func TestTokenCreate(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &TokenCreateCommand{
Meta: Meta{
ClientToken: token,
Ui: ui,
},
}
args := []string{
"-address", addr,
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
// Ensure we get lease info
output := ui.OutputWriter.String()
if !strings.Contains(output, "token_duration") {
t.Fatalf("bad: %#v", output)
}
}
func TestStatus(t *testing.T) {
ui := new(cli.MockUi)
c := &StatusCommand{
Meta: Meta{
Ui: ui,
},
}
core := vault.TestCore(t)
key, _ := vault.TestCoreInit(t, core)
ln, addr := http.TestServer(t, core)
defer ln.Close()
args := []string{"-address", addr}
if code := c.Run(args); code != 1 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
if _, err := core.Unseal(key); err != nil {
t.Fatalf("err: %s", err)
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
}
func TestRekey_arg(t *testing.T) {
core, key, _ := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &RekeyCommand{
RecoveryKey: false,
Meta: meta.Meta{
Ui: ui,
},
}
args := []string{"-address", addr, hex.EncodeToString(key)}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
config, err := core.SealAccess().BarrierConfig()
if err != nil {
t.Fatalf("err: %s", err)
}
if config.SecretShares != 5 {
t.Fatal("should rekey")
}
}
func TestRekey_init(t *testing.T) {
core, key, _ := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &RekeyCommand{
Key: hex.EncodeToString(key),
Meta: meta.Meta{
Ui: ui,
},
}
args := []string{
"-address", addr,
"-init",
"-key-threshold", "10",
"-key-shares", "10",
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
config, err := core.RekeyConfig(false)
if err != nil {
t.Fatalf("err: %s", err)
}
if config.SecretShares != 10 {
t.Fatal("should rekey")
}
if config.SecretThreshold != 10 {
t.Fatal("should rekey")
}
}
func TestTokenLookupSelf(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &TokenLookupCommand{
Meta: meta.Meta{
ClientToken: token,
Ui: ui,
},
}
args := []string{
"-address", addr,
}
// Run it against itself
code := c.Run(args)
// Verify it worked
if code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
}
func TestUnseal_arg(t *testing.T) {
core := vault.TestCore(t)
key, _ := vault.TestCoreInit(t, core)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &UnsealCommand{
Meta: Meta{
Ui: ui,
},
}
args := []string{"-address", addr, hex.EncodeToString(key)}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
sealed, err := core.Sealed()
if err != nil {
t.Fatalf("err: %s", err)
}
if sealed {
t.Fatal("should not be sealed")
}
}
func TestAuthTokenCreate(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
config := DefaultConfig()
config.Address = addr
client, err := NewClient(config)
if err != nil {
t.Fatal(err)
}
client.SetToken(token)
secret, err := client.Auth().Token().Create(&TokenCreateRequest{
Lease: "1h",
})
if err != nil {
t.Fatal(err)
}
if secret.Auth.LeaseDuration != 3600 {
t.Errorf("expected 1h, got %q", secret.Auth.LeaseDuration)
}
}
func TestAuthTokenLookupSelf(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
config := DefaultConfig()
config.Address = addr
client, err := NewClient(config)
if err != nil {
t.Fatal(err)
}
client.SetToken(token)
// you should be able to lookup your own token
secret, err := client.Auth().Token().LookupSelf()
if err != nil {
t.Fatalf("should be allowed to lookup self, err = %v", err)
}
if secret.Data["id"] != token {
t.Errorf("Did not get back details about our own (self) token, id returned=%s", secret.Data["id"])
}
if secret.Data["display_name"] != "root" {
t.Errorf("Did not get back details about our own (self) token, display_name returned=%s", secret.Data["display_name"])
}
}
func TestAuth_methods(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
testAuthInit(t)
ui := new(cli.MockUi)
c := &AuthCommand{
Meta: Meta{
