From 79d6faada494f4941ce70bf79c397cca74dd80c6 Mon Sep 17 00:00:00 2001 From: Hugo Rosenkranz-Costa Date: Wed, 18 Oct 2023 16:31:31 +0200 Subject: [PATCH] test: add policy editing integration tests --- crate/pyo3/python/scripts/test_kms.py | 4 +- crate/pyo3/src/py_kms_client.rs | 2 + .../cover_crypt_tests/integration_tests.rs | 147 +++++++++++++++++- 3 files changed, 146 insertions(+), 7 deletions(-) diff --git a/crate/pyo3/python/scripts/test_kms.py b/crate/pyo3/python/scripts/test_kms.py index 9d165ad9c..410df6bbd 100644 --- a/crate/pyo3/python/scripts/test_kms.py +++ b/crate/pyo3/python/scripts/test_kms.py @@ -22,8 +22,8 @@ async def asyncSetUp(self) -> None: 'Security Level', [ ('Protected', False), - ('Confidential', False), - ('Top Secret', False), + ('Confidential', True), + ('Top Secret', True), ], hierarchical=True, ) diff --git a/crate/pyo3/src/py_kms_client.rs b/crate/pyo3/src/py_kms_client.rs index 6a63e54d0..832a26b4f 100644 --- a/crate/pyo3/src/py_kms_client.rs +++ b/crate/pyo3/src/py_kms_client.rs @@ -25,6 +25,8 @@ use pyo3::{ use crate::py_kms_object::KmsObject; +/// Create a Rekey Keypair request from PyO3 arguments +/// Returns a PyO3 Future macro_rules! rekey_keypair { ( $self:ident, diff --git a/crate/server/src/tests/cover_crypt_tests/integration_tests.rs b/crate/server/src/tests/cover_crypt_tests/integration_tests.rs index ad283c798..e8f1f85cf 100644 --- a/crate/server/src/tests/cover_crypt_tests/integration_tests.rs +++ b/crate/server/src/tests/cover_crypt_tests/integration_tests.rs @@ -178,7 +178,7 @@ async fn integration_tests_use_ids_no_tags() -> KResult<()> { let request = build_decryption_request( user_decryption_key_identifier_2, None, - encrypted_data, + encrypted_data.clone(), None, Some(authentication_data.clone()), None, @@ -213,7 +213,7 @@ async fn integration_tests_use_ids_no_tags() -> KResult<()> { let request = build_rekey_keypair_request( private_key_unique_identifier, - abe_policy_attributes, + abe_policy_attributes.clone(), ReKeyKeyPairAction::RotateAttributes, )?; let rekey_keypair_response: ReKeyKeyPairResponse = test_utils::post(&app, &request).await?; @@ -240,7 +240,7 @@ async fn integration_tests_use_ids_no_tags() -> KResult<()> { Some(CryptographicAlgorithm::CoverCrypt), )?; let encrypt_response: EncryptResponse = test_utils::post(&app, &request).await?; - let encrypted_data = encrypt_response + let new_encrypted_data = encrypt_response .data .expect("There should be encrypted data"); @@ -248,7 +248,7 @@ async fn integration_tests_use_ids_no_tags() -> KResult<()> { let request = build_decryption_request( user_decryption_key_identifier_1, None, - encrypted_data.clone(), + new_encrypted_data.clone(), None, Some(authentication_data.clone()), None, @@ -260,7 +260,7 @@ async fn integration_tests_use_ids_no_tags() -> KResult<()> { let request = build_decryption_request( user_decryption_key_identifier_2, None, - encrypted_data, + new_encrypted_data, None, Some(authentication_data.clone()), None, @@ -276,6 +276,143 @@ async fn integration_tests_use_ids_no_tags() -> KResult<()> { assert_eq!(&data, &decrypted_data.plaintext); assert!(decrypted_data.metadata.is_empty()); + // + // Clear old rotations for ABE Attribute + let request = build_rekey_keypair_request( + private_key_unique_identifier, + abe_policy_attributes.clone(), + ReKeyKeyPairAction::ClearOldRotations, + )?; + let rekey_keypair_response: KResult = + test_utils::post(&app, &request).await; + assert!(rekey_keypair_response.is_ok()); + + // test user2 can no longer decrypt old message + let request = build_decryption_request( + user_decryption_key_identifier_2, + None, + encrypted_data, + None, + Some(authentication_data.clone()), + None, + ); + let post_ttlv_decrypt: KResult = test_utils::post(&app, &request).await; + assert!