b634e1964d
Decrypting an ciphertext where its corresponding value equals empty, the payload property "plaintext" is missing in the response object. This fixes the problem by adding a new, distinct struct for decrypt batch response items where "omitempty" is not set.
320 lines
9.2 KiB
Go
320 lines
9.2 KiB
Go
package transit
|
|
|
|
import (
|
|
"context"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
)
|
|
|
|
// Check the normal flow of rewrap
|
|
func TestTransit_BatchRewrapCase1(t *testing.T) {
|
|
var resp *logical.Response
|
|
var err error
|
|
b, s := createBackendWithStorage(t)
|
|
|
|
// Upsert the key and encrypt the data
|
|
plaintext := "dGhlIHF1aWNrIGJyb3duIGZveA=="
|
|
|
|
encData := map[string]interface{}{
|
|
"plaintext": plaintext,
|
|
}
|
|
|
|
// Create a key and encrypt a plaintext
|
|
encReq := &logical.Request{
|
|
Operation: logical.CreateOperation,
|
|
Path: "encrypt/upserted_key",
|
|
Storage: s,
|
|
Data: encData,
|
|
}
|
|
resp, err = b.HandleRequest(context.Background(), encReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
// Cache the ciphertext
|
|
ciphertext := resp.Data["ciphertext"]
|
|
if !strings.HasPrefix(ciphertext.(string), "vault:v1") {
|
|
t.Fatalf("bad: ciphertext version: expected: 'vault:v1', actual: %s", ciphertext)
|
|
}
|
|
|
|
keyVersion := resp.Data["key_version"].(int)
|
|
if keyVersion != 1 {
|
|
t.Fatalf("unexpected key version; got: %d, expected: %d", keyVersion, 1)
|
|
}
|
|
|
|
rewrapData := map[string]interface{}{
|
|
"ciphertext": ciphertext,
|
|
}
|
|
|
|
// Read the policy and check if the latest version is 1
|
|
policyReq := &logical.Request{
|
|
Operation: logical.ReadOperation,
|
|
Path: "keys/upserted_key",
|
|
Storage: s,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), policyReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
if resp.Data["latest_version"] != 1 {
|
|
t.Fatalf("bad: latest_version: expected: 1, actual: %d", resp.Data["latest_version"])
|
|
}
|
|
|
|
rotateReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "keys/upserted_key/rotate",
|
|
Storage: s,
|
|
}
|
|
resp, err = b.HandleRequest(context.Background(), rotateReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
// Read the policy again and the latest version is 2
|
|
resp, err = b.HandleRequest(context.Background(), policyReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
if resp.Data["latest_version"] != 2 {
|
|
t.Fatalf("bad: latest_version: expected: 2, actual: %d", resp.Data["latest_version"])
|
|
}
|
|
|
|
// Rewrap the ciphertext and check that they are different
|
|
rewrapReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "rewrap/upserted_key",
|
|
Storage: s,
|
|
Data: rewrapData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), rewrapReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
if ciphertext.(string) == resp.Data["ciphertext"].(string) {
|
|
t.Fatalf("bad: ciphertexts are same before and after rewrap")
|
|
}
|
|
|
|
if !strings.HasPrefix(resp.Data["ciphertext"].(string), "vault:v2") {
|
|
t.Fatalf("bad: ciphertext version: expected: 'vault:v2', actual: %s", resp.Data["ciphertext"].(string))
|
|
}
|
|
|
|
keyVersion = resp.Data["key_version"].(int)
|
|
if keyVersion != 2 {
|
|
t.Fatalf("unexpected key version; got: %d, expected: %d", keyVersion, 2)
|
|
}
|
|
}
|
|
|
|
// Check the normal flow of rewrap with upserted key
|
|
func TestTransit_BatchRewrapCase2(t *testing.T) {
|
|
var resp *logical.Response
|
|
var err error
|
|
b, s := createBackendWithStorage(t)
|
|
|
|
// Upsert the key and encrypt the data
|
|
plaintext := "dGhlIHF1aWNrIGJyb3duIGZveA=="
|
|
|
|
encData := map[string]interface{}{
|
|
"plaintext": plaintext,
|
|
"context": "dmlzaGFsCg==",
|
|
}
|
|
|
|
// Create a key and encrypt a plaintext
|
|
encReq := &logical.Request{
|
|
Operation: logical.CreateOperation,
|
|
Path: "encrypt/upserted_key",
|
|
Storage: s,
|
|
Data: encData,
|
|
}
|
|
resp, err = b.HandleRequest(context.Background(), encReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
// Cache the ciphertext
|
|
ciphertext := resp.Data["ciphertext"]
|
|
if !strings.HasPrefix(ciphertext.(string), "vault:v1") {
|
|
t.Fatalf("bad: ciphertext version: expected: 'vault:v1', actual: %s", ciphertext)
|
|
}
|
|
|
|
keyVersion := resp.Data["key_version"].(int)
|
|
if keyVersion != 1 {
|
|
t.Fatalf("unexpected key version; got: %d, expected: %d", keyVersion, 1)
|
|
}
|
|
|
|
rewrapData := map[string]interface{}{
|
|
"ciphertext": ciphertext,
|
|
"context": "dmlzaGFsCg==",
|
|
}
|
|
|
|
// Read the policy and check if the latest version is 1
|
|
policyReq := &logical.Request{
|
|
Operation: logical.ReadOperation,
|
|
Path: "keys/upserted_key",
|
|
Storage: s,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), policyReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
