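#!/bin/bash
# Setup script for OpenBao KMS integration testing.
#
# Waits for an OpenBao server, checks that the configured token is accepted,
# enables the transit secrets engine, creates a fixed set of test keys and
# runs one encrypt/decrypt round trip through the first key.
#
# Environment:
#   OPENBAO_ADDR   base URL of the server (default http://127.0.0.1:8200)
#   OPENBAO_TOKEN  token sent in X-Vault-Token on every authenticated call
#                  (default root-token-for-testing; intended for local tests)
#   TRANSIT_PATH   mount path of the transit engine (default transit)
#
# Requires curl and jq. Exits non-zero on the first failed step.
set -euo pipefail

OPENBAO_ADDR=${OPENBAO_ADDR:-"http://127.0.0.1:8200"}
OPENBAO_TOKEN=${OPENBAO_TOKEN:-"root-token-for-testing"}
TRANSIT_PATH=${TRANSIT_PATH:-"transit"}
readonly OPENBAO_ADDR OPENBAO_TOKEN TRANSIT_PATH

# Test keys as name:type:description (the description may contain spaces).
declare -ar TEST_KEYS=(
  "test-key-1:aes256-gcm96:Test key 1 for basic operations"
  "test-key-2:aes256-gcm96:Test key 2 for multi-key scenarios"
  "seaweedfs-test-key:aes256-gcm96:SeaweedFS integration test key"
  "bucket-default-key:aes256-gcm96:Default key for bucket encryption"
  "high-security-key:aes256-gcm96:High security test key"
  "performance-key:aes256-gcm96:Performance testing key"
  "aws-compat-key:aes256-gcm96:AWS compatibility test key"
  "multipart-key:aes256-gcm96:Multipart upload test key"
)

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Authenticated curl against the OpenBao API.
# --fail turns an HTTP 4xx/5xx into a non-zero exit status; a plain
# `curl -s` exits 0 on a 403 or 404, which would make every check in this
# script report success regardless of what the server answered. The token
# travels in a header, so it never appears in curl's error output.
# Globals:   OPENBAO_TOKEN (read)
# Arguments: remaining curl arguments (method, data, URL)
# Outputs:   response body on stdout
# Returns:   curl's exit status
#######################################
bao_curl() {
  curl -sS --fail -H "X-Vault-Token: $OPENBAO_TOKEN" "$@"
}

#######################################
# Poll sys/health until the server is initialized, unsealed and active
# (standby also counts). Up to 30 attempts, 2 seconds apart.
# Globals:   OPENBAO_ADDR (read)
# Returns:   0 when ready; exits 1 when the server never became ready
#######################################
wait_for_openbao() {
  local attempt
  for attempt in {1..30}; do
    # sys/health only returns 200 for a usable instance; any other response
    # (sealed, uninitialized, connection refused) fails --fail and we retry.
    if curl -sf "$OPENBAO_ADDR/v1/sys/health?standbyok=true" >/dev/null 2>&1; then
      echo "✅ OpenBao is ready!"
      return 0
    fi
    echo "  Attempt $attempt/30: OpenBao not ready yet, waiting..."
    sleep 2
  done
  die "❌ Cannot connect to OpenBao at $OPENBAO_ADDR"
}

#######################################
# Confirm the configured token is accepted by the server.
# sys/health is unauthenticated, so it cannot tell a bad token from a good
# one; lookup-self only succeeds for a valid token.
# Globals:   OPENBAO_ADDR (read)
# Returns:   0 on success; exits 1 if the token is rejected
#######################################
check_token() {
  if ! bao_curl "$OPENBAO_ADDR/v1/auth/token/lookup-self" >/dev/null; then
    die "❌ OpenBao at $OPENBAO_ADDR rejected the configured token"
  fi
}

#######################################
# Enable the transit secrets engine at TRANSIT_PATH if it is not mounted yet.
# Globals:   OPENBAO_ADDR, TRANSIT_PATH (read)
# Returns:   0 on success; exits 1 if the mount cannot be created
#######################################
enable_transit() {
  echo "🔧 Setting up transit secrets engine..."
  # Ask for the existing mount first instead of blindly ignoring the POST
  # error, so a real failure (permissions, bad path) is not swallowed.
  if bao_curl "$OPENBAO_ADDR/v1/sys/mounts/$TRANSIT_PATH" >/dev/null 2>&1; then
    echo "  Transit engine already enabled at $TRANSIT_PATH"
    return 0
  fi
  bao_curl -X POST \
    -H "Content-Type: application/json" \
    -d '{"type":"transit","description":"Transit engine for KMS testing"}' \
    "$OPENBAO_ADDR/v1/sys/mounts/$TRANSIT_PATH" >/dev/null \
    || die "❌ Failed to enable transit engine at $TRANSIT_PATH"
}

#######################################
# Create every key in TEST_KEYS and read each one back.
# Globals:   OPENBAO_ADDR, TRANSIT_PATH, TEST_KEYS (read)
# Returns:   0 on success; exits 1 if a key cannot be read back
#######################################
create_keys() {
  local key_spec key_name key_type key_desc payload
  for key_spec in "${TEST_KEYS[@]}"; do
    IFS=':' read -r key_name key_type key_desc <<<"$key_spec"
    echo "  Creating key: $key_name ($key_type)"
    # Build the body with jq so quotes in the description cannot break the JSON.
    payload=$(jq -cn --arg t "$key_type" --arg d "$key_desc" '{type: $t, description: $d}')
    if ! bao_curl -X POST \
        -H "Content-Type: application/json" \
        -d "$payload" \
        "$OPENBAO_ADDR/v1/$TRANSIT_PATH/keys/$key_name" >/dev/null; then
      echo "  ⚠️ Key $key_name might already exist"
    fi
    # The read-back is the real check: with --fail a 403/404 now fails it.
    if bao_curl "$OPENBAO_ADDR/v1/$TRANSIT_PATH/keys/$key_name" >/dev/null; then
      echo "  ✅ Key $key_name verified"
    else
      die "  ❌ Failed to create/verify key $key_name"
    fi
  done
}

#######################################
# Encrypt a fixed string with test-key-1, decrypt it and compare.
# Globals:   OPENBAO_ADDR, TRANSIT_PATH (read)
# Returns:   0 on success; exits 1 on any mismatch or API error
#######################################
test_round_trip() {
  local plaintext="Hello, SeaweedFS KMS Integration!"
  local plaintext_b64 encrypt_response ciphertext
  local decrypt_response decrypted_b64 decrypted
  echo "🧪 Testing basic encryption/decryption..."
  echo "  Testing with key: test-key-1"

  # printf rather than `echo -n` (not portable); strip base64 line wrapping
  # so the value is a single JSON string.
  plaintext_b64=$(printf '%s' "$plaintext" | base64 | tr -d '\n')

  encrypt_response=$(bao_curl -X POST \
    -H "Content-Type: application/json" \
    -d "$(jq -cn --arg p "$plaintext_b64" '{plaintext: $p}')" \
    "$OPENBAO_ADDR/v1/$TRANSIT_PATH/encrypt/test-key-1") || encrypt_response=""
  # `// empty` maps a missing or null field to "", and a non-JSON body to a
  # jq error that we turn into "" as well, so one emptiness check covers all.
  ciphertext=$(jq -r '.data.ciphertext // empty' <<<"$encrypt_response" 2>/dev/null || true)
  if [[ -z "$ciphertext" ]]; then
    printf '  ❌ Encryption test failed\n  Response: %s\n' "$encrypt_response" >&2
    exit 1
  fi
  echo "  ✅ Encryption successful: ${ciphertext:0:50}..."

  decrypt_response=$(bao_curl -X POST \
    -H "Content-Type: application/json" \
    -d "$(jq -cn --arg c "$ciphertext" '{ciphertext: $c}')" \
    "$OPENBAO_ADDR/v1/$TRANSIT_PATH/decrypt/test-key-1") || decrypt_response=""
  decrypted_b64=$(jq -r '.data.plaintext // empty' <<<"$decrypt_response" 2>/dev/null || true)
  decrypted=$(base64 -d <<<"$decrypted_b64" 2>/dev/null || true)
  if [[ "$decrypted" != "$plaintext" ]]; then
    printf '  ❌ Decryption test failed\n  Expected: %s\n  Got: %s\n' \
      "$plaintext" "$decrypted" >&2
    exit 1
  fi
  echo "  ✅ Decryption successful: $decrypted"
}

#######################################
# Print the setup summary and usage hints.
# Globals:   OPENBAO_ADDR, TRANSIT_PATH, TEST_KEYS (read)
#######################################
print_summary() {
  # Unquoted here-doc: variables expand, and `\\` yields one backslash.
  cat <<EOF
OpenBao KMS setup summary:
  Address: $OPENBAO_ADDR
  Transit Path: $TRANSIT_PATH
  Keys Created: ${#TEST_KEYS[@]}
  Status: Ready for integration testing

🎯 Ready to run KMS integration tests!

Usage:
  # Run Go integration tests
  go test -v ./test/kms/...

  # Run with Docker Compose
  cd test/kms && docker-compose up -d
  docker-compose exec openbao bao status

  # Test S3 API with encryption
  aws s3api put-bucket-encryption \\
    --endpoint-url http://localhost:8333 \\
    --bucket test-bucket \\
    --server-side-encryption-configuration file://bucket-encryption.json

✅ OpenBao KMS setup complete!
EOF
}

#######################################
# Entry point: run every setup step in order.
#######################################
main() {
  command -v curl >/dev/null || die "curl is required"
  command -v jq >/dev/null || die "jq is required"
  echo "Setting up OpenBao for KMS integration testing..."
  echo "OpenBao Address: $OPENBAO_ADDR"
  echo "Transit Path: $TRANSIT_PATH"
  echo "⏳ Waiting for OpenBao to be ready..."
  wait_for_openbao
  check_token
  enable_transit
  echo "Creating test encryption keys..."
  create_keys
  test_round_trip
  print_summary
}

main "$@"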