Skip to content

Commit 311c83c

Browse files
committed
cluster/secretman - add more unit tests
1 parent 37a2854 commit 311c83c

4 files changed

Lines changed: 829 additions & 47 deletions

File tree

Lines changed: 131 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,131 @@
1+
// Copyright (c) 2025-present Octelium Labs, LLC. All rights reserved.
2+
//
3+
// This software is licensed under the Octelium Enterprise Source-Available License.
4+
// Commercial and production use is strictly prohibited without a valid
5+
// Commercial Agreement from Octelium Labs, LLC.
6+
//
7+
// See the LICENSE file in the repository root for full license text.
8+
9+
package awskms
10+
11+
import (
12+
"context"
13+
"fmt"
14+
"testing"
15+
16+
otests "github.com/octelium/octelium-ee/cluster/common/tests"
17+
"github.com/octelium/octelium-ee/cluster/secretman/secretman/migrations"
18+
"github.com/octelium/octelium-ee/cluster/secretman/secretman/stores"
19+
"github.com/octelium/octelium/apis/main/enterprisev1"
20+
"github.com/octelium/octelium/apis/main/metav1"
21+
"github.com/octelium/octelium/cluster/common/postgresutils"
22+
"github.com/octelium/octelium/cluster/common/vutils"
23+
"github.com/octelium/octelium/pkg/utils/utilrand"
24+
"github.com/stretchr/testify/assert"
25+
)
26+
27+
func TestServer(t *testing.T) {
28+
ctx := context.Background()
29+
30+
tst, err := otests.Initialize(nil)
31+
assert.Nil(t, err, "%+v", err)
32+
if err != nil {
33+
return
34+
}
35+
36+
t.Cleanup(func() {
37+
tst.Destroy()
38+
})
39+
40+
fakeC := tst.C
41+
42+
db, err := postgresutils.NewDB()
43+
assert.Nil(t, err, "%+v", err)
44+
if err != nil {
45+
return
46+
}
47+
48+
err = migrations.Migrate(ctx, db)
49+
assert.Nil(t, err, "%+v", err)
50+
if err != nil {
51+
return
52+
}
53+
54+
ss, err := fakeC.OcteliumC.EnterpriseC().CreateSecretStore(
55+
ctx,
56+
&enterprisev1.SecretStore{
57+
Metadata: &metav1.Metadata{
58+
Name: fmt.Sprintf("test-aws-kms-%s", vutils.GetMyRegionName()),
59+
IsSystem: true,
60+
IsSystemHidden: true,
61+
},
62+
Spec: &enterprisev1.SecretStore_Spec{
63+
Type: &enterprisev1.SecretStore_Spec_AwsKeyManagementService{
64+
AwsKeyManagementService: &enterprisev1.SecretStore_Spec_AWSKeyManagementService{
65+
KeyID: "test-key",
66+
Region: "us-east-1",
67+
RoleARN: "arn:aws:iam::123456789012:role/octelium-secretman",
68+
},
69+
},
70+
},
71+
Status: &enterprisev1.SecretStore_Status{
72+
State: enterprisev1.SecretStore_Status_OK,
73+
Type: enterprisev1.SecretStore_Status_TYPE_AWS_KMS,
74+
},
75+
},
76+
)
77+
assert.Nil(t, err, "%+v", err)
78+
if err != nil {
79+
return
80+
}
81+
82+
store, err := NewStore(ctx, &stores.StoreOpts{
83+
SecretStore: ss,
84+
})
85+
assert.Nil(t, err, "%+v", err)
86+
if err != nil {
87+
return
88+
}
89+
90+
t.Cleanup(func() {
91+
assert.Nil(t, store.Close())
92+
})
93+
94+
err = store.Initialize(ctx)
95+
assert.Nil(t, err, "%+v", err)
96+
if err != nil {
97+
return
98+
}
99+
100+
val, err := utilrand.GetRandomBytes(32)
101+
assert.Nil(t, err, "%+v", err)
102+
