constellation/keyservice/kms/azure/hsm_test.go

/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

package azure

import (
	"context"
	"errors"
	"testing"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
	"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"
	"github.com/edgelesssys/constellation/v2/keyservice/kms"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

type stubHSMClient struct {
	keyCreated      bool
	createOCTKeyErr error
	importKeyErr    error
	getKeyErr       error
	keyID           string
	unwrapKeyErr    error
	unwrapKeyResult []byte
	wrapKeyErr      error
}

func (s *stubHSMClient) CreateKey(ctx context.Context, name string, parameters azkeys.CreateKeyParameters, options *azkeys.CreateKeyOptions) (azkeys.CreateKeyResponse, error) {
	s.keyCreated = true
	return azkeys.CreateKeyResponse{}, s.createOCTKeyErr
}

func (s *stubHSMClient) ImportKey(ctx context.Context, name string, parameters azkeys.ImportKeyParameters, options *azkeys.ImportKeyOptions) (azkeys.ImportKeyResponse, error) {
	s.keyCreated = true
	return azkeys.ImportKeyResponse{}, s.importKeyErr
}

func (s *stubHSMClient) GetKey(ctx context.Context, name string, version string, options *azkeys.GetKeyOptions) (azkeys.GetKeyResponse, error) {
	return azkeys.GetKeyResponse{
		KeyBundle: azkeys.KeyBundle{
			Key: &azkeys.JSONWebKey{
				KID: to.Ptr(azkeys.ID(s.keyID)),
			},
		},
	}, s.getKeyErr
}

func (s *stubHSMClient) UnwrapKey(ctx context.Context, name string, version string, parameters azkeys.KeyOperationsParameters, options *azkeys.UnwrapKeyOptions) (azkeys.UnwrapKeyResponse, error) {
	return azkeys.UnwrapKeyResponse{
		KeyOperationResult: azkeys.KeyOperationResult{
			Result: s.unwrapKeyResult,
		},
	}, s.unwrapKeyErr
}

func (s *stubHSMClient) WrapKey(ctx context.Context, name string, version string, parameters azkeys.KeyOperationsParameters, options *azkeys.WrapKeyOptions) (azkeys.WrapKeyResponse, error) {
	return azkeys.WrapKeyResponse{}, s.wrapKeyErr
}

type stubStorage struct {
	key    []byte
	getErr error
	putErr error
}

func (s *stubStorage) Get(context.Context, string) ([]byte, error) {
	return s.key, s.getErr
}

func (s *stubStorage) Put(context.Context, string, []byte) error {
	return s.putErr
}

func TestHSMCreateKEK(t *testing.T) {
	someErr := errors.New("error")
	importKey := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

	testCases := map[string]struct {
		client    *stubHSMClient
		importKey []byte
		wantErr   bool
	}{
		"create new kek successful": {
			client: &stubHSMClient{},
		},
		"CreateOCTKey fails": {
			client:  &stubHSMClient{createOCTKeyErr: someErr},
			wantErr: true,
		},
		"import key successful": {
			client:    &stubHSMClient{},
			importKey: importKey,
		},
		"ImportKey fails": {
			client:    &stubHSMClient{importKeyErr: someErr},
			importKey: importKey,
			wantErr:   true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)

			client := HSMClient{
				client:  tc.client,
				storage: storage.NewMemMapStorage(),
			}

			err := client.CreateKEK(context.Background(), "test-key", tc.importKey)
			if tc.wantErr {
				assert.Error(err)
			} else {
				assert.NoError(err)
				assert.True(tc.client.keyCreated)
			}
		})
	}
}

func TestHSMGetNewDEK(t *testing.T) {
	someErr := errors.New("error")
	keyID := "https://test.managedhsm.azure.net/keys/test-key/test-key-version"

	testCases := map[string]struct {
		client  hsmClientAPI
		storage kms.Storage
		wantErr bool
	}{
		"successful": {
			client:  &stubHSMClient{keyID: keyID},
			storage: storage.NewMemMapStorage(),
		},
		"Get from storage fails": {
			client:  &stubHSMClient{keyID: keyID},
			storage: &stubStorage{getErr: someErr},
			wantErr: true,
		},
		"Put to storage fails": {
			client: &stubHSMClient{keyID: keyID},
			storage: &stubStorage{
				getErr: storage.ErrDEKUnset,
				putErr: someErr,
			},
			wantErr: true,
		},
		"WrapKey fails": {
			client:  &stubHSMClient{keyID: keyID, wrapKeyErr: someErr},
			storage: storage.NewMemMapStorage(),
			wantErr: true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)

			client := HSMClient{
				client:  tc.client,
				storage: tc.storage,
			}

			dek, err := client.GetDEK(context.Background(), "test-key", "volume-01", 32)
			if tc.wantErr {
				assert.Error(err)
			} else {
				assert.Len(dek, 32)
				assert.NoError(err)
			}
		})
	}
}

