github.com/opentofu/opentofu@v1.7.1/internal/encryption/keyprovider/gcp_kms/compliance_test.go (about) 1 package gcp_kms 2 3 import ( 4 "fmt" 5 "os" 6 "testing" 7 8 "cloud.google.com/go/kms/apiv1/kmspb" 9 "github.com/opentofu/opentofu/internal/encryption/keyprovider/compliancetest" 10 ) 11 12 func getKey(t *testing.T) string { 13 if os.Getenv("TF_ACC") == "" && os.Getenv("TF_KMS_TEST") == "" { 14 return "" 15 } 16 return os.Getenv("TF_GCP_KMS_KEY") 17 } 18 19 func TestKeyProvider(t *testing.T) { 20 testKeyId := getKey(t) 21 22 if testKeyId == "" { 23 testKeyId = "projects/local-vehicle-id/locations/global/keyRings/ringid/cryptoKeys/keyid" 24 mock := &mockKMC{ 25 encrypt: func(req *kmspb.EncryptRequest) (*kmspb.EncryptResponse, error) { 26 return &kmspb.EncryptResponse{ 27 Ciphertext: append([]byte(testKeyId), req.Plaintext...), 28 }, nil 29 }, 30 decrypt: func(req *kmspb.DecryptRequest) (*kmspb.DecryptResponse, error) { 31 return &kmspb.DecryptResponse{ 32 Plaintext: req.Ciphertext[len(testKeyId):], 33 }, nil 34 }, 35 } 36 37 injectMock(mock) 38 39 // Used by impersonation tests 40 t.Setenv("GOOGLE_CREDENTIALS", `{"type": "service_account"}`) 41 42 } 43 44 compliancetest.ComplianceTest( 45 t, 46 compliancetest.TestConfiguration[*descriptor, *Config, *keyMeta, *keyProvider]{ 47 Descriptor: New().(*descriptor), 48 HCLParseTestCases: map[string]compliancetest.HCLParseTestCase[*Config, *keyProvider]{ 49 "success": { 50 HCL: fmt.Sprintf(`key_provider "gcp_kms" "foo" { 51 kms_encryption_key = "%s" 52 key_length = 32 53 }`, testKeyId), 54 ValidHCL: true, 55 ValidBuild: true, 56 Validate: func(config *Config, keyProvider *keyProvider) error { 57 if config.KMSKeyName != testKeyId { 58 return fmt.Errorf("incorrect key ID returned") 59 } 60 return nil 61 }, 62 }, 63 "empty": { 64 HCL: `key_provider "gcp_kms" "foo" {}`, 65 ValidHCL: false, 66 ValidBuild: false, 67 }, 68 "invalid-key-size": { 69 HCL: fmt.Sprintf(`key_provider "gcp_kms" "foo" { 70 kms_encryption_key = "%s" 71 key_length = -1 72 }`, testKeyId), 73 ValidHCL: true, 74 ValidBuild: false, 75 }, 76 "empty-key-id": { 77 HCL: `key_provider "gcp_kms" "foo" { 78 kms_encryption_key = "" 79 key_length = 32 80 }`, 81 ValidHCL: true, 82 ValidBuild: false, 83 }, 84 "large-key-size": { 85 HCL: `key_provider "gcp_kms" "foo" { 86 kms_encryption_key = "alias/temp" 87 key_length = 99999999 88 }`, 89 ValidHCL: true, 90 ValidBuild: false, 91 }, 92 "unknown-property": { 93 HCL: fmt.Sprintf(`key_provider "gcp_kms" "foo" { 94 kms_encryption_key = "%s" 95 key_length = 32 96 unknown_property = "foo" 97 }`, testKeyId), 98 ValidHCL: false, 99 ValidBuild: false, 100 }, 101 "with-access-token": { 102 HCL: `key_provider "gcp_kms" "foo" { 103 kms_encryption_key = "alias/temp" 104 key_length = 32 105 access_token = "my-access-token" 106 }`, 107 ValidHCL: true, 108 ValidBuild: true, 109 }, 110 "bad-credentials": { 111 HCL: `key_provider "gcp_kms" "foo" { 112 kms_encryption_key = "alias/temp" 113 key_length = 32 114 credentials = "AS{DU*@#8UQDD*a" 115 }`, 116 ValidHCL: true, 117 ValidBuild: false, 118 }, 119 "impersonation": { 120 HCL: `key_provider "gcp_kms" "foo" { 121 kms_encryption_key = "alias/temp" 122 key_length = 32 123 impersonate_service_account = "batman" 124 }`, 125 ValidHCL: true, 126 ValidBuild: true, 127 }, 128 }, 129 ConfigStructTestCases: map[string]compliancetest.ConfigStructTestCase[*Config, *keyProvider]{ 130 "success": { 131 Config: &Config{ 132 KMSKeyName: testKeyId, 133 KeyLength: 32, 134 }, 135 ValidBuild: true, 136 Validate: nil, 137 }, 138 "empty": { 139 Config: &Config{ 140 KMSKeyName: "", 141 KeyLength: 0, 142 }, 143 ValidBuild: false, 144 Validate: nil, 145 }, 146 }, 147 MetadataStructTestCases: map[string]compliancetest.MetadataStructTestCase[*Config, *keyMeta]{ 148 "empty": { 149 ValidConfig: &Config{ 150 KMSKeyName: testKeyId, 151 KeyLength: 32, 152 }, 153 Meta: &keyMeta{}, 154 IsPresent: false, 155 IsValid: false, 156 }, 157 }, 158 ProvideTestCase: compliancetest.ProvideTestCase[*Config, *keyMeta]{ 159 ValidConfig: &Config{ 160 KMSKeyName: testKeyId, 161 KeyLength: 32, 162 }, 163 ValidateKeys: func(dec []byte, enc []byte) error { 164 if len(dec) == 0 { 165 return fmt.Errorf("decryption key is empty") 166 } 167 if len(enc) == 0 { 168 return fmt.Errorf("encryption key is empty") 169 } 170 return nil 171 }, 172 ValidateMetadata: func(meta *keyMeta) error { 173 if len(meta.Ciphertext) == 0 { 174 return fmt.Errorf("ciphertext is empty") 175 } 176 return nil 177 }, 178 }, 179 }) 180 }