def test_full_gpg_with_reseal(vault_server, sample_config_gpg):
sample_config_gpg["vault_addr"] = vault_server
result, result_dir = vault_init.process_vault(sample_config_gpg)
root_token = vault_init.try_decrypt_gpg_key(
result_dir["init_result"]["root_token"])
assert result
assert result_dir["init_result"]["is_init"]
assert result_dir["init_result"]["init_performed"]
assert len(
result_dir["init_result"]["keys"]) == sample_config_gpg["key_share"]
assert result_dir["init_result"]["root_token"] is not None
assert result_dir["init_result"]["keys_gpg_encrypted"]
assert result_dir["init_result"]["root_token_gpg_encrypted"]
assert result_dir["unseal_result"]["is_unseal"]
assert result_dir["unseal_result"]["unseal_performed"]
assert result_dir["unseal_result"]["keys_used_count"] == sample_config_gpg[
"key_threshold"]
client = vault_init.create_client(sample_config_gpg)
assert client.sys.is_initialized()
assert not client.sys.is_sealed()
client.token = root_token
assert client.is_authenticated()
client.sys.seal()
assert client.sys.is_sealed()
vault_init.unseal(client, sample_config_gpg, result_dir["init_result"])
assert not client.sys.is_sealed()
assert client.is_authenticated()
def test_cannot_init_twice(vault_server, sample_config):
sample_config["vault_addr"] = vault_server
client = vault_init.create_client(sample_config)
vault_init.init(client, sample_config)
assert client.sys.is_initialized()
with pytest.raises(vault_init.BadInitParameterValue):
vault_init.init(client, sample_config)
def test_vault_unseal_not_enough_keys(initialized_vault_server, random_hex):
client = vault_init.create_client(initialized_vault_server)
assert client.sys.is_initialized()
initialized_vault_server["keys"] = initialized_vault_server["keys"][0:1]
with pytest.raises(vault_init.NotEnoughtKeysError):
vault_init.unseal(client, initialized_vault_server)
assert client.sys.is_sealed()
def test_vault_init_with_gpg(vault_server, sample_config_gpg):
sample_config_gpg["vault_addr"] = vault_server
client = vault_init.create_client(sample_config_gpg)
result = vault_init.init(client, sample_config_gpg)
assert len(result["keys"]) == sample_config_gpg["key_share"]
assert len(result["root_token"]) != 0
assert client.sys.is_initialized()
def test_vault_unseal_bad_token(initialized_vault_server, random_hex):
client = vault_init.create_client(initialized_vault_server)
assert client.sys.is_initialized()
vault_init.unseal(client, initialized_vault_server)
assert not client.sys.is_sealed()
client.token = next(random_hex)
assert not client.is_authenticated()
def test_vault_unseal(initialized_vault_server):
client = vault_init.create_client(initialized_vault_server)
assert client.sys.is_initialized()
vault_init.unseal(client, initialized_vault_server)
assert not client.sys.is_sealed()
client.token = initialized_vault_server["root_token"]
assert client.is_authenticated()
def test_cannot_unseal_twice(vault_server, sample_config):
sample_config["vault_addr"] = vault_server
client = vault_init.create_client(sample_config)
init_result = vault_init.init(client, sample_config)
vault_init.unseal(client, sample_config, init_result)
assert client.sys.is_initialized()
assert not client.sys.is_sealed()
assert vault_init.unseal(client, sample_config, init_result) == 0
def test_vault_can_unseal_with_gpg(gpg_initialized_vault_server):
client = vault_init.create_client(gpg_initialized_vault_server)
assert client.sys.is_initialized()
vault_init.unseal(client, gpg_initialized_vault_server)
assert not client.sys.is_sealed()
client.token = gpg_initialized_vault_server["root_token"]
assert client.is_authenticated()
def test_vault_can_authenticated_with_gpg(root_gpg_initialized_vault_server):
client = vault_init.create_client(root_gpg_initialized_vault_server)
assert client.sys.is_initialized()
vault_init.unseal(client, root_gpg_initialized_vault_server)
assert not client.sys.is_sealed()
root_token_decrypt = vault_init.try_decrypt_gpg_key(
root_gpg_initialized_vault_server["root_token"])
assert root_token_decrypt is not None
client.token = root_token_decrypt
assert client.is_authenticated()
def test_vault_cannot_unseal_with_gpg(gpg_initialized_vault_server):
client = vault_init.create_client(gpg_initialized_vault_server)
_delete_gpg_keys()
assert client.sys.is_initialized()
with pytest.raises(vault_init.BadKeysProvided):
vault_init.unseal(client, gpg_initialized_vault_server)
assert client.sys.is_sealed()
client.token = gpg_initialized_vault_server["root_token"]
with pytest.raises(hvac.exceptions.VaultDown):
assert not client.is_authenticated()
def test_full_vault_cannot_authenticated_with_gpg(
full_gpg_initialized_vault_server):
client = vault_init.create_client(full_gpg_initialized_vault_server)
_delete_gpg_keys()
assert client.sys.is_initialized()
with pytest.raises(vault_init.BadKeysProvided):
vault_init.unseal(client, full_gpg_initialized_vault_server)
assert client.sys.is_sealed()
root_token_decrypt = vault_init.try_decrypt_gpg_key(
full_gpg_initialized_vault_server["root_token"])
assert root_token_decrypt is None
client.token = root_token_decrypt
def test_vault_unseal_bad_key(initialized_vault_server, random_hex):
client = vault_init.create_client(initialized_vault_server)
assert client.sys.is_initialized()
initialized_vault_server["keys"] = [
next(random_hex)
for i in range(0, len(initialized_vault_server["keys"]))
]
with pytest.raises(vault_init.errors.BadKeysProvided):
vault_init.unseal(client, initialized_vault_server)
assert client.sys.is_sealed()
client.token = next(random_hex)
with pytest.raises(hvac.exceptions.VaultDown):
assert not client.is_authenticated()
def test_full_gpg_no_private(vault_server, sample_config_gpg_without_private):
sample_config_gpg_without_private["vault_addr"] = vault_server
result, result_dir = vault_init.process_vault(
sample_config_gpg_without_private)
assert result
assert result_dir["init_result"]["is_init"]
assert result_dir["init_result"]["init_performed"]
assert len(result_dir["init_result"]
["keys"]) == sample_config_gpg_without_private["key_share"]
assert result_dir["init_result"]["keys_gpg_encrypted"]
assert result_dir["init_result"]["root_token_gpg_encrypted"]
assert result_dir["init_result"]["root_token"] is not None
assert vault_init.try_decrypt_gpg_key(
result_dir["init_result"]["root_token"]) is None
assert not result_dir["unseal_result"]["is_unseal"]
assert not result_dir["unseal_result"]["unseal_performed"]
client = vault_init.create_client(sample_config_gpg_without_private)
assert client.sys.is_initialized()
assert client.sys.is_sealed()
def test_vault_init_with_wrong_gpg(vault_server, sample_config_wrong_gpg):
sample_config_wrong_gpg["vault_addr"] = vault_server
client = vault_init.create_client(sample_config_wrong_gpg)
with pytest.raises(vault_init.BadInitParameterValue):
vault_init.init(client, sample_config_wrong_gpg)
assert not client.sys.is_initialized()
def test_vault_server_running(vault_server):
client = vault_init.create_client({"vault_addr": vault_server})
assert client.sys.is_sealed()
assert not client.sys.is_initialized()