github.com/kaisenlinux/docker.io@v0.0.0-20230510090727-ea55db55fac7/swarmkit/manager/encryption/nacl_test.go (about)

     1  package encryption
     2  
     3  import (
     4  	cryptorand "crypto/rand"
     5  	"io"
     6  	"testing"
     7  
     8  	"github.com/docker/swarmkit/api"
     9  	"github.com/stretchr/testify/require"
    10  )
    11  
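// TestNACLSecretbox checks that encrypting the same message twice under the
// same key yields two different records, because every call to Encrypt
// produces its own nonce, and that both records still decrypt to the original
// data with either of two crypters built from identical key bytes.
func TestNACLSecretbox(t *testing.T) {
	key := make([]byte, 32)
	_, err := io.ReadFull(cryptorand.Reader, key)
	require.NoError(t, err)

	// copy takes (dst, src): duplicate the random key into keyCopy. With the
	// arguments reversed, key would be overwritten by the zeroes of the fresh
	// slice and the test would silently run with an all-zero key.
	keyCopy := make([]byte, len(key))
	copy(keyCopy, key)
	require.Equal(t, key, keyCopy)

	crypter1 := NewNACLSecretbox(key)
	crypter2 := NewNACLSecretbox(keyCopy)
	data := []byte("Hello again world")

	er1, err := crypter1.Encrypt(data)
	require.NoError(t, err)

	er2, err := crypter1.Encrypt(data)
	require.NoError(t, err)

	require.NotEqual(t, er1.Data, er2.Data)
	require.NotEmpty(t, er1.Nonce)
	require.NotEmpty(t, er2.Nonce)
	// Reusing a nonce under the same key would break the confidentiality of
	// the secretbox construction, so assert directly that the nonces differ
	// instead of inferring it from the ciphertexts alone.
	require.NotEqual(t, er1.Nonce, er2.Nonce)

	// Either crypter can decrypt both records, since they share the same key.
	for _, decrypter := range []Decrypter{crypter1, crypter2} {
		for _, record := range []*api.MaybeEncryptedRecord{er1, er2} {
			result, err := decrypter.Decrypt(*record)
			require.NoError(t, err)
			require.Equal(t, data, result)
		}
	}
}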
    45  
// TestNACLSecretboxInvalidAlgorithm checks that Decrypt returns an error
// mentioning "not a NACL secretbox" when the record's Algorithm field has been
// changed to NotEncrypted, even though its nonce and data are left untouched.
func TestNACLSecretboxInvalidAlgorithm(t *testing.T) {
	secret := make([]byte, 32)
	_, readErr := io.ReadFull(cryptorand.Reader, secret)
	require.NoError(t, readErr)

	box := NewNACLSecretbox(secret)
	plaintext := []byte("Hello again world")
	record, encErr := box.Encrypt(plaintext)
	require.NoError(t, encErr)

	// Relabel the encrypted record as plaintext; the crypter must refuse it.
	record.Algorithm = api.MaybeEncryptedRecord_NotEncrypted

	_, decErr := box.Decrypt(*record)
	require.Error(t, decErr)
	require.Contains(t, decErr.Error(), "not a NACL secretbox")
}
    60  
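// TestNACLSecretboxCannotDecryptWithoutRightKey checks that a record encrypted
// under one key is rejected by crypters built from other key material: first
// an empty key, then an unrelated random key of the same length.
func TestNACLSecretboxCannotDecryptWithoutRightKey(t *testing.T) {
	key := make([]byte, 32)
	_, err := io.ReadFull(cryptorand.Reader, key)
	require.NoError(t, err)

	crypter := NewNACLSecretbox(key)
	er, err := crypter.Encrypt([]byte("Hello again world"))
	require.NoError(t, err)

	// Empty key material: whatever key NewNACLSecretbox derives from it, that
	// key must not open a record sealed under the random key above.
	crypter = NewNACLSecretbox([]byte{})
	_, err = crypter.Decrypt(*er)
	require.Error(t, err)

	// A well-formed but unrelated key is the more realistic wrong-key case:
	// decryption has to fail on the key itself, not on its length.
	otherKey := make([]byte, len(key))
	_, err = io.ReadFull(cryptorand.Reader, otherKey)
	require.NoError(t, err)
	require.NotEqual(t, key, otherKey)

	crypter = NewNACLSecretbox(otherKey)
	_, err = crypter.Decrypt(*er)
	require.Error(t, err)
}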
    74  
// TestNACLSecretboxInvalidNonce checks that Decrypt returns an error
// mentioning "invalid nonce size" when the record's nonce has been cut down
// to 20 bytes after encryption.
func TestNACLSecretboxInvalidNonce(t *testing.T) {
	secret := make([]byte, 32)
	_, readErr := io.ReadFull(cryptorand.Reader, secret)
	require.NoError(t, readErr)

	box := NewNACLSecretbox(secret)
	record, encErr := box.Encrypt([]byte("Hello again world"))
	require.NoError(t, encErr)

	// Truncate the nonce so it no longer has the length Encrypt produced; the
	// size check is expected to reject the record.
	truncated := record.Nonce[:20]
	record.Nonce = truncated

	_, decErr := box.Decrypt(*record)
	require.Error(t, decErr)
	require.Contains(t, decErr.Error(), "invalid nonce size")
}