Replace godep with dep
This commit is contained in:
Manuel de Brito Fontes
parent
1e7489927c
commit
bf5616c65b
14883 changed files with 3937406 additions and 361781 deletions
372
vendor/k8s.io/apiserver/pkg/storage/value/encrypt/aes/aes_test.go
generated
vendored
Normal file
372
vendor/k8s.io/apiserver/pkg/storage/value/encrypt/aes/aes_test.go
generated
vendored
Normal file
|
|
@ -0,0 +1,372 @@
|
|||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package aes
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/aes"
|
||||
"crypto/cipher"
|
||||
"crypto/rand"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"io"
|
||||
"reflect"
|
||||
"testing"
|
||||
|
||||
"k8s.io/apiserver/pkg/storage/value"
|
||||
)
|
||||
|
||||
func TestGCMDataStable(t *testing.T) {
|
||||
block, err := aes.NewCipher([]byte("0123456789abcdef"))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
aead, err := cipher.NewGCM(block)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
// IMPORTANT: If you must fix this test, then all previously encrypted data from previously compiled versions is broken unless you hardcode the nonce size to 12
|
||||
if aead.NonceSize() != 12 {
|
||||
t.Fatalf("The underlying Golang crypto size has changed, old version of AES on disk will not be readable unless the AES implementation is changed to hardcode nonce size.")
|
||||
}
|
||||
}
|
||||
|
||||
func TestGCMKeyRotation(t *testing.T) {
|
||||
testErr := fmt.Errorf("test error")
|
||||
block1, err := aes.NewCipher([]byte("abcdefghijklmnop"))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
block2, err := aes.NewCipher([]byte("0123456789abcdef"))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
context := value.DefaultContext([]byte("authenticated_data"))
|
||||
|
||||
p := value.NewPrefixTransformers(testErr,
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewGCMTransformer(block1)},
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewGCMTransformer(block2)},
|
||||
)
|
||||
out, err := p.TransformToStorage([]byte("firstvalue"), context)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if !bytes.HasPrefix(out, []byte("first:")) {
|
||||
t.Fatalf("unexpected prefix: %q", out)
|
||||
}
|
||||
from, stale, err := p.TransformFromStorage(out, context)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if stale || !bytes.Equal([]byte("firstvalue"), from) {
|
||||
t.Fatalf("unexpected data: %t %q", stale, from)
|
||||
}
|
||||
|
||||
// verify changing the context fails storage
|
||||
from, stale, err = p.TransformFromStorage(out, value.DefaultContext([]byte("incorrect_context")))
|
||||
if err == nil {
|
||||
t.Fatalf("expected unauthenticated data")
|
||||
}
|
||||
|
||||
// reverse the order, use the second key
|
||||
p = value.NewPrefixTransformers(testErr,
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewGCMTransformer(block2)},
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewGCMTransformer(block1)},
|
||||
)
|
||||
from, stale, err = p.TransformFromStorage(out, context)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if !stale || !bytes.Equal([]byte("firstvalue"), from) {
|
||||
t.Fatalf("unexpected data: %t %q", stale, from)
|
||||
}
|
||||
}
|
||||
|
||||
func TestCBCKeyRotation(t *testing.T) {
|
||||
testErr := fmt.Errorf("test error")
|
||||
block1, err := aes.NewCipher([]byte("abcdefghijklmnop"))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
block2, err := aes.NewCipher([]byte("0123456789abcdef"))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
context := value.DefaultContext([]byte("authenticated_data"))
|
||||
|
||||
p := value.NewPrefixTransformers(testErr,
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewCBCTransformer(block1)},
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewCBCTransformer(block2)},
|
||||
)
|
||||
out, err := p.TransformToStorage([]byte("firstvalue"), context)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if !bytes.HasPrefix(out, []byte("first:")) {
|
||||
t.Fatalf("unexpected prefix: %q", out)
|
||||
}
|
||||
