open-cluster-management.io/governance-policy-propagator@v0.13.0/controllers/propagator/encryption_test.go (about) 1 // Copyright (c) 2021 Red Hat, Inc. 2 // Copyright Contributors to the Open Cluster Management project 3 4 package propagator 5 6 import ( 7 "context" 8 "crypto/rand" 9 "encoding/base64" 10 "testing" 11 12 . "github.com/onsi/ginkgo/v2" 13 . "github.com/onsi/gomega" 14 "github.com/stolostron/go-template-utils/v4/pkg/templates" 15 corev1 "k8s.io/api/core/v1" 16 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 17 "k8s.io/apimachinery/pkg/types" 18 "sigs.k8s.io/controller-runtime/pkg/client/fake" 19 ) 20 21 const ( 22 policyName = "test-policy" 23 clusterName = "local-cluster" 24 keySize = 256 25 ) 26 27 func TestGetEncryptionKeyNoSecret(_ *testing.T) { 28 RegisterFailHandler(Fail) 29 30 client := fake.NewClientBuilder().Build() 31 r := Propagator{Client: client} 32 key, err := r.getEncryptionKey(context.TODO(), clusterName) 33 34 Expect(err).ToNot(HaveOccurred()) 35 // Verify that the generated key is 256 bits. 36 Expect(key).To(HaveLen(keySize / 8)) 37 38 ctx := context.TODO() 39 objectKey := types.NamespacedName{ 40 Name: EncryptionKeySecret, 41 Namespace: clusterName, 42 } 43 encryptionSecret := &corev1.Secret{} 44 err = client.Get(ctx, objectKey, encryptionSecret) 45 46 Expect(err).ToNot(HaveOccurred()) 47 // Verify that the generated key stored in the secret is 256 bits. 48 Expect(encryptionSecret.Data["key"]).To(HaveLen(keySize / 8)) 49 } 50 51 func TestGetEncryptionKeySecretExists(_ *testing.T) { 52 RegisterFailHandler(Fail) 53 54 // Generate an AES-256 key and stored it as a secret. 55 key := make([]byte, keySize/8) 56 _, err := rand.Read(key) 57 Expect(err).ToNot(HaveOccurred()) 58 59 encryptionSecret := &corev1.Secret{ 60 ObjectMeta: metav1.ObjectMeta{ 61 Name: EncryptionKeySecret, 62 Namespace: clusterName, 63 }, 64 Data: map[string][]byte{ 65 "key": key, 66 }, 67 } 68 69 client := fake.NewClientBuilder().WithObjects(encryptionSecret).Build() 70 71 r := Propagator{Client: client} 72 key, err = r.getEncryptionKey(context.TODO(), clusterName) 73 74 Expect(err).ToNot(HaveOccurred()) 75 // Verify that the returned key is 256 bits. 76 Expect(key).To(HaveLen(keySize / 8)) 77 } 78 79 func TestGetInitializationVector(t *testing.T) { 80 t.Parallel() 81 RegisterFailHandler(Fail) 82 83 // Test when the initialization vector is generated 84 tests := []struct { 85 description string 86 annotations map[string]string 87 }{ 88 { 89 "No IV", 90 map[string]string{}, 91 }, 92 { 93 "Valid IV", 94 map[string]string{ 95 IVAnnotation: "7cznVUq5SXEE4RMZNkGOrQ==", 96 }, 97 }, 98 { 99 "Invalid IV", 100 map[string]string{ 101 IVAnnotation: "this-is-invalid", 102 }, 103 }, 104 } 105 106 r := Propagator{} 107 108 for _, test := range tests { 109 subTest := test 110 t.Run( 111 test.description, 112 func(t *testing.T) { 113 t.Parallel() 114 initializationVector, err := r.getInitializationVector(policyName, clusterName, subTest.annotations) 115 116 Expect(err).ToNot(HaveOccurred()) 117 // Verify that the returned initialization vector is 128 bits 118 Expect(initializationVector).To(HaveLen(templates.IVSize)) 119 // Verify that the annotation object was updated 120 Expect( 121 subTest.annotations[IVAnnotation], 122 ).To(Equal( 123 base64.StdEncoding.EncodeToString(initializationVector), 124 )) 125 }, 126 ) 127 } 128 }