test: add policy editing integration tests

crate/pyo3/python/scripts/test_kms.py

@@ -22,8 +22,8 @@ async def asyncSetUp(self) -> None:
                 'Security Level',
                 [
                     ('Protected', False),
-                    ('Confidential', False),
-                    ('Top Secret', False),
+                    ('Confidential', True),
+                    ('Top Secret', True),
                 ],
                 hierarchical=True,
             )

crate/pyo3/src/py_kms_client.rs

@@ -25,6 +25,8 @@ use pyo3::{
 
 use crate::py_kms_object::KmsObject;
 
+/// Create a Rekey Keypair request from PyO3 arguments
+/// Returns a PyO3 Future
 macro_rules! rekey_keypair {
     (
         $self:ident,

crate/server/src/tests/cover_crypt_tests/integration_tests.rs

@@ -178,7 +178,7 @@ async fn integration_tests_use_ids_no_tags() -> KResult<()> {
     let request = build_decryption_request(
         user_decryption_key_identifier_2,
         None,
-        encrypted_data,
+        encrypted_data.clone(),
         None,
         Some(authentication_data.clone()),
         None,
@@ -213,7 +213,7 @@ async fn integration_tests_use_ids_no_tags() -> KResult<()> {
 
     let request = build_rekey_keypair_request(
         private_key_unique_identifier,
-        abe_policy_attributes,
+        abe_policy_attributes.clone(),
         ReKeyKeyPairAction::RotateAttributes,
     )?;
     let rekey_keypair_response: ReKeyKeyPairResponse = test_utils::post(&app, &request).await?;
@@ -240,15 +240,15 @@ async fn integration_tests_use_ids_no_tags() -> KResult<()> {
         Some(CryptographicAlgorithm::CoverCrypt),
     )?;
     let encrypt_response: EncryptResponse = test_utils::post(&app, &request).await?;
-    let encrypted_data = encrypt_response
+    let new_encrypted_data = encrypt_response
         .data
         .expect("There should be encrypted data");
 
     // Make sure first user decryption key cannot decrypt new encrypted message (message being encrypted with new `MKG` value)
     let request = build_decryption_request(
         user_decryption_key_identifier_1,
         None,
-        encrypted_data.clone(),
+        new_encrypted_data.clone(),
         None,
         Some(authentication_data.clone()),
         None,
@@ -260,7 +260,7 @@ async fn integration_tests_use_ids_no_tags() -> KResult<()> {
     let request = build_decryption_request(
         user_decryption_key_identifier_2,
         None,
-        encrypted_data,
+        new_encrypted_data,
         None,
         Some(authentication_data.clone()),
         None,
@@ -276,6 +276,143 @@ async fn integration_tests_use_ids_no_tags() -> KResult<()> {
     assert_eq!(&data, &decrypted_data.plaintext);
     assert!(decrypted_data.metadata.is_empty());
 
