Add unit tests for KMS transformer initialization

This commit is contained in:
Saksham Sharma 2017-07-27 13:56:40 -07:00
parent 49989439d7
commit b76c63a9f0
2 changed files with 98 additions and 4 deletions


@ -36,5 +36,6 @@ go_test(
deps = [ deps = [
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", "//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//vendor/k8s.io/apiserver/pkg/storage/value:go_default_library", "//vendor/k8s.io/apiserver/pkg/storage/value:go_default_library",
"//vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope:go_default_library",
], ],
) )


@ -18,11 +18,16 @@ package encryptionconfig
import ( import (
"bytes" "bytes"
"encoding/base64"
"fmt"
"io"
"os"
"strings" "strings"
"testing" "testing"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/storage/value" "k8s.io/apiserver/pkg/storage/value"
"k8s.io/apiserver/pkg/storage/value/encrypt/envelope"
) )
const ( const (
@ -30,6 +35,10 @@ const (
sampleContextText = "0123456789" sampleContextText = "0123456789"
// Modify these in all configurations if changed
testEnvelopeServiceConfigPath = "testproviderconfig"
testEnvelopeServiceProviderName = "testprovider"
correctConfigWithIdentityFirst = ` correctConfigWithIdentityFirst = `
kind: EncryptionConfig kind: EncryptionConfig
apiVersion: v1 apiVersion: v1
@ -45,6 +54,10 @@ resources:
secret: c2VjcmV0IGlzIHNlY3VyZQ== secret: c2VjcmV0IGlzIHNlY3VyZQ==
- name: key2 - name: key2
secret: dGhpcyBpcyBwYXNzd29yZA== secret: dGhpcyBpcyBwYXNzd29yZA==
- kms:
name: testprovider
configfile: testproviderconfig
cachesize: 10
- aescbc: - aescbc:
keys: keys:
- name: key1 - name: key1
@ -74,6 +87,10 @@ resources:
keys: keys:
- name: key1 - name: key1
secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY= secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=
- kms:
name: testprovider
configfile: testproviderconfig
cachesize: 10
- aescbc: - aescbc:
keys: keys:
- name: key1 - name: key1
@ -96,6 +113,10 @@ resources:
secret: c2VjcmV0IGlzIHNlY3VyZQ== secret: c2VjcmV0IGlzIHNlY3VyZQ==
- name: key2 - name: key2
secret: dGhpcyBpcyBwYXNzd29yZA== secret: dGhpcyBpcyBwYXNzd29yZA==
- kms:
name: testprovider
configfile: testproviderconfig
cachesize: 10
- identity: {} - identity: {}
- secretbox: - secretbox:
keys: keys:
@ -116,6 +137,40 @@ resources:
- resources: - resources:
- secrets - secrets
providers: providers:
- secretbox:
keys:
- name: key1
secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=
- aescbc:
keys:
- name: key1
secret: c2VjcmV0IGlzIHNlY3VyZQ==
- name: key2
secret: dGhpcyBpcyBwYXNzd29yZA==
- kms:
name: testprovider
configfile: testproviderconfig
cachesize: 10
- identity: {}
- aesgcm:
keys:
- name: key1
secret: c2VjcmV0IGlzIHNlY3VyZQ==
- name: key2
secret: dGhpcyBpcyBwYXNzd29yZA==
`
correctConfigWithKMSFirst = `
kind: EncryptionConfig
apiVersion: v1
resources:
- resources:
- secrets
providers:
- kms:
name: testprovider
configfile: testproviderconfig
cachesize: 10
- secretbox: - secretbox:
keys: keys:
- name: key1 - name: key1
@ -165,11 +220,42 @@ resources:
` `
) )
func TestEncryptionProviderConfigCorrect(t *testing.T) { // testEnvelopeService is a mock envelope service which can be used to simulate remote Envelope services
// Creates two transformers with different ordering of identity and AES transformers. // for testing of the envelope transformer with other transformers.
// Transforms data using one of them, and tries to untransform using both of them. type testEnvelopeService struct {
// Repeats this for both the possible combinations. disabled bool
}
func (t *testEnvelopeService) Decrypt(data string) ([]byte, error) {
if t.disabled {
return nil, fmt.Errorf("Envelope service was disabled")
}
return base64.StdEncoding.DecodeString(data)
}
func (t *testEnvelopeService) Encrypt(data []byte) (string, error) {
if t.disabled {
return "", fmt.Errorf("Envelope service was disabled")
}
return base64.StdEncoding.EncodeToString(data), nil
}
func (t *testEnvelopeService) SetDisabledStatus(status bool) {
t.disabled = status
}
var _ envelope.Service = &testEnvelopeService{}
func TestEncryptionProviderConfigCorrect(t *testing.T) {
os.OpenFile(testEnvelopeServiceConfigPath, os.O_CREATE, 0666)
defer os.Remove(testEnvelopeServiceConfigPath)
KMSPluginRegistry.Register(testEnvelopeServiceProviderName, func(config io.Reader) (envelope.Service, error) {
return &testEnvelopeService{}, nil
})
// Creates compound/prefix transformers with different ordering of available transformers.
// Transforms data using one of them, and tries to untransform using the others.
// Repeats this for all possible combinations.
identityFirstTransformerOverrides, err := ParseEncryptionConfiguration(strings.NewReader(correctConfigWithIdentityFirst)) identityFirstTransformerOverrides, err := ParseEncryptionConfiguration(strings.NewReader(correctConfigWithIdentityFirst))
if err != nil { if err != nil {
t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithIdentityFirst) t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithIdentityFirst)
@ -190,11 +276,17 @@ func TestEncryptionProviderConfigCorrect(t *testing.T) {
t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithSecretboxFirst) t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithSecretboxFirst)
} }
kmsFirstTransformerOverrides, err := ParseEncryptionConfiguration(strings.NewReader(correctConfigWithKMSFirst))
if err != nil {
t.Fatalf("error while parsing configuration file: %s.\nThe file was:\n%s", err, correctConfigWithKMSFirst)
}
// Pick the transformer for any of the returned resources. // Pick the transformer for any of the returned resources.
identityFirstTransformer := identityFirstTransformerOverrides[schema.ParseGroupResource("secrets")] identityFirstTransformer := identityFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
aesGcmFirstTransformer := aesGcmFirstTransformerOverrides[schema.ParseGroupResource("secrets")] aesGcmFirstTransformer := aesGcmFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
aesCbcFirstTransformer := aesCbcFirstTransformerOverrides[schema.ParseGroupResource("secrets")] aesCbcFirstTransformer := aesCbcFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
secretboxFirstTransformer := secretboxFirstTransformerOverrides[schema.ParseGroupResource("secrets")] secretboxFirstTransformer := secretboxFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
kmsFirstTransformer := kmsFirstTransformerOverrides[schema.ParseGroupResource("secrets")]
context := value.DefaultContext([]byte(sampleContextText)) context := value.DefaultContext([]byte(sampleContextText))
originalText := []byte(sampleText) originalText := []byte(sampleText)
@ -207,6 +299,7 @@ func TestEncryptionProviderConfigCorrect(t *testing.T) {
{aesCbcFirstTransformer, "aesCbcFirst"}, {aesCbcFirstTransformer, "aesCbcFirst"},
{secretboxFirstTransformer, "secretboxFirst"}, {secretboxFirstTransformer, "secretboxFirst"},
{identityFirstTransformer, "identityFirst"}, {identityFirstTransformer, "identityFirst"},
{kmsFirstTransformer, "kmsFirst"},
} }
for _, testCase := range transformers { for _, testCase := range transformers {
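Review bot: The placeholder config file created at the top of TestEncryptionProviderConfigCorrect, `os.OpenFile(testEnvelopeServiceConfigPath, os.O_CREATE, 0666)`, discards both the returned *os.File and the error, so a failed create is silently ignored (the later `defer os.Remove` then masks it), the descriptor is never closed, and the file is created world-writable in whatever directory the test runs from. Replace it with `f, err := os.OpenFile(testEnvelopeServiceConfigPath, os.O_CREATE|os.O_WRONLY, 0600)` / `if err != nil { t.Fatalf("creating %s: %v", testEnvelopeServiceConfigPath, err) }` / `f.Close()`, keeping the existing `defer os.Remove`. The result of `KMSPluginRegistry.Register(...)` is also dropped; if Register can report a duplicate or invalid registration, that should be checked the same way, since the mock it installs is a base64 pass-through and must only ever be reachable from this test. The body of TestEncryptionProviderConfigCorrect continues past the end of the section.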