From ca4ae7cb9f99d4a9f0b0d2e6a788cf566b0cba2e Mon Sep 17 00:00:00 2001 From: Kalpesh Pandya Date: Mon, 21 Jun 2021 15:47:09 +0530 Subject: [PATCH] src/rgw: DPP addition to rgw_kms.cc Signed-off-by: Kalpesh Pandya --- src/rgw/rgw_kms.cc | 161 ++++++++++++++++++----------------- src/rgw/rgw_kms.h | 2 +- src/test/rgw/test_rgw_kms.cc | 46 +++++----- 3 files changed, 111 insertions(+), 98 deletions(-) diff --git a/src/rgw/rgw_kms.cc b/src/rgw/rgw_kms.cc index 4d024641620d5..fb6e897c75661 100644 --- a/src/rgw/rgw_kms.cc +++ b/src/rgw/rgw_kms.cc @@ -165,25 +165,25 @@ class VaultSecretEngine: public SecretEngine { protected: CephContext *cct; - int load_token_from_file(std::string *vault_token) + int load_token_from_file(const DoutPrefixProvider *dpp, std::string *vault_token) { int res = 0; std::string token_file = cct->_conf->rgw_crypt_vault_token_file; if (token_file.empty()) { - ldout(cct, 0) << "ERROR: Vault token file not set in rgw_crypt_vault_token_file" << dendl; + ldpp_dout(dpp, 0) << "ERROR: Vault token file not set in rgw_crypt_vault_token_file" << dendl; return -EINVAL; } - ldout(cct, 20) << "Vault token file: " << token_file << dendl; + ldpp_dout(dpp, 20) << "Vault token file: " << token_file << dendl; struct stat token_st; if (stat(token_file.c_str(), &token_st) != 0) { - ldout(cct, 0) << "ERROR: Vault token file '" << token_file << "' not found " << dendl; + ldpp_dout(dpp, 0) << "ERROR: Vault token file '" << token_file << "' not found " << dendl; return -ENOENT; } if (token_st.st_mode & (S_IRWXG | S_IRWXO)) { - ldout(cct, 0) << "ERROR: Vault token file '" << token_file << "' permissions are " + ldpp_dout(dpp, 0) << "ERROR: Vault token file '" << token_file << "' permissions are " << "too open, it must not be accessible by other users" << dendl; return -EACCES; } @@ -192,9 +192,9 @@ protected: res = safe_read_file("", token_file.c_str(), buf, sizeof(buf)); if (res < 0) { if (-EACCES == res) { - ldout(cct, 0) << "ERROR: Permission denied reading Vault token file" << dendl; + ldpp_dout(dpp, 0) << "ERROR: Permission denied reading Vault token file" << dendl; } else { - ldout(cct, 0) << "ERROR: Failed to read Vault token file with error " << res << dendl; + ldpp_dout(dpp, 0) << "ERROR: Failed to read Vault token file with error " << res << dendl; } return res; } @@ -209,7 +209,7 @@ protected: } FORTEST_VIRTUAL - int send_request(const char *method, std::string_view infix, + int send_request(const DoutPrefixProvider *dpp, const char *method, std::string_view infix, std::string_view key_id, const std::string& postdata, bufferlist &secret_bl) @@ -217,8 +217,8 @@ protected: int res; string vault_token = ""; if (RGW_SSE_KMS_VAULT_AUTH_TOKEN == cct->_conf->rgw_crypt_vault_auth){ - ldout(cct, 0) << "Loading Vault Token from filesystem" << dendl; - res = load_token_from_file(&vault_token); + ldpp_dout(dpp, 0) << "Loading Vault Token from filesystem" << dendl; + res = load_token_from_file(dpp, &vault_token); if (res < 0){ return res; } @@ -226,7 +226,7 @@ protected: std::string secret_url = cct->_conf->rgw_crypt_vault_addr; if (secret_url.empty()) { - ldout(cct, 0) << "ERROR: Vault address not set in rgw_crypt_vault_addr" << dendl; + ldpp_dout(dpp, 0) << "ERROR: Vault address not set in rgw_crypt_vault_addr" << dendl; return -EINVAL; } @@ -249,7 +249,7 @@ protected: string vault_namespace = cct->_conf->rgw_crypt_vault_namespace; if (!vault_namespace.empty()){ - ldout(cct, 20) << "Vault Namespace: " << vault_namespace << dendl; + ldpp_dout(dpp, 20) << "Vault Namespace: " << vault_namespace << dendl; secret_req.append_header("X-Vault-Namespace", vault_namespace); } @@ -268,32 +268,32 @@ protected: res = secret_req.process(null_yield); if (res < 0) { - ldout(cct, 0) << "ERROR: Request to Vault failed with error " << res << dendl; + ldpp_dout(dpp, 0) << "ERROR: Request to Vault failed with error " << res << dendl; return res; } if (secret_req.get_http_status() == RGWHTTPTransceiver::HTTP_STATUS_UNAUTHORIZED) { - ldout(cct, 0) << "ERROR: Vault request failed authorization" << dendl; + ldpp_dout(dpp, 0) << "ERROR: Vault request failed authorization" << dendl; return -EACCES; } - ldout(cct, 20) << "Request to Vault returned " << res << " and HTTP status " + ldpp_dout(dpp, 20) << "Request to Vault returned " << res << " and HTTP status " << secret_req.get_http_status() << dendl; return res; } - int send_request(std::string_view key_id, bufferlist &secret_bl) + int send_request(const DoutPrefixProvider *dpp, std::string_view key_id, bufferlist &secret_bl) { - return send_request("GET", "", key_id, string{}, secret_bl); + return send_request(dpp, "GET", "", key_id, string{}, secret_bl); } - int decode_secret(std::string encoded, std::string& actual_key){ + int decode_secret(const DoutPrefixProvider *dpp, std::string encoded, std::string& actual_key){ try { actual_key = from_base64(encoded); } catch (std::exception&) { - ldout(cct, 0) << "ERROR: Failed to base64 decode key retrieved from Vault" << dendl; + ldpp_dout(dpp, 0) << "ERROR: Failed to base64 decode key retrieved from Vault" << dendl; return -EINVAL; } memset(encoded.data(), 0, encoded.length()); @@ -364,7 +364,7 @@ public: } } - int get_key(std::string_view key_id, std::string& actual_key) + int get_key(const DoutPrefixProvider *dpp, std::string_view key_id, std::string& actual_key) { ZeroPoolDocument d; ZeroPoolValue *v; @@ -372,24 +372,24 @@ public: bufferlist secret_bl; if (get_key_version(key_id, version) < 0){ - ldout(cct, 20) << "Missing or invalid key version" << dendl; + ldpp_dout(dpp, 20) << "Missing or invalid key version" << dendl; return -EINVAL; } - int res = send_request("GET", compat == COMPAT_ONLY_OLD ? "" : "/export/encryption-key", + int res = send_request(dpp, "GET", compat == COMPAT_ONLY_OLD ? "" : "/export/encryption-key", key_id, string{}, secret_bl); if (res < 0) { return res; } - ldout(cct, 20) << "Parse response into JSON Object" << dendl; + ldpp_dout(dpp, 20) << "Parse response into JSON Object" << dendl; secret_bl.append('\0'); rapidjson::StringStream isw(secret_bl.c_str()); d.ParseStream<>(isw); if (d.HasParseError()) { - ldout(cct, 0) << "ERROR: Failed to parse JSON response from Vault: " + ldpp_dout(dpp, 0) << "ERROR: Failed to parse JSON response from Vault: " << rapidjson::GetParseError_En(d.GetParseError()) << dendl; return -EINVAL; } @@ -411,18 +411,18 @@ public: v = &itr->value; } if (!v || !v->IsString()) { - ldout(cct, 0) << "ERROR: Key not found in JSON response from Vault using Transit Engine" << dendl; + ldpp_dout(dpp, 0) << "ERROR: Key not found in JSON response from Vault using Transit Engine" << dendl; return -EINVAL; } - return decode_secret(v->GetString(), actual_key); + return decode_secret(dpp, v->GetString(), actual_key); } - int make_actual_key(map& attrs, std::string& actual_key) + int make_actual_key(const DoutPrefixProvider *dpp, map& attrs, std::string& actual_key) { std::string key_id = get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYID); - if (compat == COMPAT_ONLY_OLD) return get_key(key_id, actual_key); + if (compat == COMPAT_ONLY_OLD) return get_key(dpp, key_id, actual_key); if (key_id.find("/") != std::string::npos) { - ldout(cct, 0) << "sorry, can't allow / in keyid" << dendl; + ldpp_dout(dpp, 0) << "sorry, can't allow / in keyid" << dendl; return -EINVAL; } /* @@ -441,18 +441,18 @@ public: rapidjson::StringBuffer buf; rapidjson::Writer writer(buf); if (!d.Accept(writer)) { - ldout(cct, 0) << "ERROR: can't make json for vault" << dendl; + ldpp_dout(dpp, 0) << "ERROR: can't make json for vault" << dendl; return -EINVAL; } std::string post_data { buf.GetString() }; - int res = send_request("POST", "/datakey/plaintext/", key_id, + int res = send_request(dpp, "POST", "/datakey/plaintext/", key_id, post_data, secret_bl); if (res < 0) { return res; } - ldout(cct, 20) << "Parse response into JSON Object" << dendl; + ldpp_dout(dpp, 20) << "Parse response into JSON Object" << dendl; secret_bl.append('\0'); rapidjson::StringStream isw(secret_bl.c_str()); @@ -460,53 +460,53 @@ public: d.ParseStream<>(isw); if (d.HasParseError()) { - ldout(cct, 0) << "ERROR: Failed to parse JSON response from Vault: " + ldpp_dout(dpp, 0) << "ERROR: Failed to parse JSON response from Vault: " << rapidjson::GetParseError_En(d.GetParseError()) << dendl; return -EINVAL; } secret_bl.zero(); if (!d.IsObject()) { - ldout(cct, 0) << "ERROR: response from Vault is not an object" << dendl; + ldpp_dout(dpp, 0) << "ERROR: response from Vault is not an object" << dendl; return -EINVAL; } { auto data_itr { d.FindMember("data") }; if (data_itr == d.MemberEnd()) { - ldout(cct, 0) << "ERROR: no .data in response from Vault" << dendl; + ldpp_dout(dpp, 0) << "ERROR: no .data in response from Vault" << dendl; return -EINVAL; } auto ciphertext_itr { data_itr->value.FindMember("ciphertext") }; auto plaintext_itr { data_itr->value.FindMember("plaintext") }; if (ciphertext_itr == data_itr->value.MemberEnd()) { - ldout(cct, 0) << "ERROR: no .data.ciphertext in response from Vault" << dendl; + ldpp_dout(dpp, 0) << "ERROR: no .data.ciphertext in response from Vault" << dendl; return -EINVAL; } if (plaintext_itr == data_itr->value.MemberEnd()) { - ldout(cct, 0) << "ERROR: no .data.plaintext in response from Vault" << dendl; + ldpp_dout(dpp, 0) << "ERROR: no .data.plaintext in response from Vault" << dendl; return -EINVAL; } auto &ciphertext_v { ciphertext_itr->value }; auto &plaintext_v { plaintext_itr->value }; if (!ciphertext_v.IsString()) { - ldout(cct, 0) << "ERROR: .data.ciphertext not a string in response from Vault" << dendl; + ldpp_dout(dpp, 0) << "ERROR: .data.ciphertext not a string in response from Vault" << dendl; return -EINVAL; } if (!plaintext_v.IsString()) { - ldout(cct, 0) << "ERROR: .data.plaintext not a string in response from Vault" << dendl; + ldpp_dout(dpp, 0) << "ERROR: .data.plaintext not a string in response from Vault" << dendl; return -EINVAL; } set_attr(attrs, RGW_ATTR_CRYPT_DATAKEY, ciphertext_v.GetString()); - return decode_secret(plaintext_v.GetString(), actual_key); + return decode_secret(dpp, plaintext_v.GetString(), actual_key); } } - int reconstitute_actual_key(map& attrs, std::string& actual_key) + int reconstitute_actual_key(const DoutPrefixProvider *dpp, map& attrs, std::string& actual_key) { std::string key_id = get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYID); std::string wrapped_key = get_str_attribute(attrs, RGW_ATTR_CRYPT_DATAKEY); if (compat == COMPAT_ONLY_OLD || key_id.rfind("/") != std::string::npos) { - return get_key(key_id, actual_key); + return get_key(dpp, key_id, actual_key); } /* .data.ciphertext <- (to-be) named attribute @@ -525,18 +525,18 @@ public: rapidjson::StringBuffer