luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
open-vault/sdk/helper/keysutil/policy_test.go

644 lines
16 KiB
Go
Raw Normal View History

Move policy test to keysutil package
2016-10-26 23:57:28 +00:00
package keysutil
Add unit tests
2016-01-26 17:23:42 +00:00
import (
Expose generic versions of KDF and symmetric crypto (#10076) * Support salt in DeriveKey * Revert "Support salt in DeriveKey" This reverts commit b295ae42673308a2d66d66b53527c6f9aba92ac9. * Refactor out key derivation, symmetric encryption, and symmetric decryption into generic functions * comments * comments * go mod vendor * bump both go.mods * This one too * bump * bump * bump * Make the lesser used params of symmetric ops a struct * go fmt * Call GetKey instead of DeriveKey * Address feedback * Wrong rv * Rename calls * Assign the nonce field * trivial change * Check nonce len instead * go mod vendor
2020-10-02 02:04:36 +00:00
"bytes"
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
"context"
Run go fmt (#7823)
2019-11-07 16:54:34 +00:00
"crypto/rand"
Add unit tests
2016-01-26 17:23:42 +00:00
"reflect"
Transit: Refactor internal representation of key entry map (#3652) * convert internal map to index by string * Add upgrade test for internal key entry map * address review feedback
2017-12-06 23:24:00 +00:00
"strconv"
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
"sync"
Add unit tests
2016-01-26 17:23:42 +00:00
"testing"
Transit: Refactor internal representation of key entry map (#3652) * convert internal map to index by string * Add upgrade test for internal key entry map * address review feedback
2017-12-06 23:24:00 +00:00
"time"
Add unit tests
2016-01-26 17:23:42 +00:00
Create sdk/ and api/ submodules (#6583)
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/helper/jsonutil"
"github.com/hashicorp/vault/sdk/logical"
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
"github.com/mitchellh/copystructure"
Add unit tests
2016-01-26 17:23:42 +00:00
)
Transit: Refactor internal representation of key entry map (#3652) * convert internal map to index by string * Add upgrade test for internal key entry map * address review feedback
2017-12-06 23:24:00 +00:00
func TestPolicy_KeyEntryMapUpgrade(t *testing.T) {
now := time.Now()
old := map[int]KeyEntry{
1: {
Key: []byte("samplekey"),
HMACKey: []byte("samplehmackey"),
CreationTime: now,
FormattedPublicKey: "sampleformattedpublickey",
},
2: {
Key: []byte("samplekey2"),
HMACKey: []byte("samplehmackey2"),
CreationTime: now.Add(10 * time.Second),
FormattedPublicKey: "sampleformattedpublickey2",
},
}
oldEncoded, err := jsonutil.EncodeJSON(old)
if err != nil {
t.Fatal(err)
}
var new keyEntryMap
err = jsonutil.DecodeJSON(oldEncoded, &new)
if err != nil {
t.Fatal(err)
}
newEncoded, err := jsonutil.EncodeJSON(&new)
if err != nil {
t.Fatal(err)
}
if string(oldEncoded) != string(newEncoded) {
t.Fatalf("failed to upgrade key entry map;\nold: %q\nnew: %q", string(oldEncoded), string(newEncoded))
}
}
Address review feedback
2016-01-27 01:21:58 +00:00
func Test_KeyUpgrade(t *testing.T) {
transit cache is an Interface implemented by wrapped versions of sync… (#6225) * transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru * transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru * changed some import paths to point to sdk * Apply suggestions from code review Co-Authored-By: Lexman42 <Lexman42@users.noreply.github.com> * updates docs with information on transit/cache-config endpoint * updates vendored files * fixes policy tests to actually use a cache where expected and renames the struct and storage path used for cache configurations to be more generic * updates document links * fixed a typo in a documentation link * changes cache_size to just size for the cache-config endpoint
2019-06-04 22:40:56 +00:00
lockManagerWithCache, _ := NewLockManager(true, 0)
lockManagerWithoutCache, _ := NewLockManager(false, 0)
testKeyUpgradeCommon(t, lockManagerWithCache)
testKeyUpgradeCommon(t, lockManagerWithoutCache)
Make a non-caching but still locking variant of transit for when caches are disabled
2016-04-21 20:32:06 +00:00
}
Move policy test to keysutil package
2016-10-26 23:57:28 +00:00
func testKeyUpgradeCommon(t *testing.T, lm *LockManager) {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
ctx := context.Background()
Address review feedback
2016-01-27 01:21:58 +00:00
storage := &logical.InmemStorage{}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
p, upserted, err := lm.GetPolicy(ctx, PolicyRequest{
Upsert: true,
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 23:52:31 +00:00
Storage: storage,
Move policy test to keysutil package
2016-10-26 23:57:28 +00:00
KeyType: KeyType_AES256_GCM96,
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 23:52:31 +00:00
Name: "test",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
}, rand.Reader)
Address review feedback
2016-01-27 01:21:58 +00:00
if err != nil {
t.Fatal(err)
}
Switch to lockManager
2016-04-26 15:39:19 +00:00
if p == nil {
t.Fatal("nil policy")
Address review feedback
2016-01-27 01:21:58 +00:00
}
Switch to lockManager
2016-04-26 15:39:19 +00:00
if !upserted {
t.Fatal("expected an upsert")
}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
if !lm.useCache {
p.Unlock()
}
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU.
