internal static Mock <MemoryPersistenceImpl <JObject> > CreateMetastoreMock( AppEncryptionPartition appEncryptionPartition, KeyManagementService kms, KeyState metaIK, KeyState metaSK, CryptoKeyHolder cryptoKeyHolder) { // TODO Change this to generate a mock dynamically based on the Metastore type Mock <MemoryPersistenceImpl <JObject> > metastorePersistenceSpy = new Mock <MemoryPersistenceImpl <JObject> > { CallBase = true }; CryptoKey systemKey = cryptoKeyHolder.SystemKey; if (metaSK != KeyState.Empty) { if (metaSK == KeyState.Retired) { // We create a revoked copy of the same key DateTimeOffset created = systemKey.GetCreated(); systemKey = systemKey .WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true)); } EnvelopeKeyRecord systemKeyRecord = new EnvelopeKeyRecord( systemKey.GetCreated(), null, kms.EncryptKey(systemKey), systemKey.IsRevoked()); metastorePersistenceSpy.Object.Store( appEncryptionPartition.SystemKeyId, systemKeyRecord.Created, systemKeyRecord.ToJson()); } if (metaIK != KeyState.Empty) { CryptoKey intermediateKey = cryptoKeyHolder.IntermediateKey; if (metaIK == KeyState.Retired) { // We create a revoked copy of the same key DateTimeOffset created = intermediateKey.GetCreated(); intermediateKey = intermediateKey .WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true)); } EnvelopeKeyRecord intermediateKeyRecord = new EnvelopeKeyRecord( intermediateKey.GetCreated(), new KeyMeta(appEncryptionPartition.SystemKeyId, systemKey.GetCreated()), Crypto.EncryptKey(intermediateKey, systemKey), intermediateKey.IsRevoked()); metastorePersistenceSpy.Object.Store( appEncryptionPartition.IntermediateKeyId, intermediateKeyRecord.Created, intermediateKeyRecord.ToJson()); } metastorePersistenceSpy.Reset(); return(metastorePersistenceSpy); }
private static object[] GenerateMocks(KeyState cacheIK, KeyState metaIK, KeyState cacheSK, KeyState metaSK) { AppEncryptionPartition appEncryptionPartition = new AppEncryptionPartition( cacheIK + "CacheIK_" + metaIK + "MetaIK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(), cacheSK + "CacheSK_" + metaSK + "MetaSK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(), DefaultProductId); // TODO Update to create KeyManagementService based on config/param once we plug in AWS KMS KeyManagementService kms = new StaticKeyManagementServiceImpl(KeyManagementStaticMasterKey); CryptoKeyHolder cryptoKeyHolder = CryptoKeyHolder.GenerateIKSK(); // TODO Pass Metastore type to enable spy generation once we plug in external metastore types Mock <MemoryPersistenceImpl <JObject> > metastorePersistence = MetastoreMock.CreateMetastoreMock(appEncryptionPartition, kms, metaIK, metaSK, cryptoKeyHolder); CacheMock cacheMock = CacheMock.CreateCacheMock(cacheIK, cacheSK, cryptoKeyHolder); // Mimics (mostly) the old TimeBasedCryptoPolicyImpl settings CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder() .WithKeyExpirationDays(KeyExpiryDays) .WithRevokeCheckMinutes(int.MaxValue) .WithCanCacheIntermediateKeys(false) .WithCanCacheSystemKeys(false) .Build(); SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache = cacheMock.IntermediateKeyCache; SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache = cacheMock.SystemKeyCache; EnvelopeEncryptionJsonImpl envelopeEncryptionJson = new EnvelopeEncryptionJsonImpl( appEncryptionPartition, metastorePersistence.Object, systemKeyCache, new FakeSecureCryptoKeyDictionaryFactory <DateTimeOffset>(intermediateKeyCache), new BouncyAes256GcmCrypto(), cryptoPolicy, kms); IEnvelopeEncryption <byte[]> envelopeEncryptionByteImpl = new EnvelopeEncryptionBytesImpl(envelopeEncryptionJson); // Need to manually set a no-op metrics instance IMetrics metrics = new MetricsBuilder() .Configuration.Configure(options => options.Enabled = false) .Build(); MetricsUtil.SetMetricsInstance(metrics); return(new object[] { envelopeEncryptionByteImpl, metastorePersistence, cacheIK, metaIK, cacheSK, metaSK, appEncryptionPartition }); }