if err != nil {
103+
return
104+
}
105+
106+
const uid = "test-dek-uid"
107+
108+
ciphertext, err := store.Encrypt(ctx, uid, val)
109+
assert.Nil(t, err, "%+v", err)
110+
if err != nil {
111+
return
112+
}
113+
assert.NotEmpty(t, ciphertext)
114+
115+
plaintext, err := store.Decrypt(ctx, uid, ciphertext)
116+
assert.Nil(t, err, "%+v", err)
117+
if err != nil {
118+
return
119+
}
120+
assert.Equal(t, val, plaintext)
121+
122+
p2, err := store.Decrypt(ctx, uid, ciphertext)
123+
assert.Nil(t, err, "%+v", err)
124+
if err != nil {
125+
return
126+
}
127+
assert.Equal(t, plaintext, p2)
128+
129+
_, err = store.Decrypt(ctx, "different-dek-uid", ciphertext)
130+
assert.NotNil(t, err)
131+
}
Lines changed: 212 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,212 @@
1+
// Copyright (c) 2025-present Octelium Labs, LLC. All rights reserved.
2+
//
3+
// This software is licensed under the Octelium Enterprise Source-Available License.
4+
// Commercial and production use is strictly prohibited without a valid
5+
// Commercial Agreement from Octelium Labs, LLC.
6+
//
7+
// See the LICENSE file in the repository root for full license text.
8+
9+
package azurekeyvault
10+
11+
import (
12+
"context"
13+
"fmt"
14+
"testing"
15+
16+
otests "github.com/octelium/octelium-ee/cluster/common/tests"
17+
"github.com/octelium/octelium-ee/cluster/secretman/secretman/migrations"
18+
"github.com/octelium/octelium-ee/cluster/secretman/secretman/stores"
19+
"github.com/octelium/octelium/apis/main/enterprisev1"
20+
"github.com/octelium/octelium/apis/main/metav1"
21+
"github.com/octelium/octelium/cluster/common/postgresutils"
22+
"github.com/octelium/octelium/cluster/common/vutils"
23+
"github.com/octelium/octelium/pkg/utils/utilrand"
24+
"github.com/stretchr/testify/assert"
25+
)
26+
27+
func TestServer(t *testing.T) {
28+
ctx := context.Background()
29+
30+
tst, err := otests.Initialize(nil)
31+
assert.Nil(t, err, "%+v", err)
32+
if err != nil {
33+
return
34+
}
35+
36+
t.Cleanup(func() {
37+
tst.Destroy()
38+
})
39+
40+
fakeC := tst.C
41+
42+
db, err := postgresutils.NewDB()
43+
assert.Nil(t, err, "%+v", err)
44+
if err != nil {
45+
return
46+
}
47+
48+
err = migrations.Migrate(ctx, db)
49+
assert.Nil(t, err, "%+v", err)
50+
if err != nil {
51+
return
52+
}
53+
54+
ss, err := fakeC.OcteliumC.EnterpriseC().CreateSecretStore(
55+
ctx,
56+
&enterprisev1.SecretStore{
57+
Metadata: &metav1.Metadata{
58+
Name: fmt.Sprintf("test-azure-key-vault-%s", vutils.GetMyRegionName()),
59+
IsSystem: true,
60+
IsSystemHidden: true,
61+
},
62+
Spec: &enterprisev1.SecretStore_Spec{
63+
Type: &enterprisev1.SecretStore_Spec_AzureKeyVault_{
64+
AzureKeyVault: &enterprisev1.SecretStore_Spec_AzureKeyVault{
65+
ClientID: "00000000-0000-0000-0000-000000000001",
66+
TenantID: "00000000-0000-0000-0000-000000000002",
67+
VaultURL: "https://octelium-test.vault.azure.net",
68+
Key: "octelium-test-key",
69+
},
70+
},
71+
},
72+
Status: &enterprisev1.SecretStore_Status{
73+
State: enterprisev1.SecretStore_Status_OK,
74+
