Initial set of AWS KMS tests (#444)

* Initial set of AWS KMS tests * rename temp file in kms test * Skip AWS KMS functional tests if env var is unset
getsops · Mar 21, 2019 · 51503b5 · 51503b5
1 parent c3c3b7c
commit 51503b5
Showing 1 changed file with 79 additions and 0 deletions.
diff --git a/functional-tests/src/lib.rs b/functional-tests/src/lib.rs
@@ -13,13 +13,15 @@ mod tests {
     extern crate serde_json;
     extern crate serde_yaml;
 
+    use std::env;
     use std::fs::File;
     use std::io::{Write, Read};
     use tempdir::TempDir;
     use std::process::Command;
     use serde_yaml::Value;
     use std::path::Path;
     const SOPS_BINARY_PATH: &'static str = "./sops";
+    const KMS_KEY: &'static str = "FUNCTIONAL_TEST_KMS_ARN";
 
     macro_rules! assert_encrypted {
         ($object:expr, $key:expr) => {
@@ -72,6 +74,43 @@ mod tests {
         }
     }
 
+    #[test]
+    fn encrypt_json_file_kms() {
+	let kms_arn = match env::var(KMS_KEY) {
+	    Ok(val) => val,
+	    _ => "".to_string(),
+	};
+        if kms_arn == "" {
+            return;
+        }
+
+        let file_path = prepare_temp_file("test_encrypt_kms.json",
+                                          b"{
+    \"foo\": 2,
+    \"bar\": \"baz\"
+}");
+
+        let output = Command::new(SOPS_BINARY_PATH)
+            .arg("--kms")
+            .arg(kms_arn)
+            .arg("-e")
+            .arg(file_path.clone())
+            .output()
+            .expect("Error running sops");
+        assert!(output.status.success(), "sops didn't exit successfully");
+        let json = &String::from_utf8_lossy(&output.stdout);
+        let data: Value = serde_json::from_str(json).expect("Error parsing sops's JSON output");
+        match data.into() {
+            Value::Mapping(m) => {
+                assert!(m.get(&Value::String("sops".to_owned())).is_some(),
+                        "sops metadata branch not found");
+                assert_encrypted!(&m, Value::String("foo".to_owned()));
+                assert_encrypted!(&m, Value::String("bar".to_owned()));
+            }
+            _ => panic!("sops's JSON output is not an object"),
+        }
+    }
+
     #[test]
     fn encrypt_yaml_file() {
         let file_path = prepare_temp_file("test_encrypt.yaml",
@@ -410,6 +449,46 @@ b: ba"#
         assert_eq!(output.stdout, data);
     }
 
+    #[test]
+    fn roundtrip_kms_encryption_context() {
+	let kms_arn = match env::var(KMS_KEY) {
+	    Ok(val) => val,
+	    _ => "".to_string(),
+	};
+        if kms_arn == "" {
+            return;
+        }
+
+        let file_path = prepare_temp_file("test_roundtrip_kms_encryption_context.json",
+                                          b"{
+    \"foo\": 2,
+    \"bar\": \"baz\"
+}");
+
+        let output = Command::new(SOPS_BINARY_PATH)
+            .arg("--kms")
+            .arg(kms_arn)
+            .arg("--encryption-context")
+            .arg("foo:bar,one:two")
+            .arg("-i")
+            .arg("-e")
+            .arg(file_path.clone())
+            .output()
+            .expect("Error running sops");
+        assert!(output.status.success(), "sops didn't exit successfully");
+
+        let output = Command::new(SOPS_BINARY_PATH)
+            .arg("-d")
+            .arg(file_path.clone())
+            .output()
+            .expect("Error running sops");
+        assert!(output.status
+                    .success(),
+                "SOPS failed to decrypt a file with KMS Encryption Context");
+        assert!(String::from_utf8_lossy(&output.stdout).contains("foo"));
+        assert!(String::from_utf8_lossy(&output.stdout).contains("baz"));
+    }
+
     #[test]
     fn output_flag() {
         let input_path = prepare_temp_file("test_output_flag.binary", b"foo");