buf; rapidjson::Writer writer(buf); if (!d.Accept(writer)) { - ldout(cct, 0) << "ERROR: can't make json for vault" << dendl; + ldpp_dout(dpp, 0) << "ERROR: can't make json for vault" << dendl; return -EINVAL; } std::string post_data { buf.GetString() }; - int res = send_request("POST", "/decrypt/", key_id, + int res = send_request(dpp, "POST", "/decrypt/", key_id, post_data, secret_bl); if (res < 0) { return res; } - ldout(cct, 20) << "Parse response into JSON Object" << dendl; + ldpp_dout(dpp, 20) << "Parse response into JSON Object" << dendl; secret_bl.append('\0'); rapidjson::StringStream isw(secret_bl.c_str()); @@ -544,33 +544,33 @@ public: d.ParseStream<>(isw); if (d.HasParseError()) { - ldout(cct, 0) << "ERROR: Failed to parse JSON response from Vault: " + ldpp_dout(dpp, 0) << "ERROR: Failed to parse JSON response from Vault: " << rapidjson::GetParseError_En(d.GetParseError()) << dendl; return -EINVAL; } secret_bl.zero(); if (!d.IsObject()) { - ldout(cct, 0) << "ERROR: response from Vault is not an object" << dendl; + ldpp_dout(dpp, 0) << "ERROR: response from Vault is not an object" << dendl; return -EINVAL; } { auto data_itr { d.FindMember("data") }; if (data_itr == d.MemberEnd()) { - ldout(cct, 0) << "ERROR: no .data in response from Vault" << dendl; + ldpp_dout(dpp, 0) << "ERROR: no .data in response from Vault" << dendl; return -EINVAL; } auto plaintext_itr { data_itr->value.FindMember("plaintext") }; if (plaintext_itr == data_itr->value.MemberEnd()) { - ldout(cct, 0) << "ERROR: no .data.plaintext in response from Vault" << dendl; + ldpp_dout(dpp, 0) << "ERROR: no .data.plaintext in response from Vault" << dendl; return -EINVAL; } auto &plaintext_v { plaintext_itr->value }; if (!plaintext_v.IsString()) { - ldout(cct, 0) << "ERROR: .data.plaintext not a string in response from Vault" << dendl; + ldpp_dout(dpp, 0) << "ERROR: .data.plaintext not a string in response from Vault" << dendl; return -EINVAL; } - return decode_secret(plaintext_v.GetString(), actual_key); + return decode_secret(dpp, plaintext_v.GetString(), actual_key); } } }; @@ -587,24 +587,24 @@ public: virtual ~KvSecretEngine(){} - int get_key(std::string_view key_id, std::string& actual_key){ + int get_key(const DoutPrefixProvider *dpp, std::string_view key_id, std::string& actual_key){ ZeroPoolDocument d; ZeroPoolValue *v; bufferlist secret_bl; - int res = send_request(key_id, secret_bl); + int res = send_request(dpp, key_id, secret_bl); if (res < 0) { return res; } - ldout(cct, 20) << "Parse response into JSON Object" << dendl; + ldpp_dout(dpp, 20) << "Parse response into JSON Object" << dendl; secret_bl.append('\0'); rapidjson::StringStream isw(secret_bl.c_str()); d.ParseStream<>(isw); if (d.HasParseError()) { - ldout(cct, 0) << "ERROR: Failed to parse JSON response from Vault: " + ldpp_dout(dpp, 0) << "ERROR: Failed to parse JSON response from Vault: " << rapidjson::GetParseError_En(d.GetParseError()) << dendl; return -EINVAL; } @@ -626,10 +626,10 @@ public: v = &itr->value; } if (!v || !v->IsString()) { - ldout(cct, 0) << "ERROR: Key not found in JSON response from Vault using KV Engine" << dendl; + ldpp_dout(dpp, 0) << "ERROR: Key not found in JSON response from Vault using KV Engine" << dendl; return -EINVAL; } - return decode_secret(v->GetString(), actual_key); + return decode_secret(dpp, v->GetString(), actual_key); } }; @@ -722,7 +722,7 @@ public: this->cct = cct; } - int get_key(std::string_view key_id, std::string& actual_key) + int get_key(const DoutPrefixProvider *dpp, std::string_view key_id, std::string& actual_key) { int