public async Task EncryptionResourceTokenAuthRestricted()
{
TestDoc testDoc = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt);
User restrictedUser = EncryptionTests.databaseCore.GetUser(Guid.NewGuid().ToString());
await EncryptionTests.databaseCore.CreateUserAsync(restrictedUser.Id);
PermissionProperties restrictedUserPermission = await restrictedUser.CreatePermissionAsync(
new PermissionProperties(Guid.NewGuid().ToString(), PermissionMode.All, EncryptionTests.itemContainer));
CosmosDataEncryptionKeyProvider dekProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
TestEncryptor encryptor = new TestEncryptor(dekProvider);
(string endpoint, string _) = TestCommon.GetAccountInfo();
CosmosClient clientForRestrictedUser = new CosmosClientBuilder(endpoint, restrictedUserPermission.Token)
.WithEncryptor(encryptor)
.Build();
Database databaseForRestrictedUser = clientForRestrictedUser.GetDatabase(EncryptionTests.databaseCore.Id);
Container containerForRestrictedUser = databaseForRestrictedUser.GetContainer(EncryptionTests.itemContainer.Id);
await EncryptionTests.PerformForbiddenOperationAsync(() =>
dekProvider.InitializeAsync(databaseForRestrictedUser, EncryptionTests.keyContainer.Id), "CosmosDekProvider.InitializeAsync");
await EncryptionTests.PerformOperationOnUninitializedDekProviderAsync(() =>
dekProvider.DataEncryptionKeyContainer.ReadDataEncryptionKeyAsync(EncryptionTests.dekId), "DEK.ReadAsync");
await EncryptionTests.PerformOperationOnUninitializedDekProviderAsync(() =>
containerForRestrictedUser.ReadItemAsync <TestDoc>(testDoc.Id, new PartitionKey(testDoc.PK)), "ReadItemAsync");
await EncryptionTests.PerformOperationOnUninitializedDekProviderAsync(() =>
containerForRestrictedUser.ReadItemStreamAsync(testDoc.Id, new PartitionKey(testDoc.PK)), "ReadItemStreamAsync");
}
private static async Task <DataEncryptionKeyProperties> CreateDekAsync(CosmosDataEncryptionKeyProvider dekProvider, string dekId)
{
ItemResponse <DataEncryptionKeyProperties> dekResponse = await dekProvider.DataEncryptionKeyContainer.CreateDataEncryptionKeyAsync(
dekId,
CosmosEncryptionAlgorithm.AEAes256CbcHmacSha256Randomized,
EncryptionContainerTests.metadata1);
Assert.AreEqual(HttpStatusCode.Created, dekResponse.StatusCode);
return(VerifyDekResponse(dekResponse,
dekId));
}
private static async Task <DataEncryptionKeyProperties> CreateDekAsync(CosmosDataEncryptionKeyProvider dekProvider, string dekId)
{
ItemResponse <DataEncryptionKeyProperties> dekResponse = await dekProvider.DataEncryptionKeyContainer.CreateDataEncryptionKeyAsync(
dekId,
CosmosEncryptionAlgorithm.AEAes256CbcHmacSha256Randomized,
EncryptionTests.metadata1);
Assert.AreEqual(HttpStatusCode.Created, dekResponse.StatusCode);
Assert.IsTrue(dekResponse.RequestCharge > 0);
Assert.IsNotNull(dekResponse.ETag);
DataEncryptionKeyProperties dekProperties = dekResponse.Resource;
Assert.AreEqual(dekResponse.ETag, dekProperties.ETag);
Assert.AreEqual(dekId, dekProperties.Id);
return(dekProperties);
}
public static async Task ClassInitialize(TestContext context)
{
EncryptionTests.dekProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
EncryptionTests.encryptor = new TestEncryptor(EncryptionTests.dekProvider);
EncryptionTests.client = EncryptionTests.GetClient();
EncryptionTests.databaseCore = (DatabaseInlineCore)await EncryptionTests.client.CreateDatabaseAsync(Guid.NewGuid().ToString());
EncryptionTests.keyContainer = await EncryptionTests.databaseCore.CreateContainerAsync(Guid.NewGuid().ToString(), "/id", 400);
await EncryptionTests.dekProvider.InitializeAsync(EncryptionTests.databaseCore, EncryptionTests.keyContainer.Id);
EncryptionTests.itemContainer = await EncryptionTests.databaseCore.CreateContainerAsync(Guid.NewGuid().ToString(), "/PK", 400);
