Add vault seal/unseal lifecycle
- New internal/vault package: thread-safe Vault struct with seal/unseal state, key material zeroing, and key derivation - REST: POST /v1/vault/unseal, POST /v1/vault/seal, GET /v1/vault/status; health returns sealed status - UI: /unseal page with passphrase form, redirect when sealed - gRPC: sealedInterceptor rejects RPCs when sealed - Middleware: RequireUnsealed blocks all routes except exempt paths; RequireAuth reads pubkey from vault at request time - Startup: server starts sealed when passphrase unavailable - All servers share single *vault.Vault by pointer - CSRF manager derives key lazily from vault Security: Key material is zeroed on seal. Sealed middleware runs before auth. Handlers fail closed if vault becomes sealed mid-request. Unseal endpoint is rate-limited (3/s burst 5). No CSRF on unseal page (no session to protect; chicken-and-egg with master key). Passphrase never logged. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -10,7 +10,6 @@
|
||||
package server
|
||||
|
||||
import (
|
||||
"crypto/ed25519"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
@@ -31,28 +30,25 @@ import (
|
||||
"git.wntrmute.dev/kyle/mcias/internal/token"
|
||||
"git.wntrmute.dev/kyle/mcias/internal/ui"
|
||||
"git.wntrmute.dev/kyle/mcias/internal/validate"
|
||||
"git.wntrmute.dev/kyle/mcias/internal/vault"
|
||||
"git.wntrmute.dev/kyle/mcias/web"
|
||||
)
|
||||
|
||||
// Server holds the dependencies injected into all handlers.
|
||||
type Server struct {
|
||||
db *db.DB
|
||||
cfg *config.Config
|
||||
logger *slog.Logger
|
||||
privKey ed25519.PrivateKey
|
||||
pubKey ed25519.PublicKey
|
||||
masterKey []byte
|
||||
db *db.DB
|
||||
cfg *config.Config
|
||||
logger *slog.Logger
|
||||
vault *vault.Vault
|
||||
}
|
||||
|
||||
// New creates a Server with the given dependencies.
|
||||
func New(database *db.DB, cfg *config.Config, priv ed25519.PrivateKey, pub ed25519.PublicKey, masterKey []byte, logger *slog.Logger) *Server {
|
||||
func New(database *db.DB, cfg *config.Config, v *vault.Vault, logger *slog.Logger) *Server {
|
||||
return &Server{
|
||||
db: database,
|
||||
cfg: cfg,
|
||||
privKey: priv,
|
||||
pubKey: pub,
|
||||
masterKey: masterKey,
|
||||
logger: logger,
|
||||
db: database,
|
||||
cfg: cfg,
|
||||
vault: v,
|
||||
logger: logger,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -110,8 +106,14 @@ func (s *Server) Handler() http.Handler {
|
||||
_, _ = w.Write(specYAML)
|
||||
})))
|
||||
|
||||
// Vault endpoints (exempt from sealed middleware and auth).
|
||||
unsealRateLimit := middleware.RateLimit(3, 5, trustedProxy)
|
||||
mux.Handle("POST /v1/vault/unseal", unsealRateLimit(http.HandlerFunc(s.handleUnseal)))
|
||||
mux.HandleFunc("GET /v1/vault/status", s.handleVaultStatus)
|
||||
mux.Handle("POST /v1/vault/seal", middleware.RequireAuth(s.vault, s.db, s.cfg.Tokens.Issuer)(middleware.RequireRole("admin")(http.HandlerFunc(s.handleSeal))))
|
||||
|
||||
// Authenticated endpoints.
|
||||
requireAuth := middleware.RequireAuth(s.pubKey, s.db, s.cfg.Tokens.Issuer)
|
||||
requireAuth := middleware.RequireAuth(s.vault, s.db, s.cfg.Tokens.Issuer)
|
||||
requireAdmin := func(h http.Handler) http.Handler {
|
||||
return requireAuth(middleware.RequireRole("admin")(h))
|
||||
}
|
||||
@@ -152,15 +154,18 @@ func (s *Server) Handler() http.Handler {
|
||||
mux.Handle("DELETE /v1/policy/rules/{id}", requireAdmin(http.HandlerFunc(s.handleDeletePolicyRule)))
|
||||
|
||||
// UI routes (HTMX-based management frontend).
