public async Task EncryptionBulkCrud()
{
TestDoc docToReplace = await EncryptionTests.CreateItemAsync(EncryptionTests.containerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
docToReplace.NonSensitive = Guid.NewGuid().ToString();
docToReplace.Sensitive = Guid.NewGuid().ToString();
TestDoc docToUpsert = await EncryptionTests.CreateItemAsync(EncryptionTests.containerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
docToUpsert.NonSensitive = Guid.NewGuid().ToString();
docToUpsert.Sensitive = Guid.NewGuid().ToString();
TestDoc docToDelete = await EncryptionTests.CreateItemAsync(EncryptionTests.containerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
(string endpoint, string authKey) = TestCommon.GetAccountInfo();
CosmosClient clientWithBulk = new CosmosClientBuilder(endpoint, authKey)
.WithEncryptionKeyWrapProvider(new TestKeyWrapProvider())
.WithBulkExecution(true)
.Build();
DatabaseCore databaseWithBulk = (DatabaseInlineCore)clientWithBulk.GetDatabase(EncryptionTests.databaseCore.Id);
ContainerCore containerWithBulk = (ContainerInlineCore)databaseWithBulk.GetContainer(EncryptionTests.container.Id);
List <Task> tasks = new List <Task>();
tasks.Add(EncryptionTests.CreateItemAsync(containerWithBulk, EncryptionTests.dekId, TestDoc.PathsToEncrypt));
tasks.Add(EncryptionTests.UpsertItemAsync(containerWithBulk, TestDoc.Create(), EncryptionTests.dekId, TestDoc.PathsToEncrypt, HttpStatusCode.Created));
tasks.Add(EncryptionTests.ReplaceItemAsync(containerWithBulk, docToReplace, EncryptionTests.dekId, TestDoc.PathsToEncrypt));
tasks.Add(EncryptionTests.UpsertItemAsync(containerWithBulk, docToUpsert, EncryptionTests.dekId, TestDoc.PathsToEncrypt, HttpStatusCode.OK));
tasks.Add(EncryptionTests.DeleteItemAsync(containerWithBulk, docToDelete));
await Task.WhenAll(tasks);
}
public async Task EncryptionResourceTokenAuth()
{
User user = EncryptionTests.databaseCore.GetUser(Guid.NewGuid().ToString());
await EncryptionTests.databaseCore.CreateUserAsync(user.Id);
PermissionProperties permission = await user.CreatePermissionAsync(
new PermissionProperties(Guid.NewGuid().ToString(), PermissionMode.All, EncryptionTests.container));
TestDoc testDoc = await EncryptionTests.CreateItemAsync(EncryptionTests.containerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
(string endpoint, string _) = TestCommon.GetAccountInfo();
CosmosClient resourceTokenBasedClient = new CosmosClientBuilder(endpoint, permission.Token)
.WithEncryptionKeyWrapProvider(new TestKeyWrapProvider())
.Build();
DatabaseCore databaseForTokenClient = (DatabaseInlineCore)resourceTokenBasedClient.GetDatabase(EncryptionTests.databaseCore.Id);
Container containerForTokenClient = databaseForTokenClient.GetContainer(EncryptionTests.container.Id);
await EncryptionTests.PerformForbiddenOperationAsync(() =>
databaseForTokenClient.GetDataEncryptionKey(EncryptionTests.dekId).ReadAsync(), "DEK.ReadAsync");
await EncryptionTests.PerformForbiddenOperationAsync(() =>
containerForTokenClient.ReadItemAsync <TestDoc>(testDoc.Id, new PartitionKey(testDoc.PK)), "ReadItemAsync");
await EncryptionTests.PerformForbiddenOperationAsync(() =>
containerForTokenClient.ReadItemStreamAsync(testDoc.Id, new PartitionKey(testDoc.PK)), "ReadItemStreamAsync");
}
public async Task EncryptionResourceTokenAuthRestricted()
{
TestDoc testDoc = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
User restrictedUser = EncryptionTests.databaseCore.GetUser(Guid.NewGuid().ToString());
await EncryptionTests.databaseCore.CreateUserAsync(restrictedUser.Id);
PermissionProperties restrictedUserPermission = await restrictedUser.CreatePermissionAsync(
new PermissionProperties(Guid.NewGuid().ToString(), PermissionMode.All, EncryptionTests.itemContainer));
CosmosDataEncryptionKeyProvider dekProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
TestEncryptor encryptor = new TestEncryptor(dekProvider);
(string endpoint, string _) = TestCommon.GetAccountInfo();
CosmosClient clientForRestrictedUser = new CosmosClientBuilder(endpoint, restrictedUserPermission.Token)
.WithEncryptor(encryptor)
.Build();
Database databaseForRestrictedUser = clientForRestrictedUser.GetDatabase(EncryptionTests.databaseCore.Id);
