. "github.com/onsi/gomega"
)

var _ = Describe("Base 64 Protobuf Encode Migration", func() {
	var (
		migration  migration.Migration
		serializer format.Serializer
		cryptor    encryption.Cryptor

		logger *lagertest.TestLogger
	)

	BeforeEach(func() {
		// Rebuild the logger, cryptor, serializer and migration for every spec
		// so no spec can observe another's state.
		logger = lagertest.NewTestLogger("test")

		key, err := encryption.NewKey("label", "passphrase")
		Expect(err).NotTo(HaveOccurred())

		// The single key is the active encryption key; no extra decryption
		// keys are supplied.
		km, err := encryption.NewKeyManager(key, nil)
		Expect(err).NotTo(HaveOccurred())

		cryptor = encryption.NewCryptor(km, rand.Reader)
		serializer = format.NewSerializer(cryptor)
		migration = migrations.NewBase64ProtobufEncode()
	})

	// Registration check: the migration must appear in the package-level list
	// that the migration machinery runs.
	It("appends itself to the migration list", func() {
		Expect(migrations.Migrations).Should(ContainElement(migration))
	})

	Describe("Version", func() {
		It("returns the timestamp from which it was created", func() {
			Expect(migration.Version()).To(BeEquivalentTo(1441411196))
				Expect(keyLabel).To(Equal("expected-key"))
			})
		})

	Context("when the encryption key label key does not exist", func() {
		It("returns a ErrResourceNotFound", func() {
			label, lookupErr := etcdDB.EncryptionKeyLabel(logger)
			// A missing label surfaces as the sentinel error, and the returned
			// label is the empty string rather than a placeholder value.
			Expect(lookupErr).To(MatchError(models.ErrResourceNotFound))
			Expect(label).To(BeEmpty())
		})
	})
	})

	makeCryptor := func(activeLabel string, decryptionLabels ...string) encryption.Cryptor {
		activeKey, err := encryption.NewKey(activeLabel, fmt.Sprintf("%s-passphrase", activeLabel))
		Expect(err).NotTo(HaveOccurred())

		decryptionKeys := []encryption.Key{}
		for _, label := range decryptionLabels {
			key, err := encryption.NewKey(label, fmt.Sprintf("%s-passphrase", label))
			Expect(err).NotTo(HaveOccurred())
			decryptionKeys = append(decryptionKeys, key)
		}
		if len(decryptionKeys) == 0 {
			decryptionKeys = nil
		}

		keyManager, err := encryption.NewKeyManager(activeKey, decryptionKeys)
		Expect(err).NotTo(HaveOccurred())
		return encryption.NewCryptor(keyManager, rand.Reader)
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

var _ = Describe("KeyManager", func() {
	var (
		encryptionKey  encryption.Key
		decryptionKeys []encryption.Key
		manager        encryption.KeyManager
		cerr           error
	)

	BeforeEach(func() {
		// Per-spec defaults: one encryption key, an empty (non-nil) decryption
		// key list and no construction error. Nested BeforeEach blocks may
		// override these before JustBeforeEach builds the manager.
		key, err := encryption.NewKey("key label", "pass phrase")
		Expect(err).NotTo(HaveOccurred())
		encryptionKey = key
		decryptionKeys = make([]encryption.Key, 0)
		cerr = nil
	})

	JustBeforeEach(func() {
		// Build the manager only after every BeforeEach has adjusted the keys;
		// the construction error is kept in cerr for the specs to inspect.
		var err error
		manager, err = encryption.NewKeyManager(encryptionKey, decryptionKeys)
		cerr = err
	})

	It("stores the correct encryption key", func() {
		// Construction must have succeeded before the manager is inspected.
		Expect(cerr).ShouldNot(HaveOccurred())
		Expect(manager.EncryptionKey()).Should(Equal(encryptionKey))
	})

	It("adds the encryption key as a decryption key", func() {
	"code.cloudfoundry.org/bbs/encryption"
	"code.cloudfoundry.org/bbs/encryption/encryptionfakes"
	"code.cloudfoundry.org/bbs/format"

	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
)

var _ = Describe("Encoding", func() {
	var encoder format.Encoder
	var prng io.Reader
	var cryptor encryption.Cryptor

	BeforeEach(func() {
		key, err := encryption.NewKey("label", "some pass phrase")
		Expect(err).NotTo(HaveOccurred())

		km, err := encryption.NewKeyManager(key, nil)
		Expect(err).NotTo(HaveOccurred())

		// A fixed reader (zeroReader, defined elsewhere in the package) stands
		// in for the randomness source so encrypted output is reproducible in
		// the expectations; this is a test-only substitution.
		prng = &zeroReader{}
		cryptor = encryption.NewCryptor(km, prng)
	})

	JustBeforeEach(func() {
		// Created after BeforeEach so nested contexts can swap the cryptor first.
		enc := format.NewEncoder(cryptor)
		encoder = enc
	})

	Describe("Encode", func() {
		Describe("LEGACY_UNENCODED", func() {
		keyManager encryption.KeyManager

		fakeDB *dbfakes.FakeEncryptionDB

		sender *fake.FakeMetricSender
	)

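	BeforeEach(func() {
		sender = fake.NewFakeMetricSender()
		metrics.Initialize(sender, nil)

		fakeDB = new(dbfakes.FakeEncryptionDB)

		logger = lagertest.NewTestLogger("test")

		// Two keys: "label" is the active encryption key and "old-key" is a
		// retired key the manager must still decrypt with. Each construction
		// error is checked before the key is used; previously the error from
		// the first NewKey was overwritten by the second call unchecked.
		oldKey, err := encryption.NewKey("old-key", "old-passphrase")
		Expect(err).NotTo(HaveOccurred())
		encryptionKey, err := encryption.NewKey("label", "passphrase")
		Expect(err).NotTo(HaveOccurred())
		keyManager, err = encryption.NewKeyManager(encryptionKey, []encryption.Key{oldKey})
		Expect(err).NotTo(HaveOccurred())
		cryptor = encryption.NewCryptor(keyManager, rand.Reader)

		// Until a spec says otherwise, the DB reports no stored key label.
		fakeDB.EncryptionKeyLabelReturns("", models.ErrResourceNotFound)
	})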

	JustBeforeEach(func() {
		// Start the encryptor in the background; specs drive and observe
		// encryptorProcess, which is expected to be stopped in AfterEach.
		r := encryptor.New(logger, fakeDB, keyManager, cryptor, clock.NewClock())
		runner = r
		encryptorProcess = ifrit.Background(r)
	})

	AfterEach(func() {
)

var _ = Describe("Key", func() {
	Describe("NewKey", func() {
		It("generates a 256 bit key from a string that can be used as aes keys", func() {
			// Passphrases of assorted lengths: empty, shorter than, exactly and
			// longer than the 32-byte AES-256 key size.
			phrases := []string{
				"",
				"a",
				"a short phrase",
				"12345678901234567890123456789012",
				"1234567890123456789012345678901234567890123456789012345678901234567890",
			}

			for idx, phrase := range phrases {
				label := fmt.Sprintf("%d", idx)
				key, err := encryption.NewKey(label, phrase)
				Expect(err).NotTo(HaveOccurred())
				Expect(key.Label()).To(Equal(label))
				Expect(key.Block().BlockSize()).To(Equal(aes.BlockSize))

				// The derivation pinned here is the plain SHA-256 digest of the
				// passphrase used directly as the AES-256 key: no salt and no
				// iteration count. Moving NewKey to a proper KDF would (rightly)
				// break this expectation, so update the two together.
				digest := sha256.Sum256([]byte(phrase))
				expectedBlock, err := aes.NewCipher(digest[:])
				Expect(err).NotTo(HaveOccurred())
				Expect(key.Block()).To(Equal(expectedBlock))
			}
		})

		Context("when a key label is not specified", func() {
			It("returns a meaningful error", func() {
				_, err := encryption.NewKey("", "phrase")
				Expect(err).To(MatchError("A key label is required"))
			}

			for _, m := range initialMigrations {
				m.SetRawSQLDB(rawSQLDB)
				m.SetDBFlavor(flavor)
				m.SetClock(fakeClock)
				err := m.Up(logger)
				Expect(err).NotTo(HaveOccurred())
			}

			// Can't do this in the Describe BeforeEach
			// as the test on line 37 will cause ginkgo to panic
			mig.SetRawSQLDB(rawSQLDB)
			mig.SetDBFlavor(flavor)

			key, err := encryption.NewKey("a", "my key")
			Expect(err).NotTo(HaveOccurred())
			keys := []encryption.Key{key}

			keyManager, err := encryption.NewKeyManager(key, keys)
			Expect(err).NotTo(HaveOccurred())
			cryptor := encryption.NewCryptor(keyManager, rand.Reader)
			mig.SetCryptor(cryptor)

			routes = `{"cf-router":[{"hostnames":["dora.bosh-lite.com"],"port":8080}],"diego-ssh":{"container_port":2222,"host_fingerprint":"95:9d:7f:d7:cd:bc:d0:01:fa:8a:3a:a1:c6:ef:58:d7","private_key":"-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQDR/LGweyezjduoCGqmp2AR+5ggWxAT8ofEGt+PFQYY4Un/+xJ7\naeiAkk7GhHhJdL7UjuFU45XROiiZxKZhHGD1jKyG7CvaV47NVLvgqvPiY5jNjR2M\nCfnjpQ98QJ2Bv7usVfBiQP0cWK1bScchwZ1Y5At9ipyIztMqlOshKLRJPQIDAQAB\nAoGAdVtHp3081AG9OGzzxg4XCBXXkIW0N6G9NOFb/ihezvriE5krXCP1mB2svw/7\n9fm0STFNR9clvNhHJqEb53wnxzCpHMV+oH5Zg+5suQ5UsX3nof/c5PI5PK0jvIRI\nFe83ty3cu9UzYEJFVDSqJjx6SFoKBLXnxCzbVSskpkTZvlUCQQDxRcIlGLOE1lEZ\nORZuTd3TI/lg8NssEDL801PGdOIxchkiAzZz1RZW3M3SjY/PswuwiV1s4qkeHIPh\nlVeg4kS3AkEA3s4OAEl+gUtYGtLw2lSmEhgxNjK1x5EHzhuIulEla9iftbSy9Jpa\nPtzfHZ5ZxFdCnCvyukVW3KGVww40w921qwJBAN7DFo6jsNP8AKK2J7SuJhoUw+Iy\nX1nelwUBpP692j3m57eUmcj2vAp1EX/OfjI5UJitK1omKBkKIOW9uktrvh8CQBlq\ngAZgW+H76k0FCxyc02T1BYgdOMdPMAi+81Xts8sdpvpfZpqokOri30DNs4fGPH78\nNHAzQLliZWce074UKIkCQDbumNywkGzajAu+fTk+/Hts/o0g+btFS1oBDF5ztpJE\nGr9v4KGkJ//Nam2GucW1OY/JpgvZ3ITqj340wSqyyu4=\n-----END RSA PRIVATE KEY-----\n"},"tcp-router":[]`

			_, err = rawSQLDB.Exec(
				sqldb.RebindForFlavor(
					`INSERT INTO desired_lrps
						  (process_guid, domain, placement_tags, log_guid, instances, memory_mb,
							  disk_mb, rootfs, routes, volume_placement, modification_tag_epoch, run_info)