from, stale, err := p.TransformFromStorage(out, context)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if stale || !bytes.Equal([]byte("firstvalue"), from) {
|
||||
t.Fatalf("unexpected data: %t %q", stale, from)
|
||||
}
|
||||
|
||||
// verify changing the context fails storage
|
||||
from, stale, err = p.TransformFromStorage(out, value.DefaultContext([]byte("incorrect_context")))
|
||||
if err != nil {
|
||||
t.Fatalf("CBC mode does not support authentication: %v", err)
|
||||
}
|
||||
|
||||
// reverse the order, use the second key
|
||||
p = value.NewPrefixTransformers(testErr,
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewCBCTransformer(block2)},
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewCBCTransformer(block1)},
|
||||
)
|
||||
from, stale, err = p.TransformFromStorage(out, context)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if !stale || !bytes.Equal([]byte("firstvalue"), from) {
|
||||
t.Fatalf("unexpected data: %t %q", stale, from)
|
||||
}
|
||||
}
|
||||
|
||||
func BenchmarkGCMRead_16_1024(b *testing.B) { benchmarkGCMRead(b, 16, 1024, false) }
|
||||
func BenchmarkGCMRead_32_1024(b *testing.B) { benchmarkGCMRead(b, 32, 1024, false) }
|
||||
func BenchmarkGCMRead_32_16384(b *testing.B) { benchmarkGCMRead(b, 32, 16384, false) }
|
||||
func BenchmarkGCMRead_32_16384_Stale(b *testing.B) { benchmarkGCMRead(b, 32, 16384, true) }
|
||||
|
||||
func BenchmarkGCMWrite_16_1024(b *testing.B) { benchmarkGCMWrite(b, 16, 1024) }
|
||||
func BenchmarkGCMWrite_32_1024(b *testing.B) { benchmarkGCMWrite(b, 32, 1024) }
|
||||
func BenchmarkGCMWrite_32_16384(b *testing.B) { benchmarkGCMWrite(b, 32, 16384) }
|
||||
|
||||
func benchmarkGCMRead(b *testing.B, keyLength int, valueLength int, expectStale bool) {
|
||||
block1, err := aes.NewCipher(bytes.Repeat([]byte("a"), keyLength))
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
block2, err := aes.NewCipher(bytes.Repeat([]byte("b"), keyLength))
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
p := value.NewPrefixTransformers(nil,
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewGCMTransformer(block1)},
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewGCMTransformer(block2)},
|
||||
)
|
||||
|
||||
context := value.DefaultContext([]byte("authenticated_data"))
|
||||
v := bytes.Repeat([]byte("0123456789abcdef"), valueLength/16)
|
||||
|
||||
out, err := p.TransformToStorage(v, context)
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
// reverse the key order if expecting stale
|
||||
if expectStale {
|
||||
p = value.NewPrefixTransformers(nil,
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewGCMTransformer(block2)},
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewGCMTransformer(block1)},
|
||||
)
|
||||
}
|
||||
|
||||
b.ResetTimer()
|
||||
for i := 0; i < b.N; i++ {
|
||||
from, stale, err := p.TransformFromStorage(out, context)
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
if expectStale != stale {
|
||||
b.Fatalf("unexpected data: %q, expect stale %t but got %t", from, expectStale, stale)
|
||||
}
|
||||
}
|
||||
b.StopTimer()
|
||||
}
|
||||
|
||||
func benchmarkGCMWrite(b *testing.B, keyLength int, valueLength int) {
|
||||
block1, err := aes.NewCipher(bytes.Repeat([]byte("a"), keyLength))
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
block2, err := aes.NewCipher(bytes.Repeat([]byte("b"), keyLength))
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
p := value.NewPrefixTransformers(nil,
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewGCMTransformer(block1)},
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewGCMTransformer(block2)},
|
||||
)
|
||||
|
||||
context := value.DefaultContext([]byte("authenticated_data"))
|
||||
v := bytes.Repeat([]byte("0123456789abcdef"), valueLength/16)
|
||||
|
||||
b.ResetTimer()
|
||||
for i := 0; i < b.N; i++ {
|
||||
_, err := p.TransformToStorage(v, context)
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
}
|
||||
b.StopTimer()
|
||||
}
|
||||
|
||||
