Update GCP KMS tests and implementation

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße 2022-03-25 11:02:02 +01:00 committed by Daniel Weiße
parent fefff8ee92
commit f1299a40f4
4 changed files with 364 additions and 293 deletions

View File

@ -113,7 +113,7 @@ func getKMS(ctx context.Context, kmsURI string, store kms.Storage) (kms.CloudKMS
if err != nil {
return nil, err
}
return gcp.New(project, location, keyRing, store, kmspb.ProtectionLevel(protectionLvl)), nil
return gcp.New(ctx, project, location, keyRing, store, kmspb.ProtectionLevel(protectionLvl))
case "cluster-kms":
return &ClusterKMS{}, nil

View File

@ -7,6 +7,7 @@ import (
"crypto/sha1"
"errors"
"fmt"
"io"
"strings"
"time"
@ -18,23 +19,36 @@ import (
"github.com/googleapis/gax-go/v2"
"google.golang.org/api/option"
kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)
type clientAPI interface {
io.Closer
CreateCryptoKey(context.Context, *kmspb.CreateCryptoKeyRequest, ...gax.CallOption) (*kmspb.CryptoKey, error)
CreateImportJob(context.Context, *kmspb.CreateImportJobRequest, ...gax.CallOption) (*kmspb.ImportJob, error)
Decrypt(context.Context, *kmspb.DecryptRequest, ...gax.CallOption) (*kmspb.DecryptResponse, error)
Encrypt(context.Context, *kmspb.EncryptRequest, ...gax.CallOption) (*kmspb.EncryptResponse, error)
GetKeyRing(context.Context, *kmspb.GetKeyRingRequest, ...gax.CallOption) (*kmspb.KeyRing, error)
ImportCryptoKeyVersion(context.Context, *kmspb.ImportCryptoKeyVersionRequest, ...gax.CallOption) (*kmspb.CryptoKeyVersion, error)
UpdateCryptoKeyPrimaryVersion(context.Context, *kmspb.UpdateCryptoKeyPrimaryVersionRequest, ...gax.CallOption) (*kmspb.CryptoKey, error)
GetImportJob(context.Context, *kmspb.GetImportJobRequest, ...gax.CallOption) (*kmspb.ImportJob, error)
}
// KMSClient implements the CloudKMS interface for Google Cloud Platform.
type KMSClient struct {
projectID string
locationID string
keyRingID string
newClient func(ctx context.Context, opts ...option.ClientOption) (clientAPI, error)
waitBackoffLimit int
storage kmsInterface.Storage
protectionLevel kmspb.ProtectionLevel
opts []gax.CallOption
// Used for testing purposes
clientOpts []option.ClientOption
}
// New initializes a KMS client for Google Cloud Platform.
func New(projectID, locationID, keyRingID string, store kmsInterface.Storage, protectionLvl kmspb.ProtectionLevel, opts ...gax.CallOption) *KMSClient {
func New(ctx context.Context, projectID, locationID, keyRingID string, store kmsInterface.Storage, protectionLvl kmspb.ProtectionLevel, opts ...gax.CallOption) (*KMSClient, error) {
if store == nil {
store = storage.NewMemMapStorage()
}
@ -43,22 +57,30 @@ func New(projectID, locationID, keyRingID string, store kmsInterface.Storage, pr
protectionLvl = kmspb.ProtectionLevel_SOFTWARE
}
return &KMSClient{
c := &KMSClient{
projectID: projectID,
locationID: locationID,
keyRingID: keyRingID,
newClient: keyManagementClientFactory,
waitBackoffLimit: 10,
storage: store,
protectionLevel: protectionLvl,
opts: opts,
}
// test if the KMS can be reached with the given configuration
if err := c.testConnection(ctx); err != nil {
return nil, fmt.Errorf("testing connection to GCP KMS: %w", err)
}
return c, nil
}
// CreateKEK creates a new Key Encryption Key using Google Key Management System.
//
// If no key material is provided, a new key is generated by Google's KMS, otherwise the key material is used to import the key.
func (c *KMSClient) CreateKEK(ctx context.Context, keyID string, key []byte) error {
client, err := kms.NewKeyManagementClient(ctx, c.clientOpts...)
client, err := c.newClient(ctx)
if err != nil {
return err
}
@ -81,6 +103,12 @@ func (c *KMSClient) CreateKEK(ctx context.Context, keyID string, key []byte) err
// GetDEK fetches an encrypted Data Encryption Key from storage and decrypts it using a KEK stored in Google's KMS.