2016-01-27 21:24:11 +00:00
Transit: Refactor internal representation of key entry map (#3652) * convert internal map to index by string * Add upgrade test for internal key entry map * address review feedback
2017-12-06 23:24:00 +00:00
testBytes := make([]byte, len(p.Keys["1"].Key))
copy(testBytes, p.Keys["1"].Key)
Address review feedback
2016-01-27 01:21:58 +00:00
Transit: Refactor internal representation of key entry map (#3652) * convert internal map to index by string * Add upgrade test for internal key entry map * address review feedback
2017-12-06 23:24:00 +00:00
p.Key = p.Keys["1"].Key
Switch to lockManager
2016-04-26 15:39:19 +00:00
p.Keys = nil
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 23:52:31 +00:00
p.MigrateKeyToKeysMap()
Switch to lockManager
2016-04-26 15:39:19 +00:00
if p.Key != nil {
Address review feedback
2016-01-27 01:21:58 +00:00
t.Fatal("policy.Key is not nil")
}
Switch to lockManager
2016-04-26 15:39:19 +00:00
if len(p.Keys) != 1 {
Address review feedback
2016-01-27 01:21:58 +00:00
t.Fatal("policy.Keys is the wrong size")
}
Transit: Refactor internal representation of key entry map (#3652) * convert internal map to index by string * Add upgrade test for internal key entry map * address review feedback
2017-12-06 23:24:00 +00:00
if !reflect.DeepEqual(testBytes, p.Keys["1"].Key) {
Address review feedback
2016-01-27 01:21:58 +00:00
t.Fatal("key mismatch")
}
}
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
func Test_ArchivingUpgrade(t *testing.T) {
transit cache is an Interface implemented by wrapped versions of sync… (#6225) * transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru * transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru * changed some import paths to point to sdk * Apply suggestions from code review Co-Authored-By: Lexman42 <Lexman42@users.noreply.github.com> * updates docs with information on transit/cache-config endpoint * updates vendored files * fixes policy tests to actually use a cache where expected and renames the struct and storage path used for cache configurations to be more generic * updates document links * fixed a typo in a documentation link * changes cache_size to just size for the cache-config endpoint
2019-06-04 22:40:56 +00:00
lockManagerWithCache, _ := NewLockManager(true, 0)
lockManagerWithoutCache, _ := NewLockManager(false, 0)
testArchivingUpgradeCommon(t, lockManagerWithCache)
testArchivingUpgradeCommon(t, lockManagerWithoutCache)
Make a non-caching but still locking variant of transit for when caches are disabled
2016-04-21 20:32:06 +00:00
}
Move policy test to keysutil package
2016-10-26 23:57:28 +00:00
func testArchivingUpgradeCommon(t *testing.T, lm *LockManager) {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
ctx := context.Background()
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
// First, we generate a policy and rotate it a number of times. Each time
// we'll ensure that we have the expected number of keys in the archive and
// the main keys object, which without changing the min version should be
// zero and latest, respectively
storage := &logical.InmemStorage{}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
p, _, err := lm.GetPolicy(ctx, PolicyRequest{
Upsert: true,
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 23:52:31 +00:00
Storage: storage,
Move policy test to keysutil package
2016-10-26 23:57:28 +00:00
KeyType: KeyType_AES256_GCM96,
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 23:52:31 +00:00
Name: "test",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
}, rand.Reader)
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
if err != nil {
t.Fatal(err)
}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
if p == nil {
t.Fatal("nil policy")
}
if !lm.useCache {
p.Unlock()
Make a non-caching but still locking variant of transit for when caches are disabled
2016-04-21 20:32:06 +00:00
}
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU.
