mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-14 10:37:00 +02:00
3c0656e4c4
* [transit-pkcs1v15] transit support for the pkcs1v15 padding scheme – without UI tests (yet). * [transit-pkcs1v15] renamed padding_scheme parameter in transit documentation. * [transit-pkcs1v15] add changelog file. * [transit-pkcs1v15] remove the algorithm path as padding_scheme is chosen by parameter. * Update ui/app/templates/components/transit-key-action/datakey.hbs Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com> * Update ui/app/templates/components/transit-key-action/datakey.hbs Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com> * Update ui/app/templates/components/transit-key-action/datakey.hbs Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com> * Update website/content/api-docs/secret/transit.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> * Update website/content/api-docs/secret/transit.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> * Update website/content/api-docs/secret/transit.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> * Add warnings to PKCS1v1.5 usage * Update transit * Update transit, including separating encrypt/decrypt paddings for rewrap * Clean up factory use in the presence of padding * address review feedback * remove defaults * lint * more lint * Some fixes for UI issues - Fix padding scheme dropdown console error by adding values to the transit-key-actions.hbs - Populate both padding scheme drop down menus within rewrap, not just the one padding_scheme - Do not submit a padding_scheme value through POST for non-rsa keys * Fix Transit rewrap API to use decrypt_padding_scheme, encrypt_padding_scheme - Map the appropriate API fields for the RSA padding scheme to the batch items within the rewrap API - Add the ability to create RSA keys within the encrypt API endpoint - Add test case for rewrap api that leverages the padding_scheme fields * Fix code linting issues * simply padding scheme enum * Apply suggestions from code review Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com> * Fix padding_scheme processing on data key api - The data key api was using the incorrect parameter name for the padding scheme - Enforce that padding_scheme is only used on RSA keys, we are punting on supporting it for managed keys at the moment. * Add tests for parsePaddingSchemeArg * Add missing copywrite headers * Some small UI fixes * Add missing param to datakey in api-docs * Do not send padding_scheme for non-RSA key types within UI * add UI tests for transit key actions form --------- Co-authored-by: Marcel Lanz <marcellanz@n-1.ch> Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com> Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> Co-authored-by: Steve Clark <steven.clark@hashicorp.com> Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
356 lines
12 KiB
JavaScript
356 lines
12 KiB
JavaScript
/**
|
|
* Copyright (c) HashiCorp, Inc.
|
|
* SPDX-License-Identifier: BUSL-1.1
|
|
*/
|
|
|
|
import { run } from '@ember/runloop';
|
|
import { resolve } from 'rsvp';
|
|
import Service from '@ember/service';
|
|
import { module, test } from 'qunit';
|
|
import { setupRenderingTest } from 'ember-qunit';
|
|
import { render, click, find, fillIn, blur, triggerEvent } from '@ember/test-helpers';
|
|
import hbs from 'htmlbars-inline-precompile';
|
|
import { encodeString } from 'vault/utils/b64';
|
|
import waitForError from 'vault/tests/helpers/wait-for-error';
|
|
import codemirror from 'vault/tests/helpers/codemirror';
|
|
|
|
const storeStub = Service.extend({
|
|
callArgs: null,
|
|
keyActionReturnVal: null,
|
|
rootKeyActionReturnVal: null,
|
|
adapterFor() {
|
|
const self = this;
|
|
return {
|
|
keyAction(action, { backend, id, payload }, options) {
|
|
self.set('callArgs', { action, backend, id, payload });
