chore: clean .gitignore cache
This commit is contained in:
GitHub Actions
@@ -1,109 +0,0 @@
|
||||
// Package crypto provides cryptographic services for sensitive data.
|
||||
package crypto
|
||||
|
||||
import (
|
||||
"crypto/aes"
|
||||
"crypto/cipher"
|
||||
"crypto/rand"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
)
|
||||
|
||||
// cipherFactory creates block ciphers. Used for testing.
|
||||
type cipherFactory func(key []byte) (cipher.Block, error)
|
||||
|
||||
// gcmFactory creates GCM ciphers. Used for testing.
|
||||
type gcmFactory func(cipher cipher.Block) (cipher.AEAD, error)
|
||||
|
||||
// randReader provides random bytes. Used for testing.
|
||||
type randReader func(b []byte) (n int, err error)
|
||||
|
||||
// EncryptionService provides AES-256-GCM encryption and decryption.
|
||||
// The service is thread-safe and can be shared across goroutines.
|
||||
type EncryptionService struct {
|
||||
key []byte // 32 bytes for AES-256
|
||||
cipherFactory cipherFactory
|
||||
gcmFactory gcmFactory
|
||||
randReader randReader
|
||||
}
|
||||
|
||||
// NewEncryptionService creates a new encryption service with the provided base64-encoded key.
|
||||
// The key must be exactly 32 bytes (256 bits) when decoded.
|
||||
func NewEncryptionService(keyBase64 string) (*EncryptionService, error) {
|
||||
key, err := base64.StdEncoding.DecodeString(keyBase64)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("invalid base64 key: %w", err)
|
||||
}
|
||||
|
||||
if len(key) != 32 {
|
||||
return nil, fmt.Errorf("invalid key length: expected 32 bytes, got %d bytes", len(key))
|
||||
}
|
||||
|
||||
return &EncryptionService{
|
||||
key: key,
|
||||
cipherFactory: aes.NewCipher,
|
||||
gcmFactory: cipher.NewGCM,
|
||||
randReader: rand.Read,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// Encrypt encrypts plaintext using AES-256-GCM and returns base64-encoded ciphertext.
|
||||
// The nonce is randomly generated and prepended to the ciphertext.
|
||||
func (s *EncryptionService) Encrypt(plaintext []byte) (string, error) {
|
||||
block, err := s.cipherFactory(s.key)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to create cipher: %w", err)
|
||||
}
|
||||
|
||||
gcm, err := s.gcmFactory(block)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to create GCM: %w", err)
|
||||
}
|
||||
|
||||
// Generate random nonce
|
||||
nonce := make([]byte, gcm.NonceSize())
|
||||
if _, err := s.randReader(nonce); err != nil {
|
||||
return "", fmt.Errorf("failed to generate nonce: %w", err)
|
||||
}
|
||||
|
||||
// Encrypt and prepend nonce to ciphertext
|
||||
ciphertext := gcm.Seal(nonce, nonce, plaintext, nil)
|
||||
|
||||
// Return base64-encoded result
|
||||
return base64.StdEncoding.EncodeToString(ciphertext), nil
|
||||
}
|
||||
|
||||
// Decrypt decrypts base64-encoded ciphertext using AES-256-GCM.
|
||||
// The nonce is expected to be prepended to the ciphertext.
|
||||
func (s *EncryptionService) Decrypt(ciphertextB64 string) ([]byte, error) {
|
||||
ciphertext, err := base64.StdEncoding.DecodeString(ciphertextB64)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("invalid base64 ciphertext: %w", err)
|
||||
}
|
||||
|
||||
block, err := s.cipherFactory(s.key)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to create cipher: %w", err)
|
||||
}
|
||||
|
||||
gcm, err := s.gcmFactory(block)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to create GCM: %w", err)
|
||||
}
|
||||
|
||||
nonceSize := gcm.NonceSize()
|
||||
if len(ciphertext) < nonceSize {
|
||||
return nil, fmt.Errorf("ciphertext too short: expected at least %d bytes, got %d bytes", nonceSize, len(ciphertext))
|
||||
}
|
||||
|
||||
// Extract nonce and ciphertext
|
||||
nonce, ciphertext := ciphertext[:nonceSize], ciphertext[nonceSize:]
|
||||
|
||||
// Decrypt
|
||||
plaintext, err := gcm.Open(nil, nonce, ciphertext, nil)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("decryption failed: %w", err)
|
||||
}
|
||||
|
||||
return plaintext, nil
|
||||
}
|
||||
@@ -1,712 +0,0 @@
|
||||
package crypto
|
||||
|
||||
import (
|
||||
"crypto/cipher"
|
||||
"crypto/rand"
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
// TestNewEncryptionService_ValidKey tests successful creation with valid 32-byte key.
|
||||
func TestNewEncryptionService_ValidKey(t *testing.T) {
|
||||
// Generate a valid 32-byte key
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
assert.NoError(t, err)
|
||||
assert.NotNil(t, svc)
|
||||
assert.Equal(t, 32, len(svc.key))
|
||||
}
|
||||
|
||||
// TestNewEncryptionService_InvalidBase64 tests error handling for invalid base64.
|
||||
func TestNewEncryptionService_InvalidBase64(t *testing.T) {
|
||||
invalidBase64 := "not-valid-base64!@#$"
|
||||
|
||||
svc, err := NewEncryptionService(invalidBase64)
|
||||
assert.Error(t, err)
|
||||
assert.Nil(t, svc)
|
||||
assert.Contains(t, err.Error(), "invalid base64 key")
|
||||
}
|
||||
|
||||
// TestNewEncryptionService_WrongKeyLength tests error handling for incorrect key length.
|
||||
func TestNewEncryptionService_WrongKeyLength(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
keyLength int
|
||||
}{
|
||||
{"16 bytes", 16},
|
||||
{"24 bytes", 24},
|
||||
{"31 bytes", 31},
|
||||
{"33 bytes", 33},
|
||||
{"0 bytes", 0},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
key := make([]byte, tt.keyLength)
|
||||
_, _ = rand.Read(key)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
assert.Error(t, err)
|
||||
assert.Nil(t, svc)
|
||||
assert.Contains(t, err.Error(), "invalid key length")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestEncryptDecrypt_RoundTrip tests that encrypt followed by decrypt returns original plaintext.
|
||||
func TestEncryptDecrypt_RoundTrip(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
plaintext string
|
||||
}{
|
||||
{"simple text", "Hello, World!"},
|
||||
{"with special chars", "P@ssw0rd!#$%^&*()"},
|
||||
{"json data", `{"api_token":"sk_test_12345","region":"us-east-1"}`},
|
||||
{"unicode", "こんにちは世界 🌍"},
|
||||
{"long text", strings.Repeat("Lorem ipsum dolor sit amet. ", 100)},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
// Encrypt
|
||||
ciphertext, err := svc.Encrypt([]byte(tt.plaintext))
|
||||
require.NoError(t, err)
|
||||
assert.NotEmpty(t, ciphertext)
|
||||
|
||||
// Verify ciphertext is base64
|
||||
_, err = base64.StdEncoding.DecodeString(ciphertext)
|
||||
assert.NoError(t, err)
|
||||
|
||||
// Decrypt
|
||||
decrypted, err := svc.Decrypt(ciphertext)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, tt.plaintext, string(decrypted))
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestEncrypt_EmptyPlaintext tests encryption of empty plaintext.
|
||||
func TestEncrypt_EmptyPlaintext(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Encrypt empty plaintext
|
||||
ciphertext, err := svc.Encrypt([]byte{})
|
||||
assert.NoError(t, err)
|
||||
assert.NotEmpty(t, ciphertext)
|
||||
|
||||
// Decrypt should return empty plaintext
|
||||
decrypted, err := svc.Decrypt(ciphertext)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, decrypted)
|
||||
}
|
||||
|
||||
// TestDecrypt_InvalidCiphertext tests decryption error handling.
