

add HMAC API test
This commit adds tests for the HMAC server API.
It also removes enclave code that is no longer used
or supported.

Signed-off-by: Andreas Auernhammer <[email protected]>
aead committed Jan 16, 2024
1 parent 480ab49 commit 1a30d61
Showing 35 changed files with 93 additions and 161 deletions.
51 changes: 50 additions & 1 deletion api_test.go
Expand Up @@ -6,6 +6,7 @@ package kes

import (
"bytes"
"crypto/hmac"
"errors"
"net/http"
"runtime"
Expand All @@ -15,7 +16,7 @@ import (
"time"

"aead.dev/mem"
"github.com/minio/kes-go"
"github.com/minio/kms-go/kes"
)

func TestImportKey(t *testing.T) {
Expand Down Expand Up @@ -54,6 +55,7 @@ func TestAPI(t *testing.T) {
t.Run("v1/key/import", testImportKey)
t.Run("v1/key/describe", testDescribeKey)
t.Run("v1/key/generate", testGenerateKey)
t.Run("v1/key/hmac", testHMAC)
t.Run("v1/key/encrypt", testEncryptDecryptKey) // also tests decryption
t.Run("v1/key/list", testListKeys)
t.Run("v1/identity/describe", testDescribeIdentity)
Expand Down Expand Up @@ -335,6 +337,53 @@ func testGenerateKey(t *testing.T) {
}
}

func testHMAC(t *testing.T) {
t.Parallel()

ctx := testContext(t)
srv, url := startServer(ctx, nil)
defer srv.Close()

message1 := []byte("Hello World")
message2 := []byte("Hello World!")

client := defaultClient(url)
for i, test := range validNameTests {
err := client.CreateKey(ctx, test.Name)
if err == nil && test.ShouldFail {
t.Errorf("Test %d: setup: creating key '%s' should have failed", i, test.Name)
}
if err != nil && !test.ShouldFail {
t.Errorf("Test %d: setup: failed to create key '%s': %v", i, test.Name, err)
}

if test.ShouldFail {
continue
}

sum1, err := client.HMAC(ctx, test.Name, message1)
if err != nil {
t.Errorf("Test %d: failed to compute HMAC with key '%s': %v", i, test.Name, err)
}
sum2, err := client.HMAC(ctx, test.Name, message2)
if err != nil {
t.Errorf("Test %d: failed to compute HMAC with key '%s': %v", i, test.Name, err)
}
if hmac.Equal(sum1, sum2) {
t.Errorf("Test %d: HMACs of different messages are equal: got '%x' and '%x'", i, sum1, sum2)
}

verifySum, err := client.HMAC(ctx, test.Name, message1)
if err != nil {
t.Errorf("Test %d: failed to compute HMAC with key '%s': %v", i, test.Name, err)
}

if !hmac.Equal(sum1, verifySum) {
t.Errorf("Test %d: HMACs of equal messages are not equal: got '%x' and '%x'", i, sum1, verifySum)
}
}
}

func testEncryptDecryptKey(t *testing.T) {
t.Parallel()

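Review bot: In testHMAC a failed `client.HMAC` call reports the error but still falls through to `hmac.Equal(sum1, sum2)` with a nil sum, so one server-side failure produces a second, misleading "HMACs of different messages are equal" (both nil) or "not equal" report for the same case; each error branch should end with `continue` after the `t.Errorf`. The three error messages are identical, so the output cannot say which of the three calls failed — naming the call in each (`first HMAC`, `second HMAC`, `verify HMAC`) would make a failure actionable. A `len(sum1) == 0` check after the first successful call would additionally catch a server that returns an empty MAC, which the equality checks alone only flag indirectly.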
2 changes: 1 addition & 1 deletion audit.go
Expand Up @@ -11,8 +11,8 @@ import (
"net/netip"
"time"

"github.com/minio/kes-go"
"github.com/minio/kes/internal/api"
"github.com/minio/kms-go/kes"
)

// AuditRecord describes an audit event logged by a KES server.
2 changes: 1 addition & 1 deletion auth.go
Expand Up @@ -13,8 +13,8 @@ import (
"net/http"
"sync/atomic"

"github.com/minio/kes-go"
"github.com/minio/kes/internal/api"
"github.com/minio/kms-go/kes"
)

// verifyIdentity authenticates client requests by verifying that
56 changes: 2 additions & 54 deletions cmd/kes/identity.go
Expand Up @@ -24,9 +24,9 @@ import (
"time"

tui "github.com/charmbracelet/lipgloss"
"github.com/minio/kes-go"
"github.com/minio/kes/internal/cli"
"github.com/minio/kes/internal/https"
"github.com/minio/kms-go/kes"
flag "github.com/spf13/pflag"
"golang.org/x/term"
)
Expand All @@ -39,7 +39,6 @@ Commands:
of Compute a KES identity from a certificate.
info Get information about a KES identity.
ls List KES identities.
rm Remove a KES identity.
Options:
-h, --help Print command line options.
Expand All @@ -54,7 +53,6 @@ func identityCmd(args []string) {
"of": ofIdentityCmd,
"info": infoIdentityCmd,
"ls": lsIdentityCmd,
"rm": rmIdentityCmd,
}

if len(args) < 2 {
Expand Down Expand Up @@ -480,7 +478,6 @@ Options:
is detected - colors are automatically disabled if
the output goes to a pipe.
Possible values: *auto*, never, always.
-e, --enclave <name> Operate within the specified enclave.
-h, --help Print command line options.
Expand All @@ -497,12 +494,10 @@ func lsIdentityCmd(args []string) {
jsonFlag bool
colorFlag colorOption
insecureSkipVerify bool
enclaveName string
)
cmd.BoolVar(&jsonFlag, "json", false, "Print identities in JSON format")
cmd.Var(&colorFlag, "color", "Specify when to use colored output")
cmd.BoolVarP(&insecureSkipVerify, "insecure", "k", false, "Skip TLS certificate validation")
cmd.StringVarP(&enclaveName, "enclave", "e", "", "Operate within the specified enclave")
if err := cmd.Parse(args[1:]); err != nil {
if errors.Is(err, flag.ErrHelp) {
os.Exit(2)
Expand All @@ -522,7 +517,7 @@ func lsIdentityCmd(args []string) {
ctx, cancelCtx := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill)
defer cancelCtx()

enclave := newEnclave(enclaveName, insecureSkipVerify)
enclave := newClient(insecureSkipVerify)
iter := &kes.ListIter[kes.Identity]{
NextFunc: enclave.ListIdentities,
}
Expand Down Expand Up @@ -556,50 +551,3 @@ func lsIdentityCmd(args []string) {
}
fmt.Print(buf)
}

const rmIdentityCmdUsage = `Usage:
kes identity rm <identity>...
Options:
-k, --insecure Skip TLS certificate validation.
-e, --enclave <name> Operate within the specified enclave.
-h, --help Print command line options.
Examples:
$ kes identity rm 736bf58626441e3e134a2daf2e6a8441b40e1abc0eac510878168c8aac9f2b0b
`

func rmIdentityCmd(args []string) {
cmd := flag.NewFlagSet(args[0], flag.ContinueOnError)
cmd.Usage = func() { fmt.Fprint(os.Stderr, rmIdentityCmdUsage) }

var (
insecureSkipVerify bool
enclaveName string
)
cmd.BoolVarP(&insecureSkipVerify, "insecure", "k", false, "Skip TLS certificate validation")
cmd.StringVarP(&enclaveName, "enclave", "e", "", "Operate within the specified enclave")
if err := cmd.Parse(args[1:]); err != nil {
if errors.Is(err, flag.ErrHelp) {
os.Exit(2)
}
cli.Fatalf("%v. See 'kes identity rm --help'", err)
}
if cmd.NArg() == 0 {
cli.Fatal("no identity specified. See 'kes identity rm --help'")
}

client := newClient(insecureSkipVerify)
ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill)
defer cancel()

for _, identity := range cmd.Args() {
if err := client.DeleteIdentity(ctx, kes.Identity(identity)); err != nil {
if errors.Is(err, context.Canceled) {
os.Exit(1)
}
cli.Fatalf("failed to remove identity %q: %v", identity, err)
}
}
}
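Review bot: The local still named `enclave` at `enclave := newClient(insecureSkipVerify)` in lsIdentityCmd now holds a *kes.Client, so the name no longer describes the value; `client := newClient(insecureSkipVerify)` with `NextFunc: client.ListIdentities` reads correctly, and the same rename applies to importKeyCmd and lsKeyCmd in cmd/kes/key.go. lsIdentityCmd starts and ends outside the hunk. Dropping the `-e, --enclave` flag turns any existing invocation that still passes it into a flag-parse failure via cli.Fatalf, and with newEnclave gone from cmd/kes/main.go a set `KES_ENCLAVE` environment variable is now silently ignored rather than honored or warned about. The description mentions only unused enclave code, so the removal of the `kes identity rm` subcommand — the CLI path to DeleteIdentity — is worth calling out there as well, assuming the server still supports identity deletion.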
13 changes: 4 additions & 9 deletions cmd/kes/key.go
Expand Up @@ -17,8 +17,8 @@ import (
"strings"

tui "github.com/charmbracelet/lipgloss"
"github.com/minio/kes-go"
"github.com/minio/kes/internal/cli"
"github.com/minio/kms-go/kes"
flag "github.com/spf13/pflag"
)

Expand Down Expand Up @@ -132,7 +132,6 @@ const importKeyCmdUsage = `Usage:
Options:
-k, --insecure Skip TLS certificate validation.
-e, --enclave <name> Operate within the specified enclave.
-h, --help Print command line options.
Expand All @@ -144,12 +143,8 @@ func importKeyCmd(args []string) {
cmd := flag.NewFlagSet(args[0], flag.ContinueOnError)
cmd.Usage = func() { fmt.Fprint(os.Stderr, importKeyCmdUsage) }

var (
insecureSkipVerify bool
enclaveName string
)
var insecureSkipVerify bool
cmd.BoolVarP(&insecureSkipVerify, "insecure", "k", false, "Skip TLS certificate validation")
cmd.StringVarP(&enclaveName, "enclave", "e", "", "Operate within the specified enclave")
if err := cmd.Parse(args[1:]); err != nil {
if errors.Is(err, flag.ErrHelp) {
os.Exit(2)
Expand All @@ -174,7 +169,7 @@ func importKeyCmd(args []string) {
ctx, cancel := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill)
defer cancel()

enclave := newEnclave(enclaveName, insecureSkipVerify)
enclave := newClient(insecureSkipVerify)
if err = enclave.ImportKey(ctx, name, &kes.ImportKeyRequest{Key: key}); err != nil {
if errors.Is(err, context.Canceled) {
os.Exit(1)
Expand Down Expand Up @@ -313,7 +308,7 @@ func lsKeyCmd(args []string) {
ctx, cancelCtx := signal.NotifyContext(context.Background(), os.Interrupt, os.Kill)
defer cancelCtx()

enclave := newEnclave(enclaveName, insecureSkipVerify)
enclave := newClient(insecureSkipVerify)
iter := &kes.ListIter[string]{
NextFunc: enclave.ListKeys,
}
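Review bot: The visible hunks already account for this section's full diffstat (4 additions, 9 deletions), which suggests lsKeyCmd still declares its `enclaveName` variable and binds it with `cmd.StringVarP(&enclaveName, "enclave", "e", ...)` while nothing consumes the value now that `enclave := newClient(insecureSkipVerify)` takes only the TLS flag; if so, `--enclave` is parsed and silently ignored there, and the declaration and StringVarP line should be removed as they were in importKeyCmd. lsKeyCmd starts and ends outside the hunk, so this is inferred from the counts rather than seen.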
2 changes: 1 addition & 1 deletion cmd/kes/log.go
Expand Up @@ -15,8 +15,8 @@ import (
"time"

tui "github.com/charmbracelet/lipgloss"
"github.com/minio/kes-go"
"github.com/minio/kes/internal/cli"
"github.com/minio/kms-go/kes"

flag "github.com/spf13/pflag"
)
10 changes: 1 addition & 9 deletions cmd/kes/main.go
Expand Up @@ -17,10 +17,10 @@ import (
"time"

tui "github.com/charmbracelet/lipgloss"
"github.com/minio/kes-go"
"github.com/minio/kes/internal/cli"
"github.com/minio/kes/internal/https"
"github.com/minio/kes/internal/sys"
"github.com/minio/kms-go/kes"
flag "github.com/spf13/pflag"
"golang.org/x/term"
)
Expand Down Expand Up @@ -227,14 +227,6 @@ func newClient(insecureSkipVerify bool) *kes.Client {
})
}

func newEnclave(name string, insecureSkipVerify bool) *kes.Enclave {
client := newClient(insecureSkipVerify)
if name == "" {
name = os.Getenv("KES_ENCLAVE")
}
return client.Enclave(name)
}

func isTerm(f *os.File) bool { return term.IsTerminal(int(f.Fd())) }

func decodePrivateKey(pemBlock []byte) (*pem.Block, error) {
2 changes: 1 addition & 1 deletion cmd/kes/metric.go
Expand Up @@ -17,8 +17,8 @@ import (

"aead.dev/mem"
tui "github.com/charmbracelet/lipgloss"
"github.com/minio/kes-go"
"github.com/minio/kes/internal/cli"
"github.com/minio/kms-go/kes"
flag "github.com/spf13/pflag"
)

2 changes: 1 addition & 1 deletion cmd/kes/migrate.go
Expand Up @@ -16,9 +16,9 @@ import (
"time"

"github.com/fatih/color"
"github.com/minio/kes-go"
"github.com/minio/kes/internal/cli"
"github.com/minio/kes/kesconf"
"github.com/minio/kms-go/kes"
flag "github.com/spf13/pflag"
"golang.org/x/term"
)