Container containerForRestrictedUser = databaseForRestrictedUser.GetContainer(EncryptionTests.itemContainer.Id);
await EncryptionTests.PerformForbiddenOperationAsync(() =>
dekProvider.InitializeAsync(databaseForRestrictedUser, EncryptionTests.keyContainer.Id), "CosmosDekProvider.InitializeAsync");
await EncryptionTests.PerformOperationOnUninitializedDekProviderAsync(() =>
dekProvider.DataEncryptionKeyContainer.ReadDataEncryptionKeyAsync(EncryptionTests.dekId), "DEK.ReadAsync");
await EncryptionTests.PerformOperationOnUninitializedDekProviderAsync(() =>
containerForRestrictedUser.ReadItemAsync <TestDoc>(testDoc.Id, new PartitionKey(testDoc.PK)), "ReadItemAsync");
await EncryptionTests.PerformOperationOnUninitializedDekProviderAsync(() =>
containerForRestrictedUser.ReadItemStreamAsync(testDoc.Id, new PartitionKey(testDoc.PK)), "ReadItemStreamAsync");
}
public async Task DecryptQueryResultMultipleDocsTest()
{
TestDoc testDoc1 = await EncryptionTests.CreateItemAsync(EncryptionTests.containerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
TestDoc testDoc2 = await EncryptionTests.CreateItemAsync(EncryptionTests.containerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
await ValidateQueryResultsMultipleDocumentsAsync(EncryptionTests.containerCore, testDoc1, testDoc2);
}
public async Task EncryptionDecryptQueryValueResponse()
{
TestDoc testDoc = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
string query = "SELECT VALUE COUNT(1) FROM c";
await EncryptionTests.ValidateQueryResponseAsync(EncryptionTests.itemContainerCore, query);
}
public async Task EncryptionDecryptQueryResultDifferentDeks()
{
string dekId1 = "mydek1";
await EncryptionTests.CreateDekAsync(EncryptionTests.dekProvider, dekId1);
TestDoc testDoc1 = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
TestDoc testDoc2 = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, dekId1, TestDoc.PathsToEncrypt);
await ValidateQueryResultsMultipleDocumentsAsync(EncryptionTests.itemContainerCore, testDoc1, testDoc2);
}
public async Task DecryptQueryResultDifferentDeksTest()
{
string dekId1 = "mydek1";
EncryptionTests.dekProperties = await CreateDekAsync(EncryptionTests.databaseCore, dekId1);
TestDoc testDoc1 = await EncryptionTests.CreateItemAsync(EncryptionTests.containerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
TestDoc testDoc2 = await EncryptionTests.CreateItemAsync(EncryptionTests.containerCore, dekId1, TestDoc.PathsToEncrypt);
await ValidateQueryResultsMultipleDocumentsAsync(EncryptionTests.containerCore, testDoc1, testDoc2);
}
public async Task EncryptionCreateItem()
{
TestDoc testDoc = await EncryptionTests.CreateItemAsync(EncryptionTests.containerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.containerCore, testDoc);
await EncryptionTests.VerifyItemByReadStreamAsync(EncryptionTests.containerCore, testDoc);
TestDoc expectedDoc = new TestDoc(testDoc);
await EncryptionTests.ValidateQueryResultsAsync(
EncryptionTests.containerCore,
"SELECT * FROM c",
expectedDoc);
await EncryptionTests.ValidateQueryResultsAsync(
EncryptionTests.containerCore,
string.Format(
"SELECT * FROM c where c.PK = '{0}' and c.id = '{1}' and c.NonSensitive = '{2}'",
expectedDoc.PK,
expectedDoc.Id,
expectedDoc.NonSensitive),
expectedDoc);
await EncryptionTests.ValidateQueryResultsAsync(
EncryptionTests.containerCore,
string.Format("SELECT * FROM c where c.Sensitive = '{0}'", testDoc.Sensitive),
expectedDoc : null);
await EncryptionTests.ValidateQueryResultsAsync(
EncryptionTests.containerCore,
queryDefinition : new QueryDefinition(
"select * from c where c.id = @theId and c.PK = @thePK")
.WithParameter("@theId", expectedDoc.Id)
.WithParameter("@thePK", expectedDoc.PK),
expectedDoc : expectedDoc);
expectedDoc.Sensitive = null;
await EncryptionTests.ValidateQueryResultsAsync(
EncryptionTests.containerCore,
"SELECT c.id, c.PK, c.Sensitive, c.NonSensitive FROM c",
expectedDoc);
await EncryptionTests.ValidateQueryResultsAsync(
EncryptionTests.containerCore,
"SELECT c.id, c.PK, c.NonSensitive FROM c",
expectedDoc);
await EncryptionTests.ValidateSprocResultsAsync(
EncryptionTests.containerCore,
expectedDoc);
}
public async Task EncryptionDecryptQueryResultDifferentDeks()
{
