Expect(keyLabel).To(Equal("expected-key")) }) }) Context("when the encryption key label key does not exist", func() { It("returns a ErrResourceNotFound", func() { keyLabel, err := etcdDB.EncryptionKeyLabel(logger) Expect(err).To(MatchError(models.ErrResourceNotFound)) Expect(keyLabel).To(Equal("")) }) }) }) makeCryptor := func(activeLabel string, decryptionLabels ...string) encryption.Cryptor { activeKey, err := encryption.NewKey(activeLabel, fmt.Sprintf("%s-passphrase", activeLabel)) Expect(err).NotTo(HaveOccurred()) decryptionKeys := []encryption.Key{} for _, label := range decryptionLabels { key, err := encryption.NewKey(label, fmt.Sprintf("%s-passphrase", label)) Expect(err).NotTo(HaveOccurred()) decryptionKeys = append(decryptionKeys, key) } if len(decryptionKeys) == 0 { decryptionKeys = nil } keyManager, err := encryption.NewKeyManager(activeKey, decryptionKeys) Expect(err).NotTo(HaveOccurred()) return encryption.NewCryptor(keyManager, rand.Reader)
etcdRunner = etcdstorerunner.NewETCDClusterRunner(etcdPort, 1, nil) consulRunner = consulrunner.NewClusterRunner( 9001+config.GinkgoConfig.ParallelNode*consulrunner.PortOffsetLength, 1, "http", ) consulRunner.Start() consulRunner.WaitUntilReady() etcdRunner.Start() Expect(workPoolCreateError).ToNot(HaveOccurred()) encryptionKey, err := encryption.NewKey("label", "passphrase") Expect(err).NotTo(HaveOccurred()) keyManager, err := encryption.NewKeyManager(encryptionKey, nil) Expect(err).NotTo(HaveOccurred()) cryptor = encryption.NewCryptor(keyManager, rand.Reader) }) var _ = AfterSuite(func() { etcdRunner.Stop() consulRunner.Stop() }) var _ = BeforeEach(func() { logger = lagertest.NewTestLogger("test") fakeAuctioneerClient = new(auctioneerfakes.FakeClient)
) var _ = Describe("Key", func() { Describe("NewKey", func() { It("generates a 256 bit key from a string that can be used as aes keys", func() { phrases := []string{ "", "a", "a short phrase", "12345678901234567890123456789012", "1234567890123456789012345678901234567890123456789012345678901234567890", } for i, phrase := range phrases { label := fmt.Sprintf("%d", i) key, err := encryption.NewKey(label, phrase) Expect(err).NotTo(HaveOccurred()) Expect(key.Label()).To(Equal(label)) Expect(key.Block().BlockSize()).To(Equal(aes.BlockSize)) phraseHash := sha256.Sum256([]byte(phrase)) block, err := aes.NewCipher(phraseHash[:]) Expect(err).NotTo(HaveOccurred()) Expect(key.Block()).To(Equal(block)) } }) Context("when a key label is not specified", func() { It("returns a meaningful error", func() { _, err := encryption.NewKey("", "phrase") Expect(err).To(MatchError("A key label is required"))
sender *fake.FakeMetricSender ) BeforeEach(func() { sender = fake.NewFakeMetricSender() metrics.Initialize(sender, nil) runErrChan = make(chan error, 1) ready = make(chan struct{}) signals = make(chan os.Signal) fakeDB = new(dbfakes.FakeEncryptionDB) logger = lagertest.NewTestLogger("test") oldKey, err := encryption.NewKey("old-key", "old-passphrase") encryptionKey, err := encryption.NewKey("label", "passphrase") Expect(err).NotTo(HaveOccurred()) keyManager, err = encryption.NewKeyManager(encryptionKey, []encryption.Key{oldKey}) Expect(err).NotTo(HaveOccurred()) cryptor = encryption.NewCryptor(keyManager, rand.Reader) fakeDB.EncryptionKeyLabelReturns("", models.ErrResourceNotFound) }) JustBeforeEach(func() { runner = encryptor.New(logger, fakeDB, keyManager, cryptor, clock.NewClock()) encryptorProcess = ifrit.Background(runner) }) AfterEach(func() {
Expect(err).NotTo(HaveOccurred()) }) Context("when provided a single encryption key", func() { BeforeEach(func() { bbsArgs.ActiveKeyLabel = "label" bbsArgs.EncryptionKeys = []string{"label:some phrase"} }) It("writes the value as base64 encoded encrypted protobufs with metadata", func() { res, err := etcdClient.Get(etcddb.TaskSchemaPathByGuid(task.TaskGuid), false, false) Expect(err).NotTo(HaveOccurred()) var decodedTask models.Task encryptionKey, err := encryption.NewKey("label", "some phrase") Expect(err).NotTo(HaveOccurred()) keyManager, err := encryption.NewKeyManager(encryptionKey, nil) Expect(err).NotTo(HaveOccurred()) cryptor := encryption.NewCryptor(keyManager, rand.Reader) serializer := format.NewSerializer(cryptor) encoding := res.Node.Value[:format.EnvelopeOffset] Expect(format.Encoding{encoding[0], encoding[1]}).To(Equal(format.BASE64_ENCRYPTED)) err = serializer.Unmarshal(logger, []byte(res.Node.Value), &decodedTask) Expect(err).NotTo(HaveOccurred()) Expect(task.TaskGuid).To(Equal(decodedTask.TaskGuid)) }) })
"github.com/cloudfoundry-incubator/bbs/encryption" encryption_fakes "github.com/cloudfoundry-incubator/bbs/encryption/fakes" "github.com/cloudfoundry-incubator/bbs/format" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) var _ = Describe("Encoding", func() { var encoder format.Encoder var prng io.Reader var cryptor encryption.Cryptor BeforeEach(func() { key, err := encryption.NewKey("label", "some pass phrase") Expect(err).NotTo(HaveOccurred()) keyManager, err := encryption.NewKeyManager(key, nil) Expect(err).NotTo(HaveOccurred()) prng = &zeroReader{} cryptor = encryption.NewCryptor(keyManager, prng) }) JustBeforeEach(func() { encoder = format.NewEncoder(cryptor) }) Describe("Encode", func() { Describe("LEGACY_UNENCODED", func() {
. "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) var _ = Describe("KeyManager", func() { var ( encryptionKey encryption.Key decryptionKeys []encryption.Key manager encryption.KeyManager cerr error ) BeforeEach(func() { var err error encryptionKey, err = encryption.NewKey("key label", "pass phrase") Expect(err).NotTo(HaveOccurred()) decryptionKeys = []encryption.Key{} cerr = nil }) JustBeforeEach(func() { manager, cerr = encryption.NewKeyManager(encryptionKey, decryptionKeys) }) It("stores the correct encryption key", func() { Expect(cerr).NotTo(HaveOccurred()) Expect(manager.EncryptionKey()).To(Equal(encryptionKey)) }) It("adds the encryption key as a decryption key", func() {