public async Task ExpectProtectRoundTripToSucceed() { var s3Config = new S3XmlRepositoryConfig(S3IntegrationTests.BucketName) { KeyPrefix = "CombinedXmlKeyManager3/" }; await s3Cleanup.ClearKeys(S3IntegrationTests.BucketName, s3Config.KeyPrefix); var kmsConfig = new KmsXmlEncryptorConfig(KmsIntegrationTests.KmsTestingKey); var serviceCollection = new ServiceCollection(); serviceCollection.AddSingleton(s3Client); serviceCollection.AddSingleton(kmsClient); serviceCollection.AddDataProtection() .SetApplicationName(KmsIntegrationTests.ApplicationName) .PersistKeysToAwsS3(s3Config) .ProtectKeysWithAwsKms(kmsConfig); using (var serviceProvider = serviceCollection.BuildServiceProvider()) { var prov = serviceProvider.GetRequiredService <IDataProtectionProvider>().CreateProtector("bob"); var plaintext = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9 }; var encrypted = prov.Protect(plaintext); var decrypted = prov.Unprotect(encrypted); Assert.Equal(plaintext, decrypted); } }
public void ExpectFullKeyManagerStoreRetrieveToSucceed() { var config = new KmsXmlEncryptorConfig(KmsIntegrationTests.KmsTestingKey); var serviceCollection = new ServiceCollection(); serviceCollection.AddSingleton(kmsClient); serviceCollection.AddDataProtection() .PersistKeysToEphemeral() .ProtectKeysWithAwsKms(config); using (var serviceProvider = serviceCollection.BuildServiceProvider()) { var keyManager = new XmlKeyManager(serviceProvider.GetRequiredService <IOptions <KeyManagementOptions> >(), serviceProvider.GetRequiredService <IActivator>()); var activationDate = new DateTimeOffset(new DateTime(1980, 1, 1)); var expirationDate = new DateTimeOffset(new DateTime(1980, 6, 1)); keyManager.CreateNewKey(activationDate, expirationDate); IReadOnlyCollection <IKey> keys = keyManager.GetAllKeys(); Assert.Equal(1, keys.Count); Assert.Equal(activationDate, keys.Single().ActivationDate); Assert.Equal(expirationDate, keys.Single().ExpirationDate); Assert.NotNull(keys.Single().Descriptor); } }
public void ExpectFullKeyManagerStoreRetrieveToSucceed() { var config = new KmsXmlEncryptorConfig(KmsIntegrationTests.ApplicationName, KmsIntegrationTests.KmsTestingKey); var serviceCollection = new ServiceCollection(); serviceCollection.AddSingleton(kmsClient); serviceCollection.AddDataProtection() .ProtectKeysWithAwsKms(config); serviceCollection.AddSingleton <IXmlRepository, EphemeralXmlRepository>(); var serviceProvider = serviceCollection.BuildServiceProvider(); var keyManager = new XmlKeyManager(serviceProvider.GetRequiredService <IXmlRepository>(), serviceProvider.GetRequiredService <IAuthenticatedEncryptorConfiguration>(), serviceProvider); var activationDate = new DateTimeOffset(new DateTime(1980, 1, 1)); var expirationDate = new DateTimeOffset(new DateTime(1980, 6, 1)); keyManager.CreateNewKey(activationDate, expirationDate); IReadOnlyCollection <IKey> keys = keyManager.GetAllKeys(); Assert.Equal(1, keys.Count); Assert.Equal(activationDate, keys.Single().ActivationDate); Assert.Equal(expirationDate, keys.Single().ExpirationDate); }
public async Task ExpectFullKeyManagerStoreRetrieveToSucceed() { var s3Config = new S3XmlRepositoryConfig(S3IntegrationTests.BucketName) { KeyPrefix = "CombinedXmlKeyManager2/" }; await s3Cleanup.ClearKeys(S3IntegrationTests.BucketName, s3Config.KeyPrefix); var kmsConfig = new KmsXmlEncryptorConfig(KmsIntegrationTests.KmsTestingKey); var serviceCollection = new ServiceCollection(); serviceCollection.AddSingleton(s3Client); serviceCollection.AddSingleton(kmsClient); serviceCollection.AddDataProtection() .SetApplicationName(KmsIntegrationTests.ApplicationName) .PersistKeysToAwsS3(s3Config) .ProtectKeysWithAwsKms(kmsConfig); using (var serviceProvider = serviceCollection.BuildServiceProvider()) { var keyManager = new XmlKeyManager(serviceProvider.GetRequiredService <IOptions <KeyManagementOptions> >(), serviceProvider.GetRequiredService <IActivator>()); var activationDate = new DateTimeOffset(new DateTime(1980, 1, 1)); var expirationDate = new DateTimeOffset(new DateTime(1980, 6, 1)); keyManager.CreateNewKey(activationDate, expirationDate); IReadOnlyCollection <IKey> keys = keyManager.GetAllKeys(); Assert.Equal(1, keys.Count); Assert.Equal(activationDate, keys.Single().ActivationDate); Assert.Equal(expirationDate, keys.Single().ExpirationDate); Assert.NotNull(keys.Single().Descriptor); } }
public void ExpectBuilderAdditions(bool withClient) { var services = new List <ServiceDescriptor>(); builder.Setup(x => x.Services).Returns(svcCollection.Object); svcCollection.Setup(x => x.Count).Returns(() => services.Count); svcCollection.Setup(x => x.Add(It.IsAny <ServiceDescriptor>())).Callback <ServiceDescriptor>(sd => services.Add(sd)); svcCollection.Setup(x => x[It.IsAny <int>()]).Returns <int>(index => services[index]); svcCollection.Setup(x => x.RemoveAt(It.IsAny <int>())).Callback <int>(index => services.RemoveAt(index)); var config = new KmsXmlEncryptorConfig("appName", "keyId"); // Repeat call to ensure cumulative calls work if (withClient) { builder.Object.ProtectKeysWithAwsKms(client.Object, config); builder.Object.ProtectKeysWithAwsKms(client.Object, config); } else { builder.Object.ProtectKeysWithAwsKms(config); builder.Object.ProtectKeysWithAwsKms(config); } Assert.Equal(withClient ? 6 : 5, services.Count); Assert.Equal(1, services.Count(x => x.ServiceType == typeof(IXmlEncryptor))); Assert.Equal(1, services.Count(x => x.ServiceType == typeof(IXmlDecryptor))); Assert.Equal(withClient ? 1 : 0, services.Count(x => x.ServiceType == typeof(IAmazonKeyManagementService))); Assert.Equal(1, services.Count(x => x.ServiceType == typeof(KmsXmlEncryptorConfig))); Assert.Equal(1, services.Count(x => x.ServiceType == typeof(IKmsXmlEncryptorConfig))); Assert.Equal(1, services.Count(x => x.ServiceType == typeof(KmsXmlDecryptor))); Assert.Equal(ServiceLifetime.Singleton, services.Single(x => x.ServiceType == typeof(IXmlEncryptor)).Lifetime); Assert.Equal(ServiceLifetime.Singleton, services.Single(x => x.ServiceType == typeof(IXmlDecryptor)).Lifetime); Assert.Equal(ServiceLifetime.Singleton, services.Single(x => x.ServiceType == typeof(KmsXmlEncryptorConfig)).Lifetime); Assert.Equal(ServiceLifetime.Singleton, services.Single(x => x.ServiceType == typeof(IKmsXmlEncryptorConfig)).Lifetime); Assert.Equal(ServiceLifetime.Singleton, services.Single(x => x.ServiceType == typeof(KmsXmlDecryptor)).Lifetime); provider.Setup(x => x.GetService(typeof(IAmazonKeyManagementService))).Returns(client.Object); if (withClient) { Assert.Equal(ServiceLifetime.Singleton, services.Single(x => x.ServiceType == typeof(IAmazonKeyManagementService)).Lifetime); Assert.Same(client.Object, services.Single(x => x.ServiceType == typeof(IAmazonKeyManagementService)).ImplementationInstance); } Assert.Same(config, services.Single(x => x.ServiceType == typeof(KmsXmlEncryptorConfig)).ImplementationInstance); Assert.Same(config, services.Single(x => x.ServiceType == typeof(IKmsXmlEncryptorConfig)).ImplementationInstance); provider.Setup(x => x.GetService(typeof(ILoggerFactory))).Returns(loggerFactory.Object); loggerFactory.Setup(x => x.CreateLogger(typeof(KmsXmlEncryptor).FullName)).Returns(repository.Create <ILogger <KmsXmlEncryptor> >().Object); loggerFactory.Setup(x => x.CreateLogger(typeof(KmsXmlDecryptor).FullName)).Returns(repository.Create <ILogger <KmsXmlDecryptor> >().Object); provider.Setup(x => x.GetService(typeof(IKmsXmlEncryptorConfig))).Returns(config); var decryptor = services.Single(x => x.ServiceType == typeof(KmsXmlDecryptor)).ImplementationFactory(provider.Object); provider.Setup(x => x.GetService(typeof(KmsXmlDecryptor))).Returns(decryptor); Assert.IsType <KmsXmlDecryptor>(decryptor); Assert.IsType <KmsXmlEncryptor>(services.Single(x => x.ServiceType == typeof(IXmlEncryptor)).ImplementationFactory(provider.Object)); Assert.Same(decryptor, services.Single(x => x.ServiceType == typeof(IXmlDecryptor)).ImplementationFactory(provider.Object)); }
public void ExpectBuilderAdditions(bool withClient) { var services = new List <ServiceDescriptor>(); builder.Setup(x => x.Services).Returns(svcCollection.Object); svcCollection.Setup(x => x.GetEnumerator()).Returns(() => services.GetEnumerator()); svcCollection.Setup(x => x.Add(It.IsAny <ServiceDescriptor>())) .Callback <ServiceDescriptor>(sd => { services.Add(sd); }); var config = new KmsXmlEncryptorConfig("keyId"); // Repeat call to ensure cumulative calls work if (withClient) { builder.Object.ProtectKeysWithAwsKms(client.Object, config); builder.Object.ProtectKeysWithAwsKms(client.Object, config); } else { builder.Object.ProtectKeysWithAwsKms(config); builder.Object.ProtectKeysWithAwsKms(config); } Assert.Equal(withClient ? 1 : 0, services.Count(x => x.ServiceType == typeof(IAmazonKeyManagementService))); // IConfigureOptions is designed & expected to be present multiple times, so expect two after two calls Assert.Equal(2, services.Count(x => x.ServiceType == typeof(IConfigureOptions <KeyManagementOptions>))); Assert.Equal(2, services.Count(x => x.ServiceType == typeof(IConfigureOptions <KmsXmlEncryptorConfig>))); Assert.Equal(ServiceLifetime.Singleton, services.First(x => x.ServiceType == typeof(IConfigureOptions <KeyManagementOptions>)).Lifetime); Assert.Equal(ServiceLifetime.Singleton, services.First(x => x.ServiceType == typeof(IConfigureOptions <KmsXmlEncryptorConfig>)).Lifetime); provider.Setup(x => x.GetService(typeof(IAmazonKeyManagementService))).Returns(client.Object); if (withClient) { Assert.Equal(ServiceLifetime.Singleton, services.Single(x => x.ServiceType == typeof(IAmazonKeyManagementService)).Lifetime); Assert.Same(client.Object, services.Single(x => x.ServiceType == typeof(IAmazonKeyManagementService)).ImplementationInstance); } // Ensure we run equivalent config for the actual configuration object var configureObject = services.First(x => x.ServiceType == typeof(IConfigureOptions <KmsXmlEncryptorConfig>)).ImplementationInstance; var optionsObject = new KmsXmlEncryptorConfig(); ((IConfigureOptions <KmsXmlEncryptorConfig>)configureObject).Configure(optionsObject); provider.Setup(x => x.GetService(typeof(ILoggerFactory))).Returns(loggerFactory.Object); provider.Setup(x => x.GetService(typeof(IOptions <KmsXmlEncryptorConfig>))).Returns(snapshot.Object); provider.Setup(x => x.GetService(typeof(IOptions <DataProtectionOptions>))).Returns(dpSnapshot.Object); loggerFactory.Setup(x => x.CreateLogger(typeof(KmsXmlEncryptor).FullName)).Returns(repository.Create <ILogger <KmsXmlEncryptor> >().Object); snapshot.Setup(x => x.Value).Returns(optionsObject); var dbOptions = new DataProtectionOptions(); dpSnapshot.Setup(x => x.Value).Returns(dbOptions); var configure = services.First(x => x.ServiceType == typeof(IConfigureOptions <KeyManagementOptions>)).ImplementationFactory(provider.Object); var options = new KeyManagementOptions(); ((IConfigureOptions <KeyManagementOptions>)configure).Configure(options); Assert.IsType <KmsXmlEncryptor>(options.XmlEncryptor); }
