async def test_get_blob_nonmatching_kid_async(self, storage_account_name, storage_account_key): await self._setup(storage_account_name, storage_account_key) self.bsc.require_encryption = True self.bsc.key_encryption_key = KeyWrapper('key1') blob = await self._create_small_blob(BlobType.BlockBlob) # Act self.bsc.key_encryption_key.kid = 'Invalid' # Assert with self.assertRaises(HttpResponseError) as e: await (await blob.download_blob()).content_as_bytes() self.assertEqual(str(e.exception), 'Decryption failed.')
def test_put_block_blob_single_shot(self): # Arrange self.bsc.key_encryption_key = KeyWrapper('key1') self.bsc.require_encryption = True content = b'small' blob_name = self._get_blob_reference(BlobType.BlockBlob) blob = self.bsc.get_blob_client(self.container_name, blob_name) # Act blob.upload_blob(content) blob_content = blob.download_blob().content_as_bytes() # Assert self.assertEqual(content, blob_content)
def test_invalid_methods_fail_block(self, resource_group, location, storage_account, storage_account_key): self._setup(storage_account, storage_account_key) self.bsc.key_encryption_key = KeyWrapper('key1') blob_name = self._get_blob_reference(BlobType.BlockBlob) blob = self.bsc.get_blob_client(self.container_name, blob_name) # Assert with self.assertRaises(ValueError) as e: blob.stage_block('block1', urandom(32)) self.assertEqual(str(e.exception), _ERROR_UNSUPPORTED_METHOD_FOR_ENCRYPTION) with self.assertRaises(ValueError) as e: blob.commit_block_list(['block1']) self.assertEqual(str(e.exception), _ERROR_UNSUPPORTED_METHOD_FOR_ENCRYPTION)
def test_invalid_methods_fail_page(self, resource_group, location, storage_account, storage_account_key): self._setup(storage_account, storage_account_key) self.bsc.key_encryption_key = KeyWrapper('key1') blob_name = self._get_blob_reference(BlobType.PageBlob) blob = self.bsc.get_blob_client(self.container_name, blob_name) # Assert with self.assertRaises(ValueError) as e: blob.upload_page(urandom(512), offset=0, length=512) self.assertEqual(str(e.exception), _ERROR_UNSUPPORTED_METHOD_FOR_ENCRYPTION) with self.assertRaises(ValueError) as e: blob.create_page_blob(512) self.assertEqual(str(e.exception), _ERROR_UNSUPPORTED_METHOD_FOR_ENCRYPTION)
def test_get_blob_range_middle_to_middle(self, resource_group, location, storage_account, storage_account_key): self._setup(storage_account, storage_account_key) self.bsc.key_encryption_key = KeyWrapper('key1') self.bsc.require_encryption = True content = self.get_random_bytes(128) blob_name = self._get_blob_reference(BlobType.BlockBlob) blob = self.bsc.get_blob_client(self.container_name, blob_name) # Act blob.upload_blob(content) blob_content = blob.download_blob(offset=5, length=93).content_as_bytes() # Assert self.assertEqual(content[5:98], blob_content)
def test_put_blob_serial_upload_chunking(self, resource_group, location, storage_account, storage_account_key): self._setup(storage_account, storage_account_key) self.bsc.key_encryption_key = KeyWrapper('key1') self.bsc.require_encryption = True content = self.get_random_bytes(self.config.max_single_put_size + 1) blob_name = self._get_blob_reference(BlobType.BlockBlob) blob = self.bsc.get_blob_client(self.container_name, blob_name) # Act blob.upload_blob(content, max_concurrency=1) blob_content = blob.download_blob().content_as_bytes(max_concurrency=1) # Assert self.assertEqual(content, blob_content)
def test_put_blob_empty(self, resource_group, location, storage_account, storage_account_key): self._setup(storage_account, storage_account_key) self.bsc.key_encryption_key = KeyWrapper('key1') self.bsc.require_encryption = True content = b'' blob_name = self._get_blob_reference(BlobType.BlockBlob) blob = self.bsc.get_blob_client(self.container_name, blob_name) # Act blob.upload_blob(content) blob_content = blob.download_blob().content_as_bytes(max_concurrency=2) # Assert self.assertEqual(content, blob_content)
async def test_get_blob_strict_mode_no_policy_async( self, resource_group, location, storage_account, storage_account_key): await self._setup(storage_account, storage_account_key) self.bsc.require_encryption = True self.bsc.key_encryption_key = KeyWrapper('key1') blob = await self._create_small_blob(BlobType.BlockBlob) # Act blob.key_encryption_key = None # Assert with self.assertRaises(ValueError): await (await blob.download_blob()).content_as_bytes()
