73 lines
3.0 KiB
Ruby
73 lines
3.0 KiB
Ruby
# Copyright 2019 Google LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
require 'spec_helper'
|
|
require 'google/apis/cloudkms_v1'
|
|
require 'googleauth'
|
|
require "logger"
|
|
|
|
Cloudkms = Google::Apis::CloudkmsV1
|
|
|
|
RSpec.describe Google::Apis::CloudkmsV1, :if => run_integration_tests? do
|
|
|
|
before(:context) do
|
|
# Note: the service account running this test must have
|
|
# roles/cloudkms.cryptoKeyEncrypterDecrypter permissions.
|
|
WebMock.allow_net_connect!
|
|
@kms = Cloudkms::CloudKMSService.new
|
|
@kms.authorization = Google::Auth.get_application_default([Cloudkms::AUTH_CLOUDKMS])
|
|
|
|
@project = ENV["GOOGLE_PROJECT_ID"]
|
|
@suffix = Time.now.utc.strftime("%Y%m%d%H%M%S-") + rand(36**8).to_s(36)
|
|
@parent_name = "projects/#{@project}/locations/us-central1"
|
|
@ring_name = @kms.create_project_location_key_ring(@parent_name, key_ring_id: "ring-#{@suffix}").name
|
|
key_object = Cloudkms::CryptoKey.new
|
|
key_object.purpose = "ENCRYPT_DECRYPT"
|
|
@key_name = @kms.create_project_location_key_ring_crypto_key(@ring_name, key_object, crypto_key_id: "key-#{@suffix}").name
|
|
|
|
@old_logger = Google::Apis.logger
|
|
@logio = StringIO.new
|
|
Google::Apis.logger = ::Logger.new(@logio)
|
|
Google::Apis.logger.level = ::Logger::DEBUG
|
|
end
|
|
|
|
it 'should not log secrets in plain text' do
|
|
request = Cloudkms::EncryptRequest.new(plaintext: "secretabcde")
|
|
response = @kms.encrypt_crypto_key(@key_name, request)
|
|
request = ::Google::Apis::CloudkmsV1::DecryptRequest.new(ciphertext: response.ciphertext)
|
|
recovered_secret = @kms.decrypt_crypto_key(@key_name, request).plaintext
|
|
expect(recovered_secret).to eq "secretabcde"
|
|
|
|
logs = @logio.string
|
|
# Plain text content should never show up in logs.
|
|
# Ensure we redact the service response object for the decrypt call.
|
|
expect(logs).not_to match(/secretabcde/)
|
|
# Base64 encoding of the plain text content should never show up in logs.
|
|
# Ensure we redact the http response object for the decrypt call.
|
|
expect(logs).not_to match(/c2VjcmV0YWJjZGU=/)
|
|
# It's okay for the ciphertext to show up in logs.
|
|
# Ensure we don't redact the service response object for the encrypt call.
|
|
expect(logs).to match(/@ciphertext=/)
|
|
# Ensure we don't redact the http response object for the encrypt call.
|
|
expect(logs).to match(/\\"ciphertext\\"/)
|
|
end
|
|
|
|
after(:context) do
|
|
# There does not appear to be a way to clean up key resources. :sadface:
|
|
Google::Apis.logger = @old_logger
|
|
WebMock.disable_net_connect!
|
|
end
|
|
|
|
end
|