public async Task EncryptionDecryptQueryResultDifferentDeks()
{
string dekId1 = "mydek1";
await EncryptionTests.CreateDekAsync(EncryptionTests.dekProvider, dekId1);
TestDoc testDoc1 = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
TestDoc testDoc2 = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, dekId1, TestDoc.PathsToEncrypt);
await ValidateQueryResultsMultipleDocumentsAsync(EncryptionTests.itemContainerCore, testDoc1, testDoc2);
}
public async Task EncryptionDecryptQueryResultDifferentDeks()
{
string dekId1 = "mydek1";
await EncryptionTests.CreateDekAsync(EncryptionTests.dekProvider, dekId1);
TestDoc testDoc1 = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
TestDoc testDoc2 = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, dekId1, TestDoc.PathsToEncrypt);
string query = $"SELECT * FROM c WHERE c.PK in ('{testDoc1.PK}', '{testDoc2.PK}')";
await EncryptionTests.ValidateQueryResultsMultipleDocumentsAsync(EncryptionTests.itemContainerCore, testDoc1, testDoc2, query);
}
public static async Task ClassInitialize(TestContext context)
{
EncryptionTests.dekProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
EncryptionTests.encryptor = new TestEncryptor(EncryptionTests.dekProvider);
EncryptionTests.client = EncryptionTests.GetClient();
EncryptionTests.databaseCore = (DatabaseInlineCore)await EncryptionTests.client.CreateDatabaseAsync(Guid.NewGuid().ToString());
EncryptionTests.keyContainer = await EncryptionTests.databaseCore.CreateContainerAsync(Guid.NewGuid().ToString(), "/id", 400);
await EncryptionTests.dekProvider.InitializeAsync(EncryptionTests.databaseCore, EncryptionTests.keyContainer.Id);
EncryptionTests.itemContainer = await EncryptionTests.databaseCore.CreateContainerAsync(Guid.NewGuid().ToString(), "/PK", 400);
EncryptionTests.itemContainerCore = (ContainerInlineCore)EncryptionTests.itemContainer;
EncryptionTests.dekProperties = await EncryptionTests.CreateDekAsync(EncryptionTests.dekProvider, EncryptionTests.dekId);
}
public async Task EncryptionCreateDek()
{
string dekId = "anotherDek";
DataEncryptionKeyProperties dekProperties = await EncryptionTests.CreateDekAsync(EncryptionTests.databaseCore, dekId);
Assert.IsNotNull(dekProperties);
Assert.IsNotNull(dekProperties.CreatedTime);
Assert.IsNotNull(dekProperties.LastModified);
Assert.IsNotNull(dekProperties.SelfLink);
Assert.IsNotNull(dekProperties.ResourceId);
// Assert.AreEqual(dekProperties.LastModified, dekProperties.CreatedTime);
Assert.AreEqual(
new EncryptionKeyWrapMetadata(EncryptionTests.metadata1.Value + EncryptionTests.metadataUpdateSuffix),
dekProperties.EncryptionKeyWrapMetadata);
// Use a different client instance to avoid (unintentional) cache impact
using (CosmosClient client = EncryptionTests.GetClient())
{
DataEncryptionKeyProperties readProperties =
await((DatabaseCore)(DatabaseInlineCore)client.GetDatabase(EncryptionTests.databaseCore.Id)).GetDataEncryptionKey(dekId).ReadAsync();
Assert.AreEqual(dekProperties, readProperties);
}
}
public async Task EncryptionCreateDek()
{
string dekId = "anotherDek";
DataEncryptionKeyProperties dekProperties = await EncryptionTests.CreateDekAsync(EncryptionTests.dekProvider, dekId);
Assert.IsNotNull(dekProperties);
Assert.IsNotNull(dekProperties.CreatedTime);
Assert.IsNotNull(dekProperties.LastModified);
Assert.IsNotNull(dekProperties.SelfLink);
// Assert.IsNotNull(dekProperties.ResourceId);
// Assert.AreEqual(dekProperties.LastModified, dekProperties.CreatedTime);
Assert.AreEqual(
new EncryptionKeyWrapMetadata(EncryptionTests.metadata1.Value + EncryptionTests.metadataUpdateSuffix),
dekProperties.EncryptionKeyWrapMetadata);
// Use different DEK provider to avoid (unintentional) cache impact
CosmosDataEncryptionKeyProvider dekProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
await dekProvider.InitializeAsync(EncryptionTests.databaseCore, EncryptionTests.keyContainer.Id);
DataEncryptionKeyProperties readProperties = await dekProvider.DataEncryptionKeyContainer.ReadDataEncryptionKeyAsync(dekId);
Assert.AreEqual(dekProperties, readProperties);
}
public async Task EncryptionDekReadFeed()
{
DatabaseCore databaseCore = null;
