-
Notifications
You must be signed in to change notification settings - Fork 107
/
keymanager_dump_restore.go
130 lines (108 loc) · 3.48 KB
/
keymanager_dump_restore.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
package runtime
import (
"context"
"fmt"
beacon "github.com/oasisprotocol/oasis-core/go/beacon/api"
"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/env"
"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/oasis"
"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/oasis/cli"
"github.com/oasisprotocol/oasis-core/go/oasis-test-runner/scenario"
)
// KeymanagerDumpRestore is the keymanager dump restore rotation scenario.
//
// In this scenario we test if the deployment of the master secret rotation
// feature is backwards compatible. The old key managers which are already
// initialized with the first master secret should be able to rotate secrets
// once enabled via the policy.
var KeymanagerDumpRestore scenario.Scenario = newKmDumpRestoreImpl()
type kmDumpRestoreImpl struct {
Scenario
}
func newKmDumpRestoreImpl() scenario.Scenario {
return &kmDumpRestoreImpl{
Scenario: *NewScenario(
"keymanager-dump-restore",
NewTestClient().WithScenario(InsertRemoveKeyValueEncScenario),
),
}
}
func (sc *kmDumpRestoreImpl) Fixture() (*oasis.NetworkFixture, error) {
f, err := sc.Scenario.Fixture()
if err != nil {
return nil, err
}
// Speed up the test.
f.Network.Beacon.VRFParameters = &beacon.VRFParameters{
Interval: 10,
ProofSubmissionDelay: 2,
}
// Compute workers are not needed.
f.ComputeWorkers = []oasis.ComputeWorkerFixture{}
// Test requires multiple key managers.
f.Keymanagers = []oasis.KeymanagerFixture{
{Runtime: 0, Entity: 1},
{Runtime: 0, Entity: 1},
}
return f, nil
}
func (sc *kmDumpRestoreImpl) Clone() scenario.Scenario {
return &kmDumpRestoreImpl{
Scenario: *sc.Scenario.Clone().(*Scenario),
}
}
func (sc *kmDumpRestoreImpl) Run(ctx context.Context, childEnv *env.Env) (err error) { // nolint: gocyclo
cli := cli.New(childEnv, sc.Net, sc.Logger)
// Start the network.
if err = sc.StartNetworkAndWaitForClientSync(ctx); err != nil {
return err
}
// Wait until the first master secret is generated.
if _, err = sc.WaitMasterSecret(ctx, 0); err != nil {
return err
}
// Dump/restore should erase the last master secret and leave the key manager initialized.
fixture, err := sc.Fixture()
if err != nil {
return err
}
for i := range fixture.Keymanagers {
fixture.Keymanagers[i].NoAutoStart = true
}
if err = sc.DumpRestoreNetwork(childEnv, fixture, false, nil, nil); err != nil {
return err
}
cli.SetConfig(sc.Net.GetCLIConfig())
// Start the network.
if err = sc.StartNetworkAndWaitForClientSync(ctx); err != nil {
return err
}
// Make sure the last secret was not preserved.
secret, err := sc.MasterSecret(ctx)
if err != nil {
return err
}
if secret != nil {
return fmt.Errorf("dump/restore should not preserve the master secret proposal")
}
// Make sure the manager is initialized.
status, err := sc.KeyManagerStatus(ctx)
if err != nil {
return err
}
if !status.IsInitialized || len(status.Checksum) == 0 || status.Generation != 0 {
return fmt.Errorf("key manager should be initialized")
}
// Start both key manager nodes.
if err = sc.StartAndWaitKeymanagers(ctx, []int{0, 1}); err != nil {
return err
}
// Test master secret rotations. To enable them, update the rotation interval in the policy.
if err = sc.UpdateRotationInterval(ctx, childEnv, cli, 1, 0); err != nil {
return err
}
if _, err = sc.WaitMasterSecret(ctx, 3); err != nil {
return err
}
// Test if all key managers can derive keys from all master secrets.
return sc.CompareLongtermPublicKeys(ctx, []int{0, 1})
}