mirror of
https://github.com/optim-enterprises-bv/vault.git
synced 2025-11-02 03:27:54 +00:00
The big one (#5346)
This commit is contained in:
Jeff Mitchell
@@ -29,134 +29,140 @@ func TestSysRekey_Init_pgpKeysEntriesForRekey(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestSysRekey_Init_Status(t *testing.T) {
|
||||
core, _, token := vault.TestCoreUnsealed(t)
|
||||
ln, addr := TestServer(t, core)
|
||||
defer ln.Close()
|
||||
TestServerAuth(t, addr, token)
|
||||
t.Run("status-barrier-default", func(t *testing.T) {
|
||||
core, _, token := vault.TestCoreUnsealed(t)
|
||||
ln, addr := TestServer(t, core)
|
||||
defer ln.Close()
|
||||
TestServerAuth(t, addr, token)
|
||||
|
||||
resp, err := http.Get(addr + "/v1/sys/rekey/init")
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
resp, err := http.Get(addr + "/v1/sys/rekey/init")
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
|
||||
var actual map[string]interface{}
|
||||
expected := map[string]interface{}{
|
||||
"started": false,
|
||||
"t": json.Number("0"),
|
||||
"n": json.Number("0"),
|
||||
"progress": json.Number("0"),
|
||||
"required": json.Number("3"),
|
||||
"pgp_fingerprints": interface{}(nil),
|
||||
"backup": false,
|
||||
"nonce": "",
|
||||
"verification_required": false,
|
||||
}
|
||||
testResponseStatus(t, resp, 200)
|
||||
testResponseBody(t, resp, &actual)
|
||||
if !reflect.DeepEqual(actual, expected) {
|
||||
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
|
||||
}
|
||||
var actual map[string]interface{}
|
||||
expected := map[string]interface{}{
|
||||
"started": false,
|
||||
"t": json.Number("0"),
|
||||
"n": json.Number("0"),
|
||||
"progress": json.Number("0"),
|
||||
"required": json.Number("3"),
|
||||
"pgp_fingerprints": interface{}(nil),
|
||||
"backup": false,
|
||||
"nonce": "",
|
||||
"verification_required": false,
|
||||
}
|
||||
testResponseStatus(t, resp, 200)
|
||||
testResponseBody(t, resp, &actual)
|
||||
if !reflect.DeepEqual(actual, expected) {
|
||||
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
func TestSysRekey_Init_Setup(t *testing.T) {
|
||||
core, _, token := vault.TestCoreUnsealed(t)
|
||||
ln, addr := TestServer(t, core)
|
||||
defer ln.Close()
|
||||
TestServerAuth(t, addr, token)
|
||||
t.Run("init-barrier-barrier-key", func(t *testing.T) {
|
||||
core, _, token := vault.TestCoreUnsealed(t)
|
||||
ln, addr := TestServer(t, core)
|
||||
defer ln.Close()
|
||||
TestServerAuth(t, addr, token)
|
||||
|
||||
// Start rekey
|
||||
resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{
|
||||
"secret_shares": 5,
|
||||
"secret_threshold": 3,
|
||||
// Start rekey
|
||||
resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{
|
||||
"secret_shares": 5,
|
||||
"secret_threshold": 3,
|
||||
})
|
||||
testResponseStatus(t, resp, 200)
|
||||
|
||||
var actual map[string]interface{}
|
||||
expected := map[string]interface{}{
|
||||
"started": true,
|
||||
"t": json.Number("3"),
|
||||
"n": json.Number("5"),
|
||||
"progress": json.Number("0"),
|
||||
"required": json.Number("3"),
|
||||
"pgp_fingerprints": interface{}(nil),
|
||||
"backup": false,
|
||||
"verification_required": false,
|
||||
}
|
||||
testResponseStatus(t, resp, 200)
|
||||
testResponseBody(t, resp, &actual)
|
