From f6545ab8f49f3e29b6b0080e538dbce814f3e8a2 Mon Sep 17 00:00:00 2001 From: Tania B Date: Tue, 9 Nov 2021 16:40:37 +0200 Subject: [PATCH] Chore: Add current provider test for secrets service (#41387) * Chore: Add current provider test for secrets service * Refactor the test * Fix linting issue --- pkg/services/secrets/manager/manager_test.go | 86 ++++++++++++++++---- 1 file changed, 68 insertions(+), 18 deletions(-)
diff --git a/pkg/services/secrets/manager/manager_test.go b/pkg/services/secrets/manager/manager_test.go
index 6c600eee25f..322ccfa3e26 100644
--- a/pkg/services/secrets/manager/manager_test.go
+++ b/pkg/services/secrets/manager/manager_test.go
@@ -146,33 +146,22 @@ func TestSecretsService_DataKeys(t *testing.T) {
 })
 }
-func TestSecretsService_GetCurrentProvider(t *testing.T) {
+func TestSecretsService_UseCurrentProvider(t *testing.T) {
 t.Run("When encryption_provider is not specified explicitly, should use 'secretKey' as a current provider", func(t *testing.T) {
- cfg := `[security]
- secret_key = sdDkslslld`
-
- raw, err := ini.Load([]byte(cfg))
- require.NoError(t, err)
- settings := &setting.OSSImpl{Cfg: &setting.Cfg{Raw: raw}}
-
- svc := ProvideSecretsService(
- database.ProvideSecretsStore(sqlstore.InitTestDB(t)),
- bus.New(),
- ossencryption.ProvideService(),
- settings,
- )
-
+ svc := SetupTestService(t, database.ProvideSecretsStore(sqlstore.InitTestDB(t)))
 assert.Equal(t, "secretKey", svc.currentProvider)
 })
 t.Run("When encryption_provider value is set, should use it as a current provider", func(t *testing.T) {
- cfg := `[security]
+ rawCfg := `[security]
 secret_key = sdDkslslld
 encryption_provider = awskms.second_key`
- raw, err := ini.Load([]byte(cfg))
+ raw, err := ini.Load([]byte(rawCfg))
 require.NoError(t, err)
- settings := &setting.OSSImpl{Cfg: &setting.Cfg{Raw: raw}}
+
+ cfg := &setting.Cfg{Raw: raw, FeatureToggles: map[string]bool{envelopeEncryptionFeatureToggle: true}}
+ settings := &setting.OSSImpl{Cfg: cfg}
 svc := ProvideSecretsService(
 database.ProvideSecretsStore(sqlstore.InitTestDB(t)),
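Review bot: Both subtests in this hunk still assert on the unexported field `svc.currentProvider`, while the subtest added later in the same commit goes through the exported accessor `CurrentProviderID()`; the two should agree, e.g. `assert.Equal(t, "secretKey", svc.CurrentProviderID())` and `assert.Equal(t, "awskms.second_key", svc.CurrentProviderID())`, so the test pins the public contract rather than an internal field. The new `cfg` line turns on `envelopeEncryptionFeatureToggle` without saying why; a one-line comment such as `// encryption_provider is only honoured when envelope encryption is enabled` would help, assuming that is the reason (not visible in this hunk). Whether `SetupTestService` in the first subtest enables the same toggle is also not visible here, so the two subtests may be running under different feature settings. The enclosing TestSecretsService_UseCurrentProvider continues past the end of the hunk.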
@@ -183,4 +172,65 @@ func TestSecretsService_GetCurrentProvider(t *testing.T) {
 assert.Equal(t, "awskms.second_key", svc.currentProvider)
 })
+
+ t.Run("Should use encrypt/decrypt methods of the current provider", func(t *testing.T) {
+ rawCfg := `
+ [security]
+ secret_key = sdDkslslld
+ encryption_provider = fake-provider.some-key
+
+ [security.encryption.fake-provider.some-key]
+ `
+
+ raw, err := ini.Load([]byte(rawCfg))
+ require.NoError(t, err)
+
+ cfg := &setting.Cfg{Raw: raw, FeatureToggles: map[string]bool{envelopeEncryptionFeatureToggle: true}}
+ settings := &setting.OSSImpl{Cfg: cfg}
+
+ secretStore := database.ProvideSecretsStore(sqlstore.InitTestDB(t))
+ fake := fakeProvider{}
+ providerID := "fake-provider.some-key"
+
+ svcEncrypt := ProvideSecretsService(
+ secretStore,
+ bus.New(),
+ ossencryption.ProvideService(),
+ settings,
+ )
+
+ svcEncrypt.RegisterProvider(providerID, &fake)
+ require.NoError(t, err)
+ assert.Equal(t, providerID, svcEncrypt.CurrentProviderID())
+ assert.Equal(t, 2, len(svcEncrypt.GetProviders()))
+ encrypted, _ := svcEncrypt.Encrypt(context.Background(), []byte{}, secrets.WithoutScope())
+ assert.True(t, fake.encryptCalled)
+
+ // secret service tries to find a DEK in a cache first before calling provider's decrypt
+ // to bypass the cache, we set up one more secrets service to test decrypting
+ svcDecrypt := ProvideSecretsService(
+ secretStore,
+ bus.New(),
+ ossencryption.ProvideService(),
+ settings,
+ )
+ svcDecrypt.RegisterProvider(providerID, &fake)
+ _, _ = svcDecrypt.Decrypt(context.Background(), encrypted)
+ assert.True(t, fake.decryptCalled, "fake provider's decrypt should be called")
+ })
+}
+
+type fakeProvider struct {
+ encryptCalled bool
+ decryptCalled bool
+}
+
+func (p *fakeProvider) Encrypt(_ context.Context, _ []byte) ([]byte, error) {
+ p.encryptCalled = true
+ return []byte{}, nil
+}
+
+func (p *fakeProvider) Decrypt(_ context.Context, _ []byte) ([]byte, error) {
+ p.decryptCalled = true
+ return 
[]byte{}, nil }
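Review bot: Every error on the encrypt/decrypt path of the new subtest is discarded — `encrypted, _ := svcEncrypt.Encrypt(...)`, `_, _ = svcDecrypt.Decrypt(...)` — and the `require.NoError(t, err)` placed after `svcEncrypt.RegisterProvider(providerID, &fake)` only re-checks the stale `err` from `ini.Load`, so the test passes whenever the fake's flags flip even if the service fails to wrap or unwrap the data key. Capture and assert the errors as below; if the empty key the fake returns is expected to make the service's own decryption fail, say so with `require.Error` rather than ignoring the result, and drop the stale `require.NoError` (or check RegisterProvider's result, if it has one — not visible here). Minor: `assert.Equal(t, 2, len(svcEncrypt.GetProviders()))` reads better as `assert.Len(t, svcEncrypt.GetProviders(), 2)`. Since `&fake` is shared by both services, `encryptCalled` stays true across the second half, which is fine as long as the decrypt assertion is the one that matters there.
```go
		// … unchanged: config, store, fake and svcEncrypt construction …
		svcEncrypt.RegisterProvider(providerID, &fake)
		assert.Equal(t, providerID, svcEncrypt.CurrentProviderID())
		assert.Len(t, svcEncrypt.GetProviders(), 2)
		encrypted, err := svcEncrypt.Encrypt(context.Background(), []byte{}, secrets.WithoutScope())
		require.NoError(t, err)
		assert.True(t, fake.encryptCalled)
		// … unchanged: svcDecrypt construction and RegisterProvider …
		_, err = svcDecrypt.Decrypt(context.Background(), encrypted)
		require.NoError(t, err) // use require.Error here if the fake's empty key is meant to fail decryption
		assert.True(t, fake.decryptCalled, "fake provider's decrypt should be called")
```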