2016-01-27 21:24:11 +00:00
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
// Store the initial key in the archive
Remove package level variables from transit policy test, makes it easier to parallelize later and less magical
2018-02-12 16:04:58 +00:00
keysArchive := []KeyEntry{KeyEntry{}, p.Keys["1"]}
checkKeys(t, ctx, p, storage, keysArchive, "initial", 1, 1, 1)
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
for i := 2; i <= 10; i++ {
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
err = p.Rotate(ctx, storage, rand.Reader)
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
if err != nil {
t.Fatal(err)
}
Transit: Refactor internal representation of key entry map (#3652) * convert internal map to index by string * Add upgrade test for internal key entry map * address review feedback
2017-12-06 23:24:00 +00:00
keysArchive = append(keysArchive, p.Keys[strconv.Itoa(i)])
Remove package level variables from transit policy test, makes it easier to parallelize later and less magical
2018-02-12 16:04:58 +00:00
checkKeys(t, ctx, p, storage, keysArchive, "rotate", i, i, i)
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
}
// Now, wipe the archive and set the archive version to zero
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
err = storage.Delete(ctx, "archive/test")
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
if err != nil {
t.Fatal(err)
}
Switch to lockManager
2016-04-26 15:39:19 +00:00
p.ArchiveVersion = 0
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
// Store it, but without calling persist, so we don't trigger
// handleArchiving()
Switch to lockManager
2016-04-26 15:39:19 +00:00
buf, err := p.Serialize()
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
if err != nil {
t.Fatal(err)
}
// Write the policy into storage
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
err = storage.Put(ctx, &logical.StorageEntry{
Switch to lockManager
2016-04-26 15:39:19 +00:00
Key: "policy/" + p.Name,
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
Value: buf,
})
if err != nil {
t.Fatal(err)
}
Switch to lockManager
2016-04-26 15:39:19 +00:00
// If we're caching, expire from the cache since we modified it
Make a non-caching but still locking variant of transit for when caches are disabled
2016-04-21 20:32:06 +00:00
// under-the-hood
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
if lm.useCache {
lm.cache.Delete("test")
Make a non-caching but still locking variant of transit for when caches are disabled
2016-04-21 20:32:06 +00:00
}
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU.
2016-01-27 21:24:11 +00:00
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
// Now get the policy again; the upgrade should happen automatically
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
p, _, err = lm.GetPolicy(ctx, PolicyRequest{
Storage: storage,
Name: "test",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
}, rand.Reader)
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
if err != nil {
t.Fatal(err)
}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
if p == nil {
t.Fatal("nil policy")
}
if !lm.useCache {
p.Unlock()
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
}
Remove package level variables from transit policy test, makes it easier to parallelize later and less magical
2018-02-12 16:04:58 +00:00
checkKeys(t, ctx, p, storage, keysArchive, "upgrade", 10, 10, 10)
Add some more tests around deletion and fix upsert status returning
2016-05-03 04:19:18 +00:00
// Let's check some deletion logic while we're at it
// The policy should be in there
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
if lm.useCache {
_, ok := lm.cache.Load("test")
if !ok {
t.Fatal("nil policy in cache")
}
Add some more tests around deletion and fix upsert status returning
2016-05-03 04:19:18 +00:00
}
// First we'll do this wrong, by not setting the deletion flag
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
err = lm.DeletePolicy(ctx, storage, "test")
Add some more tests around deletion and fix upsert status returning
2016-05-03 04:19:18 +00:00
if err == nil {
t.Fatal("got nil error, but should not have been able to delete since we didn't set the deletion flag on the policy")
}
// The policy should still be in there
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
if lm.useCache {
_, ok := lm.cache.Load("test")
if !ok {
t.Fatal("nil policy in cache")
}
Add some more tests around deletion and fix upsert status returning
2016-05-03 04:19:18 +00:00
}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
p, _, err = lm.GetPolicy(ctx, PolicyRequest{
Storage: storage,
Name: "test",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
}, rand.Reader)
Add some more tests around deletion and fix upsert status returning
2016-05-03 04:19:18 +00:00
if err != nil {
t.Fatal(err)
}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
if p == nil {
t.Fatal("policy nil after bad delete")
}
if !lm.useCache {
p.Unlock()
Add some more tests around deletion and fix upsert status returning
2016-05-03 04:19:18 +00:00
}
// Now do it properly
p.DeletionAllowed = true
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
err = p.Persist(ctx, storage)
Add some more tests around deletion and fix upsert status returning
2016-05-03 04:19:18 +00:00
if err != nil {
t.Fatal(err)
}
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
err = lm.DeletePolicy(ctx, storage, "test")
Add some more tests around deletion and fix upsert status returning
2016-05-03 04:19:18 +00:00
if err != nil {
t.Fatal(err)
}
// The policy should *not* be in there
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
if lm.useCache {
_, ok := lm.cache.Load("test")
if ok {
t.Fatal("non-nil policy in cache")
}
Add some more tests around deletion and fix upsert status returning
2016-05-03 04:19:18 +00:00
}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
p, _, err = lm.GetPolicy(ctx, PolicyRequest{
Storage: storage,
Name: "test",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
}, rand.Reader)
Add some more tests around deletion and fix upsert status returning
2016-05-03 04:19:18 +00:00
if err != nil {
t.Fatal(err)
}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
if p != nil {
t.Fatal("policy not nil after delete")
Add some more tests around deletion and fix upsert status returning
2016-05-03 04:19:18 +00:00
}
Move archive location; also detect first load of a policy after archive is added and cause the keys to be copied to the archive.
