internal static Mock <MemoryPersistenceImpl <JObject> > CreateMetastoreMock(
AppEncryptionPartition appEncryptionPartition,
KeyManagementService kms,
KeyState metaIK,
KeyState metaSK,
CryptoKeyHolder cryptoKeyHolder)
{
// TODO Change this to generate a mock dynamically based on the Metastore type
Mock <MemoryPersistenceImpl <JObject> > metastorePersistenceSpy = new Mock <MemoryPersistenceImpl <JObject> > {
CallBase = true
};
CryptoKey systemKey = cryptoKeyHolder.SystemKey;
if (metaSK != KeyState.Empty)
{
if (metaSK == KeyState.Retired)
{
// We create a revoked copy of the same key
DateTimeOffset created = systemKey.GetCreated();
systemKey = systemKey
.WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true));
}
EnvelopeKeyRecord systemKeyRecord = new EnvelopeKeyRecord(
systemKey.GetCreated(), null, kms.EncryptKey(systemKey), systemKey.IsRevoked());
metastorePersistenceSpy.Object.Store(
appEncryptionPartition.SystemKeyId,
systemKeyRecord.Created,
systemKeyRecord.ToJson());
}
if (metaIK != KeyState.Empty)
{
CryptoKey intermediateKey = cryptoKeyHolder.IntermediateKey;
if (metaIK == KeyState.Retired)
{
// We create a revoked copy of the same key
DateTimeOffset created = intermediateKey.GetCreated();
intermediateKey = intermediateKey
.WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true));
}
EnvelopeKeyRecord intermediateKeyRecord = new EnvelopeKeyRecord(
intermediateKey.GetCreated(),
new KeyMeta(appEncryptionPartition.SystemKeyId, systemKey.GetCreated()),
Crypto.EncryptKey(intermediateKey, systemKey),
intermediateKey.IsRevoked());
metastorePersistenceSpy.Object.Store(
appEncryptionPartition.IntermediateKeyId,
intermediateKeyRecord.Created,
intermediateKeyRecord.ToJson());
}
metastorePersistenceSpy.Reset();
return(metastorePersistenceSpy);
}
private static object[] GenerateMocks(KeyState cacheIK, KeyState metaIK, KeyState cacheSK, KeyState metaSK)
{
AppEncryptionPartition appEncryptionPartition = new AppEncryptionPartition(
cacheIK + "CacheIK_" + metaIK + "MetaIK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(),
cacheSK + "CacheSK_" + metaSK + "MetaSK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(),
DefaultProductId);
// TODO Update to create KeyManagementService based on config/param once we plug in AWS KMS
KeyManagementService kms = new StaticKeyManagementServiceImpl(KeyManagementStaticMasterKey);
CryptoKeyHolder cryptoKeyHolder = CryptoKeyHolder.GenerateIKSK();
// TODO Pass Metastore type to enable spy generation once we plug in external metastore types
Mock <MemoryPersistenceImpl <JObject> > metastorePersistence = MetastoreMock.CreateMetastoreMock(appEncryptionPartition, kms, metaIK, metaSK, cryptoKeyHolder);
CacheMock cacheMock = CacheMock.CreateCacheMock(cacheIK, cacheSK, cryptoKeyHolder);
// Mimics (mostly) the old TimeBasedCryptoPolicyImpl settings
CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder()
.WithKeyExpirationDays(KeyExpiryDays)
.WithRevokeCheckMinutes(int.MaxValue)
.WithCanCacheIntermediateKeys(false)
.WithCanCacheSystemKeys(false)
.Build();
SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache = cacheMock.IntermediateKeyCache;
SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache = cacheMock.SystemKeyCache;
EnvelopeEncryptionJsonImpl envelopeEncryptionJson = new EnvelopeEncryptionJsonImpl(
appEncryptionPartition,
metastorePersistence.Object,
systemKeyCache,
new FakeSecureCryptoKeyDictionaryFactory <DateTimeOffset>(intermediateKeyCache),
new BouncyAes256GcmCrypto(),
cryptoPolicy,
kms);
IEnvelopeEncryption <byte[]> envelopeEncryptionByteImpl = new EnvelopeEncryptionBytesImpl(envelopeEncryptionJson);
// Need to manually set a no-op metrics instance
IMetrics metrics = new MetricsBuilder()
.Configuration.Configure(options => options.Enabled = false)
.Build();
MetricsUtil.SetMetricsInstance(metrics);
return(new object[] { envelopeEncryptionByteImpl, metastorePersistence, cacheIK, metaIK, cacheSK, metaSK, appEncryptionPartition });
}
private object[] GenerateMocks(KeyState cacheIK, KeyState metaIK, KeyState cacheSK, KeyState metaSK)
{
Partition partition = new Partition(
cacheIK + "CacheIK_" + metaIK + "MetaIK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() +
"_" + Random.Next(),
cacheSK + "CacheSK_" + metaSK + "MetaSK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(),
DefaultProductId);
KeyManagementService kms = configFixture.KeyManagementService;
CryptoKeyHolder cryptoKeyHolder = CryptoKeyHolder.GenerateIKSK();