def test_get_blob_range_expanded_to_beginning_iv(self): # Arrange self.bsc.key_encryption_key = KeyWrapper('key1') self.bsc.require_encryption = True content = self.get_random_bytes(128) blob_name = self._get_blob_reference(BlobType.BlockBlob) blob = self.bsc.get_blob_client(self.container_name, blob_name) # Act blob.upload_blob(content) blob_content = blob.download_blob(offset=22, length=42).content_as_bytes() # Assert self.assertEqual(content[22:43], blob_content)
def test_get_blob_range_beginning_to_middle(self): # Arrange self.bsc.key_encryption_key = KeyWrapper('key1') self.bsc.require_encryption = True content = self.get_random_bytes(128) blob_name = self._get_blob_reference(BlobType.BlockBlob) blob = self.bsc.get_blob_client(self.container_name, blob_name) # Act blob.upload_blob(content, max_connections=1) blob_content = blob.download_blob( offset=0, length=50).content_as_bytes(max_connections=1) # Assert self.assertEqual(content[:51], blob_content)
def test_get_blob_resolver(self): # Arrange self.bsc.require_encryption = True self.bsc.key_encryption_key = KeyWrapper('key1') key_resolver = KeyResolver() key_resolver.put_key(self.bsc.key_encryption_key) self.bsc.key_resolver_function = key_resolver.resolve_key blob = self._create_small_blob(BlobType.BlockBlob) # Act self.bsc.key_encryption_key = None content = blob.download_blob().content_as_bytes() # Assert self.assertEqual(content, self.bytes)
async def _test_put_with_strict_mode(self): # Arrange queue = await self._create_queue() kek = KeyWrapper('key1') queue.key_encryption_key = kek queue.require_encryption = True await queue.enqueue_message(u'message') queue.key_encryption_key = None # Assert with self.assertRaises(ValueError) as e: await queue.enqueue_message(u'message') self.assertEqual(str(e.exception), "Encryption required but no key was provided.")
def test_get_messages_encrypted_kek(self, storage_account_name, storage_account_key): # Arrange qsc = QueueServiceClient( self.account_url(storage_account_name, "queue"), storage_account_key) qsc.key_encryption_key = KeyWrapper('key1') queue = self._create_queue(qsc) queue.send_message(u'encrypted_message_2') # Act li = next(queue.receive_messages()) # Assert self.assertEqual(li.content, u'encrypted_message_2')
def test_put_blob_serial_upload_chunking(self): # Arrange self.bsc.key_encryption_key = KeyWrapper('key1') self.bsc.require_encryption = True content = self.get_random_bytes( self.config.blob_settings.max_single_put_size + 1) blob_name = self._get_blob_reference(BlobType.BlockBlob) blob = self.bsc.get_blob_client(self.container_name, blob_name) # Act blob.upload_blob(content, max_connections=1) blob_content = blob.download_blob().content_as_bytes(max_connections=1) # Assert self.assertEqual(content, blob_content)
async def test_put_block_blob_single_shot_async(self, resource_group, location, storage_account, storage_account_key): await self._setup(storage_account.name, storage_account_key) self.bsc.key_encryption_key = KeyWrapper('key1') self.bsc.require_encryption = True content = b'small' blob_name = self._get_blob_reference(BlobType.BlockBlob) blob = self.bsc.get_blob_client(self.container_name, blob_name) # Act await blob.upload_blob(content) blob_content = await (await blob.download_blob()).content_as_bytes() # Assert self.assertEqual(content, blob_content)
def test_missing_attribute_kek_unrwap(self, storage_account_name, storage_account_key): # Arrange qsc = QueueServiceClient(self.account_url(storage_account_name, "queue"), storage_account_key) queue = self._create_queue(qsc) queue.key_encryption_key = KeyWrapper('key1') queue.send_message(u'message') # Act valid_key = KeyWrapper('key1') invalid_key_1 = lambda: None # functions are objects, so this effectively creates an empty object invalid_key_1.unwrap_key = valid_key.unwrap_key # No attribute get_kid queue.key_encryption_key = invalid_key_1 with self.assertRaises(HttpResponseError) as e: queue.peek_messages() assert "Decryption failed." in str(e.exception) invalid_key_2 = lambda: None # functions are objects, so this effectively creates an empty object invalid_key_2.get_kid = valid_key.get_kid # No attribute unwrap_key queue.key_encryption_key = invalid_key_2 with self.assertRaises(HttpResponseError): queue.peek_messages()