||||
if actual["nonce"].(string) == "" {
|
||||
t.Fatalf("nonce was empty")
|
||||
}
|
||||
expected["nonce"] = actual["nonce"]
|
||||
if diff := deep.Equal(actual, expected); diff != nil {
|
||||
t.Fatal(diff)
|
||||
}
|
||||
|
||||
// Get rekey status
|
||||
resp = testHttpGet(t, token, addr+"/v1/sys/rekey/init")
|
||||
|
||||
actual = map[string]interface{}{}
|
||||
expected = map[string]interface{}{
|
||||
"started": true,
|
||||
"t": json.Number("3"),
|
||||
"n": json.Number("5"),
|
||||
"progress": json.Number("0"),
|
||||
"required": json.Number("3"),
|
||||
"pgp_fingerprints": interface{}(nil),
|
||||
"backup": false,
|
||||
"verification_required": false,
|
||||
}
|
||||
testResponseStatus(t, resp, 200)
|
||||
testResponseBody(t, resp, &actual)
|
||||
if actual["nonce"].(string) == "" {
|
||||
t.Fatalf("nonce was empty")
|
||||
}
|
||||
if actual["nonce"].(string) == "" {
|
||||
t.Fatalf("nonce was empty")
|
||||
}
|
||||
expected["nonce"] = actual["nonce"]
|
||||
if !reflect.DeepEqual(actual, expected) {
|
||||
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
|
||||
}
|
||||
})
|
||||
testResponseStatus(t, resp, 200)
|
||||
|
||||
var actual map[string]interface{}
|
||||
expected := map[string]interface{}{
|
||||
"started": true,
|
||||
"t": json.Number("3"),
|
||||
"n": json.Number("5"),
|
||||
"progress": json.Number("0"),
|
||||
"required": json.Number("3"),
|
||||
"pgp_fingerprints": interface{}(nil),
|
||||
"backup": false,
|
||||
"verification_required": false,
|
||||
}
|
||||
testResponseStatus(t, resp, 200)
|
||||
testResponseBody(t, resp, &actual)
|
||||
if actual["nonce"].(string) == "" {
|
||||
t.Fatalf("nonce was empty")
|
||||
}
|
||||
expected["nonce"] = actual["nonce"]
|
||||
if !reflect.DeepEqual(actual, expected) {
|
||||
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
|
||||
}
|
||||
|
||||
// Get rekey status
|
||||
resp = testHttpGet(t, token, addr+"/v1/sys/rekey/init")
|
||||
|
||||
actual = map[string]interface{}{}
|
||||
expected = map[string]interface{}{
|
||||
"started": true,
|
||||
"t": json.Number("3"),
|
||||
"n": json.Number("5"),
|
||||
"progress": json.Number("0"),
|
||||
"required": json.Number("3"),
|
||||
"pgp_fingerprints": interface{}(nil),
|
||||
"backup": false,
|
||||
"verification_required": false,
|
||||
}
|
||||
testResponseStatus(t, resp, 200)
|
||||
testResponseBody(t, resp, &actual)
|
||||
if actual["nonce"].(string) == "" {
|
||||
t.Fatalf("nonce was empty")
|
||||
}
|
||||
if actual["nonce"].(string) == "" {
|
||||
t.Fatalf("nonce was empty")
|
||||
}
|
||||
expected["nonce"] = actual["nonce"]
|
||||
if !reflect.DeepEqual(actual, expected) {
|
||||
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSysRekey_Init_Cancel(t *testing.T) {
|
||||
core, _, token := vault.TestCoreUnsealed(t)
|
||||
ln, addr := TestServer(t, core)
|
||||
defer ln.Close()
|
||||
TestServerAuth(t, addr, token)
|
||||
t.Run("cancel-barrier-barrier-key", func(t *testing.T) {
|
||||
core, _, token := vault.TestCoreUnsealed(t)
|
||||
ln, addr := TestServer(t, core)
|
||||
defer ln.Close()
|
||||
TestServerAuth(t, addr, token)
|
||||
|
||||
resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{
|
||||
"secret_shares": 5,
|
||||
"secret_threshold": 3,
|
||||
resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{
|
||||
"secret_shares": 5,
|
||||
"secret_threshold": 3,
|
||||
})
|
||||
testResponseStatus(t, resp, 200)
|
||||
|
||||
resp = testHttpDelete(t, token, addr+"/v1/sys/rekey/init")
|
||||
testResponseStatus(t, resp, 204)
|
||||
|
||||
resp, err := http.Get(addr + "/v1/sys/rekey/init")
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
|
||||
var actual map[string]interface{}
|
||||
expected := map[string]interface{}{
|
||||
"started": false,
|
||||
"t": json.Number("0"),
|
||||
"n": json.Number("0"),
|
||||
"progress": json.Number("0"),
|
||||
"required": json.Number("3"),
|
||||
"pgp_fingerprints": interface{}(nil),
|
||||
"backup": false,
|
||||
"nonce": "",
|
||||
"verification_required": false,
|
||||
}
|
||||
testResponseStatus(t, resp, 200)
|
||||
testResponseBody(t, resp, &actual)
|
||||
if !reflect.DeepEqual(actual, expected) {
|
||||
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
|
||||
}
|
||||
})
|
||||
testResponseStatus(t, resp, 200)
|
||||
|
||||
resp = testHttpDelete(t, token, addr+"/v1/sys/rekey/init")
|
||||
testResponseStatus(t, resp, 204)
|
||||
|
||||
resp, err := http.Get(addr + "/v1/sys/rekey/init")
|
||||
if err != nil {
|
||||
t.Fatalf("err: %s", err)
|
||||
}
|
||||
|
||||
var actual map[string]interface{}
|
||||
expected := map[string]interface{}{
|
||||
"started": false,
|
||||
"t": json.Number("0"),
|
||||
"n": json.Number("0"),
|
||||
"progress": json.Number("0"),
|
||||
"required": json.Number("3"),
|
||||
"pgp_fingerprints": interface{}(nil),
|
||||
"backup": false,
|
||||
"nonce": "",
|
||||
"verification_required": false,
|
||||
}
|
||||
testResponseStatus(t, resp, 200)
|
||||
testResponseBody(t, resp, &actual)
|
||||
if !reflect.DeepEqual(actual, expected) {
|
||||
t.Fatalf("\nexpected: %#v\nactual: %#v", expected, actual)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSysRekey_badKey(t *testing.T) {
|
||||
@@ -172,71 +178,73 @@ func TestSysRekey_badKey(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestSysRekey_Update(t *testing.T) {
|
||||
core, keys, token := vault.TestCoreUnsealed(t)
|
||||
ln, addr := TestServer(t, core)
|
||||
defer ln.Close()
|
||||
TestServerAuth(t, addr, token)
|
||||
t.Run("rekey-barrier-barrier-key", func(t *testing.T) {
|
||||
core, keys, token := vault.TestCoreUnsealed(t)
|
||||
ln, addr := TestServer(t, core)
|
||||
defer ln.Close()
|
||||
TestServerAuth(t, addr, token)
|
||||
|
||||
resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{
|
||||
"secret_shares": 5,
|
||||
"secret_threshold": 3,
|
||||
})
|
||||
var rekeyStatus map[string]interface{}
|
||||
testResponseStatus(t, resp, 200)
|
||||
testResponseBody(t, resp, &rekeyStatus)
|
||||
|
||||
var actual map[string]interface{}
|
||||
var expected map[string]interface{}
|
||||
|
||||
for i, key := range keys {
|
||||
resp = testHttpPut(t, token, addr+"/v1/sys/rekey/update", map[string]interface{}{
|
||||
"nonce": rekeyStatus["nonce"].(string),
|
||||
"key": hex.EncodeToString(key),
|
||||
resp := testHttpPut(t, token, addr+"/v1/sys/rekey/init", map[string]interface{}{
|
||||
"secret_shares": 5,
|
||||
"secret_threshold": 3,
|
||||
})
|
||||
|
||||
actual = map[string]interface{}{}
|
||||
expected = map[string]interface{}{