func (c *KMSClient) GetDEK(ctx context.Context, kekID, keyID string, dekSize int) ([]byte, error) {
client, err := c.newClient(ctx)
if err != nil {
return nil, err
}
defer client.Close()
encryptedDEK, err := c.storage.Get(ctx, keyID)
if err != nil {
if !errors.Is(err, storage.ErrDEKUnset) {
@ -92,15 +120,9 @@ func (c *KMSClient) GetDEK(ctx context.Context, kekID, keyID string, dekSize int
if err != nil {
return nil, fmt.Errorf("could not generate key: %w", err)
}
return newDEK, c.putDEK(ctx, kekID, keyID, newDEK)
return newDEK, c.putDEK(ctx, client, kekID, keyID, newDEK)
}
client, err := kms.NewKeyManagementClient(ctx, c.clientOpts...)
if err != nil {
return nil, err
}
defer client.Close()
request := &kmspb.DecryptRequest{
Name: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", c.projectID, c.locationID, c.keyRingID, kekID),
Ciphertext: encryptedDEK,
@ -108,7 +130,7 @@ func (c *KMSClient) GetDEK(ctx context.Context, kekID, keyID string, dekSize int
res, err := client.Decrypt(ctx, request, c.opts...)
if err != nil {
if strings.Contains(err.Error(), "code = NotFound") {
if status.Convert(err).Code() == codes.NotFound {
return nil, kmsInterface.ErrKEKUnknown
}
return nil, fmt.Errorf("decrypting DEK: %w", err)
@ -118,13 +140,7 @@ func (c *KMSClient) GetDEK(ctx context.Context, kekID, keyID string, dekSize int
}
// putDEK encrypts a Data Encryption Key using a KEK stored in Google's KMS and saves it to storage.
func (c *KMSClient) putDEK(ctx context.Context, kekID, keyID string, plainDEK []byte) error {
client, err := kms.NewKeyManagementClient(ctx, c.clientOpts...)
if err != nil {
return err
}
defer client.Close()
func (c *KMSClient) putDEK(ctx context.Context, client clientAPI, kekID, keyID string, plainDEK []byte) error {
request := &kmspb.EncryptRequest{
Name: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", c.projectID, c.locationID, c.keyRingID, kekID),
Plaintext: plainDEK,
@ -132,7 +148,7 @@ func (c *KMSClient) putDEK(ctx context.Context, kekID, keyID string, plainDEK []
res, err := client.Encrypt(ctx, request, c.opts...)
if err != nil {
if strings.Contains(err.Error(), "code = NotFound") {
if status.Convert(err).Code() == codes.NotFound {
return kmsInterface.ErrKEKUnknown
}
return fmt.Errorf("encrypting DEK: %w", err)
@ -142,7 +158,7 @@ func (c *KMSClient) putDEK(ctx context.Context, kekID, keyID string, plainDEK []
}
// createNewKEK creates a new symmetric Crypto Key in Google's KMS.
func (c *KMSClient) createNewKEK(ctx context.Context, keyID string, client *kms.KeyManagementClient, importOnly bool) (*kmspb.CryptoKey, error) {
func (c *KMSClient) createNewKEK(ctx context.Context, keyID string, client clientAPI, importOnly bool) (*kmspb.CryptoKey, error) {
request := &kmspb.CreateCryptoKeyRequest{
Parent: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s", c.projectID, c.locationID, c.keyRingID),
CryptoKeyId: keyID,
@ -168,7 +184,7 @@ func (c *KMSClient) createNewKEK(ctx context.Context, keyID string, client *kms.
//
// Keys in the Google KMS can not be removed, only disabled and/or key material destroyed.
// Since we create the initial key with `SkipInitialVersionCreation=true`, no key material is created and we do not perform any cleanup on failure.
func (c *KMSClient) importKEK(ctx context.Context, keyID string, key []byte, client *kms.KeyManagementClient) (*kmspb.CryptoKey, error) {
func (c *KMSClient) importKEK(ctx context.Context, keyID string, key []byte, client clientAPI) (*kmspb.CryptoKey, error) {
// we need an empty crypto key to import into
parentKey, err := c.createNewKEK(ctx, keyID, client, true)
if err != nil {
@ -228,7 +244,7 @@ func (c *KMSClient) importKEK(ctx context.Context, keyID string, key []byte, cli
}
// waitBackoff is a utility function to wait for the creation of an import job.