(post_ttlv_decrypt.is_err()); + + // + // Add new Attributes + let new_policy_attributes = vec![ + Attribute::from(("Department", "IT")), + Attribute::from(("Department", "R&D")), + ]; + let request = build_rekey_keypair_request( + private_key_unique_identifier, + new_policy_attributes, + ReKeyKeyPairAction::AddAttributeClassic, + )?; + let rekey_keypair_response: KResult = + test_utils::post(&app, &request).await; + assert!(rekey_keypair_response.is_ok()); + + // Encrypt for new attribute + let data = "New tech research data".as_bytes(); + let encryption_policy = "Level::Confidential && (Department::IT || Department::R&D)"; + + let request = build_encryption_request( + public_key_unique_identifier, + Some(encryption_policy.to_string()), + data.to_vec(), + None, + Some(authentication_data.clone()), + Some(CryptographicAlgorithm::CoverCrypt), + )?; + let encrypt_response: KResult = test_utils::post(&app, &request).await; + assert!(encrypt_response.is_ok()); + + // + // Rename Attributes + let rename_policy_attributes_pair = vec![ + Attribute::from(("Department", "HR")), + Attribute::from(("Department", "HumanResources")), + ]; + let request = build_rekey_keypair_request( + private_key_unique_identifier, + rename_policy_attributes_pair, + ReKeyKeyPairAction::RenameAttribute, + )?; + let rekey_keypair_response: KResult = + test_utils::post(&app, &request).await; + assert!(rekey_keypair_response.is_ok()); + + // Encrypt for renamed attribute + let data = "hr data".as_bytes(); + let encryption_policy = "Level::Confidential && Department::HumanResources"; + + let request = build_encryption_request( + public_key_unique_identifier, + Some(encryption_policy.to_string()), + data.to_vec(), + None, + Some(authentication_data.clone()), + Some(CryptographicAlgorithm::CoverCrypt), + )?; + let encrypt_response: KResult = test_utils::post(&app, &request).await; + assert!(encrypt_response.is_ok()); + + // + // Disable ABE Attribute + let request = build_rekey_keypair_request( + private_key_unique_identifier, + abe_policy_attributes.clone(), + ReKeyKeyPairAction::DisableAttribute, + )?; + let rekey_keypair_response: KResult = + test_utils::post(&app, &request).await; + assert!(rekey_keypair_response.is_ok()); + + // Encrypt with disabled ABE attribute will fail + let authentication_data = b"cc the uid".to_vec(); + let data = "Will fail".as_bytes(); + let encryption_policy = "Level::Confidential && Department::MKG"; + + let request = build_encryption_request( + public_key_unique_identifier, + Some(encryption_policy.to_string()), + data.to_vec(), + None, + Some(authentication_data.clone()), + Some(CryptographicAlgorithm::CoverCrypt), + )?; + let encrypt_response: KResult = test_utils::post(&app, &request).await; + assert!(encrypt_response.is_err()); + + // + // Delete attribute + let remove_policy_attributes_pair = vec![Attribute::from(("Department", "HumanResources"))]; + let request = build_rekey_keypair_request( + private_key_unique_identifier, + remove_policy_attributes_pair, + ReKeyKeyPairAction::RemoveAttribute, + )?; + let rekey_keypair_response: KResult = + test_utils::post(&app, &request).await; + assert!(rekey_keypair_response.is_ok()); + + // Encrypt for removed attribute will fail + let data = "New hr data".as_bytes(); + let encryption_policy = "Level::Confidential && Department::HumanResources"; + + let request = build_encryption_request( + public_key_unique_identifier, + Some(encryption_policy.to_string()), + data.to_vec(), + None, + Some(authentication_data.clone()), + Some(CryptographicAlgorithm::CoverCrypt), + )?; + let encrypt_response: KResult = test_utils::post(&app, &request).await; + assert!(encrypt_response.is_err()); + // // Destroy user decryption key let request = build_destroy_key_request(user_decryption_key_identifier_1)?;