EncryptionTests.itemContainerCore = (ContainerInlineCore)EncryptionTests.itemContainer;
EncryptionTests.dekProperties = await EncryptionTests.CreateDekAsync(EncryptionTests.dekProvider, EncryptionTests.dekId);
}
public async Task ClassInitialize(TestContext context)
{
EncryptionContainerTests.dekProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
EncryptionContainerTests.encryptor = new TestEncryptor(EncryptionContainerTests.dekProvider);
EncryptionContainerTests.client = TestCommon.CreateCosmosClient();
EncryptionContainerTests.database = await EncryptionContainerTests.client.CreateDatabaseAsync(Guid.NewGuid().ToString());
EncryptionContainerTests.keyContainer = await EncryptionContainerTests.database.CreateContainerAsync(Guid.NewGuid().ToString(), "/id", 400);
await EncryptionContainerTests.dekProvider.InitializeAsync(EncryptionContainerTests.database, EncryptionContainerTests.keyContainer.Id);
EncryptionContainerTests.itemContainer = await EncryptionContainerTests.database.CreateContainerAsync(Guid.NewGuid().ToString(), "/PK", 400);
EncryptionContainerTests.propertyEncryptionContainer = EncryptionContainerTests.itemContainer.WithPropertyEncryptor(encryptor, EncryptionContainerTests.PathsToEncrypt);
EncryptionContainerTests.pdekProperties = await EncryptionContainerTests.CreatePropertyDekAsync(EncryptionContainerTests.dekProvider, EncryptionContainerTests.pdekId);
EncryptionContainerTests.twoPropertyEncryptionContainer = EncryptionContainerTests.itemContainer.WithPropertyEncryptor(encryptor, EncryptionContainerTests.PathsToEncrypt3);
EncryptionContainerTests.twoPropertyOneDekEncryptionContainer = EncryptionContainerTests.itemContainer.WithPropertyEncryptor(encryptor, EncryptionContainerTests.PathsToEncrypt4);
}
public async Task EncryptionCreateDek()
{
string dekId = "anotherDek";
DataEncryptionKeyProperties dekProperties = await EncryptionTests.CreateDekAsync(EncryptionTests.dekProvider, dekId);
Assert.IsNotNull(dekProperties);
Assert.IsNotNull(dekProperties.CreatedTime);
Assert.IsNotNull(dekProperties.LastModified);
Assert.IsNotNull(dekProperties.SelfLink);
// Assert.IsNotNull(dekProperties.ResourceId);
// Assert.AreEqual(dekProperties.LastModified, dekProperties.CreatedTime);
Assert.AreEqual(
new EncryptionKeyWrapMetadata(EncryptionTests.metadata1.Value + EncryptionTests.metadataUpdateSuffix),
dekProperties.EncryptionKeyWrapMetadata);
// Use different DEK provider to avoid (unintentional) cache impact
CosmosDataEncryptionKeyProvider dekProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
await dekProvider.InitializeAsync(EncryptionTests.databaseCore, EncryptionTests.keyContainer.Id);
DataEncryptionKeyProperties readProperties = await dekProvider.DataEncryptionKeyContainer.ReadDataEncryptionKeyAsync(dekId);
Assert.AreEqual(dekProperties, readProperties);
}
public async Task EncryptionResourceTokenAuthAllowed()
{
User keyManagerUser = EncryptionTests.databaseCore.GetUser(Guid.NewGuid().ToString());
await EncryptionTests.databaseCore.CreateUserAsync(keyManagerUser.Id);
PermissionProperties keyManagerUserPermission = await keyManagerUser.CreatePermissionAsync(
new PermissionProperties(Guid.NewGuid().ToString(), PermissionMode.All, EncryptionTests.keyContainer));
CosmosDataEncryptionKeyProvider dekProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
TestEncryptor encryptor = new TestEncryptor(dekProvider);
(string endpoint, string _) = TestCommon.GetAccountInfo();
CosmosClient clientForKeyManagerUser = new CosmosClientBuilder(endpoint, keyManagerUserPermission.Token)
.WithEncryptor(encryptor)
.Build();
Database databaseForKeyManagerUser = clientForKeyManagerUser.GetDatabase(EncryptionTests.databaseCore.Id);
