makeCryptor := func(activeLabel string, decryptionLabels ...string) encryption.Cryptor { activeKey, err := encryption.NewKey(activeLabel, fmt.Sprintf("%s-passphrase", activeLabel)) Expect(err).NotTo(HaveOccurred()) decryptionKeys := []encryption.Key{} for _, label := range decryptionLabels { key, err := encryption.NewKey(label, fmt.Sprintf("%s-passphrase", label)) Expect(err).NotTo(HaveOccurred()) decryptionKeys = append(decryptionKeys, key) } if len(decryptionKeys) == 0 { decryptionKeys = nil } keyManager, err := encryption.NewKeyManager(activeKey, decryptionKeys) Expect(err).NotTo(HaveOccurred()) return encryption.NewCryptor(keyManager, rand.Reader) } Describe("PerformEncryption", func() { It("recursively re-encrypts all existing records", func() { var cryptor encryption.Cryptor var encoder format.Encoder value1 := []byte("some text") value2 := []byte("more text") cryptor = makeCryptor("old") encoder = format.NewEncoder(cryptor)
consulRunner = consulrunner.NewClusterRunner( 9001+config.GinkgoConfig.ParallelNode*consulrunner.PortOffsetLength, 1, "http", ) consulRunner.Start() consulRunner.WaitUntilReady() etcdRunner.Start() Expect(workPoolCreateError).ToNot(HaveOccurred()) encryptionKey, err := encryption.NewKey("label", "passphrase") Expect(err).NotTo(HaveOccurred()) keyManager, err := encryption.NewKeyManager(encryptionKey, nil) Expect(err).NotTo(HaveOccurred()) cryptor = encryption.NewCryptor(keyManager, rand.Reader) }) var _ = AfterSuite(func() { etcdRunner.Stop() consulRunner.Stop() }) var _ = BeforeEach(func() { logger = lagertest.NewTestLogger("test") fakeAuctioneerClient = new(auctioneerfakes.FakeClient) etcdRunner.Reset()
BeforeEach(func() { sender = fake.NewFakeMetricSender() metrics.Initialize(sender, nil) runErrChan = make(chan error, 1) ready = make(chan struct{}) signals = make(chan os.Signal) fakeDB = new(dbfakes.FakeEncryptionDB) logger = lagertest.NewTestLogger("test") oldKey, err := encryption.NewKey("old-key", "old-passphrase") encryptionKey, err := encryption.NewKey("label", "passphrase") Expect(err).NotTo(HaveOccurred()) keyManager, err = encryption.NewKeyManager(encryptionKey, []encryption.Key{oldKey}) Expect(err).NotTo(HaveOccurred()) cryptor = encryption.NewCryptor(keyManager, rand.Reader) fakeDB.EncryptionKeyLabelReturns("", models.ErrResourceNotFound) }) JustBeforeEach(func() { runner = encryptor.New(logger, fakeDB, keyManager, cryptor, clock.NewClock()) encryptorProcess = ifrit.Background(runner) }) AfterEach(func() { ginkgomon.Kill(encryptorProcess) })
"github.com/cloudfoundry-incubator/bbs/encryption" "github.com/cloudfoundry-incubator/bbs/encryption/fakes" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) var _ = Describe("Crypt", func() { var cryptor encryption.Cryptor var keyManager encryption.KeyManager var prng io.Reader BeforeEach(func() { key, err := encryption.NewKey("label", "pass phrase") Expect(err).NotTo(HaveOccurred()) keyManager, err = encryption.NewKeyManager(key, nil) Expect(err).NotTo(HaveOccurred()) prng = rand.Reader }) JustBeforeEach(func() { cryptor = encryption.NewCryptor(keyManager, prng) }) It("successfully encrypts and decrypts with a key", func() { input := []byte("some plaintext data") encrypted, err := cryptor.Encrypt(input) Expect(err).NotTo(HaveOccurred()) Expect(encrypted.CipherText).NotTo(HaveLen(0)) Expect(encrypted.CipherText).NotTo(Equal(input))