2016-01-27 17:02:32 +00:00
}
Add unit tests
2016-01-26 17:23:42 +00:00
func Test_Archiving(t *testing.T) {
transit cache is an Interface implemented by wrapped versions of sync… (#6225) * transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru * transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru * changed some import paths to point to sdk * Apply suggestions from code review Co-Authored-By: Lexman42 <Lexman42@users.noreply.github.com> * updates docs with information on transit/cache-config endpoint * updates vendored files * fixes policy tests to actually use a cache where expected and renames the struct and storage path used for cache configurations to be more generic * updates document links * fixed a typo in a documentation link * changes cache_size to just size for the cache-config endpoint
2019-06-04 22:40:56 +00:00
lockManagerWithCache, _ := NewLockManager(true, 0)
lockManagerWithoutCache, _ := NewLockManager(false, 0)
testArchivingUpgradeCommon(t, lockManagerWithCache)
testArchivingUpgradeCommon(t, lockManagerWithoutCache)
Make a non-caching but still locking variant of transit for when caches are disabled
2016-04-21 20:32:06 +00:00
}
Move policy test to keysutil package
2016-10-26 23:57:28 +00:00
func testArchivingCommon(t *testing.T, lm *LockManager) {
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
ctx := context.Background()
ed25519 support in transit (#2778)
2017-06-05 19:00:39 +00:00
// First, we generate a policy and rotate it a number of times. Each time
// we'll ensure that we have the expected number of keys in the archive and
Add unit tests
2016-01-26 17:23:42 +00:00
// the main keys object, which without changing the min version should be
// zero and latest, respectively
storage := &logical.InmemStorage{}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
p, _, err := lm.GetPolicy(ctx, PolicyRequest{
Upsert: true,
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 23:52:31 +00:00
Storage: storage,
Move policy test to keysutil package
2016-10-26 23:57:28 +00:00
KeyType: KeyType_AES256_GCM96,
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 23:52:31 +00:00
Name: "test",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
}, rand.Reader)
Add unit tests
2016-01-26 17:23:42 +00:00
if err != nil {
t.Fatal(err)
}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
if p == nil {
t.Fatal("nil policy")
}
if !lm.useCache {
p.Unlock()
Make a non-caching but still locking variant of transit for when caches are disabled
2016-04-21 20:32:06 +00:00
}
Implement locking in the transit backend. This ensures that we can safely rotate and modify configuration parameters with multiple requests in flight. As a side effect we also get a cache, which should provide a nice speedup since we don't need to decrypt/deserialize constantly, which would happen even with the physical LRU.
