async def test_get_blob_nonmatching_kid_async(self, storage_account_name,
storage_account_key):
await self._setup(storage_account_name, storage_account_key)
self.bsc.require_encryption = True
self.bsc.key_encryption_key = KeyWrapper('key1')
blob = await self._create_small_blob(BlobType.BlockBlob)
# Act
self.bsc.key_encryption_key.kid = 'Invalid'
# Assert
with self.assertRaises(HttpResponseError) as e:
await (await blob.download_blob()).content_as_bytes()
self.assertEqual(str(e.exception), 'Decryption failed.')
def test_put_block_blob_single_shot(self):
# Arrange
self.bsc.key_encryption_key = KeyWrapper('key1')
self.bsc.require_encryption = True
content = b'small'
blob_name = self._get_blob_reference(BlobType.BlockBlob)
blob = self.bsc.get_blob_client(self.container_name, blob_name)
# Act
blob.upload_blob(content)
blob_content = blob.download_blob().content_as_bytes()
# Assert
self.assertEqual(content, blob_content)
def test_invalid_methods_fail_block(self, resource_group, location, storage_account, storage_account_key):
self._setup(storage_account, storage_account_key)
self.bsc.key_encryption_key = KeyWrapper('key1')
blob_name = self._get_blob_reference(BlobType.BlockBlob)
blob = self.bsc.get_blob_client(self.container_name, blob_name)
# Assert
with self.assertRaises(ValueError) as e:
blob.stage_block('block1', urandom(32))
self.assertEqual(str(e.exception), _ERROR_UNSUPPORTED_METHOD_FOR_ENCRYPTION)
with self.assertRaises(ValueError) as e:
blob.commit_block_list(['block1'])
self.assertEqual(str(e.exception), _ERROR_UNSUPPORTED_METHOD_FOR_ENCRYPTION)
def test_invalid_methods_fail_page(self, resource_group, location, storage_account, storage_account_key):
self._setup(storage_account, storage_account_key)
self.bsc.key_encryption_key = KeyWrapper('key1')
blob_name = self._get_blob_reference(BlobType.PageBlob)
blob = self.bsc.get_blob_client(self.container_name, blob_name)
# Assert
with self.assertRaises(ValueError) as e:
blob.upload_page(urandom(512), offset=0, length=512)
self.assertEqual(str(e.exception), _ERROR_UNSUPPORTED_METHOD_FOR_ENCRYPTION)
with self.assertRaises(ValueError) as e:
blob.create_page_blob(512)
self.assertEqual(str(e.exception), _ERROR_UNSUPPORTED_METHOD_FOR_ENCRYPTION)
def test_get_blob_range_middle_to_middle(self, resource_group, location, storage_account, storage_account_key):
self._setup(storage_account, storage_account_key)
self.bsc.key_encryption_key = KeyWrapper('key1')
self.bsc.require_encryption = True
content = self.get_random_bytes(128)
blob_name = self._get_blob_reference(BlobType.BlockBlob)
blob = self.bsc.get_blob_client(self.container_name, blob_name)
# Act
blob.upload_blob(content)
blob_content = blob.download_blob(offset=5, length=93).content_as_bytes()
# Assert
self.assertEqual(content[5:98], blob_content)
def test_put_blob_serial_upload_chunking(self, resource_group, location, storage_account, storage_account_key):
self._setup(storage_account, storage_account_key)
self.bsc.key_encryption_key = KeyWrapper('key1')
self.bsc.require_encryption = True
content = self.get_random_bytes(self.config.max_single_put_size + 1)
blob_name = self._get_blob_reference(BlobType.BlockBlob)
blob = self.bsc.get_blob_client(self.container_name, blob_name)
# Act
blob.upload_blob(content, max_concurrency=1)
blob_content = blob.download_blob().content_as_bytes(max_concurrency=1)
# Assert
self.assertEqual(content, blob_content)
def test_put_blob_empty(self, resource_group, location, storage_account, storage_account_key):
self._setup(storage_account, storage_account_key)
self.bsc.key_encryption_key = KeyWrapper('key1')
self.bsc.require_encryption = True
content = b''
blob_name = self._get_blob_reference(BlobType.BlockBlob)
blob = self.bsc.get_blob_client(self.container_name, blob_name)
# Act
blob.upload_blob(content)
blob_content = blob.download_blob().content_as_bytes(max_concurrency=2)
# Assert
self.assertEqual(content, blob_content)
async def test_get_blob_strict_mode_no_policy_async(
self, resource_group, location, storage_account,
storage_account_key):
await self._setup(storage_account, storage_account_key)
self.bsc.require_encryption = True
self.bsc.key_encryption_key = KeyWrapper('key1')
blob = await self._create_small_blob(BlobType.BlockBlob)
# Act
blob.key_encryption_key = None
# Assert
with self.assertRaises(ValueError):
await (await blob.download_blob()).content_as_bytes()
def test_get_blob_range_expanded_to_beginning_iv(self):
# Arrange
self.bsc.key_encryption_key = KeyWrapper('key1')
