Convert Kms* classes to use SQL when appropriate (#1043)

* Convert Kms* classes to use SQL when appropriate
gbrodman 2021-03-29 18:03:42 -04:00 committed by GitHub
parent e30d3efa7c
commit 5c6b2595db
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 72 additions and 50 deletions


@ -19,6 +19,7 @@ import static com.google.common.base.CaseFormat.UPPER_UNDERSCORE;
import static com.google.common.base.Preconditions.checkState; import static com.google.common.base.Preconditions.checkState;
import static google.registry.model.common.EntityGroupRoot.getCrossTldKey; import static google.registry.model.common.EntityGroupRoot.getCrossTldKey;
import static google.registry.model.ofy.ObjectifyService.ofy; import static google.registry.model.ofy.ObjectifyService.ofy;
import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
import com.googlecode.objectify.Key; import com.googlecode.objectify.Key;
import google.registry.config.RegistryConfig.Config; import google.registry.config.RegistryConfig.Config;
@ -26,7 +27,10 @@ import google.registry.keyring.api.KeySerializer;
import google.registry.keyring.api.Keyring; import google.registry.keyring.api.Keyring;
import google.registry.keyring.api.KeyringException; import google.registry.keyring.api.KeyringException;
import google.registry.model.server.KmsSecret; import google.registry.model.server.KmsSecret;
import google.registry.model.server.KmsSecretRevision;
import google.registry.model.server.KmsSecretRevisionSqlDao;
import java.io.IOException; import java.io.IOException;
import java.util.Optional;
import javax.inject.Inject; import javax.inject.Inject;
import org.bouncycastle.openpgp.PGPException; import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPKeyPair;
@ -201,13 +205,21 @@ public class KmsKeyring implements Keyring {
} }
private byte[] getDecryptedData(String keyName) { private byte[] getDecryptedData(String keyName) {
KmsSecret secret = String encryptedData;
ofy().load().key(Key.create(getCrossTldKey(), KmsSecret.class, keyName)).now(); if (tm().isOfy()) {
checkState(secret != null, "Requested secret '%s' does not exist.", keyName); KmsSecret secret =
String encryptedData = ofy().load().key(secret.getLatestRevision()).now().getEncryptedValue(); ofy().load().key(Key.create(getCrossTldKey(), KmsSecret.class, keyName)).now();
checkState(secret != null, "Requested secret '%s' does not exist.", keyName);
encryptedData = ofy().load().key(secret.getLatestRevision()).now().getEncryptedValue();
} else {
Optional<KmsSecretRevision> revision =
tm().transact(() -> KmsSecretRevisionSqlDao.getLatestRevision(keyName));
checkState(revision.isPresent(), "Requested secret '%s' does not exist.", keyName);
encryptedData = revision.get().getEncryptedValue();
}
try { try {
return kmsConnection.decrypt(secret.getName(), encryptedData); return kmsConnection.decrypt(keyName, encryptedData);
} catch (Exception e) { } catch (Exception e) {
throw new KeyringException( throw new KeyringException(
String.format("CloudKMS decrypt operation failed for secret %s", keyName), e); String.format("CloudKMS decrypt operation failed for secret %s", keyName), e);
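Review bot: The Ofy branch of getDecryptedData still dereferences `ofy().load().key(secret.getLatestRevision()).now()` without a null check, so a KmsSecret whose latestRevision key points at a missing KmsSecretRevision fails with a NullPointerException outside the try/catch, while the new SQL branch reports the same condition through `checkState`. Making both paths fail the same way keeps the keyring's error surface consistent: `KmsSecretRevision revision = ofy().load().key(secret.getLatestRevision()).now();` then `checkState(revision != null, "Latest revision of secret '%s' does not exist.", keyName);` then `encryptedData = revision.getEncryptedValue();`. The decrypt call now passes `keyName` instead of `secret.getName()`; that is equivalent only if a KmsSecret's name always equals its key name, which the load by `Key.create(getCrossTldKey(), KmsSecret.class, keyName)` suggests but this hunk does not prove. The catch block of getDecryptedData continues past the end of the hunk.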


@ -34,7 +34,6 @@ import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIE
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PUBLIC_STRING; import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.RDE_SSH_CLIENT_PUBLIC_STRING;
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.SAFE_BROWSING_API_KEY; import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.SAFE_BROWSING_API_KEY;
import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.TOOLS_CLOUD_SQL_PASSWORD_STRING; import static google.registry.keyring.kms.KmsKeyring.StringKeyLabel.TOOLS_CLOUD_SQL_PASSWORD_STRING;
import static google.registry.model.ofy.ObjectifyService.ofy;
import static google.registry.persistence.transaction.TransactionManagerFactory.tm; import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
import static google.registry.util.PreconditionsUtils.checkArgumentNotNull; import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
@ -194,8 +193,7 @@ public final class KmsUpdater {
*/ */
private static void persistEncryptedValues( private static void persistEncryptedValues(
final ImmutableMap<String, EncryptResponse> encryptedValues) { final ImmutableMap<String, EncryptResponse> encryptedValues) {
tm() tm().transact(
.transact(
() -> { () -> {
for (Map.Entry<String, EncryptResponse> entry : encryptedValues.entrySet()) { for (Map.Entry<String, EncryptResponse> entry : encryptedValues.entrySet()) {
String secretName = entry.getKey(); String secretName = entry.getKey();
@ -207,7 +205,7 @@ public final class KmsUpdater {
.setKmsCryptoKeyVersionName(revisionData.cryptoKeyVersionName()) .setKmsCryptoKeyVersionName(revisionData.cryptoKeyVersionName())
.setParent(secretName) .setParent(secretName)
.build(); .build();
ofy().save().entities(secretRevision, KmsSecret.create(secretName, secretRevision)); tm().putAll(secretRevision, KmsSecret.create(secretName, secretRevision));
} }
}); });
} }
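Review bot: `tm().putAll(secretRevision, KmsSecret.create(secretName, secretRevision))` presumably does different things per backend and the method does not say so: this same commit adds KmsSecret to a class list in JpaTransactionManagerImpl, which suggests that in SQL only the revision row is written and "latest" is resolved by KmsSecretRevisionSqlDao's query rather than by the KmsSecret pointer. A comment above the put would spare the next reader a trip through the transaction manager, e.g. `// In SQL only the revision is persisted (KmsSecret is skipped by JpaTransactionManagerImpl); the latest revision is then resolved by query in KmsSecretRevisionSqlDao.` If the DAO's notion of "latest" rests on a timestamp or id, two concurrent updates of the same secret have no single pointer to overwrite in SQL as they do in Datastore, so it is worth confirming the DAO orders deterministically. The persistEncryptedValues Javadoc starts above this hunk.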


@ -36,6 +36,7 @@ import google.registry.model.index.ForeignKeyIndex.ForeignKeyContactIndex;
import google.registry.model.index.ForeignKeyIndex.ForeignKeyDomainIndex; import google.registry.model.index.ForeignKeyIndex.ForeignKeyDomainIndex;
import google.registry.model.index.ForeignKeyIndex.ForeignKeyHostIndex; import google.registry.model.index.ForeignKeyIndex.ForeignKeyHostIndex;
import google.registry.model.ofy.DatastoreTransactionManager; import google.registry.model.ofy.DatastoreTransactionManager;
import google.registry.model.server.KmsSecret;
import google.registry.persistence.JpaRetries; import google.registry.persistence.JpaRetries;
import google.registry.persistence.VKey; import google.registry.persistence.VKey;
import google.registry.util.Clock; import google.registry.util.Clock;
@ -73,7 +74,8 @@ public class JpaTransactionManagerImpl implements JpaTransactionManager {
EppResourceIndex.class, EppResourceIndex.class,
ForeignKeyContactIndex.class, ForeignKeyContactIndex.class,
ForeignKeyDomainIndex.class, ForeignKeyDomainIndex.class,
ForeignKeyHostIndex.class); ForeignKeyHostIndex.class,
KmsSecret.class);
// EntityManagerFactory is thread safe. // EntityManagerFactory is thread safe.
private final EntityManagerFactory emf; private final EntityManagerFactory emf;
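Review bot: `KmsSecret.class` is appended to a list whose purpose is not visible in this hunk and, unlike the KmsUpdater change that depends on it, carries no explanation. If this list is the set of entities the JPA manager skips on put, as the KmsUpdater hunk in this commit suggests, a one-line comment would make the coupling explicit: `// Datastore-only pointer to the latest revision; in SQL the latest KmsSecretRevision is found by query (KmsSecretRevisionSqlDao).` The enclosing field declaration starts above this hunk.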


@ -15,22 +15,23 @@
package google.registry.keyring.kms; package google.registry.keyring.kms;
import static com.google.common.truth.Truth.assertThat; import static com.google.common.truth.Truth.assertThat;
import static google.registry.testing.DatabaseHelper.persistResources; import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
import com.google.common.collect.ImmutableList;
import google.registry.keyring.api.KeySerializer; import google.registry.keyring.api.KeySerializer;
import google.registry.model.server.KmsSecret; import google.registry.model.server.KmsSecret;
import google.registry.model.server.KmsSecretRevision; import google.registry.model.server.KmsSecretRevision;
import google.registry.testing.AppEngineExtension; import google.registry.testing.AppEngineExtension;
import google.registry.testing.BouncyCastleProviderExtension; import google.registry.testing.BouncyCastleProviderExtension;
import google.registry.testing.DualDatabaseTest;
import google.registry.testing.TestOfyAndSql;
import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPPrivateKey; import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKey;
import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension; import org.junit.jupiter.api.extension.RegisterExtension;
/** Unit tests for {@link KmsKeyring}. */ /** Unit tests for {@link KmsKeyring}. */
@DualDatabaseTest
class KmsKeyringTest { class KmsKeyringTest {
@RegisterExtension @RegisterExtension
@ -47,21 +48,21 @@ class KmsKeyringTest {
keyring = new KmsKeyring(new FakeKmsConnection()); keyring = new KmsKeyring(new FakeKmsConnection());
} }
@Test @TestOfyAndSql
void test_getCloudSqlPassword() { void test_getCloudSqlPassword() {
saveCleartextSecret("cloud-sql-password-string"); saveCleartextSecret("cloud-sql-password-string");
String cloudSqlPassword = keyring.getCloudSqlPassword(); String cloudSqlPassword = keyring.getCloudSqlPassword();
assertThat(cloudSqlPassword).isEqualTo("cloud-sql-password-stringmoo"); assertThat(cloudSqlPassword).isEqualTo("cloud-sql-password-stringmoo");
} }
@Test @TestOfyAndSql
void test_getToolsCloudSqlPassword() { void test_getToolsCloudSqlPassword() {
saveCleartextSecret("tools-cloud-sql-password-string"); saveCleartextSecret("tools-cloud-sql-password-string");
String toolsCloudSqlPassword = keyring.getToolsCloudSqlPassword(); String toolsCloudSqlPassword = keyring.getToolsCloudSqlPassword();
assertThat(toolsCloudSqlPassword).isEqualTo("tools-cloud-sql-password-stringmoo"); assertThat(toolsCloudSqlPassword).isEqualTo("tools-cloud-sql-password-stringmoo");
} }
@Test @TestOfyAndSql
void test_getRdeSigningKey() throws Exception { void test_getRdeSigningKey() throws Exception {
saveKeyPairSecret("rde-signing-public", "rde-signing-private"); saveKeyPairSecret("rde-signing-public", "rde-signing-private");
PGPKeyPair rdeSigningKey = keyring.getRdeSigningKey(); PGPKeyPair rdeSigningKey = keyring.getRdeSigningKey();
@ -69,7 +70,7 @@ class KmsKeyringTest {
.isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair())); .isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair()));
} }
@Test @TestOfyAndSql
void test_getRdeStagingEncryptionKey() throws Exception { void test_getRdeStagingEncryptionKey() throws Exception {
savePublicKeySecret("rde-staging-public"); savePublicKeySecret("rde-staging-public");
PGPPublicKey rdeStagingEncryptionKey = keyring.getRdeStagingEncryptionKey(); PGPPublicKey rdeStagingEncryptionKey = keyring.getRdeStagingEncryptionKey();
@ -77,7 +78,7 @@ class KmsKeyringTest {
.isEqualTo(KmsTestHelper.getPublicKey().getFingerprint()); .isEqualTo(KmsTestHelper.getPublicKey().getFingerprint());
} }
@Test @TestOfyAndSql
void test_getRdeStagingDecryptionKey() throws Exception { void test_getRdeStagingDecryptionKey() throws Exception {
savePrivateKeySecret("rde-staging-private"); savePrivateKeySecret("rde-staging-private");
savePublicKeySecret("rde-staging-public"); savePublicKeySecret("rde-staging-public");
@ -90,7 +91,7 @@ class KmsKeyringTest {
.isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair())); .isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair()));
} }
@Test @TestOfyAndSql
void test_getRdeReceiverKey() throws Exception { void test_getRdeReceiverKey() throws Exception {
savePublicKeySecret("rde-receiver-public"); savePublicKeySecret("rde-receiver-public");
PGPPublicKey rdeReceiverKey = keyring.getRdeReceiverKey(); PGPPublicKey rdeReceiverKey = keyring.getRdeReceiverKey();
@ -98,7 +99,7 @@ class KmsKeyringTest {
.isEqualTo(KmsTestHelper.getPublicKey().getFingerprint()); .isEqualTo(KmsTestHelper.getPublicKey().getFingerprint());
} }
@Test @TestOfyAndSql
void test_getBrdaSigningKey() throws Exception { void test_getBrdaSigningKey() throws Exception {
saveKeyPairSecret("brda-signing-public", "brda-signing-private"); saveKeyPairSecret("brda-signing-public", "brda-signing-private");
PGPKeyPair brdaSigningKey = keyring.getBrdaSigningKey(); PGPKeyPair brdaSigningKey = keyring.getBrdaSigningKey();
@ -106,7 +107,7 @@ class KmsKeyringTest {
.isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair())); .isEqualTo(KeySerializer.serializeKeyPair(KmsTestHelper.getKeyPair()));
} }
@Test @TestOfyAndSql
void test_getBrdaReceiverKey() throws Exception { void test_getBrdaReceiverKey() throws Exception {
savePublicKeySecret("brda-receiver-public"); savePublicKeySecret("brda-receiver-public");
PGPPublicKey brdaReceiverKey = keyring.getBrdaReceiverKey(); PGPPublicKey brdaReceiverKey = keyring.getBrdaReceiverKey();
@ -114,49 +115,49 @@ class KmsKeyringTest {
.isEqualTo(KmsTestHelper.getPublicKey().getFingerprint()); .isEqualTo(KmsTestHelper.getPublicKey().getFingerprint());
} }
@Test @TestOfyAndSql
void test_getRdeSshClientPublicKey() { void test_getRdeSshClientPublicKey() {
saveCleartextSecret("rde-ssh-client-public-string"); saveCleartextSecret("rde-ssh-client-public-string");
String rdeSshClientPublicKey = keyring.getRdeSshClientPublicKey(); String rdeSshClientPublicKey = keyring.getRdeSshClientPublicKey();
assertThat(rdeSshClientPublicKey).isEqualTo("rde-ssh-client-public-stringmoo"); assertThat(rdeSshClientPublicKey).isEqualTo("rde-ssh-client-public-stringmoo");
} }
@Test @TestOfyAndSql
void test_getRdeSshClientPrivateKey() { void test_getRdeSshClientPrivateKey() {
saveCleartextSecret("rde-ssh-client-private-string"); saveCleartextSecret("rde-ssh-client-private-string");
String rdeSshClientPrivateKey = keyring.getRdeSshClientPrivateKey(); String rdeSshClientPrivateKey = keyring.getRdeSshClientPrivateKey();
assertThat(rdeSshClientPrivateKey).isEqualTo("rde-ssh-client-private-stringmoo"); assertThat(rdeSshClientPrivateKey).isEqualTo("rde-ssh-client-private-stringmoo");
} }
@Test @TestOfyAndSql
void test_getIcannReportingPassword() { void test_getIcannReportingPassword() {
saveCleartextSecret("icann-reporting-password-string"); saveCleartextSecret("icann-reporting-password-string");
String icannReportingPassword = keyring.getIcannReportingPassword(); String icannReportingPassword = keyring.getIcannReportingPassword();
assertThat(icannReportingPassword).isEqualTo("icann-reporting-password-stringmoo"); assertThat(icannReportingPassword).isEqualTo("icann-reporting-password-stringmoo");
} }
@Test @TestOfyAndSql
void test_getMarksdbDnlLoginAndPassword() { void test_getMarksdbDnlLoginAndPassword() {
saveCleartextSecret("marksdb-dnl-login-string"); saveCleartextSecret("marksdb-dnl-login-string");
String marksdbDnlLoginAndPassword = keyring.getMarksdbDnlLoginAndPassword(); String marksdbDnlLoginAndPassword = keyring.getMarksdbDnlLoginAndPassword();
assertThat(marksdbDnlLoginAndPassword).isEqualTo("marksdb-dnl-login-stringmoo"); assertThat(marksdbDnlLoginAndPassword).isEqualTo("marksdb-dnl-login-stringmoo");
} }
@Test @TestOfyAndSql
void test_getMarksdbLordnPassword() { void test_getMarksdbLordnPassword() {
saveCleartextSecret("marksdb-lordn-password-string"); saveCleartextSecret("marksdb-lordn-password-string");
String marksdbLordnPassword = keyring.getMarksdbLordnPassword(); String marksdbLordnPassword = keyring.getMarksdbLordnPassword();
assertThat(marksdbLordnPassword).isEqualTo("marksdb-lordn-password-stringmoo"); assertThat(marksdbLordnPassword).isEqualTo("marksdb-lordn-password-stringmoo");
} }
@Test @TestOfyAndSql
void test_getMarksdbSmdrlLoginAndPassword() { void test_getMarksdbSmdrlLoginAndPassword() {
saveCleartextSecret("marksdb-smdrl-login-string"); saveCleartextSecret("marksdb-smdrl-login-string");
String marksdbSmdrlLoginAndPassword = keyring.getMarksdbSmdrlLoginAndPassword(); String marksdbSmdrlLoginAndPassword = keyring.getMarksdbSmdrlLoginAndPassword();
assertThat(marksdbSmdrlLoginAndPassword).isEqualTo("marksdb-smdrl-login-stringmoo"); assertThat(marksdbSmdrlLoginAndPassword).isEqualTo("marksdb-smdrl-login-stringmoo");
} }
@Test @TestOfyAndSql
void test_getJsonCredential() { void test_getJsonCredential() {
saveCleartextSecret("json-credential-string"); saveCleartextSecret("json-credential-string");
String jsonCredential = keyring.getJsonCredential(); String jsonCredential = keyring.getJsonCredential();
@ -173,7 +174,7 @@ class KmsKeyringTest {
.setParent(secretName) .setParent(secretName)
.build(); .build();
KmsSecret secret = KmsSecret.create(secretName, secretRevision); KmsSecret secret = KmsSecret.create(secretName, secretRevision);
persistResources(ImmutableList.of(secretRevision, secret)); tm().transact(() -> tm().putAll(secretRevision, secret));
} }
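Review bot: Every converted test seeds exactly one revision per secret, so the new SQL read path in KmsKeyring (KmsSecretRevisionSqlDao.getLatestRevision) is never exercised with more than one revision, and the `checkState` failure for an unknown secret is not covered in either mode as far as these hunks show. A key-rotation test that persists two revisions under the same secret name and asserts the keyring returns the later value would catch a DAO that orders the wrong way, where the consequence would be the registry silently using a retired password or key. A second test with nothing persisted, `assertThrows(IllegalStateException.class, () -> keyring.getCloudSqlPassword());`, would pin the not-found path for both backends. The `saveCleartextSecret` helper whose signature ends this hunk continues outside it.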
private static void saveCleartextSecret(String secretName) { private static void saveCleartextSecret(String secretName) {


@ -17,21 +17,25 @@ package google.registry.keyring.kms;
import static com.google.common.truth.Truth.assertThat; import static com.google.common.truth.Truth.assertThat;
import static google.registry.model.common.EntityGroupRoot.getCrossTldKey; import static google.registry.model.common.EntityGroupRoot.getCrossTldKey;
import static google.registry.model.ofy.ObjectifyService.ofy; import static google.registry.model.ofy.ObjectifyService.ofy;
import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
import com.googlecode.objectify.Key; import com.googlecode.objectify.Key;
import google.registry.keyring.api.KeySerializer; import google.registry.keyring.api.KeySerializer;
import google.registry.model.server.KmsSecret; import google.registry.model.server.KmsSecret;
import google.registry.model.server.KmsSecretRevision; import google.registry.model.server.KmsSecretRevision;
import google.registry.model.server.KmsSecretRevisionSqlDao;
import google.registry.testing.AppEngineExtension; import google.registry.testing.AppEngineExtension;
import google.registry.testing.BouncyCastleProviderExtension; import google.registry.testing.BouncyCastleProviderExtension;
import google.registry.testing.DualDatabaseTest;
import google.registry.testing.TestOfyAndSql;
import java.io.IOException; import java.io.IOException;
import org.bouncycastle.openpgp.PGPKeyPair; import org.bouncycastle.openpgp.PGPKeyPair;
import org.bouncycastle.openpgp.PGPPublicKey; import org.bouncycastle.openpgp.PGPPublicKey;
import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension; import org.junit.jupiter.api.extension.RegisterExtension;
/** Unit tests for {@link KmsUpdater} */ /** Unit tests for {@link KmsUpdater} */
@DualDatabaseTest
public class KmsUpdaterTest { public class KmsUpdaterTest {
@RegisterExtension @RegisterExtension
@ -48,7 +52,7 @@ public class KmsUpdaterTest {
updater = new KmsUpdater(new FakeKmsConnection()); updater = new KmsUpdater(new FakeKmsConnection());
} }
@Test @TestOfyAndSql
void test_setMultipleSecrets() { void test_setMultipleSecrets() {
updater updater
.setMarksdbDnlLoginAndPassword("value1") .setMarksdbDnlLoginAndPassword("value1")
@ -68,7 +72,7 @@ public class KmsUpdaterTest {
"json-credential-string", "json-credential-string/foo", getCiphertext("value3")); "json-credential-string", "json-credential-string/foo", getCiphertext("value3"));
} }
@Test @TestOfyAndSql
void test_setBrdaReceiverKey() throws Exception { void test_setBrdaReceiverKey() throws Exception {
updater.setBrdaReceiverPublicKey(KmsTestHelper.getPublicKey()).update(); updater.setBrdaReceiverPublicKey(KmsTestHelper.getPublicKey()).update();
@ -78,7 +82,7 @@ public class KmsUpdaterTest {
getCiphertext(KmsTestHelper.getPublicKey())); getCiphertext(KmsTestHelper.getPublicKey()));
} }
@Test @TestOfyAndSql
void test_setBrdaSigningKey() throws Exception { void test_setBrdaSigningKey() throws Exception {
updater.setBrdaSigningKey(KmsTestHelper.getKeyPair()).update(); updater.setBrdaSigningKey(KmsTestHelper.getKeyPair()).update();
@ -92,7 +96,7 @@ public class KmsUpdaterTest {
getCiphertext(KmsTestHelper.getPublicKey())); getCiphertext(KmsTestHelper.getPublicKey()));
} }
@Test @TestOfyAndSql
void test_setCloudSqlPassword() { void test_setCloudSqlPassword() {
updater.setCloudSqlPassword("value1").update(); updater.setCloudSqlPassword("value1").update();
@ -100,7 +104,7 @@ public class KmsUpdaterTest {
"cloud-sql-password-string", "cloud-sql-password-string/foo", getCiphertext("value1")); "cloud-sql-password-string", "cloud-sql-password-string/foo", getCiphertext("value1"));
} }
@Test @TestOfyAndSql
void test_setToolsCloudSqlPassword() { void test_setToolsCloudSqlPassword() {
updater.setToolsCloudSqlPassword("value1").update(); updater.setToolsCloudSqlPassword("value1").update();
@ -110,7 +114,7 @@ public class KmsUpdaterTest {
getCiphertext("value1")); getCiphertext("value1"));
} }
@Test @TestOfyAndSql
void test_setIcannReportingPassword() { void test_setIcannReportingPassword() {
updater.setIcannReportingPassword("value1").update(); updater.setIcannReportingPassword("value1").update();
@ -120,7 +124,7 @@ public class KmsUpdaterTest {
getCiphertext("value1")); getCiphertext("value1"));
} }
@Test @TestOfyAndSql
void test_setJsonCredential() { void test_setJsonCredential() {
updater.setJsonCredential("value1").update(); updater.setJsonCredential("value1").update();
@ -128,7 +132,7 @@ public class KmsUpdaterTest {
"json-credential-string", "json-credential-string/foo", getCiphertext("value1")); "json-credential-string", "json-credential-string/foo", getCiphertext("value1"));
} }
@Test @TestOfyAndSql
void test_setMarksdbDnlLoginAndPassword() { void test_setMarksdbDnlLoginAndPassword() {
updater.setMarksdbDnlLoginAndPassword("value1").update(); updater.setMarksdbDnlLoginAndPassword("value1").update();
@ -136,7 +140,7 @@ public class KmsUpdaterTest {
"marksdb-dnl-login-string", "marksdb-dnl-login-string/foo", getCiphertext("value1")); "marksdb-dnl-login-string", "marksdb-dnl-login-string/foo", getCiphertext("value1"));
} }
@Test @TestOfyAndSql
void test_setMarksdbLordnPassword() { void test_setMarksdbLordnPassword() {
updater.setMarksdbLordnPassword("value1").update(); updater.setMarksdbLordnPassword("value1").update();
@ -146,7 +150,7 @@ public class KmsUpdaterTest {
getCiphertext("value1")); getCiphertext("value1"));
} }
@Test @TestOfyAndSql
void test_setMarksdbSmdrlLoginAndPassword() { void test_setMarksdbSmdrlLoginAndPassword() {
updater.setMarksdbSmdrlLoginAndPassword("value1").update(); updater.setMarksdbSmdrlLoginAndPassword("value1").update();
@ -154,7 +158,7 @@ public class KmsUpdaterTest {
"marksdb-smdrl-login-string", "marksdb-smdrl-login-string/foo", getCiphertext("value1")); "marksdb-smdrl-login-string", "marksdb-smdrl-login-string/foo", getCiphertext("value1"));
} }
@Test @TestOfyAndSql
void test_setRdeReceiverKey() throws Exception { void test_setRdeReceiverKey() throws Exception {
updater.setRdeReceiverPublicKey(KmsTestHelper.getPublicKey()).update(); updater.setRdeReceiverPublicKey(KmsTestHelper.getPublicKey()).update();
@ -165,7 +169,7 @@ public class KmsUpdaterTest {
KeySerializer.serializePublicKey(KmsTestHelper.getPublicKey()))); KeySerializer.serializePublicKey(KmsTestHelper.getPublicKey())));
} }
@Test @TestOfyAndSql
void test_setRdeSigningKey() throws Exception { void test_setRdeSigningKey() throws Exception {
updater.setRdeSigningKey(KmsTestHelper.getKeyPair()).update(); updater.setRdeSigningKey(KmsTestHelper.getKeyPair()).update();
@ -179,7 +183,7 @@ public class KmsUpdaterTest {
getCiphertext(KmsTestHelper.getPublicKey())); getCiphertext(KmsTestHelper.getPublicKey()));
} }
@Test @TestOfyAndSql
void test_setRdeSshClientPrivateKey() { void test_setRdeSshClientPrivateKey() {
updater.setRdeSshClientPrivateKey("value1").update(); updater.setRdeSshClientPrivateKey("value1").update();
@ -189,7 +193,7 @@ public class KmsUpdaterTest {
getCiphertext("value1")); getCiphertext("value1"));
} }
@Test @TestOfyAndSql
void test_setRdeSshClientPublicKey() { void test_setRdeSshClientPublicKey() {
updater.setRdeSshClientPublicKey("value1").update(); updater.setRdeSshClientPublicKey("value1").update();
@ -199,7 +203,7 @@ public class KmsUpdaterTest {
getCiphertext("value1")); getCiphertext("value1"));
} }
@Test @TestOfyAndSql
void test_setRdeStagingKey() throws Exception { void test_setRdeStagingKey() throws Exception {
updater.setRdeStagingKey(KmsTestHelper.getKeyPair()).update(); updater.setRdeStagingKey(KmsTestHelper.getKeyPair()).update();
@ -213,13 +217,18 @@ public class KmsUpdaterTest {
getCiphertext(KmsTestHelper.getPublicKey())); getCiphertext(KmsTestHelper.getPublicKey()));
} }
private static void verifySecretAndSecretRevisionWritten( private static void verifySecretAndSecretRevisionWritten(
String secretName, String expectedCryptoKeyVersionName, String expectedEncryptedValue) { String secretName, String expectedCryptoKeyVersionName, String expectedEncryptedValue) {
KmsSecret secret = KmsSecretRevision secretRevision;
ofy().load().key(Key.create(getCrossTldKey(), KmsSecret.class, secretName)).now(); if (tm().isOfy()) {
assertThat(secret).isNotNull(); KmsSecret secret =
KmsSecretRevision secretRevision = ofy().load().key(secret.getLatestRevision()).now(); ofy().load().key(Key.create(getCrossTldKey(), KmsSecret.class, secretName)).now();
assertThat(secret).isNotNull();
secretRevision = ofy().load().key(secret.getLatestRevision()).now();
} else {
secretRevision =
tm().transact(() -> KmsSecretRevisionSqlDao.getLatestRevision(secretName).get());
}
assertThat(secretRevision.getKmsCryptoKeyVersionName()).isEqualTo(expectedCryptoKeyVersionName); assertThat(secretRevision.getKmsCryptoKeyVersionName()).isEqualTo(expectedCryptoKeyVersionName);
assertThat(secretRevision.getEncryptedValue()).isEqualTo(expectedEncryptedValue); assertThat(secretRevision.getEncryptedValue()).isEqualTo(expectedEncryptedValue);
} }
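Review bot: In the SQL branch of verifySecretAndSecretRevisionWritten, `KmsSecretRevisionSqlDao.getLatestRevision(secretName).get()` turns a missing revision into a NoSuchElementException thrown from inside `tm().transact`, whereas the Ofy branch first asserts `secret` is non-null and fails with a readable assertion. Mirroring that: `Optional<KmsSecretRevision> revision = tm().transact(() -> KmsSecretRevisionSqlDao.getLatestRevision(secretName));` then `assertThat(revision).isPresent();` then `secretRevision = revision.get();` (needs a `java.util.Optional` import). As in KmsKeyringTest, each test writes one revision per secret, so nothing here checks that a second update makes the new revision the one the DAO returns.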