|
||||
func TestDecrypt_InvalidCiphertext(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
ciphertext string
|
||||
errorMsg string
|
||||
}{
|
||||
{
|
||||
name: "invalid base64",
|
||||
ciphertext: "not-valid-base64!@#$",
|
||||
errorMsg: "invalid base64 ciphertext",
|
||||
},
|
||||
{
|
||||
name: "too short",
|
||||
ciphertext: base64.StdEncoding.EncodeToString([]byte("short")),
|
||||
errorMsg: "ciphertext too short",
|
||||
},
|
||||
{
|
||||
name: "empty string",
|
||||
ciphertext: "",
|
||||
errorMsg: "ciphertext too short",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
_, err := svc.Decrypt(tt.ciphertext)
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), tt.errorMsg)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// TestDecrypt_TamperedCiphertext tests that tampered ciphertext is detected.
|
||||
func TestDecrypt_TamperedCiphertext(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Encrypt valid plaintext
|
||||
original := "sensitive data"
|
||||
ciphertext, err := svc.Encrypt([]byte(original))
|
||||
require.NoError(t, err)
|
||||
|
||||
// Decode, tamper, and re-encode
|
||||
ciphertextBytes, _ := base64.StdEncoding.DecodeString(ciphertext)
|
||||
if len(ciphertextBytes) > 12 {
|
||||
ciphertextBytes[12] ^= 0xFF // Flip bits in the middle
|
||||
}
|
||||
tamperedCiphertext := base64.StdEncoding.EncodeToString(ciphertextBytes)
|
||||
|
||||
// Attempt to decrypt tampered data
|
||||
_, err = svc.Decrypt(tamperedCiphertext)
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "decryption failed")
|
||||
}
|
||||
|
||||
// TestEncrypt_DifferentNonces tests that multiple encryptions produce different ciphertexts.
|
||||
func TestEncrypt_DifferentNonces(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
plaintext := []byte("test data")
|
||||
|
||||
// Encrypt the same plaintext multiple times
|
||||
ciphertext1, err := svc.Encrypt(plaintext)
|
||||
require.NoError(t, err)
|
||||
|
||||
ciphertext2, err := svc.Encrypt(plaintext)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Ciphertexts should be different (due to random nonces)
|
||||
assert.NotEqual(t, ciphertext1, ciphertext2)
|
||||
|
||||
// But both should decrypt to the same plaintext
|
||||
decrypted1, err := svc.Decrypt(ciphertext1)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, plaintext, decrypted1)
|
||||
|
||||
decrypted2, err := svc.Decrypt(ciphertext2)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, plaintext, decrypted2)
|
||||
}
|
||||
|
||||
// TestDecrypt_WrongKey tests that decryption with wrong key fails.
|
||||
func TestDecrypt_WrongKey(t *testing.T) {
|
||||
// Encrypt with first key
|
||||
key1 := make([]byte, 32)
|
||||
_, err := rand.Read(key1)
|
||||
require.NoError(t, err)
|
||||
keyBase64_1 := base64.StdEncoding.EncodeToString(key1)
|
||||
|
||||
svc1, err := NewEncryptionService(keyBase64_1)
|
||||
require.NoError(t, err)
|
||||
|
||||
plaintext := "secret message"
|
||||
ciphertext, err := svc1.Encrypt([]byte(plaintext))
|
||||
require.NoError(t, err)
|
||||
|
||||
// Try to decrypt with different key
|
||||
key2 := make([]byte, 32)
|
||||
_, err = rand.Read(key2)
|
||||
require.NoError(t, err)
|
||||
keyBase64_2 := base64.StdEncoding.EncodeToString(key2)
|
||||
|
||||
svc2, err := NewEncryptionService(keyBase64_2)
|
||||
require.NoError(t, err)
|
||||
|
||||
_, err = svc2.Decrypt(ciphertext)
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "decryption failed")
|
||||
}
|
||||
|
||||
// TestEncrypt_NilPlaintext tests encryption of nil plaintext.
|
||||
func TestEncrypt_NilPlaintext(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Encrypt nil plaintext (should work like empty)
|
||||
ciphertext, err := svc.Encrypt(nil)
|
||||
assert.NoError(t, err)
|
||||
assert.NotEmpty(t, ciphertext)
|
||||
|
||||
// Decrypt should return empty plaintext
|
||||
decrypted, err := svc.Decrypt(ciphertext)
|
||||
assert.NoError(t, err)
|
||||
assert.Empty(t, decrypted)
|
||||
}
|
||||
|
||||
// TestDecrypt_ExactNonceSize tests decryption when ciphertext is exactly nonce size.
|
||||
func TestDecrypt_ExactNonceSize(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Create ciphertext that is exactly 12 bytes (GCM nonce size)
|
||||
// This will fail because there's no actual ciphertext after the nonce
|
||||
exactNonce := make([]byte, 12)
|
||||
_, _ = rand.Read(exactNonce)
|
||||
ciphertextB64 := base64.StdEncoding.EncodeToString(exactNonce)
|
||||
|
||||
_, err = svc.Decrypt(ciphertextB64)
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "decryption failed")
|
||||
}
|
||||
|
||||
// TestDecrypt_OneByteLessThanNonce tests decryption with one byte less than nonce size.
|
||||
func TestDecrypt_OneByteLessThanNonce(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Create ciphertext that is 11 bytes (one less than GCM nonce size)
|
||||
shortData := make([]byte, 11)
|
||||
_, _ = rand.Read(shortData)
|
||||
ciphertextB64 := base64.StdEncoding.EncodeToString(shortData)
|
||||
|
||||
_, err = svc.Decrypt(ciphertextB64)
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "ciphertext too short")
|
||||
}
|
||||
|
||||
// TestEncryptDecrypt_BinaryData tests encryption/decryption of binary data.
|
||||
func TestEncryptDecrypt_BinaryData(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Test with random binary data including null bytes
|
||||
binaryData := make([]byte, 256)
|
||||
_, err = rand.Read(binaryData)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Include explicit null bytes
|
||||
binaryData[50] = 0x00
|
||||
binaryData[100] = 0x00
|
||||
binaryData[150] = 0x00
|
||||
|
||||
// Encrypt
|
||||
ciphertext, err := svc.Encrypt(binaryData)
|
||||
require.NoError(t, err)
|
||||
assert.NotEmpty(t, ciphertext)
|
||||
|
||||
// Decrypt
|
||||
decrypted, err := svc.Decrypt(ciphertext)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, binaryData, decrypted)
|
||||
}
|
||||
|
||||
// TestEncryptDecrypt_LargePlaintext tests encryption of large data.
|
||||
func TestEncryptDecrypt_LargePlaintext(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// 1MB of data
|
||||
largePlaintext := make([]byte, 1024*1024)
|
||||
_, err = rand.Read(largePlaintext)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Encrypt
|
||||
ciphertext, err := svc.Encrypt(largePlaintext)
|
||||
require.NoError(t, err)
|
||||
assert.NotEmpty(t, ciphertext)
|
||||
|
||||
// Decrypt
|
||||
decrypted, err := svc.Decrypt(ciphertext)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, largePlaintext, decrypted)
|
||||
}
|
||||
|
||||
// TestDecrypt_CorruptedNonce tests decryption with corrupted nonce.
