Clear the Barrier AEAD cache on keyring reload (#6870)

* Clear the barrier's AEAD cache on keyring reload

* Update barrier_aes_gcm_test.go
Brian Kassouf 2019-06-12 08:56:16 -07:00 committed by GitHub
parent 342c1b57e3
commit 934b497101
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 80 additions and 0 deletions


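--- a/vault/barrier_aes_gcm.go
+++ b/vault/barrier_aes_gcm.go
@@ -287,6 +287,7 @@ func (b *AESGCMBarrier) ReloadKeyring(ctx context.Context) error {
 }
 // Setup the keyring and finish
+b.cache = make(map[uint32]cipher.AEAD)
 b.keyring = keyring
 return nil
 }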
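Review bot: The new `b.cache = make(map[uint32]cipher.AEAD)` line needs a why-comment, because nothing in the hunk says why a keyring reload must invalidate the term-to-AEAD cache; the test added in this commit shows the reason — after a rollback to an older keyring a term number can be bound to different key material than the cached cipher was built from, so a stale entry would encrypt under a key the reloaded keyring cannot decrypt with. I would put `// Drop cached AEADs: a term number is only meaningful relative to the keyring just loaded, so an entry built from a previous keyring may no longer match the key material stored for that term.` above the assignment. The cache is presumably read on every encrypt/decrypt, so replacing the map must happen under the same lock those readers take; the start of ReloadKeyring, where that lock would be acquired, is outside the hunk, so confirm it is held here.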


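--- a/vault/barrier_aes_gcm_test.go
+++ b/vault/barrier_aes_gcm_test.go
@@ -516,3 +516,82 @@ func TestEncrypt_BarrierEncryptor(t *testing.T) {
 t.Fatalf("bad: %s", plain)
 }
 }
+func TestAESGCMBarrier_ReloadKeyring(t *testing.T) {
+inm, err := inmem.NewInmem(nil, logger)
+if err != nil {
+t.Fatalf("err: %v", err)
+}
+b, err := NewAESGCMBarrier(inm)
+if err != nil {
+t.Fatalf("err: %v", err)
+}
+// Initialize and unseal
+key, _ := b.GenerateKey()
+b.Initialize(context.Background(), key)
+b.Unseal(context.Background(), key)
+keyringRaw, err := inm.Get(context.Background(), keyringPath)
+if err != nil {
+t.Fatalf("err: %v", err)
+}
+// Encrypt something to test cache invalidation
+_, err = b.Encrypt(context.Background(), "foo", []byte("quick brown fox"))
+if err != nil {
+t.Fatalf("err: %v", err)
+}
+{
+// Create a second barrier and rotate the keyring
+b2, err := NewAESGCMBarrier(inm)
+if err != nil {
+t.Fatalf("err: %v", err)
+}
+b2.Unseal(context.Background(), key)
+_, err = b2.Rotate(context.Background())
+if err != nil {
+t.Fatalf("err: %v", err)
+}
+}
+// Reload the keyring on the first
+err = b.ReloadKeyring(context.Background())
+if err != nil {
+t.Fatalf("err: %v", err)
+}
+if b.keyring.ActiveTerm() != 2 {
+t.Fatal("failed to reload keyring")
+}
+if len(b.cache) != 0 {
+t.Fatal("failed to clear cache")
+}
+// Encrypt something to test cache invalidation
+_, err = b.Encrypt(context.Background(), "foo", []byte("quick brown fox"))
+if err != nil {
+t.Fatalf("err: %v", err)
+}
+// Restore old keyring to test rolling back
+err = inm.Put(context.Background(), keyringRaw)
+if err != nil {
+t.Fatalf("err: %v", err)
+}
+// Reload the keyring on the first
+err = b.ReloadKeyring(context.Background())
+if err != nil {
+t.Fatalf("err: %v", err)
+}
+if b.keyring.ActiveTerm() != 1 {
+t.Fatal("failed to reload keyring")
+}
+if len(b.cache) != 0 {
+t.Fatal("failed to clear cache")
+}
+}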
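Review bot: The return values of `b.GenerateKey`, `b.Initialize`, `b.Unseal` and `b2.Unseal` are discarded in the new test, so a failed initialize or unseal would surface later as a confusing `Encrypt`/`Rotate` error instead of at the call that failed; each should be checked, e.g. `if err := b.Unseal(context.Background(), key); err != nil { t.Fatalf("err: %v", err) }`, and likewise for the other three. The two `len(b.cache) != 0` assertions can also pass vacuously, because the test never confirms that the preceding `Encrypt` populated the cache in the first place; adding `if len(b.cache) == 0 { t.Fatal("expected encrypt to populate the AEAD cache") }` right after the first `Encrypt` makes the "failed to clear cache" checks meaningful. Reading `b.cache` without the barrier's lock is acceptable here since nothing else touches the barrier concurrently, but a decrypt round-trip through `b2` of the ciphertext produced after the first reload would additionally show that the cache was rebuilt from the reloaded term-2 key rather than merely emptied. The whole of TestAESGCMBarrier_ReloadKeyring lies inside this hunk.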