pax_global_header00006660000000000000000000000064146162466000014517gustar00rootroot0000000000000052 comment=62c0e104bf5d1e1db0a661cbb7f3d7f0707c070b tink-go-awskms-2.1.0/000077500000000000000000000000001461624660000143725ustar00rootroot00000000000000tink-go-awskms-2.1.0/.bazelversion000066400000000000000000000000061461624660000170720ustar00rootroot000000000000006.4.0 tink-go-awskms-2.1.0/BUILD.bazel000066400000000000000000000012121461624660000162440ustar00rootroot00000000000000load("@io_bazel_rules_go//go:def.bzl", "nogo") load("@bazel_gazelle//:def.bzl", "gazelle") package(default_visibility = ["//:__subpackages__"]) licenses(["notice"]) nogo( name = "tink_nogo", vet = True, visibility = ["//visibility:public"], ) # gazelle:prefix github.com/tink-crypto/tink-go-awskms/v2 # gazelle:exclude proto/*.proto gazelle( name = "gazelle", args = [ "-go_naming_convention=import_alias", ], ) gazelle( name = "gazelle-update-repos", args = [ "-from_file=go.mod", "-to_macro=deps.bzl%tink_go_awskms_dependencies", "-prune", ], command = "update-repos", ) tink-go-awskms-2.1.0/LICENSE000066400000000000000000000261361461624660000154070ustar00rootroot00000000000000 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. tink-go-awskms-2.1.0/MODULE.bazel000066400000000000000000000013121461624660000163730ustar00rootroot00000000000000module( name = "tink-go-awskms", version = "2.0.0", ) bazel_dep( name = "platforms", version = "0.0.8", ) bazel_dep( name = "rules_go", version = "0.44.2", repo_name = "io_bazel_rules_go" ) bazel_dep( name = "gazelle", version = "0.35.0", repo_name = "bazel_gazelle" ) go_sdk = use_extension("@io_bazel_rules_go//go:extensions.bzl", "go_sdk") go_sdk.download(version = "1.21.8") go_sdk.nogo(nogo = "@//:tink_nogo") go_sdk.host() go_deps = use_extension("@bazel_gazelle//:extensions.bzl", "go_deps") go_deps.from_file(go_mod = "//:go.mod") # Direct Go dependencies. use_repo( go_deps, "com_github_tink_crypto_tink_go_v2", "com_github_aws_aws_sdk_go", ) tink-go-awskms-2.1.0/README.md000066400000000000000000000041311461624660000156500ustar00rootroot00000000000000# Tink Go AWS KMS extension [tink_go_awskms_bazel_badge_gcp_ubuntu]: https://storage.googleapis.com/tink-kokoro-build-badges/tink-go-awskms-bazel-gcp-ubuntu.svg [tink_go_awskms_gomod_badge_gcp_ubuntu]: https://storage.googleapis.com/tink-kokoro-build-badges/tink-go-awskms-gomod-gcp-ubuntu.svg [tink_go_awskms_bazel_badge_macos]: https://storage.googleapis.com/tink-kokoro-build-badges/tink-go-awskms-bazel-macos-external.svg [tink_go_awskms_gomod_badge_macos]: https://storage.googleapis.com/tink-kokoro-build-badges/tink-go-awskms-gomod-macos-external.svg **Test** | **GCP Ubuntu** | **MacOS** ------------ | -------------------------------------------------------------- | --------- Tink (Bazel) | [![Bazel_GcpUbuntu][tink_go_awskms_bazel_badge_gcp_ubuntu]](#) | [![Bazel_MacOs][tink_go_awskms_bazel_badge_macos]](#) Tink (Gomod) | [![Gomod_GcpUbuntu][tink_go_awskms_gomod_badge_gcp_ubuntu]](#) | [![Gomod_MacOs][tink_go_awskms_gomod_badge_macos]](#) This is an extension to the [Tink Go](https://github.com/tink-crypto/tink-go) library that provides support for AWS KMS. The official documentation is available at https://developers.google.com/tink. ## Contact and mailing list If you want to contribute, please read [CONTRIBUTING](docs/CONTRIBUTING.md) and send us pull requests. You can also report bugs or file feature requests. If you'd like to talk to the developers or get notified about major product updates, you may want to subscribe to our [mailing list](https://groups.google.com/forum/#!forum/tink-users). ## Maintainers Tink is maintained by (A-Z): - Moreno Ambrosin - Taymon Beal - William Conner - Thomas Holenstein - Stefan Kölbl - Charles Lee - Cindy Lin - Fernando Lobato Meeser - Ioana Nedelcu - Sophie Schmieg - Elizaveta Tretiakova - Jürg Wullschleger Alumni: - Haris Andrianakis - Daniel Bleichenbacher - Tanuj Dhir - Thai Duong - Atul Luykx - Rafael Misoczki - Quan Nguyen - Bartosz Przydatek - Enzo Puig - Laurent Simon - Veronika Slívová - Paula Vidas tink-go-awskms-2.1.0/WORKSPACE000066400000000000000000000024671461624660000156640ustar00rootroot00000000000000workspace(name = "tink_go_awskms") load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") # Release from 2023-12-21 http_archive( name = "io_bazel_rules_go", integrity = "sha256-gKmCd60TEdrNg3+bFttiiHcC6fHRxMn3ltASGkbI4YQ=", urls = [ "https://mirror.bazel.build/github.com/bazelbuild/rules_go/releases/download/v0.46.0/rules_go-v0.46.0.zip", "https://github.com/bazelbuild/rules_go/releases/download/v0.46.0/rules_go-v0.46.0.zip", ], ) # Release from 2023-12-21 http_archive( name = "bazel_gazelle", integrity = "sha256-MpOL2hbmcABjA1R5Bj2dJMYO2o15/Uc5Vj9Q0zHLMgk=", urls = [ "https://mirror.bazel.build/github.com/bazelbuild/bazel-gazelle/releases/download/v0.35.0/bazel-gazelle-v0.35.0.tar.gz", "https://github.com/bazelbuild/bazel-gazelle/releases/download/v0.35.0/bazel-gazelle-v0.35.0.tar.gz", ], ) # Tink Go AWS KMS Deps. load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies") load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_dependencies") load("//:deps.bzl", "tink_go_awskms_dependencies") # gazelle:repository_macro deps.bzl%tink_go_awskms_dependencies tink_go_awskms_dependencies() go_rules_dependencies() go_register_toolchains( nogo = "@//:tink_nogo", version = "1.21.8", ) gazelle_dependencies() tink-go-awskms-2.1.0/WORKSPACE.bzlmod000066400000000000000000000001161461624660000171370ustar00rootroot00000000000000# This replaces the content of the WORKSPACE file when using --enable_bzlmod. tink-go-awskms-2.1.0/deps.bzl000066400000000000000000000101161461624660000160350ustar00rootroot00000000000000"""Tink Go AWS-KMS dependencies.""" load("@bazel_gazelle//:deps.bzl", "go_repository") # Placeholder for internal instructions to autogenerate dependencies. def tink_go_awskms_dependencies(): """Loads Tink Go AWS-KMS dependencies. These are autogenerated running `go mod tidy && bazel run //:gazelle-update-repos`. """ go_repository( name = "com_github_aws_aws_sdk_go", importpath = "github.com/aws/aws-sdk-go", sum = "h1:Rl8KW6HqkwzhATwvXhyr7vD4JFUMi7oXGAw9SrxxIFY=", version = "v1.49.21", ) go_repository( name = "com_github_davecgh_go_spew", importpath = "github.com/davecgh/go-spew", sum = "h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=", version = "v1.1.0", ) go_repository( name = "com_github_golang_protobuf", importpath = "github.com/golang/protobuf", sum = "h1:LUVKkCeviFUMKqHa4tXIIij/lbhnMbP7Fn5wKdKkRh4=", version = "v1.5.0", ) go_repository( name = "com_github_google_go_cmp", importpath = "github.com/google/go-cmp", sum = "h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=", version = "v0.6.0", ) go_repository( name = "com_github_jmespath_go_jmespath", importpath = "github.com/jmespath/go-jmespath", sum = "h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=", version = "v0.4.0", ) go_repository( name = "com_github_jmespath_go_jmespath_internal_testify", importpath = "github.com/jmespath/go-jmespath/internal/testify", sum = "h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=", version = "v1.5.1", ) go_repository( name = "com_github_pmezard_go_difflib", importpath = "github.com/pmezard/go-difflib", sum = "h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=", version = "v1.0.0", ) go_repository( name = "com_github_stretchr_objx", importpath = "github.com/stretchr/objx", sum = "h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=", version = "v0.1.0", ) go_repository( name = "com_github_tink_crypto_tink_go_v2", importpath = "github.com/tink-crypto/tink-go/v2", sum = "h1:QXFBguwMwTIaU17EgZpEJWsUSc60b1BAGTzBIoMdmok=", version = "v2.1.0", ) go_repository( name = "in_gopkg_check_v1", importpath = "gopkg.in/check.v1", sum = "h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=", version = "v0.0.0-20161208181325-20d25e280405", ) go_repository( name = "in_gopkg_yaml_v2", importpath = "gopkg.in/yaml.v2", sum = "h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=", version = "v2.2.8", ) go_repository( name = "org_golang_google_protobuf", importpath = "google.golang.org/protobuf", sum = "h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=", version = "v1.33.0", ) go_repository( name = "org_golang_x_crypto", importpath = "golang.org/x/crypto", sum = "h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=", version = "v0.17.0", ) go_repository( name = "org_golang_x_net", importpath = "golang.org/x/net", sum = "h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=", version = "v0.17.0", ) go_repository( name = "org_golang_x_sys", importpath = "golang.org/x/sys", sum = "h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=", version = "v0.15.0", ) go_repository( name = "org_golang_x_term", importpath = "golang.org/x/term", sum = "h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=", version = "v0.15.0", ) go_repository( name = "org_golang_x_text", importpath = "golang.org/x/text", sum = "h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=", version = "v0.14.0", ) go_repository( name = "org_golang_x_xerrors", importpath = "golang.org/x/xerrors", sum = "h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=", version = "v0.0.0-20191204190536-9bdfabe68543", ) tink-go-awskms-2.1.0/docs/000077500000000000000000000000001461624660000153225ustar00rootroot00000000000000tink-go-awskms-2.1.0/docs/CONTRIBUTING.md000066400000000000000000000002151461624660000175510ustar00rootroot00000000000000# How to contribute Please see the [developer documentation](https://developers.google.com/tink/contributing) on how to contribute to Tink. tink-go-awskms-2.1.0/docs/SECURITY.md000066400000000000000000000004131461624660000171110ustar00rootroot00000000000000To report a security issue, please use http://g.co/vulnz. We use http://g.co/vulnz for our intake and coordination, and disclose vulnerabilities using GitHub Security Advisory. The Google Security Team will respond within 5 working days of your report on g.co/vulnz. tink-go-awskms-2.1.0/go.mod000066400000000000000000000005241461624660000155010ustar00rootroot00000000000000module github.com/tink-crypto/tink-go-awskms/v2 go 1.21 require ( github.com/aws/aws-sdk-go v1.49.21 github.com/tink-crypto/tink-go/v2 v2.1.0 ) require ( github.com/jmespath/go-jmespath v0.4.0 // indirect golang.org/x/crypto v0.17.0 // indirect golang.org/x/sys v0.15.0 // indirect google.golang.org/protobuf v1.33.0 // indirect ) tink-go-awskms-2.1.0/go.sum000066400000000000000000000040641461624660000155310ustar00rootroot00000000000000github.com/aws/aws-sdk-go v1.49.21 h1:Rl8KW6HqkwzhATwvXhyr7vD4JFUMi7oXGAw9SrxxIFY= github.com/aws/aws-sdk-go v1.49.21/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/tink-crypto/tink-go/v2 v2.1.0 h1:QXFBguwMwTIaU17EgZpEJWsUSc60b1BAGTzBIoMdmok= github.com/tink-crypto/tink-go/v2 v2.1.0/go.mod h1:y1TnYFt1i2eZVfx4OGc+C+EMp4CoKWAw2VSEuoicHHI= golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= tink-go-awskms-2.1.0/integration/000077500000000000000000000000001461624660000167155ustar00rootroot00000000000000tink-go-awskms-2.1.0/integration/awskms/000077500000000000000000000000001461624660000202225ustar00rootroot00000000000000tink-go-awskms-2.1.0/integration/awskms/BUILD.bazel000066400000000000000000000027151461624660000221050ustar00rootroot00000000000000load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") package(default_visibility = ["//:__subpackages__"]) licenses(["notice"]) # keep go_library( name = "awskms", srcs = [ "aws_kms_aead.go", "aws_kms_client.go", ], importpath = "github.com/tink-crypto/tink-go-awskms/v2/integration/awskms", visibility = ["//visibility:public"], deps = [ "@com_github_aws_aws_sdk_go//aws", "@com_github_aws_aws_sdk_go//aws/credentials", "@com_github_aws_aws_sdk_go//aws/session", "@com_github_aws_aws_sdk_go//service/kms", "@com_github_aws_aws_sdk_go//service/kms/kmsiface", "@com_github_tink_crypto_tink_go_v2//core/registry", "@com_github_tink_crypto_tink_go_v2//tink", ], ) go_test( name = "awskms_test", srcs = [ "aws_kms_client_test.go", "aws_kms_integration_test.go", ], data = [ "//testdata/aws:credentials", ], embed = [":awskms"], tags = [ "manual", "no_rbe", ], deps = [ "//integration/awskms/internal/fakeawskms", "@com_github_aws_aws_sdk_go//aws", "@com_github_aws_aws_sdk_go//service/kms", "@com_github_tink_crypto_tink_go_v2//aead", "@com_github_tink_crypto_tink_go_v2//core/registry", "@com_github_tink_crypto_tink_go_v2//tink", ], ) alias( name = "go_default_library", actual = ":awskms", visibility = ["//visibility:public"], ) tink-go-awskms-2.1.0/integration/awskms/aws_kms_aead.go000066400000000000000000000050121461624660000231650ustar00rootroot00000000000000// Copyright 2017 Google Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // Package awskms provides integration with the AWS Key Management Service. package awskms import ( "encoding/hex" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/kms" "github.com/aws/aws-sdk-go/service/kms/kmsiface" ) // AWSAEAD is an implementation of the AEAD interface which performs // cryptographic operations remotely via the AWS KMS service using a specific // key URI. type AWSAEAD struct { keyURI string kms kmsiface.KMSAPI encryptionContextName EncryptionContextName } // newAWSAEAD returns a new AWSAEAD instance. // // keyURI must have the following format: // // aws-kms://arn::kms::[] // // See http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html. func newAWSAEAD(keyURI string, kms kmsiface.KMSAPI, name EncryptionContextName) *AWSAEAD { return &AWSAEAD{ keyURI: keyURI, kms: kms, encryptionContextName: name, } } // Encrypt encrypts the plaintext with associatedData. func (a *AWSAEAD) Encrypt(plaintext, associatedData []byte) ([]byte, error) { req := &kms.EncryptInput{ KeyId: aws.String(a.keyURI), Plaintext: plaintext, } if len(associatedData) > 0 { ad := hex.EncodeToString(associatedData) req.EncryptionContext = map[string]*string{a.encryptionContextName.String(): &ad} } resp, err := a.kms.Encrypt(req) if err != nil { return nil, err } return resp.CiphertextBlob, nil } // Decrypt decrypts the ciphertext and verifies the associated data. func (a *AWSAEAD) Decrypt(ciphertext, associatedData []byte) ([]byte, error) { req := &kms.DecryptInput{ KeyId: aws.String(a.keyURI), CiphertextBlob: ciphertext, } if len(associatedData) > 0 { ad := hex.EncodeToString(associatedData) req.EncryptionContext = map[string]*string{a.encryptionContextName.String(): &ad} } resp, err := a.kms.Decrypt(req) if err != nil { return nil, err } return resp.Plaintext, nil } tink-go-awskms-2.1.0/integration/awskms/aws_kms_client.go000066400000000000000000000271311461624660000235570ustar00rootroot00000000000000// Copyright 2017 Google Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package awskms import ( "encoding/csv" "errors" "fmt" "os" "regexp" "strconv" "strings" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/credentials" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/kms" "github.com/aws/aws-sdk-go/service/kms/kmsiface" "github.com/tink-crypto/tink-go/v2/core/registry" "github.com/tink-crypto/tink-go/v2/tink" ) const ( awsPrefix = "aws-kms://" ) var ( errCred = errors.New("invalid credential path") errBadFile = errors.New("cannot open credential path") errCredCSV = errors.New("malformed credential CSV file") ) // awsClient is a wrapper around an AWS SDK provided KMS client that can // instantiate Tink primitives. type awsClient struct { keyURIPrefix string kms kmsiface.KMSAPI encryptionContextName EncryptionContextName } // ClientOption is an interface for defining options that are passed to // [NewClientWithOptions]. type ClientOption interface{ set(*awsClient) error } type option func(*awsClient) error func (o option) set(a *awsClient) error { return o(a) } // WithCredentialPath instantiates the underlying AWS KMS client using the // credentials located at credentialPath. // // credentialPath can specify a file in CSV format as provided in the IAM // console or an INI-style credentials file. // // See https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-user.html#cli-authentication-user-configure-csv // and https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-format. func WithCredentialPath(credentialPath string) ClientOption { return option(func(a *awsClient) error { if a.kms != nil { return errors.New("WithCredentialPath option cannot be used, KMS client already set") } k, err := getKMSFromCredentialPath(a.keyURIPrefix, credentialPath) if err != nil { return err } a.kms = k return nil }) } // WithKMS sets the underlying AWS KMS client to kms, a preexisting AWS KMS // client instance. // // It's the callers responsibility to ensure that the configured region of kms // aligns with the region in key URIs passed to this client. Otherwise, API // requests will fail. func WithKMS(kms kmsiface.KMSAPI) ClientOption { return option(func(a *awsClient) error { if a.kms != nil { return errors.New("WithKMS option cannot be used, KMS client already set") } a.kms = kms return nil }) } // EncryptionContextName specifies the name used in the EncryptionContext field // of EncryptInput and DecryptInput requests. See [WithEncryptionContextName] // for further details. type EncryptionContextName uint const ( // AssociatedData will set the EncryptionContext name to "associatedData". AssociatedData EncryptionContextName = 1 + iota // LegacyAdditionalData will set the EncryptionContext name to "additionalData". LegacyAdditionalData ) var encryptionContextNames = map[EncryptionContextName]string{ AssociatedData: "associatedData", LegacyAdditionalData: "additionalData", } func (n EncryptionContextName) valid() bool { _, ok := encryptionContextNames[n] return ok } func (n EncryptionContextName) String() string { if !n.valid() { return "unrecognized value " + strconv.Itoa(int(n)) } return encryptionContextNames[n] } // WithEncryptionContextName sets the name which maps to the base64 encoded // associated data within the EncryptionContext field of EncrypInput and // DecryptInput requests. // // The default is [AssociatedData], which is compatible with the Tink AWS KMS // extensions in other languages. In older versions of this packge, before this // option was present, "additionalData" was hardcoded. // // This option is provided to facilitate compatibility with older ciphertexts. func WithEncryptionContextName(name EncryptionContextName) ClientOption { return option(func(a *awsClient) error { if !name.valid() { return fmt.Errorf("invalid EncryptionContextName: %v", name) } if a.encryptionContextName != 0 { return errors.New("encryptionContextName already set") } a.encryptionContextName = name return nil }) } // NewClientWithOptions returns a [registry.KMSClient] which wraps an AWS KMS // client and will handle keys whose URIs start with uriPrefix. // // By default, the client will use default credentials. // // AEAD primitives produced by this client will use [AssociatedData] when // serializing associated data. func NewClientWithOptions(uriPrefix string, opts ...ClientOption) (registry.KMSClient, error) { if !strings.HasPrefix(strings.ToLower(uriPrefix), awsPrefix) { return nil, fmt.Errorf("uriPrefix must start with %q, but got %q", awsPrefix, uriPrefix) } a := &awsClient{ keyURIPrefix: uriPrefix, } // Process options, if any. for _, opt := range opts { if err := opt.set(a); err != nil { return nil, fmt.Errorf("failed setting option: %v", err) } } // Populate values not defined via options. if a.kms == nil { k, err := getKMS(uriPrefix) if err != nil { return nil, err } a.kms = k } if a.encryptionContextName == 0 { a.encryptionContextName = AssociatedData } return a, nil } // NewClient returns a KMSClient backed by AWS KMS using default credentials to // handle keys whose URIs start with uriPrefix. // // uriPrefix must have the following format: // // aws-kms://arn::kms::[] // // See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html // // AEAD primitives produced by this client will use [LegacyAdditionalData] when // serializing associated data. // // Deprecated: Instead, use [NewClientWithOptions]. // // awskms.NewClientWithOptions(uriPrefix) func NewClient(uriPrefix string) (registry.KMSClient, error) { return NewClientWithOptions(uriPrefix, WithEncryptionContextName(LegacyAdditionalData)) } // NewClientWithCredentials returns a KMSClient backed by AWS KMS using the given // credentials to handle keys whose URIs start with uriPrefix. // // uriPrefix must have the following format: // // aws-kms://arn::kms::[] // // See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html // // credentialPath can specify a file in CSV format as provided in the IAM // console or an INI-style credentials file. // // See https://docs.aws.amazon.com/cli/latest/userguide/cli-authentication-user.html#cli-authentication-user-configure-csv // and https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-format. // // AEAD primitives produced by this client will use [LegacyAdditionalData] when // serializing associated data. // // Deprecated: Instead use [NewClientWithOptions] and [WithCredentialPath]. // // awskms.NewClientWithOptions(uriPrefix, awskms.WithCredentialPath(credentialPath)) func NewClientWithCredentials(uriPrefix string, credentialPath string) (registry.KMSClient, error) { return NewClientWithOptions(uriPrefix, WithCredentialPath(credentialPath), WithEncryptionContextName(LegacyAdditionalData)) } // NewClientWithKMS returns a KMSClient backed by AWS KMS using the provided // instance of the AWS SDK KMS client. // // The caller is responsible for ensuring that the region specified in the KMS // client is consitent with the region specified within uriPrefix. // // uriPrefix must have the following format: // // aws-kms://arn::kms::[] // // See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html // // AEAD primitives produced by this client will use [LegacyAdditionalData] when // serializing associated data. // // Deprecated: Instead use [NewClientWithOptions] and [WithKMS]. // // awskms.NewClientWithOptions(uriPrefix, awskms.WithKMS(kms)) func NewClientWithKMS(uriPrefix string, kms kmsiface.KMSAPI) (registry.KMSClient, error) { return NewClientWithOptions(uriPrefix, WithKMS(kms), WithEncryptionContextName(LegacyAdditionalData)) } // Supported returns true if keyURI starts with the URI prefix provided