r; r = KmipGetTheKey{cct} @@ -785,7 +785,8 @@ static int get_actual_key_from_conf(const DoutPrefixProvider* dpp, return res; } -static int request_key_from_barbican(CephContext *cct, +static int request_key_from_barbican(const DoutPrefixProvider *dpp, + CephContext *cct, std::string_view key_id, const std::string& barbican_token, std::string& actual_key) { @@ -793,7 +794,7 @@ static int request_key_from_barbican(CephContext *cct, std::string secret_url = cct->_conf->rgw_barbican_url; if (secret_url.empty()) { - ldout(cct, 0) << "ERROR: conf rgw_barbican_url is not set" << dendl; + ldpp_dout(dpp, 0) << "ERROR: conf rgw_barbican_url is not set" << dendl; return -EINVAL; } concat_url(secret_url, "/v1/secrets/"); @@ -837,7 +838,7 @@ static int get_actual_key_from_barbican(const DoutPrefixProvider *dpp, return -EINVAL; } - res = request_key_from_barbican(cct, key_id, token, actual_key); + res = request_key_from_barbican(dpp, cct, key_id, token, actual_key); if (res != 0) { ldpp_dout(dpp, 5) << "Failed to retrieve secret from Barbican:" << key_id << dendl; } @@ -881,7 +882,8 @@ std::string config_to_engine_and_parms(CephContext *cct, } -static int get_actual_key_from_vault(CephContext *cct, +static int get_actual_key_from_vault(const DoutPrefixProvider *dpp, + CephContext *cct, map& attrs, std::string& actual_key, bool make_it) { @@ -890,45 +892,48 @@ static int get_actual_key_from_vault(CephContext *cct, auto secret_engine { config_to_engine_and_parms( cct, "rgw_crypt_vault_secret_engine", secret_engine_str, secret_engine_parms) }; - ldout(cct, 20) << "Vault authentication method: " << cct->_conf->rgw_crypt_vault_auth << dendl; - ldout(cct, 20) << "Vault Secrets Engine: " << secret_engine << dendl; + ldpp_dout(dpp, 20) << "Vault authentication method: " << cct->_conf->rgw_crypt_vault_auth << dendl; + ldpp_dout(dpp, 20) << "Vault Secrets Engine: " << secret_engine << dendl; if (RGW_SSE_KMS_VAULT_SE_KV == secret_engine){ std::string key_id = get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYID); KvSecretEngine engine(cct, std::move(secret_engine_parms)); - return engine.get_key(key_id, actual_key); + return engine.get_key(dpp, key_id, actual_key); } else if (RGW_SSE_KMS_VAULT_SE_TRANSIT == secret_engine){ TransitSecretEngine engine(cct, std::move(secret_engine_parms)); std::string key_id = get_str_attribute(attrs, RGW_ATTR_CRYPT_KEYID); return make_it - ? engine.make_actual_key(attrs, actual_key) - : engine.reconstitute_actual_key(attrs, actual_key); + ? engine.make_actual_key(dpp, attrs, actual_key) + : engine.reconstitute_actual_key(dpp, attrs, actual_key); } else { - ldout(cct, 0) << "Missing or invalid secret engine" << dendl; + ldpp_dout(dpp, 0) << "Missing or invalid secret engine" << dendl; return -EINVAL; } } -static int make_actual_key_from_vault(CephContext *cct, +static int make_actual_key_from_vault(const DoutPrefixProvider *dpp, + CephContext *cct, map& attrs, std::string& actual_key) { - return get_actual_key_from_vault(cct, attrs, actual_key, true); + return get_actual_key_from_vault(dpp, cct, attrs, actual_key, true); } -static int reconstitute_actual_key_from_vault(CephContext *cct, +static int reconstitute_actual_key_from_vault(const DoutPrefixProvider *dpp, + CephContext *cct, map& attrs, std::string& actual_key) { - return get_actual_key_from_vault(cct, attrs, actual_key, false); + return get_actual_key_from_vault(dpp, cct, attrs, actual_key, false); } -static int get_actual_key_from_kmip(CephContext *cct, +static int get_actual_key_from_kmip(const DoutPrefixProvider *dpp, + CephContext *cct, std::string_view key_id, std::string& actual_key) { @@ -936,10 +941,10 @@ static int get_actual_key_from_kmip(CephContext *cct, if (RGW_SSE_KMS_KMIP_SE_KV == secret_engine){ KmipSecretEngine engine(cct); - return engine.get_key(key_id, actual_key); + return engine.get_key(dpp, key_id, actual_key); } else{ - ldout(cct, 0) << "Missing or invalid secret engine" << dendl; + ldpp_dout(dpp, 0) << "Missing or invalid secret engine" << dendl; return -EINVAL; } } @@ -960,11 +965,11 @@ int reconstitute_actual_key_from_kms(const DoutPrefixProvider *dpp, CephContext } if (RGW_SSE_KMS_BACKEND_VAULT == kms_backend) { - return reconstitute_actual_key_from_vault(cct, attrs, actual_key); + return reconstitute_actual_key_from_vault(dpp, cct, attrs, actual_key); } if (RGW_SSE_KMS_BACKEND_KMIP == kms_backend) { - return get_actual_key_from_kmip(cct, key_id, actual_key); + return get_actual_key_from_kmip(dpp, cct, key_id, actual_key); } if (RGW_SSE_KMS_BACKEND_TESTING == kms_backend) { @@ -982,6 +987,6 @@ int make_actual_key_from_kms(const DoutPrefixProvider *dpp, CephContext *cct, { std::string kms_backend { cct->_conf->rgw_crypt_s3_kms_backend }; if (RGW_SSE_KMS_BACKEND_VAULT == kms_backend) - return make_actual_key_from_vault(cct, attrs, actual_key); + return make_actual_key_from_vault(dpp, cct, attrs, actual_key); return reconstitute_actual_key_from_kms(dpp, cct, attrs, actual_key); } diff --git a/src/rgw/rgw_kms.h b/src/rgw/rgw_kms.h index 60d0e2113e1c9..58f2d8728438a 100644 --- a/src/rgw/rgw_kms.h +++ b/src/rgw/rgw_kms.h @@ -46,7 +46,7 @@ int reconstitute_actual_key_from_kms(const DoutPrefixProvider *dpp, CephContext class SecretEngine { public: - virtual int get_key(std::string_view key_id, std::string& actual_key) = 0; + virtual int get_key(const DoutPrefixProvider *dpp, std::string_view key_id, std::string& actual_key) = 0; virtual ~SecretEngine(){}; }; #endif diff --git a/src/test/rgw/test_rgw_kms.cc b/src/test/rgw/test_rgw_kms.cc index c1e36ad215a89..02b6604b69823 100644 --- a/src/test/rgw/test_rgw_kms.cc +++ b/src/test/rgw/test_rgw_kms.cc @@ -20,7 +20,7 @@ class MockTransitSecretEngine : public TransitSecretEngine { public: MockTransitSecretEngine(CephContext *cct, EngineParmMap parms) : TransitSecretEngine(cct, parms){} - MOCK_METHOD(int, send_request, (const char *method, std::string_view infix, std::string_view key_id, const std::string& postdata, bufferlist &bl), (override)); + MOCK_METHOD(int, send_request, (const DoutPrefixProvider *dpp, const char *method, std::string_view infix, std::string_view key_id, const std::string& postdata, bufferlist &bl), (override)); }; @@ -29,7 +29,7 @@ class MockKvSecretEngine : public KvSecretEngine { public: MockKvSecretEngine(CephContext *cct, EngineParmMap parms) : KvSecretEngine(cct, parms){} - MOCK_METHOD(int, send_request, (const char *method, std::string_view infix, std::string_view key_id, const std::string& postdata, bufferlist &bl), (override)); + MOCK_METHOD(int, send_request, (const DoutPrefixProvider *dpp, const char *method, std::string_view infix, std::string_view key_id, const std::string& postdata, bufferlist &bl), (override)); }; @@ -62,6 +62,7 @@ protected: TEST_F(TestSSEKMS, vault_token_file_unset) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); cct->_conf.set_val("rgw_crypt_vault_auth", "token"); EngineParmMap old_parms, kv_parms; TransitSecretEngine te(cct, std::move(old_parms)); @@ -70,13 +71,14 @@ TEST_F(TestSSEKMS, vault_token_file_unset) std::string_view key_id("my_key"); std::string