2016-01-27 21:24:11 +00:00
Add unit tests
2016-01-26 17:23:42 +00:00
// Store the initial key in the archive
Remove package level variables from transit policy test, makes it easier to parallelize later and less magical
2018-02-12 16:04:58 +00:00
keysArchive := []KeyEntry{KeyEntry{}, p.Keys["1"]}
checkKeys(t, ctx, p, storage, keysArchive, "initial", 1, 1, 1)
Add unit tests
2016-01-26 17:23:42 +00:00
for i := 2; i <= 10; i++ {
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
err = p.Rotate(ctx, storage, rand.Reader)
Add unit tests
2016-01-26 17:23:42 +00:00
if err != nil {
t.Fatal(err)
}
Transit: Refactor internal representation of key entry map (#3652) * convert internal map to index by string * Add upgrade test for internal key entry map * address review feedback
2017-12-06 23:24:00 +00:00
keysArchive = append(keysArchive, p.Keys[strconv.Itoa(i)])
Remove package level variables from transit policy test, makes it easier to parallelize later and less magical
2018-02-12 16:04:58 +00:00
checkKeys(t, ctx, p, storage, keysArchive, "rotate", i, i, i)
Add unit tests
2016-01-26 17:23:42 +00:00
}
// Move the min decryption version up
for i := 1; i <= 10; i++ {
Switch to lockManager
2016-04-26 15:39:19 +00:00
p.MinDecryptionVersion = i
Add unit tests
2016-01-26 17:23:42 +00:00
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
err = p.Persist(ctx, storage)
Add unit tests
2016-01-26 17:23:42 +00:00
if err != nil {
t.Fatal(err)
}
// We expect to find:
Store all keys in archive always
2016-01-26 22:14:21 +00:00
// * The keys in archive are the same as the latest version
Add unit tests
2016-01-26 17:23:42 +00:00
// * The latest version is constant
// * The number of keys in the policy itself is from the min
// decryption version up to the latest version, so for e.g. 7 and
// 10, you'd need 7, 8, 9, and 10 -- IOW, latest version - min
// decryption version plus 1 (the min decryption version key
// itself)
Remove package level variables from transit policy test, makes it easier to parallelize later and less magical
2018-02-12 16:04:58 +00:00
checkKeys(t, ctx, p, storage, keysArchive, "minadd", 10, 10, p.LatestVersion-p.MinDecryptionVersion+1)
Add unit tests
2016-01-26 17:23:42 +00:00
}
// Move the min decryption version down
for i := 10; i >= 1; i-- {
Switch to lockManager
2016-04-26 15:39:19 +00:00
p.MinDecryptionVersion = i
Add unit tests
2016-01-26 17:23:42 +00:00
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
err = p.Persist(ctx, storage)
Add unit tests
2016-01-26 17:23:42 +00:00
if err != nil {
t.Fatal(err)
}
// We expect to find:
Store all keys in archive always
2016-01-26 22:14:21 +00:00
// * The keys in archive are never removed so same as the latest version
Add unit tests
2016-01-26 17:23:42 +00:00
// * The latest version is constant
// * The number of keys in the policy itself is from the min
// decryption version up to the latest version, so for e.g. 7 and
// 10, you'd need 7, 8, 9, and 10 -- IOW, latest version - min
// decryption version plus 1 (the min decryption version key
// itself)
Remove package level variables from transit policy test, makes it easier to parallelize later and less magical
2018-02-12 16:04:58 +00:00
checkKeys(t, ctx, p, storage, keysArchive, "minsub", 10, 10, p.LatestVersion-p.MinDecryptionVersion+1)
Add unit tests
2016-01-26 17:23:42 +00:00
}
}
func checkKeys(t *testing.T,
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
ctx context.Context,
Move policy test to keysutil package
2016-10-26 23:57:28 +00:00
p *Policy,
Add unit tests
2016-01-26 17:23:42 +00:00
storage logical.Storage,
Remove package level variables from transit policy test, makes it easier to parallelize later and less magical
2018-02-12 16:04:58 +00:00
keysArchive []KeyEntry,
Store all keys in archive always
2016-01-26 22:14:21 +00:00
action string,
Add unit tests
2016-01-26 17:23:42 +00:00
archiveVer, latestVer, keysSize int) {
// Sanity check
if len(keysArchive) != latestVer+1 {
t.Fatalf("latest expected key version is %d, expected test keys archive size is %d, "+
"but keys archive is of size %d", latestVer, latestVer+1, len(keysArchive))
}
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
archive, err := p.LoadArchive(ctx, storage)
Add unit tests
2016-01-26 17:23:42 +00:00
if err != nil {
t.Fatal(err)
}
badArchiveVer := false
if archiveVer == 0 {
Not exposing structs from the backend's package
2016-09-01 15:57:28 +00:00
if len(archive.Keys) != 0 || p.ArchiveVersion != 0 {
Add unit tests
2016-01-26 17:23:42 +00:00
badArchiveVer = true
}
} else {
// We need to subtract one because we have the indexes match key
// versions, which start at 1. So for an archive version of 1, we
// actually have two entries -- a blank 0 entry, and the key at spot 1
Not exposing structs from the backend's package
2016-09-01 15:57:28 +00:00
if archiveVer != len(archive.Keys)-1 || archiveVer != p.ArchiveVersion {
Add unit tests
2016-01-26 17:23:42 +00:00
badArchiveVer = true
}
}
if badArchiveVer {
t.Fatalf(
"expected archive version %d, found length of archive keys %d and policy archive version %d",
