github.com/opentofu/opentofu@v1.7.1/internal/encryption/keyprovider/aws_kms/compliance_test.go (about) 1 // Copyright (c) The OpenTofu Authors 2 // SPDX-License-Identifier: MPL-2.0 3 // Copyright (c) 2023 HashiCorp, Inc. 4 // SPDX-License-Identifier: MPL-2.0 5 6 package aws_kms 7 8 import ( 9 "fmt" 10 "testing" 11 12 "github.com/opentofu/opentofu/internal/encryption/keyprovider/compliancetest" 13 ) 14 15 func TestKeyProvider(t *testing.T) { 16 testKeyId := getKey(t) 17 18 if testKeyId == "" { 19 testKeyId = "alias/my-mock-key" 20 injectDefaultMock() 21 22 t.Setenv("AWS_REGION", "us-east-1") 23 t.Setenv("AWS_ACCESS_KEY_ID", "accesskey") 24 t.Setenv("AWS_SECRET_ACCESS_KEY", "secretkey") 25 } 26 27 compliancetest.ComplianceTest( 28 t, 29 compliancetest.TestConfiguration[*descriptor, *Config, *keyMeta, *keyProvider]{ 30 Descriptor: New().(*descriptor), 31 HCLParseTestCases: map[string]compliancetest.HCLParseTestCase[*Config, *keyProvider]{ 32 "success": { 33 HCL: fmt.Sprintf(`key_provider "aws_kms" "foo" { 34 kms_key_id = "%s" 35 key_spec = "AES_256" 36 skip_credentials_validation = true // required for mocking 37 }`, testKeyId), 38 ValidHCL: true, 39 ValidBuild: true, 40 Validate: func(config *Config, keyProvider *keyProvider) error { 41 if config.KMSKeyID != testKeyId { 42 return fmt.Errorf("incorrect key ID returned") 43 } 44 return nil 45 }, 46 }, 47 "empty": { 48 HCL: `key_provider "aws_kms" "foo" {}`, 49 ValidHCL: false, 50 ValidBuild: false, 51 }, 52 "invalid-key-spec": { 53 HCL: fmt.Sprintf(`key_provider "aws_kms" "foo" { 54 kms_key_id = "%s" 55 key_spec = "BROKEN STUFF" 56 }`, testKeyId), 57 ValidHCL: true, 58 ValidBuild: false, 59 }, 60 "empty-key-id": { 61 HCL: `key_provider "aws_kms" "foo" { 62 kms_key_id = "" 63 key_spec = "AES_256" 64 }`, 65 ValidHCL: true, 66 ValidBuild: false, 67 }, 68 "empty-key-spec": { 69 HCL: `key_provider "aws_kms" "foo" { 70 kms_key_id = "alias/temp" 71 key_spec = "" 72 }`, 73 ValidHCL: true, 74 ValidBuild: false, 75 }, 76 "unknown-property": { 77 HCL: fmt.Sprintf(`key_provider "aws_kms" "foo" { 78 kms_key_id = "%s" 79 key_spec = "AES_256" 80 unknown_property = "foo" 81 }`, testKeyId), 82 ValidHCL: false, 83 ValidBuild: false, 84 }, 85 }, 86 ConfigStructTestCases: map[string]compliancetest.ConfigStructTestCase[*Config, *keyProvider]{ 87 "success": { 88 Config: &Config{ 89 KMSKeyID: testKeyId, 90 KeySpec: "AES_256", 91 92 SkipCredsValidation: true, // Required for mocking 93 }, 94 ValidBuild: true, 95 Validate: nil, 96 }, 97 "empty": { 98 Config: &Config{ 99 KMSKeyID: "", 100 KeySpec: "", 101 }, 102 ValidBuild: false, 103 Validate: nil, 104 }, 105 }, 106 MetadataStructTestCases: map[string]compliancetest.MetadataStructTestCase[*Config, *keyMeta]{ 107 "empty": { 108 ValidConfig: &Config{ 109 KMSKeyID: testKeyId, 110 KeySpec: "AES_256", 111 112 SkipCredsValidation: true, // Required for mocking 113 }, 114 Meta: &keyMeta{}, 115 IsPresent: false, 116 IsValid: false, 117 }, 118 }, 119 ProvideTestCase: compliancetest.ProvideTestCase[*Config, *keyMeta]{ 120 ValidConfig: &Config{ 121 KMSKeyID: testKeyId, 122 KeySpec: "AES_256", 123 SkipCredsValidation: true, // Required for mocking 124 }, 125 ValidateKeys: func(dec []byte, enc []byte) error { 126 if len(dec) == 0 { 127 return fmt.Errorf("decryption key is empty") 128 } 129 if len(enc) == 0 { 130 return fmt.Errorf("encryption key is empty") 131 } 132 return nil 133 }, 134 ValidateMetadata: func(meta *keyMeta) error { 135 if meta.CiphertextBlob == nil || len(meta.CiphertextBlob) == 0 { 136 return fmt.Errorf("ciphertext blob is nil") 137 } 138 return nil 139 }, 140 }, 141 }) 142 }