def test_encryption_nonmatching_kid(self, storage_account_name, storage_account_key): # Arrange qsc = QueueServiceClient(self.account_url(storage_account_name, "queue"), storage_account_key) queue = self._create_queue(qsc) queue.key_encryption_key = KeyWrapper('key1') queue.send_message(u'message') # Act queue.key_encryption_key.kid = 'Invalid' # Assert with self.assertRaises(HttpResponseError) as e: next(queue.receive_messages()) assert "Decryption failed." in str(e.exception)
async def test_get_blob_range_expanded_to_beginning_iv_async(self, resource_group, location, storage_account, storage_account_key): await self._setup(storage_account.name, storage_account_key) self.bsc.key_encryption_key = KeyWrapper('key1') self.bsc.require_encryption = True content = self.get_random_bytes(128) blob_name = self._get_blob_reference(BlobType.BlockBlob) blob = self.bsc.get_blob_client(self.container_name, blob_name) # Act await blob.upload_blob(content) blob_content = await (await blob.download_blob(offset=22, length=20)).content_as_bytes() # Assert self.assertEqual(content[22:42], blob_content)
def test_get_with_strict_mode(self, storage_account_name, storage_account_key): # Arrange qsc = QueueServiceClient( self.account_url(storage_account_name, "queue"), storage_account_key) queue = self._create_queue(qsc) queue.send_message(u'message') queue.require_encryption = True queue.key_encryption_key = KeyWrapper('key1') with self.assertRaises(ValueError) as e: next(queue.receive_messages()) self.assertEqual(str(e.exception), 'Message was not encrypted.')
async def test_get_blob_resolver_async(self, storage_account_name, storage_account_key): await self._setup(storage_account_name, storage_account_key) self.bsc.require_encryption = True self.bsc.key_encryption_key = KeyWrapper('key1') key_resolver = KeyResolver() key_resolver.put_key(self.bsc.key_encryption_key) self.bsc.key_resolver_function = key_resolver.resolve_key blob = await self._create_small_blob(BlobType.BlockBlob) # Act self.bsc.key_encryption_key = None content = await (await blob.download_blob()).content_as_bytes() # Assert self.assertEqual(content, self.bytes)
async def _test_peek_messages_encrypted_resolver(self): # Arrange self.qsc.key_encryption_key = KeyWrapper('key1') queue = await self._create_queue() await queue.enqueue_message(u'encrypted_message_4') key_resolver = KeyResolver() key_resolver.put_key(self.qsc.key_encryption_key) queue.key_resolver_function = key_resolver.resolve_key queue.key_encryption_key = None # Ensure that the resolver is used # Act li = await queue.peek_messages() # Assert self.assertEqual(li[0].content, u'encrypted_message_4')
async def test_invalid_value_kek_unwrap(self, resource_group, location, storage_account, storage_account_key): qsc = QueueServiceClient(self._account_url(storage_account.name), storage_account_key, transport=AiohttpTestTransport()) # Arrange queue = await self._create_queue(qsc) queue.key_encryption_key = KeyWrapper('key1') await queue.send_message(u'message') # Act queue.key_encryption_key.unwrap_key = None with self.assertRaises(HttpResponseError): await queue.peek_messages() queue.key_encryption_key.get_kid = None with self.assertRaises(HttpResponseError): await queue.peek_messages()
def test_invalid_value_kek_wrap(self): # Arrange self.bsc.require_encryption = True self.bsc.key_encryption_key = KeyWrapper('key1') self.bsc.key_encryption_key.get_key_wrap_algorithm = None try: self._create_small_blob(BlobType.BlockBlob) self.fail() except AttributeError as e: self.assertEqual( str(e), _ERROR_OBJECT_INVALID.format('key encryption key', 'get_key_wrap_algorithm')) self.bsc.key_encryption_key = KeyWrapper('key1') self.bsc.key_encryption_key.get_kid = None with self.assertRaises(AttributeError): self._create_small_blob(BlobType.BlockBlob) self.bsc.key_encryption_key = KeyWrapper('key1') self.bsc.key_encryption_key.wrap_key = None with self.assertRaises(AttributeError): self._create_small_blob(BlobType.BlockBlob)