ClientToken: token,
Ui: ui,
},
}
args := []string{
"-address", addr,
"-methods",
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
output := ui.OutputWriter.String()
if !strings.Contains(output, "token") {
t.Fatalf("bad: %#v", output)
}
}
func TestRevoke(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &RevokeCommand{
Meta: Meta{
ClientToken: token,
Ui: ui,
},
}
client := testClient(t, addr, token)
_, err := client.Logical().Write("secret/foo", map[string]interface{}{
"key": "value",
"lease": "1m",
})
if err != nil {
t.Fatalf("err: %s", err)
}
secret, err := client.Logical().Read("secret/foo")
if err != nil {
t.Fatalf("err: %s", err)
}
args := []string{
"-address", addr,
secret.LeaseID,
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
}
func TestRekey_cancel(t *testing.T) {
core, key, _ := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &RekeyCommand{
Key: hex.EncodeToString(key),
Meta: Meta{
Ui: ui,
},
}
args := []string{"-address", addr, "-init"}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
args = []string{"-address", addr, "-cancel"}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
config, err := core.RekeyConfig()
if err != nil {
t.Fatalf("err: %s", err)
}
if config != nil {
t.Fatal("should not rekey")
}
}
func TestSeal(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &SealCommand{
Meta: Meta{
ClientToken: token,
Ui: ui,
},
}
args := []string{"-address", addr}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
sealed, err := core.Sealed()
if err != nil {
t.Fatalf("err: %s", err)
}
if !sealed {
t.Fatal("should be sealed")
}
}
func TestRekey_status(t *testing.T) {
core, key, _ := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &RekeyCommand{
Key: hex.EncodeToString(key),
Meta: Meta{
Ui: ui,
},
}
args := []string{"-address", addr, "-init"}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
args = []string{"-address", addr, "-status"}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
if !strings.Contains(string(ui.OutputWriter.Bytes()), "Started: true") {
t.Fatalf("bad: %s", ui.OutputWriter.String())
}
}
func TestAuditDisable(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &AuditDisableCommand{
Meta: Meta{
ClientToken: token,
Ui: ui,
},
}
args := []string{
"-address", addr,
"noop",
}
// Run once to get the client
c.Run(args)
// Get the client
client, err := c.Client()
if err != nil {
t.Fatalf("err: %#v", err)
}
if err := client.Sys().EnableAudit("noop", "noop", "", nil); err != nil {
t.Fatalf("err: %#v", err)
}
// Run again
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
}
func TestAuth_stdin(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
testAuthInit(t)
stdinR, stdinW := io.Pipe()
ui := new(cli.MockUi)
c := &AuthCommand{
Meta: Meta{
Ui: ui,
},
testStdin: stdinR,
}
go func() {
stdinW.Write([]byte(token))
stdinW.Close()
}()
args := []string{
"-address", addr,
"-",
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
}
func TestCapabilities_Basic(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &CapabilitiesCommand{
Meta: meta.Meta{
ClientToken: token,
Ui: ui,
},
}
var args []string
args = []string{"-address", addr}
if code := c.Run(args); code == 0 {
t.Fatalf("expected failure due to no args")
}
args = []string{"-address", addr, "testpath"}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
args = []string{"-address", addr, token, "test"}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
args = []string{"-address", addr, "invalidtoken", "test"}
if code := c.Run(args); code == 0 {
t.Fatalf("expected failure due to invalid token")
}
}
func TestAuthTokenLookup(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
config := DefaultConfig()
config.Address = addr
client, err := NewClient(config)
if err != nil {
t.Fatal(err)
}
client.SetToken(token)
// Create a new token ...
