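def test_full_gpg_with_reseal(vault_server, sample_config_gpg):
    """End-to-end: init and unseal with GPG-wrapped material, then seal and unseal again.

    Args:
        vault_server: address of a fresh Vault instance (fixture); written into
            the config as ``vault_addr``.
        sample_config_gpg: vault_init config with GPG recipients; the private
            keys are expected to be available so the root token can be decrypted.
    """
    sample_config_gpg["vault_addr"] = vault_server
    result, result_dir = vault_init.process_vault(sample_config_gpg)
    init_result = result_dir["init_result"]
    unseal_result = result_dir["unseal_result"]

    assert result
    assert init_result["is_init"]
    assert init_result["init_performed"]
    assert len(init_result["keys"]) == sample_config_gpg["key_share"]
    assert init_result["root_token"] is not None
    assert init_result["keys_gpg_encrypted"]
    assert init_result["root_token_gpg_encrypted"]
    assert unseal_result["is_unseal"]
    assert unseal_result["unseal_performed"]
    assert unseal_result["keys_used_count"] == sample_config_gpg["key_threshold"]

    # Decrypt only after the init outcome is verified, and fail here with a
    # clear message instead of later with a None token on the client.
    root_token = vault_init.try_decrypt_gpg_key(init_result["root_token"])
    assert root_token is not None

    client = vault_init.create_client(sample_config_gpg)
    assert client.sys.is_initialized()
    assert not client.sys.is_sealed()
    client.token = root_token
    assert client.is_authenticated()

    # Reseal, then prove the stored (encrypted) unseal keys still work.
    client.sys.seal()
    assert client.sys.is_sealed()
    vault_init.unseal(client, sample_config_gpg, init_result)
    assert not client.sys.is_sealed()
    assert client.is_authenticated()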
def test_vault_can_authenticated_with_gpg(root_gpg_initialized_vault_server):
    """Unseal an already-initialized Vault and log in with the GPG-decrypted root token.

    Args:
        root_gpg_initialized_vault_server: fixture config for a Vault that was
            initialized with a GPG-encrypted root token (stored under
            ``"root_token"``); presumably the matching private key is present.
    """
    config = root_gpg_initialized_vault_server
    vault_client = vault_init.create_client(config)
    assert vault_client.sys.is_initialized()

    vault_init.unseal(vault_client, config)
    assert not vault_client.sys.is_sealed()

    # Decryption must succeed here; a None token would mean the private key
    # is missing, which is the failure the sibling "cannot" test covers.
    decrypted_token = vault_init.try_decrypt_gpg_key(config["root_token"])
    assert decrypted_token is not None
    vault_client.token = decrypted_token
    assert vault_client.is_authenticated()
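def test_full_vault_cannot_authenticated_with_gpg(
        full_gpg_initialized_vault_server):
    """Without the GPG private keys, neither unseal nor root-token recovery may work.

    Args:
        full_gpg_initialized_vault_server: fixture config for a Vault whose
            unseal keys and root token were both GPG-encrypted at init time.
    """
    config = full_gpg_initialized_vault_server
    client = vault_init.create_client(config)
    # Remove the private keys before touching the server so that nothing in
    # this test can decrypt the stored material.
    _delete_gpg_keys()
    assert client.sys.is_initialized()

    # Undecryptable unseal keys must be rejected and the server must stay sealed.
    with pytest.raises(vault_init.BadKeysProvided):
        vault_init.unseal(client, config)
    assert client.sys.is_sealed()

    root_token_decrypt = vault_init.try_decrypt_gpg_key(config["root_token"])
    assert root_token_decrypt is None

    # An undecryptable root token must not yield an authenticated client.
    # NOTE(review): relies on is_authenticated() short-circuiting on an empty
    # token without contacting the (sealed) server - confirm for the hvac
    # version in use.
    client.token = root_token_decrypt
    assert not client.is_authenticated()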
def test_full_gpg_no_private(vault_server, sample_config_gpg_without_private):
    """Init with GPG recipients whose private keys are absent: init succeeds, unseal cannot.

    Args:
        vault_server: address of a fresh Vault instance (fixture); written into
            the config as ``vault_addr``.
        sample_config_gpg_without_private: vault_init config whose GPG
            recipients have no private key available locally.
    """
    config = sample_config_gpg_without_private
    config["vault_addr"] = vault_server
    ok, outcome = vault_init.process_vault(config)
    init_outcome = outcome["init_result"]
    unseal_outcome = outcome["unseal_result"]

    assert ok
    assert init_outcome["is_init"]
    assert init_outcome["init_performed"]
    assert len(init_outcome["keys"]) == config["key_share"]
    assert init_outcome["keys_gpg_encrypted"]
    assert init_outcome["root_token_gpg_encrypted"]
    assert init_outcome["root_token"] is not None
    # Encrypted for a key we hold no private half of: decryption yields nothing.
    assert vault_init.try_decrypt_gpg_key(init_outcome["root_token"]) is None

    # No decryptable unseal keys means no unseal was attempted or achieved ...
    assert not unseal_outcome["is_unseal"]
    assert not unseal_outcome["unseal_performed"]
    # ... so the server is initialized but still sealed.
    vault_client = vault_init.create_client(config)
    assert vault_client.sys.is_initialized()
    assert vault_client.sys.is_sealed()