|
||||
uiSrv, err := ui.New(s.db, s.cfg, s.privKey, s.pubKey, s.masterKey, s.logger)
|
||||
uiSrv, err := ui.New(s.db, s.cfg, s.vault, s.logger)
|
||||
if err != nil {
|
||||
panic(fmt.Sprintf("ui: init failed: %v", err))
|
||||
}
|
||||
uiSrv.Register(mux)
|
||||
|
||||
// Apply global middleware: request logging and security headers.
|
||||
// Apply global middleware: request logging, sealed check, and security headers.
|
||||
// Rate limiting is applied per-route above (login, token/validate).
|
||||
var root http.Handler = mux
|
||||
// Security: RequireUnsealed runs after the mux (so exempt routes can be
|
||||
// routed) but before the logger (so sealed-blocked requests are still logged).
|
||||
root = middleware.RequireUnsealed(s.vault)(root)
|
||||
root = middleware.RequestLogger(s.logger)(root)
|
||||
|
||||
// Security (SEC-04): apply baseline security headers to ALL responses
|
||||
@@ -178,12 +183,21 @@ func (s *Server) Handler() http.Handler {
|
||||
// ---- Public handlers ----
|
||||
|
||||
func (s *Server) handleHealth(w http.ResponseWriter, _ *http.Request) {
|
||||
if s.vault.IsSealed() {
|
||||
writeJSON(w, http.StatusOK, map[string]string{"status": "sealed"})
|
||||
return
|
||||
}
|
||||
writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
|
||||
}
|
||||
|
||||
// handlePublicKey returns the server's Ed25519 public key in JWK format.
|
||||
// This allows relying parties to independently verify JWTs.
|
||||
func (s *Server) handlePublicKey(w http.ResponseWriter, _ *http.Request) {
|
||||
pubKey, err := s.vault.PubKey()
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusServiceUnavailable, "vault sealed", "vault_sealed")
|
||||
return
|
||||
}
|
||||
// Encode the Ed25519 public key as a JWK (RFC 8037).
|
||||
// The "x" parameter is the base64url-encoded public key bytes.
|
||||
jwk := map[string]string{
|
||||
@@ -191,7 +205,7 @@ func (s *Server) handlePublicKey(w http.ResponseWriter, _ *http.Request) {
|
||||
"crv": "Ed25519",
|
||||
"use": "sig",
|
||||
"alg": "EdDSA",
|
||||
"x": encodeBase64URL(s.pubKey),
|
||||
"x": encodeBase64URL(pubKey),
|
||||
}
|
||||
writeJSON(w, http.StatusOK, jwk)
|
||||
}
|
||||
@@ -282,7 +296,12 @@ func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
// Decrypt the TOTP secret.
|
||||
secret, err := crypto.OpenAESGCM(s.masterKey, acct.TOTPSecretNonce, acct.TOTPSecretEnc)
|
||||
masterKey, err := s.vault.MasterKey()
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusServiceUnavailable, "vault sealed", "vault_sealed")
|
||||
return
|
||||
}
|
||||
secret, err := crypto.OpenAESGCM(masterKey, acct.TOTPSecretNonce, acct.TOTPSecretEnc)
|
||||
if err != nil {
|
||||
s.logger.Error("decrypt TOTP secret", "error", err, "account_id", acct.ID)
|
||||
middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
|
||||
@@ -322,7 +341,12 @@ func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
}
|
||||
|
||||
tokenStr, claims, err := token.IssueToken(s.privKey, s.cfg.Tokens.Issuer, acct.UUID, roles, expiry)
|
||||
privKey, err := s.vault.PrivKey()
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusServiceUnavailable, "vault sealed", "vault_sealed")
|
||||
return
|
||||
}
|
||||
tokenStr, claims, err := token.IssueToken(privKey, s.cfg.Tokens.Issuer, acct.UUID, roles, expiry)
|
||||
if err != nil {
|
||||
s.logger.Error("issue token", "error", err)
|
||||
middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
|
||||
@@ -392,7 +416,12 @@ func (s *Server) handleRenew(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
}
|
||||
|
||||
newTokenStr, newClaims, err := token.IssueToken(s.privKey, s.cfg.Tokens.Issuer, acct.UUID, roles, expiry)
|
||||
privKey, err := s.vault.PrivKey()
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusServiceUnavailable, "vault sealed", "vault_sealed")
|
||||
return
|
||||
}
|
||||
newTokenStr, newClaims, err := token.IssueToken(privKey, s.cfg.Tokens.Issuer, acct.UUID, roles, expiry)
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
|
||||
return
|
||||
@@ -444,7 +473,12 @@ func (s *Server) handleTokenValidate(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
claims, err := token.ValidateToken(s.pubKey, tokenStr, s.cfg.Tokens.Issuer)
|
||||
pubKey, err := s.vault.PubKey()