Not exposing structs from the backend's package
2016-09-01 15:57:28 +00:00
archiveVer, len(archive.Keys), p.ArchiveVersion,
Add unit tests
2016-01-26 17:23:42 +00:00
)
}
Not exposing structs from the backend's package
2016-09-01 15:57:28 +00:00
if latestVer != p.LatestVersion {
Add unit tests
2016-01-26 17:23:42 +00:00
t.Fatalf(
"expected latest version %d, found %d",
Not exposing structs from the backend's package
2016-09-01 15:57:28 +00:00
latestVer, p.LatestVersion,
Add unit tests
2016-01-26 17:23:42 +00:00
)
}
Not exposing structs from the backend's package
2016-09-01 15:57:28 +00:00
if keysSize != len(p.Keys) {
Add unit tests
2016-01-26 17:23:42 +00:00
t.Fatalf(
Store all keys in archive always
2016-01-26 22:14:21 +00:00
"expected keys size %d, found %d, action is %s, policy is \n%#v\n",
Not exposing structs from the backend's package
2016-09-01 15:57:28 +00:00
keysSize, len(p.Keys), action, p,
Add unit tests
2016-01-26 17:23:42 +00:00
)
}
Not exposing structs from the backend's package
2016-09-01 15:57:28 +00:00
for i := p.MinDecryptionVersion; i <= p.LatestVersion; i++ {
Transit: Refactor internal representation of key entry map (#3652) * convert internal map to index by string * Add upgrade test for internal key entry map * address review feedback
2017-12-06 23:24:00 +00:00
if _, ok := p.Keys[strconv.Itoa(i)]; !ok {
Add unit tests
2016-01-26 17:23:42 +00:00
t.Fatalf(
"expected key %d, did not find it in policy keys", i,
)
}
}
Not exposing structs from the backend's package
2016-09-01 15:57:28 +00:00
for i := p.MinDecryptionVersion; i <= p.LatestVersion; i++ {
Transit: Refactor internal representation of key entry map (#3652) * convert internal map to index by string * Add upgrade test for internal key entry map * address review feedback
2017-12-06 23:24:00 +00:00
ver := strconv.Itoa(i)
if !p.Keys[ver].CreationTime.Equal(keysArchive[i].CreationTime) {
t.Fatalf("key %d not equivalent between policy keys and test keys archive; policy keys:\n%#v\ntest keys archive:\n%#v\n", i, p.Keys[ver], keysArchive[i])
ed25519 support in transit (#2778)
2017-06-05 19:00:39 +00:00
}
Transit: Refactor internal representation of key entry map (#3652) * convert internal map to index by string * Add upgrade test for internal key entry map * address review feedback
2017-12-06 23:24:00 +00:00
polKey := p.Keys[ver]
ed25519 support in transit (#2778)
2017-06-05 19:00:39 +00:00
polKey.CreationTime = keysArchive[i].CreationTime
Transit: Refactor internal representation of key entry map (#3652) * convert internal map to index by string * Add upgrade test for internal key entry map * address review feedback
2017-12-06 23:24:00 +00:00
p.Keys[ver] = polKey
if !reflect.DeepEqual(p.Keys[ver], keysArchive[i]) {
t.Fatalf("key %d not equivalent between policy keys and test keys archive; policy keys:\n%#v\ntest keys archive:\n%#v\n", i, p.Keys[ver], keysArchive[i])
Add unit tests
2016-01-26 17:23:42 +00:00
}
}
for i := 1; i < len(archive.Keys); i++ {
ed25519 support in transit (#2778)
2017-06-05 19:00:39 +00:00
if !reflect.DeepEqual(archive.Keys[i].Key, keysArchive[i].Key) {
t.Fatalf("key %d not equivalent between policy archive and test keys archive; policy archive:\n%#v\ntest keys archive:\n%#v\n", i, archive.Keys[i].Key, keysArchive[i].Key)
Add unit tests
2016-01-26 17:23:42 +00:00
}
}
}
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
func Test_StorageErrorSafety(t *testing.T) {
ctx := context.Background()
transit cache is an Interface implemented by wrapped versions of sync… (#6225) * transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru * transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru * changed some import paths to point to sdk * Apply suggestions from code review Co-Authored-By: Lexman42 <Lexman42@users.noreply.github.com> * updates docs with information on transit/cache-config endpoint * updates vendored files * fixes policy tests to actually use a cache where expected and renames the struct and storage path used for cache configurations to be more generic * updates document links * fixed a typo in a documentation link * changes cache_size to just size for the cache-config endpoint
2019-06-04 22:40:56 +00:00
lm, _ := NewLockManager(true, 0)
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
storage := &logical.InmemStorage{}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
p, _, err := lm.GetPolicy(ctx, PolicyRequest{
Upsert: true,
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
Storage: storage,
KeyType: KeyType_AES256_GCM96,
Name: "test",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
}, rand.Reader)
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
if err != nil {
t.Fatal(err)
}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
if p == nil {
t.Fatal("nil policy")
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
}
// Store the initial key in the archive
keysArchive := []KeyEntry{KeyEntry{}, p.Keys["1"]}
checkKeys(t, ctx, p, storage, keysArchive, "initial", 1, 1, 1)
// We use checkKeys here just for sanity; it doesn't really handle cases of
