本文整理匯總了Golang中github.com/hashicorp/vault/vault.Core.Unseal方法的典型用法代碼示例。如果您正苦於以下問題:Golang Core.Unseal方法的具體用法?Golang Core.Unseal怎麽用?Golang Core.Unseal使用的例子?那麽, 這裏精選的方法代碼示例或許可以為您提供幫助。您也可以進一步了解該方法所在類github.com/hashicorp/vault/vault.Core的用法示例。
在下文中一共展示了Core.Unseal方法的7個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的Golang代碼示例。
示例1: enableDev
func (c *ServerCommand) enableDev(core *vault.Core) (*vault.InitResult, error) {
// Initialize it with a basic single key
init, err := core.Initialize(&vault.SealConfig{
SecretShares: 1,
SecretThreshold: 1,
})
if err != nil {
return nil, err
}
// Copy the key so that it can be zeroed
key := make([]byte, len(init.SecretShares[0]))
copy(key, init.SecretShares[0])
// Unseal the core
unsealed, err := core.Unseal(key)
if err != nil {
return nil, err
}
if !unsealed {
return nil, fmt.Errorf("failed to unseal Vault for dev mode")
}
// Set the token
tokenHelper, err := c.TokenHelper()
if err != nil {
return nil, err
}
if err := tokenHelper.Store(init.RootToken); err != nil {
return nil, err
}
return init, nil
}示例2: handleSysUnseal
func handleSysUnseal(core *vault.Core) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.Method {
case "PUT":
case "POST":
default:
respondError(w, http.StatusMethodNotAllowed, nil)
return
}
// Parse the request
var req UnsealRequest
if err := parseRequest(r, &req); err != nil {
respondError(w, http.StatusBadRequest, err)
return
}
if !req.Reset && req.Key == "" {
respondError(
w, http.StatusBadRequest,
errors.New("'key' must specified in request body as JSON, or 'reset' set to true"))
return
}
if req.Reset {
sealed, err := core.Sealed()
if err != nil {
respondError(w, http.StatusInternalServerError, err)
return
}
if !sealed {
respondError(w, http.StatusBadRequest, errors.New("vault is unsealed"))
return
}
core.ResetUnsealProcess()
} else {
// Decode the key, which is hex encoded
key, err := hex.DecodeString(req.Key)
if err != nil {
respondError(
w, http.StatusBadRequest,
errors.New("'key' must be a valid hex-string"))
return
}
// Attempt the unseal
if _, err := core.Unseal(key); err != nil {
// Ignore ErrInvalidKey because its a user error that we
// mask away. We just show them the seal status.
if !errwrap.ContainsType(err, new(vault.ErrInvalidKey)) {
respondError(w, http.StatusInternalServerError, err)
return
}
}
}
// Return the seal status
handleSysSealStatusRaw(core, w, r)
})
}示例3: parseDecryptAndTestUnsealKeys
func parseDecryptAndTestUnsealKeys(t *testing.T,
input, rootToken string,
fingerprints bool,
backupKeys map[string][]string,
core *vault.Core) {
decoder := base64.StdEncoding
priv1Bytes, err := decoder.DecodeString(privKey1)
if err != nil {
t.Fatalf("Error decoding bytes for private key 1: %s", err)
}
priv2Bytes, err := decoder.DecodeString(privKey2)
if err != nil {
t.Fatalf("Error decoding bytes for private key 2: %s", err)
}
priv3Bytes, err := decoder.DecodeString(privKey3)
if err != nil {
t.Fatalf("Error decoding bytes for private key 3: %s", err)
}
privBytes := [][]byte{
priv1Bytes,
priv2Bytes,
priv3Bytes,
}
var re *regexp.Regexp
if fingerprints {
re, err = regexp.Compile("\\s*Key\\s+\\d+\\s+fingerprint:\\s+([0-9a-fA-F]+);\\s+value:\\s+(.*)")
} else {
re, err = regexp.Compile("\\s*Key\\s+\\d+:\\s+(.*)")
}
if err != nil {
t.Fatalf("Error compiling regex: %s", err)
