author | Xabier de Zuazo <xabier@onddo.com> | 2014-06-18 10:29:14 +0200 |
---|---|---|
committer | Xabier de Zuazo <xabier@onddo.com> | 2014-07-01 10:59:26 +0200 |
commit | 4a3141d4f1e6799faf332854cdb41e387747a1ca (patch) | |
tree | 13b290ea40a690182824517487fa83c6fc13cf62 /spec/unit/encrypted_data_bag_item_spec.rb | |
parent | 7ffcfd2743a1ddedbdbcdb68e65fbe4731ab0b2e (diff) | |
download | chef-4a3141d4f1e6799faf332854cdb41e387747a1ca.tar.gz |
[CHEF-5356-gcm] Chef::EncryptedDataBagItem Version3 unit tests added
Diffstat (limited to 'spec/unit/encrypted_data_bag_item_spec.rb')
-rw-r--r-- | spec/unit/encrypted_data_bag_item_spec.rb | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/spec/unit/encrypted_data_bag_item_spec.rb b/spec/unit/encrypted_data_bag_item_spec.rb
index 1e662a0b7c..0c8e991535 100644
--- a/spec/unit/encrypted_data_bag_item_spec.rb
+++ b/spec/unit/encrypted_data_bag_item_spec.rb
@@ -92,6 +92,34 @@ describe Chef::EncryptedDataBagItem::Encryptor do
 end
 end
 
+ describe "when using version 3 format" do
+
+ before do
+ Chef::Config[:data_bag_encrypt_version] = 3
+ end
+
+ it "creates a version 3 encryptor" do
+ encryptor.should be_a_instance_of(Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor)
+ end
+
+ it "generates different authentication tags" do
+ encryptor3 = Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data, key)
+ encryptor.for_encrypted_item # required to generate the auth_tag
+ encryptor3.for_encrypted_item
+ encryptor.auth_tag.should_not eq(encryptor3.auth_tag)
+ end
+
+ it "includes the auth_tag in the envelope" do
+ final_data = encryptor.for_encrypted_item
+ final_data["auth_tag"].should eq(Base64::encode64(encryptor.auth_tag))
+ end
+
+ it "throws an error if auth tag is read before encrypting the data" do
+ lambda { encryptor.auth_tag }.should raise_error(Chef::EncryptedDataBagItem::EncryptionFailure)
+ end
+
+ end
+
 end
 
 describe Chef::EncryptedDataBagItem::Decryptor do
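Review bot: The "generates different authentication tags" example only proves two tags are unequal, which any random value would satisfy; nothing in the hunk pins that a full 128-bit GCM tag is emitted, and a shorter tag directly weakens forgery resistance. Adding `encryptor.auth_tag.bytesize.should eq(16)` after the `should_not eq` line (16 bytes being OpenSSL's default GCM tag length, as far as I recall) would make the encryptor side of the v3 format assert the property that matters. On style, `Base64::encode64(...)` in the envelope example uses the scope operator for a method call; `Base64.encode64(...)` is the conventional form and presumably what the version 2 examples outside this hunk use. The `before` block sets `Chef::Config[:data_bag_encrypt_version]` without resetting it, which is fine only if an outer `after` hook outside this hunk restores it — worth confirming.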
@@ -101,6 +129,33 @@ describe Chef::EncryptedDataBagItem::Decryptor do
 let(:encryption_key) { "passwd" }
 let(:decryption_key) { encryption_key }
 
+ context "when decrypting a version 3 (JSON+aes-256-gcm+random iv+auth tag) encrypted value" do
+ let(:encrypted_value) do
+ Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor.new(plaintext_data, encryption_key).for_encrypted_item
+ end
+
+ let(:bogus_auth_tag) { "bogus_auth_tag" }
+
+ it "decrypts the encrypted value" do
+ decryptor.decrypted_data.should eq({"json_wrapper" => plaintext_data}.to_json)
+ end
+
+ it "unwraps the encrypted data and returns it" do
+ decryptor.for_decrypted_item.should eq plaintext_data
+ end
+
+ it "rejects the data if the authentication tag is wrong" do
+ encrypted_value["auth_tag"] = bogus_auth_tag
+ lambda { decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
+ end
+
+ it "rejects the data if the authentication tag is missing" do
+ encrypted_value.delete("auth_tag")
+ lambda { decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
+ end
+
+ end
+
 context "when decrypting a version 2 (JSON+aes-256-cbc+hmac-sha256+random iv) encrypted value" do
 let(:encrypted_value) do
 Chef::EncryptedDataBagItem::Encryptor::Version2Encryptor.new(plaintext_data, encryption_key).for_encrypted_item |
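Review bot: The tamper examples in this context only cover a replaced or missing tag; they never check that the tag is actually bound to the ciphertext, and "rejects the data if the authentication tag is wrong" substitutes `"bogus_auth_tag"`, a string that is not even a valid 16-byte tag, so the rejection could come from a length check rather than from tag verification. Two cases are worth adding: a modified ciphertext with the original, valid tag must still raise DecryptionFailure, and a truncated prefix of the real tag must be rejected — OpenSSL's `auth_tag=` accepts a shorter tag and, as far as I recall, compares only that prefix, so a decryptor that forwards the tag unchecked would silently accept an 8-byte (or shorter) tag. I have assumed the ciphertext lives under the same base64-encoded `encrypted_data` key as in the earlier formats; adjust the key name if the v3 envelope differs.
```ruby
let(:valid_auth_tag) { Base64.decode64(encrypted_value["auth_tag"]) }

it "rejects the data if the ciphertext was tampered with" do
  # the tag must authenticate the ciphertext, not merely be present and well-formed
  tampered = "x" + Base64.decode64(encrypted_value["encrypted_data"])
  encrypted_value["encrypted_data"] = Base64.encode64(tampered)
  lambda { decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
end

it "rejects the data if the authentication tag is truncated" do
  encrypted_value["auth_tag"] = Base64.encode64(valid_auth_tag[0, 8])
  lambda { decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
end
```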