func BenchmarkCBCRead_32_1024(b *testing.B) { benchmarkCBCRead(b, 32, 1024, false) }
|
||||
func BenchmarkCBCRead_32_16384(b *testing.B) { benchmarkCBCRead(b, 32, 16384, false) }
|
||||
func BenchmarkCBCRead_32_16384_Stale(b *testing.B) { benchmarkCBCRead(b, 32, 16384, true) }
|
||||
|
||||
func BenchmarkCBCWrite_32_1024(b *testing.B) { benchmarkCBCWrite(b, 32, 1024) }
|
||||
func BenchmarkCBCWrite_32_16384(b *testing.B) { benchmarkCBCWrite(b, 32, 16384) }
|
||||
|
||||
func benchmarkCBCRead(b *testing.B, keyLength int, valueLength int, expectStale bool) {
|
||||
block1, err := aes.NewCipher(bytes.Repeat([]byte("a"), keyLength))
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
block2, err := aes.NewCipher(bytes.Repeat([]byte("b"), keyLength))
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
p := value.NewPrefixTransformers(nil,
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewCBCTransformer(block1)},
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewCBCTransformer(block2)},
|
||||
)
|
||||
|
||||
context := value.DefaultContext([]byte("authenticated_data"))
|
||||
v := bytes.Repeat([]byte("0123456789abcdef"), valueLength/16)
|
||||
|
||||
out, err := p.TransformToStorage(v, context)
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
// reverse the key order if expecting stale
|
||||
if expectStale {
|
||||
p = value.NewPrefixTransformers(nil,
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewCBCTransformer(block2)},
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewCBCTransformer(block1)},
|
||||
)
|
||||
}
|
||||
|
||||
b.ResetTimer()
|
||||
for i := 0; i < b.N; i++ {
|
||||
from, stale, err := p.TransformFromStorage(out, context)
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
if expectStale != stale {
|
||||
b.Fatalf("unexpected data: %q, expect stale %t but got %t", from, expectStale, stale)
|
||||
}
|
||||
}
|
||||
b.StopTimer()
|
||||
}
|
||||
|
||||
func benchmarkCBCWrite(b *testing.B, keyLength int, valueLength int) {
|
||||
block1, err := aes.NewCipher(bytes.Repeat([]byte("a"), keyLength))
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
block2, err := aes.NewCipher(bytes.Repeat([]byte("b"), keyLength))
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
p := value.NewPrefixTransformers(nil,
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewCBCTransformer(block1)},
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewCBCTransformer(block2)},
|
||||
)
|
||||
|
||||
context := value.DefaultContext([]byte("authenticated_data"))
|
||||
v := bytes.Repeat([]byte("0123456789abcdef"), valueLength/16)
|
||||
|
||||
b.ResetTimer()
|
||||
for i := 0; i < b.N; i++ {
|
||||
_, err := p.TransformToStorage(v, context)
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
}
|
||||
b.StopTimer()
|
||||
}
|
||||
|
||||
func TestRoundTrip(t *testing.T) {
|
||||
lengths := []int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 128, 1024}
|
||||
|
||||
aes16block, err := aes.NewCipher([]byte(bytes.Repeat([]byte("a"), 16)))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
aes24block, err := aes.NewCipher([]byte(bytes.Repeat([]byte("b"), 24)))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
aes32block, err := aes.NewCipher([]byte(bytes.Repeat([]byte("c"), 32)))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
context value.Context
|
||||
t value.Transformer
|
||||
}{
|
||||
{name: "GCM 16 byte key", t: NewGCMTransformer(aes16block)},
|
||||
{name: "GCM 24 byte key", t: NewGCMTransformer(aes24block)},
|
||||
{name: "GCM 32 byte key", t: NewGCMTransformer(aes32block)},
|
||||
{name: "CBC 32 byte key", t: NewCBCTransformer(aes32block)},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
context := tt.context
|
||||
if context == nil {
|
||||
context = value.DefaultContext("")
|
||||
}
|
||||
for _, l := range lengths {
|
||||
data := make([]byte, l)
|
||||
if _, err := io.ReadFull(rand.Reader, data); err != nil {
|
||||
t.Fatalf("unable to read sufficient random bytes: %v", err)
|
||||
}
|
||||
original := append([]byte{}, data...)