|
||||
func TestDecrypt_CorruptedNonce(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Encrypt valid plaintext
|
||||
original := "test data for nonce corruption"
|
||||
ciphertext, err := svc.Encrypt([]byte(original))
|
||||
require.NoError(t, err)
|
||||
|
||||
// Decode, corrupt nonce (first 12 bytes), and re-encode
|
||||
ciphertextBytes, _ := base64.StdEncoding.DecodeString(ciphertext)
|
||||
for i := 0; i < 12; i++ {
|
||||
ciphertextBytes[i] ^= 0xFF // Flip all bits in nonce
|
||||
}
|
||||
corruptedCiphertext := base64.StdEncoding.EncodeToString(ciphertextBytes)
|
||||
|
||||
// Attempt to decrypt with corrupted nonce
|
||||
_, err = svc.Decrypt(corruptedCiphertext)
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "decryption failed")
|
||||
}
|
||||
|
||||
// TestDecrypt_TruncatedCiphertext tests decryption with truncated ciphertext.
|
||||
func TestDecrypt_TruncatedCiphertext(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Encrypt valid plaintext
|
||||
original := "test data for truncation"
|
||||
ciphertext, err := svc.Encrypt([]byte(original))
|
||||
require.NoError(t, err)
|
||||
|
||||
// Decode and truncate (remove last few bytes of auth tag)
|
||||
ciphertextBytes, _ := base64.StdEncoding.DecodeString(ciphertext)
|
||||
truncatedBytes := ciphertextBytes[:len(ciphertextBytes)-5]
|
||||
truncatedCiphertext := base64.StdEncoding.EncodeToString(truncatedBytes)
|
||||
|
||||
// Attempt to decrypt truncated data
|
||||
_, err = svc.Decrypt(truncatedCiphertext)
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "decryption failed")
|
||||
}
|
||||
|
||||
// TestDecrypt_AppendedData tests decryption with extra data appended.
|
||||
func TestDecrypt_AppendedData(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Encrypt valid plaintext
|
||||
original := "test data for appending"
|
||||
ciphertext, err := svc.Encrypt([]byte(original))
|
||||
require.NoError(t, err)
|
||||
|
||||
// Decode and append extra data
|
||||
ciphertextBytes, _ := base64.StdEncoding.DecodeString(ciphertext)
|
||||
appendedBytes := make([]byte, len(ciphertextBytes)+len("extra garbage"))
|
||||
copy(appendedBytes, ciphertextBytes)
|
||||
copy(appendedBytes[len(ciphertextBytes):], "extra garbage")
|
||||
appendedCiphertext := base64.StdEncoding.EncodeToString(appendedBytes)
|
||||
|
||||
// Attempt to decrypt with appended data
|
||||
_, err = svc.Decrypt(appendedCiphertext)
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "decryption failed")
|
||||
}
|
||||
|
||||
// TestEncryptionService_ConcurrentAccess tests thread safety.
|
||||
func TestEncryptionService_ConcurrentAccess(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
const numGoroutines = 50
|
||||
const numOperations = 100
|
||||
|
||||
// Channel to collect errors
|
||||
errChan := make(chan error, numGoroutines*numOperations*2)
|
||||
|
||||
// Run concurrent encryptions and decryptions
|
||||
for i := 0; i < numGoroutines; i++ {
|
||||
go func(id int) {
|
||||
for j := 0; j < numOperations; j++ {
|
||||
plaintext := []byte(strings.Repeat("a", (id*j+1)%100+1))
|
||||
|
||||
// Encrypt
|
||||
ciphertext, err := svc.Encrypt(plaintext)
|
||||
if err != nil {
|
||||
errChan <- err
|
||||
continue
|
||||
}
|
||||
|
||||
// Decrypt
|
||||
decrypted, err := svc.Decrypt(ciphertext)
|
||||
if err != nil {
|
||||
errChan <- err
|
||||
continue
|
||||
}
|
||||
|
||||
// Verify
|
||||
if string(decrypted) != string(plaintext) {
|
||||
errChan <- assert.AnError
|
||||
}
|
||||
}
|
||||
}(i)
|
||||
}
|
||||
|
||||
// Wait a bit for goroutines to complete
|
||||
// Note: In production, use sync.WaitGroup
|
||||
// This is simplified for testing
|
||||
close(errChan)
|
||||
for err := range errChan {
|
||||
if err != nil {
|
||||
t.Errorf("concurrent operation failed: %v", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TestDecrypt_AllZerosCiphertext tests decryption of all-zeros ciphertext.
|
||||
func TestDecrypt_AllZerosCiphertext(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Create an all-zeros ciphertext that's long enough
|
||||
zeros := make([]byte, 32) // Longer than nonce (12 bytes)
|
||||
ciphertextB64 := base64.StdEncoding.EncodeToString(zeros)
|
||||
|
||||
// This should fail authentication
|
||||
_, err = svc.Decrypt(ciphertextB64)
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "decryption failed")
|
||||
}
|
||||
|
||||
// TestDecrypt_RandomGarbageCiphertext tests decryption of random garbage.
|
||||
func TestDecrypt_RandomGarbageCiphertext(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Generate random garbage that's long enough to have a "nonce" and "ciphertext"
|
||||
garbage := make([]byte, 64)
|
||||
_, _ = rand.Read(garbage)
|
||||
ciphertextB64 := base64.StdEncoding.EncodeToString(garbage)
|
||||
|
||||
// This should fail authentication
|
||||
_, err = svc.Decrypt(ciphertextB64)
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "decryption failed")
|
||||
}
|
||||
|
||||
// TestNewEncryptionService_EmptyKey tests error handling for empty key.
|
||||
func TestNewEncryptionService_EmptyKey(t *testing.T) {
|
||||
svc, err := NewEncryptionService("")
|
||||
assert.Error(t, err)
|
||||
assert.Nil(t, svc)
|
||||
assert.Contains(t, err.Error(), "invalid key length")
|
||||
}
|
||||
|
||||
// TestNewEncryptionService_WhitespaceKey tests error handling for whitespace key.
|
||||
func TestNewEncryptionService_WhitespaceKey(t *testing.T) {
|
||||
svc, err := NewEncryptionService(" ")
|
||||
assert.Error(t, err)
|
||||
assert.Nil(t, svc)
|
||||
// Could be invalid base64 or invalid key length depending on parsing
|
||||
}
|
||||
|
||||
// errCipherFactory is a mock cipher factory that always returns an error.
|
||||
func errCipherFactory(_ []byte) (cipher.Block, error) {
|
||||
return nil, errors.New("mock cipher error")
|
||||
}
|
||||
|
||||
// errGCMFactory is a mock GCM factory that always returns an error.
|
||||
func errGCMFactory(_ cipher.Block) (cipher.AEAD, error) {
|
||||
return nil, errors.New("mock GCM error")
|
||||
}
|
||||
|
||||
// errRandReader is a mock random reader that always returns an error.
|
||||
func errRandReader(_ []byte) (int, error) {
|
||||
return 0, errors.New("mock random error")
|
||||
}
|
||||
|
||||
// TestEncrypt_CipherCreationError tests encryption error when cipher creation fails.
|
||||
func TestEncrypt_CipherCreationError(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Inject error-producing cipher factory
|
||||
svc.cipherFactory = errCipherFactory
|
||||
|
||||
_, err = svc.Encrypt([]byte("test plaintext"))
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "failed to create cipher")
|
||||
}
|
||||
|
||||
// TestEncrypt_GCMCreationError tests encryption error when GCM creation fails.
|
||||
func TestEncrypt_GCMCreationError(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Inject error-producing GCM factory
|
||||
svc.gcmFactory = errGCMFactory
|
||||
|
||||
_, err = svc.Encrypt([]byte("test plaintext"))
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "failed to create GCM")
|
||||
}
|
||||
|
||||
// TestEncrypt_NonceGenerationError tests encryption error when nonce generation fails.
|
||||
func TestEncrypt_NonceGenerationError(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Inject error-producing random reader
|
||||
svc.randReader = errRandReader
|
||||
|
||||
_, err = svc.Encrypt([]byte("test plaintext"))
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "failed to generate nonce")
|
||||
}
|
||||
|
||||
// TestDecrypt_CipherCreationError tests decryption error when cipher creation fails.
