1 // Copyright 2020 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16 #include "tink/util/fake_kms_client.h"
17
18 #include <fstream>
19 #include <iostream>
20 #include <memory>
21 #include <ostream>
22 #include <sstream>
23 #include <string>
24 #include <utility>
25
26 #include "absl/status/status.h"
27 #include "absl/strings/ascii.h"
28 #include "absl/strings/escaping.h"
29 #include "absl/strings/match.h"
30 #include "absl/strings/str_cat.h"
31 #include "absl/strings/str_split.h"
32 #include "absl/strings/string_view.h"
33 #include "tink/aead/aead_key_templates.h"
34 #include "tink/binary_keyset_reader.h"
35 #include "tink/binary_keyset_writer.h"
36 #include "tink/cleartext_keyset_handle.h"
37 #include "tink/kms_client.h"
38 #include "tink/util/errors.h"
39 #include "tink/util/status.h"
40 #include "tink/util/statusor.h"
41
42 namespace crypto {
43 namespace tink {
44 namespace test {
45
46 namespace {
47
48 using crypto::tink::ToStatusF;
49 using crypto::tink::util::Status;
50 using crypto::tink::util::StatusOr;
51 using google::crypto::tink::KeyTemplate;
52
53 static constexpr char kKeyUriPrefix[] = "fake-kms://";
54
55 // Returns the encoded keyset contained in 'key_uri'.
56 // If 'key_uri' does not refer to an fake KMS key, returns an empty string.
GetEncodedKeyset(absl::string_view key_uri)57 std::string GetEncodedKeyset(absl::string_view key_uri) {
58 if (!absl::StartsWithIgnoreCase(key_uri, kKeyUriPrefix)) return "";
59 return std::string(key_uri.substr(std::string(kKeyUriPrefix).length()));
60 }
61
62 } // namespace
63
64
65 // static
New(absl::string_view key_uri,absl::string_view credentials_path)66 StatusOr<std::unique_ptr<FakeKmsClient>> FakeKmsClient::New(
67 absl::string_view key_uri, absl::string_view credentials_path) {
68 std::unique_ptr<FakeKmsClient> client(new FakeKmsClient());
69
70 if (!key_uri.empty()) {
71 client->encoded_keyset_ = GetEncodedKeyset(key_uri);
72 if (client->encoded_keyset_.empty()) {
73 return ToStatusF(absl::StatusCode::kInvalidArgument,
74 "Key '%s' not supported", key_uri);
75 }
76 }
77 return std::move(client);
78 }
79
DoesSupport(absl::string_view key_uri) const80 bool FakeKmsClient::DoesSupport(absl::string_view key_uri) const {
81 if (!encoded_keyset_.empty()) {
82 return encoded_keyset_ == GetEncodedKeyset(key_uri);
83 }
84 return !GetEncodedKeyset(key_uri).empty();
85 }
86
GetAead(absl::string_view key_uri) const87 StatusOr<std::unique_ptr<Aead>> FakeKmsClient::GetAead(
88 absl::string_view key_uri) const {
89 if (!DoesSupport(key_uri)) {
90 if (!encoded_keyset_.empty()) {
91 return ToStatusF(absl::StatusCode::kInvalidArgument,
92 "This client is bound to a different key, and cannot "
93 "use key '%s'.",
94 key_uri);
95 } else {
96 return ToStatusF(absl::StatusCode::kInvalidArgument,
97 "This client does not support key '%s'.", key_uri);
98 }
99 }
100 std::string keyset;
101 if (!absl::WebSafeBase64Unescape(GetEncodedKeyset(key_uri), &keyset)) {
102 return util::Status(absl::StatusCode::kInvalidArgument, "Invalid Keyset");
103 }
104 auto reader_result = BinaryKeysetReader::New(keyset);
105 if (!reader_result.ok()) {
106 return reader_result.status();
107 }
108 auto handle_result =
109 CleartextKeysetHandle::Read(std::move(reader_result.value()));
110 if (!handle_result.ok()) {
111 return handle_result.status();
112 }
113 return handle_result.value()->GetPrimitive<crypto::tink::Aead>();
114 }
115
RegisterNewClient(absl::string_view key_uri,absl::string_view credentials_path)116 Status FakeKmsClient::RegisterNewClient(absl::string_view key_uri,
117 absl::string_view credentials_path) {
118 auto client_result = FakeKmsClient::New(key_uri, credentials_path);
119 if (!client_result.ok()) {
120 return client_result.status();
121 }
122
123 return KmsClients::Add(std::move(client_result.value()));
124 }
125
CreateFakeKeyUri()126 StatusOr<std::string> FakeKmsClient::CreateFakeKeyUri() {
127 // The key_uri contains an encoded keyset with a new Aes128Gcm key.
128 const KeyTemplate& key_template = AeadKeyTemplates::Aes128Gcm();
129 auto handle_result = KeysetHandle::GenerateNew(key_template);
130 if (!handle_result.ok()) {
131 return handle_result.status();
132 }
133 std::stringbuf keyset;
134 auto writer_result =
135 BinaryKeysetWriter::New(absl::make_unique<std::ostream>(&keyset));
136 if (!writer_result.ok()) {
137 return writer_result.status();
138 }
139 auto status = CleartextKeysetHandle::Write(writer_result.value().get(),
140 *handle_result.value());
141 if (!status.ok()) {
142 return status;
143 }
144 std::string encoded_keyset;
145 absl::WebSafeBase64Escape(keyset.str(), &encoded_keyset);
146 return absl::StrCat(kKeyUriPrefix, encoded_keyset);
147 }
148
149 } // namespace test
150 } // namespace tink
151 } // namespace crypto
152