func (c *KMSClient) waitBackoff(ctx context.Context, jobName string, client *kms.KeyManagementClient) (*kmspb.ImportJob, bool) {
func (c *KMSClient) waitBackoff(ctx context.Context, jobName string, client clientAPI) (*kmspb.ImportJob, bool) {
for i := 0; i < c.waitBackoffLimit; i++ {
res, err := client.GetImportJob(ctx, &kmspb.GetImportJobRequest{
Name: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/importJobs/%s", c.projectID, c.locationID, c.keyRingID, jobName),
@ -243,6 +259,26 @@ func (c *KMSClient) waitBackoff(ctx context.Context, jobName string, client *kms
return nil, false
}
// testConnection checks if the KMS is reachable with the given configuration.
func (c *KMSClient) testConnection(ctx context.Context) error {
client, err := c.newClient(ctx)
if err != nil {
return err
}
defer client.Close()
if _, err := client.GetKeyRing(ctx, &kmspb.GetKeyRingRequest{
Name: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s", c.projectID, c.locationID, c.keyRingID),
}); err != nil {
return fmt.Errorf("GCP KMS not reachable: %w", err)
}
return nil
}
func keyManagementClientFactory(ctx context.Context, opts ...option.ClientOption) (clientAPI, error) {
return kms.NewKeyManagementClient(ctx, opts...)
}
// wrapCryptoKey wraps a key for import using a public RSA key, see: https://cloud.google.com/kms/docs/wrapping-a-key
func wrapCryptoKey(key []byte, wrapKeyRSA *rsa.PublicKey) ([]byte, error) {
// Enforce 256bit key length

View File

@ -3,28 +3,20 @@ package gcp
import (
"context"
"errors"
"fmt"
"net"
"strings"
"testing"
"github.com/edgelesssys/constellation/kms/config"
kmsInterface "github.com/edgelesssys/constellation/kms/kms"
"github.com/edgelesssys/constellation/kms/kms/util"
"github.com/edgelesssys/constellation/kms/storage"
"github.com/googleapis/gax-go/v2"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/api/option"
kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure"
"google.golang.org/grpc/metadata"
"google.golang.org/protobuf/proto"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)
var (
testKey = []byte{0x52, 0xFD, 0xFC, 0x07, 0x21, 0x82, 0x65, 0x4F, 0x16, 0x3F, 0x5F, 0x0F, 0x9A, 0x62, 0x1D, 0x72, 0x95, 0x66, 0xC7, 0x4D, 0x10, 0x03, 0x7C, 0x4D, 0x7B, 0xBB, 0x04, 0x07, 0xD1, 0xE2, 0xC6, 0x49}
testKeyRSA = `-----BEGIN PUBLIC KEY-----
var testKeyRSA = `-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu+OepfHCTiTi27nkTGke
dn+AIkiM1AIWWDwqfqG85aNulcj60mGQGXIYV8LoEVkyKOhYBIUmJUaVczB4ltqq
ZhR7l46RQw2vnv+XiUmfK555d4ZDInyjTusO69hE6tkuYKdXLlG1HzcrhJ254LE2
@ -38,310 +30,346 @@ Ubhn4tvjy/q5XzVqZtBeoseW2TyyrsAN53LBkSqag5tG/264CQDigQ6Y/OADOE2x
n08MyrFHIL/wFMscOvJo7c2Eo4EW1yXkEkAy5tF5PZgnfRObakj4gdqPeq18FNzc
Y+t5OxL3kL15VzY1Ob0d5cMCAwEAAQ==
-----END PUBLIC KEY-----`
)
// Google KMS testing implementation taken from: https://github.com/googleapis/google-cloud-go/blob/kms/v1.1.0/kms/apiv1/mock_test.go
//
// To keep the tests simple this only implements the methods required by our Google KMS client.
// More methods can be added as needed.
type mockKeyManagementServer struct {
// Embed for forward compatibility.
// Tests will keep working if more methods are added
// in the future.
kmspb.KeyManagementServiceServer
reqs []proto.Message
// If set, all calls return this error.
err error
// responses to return if err == nil
resps []proto.Message
type stubGCPClient struct {
createErr error
createCryptoKeyCalled bool
createCryptoKeyErr error
createImportJobErr error
decryptResponse []byte
decryptErr error
encryptErr error
getKeyRingErr error
importCryptoKeyVersionErr error
updateCryptoKeyPrimaryVersionCalled bool
updateCryptoKeyPrimaryVersionErr error
getImportJobErr error
getImportJobResponse *kmspb.ImportJob
}
// CreateCryptoKey creates a new KEK.
