Merge pull request #488 from smallstep/cloudkms-error

CloudKMS signer with errors
This commit is contained in:
Mariano Cano 2021-02-22 12:31:28 -08:00 committed by GitHub
commit abda738a12
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 86 additions and 49 deletions

View file

@ -140,8 +140,7 @@ func (k *CloudKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signer,
if req.SigningKey == "" { if req.SigningKey == "" {
return nil, errors.New("signing key cannot be empty") return nil, errors.New("signing key cannot be empty")
} }
return NewSigner(k.client, req.SigningKey)
return NewSigner(k.client, req.SigningKey), nil
} }
// CreateKey creates in Google's Cloud KMS a new asymmetric key for signing. // CreateKey creates in Google's Cloud KMS a new asymmetric key for signing.

View file

@ -165,6 +165,15 @@ func TestCloudKMS_Close(t *testing.T) {
func TestCloudKMS_CreateSigner(t *testing.T) { func TestCloudKMS_CreateSigner(t *testing.T) {
keyName := "projects/p/locations/l/keyRings/k/cryptoKeys/c/cryptoKeyVersions/1" keyName := "projects/p/locations/l/keyRings/k/cryptoKeys/c/cryptoKeyVersions/1"
pemBytes, err := ioutil.ReadFile("testdata/pub.pem")
if err != nil {
t.Fatal(err)
}
pk, err := pemutil.ParseKey(pemBytes)
if err != nil {
t.Fatal(err)
}
type fields struct { type fields struct {
client KeyManagementClient client KeyManagementClient
} }
@ -178,8 +187,16 @@ func TestCloudKMS_CreateSigner(t *testing.T) {
want crypto.Signer want crypto.Signer
wantErr bool wantErr bool
}{ }{
{"ok", fields{&MockClient{}}, args{&apiv1.CreateSignerRequest{SigningKey: keyName}}, &Signer{client: &MockClient{}, signingKey: keyName}, false}, {"ok", fields{&MockClient{
{"fail", fields{&MockClient{}}, args{&apiv1.CreateSignerRequest{SigningKey: ""}}, nil, true}, getPublicKey: func(_ context.Context, _ *kmspb.GetPublicKeyRequest, _ ...gax.CallOption) (*kmspb.PublicKey, error) {
return &kmspb.PublicKey{Pem: string(pemBytes)}, nil
},
}}, args{&apiv1.CreateSignerRequest{SigningKey: keyName}}, &Signer{client: &MockClient{}, signingKey: keyName, publicKey: pk}, false},
{"fail", fields{&MockClient{
getPublicKey: func(_ context.Context, _ *kmspb.GetPublicKeyRequest, _ ...gax.CallOption) (*kmspb.PublicKey, error) {
return nil, fmt.Errorf("test error")
},
}}, args{&apiv1.CreateSignerRequest{SigningKey: ""}}, nil, true},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
@ -191,6 +208,9 @@ func TestCloudKMS_CreateSigner(t *testing.T) {
t.Errorf("CloudKMS.CreateSigner() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("CloudKMS.CreateSigner() error = %v, wantErr %v", err, tt.wantErr)
return return
} }
if signer, ok := got.(*Signer); ok {
signer.client = &MockClient{}
}
if !reflect.DeepEqual(got, tt.want) { if !reflect.DeepEqual(got, tt.want) {
t.Errorf("CloudKMS.CreateSigner() = %v, want %v", got, tt.want) t.Errorf("CloudKMS.CreateSigner() = %v, want %v", got, tt.want)
} }

View file

@ -13,33 +13,41 @@ import (
type Signer struct { type Signer struct {
client KeyManagementClient client KeyManagementClient
signingKey string signingKey string
publicKey crypto.PublicKey
} }
func NewSigner(c KeyManagementClient, signingKey string) *Signer { // NewSigner creates a new crypto.Signer the given CloudKMS signing key.
return &Signer{ func NewSigner(c KeyManagementClient, signingKey string) (*Signer, error) {
// Make sure that the key exists.
signer := &Signer{
client: c, client: c,
signingKey: signingKey, signingKey: signingKey,
} }
if err := signer.preloadKey(signingKey); err != nil {
return nil, err
} }
// Public returns the public key of this signer or an error. return signer, nil
func (s *Signer) Public() crypto.PublicKey { }
func (s *Signer) preloadKey(signingKey string) error {
ctx, cancel := defaultContext() ctx, cancel := defaultContext()
defer cancel() defer cancel()
response, err := s.client.GetPublicKey(ctx, &kmspb.GetPublicKeyRequest{ response, err := s.client.GetPublicKey(ctx, &kmspb.GetPublicKeyRequest{
Name: s.signingKey, Name: signingKey,
}) })
if err != nil { if err != nil {
return errors.Wrap(err, "cloudKMS GetPublicKey failed") return errors.Wrap(err, "cloudKMS GetPublicKey failed")
} }
pk, err := pemutil.ParseKey([]byte(response.Pem)) s.publicKey, err = pemutil.ParseKey([]byte(response.Pem))
if err != nil {
return err return err
} }
return pk // Public returns the public key of this signer or an error.
func (s *Signer) Public() crypto.PublicKey {
return s.publicKey
} }
// Sign signs digest with the private key stored in Google's Cloud KMS. // Sign signs digest with the private key stored in Google's Cloud KMS.

