kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
apiserver/pkg/storage/value/encrypt/envelope/kmsv2/envelope_test.go

514 lines
16 KiB
Go
Raw Blame History

/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package kmsv2 transforms values for storage at rest using a Envelope v2 provider
package kmsv2
import (
"bytes"
"context"
"encoding/base64"
"fmt"
"reflect"
"strconv"
"strings"
"testing"
"k8s.io/apiserver/pkg/storage/value"
aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2alpha1"
kmsservice "k8s.io/kms/service"
)
const (
testText = "abcdefghijklmnopqrstuvwxyz"
testContextText = "0123456789"
testEnvelopeCacheSize = 10
)
// testEnvelopeService is a mock Envelope service which can be used to simulate remote Envelope services
// for testing of Envelope based encryption providers.
type testEnvelopeService struct {
annotations map[string][]byte
disabled bool
keyVersion string
}
func (t *testEnvelopeService) Decrypt(ctx context.Context, uid string, req *kmsservice.DecryptRequest) ([]byte, error) {
if t.disabled {
return nil, fmt.Errorf("Envelope service was disabled")
}
if len(uid) == 0 {
return nil, fmt.Errorf("uid is required")
}
if len(req.KeyID) == 0 {
return nil, fmt.Errorf("keyID is required")
}
return base64.StdEncoding.DecodeString(string(req.Ciphertext))
}
func (t *testEnvelopeService) Encrypt(ctx context.Context, uid string, data []byte) (*kmsservice.EncryptResponse, error) {
if t.disabled {
return nil, fmt.Errorf("Envelope service was disabled")
}
if len(uid) == 0 {
return nil, fmt.Errorf("uid is required")
}
annotations := make(map[string][]byte)
if t.annotations != nil {
for k, v := range t.annotations {
annotations[k] = v
}
} else {
annotations["local-kek.kms.kubernetes.io"] = []byte("encrypted-local-kek")
}
return &kmsservice.EncryptResponse{Ciphertext: []byte(base64.StdEncoding.EncodeToString(data)), KeyID: t.keyVersion, Annotations: annotations}, nil
}
func (t *testEnvelopeService) Status(ctx context.Context) (*kmsservice.StatusResponse, error) {
if t.disabled {
return nil, fmt.Errorf("Envelope service was disabled")
}
return &kmsservice.StatusResponse{KeyID: t.keyVersion}, nil
}
func (t *testEnvelopeService) SetDisabledStatus(status bool) {
t.disabled = status
}
func (t *testEnvelopeService) SetAnnotations(annotations map[string][]byte) {
t.annotations = annotations
}
func (t *testEnvelopeService) Rotate() {
i, _ := strconv.Atoi(t.keyVersion)
t.keyVersion = strconv.FormatInt(int64(i+1), 10)
}
func newTestEnvelopeService() *testEnvelopeService {
return &testEnvelopeService{
keyVersion: "1",
}
}
// Throw error if Envelope transformer tries to contact Envelope without hitting cache.
func TestEnvelopeCaching(t *testing.T) {
testCases := []struct {
desc string
cacheSize int
simulateKMSPluginFailure bool
expectedError string
}{
{
desc: "positive cache size should withstand plugin failure",
cacheSize: 1000,
simulateKMSPluginFailure: true,
},
{
desc: "cache disabled size should not withstand plugin failure",
cacheSize: 0,
simulateKMSPluginFailure: true,
expectedError: "failed to decrypt DEK, error: Envelope service was disabled",
},
{
desc: "cache disabled, no plugin failure should succeed",
cacheSize: 0,
simulateKMSPluginFailure: false,
},
}
for _, tt := range testCases {
t.Run(tt.desc, func(t *testing.T) {
envelopeService := newTestEnvelopeService()
envelopeTransformer := NewEnvelopeTransformer(envelopeService, tt.cacheSize, aestransformer.NewGCMTransformer)
ctx := context.Background()
dataCtx := value.DefaultContext([]byte(testContextText))
originalText := []byte(testText)
transformedData, err := envelopeTransformer.TransformToStorage(ctx, originalText, dataCtx)
if err != nil {
t.Fatalf("envelopeTransformer: error while transforming data to storage: %s", err)
}
untransformedData, _, err := envelopeTransformer.TransformFromStorage(ctx, transformedData, dataCtx)
if err != nil {
t.Fatalf("could not decrypt Envelope transformer's encrypted data even once: %v", err)
}
if !bytes.Equal(untransformedData, originalText) {
t.Fatalf("envelopeTransformer transformed data incorrectly. Expected: %v, got %v", originalText, untransformedData)
}
envelopeService.SetDisabledStatus(tt.simulateKMSPluginFailure)
untransformedData, _, err = envelopeTransformer.TransformFromStorage(ctx, transformedData, dataCtx)
if tt.expectedError != "" {
if err == nil {
t.Fatalf("expected error: %v, got nil", tt.expectedError)
}
if err.Error() != tt.expectedError {
t.Fatalf("expected error: %v, got: %v", tt.expectedError, err)
}
} else {
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if !bytes.Equal(untransformedData, originalText) {
t.Fatalf("envelopeTransformer transformed data incorrectly. Expected: %v, got %v", originalText, untransformedData)
}
}
})
}
}
// Makes Envelope transformer hit cache limit, throws error if it misbehaves.