self.bsc.require_encryption = True
content = self.get_random_bytes(128)
blob_name = self._get_blob_reference(BlobType.BlockBlob)
blob = self.bsc.get_blob_client(self.container_name, blob_name)
# Act
blob.upload_blob(content)
blob_content = blob.download_blob(offset=22,
length=42).content_as_bytes()
# Assert
self.assertEqual(content[22:43], blob_content)
def test_get_blob_range_beginning_to_middle(self):
# Arrange
self.bsc.key_encryption_key = KeyWrapper('key1')
self.bsc.require_encryption = True
content = self.get_random_bytes(128)
blob_name = self._get_blob_reference(BlobType.BlockBlob)
blob = self.bsc.get_blob_client(self.container_name, blob_name)
# Act
blob.upload_blob(content, max_connections=1)
blob_content = blob.download_blob(
offset=0, length=50).content_as_bytes(max_connections=1)
# Assert
self.assertEqual(content[:51], blob_content)
def test_get_blob_resolver(self):
# Arrange
self.bsc.require_encryption = True
self.bsc.key_encryption_key = KeyWrapper('key1')
key_resolver = KeyResolver()
key_resolver.put_key(self.bsc.key_encryption_key)
self.bsc.key_resolver_function = key_resolver.resolve_key
blob = self._create_small_blob(BlobType.BlockBlob)
# Act
self.bsc.key_encryption_key = None
content = blob.download_blob().content_as_bytes()
# Assert
self.assertEqual(content, self.bytes)
async def _test_put_with_strict_mode(self):
# Arrange
queue = await self._create_queue()
kek = KeyWrapper('key1')
queue.key_encryption_key = kek
queue.require_encryption = True
await queue.enqueue_message(u'message')
queue.key_encryption_key = None
# Assert
with self.assertRaises(ValueError) as e:
await queue.enqueue_message(u'message')
self.assertEqual(str(e.exception), "Encryption required but no key was provided.")
def test_get_messages_encrypted_kek(self, storage_account_name,
storage_account_key):
# Arrange
qsc = QueueServiceClient(
self.account_url(storage_account_name, "queue"),
storage_account_key)
qsc.key_encryption_key = KeyWrapper('key1')
queue = self._create_queue(qsc)
queue.send_message(u'encrypted_message_2')
# Act
li = next(queue.receive_messages())
# Assert
self.assertEqual(li.content, u'encrypted_message_2')
def test_put_blob_serial_upload_chunking(self):
# Arrange
self.bsc.key_encryption_key = KeyWrapper('key1')
self.bsc.require_encryption = True
content = self.get_random_bytes(
self.config.blob_settings.max_single_put_size + 1)
blob_name = self._get_blob_reference(BlobType.BlockBlob)
blob = self.bsc.get_blob_client(self.container_name, blob_name)
# Act
blob.upload_blob(content, max_connections=1)
blob_content = blob.download_blob().content_as_bytes(max_connections=1)
# Assert
self.assertEqual(content, blob_content)
async def test_put_block_blob_single_shot_async(self, resource_group, location, storage_account,
storage_account_key):
await self._setup(storage_account.name, storage_account_key)
self.bsc.key_encryption_key = KeyWrapper('key1')
self.bsc.require_encryption = True
content = b'small'
blob_name = self._get_blob_reference(BlobType.BlockBlob)
blob = self.bsc.get_blob_client(self.container_name, blob_name)
# Act
await blob.upload_blob(content)
blob_content = await (await blob.download_blob()).content_as_bytes()
# Assert
self.assertEqual(content, blob_content)
def test_missing_attribute_kek_unrwap(self, storage_account_name, storage_account_key):
# Arrange
qsc = QueueServiceClient(self.account_url(storage_account_name, "queue"), storage_account_key)
queue = self._create_queue(qsc)
queue.key_encryption_key = KeyWrapper('key1')
queue.send_message(u'message')
# Act
valid_key = KeyWrapper('key1')
invalid_key_1 = lambda: None # functions are objects, so this effectively creates an empty object
invalid_key_1.unwrap_key = valid_key.unwrap_key
# No attribute get_kid
queue.key_encryption_key = invalid_key_1
with self.assertRaises(HttpResponseError) as e:
queue.peek_messages()
assert "Decryption failed." in str(e.exception)
invalid_key_2 = lambda: None # functions are objects, so this effectively creates an empty object
invalid_key_2.get_kid = valid_key.get_kid
# No attribute unwrap_key
queue.key_encryption_key = invalid_key_2
with self.assertRaises(HttpResponseError):
queue.peek_messages()
def test_encryption_nonmatching_kid(self, storage_account_name, storage_account_key):
# Arrange
qsc = QueueServiceClient(self.account_url(storage_account_name, "queue"), storage_account_key)
queue = self._create_queue(qsc)
queue.key_encryption_key = KeyWrapper('key1')
