blob: f167c4fd40ea2384f2120b1b6a1de623acfb1bf6 [file] [log] [blame]
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Integration tests for Tink Python's HashiCorp Vault KMS integration."""
import base64
import os
from absl.testing import absltest
import hvac
import tink
from tink import aead
from tink.integration import hcvault
_VAULT_TOKEN = os.getenv('VAULT_TOKEN', '') # Your auth token
_VAULT_ADDR = os.getenv('VAULT_ADDR', '')
_BAD_TOKEN = 'notavalidtoken'
# Replace this with your vault URI
_KEY_PATH = '/transit/keys/key-1'
def setUpModule():
aead.register()
def _corrupt(value: bytes, i: int) -> bytes:
"""Corrupts a byte in `value` at a given index `i`."""
assert i >= 0 and i < len(value)
tmp_value = list(value)
tmp_value[i] ^= 2
return bytes(tmp_value)
class HcVaultAeadTest(absltest.TestCase):
def setUp(self):
super().setUp()
self.client = hvac.Client(url=_VAULT_ADDR, token=_VAULT_TOKEN, verify=False)
def test_encrypt_decrypt(self):
vaultaead = hcvault.create_aead(_KEY_PATH, self.client)
plaintext = b'hello'
associated_data = b'world'
ciphertext = vaultaead.encrypt(plaintext, associated_data)
self.assertEqual(plaintext, vaultaead.decrypt(ciphertext, associated_data))
plaintext = b'hello'
ciphertext = vaultaead.encrypt(plaintext, b'')
self.assertEqual(plaintext, vaultaead.decrypt(ciphertext, b''))
def test_corrupted_ciphertext(self):
vaultaead = hcvault.create_aead(_KEY_PATH, self.client)
plaintext = b'helloworld'
ciphertext = vaultaead.encrypt(plaintext, b'')
self.assertEqual(plaintext, vaultaead.decrypt(ciphertext, b''))
# The returned ciphertext is of the form:
# vault:v{N}:Base64(IV+Ciphertext)
vault, version, iv_and_ciphertext = ciphertext.decode().split(':')
# Corrupt vault.
for i in range(len(vault)):
corrupted_vault = _corrupt(vault.encode(), i)
with self.assertRaises(tink.TinkError):
vaultaead.decrypt(
f'{corrupted_vault}:{version}:{iv_and_ciphertext}'.encode(), b''
)
# Corrupt the version.
for i in range(len(version)):
corrupted_version = _corrupt(version.encode(), i)
with self.assertRaises(tink.TinkError):
vaultaead.decrypt(
f'{vault}:{corrupted_version}:{iv_and_ciphertext}'.encode(), b''
)
# Corrupt the ciphertext.
# In this case we corrupt the decoded string, then encode back to Base64.
iv_and_ciphertext = base64.urlsafe_b64decode(iv_and_ciphertext.encode())
for i in range(len(iv_and_ciphertext)):
corrupted_iv_and_ciphertext = base64.urlsafe_b64encode(
_corrupt(iv_and_ciphertext, i)
)
with self.assertRaises(tink.TinkError):
vaultaead.decrypt(
f'{vault}:{version}:{corrupted_iv_and_ciphertext}', b''
)
def test_encrypt_with_bad_client(self):
with self.assertRaises(tink.TinkError):
bad_client = hvac.Client(url=_VAULT_ADDR, token=_BAD_TOKEN, verify=False)
vaultaead = hcvault.create_aead(_KEY_PATH, bad_client)
plaintext = b'hello'
associated_data = b'world'
vaultaead.encrypt(plaintext, associated_data)
if __name__ == '__main__':
absltest.main()