func (s *mockKeyManagementServer) CreateCryptoKey(ctx context.Context, req *kmspb.CreateCryptoKeyRequest) (*kmspb.CryptoKey, error) {
md, _ := metadata.FromIncomingContext(ctx)
if xg := md["x-goog-api-client"]; len(xg) == 0 || !strings.Contains(xg[0], "gl-go/") {
return nil, fmt.Errorf("x-goog-api-client = %v, expected gl-go key", xg)
func newStubGCPClientFactory(stub *stubGCPClient) func(ctx context.Context, opts ...option.ClientOption) (clientAPI, error) {
return func(ctx context.Context, opts ...option.ClientOption) (clientAPI, error) {
return stub, stub.createErr
}
s.reqs = append(s.reqs, req)
if s.err != nil {
return nil, s.err
}
return s.popResponse().(*kmspb.CryptoKey), nil
}
// Decrypt performs decryption.
func (s *mockKeyManagementServer) Decrypt(ctx context.Context, req *kmspb.DecryptRequest) (*kmspb.DecryptResponse, error) {
md, _ := metadata.FromIncomingContext(ctx)
if xg := md["x-goog-api-client"]; len(xg) == 0 || !strings.Contains(xg[0], "gl-go/") {
return nil, fmt.Errorf("x-goog-api-client = %v, expected gl-go key", xg)
}
s.reqs = append(s.reqs, req)
if s.err != nil {
return nil, s.err
}
res := s.popResponse().(*kmspb.DecryptResponse)
res.Plaintext = make([]byte, len(req.Ciphertext))
for i, v := range req.Ciphertext {
res.Plaintext[len(res.Plaintext)-1-i] = v
}
return res, nil
func (s *stubGCPClient) Close() error {
return nil
}
// Encrypt performs encryption.
func (s *mockKeyManagementServer) Encrypt(ctx context.Context, req *kmspb.EncryptRequest) (*kmspb.EncryptResponse, error) {
md, _ := metadata.FromIncomingContext(ctx)
if xg := md["x-goog-api-client"]; len(xg) == 0 || !strings.Contains(xg[0], "gl-go/") {
return nil, fmt.Errorf("x-goog-api-client = %v, expected gl-go key", xg)
}
s.reqs = append(s.reqs, req)
if s.err != nil {
return nil, s.err
}
res := s.popResponse().(*kmspb.EncryptResponse)
// Reverse the input string to generate a ciphertext
res.Ciphertext = make([]byte, len(req.Plaintext))
for i, v := range req.Plaintext {
res.Ciphertext[len(res.Ciphertext)-1-i] = v
}
return res, nil
func (s *stubGCPClient) CreateCryptoKey(ctx context.Context, req *kmspb.CreateCryptoKeyRequest, opts ...gax.CallOption) (*kmspb.CryptoKey, error) {
s.createCryptoKeyCalled = true
return &kmspb.CryptoKey{}, s.createCryptoKeyErr
}
// CreateImportJob creates a new import job.
func (s *mockKeyManagementServer) CreateImportJob(ctx context.Context, req *kmspb.CreateImportJobRequest) (*kmspb.ImportJob, error) {
md, _ := metadata.FromIncomingContext(ctx)
if xg := md["x-goog-api-client"]; len(xg) == 0 || !strings.Contains(xg[0], "gl-go/") {
return nil, fmt.Errorf("x-goog-api-client = %v, expected gl-go key", xg)
}
s.reqs = append(s.reqs, req)
if s.err != nil {
return nil, s.err
}
return s.popResponse().(*kmspb.ImportJob), nil
func (s *stubGCPClient) CreateImportJob(ctx context.Context, req *kmspb.CreateImportJobRequest, opts ...gax.CallOption) (*kmspb.ImportJob, error) {
return &kmspb.ImportJob{}, s.createImportJobErr
}
// ImportCryptoKeyVersion imports a KEK using an import job.
func (s *mockKeyManagementServer) ImportCryptoKeyVersion(ctx context.Context, req *kmspb.ImportCryptoKeyVersionRequest) (*kmspb.CryptoKeyVersion, error) {
md, _ := metadata.FromIncomingContext(ctx)
if xg := md["x-goog-api-client"]; len(xg) == 0 || !strings.Contains(xg[0], "gl-go/") {
return nil, fmt.Errorf("x-goog-api-client = %v, expected gl-go key", xg)
}
s.reqs = append(s.reqs, req)
if s.err != nil {
return nil, s.err
}
return s.popResponse().(*kmspb.CryptoKeyVersion), nil
func (s *stubGCPClient) Decrypt(ctx context.Context, req *kmspb.DecryptRequest, opts ...gax.CallOption) (*kmspb.DecryptResponse, error) {
return &kmspb.DecryptResponse{Plaintext: s.decryptResponse}, s.decryptErr
}
// UpdateCryptoKeyPrimaryVersion sets the primary version of a KEK.
