Example #1
0
def test_full_gpg_with_reseal(vault_server, sample_config_gpg):
    sample_config_gpg["vault_addr"] = vault_server
    result, result_dir = vault_init.process_vault(sample_config_gpg)
    root_token = vault_init.try_decrypt_gpg_key(
        result_dir["init_result"]["root_token"])
    assert result
    assert result_dir["init_result"]["is_init"]
    assert result_dir["init_result"]["init_performed"]
    assert len(
        result_dir["init_result"]["keys"]) == sample_config_gpg["key_share"]
    assert result_dir["init_result"]["root_token"] is not None
    assert result_dir["init_result"]["keys_gpg_encrypted"]
    assert result_dir["init_result"]["root_token_gpg_encrypted"]

    assert result_dir["unseal_result"]["is_unseal"]
    assert result_dir["unseal_result"]["unseal_performed"]
    assert result_dir["unseal_result"]["keys_used_count"] == sample_config_gpg[
        "key_threshold"]

    client = vault_init.create_client(sample_config_gpg)
    assert client.sys.is_initialized()
    assert not client.sys.is_sealed()
    client.token = root_token
    assert client.is_authenticated()

    client.sys.seal()
    assert client.sys.is_sealed()
    vault_init.unseal(client, sample_config_gpg, result_dir["init_result"])
    assert not client.sys.is_sealed()
    assert client.is_authenticated()
Example #2
0
def test_vault_unseal_not_enough_keys(initialized_vault_server, random_hex):
    client = vault_init.create_client(initialized_vault_server)
    assert client.sys.is_initialized()
    initialized_vault_server["keys"] = initialized_vault_server["keys"][0:1]
    with pytest.raises(vault_init.NotEnoughtKeysError):
        vault_init.unseal(client, initialized_vault_server)
    assert client.sys.is_sealed()
Example #3
0
def test_vault_unseal_bad_token(initialized_vault_server, random_hex):
    client = vault_init.create_client(initialized_vault_server)
    assert client.sys.is_initialized()
    vault_init.unseal(client, initialized_vault_server)
    assert not client.sys.is_sealed()
    client.token = next(random_hex)
    assert not client.is_authenticated()
Example #4
0
def test_vault_unseal(initialized_vault_server):
    client = vault_init.create_client(initialized_vault_server)
    assert client.sys.is_initialized()
    vault_init.unseal(client, initialized_vault_server)
    assert not client.sys.is_sealed()
    client.token = initialized_vault_server["root_token"]
    assert client.is_authenticated()
Example #5
0
def test_cannot_unseal_twice(vault_server, sample_config):
    sample_config["vault_addr"] = vault_server
    client = vault_init.create_client(sample_config)
    init_result = vault_init.init(client, sample_config)
    vault_init.unseal(client, sample_config, init_result)
    assert client.sys.is_initialized()
    assert not client.sys.is_sealed()
    assert vault_init.unseal(client, sample_config, init_result) == 0
Example #6
0
def test_vault_can_unseal_with_gpg(gpg_initialized_vault_server):
    client = vault_init.create_client(gpg_initialized_vault_server)

    assert client.sys.is_initialized()
    vault_init.unseal(client, gpg_initialized_vault_server)
    assert not client.sys.is_sealed()
    client.token = gpg_initialized_vault_server["root_token"]
    assert client.is_authenticated()
Example #7
0
def test_vault_can_authenticated_with_gpg(root_gpg_initialized_vault_server):
    client = vault_init.create_client(root_gpg_initialized_vault_server)

    assert client.sys.is_initialized()
    vault_init.unseal(client, root_gpg_initialized_vault_server)
    assert not client.sys.is_sealed()
    root_token_decrypt = vault_init.try_decrypt_gpg_key(
        root_gpg_initialized_vault_server["root_token"])
    assert root_token_decrypt is not None
    client.token = root_token_decrypt
    assert client.is_authenticated()
Example #8
0
def test_vault_cannot_unseal_with_gpg(gpg_initialized_vault_server):
    client = vault_init.create_client(gpg_initialized_vault_server)
    _delete_gpg_keys()

    assert client.sys.is_initialized()
    with pytest.raises(vault_init.BadKeysProvided):
        vault_init.unseal(client, gpg_initialized_vault_server)
    assert client.sys.is_sealed()
    client.token = gpg_initialized_vault_server["root_token"]
    with pytest.raises(hvac.exceptions.VaultDown):
        assert not client.is_authenticated()
Example #9
0
def test_full_vault_cannot_authenticated_with_gpg(
        full_gpg_initialized_vault_server):
    client = vault_init.create_client(full_gpg_initialized_vault_server)
    _delete_gpg_keys()

    assert client.sys.is_initialized()
    with pytest.raises(vault_init.BadKeysProvided):
        vault_init.unseal(client, full_gpg_initialized_vault_server)
    assert client.sys.is_sealed()
    root_token_decrypt = vault_init.try_decrypt_gpg_key(
        full_gpg_initialized_vault_server["root_token"])
    assert root_token_decrypt is None
    client.token = root_token_decrypt
Example #10
0
def test_vault_unseal_bad_key(initialized_vault_server, random_hex):
    client = vault_init.create_client(initialized_vault_server)
    assert client.sys.is_initialized()
    initialized_vault_server["keys"] = [
        next(random_hex)
        for i in range(0, len(initialized_vault_server["keys"]))
    ]
    with pytest.raises(vault_init.errors.BadKeysProvided):
        vault_init.unseal(client, initialized_vault_server)
    assert client.sys.is_sealed()
    client.token = next(random_hex)
    with pytest.raises(hvac.exceptions.VaultDown):
        assert not client.is_authenticated()