if resp.Data["latest_version"] != 1 {
|
|
t.Fatalf("bad: latest_version: expected: 1, actual: %d", resp.Data["latest_version"])
|
|
}
|
|
|
|
rotateReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "keys/upserted_key/rotate",
|
|
Storage: s,
|
|
}
|
|
resp, err = b.HandleRequest(context.Background(), rotateReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
// Read the policy again and the latest version is 2
|
|
resp, err = b.HandleRequest(context.Background(), policyReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
if resp.Data["latest_version"] != 2 {
|
|
t.Fatalf("bad: latest_version: expected: 2, actual: %d", resp.Data["latest_version"])
|
|
}
|
|
|
|
// Rewrap the ciphertext and check that they are different
|
|
rewrapReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "rewrap/upserted_key",
|
|
Storage: s,
|
|
Data: rewrapData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), rewrapReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
if ciphertext.(string) == resp.Data["ciphertext"].(string) {
|
|
t.Fatalf("bad: ciphertexts are same before and after rewrap")
|
|
}
|
|
|
|
if !strings.HasPrefix(resp.Data["ciphertext"].(string), "vault:v2") {
|
|
t.Fatalf("bad: ciphertext version: expected: 'vault:v2', actual: %s", resp.Data["ciphertext"].(string))
|
|
}
|
|
|
|
keyVersion = resp.Data["key_version"].(int)
|
|
if keyVersion != 2 {
|
|
t.Fatalf("unexpected key version; got: %d, expected: %d", keyVersion, 2)
|
|
}
|
|
}
|
|
|
|
// Batch encrypt plaintexts, rotate the keys and rewrap all the ciphertexts
|
|
func TestTransit_BatchRewrapCase3(t *testing.T) {
|
|
var resp *logical.Response
|
|
var err error
|
|
|
|
b, s := createBackendWithStorage(t)
|
|
|
|
batchEncryptionInput := []interface{}{
|
|
map[string]interface{}{"plaintext": "dmlzaGFsCg=="},
|
|
map[string]interface{}{"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA=="},
|
|
}
|
|
batchEncryptionData := map[string]interface{}{
|
|
"batch_input": batchEncryptionInput,
|
|
}
|
|
batchReq := &logical.Request{
|
|
Operation: logical.CreateOperation,
|
|
Path: "encrypt/upserted_key",
|
|
Storage: s,
|
|
Data: batchEncryptionData,
|
|
}
|
|
resp, err = b.HandleRequest(context.Background(), batchReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
batchEncryptionResponseItems := resp.Data["batch_results"].([]EncryptBatchResponseItem)
|
|
|
|
batchRewrapInput := make([]interface{}, len(batchEncryptionResponseItems))
|
|
for i, item := range batchEncryptionResponseItems {
|
|
batchRewrapInput[i] = map[string]interface{}{"ciphertext": item.Ciphertext}
|
|
}
|
|
|
|
batchRewrapData := map[string]interface{}{
|
|
"batch_input": batchRewrapInput,
|
|
}
|
|
|
|
rotateReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "keys/upserted_key/rotate",
|
|
Storage: s,
|
|
}
|
|
resp, err = b.HandleRequest(context.Background(), rotateReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
rewrapReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "rewrap/upserted_key",
|
|
Storage: s,
|
|
Data: batchRewrapData,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), rewrapReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
batchRewrapResponseItems := resp.Data["batch_results"].([]EncryptBatchResponseItem)
|
|
|
|
if len(batchRewrapResponseItems) != len(batchEncryptionResponseItems) {
|
|
t.Fatalf("bad: length of input and output or rewrap are not matching; expected: %d, actual: %d", len(batchEncryptionResponseItems), len(batchRewrapResponseItems))
|
|
}
|
|
|
|
decReq := &logical.Request{
|
|
Operation: logical.UpdateOperation,
|
|
Path: "decrypt/upserted_key",
|
|
Storage: s,
|
|
}
|
|
|
|
for i, eItem := range batchEncryptionResponseItems {
|
|
rItem := batchRewrapResponseItems[i]
|
|
|
|
if eItem.Ciphertext == rItem.Ciphertext {
|
|
t.Fatalf("bad: rewrap input and output are the same")
|
|
}
|
|
|
|
if !strings.HasPrefix(rItem.Ciphertext, "vault:v2") {
|
|
t.Fatalf("bad: invalid version of ciphertext in rewrap response; expected: 'vault:v2', actual: %s", rItem.Ciphertext)
|
|
}
|
|
|
|
if rItem.KeyVersion != 2 {
|
|
t.Fatalf("unexpected key version; got: %d, expected: %d", rItem.KeyVersion, 2)
|
|
}
|
|
|
|
decReq.Data = map[string]interface{}{
|
|
"ciphertext": rItem.Ciphertext,
|
|
}
|
|
|
|
resp, err = b.HandleRequest(context.Background(), decReq)
|
|
if err != nil || (resp != nil && resp.IsError()) {
|
|
t.Fatalf("err:%v resp:%#v", err, resp)
|
|
}
|
|
|
|
plaintext1 := "dGhlIHF1aWNrIGJyb3duIGZveA=="
|
|
plaintext2 := "dmlzaGFsCg=="
|
|
if resp.Data["plaintext"] != plaintext1 && resp.Data["plaintext"] != plaintext2 {
|
|
t.Fatalf("bad: plaintext. Expected: %q or %q, Actual: %q", plaintext1, plaintext2, resp.Data["plaintext"])
|
|
}
|
|
}
|
|
}
|