constellation/kms/kms/azure/azure_test.go

package azure

import (
	"context"
	"encoding/base64"
	"errors"
	"testing"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
	"github.com/edgelesssys/constellation/kms/kms"
	"github.com/edgelesssys/constellation/kms/storage"
	"github.com/stretchr/testify/assert"
)

type stubAzureClient struct {
	setSecretCalled bool
	setSecretErr    error
	getSecretErr    error
	secret          []byte
}

func (s *stubAzureClient) SetSecret(ctx context.Context, secretName string, value string, options *azsecrets.SetSecretOptions) (azsecrets.SetSecretResponse, error) {
	s.setSecretCalled = true
	return azsecrets.SetSecretResponse{}, s.setSecretErr
}

func (s *stubAzureClient) GetSecret(ctx context.Context, secretName string, options *azsecrets.GetSecretOptions) (azsecrets.GetSecretResponse, error) {
	return azsecrets.GetSecretResponse{
		Secret: azsecrets.Secret{Value: to.StringPtr(base64.StdEncoding.EncodeToString(s.secret))},
	}, s.getSecretErr
}

func TestKMSCreateKEK(t *testing.T) {
	someErr := errors.New("error")
	importKey := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

	testCases := map[string]struct {
		client      *stubAzureClient
		importKey   []byte
		errExpected bool
	}{
		"create new kek successful": {
			client: &stubAzureClient{},
		},
		"import kek successful": {
			client:    &stubAzureClient{},
			importKey: importKey,
		},
		"SetSecret fails on new": {
			client:      &stubAzureClient{setSecretErr: someErr},
			errExpected: true,
		},
		"SetSecret fails on import": {
			client:      &stubAzureClient{setSecretErr: someErr},
			importKey:   importKey,
			errExpected: true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)

			client := &KMSClient{
				client: tc.client,
				opts:   &Opts{},
			}

			err := client.CreateKEK(context.Background(), "test-key", tc.importKey)
			if tc.errExpected {
				assert.Error(err)
			} else {
				assert.NoError(err)
				assert.True(tc.client.setSecretCalled)
			}
		})
	}
}

func TestKMSGetDEK(t *testing.T) {
	someErr := errors.New("error")
	wrapKey := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

	testCases := map[string]struct {
		client      kmsClientAPI
		storage     kms.Storage
		errExpected bool
	}{
		"successful for new key": {
			client:  &stubAzureClient{secret: wrapKey},
			storage: storage.NewMemMapStorage(),
		},
		"successful for existing key": {
			// test keys taken from `kms/util/crypto_test.go`
			client:  &stubAzureClient{secret: []byte{0xD6, 0x8A, 0xED, 0xF5, 0xDB, 0x89, 0x95, 0x66, 0xA9, 0xFF, 0xD9, 0x31, 0x27, 0x4E, 0x30, 0x2D, 0x21, 0xA9, 0x46, 0x21, 0x16, 0x6C, 0x16, 0x17, 0xD1, 0x96, 0x5D, 0xB2, 0xE9, 0x0E, 0x96, 0xD1}},
			storage: &stubStorage{key: []byte{0x14, 0x48, 0xC4, 0xEA, 0x4B, 0x4B, 0xCA, 0xE4, 0x5A, 0xD4, 0xCC, 0xE3, 0xF7, 0xDD, 0xD5, 0x78, 0xA5, 0xA9, 0xEF, 0x9A, 0x93, 0x36, 0x09, 0xD6, 0x23, 0x01, 0xF5, 0x5F, 0xE1, 0x20, 0xDD, 0xFC, 0xBC, 0xF3, 0xA9, 0x67, 0x8B, 0x89, 0x54, 0x96}},
		},
		"Get from storage fails": {
			client:      &stubAzureClient{},
			storage:     &stubStorage{getErr: someErr},
			errExpected: true,
		},
		"Put to storage fails": {
			client: &stubAzureClient{secret: wrapKey},
			storage: &stubStorage{
				getErr: storage.ErrDEKUnset,
				putErr: someErr,
			},
			errExpected: true,
		},
		"GetSecret fails": {
			client:      &stubAzureClient{getSecretErr: someErr},
			storage:     storage.NewMemMapStorage(),
			errExpected: true,
		},
		"GetSecret fails with unknown kek": {
			client:      &stubAzureClient{getSecretErr: errors.New("SecretNotFound")},
			storage:     storage.NewMemMapStorage(),
			errExpected: true,
		},
		"key wrapping fails": {
			client:      &stubAzureClient{secret: []byte{0x1}},
			storage:     storage.NewMemMapStorage(),
			errExpected: true,
		},
		"key unwrapping fails": {
			client:      &stubAzureClient{secret: wrapKey},
			storage:     &stubStorage{key: []byte{0x1}},
			errExpected: true,
		},
	}

	for name, tc := range testCases {
		t.Run(name, func(t *testing.T) {
			assert := assert.New(t)

			client := KMSClient{
				client:  tc.client,
				storage: tc.storage,
				opts:    &Opts{},
			}

			dek, err := client.GetDEK(context.Background(), "test-key", "volume-01", 32)
			if tc.errExpected {
				assert.Error(err)
			} else {
				assert.Len(dek, 32)
				assert.NoError(err)
			}
		})
	}
}
Add Azure KMS unit tests Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-03-24 13:00:17 -04:00			`package azure`

			`import (`
			`"context"`
			`"encoding/base64"`
			`"errors"`
			`"testing"`

			`"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"`
			`"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"`
			`"github.com/edgelesssys/constellation/kms/kms"`
			`"github.com/edgelesssys/constellation/kms/storage"`
			`"github.com/stretchr/testify/assert"`
			`)`

			`type stubAzureClient struct {`
			`setSecretCalled bool`
			`setSecretErr error`
			`getSecretErr error`
			`secret []byte`
			`}`

			`func (s stubAzureClient) SetSecret(ctx context.Context, secretName string, value string, options azsecrets.SetSecretOptions) (azsecrets.SetSecretResponse, error) {`
			`s.setSecretCalled = true`
			`return azsecrets.SetSecretResponse{}, s.setSecretErr`
			`}`

			`func (s stubAzureClient) GetSecret(ctx context.Context, secretName string, options azsecrets.GetSecretOptions) (azsecrets.GetSecretResponse, error) {`
			`return azsecrets.GetSecretResponse{`
			`Secret: azsecrets.Secret{Value: to.StringPtr(base64.StdEncoding.EncodeToString(s.secret))},`
			`}, s.getSecretErr`
			`}`

			`func TestKMSCreateKEK(t *testing.T) {`
			`someErr := errors.New("error")`
			`importKey := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")`

			`testCases := map[string]struct {`
			`client *stubAzureClient`
			`importKey []byte`
			`errExpected bool`
			`}{`
			`"create new kek successful": {`
			`client: &stubAzureClient{},`
			`},`
			`"import kek successful": {`
			`client: &stubAzureClient{},`
			`importKey: importKey,`
			`},`
			`"SetSecret fails on new": {`
			`client: &stubAzureClient{setSecretErr: someErr},`
			`errExpected: true,`
			`},`
			`"SetSecret fails on import": {`
			`client: &stubAzureClient{setSecretErr: someErr},`
			`importKey: importKey,`
			`errExpected: true,`
			`},`
			`}`

			`for name, tc := range testCases {`
			`t.Run(name, func(t *testing.T) {`
			`assert := assert.New(t)`

			`client := &KMSClient{`
			`client: tc.client,`
			`opts: &Opts{},`
			`}`

			`err := client.CreateKEK(context.Background(), "test-key", tc.importKey)`
			`if tc.errExpected {`
			`assert.Error(err)`
			`} else {`
			`assert.NoError(err)`
			`assert.True(tc.client.setSecretCalled)`
			`}`
			`})`
			`}`
			`}`

			`func TestKMSGetDEK(t *testing.T) {`
			`someErr := errors.New("error")`
			`wrapKey := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")`

			`testCases := map[string]struct {`
			`client kmsClientAPI`
			`storage kms.Storage`
			`errExpected bool`
			`}{`
			`"successful for new key": {`
			`client: &stubAzureClient{secret: wrapKey},`
			`storage: storage.NewMemMapStorage(),`
			`},`
			`"successful for existing key": {`
			// test keys taken from `kms/util/crypto_test.go`
			`client: &stubAzureClient{secret: []byte{0xD6, 0x8A, 0xED, 0xF5, 0xDB, 0x89, 0x95, 0x66, 0xA9, 0xFF, 0xD9, 0x31, 0x27, 0x4E, 0x30, 0x2D, 0x21, 0xA9, 0x46, 0x21, 0x16, 0x6C, 0x16, 0x17, 0xD1, 0x96, 0x5D, 0xB2, 0xE9, 0x0E, 0x96, 0xD1}},`
			`storage: &stubStorage{key: []byte{0x14, 0x48, 0xC4, 0xEA, 0x4B, 0x4B, 0xCA, 0xE4, 0x5A, 0xD4, 0xCC, 0xE3, 0xF7, 0xDD, 0xD5, 0x78, 0xA5, 0xA9, 0xEF, 0x9A, 0x93, 0x36, 0x09, 0xD6, 0x23, 0x01, 0xF5, 0x5F, 0xE1, 0x20, 0xDD, 0xFC, 0xBC, 0xF3, 0xA9, 0x67, 0x8B, 0x89, 0x54, 0x96}},`
			`},`
			`"Get from storage fails": {`
			`client: &stubAzureClient{},`
			`storage: &stubStorage{getErr: someErr},`
			`errExpected: true,`
			`},`
			`"Put to storage fails": {`
			`client: &stubAzureClient{secret: wrapKey},`
			`storage: &stubStorage{`
			`getErr: storage.ErrDEKUnset,`
			`putErr: someErr,`
			`},`
			`errExpected: true,`
			`},`
			`"GetSecret fails": {`
			`client: &stubAzureClient{getSecretErr: someErr},`
			`storage: storage.NewMemMapStorage(),`
			`errExpected: true,`
			`},`
			`"GetSecret fails with unknown kek": {`
			`client: &stubAzureClient{getSecretErr: errors.New("SecretNotFound")},`
			`storage: storage.NewMemMapStorage(),`
			`errExpected: true,`
			`},`
			`"key wrapping fails": {`
			`client: &stubAzureClient{secret: []byte{0x1}},`
			`storage: storage.NewMemMapStorage(),`
			`errExpected: true,`
			`},`
			`"key unwrapping fails": {`
			`client: &stubAzureClient{secret: wrapKey},`
			`storage: &stubStorage{key: []byte{0x1}},`
			`errExpected: true,`
			`},`
			`}`

			`for name, tc := range testCases {`
			`t.Run(name, func(t *testing.T) {`
			`assert := assert.New(t)`

			`client := KMSClient{`
			`client: tc.client,`
			`storage: tc.storage,`
			`opts: &Opts{},`
			`}`

			`dek, err := client.GetDEK(context.Background(), "test-key", "volume-01", 32)`
			`if tc.errExpected {`
			`assert.Error(err)`
			`} else {`
			`assert.Len(dek, 32)`
			`assert.NoError(err)`
			`}`
			`})`
			`}`
			`}`