open-vault/helper/keysutil/encrypted_key_storage_test.go

401 lines
7.9 KiB
Go
Raw Normal View History

package keysutil
import (
"context"
"fmt"
"reflect"
"testing"
2018-06-05 22:51:35 +00:00
"github.com/hashicorp/vault/helper/strutil"
"github.com/hashicorp/vault/logical"
)
var compilerOpt []string
func TestBase58(t *testing.T) {
tCases := []struct {
in string
out string
}{
{
"",
"0",
},
{
"foo",
"sapp",
},
{
"5d5746d044b9a9429249966c9e3fee178ca679b91487b11d4b73c9865202104c",
"cozMP2pOYdDiNGeFQ2afKAOGIzO0HVpJ8OPFXuVPNbHasFyenK9CzIIPuOG7EFWOCy4YWvKGZa671N4kRSoaxZ",
},
{
"5ba33e16d742f3c785f6e7e8bb6f5fe82346ffa1c47aa8e95da4ddd5a55bb334",
"cotpEJPnhuTRofLi4lDe5iKw2fkSGc6TpUYeuWoBp8eLYJBWLRUVDZI414OjOCWXKZ0AI8gqNMoxd4eLOklwYk",
},
{
" ",
"w",
},
{
"-",
"J",
},
{
"0",
"M",
},
{
"1",
"N",
},
{
"-1",
"30B",
},
{
"11",
"3h7",
},
{
"abc",
"qMin",
},
{
"1234598760",
"1a0AFzKIPnihTq",
},
{
"abcdefghijklmnopqrstuvwxyz",
"hUBXsgd3F2swSlEgbVi2p0Ncr6kzVeJTLaW",
},
}
for _, c := range tCases {
e := Base62Encode([]byte(c.in))
d := string(Base62Decode(e))
if d != c.in {
t.Fatalf("decoded value didn't match input %#v %#v", c.in, d)
}
if e != c.out {
t.Fatalf("encoded value didn't match expected %#v, %#v", e, c.out)
}
}
d := Base62Decode("!0000/")
if len(d) != 0 {
t.Fatalf("Decode of invalid string should be empty, got %#v", d)
}
}
func TestEncrytedKeysStorage_BadPolicy(t *testing.T) {
2018-06-05 22:51:35 +00:00
policy := NewPolicy(PolicyConfig{
Name: "metadata",
Type: KeyType_AES256_GCM96,
Derived: false,
KDF: Kdf_hkdf_sha256,
ConvergentEncryption: true,
VersionTemplate: EncryptedKeyPolicyVersionTpl,
2018-06-05 22:51:35 +00:00
})
_, err := NewEncryptedKeyStorageWrapper(EncryptedKeyStorageConfig{
Policy: policy,
Prefix: "prefix",
})
if err != ErrPolicyDerivedKeys {
t.Fatalf("Unexpected Error: %s", err)
}
2018-06-05 22:51:35 +00:00
policy = NewPolicy(PolicyConfig{
Name: "metadata",
Type: KeyType_AES256_GCM96,
Derived: true,
KDF: Kdf_hkdf_sha256,
ConvergentEncryption: false,
VersionTemplate: EncryptedKeyPolicyVersionTpl,
2018-06-05 22:51:35 +00:00
})
_, err = NewEncryptedKeyStorageWrapper(EncryptedKeyStorageConfig{
Policy: policy,
Prefix: "prefix",
})
if err != ErrPolicyConvergentEncryption {
t.Fatalf("Unexpected Error: %s", err)
}
2018-06-05 22:51:35 +00:00
policy = NewPolicy(PolicyConfig{
Name: "metadata",
Type: KeyType_AES256_GCM96,
Derived: true,
KDF: Kdf_hkdf_sha256,
ConvergentEncryption: true,
VersionTemplate: EncryptedKeyPolicyVersionTpl,
2018-06-05 22:51:35 +00:00
})
_, err = NewEncryptedKeyStorageWrapper(EncryptedKeyStorageConfig{
Policy: policy,
Prefix: "prefix",
})
2018-06-05 22:51:35 +00:00
if err != nil {
t.Fatalf("Unexpected Error: %s", err)
}
}
func TestEncryptedKeysStorage_List(t *testing.T) {
s := &logical.InmemStorage{}
2018-06-05 22:51:35 +00:00
policy := NewPolicy(PolicyConfig{
Name: "metadata",
Type: KeyType_AES256_GCM96,
Derived: true,
KDF: Kdf_hkdf_sha256,
ConvergentEncryption: true,
VersionTemplate: EncryptedKeyPolicyVersionTpl,
2018-06-05 22:51:35 +00:00
})
ctx := context.Background()
err := policy.Rotate(ctx, s)
if err != nil {
t.Fatal(err)
}
es, err := NewEncryptedKeyStorageWrapper(EncryptedKeyStorageConfig{
Policy: policy,
Prefix: "prefix",
})
if err != nil {
t.Fatal(err)
}
err = es.Wrap(s).Put(ctx, &logical.StorageEntry{
Key: "test",
Value: []byte("test"),
})
if err != nil {
t.Fatal(err)
}
err = es.Wrap(s).Put(ctx, &logical.StorageEntry{
Key: "test/foo",
Value: []byte("test"),
})
if err != nil {
t.Fatal(err)
}
err = es.Wrap(s).Put(ctx, &logical.StorageEntry{
Key: "test/foo1/test",
Value: []byte("test"),
})
if err != nil {
t.Fatal(err)
}
keys, err := es.Wrap(s).List(ctx, "test/")
if err != nil {
t.Fatal(err)
}
// Test prefixed with "/"
keys, err = es.Wrap(s).List(ctx, "/test/")
if err != nil {
t.Fatal(err)
}
