minio/cmd/crypto/kms_test.go

// MinIO Cloud Storage, (C) 2015, 2016, 2017, 2018 MinIO, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//    http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package crypto

import (
	"bytes"
	"path"
	"strings"
	"testing"
)

var masterKeyKMSTests = []struct {
	GenKeyID, UnsealKeyID     string
	GenContext, UnsealContext Context

	ShouldFail bool
}{
	{GenKeyID: "", UnsealKeyID: "", GenContext: Context{}, UnsealContext: nil, ShouldFail: false},                                                                                     // 0
	{GenKeyID: "ac47be7f", UnsealKeyID: "ac47be7f", GenContext: Context{}, UnsealContext: Context{}, ShouldFail: false},                                                               // 1
	{GenKeyID: "ac47be7f", UnsealKeyID: "ac47be7f", GenContext: Context{"bucket": "object"}, UnsealContext: Context{"bucket": "object"}, ShouldFail: false},                           // 2
	{GenKeyID: "", UnsealKeyID: "", GenContext: Context{"bucket": path.Join("bucket", "object")}, UnsealContext: Context{"bucket": path.Join("bucket", "object")}, ShouldFail: false}, // 3
	{GenKeyID: "", UnsealKeyID: "", GenContext: Context{"a": "a", "0": "0", "b": "b"}, UnsealContext: Context{"b": "b", "a": "a", "0": "0"}, ShouldFail: false},                       // 4

	{GenKeyID: "ac47be7f", UnsealKeyID: "ac47be7e", GenContext: Context{}, UnsealContext: Context{}, ShouldFail: true},                                                               // 5
	{GenKeyID: "ac47be7f", UnsealKeyID: "ac47be7f", GenContext: Context{"bucket": "object"}, UnsealContext: Context{"Bucket": "object"}, ShouldFail: true},                           // 6
	{GenKeyID: "", UnsealKeyID: "", GenContext: Context{"bucket": path.Join("bucket", "Object")}, UnsealContext: Context{"bucket": path.Join("bucket", "object")}, ShouldFail: true}, // 7
	{GenKeyID: "", UnsealKeyID: "", GenContext: Context{"a": "a", "0": "1", "b": "b"}, UnsealContext: Context{"b": "b", "a": "a", "0": "0"}, ShouldFail: true},                       // 8
}

func TestMasterKeyKMS(t *testing.T) {
	for i, test := range masterKeyKMSTests {
		kms := NewMasterKey(test.GenKeyID, [32]byte{})

		key, sealedKey, err := kms.GenerateKey(test.GenKeyID, test.GenContext)
		if err != nil {
			t.Errorf("Test %d: KMS failed to generate key: %v", i, err)
		}
		unsealedKey, err := kms.UnsealKey(test.UnsealKeyID, sealedKey, test.UnsealContext)
		if err != nil && !test.ShouldFail {
			t.Errorf("Test %d: KMS failed to unseal the generated key: %v", i, err)
		}
		if err == nil && test.ShouldFail {
			t.Errorf("Test %d: KMS unsealed the generated key successfully but should have failed", i)
		}
		if !test.ShouldFail && !bytes.Equal(key[:], unsealedKey[:]) {
			t.Errorf("Test %d: The generated and unsealed key differ", i)
		}

		rotatedKey, err := kms.UpdateKey(test.UnsealKeyID, sealedKey, test.UnsealContext)
		if err == nil && test.ShouldFail {
			t.Errorf("Test %d: KMS updated the generated key successfully but should have failed", i)
		}
		if !test.ShouldFail && !bytes.Equal(rotatedKey, sealedKey[:]) {
			t.Errorf("Test %d: The updated and sealed key differ", i)
		}

	}
}

var contextWriteToTests = []struct {
	Context      Context
	ExpectedJSON string
}{
	{Context: Context{}, ExpectedJSON: "{}"},                                                    // 0
	{Context: Context{"a": "b"}, ExpectedJSON: `{"a":"b"}`},                                     // 1
	{Context: Context{"a": "b", "c": "d"}, ExpectedJSON: `{"a":"b","c":"d"}`},                   // 2
	{Context: Context{"c": "d", "a": "b"}, ExpectedJSON: `{"a":"b","c":"d"}`},                   // 3
	{Context: Context{"0": "1", "-": "2", ".": "#"}, ExpectedJSON: `{"-":"2",".":"#","0":"1"}`}, // 4
}

func TestContextWriteTo(t *testing.T) {
	for i, test := range contextWriteToTests {
		var jsonContext strings.Builder
		if _, err := test.Context.WriteTo(&jsonContext); err != nil {
			t.Errorf("Test %d: Failed to encode context: %v", i, err)
			continue
		}
		if s := jsonContext.String(); s != test.ExpectedJSON {
			t.Errorf("Test %d: JSON representation differ - got: '%s' want: '%s'", i, s, test.ExpectedJSON)
		}
	}
}
Replace Minio refs in docs with MinIO and links (#7494) 2019-04-10 02:39:42 +08:00			`// MinIO Cloud Storage, (C) 2015, 2016, 2017, 2018 MinIO, Inc.`
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on. 2018-07-18 13:40:34 +08:00			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package crypto`

