github.com/hashicorp/vault/sdk@v0.11.0/helper/keysutil/encrypted_key_storage_test.go (about) 1 // Copyright (c) HashiCorp, Inc. 2 // SPDX-License-Identifier: MPL-2.0 3 4 package keysutil 5 6 import ( 7 "context" 8 "crypto/rand" 9 "fmt" 10 "reflect" 11 "testing" 12 13 "github.com/hashicorp/go-secure-stdlib/strutil" 14 "github.com/hashicorp/vault/sdk/logical" 15 ) 16 17 var compilerOpt []string 18 19 func TestEncrytedKeysStorage_BadPolicy(t *testing.T) { 20 policy := NewPolicy(PolicyConfig{ 21 Name: "metadata", 22 Type: KeyType_AES256_GCM96, 23 Derived: false, 24 KDF: Kdf_hkdf_sha256, 25 ConvergentEncryption: true, 26 VersionTemplate: EncryptedKeyPolicyVersionTpl, 27 }) 28 29 _, err := NewEncryptedKeyStorageWrapper(EncryptedKeyStorageConfig{ 30 Policy: policy, 31 Prefix: "prefix", 32 }) 33 if err != ErrPolicyDerivedKeys { 34 t.Fatalf("Unexpected Error: %s", err) 35 } 36 37 policy = NewPolicy(PolicyConfig{ 38 Name: "metadata", 39 Type: KeyType_AES256_GCM96, 40 Derived: true, 41 KDF: Kdf_hkdf_sha256, 42 ConvergentEncryption: false, 43 VersionTemplate: EncryptedKeyPolicyVersionTpl, 44 }) 45 46 _, err = NewEncryptedKeyStorageWrapper(EncryptedKeyStorageConfig{ 47 Policy: policy, 48 Prefix: "prefix", 49 }) 50 if err != ErrPolicyConvergentEncryption { 51 t.Fatalf("Unexpected Error: %s", err) 52 } 53 54 policy = NewPolicy(PolicyConfig{ 55 Name: "metadata", 56 Type: KeyType_AES256_GCM96, 57 Derived: true, 58 KDF: Kdf_hkdf_sha256, 59 ConvergentEncryption: true, 60 VersionTemplate: EncryptedKeyPolicyVersionTpl, 61 }) 62 _, err = NewEncryptedKeyStorageWrapper(EncryptedKeyStorageConfig{ 63 Policy: policy, 64 Prefix: "prefix", 65 }) 66 if err != nil { 67 t.Fatalf("Unexpected Error: %s", err) 68 } 69 } 70 71 func TestEncryptedKeysStorage_List(t *testing.T) { 72 s := &logical.InmemStorage{} 73 policy := NewPolicy(PolicyConfig{ 74 Name: "metadata", 75 Type: KeyType_AES256_GCM96, 76 Derived: true, 77 KDF: Kdf_hkdf_sha256, 78 ConvergentEncryption: true, 79 VersionTemplate: EncryptedKeyPolicyVersionTpl, 80 }) 81 82 ctx := context.Background() 83 84 err := policy.Rotate(ctx, s, rand.Reader) 85 if err != nil { 86 t.Fatal(err) 87 } 88 89 es, err := NewEncryptedKeyStorageWrapper(EncryptedKeyStorageConfig{ 90 Policy: policy, 91 Prefix: "prefix", 92 }) 93 if err != nil { 94 t.Fatal(err) 95 } 96 97 err = es.Wrap(s).Put(ctx, &logical.StorageEntry{ 98 Key: "test", 99 Value: []byte("test"), 100 }) 101 if err != nil { 102 t.Fatal(err) 103 } 104 105 err = es.Wrap(s).Put(ctx, &logical.StorageEntry{ 106 Key: "test/foo", 107 Value: []byte("test"), 108 }) 109 if err != nil { 110 t.Fatal(err) 111 } 112 113 err = es.Wrap(s).Put(ctx, &logical.StorageEntry{ 114 Key: "test/foo1/test", 115 Value: []byte("test"), 116 }) 117 if err != nil { 118 t.Fatal(err) 119 } 120 121 keys, err := es.Wrap(s).List(ctx, "test/") 122 if err != nil { 123 t.Fatal(err) 124 } 125 126 // Test prefixed with "/" 127 keys, err = es.Wrap(s).List(ctx, "/test/") 128 if err != nil { 129 t.Fatal(err) 130 } 131 132 if len(keys) != 2 || keys[1] != "foo1/" || keys[0] != "foo" { 133 t.Fatalf("bad keys: %#v", keys) 134 } 135 136 keys, err = es.Wrap(s).List(ctx, "/") 137 if err != nil { 138 t.Fatal(err) 139 } 140 if len(keys) != 2 || keys[0] != "test" || keys[1] != "test/" { 141 t.Fatalf("bad keys: %#v", keys) 142 } 143 144 keys, err = es.Wrap(s).List(ctx, "") 145 if err != nil { 146 t.Fatal(err) 147 } 148 if len(keys) != 2 || keys[0] != "test" || keys[1] != "test/" { 149 t.Fatalf("bad keys: %#v", keys) 150 } 151 } 152 153 func TestEncryptedKeysStorage_CRUD(t *testing.T) { 154 s := &logical.InmemStorage{} 155 policy := NewPolicy(PolicyConfig{ 156 Name: "metadata", 157 Type: KeyType_AES256_GCM96, 158 Derived: