
     1  package s3crypto
     2  
     3  import (
     4  	"bytes"
     5  	"encoding/base64"
     6  	"encoding/hex"
     7  	"fmt"
     8  	"io/ioutil"
     9  	"net/http"
    10  	"net/http/httptest"
    11  	"reflect"
    12  	"testing"
    13  
    14  	"github.com/aavshr/aws-sdk-go/aws"
    15  	"github.com/aavshr/aws-sdk-go/awstesting/unit"
    16  	"github.com/aavshr/aws-sdk-go/service/kms"
    17  )
    18  
// TestNewKMSKeyGenerator checks that a KMS-backed generator is returned for a
// CMK id and a client built from the shared unit session.
func TestNewKMSKeyGenerator(t *testing.T) {
	client := kms.New(unit.Session)
	if gen := NewKMSKeyGenerator(client, "testid"); gen == nil {
		t.Error("expected non-nil handler")
	}
}
    26  
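// TestNewKMSKeyGeneratorWithMatDesc verifies that the caller-supplied material
// description is preserved and that the CMK id is recorded under "kms_cmk_id"
// alongside it.
func TestNewKMSKeyGeneratorWithMatDesc(t *testing.T) {
	svc := kms.New(unit.Session)
	handler := NewKMSKeyGeneratorWithMatDesc(svc, "testid", MaterialDescription{
		"Testing": aws.String("123"),
	})
	if handler == nil {
		// Fatal rather than Error: the type assertion below panics on a nil interface.
		t.Fatal("expected non-nil handler")
	}

	// Use the two-value form so an unexpected concrete type is reported instead of panicking.
	kmsHandler, ok := handler.(*kmsKeyHandler)
	if !ok {
		t.Fatalf("expected *kmsKeyHandler, but received %T", handler)
	}
	expected := MaterialDescription{
		"kms_cmk_id": aws.String("testid"),
		"Testing":    aws.String("123"),
	}

	if !reflect.DeepEqual(expected, kmsHandler.CipherData.MaterialDescription) {
		t.Errorf("expected %v, but received %v", expected, kmsHandler.CipherData.MaterialDescription)
	}
}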
    46  
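// TestKmsKeyHandler_GenerateCipherData runs GenerateCipherData against a stub
// KMS endpoint that answers every request with a canned GenerateDataKey
// response, and checks that the returned key and IV have the requested sizes.
func TestKmsKeyHandler_GenerateCipherData(t *testing.T) {
	// The stub does not inspect the request; it always returns the same fixture.
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, `{"CiphertextBlob":"AQEDAHhqBCCY1MSimw8gOGcUma79cn4ANvTtQyv9iuBdbcEF1QAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDJ6IcN5E4wVbk38MNAIBEIA7oF1E3lS7FY9DkoxPc/UmJsEwHzL82zMqoLwXIvi8LQHr8If4Lv6zKqY8u0+JRgSVoqCvZDx3p8Cn6nM=","KeyId":"arn:aws:kms:us-west-2:042062605278:key/c80a5cdb-8d09-4f9f-89ee-df01b2e3870a","Plaintext":"6tmyz9JLBE2yIuU7iXpArqpDVle172WSmxjcO6GNT7E="}`)
	}))
	defer ts.Close()

	// Point the KMS client at the stub; no retries so a bad response fails immediately.
	sess := unit.Session.Copy(&aws.Config{
		MaxRetries:       aws.Int(0),
		Endpoint:         aws.String(ts.URL),
		DisableSSL:       aws.Bool(true),
		S3ForcePathStyle: aws.Bool(true),
		Region:           aws.String("us-west-2"),
	})

	svc := kms.New(sess)
	handler := NewKMSKeyGenerator(svc, "testid")

	const (
		keySize = 32
		ivSize  = 16
	)

	cd, err := handler.GenerateCipherData(keySize, ivSize)
	if err != nil {
		// Fatal: the size checks below are meaningless without cipher data and
		// would only add misleading follow-up failures.
		t.Fatalf("expected no error, but received %v", err)
	}
	if got := len(cd.Key); got != keySize {
		t.Errorf("expected %d, but received %d", keySize, got)
	}
	if got := len(cd.IV); got != ivSize {
		t.Errorf("expected %d, but received %d", ivSize, got)
	}
}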
    78  
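// TestKmsKeyHandler_DecryptKey builds a decrypt handler from an envelope alone
// (no CMK configured on the client) and checks that the envelope's kms_cmk_id
// is not forwarded to KMS as KeyId, and that the plaintext KMS returns is
// handed back unchanged.
func TestKmsKeyHandler_DecryptKey(t *testing.T) {
	key, err := hex.DecodeString("31bdadd96698c204aa9ce1448ea94ae1fb4a9a0b3c9d773b51bb1822666b8f22")
	if err != nil {
		t.Fatalf("decoding fixture key: %v", err)
	}
	// The AWS JSON protocol carries blobs as standard base64; this fixture
	// contains no '+' or '/' so URL and standard alphabets agree, but use the
	// wire encoding so the test stays valid if the fixture changes.
	keyB64 := base64.StdEncoding.EncodeToString(key)
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := ioutil.ReadAll(r.Body)
		if err != nil {
			t.Errorf("expected no error, got %v", err)
			w.WriteHeader(http.StatusInternalServerError)
			return
		}
		// With no CMK configured the envelope's kms_cmk_id ("test") must not be
		// sent as KeyId; the WithCMK variant covers the pinned-key case.
		if bytes.Contains(body, []byte(`"KeyId":"test"`)) {
			t.Errorf("expected CMK to not be sent")
		}
		fmt.Fprintln(w, `{"KeyId":"test-key-id","Plaintext":"`+keyB64+`"}`)
	}))
	defer ts.Close()

	// Point the KMS client at the stub; no retries so a bad response fails immediately.
	sess := unit.Session.Copy(&aws.Config{
		MaxRetries:       aws.Int(0),
		Endpoint:         aws.String(ts.URL),
		DisableSSL:       aws.Bool(true),
		S3ForcePathStyle: aws.Bool(true),
		Region:           aws.String("us-west-2"),
	})
	handler, err := (kmsKeyHandler{kms: kms.New(sess)}).decryptHandler(Envelope{WrapAlg: KMSWrap, MatDesc: `{"kms_cmk_id":"test"}`})
	if err != nil {
		// Fatal: handler is not usable on error and calling DecryptKey on it would panic.
		t.Fatalf("expected no error, but received %v", err)
	}

	plaintextKey, err := handler.DecryptKey([]byte{1, 2, 3, 4})
	if err != nil {
		t.Fatalf("expected no error, but received %v", err)
	}

	if !bytes.Equal(key, plaintextKey) {
		t.Errorf("expected %v, but received %v", key, plaintextKey)
	}
}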
   117  
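// TestKmsKeyHandler_DecryptKey_WithCMK builds a decrypt handler with a CMK
// configured on the client and checks that this configured id ("thisKey"), not
// the envelope's kms_cmk_id ("test"), is sent to KMS as KeyId, and that the
// plaintext KMS returns is handed back unchanged.
func TestKmsKeyHandler_DecryptKey_WithCMK(t *testing.T) {
	key, err := hex.DecodeString("31bdadd96698c204aa9ce1448ea94ae1fb4a9a0b3c9d773b51bb1822666b8f22")
	if err != nil {
		t.Fatalf("decoding fixture key: %v", err)
	}
	// The AWS JSON protocol carries blobs as standard base64; this fixture
	// contains no '+' or '/' so URL and standard alphabets agree, but use the
	// wire encoding so the test stays valid if the fixture changes.
	keyB64 := base64.StdEncoding.EncodeToString(key)
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := ioutil.ReadAll(r.Body)
		if err != nil {
			t.Errorf("expected no error, got %v", err)
			w.WriteHeader(http.StatusInternalServerError)
			return
		}

		// The client's configured CMK pins the decrypt request to that key.
		if !bytes.Contains(body, []byte(`"KeyId":"thisKey"`)) {
			t.Errorf("expected CMK to be sent")
		}

		fmt.Fprintln(w, `{"KeyId":"test-key-id","Plaintext":"`+keyB64+`"}`)
	}))
	defer ts.Close()

	// Point the KMS client at the stub; no retries so a bad response fails immediately.
	sess := unit.Session.Copy(&aws.Config{
		MaxRetries:       aws.Int(0),
		Endpoint:         aws.String(ts.URL),
		DisableSSL:       aws.Bool(true),
		S3ForcePathStyle: aws.Bool(true),
		Region:           aws.String("us-west-2"),
	})
	handler, err := newKMSWrapEntryWithCMK(kms.New(sess), "thisKey")(Envelope{WrapAlg: KMSWrap, MatDesc: `{"kms_cmk_id":"test"}`})
	if err != nil {
		// Fatal: handler is not usable on error and calling DecryptKey on it would panic.
		t.Fatalf("expected no error, but received %v", err)
	}

	plaintextKey, err := handler.DecryptKey([]byte{1, 2, 3, 4})
	if err != nil {
		t.Fatalf("expected no error, but received %v", err)
	}
	if !bytes.Equal(key, plaintextKey) {
		t.Errorf("expected %v, but received %v", key, plaintextKey)
	}
}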
   157  
// TestRegisterKMSWrapWithAnyCMK registers the any-CMK KMS wrap handler, checks
// it is retrievable under KMSWrap, and verifies that a second registration for
// the same wrap algorithm (this time with a fixed CMK) is rejected.
func TestRegisterKMSWrapWithAnyCMK(t *testing.T) {
	client := kms.New(unit.Session.Copy())
	registry := NewCryptoRegistry()

	if err := RegisterKMSWrapWithAnyCMK(registry, client); err != nil {
		t.Errorf("expected no error, got %v", err)
	}

	wrap, ok := registry.GetWrap(KMSWrap)
	switch {
	case !ok:
		t.Errorf("expected wrapped to be present")
	case wrap == nil:
		t.Errorf("expected wrap to not be nil")
	}

	// KMSWrap is already taken; the registry must refuse a second handler.
	err := RegisterKMSWrapWithCMK(registry, client, "test-key-id")
	if err == nil {
		t.Error("expected error, got none")
	}
}
   176  
// TestRegisterKMSWrapWithCMK registers the fixed-CMK KMS wrap handler, checks
// it is retrievable under KMSWrap, and verifies that a second registration for
// the same wrap algorithm (this time any-CMK) is rejected.
func TestRegisterKMSWrapWithCMK(t *testing.T) {
	client := kms.New(unit.Session.Copy())
	registry := NewCryptoRegistry()

	if err := RegisterKMSWrapWithCMK(registry, client, "cmkId"); err != nil {
		t.Errorf("expected no error, got %v", err)
	}

	wrap, ok := registry.GetWrap(KMSWrap)
	switch {
	case !ok:
		t.Errorf("expected wrapped to be present")
	case wrap == nil:
		t.Errorf("expected wrap to not be nil")
	}

	// KMSWrap is already taken; the registry must refuse a second handler.
	err := RegisterKMSWrapWithAnyCMK(registry, client)
	if err == nil {
		t.Error("expected error, got none")
	}
}