|
|
self.set('callArgsOptions', options);
|
|
const rootResp = { ...self.get('rootKeyActionReturnVal') };
|
|
const resp =
|
|
Object.keys(rootResp).length > 0
|
|
? rootResp
|
|
: {
|
|
data: { ...self.get('keyActionReturnVal') },
|
|
};
|
|
return resolve(resp);
|
|
},
|
|
};
|
|
},
|
|
});
|
|
|
|
module('Integration | Component | transit key actions', function (hooks) {
|
|
setupRenderingTest(hooks);
|
|
|
|
hooks.beforeEach(function () {
|
|
run(() => {
|
|
this.owner.unregister('service:store');
|
|
this.owner.register('service:store', storeStub);
|
|
this.storeService = this.owner.lookup('service:store');
|
|
});
|
|
});
|
|
|
|
test('it requires `key`', async function (assert) {
|
|
const promise = waitForError();
|
|
render(hbs`
|
|
<TransitKeyActions />`);
|
|
const err = await promise;
|
|
assert.ok(err.message.includes('@key is required for'), 'asserts without key');
|
|
});
|
|
|
|
test('it renders', async function (assert) {
|
|
this.set('key', { backend: 'transit', supportedActions: ['encrypt'] });
|
|
await render(hbs`<TransitKeyActions @selectedAction="encrypt" @key={{this.key}} />`);
|
|
assert.dom('[data-test-transit-action="encrypt"]').exists({ count: 1 }, 'renders encrypt');
|
|
|
|
this.set('key', { backend: 'transit', supportedActions: ['sign'] });
|
|
await render(hbs`<TransitKeyActions @selectedAction="sign" @key={{this.key}} />`);
|
|
assert.dom('[data-test-transit-action="sign"]').exists({ count: 1 }, 'renders sign');
|
|
});
|
|
|
|
test('it renders: signature_algorithm field', async function (assert) {
|
|
this.set('key', { backend: 'transit', supportsSigning: true, supportedActions: ['sign', 'verify'] });
|
|
this.set('selectedAction', 'sign');
|
|
await render(hbs`
|
|
<TransitKeyActions @selectedAction={{this.selectedAction}} @key={{this.key}} />`);
|
|
assert
|
|
.dom('[data-test-signature-algorithm]')
|
|
.doesNotExist('does not render signature_algorithm field on sign');
|
|
this.set('selectedAction', 'verify');
|
|
assert
|
|
.dom('[data-test-signature-algorithm]')
|
|
.doesNotExist('does not render signature_algorithm field on verify');
|
|
|
|
this.set('selectedAction', 'sign');
|
|
this.set('key', {
|
|
type: 'rsa-2048',
|
|
supportsSigning: true,
|
|
backend: 'transit',
|
|
supportedActions: ['sign', 'verify'],
|
|
});
|
|
assert
|
|
.dom('[data-test-signature-algorithm]')
|
|
.exists({ count: 1 }, 'renders signature_algorithm field on sign with rsa key');
|
|
this.set('selectedAction', 'verify');
|
|
assert
|
|
.dom('[data-test-signature-algorithm]')
|
|
.exists({ count: 1 }, 'renders signature_algorithm field on verify with rsa key');
|
|
});
|
|
|
|
test('it renders: padding_scheme field for rsa key types', async function (assert) {
|
|
const supportedActions = ['datakey', 'decrypt', 'encrypt'];
|
|
const supportedKeyTypes = ['rsa-2048', 'rsa-3072', 'rsa-4096'];
|
|
|
|
for (const key of supportedKeyTypes) {
|
|
this.set('key', {
|
|
type: key,
|
|
backend: 'transit',
|
|
supportedActions,
|
|
});
|
|
for (const action of this.key.supportedActions) {
|
|
this.selectedAction = action;
|
|
await render(hbs`
|
|
<TransitKeyActions @selectedAction={{this.selectedAction}} @key={{this.key}} />`);
|
|
assert
|
|
.dom('[data-test-padding-scheme]')
|
|
.hasValue(
|
|
'oaep',
|
|
`key type: ${key} renders padding_scheme field with default value for action: ${action}`
|
|
);
|
|
}
|
|
}
|
|
});
|
|
test('it renders: decrypt_padding_scheme and encrypt_padding_scheme fields for rsa key types', async function (assert) {
|
|
this.selectedAction = 'rewrap';
|
|
const supportedKeyTypes = ['rsa-2048', 'rsa-3072', 'rsa-4096'];
|
|
const SELECTOR = (type) => `[data-test-padding-scheme="${type}"]`;
|
|
for (const key of supportedKeyTypes) {
|
|
this.set('key', {
|
|
type: key,
|
|
backend: 'transit',