true, 159 KDF: Kdf_hkdf_sha256, 160 ConvergentEncryption: true, 161 VersionTemplate: EncryptedKeyPolicyVersionTpl, 162 }) 163 164 ctx := context.Background() 165 166 err := policy.Rotate(ctx, s, rand.Reader) 167 if err != nil { 168 t.Fatal(err) 169 } 170 171 es, err := NewEncryptedKeyStorageWrapper(EncryptedKeyStorageConfig{ 172 Policy: policy, 173 Prefix: "prefix", 174 }) 175 if err != nil { 176 t.Fatal(err) 177 } 178 179 err = es.Wrap(s).Put(ctx, &logical.StorageEntry{ 180 Key: "test/foo", 181 Value: []byte("test"), 182 }) 183 if err != nil { 184 t.Fatal(err) 185 } 186 187 err = es.Wrap(s).Put(ctx, &logical.StorageEntry{ 188 Key: "test/foo1/test", 189 Value: []byte("test"), 190 }) 191 if err != nil { 192 t.Fatal(err) 193 } 194 195 keys, err := es.Wrap(s).List(ctx, "test/") 196 if err != nil { 197 t.Fatal(err) 198 } 199 200 // Test prefixed with "/" 201 keys, err = es.Wrap(s).List(ctx, "/test/") 202 if err != nil { 203 t.Fatal(err) 204 } 205 206 if len(keys) != 2 || !strutil.StrListContains(keys, "foo1/") || !strutil.StrListContains(keys, "foo") { 207 t.Fatalf("bad keys: %#v", keys) 208 } 209 210 // Test the cached value is correct 211 keys, err = es.Wrap(s).List(ctx, "test/") 212 if err != nil { 213 t.Fatal(err) 214 } 215 216 if len(keys) != 2 || !strutil.StrListContains(keys, "foo1/") || !strutil.StrListContains(keys, "foo") { 217 t.Fatalf("bad keys: %#v", keys) 218 } 219 220 data, err := es.Wrap(s).Get(ctx, "test/foo") 221 if err != nil { 222 t.Fatal(err) 223 } 224 if !reflect.DeepEqual(data.Value, []byte("test")) { 225 t.Fatalf("bad data: %#v", data) 226 } 227 228 err = es.Wrap(s).Delete(ctx, "test/foo") 229 if err != nil { 230 t.Fatal(err) 231 } 232 233 data, err = es.Wrap(s).Get(ctx, "test/foo") 234 if err != nil { 235 t.Fatal(err) 236 } 237 if data != nil { 238 t.Fatal("data should be nil") 239 } 240 } 241 242 func BenchmarkEncrytedKeyStorage_List(b *testing.B) { 243 s := &logical.InmemStorage{} 244 policy := NewPolicy(PolicyConfig{ 245 Name: "metadata", 246 Type: KeyType_AES256_GCM96, 247 Derived: true, 248 KDF: Kdf_hkdf_sha256, 249 ConvergentEncryption: true, 250 VersionTemplate: EncryptedKeyPolicyVersionTpl, 251 }) 252 253 ctx := context.Background() 254 255 err := policy.Rotate(ctx, s, rand.Reader) 256 if err != nil { 257 b.Fatal(err) 258 } 259 260 es, err := NewEncryptedKeyStorageWrapper(EncryptedKeyStorageConfig{ 261 Policy: policy, 262 Prefix: "prefix", 263 }) 264 if err != nil { 265 b.Fatal(err) 266 } 267 268 for i := 0; i < 10000; i++ { 269 err = es.Wrap(s).Put(ctx, &logical.StorageEntry{ 270 Key: fmt.Sprintf("test/%d", i), 271 Value: []byte("test"), 272 }) 273 if err != nil { 274 b.Fatal(err) 275 } 276 } 277 b.ResetTimer() 278 279 for i := 0; i < b.N; i++ { 280 keys, err := es.Wrap(s).List(ctx, "test/") 281 if err != nil { 282 b.Fatal(err) 283 } 284 compilerOpt = keys 285 } 286 } 287 288 func BenchmarkEncrytedKeyStorage_Put(b *testing.B) { 289 s := &logical.InmemStorage{} 290 policy := NewPolicy(PolicyConfig{ 291 Name: "metadata", 292 Type: KeyType_AES256_GCM96, 293 Derived: true, 294 KDF: Kdf_hkdf_sha256, 295 ConvergentEncryption: true, 296 VersionTemplate: EncryptedKeyPolicyVersionTpl, 297 }) 298 299 ctx := context.Background() 300 301 err := policy.Rotate(ctx, s, rand.Reader) 302 if err != nil { 303 b.Fatal(err) 304 } 305 306 es, err := NewEncryptedKeyStorageWrapper(EncryptedKeyStorageConfig{ 307 Policy: policy, 308 Prefix: "prefix", 309 }) 310 if err != nil { 311 b.Fatal(err) 312 } 313 314 b.ResetTimer() 315 316 for i := 0; i < b.N; i++ { 317 err = es.Wrap(s).Put(ctx, &logical.StorageEntry{ 318 Key: fmt.Sprintf("test/%d", i), 319 Value: []byte("test"), 320 }) 321 if err != nil { 322 b.Fatal(err) 323 } 324 } 325 }