if len(keys) != 2 || keys[1] != "foo1/" || keys[0] != "foo" {
t.Fatalf("bad keys: %#v", keys)
}
keys, err = es.Wrap(s).List(ctx, "/")
if err != nil {
t.Fatal(err)
}
if len(keys) != 2 || keys[0] != "test" || keys[1] != "test/" {
t.Fatalf("bad keys: %#v", keys)
}
keys, err = es.Wrap(s).List(ctx, "")
if err != nil {
t.Fatal(err)
}
if len(keys) != 2 || keys[0] != "test" || keys[1] != "test/" {
t.Fatalf("bad keys: %#v", keys)
}
}
func TestEncryptedKeysStorage_CRUD(t *testing.T) {
s := &logical.InmemStorage{}
2018-06-05 22:51:35 +00:00
policy := NewPolicy(PolicyConfig{
Name: "metadata",
Type: KeyType_AES256_GCM96,
Derived: true,
KDF: Kdf_hkdf_sha256,
ConvergentEncryption: true,
VersionTemplate: EncryptedKeyPolicyVersionTpl,
2018-06-05 22:51:35 +00:00
})
ctx := context.Background()
err := policy.Rotate(ctx, s)
if err != nil {
t.Fatal(err)
}
es, err := NewEncryptedKeyStorageWrapper(EncryptedKeyStorageConfig{
Policy: policy,
Prefix: "prefix",
})
if err != nil {
t.Fatal(err)
}
err = es.Wrap(s).Put(ctx, &logical.StorageEntry{
Key: "test/foo",
Value: []byte("test"),
})
if err != nil {
t.Fatal(err)
}
err = es.Wrap(s).Put(ctx, &logical.StorageEntry{
Key: "test/foo1/test",
Value: []byte("test"),
})
if err != nil {
t.Fatal(err)
}
keys, err := es.Wrap(s).List(ctx, "test/")
if err != nil {
t.Fatal(err)
}
// Test prefixed with "/"
keys, err = es.Wrap(s).List(ctx, "/test/")
if err != nil {
t.Fatal(err)
}
2018-06-05 22:51:35 +00:00
if len(keys) != 2 || !strutil.StrListContains(keys, "foo1/") || !strutil.StrListContains(keys, "foo") {
t.Fatalf("bad keys: %#v", keys)
}
// Test the cached value is correct
keys, err = es.Wrap(s).List(ctx, "test/")
if err != nil {
t.Fatal(err)
}
2018-06-05 22:51:35 +00:00
if len(keys) != 2 || !strutil.StrListContains(keys, "foo1/") || !strutil.StrListContains(keys, "foo") {
t.Fatalf("bad keys: %#v", keys)
}
data, err := es.Wrap(s).Get(ctx, "test/foo")
if err != nil {
t.Fatal(err)
}
if !reflect.DeepEqual(data.Value, []byte("test")) {
t.Fatalf("bad data: %#v", data)
}
err = es.Wrap(s).Delete(ctx, "test/foo")
if err != nil {
t.Fatal(err)
}
data, err = es.Wrap(s).Get(ctx, "test/foo")
if err != nil {
t.Fatal(err)
}
if data != nil {
t.Fatal("data should be nil")
}
}
func BenchmarkEncrytedKeyStorage_List(b *testing.B) {
s := &logical.InmemStorage{}
2018-06-05 22:51:35 +00:00
policy := NewPolicy(PolicyConfig{
Name: "metadata",
Type: KeyType_AES256_GCM96,
Derived: true,
KDF: Kdf_hkdf_sha256,
ConvergentEncryption: true,
VersionTemplate: EncryptedKeyPolicyVersionTpl,
2018-06-05 22:51:35 +00:00
})
ctx := context.Background()
err := policy.Rotate(ctx, s)
if err != nil {
b.Fatal(err)
}
es, err := NewEncryptedKeyStorageWrapper(EncryptedKeyStorageConfig{
Policy: policy,
Prefix: "prefix",
})
if err != nil {
b.Fatal(err)
}
for i := 0; i < 10000; i++ {
err = es.Wrap(s).Put(ctx, &logical.StorageEntry{
Key: fmt.Sprintf("test/%d", i),
Value: []byte("test"),
})
if err != nil {
b.Fatal(err)
}
}
b.ResetTimer()
for i := 0; i < b.N; i++ {
keys, err := es.Wrap(s).List(ctx, "test/")
if err != nil {
b.Fatal(err)
}
compilerOpt = keys
}
}
func BenchmarkEncrytedKeyStorage_Put(b *testing.B) {
s := &logical.InmemStorage{}
2018-06-05 22:51:35 +00:00
policy := NewPolicy(PolicyConfig{
Name: "metadata",
Type: KeyType_AES256_GCM96,
Derived: true,
KDF: Kdf_hkdf_sha256,
ConvergentEncryption: true,
VersionTemplate: EncryptedKeyPolicyVersionTpl,
2018-06-05 22:51:35 +00:00
})
ctx := context.Background()
err := policy.Rotate(ctx, s)
if err != nil {
b.Fatal(err)
}
es, err := NewEncryptedKeyStorageWrapper(EncryptedKeyStorageConfig{
Policy: policy,
Prefix: "prefix",
})
if err != nil {
b.Fatal(err)
}
b.ResetTimer()
for i := 0; i < b.N; i++ {
err = es.Wrap(s).Put(ctx, &logical.StorageEntry{
Key: fmt.Sprintf("test/%d", i),
Value: []byte("test"),
})
if err != nil {
b.Fatal(err)
}
}
}