try
{
databaseCore = (DatabaseInlineCore)await EncryptionTests.client.CreateDatabaseAsync(Guid.NewGuid().ToString());
ContainerCore containerCore = (ContainerInlineCore)await EncryptionTests.databaseCore.CreateContainerAsync(Guid.NewGuid().ToString(), "/PK", 400);
string contosoV1 = "Contoso_v001";
string contosoV2 = "Contoso_v002";
string fabrikamV1 = "Fabrikam_v001";
string fabrikamV2 = "Fabrikam_v002";
await EncryptionTests.CreateDekAsync(databaseCore, contosoV1);
await EncryptionTests.CreateDekAsync(databaseCore, contosoV2);
await EncryptionTests.CreateDekAsync(databaseCore, fabrikamV1);
await EncryptionTests.CreateDekAsync(databaseCore, fabrikamV2);
// Test getting all keys
await EncryptionTests.IterateDekFeedAsync(
databaseCore,
new List <string> {
contosoV1, contosoV2, fabrikamV1, fabrikamV2
},
isExpectedDeksCompleteSetForRequest : true,
isResultOrderExpected : false);
// Test getting specific subset of keys
await EncryptionTests.IterateDekFeedAsync(
databaseCore,
new List <string> {
contosoV2
},
isExpectedDeksCompleteSetForRequest : false,
isResultOrderExpected : true,
startId : "Contoso_v000",
endId : "Contoso_v999",
isDescending : true,
itemCountInPage : 1);
// Ensure only required results are returned (ascending)
await EncryptionTests.IterateDekFeedAsync(
databaseCore,
new List <string> {
contosoV1, contosoV2
},
isExpectedDeksCompleteSetForRequest : true,
isResultOrderExpected : true,
startId : "Contoso_v000",
endId : "Contoso_v999",
isDescending : false);
// Test startId inclusive and endId inclusive (ascending)
await EncryptionTests.IterateDekFeedAsync(
databaseCore,
new List <string> {
contosoV1, contosoV2
},
isExpectedDeksCompleteSetForRequest : true,
isResultOrderExpected : true,
startId : "Contoso_v001",
endId : "Contoso_v002",
isDescending : false);
// Ensure only required results are returned (descending)
await EncryptionTests.IterateDekFeedAsync(
databaseCore,
new List <string> {
contosoV2, contosoV1
},
isExpectedDeksCompleteSetForRequest : true,
isResultOrderExpected : true,
startId : "Contoso_v000",
endId : "Contoso_v999",
isDescending : true);
// Test startId inclusive and endId inclusive (descending)
await EncryptionTests.IterateDekFeedAsync(
databaseCore,
new List <string> {
contosoV2, contosoV1
},
isExpectedDeksCompleteSetForRequest : true,
isResultOrderExpected : true,
startId : "Contoso_v001",
endId : "Contoso_v002",
isDescending : true);
// Test pagination
await EncryptionTests.IterateDekFeedAsync(
databaseCore,
new List <string> {
contosoV1, contosoV2, fabrikamV1, fabrikamV2
},
isExpectedDeksCompleteSetForRequest : true,
isResultOrderExpected : false,
itemCountInPage : 3);
}
finally
{
if (databaseCore != null)
{
await databaseCore.DeleteStreamAsync();
}
}
}
public async Task EncryptionTransactionBatchCrud()
{
string partitionKey = "thePK";
string dek1 = EncryptionTests.dekId;
string dek2 = "dek2Forbatch";
await EncryptionTests.CreateDekAsync(EncryptionTests.dekProvider, dek2);
TestDoc doc1ToCreate = TestDoc.Create(partitionKey);
TestDoc doc2ToCreate = TestDoc.Create(partitionKey);
TestDoc doc3ToCreate = TestDoc.Create(partitionKey);
ItemResponse <TestDoc> doc1ToReplaceCreateResponse = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, dek1, TestDoc.PathsToEncrypt, partitionKey);
TestDoc doc1ToReplace = doc1ToReplaceCreateResponse.Resource;
doc1ToReplace.NonSensitive = Guid.NewGuid().ToString();
doc1ToReplace.Sensitive = Guid.NewGuid().ToString();
TestDoc doc2ToReplace = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, dek2, TestDoc.PathsToEncrypt, partitionKey);
doc2ToReplace.NonSensitive = Guid.NewGuid().ToString();
doc2ToReplace.Sensitive = Guid.NewGuid().ToString();
TestDoc doc1ToUpsert = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, dek2, TestDoc.PathsToEncrypt, partitionKey);
doc1ToUpsert.NonSensitive = Guid.NewGuid().ToString();
doc1ToUpsert.Sensitive = Guid.NewGuid().ToString();
TestDoc doc2ToUpsert = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, dek1, TestDoc.PathsToEncrypt, partitionKey);
doc2ToUpsert.NonSensitive = Guid.NewGuid().ToString();
doc2ToUpsert.Sensitive = Guid.NewGuid().ToString();