func (s *mockKeyManagementServer) UpdateCryptoKeyPrimaryVersion(ctx context.Context, req *kmspb.UpdateCryptoKeyPrimaryVersionRequest) (*kmspb.CryptoKey, error) {
md, _ := metadata.FromIncomingContext(ctx)
if xg := md["x-goog-api-client"]; len(xg) == 0 || !strings.Contains(xg[0], "gl-go/") {
return nil, fmt.Errorf("x-goog-api-client = %v, expected gl-go key", xg)
}
s.reqs = append(s.reqs, req)
if s.err != nil {
return nil, s.err
}
return s.popResponse().(*kmspb.CryptoKey), nil
func (s *stubGCPClient) Encrypt(ctx context.Context, req *kmspb.EncryptRequest, opts ...gax.CallOption) (*kmspb.EncryptResponse, error) {
return &kmspb.EncryptResponse{}, s.encryptErr
}
// GetImportJob returns information about a running import job.
func (s *mockKeyManagementServer) GetImportJob(ctx context.Context, req *kmspb.GetImportJobRequest) (*kmspb.ImportJob, error) {
md, _ := metadata.FromIncomingContext(ctx)
if xg := md["x-goog-api-client"]; len(xg) == 0 || !strings.Contains(xg[0], "gl-go/") {
return nil, fmt.Errorf("x-goog-api-client = %v, expected gl-go key", xg)
}
s.reqs = append(s.reqs, req)
if s.err != nil {
return nil, s.err
}
return s.popResponse().(*kmspb.ImportJob), nil
func (s *stubGCPClient) GetKeyRing(ctx context.Context, req *kmspb.GetKeyRingRequest, opts ...gax.CallOption) (*kmspb.KeyRing, error) {
return &kmspb.KeyRing{}, s.getKeyRingErr
}
func (s *mockKeyManagementServer) popResponse() proto.Message {
resp := s.resps[0]
if len(s.resps) > 1 {
s.resps = s.resps[1:]
}
return resp
func (s *stubGCPClient) ImportCryptoKeyVersion(ctx context.Context, req *kmspb.ImportCryptoKeyVersionRequest, opts ...gax.CallOption) (*kmspb.CryptoKeyVersion, error) {
return &kmspb.CryptoKeyVersion{}, s.importCryptoKeyVersionErr
}
func TestGoogleKMS(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
func (s *stubGCPClient) UpdateCryptoKeyPrimaryVersion(ctx context.Context, req *kmspb.UpdateCryptoKeyPrimaryVersionRequest, opts ...gax.CallOption) (*kmspb.CryptoKey, error) {
s.updateCryptoKeyPrimaryVersionCalled = true
return &kmspb.CryptoKey{}, s.updateCryptoKeyPrimaryVersionErr
}
serv := grpc.NewServer()
defer serv.GracefulStop()
var mockKeyManagement mockKeyManagementServer
kmspb.RegisterKeyManagementServiceServer(serv, &mockKeyManagement)
lis, err := net.Listen("tcp", "localhost:0")
require.NoError(err)
go serv.Serve(lis)
func (s *stubGCPClient) GetImportJob(ctx context.Context, req *kmspb.GetImportJobRequest, opts ...gax.CallOption) (*kmspb.ImportJob, error) {
return s.getImportJobResponse, s.getImportJobErr
}
project := "test-project"
location := "global"
keyRing := "test-key-ring"
kekName := "test-kek"
dekName := "test-dek"
plainDEK := []byte("plain DEK")
type stubStorage struct {
key []byte
getErr error
putErr error
}
// load responses
mockKeyManagement.resps = []proto.Message{
&kmspb.CryptoKey{
Name: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", project, location, keyRing, kekName),
func (s *stubStorage) Get(context.Context, string) ([]byte, error) {
return s.key, s.getErr
}
func (s *stubStorage) Put(context.Context, string, []byte) error {
return s.putErr
}
func TestCreateKEK(t *testing.T) {
someErr := errors.New("error")
importKey := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
testCases := map[string]struct {
client *stubGCPClient
importKey []byte
errExpected bool
}{
"create new kek successful": {
client: &stubGCPClient{},
},
&kmspb.EncryptResponse{
Name: dekName,
},
&kmspb.DecryptResponse{
Plaintext: plainDEK,
},
&kmspb.CryptoKey{
Name: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", project, location, keyRing, kekName),
},
&kmspb.ImportJob{
Name: "import-job",
},
&kmspb.ImportJob{
Name: "import-job",
State: kmspb.ImportJob_ACTIVE,
PublicKey: &kmspb.ImportJob_WrappingPublicKey{
Pem: testKeyRSA,
"import kek successful": {
client: &stubGCPClient{
getImportJobResponse: &kmspb.ImportJob{