|
||||
|
||||
ciphertext, err := tt.t.TransformToStorage(data, context)
|
||||
if err != nil {
|
||||
t.Errorf("TransformToStorage error = %v", err)
|
||||
continue
|
||||
}
|
||||
|
||||
result, stale, err := tt.t.TransformFromStorage(ciphertext, context)
|
||||
if err != nil {
|
||||
t.Errorf("TransformFromStorage error = %v", err)
|
||||
continue
|
||||
}
|
||||
if stale {
|
||||
t.Errorf("unexpected stale output")
|
||||
continue
|
||||
}
|
||||
|
||||
switch {
|
||||
case l == 0:
|
||||
if len(result) != 0 {
|
||||
t.Errorf("Round trip failed len=%d\noriginal:\n%s\nresult:\n%s", l, hex.Dump(original), hex.Dump(result))
|
||||
}
|
||||
case !reflect.DeepEqual(original, result):
|
||||
t.Errorf("Round trip failed len=%d\noriginal:\n%s\nresult:\n%s", l, hex.Dump(original), hex.Dump(result))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
203
vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope_test.go
generated
vendored
Normal file
203
vendor/k8s.io/apiserver/pkg/storage/value/encrypt/envelope/envelope_test.go
generated
vendored
Normal file
|
|
@ -0,0 +1,203 @@
|
|||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package envelope
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/aes"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"strconv"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"k8s.io/apiserver/pkg/storage/value"
|
||||
aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
|
||||
)
|
||||
|
||||
const (
|
||||
testText = "abcdefghijklmnopqrstuvwxyz"
|
||||
testContextText = "0123456789"
|
||||
testEnvelopeCacheSize = 10
|
||||
)
|
||||
|
||||
// testEnvelopeService is a mock Envelope service which can be used to simulate remote Envelope services
|
||||
// for testing of Envelope based encryption providers.
|
||||
type testEnvelopeService struct {
|
||||
disabled bool
|
||||
keyVersion string
|
||||
}
|
||||
|
||||
func (t *testEnvelopeService) Decrypt(data string) ([]byte, error) {
|
||||
if t.disabled {
|
||||
return nil, fmt.Errorf("Envelope service was disabled")
|
||||
}
|
||||
dataChunks := strings.SplitN(data, ":", 2)
|
||||
if len(dataChunks) != 2 {
|
||||
return nil, fmt.Errorf("invalid data encountered for decryption: %s. Missing key version", data)
|
||||
}
|
||||
return base64.StdEncoding.DecodeString(dataChunks[1])
|
||||
}
|
||||
|
||||
func (t *testEnvelopeService) Encrypt(data []byte) (string, error) {
|
||||
if t.disabled {
|
||||
return "", fmt.Errorf("Envelope service was disabled")
|
||||
}
|
||||
return t.keyVersion + ":" + base64.StdEncoding.EncodeToString(data), nil
|
||||
}
|
||||
|
||||
func (t *testEnvelopeService) SetDisabledStatus(status bool) {
|
||||
t.disabled = status
|
||||
}
|
||||
|
||||
func (t *testEnvelopeService) Rotate() {
|
||||
i, _ := strconv.Atoi(t.keyVersion)
|
||||
t.keyVersion = strconv.FormatInt(int64(i+1), 10)
|
||||
}
|
||||
|
||||
func newTestEnvelopeService() *testEnvelopeService {
|
||||
return &testEnvelopeService{
|
||||
keyVersion: "1",
|
||||
}
|
||||
}
|
||||
|
||||
// Throw error if Envelope transformer tries to contact Envelope without hitting cache.
|
||||
func TestEnvelopeCaching(t *testing.T) {
|
||||
envelopeService := newTestEnvelopeService()
|
||||
envelopeTransformer, err := NewEnvelopeTransformer(envelopeService, testEnvelopeCacheSize, aestransformer.NewCBCTransformer)
|
||||
if err != nil {
|
||||
t.Fatalf("failed to initialize envelope transformer: %v", err)
|
||||
}
|
||||
context := value.DefaultContext([]byte(testContextText))
|
||||
originalText := []byte(testText)
|
||||
|
||||
transformedData, err := envelopeTransformer.TransformToStorage(originalText, context)
|
||||
if err != nil {
|
||||
t.Fatalf("envelopeTransformer: error while transforming data to storage: %s", err)
|
||||
}
|
||||
untransformedData, _, err := envelopeTransformer.TransformFromStorage(transformedData, context)
|
||||
if err != nil {
|
||||
t.Fatalf("could not decrypt Envelope transformer's encrypted data even once: %v", err)
|
||||
}
|
||||
if bytes.Compare(untransformedData, originalText) != 0 {
|
||||
t.Fatalf("envelopeTransformer transformed data incorrectly. Expected: %v, got %v", originalText, untransformedData)
|
||||
}
|
||||
|
||||
envelopeService.SetDisabledStatus(true)
|
||||
// Subsequent read for the same data should work fine due to caching.