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusServiceUnavailable, "vault sealed", "vault_sealed")
|
||||
return
|
||||
}
|
||||
claims, err := token.ValidateToken(pubKey, tokenStr, s.cfg.Tokens.Issuer)
|
||||
if err != nil {
|
||||
writeJSON(w, http.StatusOK, validateResponse{Valid: false})
|
||||
return
|
||||
@@ -484,7 +518,12 @@ func (s *Server) handleTokenIssue(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
tokenStr, claims, err := token.IssueToken(s.privKey, s.cfg.Tokens.Issuer, acct.UUID, nil, s.cfg.ServiceExpiry())
|
||||
privKey, err := s.vault.PrivKey()
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusServiceUnavailable, "vault sealed", "vault_sealed")
|
||||
return
|
||||
}
|
||||
tokenStr, claims, err := token.IssueToken(privKey, s.cfg.Tokens.Issuer, acct.UUID, nil, s.cfg.ServiceExpiry())
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
|
||||
return
|
||||
@@ -875,7 +914,12 @@ func (s *Server) handleTOTPEnroll(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
// Encrypt the secret before storing it temporarily.
|
||||
// Note: we store as pending; enrollment is confirmed with /confirm.
|
||||
secretEnc, secretNonce, err := crypto.SealAESGCM(s.masterKey, rawSecret)
|
||||
masterKey, err := s.vault.MasterKey()
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusServiceUnavailable, "vault sealed", "vault_sealed")
|
||||
return
|
||||
}
|
||||
secretEnc, secretNonce, err := crypto.SealAESGCM(masterKey, rawSecret)
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
|
||||
return
|
||||
@@ -918,7 +962,12 @@ func (s *Server) handleTOTPConfirm(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
secret, err := crypto.OpenAESGCM(s.masterKey, acct.TOTPSecretNonce, acct.TOTPSecretEnc)
|
||||
masterKey, err := s.vault.MasterKey()
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusServiceUnavailable, "vault sealed", "vault_sealed")
|
||||
return
|
||||
}
|
||||
secret, err := crypto.OpenAESGCM(masterKey, acct.TOTPSecretNonce, acct.TOTPSecretEnc)
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
|
||||
return
|
||||
@@ -1178,7 +1227,12 @@ func (s *Server) handleGetPGCreds(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
// Decrypt the password to return it to the admin caller.
|
||||
password, err := crypto.OpenAESGCM(s.masterKey, cred.PGPasswordNonce, cred.PGPasswordEnc)
|
||||
masterKey, err := s.vault.MasterKey()
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusServiceUnavailable, "vault sealed", "vault_sealed")
|
||||
return
|
||||
}
|
||||
password, err := crypto.OpenAESGCM(masterKey, cred.PGPasswordNonce, cred.PGPasswordEnc)
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
|
||||
return
|
||||
@@ -1215,7 +1269,12 @@ func (s *Server) handleSetPGCreds(w http.ResponseWriter, r *http.Request) {
|
||||
req.Port = 5432
|
||||
}
|
||||
|
||||
enc, nonce, err := crypto.SealAESGCM(s.masterKey, []byte(req.Password))
|
||||
masterKey, err := s.vault.MasterKey()
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusServiceUnavailable, "vault sealed", "vault_sealed")
|
||||
return
|
||||
}
|
||||
enc, nonce, err := crypto.SealAESGCM(masterKey, []byte(req.Password))
|
||||
if err != nil {
|
||||
middleware.WriteError(w, http.StatusInternalServerError, "internal error", "internal_error")
|
||||
return
|
||||
|
||||
@@ -24,6 +24,7 @@ import (
|
||||
"git.wntrmute.dev/kyle/mcias/internal/db"
|
||||
"git.wntrmute.dev/kyle/mcias/internal/model"
|
||||
"git.wntrmute.dev/kyle/mcias/internal/token"
|
||||
"git.wntrmute.dev/kyle/mcias/internal/vault"
|
||||
)
|
||||
|
||||
// generateTOTPCode computes a valid RFC 6238 TOTP code for the current time
|
||||
@@ -72,8 +73,9 @@ func newTestServer(t *testing.T) (*Server, ed25519.PublicKey, ed25519.PrivateKey
|
||||
|
||||
cfg := config.NewTestConfig(testIssuer)
|
||||
|
||||
v := vault.NewUnsealed(masterKey, priv, pub)
|
||||
logger := slog.New(slog.NewTextHandler(io.Discard, nil))
|
||||
srv := New(database, cfg, priv, pub, masterKey, logger)
|
||||
srv := New(database, cfg, v, logger)
|
||||
return srv, pub, priv, database
|
||||
}
|
||||
|
||||
|
||||
102
internal/server/vault.go
Normal file
102
internal/server/vault.go
Normal file
@@ -0,0 +1,102 @@
|
||||
// Vault seal/unseal REST handlers for MCIAS.