async def test_missing_attribute_kek_unrwap(self, resource_group, location, storage_account, storage_account_key): qsc = QueueServiceClient(self._account_url(storage_account.name), storage_account_key, transport=AiohttpTestTransport()) # Arrange queue = await self._create_queue(qsc) queue.key_encryption_key = KeyWrapper('key1') await queue.send_message(u'message') # Act valid_key = KeyWrapper('key1') invalid_key_1 = lambda: None # functions are objects, so this effectively creates an empty object invalid_key_1.unwrap_key = valid_key.unwrap_key # No attribute get_kid queue.key_encryption_key = invalid_key_1 with self.assertRaises(HttpResponseError) as e: await queue.peek_messages() self.assertEqual(str(e.exception), "Decryption failed.") invalid_key_2 = lambda: None # functions are objects, so this effectively creates an empty object invalid_key_2.get_kid = valid_key.get_kid # No attribute unwrap_key queue.key_encryption_key = invalid_key_2 with self.assertRaises(HttpResponseError): await queue.peek_messages()
def test_get_blob_nonmatching_kid(self): if TestMode.need_recording_file(self.test_mode): return # Arrange self.bsc.require_encryption = True self.bsc.key_encryption_key = KeyWrapper('key1') blob = self._create_small_blob(BlobType.BlockBlob) # Act self.bsc.key_encryption_key.kid = 'Invalid' # Assert with self.assertRaises(HttpResponseError) as e: blob.download_blob().content_as_bytes() self.assertEqual(str(e.exception), 'Decryption failed.')
def test_put_blob_chunking_required_non_mult_of_block_size(self, storage_account_name, storage_account_key): # parallel tests introduce random order of requests, can only run live self._setup(storage_account_name, storage_account_key) self.bsc.key_encryption_key = KeyWrapper('key1') self.bsc.require_encryption = True content = urandom(self.config.max_single_put_size + 1) blob_name = self._get_blob_reference(BlobType.BlockBlob) blob = self.bsc.get_blob_client(self.container_name, blob_name) # Act blob.upload_blob(content, max_concurrency=3) blob_content = blob.download_blob().content_as_bytes(max_concurrency=3) # Assert self.assertEqual(content, blob_content)
def test_get_blob_range_aligns_on_16_byte_block(self): # Arrange self.bsc.key_encryption_key = KeyWrapper('key1') self.bsc.require_encryption = True content = self.get_random_bytes(128) blob_name = self._get_blob_reference(BlobType.BlockBlob) blob = self.bsc.get_blob_client(self.container_name, blob_name) # Act blob.upload_blob(content) blob_content = blob.download_blob(offset=48, length=63).content_as_bytes() # Assert self.assertEqual(content[48:64], blob_content)
def test_get_messages_encrypted_resolver(self): # Arrange self.qsc.key_encryption_key = KeyWrapper('key1') queue = self._create_queue() queue.enqueue_message(u'encrypted_message_2') key_resolver = KeyResolver() key_resolver.put_key(self.qsc.key_encryption_key) queue.key_resolver_function = key_resolver.resolve_key queue.key_encryption_key = None # Ensure that the resolver is used # Act li = next(queue.receive_messages()) # Assert self.assertEqual(li.content, u'encrypted_message_2')
def test_invalid_value_kek_unwrap(self, storage_account_name, storage_account_key): # Arrange qsc = QueueServiceClient(self.account_url(storage_account_name, "queue"), storage_account_key) queue = self._create_queue(qsc) queue.key_encryption_key = KeyWrapper('key1') queue.send_message(u'message') # Act queue.key_encryption_key.unwrap_key = None with self.assertRaises(HttpResponseError): queue.peek_messages() queue.key_encryption_key.get_kid = None with self.assertRaises(HttpResponseError): queue.peek_messages()
async def test_peek_messages_encrypted_kek(self, storage_account_name, storage_account_key): qsc = QueueServiceClient(self.account_url(storage_account_name, "queue"), storage_account_key, transport=AiohttpTestTransport()) # Arrange qsc.key_encryption_key = KeyWrapper('key1') queue = await self._create_queue(qsc) await queue.send_message(u'encrypted_message_3') # Act li = await queue.peek_messages() # Assert self.assertEqual(li[0].content, u'encrypted_message_3')