|
||||
untransformedData, _, err = envelopeTransformer.TransformFromStorage(transformedData, context)
|
||||
if err != nil {
|
||||
t.Fatalf("could not decrypt Envelope transformer's encrypted data using just cache: %v", err)
|
||||
}
|
||||
if bytes.Compare(untransformedData, originalText) != 0 {
|
||||
t.Fatalf("envelopeTransformer transformed data incorrectly using cache. Expected: %v, got %v", originalText, untransformedData)
|
||||
}
|
||||
}
|
||||
|
||||
// Makes Envelope transformer hit cache limit, throws error if it misbehaves.
|
||||
func TestEnvelopeCacheLimit(t *testing.T) {
|
||||
envelopeTransformer, err := NewEnvelopeTransformer(newTestEnvelopeService(), testEnvelopeCacheSize, aestransformer.NewCBCTransformer)
|
||||
if err != nil {
|
||||
t.Fatalf("failed to initialize envelope transformer: %v", err)
|
||||
}
|
||||
context := value.DefaultContext([]byte(testContextText))
|
||||
|
||||
transformedOutputs := map[int][]byte{}
|
||||
|
||||
// Overwrite lots of entries in the map
|
||||
for i := 0; i < 2*testEnvelopeCacheSize; i++ {
|
||||
numberText := []byte(strconv.Itoa(i))
|
||||
|
||||
res, err := envelopeTransformer.TransformToStorage(numberText, context)
|
||||
transformedOutputs[i] = res
|
||||
if err != nil {
|
||||
t.Fatalf("envelopeTransformer: error while transforming data (%v) to storage: %s", numberText, err)
|
||||
}
|
||||
}
|
||||
|
||||
// Try reading all the data now, ensuring cache misses don't cause a concern.
|
||||
for i := 0; i < 2*testEnvelopeCacheSize; i++ {
|
||||
numberText := []byte(strconv.Itoa(i))
|
||||
|
||||
output, _, err := envelopeTransformer.TransformFromStorage(transformedOutputs[i], context)
|
||||
if err != nil {
|
||||
t.Fatalf("envelopeTransformer: error while transforming data (%v) from storage: %s", transformedOutputs[i], err)
|
||||
}
|
||||
|
||||
if bytes.Compare(numberText, output) != 0 {
|
||||
t.Fatalf("envelopeTransformer transformed data incorrectly using cache. Expected: %v, got %v", numberText, output)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func BenchmarkEnvelopeCBCRead(b *testing.B) {
|
||||
envelopeTransformer, err := NewEnvelopeTransformer(newTestEnvelopeService(), testEnvelopeCacheSize, aestransformer.NewCBCTransformer)
|
||||
if err != nil {
|
||||
b.Fatalf("failed to initialize envelope transformer: %v", err)
|
||||
}
|
||||
benchmarkRead(b, envelopeTransformer, 1024)
|
||||
}
|
||||
|
||||
func BenchmarkAESCBCRead(b *testing.B) {
|
||||
block, err := aes.NewCipher(bytes.Repeat([]byte("a"), 32))
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
|
||||
aesCBCTransformer := aestransformer.NewCBCTransformer(block)
|
||||
benchmarkRead(b, aesCBCTransformer, 1024)
|
||||
}
|
||||
|
||||
func BenchmarkEnvelopeGCMRead(b *testing.B) {
|
||||
envelopeTransformer, err := NewEnvelopeTransformer(newTestEnvelopeService(), testEnvelopeCacheSize, aestransformer.NewGCMTransformer)
|
||||
if err != nil {
|
||||
b.Fatalf("failed to initialize envelope transformer: %v", err)
|
||||
}
|
||||
benchmarkRead(b, envelopeTransformer, 1024)
|
||||
}
|
||||
|
||||
func BenchmarkAESGCMRead(b *testing.B) {
|
||||
block, err := aes.NewCipher(bytes.Repeat([]byte("a"), 32))
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
|
||||
aesGCMTransformer := aestransformer.NewGCMTransformer(block)
|
||||
benchmarkRead(b, aesGCMTransformer, 1024)
|
||||
}
|
||||
|
||||
func benchmarkRead(b *testing.B, transformer value.Transformer, valueLength int) {
|
||||
context := value.DefaultContext([]byte(testContextText))
|
||||
v := bytes.Repeat([]byte("0123456789abcdef"), valueLength/16)