			`import (`
			`"bytes"`
			`"path"`
			`"strings"`
			`"testing"`
			`)`

			`var masterKeyKMSTests = []struct {`
			`GenKeyID, UnsealKeyID string`
			`GenContext, UnsealContext Context`

			`ShouldFail bool`
			`}{`
			`{GenKeyID: "", UnsealKeyID: "", GenContext: Context{}, UnsealContext: nil, ShouldFail: false}, // 0`
			`{GenKeyID: "ac47be7f", UnsealKeyID: "ac47be7f", GenContext: Context{}, UnsealContext: Context{}, ShouldFail: false}, // 1`
			`{GenKeyID: "ac47be7f", UnsealKeyID: "ac47be7f", GenContext: Context{"bucket": "object"}, UnsealContext: Context{"bucket": "object"}, ShouldFail: false}, // 2`
			`{GenKeyID: "", UnsealKeyID: "", GenContext: Context{"bucket": path.Join("bucket", "object")}, UnsealContext: Context{"bucket": path.Join("bucket", "object")}, ShouldFail: false}, // 3`
			`{GenKeyID: "", UnsealKeyID: "", GenContext: Context{"a": "a", "0": "0", "b": "b"}, UnsealContext: Context{"b": "b", "a": "a", "0": "0"}, ShouldFail: false}, // 4`

			`{GenKeyID: "ac47be7f", UnsealKeyID: "ac47be7e", GenContext: Context{}, UnsealContext: Context{}, ShouldFail: true}, // 5`
			`{GenKeyID: "ac47be7f", UnsealKeyID: "ac47be7f", GenContext: Context{"bucket": "object"}, UnsealContext: Context{"Bucket": "object"}, ShouldFail: true}, // 6`
			`{GenKeyID: "", UnsealKeyID: "", GenContext: Context{"bucket": path.Join("bucket", "Object")}, UnsealContext: Context{"bucket": path.Join("bucket", "object")}, ShouldFail: true}, // 7`
			`{GenKeyID: "", UnsealKeyID: "", GenContext: Context{"a": "a", "0": "1", "b": "b"}, UnsealContext: Context{"b": "b", "a": "a", "0": "0"}, ShouldFail: true}, // 8`
			`}`

			`func TestMasterKeyKMS(t *testing.T) {`
			`for i, test := range masterKeyKMSTests {`
Move etcd, logger, crypto into their own packages (#8366) - Deprecates _MINIO_PROFILER, `mc admin profile` does the job - Move ENVs to common location in cmd/config/ 2019-10-08 13:47:56 +08:00			`kms := NewMasterKey(test.GenKeyID, [32]byte{})`

crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on. 2018-07-18 13:40:34 +08:00			`key, sealedKey, err := kms.GenerateKey(test.GenKeyID, test.GenContext)`
			`if err != nil {`
			`t.Errorf("Test %d: KMS failed to generate key: %v", i, err)`
			`}`
			`unsealedKey, err := kms.UnsealKey(test.UnsealKeyID, sealedKey, test.UnsealContext)`
			`if err != nil && !test.ShouldFail {`
			`t.Errorf("Test %d: KMS failed to unseal the generated key: %v", i, err)`
			`}`
			`if err == nil && test.ShouldFail {`
add `UpdateKey` method to KMS interface (#7974) This commit adds a new method `UpdateKey` to the KMS interface. The purpose of `UpdateKey` is to re-wrap an encrypted data key (the key generated & encrypted with a master key by e.g. Vault). For example, consider Vault with a master key ID: `master-key-1` and an encrypted data key `E(dk)` for a particular object. The data key `dk` has been generated randomly when the object was created. Now, the KMS operator may "rotate" the master key `master-key-1`. However, the KMS cannot forget the "old" value of that master key since there is still an object that requires `dk`, and therefore, the `D(E(dk))`. With the `UpdateKey` method call MinIO can ask the KMS to decrypt `E(dk)` with the old key (internally) and re-encrypted `dk` with the new master key value: `E'(dk)`. However, this operation only works for the same master key ID. When rotating the data key (replacing it with a new one) then we perform a `UnsealKey` operation with the 1st master key ID and then a `GenerateKey` operation with the 2nd master key ID. This commit also updates the KMS documentation and removes the `encrypt` policy entry (we don't use `encrypt`) and add a policy entry for `rewarp`. 2019-08-02 06:47:47 +08:00			`t.Errorf("Test %d: KMS unsealed the generated key successfully but should have failed", i)`
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on. 2018-07-18 13:40:34 +08:00			`}`
crypto: add support for parsing/creating SSE-C/SSE-S3 metadata (#6169) * crypto: add support for parsing SSE-C/SSE-S3 metadata This commit adds support for detecting and parsing SSE-C/SSE-S3 object metadata. With the `IsEncrypted` functions it is possible to determine whether an object seems to be encrypted. With the `ParseMetadata` functions it is possible to validate such metadata and extract the SSE-C/SSE-S3 related values. It also fixes some naming issues. * crypto: add functions for creating SSE object metadata This commit adds functions for creating SSE-S3 and SSE-C metadata. It also adds a `CreateMultipartMetadata` for creating multipart metadata. For all functions unit tests are included. 2018-07-26 04:35:54 +08:00			`if !test.ShouldFail && !bytes.Equal(key[:], unsealedKey[:]) {`
crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on. 2018-07-18 13:40:34 +08:00			`t.Errorf("Test %d: The generated and unsealed key differ", i)`
			`}`
add `UpdateKey` method to KMS interface (#7974) This commit adds a new method `UpdateKey` to the KMS interface. The purpose of `UpdateKey` is to re-wrap an encrypted data key (the key generated & encrypted with a master key by e.g. Vault). For example, consider Vault with a master key ID: `master-key-1` and an encrypted data key `E(dk)` for a particular object. The data key `dk` has been generated randomly when the object was created. Now, the KMS operator may "rotate" the master key `master-key-1`. However, the KMS cannot forget the "old" value of that master key since there is still an object that requires `dk`, and therefore, the `D(E(dk))`. With the `UpdateKey` method call MinIO can ask the KMS to decrypt `E(dk)` with the old key (internally) and re-encrypted `dk` with the new master key value: `E'(dk)`. However, this operation only works for the same master key ID. When rotating the data key (replacing it with a new one) then we perform a `UnsealKey` operation with the 1st master key ID and then a `GenerateKey` operation with the 2nd master key ID. This commit also updates the KMS documentation and removes the `encrypt` policy entry (we don't use `encrypt`) and add a policy entry for `rewarp`. 2019-08-02 06:47:47 +08:00
			`rotatedKey, err := kms.UpdateKey(test.UnsealKeyID, sealedKey, test.UnsealContext)`
			`if err == nil && test.ShouldFail {`
			`t.Errorf("Test %d: KMS updated the generated key successfully but should have failed", i)`
			`}`
			`if !test.ShouldFail && !bytes.Equal(rotatedKey, sealedKey[:]) {`
			`t.Errorf("Test %d: The updated and sealed key differ", i)`
			`}`

crypto: add a basic KMS implementation (#6161) This commit adds a basic KMS implementation for an operator-specified SSE-S3 master key. The master key is wrapped as KMS such that using SSE-S3 with master key and SSE-S3 with KMS can use the same code. Bindings for a remote / true KMS (like hashicorp vault) will be added later on. 2018-07-18 13:40:34 +08:00			`}`
			`}`

			`var contextWriteToTests = []struct {`
			`Context Context`
			`ExpectedJSON string`
			`}{`
			`{Context: Context{}, ExpectedJSON: "{}"}, // 0`
			{Context: Context{"a": "b"}, ExpectedJSON: `{"a":"b"}`}, // 1
			{Context: Context{"a": "b", "c": "d"}, ExpectedJSON: `{"a":"b","c":"d"}`}, // 2
			{Context: Context{"c": "d", "a": "b"}, ExpectedJSON: `{"a":"b","c":"d"}`}, // 3
			{Context: Context{"0": "1", "-": "2", ".": "#"}, ExpectedJSON: `{"-":"2",".":"#","0":"1"}`}, // 4
			`}`

			`func TestContextWriteTo(t *testing.T) {`
			`for i, test := range contextWriteToTests {`
			`var jsonContext strings.Builder`
			`if _, err := test.Context.WriteTo(&jsonContext); err != nil {`
			`t.Errorf("Test %d: Failed to encode context: %v", i, err)`
			`continue`
			`}`
			`if s := jsonContext.String(); s != test.ExpectedJSON {`
			`t.Errorf("Test %d: JSON representation differ - got: '%s' want: '%s'", i, s, test.ExpectedJSON)`
			`}`
			`}`
			`}`