}
matches := re.FindAllStringSubmatch(input, -1)
if len(matches) != 3 {
t.Fatalf("Unexpected number of keys returned, got %d, matches was \n\n%#v\n\n, input was \n\n%s\n\n", len(matches), matches, input)
}
encodedKeys := []string{}
matchedFingerprints := []string{}
for _, tuple := range matches {
if fingerprints {
if len(tuple) != 3 {
t.Fatalf("Key not found: %#v", tuple)
}
matchedFingerprints = append(matchedFingerprints, tuple[1])
encodedKeys = append(encodedKeys, tuple[2])
} else {
if len(tuple) != 2 {
t.Fatalf("Key not found: %#v", tuple)
}
encodedKeys = append(encodedKeys, tuple[1])
}
}
if backupKeys != nil && len(matchedFingerprints) != 0 {
testMap := map[string][]string{}
for i, v := range matchedFingerprints {
testMap[v] = append(testMap[v], encodedKeys[i])
sort.Strings(testMap[v])
}
if !reflect.DeepEqual(testMap, backupKeys) {
t.Fatalf("test map and backup map do not match, test map is\n%#v\nbackup map is\n%#v", testMap, backupKeys)
}
}
unsealKeys := []string{}
ptBuf := bytes.NewBuffer(nil)
for i, keyHex := range privBytes {
if i > 2 {
break
}
ptBuf.Reset()
entity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(keyHex)))
if err != nil {
t.Fatalf("Error parsing private key %d: %s", i, err)
}
keyBytes, err := hex.DecodeString(encodedKeys[i])
if err != nil {
t.Fatalf("Error hex-decoding key %d: %s", i, err)
}
entityList := &openpgp.EntityList{entity}
md, err := openpgp.ReadMessage(bytes.NewBuffer(keyBytes), entityList, nil, nil)
if err != nil {
t.Fatalf("Error decrypting with key %d (%s): %s", i, encodedKeys[i], err)
}
ptBuf.ReadFrom(md.UnverifiedBody)
unsealKeys = append(unsealKeys, ptBuf.String())
}
err = core.Seal(rootToken)
if err != nil {
t.Fatalf("Error sealing vault with provided root token: %s", err)
}
for i, unsealKey := range unsealKeys {
unsealBytes, err := hex.DecodeString(unsealKey)
if err != nil {
t.Fatalf("Error hex decoding unseal key %s: %s", unsealKey, err)
//.........這裏部分代碼省略.........
示例4: enableDev
func (c *ServerCommand) enableDev(core *vault.Core, rootTokenID string) (*vault.InitResult, error) {
// Initialize it with a basic single key
init, err := core.Initialize(&vault.SealConfig{
SecretShares: 1,
SecretThreshold: 1,
}, nil)
if err != nil {
return nil, err
}
// Copy the key so that it can be zeroed
key := make([]byte, len(init.SecretShares[0]))
copy(key, init.SecretShares[0])
// Unseal the core
unsealed, err := core.Unseal(key)
if err != nil {
return nil, err
}
if !unsealed {
return nil, fmt.Errorf("failed to unseal Vault for dev mode")
}
if rootTokenID != "" {
req := &logical.Request{
Operation: logical.UpdateOperation,
ClientToken: init.RootToken,
Path: "auth/token/create",
Data: map[string]interface{}{
"id": rootTokenID,
"policies": []string{"root"},
"no_parent": true,
"no_default_policy": true,
},
}
resp, err := core.HandleRequest(req)
if err != nil {
return nil, fmt.Errorf("failed to create root token with ID %s: %s", rootTokenID, err)
}
if resp == nil {
return nil, fmt.Errorf("nil response when creating root token with ID %s", rootTokenID)
}
if resp.Auth == nil {
return nil, fmt.Errorf("nil auth when creating root token with ID %s", rootTokenID)
}
init.RootToken = resp.Auth.ClientToken
req.Path = "auth/token/revoke-self"
req.Data = nil
resp, err = core.HandleRequest(req)
if err != nil {
