github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-07 19:23:40 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #116893 from aramase/aramase/t/generate_transformer_test

Browse Source 
[KMSv2] add tests for generate transformer
This commit is contained in:
Kubernetes Prow Robot 2023-04-11 19:16:43 -07:00 committed by GitHub
commit d78ca2a552
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 82 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope.go
View File

@ -265,6 +265,8 @@ func (t *envelopeTransformer) doDecode(originalData []byte) (*kmstypes.Encrypted
return o, nil return o, nil
} }
// GenerateTransformer generates a new transformer and encrypts the DEK using the envelope service.
// It returns the transformer, the encrypted DEK, cache key and error.
func GenerateTransformer(ctx context.Context, uid string, envelopeService kmsservice.Service) (value.Transformer, *kmsservice.EncryptResponse, []byte, error) { func GenerateTransformer(ctx context.Context, uid string, envelopeService kmsservice.Service) (value.Transformer, *kmsservice.EncryptResponse, []byte, error) {
transformer, newKey, err := aestransformer.NewGCMTransformerWithUniqueKeyUnsafe() transformer, newKey, err := aestransformer.NewGCMTransformerWithUniqueKeyUnsafe()
if err != nil { if err != nil {

80
staging/src/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go
View File

@ -990,6 +990,86 @@ func TestGenerateCacheKey(t *testing.T) {
} }
} }
func TestGenerateTransformer(t *testing.T) {
t.Parallel()
testCases := []struct {
name string
envelopeService func() kmsservice.Service
expectedErr string
}{
{
name: "encrypt call fails",
envelopeService: func() kmsservice.Service {
envelopeService := newTestEnvelopeService()
envelopeService.SetDisabledStatus(true)
return envelopeService
},
expectedErr: "Envelope service was disabled",
},
{
name: "invalid key ID",
envelopeService: func() kmsservice.Service {
envelopeService := newTestEnvelopeService()
envelopeService.keyVersion = ""
return envelopeService
},
expectedErr: "failed to validate key id: keyID is empty",
},
{
name: "invalid encrypted DEK",
envelopeService: func() kmsservice.Service {
envelopeService := newTestEnvelopeService()
envelopeService.SetCiphertext([]byte{})
return envelopeService
},
expectedErr: "failed to validate encrypted DEK: encrypted DEK is empty",
},
{
name: "invalid annotations",
envelopeService: func() kmsservice.Service {
envelopeService := newTestEnvelopeService()
envelopeService.SetAnnotations(map[string][]byte{"invalid": {}})
return envelopeService
},
expectedErr: "failed to validate annotations: annotations: Invalid value: \"invalid\": should be a domain with at least two segments separated by dots",
},
{
name: "success",
envelopeService: func() kmsservice.Service {
return newTestEnvelopeService()
},
expectedErr: "",
},
}
for _, tc := range testCases {
tc := tc
t.Run(tc.name, func(t *testing.T) {
t.Parallel()
transformer, encryptResp, cacheKey, err := GenerateTransformer(testContext(t), "panda", tc.envelopeService())
if tc.expectedErr == "" {
if err != nil {
t.Errorf("expected no error, got %q", errString(err))
}
if transformer == nil {
t.Error("expected transformer, got nil")
}
if encryptResp == nil {
t.Error("expected encrypt response, got nil")
}
if cacheKey == nil {
t.Error("expected cache key, got nil")
}
} else {
if err == nil || !strings.Contains(err.Error(), tc.expectedErr) {
t.Errorf("expected error %q, got %q", tc.expectedErr, errString(err))
}
}
})
}
}
func errString(err error) string { func errString(err error) string {
if err == nil { if err == nil {
return "" return ""