vendor/k8s.io/kubernetes/test/integration/master/secrets_transformation_test.go - cloudstack-kubernetes-provider - Git at Google

 /*
 Copyright 2017 The Kubernetes Authors.

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */

 package master

 import (
 	"crypto/aes"
 	"crypto/cipher"
 	"encoding/base64"
 	"fmt"
 	"testing"

 	apiserverconfigv1 "k8s.io/apiserver/pkg/apis/config/v1"
 	"k8s.io/apiserver/pkg/storage/value"
 	aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
 )

 const (
 	aesGCMPrefix = "k8s:enc:aesgcm:v1:key1:"
 	aesCBCPrefix = "k8s:enc:aescbc:v1:key1:"

 	aesGCMConfigYAML = `
 kind: EncryptionConfiguration
 apiVersion: apiserver.config.k8s.io/v1
 resources:
   - resources:
     - secrets
     providers:
     - aesgcm:
         keys:
         - name: key1
           secret: c2VjcmV0IGlzIHNlY3VyZQ==
 `

 	aesCBCConfigYAML = `
 kind: EncryptionConfiguration
 apiVersion: apiserver.config.k8s.io/v1
 resources:
   - resources:
     - secrets
     providers:
     - aescbc:
         keys:
         - name: key1
           secret: c2VjcmV0IGlzIHNlY3VyZQ==
 `

 	identityConfigYAML = `
 kind: EncryptionConfiguration
 apiVersion: apiserver.config.k8s.io/v1
 resources:
   - resources:
     - secrets
     providers:
     - identity: {}
 `
 )

 // TestSecretsShouldBeEnveloped is an integration test between KubeAPI and etcd that checks:
 // 1. Secrets are encrypted on write
 // 2. Secrets are decrypted on read
 // when EncryptionConfiguration is passed to KubeAPI server.
 func TestSecretsShouldBeTransformed(t *testing.T) {
 	var testCases = []struct {
 		transformerConfigContent string
 		transformerPrefix        string
 		unSealFunc               unSealSecret
 	}{
 		{aesGCMConfigYAML, aesGCMPrefix, unSealWithGCMTransformer},
 		{aesCBCConfigYAML, aesCBCPrefix, unSealWithCBCTransformer},
 		// TODO: add secretbox
 	}
 	for _, tt := range testCases {
 		test, err := newTransformTest(t, tt.transformerConfigContent)
 		if err != nil {
 			test.cleanUp()
 			t.Errorf("failed to setup test for envelop %s, error was %v", tt.transformerPrefix, err)
 			continue
 		}
 		test.run(tt.unSealFunc, tt.transformerPrefix)
 		test.cleanUp()
 	}
 }

 // Baseline (no enveloping) - use to contrast with enveloping benchmarks.
 func BenchmarkBase(b *testing.B) {
 	runBenchmark(b, "")
 }

 // Identity transformer is a NOOP (crypto-wise) - use to contrast with AESGCM and AESCBC benchmark results.
 func BenchmarkIdentityWrite(b *testing.B) {
 	runBenchmark(b, identityConfigYAML)
 }

 func BenchmarkAESGCMEnvelopeWrite(b *testing.B) {
 	runBenchmark(b, aesGCMConfigYAML)
 }

 func BenchmarkAESCBCEnvelopeWrite(b *testing.B) {
 	runBenchmark(b, aesCBCConfigYAML)
 }

 func runBenchmark(b *testing.B, transformerConfig string) {
 	b.StopTimer()
 	test, err := newTransformTest(b, transformerConfig)
 	defer test.cleanUp()
 	if err != nil {
 		b.Fatalf("failed to setup benchmark for config %s, error was %v", transformerConfig, err)
 	}

 	b.StartTimer()
 	test.benchmark(b)
 	b.StopTimer()
 	test.printMetrics()
 }

 func unSealWithGCMTransformer(cipherText []byte, ctx value.Context,
 	transformerConfig apiserverconfigv1.ProviderConfiguration) ([]byte, error) {

 	block, err := newAESCipher(transformerConfig.AESGCM.Keys[0].Secret)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create block cipher: %v", err)
 	}

 	gcmTransformer := aestransformer.NewGCMTransformer(block)

 	clearText, _, err := gcmTransformer.TransformFromStorage(cipherText, ctx)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decypt secret: %v", err)
 	}

 	return clearText, nil
 }

 func unSealWithCBCTransformer(cipherText []byte, ctx value.Context,
 	transformerConfig apiserverconfigv1.ProviderConfiguration) ([]byte, error) {

 	block, err := newAESCipher(transformerConfig.AESCBC.Keys[0].Secret)
 	if err != nil {
 		return nil, err
 	}

 	cbcTransformer := aestransformer.NewCBCTransformer(block)

 	clearText, _, err := cbcTransformer.TransformFromStorage(cipherText, ctx)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decypt secret: %v", err)
 	}

 	return clearText, nil
 }

 func newAESCipher(key string) (cipher.Block, error) {
 	k, err := base64.StdEncoding.DecodeString(key)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decode config secret: %v", err)
 	}

 	block, err := aes.NewCipher(k)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create AES cipher: %v", err)
 	}

 	return block, nil
 }
	/*
	Copyright 2017 The Kubernetes Authors.

