mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-18 11:00:25 +00:00
93 lines
2.8 KiB
Go
93 lines
2.8 KiB
Go
|
/*
|
||
|
Copyright 2021 The Ceph-CSI Authors.
|
||
|
|
||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
you may not use this file except in compliance with the License.
|
||
|
You may obtain a copy of the License at
|
||
|
|
||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||
|
|
||
|
Unless required by applicable law or agreed to in writing, software
|
||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
See the License for the specific language governing permissions and
|
||
|
limitations under the License.
|
||
|
*/
|
||
|
|
||
|
package util
|
||
|
|
||
|
import (
|
||
|
"testing"
|
||
|
|
||
|
"github.com/stretchr/testify/assert"
|
||
|
"github.com/stretchr/testify/require"
|
||
|
)
|
||
|
|
||
|
func TestGenerateNonce(t *testing.T) {
|
||
|
size := 64
|
||
|
nonce, err := generateNonce(size)
|
||
|
assert.Equal(t, size, len(nonce))
|
||
|
assert.NoError(t, err)
|
||
|
}
|
||
|
|
||
|
func TestGenerateCipher(t *testing.T) {
|
||
|
// nolint:gosec // this passphrase is intentionally hardcoded
|
||
|
passphrase := "my-cool-luks-passphrase"
|
||
|
salt := "unique-id-for-the-volume"
|
||
|
|
||
|
aead, err := generateCipher(passphrase, salt)
|
||
|
assert.NoError(t, err)
|
||
|
assert.NotNil(t, aead)
|
||
|
}
|
||
|
|
||
|
func TestInitSecretsMetadataKMS(t *testing.T) {
|
||
|
secrets := map[string]string{}
|
||
|
|
||
|
// passphrase it not set, init should fail
|
||
|
kms, err := initSecretsMetadataKMS("secrets-metadata-unit-test", secrets)
|
||
|
assert.Error(t, err)
|
||
|
assert.Nil(t, kms)
|
||
|
|
||
|
// set a passphrase to get a working KMS
|
||
|
secrets[encryptionPassphraseKey] = "my-passphrase-from-kubernetes"
|
||
|
|
||
|
kms, err = initSecretsMetadataKMS("secrets-metadata-unit-test", secrets)
|
||
|
assert.NoError(t, err)
|
||
|
require.NotNil(t, kms)
|
||
|
assert.Equal(t, "secrets-metadata-unit-test", kms.GetID())
|
||
|
assert.Equal(t, DEKStoreMetadata, kms.requiresDEKStore())
|
||
|
}
|
||
|
|
||
|
func TestWorkflowSecretsMetadataKMS(t *testing.T) {
|
||
|
secrets := map[string]string{
|
||
|
encryptionPassphraseKey: "my-passphrase-from-kubernetes",
|
||
|
}
|
||
|
volumeID := "csi-vol-1b00f5f8-b1c1-11e9-8421-9243c1f659f0"
|
||
|
|
||
|
kms, err := initSecretsMetadataKMS("secrets-metadata-unit-test", secrets)
|
||
|
assert.NoError(t, err)
|
||
|
require.NotNil(t, kms)
|
||
|
|
||
|
// plainDEK is the (LUKS) passphrase for the volume
|
||
|
plainDEK, err := generateNewEncryptionPassphrase()
|
||
|
assert.NoError(t, err)
|
||
|
assert.NotEqual(t, "", plainDEK)
|
||
|
|
||
|
encryptedDEK, err := kms.EncryptDEK(volumeID, plainDEK)
|
||
|
assert.NoError(t, err)
|
||
|
assert.NotEqual(t, "", encryptedDEK)
|
||
|
assert.NotEqual(t, plainDEK, encryptedDEK)
|
||
|
|
||
|
// with an incorrect volumeID, decrypting should fail
|
||
|
decryptedDEK, err := kms.DecryptDEK("incorrect-volumeID", encryptedDEK)
|
||
|
assert.Error(t, err)
|
||
|
assert.Equal(t, "", decryptedDEK)
|
||
|
assert.NotEqual(t, plainDEK, decryptedDEK)
|
||
|
|
||
|
// with the right volumeID, decrypting should return the plainDEK
|
||
|
decryptedDEK, err = kms.DecryptDEK(volumeID, encryptedDEK)
|
||
|
assert.NoError(t, err)
|
||
|
assert.NotEqual(t, "", decryptedDEK)
|
||
|
assert.Equal(t, plainDEK, decryptedDEK)
|
||
|
}
|