View file

@ -16,6 +16,15 @@ import (
) )
func Test_newSigner(t *testing.T) { func Test_newSigner(t *testing.T) {
pemBytes, err := ioutil.ReadFile("testdata/pub.pem")
if err != nil {
t.Fatal(err)
}
pk, err := pemutil.ParseKey(pemBytes)
if err != nil {
t.Fatal(err)
}
type args struct { type args struct {
c KeyManagementClient c KeyManagementClient
signingKey string signingKey string
@ -24,22 +33,42 @@ func Test_newSigner(t *testing.T) {
name string name string
args args args args
want *Signer want *Signer
wantErr bool
}{ }{
{"ok", args{&MockClient{}, "signingKey"}, &Signer{client: &MockClient{}, signingKey: "signingKey"}}, {"ok", args{&MockClient{
getPublicKey: func(_ context.Context, _ *kmspb.GetPublicKeyRequest, _ ...gax.CallOption) (*kmspb.PublicKey, error) {
return &kmspb.PublicKey{Pem: string(pemBytes)}, nil
},
}, "signingKey"}, &Signer{client: &MockClient{}, signingKey: "signingKey", publicKey: pk}, false},
{"fail get public key", args{&MockClient{
getPublicKey: func(_ context.Context, _ *kmspb.GetPublicKeyRequest, _ ...gax.CallOption) (*kmspb.PublicKey, error) {
return nil, fmt.Errorf("an error")
},
}, "signingKey"}, nil, true},
{"fail parse pem", args{&MockClient{
getPublicKey: func(_ context.Context, _ *kmspb.GetPublicKeyRequest, _ ...gax.CallOption) (*kmspb.PublicKey, error) {
return &kmspb.PublicKey{Pem: string("bad pem")}, nil
},
}, "signingKey"}, nil, true},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
if got := NewSigner(tt.args.c, tt.args.signingKey); !reflect.DeepEqual(got, tt.want) { got, err := NewSigner(tt.args.c, tt.args.signingKey)
t.Errorf("newSigner() = %v, want %v", got, tt.want) if (err != nil) != tt.wantErr {
t.Errorf("NewSigner() error = %v, wantErr %v", err, tt.wantErr)
return
}
if got != nil {
got.client = &MockClient{}
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("NewSigner() = %v, want %v", got, tt.want)
} }
}) })
} }
} }
func Test_signer_Public(t *testing.T) { func Test_signer_Public(t *testing.T) {
keyName := "projects/p/locations/l/keyRings/k/cryptoKeys/c/cryptoKeyVersions/1"
testError := fmt.Errorf("an error")
pemBytes, err := ioutil.ReadFile("testdata/pub.pem") pemBytes, err := ioutil.ReadFile("testdata/pub.pem")
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@ -52,42 +81,23 @@ func Test_signer_Public(t *testing.T) {
type fields struct { type fields struct {
client KeyManagementClient client KeyManagementClient
signingKey string signingKey string
publicKey crypto.PublicKey
} }
tests := []struct { tests := []struct {
name string name string
fields fields fields fields
want crypto.PublicKey want crypto.PublicKey
wantErr bool
}{ }{
{"ok", fields{&MockClient{ {"ok", fields{&MockClient{}, "signingKey", pk}, pk},
getPublicKey: func(_ context.Context, _ *kmspb.GetPublicKeyRequest, _ ...gax.CallOption) (*kmspb.PublicKey, error) {
return &kmspb.PublicKey{Pem: string(pemBytes)}, nil
},
}, keyName}, pk, false},
{"fail get public key", fields{&MockClient{
getPublicKey: func(_ context.Context, _ *kmspb.GetPublicKeyRequest, _ ...gax.CallOption) (*kmspb.PublicKey, error) {
return nil, testError
},
}, keyName}, nil, true},
{"fail parse pem", fields{
&MockClient{
getPublicKey: func(_ context.Context, _ *kmspb.GetPublicKeyRequest, _ ...gax.CallOption) (*kmspb.PublicKey, error) {
return &kmspb.PublicKey{Pem: string("bad pem")}, nil
},
}, keyName}, nil, true},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
s := &Signer{ s := &Signer{
client: tt.fields.client, client: tt.fields.client,
signingKey: tt.fields.signingKey, signingKey: tt.fields.signingKey,
publicKey: tt.fields.publicKey,
} }
got := s.Public() if got := s.Public(); !reflect.DeepEqual(got, tt.want) {
if _, ok := got.(error); ok != tt.wantErr {
t.Errorf("signer.Public() error = %v, wantErr %v", got, tt.wantErr)
return
}
if !tt.wantErr && !reflect.DeepEqual(got, tt.want) {
t.Errorf("signer.Public() = %v, want %v", got, tt.want) t.Errorf("signer.Public() = %v, want %v", got, tt.want)
} }
}) })