func TestEnvelopeCacheLimit(t *testing.T) {
envelopeTransformer := NewEnvelopeTransformer(newTestEnvelopeService(), testEnvelopeCacheSize, aestransformer.NewGCMTransformer)
ctx := context.Background()
dataCtx := value.DefaultContext([]byte(testContextText))
transformedOutputs := map[int][]byte{}
// Overwrite lots of entries in the map
for i := 0; i < 2*testEnvelopeCacheSize; i++ {
numberText := []byte(strconv.Itoa(i))
res, err := envelopeTransformer.TransformToStorage(ctx, numberText, dataCtx)
transformedOutputs[i] = res
if err != nil {
t.Fatalf("envelopeTransformer: error while transforming data (%v) to storage: %s", numberText, err)
}
}
// Try reading all the data now, ensuring cache misses don't cause a concern.
for i := 0; i < 2*testEnvelopeCacheSize; i++ {
numberText := []byte(strconv.Itoa(i))
output, _, err := envelopeTransformer.TransformFromStorage(ctx, transformedOutputs[i], dataCtx)
if err != nil {
t.Fatalf("envelopeTransformer: error while transforming data (%v) from storage: %s", transformedOutputs[i], err)
}
if !bytes.Equal(numberText, output) {
t.Fatalf("envelopeTransformer transformed data incorrectly using cache. Expected: %v, got %v", numberText, output)
}
}
}
func TestTransformToStorageError(t *testing.T) {
t.Parallel()
testCases := []struct {
name string
annotations map[string][]byte
}{
{
name: "invalid annotation key",
annotations: map[string][]byte{
"http://foo.example.com": []byte("bar"),
},
},
{
name: "annotation value size too large",
annotations: map[string][]byte{
"simple": []byte(strings.Repeat("a", 32*1024)),
},
},
{
name: "annotations size too large",
annotations: map[string][]byte{
"simple": []byte(strings.Repeat("a", 31*1024)),
"simple2": []byte(strings.Repeat("a", 1024)),
},
},
}
for _, tt := range testCases {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
envelopeService := newTestEnvelopeService()
envelopeService.SetAnnotations(tt.annotations)
envelopeTransformer := NewEnvelopeTransformer(envelopeService, 0, aestransformer.NewGCMTransformer)
ctx := context.Background()
dataCtx := value.DefaultContext([]byte(testContextText))
_, err := envelopeTransformer.TransformToStorage(ctx, []byte(testText), dataCtx)
if err == nil {
t.Fatalf("expected error, got nil")
}
if !strings.Contains(err.Error(), "failed to validate annotations") {
t.Fatalf("expected error to contain 'failed to validate annotations', got %v", err)
}
})
}
}
func TestEncodeDecode(t *testing.T) {
envelopeTransformer := &envelopeTransformer{}
obj := &kmstypes.EncryptedObject{
EncryptedData: []byte{0x01, 0x02, 0x03},
KeyID: "1",
EncryptedDEK: []byte{0x04, 0x05, 0x06},
}
data, err := envelopeTransformer.doEncode(obj)
if err != nil {
t.Fatalf("envelopeTransformer: error while encoding data: %s", err)
}
got, err := envelopeTransformer.doDecode(data)
if err != nil {
t.Fatalf("envelopeTransformer: error while decoding data: %s", err)
}
// reset internal field modified by marshaling obj
obj.XXX_sizecache = 0
if !reflect.DeepEqual(got, obj) {
t.Fatalf("envelopeTransformer: decoded data does not match original data. Got: %v, want %v", got, obj)
}
}
func TestValidateEncryptedObject(t *testing.T) {
t.Parallel()
testCases := []struct {
desc string
originalData *kmstypes.EncryptedObject
expectedError error
}{
{
desc: "encrypted object is nil",
originalData: nil,
expectedError: fmt.Errorf("encrypted object is nil"),
},
{
desc: "encrypted data is nil",