public void ExpectEncryptToSucceed(bool useAppId, bool hashAppId, string appId, string expectedAppId) { var myEncryptedString = "encrypted"; var myBase64EncryptedData = Convert.ToBase64String(Encoding.UTF8.GetBytes(myEncryptedString)); var myEncryptedXml = new XElement(ElementName, new XElement("value", myBase64EncryptedData)); var myOutputXml = new XElement(ElementName, "output"); using (var decryptedResponseStream = new MemoryStream()) { myOutputXml.Save(decryptedResponseStream); decryptedResponseStream.Seek(0, SeekOrigin.Begin); var decryptResponse = new DecryptResponse { KeyId = KeyId, Plaintext = decryptedResponseStream }; var actualConfig = new KmsXmlEncryptorConfig { EncryptionContext = encryptionContext, GrantTokens = grantTokens, KeyId = KeyId, DiscriminatorAsContext = useAppId, HashDiscriminatorContext = hashAppId }; var actualOptions = new DataProtectionOptions { ApplicationDiscriminator = appId }; encryptConfig.Setup(x => x.Value).Returns(actualConfig); dpOptions.Setup(x => x.Value).Returns(actualOptions); kmsClient.Setup(x => x.DecryptAsync(It.IsAny <DecryptRequest>(), CancellationToken.None)) .ReturnsAsync(decryptResponse) .Callback <DecryptRequest, CancellationToken>((dr, ct) => { if (appId != null && useAppId) { Assert.Contains(KmsConstants.ApplicationEncryptionContextKey, dr.EncryptionContext.Keys); Assert.Equal(expectedAppId, dr.EncryptionContext[KmsConstants.ApplicationEncryptionContextKey]); } else { Assert.Same(encryptionContext, dr.EncryptionContext); } Assert.Same(grantTokens, dr.GrantTokens); Assert.Equal(myEncryptedString, Encoding.UTF8.GetString(dr.CiphertextBlob.ToArray())); }); var plaintextXml = decryptor.Decrypt(myEncryptedXml); Assert.True(XNode.DeepEquals(myOutputXml, plaintextXml)); } }
public void ExpectValidationOfConfigToThrow() { var configObject = new KmsXmlEncryptorConfig(); encryptConfig.Setup(x => x.Value).Returns(configObject); var altRepo = new KmsXmlEncryptor(kmsClient.Object, encryptConfig.Object, dpOptions.Object); Assert.Throws <ArgumentException>(() => altRepo.ValidateConfig()); }
public async Task ExpectApplicationIsolationToThrow(string app1, string app2, bool throws) { var s3Config = new S3XmlRepositoryConfig(S3IntegrationTests.BucketName) { KeyPrefix = "CombinedXmlKeyManager4/" }; await s3Cleanup.ClearKeys(S3IntegrationTests.BucketName, s3Config.KeyPrefix); var kmsConfig = new KmsXmlEncryptorConfig(KmsIntegrationTests.KmsTestingKey); var plaintext = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9 }; byte[] encrypted; { var serviceCollection = new ServiceCollection(); serviceCollection.AddSingleton(s3Client); serviceCollection.AddSingleton(kmsClient); serviceCollection.AddDataProtection() .SetApplicationName(app1) .PersistKeysToAwsS3(s3Config) .ProtectKeysWithAwsKms(kmsConfig); using (var serviceProvider = serviceCollection.BuildServiceProvider()) { var prov = serviceProvider.GetRequiredService <IDataProtectionProvider>().CreateProtector("bob"); encrypted = prov.Protect(plaintext); } } { var serviceCollection = new ServiceCollection(); serviceCollection.AddSingleton(s3Client); serviceCollection.AddSingleton(kmsClient); serviceCollection.AddDataProtection() .SetApplicationName(app2) .PersistKeysToAwsS3(s3Config) .ProtectKeysWithAwsKms(kmsConfig); using (var serviceProvider = serviceCollection.BuildServiceProvider()) { var prov = serviceProvider.GetRequiredService <IDataProtectionProvider>().CreateProtector("bob"); if (throws) { Assert.Throws <CryptographicException>(() => prov.Unprotect(encrypted)); } else { Assert.NotNull(prov.Unprotect(encrypted)); } } } }