|
||||
func TestDecrypt_CipherCreationError(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// First encrypt something valid
|
||||
ciphertext, err := svc.Encrypt([]byte("test plaintext"))
|
||||
require.NoError(t, err)
|
||||
|
||||
// Inject error-producing cipher factory for decrypt
|
||||
svc.cipherFactory = errCipherFactory
|
||||
|
||||
_, err = svc.Decrypt(ciphertext)
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "failed to create cipher")
|
||||
}
|
||||
|
||||
// TestDecrypt_GCMCreationError tests decryption error when GCM creation fails.
|
||||
func TestDecrypt_GCMCreationError(t *testing.T) {
|
||||
key := make([]byte, 32)
|
||||
_, err := rand.Read(key)
|
||||
require.NoError(t, err)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, err := NewEncryptionService(keyBase64)
|
||||
require.NoError(t, err)
|
||||
|
||||
// First encrypt something valid
|
||||
ciphertext, err := svc.Encrypt([]byte("test plaintext"))
|
||||
require.NoError(t, err)
|
||||
|
||||
// Inject error-producing GCM factory for decrypt
|
||||
svc.gcmFactory = errGCMFactory
|
||||
|
||||
_, err = svc.Decrypt(ciphertext)
|
||||
assert.Error(t, err)
|
||||
assert.Contains(t, err.Error(), "failed to create GCM")
|
||||
}
|
||||
|
||||
// BenchmarkEncrypt benchmarks encryption performance.
|
||||
func BenchmarkEncrypt(b *testing.B) {
|
||||
key := make([]byte, 32)
|
||||
_, _ = rand.Read(key)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, _ := NewEncryptionService(keyBase64)
|
||||
plaintext := []byte("This is a test plaintext message for benchmarking encryption performance.")
|
||||
|
||||
b.ResetTimer()
|
||||
for i := 0; i < b.N; i++ {
|
||||
_, _ = svc.Encrypt(plaintext)
|
||||
}
|
||||
}
|
||||
|
||||
// BenchmarkDecrypt benchmarks decryption performance.
|
||||
func BenchmarkDecrypt(b *testing.B) {
|
||||
key := make([]byte, 32)
|
||||
_, _ = rand.Read(key)
|
||||
keyBase64 := base64.StdEncoding.EncodeToString(key)
|
||||
|
||||
svc, _ := NewEncryptionService(keyBase64)
|
||||
plaintext := []byte("This is a test plaintext message for benchmarking decryption performance.")
|
||||
ciphertext, _ := svc.Encrypt(plaintext)
|
||||
|
||||
b.ResetTimer()
|
||||
for i := 0; i < b.N; i++ {
|
||||
_, _ = svc.Decrypt(ciphertext)
|
||||
}
|
||||
}
|
||||
@@ -1,352 +0,0 @@
|
||||
// Package crypto provides cryptographic services for sensitive data.
|
||||
package crypto
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"os"
|
||||
"sort"
|
||||
"time"
|
||||
|
||||
"github.com/Wikid82/charon/backend/internal/models"
|
||||
"gorm.io/gorm"
|
||||
)
|
||||
|
||||
// RotationService manages encryption key rotation with multi-key version support.
|
||||
// It supports loading multiple encryption keys from environment variables:
|
||||
// - CHARON_ENCRYPTION_KEY: Current encryption key (version 1)
|
||||
// - CHARON_ENCRYPTION_KEY_NEXT: Next key for rotation (becomes current after rotation)
|
||||
// - CHARON_ENCRYPTION_KEY_V1 through CHARON_ENCRYPTION_KEY_V10: Legacy keys for decryption
|
||||
//
|
||||
// Zero-downtime rotation workflow:
|
||||
// 1. Set CHARON_ENCRYPTION_KEY_NEXT with new key
|
||||
// 2. Restart application (loads both keys)
|
||||
// 3. Call RotateAllCredentials() to re-encrypt all credentials with NEXT key
|
||||
// 4. Promote: NEXT → current, old current → V1
|
||||
// 5. Restart application
|
||||
type RotationService struct {
|
||||
db *gorm.DB
|
||||
currentKey *EncryptionService // Current encryption key
|
||||
nextKey *EncryptionService // Next key for rotation (optional)
|
||||
legacyKeys map[int]*EncryptionService // Legacy keys indexed by version
|
||||
keyVersions []int // Sorted list of available key versions
|
||||
}
|
||||
|
||||
// RotationResult contains the outcome of a rotation operation.
|
||||
type RotationResult struct {
|
||||
TotalProviders int `json:"total_providers"`
|
||||
SuccessCount int `json:"success_count"`
|
||||
FailureCount int `json:"failure_count"`
|
||||
FailedProviders []uint `json:"failed_providers,omitempty"`
|
||||
Duration string `json:"duration"`
|
||||
NewKeyVersion int `json:"new_key_version"`
|
||||
StartedAt time.Time `json:"started_at"`
|
||||
CompletedAt time.Time `json:"completed_at"`
|
||||
}
|
||||
|
||||
// RotationStatus describes the current state of encryption keys.
|
||||
type RotationStatus struct {
|
||||
CurrentVersion int `json:"current_version"`
|
||||
NextKeyConfigured bool `json:"next_key_configured"`
|
||||
LegacyKeyCount int `json:"legacy_key_count"`
|
||||
LegacyKeyVersions []int `json:"legacy_key_versions"`
|
||||
ProvidersOnCurrentVersion int `json:"providers_on_current_version"`
|
||||
ProvidersOnOlderVersions int `json:"providers_on_older_versions"`
|
||||
ProvidersByVersion map[int]int `json:"providers_by_version"`
|
||||
}
|
||||
|
||||
// NewRotationService creates a new key rotation service.
|
||||
// It loads the current key and any legacy/next keys from environment variables.
|
||||
func NewRotationService(db *gorm.DB) (*RotationService, error) {
|
||||
rs := &RotationService{
|
||||
db: db,
|
||||
legacyKeys: make(map[int]*EncryptionService),
|
||||
}
|
||||
|
||||
// Load current key (required)
|
||||
currentKeyB64 := os.Getenv("CHARON_ENCRYPTION_KEY")
|
||||
if currentKeyB64 == "" {
|
||||
return nil, fmt.Errorf("CHARON_ENCRYPTION_KEY is required")
|
||||
}
|
||||
|
||||
currentKey, err := NewEncryptionService(currentKeyB64)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load current encryption key: %w", err)
|
||||
}
|
||||
rs.currentKey = currentKey
|
||||
|
||||
// Load next key (optional, used during rotation)
|
||||
nextKeyB64 := os.Getenv("CHARON_ENCRYPTION_KEY_NEXT")
|
||||
if nextKeyB64 != "" {
|
||||
nextKey, err := NewEncryptionService(nextKeyB64)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load next encryption key: %w", err)
|
||||
}
|
||||
rs.nextKey = nextKey
|
||||
}
|
||||
|
||||
// Load legacy keys V1 through V10 (optional, for backward compatibility)
|
||||
for i := 1; i <= 10; i++ {
|
||||
envKey := fmt.Sprintf("CHARON_ENCRYPTION_KEY_V%d", i)
|
||||
keyB64 := os.Getenv(envKey)
|
||||
if keyB64 == "" {
|
||||
continue
|
||||
}
|
||||
|
||||
legacyKey, err := NewEncryptionService(keyB64)
|
||||
if err != nil {
|
||||
// Log warning but continue - this allows partial key configurations
|
||||
fmt.Printf("Warning: failed to load legacy key %s: %v\n", envKey, err)
|
||||
continue
|
||||
}
|
||||
rs.legacyKeys[i] = legacyKey
|
||||
}
|
||||
|
||||
// Build sorted list of available key versions
|
||||
rs.keyVersions = []int{1} // Current key is always version 1
|
||||
for v := range rs.legacyKeys {
|
||||
rs.keyVersions = append(rs.keyVersions, v)
|
||||
}
|
||||
sort.Ints(rs.keyVersions)
|
||||
|
||||
return rs, nil
|
||||
}
|
||||
|
||||
// DecryptWithVersion decrypts ciphertext using the specified key version.