return nil, fmt.Errorf("failed to revoke initial root token: %s", err)
}
}
// Set the token
tokenHelper, err := c.TokenHelper()
if err != nil {
return nil, err
}
if err := tokenHelper.Store(init.RootToken); err != nil {
return nil, err
}
return init, nil
}示例5: enableDev
func (c *ServerCommand) enableDev(core *vault.Core, rootTokenID string) (*vault.InitResult, error) {
// Initialize it with a basic single key
init, err := core.Initialize(&vault.InitParams{
BarrierConfig: &vault.SealConfig{
SecretShares: 1,
SecretThreshold: 1,
},
RecoveryConfig: nil,
})
if err != nil {
return nil, err
}
// Copy the key so that it can be zeroed
key := make([]byte, len(init.SecretShares[0]))
copy(key, init.SecretShares[0])
// Unseal the core
unsealed, err := core.Unseal(key)
if err != nil {
return nil, err
}
if !unsealed {
return nil, fmt.Errorf("failed to unseal Vault for dev mode")
}
isLeader, _, err := core.Leader()
if err != nil && err != vault.ErrHANotEnabled {
return nil, fmt.Errorf("failed to check active status: %v", err)
}
if err == nil {
leaderCount := 5
for !isLeader {
if leaderCount == 0 {
buf := make([]byte, 1<<16)
runtime.Stack(buf, true)
return nil, fmt.Errorf("failed to get active status after five seconds; call stack is\n%s\n", buf)
}
time.Sleep(1 * time.Second)
isLeader, _, err = core.Leader()
if err != nil {
return nil, fmt.Errorf("failed to check active status: %v", err)
}
leaderCount--
}
}
if rootTokenID != "" {
req := &logical.Request{
ID: "dev-gen-root",
Operation: logical.UpdateOperation,
ClientToken: init.RootToken,
Path: "auth/token/create",
Data: map[string]interface{}{
"id": rootTokenID,
"policies": []string{"root"},
"no_parent": true,
"no_default_policy": true,
},
}
resp, err := core.HandleRequest(req)
if err != nil {
return nil, fmt.Errorf("failed to create root token with ID %s: %s", rootTokenID, err)
}
if resp == nil {
return nil, fmt.Errorf("nil response when creating root token with ID %s", rootTokenID)
}
if resp.Auth == nil {
return nil, fmt.Errorf("nil auth when creating root token with ID %s", rootTokenID)
}
init.RootToken = resp.Auth.ClientToken
req.ID = "dev-revoke-init-root"
req.Path = "auth/token/revoke-self"
req.Data = nil
resp, err = core.HandleRequest(req)
if err != nil {
return nil, fmt.Errorf("failed to revoke initial root token: %s", err)
}
}
// Set the token
tokenHelper, err := c.TokenHelper()
if err != nil {
return nil, err
}
if err := tokenHelper.Store(init.RootToken); err != nil {
return nil, err
}
return init, nil
}示例6: handleSysUnseal
func handleSysUnseal(core *vault.Core) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.Method {
case "PUT":
case "POST":
default:
respondError(w, http.StatusMethodNotAllowed, nil)
return
}
// Parse the request
var req UnsealRequest
if err := parseRequest(r, w, &req); err != nil {
respondError(w, http.StatusBadRequest, err)
return
}
if !req.Reset && req.Key == "" {
respondError(
w, http.StatusBadRequest,
errors.New("'key' must specified in request body as JSON, or 'reset' set to true"))
return
}
if req.Reset {
sealed, err := core.Sealed()
if err != nil {
respondError(w, http.StatusInternalServerError, err)
return
}
if !sealed {
respondError(w, http.StatusBadRequest, errors.New("vault is unsealed"))
return
}
core.ResetUnsealProcess()
} else {
// Decode the key, which is base64 or hex encoded