// errors below so we do more targeted testing later
for i := 2; i <= 5; i++ {
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
err = p.Rotate(ctx, storage, rand.Reader)
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
if err != nil {
t.Fatal(err)
}
keysArchive = append(keysArchive, p.Keys[strconv.Itoa(i)])
checkKeys(t, ctx, p, storage, keysArchive, "rotate", i, i, i)
}
underlying := storage.Underlying()
underlying.FailPut(true)
priorLen := len(p.Keys)
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
err = p.Rotate(ctx, storage, rand.Reader)
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
if err == nil {
t.Fatal("expected error")
}
if len(p.Keys) != priorLen {
t.Fatal("length of keys should not have changed")
}
}
func Test_BadUpgrade(t *testing.T) {
ctx := context.Background()
transit cache is an Interface implemented by wrapped versions of sync… (#6225) * transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru * transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru * changed some import paths to point to sdk * Apply suggestions from code review Co-Authored-By: Lexman42 <Lexman42@users.noreply.github.com> * updates docs with information on transit/cache-config endpoint * updates vendored files * fixes policy tests to actually use a cache where expected and renames the struct and storage path used for cache configurations to be more generic * updates document links * fixed a typo in a documentation link * changes cache_size to just size for the cache-config endpoint
2019-06-04 22:40:56 +00:00
lm, _ := NewLockManager(true, 0)
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
storage := &logical.InmemStorage{}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
p, _, err := lm.GetPolicy(ctx, PolicyRequest{
Upsert: true,
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
Storage: storage,
KeyType: KeyType_AES256_GCM96,
Name: "test",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
}, rand.Reader)
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
if err != nil {
t.Fatal(err)
}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
if p == nil {
t.Fatal("nil policy")
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
}
orig, err := copystructure.Copy(p)
if err != nil {
t.Fatal(err)
}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
orig.(*Policy).l = p.l
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
p.Key = p.Keys["1"].Key
p.Keys = nil
p.MinDecryptionVersion = 0
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
if err := p.Upgrade(ctx, storage, rand.Reader); err != nil {
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
t.Fatal(err)
}
k := p.Keys["1"]
o := orig.(*Policy).Keys["1"]
k.CreationTime = o.CreationTime
k.HMACKey = o.HMACKey
p.Keys["1"] = k
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
p.versionPrefixCache = sync.Map{}
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
if !reflect.DeepEqual(orig, p) {
t.Fatalf("not equal:\n%#v\n%#v", orig, p)
}
// Do it again with a failing storage call
underlying := storage.Underlying()
underlying.FailPut(true)
p.Key = p.Keys["1"].Key
p.Keys = nil
p.MinDecryptionVersion = 0
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
if err := p.Upgrade(ctx, storage, rand.Reader); err == nil {
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
t.Fatal("expected error")
}
if p.MinDecryptionVersion == 1 {
t.Fatal("min decryption version was changed")
}
if p.Keys != nil {
t.Fatal("found upgraded keys")
}
if p.Key == nil {
t.Fatal("non-upgraded key not found")
}
}
func Test_BadArchive(t *testing.T) {
ctx := context.Background()
transit cache is an Interface implemented by wrapped versions of sync… (#6225) * transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru * transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru * changed some import paths to point to sdk * Apply suggestions from code review Co-Authored-By: Lexman42 <Lexman42@users.noreply.github.com> * updates docs with information on transit/cache-config endpoint * updates vendored files * fixes policy tests to actually use a cache where expected and renames the struct and storage path used for cache configurations to be more generic * updates document links * fixed a typo in a documentation link * changes cache_size to just size for the cache-config endpoint
2019-06-04 22:40:56 +00:00
lm, _ := NewLockManager(true, 0)
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
storage := &logical.InmemStorage{}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
p, _, err := lm.GetPolicy(ctx, PolicyRequest{
Upsert: true,
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
Storage: storage,
KeyType: KeyType_AES256_GCM96,
Name: "test",
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
}, rand.Reader)
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
if err != nil {
t.Fatal(err)
}
Redo transit locking (#4720) This massively simplifies transit locking behavior by pushing some locking down to the Policy level, and embedding either a local or global lock in the Policy depending on whether caching is enabled or not.
