mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-11-23 23:00:19 +00:00
eea97ca014
There is no need for each EncryptionKMS to implement the same GetID() function. We have a VolumeEncryption type that is more suitable for keeping track of the KMS-ID that was used to get the configuration of the KMS. This does not change any metadata that is stored anywhere. Signed-off-by: Niels de Vos <ndevos@redhat.com>
106 lines
2.9 KiB
Go
106 lines
2.9 KiB
Go
/*
|
|
Copyright 2021 The Ceph-CSI Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package util
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestGenerateNonce(t *testing.T) {
|
|
size := 64
|
|
nonce, err := generateNonce(size)
|
|
assert.Equal(t, size, len(nonce))
|
|
assert.NoError(t, err)
|
|
}
|
|
|
|
func TestGenerateCipher(t *testing.T) {
|
|
// nolint:gosec // this passphrase is intentionally hardcoded
|
|
passphrase := "my-cool-luks-passphrase"
|
|
salt := "unique-id-for-the-volume"
|
|
|
|
aead, err := generateCipher(passphrase, salt)
|
|
assert.NoError(t, err)
|
|
assert.NotNil(t, aead)
|
|
}
|
|
|
|
func TestInitSecretsMetadataKMS(t *testing.T) {
|
|
args := KMSInitializerArgs{
|
|
Tenant: "tenant",
|
|
Config: nil,
|
|
Secrets: map[string]string{},
|
|
}
|
|
|
|
// passphrase it not set, init should fail
|
|
kms, err := initSecretsMetadataKMS(args)
|
|
assert.Error(t, err)
|
|
assert.Nil(t, kms)
|
|
|
|
// set a passphrase to get a working KMS
|
|
args.Secrets[encryptionPassphraseKey] = "my-passphrase-from-kubernetes"
|
|
|
|
kms, err = initSecretsMetadataKMS(args)
|
|
assert.NoError(t, err)
|
|
require.NotNil(t, kms)
|
|
assert.Equal(t, DEKStoreMetadata, kms.requiresDEKStore())
|
|
}
|
|
|
|
func TestWorkflowSecretsMetadataKMS(t *testing.T) {
|
|
secrets := map[string]string{
|
|
encryptionPassphraseKey: "my-passphrase-from-kubernetes",
|
|
}
|
|
args := KMSInitializerArgs{
|
|
Tenant: "tenant",
|
|
Config: nil,
|
|
Secrets: secrets,
|
|
}
|
|
volumeID := "csi-vol-1b00f5f8-b1c1-11e9-8421-9243c1f659f0"
|
|
|
|
kms, err := initSecretsMetadataKMS(args)
|
|
assert.NoError(t, err)
|
|
require.NotNil(t, kms)
|
|
|
|
// plainDEK is the (LUKS) passphrase for the volume
|
|
plainDEK, err := generateNewEncryptionPassphrase()
|
|
assert.NoError(t, err)
|
|
assert.NotEqual(t, "", plainDEK)
|
|
|
|
encryptedDEK, err := kms.EncryptDEK(volumeID, plainDEK)
|
|
assert.NoError(t, err)
|
|
assert.NotEqual(t, "", encryptedDEK)
|
|
assert.NotEqual(t, plainDEK, encryptedDEK)
|
|
|
|
// with an incorrect volumeID, decrypting should fail
|
|
decryptedDEK, err := kms.DecryptDEK("incorrect-volumeID", encryptedDEK)
|
|
assert.Error(t, err)
|
|
assert.Equal(t, "", decryptedDEK)
|
|
assert.NotEqual(t, plainDEK, decryptedDEK)
|
|
|
|
// with the right volumeID, decrypting should return the plainDEK
|
|
decryptedDEK, err = kms.DecryptDEK(volumeID, encryptedDEK)
|
|
assert.NoError(t, err)
|
|
assert.NotEqual(t, "", decryptedDEK)
|
|
assert.Equal(t, plainDEK, decryptedDEK)
|
|
}
|
|
|
|
func TestSecretsMetadataKMSRegistered(t *testing.T) {
|
|
_, ok := kmsManager.providers[kmsTypeSecretsMetadata]
|
|
assert.True(t, ok)
|
|
}
|