|
||||
|
||||
out, err := transformer.TransformToStorage(v, context)
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
|
||||
b.ResetTimer()
|
||||
for i := 0; i < b.N; i++ {
|
||||
from, stale, err := transformer.TransformFromStorage(out, context)
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
if stale {
|
||||
b.Fatalf("unexpected data: %t %q", stale, from)
|
||||
}
|
||||
}
|
||||
b.StopTimer()
|
||||
}
|
||||
190
vendor/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox/secretbox_test.go
generated
vendored
Normal file
190
vendor/k8s.io/apiserver/pkg/storage/value/encrypt/secretbox/secretbox_test.go
generated
vendored
Normal file
|
|
@ -0,0 +1,190 @@
|
|||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package secretbox
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/rand"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"io"
|
||||
"reflect"
|
||||
"testing"
|
||||
|
||||
"k8s.io/apiserver/pkg/storage/value"
|
||||
)
|
||||
|
||||
var (
|
||||
key1 = [32]byte{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}
|
||||
key2 = [32]byte{0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02}
|
||||
)
|
||||
|
||||
func TestSecretboxKeyRotation(t *testing.T) {
|
||||
testErr := fmt.Errorf("test error")
|
||||
context := value.DefaultContext([]byte("authenticated_data"))
|
||||
|
||||
p := value.NewPrefixTransformers(testErr,
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewSecretboxTransformer(key1)},
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewSecretboxTransformer(key2)},
|
||||
)
|
||||
out, err := p.TransformToStorage([]byte("firstvalue"), context)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if !bytes.HasPrefix(out, []byte("first:")) {
|
||||
t.Fatalf("unexpected prefix: %q", out)
|
||||
}
|
||||
from, stale, err := p.TransformFromStorage(out, context)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if stale || !bytes.Equal([]byte("firstvalue"), from) {
|
||||
t.Fatalf("unexpected data: %t %q", stale, from)
|
||||
}
|
||||
|
||||
// verify changing the context does not fails storage
|
||||
// Secretbox is not currently an authenticating store
|
||||
from, stale, err = p.TransformFromStorage(out, value.DefaultContext([]byte("incorrect_context")))
|
||||
if err != nil {
|
||||
t.Fatalf("secretbox is not authenticated")
|
||||
}
|
||||
|
||||
// reverse the order, use the second key
|
||||
p = value.NewPrefixTransformers(testErr,
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewSecretboxTransformer(key2)},
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewSecretboxTransformer(key1)},
|
||||
)
|
||||
from, stale, err = p.TransformFromStorage(out, context)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if !stale || !bytes.Equal([]byte("firstvalue"), from) {
|
||||
t.Fatalf("unexpected data: %t %q", stale, from)
|
||||
}
|
||||
}
|
||||
|
||||
func BenchmarkSecretboxRead_32_1024(b *testing.B) { benchmarkSecretboxRead(b, 32, 1024, false) }
|
||||
func BenchmarkSecretboxRead_32_16384(b *testing.B) { benchmarkSecretboxRead(b, 32, 16384, false) }
|
||||
func BenchmarkSecretboxRead_32_16384_Stale(b *testing.B) { benchmarkSecretboxRead(b, 32, 16384, true) }
|
||||
|
||||
func BenchmarkSecretboxWrite_32_1024(b *testing.B) { benchmarkSecretboxWrite(b, 32, 1024) }
|
||||
func BenchmarkSecretboxWrite_32_16384(b *testing.B) { benchmarkSecretboxWrite(b, 32, 16384) }
|
||||
|
||||
func benchmarkSecretboxRead(b *testing.B, keyLength int, valueLength int, expectStale bool) {
|
||||
p := value.NewPrefixTransformers(nil,
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewSecretboxTransformer(key1)},