TestDoc docToDelete = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, dek1, TestDoc.PathsToEncrypt, partitionKey);
TransactionalBatchResponse batchResponse = await EncryptionTests.itemContainer.CreateTransactionalBatch(new Cosmos.PartitionKey(partitionKey))
.CreateItem(doc1ToCreate, EncryptionTests.GetBatchItemRequestOptions(EncryptionTests.itemContainerCore, dek1, TestDoc.PathsToEncrypt))
.CreateItemStream(doc2ToCreate.ToStream(), EncryptionTests.GetBatchItemRequestOptions(EncryptionTests.itemContainerCore, dek2, TestDoc.PathsToEncrypt))
.ReplaceItem(doc1ToReplace.Id, doc1ToReplace, EncryptionTests.GetBatchItemRequestOptions(EncryptionTests.itemContainerCore, dek2, TestDoc.PathsToEncrypt, doc1ToReplaceCreateResponse.ETag))
.CreateItem(doc3ToCreate)
.ReplaceItemStream(doc2ToReplace.Id, doc2ToReplace.ToStream(), EncryptionTests.GetBatchItemRequestOptions(EncryptionTests.itemContainerCore, dek2, TestDoc.PathsToEncrypt))
.UpsertItem(doc1ToUpsert, EncryptionTests.GetBatchItemRequestOptions(EncryptionTests.itemContainerCore, dek1, TestDoc.PathsToEncrypt))
.DeleteItem(docToDelete.Id)
.UpsertItemStream(doc2ToUpsert.ToStream(), EncryptionTests.GetBatchItemRequestOptions(EncryptionTests.itemContainerCore, dek2, TestDoc.PathsToEncrypt))
.ExecuteAsync();
Assert.AreEqual(HttpStatusCode.OK, batchResponse.StatusCode);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.itemContainerCore, doc1ToCreate);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.itemContainerCore, doc2ToCreate);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.itemContainerCore, doc3ToCreate);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.itemContainerCore, doc1ToReplace);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.itemContainerCore, doc2ToReplace);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.itemContainerCore, doc1ToUpsert);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.itemContainerCore, doc2ToUpsert);
ResponseMessage readResponseMessage = await EncryptionTests.itemContainer.ReadItemStreamAsync(docToDelete.Id, new PartitionKey(docToDelete.PK));
Assert.AreEqual(HttpStatusCode.NotFound, readResponseMessage.StatusCode);
}
public async Task EncryptionDekReadFeed()
{
Container newKeyContainer = await EncryptionTests.databaseCore.CreateContainerAsync(Guid.NewGuid().ToString(), "/id", 400);
try
{
CosmosDataEncryptionKeyProvider dekProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
await dekProvider.InitializeAsync(EncryptionTests.databaseCore, newKeyContainer.Id);
string contosoV1 = "Contoso_v001";
string contosoV2 = "Contoso_v002";
string fabrikamV1 = "Fabrikam_v001";
string fabrikamV2 = "Fabrikam_v002";
await EncryptionTests.CreateDekAsync(dekProvider, contosoV1);
await EncryptionTests.CreateDekAsync(dekProvider, contosoV2);
await EncryptionTests.CreateDekAsync(dekProvider, fabrikamV1);
await EncryptionTests.CreateDekAsync(dekProvider, fabrikamV2);
// Test getting all keys
await EncryptionTests.IterateDekFeedAsync(
dekProvider,
new List <string> {
contosoV1, contosoV2, fabrikamV1, fabrikamV2
},
isExpectedDeksCompleteSetForRequest : true,
isResultOrderExpected : false,
"SELECT * from c");
// Test getting specific subset of keys
await EncryptionTests.IterateDekFeedAsync(
dekProvider,
new List <string> {
contosoV2
},
isExpectedDeksCompleteSetForRequest : false,
isResultOrderExpected : true,
"SELECT TOP 1 * from c where c.id >= 'Contoso_v000' and c.id <= 'Contoso_v999' ORDER BY c.id DESC");
// Ensure only required results are returned
await EncryptionTests.IterateDekFeedAsync(
dekProvider,
new List <string> {
contosoV1, contosoV2
},
isExpectedDeksCompleteSetForRequest : true,
isResultOrderExpected : true,
"SELECT * from c where c.id >= 'Contoso_v000' and c.id <= 'Contoso_v999' ORDER BY c.id ASC");
// Test pagination
await EncryptionTests.IterateDekFeedAsync(
dekProvider,
new List <string> {
contosoV1, contosoV2, fabrikamV1, fabrikamV2
},
isExpectedDeksCompleteSetForRequest : true,
isResultOrderExpected : false,
"SELECT * from c",
itemCountInPage : 3);
}
finally
{
await newKeyContainer.DeleteContainerStreamAsync();
}
}
