def test_full_gpg_with_reseal(vault_server, sample_config_gpg):
sample_config_gpg["vault_addr"] = vault_server
result, result_dir = vault_init.process_vault(sample_config_gpg)
root_token = vault_init.try_decrypt_gpg_key(
result_dir["init_result"]["root_token"])
assert result
assert result_dir["init_result"]["is_init"]
assert result_dir["init_result"]["init_performed"]
assert len(
result_dir["init_result"]["keys"]) == sample_config_gpg["key_share"]
assert result_dir["init_result"]["root_token"] is not None
assert result_dir["init_result"]["keys_gpg_encrypted"]
assert result_dir["init_result"]["root_token_gpg_encrypted"]
assert result_dir["unseal_result"]["is_unseal"]
assert result_dir["unseal_result"]["unseal_performed"]
assert result_dir["unseal_result"]["keys_used_count"] == sample_config_gpg[
"key_threshold"]
client = vault_init.create_client(sample_config_gpg)
assert client.sys.is_initialized()
assert not client.sys.is_sealed()
client.token = root_token
assert client.is_authenticated()
client.sys.seal()
assert client.sys.is_sealed()
vault_init.unseal(client, sample_config_gpg, result_dir["init_result"])
assert not client.sys.is_sealed()
assert client.is_authenticated()
def test_vault_can_authenticated_with_gpg(root_gpg_initialized_vault_server):
client = vault_init.create_client(root_gpg_initialized_vault_server)
assert client.sys.is_initialized()
vault_init.unseal(client, root_gpg_initialized_vault_server)
assert not client.sys.is_sealed()
root_token_decrypt = vault_init.try_decrypt_gpg_key(
root_gpg_initialized_vault_server["root_token"])
assert root_token_decrypt is not None
client.token = root_token_decrypt
assert client.is_authenticated()
def test_full_vault_cannot_authenticated_with_gpg(
full_gpg_initialized_vault_server):
client = vault_init.create_client(full_gpg_initialized_vault_server)
_delete_gpg_keys()
assert client.sys.is_initialized()
with pytest.raises(vault_init.BadKeysProvided):
vault_init.unseal(client, full_gpg_initialized_vault_server)
assert client.sys.is_sealed()
root_token_decrypt = vault_init.try_decrypt_gpg_key(
full_gpg_initialized_vault_server["root_token"])
assert root_token_decrypt is None
client.token = root_token_decrypt
def test_full_gpg_no_private(vault_server, sample_config_gpg_without_private):
sample_config_gpg_without_private["vault_addr"] = vault_server
result, result_dir = vault_init.process_vault(
sample_config_gpg_without_private)
assert result
assert result_dir["init_result"]["is_init"]
assert result_dir["init_result"]["init_performed"]
assert len(result_dir["init_result"]
["keys"]) == sample_config_gpg_without_private["key_share"]
assert result_dir["init_result"]["keys_gpg_encrypted"]
assert result_dir["init_result"]["root_token_gpg_encrypted"]
assert result_dir["init_result"]["root_token"] is not None
assert vault_init.try_decrypt_gpg_key(
result_dir["init_result"]["root_token"]) is None
assert not result_dir["unseal_result"]["is_unseal"]
assert not result_dir["unseal_result"]["unseal_performed"]
client = vault_init.create_client(sample_config_gpg_without_private)
assert client.sys.is_initialized()
assert client.sys.is_sealed()