Type: enterprisev1.SecretStore_Status_TYPE_AZURE_KEY_VAULT,
75+
},
76+
},
77+
)
78+
assert.Nil(t, err, "%+v", err)
79+
if err != nil {
80+
return
81+
}
82+
83+
store, err := NewStore(ctx, &stores.StoreOpts{
84+
SecretStore: ss,
85+
})
86+
assert.Nil(t, err, "%+v", err)
87+
if err != nil {
88+
return
89+
}
90+
91+
t.Cleanup(func() {
92+
assert.Nil(t, store.Close())
93+
})
94+
95+
assert.Equal(t, ss.Metadata.Uid, store.UID())
96+
97+
err = store.Initialize(ctx)
98+
assert.Nil(t, err, "%+v", err)
99+
if err != nil {
100+
return
101+
}
102+
103+
val, err := utilrand.GetRandomBytes(32)
104+
assert.Nil(t, err, "%+v", err)
105+
if err != nil {
106+
return
107+
}
108+
109+
const uid = "test-dek-uid"
110+
111+
{
112+
ciphertext, err := store.Encrypt(ctx, uid, val)
113+
assert.Nil(t, err, "%+v", err)
114+
if err != nil {
115+
return
116+
}
117+
118+
assert.NotEmpty(t, ciphertext)
119+
assert.NotEqual(t, val, ciphertext)
120+
121+
plaintext, err := store.Decrypt(ctx, uid, ciphertext)
122+
assert.Nil(t, err, "%+v", err)
123+
if err != nil {
124+
return
125+
}
126+
127+
assert.Equal(t, val, plaintext)
128+
129+
p2, err := store.Decrypt(ctx, uid, ciphertext)
130+
assert.Nil(t, err, "%+v", err)
131+
if err != nil {
132+
return
133+
}
134+
135+
assert.Equal(t, plaintext, p2)
136+
137+
_, err = store.Decrypt(
138+
ctx,
139+
"different-dek-uid",
140+
ciphertext,
141+
)
142+
assert.NotNil(t, err)
143+
}
144+
145+
{
146+
ciphertext1, err := store.Encrypt(ctx, uid, val)
147+
assert.Nil(t, err, "%+v", err)
148+
if err != nil {
149+
return
150+
}
151+
152+
ciphertext2, err := store.Encrypt(ctx, uid, val)
153+
assert.Nil(t, err, "%+v", err)
154+
if err != nil {
155+
return
156+
}
157+
158+
assert.NotEqual(t, ciphertext1, ciphertext2)
159+
160+
plaintext1, err := store.Decrypt(ctx, uid, ciphertext1)
161+
assert.Nil(t, err, "%+v", err)
162+
if err != nil {
163+
return
164+
}
165+
166+
plaintext2, err := store.Decrypt(ctx, uid, ciphertext2)
167+
assert.Nil(t, err, "%+v", err)
168+
if err != nil {
169+
return
170+
}
171+
172+
assert.Equal(t, val, plaintext1)
173+
assert.Equal(t, val, plaintext2)
174+
}
175+
176+
{
177+
ciphertext, err := store.Encrypt(ctx, uid, val)
178+
assert.Nil(t, err, "%+v", err)
179+
if err != nil {
180+
return
181+
}
182+
183+
tampered := append([]byte(nil), ciphertext...)
184+
tampered[len(tampered)-1] ^= 0x01
185+
186+
_, err = store.Decrypt(ctx, uid, tampered)
187+
assert.NotNil(t, err)
188+
}
189+
190+
{
191+
_, err := store.Encrypt(ctx, "", val)
192+
assert.NotNil(t, err)
193+
194+
_, err = store.Encrypt(ctx, uid, nil)
195+
assert.NotNil(t, err)
196+
197+
_, err = store.Encrypt(ctx, uid, []byte{})
198+
assert.NotNil(t, err)
199+
200+
_, err = store.Decrypt(ctx, "", []byte("invalid"))
201+
assert.NotNil(t, err)
202+
203+
_, err = store.Decrypt(ctx, uid, nil)
204+
assert.NotNil(t, err)
205+
206+
_, err = store.Decrypt(ctx, uid, []byte{})
207+
assert.NotNil(t, err)
208+
209+
_, err = store.Decrypt(ctx, uid, []byte("invalid"))
210+
assert.NotNil(t, err)
211+
}
212+
}

0 commit comments

Comments
 (0)