blob: 5aeea91693a97a671b0ba84888b1e438670a3b5a [file] [log] [blame]
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* See the License for the specific language governing permissions and
* limitations under the License.
package org.apache.openwhisk.core.entity.test
import org.apache.openwhisk.core.entity._
import org.junit.runner.RunWith
import org.scalatest.junit.JUnitRunner
import org.scalatest.{BeforeAndAfter, FlatSpec, Matchers}
import spray.json.DefaultJsonProtocol._
import spray.json._
class ParameterEncryptionTests extends FlatSpec with Matchers with BeforeAndAfter {
val k128 = "ra1V6AfOYAv0jCzEdufIFA=="
val k256 = "j5rLzhtxwzPyUVUy8/p8XJmBoKeDoSzNJP1SITJEY9E="
// default is no-op but keys are available to decode encoded params
val noop = ParameterEncryption(ParameterStorageConfig(aes128 = Some(k128), aes256 = Some(k256)))
val aes128decoder = ParameterEncryption(ParameterStorageConfig("aes-128", aes128 = Some(k128)))
val aes128encoder = aes128decoder.default
val aes256decoder = ParameterEncryption(ParameterStorageConfig("aes-256", aes256 = Some(k256)))
val aes256encoder = aes256decoder.default
val parameters = new Parameters(
new ParameterName("one") -> new ParameterValue("secret".toJson, false),
new ParameterName("two") -> new ParameterValue("secret".toJson, true)))
behavior of "ParameterEncryption"
it should "not have a default coder when turned off" in {
ParameterEncryption(ParameterStorageConfig("")).default shouldBe empty
ParameterEncryption(ParameterStorageConfig("off")).default shouldBe empty
ParameterEncryption(ParameterStorageConfig("noop")).default shouldBe empty
ParameterEncryption(ParameterStorageConfig("OFF")).default shouldBe empty
ParameterEncryption(ParameterStorageConfig("NOOP")).default shouldBe empty
behavior of "Parameters"
it should "handle decryption of json objects" in {
val originalValue =
| { "key": "paramName1", "init": false, "value": "from-action" },
| { "key": "paramName2", "init": false, "value": "from-pack" }
val p =
p.get("paramName1").get.convertTo[String] shouldBe "from-action"
p.get("paramName2").get.convertTo[String] shouldBe "from-pack"
p.params.foreach {
case (_, paramValue) =>
paramValue.encryption shouldBe empty
it should "handle decryption of json objects with null field" in {
val originalValue =
| { "key": "paramName1", "encryption":null, "init": false, "value": "from-action" },
| { "key": "paramName2", "encryption":null, "init": false, "value": "from-pack" }
val p =
p.get("paramName1").get.convertTo[String] shouldBe "from-action"
p.get("paramName2").get.convertTo[String] shouldBe "from-pack"
p.params.foreach {
case (_, paramValue) =>
paramValue.encryption shouldBe empty
it should "drop encryption propery when no longer encrypted" in {
val originalValue =
| { "key": "paramName1", "encryption":null, "init": false, "value": "from-action" },
| { "key": "paramName2", "encryption":null, "init": false, "value": "from-pack" }
val p =
Parameters.serdes.write(p).compactPrint should not include "encryption"
p.params.foreach {
case (_, paramValue) =>
paramValue.encryption shouldBe empty
it should "read the merged message payload from kafka into parameters" in {
val locked = parameters.lock(aes128encoder)
val mixedParams = locked.merge(Some(Parameters("plain", "test-plain").toJsObject))
mixedParams shouldBe defined
mixedParams.get.fields("one") shouldBe locked.get("one").get
mixedParams.get.fields("two") shouldBe locked.get("two").get
mixedParams.get.fields("two") should not be locked.get("one").get
mixedParams.get.fields("plain") shouldBe JsString("test-plain")
behavior of "AesParameterEncryption"
it should "correctly mark the encrypted parameters after lock" in {
val locked = parameters.lock(aes128encoder)
locked.params.foreach {
case (_, paramValue) =>
