mirror of
https://github.com/google/nomulus.git
synced 2025-07-07 03:33:28 +02:00
Convert Kms* classes to use SQL when appropriate (#1043)
* Convert Kms* classes to use SQL when appropriate
This commit is contained in:
gbrodman
GitHub
parent
e30d3efa7c
commit
5c6b2595db
5 changed files with 72 additions and 50 deletions
|
|
@ -15,22 +15,23 @@
|
|||
package google.registry.keyring.kms;
|
||||
|
||||
import static com.google.common.truth.Truth.assertThat;
|
||||
import static google.registry.testing.DatabaseHelper.persistResources;
|
||||
import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
|
||||
|
||||
import com.google.common.collect.ImmutableList;
|
||||
import google.registry.keyring.api.KeySerializer;
|
||||
import google.registry.model.server.KmsSecret;
|
||||
import google.registry.model.server.KmsSecretRevision;
|
||||
import google.registry.testing.AppEngineExtension;
|
||||
import google.registry.testing.BouncyCastleProviderExtension;
|
||||
import google.registry.testing.DualDatabaseTest;
|
||||
import google.registry.testing.TestOfyAndSql;
|
||||
import org.bouncycastle.openpgp.PGPKeyPair;
|
||||
import org.bouncycastle.openpgp.PGPPrivateKey;
|
||||
import org.bouncycastle.openpgp.PGPPublicKey;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.RegisterExtension;
|
||||
|
||||
/** Unit tests for {@link KmsKeyring}. */
|
||||
@DualDatabaseTest
|
||||
class KmsKeyringTest {
|
||||
|
||||
@RegisterExtension
|
||||
|
|
@ -47,21 +48,21 @@ class KmsKeyringTest {
|
|||
keyring = new KmsKeyring(new FakeKmsConnection());
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getCloudSqlPassword() {
|
||||
saveCleartextSecret("cloud-sql-password-string");
|
||||
String cloudSqlPassword = keyring.getCloudSqlPassword();
|
||||
assertThat(cloudSqlPassword).isEqualTo("cloud-sql-password-stringmoo");
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getToolsCloudSqlPassword() {
|
||||
saveCleartextSecret("tools-cloud-sql-password-string");
|
||||
String toolsCloudSqlPassword = keyring.getToolsCloudSqlPassword();
|
||||
assertThat(toolsCloudSqlPassword).isEqualTo("tools-cloud-sql-password-stringmoo");
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getRdeSigningKey() throws Exception {
|
||||
saveKeyPairSecret("rde-signing-public", "rde-signing-private");
|
||||
PGPKeyPair rdeSigningKey = keyring.getRdeSigningKey();
|
||||
|
|
@ -69,7 +70,7 @@ class KmsKeyringTest {
|
|||
.isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair()));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getRdeStagingEncryptionKey() throws Exception {
|
||||
savePublicKeySecret("rde-staging-public");
|
||||
PGPPublicKey rdeStagingEncryptionKey = keyring.getRdeStagingEncryptionKey();
|
||||
|
|
@ -77,7 +78,7 @@ class KmsKeyringTest {
|
|||
.isEqualTo(KmsTestHelper.getPublicKey().getFingerprint());
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getRdeStagingDecryptionKey() throws Exception {
|
||||
savePrivateKeySecret("rde-staging-private");
|
||||
savePublicKeySecret("rde-staging-public");
|
||||
|
|
@ -90,7 +91,7 @@ class KmsKeyringTest {
|
|||
.isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair()));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getRdeReceiverKey() throws Exception {
|
||||
savePublicKeySecret("rde-receiver-public");
|
||||
PGPPublicKey rdeReceiverKey = keyring.getRdeReceiverKey();
|
||||
|
|
@ -98,7 +99,7 @@ class KmsKeyringTest {
|
|||
.isEqualTo(KmsTestHelper.getPublicKey().getFingerprint());
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getBrdaSigningKey() throws Exception {
|
||||
saveKeyPairSecret("brda-signing-public", "brda-signing-private");
|
||||
PGPKeyPair brdaSigningKey = keyring.getBrdaSigningKey();
|
||||
|
|
@ -106,7 +107,7 @@ class KmsKeyringTest {
|
|||
.isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair()));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getBrdaReceiverKey() throws Exception {
|
||||
savePublicKeySecret("brda-receiver-public");
|
||||
PGPPublicKey brdaReceiverKey = keyring.getBrdaReceiverKey();
|
||||
|
|
@ -114,49 +115,49 @@ class KmsKeyringTest {
|
|||
.isEqualTo(KmsTestHelper.getPublicKey().getFingerprint());
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getRdeSshClientPublicKey() {
|
||||
saveCleartextSecret("rde-ssh-client-public-string");
|
||||
String rdeSshClientPublicKey = keyring.getRdeSshClientPublicKey();
|
||||