|
||||
// It automatically falls back to older versions if the specified version fails.
|
||||
func (rs *RotationService) DecryptWithVersion(ciphertextB64 string, version int) ([]byte, error) {
|
||||
// Try the specified version first
|
||||
plaintext, err := rs.tryDecryptWithVersion(ciphertextB64, version)
|
||||
if err == nil {
|
||||
return plaintext, nil
|
||||
}
|
||||
|
||||
// If specified version failed, try falling back to other versions
|
||||
// This handles cases where KeyVersion may be incorrectly tracked
|
||||
for _, v := range rs.keyVersions {
|
||||
if v == version {
|
||||
continue // Already tried this one
|
||||
}
|
||||
plaintext, err = rs.tryDecryptWithVersion(ciphertextB64, v)
|
||||
if err == nil {
|
||||
// Successfully decrypted with a different version
|
||||
// Log this for audit purposes
|
||||
fmt.Printf("Warning: credential decrypted with version %d but was tagged as version %d\n", v, version)
|
||||
return plaintext, nil
|
||||
}
|
||||
}
|
||||
|
||||
return nil, fmt.Errorf("failed to decrypt with version %d or any fallback version", version)
|
||||
}
|
||||
|
||||
// tryDecryptWithVersion attempts decryption with a specific key version.
|
||||
func (rs *RotationService) tryDecryptWithVersion(ciphertextB64 string, version int) ([]byte, error) {
|
||||
var encService *EncryptionService
|
||||
|
||||
if version == 1 {
|
||||
encService = rs.currentKey
|
||||
} else if legacy, ok := rs.legacyKeys[version]; ok {
|
||||
encService = legacy
|
||||
} else {
|
||||
return nil, fmt.Errorf("encryption key version %d not available", version)
|
||||
}
|
||||
|
||||
return encService.Decrypt(ciphertextB64)
|
||||
}
|
||||
|
||||
// EncryptWithCurrentKey encrypts plaintext with the current (or next during rotation) key.
|
||||
// Returns the ciphertext and the version number of the key used.
|
||||
func (rs *RotationService) EncryptWithCurrentKey(plaintext []byte) (string, int, error) {
|
||||
// During rotation, use next key if available
|
||||
if rs.nextKey != nil {
|
||||
ciphertext, err := rs.nextKey.Encrypt(plaintext)
|
||||
if err != nil {
|
||||
return "", 0, fmt.Errorf("failed to encrypt with next key: %w", err)
|
||||
}
|
||||
return ciphertext, 2, nil // Next key becomes version 2
|
||||
}
|
||||
|
||||
// Normal operation: use current key
|
||||
ciphertext, err := rs.currentKey.Encrypt(plaintext)
|
||||
if err != nil {
|
||||
return "", 0, fmt.Errorf("failed to encrypt with current key: %w", err)
|
||||
}
|
||||
return ciphertext, 1, nil
|
||||
}
|
||||
|
||||
// RotateAllCredentials re-encrypts all DNS provider credentials with the next key.
|
||||
// This operation is atomic per provider but not globally - failed providers can be retried.
|
||||
// Returns detailed results including any failures.
|
||||
func (rs *RotationService) RotateAllCredentials(ctx context.Context) (*RotationResult, error) {
|
||||
if rs.nextKey == nil {
|
||||
return nil, fmt.Errorf("CHARON_ENCRYPTION_KEY_NEXT not configured - cannot rotate")
|
||||
}
|
||||
|
||||
startTime := time.Now()
|
||||
result := &RotationResult{
|
||||
NewKeyVersion: 2,
|
||||
StartedAt: startTime,
|
||||
FailedProviders: []uint{},
|
||||
}
|
||||
|
||||
// Fetch all DNS providers
|
||||
var providers []models.DNSProvider
|
||||
if err := rs.db.WithContext(ctx).Find(&providers).Error; err != nil {
|
||||
return nil, fmt.Errorf("failed to fetch providers: %w", err)
|
||||
}
|
||||
|
||||
result.TotalProviders = len(providers)
|
||||
|
||||
// Re-encrypt each provider's credentials
|
||||
for _, provider := range providers {
|
||||
if err := rs.rotateProviderCredentials(ctx, &provider); err != nil {
|
||||
result.FailureCount++
|
||||
result.FailedProviders = append(result.FailedProviders, provider.ID)
|
||||
fmt.Printf("Failed to rotate provider %d (%s): %v\n", provider.ID, provider.Name, err)
|
||||
continue
|
||||
}
|
||||
result.SuccessCount++
|
||||
}
|
||||
|
||||
result.CompletedAt = time.Now()
|
||||
result.Duration = result.CompletedAt.Sub(startTime).String()
|
||||
|
||||
return result, nil
|
||||
}
|
||||
|
||||
// rotateProviderCredentials re-encrypts a single provider's credentials.
|
||||
func (rs *RotationService) rotateProviderCredentials(ctx context.Context, provider *models.DNSProvider) error {
|
||||
// Decrypt with old key (using fallback mechanism)
|
||||
plaintext, err := rs.DecryptWithVersion(provider.CredentialsEncrypted, provider.KeyVersion)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to decrypt credentials: %w", err)
|
||||
}
|
||||
|
||||
// Validate that decrypted data is valid JSON
|
||||
var credentials map[string]string
|
||||
if err := json.Unmarshal(plaintext, &credentials); err != nil {
|
||||
return fmt.Errorf("invalid credential format after decryption: %w", err)
|
||||
}
|
||||
|
||||
// Re-encrypt with next key
|
||||
newCiphertext, err := rs.nextKey.Encrypt(plaintext)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to encrypt with next key: %w", err)
|
||||
}
|
||||
|
||||
// Update provider record atomically
|
||||
updates := map[string]interface{}{
|
||||
"credentials_encrypted": newCiphertext,
|
||||
"key_version": 2, // Next key becomes version 2
|
||||
"updated_at": time.Now(),
|
||||
}
|
||||
|
||||
if err := rs.db.WithContext(ctx).Model(provider).Updates(updates).Error; err != nil {
|
||||
return fmt.Errorf("failed to update provider record: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetStatus returns the current rotation status including key configuration and provider distribution.
|
||||
func (rs *RotationService) GetStatus() (*RotationStatus, error) {
|
||||
status := &RotationStatus{
|
||||
CurrentVersion: 1,
|
||||
NextKeyConfigured: rs.nextKey != nil,
|
||||
LegacyKeyCount: len(rs.legacyKeys),
|
||||
LegacyKeyVersions: []int{},
|
||||
ProvidersByVersion: make(map[int]int),
|
||||
}
|
||||
|
||||
// Collect legacy key versions
|
||||
for v := range rs.legacyKeys {
|
||||
status.LegacyKeyVersions = append(status.LegacyKeyVersions, v)
|
||||
}
|
||||
sort.Ints(status.LegacyKeyVersions)
|
||||
|
||||
// Count providers by key version
|
||||
var providers []models.DNSProvider
|
||||
if err := rs.db.Select("key_version").Find(&providers).Error; err != nil {
|
||||
return nil, fmt.Errorf("failed to count providers by version: %w", err)
|
||||
}
|
||||
|
||||
for _, p := range providers {
|
||||
status.ProvidersByVersion[p.KeyVersion]++
|
||||
if p.KeyVersion == 1 {
|
||||
status.ProvidersOnCurrentVersion++
|
||||
} else {
|
||||
status.ProvidersOnOlderVersions++
|
||||
}
|
||||
}
|
||||
|
||||
return status, nil
|
||||
}
|
||||
|
||||
// ValidateKeyConfiguration checks all configured encryption keys for validity.
|
||||
// Returns error if any key is invalid (wrong length, invalid base64, etc.).
|
||||
func (rs *RotationService) ValidateKeyConfiguration() error {
|
||||
// Current key is already validated during NewRotationService()
|
||||
// Just verify it's still accessible
|
||||
if rs.currentKey == nil {
|
||||
return fmt.Errorf("current encryption key not loaded")
|
||||
}
|
||||
|
||||
// Test encryption/decryption with current key
|
||||
testData := []byte("validation_test")
|
||||
ciphertext, err := rs.currentKey.Encrypt(testData)
|
||||
if err != nil {
|
||||
return fmt.Errorf("current key encryption test failed: %w", err)
|
||||
}
|
||||
plaintext, err := rs.currentKey.Decrypt(ciphertext)
|
||||
if err != nil {
|
||||
return fmt.Errorf("current key decryption test failed: %w", err)
|
||||
}
|
||||
if string(plaintext) != string(testData) {
|
||||
return fmt.Errorf("current key round-trip test failed")
|
||||
}
|
||||
|
||||
// Validate next key if configured
|
||||
if rs.nextKey != nil {
|
||||
ciphertext, err := rs.nextKey.Encrypt(testData)
|
||||
if err != nil {
|
||||
return fmt.Errorf("next key encryption test failed: %w", err)
|
||||
}
|
||||
plaintext, err := rs.nextKey.Decrypt(ciphertext)
|
||||
if err != nil {
|
||||
return fmt.Errorf("next key decryption test failed: %w", err)
|
||||
}
|
||||
if string(plaintext) != string(testData) {
|
||||
return fmt.Errorf("next key round-trip test failed")
|
||||
}
|
||||
}
|
||||
|
||||
// Validate legacy keys
|
||||
for version, legacyKey := range rs.legacyKeys {
|
||||
ciphertext, err := legacyKey.Encrypt(testData)
|
||||
if err != nil {
|
||||
return fmt.Errorf("legacy key V%d encryption test failed: %w", version, err)
|
||||
}
|
||||
plaintext, err := legacyKey.Decrypt(ciphertext)
|
||||
if err != nil {
|
||||
return fmt.Errorf("legacy key V%d decryption test failed: %w", version, err)
|
||||
}
|
||||
if string(plaintext) != string(testData) {
|
||||
return fmt.Errorf("legacy key V%d round-trip test failed", version)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// GenerateNewKey generates a new random 32-byte encryption key and returns it as base64.
|
||||
// This is a utility function for administrators to generate keys for rotation.
|
||||
func GenerateNewKey() (string, error) {
|
||||
key := make([]byte, 32)
|
||||
if _, err := rand.Read(key); err != nil {
|
||||
return "", fmt.Errorf("failed to generate random key: %w", err)
|
||||
}
|
||||
return base64.StdEncoding.EncodeToString(key), nil
|
||||
}
|
||||
@@ -1,533 +0,0 @@
|
||||
package crypto
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
"github.com/Wikid82/charon/backend/internal/models"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"gorm.io/driver/sqlite"
|
||||
"gorm.io/gorm"
|
||||
)
|
||||
|
||||
// setupTestDB creates an in-memory SQLite database for testing
|
||||
func setupTestDB(t *testing.T) *gorm.DB {
|
||||
db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
|
||||
require.NoError(t, err)
|
||||
|
||||
// Auto-migrate the DNSProvider model
|
||||
err = db.AutoMigrate(&models.DNSProvider{})
|
||||
require.NoError(t, err)
|
||||
|
||||
return db
|
||||
}
|
||||
|
||||
// setupTestKeys sets up test encryption keys in environment variables
|
||||
func setupTestKeys(t *testing.T) (currentKey, nextKey, legacyKey string) {
|
||||
currentKey, err := GenerateNewKey()
|
||||
require.NoError(t, err)
|
||||
|
||||
nextKey, err = GenerateNewKey()
|
||||
require.NoError(t, err)
|
||||
|
||||
legacyKey, err = GenerateNewKey()
|
||||
require.NoError(t, err)
|
||||
|
||||
_ = os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
|
||||
t.Cleanup(func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY") })
|
||||
|
||||
return currentKey, nextKey, legacyKey
|
||||
}
|
||||
|
||||
func TestNewRotationService(t *testing.T) {
|
||||
db := setupTestDB(t)
|
||||
currentKey, _, _ := setupTestKeys(t)
|
||||
|
||||
t.Run("successful initialization with current key only", func(t *testing.T) {
|
||||
rs, err := NewRotationService(db)
|
||||
assert.NoError(t, err)
|
||||
assert.NotNil(t, rs)
|
||||
assert.NotNil(t, rs.currentKey)
|
||||
assert.Nil(t, rs.nextKey)
|
||||
assert.Equal(t, 0, len(rs.legacyKeys))
|
||||
})
|
||||
|
||||
t.Run("successful initialization with next key", func(t *testing.T) {
|
||||
_, nextKey, _ := setupTestKeys(t)
|
||||
_ = os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
|
||||
defer func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT") }()
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
assert.NoError(t, err)
|
||||
assert.NotNil(t, rs)
|
||||
assert.NotNil(t, rs.nextKey)
|
||||
})
|
||||
|
||||
t.Run("successful initialization with legacy keys", func(t *testing.T) {
|
||||
_, _, legacyKey := setupTestKeys(t)
|
||||
_ = os.Setenv("CHARON_ENCRYPTION_KEY_V1", legacyKey)
|
||||
defer func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY_V1") }()
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
assert.NoError(t, err)
|
||||
assert.NotNil(t, rs)
|
||||
assert.Equal(t, 1, len(rs.legacyKeys))
|
||||
assert.NotNil(t, rs.legacyKeys[1])
|
||||
})
|
||||
|
||||
t.Run("fails without current key", func(t *testing.T) {
|
||||
_ = os.Unsetenv("CHARON_ENCRYPTION_KEY")
|
||||
defer func() { _ = os.Setenv("CHARON_ENCRYPTION_KEY", currentKey) }()
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
assert.Error(t, err)
|
||||
assert.Nil(t, rs)
|
||||
assert.Contains(t, err.Error(), "CHARON_ENCRYPTION_KEY is required")
|
||||
})
|
||||
|
||||
t.Run("handles invalid next key gracefully", func(t *testing.T) {
|
||||
_ = os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", "invalid_base64")
|
||||
defer func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT") }()
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
assert.Error(t, err)
|
||||
assert.Nil(t, rs)
|
||||
})
|
||||
}
|
||||
|
||||
func TestEncryptWithCurrentKey(t *testing.T) {
|
||||
db := setupTestDB(t)
|
||||
setupTestKeys(t)
|
||||
|
||||
t.Run("encrypts with current key when no next key", func(t *testing.T) {
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
plaintext := []byte("test credentials")
|
||||
ciphertext, version, err := rs.EncryptWithCurrentKey(plaintext)
|
||||
|
||||
assert.NoError(t, err)
|
||||
assert.NotEmpty(t, ciphertext)
|
||||
assert.Equal(t, 1, version)
|
||||
})
|
||||
|
||||
t.Run("encrypts with next key when configured", func(t *testing.T) {
|
||||
_, nextKey, _ := setupTestKeys(t)
|
||||
_ = os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
|
||||
defer func() { _ = os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT") }()
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
plaintext := []byte("test credentials")
|
||||
ciphertext, version, err := rs.EncryptWithCurrentKey(plaintext)