originalData: &kmstypes.EncryptedObject{
KeyID: "1",
EncryptedDEK: []byte{0x01, 0x02, 0x03},
},
expectedError: fmt.Errorf("encrypted data is empty"),
},
{
desc: "encrypted data is []byte{}",
originalData: &kmstypes.EncryptedObject{
EncryptedDEK: []byte{0x01, 0x02, 0x03},
EncryptedData: []byte{},
},
expectedError: fmt.Errorf("encrypted data is empty"),
},
}
for _, tt := range testCases {
t.Run(tt.desc, func(t *testing.T) {
err := validateEncryptedObject(tt.originalData)
if err == nil {
t.Fatalf("envelopeTransformer: expected error while decoding data, got nil")
}
if err.Error() != tt.expectedError.Error() {
t.Fatalf("doDecode() error: expected %v, got %v", tt.expectedError, err)
}
})
}
}
func TestValidateAnnotations(t *testing.T) {
t.Parallel()
successCases := []map[string][]byte{
{"a.com": []byte("bar")},
{"k8s.io": []byte("bar")},
{"dev.k8s.io": []byte("bar")},
{"dev.k8s.io.": []byte("bar")},
{"foo.example.com": []byte("bar")},
{"this.is.a.really.long.fqdn": []byte("bar")},
{"bbc.co.uk": []byte("bar")},
{"10.0.0.1": []byte("bar")}, // DNS labels can start with numbers and there is no requirement for letters.
{"hyphens-are-good.k8s.io": []byte("bar")},
{strings.Repeat("a", 63) + ".k8s.io": []byte("bar")},
{strings.Repeat("a", 63) + "." + strings.Repeat("b", 63) + "." + strings.Repeat("c", 63) + "." + strings.Repeat("d", 54) + ".k8s.io": []byte("bar")},
}
t.Run("success", func(t *testing.T) {
for i := range successCases {
t.Run(fmt.Sprintf("%d", i), func(t *testing.T) {
t.Parallel()
if err := validateAnnotations(successCases[i]); err != nil {
t.Errorf("case[%d] expected success, got %#v", i, err)
}
})
}
})
atleastTwoSegmentsErrorMsg := "should be a domain with at least two segments separated by dots"
moreThan63CharsErrorMsg := "must be no more than 63 characters"
moreThan253CharsErrorMsg := "must be no more than 253 characters"
dns1123SubdomainErrorMsg := "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character"
annotationsNameErrorCases := []struct {
annotations map[string][]byte
expect string
}{
{map[string][]byte{".": []byte("bar")}, dns1123SubdomainErrorMsg},
{map[string][]byte{"...": []byte("bar")}, dns1123SubdomainErrorMsg},
{map[string][]byte{".io": []byte("bar")}, dns1123SubdomainErrorMsg},
{map[string][]byte{"com": []byte("bar")}, atleastTwoSegmentsErrorMsg},
{map[string][]byte{".com": []byte("bar")}, dns1123SubdomainErrorMsg},
{map[string][]byte{"Dev.k8s.io": []byte("bar")}, dns1123SubdomainErrorMsg},
{map[string][]byte{".foo.example.com": []byte("bar")}, dns1123SubdomainErrorMsg},
{map[string][]byte{"*.example.com": []byte("bar")}, dns1123SubdomainErrorMsg},
{map[string][]byte{"*.bar.com": []byte("bar")}, dns1123SubdomainErrorMsg},
{map[string][]byte{"*.foo.bar.com": []byte("bar")}, dns1123SubdomainErrorMsg},
{map[string][]byte{"underscores_are_bad.k8s.io": []byte("bar")}, dns1123SubdomainErrorMsg},
{map[string][]byte{"foo@bar.example.com": []byte("bar")}, dns1123SubdomainErrorMsg},
{map[string][]byte{"http://foo.example.com": []byte("bar")}, dns1123SubdomainErrorMsg},
{map[string][]byte{strings.Repeat("a", 64) + ".k8s.io": []byte("bar")}, moreThan63CharsErrorMsg},
{map[string][]byte{strings.Repeat("a", 63) + "." + strings.Repeat("b", 63) + "." + strings.Repeat("c", 63) + "." + strings.Repeat("d", 55) + ".k8s.io": []byte("bar")}, moreThan253CharsErrorMsg},
}
t.Run("name error", func(t *testing.T) {