assertThat(rdeSshClientPublicKey).isEqualTo("rde-ssh-client-public-stringmoo");
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getRdeSshClientPrivateKey() {
|
||||
saveCleartextSecret("rde-ssh-client-private-string");
|
||||
String rdeSshClientPrivateKey = keyring.getRdeSshClientPrivateKey();
|
||||
assertThat(rdeSshClientPrivateKey).isEqualTo("rde-ssh-client-private-stringmoo");
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getIcannReportingPassword() {
|
||||
saveCleartextSecret("icann-reporting-password-string");
|
||||
String icannReportingPassword = keyring.getIcannReportingPassword();
|
||||
assertThat(icannReportingPassword).isEqualTo("icann-reporting-password-stringmoo");
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getMarksdbDnlLoginAndPassword() {
|
||||
saveCleartextSecret("marksdb-dnl-login-string");
|
||||
String marksdbDnlLoginAndPassword = keyring.getMarksdbDnlLoginAndPassword();
|
||||
assertThat(marksdbDnlLoginAndPassword).isEqualTo("marksdb-dnl-login-stringmoo");
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getMarksdbLordnPassword() {
|
||||
saveCleartextSecret("marksdb-lordn-password-string");
|
||||
String marksdbLordnPassword = keyring.getMarksdbLordnPassword();
|
||||
assertThat(marksdbLordnPassword).isEqualTo("marksdb-lordn-password-stringmoo");
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getMarksdbSmdrlLoginAndPassword() {
|
||||
saveCleartextSecret("marksdb-smdrl-login-string");
|
||||
String marksdbSmdrlLoginAndPassword = keyring.getMarksdbSmdrlLoginAndPassword();
|
||||
assertThat(marksdbSmdrlLoginAndPassword).isEqualTo("marksdb-smdrl-login-stringmoo");
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_getJsonCredential() {
|
||||
saveCleartextSecret("json-credential-string");
|
||||
String jsonCredential = keyring.getJsonCredential();
|
||||
|
|
@ -173,7 +174,7 @@ class KmsKeyringTest {
|
|||
.setParent(secretName)
|
||||
.build();
|
||||
KmsSecret secret = KmsSecret.create(secretName, secretRevision);
|
||||
persistResources(ImmutableList.of(secretRevision, secret));
|
||||
tm().transact(() -> tm().putAll(secretRevision, secret));
|
||||
}
|
||||
|
||||
private static void saveCleartextSecret(String secretName) {
|
||||
|
|
|
|||
|
|
@ -17,21 +17,25 @@ package google.registry.keyring.kms;
|
|||
import static com.google.common.truth.Truth.assertThat;
|
||||
import static google.registry.model.common.EntityGroupRoot.getCrossTldKey;
|
||||
import static google.registry.model.ofy.ObjectifyService.ofy;
|
||||
import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
|
||||
|
||||
import com.googlecode.objectify.Key;
|
||||
import google.registry.keyring.api.KeySerializer;
|
||||
import google.registry.model.server.KmsSecret;
|
||||
import google.registry.model.server.KmsSecretRevision;
|
||||
import google.registry.model.server.KmsSecretRevisionSqlDao;
|
||||
import google.registry.testing.AppEngineExtension;
|
||||
import google.registry.testing.BouncyCastleProviderExtension;
|
||||
import google.registry.testing.DualDatabaseTest;
|
||||
import google.registry.testing.TestOfyAndSql;
|
||||
import java.io.IOException;
|
||||
import org.bouncycastle.openpgp.PGPKeyPair;
|
||||
import org.bouncycastle.openpgp.PGPPublicKey;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.RegisterExtension;
|
||||
|
||||
/** Unit tests for {@link KmsUpdater} */
|
||||
@DualDatabaseTest
|
||||
public class KmsUpdaterTest {
|
||||
|
||||
@RegisterExtension
|
||||
|
|
@ -48,7 +52,7 @@ public class KmsUpdaterTest {
|
|||
updater = new KmsUpdater(new FakeKmsConnection());
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setMultipleSecrets() {
|
||||
updater
|
||||
.setMarksdbDnlLoginAndPassword("value1")
|
||||
|
|
@ -68,7 +72,7 @@ public class KmsUpdaterTest {
|
|||
"json-credential-string", "json-credential-string/foo", getCiphertext("value3"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setBrdaReceiverKey() throws Exception {
|
||||
updater.setBrdaReceiverPublicKey(KmsTestHelper.getPublicKey()).update();
|
||||
|
||||
|
|
@ -78,7 +82,7 @@ public class KmsUpdaterTest {
|
|||
getCiphertext(KmsTestHelper.getPublicKey()));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setBrdaSigningKey() throws Exception {
|
||||
updater.setBrdaSigningKey(KmsTestHelper.getKeyPair()).update();
|
||||
|
||||
|
|
@ -92,7 +96,7 @@ public class KmsUpdaterTest {
|
|||
