145 lines
6 KiB
Ruby
145 lines
6 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require "spec_helper"
|
|
|
|
RSpec.describe Gitlab::EncryptedConfiguration do
|
|
subject(:configuration) { described_class.new }
|
|
|
|
let!(:config_tmp_dir) { Dir.mktmpdir('config-') }
|
|
|
|
after do
|
|
FileUtils.rm_f(config_tmp_dir)
|
|
end
|
|
|
|
describe '#initialize' do
|
|
it 'accepts all args as optional fields' do
|
|
expect { configuration }.not_to raise_exception
|
|
|
|
expect(configuration.key).to be_nil
|
|
expect(configuration.previous_keys).to be_empty
|
|
end
|
|
|
|
it 'generates 32 byte key when provided a larger base key' do
|
|
configuration = described_class.new(base_key: 'A' * 64)
|
|
|
|
expect(configuration.key.bytesize).to eq 32
|
|
end
|
|
|
|
it 'generates 32 byte key when provided a smaller base key' do
|
|
configuration = described_class.new(base_key: 'A' * 16)
|
|
|
|
expect(configuration.key.bytesize).to eq 32
|
|
end
|
|
|
|
it 'throws an error when the base key is too small' do
|
|
expect { described_class.new(base_key: 'A' * 12) }.to raise_error 'Base key too small'
|
|
end
|
|
end
|
|
|
|
context 'when provided a config file but no key' do
|
|
let(:config_path) { File.join(config_tmp_dir, 'credentials.yml.enc') }
|
|
|
|
it 'throws an error when writing without a key' do
|
|
expect { described_class.new(content_path: config_path).write('test') }.to raise_error Gitlab::EncryptedConfiguration::MissingKeyError
|
|
end
|
|
|
|
it 'throws an error when reading without a key' do
|
|
config = described_class.new(content_path: config_path)
|
|
File.write(config_path, 'test')
|
|
expect { config.read }.to raise_error Gitlab::EncryptedConfiguration::MissingKeyError
|
|
end
|
|
end
|
|
|
|
context 'when provided key and config file' do
|
|
let(:credentials_config_path) { File.join(config_tmp_dir, 'credentials.yml.enc') }
|
|
let(:credentials_key) { SecureRandom.hex(64) }
|
|
|
|
describe '#write' do
|
|
it 'encrypts the file using the provided key' do
|
|
encryptor = ActiveSupport::MessageEncryptor.new(Gitlab::EncryptedConfiguration.generate_key(credentials_key), cipher: 'aes-256-gcm')
|
|
config = described_class.new(content_path: credentials_config_path, base_key: credentials_key)
|
|
|
|
config.write('sample-content')
|
|
expect(encryptor.decrypt_and_verify(File.read(credentials_config_path))).to eq('sample-content')
|
|
end
|
|
end
|
|
|
|
describe '#read' do
|
|
it 'reads yaml configuration' do
|
|
config = described_class.new(content_path: credentials_config_path, base_key: credentials_key)
|
|
|
|
config.write({ foo: { bar: true } }.to_yaml)
|
|
expect(config[:foo][:bar]).to be true
|
|
end
|
|
|
|
it 'allows referencing top level keys via dot syntax' do
|
|
config = described_class.new(content_path: credentials_config_path, base_key: credentials_key)
|
|
|
|
config.write({ foo: { bar: true } }.to_yaml)
|
|
expect(config.foo[:bar]).to be true
|
|
end
|
|
|
|
it 'throws a custom error when referencing an invalid key map config' do
|
|
config = described_class.new(content_path: credentials_config_path, base_key: credentials_key)
|
|
|
|
config.write("stringcontent")
|
|
expect { config[:foo] }.to raise_error Gitlab::EncryptedConfiguration::InvalidConfigError
|
|
end
|
|
end
|
|
|
|
describe '#change' do
|
|
it 'changes yaml configuration' do
|
|
config = described_class.new(content_path: credentials_config_path, base_key: credentials_key)
|
|
|
|
config.write({ foo: { bar: true } }.to_yaml)
|
|
config.change do |unencrypted_contents|
|
|
contents = YAML.safe_load(unencrypted_contents, permitted_classes: [Symbol])
|
|
contents.merge(beef: "stew").to_yaml
|
|
end
|
|
expect(config.foo[:bar]).to be true
|
|
expect(config.beef).to eq('stew')
|
|
end
|
|
end
|
|
|
|
context 'when provided previous_keys for rotation' do
|
|
let(:credential_key_original) { SecureRandom.hex(64) }
|
|
let(:credential_key_latest) { SecureRandom.hex(64) }
|
|
let(:config_path_original) { File.join(config_tmp_dir, 'credentials-orig.yml.enc') }
|
|
let(:config_path_latest) { File.join(config_tmp_dir, 'credentials-latest.yml.enc') }
|
|
|
|
def encryptor(key)
|
|
ActiveSupport::MessageEncryptor.new(Gitlab::EncryptedConfiguration.generate_key(key), cipher: 'aes-256-gcm')
|
|
end
|
|
|
|
describe '#write' do
|
|
it 'rotates the key when provided a new key' do
|
|
config1 = described_class.new(content_path: config_path_original, base_key: credential_key_original)
|
|
config1.write('sample-content1')
|
|
|
|
config2 = described_class.new(content_path: config_path_latest, base_key: credential_key_latest, previous_keys: [credential_key_original])
|
|
config2.write('sample-content2')
|
|
|
|
original_key_encryptor = encryptor(credential_key_original) # can read with the initial key
|
|
latest_key_encryptor = encryptor(credential_key_latest) # can read with the new key
|
|
both_key_encryptor = encryptor(credential_key_latest) # can read with either key
|
|
both_key_encryptor.rotate(Gitlab::EncryptedConfiguration.generate_key(credential_key_original))
|
|
|
|
expect(original_key_encryptor.decrypt_and_verify(File.read(config_path_original))).to eq('sample-content1')
|
|
expect(both_key_encryptor.decrypt_and_verify(File.read(config_path_original))).to eq('sample-content1')
|
|
expect(latest_key_encryptor.decrypt_and_verify(File.read(config_path_latest))).to eq('sample-content2')
|
|
expect(both_key_encryptor.decrypt_and_verify(File.read(config_path_latest))).to eq('sample-content2')
|
|
expect { original_key_encryptor.decrypt_and_verify(File.read(config_path_latest)) }.to raise_error(ActiveSupport::MessageEncryptor::InvalidMessage)
|
|
end
|
|
end
|
|
|
|
describe '#read' do
|
|
it 'supports reading using rotated config' do
|
|
described_class.new(content_path: config_path_original, base_key: credential_key_original).write({ foo: { bar: true } }.to_yaml)
|
|
|
|
config = described_class.new(content_path: config_path_original, base_key: credential_key_latest, previous_keys: [credential_key_original])
|
|
expect(config[:foo][:bar]).to be true
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|