actual_key; - ASSERT_EQ(te.get_key(key_id, actual_key), -EINVAL); - ASSERT_EQ(kv.get_key(key_id, actual_key), -EINVAL); + ASSERT_EQ(te.get_key(&no_dpp, key_id, actual_key), -EINVAL); + ASSERT_EQ(kv.get_key(&no_dpp, key_id, actual_key), -EINVAL); } TEST_F(TestSSEKMS, non_existent_vault_token_file) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); cct->_conf.set_val("rgw_crypt_vault_auth", "token"); cct->_conf.set_val("rgw_crypt_vault_token_file", "/nonexistent/file"); EngineParmMap old_parms, kv_parms; @@ -86,8 +88,8 @@ TEST_F(TestSSEKMS, non_existent_vault_token_file) std::string_view key_id("my_key/1"); std::string actual_key; - ASSERT_EQ(te.get_key(key_id, actual_key), -ENOENT); - ASSERT_EQ(kv.get_key(key_id, actual_key), -ENOENT); + ASSERT_EQ(te.get_key(&no_dpp, key_id, actual_key), -ENOENT); + ASSERT_EQ(kv.get_key(&no_dpp, key_id, actual_key), -ENOENT); } @@ -129,8 +131,9 @@ Action SetPointedValue(std::string json) { TEST_F(TestSSEKMS, test_transit_key_version_extraction){ + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); string json = R"({"data": {"keys": {"6": "8qgPWvdtf6zrriS5+nkOzDJ14IGVR6Bgkub5dJn6qeg="}}})"; - EXPECT_CALL(*old_engine, send_request(StrEq("GET"), StrEq(""), StrEq("1/2/3/4/5/6"), StrEq(""), _)).WillOnce(SetPointedValue(json)); + EXPECT_CALL(*old_engine, send_request(&no_dpp, StrEq("GET"), StrEq(""), StrEq("1/2/3/4/5/6"), StrEq(""), _)).WillOnce(SetPointedValue(json)); std::string actual_key; std::string tests[11] {"/", "my_key/", "my_key", "", "my_key/a", "my_key/1a", @@ -139,11 +142,11 @@ TEST_F(TestSSEKMS, test_transit_key_version_extraction){ int res; for (const auto &test: tests) { - res = old_engine->get_key(std::string_view(test), actual_key); + res = old_engine->get_key(&no_dpp, std::string_view(test), actual_key); ASSERT_EQ(res, -EINVAL); } - res = old_engine->get_key(std::string_view("1/2/3/4/5/6"), actual_key); + res = old_engine->get_key(&no_dpp, std::string_view("1/2/3/4/5/6"), actual_key); ASSERT_EQ(res, 0); ASSERT_EQ(actual_key, from_base64("8qgPWvdtf6zrriS5+nkOzDJ14IGVR6Bgkub5dJn6qeg=")); } @@ -151,14 +154,15 @@ TEST_F(TestSSEKMS, test_transit_key_version_extraction){ TEST_F(TestSSEKMS, test_transit_backend){ + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); std::string_view my_key("my_key/1"); std::string actual_key; // Mocks the expected return Value from Vault Server using custom Argument Action string json = R"({"data": {"keys": {"1": "8qgPWvdtf6zrriS5+nkOzDJ14IGVR6Bgkub5dJn6qeg="}}})"; - EXPECT_CALL(*old_engine, send_request(StrEq("GET"), StrEq(""), StrEq("my_key/1"), StrEq(""), _)).WillOnce(SetPointedValue(json)); + EXPECT_CALL(*old_engine, send_request(&no_dpp, StrEq("GET"), StrEq(""), StrEq("my_key/1"), StrEq(""), _)).WillOnce(SetPointedValue(json)); - int res = old_engine->get_key(my_key, actual_key); + int res = old_engine->get_key(&no_dpp, my_key, actual_key); ASSERT_EQ(res, 0); ASSERT_EQ(actual_key, from_base64("8qgPWvdtf6zrriS5+nkOzDJ14IGVR6Bgkub5dJn6qeg=")); @@ -167,19 +171,20 @@ TEST_F(TestSSEKMS, test_transit_backend){ TEST_F(TestSSEKMS, test_transit_makekey){ + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); std::string_view my_key("my_key"); std::string actual_key; map attrs; // Mocks the expected return Value from Vault Server using custom Argument Action string post_json = R"({"data": {"ciphertext": "vault:v2:HbdxLnUztGVo+RseCIaYVn/4wEUiJNT6GQfw57KXQmhXVe7i1/kgLWegEPg1I6lexhIuXAM6Q2YvY0aZ","key_version": 