File: rewrap_prose_spec.rb

ruby-mongo 2.23.0-1
# frozen_string_literal: true

require 'spec_helper'

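# Integration test for ClientEncryption#rewrap_many_data_key (data-key
# rotation). For every ordered pair of KMS providers, a data key is created
# under the source provider, a value is encrypted with it, the key vault is
# rewrapped under the destination provider, and the ciphertext must still
# decrypt to the original plaintext through two separate ClientEncryption
# instances.
describe 'RewrapManyDataKey' do
  require_libmongocrypt
  min_server_version '7.0.0-rc0'
  require_topology :replica_set, :sharded, :load_balanced

  include_context 'define shared FLE helpers'

  # One credentials hash covering all five providers, so a single
  # ClientEncryption can act as either the source or the destination side.
  # NOTE(review): the *_kms_providers helpers are not defined in this file;
  # presumably they come from the shared FLE context above.
  let(:kms_providers) do
    {}.merge(aws_kms_providers)
      .merge(azure_kms_providers)
      .merge(gcp_kms_providers)
      .merge(kmip_kms_providers)
      .merge(local_kms_providers)
  end

  # Master-key descriptors per provider. There is no :local entry, so
  # master_keys[:local] is nil and no master_key is passed for that provider.
  let(:master_keys) do
    {
      aws: {
        region: 'us-east-1',
        key: 'arn:aws:kms:us-east-1:579766882180:key/89fcc2c4-08b0-4bd9-9f25-e30687b580d0',
      },
      azure: {
        key_vault_endpoint: 'key-vault-csfle.vault.azure.net',
        key_name: 'key-name-csfle',
      },
      gcp: {
        project_id: 'devprod-drivers',
        location: 'global',
        key_ring: 'key-ring-csfle',
        key_name: 'key-name-csfle',
      },
      kmip: {}
    }
  end

  # Start every example from an empty key vault so that the key created below
  # is the only one the empty-filter rewrap can match.
  before do
    authorized_client.use('keyvault')['datakeys'].drop
  end

  providers = %i[ aws azure gcp kmip local ]

  providers.each do |src_provider|
    providers.each do |dst_provider|
      context "with #{src_provider} as source provider and #{dst_provider} as destination provider" do
        # Creates the data key and the ciphertext, and decrypts afterwards.
        let(:client_encryption1) do
          key_vault_client = ClientRegistry.instance.new_local_client(
            SpecConfig.instance.addresses,
            SpecConfig.instance.test_options
          )
          Mongo::ClientEncryption.new(
            key_vault_client,
            key_vault_namespace: 'keyvault.datakeys',
            kms_providers: kms_providers,
            kms_tls_options: {
              kmip: default_kms_tls_options_for_provider
            }
          )
        end

        # A second, separately constructed instance (own key vault client)
        # that performs the rewrap and also decrypts afterwards.
        let(:client_encryption2) do
          key_vault_client = ClientRegistry.instance.new_local_client(
            SpecConfig.instance.addresses,
            SpecConfig.instance.test_options
          )
          Mongo::ClientEncryption.new(
            key_vault_client,
            key_vault_namespace: 'keyvault.datakeys',
            kms_providers: kms_providers,
            kms_tls_options: {
              kmip: default_kms_tls_options_for_provider
            }
          )
        end

        # Data key wrapped by the source provider's master key.
        let(:key_id) do
          client_encryption1.create_data_key(
            src_provider.to_s,
            master_key: master_keys[src_provider]
          )
        end

        # 'test' encrypted with the source-wrapped data key.
        let(:ciphertext) do
          client_encryption1.encrypt(
            'test',
            key_id: key_id,
            algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic'
          )
        end

        before do
          # `let` is lazy. Without this reference the data key and ciphertext
          # would first be created inside the example, after the rewrap below
          # had already run against the empty key vault, and the example
          # would pass without any key ever having been rewrapped.
          ciphertext

          # Empty filter: rewrap every key in the vault (here, the one above).
          # NOTE(review): asserting on the returned result that exactly one
          # key was modified would make this stricter; confirm the result API
          # before adding it.
          client_encryption2.rewrap_many_data_key(
            {},
            provider: dst_provider.to_s,
            master_key: master_keys[dst_provider]
          )
        end

        it 'rewraps', :aggregate_failures do
          expect(client_encryption1.decrypt(ciphertext)).to eq('test')
          expect(client_encryption2.decrypt(ciphertext)).to eq('test')
        end

        context 'when master_key is present without provider' do
          # A master key with no provider is ambiguous and must be rejected
          # up front with an error that names the missing option.
          it 'raises an exception' do
            expect { client_encryption1.rewrap_many_data_key({}, master_key: {}) }
              .to raise_error(ArgumentError, /provider/)
          end
        end
      end
    end
  end
end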