secret2, err := client.Auth().Token().Create(&TokenCreateRequest{
Lease: "1h",
})
if err != nil {
t.Fatal(err)
}
// lookup details of this token
secret, err := client.Auth().Token().Lookup(secret2.Auth.ClientToken)
if err != nil {
t.Fatalf("unable to lookup details of token, err = %v", err)
}
if secret.Data["id"] != secret2.Auth.ClientToken {
t.Errorf("Did not get back details about our provided token, id returned=%s", secret.Data["id"])
}
}
func TestWrite_Output(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &WriteCommand{
Meta: meta.Meta{
ClientToken: token,
Ui: ui,
},
}
args := []string{
"-address", addr,
"auth/token/create",
"display_name=foo",
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
if !strings.Contains(string(ui.OutputWriter.Bytes()), "Key") {
t.Fatalf("bad: %s", string(ui.OutputWriter.Bytes()))
}
}
func TestAuthTokenRenew(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
config := DefaultConfig()
config.Address = addr
client, err := NewClient(config)
if err != nil {
t.Fatal(err)
}
client.SetToken(token)
// The default root token is not renewable, so this should not work
_, err = client.Auth().Token().Renew(token, 0)
if err == nil {
t.Fatal("should not be allowed to renew root token")
}
if !strings.Contains(err.Error(), "lease is not renewable") {
t.Fatal("wrong error")
}
// Create a new token that should be renewable
secret, err := client.Auth().Token().Create(&TokenCreateRequest{
Lease: "1h",
})
if err != nil {
t.Fatal(err)
}
client.SetToken(secret.Auth.ClientToken)
// Now attempt a renew with the new token
secret, err = client.Auth().Token().Renew(secret.Auth.ClientToken, 3600)
if err != nil {
t.Fatal(err)
}
if secret.Auth.LeaseDuration != 3600 {
t.Errorf("expected 1h, got %v", secret.Auth.LeaseDuration)
}
if secret.Auth.Renewable != true {
t.Error("expected lease to be renewable")
}
// Do the same thing with the self variant
secret, err = client.Auth().Token().RenewSelf(3600)
if err != nil {
t.Fatal(err)
}
if secret.Auth.LeaseDuration != 3600 {
t.Errorf("expected 1h, got %v", secret.Auth.LeaseDuration)
}
if secret.Auth.Renewable != true {
t.Error("expected lease to be renewable")
}
}
func TestGenerateRoot_status(t *testing.T) {
core, key, _ := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &GenerateRootCommand{
Key: hex.EncodeToString(key),
Meta: Meta{
Ui: ui,
},
}
otpBytes, err := vault.GenerateRandBytes(16)
if err != nil {
t.Fatal(err)
}
otp := base64.StdEncoding.EncodeToString(otpBytes)
args := []string{"-address", addr, "-init", "-otp", otp}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
args = []string{"-address", addr, "-status"}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
if !strings.Contains(string(ui.OutputWriter.Bytes()), "Started: true") {
t.Fatalf("bad: %s", ui.OutputWriter.String())
}
}
func TestList(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &ReadCommand{
Meta: meta.Meta{
ClientToken: token,
Ui: ui,
},
}
args := []string{
"-address", addr,
"-format", "json",
"secret",
}
// Run once so the client is setup, ignore errors
c.Run(args)
// Get the client so we can write data
client, err := c.Client()
if err != nil {
t.Fatalf("err: %s", err)
}
data := map[string]interface{}{"value": "bar"}
if _, err := client.Logical().Write("secret/foo", data); err != nil {
t.Fatalf("err: %s", err)
}
data = map[string]interface{}{"value": "bar"}
if _, err := client.Logical().Write("secret/foo/bar", data); err != nil {
t.Fatalf("err: %s", err)
}
secret, err := client.Logical().List("secret/")
if err != nil {
t.Fatalf("err: %s", err)
}
if secret == nil {
t.Fatalf("err: No value found at secret/")
}
if secret.Data == nil {
t.Fatalf("err: Data not found")
}
exp := map[string]interface{}{
"keys": []interface{}{"foo", "foo/"},
}
if !reflect.DeepEqual(secret.Data, exp) {
t.Fatalf("err: expected %#v, got %#v", exp, secret.Data)
}
}
func TestRenewBothWays(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
// write a secret with a lease
client := testClient(t, addr, token)
_, err := client.Logical().Write("secret/foo", map[string]interface{}{
"key": "value",
"ttl": "1m",
})
if err != nil {
t.Fatalf("err: %s", err)
}
// read the secret to get its lease ID
secret, err := client.Logical().Read("secret/foo")
if err != nil {
t.Fatalf("err: %s", err)
}
// Test one renew path
r := client.NewRequest("PUT", "/v1/sys/renew")
body := map[string]interface{}{
"lease_id": secret.LeaseID,
}
if err := r.SetJSONBody(body); err != nil {
t.Fatal(err)
}
resp, err := client.RawRequest(r)
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
secret, err = api.ParseSecret(resp.Body)
if err != nil {
t.Fatal(err)
}
if secret.LeaseDuration != 60 {
t.Fatal("bad lease duration")
}
// Test the other
r = client.NewRequest("PUT", "/v1/sys/renew/"+secret.LeaseID)
resp, err = client.RawRequest(r)
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
secret, err = api.ParseSecret(resp.Body)
if err != nil {
t.Fatal(err)
}
if secret.LeaseDuration != 60 {
t.Fatalf("bad lease duration; secret is %#v\n", *secret)
}
}
func TestTokenRevokeAccessor(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &TokenRevokeCommand{
Meta: meta.Meta{
ClientToken: token,
Ui: ui,
},
}
args := []string{
"-address", addr,
}
// Run it once for client
c.Run(args)
// Create a token
client, err := c.Client()
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err := client.Auth().Token().Create(nil)
if err != nil {
t.Fatalf("err: %s", err)
}
// Treat the argument as accessor
args = append(args, "-accessor")
if code := c.Run(args); code == 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
// Verify it worked with proper accessor
args1 := append(args, resp.Auth.Accessor)
if code := c.Run(args1); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
// Fail if mode is set to 'orphan' when accessor is set
args2 := append(args, "-mode=\"orphan\"")
if code := c.Run(args2); code == 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
// Fail if mode is set to 'path' when accessor is set
args3 := append(args, "-mode=\"path\"")
if code := c.Run(args3); code == 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
}
func TestWrapping_Env(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &TokenLookupCommand{
Meta: meta.Meta{
ClientToken: token,
Ui: ui,
},
}
args := []string{
"-address", addr,
}
// Run it once for client
c.Run(args)
// Create a new token for us to use
client, err := c.Client()
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err := client.Auth().Token().Create(&api.TokenCreateRequest{
Lease: "1h",
})
if err != nil {
t.Fatalf("err: %s", err)
}
prevWrapTTLEnv := os.Getenv(api.EnvVaultWrapTTL)
os.Setenv(api.EnvVaultWrapTTL, "5s")
defer func() {
os.Setenv(api.EnvVaultWrapTTL, prevWrapTTLEnv)
}()
// Now when we do a lookup-self the response should be wrapped
args = append(args, resp.Auth.ClientToken)
resp, err = client.Auth().Token().LookupSelf()
if err != nil {
t.Fatalf("err: %s", err)
}
if resp == nil {
t.Fatal("nil response")
}
if resp.WrapInfo == nil {
t.Fatal("nil wrap info")
}
if resp.WrapInfo.Token == "" || resp.WrapInfo.TTL != 5 {
t.Fatal("did not get token or ttl wrong")
}
}
func TestRekey_init_pgp(t *testing.T) {
core, key, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &RekeyCommand{
Key: hex.EncodeToString(key),
Meta: Meta{
Ui: ui,
},
}
tempDir, pubFiles, err := getPubKeyFiles(t)
if err != nil {
t.Fatal(err)
}
defer os.RemoveAll(tempDir)
args := []string{
"-address", addr,
"-init",
"-key-shares", "3",
"-pgp-keys", pubFiles[0] + ",@" + pubFiles[1] + "," + pubFiles[2],
"-key-threshold", "2",
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
config, err := core.RekeyConfig()
if err != nil {
t.Fatalf("err: %s", err)
}
if config.SecretShares != 3 {
t.Fatal("should rekey")
}
if config.SecretThreshold != 2 {
t.Fatal("should rekey")
}
args = []string{
"-address", addr,
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
parseDecryptAndTestUnsealKeys(t, ui.OutputWriter.String(), token, core)
}
func TestInit_custom(t *testing.T) {
ui := new(cli.MockUi)
c := &InitCommand{
Meta: meta.Meta{
Ui: ui,
},
}
core := vault.TestCore(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
init, err := core.Initialized()
if err != nil {
t.Fatalf("err: %s", err)
}
if init {
t.Fatal("should not be initialized")
}
args := []string{
"-address", addr,
"-key-shares", "7",
"-key-threshold", "3",
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
init, err = core.Initialized()
if err != nil {
t.Fatalf("err: %s", err)
}
if !init {
t.Fatal("should be initialized")
}
sealConf, err := core.SealAccess().BarrierConfig()
if err != nil {
t.Fatalf("err: %s", err)
}
expected := &vault.SealConfig{
Type: "shamir",
SecretShares: 7,
SecretThreshold: 3,
}
if !reflect.DeepEqual(expected, sealConf) {
t.Fatalf("expected:\n%#v\ngot:\n%#v\n", expected, sealConf)
}
}
// testVaultServer is a helper for creating a Vault server and returning the
// appropriate client to connect to it.