+    //
+    // Clear old rotations for ABE Attribute
+    let request = build_rekey_keypair_request(
+        private_key_unique_identifier,
+        abe_policy_attributes.clone(),
+        ReKeyKeyPairAction::ClearOldRotations,
+    )?;
+    let rekey_keypair_response: KResult<ReKeyKeyPairResponse> =
+        test_utils::post(&app, &request).await;
+    assert!(rekey_keypair_response.is_ok());
+
+    // test user2 can no longer decrypt old message
+    let request = build_decryption_request(
+        user_decryption_key_identifier_2,
+        None,
+        encrypted_data,
+        None,
+        Some(authentication_data.clone()),
+        None,
+    );
+    let post_ttlv_decrypt: KResult<DecryptResponse> = test_utils::post(&app, &request).await;
+    assert!(post_ttlv_decrypt.is_err());
+
+    //
+    // Add new Attributes
+    let new_policy_attributes = vec![
+        Attribute::from(("Department", "IT")),
+        Attribute::from(("Department", "R&D")),
+    ];
+    let request = build_rekey_keypair_request(
+        private_key_unique_identifier,
+        new_policy_attributes,
+        ReKeyKeyPairAction::AddAttributeClassic,
+    )?;
+    let rekey_keypair_response: KResult<ReKeyKeyPairResponse> =
+        test_utils::post(&app, &request).await;
+    assert!(rekey_keypair_response.is_ok());
+
+    // Encrypt for new attribute
+    let data = "New tech research data".as_bytes();
+    let encryption_policy = "Level::Confidential && (Department::IT || Department::R&D)";
+
+    let request = build_encryption_request(
+        public_key_unique_identifier,
+        Some(encryption_policy.to_string()),
+        data.to_vec(),
+        None,
+        Some(authentication_data.clone()),
+        Some(CryptographicAlgorithm::CoverCrypt),
+    )?;
+    let encrypt_response: KResult<EncryptResponse> = test_utils::post(&app, &request).await;
+    assert!(encrypt_response.is_ok());
+
+    //
+    // Rename Attributes
+    let rename_policy_attributes_pair = vec![
+        Attribute::from(("Department", "HR")),
+        Attribute::from(("Department", "HumanResources")),
+    ];
+    let request = build_rekey_keypair_request(
+        private_key_unique_identifier,
+        rename_policy_attributes_pair,
+        ReKeyKeyPairAction::RenameAttribute,
+    )?;
+    let rekey_keypair_response: KResult<ReKeyKeyPairResponse> =
+        test_utils::post(&app, &request).await;
+    assert!(rekey_keypair_response.is_ok());
+
+    // Encrypt for renamed attribute
+    let data = "hr data".as_bytes();
+    let encryption_policy = "Level::Confidential && Department::HumanResources";
+
+    let request = build_encryption_request(
+        public_key_unique_identifier,
+        Some(encryption_policy.to_string()),
+        data.to_vec(),
+        None,
+        Some(authentication_data.clone()),
+        Some(CryptographicAlgorithm::CoverCrypt),
+    )?;
+    let encrypt_response: KResult<EncryptResponse> = test_utils::post(&app, &request).await;
+    assert!(encrypt_response.is_ok());
+
+    //
+    // Disable ABE Attribute
+    let request = build_rekey_keypair_request(
+        private_key_unique_identifier,
+        abe_policy_attributes.clone(),
+        ReKeyKeyPairAction::DisableAttribute,
+    )?;
+    let rekey_keypair_response: KResult<ReKeyKeyPairResponse> =
+        test_utils::post(&app, &request).await;
+    assert!(rekey_keypair_response.is_ok());
+
+    // Encrypt with disabled ABE attribute will fail
+    let authentication_data = b"cc the uid".to_vec();
+    let data = "Will fail".as_bytes();
+    let encryption_policy = "Level::Confidential && Department::MKG";
+
+    let request = build_encryption_request(
+        public_key_unique_identifier,
+        Some(encryption_policy.to_string()),
+        data.to_vec(),
+        None,
+        Some(authentication_data.clone()),
+        Some(CryptographicAlgorithm::CoverCrypt),
+    )?;
+    let encrypt_response: KResult<EncryptResponse> = test_utils::post(&app, &request).await;
+    assert!(encrypt_response.is_err());
+
+    //
+    // Delete attribute
+    let remove_policy_attributes_pair = vec![Attribute::from(("Department", "HumanResources"))];
+    let request = build_rekey_keypair_request(
+        private_key_unique_identifier,
+        remove_policy_attributes_pair,
+        ReKeyKeyPairAction::RemoveAttribute,
+    )?;
+    let rekey_keypair_response: KResult<ReKeyKeyPairResponse> =
+        test_utils::post(&app, &request).await;
+    assert!(rekey_keypair_response.is_ok());
+
+    // Encrypt for removed attribute will fail
+    let data = "New hr data".as_bytes();
+    let encryption_policy = "Level::Confidential && Department::HumanResources";
+
+    let request = build_encryption_request(
+        public_key_unique_identifier,
+        Some(encryption_policy.to_string()),
+        data.to_vec(),
+        None,
+        Some(authentication_data.clone()),
+        Some(CryptographicAlgorithm::CoverCrypt),
+    )?;
+    let encrypt_response: KResult<EncryptResponse> = test_utils::post(&app, &request).await;
+    assert!(encrypt_response.is_err());
+
     //
     // Destroy user decryption key
     let request = build_destroy_key_request(user_decryption_key_identifier_1)?;