func TestHSMGetExistingDEK(t *testing.T) {
	someErr := errors.New("error")
	keyVersion := "https://test.managedhsm.azure.net/keys/test-key/test-key-version"
	testKey := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

	testCases := map[string]struct {
		client  hsmClientAPI
		wantErr bool
	}{
		"successful": {
			client: &stubHSMClient{keyID: keyVersion, unwrapKeyResult: testKey},
		},
		"UnwrapKey fails": {
			client:  &stubHSMClient{keyID: keyVersion, unwrapKeyErr: someErr},
			wantErr: true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)
			require := require.New(t)

			keyID := "volume-01"
			storage := storage.NewMemMapStorage()
			require.NoError(storage.Put(context.Background(), keyID, testKey))

			client := HSMClient{
				client:  tc.client,
				storage: storage,
			}

			dek, err := client.GetDEK(context.Background(), "test-key", keyID, len(testKey))
			if tc.wantErr {
				assert.Error(err)
			} else {
				assert.Len(dek, len(testKey))
				assert.NoError(err)
			}
		})
	}
}
add license headers sed -i '1i/\nCopyright (c) Edgeless Systems GmbH\n\nSPDX-License-Identifier: AGPL-3.0-only\n/\n' `grep -rL --include='*.go' 'DO NOT EDIT'` gofumpt -w . 2022-09-05 03:06:08 -04:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`

			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`package azure`

			`import (`
			`"context"`
			`"errors"`
			`"testing"`

Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"`
kms: rename kms to keyservice In the light of extending our eKMS support it will be helpful to have a tighter use of the word "KMS". KMS should refer to the actual component that manages keys. The keyservice, also called KMS in the constellation code, does not manage keys itself. It talks to a KMS backend, which in turn does the actual key management. 2023-01-11 04:08:57 -05:00			`"github.com/edgelesssys/constellation/v2/keyservice/internal/storage"`
			`"github.com/edgelesssys/constellation/v2/keyservice/kms"`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
			`)`

			`type stubHSMClient struct {`
			`keyCreated bool`
			`createOCTKeyErr error`
			`importKeyErr error`
			`getKeyErr error`
Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`keyID string`
			`unwrapKeyErr error`
			`unwrapKeyResult []byte`
			`wrapKeyErr error`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`}`

Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`func (s stubHSMClient) CreateKey(ctx context.Context, name string, parameters azkeys.CreateKeyParameters, options azkeys.CreateKeyOptions) (azkeys.CreateKeyResponse, error) {`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`s.keyCreated = true`
Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`return azkeys.CreateKeyResponse{}, s.createOCTKeyErr`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`}`

Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`func (s stubHSMClient) ImportKey(ctx context.Context, name string, parameters azkeys.ImportKeyParameters, options azkeys.ImportKeyOptions) (azkeys.ImportKeyResponse, error) {`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`s.keyCreated = true`
			`return azkeys.ImportKeyResponse{}, s.importKeyErr`
			`}`

Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`func (s stubHSMClient) GetKey(ctx context.Context, name string, version string, options azkeys.GetKeyOptions) (azkeys.GetKeyResponse, error) {`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`return azkeys.GetKeyResponse{`
			`KeyBundle: azkeys.KeyBundle{`
			`Key: &azkeys.JSONWebKey{`
Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`KID: to.Ptr(azkeys.ID(s.keyID)),`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`},`
			`},`
			`}, s.getKeyErr`
			`}`

Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`func (s stubHSMClient) UnwrapKey(ctx context.Context, name string, version string, parameters azkeys.KeyOperationsParameters, options azkeys.UnwrapKeyOptions) (azkeys.UnwrapKeyResponse, error) {`
			`return azkeys.UnwrapKeyResponse{`
			`KeyOperationResult: azkeys.KeyOperationResult{`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`Result: s.unwrapKeyResult,`
			`},`
			`}, s.unwrapKeyErr`
			`}`

Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`func (s stubHSMClient) WrapKey(ctx context.Context, name string, version string, parameters azkeys.KeyOperationsParameters, options azkeys.WrapKeyOptions) (azkeys.WrapKeyResponse, error) {`
			`return azkeys.WrapKeyResponse{}, s.wrapKeyErr`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`}`

			`type stubStorage struct {`
			`key []byte`
			`getErr error`
			`putErr error`
			`}`

			`func (s *stubStorage) Get(context.Context, string) ([]byte, error) {`
			`return s.key, s.getErr`
			`}`

			`func (s *stubStorage) Put(context.Context, string, []byte) error {`
			`return s.putErr`
			`}`

			`func TestHSMCreateKEK(t *testing.T) {`
			`someErr := errors.New("error")`
			`importKey := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")`