getCiphertext(KmsTestHelper.getPublicKey()));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setCloudSqlPassword() {
|
||||
updater.setCloudSqlPassword("value1").update();
|
||||
|
||||
|
|
@ -100,7 +104,7 @@ public class KmsUpdaterTest {
|
|||
"cloud-sql-password-string", "cloud-sql-password-string/foo", getCiphertext("value1"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setToolsCloudSqlPassword() {
|
||||
updater.setToolsCloudSqlPassword("value1").update();
|
||||
|
||||
|
|
@ -110,7 +114,7 @@ public class KmsUpdaterTest {
|
|||
getCiphertext("value1"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setIcannReportingPassword() {
|
||||
updater.setIcannReportingPassword("value1").update();
|
||||
|
||||
|
|
@ -120,7 +124,7 @@ public class KmsUpdaterTest {
|
|||
getCiphertext("value1"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setJsonCredential() {
|
||||
updater.setJsonCredential("value1").update();
|
||||
|
||||
|
|
@ -128,7 +132,7 @@ public class KmsUpdaterTest {
|
|||
"json-credential-string", "json-credential-string/foo", getCiphertext("value1"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setMarksdbDnlLoginAndPassword() {
|
||||
updater.setMarksdbDnlLoginAndPassword("value1").update();
|
||||
|
||||
|
|
@ -136,7 +140,7 @@ public class KmsUpdaterTest {
|
|||
"marksdb-dnl-login-string", "marksdb-dnl-login-string/foo", getCiphertext("value1"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setMarksdbLordnPassword() {
|
||||
updater.setMarksdbLordnPassword("value1").update();
|
||||
|
||||
|
|
@ -146,7 +150,7 @@ public class KmsUpdaterTest {
|
|||
getCiphertext("value1"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setMarksdbSmdrlLoginAndPassword() {
|
||||
updater.setMarksdbSmdrlLoginAndPassword("value1").update();
|
||||
|
||||
|
|
@ -154,7 +158,7 @@ public class KmsUpdaterTest {
|
|||
"marksdb-smdrl-login-string", "marksdb-smdrl-login-string/foo", getCiphertext("value1"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setRdeReceiverKey() throws Exception {
|
||||
updater.setRdeReceiverPublicKey(KmsTestHelper.getPublicKey()).update();
|
||||
|
||||
|
|
@ -165,7 +169,7 @@ public class KmsUpdaterTest {
|
|||
KeySerializer.serializePublicKey(KmsTestHelper.getPublicKey())));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setRdeSigningKey() throws Exception {
|
||||
updater.setRdeSigningKey(KmsTestHelper.getKeyPair()).update();
|
||||
|
||||
|
|
@ -179,7 +183,7 @@ public class KmsUpdaterTest {
|
|||
getCiphertext(KmsTestHelper.getPublicKey()));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setRdeSshClientPrivateKey() {
|
||||
updater.setRdeSshClientPrivateKey("value1").update();
|
||||
|
||||
|
|
@ -189,7 +193,7 @@ public class KmsUpdaterTest {
|
|||
getCiphertext("value1"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setRdeSshClientPublicKey() {
|
||||
updater.setRdeSshClientPublicKey("value1").update();
|
||||
|
||||
|
|
@ -199,7 +203,7 @@ public class KmsUpdaterTest {
|
|||
getCiphertext("value1"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@TestOfyAndSql
|
||||
void test_setRdeStagingKey() throws Exception {
|
||||
updater.setRdeStagingKey(KmsTestHelper.getKeyPair()).update();
|
||||
|
||||
|
|
@ -213,13 +217,18 @@ public class KmsUpdaterTest {
|
|||
getCiphertext(KmsTestHelper.getPublicKey()));
|
||||
}
|
||||
|
||||
|
||||
private static void verifySecretAndSecretRevisionWritten(
|
||||
String secretName, String expectedCryptoKeyVersionName, String expectedEncryptedValue) {
|
||||
KmsSecret secret =
|
||||
ofy().load().key(Key.create(getCrossTldKey(), KmsSecret.class, secretName)).now();
|
||||
assertThat(secret).isNotNull();
|
||||
KmsSecretRevision secretRevision = ofy().load().key(secret.getLatestRevision()).now();
|
||||
KmsSecretRevision secretRevision;
|
||||
if (tm().isOfy()) {
|
||||
KmsSecret secret =
|
||||
ofy().load().key(Key.create(getCrossTldKey(), KmsSecret.class, secretName)).now();
|
||||
assertThat(secret).isNotNull();
|
||||
secretRevision = ofy().load().key(secret.getLatestRevision()).now();
|
||||
} else {
|
||||
secretRevision =
|
||||
tm().transact(() -> KmsSecretRevisionSqlDao.getLatestRevision(secretName).get());
|
||||
}
|
||||
assertThat(secretRevision.getKmsCryptoKeyVersionName()).isEqualTo(expectedCryptoKeyVersionName);
|
||||
assertThat(secretRevision.getEncryptedValue()).isEqualTo(expectedEncryptedValue);
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue