TestServerDBCrypt tests end-to-end encryption, decryption, and deletion of encrypted user data. nolint: paralleltest // use of t.Setenv
(t *testing.T)
| 27 | // |
| 28 | // nolint: paralleltest // use of t.Setenv |
| 29 | func TestServerDBCrypt(t *testing.T) { |
| 30 | ctx, cancel := context.WithCancel(context.Background()) |
| 31 | t.Cleanup(cancel) |
| 32 | |
| 33 | // Setup a postgres database. |
| 34 | connectionURL, err := dbtestutil.Open(t) |
| 35 | require.NoError(t, err) |
| 36 | t.Cleanup(func() { dbtestutil.DumpOnFailure(t, connectionURL) }) |
| 37 | |
| 38 | sqlDB, err := sql.Open("postgres", connectionURL) |
| 39 | require.NoError(t, err) |
| 40 | t.Cleanup(func() { |
| 41 | _ = sqlDB.Close() |
| 42 | }) |
| 43 | db := database.New(sqlDB) |
| 44 | |
| 45 | // Populate the database with some unencrypted data. |
| 46 | t.Log("Generating unencrypted data") |
| 47 | users := genData(t, db) |
| 48 | |
| 49 | // Setup an initial cipher A |
| 50 | keyA := testutil.MustRandString(t, 32) |
| 51 | cipherA, err := dbcrypt.NewCiphers([]byte(keyA)) |
| 52 | require.NoError(t, err) |
| 53 | |
| 54 | // Create an encrypted database |
| 55 | cryptdb, err := dbcrypt.New(ctx, db, cipherA...) |
| 56 | require.NoError(t, err) |
| 57 | |
| 58 | // Populate the database with some encrypted data using cipher A. |
| 59 | t.Log("Generating data encrypted with cipher A") |
| 60 | newUsers := genData(t, cryptdb) |
| 61 | |
| 62 | // Validate that newly created users were encrypted with cipher A |
| 63 | for _, usr := range newUsers { |
| 64 | requireEncryptedWithCipher(ctx, t, db, cipherA[0], usr.ID) |
| 65 | } |
| 66 | users = append(users, newUsers...) |
| 67 | |
| 68 | // Encrypt all the data with the initial cipher. |
| 69 | t.Log("Encrypting all data with cipher A") |
| 70 | inv, _ := newCLI(t, "server", "dbcrypt", "rotate", |
| 71 | "--postgres-url", connectionURL, |
| 72 | "--new-key", base64.StdEncoding.EncodeToString([]byte(keyA)), |
| 73 | "--yes", |
| 74 | ) |
| 75 | pty := ptytest.New(t) |
| 76 | inv.Stdout = pty.Output() |
| 77 | err = inv.Run() |
| 78 | require.NoError(t, err) |
| 79 | require.NoError(t, pty.Close()) |
| 80 | |
| 81 | // Validate that all existing data has been encrypted with cipher A. |
| 82 | for _, usr := range users { |
| 83 | requireEncryptedWithCipher(ctx, t, db, cipherA[0], usr.ID) |
| 84 | } |
| 85 | |
| 86 | // Re-encrypt all existing data with a new cipher. |
nothing calls this directly
no test coverage detected