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewSecretboxTransformer(key2)},
|
||||
)
|
||||
|
||||
context := value.DefaultContext([]byte("authenticated_data"))
|
||||
v := bytes.Repeat([]byte("0123456789abcdef"), valueLength/16)
|
||||
|
||||
out, err := p.TransformToStorage(v, context)
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
// reverse the key order if expecting stale
|
||||
if expectStale {
|
||||
p = value.NewPrefixTransformers(nil,
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewSecretboxTransformer(key2)},
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewSecretboxTransformer(key1)},
|
||||
)
|
||||
}
|
||||
|
||||
b.ResetTimer()
|
||||
for i := 0; i < b.N; i++ {
|
||||
from, stale, err := p.TransformFromStorage(out, context)
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
if expectStale != stale {
|
||||
b.Fatalf("unexpected data: %q, expect stale %t but got %t", from, expectStale, stale)
|
||||
}
|
||||
}
|
||||
b.StopTimer()
|
||||
}
|
||||
|
||||
func benchmarkSecretboxWrite(b *testing.B, keyLength int, valueLength int) {
|
||||
p := value.NewPrefixTransformers(nil,
|
||||
value.PrefixTransformer{Prefix: []byte("first:"), Transformer: NewSecretboxTransformer(key1)},
|
||||
value.PrefixTransformer{Prefix: []byte("second:"), Transformer: NewSecretboxTransformer(key2)},
|
||||
)
|
||||
|
||||
context := value.DefaultContext([]byte("authenticated_data"))
|
||||
v := bytes.Repeat([]byte("0123456789abcdef"), valueLength/16)
|
||||
|
||||
b.ResetTimer()
|
||||
for i := 0; i < b.N; i++ {
|
||||
_, err := p.TransformToStorage(v, context)
|
||||
if err != nil {
|
||||
b.Fatal(err)
|
||||
}
|
||||
}
|
||||
b.StopTimer()
|
||||
}
|
||||
|
||||
func TestRoundTrip(t *testing.T) {
|
||||
lengths := []int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 128, 1024}
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
context value.Context
|
||||
t value.Transformer
|
||||
}{
|
||||
{name: "Secretbox 32 byte key", t: NewSecretboxTransformer(key1)},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
context := tt.context
|
||||
if context == nil {
|
||||
context = value.DefaultContext("")
|
||||
}
|
||||
for _, l := range lengths {
|
||||
data := make([]byte, l)
|
||||
if _, err := io.ReadFull(rand.Reader, data); err != nil {
|
||||
t.Fatalf("unable to read sufficient random bytes: %v", err)
|
||||
}
|
||||
original := append([]byte{}, data...)
|
||||
|
||||
ciphertext, err := tt.t.TransformToStorage(data, context)
|
||||
if err != nil {
|
||||
t.Errorf("TransformToStorage error = %v", err)
|
||||
continue
|
||||
}
|
||||
|
||||
result, stale, err := tt.t.TransformFromStorage(ciphertext, context)
|
||||
if err != nil {
|
||||
t.Errorf("TransformFromStorage error = %v", err)
|
||||
continue
|
||||
}
|
||||
if stale {
|
||||
t.Errorf("unexpected stale output")
|
||||
continue
|
||||
}
|
||||
|
||||
switch {
|
||||
case l == 0:
|
||||
if len(result) != 0 {
|
||||
t.Errorf("Round trip failed len=%d\noriginal:\n%s\nresult:\n%s", l, hex.Dump(original), hex.Dump(result))
|
||||
}
|
||||
case !reflect.DeepEqual(original, result):
|
||||
t.Errorf("Round trip failed len=%d\noriginal:\n%s\nresult:\n%s", l, hex.Dump(original), hex.Dump(result))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
101
vendor/k8s.io/apiserver/pkg/storage/value/transformer_test.go
generated
vendored
Normal file
101
vendor/k8s.io/apiserver/pkg/storage/value/transformer_test.go
generated
vendored
Normal file
|
|
@ -0,0 +1,101 @@
|
|||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package value
