Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-06-04 12:49:54 -04:00
Code Issues Projects Releases Packages Wiki Activity

internal: use go-kms-wrapping for KMS backends (#1012)

Browse source 
* Replace external KMS backend logic for AWS, Azure, and GCP with go-kms-wrapping

* Move kms client setup config into its own package for easier parsing

* Update kms integration flag naming

* Error if nil storage is passed to external KMS

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2023-02-08 12:03:54 +01:00 committed by GitHub
parent 68ce23b909
commit 3a7b829107
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
36 changed files with 1319 additions and 3121 deletions
Download patch file Download diff file Expand all files Collapse all files

49
internal/kms/setup/setup_test.go
View file

@ -90,11 +90,7 @@ func TestGetKMS(t *testing.T) {
wantErr: true,
},
"azure kms": {
uri: fmt.Sprintf(AzureKMSURI, "", "", ""),
wantErr: true,
},
"azure hsm": {
uri: fmt.Sprintf(AzureHSMURI, "", ""),
uri: fmt.Sprintf(AzureKMSURI, "", "", "", "", "", ""),
wantErr: true,
},
"gcp kms": {
@ -175,49 +171,6 @@ func TestGetAzureBlobConfig(t *testing.T) {
assert.Equal(connStr, rConnStr)
}
func TestGetGCPKMSConfig(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
project := "test-project"
location := "global"
keyRing := "test-ring"
protectionLvl := "2"
kekID := base64.URLEncoding.EncodeToString([]byte(constellationKekID))
uri, err := url.Parse(fmt.Sprintf(GCPKMSURI, project, location, keyRing, protectionLvl, kekID))
require.NoError(err)
rProject, rLocation, rKeyRing, rProtectionLvl, rKekID, err := getGCPKMSConfig(uri)
require.NoError(err)
assert.Equal(project, rProject)
assert.Equal(location, rLocation)
assert.Equal(keyRing, rKeyRing)
assert.Equal(int32(2), rProtectionLvl)
assert.Equal(constellationKekID, rKekID)
uri, err = url.Parse(fmt.Sprintf(GCPKMSURI, project, location, keyRing, "invalid", kekID))
require.NoError(err)
_, _, _, _, _, err = getGCPKMSConfig(uri)
assert.Error(err)
}
func TestGetClusterKMSConfig(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
expectedSalt := []byte{
0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf,
0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf,
}
masterSecretIn := MasterSecret{Key: []byte("key"), Salt: expectedSalt}
uri, err := url.Parse(masterSecretIn.EncodeToURI())
require.NoError(err)
masterSecretOut, err := getClusterKMSConfig(uri)
assert.NoError(err)
assert.Equal(expectedSalt, masterSecretOut.Salt)
}
func TestGetConfig(t *testing.T) {
const testURI = "test://config?name=test-name&data=test-data&value=test-value"