func testVaultServer(t *testing.T) (*ClientSet, *vaultServer) {
t.Parallel()
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
clients := NewClientSet()
if err := clients.CreateVaultClient(&CreateVaultClientInput{
Address: addr,
Token: token,
}); err != nil {
ln.Close()
t.Fatal(err)
}
return clients, &vaultServer{Token: token, core: core, ln: ln}
}
func TestInit(t *testing.T) {
ui := new(cli.MockUi)
c := &InitCommand{
Meta: Meta{
Ui: ui,
},
}
core := vault.TestCore(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
init, err := core.Initialized()
if err != nil {
t.Fatalf("err: %s", err)
}
if init {
t.Fatal("should not be initialized")
}
args := []string{"-address", addr}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
init, err = core.Initialized()
if err != nil {
t.Fatalf("err: %s", err)
}
if !init {
t.Fatal("should be initialized")
}
sealConf, err := core.SealConfig()
if err != nil {
t.Fatalf("err: %s", err)
}
expected := &vault.SealConfig{
SecretShares: 5,
SecretThreshold: 3,
}
if !reflect.DeepEqual(expected, sealConf) {
t.Fatalf("bad: %#v", sealConf)
}
}
func TestDelete(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &DeleteCommand{
Meta: Meta{
ClientToken: token,
Ui: ui,
},
}
args := []string{
"-address", addr,
"secret/foo",
}
// Run once so the client is setup, ignore errors
c.Run(args)
// Get the client so we can write data
client, err := c.Client()
if err != nil {
t.Fatalf("err: %s", err)
}
data := map[string]interface{}{"value": "bar"}
if _, err := client.Logical().Write("secret/foo", data); err != nil {
t.Fatalf("err: %s", err)
}
// Run the delete
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
resp, err := client.Logical().Read("secret/foo")
if err != nil {
t.Fatalf("err: %s", err)
}
if resp != nil {
t.Fatalf("bad: %#v", resp)
}
}
func TestTokenLookupAccessor(t *testing.T) {
core, _, token := vault.TestCoreUnsealed(t)
ln, addr := http.TestServer(t, core)
defer ln.Close()
ui := new(cli.MockUi)
c := &TokenLookupCommand{
Meta: meta.Meta{
ClientToken: token,
Ui: ui,
},
}
args := []string{
"-address", addr,
}
c.Run(args)
// Create a new token for us to use
client, err := c.Client()
if err != nil {
t.Fatalf("err: %s", err)
}
resp, err := client.Auth().Token().Create(&api.TokenCreateRequest{
Lease: "1h",
})
if err != nil {
t.Fatalf("err: %s", err)
}
// Enable the accessor flag
args = append(args, "-accessor")
// Expect failure if no argument is passed when accessor flag is set
code := c.Run(args)
if code == 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
// Add token accessor as arg
args = append(args, resp.Auth.Accessor)
code = c.Run(args)
if code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())
}
}
