# frozen_string_literal: true
require "spec_helper"
RSpec.describe Gitlab::EncryptedConfiguration do
subject(:configuration) { described_class.new }
let!(:config_tmp_dir) { Dir.mktmpdir('config-') }
after do
FileUtils.rm_f(config_tmp_dir)
end
describe '#initialize' do
it 'accepts all args as optional fields' do
expect { configuration }.not_to raise_exception
expect(configuration.key).to be_nil
expect(configuration.previous_keys).to be_empty
end
it 'generates 32 byte key when provided a larger base key' do
configuration = described_class.new(base_key: 'A' * 64)
expect(configuration.key.bytesize).to eq 32
end
it 'generates 32 byte key when provided a smaller base key' do
configuration = described_class.new(base_key: 'A' * 16)
expect(configuration.key.bytesize).to eq 32
end
it 'throws an error when the base key is too small' do
expect { described_class.new(base_key: 'A' * 12) }.to raise_error 'Base key too small'
end
end
context 'when provided a config file but no key' do
let(:config_path) { File.join(config_tmp_dir, 'credentials.yml.enc') }
it 'throws an error when writing without a key' do
expect { described_class.new(content_path: config_path).write('test') }.to raise_error Gitlab::EncryptedConfiguration::MissingKeyError
end
it 'throws an error when reading without a key' do
config = described_class.new(content_path: config_path)
File.write(config_path, 'test')
expect { config.read }.to raise_error Gitlab::EncryptedConfiguration::MissingKeyError
end
end
context 'when provided key and config file' do
let(:credentials_config_path) { File.join(config_tmp_dir, 'credentials.yml.enc') }
let(:credentials_key) { SecureRandom.hex(64) }
describe '#write' do
it 'encrypts the file using the provided key' do
encryptor = ActiveSupport::MessageEncryptor.new(Gitlab::EncryptedConfiguration.generate_key(credentials_key), cipher: 'aes-256-gcm')
config = described_class.new(content_path: credentials_config_path, base_key: credentials_key)
config.write('sample-content')
expect(encryptor.decrypt_and_verify(File.read(credentials_config_path))).to eq('sample-content')
end
end
describe '#read' do
it 'reads yaml configuration' do
config = described_class.new(content_path: credentials_config_path, base_key: credentials_key)
config.write({ foo: { bar: true } }.to_yaml)
expect(config[:foo][:bar]).to be true
end
it 'allows referencing top level keys via dot syntax' do
config = described_class.new(content_path: credentials_config_path, base_key: credentials_key)
config.write({ foo: { bar: true } }.to_yaml)
expect(config.foo[:bar]).to be true
end
it 'throws a custom error when referencing an invalid key map config' do
config = described_class.new(content_path: credentials_config_path, base_key: credentials_key)
config.write("stringcontent")
expect { config[:foo] }.to raise_error Gitlab::EncryptedConfiguration::InvalidConfigError
end
end
describe '#change' do
it 'changes yaml configuration' do
config = described_class.new(content_path: credentials_config_path, base_key: credentials_key)
config.write({ foo: { bar: true } }.to_yaml)
config.change do |unencrypted_contents|
contents = YAML.safe_load(unencrypted_contents, permitted_classes: [Symbol])
contents.merge(beef: "stew").to_yaml
end
expect(config.foo[:bar]).to be true
expect(config.beef).to eq('stew')
end
end
context 'when provided previous_keys for rotation' do
let(:credential_key_original) { SecureRandom.hex(64) }
let(:credential_key_latest) { SecureRandom.hex(64) }
let(:config_path_original) { File.join(config_tmp_dir, 'credentials-orig.yml.enc') }
let(:config_path_latest) { File.join(config_tmp_dir, 'credentials-latest.yml.enc') }
def encryptor(key)
ActiveSupport::MessageEncryptor.new(Gitlab::EncryptedConfiguration.generate_key(key), cipher: 'aes-256-gcm')
end
describe '#write' do
it 'rotates the key when provided a new key' do
config1 = described_class.new(content_path: config_path_original, base_key: credential_key_original)
config1.write('sample-content1')
config2 = described_class.new(content_path: config_path_latest, base_key: credential_key_latest, previous_keys: [credential_key_original])
config2.write('sample-content2')
original_key_encryptor = encryptor(credential_key_original) # can read with the initial key
latest_key_encryptor = encryptor(credential_key_latest) # can read with the new key
both_key_encryptor = encryptor(credential_key_latest) # can read with either key
both_key_encryptor.rotate(Gitlab::EncryptedConfiguration.generate_key(credential_key_original))
expect(original_key_encryptor.decrypt_and_verify(File.read(config_path_original))).to eq('sample-content1')
expect(both_key_encryptor.decrypt_and_verify(File.read(config_path_original))).to eq('sample-content1')
expect(latest_key_encryptor.decrypt_and_verify(File.read(config_path_latest))).to eq('sample-content2')
expect(both_key_encryptor.decrypt_and_verify(File.read(config_path_latest))).to eq('sample-content2')
expect { original_key_encryptor.decrypt_and_verify(File.read(config_path_latest)) }.to raise_error(ActiveSupport::MessageEncryptor::InvalidMessage)
end
end
describe '#read' do
it 'supports reading using rotated config' do
described_class.new(content_path: config_path_original, base_key: credential_key_original).write({ foo: { bar: true } }.to_yaml)
config = described_class.new(content_path: config_path_original, base_key: credential_key_latest, previous_keys: [credential_key_original])
expect(config[:foo][:bar]).to be true
end
end
end
end
end