getsops/sops
1
0
Fork 0
mirror of https://github.com/getsops/sops.git synced 2026-02-05 12:45:21 +01:00
Code Issues Activity
Files
b6d3c9700d88e0c9348f3ec7cd2f10ce4a4b3ee1
sops/azkv/keysource_integration_test.go
Hidde Beydals 0953fe0d7e azkv: update dependencies 
- github.com/Azure/azure-sdk-for-go/sdk/azcore to v1.7.0
- github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys to v1.0.0

This includes dealing with some breaking changes, which should be the
last ones for the foreseeable future as they tagged it as the first
MAJOR.

Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-08-12 12:16:32 +02:00

120 lines
3.4 KiB
Go
Raw Blame History

//go:build integration
package azkv
import (
"context"
"encoding/base64"
"os"
"testing"
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys"
"github.com/stretchr/testify/assert"
)
// The following values should be created based on the instructions in:
// https://github.com/mozilla/sops#encrypting-using-azure-key-vault
//
// Additionally required permissions for auto key creation:
// - KeyManagementOperations/Get
// - KeyManagementOperations/Create
var (
testVaultTenantID = os.Getenv("SOPS_TEST_AZURE_TENANT_ID")
testVaultClientID = os.Getenv("SOPS_TEST_AZURE_CLIENT_ID")
testVaultClientSecret = os.Getenv("SOPS_TEST_AZURE_CLIENT_SECRET")
testVaultURL = os.Getenv("SOPS_TEST_AZURE_VAULT_URL")
testVaultKeyName = os.Getenv("SOPS_TEST_AZURE_VAULT_KEY_NAME")
testVaultKeyVersion = os.Getenv("SOPS_TEST_AZURE_VAULT_KEY_VERSION")
)
func TestMasterKey_Encrypt(t *testing.T) {
key, err := createTestKMSKeyIfNotExists()
assert.NoError(t, err)
data := []byte("to be or not to be static bytes")
assert.NoError(t, key.Encrypt(data))
assert.NotEmpty(t, key.EncryptedDataKey())
assert.NotEqual(t, data, key.EncryptedKey)
}
func TestMasterKey_Decrypt(t *testing.T) {
key, err := createTestKMSKeyIfNotExists()
assert.NoError(t, err)
data := []byte("this is super secret data")
c, err := azkeys.NewClient(key.VaultURL, key.tokenCredential, nil)
assert.NoError(t, err)
resp, err := c.Encrypt(context.Background(), key.Name, key.Version, azkeys.KeyOperationParameters{
Algorithm: to.Ptr(azkeys.EncryptionAlgorithmRSAOAEP256),
Value: data,
}, nil)
assert.NoError(t, err)
key.EncryptedKey = base64.RawURLEncoding.EncodeToString(resp.KeyOperationResult.Result)
got, err := key.Decrypt()
assert.NoError(t, err)
assert.Equal(t, data, got)
}
func TestMasterKey_EncryptDecrypt_RoundTrip(t *testing.T) {
key, err := createTestKMSKeyIfNotExists()
assert.NoError(t, err)
data := []byte("the earth is round")
assert.NoError(t, key.Encrypt(data))
assert.NotNil(t, key.EncryptedDataKey())
got, err := key.Decrypt()
assert.NoError(t, err)
assert.Equal(t, data, got)
}
func createTestKMSKeyIfNotExists() (*MasterKey, error) {
token, err := testTokenCredential()
if err != nil {
return nil, err
}
key := &MasterKey{
VaultURL: testVaultURL,
Name: testVaultKeyName,
Version: testVaultKeyVersion,
}
NewTokenCredential(token).ApplyToMasterKey(key)
// If we have been given a version, assume it exists.
if key.Version == "" {
c, err := azkeys.NewClient(key.VaultURL, token, nil)
if err != nil {
return nil, err
}
getResp, err := c.GetKey(context.TODO(), key.Name, key.Version, nil)
if err == nil {
key.Version = getResp.KeyBundle.Key.KID.Version()
}
if err != nil {
createResp, err := c.CreateKey(context.TODO(), key.Name, azkeys.CreateKeyParameters{
Kty: to.Ptr(azkeys.KeyTypeRSA),
KeyOps: to.SliceOfPtrs(azkeys.KeyOperationEncrypt, azkeys.KeyOperationDecrypt),
}, nil)
if err != nil {
return nil, err
}
key.Version = createResp.Key.KID.Version()
}
}
return key, nil
}
func testTokenCredential() (azcore.TokenCredential, error) {
return azidentity.NewClientSecretCredential(testVaultTenantID, testVaultClientID, testVaultClientSecret, nil)
}
View Git Blame Copy Permalink