|
||||
package server
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
"git.wntrmute.dev/kyle/mcias/internal/audit"
|
||||
"git.wntrmute.dev/kyle/mcias/internal/middleware"
|
||||
"git.wntrmute.dev/kyle/mcias/internal/model"
|
||||
"git.wntrmute.dev/kyle/mcias/internal/vault"
|
||||
)
|
||||
|
||||
// unsealRequest is the request body for POST /v1/vault/unseal.
|
||||
type unsealRequest struct {
|
||||
Passphrase string `json:"passphrase"`
|
||||
}
|
||||
|
||||
// handleUnseal accepts a passphrase, derives the master key, decrypts the
|
||||
// signing key, and unseals the vault. Rate-limited to 3/s burst 5.
|
||||
//
|
||||
// Security: The passphrase is never logged. A generic error is returned on
|
||||
// any failure to prevent information leakage about the vault state.
|
||||
func (s *Server) handleUnseal(w http.ResponseWriter, r *http.Request) {
|
||||
if !s.vault.IsSealed() {
|
||||
writeJSON(w, http.StatusOK, map[string]string{"status": "already unsealed"})
|
||||
return
|
||||
}
|
||||
|
||||
var req unsealRequest
|
||||
if !decodeJSON(w, r, &req) {
|
||||
return
|
||||
}
|
||||
if req.Passphrase == "" {
|
||||
middleware.WriteError(w, http.StatusBadRequest, "passphrase is required", "bad_request")
|
||||
return
|
||||
}
|
||||
|
||||
// Derive master key from passphrase.
|
||||
masterKey, err := vault.DeriveFromPassphrase(req.Passphrase, s.db)
|
||||
if err != nil {
|
||||
s.logger.Error("vault unseal: derive key", "error", err)
|
||||
middleware.WriteError(w, http.StatusUnauthorized, "unseal failed", "unauthorized")
|
||||
return
|
||||
}
|
||||
|
||||
// Decrypt the signing key.
|
||||
privKey, pubKey, err := vault.DecryptSigningKey(s.db, masterKey)
|
||||
if err != nil {
|
||||
// Zero derived master key on failure.
|
||||
for i := range masterKey {
|
||||
masterKey[i] = 0
|
||||
}
|
||||
s.logger.Error("vault unseal: decrypt signing key", "error", err)
|
||||
middleware.WriteError(w, http.StatusUnauthorized, "unseal failed", "unauthorized")
|
||||
return
|
||||
}
|
||||
|
||||
if err := s.vault.Unseal(masterKey, privKey, pubKey); err != nil {
|
||||
s.logger.Error("vault unseal: state transition", "error", err)
|
||||
middleware.WriteError(w, http.StatusConflict, "vault is already unsealed", "conflict")
|
||||
return
|
||||
}
|
||||
|
||||
ip := middleware.ClientIP(r, nil)
|
||||
s.writeAudit(r, model.EventVaultUnsealed, nil, nil, audit.JSON("source", "api", "ip", ip))
|
||||
s.logger.Info("vault unsealed via API", "ip", ip)
|
||||
|
||||
writeJSON(w, http.StatusOK, map[string]string{"status": "unsealed"})
|
||||
}
|
||||
|
||||
// handleSeal seals the vault, zeroing all key material. Admin-only.