Mock <IMetastore <JObject> > metastoreMock = MetastoreMock.CreateMetastoreMock(
partition, kms, metaIK, metaSK, cryptoKeyHolder, configFixture.Metastore);
CacheMock cacheMock = CacheMock.CreateCacheMock(cacheIK, cacheSK, cryptoKeyHolder);
// Mimics (mostly) the old TimeBasedCryptoPolicyImpl settings
CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder()
.WithKeyExpirationDays(KeyExpiryDays)
.WithRevokeCheckMinutes(int.MaxValue)
.WithCanCacheIntermediateKeys(false)
.WithCanCacheSystemKeys(false)
.Build();
SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache = cacheMock.IntermediateKeyCache;
SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache = cacheMock.SystemKeyCache;
EnvelopeEncryptionJsonImpl envelopeEncryptionJson = new EnvelopeEncryptionJsonImpl(
partition,
metastoreMock.Object,
systemKeyCache,
new FakeSecureCryptoKeyDictionaryFactory <DateTimeOffset>(intermediateKeyCache),
new BouncyAes256GcmCrypto(),
cryptoPolicy,
kms);
IEnvelopeEncryption <byte[]> envelopeEncryptionByteImpl =
new EnvelopeEncryptionBytesImpl(envelopeEncryptionJson);
return(new object[]
{
envelopeEncryptionByteImpl, metastoreMock, cacheIK, metaIK, cacheSK, metaSK,
partition
});
}
internal static CacheMock CreateCacheMock(
KeyState cacheIK,
KeyState cacheSK,
CryptoKeyHolder cryptoKeyHolder)
{
Mock <SecureCryptoKeyDictionary <DateTimeOffset> > systemKeyCacheSpy =
new Mock <SecureCryptoKeyDictionary <DateTimeOffset> >(long.MaxValue / 2)
{
CallBase = true
};
Mock <SecureCryptoKeyDictionary <DateTimeOffset> > intermediateKeyCacheSpy =
new Mock <SecureCryptoKeyDictionary <DateTimeOffset> >(long.MaxValue / 2)
{
CallBase = true
};
if (cacheSK != KeyState.Empty)
{
CryptoKey systemKey = cryptoKeyHolder.SystemKey;
if (cacheSK == KeyState.Retired)
{
// We create a revoked copy of the same key
DateTimeOffset created = systemKey.GetCreated();
systemKey = systemKey
.WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true));
}
systemKeyCacheSpy.Object.PutAndGetUsable(systemKey.GetCreated(), systemKey);
}
if (cacheIK != KeyState.Empty)
{
CryptoKey intermediateKey = cryptoKeyHolder.IntermediateKey;
if (cacheIK == KeyState.Retired)
{
// We create a revoked copy of the same key
DateTimeOffset created = intermediateKey.GetCreated();
intermediateKey = intermediateKey
.WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true));
}
intermediateKeyCacheSpy.Object.PutAndGetUsable(intermediateKey.GetCreated(), intermediateKey);
}
return(new CacheMock(systemKeyCacheSpy.Object, intermediateKeyCacheSpy.Object));
}
internal static Mock <IMetastore <JObject> > CreateMetastoreMock(
Partition partition,
KeyManagementService kms,
KeyState metaIK,
KeyState metaSK,
CryptoKeyHolder cryptoKeyHolder,
IMetastore <JObject> metastore)
{
CryptoKey systemKey = cryptoKeyHolder.SystemKey;
Mock <IMetastore <JObject> > metastoreSpy = new Mock <IMetastore <JObject> >();
metastoreSpy
.Setup(x => x.Load(It.IsAny <string>(), It.IsAny <DateTimeOffset>()))
.Returns <string, DateTimeOffset>(metastore.Load);
metastoreSpy
.Setup(x => x.LoadLatest(It.IsAny <string>()))
.Returns <string>(metastore.LoadLatest);
metastoreSpy
.Setup(x => x.Store(It.IsAny <string>(), It.IsAny <DateTimeOffset>(), It.IsAny <JObject>()))
.Returns <string, DateTimeOffset, JObject>(metastore.Store);
if (metaSK != KeyState.Empty)
{
if (metaSK == KeyState.Retired)
{
// We create a revoked copy of the same key
DateTimeOffset created = systemKey.GetCreated();
systemKey = systemKey
.WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true));
}
EnvelopeKeyRecord systemKeyRecord = new EnvelopeKeyRecord(
systemKey.GetCreated(), null, kms.EncryptKey(systemKey), systemKey.IsRevoked());
metastore.Store(
partition.SystemKeyId,
systemKeyRecord.Created,
systemKeyRecord.ToJson());
}
if (metaIK != KeyState.Empty)
{
CryptoKey intermediateKey = cryptoKeyHolder.IntermediateKey;
if (metaIK == KeyState.Retired)
{
// We create a revoked copy of the same key
DateTimeOffset created = intermediateKey.GetCreated();
intermediateKey = intermediateKey
.WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true));
}
EnvelopeKeyRecord intermediateKeyRecord = new EnvelopeKeyRecord(
intermediateKey.GetCreated(),
new KeyMeta(partition.SystemKeyId, systemKey.GetCreated()),
Crypto.EncryptKey(intermediateKey, systemKey),
intermediateKey.IsRevoked());
metastore.Store(
partition.IntermediateKeyId,
intermediateKeyRecord.Created,
intermediateKeyRecord.ToJson());
}
return(metastoreSpy);
}