|
||||
"started": true,
|
||||
"nonce": rekeyStatus["nonce"].(string),
|
||||
"backup": false,
|
||||
"pgp_fingerprints": interface{}(nil),
|
||||
"required": json.Number("3"),
|
||||
"t": json.Number("3"),
|
||||
"n": json.Number("5"),
|
||||
"progress": json.Number(fmt.Sprintf("%d", i+1)),
|
||||
"verification_required": false,
|
||||
}
|
||||
var rekeyStatus map[string]interface{}
|
||||
testResponseStatus(t, resp, 200)
|
||||
testResponseBody(t, resp, &actual)
|
||||
testResponseBody(t, resp, &rekeyStatus)
|
||||
|
||||
if i+1 == len(keys) {
|
||||
delete(expected, "started")
|
||||
delete(expected, "required")
|
||||
delete(expected, "t")
|
||||
delete(expected, "n")
|
||||
delete(expected, "progress")
|
||||
expected["complete"] = true
|
||||
expected["keys"] = actual["keys"]
|
||||
expected["keys_base64"] = actual["keys_base64"]
|
||||
var actual map[string]interface{}
|
||||
var expected map[string]interface{}
|
||||
|
||||
for i, key := range keys {
|
||||
resp = testHttpPut(t, token, addr+"/v1/sys/rekey/update", map[string]interface{}{
|
||||
"nonce": rekeyStatus["nonce"].(string),
|
||||
"key": hex.EncodeToString(key),
|
||||
})
|
||||
|
||||
actual = map[string]interface{}{}
|
||||
expected = map[string]interface{}{
|
||||
"started": true,
|
||||
"nonce": rekeyStatus["nonce"].(string),
|
||||
"backup": false,
|
||||
"pgp_fingerprints": interface{}(nil),
|
||||
"required": json.Number("3"),
|
||||
"t": json.Number("3"),
|
||||
"n": json.Number("5"),
|
||||
"progress": json.Number(fmt.Sprintf("%d", i+1)),
|
||||
"verification_required": false,
|
||||
}
|
||||
testResponseStatus(t, resp, 200)
|
||||
testResponseBody(t, resp, &actual)
|
||||
|
||||
if i+1 == len(keys) {
|
||||
delete(expected, "started")
|
||||
delete(expected, "required")
|
||||
delete(expected, "t")
|
||||
delete(expected, "n")
|
||||
delete(expected, "progress")
|
||||
expected["complete"] = true
|
||||
expected["keys"] = actual["keys"]
|
||||
expected["keys_base64"] = actual["keys_base64"]
|
||||
}
|
||||
|
||||
if i+1 < len(keys) && (actual["nonce"] == nil || actual["nonce"].(string) == "") {
|
||||
t.Fatalf("expected a nonce, i is %d, actual is %#v", i, actual)
|
||||
}
|
||||
|
||||
if !reflect.DeepEqual(actual, expected) {
|
||||
t.Fatalf("\nexpected: \n%#v\nactual: \n%#v", expected, actual)
|
||||
}
|
||||
}
|
||||
|
||||
if i+1 < len(keys) && (actual["nonce"] == nil || actual["nonce"].(string) == "") {
|
||||
t.Fatalf("expected a nonce, i is %d, actual is %#v", i, actual)
|
||||
retKeys := actual["keys"].([]interface{})
|
||||
if len(retKeys) != 5 {
|
||||
t.Fatalf("bad: %#v", retKeys)
|
||||
}
|
||||
|
||||
if diff := deep.Equal(actual, expected); diff != nil {
|
||||
t.Fatal(diff)
|
||||
keysB64 := actual["keys_base64"].([]interface{})
|
||||
if len(keysB64) != 5 {
|
||||
t.Fatalf("bad: %#v", keysB64)
|
||||
}
|
||||
}
|
||||
|
||||
retKeys := actual["keys"].([]interface{})
|
||||
if len(retKeys) != 5 {
|
||||
t.Fatalf("bad: %#v", retKeys)
|
||||
}
|
||||
keysB64 := actual["keys_base64"].([]interface{})
|
||||
if len(keysB64) != 5 {
|
||||
t.Fatalf("bad: %#v", keysB64)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
func TestSysRekey_ReInitUpdate(t *testing.T) {
|
||||
|
||||
Reference in New Issue
Block a user