|
||||
//
|
||||
// Security: The caller's token becomes invalid after sealing because the
|
||||
// public key needed to validate it is no longer available.
|
||||
func (s *Server) handleSeal(w http.ResponseWriter, r *http.Request) {
|
||||
if s.vault.IsSealed() {
|
||||
writeJSON(w, http.StatusOK, map[string]string{"status": "already sealed"})
|
||||
return
|
||||
}
|
||||
|
||||
claims := middleware.ClaimsFromContext(r.Context())
|
||||
var actorID *int64
|
||||
if claims != nil {
|
||||
acct, err := s.db.GetAccountByUUID(claims.Subject)
|
||||
if err == nil {
|
||||
actorID = &acct.ID
|
||||
}
|
||||
}
|
||||
|
||||
s.vault.Seal()
|
||||
|
||||
ip := middleware.ClientIP(r, nil)
|
||||
s.writeAudit(r, model.EventVaultSealed, actorID, nil, audit.JSON("source", "api", "ip", ip))
|
||||
s.logger.Info("vault sealed via API", "ip", ip)
|
||||
|
||||
writeJSON(w, http.StatusOK, map[string]string{"status": "sealed"})
|
||||
}
|
||||
|
||||
// handleVaultStatus returns the current seal state of the vault.
|
||||
func (s *Server) handleVaultStatus(w http.ResponseWriter, _ *http.Request) {
|
||||
writeJSON(w, http.StatusOK, map[string]bool{"sealed": s.vault.IsSealed()})
|
||||
}
|
||||
171
internal/server/vault_test.go
Normal file
171
internal/server/vault_test.go
Normal file
@@ -0,0 +1,171 @@
|
||||
package server
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"git.wntrmute.dev/kyle/mcias/internal/vault"
|
||||
)
|
||||
|
||||
func TestHandleHealthSealed(t *testing.T) {
|
||||
srv, _, _, _ := newTestServer(t)
|
||||
srv.vault.Seal()
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/v1/health", nil)
|
||||
rr := httptest.NewRecorder()
|
||||
srv.Handler().ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusOK {
|
||||
t.Fatalf("health status = %d, want 200", rr.Code)
|
||||
}
|
||||
|
||||
var resp map[string]string
|
||||
if err := json.NewDecoder(rr.Body).Decode(&resp); err != nil {
|
||||
t.Fatalf("decode health: %v", err)
|
||||
}
|
||||
if resp["status"] != "sealed" {
|
||||
t.Fatalf("health status = %q, want sealed", resp["status"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestHandleHealthUnsealed(t *testing.T) {
|
||||
srv, _, _, _ := newTestServer(t)
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/v1/health", nil)
|
||||
rr := httptest.NewRecorder()
|
||||
srv.Handler().ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusOK {
|
||||
t.Fatalf("health status = %d, want 200", rr.Code)
|
||||
}
|
||||
|
||||
var resp map[string]string
|
||||
if err := json.NewDecoder(rr.Body).Decode(&resp); err != nil {
|
||||
t.Fatalf("decode health: %v", err)
|
||||
}
|
||||
if resp["status"] != "ok" {
|
||||
t.Fatalf("health status = %q, want ok", resp["status"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestVaultStatusEndpoint(t *testing.T) {
|
||||
srv, _, _, _ := newTestServer(t)
|
||||
|
||||
// Unsealed
|
||||
req := httptest.NewRequest(http.MethodGet, "/v1/vault/status", nil)
|
||||
rr := httptest.NewRecorder()
|
||||
srv.Handler().ServeHTTP(rr, req)
|
||||
if rr.Code != http.StatusOK {
|
||||
t.Fatalf("status code = %d, want 200", rr.Code)
|
||||
}
|
||||
var resp map[string]bool
|
||||
if err := json.NewDecoder(rr.Body).Decode(&resp); err != nil {
|
||||
t.Fatalf("decode: %v", err)
|
||||
}
|
||||
if resp["sealed"] {
|
||||
t.Fatal("vault should be unsealed")
|
||||
}
|
||||
|
||||