string dekId1 = "mydek1";
await EncryptionTests.CreateDekAsync(EncryptionTests.dekProvider, dekId1);
TestDoc testDoc1 = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
TestDoc testDoc2 = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, dekId1, TestDoc.PathsToEncrypt);
string query = $"SELECT * FROM c WHERE c.PK in ('{testDoc1.PK}', '{testDoc2.PK}')";
await EncryptionTests.ValidateQueryResultsMultipleDocumentsAsync(EncryptionTests.itemContainerCore, testDoc1, testDoc2, query);
}
public async Task EncryptionDecryptQueryResultMultipleDocs()
{
TestDoc testDoc1 = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
TestDoc testDoc2 = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
string query = $"SELECT * FROM c WHERE c.PK in ('{testDoc1.PK}', '{testDoc2.PK}')";
await EncryptionTests.ValidateQueryResultsMultipleDocumentsAsync(EncryptionTests.itemContainerCore, testDoc1, testDoc2, query);
// ORDER BY query
query = query + " ORDER BY c._ts";
await EncryptionTests.ValidateQueryResultsMultipleDocumentsAsync(EncryptionTests.itemContainerCore, testDoc1, testDoc2, query);
}
public async Task DecryptQueryResultMultipleEncryptedPropertiesTest()
{
TestDoc testDoc = await EncryptionTests.CreateItemAsync(
EncryptionTests.containerCore,
EncryptionTests.dekId,
new List <string>(){ "/Sensitive", "/NonSensitive" });
TestDoc expectedDoc = new TestDoc(testDoc);
await EncryptionTests.ValidateQueryResultsAsync(
EncryptionTests.containerCore,
"SELECT * FROM c",
expectedDoc);
}
public async Task DecryptGroupByQueryResultTest()
{
string partitionKey = Guid.NewGuid().ToString();
TestDoc testDoc1 = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt, partitionKey);
TestDoc testDoc2 = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt, partitionKey);
string query = $"SELECT COUNT(c.Id), c.PK " +
$"FROM c WHERE c.PK = '{partitionKey}' " +
$"GROUP BY c.PK ";
await EncryptionTests.ValidateQueryResponseAsync(EncryptionTests.itemContainerCore, query);
}
public async Task DecryptQueryBinaryResponse()
{
TestDoc testDoc = await EncryptionTests.CreateItemAsync(EncryptionTests.containerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
CosmosSerializationFormatOptions options = new CosmosSerializationFormatOptions(
Documents.ContentSerializationFormat.CosmosBinary.ToString(),
(content) => JsonNavigator.Create(content),
() => JsonWriter.Create(JsonSerializationFormat.Binary));
QueryRequestOptions requestOptions = new QueryRequestOptions()
{
CosmosSerializationFormatOptions = options
};
TestDoc expectedDoc = new TestDoc(testDoc);
string query = "SELECT * FROM c";
FeedIterator feedIterator = EncryptionTests.containerCore.GetItemQueryStreamIterator(
query,
requestOptions: requestOptions);
while (feedIterator.HasMoreResults)
{
ResponseMessage response = await feedIterator.ReadNextAsync();
Assert.IsTrue(response.IsSuccessStatusCode);
Assert.IsNull(response.ErrorMessage);
// Copy the stream and check that the first byte is the correct value
MemoryStream memoryStream = new MemoryStream();
response.Content.CopyTo(memoryStream);
byte[] content = memoryStream.ToArray();
response.Content.Position = 0;
// Examine the first buffer byte to determine the serialization format
byte firstByte = content[0];
Assert.AreEqual(128, firstByte);
Assert.AreEqual(JsonSerializationFormat.Binary, (JsonSerializationFormat)firstByte);
IJsonReader reader = JsonReader.Create(content);
IJsonWriter textWriter = JsonWriter.Create(JsonSerializationFormat.Text);
textWriter.WriteAll(reader);
string json = Encoding.UTF8.GetString(textWriter.GetResult().ToArray());
Assert.IsNotNull(json);
Assert.IsTrue(json.Contains(testDoc.Sensitive));
}
}
public async Task DecryptQueryValueResponse()
{
TestDoc testDoc = await EncryptionTests.CreateItemAsync(EncryptionTests.containerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
string query = "SELECT VALUE COUNT(1) FROM c";
FeedIterator feedIterator = EncryptionTests.containerCore.GetItemQueryStreamIterator(query);
while (feedIterator.HasMoreResults)
{
ResponseMessage response = await feedIterator.ReadNextAsync();
Assert.IsTrue(response.IsSuccessStatusCode);
Assert.IsNull(response.ErrorMessage);
}
}
public async Task EncryptionRestrictedProperties()
