mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-12-02 16:11:09 +01:00
Code Issues Projects Releases Wiki Activity

More work on recovery test

Browse Source
This commit is contained in:
Jeff Mitchell 2018-05-20 18:42:14 -04:00
parent a63a0dcf05
commit d9535101c3
3 changed files with 78 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
api/sys_rekey_ext_test.go
View File

@ -1,18 +1,18 @@
package api_test package api_test
import ( import (
"context"
"encoding/base64" "encoding/base64"
"strings" "strings"
"testing" "testing"
"github.com/hashicorp/vault/api" "github.com/hashicorp/vault/api"
vaulthttp "github.com/hashicorp/vault/http" vaulthttp "github.com/hashicorp/vault/http"
"github.com/hashicorp/vault/shamir"
"github.com/hashicorp/vault/vault" "github.com/hashicorp/vault/vault"
) )
func TestSysRekey_Verification(t *testing.T) { func TestSysRekey_Verification(t *testing.T) {
testSysRekey_Verification(t, false) //testSysRekey_Verification(t, false)
testSysRekey_Verification(t, true) testSysRekey_Verification(t, true)
} }
@ -40,17 +40,19 @@ func testSysRekey_Verification(t *testing.T, recovery bool) {
verificationCancelFunc = client.Sys().RekeyRecoveryKeyVerificationCancel verificationCancelFunc = client.Sys().RekeyRecoveryKeyVerificationCancel
} }
seal, err := cluster.Cores[0].Core.SealAccess().BarrierConfig(context.Background()) sealAccess := cluster.Cores[0].Core.SealAccess()
if err != nil { sealTestingParams := &vault.SealAccessTestingParams{}
t.Fatal(err)
}
// This first block verifies that if we are using recovery keys to force a // This first block verifies that if we are using recovery keys to force a
// rekey of a stored-shares barrier that verification is not allowed since // rekey of a stored-shares barrier that verification is not allowed since
// the keys aren't returned // the keys aren't returned
if !recovery { if !recovery {
seal.PretendToAllowStoredShares = true sealTestingParams.PretendToAllowRecoveryKeys = true
seal.PretendToAllowRecoveryKeys = true sealTestingParams.PretendToAllowStoredShares = true
if err := sealAccess.SetTestingParams(sealTestingParams); err != nil {
t.Fatal(err)
}
_, err := initFunc(&api.RekeyInitRequest{ _, err := initFunc(&api.RekeyInitRequest{
StoredShares: 1, StoredShares: 1,
RequireVerification: true, RequireVerification: true,
@ -62,10 +64,21 @@ func testSysRekey_Verification(t *testing.T, recovery bool) {
t.Fatalf("unexpected error: %v", err) t.Fatalf("unexpected error: %v", err)
} }
// Now we set things back and start a normal rekey with the verification process // Now we set things back and start a normal rekey with the verification process
seal.PretendToAllowStoredShares = false sealTestingParams.PretendToAllowRecoveryKeys = false
seal.PretendToAllowRecoveryKeys = false sealTestingParams.PretendToAllowStoredShares = false
if err := sealAccess.SetTestingParams(sealTestingParams); err != nil {
t.Fatal(err)
}
} else { } else {
seal.PretendToAllowRecoveryKeys = true sealTestingParams.PretendToAllowRecoveryKeys = true
recoveryKey, err := shamir.Combine(cluster.BarrierKeys)
if err != nil {
t.Fatal(err)
}
sealTestingParams.PretendRecoveryKey = recoveryKey
if err := sealAccess.SetTestingParams(sealTestingParams); err != nil {
t.Fatal(err)
}
} }
var verificationNonce string var verificationNonce string
@ -191,6 +204,7 @@ func testSysRekey_Verification(t *testing.T, recovery bool) {
verificationNonce = vStatus.Nonce verificationNonce = vStatus.Nonce
doStartVerify() doStartVerify()
if !recovery {
// Sealing should clear state, but we never actually finished, so it should // Sealing should clear state, but we never actually finished, so it should
// still be the old keys (which are still currently set) // still be the old keys (which are still currently set)
cluster.EnsureCoresSealed(t) cluster.EnsureCoresSealed(t)
@ -199,6 +213,7 @@ func testSysRekey_Verification(t *testing.T, recovery bool) {
// Should be able to init again and get back to where we were // Should be able to init again and get back to where we were
doRekeyInitialSteps() doRekeyInitialSteps()
doStartVerify() doStartVerify()
}
// Provide the final new key // Provide the final new key
vuStatus, err := verificationUpdateFunc(newKeys[2], verificationNonce) vuStatus, err := verificationUpdateFunc(newKeys[2], verificationNonce)
@ -212,6 +227,7 @@ func testSysRekey_Verification(t *testing.T, recovery bool) {
t.Fatal("expected completion") t.Fatal("expected completion")
} }
if !recovery {
// Seal and unseal -- it should fail to unseal because the key has now been // Seal and unseal -- it should fail to unseal because the key has now been
// rotated // rotated
cluster.EnsureCoresSealed(t) cluster.EnsureCoresSealed(t)
@ -232,4 +248,5 @@ func testSysRekey_Verification(t *testing.T, recovery bool) {
if err := cluster.UnsealCoresWithError(); err != nil { if err := cluster.UnsealCoresWithError(); err != nil {
t.Fatal("expected error") t.Fatal("expected error")
} }
}
} }