public void ExpectConstructorRoundTrip() { var config = new KmsXmlEncryptorConfig("keyId"); Assert.Equal("keyId", config.KeyId); // strictly a List & Dictionary test, but validates the config doesn't really care about these entries as long as the user sets them up how they want config.GrantTokens.Add("token"); Assert.Contains("token", config.GrantTokens); config.EncryptionContext.Add("myContext", "myValue"); Assert.Contains("myContext", config.EncryptionContext.Keys); Assert.Contains("myValue", config.EncryptionContext.Values); }
public KmsIntegrationTests() { // Expectation that local SDK has been configured correctly, whether via VS Tools or user config files kmsClient = new AmazonKeyManagementServiceClient(RegionEndpoint.EUWest1); var encryptConfig = new KmsXmlEncryptorConfig(ApplicationName, KmsTestingKey); var svcCollection = new ServiceCollection(); svcCollection.AddSingleton <IKmsXmlEncryptorConfig>(sp => encryptConfig); svcCollection.AddSingleton(sp => kmsClient); var svcProvider = svcCollection.BuildServiceProvider(); encryptor = new KmsXmlEncryptor(kmsClient, encryptConfig, svcProvider); decryptor = new KmsXmlDecryptor(svcProvider); }
public void ExpectApplicationIsolationToThrow(string app1, string app2, bool throws) { var config = new KmsXmlEncryptorConfig(KmsIntegrationTests.KmsTestingKey); var sharedStorage = new EphemeralXmlRepository(); var plaintext = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9 }; byte[] encrypted; { var serviceCollection = new ServiceCollection(); serviceCollection.AddSingleton(kmsClient); serviceCollection.AddDataProtection() .SetApplicationName(app1) .PersistKeysToEphemeral(sharedStorage) .ProtectKeysWithAwsKms(config); using (var serviceProvider = serviceCollection.BuildServiceProvider()) { var prov = serviceProvider.GetRequiredService <IDataProtectionProvider>().CreateProtector("bob"); encrypted = prov.Protect(plaintext); } } { var serviceCollection = new ServiceCollection(); serviceCollection.AddSingleton(kmsClient); serviceCollection.AddDataProtection() .SetApplicationName(app2) .PersistKeysToEphemeral(sharedStorage) .ProtectKeysWithAwsKms(config); using (var serviceProvider = serviceCollection.BuildServiceProvider()) { var prov = serviceProvider.GetRequiredService <IDataProtectionProvider>().CreateProtector("bob"); if (throws) { Assert.Throws <CryptographicException>(() => prov.Unprotect(encrypted)); } else { Assert.NotNull(prov.Unprotect(encrypted)); } } } }
public void ExpectProtectRoundTripToSucceed() { var config = new KmsXmlEncryptorConfig(KmsIntegrationTests.KmsTestingKey); var serviceCollection = new ServiceCollection(); serviceCollection.AddSingleton(kmsClient); serviceCollection.AddDataProtection() .PersistKeysToEphemeral() .ProtectKeysWithAwsKms(config); using (var serviceProvider = serviceCollection.BuildServiceProvider()) { var prov = serviceProvider.GetRequiredService <IDataProtectionProvider>().CreateProtector("bob"); var plaintext = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9 }; var encrypted = prov.Protect(plaintext); var decrypted = prov.Unprotect(encrypted); Assert.Equal(plaintext, decrypted); } }
public void ExpectConstructorCopy() { var config = new KmsXmlEncryptorConfig { KeyId = "keyId" }; config.EncryptionContext.Add("myContext", "myValue"); config.GrantTokens.Add("token"); config.DiscriminatorAsContext = false; config.HashDiscriminatorContext = false; var copy = new KmsXmlEncryptorConfig(); copy.CopyFrom(config); Assert.Equal(config.KeyId, copy.KeyId); Assert.Equal(config.EncryptionContext, copy.EncryptionContext); Assert.Equal(config.GrantTokens, copy.GrantTokens); Assert.Equal(config.DiscriminatorAsContext, copy.DiscriminatorAsContext); Assert.Equal(config.HashDiscriminatorContext, copy.HashDiscriminatorContext); }
private static KmsXmlEncryptorConfig ToNewKmsConfig(JObject config) { var newConfig = new KmsXmlEncryptorConfig(config[nameof(KmsXmlEncryptorConfig.KeyId)].Value <string>()); var appName = config[MigrationV1Fixture.ApplicationNameKey].Value <string>(); var kmsAppName = config[MigrationV1Fixture.KmsApplicationNameKey].Value <string>(); if (appName == kmsAppName) { // Normal migration requires the following settings newConfig.DiscriminatorAsContext = true; newConfig.HashDiscriminatorContext = false; } else { // If the app names differed, migration requires special contexts newConfig.DiscriminatorAsContext = false; newConfig.HashDiscriminatorContext = false; newConfig.EncryptionContext[KmsConstants.ApplicationEncryptionContextKey] = kmsAppName; } return(newConfig); }
public KmsIntegrationTests() { // Expectation that local SDK has been configured correctly, whether via VS Tools or user config files kmsClient = new AmazonKeyManagementServiceClient(RegionEndpoint.EUWest1); var encryptConfig = new KmsXmlEncryptorConfig(KmsTestingKey); dpOptions = new DataProtectionOptions { ApplicationDiscriminator = ApplicationName }; var encryptSnapshot = new DirectOptions <KmsXmlEncryptorConfig>(encryptConfig); var dpSnapshot = new DirectOptions <DataProtectionOptions>(dpOptions); var svcCollection = new ServiceCollection(); svcCollection.AddSingleton <IOptions <KmsXmlEncryptorConfig> >(sp => encryptSnapshot); svcCollection.AddSingleton <IOptions <DataProtectionOptions> >(sp => dpSnapshot); svcCollection.AddSingleton(sp => kmsClient); svcProvider = svcCollection.BuildServiceProvider(); encryptor = new KmsXmlEncryptor(kmsClient, encryptSnapshot, dpSnapshot); decryptor = new KmsXmlDecryptor(svcProvider); }
#pragma warning disable S3242 // JObject is more descriptive than 'more general' IDictionary private static (string ControlValue, byte[] ToEncrypt, string Protector, string ApplicationName, S3XmlRepositoryConfig S3Config, KmsXmlEncryptorConfig KmsConfig) ToOldConfig(JObject config) #pragma warning restore S3242 { var controlValue = config[ConfigType].Value <string>(); var protectData = Convert.FromBase64String(config[DataToProtect].Value <string>()); var protectorValue = config[ProtectorKey].Value <string>(); var old = new S3XmlRepositoryConfig(config[nameof(S3XmlRepositoryConfig.Bucket)].Value <string>()); if (config.TryGetValue(nameof(S3XmlRepositoryConfig.KeyPrefix), out JToken keyprefix)) { old.KeyPrefix = keyprefix.Value <string>(); } if (config.TryGetValue(nameof(S3XmlRepositoryConfig.MaxS3QueryConcurrency), out JToken concurrency)) { old.MaxS3QueryConcurrency = concurrency.Value <int>(); } if (config.TryGetValue(nameof(S3XmlRepositoryConfig.StorageClass), out JToken storageClass)) { old.StorageClass = S3StorageClass.FindValue(storageClass.Value <string>()); } if (config.TryGetValue(nameof(S3XmlRepositoryConfig.ServerSideEncryptionMethod), out JToken serverSideEncryptionMethod)) { old.ServerSideEncryptionMethod = ServerSideEncryptionMethod.FindValue(serverSideEncryptionMethod.Value <string>()); } if (config.TryGetValue(nameof(S3XmlRepositoryConfig.ServerSideEncryptionCustomerMethod), out JToken serverSideEncryptionCustomerMethod)) { old.ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.FindValue(serverSideEncryptionCustomerMethod.Value <string>()); } if (config.TryGetValue(nameof(S3XmlRepositoryConfig.ServerSideEncryptionCustomerProvidedKey), out JToken serverSideEncryptionCustomerProvidedKey)) { old.ServerSideEncryptionCustomerProvidedKey = serverSideEncryptionCustomerProvidedKey.Value <string>(); } if (config.TryGetValue(nameof(S3XmlRepositoryConfig.ServerSideEncryptionCustomerProvidedKeyMd5), out JToken serverSideEncryptionCustomerProvidedKeyMd5)) { old.ServerSideEncryptionCustomerProvidedKeyMd5 = serverSideEncryptionCustomerProvidedKeyMd5.Value <string>(); } if (config.TryGetValue(nameof(S3XmlRepositoryConfig.ServerSideEncryptionKeyManagementServiceKeyId), out JToken serverSideEncryptionKeyManagementServiceKeyId)) { old.ServerSideEncryptionKeyManagementServiceKeyId = serverSideEncryptionKeyManagementServiceKeyId.Value <string>(); } if (config.TryGetValue(nameof(S3XmlRepositoryConfig.ClientSideCompression), out JToken clientSideCompression)) { old.ClientSideCompression = clientSideCompression.Value <bool>(); } string applicationName = null; if (config.TryGetValue(ApplicationNameKey, out JToken appName)) { applicationName = appName.Value <string>(); } string kmsApplicationName = null; if (config.TryGetValue(KmsApplicationNameKey, out JToken kmsAppName)) { kmsApplicationName = kmsAppName.Value <string>(); } string keyIdentifier = null; if (config.TryGetValue(nameof(KmsXmlEncryptorConfig.KeyId), out JToken keyId)) { keyIdentifier = keyId.Value <string>(); } KmsXmlEncryptorConfig kmsConfig = null; if (!string.IsNullOrEmpty(kmsApplicationName) && !string.IsNullOrEmpty(keyIdentifier)) { kmsConfig = new KmsXmlEncryptorConfig(kmsApplicationName, keyIdentifier); } return(controlValue, protectData, protectorValue, applicationName, old, kmsConfig); }
public void ExpectEncryptToSucceed(bool useAppId, bool hashAppId, string appId, string expectedAppId) { var myInputXml = new XElement(ElementName, "input"); byte[] myEncryptedData = Encoding.UTF8.GetBytes("encrypted"); var myBase64EncryptedData = Convert.ToBase64String(myEncryptedData); using (var encryptedResponseStream = new MemoryStream()) { encryptedResponseStream.Write(myEncryptedData, 0, myEncryptedData.Length); encryptedResponseStream.Seek(0, SeekOrigin.Begin); var encryptResponse = new EncryptResponse { KeyId = KeyId, CiphertextBlob = encryptedResponseStream }; var actualConfig = new KmsXmlEncryptorConfig { EncryptionContext = encryptionContext, GrantTokens = grantTokens, KeyId = KeyId, DiscriminatorAsContext = useAppId, HashDiscriminatorContext = hashAppId }; var actualOptions = new DataProtectionOptions { ApplicationDiscriminator = appId }; encryptConfig.Setup(x => x.Value).Returns(actualConfig); dpOptions.Setup(x => x.Value).Returns(actualOptions); kmsClient.Setup(x => x.EncryptAsync(It.IsAny <EncryptRequest>(), CancellationToken.None)) .ReturnsAsync(encryptResponse) .Callback <EncryptRequest, CancellationToken>((er, ct) => { if (appId != null && useAppId) { Assert.Contains(KmsConstants.ApplicationEncryptionContextKey, er.EncryptionContext.Keys); Assert.Equal(expectedAppId, er.EncryptionContext[KmsConstants.ApplicationEncryptionContextKey]); } else { Assert.Same(encryptionContext, er.EncryptionContext); } Assert.Same(grantTokens, er.GrantTokens); var body = XElement.Load(er.Plaintext); Assert.True(XNode.DeepEquals(myInputXml, body)); }); var encryptedXml = encryptor.Encrypt(myInputXml); Assert.Equal(typeof(KmsXmlDecryptor), encryptedXml.DecryptorType); var encryptedBlob = (string)encryptedXml.EncryptedElement.Element("value"); Assert.Equal(myBase64EncryptedData, encryptedBlob); } }
public byte[] CreateS3AndKms(byte[] toEncrypt, string protector, string applicationName, S3XmlRepositoryConfig s3Config, KmsXmlEncryptorConfig kmsConfig) { var serviceCollection = new ServiceCollection(); serviceCollection.AddDataProtection() .SetApplicationName(applicationName) .ProtectKeysWithAwsKms(kmsClient, kmsConfig) .PersistKeysToAwsS3(s3Client, s3Config); var serviceProvider = serviceCollection.BuildServiceProvider(); using (serviceProvider as IDisposable) { var prov = serviceProvider.GetRequiredService <IDataProtectionProvider>().CreateProtector(protector); return(prov.Protect(toEncrypt)); } }