|
|
supportedActions: [this.selectedAction],
|
|
});
|
|
await render(hbs`
|
|
<TransitKeyActions @selectedAction={{this.selectedAction}} @key={{this.key}} />`);
|
|
assert
|
|
.dom(SELECTOR('encrypt'))
|
|
.hasValue('oaep', `key type: ${key} renders ${SELECTOR('encrypt')} field with default value`);
|
|
assert
|
|
.dom(SELECTOR('decrypt'))
|
|
.hasValue('oaep', `key type: ${key} renders ${SELECTOR('decrypt')} field with default value`);
|
|
}
|
|
});
|
|
|
|
async function doEncrypt(assert, actions = [], keyattrs = {}) {
|
|
const keyDefaults = { backend: 'transit', id: 'akey', supportedActions: ['encrypt'].concat(actions) };
|
|
|
|
const key = { ...keyDefaults, ...keyattrs };
|
|
this.set('key', key);
|
|
this.set('selectedAction', 'encrypt');
|
|
this.set('storeService.keyActionReturnVal', { ciphertext: 'secret' });
|
|
await render(hbs`
|
|
<TransitKeyActions @selectedAction={{this.selectedAction}} @key={{this.key}} />`);
|
|
|
|
codemirror('#plaintext-control').setValue('plaintext');
|
|
await click('button[type="submit"]');
|
|
assert.deepEqual(
|
|
this.storeService.callArgs,
|
|
{
|
|
action: 'encrypt',
|
|
backend: 'transit',
|
|
id: 'akey',
|
|
payload: {
|
|
plaintext: encodeString('plaintext'),
|
|
},
|
|
},
|
|
'passes expected args to the adapter'
|
|
);
|
|
|
|
assert.strictEqual(find('[data-test-encrypted-value="ciphertext"]').innerText, 'secret');
|
|
|
|
// exit modal
|
|
await click('dialog button');
|
|
// Encrypt again, with pre-encoded value and checkbox selected
|
|
const preEncodedValue = encodeString('plaintext');
|
|
codemirror('#plaintext-control').setValue(preEncodedValue);
|
|
await click('input[data-test-transit-input="encodedBase64"]');
|
|
await click('button[type="submit"]');
|
|
|
|
assert.deepEqual(
|
|
this.storeService.callArgs,
|
|
{
|
|
action: 'encrypt',
|
|
backend: 'transit',
|
|
id: 'akey',
|
|
payload: {
|
|
plaintext: preEncodedValue,
|
|
},
|
|
},
|
|
'passes expected args to the adapter'
|
|
);
|
|
await click('dialog button');
|
|
}
|
|
|
|
test('it encrypts', doEncrypt);
|
|
|
|
test('it shows key version selection', async function (assert) {
|
|
const keyDefaults = { backend: 'transit', id: 'akey', supportedActions: ['encrypt'].concat([]) };
|
|
const keyattrs = { keysForEncryption: [3, 2, 1], latestVersion: 3 };
|
|
const key = { ...keyDefaults, ...keyattrs };
|
|
this.set('key', key);
|
|
this.set('storeService.keyActionReturnVal', { ciphertext: 'secret' });
|
|
await render(hbs`
|
|
<TransitKeyActions @selectedAction="encrypt" @key={{this.key}} />`);
|
|
|
|
codemirror().setValue('plaintext');
|
|
assert.dom('#key_version').exists({ count: 1 }, 'it renders the key version selector');
|
|
|
|
await triggerEvent('#key_version', 'change');
|
|
await click('button[type="submit"]');
|
|
assert.deepEqual(
|
|
this.storeService.callArgs,
|
|
{
|
|
action: 'encrypt',
|
|
backend: 'transit',
|
|
id: 'akey',
|
|
payload: {
|
|
plaintext: encodeString('plaintext'),
|
|
key_version: '0',
|
|
},
|
|
},
|
|
'includes key_version in the payload'
|
|
);
|
|
});
|
|
|
|
test('it hides key version selection', async function (assert) {
|
|
const keyDefaults = { backend: 'transit', id: 'akey', supportedActions: ['encrypt'].concat([]) };
|
|
const keyattrs = { keysForEncryption: [1] };
|
|
const key = { ...keyDefaults, ...keyattrs };
|
|
this.set('key', key);
|
|
this.set('storeService.keyActionReturnVal', { ciphertext: 'secret' });
|
|
await render(hbs`
|
|
<TransitKeyActions @selectedAction="encrypt" @key={{this.key}} />`);
|
|
|
|
codemirror('#plaintext-control').setValue('plaintext');
|
|
assert.dom('#key_version').doesNotExist('it does not render the selector when there is only one key');
|
|
});
|
|
|
|
test('it does not carry ciphertext value over to decrypt', async function (assert) {
|
|