for i := range annotationsNameErrorCases {
t.Run(fmt.Sprintf("%d", i), func(t *testing.T) {
t.Parallel()
err := validateAnnotations(annotationsNameErrorCases[i].annotations)
if err == nil {
t.Errorf("case[%d]: expected failure", i)
} else {
if !strings.Contains(err.Error(), annotationsNameErrorCases[i].expect) {
t.Errorf("case[%d]: error details do not include %q: %q", i, annotationsNameErrorCases[i].expect, err)
}
}
})
}
})
maxSizeErrMsg := "which exceeds the max size of"
annotationsSizeErrorCases := []struct {
annotations map[string][]byte
expect string
}{
{map[string][]byte{"simple": []byte(strings.Repeat("a", 33*1024))}, maxSizeErrMsg},
{map[string][]byte{"simple": []byte(strings.Repeat("a", 32*1024))}, maxSizeErrMsg},
{map[string][]byte{"simple": []byte(strings.Repeat("a", 64*1024))}, maxSizeErrMsg},
{map[string][]byte{"simple": []byte(strings.Repeat("a", 31*1024)), "simple2": []byte(strings.Repeat("a", 1024))}, maxSizeErrMsg},
{map[string][]byte{strings.Repeat("a", 253): []byte(strings.Repeat("a", 32*1024))}, maxSizeErrMsg},
}
t.Run("size error", func(t *testing.T) {
for i := range annotationsSizeErrorCases {
t.Run(fmt.Sprintf("%d", i), func(t *testing.T) {
t.Parallel()
err := validateAnnotations(annotationsSizeErrorCases[i].annotations)
if err == nil {
t.Errorf("case[%d]: expected failure", i)
} else {
if !strings.Contains(err.Error(), annotationsSizeErrorCases[i].expect) {
t.Errorf("case[%d]: error details do not include %q: %q", i, annotationsSizeErrorCases[i].expect, err)
}
}
})
}
})
}
func TestValidateKeyID(t *testing.T) {
t.Parallel()
testCases := []struct {
name string
keyID string
expectedError string
}{
{
name: "valid key ID",
keyID: "1234",
expectedError: "",
},
{
name: "empty key ID",
keyID: "",
expectedError: "keyID is empty",
},
{
name: "keyID size is greater than 1 kB",
keyID: strings.Repeat("a", 1024+1),
expectedError: "which exceeds the max size of",
},
}
for _, tt := range testCases {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
err := validateKeyID(tt.keyID)
if tt.expectedError != "" {
if err == nil {
t.Fatalf("expected error %q, got nil", tt.expectedError)
}
if !strings.Contains(err.Error(), tt.expectedError) {
t.Fatalf("expected error %q, got %q", tt.expectedError, err)
}
} else {
if err != nil {
t.Fatalf("expected no error, got %q", err)
}
}
})
}
}
func TestValidateEncryptedDEK(t *testing.T) {
t.Parallel()
testCases := []struct {
name string
encryptedDEK []byte
expectedError string
}{
{
name: "encrypted DEK is nil",
encryptedDEK: nil,
expectedError: "encrypted DEK is empty",
},
{
name: "encrypted DEK is empty",
encryptedDEK: []byte{},
expectedError: "encrypted DEK is empty",
},
{
name: "encrypted DEK size is greater than 1 kB",
encryptedDEK: bytes.Repeat([]byte("a"), 1024+1),
expectedError: "which exceeds the max size of",
},
{
name: "valid encrypted DEK",
encryptedDEK: []byte{0x01, 0x02, 0x03},
expectedError: "",
},
}
for _, tt := range testCases {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
err := validateEncryptedDEK(tt.encryptedDEK)
if tt.expectedError != "" {
if err == nil {
t.Fatalf("expected error %q, got nil", tt.expectedError)
}
if !strings.Contains(err.Error(), tt.expectedError) {
t.Fatalf("expected error %q, got %q", tt.expectedError, err)
}
} else {
if err != nil {
t.Fatalf("expected no error, got %q", err)
}
}
})
}
}
Reference in New Issue View Git Blame Copy Permalink