			`testCases := map[string]struct {`
Ref/want err from err expected (#82) consistent naming for test values using 'want' instead of 'expect/ed' 2022-04-26 10:54:05 -04:00			`client *stubHSMClient`
			`importKey []byte`
			`wantErr bool`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`}{`
			`"create new kek successful": {`
			`client: &stubHSMClient{},`
			`},`
			`"CreateOCTKey fails": {`
Ref/want err from err expected (#82) consistent naming for test values using 'want' instead of 'expect/ed' 2022-04-26 10:54:05 -04:00			`client: &stubHSMClient{createOCTKeyErr: someErr},`
			`wantErr: true,`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`},`
			`"import key successful": {`
			`client: &stubHSMClient{},`
			`importKey: importKey,`
			`},`
			`"ImportKey fails": {`
Ref/want err from err expected (#82) consistent naming for test values using 'want' instead of 'expect/ed' 2022-04-26 10:54:05 -04:00			`client: &stubHSMClient{importKeyErr: someErr},`
			`importKey: importKey,`
			`wantErr: true,`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`},`
			`}`

			`for name, tc := range testCases {`
			`t.Run(name, func(t *testing.T) {`
			`assert := assert.New(t)`

			`client := HSMClient{`
			`client: tc.client,`
			`storage: storage.NewMemMapStorage(),`
			`}`

			`err := client.CreateKEK(context.Background(), "test-key", tc.importKey)`
Ref/want err from err expected (#82) consistent naming for test values using 'want' instead of 'expect/ed' 2022-04-26 10:54:05 -04:00			`if tc.wantErr {`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`assert.Error(err)`
			`} else {`
			`assert.NoError(err)`
			`assert.True(tc.client.keyCreated)`
			`}`
			`})`
			`}`
			`}`

			`func TestHSMGetNewDEK(t *testing.T) {`
			`someErr := errors.New("error")`
Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`keyID := "https://test.managedhsm.azure.net/keys/test-key/test-key-version"`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00
			`testCases := map[string]struct {`
Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`client hsmClientAPI`
			`storage kms.Storage`
			`wantErr bool`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`}{`
			`"successful": {`
Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`client: &stubHSMClient{keyID: keyID},`
			`storage: storage.NewMemMapStorage(),`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`},`
			`"Get from storage fails": {`
Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`client: &stubHSMClient{keyID: keyID},`
			`storage: &stubStorage{getErr: someErr},`
			`wantErr: true,`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`},`
			`"Put to storage fails": {`
Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`client: &stubHSMClient{keyID: keyID},`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`storage: &stubStorage{`
			`getErr: storage.ErrDEKUnset,`
			`putErr: someErr,`
			`},`
Ref/want err from err expected (#82) consistent naming for test values using 'want' instead of 'expect/ed' 2022-04-26 10:54:05 -04:00			`wantErr: true,`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`},`
			`"WrapKey fails": {`
Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`client: &stubHSMClient{keyID: keyID, wrapKeyErr: someErr},`
			`storage: storage.NewMemMapStorage(),`
			`wantErr: true,`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`},`
			`}`

			`for name, tc := range testCases {`
			`t.Run(name, func(t *testing.T) {`
			`assert := assert.New(t)`

			`client := HSMClient{`
Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`client: tc.client,`
			`storage: tc.storage,`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`}`

			`dek, err := client.GetDEK(context.Background(), "test-key", "volume-01", 32)`
Ref/want err from err expected (#82) consistent naming for test values using 'want' instead of 'expect/ed' 2022-04-26 10:54:05 -04:00			`if tc.wantErr {`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`assert.Error(err)`
			`} else {`
			`assert.Len(dek, 32)`
			`assert.NoError(err)`
			`}`
			`})`
			`}`
			`}`

			`func TestHSMGetExistingDEK(t *testing.T) {`
			`someErr := errors.New("error")`
			`keyVersion := "https://test.managedhsm.azure.net/keys/test-key/test-key-version"`
			`testKey := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")`

			`testCases := map[string]struct {`
Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`client hsmClientAPI`
			`wantErr bool`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`}{`
			`"successful": {`
Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`client: &stubHSMClient{keyID: keyVersion, unwrapKeyResult: testKey},`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`},`
			`"UnwrapKey fails": {`
Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`client: &stubHSMClient{keyID: keyVersion, unwrapKeyErr: someErr},`
			`wantErr: true,`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`},`
			`}`

			`for name, tc := range testCases {`
			`t.Run(name, func(t *testing.T) {`
			`assert := assert.New(t)`
			`require := require.New(t)`

			`keyID := "volume-01"`
			`storage := storage.NewMemMapStorage()`
			`require.NoError(storage.Put(context.Background(), keyID, testKey))`

			`client := HSMClient{`
Upgrade Azure SDK Signed-off-by: Malte Poll <mp@edgeless.systems> 2022-07-27 16:02:33 -04:00			`client: tc.client,`
			`storage: storage,`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`}`

			`dek, err := client.GetDEK(context.Background(), "test-key", keyID, len(testKey))`
Ref/want err from err expected (#82) consistent naming for test values using 'want' instead of 'expect/ed' 2022-04-26 10:54:05 -04:00			`if tc.wantErr {`
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`assert.Error(err)`
			`} else {`
			`assert.Len(dek, len(testKey))`
			`assert.NoError(err)`
			`}`
			`})`
			`}`
			`}`