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"fmt"
|
||||
"testing"
|
||||
)
|
||||
|
||||
type testTransformer struct {
|
||||
from, to []byte
|
||||
err error
|
||||
stale bool
|
||||
receivedFrom, receivedTo []byte
|
||||
}
|
||||
|
||||
func (t *testTransformer) TransformFromStorage(from []byte, context Context) (data []byte, stale bool, err error) {
|
||||
t.receivedFrom = from
|
||||
return t.from, t.stale, t.err
|
||||
}
|
||||
|
||||
func (t *testTransformer) TransformToStorage(to []byte, context Context) (data []byte, err error) {
|
||||
t.receivedTo = to
|
||||
return t.to, t.err
|
||||
}
|
||||
|
||||
func TestPrefixFrom(t *testing.T) {
|
||||
testErr := fmt.Errorf("test error")
|
||||
transformErr := fmt.Errorf("test error")
|
||||
transformers := []PrefixTransformer{
|
||||
{Prefix: []byte("first:"), Transformer: &testTransformer{from: []byte("value1")}},
|
||||
{Prefix: []byte("second:"), Transformer: &testTransformer{from: []byte("value2")}},
|
||||
{Prefix: []byte("fails:"), Transformer: &testTransformer{err: transformErr}},
|
||||
{Prefix: []byte("stale:"), Transformer: &testTransformer{from: []byte("value3"), stale: true}},
|
||||
}
|
||||
p := NewPrefixTransformers(testErr, transformers...)
|
||||
|
||||
testCases := []struct {
|
||||
input []byte
|
||||
expect []byte
|
||||
stale bool
|
||||
err error
|
||||
match int
|
||||
}{
|
||||
{[]byte("first:value"), []byte("value1"), false, nil, 0},
|
||||
{[]byte("second:value"), []byte("value2"), true, nil, 1},
|
||||
{[]byte("third:value"), nil, false, testErr, -1},
|
||||
{[]byte("fails:value"), nil, true, transformErr, 2},
|
||||
{[]byte("stale:value"), []byte("value3"), true, nil, 3},
|
||||
}
|
||||
for i, test := range testCases {
|
||||
got, stale, err := p.TransformFromStorage(test.input, nil)
|
||||
if err != test.err || stale != test.stale || !bytes.Equal(got, test.expect) {
|
||||
t.Errorf("%d: unexpected out: %q %t %#v", i, string(got), stale, err)
|
||||
continue
|
||||
}
|
||||
if test.match != -1 && !bytes.Equal([]byte("value"), transformers[test.match].Transformer.(*testTransformer).receivedFrom) {
|
||||
t.Errorf("%d: unexpected value received by transformer: %s", i, transformers[test.match].Transformer.(*testTransformer).receivedFrom)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestPrefixTo(t *testing.T) {
|
||||
testErr := fmt.Errorf("test error")
|
||||
transformErr := fmt.Errorf("test error")
|
||||
testCases := []struct {
|
||||
transformers []PrefixTransformer
|
||||
expect []byte
|
||||
err error
|
||||
}{
|
||||
{[]PrefixTransformer{{Prefix: []byte("first:"), Transformer: &testTransformer{to: []byte("value1")}}}, []byte("first:value1"), nil},
|
||||
{[]PrefixTransformer{{Prefix: []byte("second:"), Transformer: &testTransformer{to: []byte("value2")}}}, []byte("second:value2"), nil},
|
||||
{[]PrefixTransformer{{Prefix: []byte("fails:"), Transformer: &testTransformer{err: transformErr}}}, nil, transformErr},
|
||||
}
|
||||
for i, test := range testCases {
|
||||
p := NewPrefixTransformers(testErr, test.transformers...)
|
||||
got, err := p.TransformToStorage([]byte("value"), nil)
|
||||
if err != test.err || !bytes.Equal(got, test.expect) {
|
||||
t.Errorf("%d: unexpected out: %q %#v", i, string(got), err)
|
||||
continue
|
||||
}
|
||||
if !bytes.Equal([]byte("value"), test.transformers[0].Transformer.(*testTransformer).receivedTo) {
|
||||
t.Errorf("%d: unexpected value received by transformer: %s", i, test.transformers[0].Transformer.(*testTransformer).receivedTo)
|
||||
}
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue