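/// <summary>
/// Negative authorization test: a resource token whose only permission is on the item container
/// must not be able to initialize the DEK provider against the key container, and the still
/// uninitialized provider must then refuse DEK reads and (encryptor-backed) item reads.
/// </summary>
/// <remarks>
/// The permission created here is scoped to EncryptionTests.itemContainer, not to
/// EncryptionTests.keyContainer, which is what makes the InitializeAsync call forbidden.
/// The positive counterpart is EncryptionResourceTokenAuthAllowed.
/// </remarks>
public async Task EncryptionResourceTokenAuthRestricted()
{
    TestDoc testDoc = await EncryptionTests.CreateItemAsync(
        EncryptionTests.itemContainerCore,
        EncryptionTests.dekId,
        TestDoc.PathsToEncrypt);

    // A user that is only granted access to the item container (least privilege for a data consumer).
    User restrictedUser = EncryptionTests.databaseCore.GetUser(Guid.NewGuid().ToString());
    await EncryptionTests.databaseCore.CreateUserAsync(restrictedUser.Id);
    PermissionProperties restrictedUserPermission = await restrictedUser.CreatePermissionAsync(
        new PermissionProperties(Guid.NewGuid().ToString(), PermissionMode.All, EncryptionTests.itemContainer));

    // A separate provider (not the class-level one) so the test starts from an uninitialized provider.
    CosmosDataEncryptionKeyProvider dekProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
    TestEncryptor encryptor = new TestEncryptor(dekProvider);

    (string endpoint, string _) = TestCommon.GetAccountInfo();

    // CosmosClient is IDisposable; scope it so the resource-token client is released when the test ends.
    using (CosmosClient clientForRestrictedUser = new CosmosClientBuilder(endpoint, restrictedUserPermission.Token)
        .WithEncryptor(encryptor)
        .Build())
    {
        Database databaseForRestrictedUser = clientForRestrictedUser.GetDatabase(EncryptionTests.databaseCore.Id);
        Container containerForRestrictedUser = databaseForRestrictedUser.GetContainer(EncryptionTests.itemContainer.Id);

        // Bootstrapping the provider needs the key container, which this token does not cover.
        await EncryptionTests.PerformForbiddenOperationAsync(
            () => dekProvider.InitializeAsync(databaseForRestrictedUser, EncryptionTests.keyContainer.Id),
            "CosmosDekProvider.InitializeAsync");

        // Every path that needs a DEK must fail while the provider is uninitialized.
        await EncryptionTests.PerformOperationOnUninitializedDekProviderAsync(
            () => dekProvider.DataEncryptionKeyContainer.ReadDataEncryptionKeyAsync(EncryptionTests.dekId),
            "DEK.ReadAsync");

        await EncryptionTests.PerformOperationOnUninitializedDekProviderAsync(
            () => containerForRestrictedUser.ReadItemAsync<TestDoc>(testDoc.Id, new PartitionKey(testDoc.PK)),
            "ReadItemAsync");

        await EncryptionTests.PerformOperationOnUninitializedDekProviderAsync(
            () => containerForRestrictedUser.ReadItemStreamAsync(testDoc.Id, new PartitionKey(testDoc.PK)),
            "ReadItemStreamAsync");
    }
}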
/// <summary>
/// Creates the data encryption key <paramref name="dekId"/> through <paramref name="dekProvider"/>
/// (AEAes256CbcHmacSha256Randomized, wrapped with the class-level metadata1), asserts the
/// service answered 201 Created, and returns the key properties after VerifyDekResponse has run.
/// </summary>
/// <param name="dekProvider">Initialized provider whose DataEncryptionKeyContainer receives the create.</param>
/// <param name="dekId">Id of the key to create.</param>
/// <returns>The created key's properties, as returned by VerifyDekResponse.</returns>
private static async Task<DataEncryptionKeyProperties> CreateDekAsync(CosmosDataEncryptionKeyProvider dekProvider, string dekId)
{
    ItemResponse<DataEncryptionKeyProperties> createResponse =
        await dekProvider.DataEncryptionKeyContainer.CreateDataEncryptionKeyAsync(
            dekId,
            CosmosEncryptionAlgorithm.AEAes256CbcHmacSha256Randomized,
            EncryptionContainerTests.metadata1);

    Assert.AreEqual(HttpStatusCode.Created, createResponse.StatusCode);

    // VerifyDekResponse is defined elsewhere in the class; presumably it checks the response
    // fields against dekId and hands back the resource - confirm there if its contract matters.
    DataEncryptionKeyProperties createdDek = VerifyDekResponse(createResponse, dekId);
    return createdDek;
}
/// <summary>
/// Creates the data encryption key <paramref name="dekId"/> through <paramref name="dekProvider"/>
/// (AEAes256CbcHmacSha256Randomized, wrapped with the class-level metadata1) and validates the
/// create response: 201 Created, a positive request charge, a non-null ETag that matches the
/// resource's ETag, and a resource id equal to <paramref name="dekId"/>.
/// </summary>
/// <param name="dekProvider">Initialized provider whose DataEncryptionKeyContainer receives the create.</param>
/// <param name="dekId">Id of the key to create.</param>
/// <returns>The properties of the newly created key.</returns>
private static async Task<DataEncryptionKeyProperties> CreateDekAsync(CosmosDataEncryptionKeyProvider dekProvider, string dekId)
{
    ItemResponse<DataEncryptionKeyProperties> createResponse =
        await dekProvider.DataEncryptionKeyContainer.CreateDataEncryptionKeyAsync(
            dekId,
            CosmosEncryptionAlgorithm.AEAes256CbcHmacSha256Randomized,
            EncryptionTests.metadata1);

    // Response-level checks.
    Assert.AreEqual(HttpStatusCode.Created, createResponse.StatusCode);
    Assert.IsTrue(createResponse.RequestCharge > 0);
    Assert.IsNotNull(createResponse.ETag);

    // Resource-level checks: the body must agree with the response headers and the requested id.
    DataEncryptionKeyProperties createdDek = createResponse.Resource;
    Assert.AreEqual(createResponse.ETag, createdDek.ETag);
    Assert.AreEqual(dekId, createdDek.Id);

    return createdDek;
}
/// <summary>
/// One-time fixture setup for EncryptionTests: builds the DEK provider and encryptor, creates a
/// client, a fresh database, a key container (partitioned on "/id") and an item container
/// (partitioned on "/PK"), initializes the provider against the key container, and creates the
/// class-level DEK (EncryptionTests.dekId).
/// </summary>
/// <param name="context">Test framework context; not used by this setup.</param>
public static async Task ClassInitialize(TestContext context)
{
    CosmosDataEncryptionKeyProvider provider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
    EncryptionTests.dekProvider = provider;
    EncryptionTests.encryptor = new TestEncryptor(provider);
    EncryptionTests.client = EncryptionTests.GetClient();

    // Everything below lives in a throw-away database with a random name.
    DatabaseInlineCore database = (DatabaseInlineCore)await EncryptionTests.client.CreateDatabaseAsync(Guid.NewGuid().ToString());
    EncryptionTests.databaseCore = database;

    // Key container first: the provider must be initialized against it before any DEK can be created.
    EncryptionTests.keyContainer = await database.CreateContainerAsync(Guid.NewGuid().ToString(), "/id", 400);
    await provider.InitializeAsync(database, EncryptionTests.keyContainer.Id);

    Container items = await database.CreateContainerAsync(Guid.NewGuid().ToString(), "/PK", 400);
    EncryptionTests.itemContainer = items;
    EncryptionTests.itemContainerCore = (ContainerInlineCore)items;

    EncryptionTests.dekProperties = await EncryptionTests.CreateDekAsync(provider, EncryptionTests.dekId);
}
/// <summary>
/// One-time fixture setup for EncryptionContainerTests: builds the DEK provider and encryptor,
/// creates a client, a fresh database, a key container ("/id") and an item container ("/PK"),
/// initializes the provider against the key container, creates the property DEK (pdekId) and
/// derives three property-encryption views over the item container for different path sets.
/// </summary>
/// <param name="context">Test framework context; not used by this setup.</param>
public async Task ClassInitialize(TestContext context)
{
    CosmosDataEncryptionKeyProvider provider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
    TestEncryptor testEncryptor = new TestEncryptor(provider);
    EncryptionContainerTests.dekProvider = provider;
    EncryptionContainerTests.encryptor = testEncryptor;
    EncryptionContainerTests.client = TestCommon.CreateCosmosClient();

    // Throw-away database with a random name.
    Database database = await EncryptionContainerTests.client.CreateDatabaseAsync(Guid.NewGuid().ToString());
    EncryptionContainerTests.database = database;

    // Key container first: the provider must be initialized against it before any DEK can be created.
    EncryptionContainerTests.keyContainer = await database.CreateContainerAsync(Guid.NewGuid().ToString(), "/id", 400);
    await provider.InitializeAsync(database, EncryptionContainerTests.keyContainer.Id);

    Container items = await database.CreateContainerAsync(Guid.NewGuid().ToString(), "/PK", 400);
    EncryptionContainerTests.itemContainer = items;

    // Property-encryption views over the same item container, each with its own set of encrypted paths.
    EncryptionContainerTests.propertyEncryptionContainer =
        items.WithPropertyEncryptor(testEncryptor, EncryptionContainerTests.PathsToEncrypt);

    EncryptionContainerTests.pdekProperties =
        await EncryptionContainerTests.CreatePropertyDekAsync(provider, EncryptionContainerTests.pdekId);

    EncryptionContainerTests.twoPropertyEncryptionContainer =
        items.WithPropertyEncryptor(testEncryptor, EncryptionContainerTests.PathsToEncrypt3);
    EncryptionContainerTests.twoPropertyOneDekEncryptionContainer =
        items.WithPropertyEncryptor(testEncryptor, EncryptionContainerTests.PathsToEncrypt4);
}
/// <summary>
/// Creates a DEK ("anotherDek") and checks the returned properties: timestamps and self link are
/// populated, and the wrap metadata equals metadata1 with metadataUpdateSuffix appended. The key
/// is then read back through a second, independently initialized provider and must compare equal.
/// </summary>
public async Task EncryptionCreateDek()
{
    const string newDekId = "anotherDek";

    DataEncryptionKeyProperties created = await EncryptionTests.CreateDekAsync(EncryptionTests.dekProvider, newDekId);

    Assert.IsNotNull(created);
    Assert.IsNotNull(created.CreatedTime);
    Assert.IsNotNull(created.LastModified);
    Assert.IsNotNull(created.SelfLink);
    // Assert.IsNotNull(created.ResourceId);
    // Assert.AreEqual(created.LastModified, created.CreatedTime);

    // The wrap metadata stored on the key is expected to carry metadataUpdateSuffix
    // (behaviour of the test key wrap provider, not visible here).
    EncryptionKeyWrapMetadata expectedMetadata =
        new EncryptionKeyWrapMetadata(EncryptionTests.metadata1.Value + EncryptionTests.metadataUpdateSuffix);
    Assert.AreEqual(expectedMetadata, created.EncryptionKeyWrapMetadata);

    // Read back via a different provider so the class-level provider's cache cannot mask a
    // key that was never persisted.
    CosmosDataEncryptionKeyProvider freshProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
    await freshProvider.InitializeAsync(EncryptionTests.databaseCore, EncryptionTests.keyContainer.Id);

    DataEncryptionKeyProperties readBack = await freshProvider.DataEncryptionKeyContainer.ReadDataEncryptionKeyAsync(newDekId);
    Assert.AreEqual(created, readBack);
}
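/// <summary>
/// Positive authorization test: a resource token granted on the key container is sufficient to
/// initialize a DEK provider and read the class-level DEK, which must equal the properties
/// captured at class setup.
/// </summary>
/// <remarks>
/// The permission here is scoped to EncryptionTests.keyContainer; the restricted counterpart
/// (item-container-only token) is EncryptionResourceTokenAuthRestricted.
/// </remarks>
public async Task EncryptionResourceTokenAuthAllowed()
{
    // A "key manager" user whose permission covers the key container.
    User keyManagerUser = EncryptionTests.databaseCore.GetUser(Guid.NewGuid().ToString());
    await EncryptionTests.databaseCore.CreateUserAsync(keyManagerUser.Id);
    PermissionProperties keyManagerUserPermission = await keyManagerUser.CreatePermissionAsync(
        new PermissionProperties(Guid.NewGuid().ToString(), PermissionMode.All, EncryptionTests.keyContainer));

    // Separate provider so this test exercises initialization through the resource-token client.
    CosmosDataEncryptionKeyProvider dekProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
    TestEncryptor encryptor = new TestEncryptor(dekProvider);

    (string endpoint, string _) = TestCommon.GetAccountInfo();

    // CosmosClient is IDisposable; scope it so the resource-token client is released when the test ends.
    using (CosmosClient clientForKeyManagerUser = new CosmosClientBuilder(endpoint, keyManagerUserPermission.Token)
        .WithEncryptor(encryptor)
        .Build())
    {
        Database databaseForKeyManagerUser = clientForKeyManagerUser.GetDatabase(EncryptionTests.databaseCore.Id);
        await dekProvider.InitializeAsync(databaseForKeyManagerUser, EncryptionTests.keyContainer.Id);

        DataEncryptionKeyProperties readDekProperties =
            await dekProvider.DataEncryptionKeyContainer.ReadDataEncryptionKeyAsync(EncryptionTests.dekId);
        Assert.AreEqual(EncryptionTests.dekProperties, readDekProperties);
    }
}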
/// <summary>
/// Runs <paramref name="query"/> against the DEK container of <paramref name="dekProvider"/>,
/// drains pages until <paramref name="expectedDekIds"/>.Count items have been read, and checks
/// page sizes and the ids that came back.
/// </summary>
/// <param name="dekProvider">Initialized provider whose DataEncryptionKeyContainer is queried.</param>
/// <param name="expectedDekIds">Ids the query is expected to return; its Count drives the loop.</param>
/// <param name="isExpectedDeksCompleteSetForRequest">
/// When true, HasMoreResults must be true exactly while items are still outstanding.
/// </param>
/// <param name="isResultOrderExpected">
/// When true the ids must come back in the order of <paramref name="expectedDekIds"/>;
/// otherwise only set equality is required.
/// </param>
/// <param name="query">Query text for the DEK container.</param>
/// <param name="itemCountInPage">
/// Optional MaxItemCount. When set, every page but the last must hold exactly this many items
/// and the last page the remainder; when null, everything is expected in a single page.
/// </param>
private static async Task IterateDekFeedAsync(
    CosmosDataEncryptionKeyProvider dekProvider,
    List<string> expectedDekIds,
    bool isExpectedDeksCompleteSetForRequest,
    bool isResultOrderExpected,
    string query,
    int? itemCountInPage = null)
{
    QueryRequestOptions requestOptions = itemCountInPage.HasValue
        ? new QueryRequestOptions() { MaxItemCount = itemCountInPage }
        : null;

    FeedIterator<DataEncryptionKeyProperties> dekIterator = dekProvider.DataEncryptionKeyContainer
        .GetDataEncryptionKeyQueryIterator<DataEncryptionKeyProperties>(query, requestOptions: requestOptions);
    Assert.IsTrue(dekIterator.HasMoreResults);

    List<string> readDekIds = new List<string>();
    int outstanding = expectedDekIds.Count;

    while (outstanding > 0)
    {
        FeedResponse<DataEncryptionKeyProperties> page = await dekIterator.ReadNextAsync();

        int expectedPageSize;
        if (!itemCountInPage.HasValue)
        {
            expectedPageSize = expectedDekIds.Count;
        }
        else if (outstanding < itemCountInPage.Value)
        {
            // Last, partially filled page.
            expectedPageSize = outstanding;
        }
        else
        {
            expectedPageSize = itemCountInPage.Value;
        }
        Assert.AreEqual(expectedPageSize, page.Count);

        outstanding -= page.Count;
        if (isExpectedDeksCompleteSetForRequest)
        {
            Assert.AreEqual(outstanding > 0, dekIterator.HasMoreResults);
        }

        readDekIds.AddRange(page.Resource.Select(dek => dek.Id));
    }

    if (isResultOrderExpected)
    {
        Assert.IsTrue(expectedDekIds.SequenceEqual(readDekIds));
    }
    else
    {
        Assert.IsTrue(expectedDekIds.ToHashSet().SetEquals(readDekIds));
    }
}
/// <summary>
/// Exercises the DEK query feed against a dedicated key container holding four keys
/// (Contoso_v001/v002, Fabrikam_v001/v002): full scan, TOP 1 with ORDER BY DESC, a range
/// filter with ORDER BY ASC, and a full scan paginated three items at a time.
/// The temporary key container is deleted in a finally block.
/// </summary>
public async Task EncryptionDekReadFeed()
{
    Container tempKeyContainer = await EncryptionTests.databaseCore.CreateContainerAsync(Guid.NewGuid().ToString(), "/id", 400);
    try
    {
        // Own provider bound to the temporary container so the class-level keys do not show up in the feed.
        CosmosDataEncryptionKeyProvider dekProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
        await dekProvider.InitializeAsync(EncryptionTests.databaseCore, tempKeyContainer.Id);

        string contosoV1 = "Contoso_v001";
        string contosoV2 = "Contoso_v002";
        string fabrikamV1 = "Fabrikam_v001";
        string fabrikamV2 = "Fabrikam_v002";

        // Creation order matters only for readability; the full-scan checks are order-insensitive.
        foreach (string dekId in new[] { contosoV1, contosoV2, fabrikamV1, fabrikamV2 })
        {
            await EncryptionTests.CreateDekAsync(dekProvider, dekId);
        }

        // All keys, any order.
        await EncryptionTests.IterateDekFeedAsync(
            dekProvider,
            new List<string> { contosoV1, contosoV2, fabrikamV1, fabrikamV2 },
            isExpectedDeksCompleteSetForRequest: true,
            isResultOrderExpected: false,
            "SELECT * from c");

        // A single, specific key: TOP 1 of the Contoso range in descending id order.
        await EncryptionTests.IterateDekFeedAsync(
            dekProvider,
            new List<string> { contosoV2 },
            isExpectedDeksCompleteSetForRequest: false,
            isResultOrderExpected: true,
            "SELECT TOP 1 * from c where c.id >= 'Contoso_v000' and c.id <= 'Contoso_v999' ORDER BY c.id DESC");

        // Only the Contoso keys, ascending; nothing from the Fabrikam range may leak in.
        await EncryptionTests.IterateDekFeedAsync(
            dekProvider,
            new List<string> { contosoV1, contosoV2 },
            isExpectedDeksCompleteSetForRequest: true,
            isResultOrderExpected: true,
            "SELECT * from c where c.id >= 'Contoso_v000' and c.id <= 'Contoso_v999' ORDER BY c.id ASC");

        // Pagination: four keys in pages of three (3 + 1).
        await EncryptionTests.IterateDekFeedAsync(
            dekProvider,
            new List<string> { contosoV1, contosoV2, fabrikamV1, fabrikamV2 },
            isExpectedDeksCompleteSetForRequest: true,
            isResultOrderExpected: false,
            "SELECT * from c",
            itemCountInPage: 3);
    }
    finally
    {
        await tempKeyContainer.DeleteContainerStreamAsync();
    }
}