private object[] GenerateMocks(KeyState cacheIK, KeyState metaIK, KeyState cacheSK, KeyState metaSK) { Partition partition = new Partition( cacheIK + "CacheIK_" + metaIK + "MetaIK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(), cacheSK + "CacheSK_" + metaSK + "MetaSK_" + DateTimeUtils.GetCurrentTimeAsUtcIsoDateTimeOffset() + "_" + Random.Next(), DefaultProductId); KeyManagementService kms = configFixture.KeyManagementService; CryptoKeyHolder cryptoKeyHolder = CryptoKeyHolder.GenerateIKSK(); Mock <IMetastore <JObject> > metastoreMock = MetastoreMock.CreateMetastoreMock( partition, kms, metaIK, metaSK, cryptoKeyHolder, configFixture.Metastore); CacheMock cacheMock = CacheMock.CreateCacheMock(cacheIK, cacheSK, cryptoKeyHolder); // Mimics (mostly) the old TimeBasedCryptoPolicyImpl settings CryptoPolicy cryptoPolicy = BasicExpiringCryptoPolicy.NewBuilder() .WithKeyExpirationDays(KeyExpiryDays) .WithRevokeCheckMinutes(int.MaxValue) .WithCanCacheIntermediateKeys(false) .WithCanCacheSystemKeys(false) .Build(); SecureCryptoKeyDictionary <DateTimeOffset> intermediateKeyCache = cacheMock.IntermediateKeyCache; SecureCryptoKeyDictionary <DateTimeOffset> systemKeyCache = cacheMock.SystemKeyCache; EnvelopeEncryptionJsonImpl envelopeEncryptionJson = new EnvelopeEncryptionJsonImpl( partition, metastoreMock.Object, systemKeyCache, new FakeSecureCryptoKeyDictionaryFactory <DateTimeOffset>(intermediateKeyCache), new BouncyAes256GcmCrypto(), cryptoPolicy, kms); IEnvelopeEncryption <byte[]> envelopeEncryptionByteImpl = new EnvelopeEncryptionBytesImpl(envelopeEncryptionJson); return(new object[] { envelopeEncryptionByteImpl, metastoreMock, cacheIK, metaIK, cacheSK, metaSK, partition }); }
internal static CacheMock CreateCacheMock( KeyState cacheIK, KeyState cacheSK, CryptoKeyHolder cryptoKeyHolder) { Mock <SecureCryptoKeyDictionary <DateTimeOffset> > systemKeyCacheSpy = new Mock <SecureCryptoKeyDictionary <DateTimeOffset> >(long.MaxValue / 2) { CallBase = true }; Mock <SecureCryptoKeyDictionary <DateTimeOffset> > intermediateKeyCacheSpy = new Mock <SecureCryptoKeyDictionary <DateTimeOffset> >(long.MaxValue / 2) { CallBase = true }; if (cacheSK != KeyState.Empty) { CryptoKey systemKey = cryptoKeyHolder.SystemKey; if (cacheSK == KeyState.Retired) { // We create a revoked copy of the same key DateTimeOffset created = systemKey.GetCreated(); systemKey = systemKey .WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true)); } systemKeyCacheSpy.Object.PutAndGetUsable(systemKey.GetCreated(), systemKey); } if (cacheIK != KeyState.Empty) { CryptoKey intermediateKey = cryptoKeyHolder.IntermediateKey; if (cacheIK == KeyState.Retired) { // We create a revoked copy of the same key DateTimeOffset created = intermediateKey.GetCreated(); intermediateKey = intermediateKey .WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true)); } intermediateKeyCacheSpy.Object.PutAndGetUsable(intermediateKey.GetCreated(), intermediateKey); } return(new CacheMock(systemKeyCacheSpy.Object, intermediateKeyCacheSpy.Object)); }
internal static Mock <IMetastore <JObject> > CreateMetastoreMock( Partition partition, KeyManagementService kms, KeyState metaIK, KeyState metaSK, CryptoKeyHolder cryptoKeyHolder, IMetastore <JObject> metastore) { CryptoKey systemKey = cryptoKeyHolder.SystemKey; Mock <IMetastore <JObject> > metastoreSpy = new Mock <IMetastore <JObject> >(); metastoreSpy .Setup(x => x.Load(It.IsAny <string>(), It.IsAny <DateTimeOffset>())) .Returns <string, DateTimeOffset>(metastore.Load); metastoreSpy .Setup(x => x.LoadLatest(It.IsAny <string>())) .Returns <string>(metastore.LoadLatest); metastoreSpy .Setup(x => x.Store(It.IsAny <string>(), It.IsAny <DateTimeOffset>(), It.IsAny <JObject>())) .Returns <string, DateTimeOffset, JObject>(metastore.Store); if (metaSK != KeyState.Empty) { if (metaSK == KeyState.Retired) { // We create a revoked copy of the same key DateTimeOffset created = systemKey.GetCreated(); systemKey = systemKey .WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true)); } EnvelopeKeyRecord systemKeyRecord = new EnvelopeKeyRecord( systemKey.GetCreated(), null, kms.EncryptKey(systemKey), systemKey.IsRevoked()); metastore.Store( partition.SystemKeyId, systemKeyRecord.Created, systemKeyRecord.ToJson()); } if (metaIK != KeyState.Empty) { CryptoKey intermediateKey = cryptoKeyHolder.IntermediateKey; if (metaIK == KeyState.Retired) { // We create a revoked copy of the same key DateTimeOffset created = intermediateKey.GetCreated(); intermediateKey = intermediateKey .WithKey(bytes => Crypto.GenerateKeyFromBytes(bytes, created, true)); } EnvelopeKeyRecord intermediateKeyRecord = new EnvelopeKeyRecord( intermediateKey.GetCreated(), new KeyMeta(partition.SystemKeyId, systemKey.GetCreated()), Crypto.EncryptKey(intermediateKey, systemKey), intermediateKey.IsRevoked()); metastore.Store( partition.IntermediateKeyId, intermediateKeyRecord.Created, intermediateKeyRecord.ToJson()); } return(metastoreSpy); }