4
http/sys_rekey.go
View File

@ -205,7 +205,7 @@ func handleSysRekeyUpdate(core *vault.Core, recovery bool) http.Handler {
// Use the key to make progress on rekey // Use the key to make progress on rekey
result, rekeyErr := core.RekeyUpdate(ctx, key, req.Nonce, recovery) result, rekeyErr := core.RekeyUpdate(ctx, key, req.Nonce, recovery)
if rekeyErr != nil { if rekeyErr != nil {
respondError(w, rekeyErr.Code(), err) respondError(w, rekeyErr.Code(), rekeyErr)
return return
} }
@ -356,7 +356,7 @@ func handleSysRekeyVerifyPut(ctx context.Context, core *vault.Core, recovery boo
// Use the key to make progress on rekey // Use the key to make progress on rekey
result, rekeyErr := core.RekeyVerify(ctx, key, req.Nonce, recovery) result, rekeyErr := core.RekeyVerify(ctx, key, req.Nonce, recovery)
if rekeyErr != nil { if rekeyErr != nil {
respondError(w, rekeyErr.Code(), err) respondError(w, rekeyErr.Code(), rekeyErr)
return return
} }

24
vault/seal_access.go
View File

@ -1,6 +1,9 @@
package vault package vault
import "context" import (
"context"
"fmt"
)
// SealAccess is a wrapper around Seal that exposes accessor methods // SealAccess is a wrapper around Seal that exposes accessor methods
// through Core.SealAccess() while restricting the ability to modify // through Core.SealAccess() while restricting the ability to modify
@ -39,3 +42,22 @@ func (s *SealAccess) ClearCaches(ctx context.Context) {
s.seal.SetRecoveryConfig(ctx, nil) s.seal.SetRecoveryConfig(ctx, nil)
} }
} }
type SealAccessTestingParams struct {
PretendToAllowStoredShares bool
PretendToAllowRecoveryKeys bool
PretendRecoveryKey []byte
}
func (s *SealAccess) SetTestingParams(params *SealAccessTestingParams) error {
d, ok := s.seal.(*defaultSeal)
if !ok {
return fmt.Errorf("not a defaultseal")
}
d.PretendToAllowRecoveryKeys = params.PretendToAllowRecoveryKeys
d.PretendToAllowStoredShares = params.PretendToAllowStoredShares
if params.PretendRecoveryKey != nil {
d.PretendRecoveryKey = params.PretendRecoveryKey
}
return nil
}