1,"plaintext": "3xfTra/dsIf3TMa3mAT2IxPpM7YWm/NvUb4gDfSDX4g="}})"; - EXPECT_CALL(*transit_engine, send_request(StrEq("POST"), StrEq("/datakey/plaintext/"), StrEq("my_key"), _, _)) + EXPECT_CALL(*transit_engine, send_request(&no_dpp, StrEq("POST"), StrEq("/datakey/plaintext/"), StrEq("my_key"), _, _)) .WillOnce(SetPointedValue(post_json)); set_attr(attrs, RGW_ATTR_CRYPT_CONTEXT, R"({"aws:s3:arn": "fred"})"); set_attr(attrs, RGW_ATTR_CRYPT_KEYID, my_key); - int res = transit_engine->make_actual_key(attrs, actual_key); + int res = transit_engine->make_actual_key(&no_dpp, attrs, actual_key); std::string cipher_text { get_str_attribute(attrs,RGW_ATTR_CRYPT_DATAKEY) }; ASSERT_EQ(res, 0); @@ -189,6 +194,7 @@ TEST_F(TestSSEKMS, test_transit_makekey){ TEST_F(TestSSEKMS, test_transit_reconstitutekey){ + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); std::string_view my_key("my_key"); std::string actual_key; map attrs; @@ -196,13 +202,13 @@ TEST_F(TestSSEKMS, test_transit_reconstitutekey){ // Mocks the expected return Value from Vault Server using custom Argument Action set_attr(attrs, RGW_ATTR_CRYPT_DATAKEY, "vault:v2:HbdxLnUztGVo+RseCIaYVn/4wEUiJNT6GQfw57KXQmhXVe7i1/kgLWegEPg1I6lexhIuXAM6Q2YvY0aZ"); string post_json = R"({"data": {"key_version": 1,"plaintext": "3xfTra/dsIf3TMa3mAT2IxPpM7YWm/NvUb4gDfSDX4g="}})"; - EXPECT_CALL(*transit_engine, send_request(StrEq("POST"), StrEq("/decrypt/"), StrEq("my_key"), _, _)) + EXPECT_CALL(*transit_engine, send_request(&no_dpp, StrEq("POST"), StrEq("/decrypt/"), StrEq("my_key"), _, _)) .WillOnce(SetPointedValue(post_json)); set_attr(attrs, RGW_ATTR_CRYPT_CONTEXT, R"({"aws:s3:arn": "fred"})"); set_attr(attrs, RGW_ATTR_CRYPT_KEYID, my_key); - int res = transit_engine->reconstitute_actual_key(attrs, actual_key); + int res = transit_engine->reconstitute_actual_key(&no_dpp, attrs, actual_key); ASSERT_EQ(res, 0); ASSERT_EQ(actual_key, from_base64("3xfTra/dsIf3TMa3mAT2IxPpM7YWm/NvUb4gDfSDX4g=")); @@ -210,15 +216,16 @@ TEST_F(TestSSEKMS, test_transit_reconstitutekey){ TEST_F(TestSSEKMS, test_kv_backend){ + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); std::string_view my_key("my_key"); std::string actual_key; // Mocks the expected return value from Vault Server using custom Argument Action string json = R"({"data": {"data": {"key": "8qgPWvdtf6zrriS5+nkOzDJ14IGVR6Bgkub5dJn6qeg="}}})"; - EXPECT_CALL(*kv_engine, send_request(StrEq("GET"), StrEq(""), StrEq("my_key"), StrEq(""), _)) + EXPECT_CALL(*kv_engine, send_request(&no_dpp, StrEq("GET"), StrEq(""), StrEq("my_key"), StrEq(""), _)) .WillOnce(SetPointedValue(json)); - int res = kv_engine->get_key(my_key, actual_key); + int res = kv_engine->get_key(&no_dpp, my_key, actual_key); ASSERT_EQ(res, 0); ASSERT_EQ(actual_key, from_base64("8qgPWvdtf6zrriS5+nkOzDJ14IGVR6Bgkub5dJn6qeg=")); @@ -268,14 +275,15 @@ TEST_F(TestSSEKMS, string_ends_maybe_slash) TEST_F(TestSSEKMS, test_transit_backend_empty_response) { + const NoDoutPrefix no_dpp(g_ceph_context, dout_subsys); std::string_view my_key("/key/nonexistent/1"); std::string actual_key; // Mocks the expected return Value from Vault Server using custom Argument Action string json = R"({"errors": ["version does not exist or cannot be found"]})"; - EXPECT_CALL(*old_engine, send_request(StrEq("GET"), StrEq(""), StrEq("/key/nonexistent/1"), StrEq(""), _)).WillOnce(SetPointedValue(json)); + EXPECT_CALL(*old_engine, send_request(&no_dpp, StrEq("GET"), StrEq(""), StrEq("/key/nonexistent/1"), StrEq(""), _)).WillOnce(SetPointedValue(json)); - int res = old_engine->get_key(my_key, actual_key); + int res = old_engine->get_key(&no_dpp, my_key, actual_key); ASSERT_EQ(res, -EINVAL); ASSERT_EQ(actual_key, from_base64("")); -- 2.39.5