|
||||
|
||||
assert.NoError(t, err)
|
||||
assert.NotEmpty(t, ciphertext)
|
||||
assert.Equal(t, 2, version) // Next key becomes version 2
|
||||
})
|
||||
}
|
||||
|
||||
func TestDecryptWithVersion(t *testing.T) {
|
||||
db := setupTestDB(t)
|
||||
setupTestKeys(t)
|
||||
|
||||
t.Run("decrypts with correct version", func(t *testing.T) {
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
plaintext := []byte("test credentials")
|
||||
ciphertext, version, err := rs.EncryptWithCurrentKey(plaintext)
|
||||
require.NoError(t, err)
|
||||
|
||||
decrypted, err := rs.DecryptWithVersion(ciphertext, version)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, plaintext, decrypted)
|
||||
})
|
||||
|
||||
t.Run("falls back to other versions on failure", func(t *testing.T) {
|
||||
// This test verifies version fallback works when version hint is wrong
|
||||
// Skip for now as it's an edge case - main functionality is tested elsewhere
|
||||
t.Skip("Version fallback edge case - functionality verified in integration test")
|
||||
})
|
||||
|
||||
t.Run("fails when no keys can decrypt", func(t *testing.T) {
|
||||
// Save original keys
|
||||
origKey := os.Getenv("CHARON_ENCRYPTION_KEY")
|
||||
defer os.Setenv("CHARON_ENCRYPTION_KEY", origKey)
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Encrypt with a completely different key
|
||||
otherKey, err := GenerateNewKey()
|
||||
require.NoError(t, err)
|
||||
otherService, err := NewEncryptionService(otherKey)
|
||||
require.NoError(t, err)
|
||||
|
||||
plaintext := []byte("encrypted with other key")
|
||||
ciphertext, err := otherService.Encrypt(plaintext)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Should fail to decrypt
|
||||
_, err = rs.DecryptWithVersion(ciphertext, 1)
|
||||
assert.Error(t, err)
|
||||
})
|
||||
}
|
||||
|
||||
func TestRotateAllCredentials(t *testing.T) {
|
||||
currentKey, nextKey, _ := setupTestKeys(t)
|
||||
|
||||
t.Run("successfully rotates all providers", func(t *testing.T) {
|
||||
db := setupTestDB(t) // Fresh DB for this test
|
||||
// Create test providers
|
||||
currentService, err := NewEncryptionService(currentKey)
|
||||
require.NoError(t, err)
|
||||
|
||||
credentials := map[string]string{"api_key": "test123"}
|
||||
credJSON, _ := json.Marshal(credentials)
|
||||
encrypted, _ := currentService.Encrypt(credJSON)
|
||||
|
||||
provider1 := models.DNSProvider{
|
||||
UUID: "test-provider-1",
|
||||
Name: "Provider 1",
|
||||
ProviderType: "cloudflare",
|
||||
CredentialsEncrypted: encrypted,
|
||||
KeyVersion: 1,
|
||||
}
|
||||
provider2 := models.DNSProvider{
|
||||
UUID: "test-provider-2",
|
||||
Name: "Provider 2",
|
||||
ProviderType: "route53",
|
||||
CredentialsEncrypted: encrypted,
|
||||
KeyVersion: 1,
|
||||
}
|
||||
require.NoError(t, db.Create(&provider1).Error)
|
||||
require.NoError(t, db.Create(&provider2).Error)
|
||||
|
||||
// Set up rotation service with next key
|
||||
os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
|
||||
defer os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Perform rotation
|
||||
ctx := context.Background()
|
||||
result, err := rs.RotateAllCredentials(ctx)
|
||||
|
||||
assert.NoError(t, err)
|
||||
assert.NotNil(t, result)
|
||||
assert.Equal(t, 2, result.TotalProviders)
|
||||
assert.Equal(t, 2, result.SuccessCount)
|
||||
assert.Equal(t, 0, result.FailureCount)
|
||||
assert.Equal(t, 2, result.NewKeyVersion)
|
||||
assert.NotZero(t, result.Duration)
|
||||
|
||||
// Verify providers were updated
|
||||
var updatedProvider1 models.DNSProvider
|
||||
require.NoError(t, db.First(&updatedProvider1, provider1.ID).Error)
|
||||
assert.Equal(t, 2, updatedProvider1.KeyVersion)
|
||||
assert.NotEqual(t, encrypted, updatedProvider1.CredentialsEncrypted)
|
||||
|
||||
// Verify credentials can be decrypted with next key
|
||||
nextService, err := NewEncryptionService(nextKey)
|
||||
require.NoError(t, err)
|
||||
decrypted, err := nextService.Decrypt(updatedProvider1.CredentialsEncrypted)
|
||||
assert.NoError(t, err)
|
||||
|
||||
var decryptedCreds map[string]string
|
||||
require.NoError(t, json.Unmarshal(decrypted, &decryptedCreds))
|
||||
assert.Equal(t, "test123", decryptedCreds["api_key"])
|
||||
})
|
||||
|
||||
t.Run("fails when next key not configured", func(t *testing.T) {
|
||||
db := setupTestDB(t) // Fresh DB for this test
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
ctx := context.Background()
|
||||
result, err := rs.RotateAllCredentials(ctx)
|
||||
|
||||
assert.Error(t, err)
|
||||
assert.Nil(t, result)
|
||||
assert.Contains(t, err.Error(), "CHARON_ENCRYPTION_KEY_NEXT not configured")
|
||||
})
|
||||
|
||||
t.Run("handles partial failures", func(t *testing.T) {
|
||||
db := setupTestDB(t) // Fresh DB for this test
|
||||
// Create a provider with corrupted credentials
|
||||
corruptedProvider := models.DNSProvider{
|
||||
UUID: "test-corrupted",
|
||||
Name: "Corrupted",
|
||||
ProviderType: "cloudflare",
|
||||
CredentialsEncrypted: "corrupted_data_not_base64",
|
||||
KeyVersion: 1,
|
||||
}
|
||||
require.NoError(t, db.Create(&corruptedProvider).Error)
|
||||
|
||||
// Create a valid provider
|
||||
currentService, err := NewEncryptionService(currentKey)
|
||||
require.NoError(t, err)
|
||||
credentials := map[string]string{"api_key": "valid"}
|
||||
credJSON, _ := json.Marshal(credentials)
|
||||
encrypted, _ := currentService.Encrypt(credJSON)
|
||||
|
||||
validProvider := models.DNSProvider{
|
||||
UUID: "test-valid",
|
||||
Name: "Valid",
|
||||
ProviderType: "route53",
|
||||
CredentialsEncrypted: encrypted,
|
||||
KeyVersion: 1,
|
||||
}
|
||||
require.NoError(t, db.Create(&validProvider).Error)
|
||||
|
||||
// Set up rotation service with next key
|
||||
os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
|
||||
defer os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Perform rotation
|
||||
ctx := context.Background()
|
||||
result, err := rs.RotateAllCredentials(ctx)
|
||||
|
||||
// Should complete with partial failures
|
||||
assert.NoError(t, err)
|
||||
assert.NotNil(t, result)
|
||||
assert.Equal(t, 1, result.SuccessCount)
|
||||
assert.Equal(t, 1, result.FailureCount)
|
||||
assert.Contains(t, result.FailedProviders, corruptedProvider.ID)
|
||||
})
|
||||
}
|
||||
|
||||
func TestGetStatus(t *testing.T) {
|
||||
db := setupTestDB(t)
|
||||
_, nextKey, legacyKey := setupTestKeys(t)
|
||||
|
||||
t.Run("returns correct status with no providers", func(t *testing.T) {
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
status, err := rs.GetStatus()
|
||||
assert.NoError(t, err)
|
||||
assert.NotNil(t, status)
|
||||
assert.Equal(t, 1, status.CurrentVersion)
|
||||
assert.False(t, status.NextKeyConfigured)