paramValue.encryption shouldBe Some("aes-128")
paramValue.value.convertTo[String] should not be "secret"
it should "serialize to json correctly" in {
val locked = parameters.lock(aes128encoder)
locked.toJsObject.toString should fullyMatch regex """\Q{"one":"\E.*\Q","two":"\E.*\Q"}""".stripMargin.r
locked.lockedParameters() shouldBe Map("one" -> "aes-128", "two" -> "aes-128")
it should "serialize to json correctly when a locked parameter is overridden" in {
val locked = parameters.lock(aes128encoder)
.merge(Some(JsObject("one" -> JsString("override"))))
.compactPrint should fullyMatch regex """\Q{"one":"override","two":"\E.*\Q"}""".stripMargin.r
locked.lockedParameters(Set("one")) shouldBe Map("two" -> "aes-128")
it should "correctly decrypt encrypted values" in {
val locked = parameters.lock(aes128encoder)
locked.params.foreach {
case (_, paramValue) =>
paramValue.encryption shouldBe Some("aes-128")
paramValue.value.convertTo[String] should not be "secret"
val unlocked = locked.unlock(aes128decoder)
unlocked.params.foreach {
case (_, paramValue) =>
paramValue.encryption shouldBe empty
paramValue.value.convertTo[String] shouldBe "secret"
it should "correctly decrypt encrypted JsObject values" in {
val obj = Map("key" -> "xyz".toJson, "value" -> "v1".toJson).toJson
val complexParam = new Parameters(Map(new ParameterName("one") -> new ParameterValue(obj, false)))
val locked = complexParam.lock(aes128encoder)
locked.params.foreach {
case (_, paramValue) =>
paramValue.encryption shouldBe Some("aes-128")
paramValue.value.convertTo[String] should not be "secret"
val unlocked = locked.unlock(aes128decoder)
unlocked.params.foreach {
case (_, paramValue) =>
paramValue.encryption shouldBe empty
paramValue.value shouldBe obj
it should "correctly decrypt encrypted multiline values" in {
val lines = "line1\nline2\nline3\nline4"
val multiline = new Parameters(Map(new ParameterName("one") -> new ParameterValue(JsString(lines), false)))
val locked = multiline.lock(aes128encoder)
locked.params.foreach {
case (_, paramValue) =>
paramValue.encryption shouldBe Some("aes-128")
paramValue.value.convertTo[String] should not be "secret"
val unlocked = locked.unlock(aes128decoder)
unlocked.params.foreach {
case (_, paramValue) =>
paramValue.encryption shouldBe empty
paramValue.value.convertTo[String] shouldBe lines
// Not sure having cancelled tests is a good idea either, need to work on aes256 packaging.
it should "work if with aes256 if policy allows it" in {
try {
val locked = parameters.lock(aes256encoder)
locked.params.foreach {
case (_, paramValue) =>
paramValue.encryption shouldBe Some("aes-256")
paramValue.value.convertTo[String] should not be "secret"
val unlocked = locked.unlock(noop)
unlocked.params.foreach {
case (_, paramValue) =>
paramValue.encryption shouldBe empty
paramValue.value.convertTo[String] shouldBe "secret"
} catch {
case e: InvalidAlgorithmParameterException =>
it should "support reverting back to Noop encryption" in {
try {
val locked = parameters.lock(aes128encoder)
locked.params.foreach {
case (_, paramValue) =>
paramValue.encryption shouldBe Some("aes-128")
paramValue.value.convertTo[String] should not be "secret"
val lockedJson = Parameters.serdes.write(locked).compactPrint
val toDecrypt =
// defaults to no-op
val unlocked = toDecrypt.unlock(noop)
unlocked.params.foreach {
case (_, paramValue) =>
paramValue.encryption shouldBe empty
paramValue.value.convertTo[String] shouldBe "secret"
unlocked.toJsObject shouldBe JsObject("one" -> "secret".toJson, "two" -> "secret".toJson)
} catch {
case e: InvalidAlgorithmParameterException =>
behavior of "No-op Encryption"
it should "not mark parameters as encrypted" in {
val locked = parameters.lock()
locked.params.foreach {
case (_, paramValue) =>
paramValue.value.convertTo[String] shouldBe "secret"