PublicKey: &kmspb.ImportJob_WrappingPublicKey{
Pem: testKeyRSA,
},
State: kmspb.ImportJob_ACTIVE,
},
},
importKey: importKey,
},
&kmspb.CryptoKeyVersion{
Name: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s/cryptoKeyVersions/1", project, location, keyRing, kekName),
"CreateCryptoKey fails": {
client: &stubGCPClient{createCryptoKeyErr: someErr},
errExpected: true,
},
&kmspb.CryptoKey{
Name: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", project, location, keyRing, kekName),
"CreatCryptoKey fails on import": {
client: &stubGCPClient{
createCryptoKeyErr: someErr,
getImportJobResponse: &kmspb.ImportJob{
PublicKey: &kmspb.ImportJob_WrappingPublicKey{
Pem: testKeyRSA,
},
State: kmspb.ImportJob_ACTIVE,
},
},
importKey: importKey,
errExpected: true,
},
"CreateImportJob fails": {
client: &stubGCPClient{createImportJobErr: someErr},
importKey: importKey,
errExpected: true,
},
"ImportCryptoKeyVersion fails": {
client: &stubGCPClient{
getImportJobResponse: &kmspb.ImportJob{
PublicKey: &kmspb.ImportJob_WrappingPublicKey{
Pem: testKeyRSA,
},
State: kmspb.ImportJob_ACTIVE,
},
importCryptoKeyVersionErr: someErr,
},
importKey: importKey,
errExpected: true,
},
"UpdateCryptoKeyPrimaryVersion fails": {
client: &stubGCPClient{
getImportJobResponse: &kmspb.ImportJob{
PublicKey: &kmspb.ImportJob_WrappingPublicKey{
Pem: testKeyRSA,
},
State: kmspb.ImportJob_ACTIVE,
},
updateCryptoKeyPrimaryVersionErr: someErr,
},
importKey: importKey,
errExpected: true,
},
"GetImportJob fails during waitBackoff": {
client: &stubGCPClient{getImportJobErr: someErr},
importKey: importKey,
errExpected: true,
},
"GetImportJob returns no key": {
client: &stubGCPClient{
getImportJobResponse: &kmspb.ImportJob{
State: kmspb.ImportJob_ACTIVE,
},
},
importKey: importKey,
errExpected: true,
},
"waitBackoff times out": {
client: &stubGCPClient{
getImportJobResponse: &kmspb.ImportJob{
PublicKey: &kmspb.ImportJob_WrappingPublicKey{
Pem: testKeyRSA,
},
State: kmspb.ImportJob_PENDING_GENERATION,
},
},
importKey: importKey,
errExpected: true,
},
"creating client fails": {
client: &stubGCPClient{createErr: someErr},
errExpected: true,
},
}
store := storage.NewMemMapStorage()
client := New(project, location, keyRing, store, kmspb.ProtectionLevel_SOFTWARE)
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
// redirect client calls to mock kms
// since the connection is closed after each call, we need to reset this option every time
client.clientOpts = []option.ClientOption{getConnection(lis.Addr().String(), require)}
ctx := context.Background()
client := &KMSClient{
projectID: "test-project",
locationID: "global",
keyRingID: "test-ring",
newClient: newStubGCPClientFactory(tc.client),
protectionLevel: kmspb.ProtectionLevel_SOFTWARE,
waitBackoffLimit: 1,
}
// Create KEK
assert.NoError(client.CreateKEK(ctx, kekName, nil))
// Encrypt and save new DEK
client.clientOpts = []option.ClientOption{getConnection(lis.Addr().String(), require)}
err = client.putDEK(ctx, kekName, dekName, plainDEK)
assert.NoError(err)
savedDEK, err := store.Get(ctx, dekName)
require.NoError(err)
assert.NotEqual(plainDEK, savedDEK)
// Decrypt DEK
client.clientOpts = []option.ClientOption{getConnection(lis.Addr().String(), require)}
res, err := client.GetDEK(ctx, kekName, dekName, config.SymmetricKeyLength)
assert.NoError(err)
assert.Equal(plainDEK, res)
// Import a key
client.clientOpts = []option.ClientOption{getConnection(lis.Addr().String(), require)}
assert.NoError(client.CreateKEK(ctx, kekName, testKey))
err := client.CreateKEK(context.Background(), "test-key", tc.importKey)
if tc.errExpected {
assert.Error(err)
} else {
assert.NoError(err)
if len(tc.importKey) != 0 {
assert.True(tc.client.updateCryptoKeyPrimaryVersionCalled)
} else {
assert.True(tc.client.createCryptoKeyCalled)
}
}
})
}
}
func TestGetNewDEK(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
func TestGetDEK(t *testing.T) {
someErr := errors.New("error")
testKey := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
serv := grpc.NewServer()
defer serv.GracefulStop()
var mockKeyManagement mockKeyManagementServer
kmspb.RegisterKeyManagementServiceServer(serv, &mockKeyManagement)
lis, err := net.Listen("tcp", "localhost:0")
require.NoError(err)
go serv.Serve(lis)
project := "test-project"
location := "global"
keyRing := "test-key-ring"
kekName := "test-kek"
dekName := "test-dek"
largeDEKName := "test-dek-large"
store := storage.NewMemMapStorage()
client := New(project, location, keyRing, store, kmspb.ProtectionLevel_SOFTWARE)
mockKeyManagement.resps = []proto.Message{
&kmspb.EncryptResponse{
Name: dekName,
testCases := map[string]struct {
client *stubGCPClient
storage kmsInterface.Storage
errExpected bool
}{
"GetDEK successful for new key": {
client: &stubGCPClient{},
storage: &stubStorage{getErr: storage.ErrDEKUnset},
},
&kmspb.DecryptResponse{},
&kmspb.EncryptResponse{
Name: largeDEKName,
"GetDEK successful for existing key": {
client: &stubGCPClient{decryptResponse: testKey},
storage: &stubStorage{key: testKey},
},
"Get from storage fails": {
client: &stubGCPClient{},
storage: &stubStorage{getErr: someErr},
errExpected: true,
},
"Encrypt fails": {
client: &stubGCPClient{encryptErr: someErr},
storage: &stubStorage{getErr: storage.ErrDEKUnset},
errExpected: true,
},
"Encrypt fails with notfound error": {
client: &stubGCPClient{encryptErr: status.Error(codes.NotFound, "error")},
storage: &stubStorage{getErr: storage.ErrDEKUnset},
errExpected: true,
},
"Put to storage fails": {
client: &stubGCPClient{},
storage: &stubStorage{
getErr: storage.ErrDEKUnset,
putErr: someErr,
},
errExpected: true,
},
"Decrypt fails": {
client: &stubGCPClient{decryptErr: someErr},
storage: &stubStorage{key: testKey},
errExpected: true,
},
"Decrypt fails with notfound error": {
client: &stubGCPClient{decryptErr: status.Error(codes.NotFound, "error")},
storage: &stubStorage{key: testKey},
errExpected: true,
},
"creating client fails": {
client: &stubGCPClient{createErr: someErr},
storage: &stubStorage{getErr: storage.ErrDEKUnset},
errExpected: true,
},
}
ctx := context.Background()
// Requesting an unset DEK should generate a new one, which we can then fetch in a second request
client.clientOpts = []option.ClientOption{getConnection(lis.Addr().String(), require)}
res1, err := client.GetDEK(ctx, kekName, dekName, config.SymmetricKeyLength)
assert.NoError(err)
client.clientOpts = []option.ClientOption{getConnection(lis.Addr().String(), require)}
res2, err := client.GetDEK(ctx, kekName, dekName, config.SymmetricKeyLength)
assert.NoError(err)
assert.Equal(res1, res2)
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
// Requesting larger key sizes should be possible
client.clientOpts = []option.ClientOption{getConnection(lis.Addr().String(), require)}
res3, err := client.GetDEK(ctx, kekName, largeDEKName, 96)
assert.NoError(err)
assert.Len(res3, 96)
client := &KMSClient{
projectID: "test-project",
locationID: "global",
keyRingID: "test-ring",
newClient: newStubGCPClientFactory(tc.client),
protectionLevel: kmspb.ProtectionLevel_SOFTWARE,
waitBackoffLimit: 1,
storage: tc.storage,
}
dek, err := client.GetDEK(context.Background(), "test-key", "volume-01", 32)
if tc.errExpected {
assert.Error(err)
} else {
assert.NoError(err)
assert.Len(dek, 32)
}
})
}
}
func TestUnknownKEK(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
func TestConnection(t *testing.T) {
someErr := errors.New("error")
testCases := map[string]struct {
client *stubGCPClient
errExpected bool
}{
"success": {
client: &stubGCPClient{},
},
"newClient fails": {
client: &stubGCPClient{createErr: someErr},
errExpected: true,
},
"GetKeyRing fails": {
client: &stubGCPClient{getKeyRingErr: someErr},
errExpected: true,
},
}
serv := grpc.NewServer()