queue.send_message(u'message')
# Act
queue.key_encryption_key.kid = 'Invalid'
# Assert
with self.assertRaises(HttpResponseError) as e:
next(queue.receive_messages())
assert "Decryption failed." in str(e.exception)
async def test_get_blob_range_expanded_to_beginning_iv_async(self, resource_group, location, storage_account,
storage_account_key):
await self._setup(storage_account.name, storage_account_key)
self.bsc.key_encryption_key = KeyWrapper('key1')
self.bsc.require_encryption = True
content = self.get_random_bytes(128)
blob_name = self._get_blob_reference(BlobType.BlockBlob)
blob = self.bsc.get_blob_client(self.container_name, blob_name)
# Act
await blob.upload_blob(content)
blob_content = await (await blob.download_blob(offset=22, length=20)).content_as_bytes()
# Assert
self.assertEqual(content[22:42], blob_content)
def test_get_with_strict_mode(self, storage_account_name,
storage_account_key):
# Arrange
qsc = QueueServiceClient(
self.account_url(storage_account_name, "queue"),
storage_account_key)
queue = self._create_queue(qsc)
queue.send_message(u'message')
queue.require_encryption = True
queue.key_encryption_key = KeyWrapper('key1')
with self.assertRaises(ValueError) as e:
next(queue.receive_messages())
self.assertEqual(str(e.exception), 'Message was not encrypted.')
async def test_get_blob_resolver_async(self, storage_account_name, storage_account_key):
await self._setup(storage_account_name, storage_account_key)
self.bsc.require_encryption = True
self.bsc.key_encryption_key = KeyWrapper('key1')
key_resolver = KeyResolver()
key_resolver.put_key(self.bsc.key_encryption_key)
self.bsc.key_resolver_function = key_resolver.resolve_key
blob = await self._create_small_blob(BlobType.BlockBlob)
# Act
self.bsc.key_encryption_key = None
content = await (await blob.download_blob()).content_as_bytes()
# Assert
self.assertEqual(content, self.bytes)
async def _test_peek_messages_encrypted_resolver(self):
# Arrange
self.qsc.key_encryption_key = KeyWrapper('key1')
queue = await self._create_queue()
await queue.enqueue_message(u'encrypted_message_4')
key_resolver = KeyResolver()
key_resolver.put_key(self.qsc.key_encryption_key)
queue.key_resolver_function = key_resolver.resolve_key
queue.key_encryption_key = None # Ensure that the resolver is used
# Act
li = await queue.peek_messages()
# Assert
self.assertEqual(li[0].content, u'encrypted_message_4')
async def test_invalid_value_kek_unwrap(self, resource_group, location, storage_account, storage_account_key):
qsc = QueueServiceClient(self._account_url(storage_account.name), storage_account_key, transport=AiohttpTestTransport())
# Arrange
queue = await self._create_queue(qsc)
queue.key_encryption_key = KeyWrapper('key1')
await queue.send_message(u'message')
# Act
queue.key_encryption_key.unwrap_key = None
with self.assertRaises(HttpResponseError):
await queue.peek_messages()
queue.key_encryption_key.get_kid = None
with self.assertRaises(HttpResponseError):
await queue.peek_messages()
def test_invalid_value_kek_wrap(self):
# Arrange
self.bsc.require_encryption = True
self.bsc.key_encryption_key = KeyWrapper('key1')
self.bsc.key_encryption_key.get_key_wrap_algorithm = None
try:
self._create_small_blob(BlobType.BlockBlob)
self.fail()
except AttributeError as e:
self.assertEqual(
str(e),
_ERROR_OBJECT_INVALID.format('key encryption key',
'get_key_wrap_algorithm'))
self.bsc.key_encryption_key = KeyWrapper('key1')
self.bsc.key_encryption_key.get_kid = None
with self.assertRaises(AttributeError):
self._create_small_blob(BlobType.BlockBlob)
self.bsc.key_encryption_key = KeyWrapper('key1')
self.bsc.key_encryption_key.wrap_key = None
with self.assertRaises(AttributeError):
self._create_small_blob(BlobType.BlockBlob)
async def test_missing_attribute_kek_unrwap(self, resource_group, location, storage_account, storage_account_key):
qsc = QueueServiceClient(self._account_url(storage_account.name), storage_account_key, transport=AiohttpTestTransport())
# Arrange
queue = await self._create_queue(qsc)
queue.key_encryption_key = KeyWrapper('key1')
await queue.send_message(u'message')
# Act
valid_key = KeyWrapper('key1')
invalid_key_1 = lambda: None # functions are objects, so this effectively creates an empty object
invalid_key_1.unwrap_key = valid_key.unwrap_key
# No attribute get_kid
queue.key_encryption_key = invalid_key_1
with self.assertRaises(HttpResponseError) as e:
await queue.peek_messages()
self.assertEqual(str(e.exception), "Decryption failed.")