min, max := core.BarrierKeyLength()
key, err := hex.DecodeString(req.Key)
// We check min and max here to ensure that a string that is base64
// encoded but also valid hex will not be valid and we instead base64
// decode it
if err != nil || len(key) < min || len(key) > max {
key, err = base64.StdEncoding.DecodeString(req.Key)
if err != nil {
respondError(
w, http.StatusBadRequest,
errors.New("'key' must be a valid hex or base64 string"))
return
}
}
// Attempt the unseal
if _, err := core.Unseal(key); err != nil {
switch {
case errwrap.ContainsType(err, new(vault.ErrInvalidKey)):
case errwrap.Contains(err, vault.ErrBarrierInvalidKey.Error()):
case errwrap.Contains(err, vault.ErrBarrierNotInit.Error()):
case errwrap.Contains(err, vault.ErrBarrierSealed.Error()):
case errwrap.Contains(err, vault.ErrStandby.Error()):
default:
respondError(w, http.StatusInternalServerError, err)
return
}
respondError(w, http.StatusBadRequest, err)
return
}
}
// Return the seal status
handleSysSealStatusRaw(core, w, r)
})
}示例7: parseDecryptAndTestUnsealKeys
func parseDecryptAndTestUnsealKeys(t *testing.T, input, rootToken string, core *vault.Core) {
decoder := base64.StdEncoding
priv1Bytes, err := decoder.DecodeString(privKey1)
if err != nil {
t.Fatalf("Error decoding bytes for private key 1: %s", err)
}
priv2Bytes, err := decoder.DecodeString(privKey2)
if err != nil {
t.Fatalf("Error decoding bytes for private key 2: %s", err)
}
priv3Bytes, err := decoder.DecodeString(privKey3)
if err != nil {
t.Fatalf("Error decoding bytes for private key 3: %s", err)
}
privBytes := [][]byte{
priv1Bytes,
priv2Bytes,
priv3Bytes,
}
re, err := regexp.Compile("\\s*Key\\s+\\d+:\\s+(.*)")
if err != nil {
t.Fatalf("Error compiling regex: %s", err)
}
matches := re.FindAllStringSubmatch(input, -1)
if len(matches) != 3 {
t.Fatalf("Unexpected number of keys returned, got %d, matches was \n\n%#v\n\n, input was \n\n%s\n\n", len(matches), matches, input)
}
encodedKeys := []string{}
for _, pair := range matches {
if len(pair) != 2 {
t.Fatalf("Key not found: %#v", pair)
}
encodedKeys = append(encodedKeys, pair[1])
}
unsealKeys := []string{}
ptBuf := bytes.NewBuffer(nil)
for i, keyHex := range privBytes {
if i > 2 {
break
}
ptBuf.Reset()
entity, err := openpgp.ReadEntity(packet.NewReader(bytes.NewBuffer(keyHex)))
if err != nil {
t.Fatalf("Error parsing private key %d: %s", i, err)
}
keyBytes, err := hex.DecodeString(encodedKeys[i])
if err != nil {
t.Fatalf("Error hex-decoding key %d: %s", i, err)
}
entityList := &openpgp.EntityList{entity}
md, err := openpgp.ReadMessage(bytes.NewBuffer(keyBytes), entityList, nil, nil)
if err != nil {
t.Fatalf("Error decrypting with key %d (%s): %s", i, encodedKeys[i], err)
}
ptBuf.ReadFrom(md.UnverifiedBody)
unsealKeys = append(unsealKeys, ptBuf.String())
}
err = core.Seal(rootToken)
if err != nil {
t.Fatalf("Error sealing vault with provided root token: %s", err)
}
for i, unsealKey := range unsealKeys {
unsealBytes, err := hex.DecodeString(unsealKey)
if err != nil {
t.Fatalf("Error hex decoding unseal key %s: %s", unsealKey, err)
}
unsealed, err := core.Unseal(unsealBytes)
if err != nil {
t.Fatalf("Error using unseal key %s: %s", unsealKey, err)
}
if i >= 2 && !unsealed {
t.Fatalf("Error: Provided two unseal keys but core is not unsealed")
}
}
}