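#!/bin/bash
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
################################################################################

set -euo pipefail

#############################################################################
# Tests for encrypted keyset python example.
#
# Arguments:
#   $1 - command that runs the example CLI
#   $2 - URI of the key-encryption key (KEK)
#   $3 - path to the GCP credential file
# Environment (read): TEST_SRCDIR, TEST_TMPDIR
#############################################################################

if (( $# < 3 )); then
  echo "Usage: $0 <cli> <kek_uri> <gcp_credential_file>" >&2
  exit 1
fi

CLI="$1"
KEK_URI="$2"
CREDENTIAL_FILE="$3"

# Root certificates for GRPC.
# Reference:
# https://github.com/grpc/grpc/blob/master/doc/environment_variables.md
export GRPC_DEFAULT_SSL_ROOTS_FILE_PATH="${TEST_SRCDIR}/google_root_pem/file/downloaded"

DATA_FILE="${TEST_TMPDIR}/example_data.txt"
KEYSET_FILE="${TEST_TMPDIR}/example_encrypted_keyset.json"

echo "This is some plaintext to be encrypted." > "${DATA_FILE}"

#############################################################################

# A helper function for getting the return code of a command that may fail
# Temporarily disables error safety and stores return value in ${TEST_STATUS}
# Usage:
# % test_command somecommand some args
# % echo ${TEST_STATUS}
test_command() {
  set +e
  "$@"
  TEST_STATUS=$?
  set -e
}

print_test() {
  echo "+++ Starting test $1..."
}

# Runs the CLI in mode $1 with the keyset, KEK and credential flags shared by
# every test, followed by any extra flags. The exit status ends up in
# ${TEST_STATUS} (see test_command).
run_cli() {
  local mode="$1"
  shift
  # ${CLI} is left unquoted exactly as before, so a multi-word CLI value keeps
  # working. NOTE(review): quote it if callers always pass a single path.
  # shellcheck disable=SC2086
  test_command ${CLI} --mode "${mode}" --keyset_path "${KEYSET_FILE}" \
    --kek_uri "${KEK_URI}" --gcp_credential_path "${CREDENTIAL_FILE}" "$@"
}

# Compares ${TEST_STATUS} with the expected status $1; prints the success
# text $2 on a match, otherwise prints the failure text $3 and exits 1.
check_status() {
  local expected="$1"
  local ok_msg="$2"
  local fail_msg="$3"
  if (( TEST_STATUS == expected )); then
    echo "+++ Success: ${ok_msg}"
  else
    echo "--- Failure: ${fail_msg}"
    exit 1
  fi
}

# Fails the test unless the decrypted file is byte-identical to the plaintext.
check_round_trip() {
  if cmp -s "${DATA_FILE}" "${DATA_FILE}.decrypted"; then
    echo "+++ Success: file content is the same after decryption."
  else
    echo "--- Failure: file content is not the same after decryption."
    exit 1
  fi
}

# Deletes the given artifacts of an earlier test. Without this, a CLI run that
# exits 0 but writes nothing would still pass the content comparison, because
# the file left behind by the previous test already matches the plaintext.
remove_stale() {
  rm -f -- "$@"
}

#############################################################################

print_test "generate"

# Run key generation
run_cli generate
check_status 0 "key file was generated and encrypted." \
  "could not generate or encrypt key file."

#############################################################################

print_test "encrypt"

# Run encryption
remove_stale "${DATA_FILE}.encrypted"
run_cli encrypt \
  --input_path "${DATA_FILE}" --output_path "${DATA_FILE}.encrypted"
check_status 0 "file was encrypted." "could not encrypt file."

#############################################################################

print_test "decrypt"

# Run decryption
remove_stale "${DATA_FILE}.decrypted"
run_cli decrypt \
  --input_path "${DATA_FILE}.encrypted" --output_path "${DATA_FILE}.decrypted"
check_status 0 "file was successfully decrypted." "could not decrypt file."
check_round_trip

#############################################################################

print_test "encrypt_decrypt_with_associated_data"

# Run encryption
ASSOCIATED_DATA="contextual data"
remove_stale "${DATA_FILE}.encrypted" "${DATA_FILE}.decrypted"
run_cli encrypt \
  --input_path "${DATA_FILE}" \
  --output_path "${DATA_FILE}.encrypted" \
  --associated_data "${ASSOCIATED_DATA}"
check_status 0 "file was encrypted." "could not encrypt file."

# Run decryption
run_cli decrypt \
  --input_path "${DATA_FILE}.encrypted" \
  --output_path "${DATA_FILE}.decrypted" \
  --associated_data "${ASSOCIATED_DATA}"
check_status 0 "file was successfully decrypted." "could not decrypt file."
check_round_trip

#############################################################################

print_test "encrypt_decrypt_fails_with_modified_associated_data"

# Run encryption
ASSOCIATED_DATA="contextual data"
remove_stale "${DATA_FILE}.encrypted" "${DATA_FILE}.decrypted"
run_cli encrypt \
  --input_path "${DATA_FILE}" --output_path "${DATA_FILE}.encrypted" \
  --associated_data "${ASSOCIATED_DATA}"
check_status 0 "file was encrypted." "could not encrypt file."

# Run decryption
MODIFIED_ASSOCIATED_DATA="modified contextual data"
run_cli decrypt \
  --input_path "${DATA_FILE}.encrypted" \
  --output_path "${DATA_FILE}.decrypted" \
  --associated_data "${MODIFIED_ASSOCIATED_DATA}"

# Only exit status 1 counts as the expected rejection; any other non-zero
# status (for example death by signal) is reported as a test failure.
check_status 1 "decryption failed as expected." \
  "decryption succeeded but expected to fail."

# A rejected ciphertext must not release plaintext: the stale output was
# removed above, so a matching file here can only come from the failed run.
if cmp -s "${DATA_FILE}" "${DATA_FILE}.decrypted"; then
  echo "--- Failure: plaintext was written although decryption failed."
  exit 1
fi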