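// Copyright (c) The OpenTofu Authors
// SPDX-License-Identifier: MPL-2.0
// Copyright (c) 2023 HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package aesgcm

import (
	"bytes"
	"fmt"
	"testing"

	"github.com/opentofu/opentofu/internal/encryption/keyprovider"
	"github.com/opentofu/opentofu/internal/encryption/method/compliancetest"
)

// TestCompliance runs the shared encryption-method compliance suite against
// the AES-GCM method.
//
// The table pins three things for each fixture: whether the HCL block parses
// (ValidHCL), whether Build accepts the resulting configuration (ValidBuild),
// and, for accepted configurations, that the keys and the AAD arrive unchanged
// in both the parsed Config and the built method (Validate).
//
// All key material below is a fixed, predictable byte sequence that exists
// only as a test fixture.
//
// NOTE(review): the table exercises only 0-, 15- and 16-byte keys. 24- and
// 32-byte keys, and lengths above 16 that are not valid AES key sizes, are not
// covered here; confirm they are tested elsewhere.
func TestCompliance(t *testing.T) {
	// key16 is the 16-byte key that the HCL fixtures spell out as [1,...,16].
	// It is only read by the Validate callbacks, never handed to a Config.
	key16 := []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}

	compliancetest.ComplianceTest(t, compliancetest.TestConfiguration[*descriptor, *Config, *aesgcm]{
		Descriptor: New().(*descriptor),
		HCLParseTestCases: map[string]compliancetest.HCLParseTestCase[*descriptor, *Config, *aesgcm]{
			// A block without a keys attribute must already fail at HCL parsing.
			"empty": {
				HCL:        `method "aes_gcm" "foo" {}`,
				ValidHCL:   false,
				ValidBuild: false,
				Validate:   nil,
			},
			// Zero-length keys parse, but Build must refuse them.
			"empty_keys": {
				HCL: `method "aes_gcm" "foo" {
    keys = {
        encryption_key = []
        decryption_key = []
    }
}`,
				ValidHCL:   true,
				ValidBuild: false,
				Validate:   nil,
			},
			// 15 bytes is one short of the smallest AES key size (16 bytes),
			// so Build is expected to fail.
			"short-keys": {
				HCL: `method "aes_gcm" "foo" {
    keys = {
        encryption_key = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15]
        decryption_key = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15]
    }
}`,
				ValidHCL:   true,
				ValidBuild: false,
				Validate:   nil,
			},
			// A well-formed encryption key does not excuse a malformed
			// decryption key.
			"short-decryption-key": {
				HCL: `method "aes_gcm" "foo" {
    keys = {
        encryption_key = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]
        decryption_key = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15]
    }
}`,
				ValidHCL:   true,
				ValidBuild: false,
				Validate:   nil,
			},
			// The converse: a well-formed decryption key does not excuse a
			// malformed encryption key.
			"short-encryption-key": {
				HCL: `method "aes_gcm" "foo" {
    keys = {
        encryption_key = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15]
        decryption_key = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]
    }
}`,
				ValidHCL:   true,
				ValidBuild: false,
				Validate:   nil,
			},
			// The encryption key is mandatory: a decryption key alone must not
			// produce a usable method.
			"only-decryption-key": {
				HCL: `method "aes_gcm" "foo" {
    keys = {
        encryption_key = []
        decryption_key = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]
    }
}`,
				ValidHCL:   true,
				ValidBuild: false,
				Validate:   nil,
			},
			// The decryption key is optional. Validate also checks that no
			// decryption key appears in the config or the method when none
			// was supplied.
			"only-encryption-key": {
				HCL: `method "aes_gcm" "foo" {
    keys = {
        encryption_key = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]
        decryption_key = []
    }
}`,
				ValidHCL:   true,
				ValidBuild: true,
				Validate: func(config *Config, method *aesgcm) error {
					if len(config.Keys.DecryptionKey) > 0 {
						return fmt.Errorf("decryption key found in config despite no decryption key being provided")
					}
					if len(method.decryptionKey) > 0 {
						return fmt.Errorf("decryption key found in method despite no decryption key being provided")
					}
					if !bytes.Equal(config.Keys.EncryptionKey, key16) {
						return fmt.Errorf("incorrect encryption key found after HCL parsing in config")
					}
					// This check is on the built method, so the message names
					// the method rather than the config.
					if !bytes.Equal(method.encryptionKey, key16) {
						return fmt.Errorf("incorrect encryption key found in method after Build()")
					}
					return nil
				},
			},
			// Both keys supplied: each must reach the config and the method
			// byte for byte.
			"encryption-decryption-key": {
				HCL: `method "aes_gcm" "foo" {
    keys = {
        encryption_key = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]
        decryption_key = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]
    }
}`,
				ValidHCL:   true,
				ValidBuild: true,
				Validate: func(config *Config, method *aesgcm) error {
					if !bytes.Equal(config.Keys.DecryptionKey, key16) {
						return fmt.Errorf("incorrect decryption key found after HCL parsing in config")
					}
					if !bytes.Equal(method.decryptionKey, key16) {
						return fmt.Errorf("incorrect decryption key found in method after Build()")
					}

					if !bytes.Equal(config.Keys.EncryptionKey, key16) {
						return fmt.Errorf("incorrect encryption key found after HCL parsing in config")
					}
					if !bytes.Equal(method.encryptionKey, key16) {
						return fmt.Errorf("incorrect encryption key found in method after Build()")
					}
					return nil
				},
			},
			// Without an aad attribute, neither the config nor the method may
			// carry any additional authenticated data.
			"no-aad": {
				HCL: `method "aes_gcm" "foo" {
    keys = {
        encryption_key = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]
        decryption_key = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]
    }
}`,
				ValidHCL:   true,
				ValidBuild: true,
				Validate: func(config *Config, method *aesgcm) error {
					if len(config.AAD) != 0 {
						return fmt.Errorf("invalid AAD in config after HCL parsing")
					}
					if len(method.aad) != 0 {
						return fmt.Errorf("invalid AAD in method after Build()")
					}
					return nil
				},
			},
			// A configured AAD must be carried unchanged from HCL into the
			// config and from there into the built method.
			"aad": {
				HCL: `method "aes_gcm" "foo" {
    keys = {
        encryption_key = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]
        decryption_key = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16]
    }
    aad = [1,2,3,4]
}`,
				ValidHCL:   true,
				ValidBuild: true,
				Validate: func(config *Config, method *aesgcm) error {
					if !bytes.Equal(config.AAD, []byte{1, 2, 3, 4}) {
						return fmt.Errorf("invalid AAD in config after HCL parsing")
					}
					if !bytes.Equal(method.aad, []byte{1, 2, 3, 4}) {
						return fmt.Errorf("invalid AAD in method after Build()")
					}
					return nil
				},
			},
		},
		ConfigStructTestCases: map[string]compliancetest.ConfigStructTestCase[*Config, *aesgcm]{
			// A zero-value Config built directly, without going through HCL,
			// must be rejected by Build as well.
			"empty": {
				Config: &Config{
					Keys: keyprovider.Output{},
					AAD:  nil,
				},
				ValidBuild: false,
				Validate:   nil,
			},
		},
		// The encrypt-only config encrypts with key 1..16. The full config
		// encrypts with a different key (17..32) and decrypts with 1..16.
		// NOTE(review): presumably the suite uses this pairing to check that
		// data written under the first config can be read under the second;
		// confirm against compliancetest. The slices are separate literals so
		// that the two configs do not share backing arrays.
		EncryptDecryptTestCase: compliancetest.EncryptDecryptTestCase[*Config, *aesgcm]{
			ValidEncryptOnlyConfig: &Config{
				Keys: keyprovider.Output{
					EncryptionKey: []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16},
					DecryptionKey: nil,
				},
			},
			ValidFullConfig: &Config{
				Keys: keyprovider.Output{
					EncryptionKey: []byte{17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32},
					DecryptionKey: []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16},
				},
			},
		},
	})
}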