assert.expect(4);
|
|
const plaintext = 'not so secret';
|
|
await doEncrypt.call(this, assert, ['decrypt']);
|
|
|
|
this.set('storeService.keyActionReturnVal', { plaintext });
|
|
this.set('selectedAction', 'decrypt');
|
|
assert.strictEqual(codemirror('#ciphertext-control').getValue(), '', 'does not prefill ciphertext value');
|
|
});
|
|
|
|
const setupExport = async function () {
|
|
this.set('key', {
|
|
backend: 'transit',
|
|
id: 'akey',
|
|
supportedActions: ['export'],
|
|
exportKeyTypes: ['encryption'],
|
|
validKeyVersions: [1],
|
|
});
|
|
await render(hbs`
|
|
<TransitKeyActions @key={{this.key}} />`);
|
|
};
|
|
|
|
test('it can export a key:default behavior', async function (assert) {
|
|
this.set('storeService.rootKeyActionReturnVal', { wrap_info: { token: 'wrapped-token' } });
|
|
await setupExport.call(this);
|
|
await click('button[type="submit"]');
|
|
|
|
assert.deepEqual(
|
|
this.storeService.callArgs,
|
|
{
|
|
action: 'export',
|
|
backend: 'transit',
|
|
id: 'akey',
|
|
payload: {
|
|
param: ['encryption'],
|
|
},
|
|
},
|
|
'passes expected args to the adapter'
|
|
);
|
|
assert.strictEqual(this.storeService.callArgsOptions.wrapTTL, '30m', 'passes value for wrapTTL');
|
|
assert.strictEqual(
|
|
find('[data-test-encrypted-value="export"]').innerText,
|
|
'wrapped-token',
|
|
'wraps by default'
|
|
);
|
|
});
|
|
|
|
test('it can export a key:unwrapped behavior', async function (assert) {
|
|
const response = { keys: { a: 'key' } };
|
|
this.set('storeService.keyActionReturnVal', response);
|
|
await setupExport.call(this);
|
|
await click('[data-test-toggle-label="Wrap response"]');
|
|
await click('button[type="submit"]');
|
|
assert.dom('#transit-export-modal').exists('Modal opens after export');
|
|
assert.deepEqual(
|
|
JSON.parse(find('[data-test-encrypted-value="export"]').innerText),
|
|
response,
|
|
'prints json response'
|
|
);
|
|
});
|
|
|
|
test('it can export a key: unwrapped, single version', async function (assert) {
|
|
const response = { keys: { a: 'key' } };
|
|
this.set('storeService.keyActionReturnVal', response);
|
|
await setupExport.call(this);
|
|
await click('[data-test-toggle-label="Wrap response"]');
|
|
await click('#exportVersion');
|
|
await triggerEvent('#exportVersion', 'change');
|
|
await click('button[type="submit"]');
|
|
assert.dom('#transit-export-modal').exists('Modal opens after export');
|
|
assert.deepEqual(
|
|
JSON.parse(find('[data-test-encrypted-value="export"]').innerText),
|
|
response,
|
|
'prints json response'
|
|
);
|
|
assert.deepEqual(
|
|
this.storeService.callArgs,
|
|
{
|
|
action: 'export',
|
|
backend: 'transit',
|
|
id: 'akey',
|
|
payload: {
|
|
param: ['encryption', 1],
|
|
},
|
|
},
|
|
'passes expected args to the adapter'
|
|
);
|
|
});
|
|
|
|
test('it includes algorithm param for HMAC', async function (assert) {
|
|
// Return mocked data so a11y-testing doesn't get mad about empty copy button contents
|
|
this.set('storeService.rootKeyActionReturnVal', { data: { hmac: 'vault:v1:hmac-token' } });
|
|
this.set('key', {
|
|
backend: 'transit',
|
|
id: 'akey',
|
|
supportedActions: ['hmac'],
|
|
validKeyVersions: [1],
|
|
});
|
|
await render(hbs`
|
|
<TransitKeyActions @key={{this.key}} @selectedAction="hmac" />`);
|
|
await fillIn('#algorithm', 'sha2-384');
|
|
await blur('#algorithm');
|
|
await fillIn('[data-test-component="code-mirror-modifier"] textarea', 'plaintext');
|
|
await click('input[data-test-transit-input="encodedBase64"]');
|
|
await click('button[type="submit"]');
|
|
assert.deepEqual(
|
|
this.storeService.callArgs,
|
|
{
|
|
action: 'hmac',
|
|
backend: 'transit',
|
|
id: 'akey',
|
|
payload: {
|
|
algorithm: 'sha2-384',
|
|
input: 'plaintext',
|
|
},
|
|
},
|
|
'passes expected args to the adapter'
|
|
);
|
|
});
|
|
});
|