// Seal and check again
|
||||
srv.vault.Seal()
|
||||
req = httptest.NewRequest(http.MethodGet, "/v1/vault/status", nil)
|
||||
rr = httptest.NewRecorder()
|
||||
srv.Handler().ServeHTTP(rr, req)
|
||||
if rr.Code != http.StatusOK {
|
||||
t.Fatalf("status code = %d, want 200", rr.Code)
|
||||
}
|
||||
resp = nil
|
||||
if err := json.NewDecoder(rr.Body).Decode(&resp); err != nil {
|
||||
t.Fatalf("decode: %v", err)
|
||||
}
|
||||
if !resp["sealed"] {
|
||||
t.Fatal("vault should be sealed")
|
||||
}
|
||||
}
|
||||
|
||||
func TestSealedMiddlewareAPIReturns503(t *testing.T) {
|
||||
srv, _, _, _ := newTestServer(t)
|
||||
srv.vault.Seal()
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/v1/accounts", nil)
|
||||
rr := httptest.NewRecorder()
|
||||
srv.Handler().ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusServiceUnavailable {
|
||||
t.Fatalf("sealed API status = %d, want 503", rr.Code)
|
||||
}
|
||||
|
||||
var resp map[string]string
|
||||
if err := json.NewDecoder(rr.Body).Decode(&resp); err != nil {
|
||||
t.Fatalf("decode: %v", err)
|
||||
}
|
||||
if resp["code"] != "vault_sealed" {
|
||||
t.Fatalf("error code = %q, want vault_sealed", resp["code"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestSealedMiddlewareUIRedirects(t *testing.T) {
|
||||
srv, _, _, _ := newTestServer(t)
|
||||
srv.vault.Seal()
|
||||
|
||||
req := httptest.NewRequest(http.MethodGet, "/dashboard", nil)
|
||||
rr := httptest.NewRecorder()
|
||||
srv.Handler().ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusFound {
|
||||
t.Fatalf("sealed UI status = %d, want 302", rr.Code)
|
||||
}
|
||||
loc := rr.Header().Get("Location")
|
||||
if loc != "/unseal" {
|
||||
t.Fatalf("redirect location = %q, want /unseal", loc)
|
||||
}
|
||||
}
|
||||
|
||||
func TestUnsealBadPassphrase(t *testing.T) {
|
||||
srv, _, _, _ := newTestServer(t)
|
||||
// Start sealed.
|
||||
v := vault.NewSealed()
|
||||
srv.vault = v
|
||||
|
||||
body := `{"passphrase":"wrong-passphrase"}`
|
||||
req := httptest.NewRequest(http.MethodPost, "/v1/vault/unseal", strings.NewReader(body))
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
rr := httptest.NewRecorder()
|
||||
srv.Handler().ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusUnauthorized {
|
||||
t.Fatalf("unseal with bad passphrase status = %d, want 401", rr.Code)
|
||||
}
|
||||
}
|
||||
|
||||
func TestSealAlreadySealedNoop(t *testing.T) {
|
||||
srv, _, priv, _ := newTestServer(t)
|
||||
|
||||
// Seal via API (needs admin token)
|
||||
adminToken, _ := issueAdminToken(t, srv, priv, "admin")
|
||||
|
||||
req := httptest.NewRequest(http.MethodPost, "/v1/vault/seal", nil)
|
||||
req.Header.Set("Authorization", "Bearer "+adminToken)
|
||||
rr := httptest.NewRecorder()
|
||||
srv.Handler().ServeHTTP(rr, req)
|
||||
|
||||
if rr.Code != http.StatusOK {
|
||||
t.Fatalf("seal status = %d, want 200", rr.Code)
|
||||
}
|
||||
|
||||
var resp map[string]string
|
||||
if err := json.NewDecoder(rr.Body).Decode(&resp); err != nil {
|
||||
t.Fatalf("decode: %v", err)
|
||||
}
|
||||
if resp["status"] != "sealed" {
|
||||
t.Fatalf("seal response status = %q, want sealed", resp["status"])
|
||||
}
|
||||
|
||||
// Vault should be sealed now
|
||||
if !srv.vault.IsSealed() {
|
||||
t.Fatal("vault should be sealed after seal API call")
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user