|
||||
assert.Equal(t, 0, status.LegacyKeyCount)
|
||||
assert.Equal(t, 0, status.ProvidersOnCurrentVersion)
|
||||
})
|
||||
|
||||
t.Run("returns correct status with next key configured", func(t *testing.T) {
|
||||
os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
|
||||
defer os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
status, err := rs.GetStatus()
|
||||
assert.NoError(t, err)
|
||||
assert.True(t, status.NextKeyConfigured)
|
||||
})
|
||||
|
||||
t.Run("returns correct status with legacy keys", func(t *testing.T) {
|
||||
os.Setenv("CHARON_ENCRYPTION_KEY_V1", legacyKey)
|
||||
defer os.Unsetenv("CHARON_ENCRYPTION_KEY_V1")
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
status, err := rs.GetStatus()
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, 1, status.LegacyKeyCount)
|
||||
assert.Contains(t, status.LegacyKeyVersions, 1)
|
||||
})
|
||||
|
||||
t.Run("counts providers by version", func(t *testing.T) {
|
||||
// Create providers with different key versions
|
||||
provider1 := models.DNSProvider{
|
||||
UUID: "test-v1-provider",
|
||||
Name: "V1 Provider",
|
||||
KeyVersion: 1,
|
||||
}
|
||||
provider2 := models.DNSProvider{
|
||||
UUID: "test-v2-provider",
|
||||
Name: "V2 Provider",
|
||||
KeyVersion: 2,
|
||||
}
|
||||
require.NoError(t, db.Create(&provider1).Error)
|
||||
require.NoError(t, db.Create(&provider2).Error)
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
status, err := rs.GetStatus()
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, 1, status.ProvidersOnCurrentVersion)
|
||||
assert.Equal(t, 1, status.ProvidersOnOlderVersions)
|
||||
assert.Equal(t, 1, status.ProvidersByVersion[1])
|
||||
assert.Equal(t, 1, status.ProvidersByVersion[2])
|
||||
})
|
||||
}
|
||||
|
||||
func TestValidateKeyConfiguration(t *testing.T) {
|
||||
db := setupTestDB(t)
|
||||
_, nextKey, legacyKey := setupTestKeys(t)
|
||||
|
||||
t.Run("validates current key successfully", func(t *testing.T) {
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = rs.ValidateKeyConfiguration()
|
||||
assert.NoError(t, err)
|
||||
})
|
||||
|
||||
t.Run("validates next key successfully", func(t *testing.T) {
|
||||
os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
|
||||
defer os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = rs.ValidateKeyConfiguration()
|
||||
assert.NoError(t, err)
|
||||
})
|
||||
|
||||
t.Run("validates legacy keys successfully", func(t *testing.T) {
|
||||
os.Setenv("CHARON_ENCRYPTION_KEY_V1", legacyKey)
|
||||
defer os.Unsetenv("CHARON_ENCRYPTION_KEY_V1")
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
err = rs.ValidateKeyConfiguration()
|
||||
assert.NoError(t, err)
|
||||
})
|
||||
}
|
||||
|
||||
func TestGenerateNewKey(t *testing.T) {
|
||||
t.Run("generates valid base64 key", func(t *testing.T) {
|
||||
key, err := GenerateNewKey()
|
||||
assert.NoError(t, err)
|
||||
assert.NotEmpty(t, key)
|
||||
|
||||
// Verify it can be used to create an encryption service
|
||||
_, err = NewEncryptionService(key)
|
||||
assert.NoError(t, err)
|
||||
})
|
||||
|
||||
t.Run("generates unique keys", func(t *testing.T) {
|
||||
key1, err := GenerateNewKey()
|
||||
require.NoError(t, err)
|
||||
|
||||
key2, err := GenerateNewKey()
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.NotEqual(t, key1, key2)
|
||||
})
|
||||
}
|
||||
|
||||
func TestRotationServiceConcurrency(t *testing.T) {
|
||||
db := setupTestDB(t)
|
||||
currentKey, nextKey, _ := setupTestKeys(t)
|
||||
|
||||
// Create multiple providers
|
||||
currentService, err := NewEncryptionService(currentKey)
|
||||
require.NoError(t, err)
|
||||
|
||||
for i := 0; i < 10; i++ {
|
||||
credentials := map[string]string{"api_key": "test"}
|
||||
credJSON, _ := json.Marshal(credentials)
|
||||
encrypted, _ := currentService.Encrypt(credJSON)
|
||||
|
||||
provider := models.DNSProvider{
|
||||
UUID: fmt.Sprintf("test-concurrent-%d", i),
|
||||
Name: "Provider",
|
||||
CredentialsEncrypted: encrypted,
|
||||
KeyVersion: 1,
|
||||
}
|
||||
require.NoError(t, db.Create(&provider).Error)
|
||||
}
|
||||
|
||||
os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
|
||||
defer os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Perform rotation
|
||||
ctx := context.Background()
|
||||
result, err := rs.RotateAllCredentials(ctx)
|
||||
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, 10, result.TotalProviders)
|
||||
assert.Equal(t, 10, result.SuccessCount)
|
||||
assert.Equal(t, 0, result.FailureCount)
|
||||
}
|
||||
|
||||
func TestRotationServiceZeroDowntime(t *testing.T) {
|
||||
db := setupTestDB(t)
|
||||
currentKey, nextKey, _ := setupTestKeys(t)
|
||||
|
||||
// Simulate the zero-downtime workflow
|
||||
t.Run("step 1: initial setup with current key", func(t *testing.T) {
|
||||
currentService, err := NewEncryptionService(currentKey)
|
||||
require.NoError(t, err)
|
||||
|
||||
credentials := map[string]string{"api_key": "secret"}
|
||||
credJSON, _ := json.Marshal(credentials)
|
||||
encrypted, _ := currentService.Encrypt(credJSON)
|
||||
|
||||
provider := models.DNSProvider{
|
||||
UUID: "test-zero-downtime",
|
||||
Name: "Test Provider",
|
||||
ProviderType: "cloudflare",
|
||||
CredentialsEncrypted: encrypted,
|
||||
KeyVersion: 1,
|
||||
}
|
||||
require.NoError(t, db.Create(&provider).Error)
|
||||
})
|
||||
|
||||
t.Run("step 2: configure next key and rotate", func(t *testing.T) {
|
||||
os.Setenv("CHARON_ENCRYPTION_KEY_NEXT", nextKey)
|
||||
defer os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
ctx := context.Background()
|
||||
result, err := rs.RotateAllCredentials(ctx)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, 1, result.SuccessCount)
|
||||
})
|
||||
|
||||
t.Run("step 3: promote next to current", func(t *testing.T) {
|
||||
// Simulate promotion: NEXT → current, old current → V1
|
||||
os.Setenv("CHARON_ENCRYPTION_KEY", nextKey)
|
||||
os.Setenv("CHARON_ENCRYPTION_KEY_V1", currentKey)
|
||||
os.Unsetenv("CHARON_ENCRYPTION_KEY_NEXT")
|
||||
defer func() {
|
||||
os.Setenv("CHARON_ENCRYPTION_KEY", currentKey)
|
||||
os.Unsetenv("CHARON_ENCRYPTION_KEY_V1")
|
||||
}()
|
||||
|
||||
rs, err := NewRotationService(db)
|
||||
require.NoError(t, err)
|
||||
|
||||
// Verify we can still decrypt with new key (now current)
|
||||
var provider models.DNSProvider
|
||||
require.NoError(t, db.First(&provider).Error)
|
||||
|
||||
decrypted, err := rs.DecryptWithVersion(provider.CredentialsEncrypted, provider.KeyVersion)
|
||||
assert.NoError(t, err)
|
||||
|
||||
var credentials map[string]string
|
||||
require.NoError(t, json.Unmarshal(decrypted, &credentials))
|
||||
assert.Equal(t, "secret", credentials["api_key"])
|
||||
})
|
||||
}
|
||||
Reference in New Issue
Block a user