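#!/bin/bash

# Setup script for OpenBao KMS integration testing.
#
# Waits for an OpenBao server, checks that the token is accepted, enables the
# transit secrets engine, creates a fixed set of test keys and performs one
# encrypt/decrypt round trip against the first of them.
#
# Environment:
#   OPENBAO_ADDR   base URL of the server (default http://127.0.0.1:8200)
#   OPENBAO_TOKEN  token used for every API call (default is a dev-only token)
#   TRANSIT_PATH   mount path of the transit engine (default "transit")
#
# Requires: curl, jq, base64.
set -euo pipefail

OPENBAO_ADDR=${OPENBAO_ADDR:-"http://127.0.0.1:8200"}
OPENBAO_TOKEN=${OPENBAO_TOKEN:-"root-token-for-testing"}
TRANSIT_PATH=${TRANSIT_PATH:-"transit"}
readonly OPENBAO_ADDR OPENBAO_TOKEN TRANSIT_PATH

# Print a failure message to stderr and abort.
die() { printf '[FAIL] %s\n' "$*" >&2; exit 1; }

for tool in curl jq base64; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# The token is handed to curl through a config file (mktemp creates it 0600)
# instead of on the command line, so it is not visible in `ps` output or in
# `set -x` traces. The file is removed on every exit path.
CURL_CONFIG=$(mktemp) || die "mktemp failed"
cleanup() { rm -f -- "$CURL_CONFIG"; }
trap cleanup EXIT
printf 'header = "X-Vault-Token: %s"\n' "$OPENBAO_TOKEN" > "$CURL_CONFIG"

#######################################
# Issue an authenticated request to the OpenBao HTTP API.
# Globals:   CURL_CONFIG (read), OPENBAO_ADDR (read)
# Arguments: $1 - HTTP method
#            $2 - API path without the leading "/v1/"
#            $3 - optional JSON request body
# Outputs:   response body on stdout, curl diagnostics on stderr
# Returns:   curl's status; -f turns any HTTP 4xx/5xx into a non-zero status
#######################################
bao_api() {
    local method=$1 path=$2 body=${3-}
    local -a args=(-sS -f -K "$CURL_CONFIG" -X "$method" -H "Content-Type: application/json")
    if [[ -n "$body" ]]; then
        args+=(-d "$body")
    fi
    curl "${args[@]}" "$OPENBAO_ADDR/v1/$path"
}

echo "🚀 Setting up OpenBao for KMS integration testing..."
echo "OpenBao Address: $OPENBAO_ADDR"
echo "Transit Path: $TRANSIT_PATH"

# Wait for OpenBao to be ready. With -f only a 2xx health response counts,
# so a sealed or uninitialized server is not mistaken for a ready one;
# standbyok=true lets a standby node answer 200 as well.
echo "⏳ Waiting for OpenBao to be ready..."
ready=0
for i in {1..30}; do
    if curl -sf "$OPENBAO_ADDR/v1/sys/health?standbyok=true" >/dev/null 2>&1; then
        ready=1
        echo "[OK] OpenBao is ready!"
        break
    fi
    echo "   Attempt $i/30: OpenBao not ready yet, waiting..."
    sleep 2
done
(( ready )) || die "OpenBao at $OPENBAO_ADDR did not become ready after 30 attempts"

# Check that the token is accepted. The health endpoint is unauthenticated and
# would not reveal a bad token; lookup-self fails with 403 on one.
bao_api GET auth/token/lookup-self >/dev/null 2>&1 \
    || die "Cannot authenticate to OpenBao at $OPENBAO_ADDR (check OPENBAO_TOKEN)"

echo "🔧 Setting up transit secrets engine..."

# Enabling the mount fails (HTTP 400) when the path is already in use. Accept
# that only if a mount really exists at TRANSIT_PATH; any other failure aborts.
# Mount paths are top-level keys of the sys/mounts response, with a trailing slash.
if ! bao_api POST "sys/mounts/$TRANSIT_PATH" \
        '{"type":"transit","description":"Transit engine for KMS testing"}' >/dev/null 2>&1; then
    bao_api GET sys/mounts | jq -e --arg p "${TRANSIT_PATH%/}/" 'has($p)' >/dev/null \
        || die "Could not enable transit engine at $TRANSIT_PATH"
    echo "   Transit engine already enabled at $TRANSIT_PATH"
fi

echo "🔑 Creating test encryption keys..."

# Define test keys as name:type:description
declare -a TEST_KEYS=(
    "test-key-1:aes256-gcm96:Test key 1 for basic operations"
    "test-key-2:aes256-gcm96:Test key 2 for multi-key scenarios"
    "seaweedfs-test-key:aes256-gcm96:SeaweedFS integration test key"
    "bucket-default-key:aes256-gcm96:Default key for bucket encryption"
    "high-security-key:aes256-gcm96:High security test key"
    "performance-key:aes256-gcm96:Performance testing key"
    "aws-compat-key:aes256-gcm96:AWS compatibility test key"
    "multipart-key:aes256-gcm96:Multipart upload test key"
)

# Create each test key
for key_spec in "${TEST_KEYS[@]}"; do
    IFS=':' read -r key_name key_type key_desc <<< "$key_spec"

    echo "   Creating key: $key_name ($key_type)"

    # Build the body with jq so the fields are JSON-escaped rather than
    # spliced into a quoted string.
    body=$(jq -cn --arg t "$key_type" --arg d "$key_desc" '{type:$t,description:$d}')

    # Creating a key that already exists is a no-op on the server, so a
    # non-zero status here is a real error; it is reported and then checked
    # by the verification below.
    bao_api POST "$TRANSIT_PATH/keys/$key_name" "$body" >/dev/null \
        || echo "   ⚠️  Creating key $key_name returned an error; verifying it exists"

    # Verify the key exists. -f in bao_api makes a 403/404 fail this test,
    # which a plain GET ignoring the status code would not.
    if bao_api GET "$TRANSIT_PATH/keys/$key_name" >/dev/null 2>&1; then
        echo "   [OK] Key $key_name verified"
    else
        die "Failed to create/verify key $key_name"
    fi
done

echo "🧪 Testing basic encryption/decryption..."

# Test basic encrypt/decrypt operation
TEST_PLAINTEXT="Hello, SeaweedFS KMS Integration!"
# tr strips the line wrapping some base64 implementations add to long input.
PLAINTEXT_B64=$(printf '%s' "$TEST_PLAINTEXT" | base64 | tr -d '\n')

echo "   Testing with key: test-key-1"

# Encrypt. A failed request leaves an empty response so the check below reports it.
ENCRYPT_RESPONSE=$(bao_api POST "$TRANSIT_PATH/encrypt/test-key-1" \
    "$(jq -cn --arg p "$PLAINTEXT_B64" '{plaintext:$p}')") || ENCRYPT_RESPONSE=""

# `// empty` maps a missing or null field to an empty string.
CIPHERTEXT=$(jq -r '.data.ciphertext // empty' <<< "$ENCRYPT_RESPONSE" 2>/dev/null || true)

if [[ -z "$CIPHERTEXT" ]]; then
    echo "   [FAIL] Encryption test failed"
    echo "   Response: $ENCRYPT_RESPONSE"
    exit 1
fi

echo "   [OK] Encryption successful: ${CIPHERTEXT:0:50}..."

# Decrypt
DECRYPT_RESPONSE=$(bao_api POST "$TRANSIT_PATH/decrypt/test-key-1" \
    "$(jq -cn --arg c "$CIPHERTEXT" '{ciphertext:$c}')") || DECRYPT_RESPONSE=""

DECRYPTED_B64=$(jq -r '.data.plaintext // empty' <<< "$DECRYPT_RESPONSE" 2>/dev/null || true)
DECRYPTED_TEXT=$(base64 -d <<< "$DECRYPTED_B64" 2>/dev/null || true)

if [[ "$DECRYPTED_TEXT" != "$TEST_PLAINTEXT" ]]; then
    echo "   [FAIL] Decryption test failed"
    echo "   Expected: $TEST_PLAINTEXT"
    echo "   Got: $DECRYPTED_TEXT"
    echo "   Response: $DECRYPT_RESPONSE"
    exit 1
fi

echo "   [OK] Decryption successful: $DECRYPTED_TEXT"

echo "📊 OpenBao KMS setup summary:"
echo "   Address: $OPENBAO_ADDR"
echo "   Transit Path: $TRANSIT_PATH"
echo "   Keys Created: ${#TEST_KEYS[@]}"
echo "   Status: Ready for integration testing"

echo ""
echo "🎯 Ready to run KMS integration tests!"
echo ""
echo "Usage:"
echo "   # Run Go integration tests"
echo "   go test -v ./test/kms/..."
echo ""
echo "   # Run with Docker Compose"
echo "   cd test/kms && docker-compose up -d"
echo "   docker-compose exec openbao bao status"
echo ""
echo "   # Test S3 API with encryption"
echo "   aws s3api put-bucket-encryption \\"
echo "     --endpoint-url http://localhost:8333 \\"
echo "     --bucket test-bucket \\"
echo "     --server-side-encryption-configuration file://bucket-encryption.json"
echo ""
echo "[OK] OpenBao KMS setup complete!"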