{
TestDoc testDoc = TestDoc.Create();
try
{
await EncryptionTests.CreateItemAsync(EncryptionTests.containerCore, EncryptionTests.dekId, new List <string>() { "/id" });
Assert.Fail("Expected item creation with id specified to be encrypted to fail.");
}
catch (CosmosException ex) when(ex.StatusCode == HttpStatusCode.BadRequest)
{
}
try
{
await EncryptionTests.CreateItemAsync(EncryptionTests.containerCore, EncryptionTests.dekId, new List <string>() { "/PK" });
Assert.Fail("Expected item creation with PK specified to be encrypted to fail.");
}
catch (CosmosException ex) when(ex.StatusCode == HttpStatusCode.BadRequest)
{
}
}
public async Task EncryptionTransactionBatchCrud()
{
string partitionKey = "thePK";
string dek1 = EncryptionTests.dekId;
string dek2 = "dek2Forbatch";
await EncryptionTests.CreateDekAsync(EncryptionTests.dekProvider, dek2);
TestDoc doc1ToCreate = TestDoc.Create(partitionKey);
TestDoc doc2ToCreate = TestDoc.Create(partitionKey);
TestDoc doc3ToCreate = TestDoc.Create(partitionKey);
ItemResponse <TestDoc> doc1ToReplaceCreateResponse = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, dek1, TestDoc.PathsToEncrypt, partitionKey);
TestDoc doc1ToReplace = doc1ToReplaceCreateResponse.Resource;
doc1ToReplace.NonSensitive = Guid.NewGuid().ToString();
doc1ToReplace.Sensitive = Guid.NewGuid().ToString();
TestDoc doc2ToReplace = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, dek2, TestDoc.PathsToEncrypt, partitionKey);
doc2ToReplace.NonSensitive = Guid.NewGuid().ToString();
doc2ToReplace.Sensitive = Guid.NewGuid().ToString();
TestDoc doc1ToUpsert = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, dek2, TestDoc.PathsToEncrypt, partitionKey);
doc1ToUpsert.NonSensitive = Guid.NewGuid().ToString();
doc1ToUpsert.Sensitive = Guid.NewGuid().ToString();
TestDoc doc2ToUpsert = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, dek1, TestDoc.PathsToEncrypt, partitionKey);
doc2ToUpsert.NonSensitive = Guid.NewGuid().ToString();
doc2ToUpsert.Sensitive = Guid.NewGuid().ToString();
TestDoc docToDelete = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, dek1, TestDoc.PathsToEncrypt, partitionKey);
TransactionalBatchResponse batchResponse = await EncryptionTests.itemContainer.CreateTransactionalBatch(new Cosmos.PartitionKey(partitionKey))
.CreateItem(doc1ToCreate, EncryptionTests.GetBatchItemRequestOptions(EncryptionTests.itemContainerCore, dek1, TestDoc.PathsToEncrypt))
.CreateItemStream(doc2ToCreate.ToStream(), EncryptionTests.GetBatchItemRequestOptions(EncryptionTests.itemContainerCore, dek2, TestDoc.PathsToEncrypt))
.ReplaceItem(doc1ToReplace.Id, doc1ToReplace, EncryptionTests.GetBatchItemRequestOptions(EncryptionTests.itemContainerCore, dek2, TestDoc.PathsToEncrypt, doc1ToReplaceCreateResponse.ETag))
.CreateItem(doc3ToCreate)
.ReplaceItemStream(doc2ToReplace.Id, doc2ToReplace.ToStream(), EncryptionTests.GetBatchItemRequestOptions(EncryptionTests.itemContainerCore, dek2, TestDoc.PathsToEncrypt))
.UpsertItem(doc1ToUpsert, EncryptionTests.GetBatchItemRequestOptions(EncryptionTests.itemContainerCore, dek1, TestDoc.PathsToEncrypt))
.DeleteItem(docToDelete.Id)
.UpsertItemStream(doc2ToUpsert.ToStream(), EncryptionTests.GetBatchItemRequestOptions(EncryptionTests.itemContainerCore, dek2, TestDoc.PathsToEncrypt))
.ExecuteAsync();
Assert.AreEqual(HttpStatusCode.OK, batchResponse.StatusCode);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.itemContainerCore, doc1ToCreate);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.itemContainerCore, doc2ToCreate);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.itemContainerCore, doc3ToCreate);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.itemContainerCore, doc1ToReplace);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.itemContainerCore, doc2ToReplace);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.itemContainerCore, doc1ToUpsert);
await EncryptionTests.VerifyItemByReadAsync(EncryptionTests.itemContainerCore, doc2ToUpsert);
ResponseMessage readResponseMessage = await EncryptionTests.itemContainer.ReadItemStreamAsync(docToDelete.Id, new PartitionKey(docToDelete.PK));
Assert.AreEqual(HttpStatusCode.NotFound, readResponseMessage.StatusCode);
}