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	*/

	package master

	import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
	"testing"

	apiserverconfigv1 "k8s.io/apiserver/pkg/apis/config/v1"
	"k8s.io/apiserver/pkg/storage/value"
	aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
	)

	const (
	aesGCMPrefix = "k8s:enc:aesgcm:v1:key1:"
	aesCBCPrefix = "k8s:enc:aescbc:v1:key1:"

	aesGCMConfigYAML = `
	kind: EncryptionConfiguration
	apiVersion: apiserver.config.k8s.io/v1
	resources:
	- resources:
	- secrets
	providers:
	- aesgcm:
	keys:
	- name: key1
	secret: c2VjcmV0IGlzIHNlY3VyZQ==
	`

	aesCBCConfigYAML = `
	kind: EncryptionConfiguration
	apiVersion: apiserver.config.k8s.io/v1
	resources:
	- resources:
	- secrets
	providers:
	- aescbc:
	keys:
	- name: key1
	secret: c2VjcmV0IGlzIHNlY3VyZQ==
	`

	identityConfigYAML = `
	kind: EncryptionConfiguration
	apiVersion: apiserver.config.k8s.io/v1
	resources:
	- resources:
	- secrets
	providers:
	- identity: {}
	`
	)

	// TestSecretsShouldBeEnveloped is an integration test between KubeAPI and etcd that checks:
	// 1. Secrets are encrypted on write
	// 2. Secrets are decrypted on read
	// when EncryptionConfiguration is passed to KubeAPI server.
	func TestSecretsShouldBeTransformed(t *testing.T) {
	var testCases = []struct {
	transformerConfigContent string
	transformerPrefix string
	unSealFunc unSealSecret
	}{
	{aesGCMConfigYAML, aesGCMPrefix, unSealWithGCMTransformer},
	{aesCBCConfigYAML, aesCBCPrefix, unSealWithCBCTransformer},
	// TODO: add secretbox
	}
	for _, tt := range testCases {
	test, err := newTransformTest(t, tt.transformerConfigContent)
	if err != nil {
	test.cleanUp()
	t.Errorf("failed to setup test for envelop %s, error was %v", tt.transformerPrefix, err)
	continue
	}
	test.run(tt.unSealFunc, tt.transformerPrefix)
	test.cleanUp()
	}
	}

	// Baseline (no enveloping) - use to contrast with enveloping benchmarks.
	func BenchmarkBase(b *testing.B) {
	runBenchmark(b, "")
	}

	// Identity transformer is a NOOP (crypto-wise) - use to contrast with AESGCM and AESCBC benchmark results.
	func BenchmarkIdentityWrite(b *testing.B) {
	runBenchmark(b, identityConfigYAML)
	}

	func BenchmarkAESGCMEnvelopeWrite(b *testing.B) {
	runBenchmark(b, aesGCMConfigYAML)
	}

	func BenchmarkAESCBCEnvelopeWrite(b *testing.B) {
	runBenchmark(b, aesCBCConfigYAML)
	}

	func runBenchmark(b *testing.B, transformerConfig string) {
	b.StopTimer()
	test, err := newTransformTest(b, transformerConfig)
	defer test.cleanUp()
	if err != nil {
	b.Fatalf("failed to setup benchmark for config %s, error was %v", transformerConfig, err)
	}

	b.StartTimer()
	test.benchmark(b)
	b.StopTimer()
	test.printMetrics()
	}

	func unSealWithGCMTransformer(cipherText []byte, ctx value.Context,
	transformerConfig apiserverconfigv1.ProviderConfiguration) ([]byte, error) {

	block, err := newAESCipher(transformerConfig.AESGCM.Keys[0].Secret)
	if err != nil {
	return nil, fmt.Errorf("failed to create block cipher: %v", err)
	}

	gcmTransformer := aestransformer.NewGCMTransformer(block)

	clearText, _, err := gcmTransformer.TransformFromStorage(cipherText, ctx)
	if err != nil {
	return nil, fmt.Errorf("failed to decypt secret: %v", err)
	}

	return clearText, nil
	}

	func unSealWithCBCTransformer(cipherText []byte, ctx value.Context,
	transformerConfig apiserverconfigv1.ProviderConfiguration) ([]byte, error) {

	block, err := newAESCipher(transformerConfig.AESCBC.Keys[0].Secret)
	if err != nil {
	return nil, err
	}

	cbcTransformer := aestransformer.NewCBCTransformer(block)

	clearText, _, err := cbcTransformer.TransformFromStorage(cipherText, ctx)
	if err != nil {
	return nil, fmt.Errorf("failed to decypt secret: %v", err)
	}

	return clearText, nil
	}

	func newAESCipher(key string) (cipher.Block, error) {
	k, err := base64.StdEncoding.DecodeString(key)
	if err != nil {
	return nil, fmt.Errorf("failed to decode config secret: %v", err)
	}

	block, err := aes.NewCipher(k)
	if err != nil {
	return nil, fmt.Errorf("failed to create AES cipher: %v", err)
	}

	return block, nil
	}