invalid_key_2 = lambda: None # functions are objects, so this effectively creates an empty object
invalid_key_2.get_kid = valid_key.get_kid
# No attribute unwrap_key
queue.key_encryption_key = invalid_key_2
with self.assertRaises(HttpResponseError):
await queue.peek_messages()
def test_get_blob_nonmatching_kid(self):
if TestMode.need_recording_file(self.test_mode):
return
# Arrange
self.bsc.require_encryption = True
self.bsc.key_encryption_key = KeyWrapper('key1')
blob = self._create_small_blob(BlobType.BlockBlob)
# Act
self.bsc.key_encryption_key.kid = 'Invalid'
# Assert
with self.assertRaises(HttpResponseError) as e:
blob.download_blob().content_as_bytes()
self.assertEqual(str(e.exception), 'Decryption failed.')
def test_put_blob_chunking_required_non_mult_of_block_size(self, storage_account_name, storage_account_key):
# parallel tests introduce random order of requests, can only run live
self._setup(storage_account_name, storage_account_key)
self.bsc.key_encryption_key = KeyWrapper('key1')
self.bsc.require_encryption = True
content = urandom(self.config.max_single_put_size + 1)
blob_name = self._get_blob_reference(BlobType.BlockBlob)
blob = self.bsc.get_blob_client(self.container_name, blob_name)
# Act
blob.upload_blob(content, max_concurrency=3)
blob_content = blob.download_blob().content_as_bytes(max_concurrency=3)
# Assert
self.assertEqual(content, blob_content)
def test_get_blob_range_aligns_on_16_byte_block(self):
# Arrange
self.bsc.key_encryption_key = KeyWrapper('key1')
self.bsc.require_encryption = True
content = self.get_random_bytes(128)
blob_name = self._get_blob_reference(BlobType.BlockBlob)
blob = self.bsc.get_blob_client(self.container_name, blob_name)
# Act
blob.upload_blob(content)
blob_content = blob.download_blob(offset=48,
length=63).content_as_bytes()
# Assert
self.assertEqual(content[48:64], blob_content)
def test_get_messages_encrypted_resolver(self):
# Arrange
self.qsc.key_encryption_key = KeyWrapper('key1')
queue = self._create_queue()
queue.enqueue_message(u'encrypted_message_2')
key_resolver = KeyResolver()
key_resolver.put_key(self.qsc.key_encryption_key)
queue.key_resolver_function = key_resolver.resolve_key
queue.key_encryption_key = None # Ensure that the resolver is used
# Act
li = next(queue.receive_messages())
# Assert
self.assertEqual(li.content, u'encrypted_message_2')
def test_invalid_value_kek_unwrap(self, storage_account_name, storage_account_key):
# Arrange
qsc = QueueServiceClient(self.account_url(storage_account_name, "queue"), storage_account_key)
queue = self._create_queue(qsc)
queue.key_encryption_key = KeyWrapper('key1')
queue.send_message(u'message')
# Act
queue.key_encryption_key.unwrap_key = None
with self.assertRaises(HttpResponseError):
queue.peek_messages()
queue.key_encryption_key.get_kid = None
with self.assertRaises(HttpResponseError):
queue.peek_messages()
async def test_peek_messages_encrypted_kek(self, storage_account_name,
storage_account_key):
qsc = QueueServiceClient(self.account_url(storage_account_name,
"queue"),
storage_account_key,
transport=AiohttpTestTransport())
# Arrange
qsc.key_encryption_key = KeyWrapper('key1')
queue = await self._create_queue(qsc)
await queue.send_message(u'encrypted_message_3')
# Act
li = await queue.peek_messages()
# Assert
self.assertEqual(li[0].content, u'encrypted_message_3')