defer serv.GracefulStop()
var mockKeyManagement mockKeyManagementServer
kmspb.RegisterKeyManagementServiceServer(serv, &mockKeyManagement)
lis, err := net.Listen("tcp", "localhost:0")
require.NoError(err)
go serv.Serve(lis)
for name, tc := range testCases {
t.Run(name, func(t *testing.T) {
assert := assert.New(t)
mockKeyManagement.err = errors.New("rpc error: code = NotFound")
client := &KMSClient{
projectID: "test-project",
locationID: "global",
keyRingID: "test-ring",
newClient: newStubGCPClientFactory(tc.client),
protectionLevel: kmspb.ProtectionLevel_SOFTWARE,
waitBackoffLimit: 1,
}
store := storage.NewMemMapStorage()
client := New("test-project", "global", "test-key-ring", store, kmspb.ProtectionLevel_SOFTWARE)
ctx := context.Background()
client.clientOpts = []option.ClientOption{getConnection(lis.Addr().String(), require)}
err = client.putDEK(ctx, "invalid-kek", "test-dek", []byte("dek"))
assert.Error(err)
assert.ErrorIs(err, kmsInterface.ErrKEKUnknown)
require.NoError(store.Put(ctx, "test-dek", []byte("Test Key")))
client.clientOpts = []option.ClientOption{getConnection(lis.Addr().String(), require)}
_, err = client.GetDEK(ctx, "invalid-kek", "test-dek", config.SymmetricKeyLength)
assert.Error(err)
assert.ErrorIs(err, kmsInterface.ErrKEKUnknown)
err := client.testConnection(context.Background())
if tc.errExpected {
assert.Error(err)
} else {
assert.NoError(err)
}
})
}
}
func getConnection(lisAddr string, r *require.Assertions) option.ClientOption {
conn, err := grpc.Dial(lisAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
r.NoError(err)
return option.WithGRPCConn(conn)
}
func TestWrapKeyRSA(t *testing.T) {
func TestWrapCryptoKey(t *testing.T) {
assert := assert.New(t)
rsaPub, err := util.ParsePEMtoPublicKeyRSA([]byte(testKeyRSA))
assert.NoError(err)
res, err := wrapCryptoKey(testKey, rsaPub)
res, err := wrapCryptoKey([]byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"), rsaPub)
assert.NoError(err)
assert.Equal(552, len(res))
_, err = wrapCryptoKey([]byte{0x1}, rsaPub)
assert.Error(err)
}

View File

@ -12,6 +12,7 @@ import (
"github.com/edgelesssys/constellation/kms/kms/gcp"
"github.com/edgelesssys/constellation/kms/storage"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
)
@ -27,15 +28,18 @@ func TestCreateGcpKEK(t *testing.T) {
t.Skip("Skipping Google KMS key creation test")
}
assert := assert.New(t)
require := require.New(t)
store := storage.NewMemMapStorage()
kekName := addSuffix("test-kek")
dekName := "test-dek"
kmsClient := gcp.New(gcpProjectID, gcpLocation, gcpKeyRing, store, kmspb.ProtectionLevel_SOFTWARE)
ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
defer cancel()
kmsClient, err := gcp.New(ctx, gcpProjectID, gcpLocation, gcpKeyRing, store, kmspb.ProtectionLevel_SOFTWARE)
require.NoError(err)
// Key name is random, but there is a chance we try to create a key that already exists, in that case the test fails
assert.NoError(kmsClient.CreateKEK(ctx, kekName, nil))
@ -57,16 +61,19 @@ func TestImportGcpKEK(t *testing.T) {
t.Skip("Skipping Google KMS key import test")
}
assert := assert.New(t)
require := require.New(t)
store := storage.NewMemMapStorage()
kekName := addSuffix("test-kek")
kekData := []byte{0x52, 0xFD, 0xFC, 0x07, 0x21, 0x82, 0x65, 0x4F, 0x16, 0x3F, 0x5F, 0x0F, 0x9A, 0x62, 0x1D, 0x72, 0x95, 0x66, 0xC7, 0x4D, 0x10, 0x03, 0x7C, 0x4D, 0x7B, 0xBB, 0x04, 0x07, 0xD1, 0xE2, 0xC6, 0x49}
dekName := "test-dek"
kmsClient := gcp.New(gcpProjectID, gcpLocation, gcpKeyRing, store, kmspb.ProtectionLevel_SOFTWARE)
ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
defer cancel()
kmsClient, err := gcp.New(ctx, gcpProjectID, gcpLocation, gcpKeyRing, store, kmspb.ProtectionLevel_SOFTWARE)
require.NoError(err)
assert.NoError(kmsClient.CreateKEK(ctx, kekName, kekData))
res, err := kmsClient.GetDEK(ctx, kekName, dekName, config.SymmetricKeyLength)