await dekProvider.InitializeAsync(databaseForKeyManagerUser, EncryptionTests.keyContainer.Id);
DataEncryptionKeyProperties readDekProperties = await dekProvider.DataEncryptionKeyContainer.ReadDataEncryptionKeyAsync(EncryptionTests.dekId);
Assert.AreEqual(EncryptionTests.dekProperties, readDekProperties);
}
private static async Task IterateDekFeedAsync(
CosmosDataEncryptionKeyProvider dekProvider,
List <string> expectedDekIds,
bool isExpectedDeksCompleteSetForRequest,
bool isResultOrderExpected,
string query,
int?itemCountInPage = null)
{
int remainingItemCount = expectedDekIds.Count;
QueryRequestOptions requestOptions = null;
if (itemCountInPage.HasValue)
{
requestOptions = new QueryRequestOptions()
{
MaxItemCount = itemCountInPage
};
}
FeedIterator <DataEncryptionKeyProperties> dekIterator = dekProvider.DataEncryptionKeyContainer
.GetDataEncryptionKeyQueryIterator <DataEncryptionKeyProperties>(
query,
requestOptions: requestOptions);
Assert.IsTrue(dekIterator.HasMoreResults);
List <string> readDekIds = new List <string>();
while (remainingItemCount > 0)
{
FeedResponse <DataEncryptionKeyProperties> page = await dekIterator.ReadNextAsync();
if (itemCountInPage.HasValue)
{
// last page
if (remainingItemCount < itemCountInPage.Value)
{
Assert.AreEqual(remainingItemCount, page.Count);
}
else
{
Assert.AreEqual(itemCountInPage.Value, page.Count);
}
}
else
{
Assert.AreEqual(expectedDekIds.Count, page.Count);
}
remainingItemCount -= page.Count;
if (isExpectedDeksCompleteSetForRequest)
{
Assert.AreEqual(remainingItemCount > 0, dekIterator.HasMoreResults);
}
foreach (DataEncryptionKeyProperties dek in page.Resource)
{
readDekIds.Add(dek.Id);
}
}
if (isResultOrderExpected)
{
Assert.IsTrue(expectedDekIds.SequenceEqual(readDekIds));
}
else
{
Assert.IsTrue(expectedDekIds.ToHashSet().SetEquals(readDekIds));
}
}
public async Task EncryptionDekReadFeed()
{
Container newKeyContainer = await EncryptionTests.databaseCore.CreateContainerAsync(Guid.NewGuid().ToString(), "/id", 400);
try
{
CosmosDataEncryptionKeyProvider dekProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider());
await dekProvider.InitializeAsync(EncryptionTests.databaseCore, newKeyContainer.Id);
string contosoV1 = "Contoso_v001";
string contosoV2 = "Contoso_v002";
string fabrikamV1 = "Fabrikam_v001";
string fabrikamV2 = "Fabrikam_v002";
await EncryptionTests.CreateDekAsync(dekProvider, contosoV1);
await EncryptionTests.CreateDekAsync(dekProvider, contosoV2);
await EncryptionTests.CreateDekAsync(dekProvider, fabrikamV1);
await EncryptionTests.CreateDekAsync(dekProvider, fabrikamV2);
// Test getting all keys
await EncryptionTests.IterateDekFeedAsync(
dekProvider,
new List <string> {
contosoV1, contosoV2, fabrikamV1, fabrikamV2
},
isExpectedDeksCompleteSetForRequest : true,
isResultOrderExpected : false,
"SELECT * from c");
// Test getting specific subset of keys
await EncryptionTests.IterateDekFeedAsync(
dekProvider,
new List <string> {
contosoV2
},
isExpectedDeksCompleteSetForRequest : false,
isResultOrderExpected : true,
"SELECT TOP 1 * from c where c.id >= 'Contoso_v000' and c.id <= 'Contoso_v999' ORDER BY c.id DESC");
// Ensure only required results are returned
await EncryptionTests.IterateDekFeedAsync(
dekProvider,
new List <string> {
contosoV1, contosoV2
},
isExpectedDeksCompleteSetForRequest : true,
isResultOrderExpected : true,
"SELECT * from c where c.id >= 'Contoso_v000' and c.id <= 'Contoso_v999' ORDER BY c.id ASC");
// Test pagination
await EncryptionTests.IterateDekFeedAsync(
dekProvider,
new List <string> {
contosoV1, contosoV2, fabrikamV1, fabrikamV2
},
isExpectedDeksCompleteSetForRequest : true,
isResultOrderExpected : false,
"SELECT * from c",
itemCountInPage : 3);
}
finally
{
await newKeyContainer.DeleteContainerStreamAsync();
}
}
