison pill being written
|
||||
WaitForNCoresSealed(t, perfDRSecondary, 2)
|
||||
EnsureCoresUnsealed(t, perfDRSecondary)
|
||||
|
||||
perfDRSecondary.Cores[0].Client.SetToken(perfPrimary.Cores[0].Client.Token())
|
||||
}
|
||||
|
||||
WaitForActiveNode(t, perfDRSecondary)
|
||||
time.Sleep(1 * time.Second)
|
||||
// Setup pref-primary's dr secondary using "perfSecondaryDRToken"
|
||||
{
|
||||
// enable dr secondary
|
||||
_, err := perfSecondaryDRSecondary.Cores[0].Client.Logical().Write("sys/replication/dr/secondary/enable", map[string]interface{}{
|
||||
"token": perfSecondaryDRToken,
|
||||
"ca_file": perfSecondary.CACertPEMFile,
|
||||
})
|
||||
if err != nil {
|
||||
@@ -413,10 +455,16 @@ func SetupFourClusterReplication(t testing.T, perfPrimary, perfSecondary, perfDR
|
||||
|
||||
WaitForReplicationState(t, perfSecondaryDRSecondary.Cores[0].Core, consts.ReplicationDRSecondary)
|
||||
perfSecondaryDRSecondary.BarrierKeys = perfPrimary.BarrierKeys
|
||||
|
||||
// We want to make sure we unseal all the nodes so we first need to wait
|
||||
// until two of the nodes seal due to the poison pill being written
|
||||
WaitForNCoresSealed(t, perfSecondaryDRSecondary, 2)
|
||||
EnsureCoresUnsealed(t, perfSecondaryDRSecondary)
|
||||
|
||||
perfDRSecondary.Cores[0].Client.SetToken(perfPrimary.Cores[0].Client.Token())
|
||||
perfSecondaryDRSecondary.Cores[0].Client.SetToken(rootToken)
|
||||
perfSecondaryDRSecondary.Cores[0].Client.SetToken(perfSecondaryRootToken)
|
||||
}
|
||||
|
||||
WaitForActiveNode(t, perfSecondaryDRSecondary)
|
||||
}
|
||||
|
||||
func DeriveActiveCore(t testing.T, cluster *vault.TestCluster) *vault.TestClusterCore {
|
||||
|
||||
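Review bot: `perfToken = secret.WrapInfo.Token` in the perf-primary block of SetupFourClusterReplication takes the token with no check that `secret` and `secret.WrapInfo` are non-nil or that the token is non-empty, whereas the `drToken` and `perfSecondaryDRToken` paths in the same function fail with `empty token retrieved`; a nil response here panics instead of reporting a test failure. Apply the same guard after the assignment, `if secret == nil || secret.WrapInfo == nil || secret.WrapInfo.Token == "" { t.Fatal("empty token retrieved") }`, and the nil part of that guard would make the two existing `drToken`/`perfSecondaryDRToken` checks panic-safe too. In the first hunk, `ConfClusterAndCore` dereferences `conf` and `opts` before the `opts.Logger == nil` check, so a nil `conf` or `opts` panics rather than reaching `t.Fatalf`; a leading `if conf == nil || opts == nil { t.Fatalf("conf and opts must be specified") }` keeps the failure mode consistent. SetupFourClusterReplication's body continues outside the visible hunks.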
@@ -47,12 +47,14 @@ rm -rf pkg/*
|
||||
mkdir -p bin/
|
||||
|
||||
# Build!
|
||||
# If GOX_PARALLEL_BUILDS is set, it will be used to add a "-parallel=${GOX_PARALLEL_BUILDS}" gox parameter
|
||||
echo "==> Building..."
|
||||
gox \
|
||||
-osarch="${XC_OSARCH}" \
|
||||
-gcflags "${GCFLAGS}" \
|
||||
-ldflags "${LD_FLAGS}-X github.com/hashicorp/vault/version.GitCommit='${GIT_COMMIT}${GIT_DIRTY}'" \
|
||||
-output "pkg/{{.OS}}_{{.Arch}}/vault" \
|
||||
${GOX_PARALLEL_BUILDS+-parallel="${GOX_PARALLEL_BUILDS}"} \
|
||||
-tags="${BUILD_TAGS}" \
|
||||
.
|
||||
|
||||
|
||||
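Review bot: `${GOX_PARALLEL_BUILDS+-parallel="${GOX_PARALLEL_BUILDS}"}` expands whenever the variable is set, including set-but-empty, so an exported blank `GOX_PARALLEL_BUILDS=` passes a bare `-parallel=` to gox and the build fails on flag parsing instead of falling back to the default. The `:+` form treats empty as unset: `${GOX_PARALLEL_BUILDS:+-parallel="${GOX_PARALLEL_BUILDS}"} \`. The comment above the gox invocation should also state that the value must be a positive integer, since nothing in the script validates it before it reaches gox.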
@@ -2134,7 +2134,7 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
|
||||
}
|
||||
|
||||
if !isSudo {
|
||||
return logical.ErrorResponse("root or sudo privileges required generate a namespace admin token"), logical.ErrInvalidRequest
|
||||
return logical.ErrorResponse("root or sudo privileges required to directly generate a token in a child namespace"), logical.ErrInvalidRequest
|
||||
}
|
||||
|
||||
if strutil.StrListContains(data.Policies, "root") {
|
||||
|
||||
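Review bot: The reworded message is clearer, but the failure on the `if !isSudo` branch is still returned as `logical.ErrInvalidRequest`, so a caller lacking root or sudo gets an invalid-request response for what is an authorization failure; `logical.ErrPermissionDenied` would make that distinction visible to clients and to anyone filtering audit logs on permission denials. If the neighbouring privilege checks in handleCreateCommon (outside the hunk) also return `ErrInvalidRequest`, change them together rather than this line alone so the store stays consistent. handleCreateCommon starts and ends outside the hunk.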