Expect(err).To(HaveOccurred()) }) It("splits keys on the first colon", func() { args = append(args, "-encryptionKey="+"label:key:with:colon") args = append(args, "-activeKeyLabel="+"label") flagSet.Parse(args) _, _, err := encryptionFlags.Parse() Expect(err).ToNot(HaveOccurred()) flagSet.Parse(args) key, keys, err := encryptionFlags.Parse() Expect(err).ToNot(HaveOccurred()) km, err := encryption.NewKeyManager(key, keys) Expect(km.EncryptionKey().Label()).To(Equal("label")) }) It("ensures there's a selected active key", func() { args = append(args, "-encryptionKey="+"label:key") flagSet.Parse(args) _, _, err := encryptionFlags.Parse() Expect(err).To(HaveOccurred()) }) It("fails if the active key is not on the list", func() { args = append(args, "-encryptionKey="+"label:key") args = append(args, "-activeKeyLabel="+"other-label") flagSet.Parse(args)
func main() { cf_debug_server.AddFlags(flag.CommandLine) cf_lager.AddFlags(flag.CommandLine) etcdFlags := AddETCDFlags(flag.CommandLine) encryptionFlags := encryption.AddEncryptionFlags(flag.CommandLine) flag.Parse() cf_http.Initialize(*communicationTimeout) logger, reconfigurableSink := cf_lager.New("bbs") logger.Info("starting") initializeDropsonde(logger) clock := clock.NewClock() consulClient, err := consuladapter.NewClientFromUrl(*consulCluster) if err != nil { logger.Fatal("new-consul-client-failed", err) } serviceClient := bbs.NewServiceClient(consulClient, clock) maintainer := initializeLockMaintainer(logger, serviceClient) _, portString, err := net.SplitHostPort(*listenAddress) if err != nil { logger.Fatal("failed-invalid-listen-address", err) } portNum, err := net.LookupPort("tcp", portString) if err != nil { logger.Fatal("failed-invalid-listen-port", err) } _, portString, err = net.SplitHostPort(*healthAddress) if err != nil { logger.Fatal("failed-invalid-health-address", err) } _, err = net.LookupPort("tcp", portString) if err != nil { logger.Fatal("failed-invalid-health-port", err) } registrationRunner := initializeRegistrationRunner(logger, consulClient, portNum, clock) cbWorkPool := taskworkpool.New(logger, *taskCallBackWorkers, taskworkpool.HandleCompletedTask) var activeDB db.DB var sqlDB *sqldb.SQLDB var sqlConn *sql.DB var storeClient etcddb.StoreClient var etcdDB *etcddb.ETCDDB key, keys, err := encryptionFlags.Parse() if err != nil { logger.Fatal("cannot-setup-encryption", err) } keyManager, err := encryption.NewKeyManager(key, keys) if err != nil { logger.Fatal("cannot-setup-encryption", err) } cryptor := encryption.NewCryptor(keyManager, rand.Reader) etcdOptions, err := etcdFlags.Validate() if err != nil { logger.Fatal("etcd-validation-failed", err) } if etcdOptions.IsConfigured { storeClient = initializeEtcdStoreClient(logger, etcdOptions) etcdDB = initializeEtcdDB(logger, cryptor, storeClient, cbWorkPool, serviceClient, *desiredLRPCreationTimeout) activeDB = etcdDB } // If SQL database info is passed in, use SQL instead of ETCD if *databaseDriver != "" && *databaseConnectionString != "" { var err error connectionString := appendSSLConnectionStringParam(logger, *databaseDriver, *databaseConnectionString, *sqlCACertFile) sqlConn, err = sql.Open(*databaseDriver, connectionString) if err != nil { logger.Fatal("failed-to-open-sql", err) } defer sqlConn.Close() sqlConn.SetMaxOpenConns(*maxDatabaseConnections) sqlConn.SetMaxIdleConns(*maxDatabaseConnections) err = sqlConn.Ping() if err != nil { logger.Fatal("sql-failed-to-connect", err) } sqlDB = sqldb.NewSQLDB(sqlConn, *convergenceWorkers, *updateWorkers, format.ENCRYPTED_PROTO, cryptor, guidprovider.DefaultGuidProvider, clock, *databaseDriver) err = sqlDB.CreateConfigurationsTable(logger) if err != nil { logger.Fatal("sql-failed-create-configurations-table", err) } activeDB = sqlDB } if activeDB == nil { logger.Fatal("no-database-configured", errors.New("no database configured")) } encryptor := encryptor.New(logger, activeDB, keyManager, cryptor, clock) migrationsDone := make(chan struct{}) migrationManager := migration.NewManager(logger, etcdDB, storeClient, sqlDB, sqlConn, cryptor, migrations.Migrations, migrationsDone, clock, *databaseDriver, ) desiredHub := events.NewHub() actualHub := events.NewHub() repClientFactory := rep.NewClientFactory(cf_http.NewClient(), cf_http.NewClient()) auctioneerClient := initializeAuctioneerClient(logger) exitChan := make(chan struct{}) handler := handlers.New( logger, *updateWorkers, *convergenceWorkers, activeDB, desiredHub, actualHub, cbWorkPool, serviceClient, auctioneerClient, repClientFactory, migrationsDone, exitChan, ) metricsNotifier := metrics.NewPeriodicMetronNotifier( logger, *reportInterval, etcdOptions, clock, ) var server ifrit.Runner if *requireSSL { tlsConfig, err := cf_http.NewTLSConfig(*certFile, *keyFile, *caFile) if err != nil { logger.Fatal("tls-configuration-failed", err) } server = http_server.NewTLSServer(*listenAddress, handler, tlsConfig) } else { server = http_server.New(*listenAddress, handler) } healthcheckServer := http_server.New(*healthAddress, http.HandlerFunc(healthCheckHandler)) members := grouper.Members{ {"healthcheck", healthcheckServer}, {"lock-maintainer", maintainer}, {"workpool", cbWorkPool}, {"server", server}, {"migration-manager", migrationManager}, {"encryptor", encryptor}, {"hub-maintainer", hubMaintainer(logger, desiredHub, actualHub)}, {"metrics", *metricsNotifier}, {"registration-runner", registrationRunner}, } if dbgAddr := cf_debug_server.DebugAddress(flag.CommandLine); dbgAddr != "" { members = append(grouper.Members{ {"debug-server", cf_debug_server.Runner(dbgAddr, reconfigurableSink)}, }, members...) } group := grouper.NewOrdered(os.Interrupt, members) monitor := ifrit.Invoke(sigmon.New(group)) go func() { // If a handler writes to this channel, we've hit an unrecoverable error // and should shut down (cleanly) <-exitChan monitor.Signal(os.Interrupt) }() logger.Info("started") err = <-monitor.Wait() if sqlConn != nil { sqlConn.Close() } if err != nil { logger.Error("exited-with-failure", err) os.Exit(1) } logger.Info("exited") }
encryptionKey encryption.Key decryptionKeys []encryption.Key manager encryption.KeyManager cerr error ) BeforeEach(func() { var err error encryptionKey, err = encryption.NewKey("key label", "pass phrase") Expect(err).NotTo(HaveOccurred()) decryptionKeys = []encryption.Key{} cerr = nil }) JustBeforeEach(func() { manager, cerr = encryption.NewKeyManager(encryptionKey, decryptionKeys) }) It("stores the correct encryption key", func() { Expect(cerr).NotTo(HaveOccurred()) Expect(manager.EncryptionKey()).To(Equal(encryptionKey)) }) It("adds the encryption key as a decryption key", func() { Expect(manager.DecryptionKey(encryptionKey.Label())).To(Equal(manager.EncryptionKey())) }) Context("when decryption keys are provided", func() { BeforeEach(func() { key1, err := encryption.NewKey("label1", "some pass phrase") Expect(err).NotTo(HaveOccurred())