2018-06-12 16:24:12 +00:00
if p == nil {
t.Fatal("nil policy")
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
}
for i := 2; i <= 10; i++ {
oss changes for entropy augmentation feature (#7670) * oss changes for entropy augmentation feature * fix oss command/server/config tests * update go.sum * fix logical_system and http/ tests * adds vendored files * removes unused variable
2019-10-17 17:33:00 +00:00
err = p.Rotate(ctx, storage, rand.Reader)
Add transaction-like behavior for Transit persists. (#3959)
2018-02-12 22:27:28 +00:00
if err != nil {
t.Fatal(err)
}
}
p.MinDecryptionVersion = 5
if err := p.Persist(ctx, storage); err != nil {
t.Fatal(err)
}
if p.ArchiveVersion != 10 {
t.Fatalf("unexpected archive version %d", p.ArchiveVersion)
}
if len(p.Keys) != 6 {
t.Fatalf("unexpected key length %d", len(p.Keys))
}
// Set back
p.MinDecryptionVersion = 1
if err := p.Persist(ctx, storage); err != nil {
t.Fatal(err)
}
if p.ArchiveVersion != 10 {
t.Fatalf("unexpected archive version %d", p.ArchiveVersion)
}
if len(p.Keys) != 10 {
t.Fatalf("unexpected key length %d", len(p.Keys))
}
// Run it again but we'll turn off storage along the way
p.MinDecryptionVersion = 5
if err := p.Persist(ctx, storage); err != nil {
t.Fatal(err)
}
if p.ArchiveVersion != 10 {
t.Fatalf("unexpected archive version %d", p.ArchiveVersion)
}
if len(p.Keys) != 6 {
t.Fatalf("unexpected key length %d", len(p.Keys))
}
underlying := storage.Underlying()
underlying.FailPut(true)
// Set back, which should cause p.Keys to be changed if the persist works,
// but it doesn't
p.MinDecryptionVersion = 1
if err := p.Persist(ctx, storage); err == nil {
t.Fatal("expected error during put")
}
if p.ArchiveVersion != 10 {
t.Fatalf("unexpected archive version %d", p.ArchiveVersion)
}
// Here's the expected change
if len(p.Keys) != 6 {
t.Fatalf("unexpected key length %d", len(p.Keys))
}
}
Expose generic versions of KDF and symmetric crypto (#10076) * Support salt in DeriveKey * Revert "Support salt in DeriveKey" This reverts commit b295ae42673308a2d66d66b53527c6f9aba92ac9. * Refactor out key derivation, symmetric encryption, and symmetric decryption into generic functions * comments * comments * go mod vendor * bump both go.mods * This one too * bump * bump * bump * Make the lesser used params of symmetric ops a struct * go fmt * Call GetKey instead of DeriveKey * Address feedback * Wrong rv * Rename calls * Assign the nonce field * trivial change * Check nonce len instead * go mod vendor
2020-10-02 02:04:36 +00:00
func BenchmarkSymmetric(b *testing.B) {
ctx := context.Background()
lm, _ := NewLockManager(true, 0)
storage := &logical.InmemStorage{}
p, _, _ := lm.GetPolicy(ctx, PolicyRequest{
Upsert: true,
Storage: storage,
KeyType: KeyType_AES256_GCM96,
Name: "test",
}, rand.Reader)
key, _ := p.GetKey(nil, 1, 32)
pt := make([]byte, 10)
ad := make([]byte, 10)
for i := 0; i < b.N; i++ {
ct, _ := p.SymmetricEncryptRaw(1, key, pt,
SymmetricOpts{
AdditionalData: ad,
})
pt2, _ := p.SymmetricDecryptRaw(key, ct, SymmetricOpts{
AdditionalData: ad,
})
if !bytes.Equal(pt, pt2) {
b.Fail()
}
}
}