when // creating the client. func (c *awsClient) Supported(keyURI string) bool { return strings.HasPrefix(keyURI, c.keyURIPrefix) } // GetAEAD returns an implementation of the AEAD interface which performs // cryptographic operations remotely via AWS KMS using keyURI. // // keyUri must be supported by this client and must have the following format: // // aws-kms://arn::kms:: // // See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html func (c *awsClient) GetAEAD(keyURI string) (tink.AEAD, error) { if !c.Supported(keyURI) { return nil, fmt.Errorf("keyURI must start with prefix %s, but got %s", c.keyURIPrefix, keyURI) } uri := strings.TrimPrefix(keyURI, awsPrefix) return newAWSAEAD(uri, c.kms, c.encryptionContextName), nil } func getKMS(uriPrefix string) (*kms.KMS, error) { r, err := getRegion(uriPrefix) if err != nil { return nil, err } session, err := session.NewSession(&aws.Config{ Region: aws.String(r), }) if err != nil { return nil, err } return kms.New(session), nil } func getKMSFromCredentialPath(uriPrefix string, credentialPath string) (*kms.KMS, error) { r, err := getRegion(uriPrefix) if err != nil { return nil, err } var creds *credentials.Credentials if len(credentialPath) == 0 { return nil, errCred } c, err := extractCredsCSV(credentialPath) switch err { case nil: creds = credentials.NewStaticCredentialsFromCreds(*c) case errBadFile, errCredCSV: return nil, err default: // Fallback to load the credential path as .ini shared credentials. creds = credentials.NewSharedCredentials(credentialPath, "default") } session, err := session.NewSession(&aws.Config{ Credentials: creds, Region: aws.String(r), }) if err != nil { return nil, err } return kms.New(session), nil } // extractCredsCSV extracts credentials from a CSV file. // // A CSV formatted credentials file can be obtained when an AWS IAM user is // created through the IAM console. // // Properties of a properly formatted CSV file: // // 1. The first line consists of the headers: // "User name,Password,Access key ID,Secret access key,Console login link" // 2. The second line contains 5 comma separated values. func extractCredsCSV(file string) (*credentials.Value, error) { f, err := os.Open(file) if err != nil { return nil, errBadFile } defer f.Close() lines, err := csv.NewReader(f).ReadAll() if err != nil { return nil, err } // It is possible that the file is an AWS .ini credential file, and it can be // parsed as 1-column CSV file as well. A real AWS credentials.csv is never 1 column. if len(lines) > 0 && len(lines[0]) == 1 { return nil, errors.New("not a valid CSV credential file") } if len(lines) < 2 { return nil, errCredCSV } if len(lines[1]) < 4 { return nil, errCredCSV } return &credentials.Value{ AccessKeyID: lines[1][2], SecretAccessKey: lines[1][3], }, nil } // getRegion extracts the region from keyURI. func getRegion(keyURI string) (string, error) { re1, err := regexp.Compile(`aws-kms://arn:(aws[a-zA-Z0-9-_]*):kms:([a-z0-9-]+):`) if err != nil { return "", err } r := re1.FindStringSubmatch(keyURI) if len(r) != 3 { return "", errors.New("extracting region from URI failed") } return r[2], nil } tink-go-awskms-2.1.0/integration/awskms/aws_kms_client_test.go000066400000000000000000000342531461624660000246210ustar00rootroot00000000000000// Copyright 2020 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package awskms import ( "bytes" "encoding/hex" "os" "path/filepath" "strings" "testing" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/kms" "github.com/tink-crypto/tink-go/v2/core/registry" "github.com/tink-crypto/tink-go-awskms/v2/integration/awskms/internal/fakeawskms" ) func TestNewClientWithOptions_URIPrefix(t *testing.T) { srcDir, ok := os.LookupEnv("TEST_SRCDIR") if !ok { t.Skip("TEST_SRCDIR not set") } workspaceDir, ok := os.LookupEnv("TEST_WORKSPACE") if !ok { t.Skip("TEST_WORKSPACE not set") } // Necessary for testing deprecated factory functions. credFile := filepath.Join(srcDir, workspaceDir, "testdata/aws/credentials.csv") keyARN := "arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f" fakekms, err := fakeawskms.New([]string{keyARN}) if err != nil { t.Fatalf("fakeawskms.New() failed: %v", err) } tests := []struct { name string uriPrefix string valid bool }{ { name: "AWS partition", uriPrefix: "aws-kms://arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f", valid: true, }, { name: "AWS US government partition", uriPrefix: "aws-kms://arn:aws-us-gov:kms:us-gov-east-1:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f", valid: true, }, { name: "AWS CN partition", uriPrefix: "aws-kms://arn:aws-cn:kms:cn-north-1:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f", valid: true, }, { name: "invalid", uriPrefix: "bad-prefix://arn:aws-cn:kms:cn-north-1:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f", valid: false, }, } for _, test := range tests { t.Run(test.name, func(t *testing.T) { _, err := NewClientWithOptions(test.uriPrefix) if test.valid && err != nil { t.Errorf("NewClientWithOptions(%q) err = %v, want nil", test.uriPrefix, err) } if !test.valid && err == nil { t.Errorf("NewClientWithOptions(%q) err = nil, want error", test.uriPrefix) } // Test deprecated factory functions. _, err = NewClient(test.uriPrefix) if test.valid && err != nil { t.Errorf("NewClient(%q) err = %v, want nil", test.uriPrefix, err) } if !test.valid && err == nil { t.Errorf("NewClient(%q) err = nil, want error", test.uriPrefix) } _, err = NewClientWithCredentials(test.uriPrefix, credFile) if test.valid && err != nil { t.Errorf("NewClientWithCredentialPath(%q, _) err = %v, want nil", test.uriPrefix, err) } if !test.valid && err == nil { t.Errorf("NewClientWithCredentialPath(%q, _) err = nil, want error", test.uriPrefix) } _, err = NewClientWithKMS(test.uriPrefix, fakekms) if test.valid && err != nil { t.Errorf("NewClientWithKMS(%q, _) err = %v, want nil", test.uriPrefix, err) } if !test.valid && err == nil { t.Errorf("NewClientWithKMS(%q, _) err = nil, want error", test.uriPrefix) } }) } } func TestNewClientWithOptions_WithCredentialPath(t *testing.T) { srcDir, ok := os.LookupEnv("TEST_SRCDIR") if !ok { t.Skip("TEST_SRCDIR not set") } workspaceDir, ok := os.LookupEnv("TEST_WORKSPACE") if !ok { t.Skip("TEST_WORKSPACE not set") } uriPrefix := "aws-kms://arn:aws-us-gov:kms:us-gov-east-1:235739564943:key/" tests := []struct { name string credFile string valid bool }{ { name: "valid CSV credentials file", credFile: filepath.Join(srcDir, workspaceDir, "testdata/aws/credentials.csv"), valid: true, }, { name: "valid INI credentials file", credFile: filepath.Join(srcDir, workspaceDir, "testdata/aws/credentials.cred"), valid: true, }, { name: "invalid credentials file", credFile: filepath.Join(srcDir, workspaceDir, "testdata/aws/access_keys_bad.csv"), valid: false, }, } for _, test := range tests { t.Run(test.name, func(t *testing.T) { _, err := NewClientWithOptions(uriPrefix, WithCredentialPath(test.credFile)) if test.valid && err != nil { t.Errorf("NewClientWithOptions(uriPrefix, WithCredentialPath(%q)) err = %v, want nil", test.credFile, err) } if !test.valid && err == nil { t.Errorf("NewClientWithOptions(uriPrefix, WithCredentialPath(%q)) err = nil, want error", test.credFile) } // Test deprecated factory function. _, err = NewClientWithCredentials(uriPrefix, test.credFile) if test.valid && err != nil { t.Errorf("NewClientWithCredentials(uriPrefix, %q) err = %v, want nil", test.credFile, err) } if !test.valid && err == nil { t.Errorf("NewClientWithCredentials(uriPrefix, %q) err = nil, want error", test.credFile) } }) } } func TestNewClientWithOptions_RepeatedWithKMSFails(t *testing.T) { keyARN := "arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f" fakekms, err := fakeawskms.New([]string{keyARN}) if err != nil { t.Fatalf("fakekms.New() failed: %v", err) } _, err = NewClientWithOptions("aws-kms://", WithKMS(fakekms), WithKMS(fakekms)) if err == nil { t.Fatalf("NewClientWithOptions(_, WithKMS(_), WithKMS(_)) err = nil, want error") } } func TestNewClientWithOptions_RepeatedWithEncryptionContextNameFails(t *testing.T) { _, err := NewClientWithOptions("aws-kms://", WithEncryptionContextName(LegacyAdditionalData), WithEncryptionContextName(AssociatedData)) if err == nil { t.Fatalf("NewClientWithOptions(_, WithEncryptionContextName(_), WithEncryptionContextName(_)) err = nil, want error") } } func TestSupported(t *testing.T) { uriPrefix := "aws-kms://arn:aws-us-gov:kms:us-gov-east-1:235739564943:key/" supportedKeyURI := "aws-kms://arn:aws-us-gov:kms:us-gov-east-1:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f" nonSupportedKeyURI := "aws-kms://arn:aws-us-gov:kms:us-gov-east-DOES-NOT-EXIST:key/" client, err := NewClientWithOptions(uriPrefix) if err != nil { t.Fatalf("NewClientWithOptions() failed: %v", err) } if !client.Supported(supportedKeyURI) { t.Errorf("client with URI prefix %q should support key URI %q", uriPrefix, supportedKeyURI) } if client.Supported(nonSupportedKeyURI) { t.Errorf("client with URI prefix %q should NOT support key URI %q", uriPrefix, nonSupportedKeyURI) } } func TestGetAEADSupportedURI(t *testing.T) { uriPrefix := "aws-kms://arn:aws-us-gov:kms:us-gov-east-1:235739564943:key/" supportedKeyURI := "aws-kms://arn:aws-us-gov:kms:us-gov-east-1:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f" client, err := NewClientWithOptions(uriPrefix) if err != nil { t.Fatalf("NewClientWithOptions() failed: %v", err) } _, err = client.GetAEAD(supportedKeyURI) if err != nil { t.Errorf("client with URI prefix %q should support key URI %q", uriPrefix, supportedKeyURI) } } func TestGetAEADEncryptDecrypt(t *testing.T) { keyARN := "arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f" keyURI := "aws-kms://arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f" fakekms, err := fakeawskms.New([]string{keyARN}) if err != nil { t.Fatalf("fakekms.New() failed: %v", err) } client, err := NewClientWithOptions("aws-kms://", WithKMS(fakekms)) if err != nil { t.Fatalf("NewClientWithOptions() failed: %v", err) } a, err := client.GetAEAD(keyURI) if err != nil { t.Fatalf("client.GetAEAD(keyURI) err = %v, want nil", err) } plaintext := []byte("plaintext") associatedData := []byte("associatedData") ciphertext, err := a.Encrypt(plaintext, associatedData) if err != nil { t.Fatalf("a.Encrypt(plaintext, associatedData) err = %v, want nil", err) } decrypted, err := a.Decrypt(ciphertext, associatedData) if err != nil { t.Fatalf("a.Decrypt(ciphertext, associatedData) err = %v, want nil", err) } if !bytes.Equal(decrypted, plaintext) { t.Errorf("decrypted = %q, want %q", decrypted, plaintext) } _, err = a.Decrypt(ciphertext, []byte("invalidAssociatedData")) if err == nil { t.Error("a.Decrypt(ciphertext, []byte(\"invalidAssociatedData\")) err = nil, want error") } _, err = a.Decrypt([]byte("invalidCiphertext"), associatedData) if err == nil { t.Error("a.Decrypt([]byte(\"invalidCiphertext\"), associatedData) err = nil, want error") } } func TestUsesAdditionalDataAsContextName(t *testing.T) { keyARN := "arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f" keyURI := "aws-kms://arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f" fakekms, err := fakeawskms.New([]string{keyARN}) if err != nil { t.Fatalf("fakeawskms.New() failed: %v", err) } client, err := NewClientWithKMS("aws-kms://", fakekms) if err != nil { t.Fatalf("NewClientWithKMS() failed: %v", err) } a, err := client.GetAEAD(keyURI) if err != nil { t.Fatalf("client.GetAEAD(keyURI) failed: %s", err) } plaintext := []byte("plaintext") associatedData := []byte("associatedData") ciphertext, err := a.Encrypt(plaintext, associatedData) if err != nil { t.Fatalf("a.Encrypt(plaintext, associatedData) err = %v, want nil", err) } hexAD := hex.EncodeToString(associatedData) context := map[string]*string{"additionalData": &hexAD} decRequest := &kms.DecryptInput{ KeyId: aws.String(keyARN), CiphertextBlob: ciphertext, EncryptionContext: context, } decResponse, err := fakekms.Decrypt(decRequest) if err != nil { t.Fatalf("fakeKMS.Decrypt(decRequest) err = %s, want nil", err) } if !bytes.Equal(decResponse.Plaintext, plaintext) { t.Errorf("decResponse.Plaintext = %q, want %q", decResponse.Plaintext, plaintext) } if strings.Compare(*decResponse.KeyId, keyARN) != 0 { t.Errorf("decResponse.KeyId = %q, want %q", *decResponse.KeyId, keyARN) } } func TestEncryptionContextName(t *testing.T) { keyARN := "arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f" keyURI := "aws-kms://arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f" fakekms, err := fakeawskms.New([]string{keyARN}) if err != nil { t.Fatalf("fakeawskms.New() failed: %v", err) } tests := []struct { contextName EncryptionContextName wantContextName string }{ { contextName: LegacyAdditionalData, wantContextName: "additionalData", }, { contextName: AssociatedData, wantContextName: "associatedData", }, } for _, test := range tests { t.Run(test.wantContextName, func(t *testing.T) { client, err := NewClientWithOptions("aws-kms://", WithKMS(fakekms), WithEncryptionContextName(test.contextName)) if err != nil { t.Fatalf("NewClientWithOptions() failed: %v", err) } a, err := client.GetAEAD(keyURI) if err != nil { t.Fatalf("client.GetAEAD(keyURI) failed: %s", err) } plaintext := []byte("plaintext") associatedData := []byte("associatedData") ciphertext, err := a.Encrypt(plaintext, associatedData) if err != nil { t.Fatalf("a.Encrypt(plaintext, associatedData) err = %v, want nil", err) } hexAD := hex.EncodeToString(associatedData) context := map[string]*string{test.wantContextName: &hexAD} decRequest := &kms.DecryptInput{ KeyId: aws.String(keyARN), CiphertextBlob: ciphertext, EncryptionContext: context, } decResponse, err := fakekms.Decrypt(decRequest) if err != nil { t.Fatalf("fakeKMS.Decrypt(decRequest) err = %s, want nil", err) } if !bytes.Equal(decResponse.Plaintext, plaintext) { t.Errorf("decResponse.Plaintext = %q, want %q", decResponse.Plaintext, plaintext) } if strings.Compare(*decResponse.KeyId, keyARN) != 0 { t.Errorf("decResponse.KeyId = %q, want %q", *decResponse.KeyId, keyARN) } }) } } func TestEncryptionContextName_defaultEncryptionContextName(t *testing.T) { keyARN := "arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f" keyURI := "aws-kms://arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f" fakekms, err := fakeawskms.New([]string{keyARN}) if err != nil { t.Fatalf("fakeawskms.New() failed: %v", err) } tests := []struct { name string client func(t *testing.T) registry.KMSClient wantContextName string }{ { name: "NewClientWithOptions", client: func(t *testing.T) registry.KMSClient { t.Helper() c, err := NewClientWithOptions(keyURI, WithKMS(fakekms)) if err != nil { t.Fatalf("NewClientWithOptions() failed: %v", err) } return c }, wantContextName: "associatedData", }, // Test deprecated factory function. { name: "NewClientWithKMS", client: func(t *testing.T) registry.KMSClient { t.Helper() c, err := NewClientWithKMS(keyURI, fakekms) if err != nil { t.Fatalf("NewClientWithKMS() failed: %v", err) } return c }, wantContextName: "additionalData", }, } for _, test := range tests { t.Run(test.name, func(t *testing.T) { client := test.client(t) a, err := client.GetAEAD(keyURI) if err != nil { t.Fatalf("client.GetAEAD(keyURI) failed: %s", err) } plaintext := []byte("plaintext") associatedData := []byte("associatedData") ciphertext, err := a.Encrypt(plaintext, associatedData) if err != nil { t.Fatalf("a.Encrypt(plaintext, associatedData) err = %v, want nil", err) } hexAD := hex.EncodeToString(associatedData) context := map[string]*string{test.wantContextName: &hexAD} decRequest := &kms.DecryptInput{ KeyId: aws.String(keyARN), CiphertextBlob: ciphertext, EncryptionContext: context, } decResponse, err := fakekms.Decrypt(decRequest) if err != nil { t.Fatalf("fakeKMS.Decrypt(decRequest) err = %s, want nil", err) } if !bytes.Equal(decResponse.Plaintext, plaintext) { t.Errorf("decResponse.Plaintext = %q, want %q", decResponse.Plaintext, plaintext) } if strings.Compare(*decResponse.KeyId, keyARN) != 0 { t.Errorf("decResponse.KeyId = %q, want %q", *decResponse.KeyId, keyARN) } }) } } tink-go-awskms-2.1.0/integration/awskms/aws_kms_integration_test.go000066400000000000000000000151721461624660000256650ustar00rootroot00000000000000// Copyright 2019 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package awskms_test import ( "bytes" "errors" "os" "path/filepath" "testing" // Placeholder for internal flag import. // context is used to cancel outstanding requests "github.com/tink-crypto/tink-go/v2/aead" "github.com/tink-crypto/tink-go/v2/tink" "github.com/tink-crypto/tink-go-awskms/v2/integration/awskms" ) const ( keyPrefix = "aws-kms://arn:aws:kms:us-east-2:235739564943:" keyAliasURI = "aws-kms://arn:aws:kms:us-east-2:235739564943:alias/unit-and-integration-testing" keyURI = "aws-kms://arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f" keyURI2 = "aws-kms://arn:aws:kms:us-east-2:235739564943:key/b3ca2efd-a8fb-47f2-b541-7e20f8c5cd11" ) var ( credCSVFile = "testdata/aws/credentials.csv" credINIFile = "testdata/aws/credentials.ini" ) // Placeholder for internal initialization. func getTestFilePath(filename string) (string, error) { srcDir, ok := os.LookupEnv("TEST_SRCDIR") if !ok { return "", errors.New("TEST_SRCDIR not set") } workspaceDir, ok := os.LookupEnv("TEST_WORKSPACE") if !ok { return "", errors.New("TEST_WORKSPACE not set") } return filepath.Join(srcDir, workspaceDir, filename), nil } func TestNewClientWithCredentialsGetAEADEncryptDecrypt(t *testing.T) { credFilePath, err := getTestFilePath(credCSVFile) if err != nil { t.Skip(err) } client, err := awskms.NewClientWithOptions(keyURI, awskms.WithCredentialPath(credFilePath)) if err != nil { t.Fatalf("error setting up AWS client: %v", err) } a, err := client.GetAEAD(keyURI) if err != nil { t.Fatalf("client.GetAEAD(keyURI) err = %v, want nil", err) } plaintext := []byte("plaintext") associatedData := []byte("associatedData") ciphertext, err := a.Encrypt(plaintext, associatedData) if err != nil { t.Fatalf("a.Encrypt(plaintext, associatedData) err = %v, want nil", err) } gotPlaintext, err := a.Decrypt(ciphertext, associatedData) if err != nil { t.Fatalf("a.Decrypt(ciphertext, associatedData) err = %v, want nil", err) } if !bytes.Equal(gotPlaintext, plaintext) { t.Errorf("a.Decrypt() = %q, want %q", gotPlaintext, plaintext) } invalidAssociatedData := []byte("invalidAssociatedData") _, err = a.Decrypt(ciphertext, invalidAssociatedData) if err == nil { t.Error("a.Decrypt(ciphertext, invalidAssociatedData) err = nil, want error") } } func TestEmptyAssociatedDataEncryptDecrypt(t *testing.T) { credFilePath, err := getTestFilePath(credCSVFile) if err != nil { t.Skip(err) } client, err := awskms.NewClientWithOptions(keyURI, awskms.WithCredentialPath(credFilePath)) if err != nil { t.Fatalf("error setting up AWS client: %v", err) } a, err := client.GetAEAD(keyURI) if err != nil { t.Fatalf("client.GetAEAD(keyURI) err = %v, want nil", err) } plaintext := []byte("plaintext") emptyAssociatedData := []byte{} ciphertext, err := a.Encrypt(plaintext, emptyAssociatedData) if err != nil { t.Fatalf("a.Encrypt(plaintext, emptyAssociatedData) err = %v, want nil", err) } gotPlaintext, err := a.Decrypt(ciphertext, emptyAssociatedData) if err != nil { t.Fatalf("a.Decrypt(ciphertext, associatedData) err = %v, want nil", err) } if !bytes.Equal(gotPlaintext, plaintext) { t.Errorf("a.Decrypt() = %q, want %q", gotPlaintext, plaintext) } gotPlaintext2, err := a.Decrypt(ciphertext, nil) if err != nil { t.Fatalf("a.Decrypt(ciphertext, nil) err = %v, want nil", err) } if !bytes.Equal(gotPlaintext2, plaintext) { t.Errorf("a.Decrypt() = %q, want %q", gotPlaintext, plaintext) } } func TestKeyCommitment(t *testing.T) { credFilePath, err := getTestFilePath(credCSVFile) if err != nil { t.Skip(err) } client, err := awskms.NewClientWithOptions(keyPrefix, awskms.WithCredentialPath(credFilePath)) if err != nil { t.Fatalf("error setting up AWS client: %v", err) } // Create AEAD primitives for two keys. keys := []string{keyURI, keyURI2} aeads := make([]tink.AEAD, 0, len(keys)) for _, k := range keys { a, err := client.GetAEAD(k) if err != nil { t.Fatalf("client.GetAEAD(keyURI) err = %v, want nil", err) } aeads = append(aeads, a) } // Create a ciphertext using the first primitive. plaintext := []byte("plaintext") associatedData := []byte("associated data") ciphertext, err := aeads[0].Encrypt(plaintext, associatedData) if err != nil { t.Fatalf("aeads[0].Encrypt(plaintext, associatedData) err = %v, want nil", err) } gotPlaintext, err := aeads[0].Decrypt(ciphertext, associatedData) if err != nil { t.Fatalf("aeads[0].Decrypt(ciphertext, associatedData) err = %v, want nil", err) } if !bytes.Equal(gotPlaintext, plaintext) { t.Errorf("aeads[0].Decrypt() = %q, want %q", gotPlaintext, plaintext) } // Attempt to decrypt using the other primitive. _, err = aeads[1].Decrypt(ciphertext, associatedData) if err == nil { t.Fatalf("aeads[1].Decrypt(ciphertext, associatedData) err = nil, want non-nil") } } func TestKMSEnvelopeAEADEncryptAndDecrypt(t *testing.T) { for _, credFile := range []string{credCSVFile, credINIFile} { credFilePath, err := getTestFilePath(credFile) if err != nil { t.Skip(err) } client, err := awskms.NewClientWithOptions(keyURI, awskms.WithCredentialPath(credFilePath)) if err != nil { t.Fatalf("awskms.NewClientWithOptions() err = %q, want nil", err) } kekAEAD, err := client.GetAEAD(keyURI) if err != nil { t.Fatalf("client.GetAEAD(keyURI) err = %q, want nil", err) } dekTemplate := aead.AES128CTRHMACSHA256KeyTemplate() a := aead.NewKMSEnvelopeAEAD2(dekTemplate, kekAEAD) if err != nil { t.Fatalf("aead.NewKMSEnvelopeAEAD2(dekTemplate, kekAEAD) err = %q, want nil", err) } plaintext := []byte("plaintext") for _, associatedData := range [][]byte{nil, []byte("associated data")} { ciphertext, err := a.Encrypt(plaintext, associatedData) if err != nil { t.Fatalf("a.Encrypt(plaintext, associatedData) err = %q, want nil", err) } gotPlaintext, err := a.Decrypt(ciphertext, associatedData) if err != nil { t.Fatalf("a.Decrypt(ciphertext, associatedData) err = %q, want nil", err) } if !bytes.Equal(gotPlaintext, plaintext) { t.Errorf("a.Decrypt() = %q, want %q", gotPlaintext, plaintext) } } } } tink-go-awskms-2.1.0/integration/awskms/internal/000077500000000000000000000000001461624660000220365ustar00rootroot00000000000000tink-go-awskms-2.1.0/integration/awskms/internal/fakeawskms/000077500000000000000000000000001461624660000241725ustar00rootroot00000000000000tink-go-awskms-2.1.0/integration/awskms/internal/fakeawskms/BUILD.bazel000066400000000000000000000016751461624660000260610ustar00rootroot00000000000000load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") package(default_visibility = ["//:__subpackages__"]) licenses(["notice"]) # keep go_library( name = "fakeawskms", srcs = ["fakeawskms.go"], importpath = "github.com/tink-crypto/tink-go-awskms/v2/integration/awskms/internal/fakeawskms", deps = [ "@com_github_aws_aws_sdk_go//service/kms", "@com_github_aws_aws_sdk_go//service/kms/kmsiface", "@com_github_tink_crypto_tink_go_v2//aead", "@com_github_tink_crypto_tink_go_v2//keyset", "@com_github_tink_crypto_tink_go_v2//tink", ], ) go_test( name = "fakeawskms_test", srcs = ["fakeawskms_test.go"], embed = [":fakeawskms"], deps = [ "@com_github_aws_aws_sdk_go//aws", "@com_github_aws_aws_sdk_go//service/kms", ], ) alias( name = "go_default_library", actual = ":fakeawskms", visibility = ["//integration/awskms:__subpackages__"], ) tink-go-awskms-2.1.0/integration/awskms/internal/fakeawskms/fakeawskms.go000066400000000000000000000064251461624660000266640ustar00rootroot00000000000000// Copyright 2022 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // Package fakeawskms provides a partial fake implementation of kmsiface.KMSAPI. package fakeawskms import ( "bytes" "errors" "fmt" "sort" "github.com/aws/aws-sdk-go/service/kms" "github.com/aws/aws-sdk-go/service/kms/kmsiface" "github.com/tink-crypto/tink-go/v2/aead" "github.com/tink-crypto/tink-go/v2/keyset" "github.com/tink-crypto/tink-go/v2/tink" ) type fakeAWSKMS struct { kmsiface.KMSAPI aeads map[string]tink.AEAD keyIDs []string } // serializeContext serializes the context map in a canonical way into a byte array. func serializeContext(context map[string]*string) []byte { names := make([]string, 0, len(context)) for name := range context { names = append(names, name) } sort.Strings(names) b := new(bytes.Buffer) b.WriteString("{") for i, name := range names { if i > 0 { b.WriteString(",") } fmt.Fprintf(b, "%q:%q", name, *context[name]) } b.WriteString("}") return b.Bytes() } // New returns a new fake AWS KMS API. func New(validKeyIDs []string) (kmsiface.KMSAPI, error) { aeads := make(map[string]tink.AEAD) for _, keyID := range validKeyIDs { handle, err := keyset.NewHandle(aead.AES256GCMKeyTemplate()) if err != nil { return nil, err } a, err := aead.New(handle) if err != nil { return nil, err } aeads[keyID] = a } return &fakeAWSKMS{ aeads: aeads, keyIDs: validKeyIDs, }, nil } func (f *fakeAWSKMS) Encrypt(request *kms.EncryptInput) (*kms.EncryptOutput, error) { a, ok := f.aeads[*request.KeyId] if !ok { return nil, fmt.Errorf("Unknown keyID: %q not in %q", *request.KeyId, f.keyIDs) } serializedContext := serializeContext(request.EncryptionContext) ciphertext, err := a.Encrypt(request.Plaintext, serializedContext) if err != nil { return nil, err } return &kms.EncryptOutput{ CiphertextBlob: ciphertext, KeyId: request.KeyId, }, nil } func (f *fakeAWSKMS) Decrypt(request *kms.DecryptInput) (*kms.DecryptOutput, error) { serializedContext := serializeContext(request.EncryptionContext) if request.KeyId != nil { a, ok := f.aeads[*request.KeyId] if !ok { return nil, fmt.Errorf("Unknown keyID: %q not in %q", *request.KeyId, f.keyIDs) } plaintext, err := a.Decrypt(request.CiphertextBlob, serializedContext) if err != nil { return nil, fmt.Errorf("Decryption with keyID %q failed", *request.KeyId) } return &kms.DecryptOutput{ Plaintext: plaintext, KeyId: request.KeyId, }, nil } // When KeyId is not set, try out all AEADs. for keyID, a := range f.aeads { plaintext, err := a.Decrypt(request.CiphertextBlob, serializedContext) if err == nil { return &kms.DecryptOutput{ Plaintext: plaintext, KeyId: &keyID, }, nil } } return nil, errors.New("unable to decrypt message") } tink-go-awskms-2.1.0/integration/awskms/internal/fakeawskms/fakeawskms_test.go000066400000000000000000000201551461624660000277170ustar00rootroot00000000000000// Copyright 2022 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package fakeawskms import ( "bytes" "strings" "testing" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/kms" ) const validKeyID = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" const validKeyID2 = "arn:aws:kms:us-west-2:123:key/different" func TestEncyptDecryptWithValidKeyId(t *testing.T) { fakeKMS, err := New([]string{validKeyID}) if err != nil { t.Fatalf("New() err = %s, want nil", err) } plaintext := []byte("plaintext") contextValue := "contextValue" context := map[string]*string{"contextName": &contextValue} encRequest := &kms.EncryptInput{ KeyId: aws.String(validKeyID), Plaintext: plaintext, EncryptionContext: context, } encResponse, err := fakeKMS.Encrypt(encRequest) if err != nil { t.Fatalf("fakeKMS.Encrypt(encRequest) err = %s, want nil", err) } ciphertext := encResponse.CiphertextBlob decRequest := &kms.DecryptInput{ KeyId: aws.String(validKeyID), CiphertextBlob: ciphertext, EncryptionContext: context, } decResponse, err := fakeKMS.Decrypt(decRequest) if err != nil { t.Fatalf("fakeKMS.Decrypt(decRequest) err = %s, want nil", err) } if !bytes.Equal(decResponse.Plaintext, plaintext) { t.Fatalf("decResponse.Plaintext = %q, want %q", decResponse.Plaintext, plaintext) } if strings.Compare(*decResponse.KeyId, validKeyID) != 0 { t.Fatalf("decResponse.KeyId = %q, want %q", *decResponse.KeyId, validKeyID) } // decrypt with a different context should fail otherContextValue := "otherContextValue" otherContext := map[string]*string{"contextName": &otherContextValue} otherDecRequest := &kms.DecryptInput{ KeyId: aws.String(validKeyID), CiphertextBlob: ciphertext, EncryptionContext: otherContext, } if _, err := fakeKMS.Decrypt(otherDecRequest); err == nil { t.Fatal("fakeKMS.Decrypt(otherDecRequest) err = nil, want not nil") } } func TestEncyptWithUnknownKeyID(t *testing.T) { fakeKMS, err := New([]string{validKeyID}) if err != nil { t.Fatalf("New() err = %s, want nil", err) } plaintext := []byte("plaintext") contextValue := "contextValue" context := map[string]*string{"contextName": &contextValue} encRequestWithUnknownKeyID := &kms.EncryptInput{ KeyId: aws.String(validKeyID2), Plaintext: plaintext, EncryptionContext: context, } if _, err := fakeKMS.Encrypt(encRequestWithUnknownKeyID); err == nil { t.Fatal("fakeKMS.Encrypt(encRequestWithvalidKeyID2) err = nil, want not nil") } } func TestDecryptWithInvalidCiphertext(t *testing.T) { fakeKMS, err := New([]string{validKeyID}) if err != nil { t.Fatalf("New() err = %s, want nil", err) } invalidCiphertext := []byte("plaintext") contextValue := "contextValue" context := map[string]*string{"contextName": &contextValue} decRequest := &kms.DecryptInput{ CiphertextBlob: invalidCiphertext, EncryptionContext: context, } if _, err := fakeKMS.Decrypt(decRequest); err == nil { t.Fatal("fakeKMS.Decrypt(decRequest) err = nil, want not nil") } } func TestDecryptWithUnknownKeyId(t *testing.T) { fakeKMS, err := New([]string{validKeyID}) if err != nil { t.Fatalf("New() err = %s, want nil", err) } ciphertext := []byte("invalidCiphertext") contextValue := "contextValue" context := map[string]*string{"contextName": &contextValue} decRequest := &kms.DecryptInput{ KeyId: aws.String(validKeyID2), CiphertextBlob: ciphertext, EncryptionContext: context, } if _, err := fakeKMS.Decrypt(decRequest); err == nil { t.Fatal("fakeKMS.Decrypt(decRequest) err = nil, want not nil") } } func TestDecryptWithWrongKeyId(t *testing.T) { fakeKMS, err := New([]string{validKeyID, validKeyID2}) if err != nil { t.Fatalf("New() err = %s, want nil", err) } plaintext := []byte("plaintext") contextValue := "contextValue" context := map[string]*string{"contextName": &contextValue} encRequest := &kms.EncryptInput{ KeyId: aws.String(validKeyID), Plaintext: plaintext, EncryptionContext: context, } encResponse, err := fakeKMS.Encrypt(encRequest) if err != nil { t.Fatalf("fakeKMS.Encrypt(encRequest) err = %s, want nil", err) } ciphertext := encResponse.CiphertextBlob decRequest := &kms.DecryptInput{ KeyId: aws.String(validKeyID2), // wrong key id CiphertextBlob: ciphertext, EncryptionContext: context, } if _, err := fakeKMS.Decrypt(decRequest); err == nil { t.Fatal("fakeKMS.Decrypt(decRequest) err = nil, want not nil") } } func TestDecryptWithoutKeyId(t *testing.T) { // setting the keyId in DecryptInput is not required, see // https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/kms#DecryptInput fakeKMS, err := New([]string{validKeyID, validKeyID2}) if err != nil { t.Fatalf("New() err = %s, want nil", err) } plaintext := []byte("plaintext") plaintext2 := []byte("plaintext2") contextValue := "contextValue" context := map[string]*string{"contextName": &contextValue} encRequest := &kms.EncryptInput{ KeyId: aws.String(validKeyID), Plaintext: plaintext, EncryptionContext: context, } encResponse, err := fakeKMS.Encrypt(encRequest) if err != nil { t.Fatalf("fakeKMS.Encrypt(encRequest) err = %s, want nil", err) } if strings.Compare(*encResponse.KeyId, validKeyID) != 0 { t.Fatalf("encResponse.KeyId = %q, want %q", *encResponse.KeyId, validKeyID) } encRequest2 := &kms.EncryptInput{ KeyId: aws.String(validKeyID2), Plaintext: plaintext2, EncryptionContext: context, } encResponse2, err := fakeKMS.Encrypt(encRequest2) if err != nil { t.Fatalf("fakeKMS.Encrypt(encRequest2) err = %s, want nil", err) } if strings.Compare(*encResponse2.KeyId, validKeyID2) != 0 { t.Fatalf("encResponse2.KeyId = %q, want %q", *encResponse2.KeyId, validKeyID2) } decRequest := &kms.DecryptInput{ // KeyId is not set CiphertextBlob: encResponse.CiphertextBlob, EncryptionContext: context, } decResponse, err := fakeKMS.Decrypt(decRequest) if err != nil { t.Fatalf("fakeKMS.Decrypt(decRequest) err = %s, want nil", err) } if !bytes.Equal(decResponse.Plaintext, plaintext) { t.Fatalf("decResponse.Plaintext = %q, want %q", decResponse.Plaintext, plaintext) } if strings.Compare(*decResponse.KeyId, validKeyID) != 0 { t.Fatalf("decResponse.KeyId = %q, want %q", *decResponse.KeyId, validKeyID) } decRequest2 := &kms.DecryptInput{ // KeyId is not set CiphertextBlob: encResponse2.CiphertextBlob, EncryptionContext: context, } decResponse2, err := fakeKMS.Decrypt(decRequest2) if err != nil { t.Fatalf("fakeKMS.Decrypt(decRequest2) err = %s, want nil", err) } if !bytes.Equal(decResponse2.Plaintext, plaintext2) { t.Fatalf("decResponse.Plaintext = %q, want %q", decResponse.Plaintext, plaintext2) } if strings.Compare(*decResponse2.KeyId, validKeyID2) != 0 { t.Fatalf("decResponse2.KeyId = %q, want %q", *decResponse2.KeyId, validKeyID2) } } func TestSerializeContext(t *testing.T) { uvw := "uvw" xyz := "xyz" rst := "rst" context := map[string]*string{"def": &uvw, "abc": &xyz, "ghi": &rst} got := string(serializeContext(context)) want := "{\"abc\":\"xyz\",\"def\":\"uvw\",\"ghi\":\"rst\"}" if got != want { t.Fatalf("SerializeContext(context) = %s, want %s", got, want) } gotEscaped := string(serializeContext(map[string]*string{"a\"b": &xyz})) wantEscaped := "{\"a\\\"b\":\"xyz\"}" if gotEscaped != wantEscaped { t.Fatalf("SerializeContext(context) = %s, want %s", gotEscaped, wantEscaped) } gotEmpty := string(serializeContext(map[string]*string{})) if gotEmpty != "{}" { t.Fatalf("SerializeContext(context) = %s, want %s", gotEmpty, "{}") } } tink-go-awskms-2.1.0/kokoro/000077500000000000000000000000001461624660000156765ustar00rootroot00000000000000tink-go-awskms-2.1.0/kokoro/create_github_release_branch.sh000066400000000000000000000043701461624660000240600ustar00rootroot00000000000000#!/bin/bash # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ set -euo pipefail # Fail if RELEASE_VERSION is not set. if [[ -z "${RELEASE_VERSION:-}" ]]; then echo "RELEASE_VERSION must be set" >&2 exit 1 fi IS_KOKORO="false" if [[ -n "${KOKORO_ARTIFACTS_DIR:-}" ]]; then IS_KOKORO="true" fi readonly IS_KOKORO # If not defined, default to /tmp. : "${TMPDIR:="/tmp"}" # WARNING: Setting this environment varialble to "true" will cause this script # to actually perform a release. : "${DO_MAKE_RELEASE:="false"}" if [[ ! "${DO_MAKE_RELEASE}" =~ ^(false|true)$ ]]; then echo "DO_MAKE_RELEASE must be either \"true\" or \"false\"" >&2 exit 1 fi if [[ "${IS_KOKORO}" == "true" ]] ; then readonly TINK_BASE_DIR="$(echo "${KOKORO_ARTIFACTS_DIR}"/git*)" cd "${TINK_BASE_DIR}/tink_go_awskms" fi GITHUB_RELEASE_UTIL_OPTS=() if [[ "${IS_KOKORO}" == "true" ]] ; then # Note: KOKORO_GIT_COMMIT is populated by Kokoro. GITHUB_RELEASE_UTIL_OPTS+=( -c "${KOKORO_GIT_COMMIT}" -t "${GITHUB_ACCESS_TOKEN}" ) fi if [[ "${DO_MAKE_RELEASE}" == "true" ]]; then GITHUB_RELEASE_UTIL_OPTS+=( -r ) fi readonly GITHUB_RELEASE_UTIL_OPTS # If running on Kokoro, TMPDIR is populated with the tmp folder. readonly TMP_DIR="$(mktemp -d "${TMPDIR}/release_XXXXXX")" readonly RELEASE_UTIL_SCRIPT="$(pwd)/kokoro/testutils/github_release_util.sh" if [[ ! -f "${RELEASE_UTIL_SCRIPT}" ]]; then echo "${RELEASE_UTIL_SCRIPT} not found." echo "Make sure you run this script from the root of tink-go-awskms." return 1 fi pushd "${TMP_DIR}" # Create a release branch. "${RELEASE_UTIL_SCRIPT}" "${GITHUB_RELEASE_UTIL_OPTS[@]}" create_branch \ "${RELEASE_VERSION}" tink-go-awskms popd tink-go-awskms-2.1.0/kokoro/create_github_release_tag.sh000066400000000000000000000043651461624660000234020ustar00rootroot00000000000000#!/bin/bash # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ set -euo pipefail # Fail if RELEASE_VERSION is not set. if [[ -z "${RELEASE_VERSION:-}" ]]; then echo "RELEASE_VERSION must be set" >&2 exit 1 fi IS_KOKORO="false" if [[ -n "${KOKORO_ARTIFACTS_DIR:-}" ]]; then IS_KOKORO="true" fi readonly IS_KOKORO # If not defined, default to /tmp. : "${TMPDIR:="/tmp"}" # WARNING: Setting this environment varialble to "true" will cause this script # to actually perform a release. : "${DO_MAKE_RELEASE:="false"}" if [[ ! "${DO_MAKE_RELEASE}" =~ ^(false|true)$ ]]; then echo "DO_MAKE_RELEASE must be either \"true\" or \"false\"" >&2 exit 1 fi if [[ "${IS_KOKORO}" == "true" ]] ; then readonly TINK_BASE_DIR="$(echo "${KOKORO_ARTIFACTS_DIR}"/git*)" cd "${TINK_BASE_DIR}/tink_go_awskms" fi GITHUB_RELEASE_UTIL_OPTS=() if [[ "${IS_KOKORO}" == "true" ]] ; then # Note: KOKORO_GIT_COMMIT is populated by Kokoro. GITHUB_RELEASE_UTIL_OPTS+=( -c "${KOKORO_GIT_COMMIT}" -t "${GITHUB_ACCESS_TOKEN}" ) fi if [[ "${DO_MAKE_RELEASE}" == "true" ]]; then GITHUB_RELEASE_UTIL_OPTS+=( -r ) fi readonly GITHUB_RELEASE_UTIL_OPTS # If running on Kokoro, TMPDIR is populated with the tmp folder. readonly TMP_DIR="$(mktemp -d "${TMPDIR}/release_XXXXXX")" readonly RELEASE_UTIL_SCRIPT="$(pwd)/kokoro/testutils/github_release_util.sh" if [[ ! -f "${RELEASE_UTIL_SCRIPT}" ]]; then echo "${RELEASE_UTIL_SCRIPT} not found." echo "Make sure you run this script from the root of tink-go-awskms." return 1 fi pushd "${TMP_DIR}" # Create a release branch. "${RELEASE_UTIL_SCRIPT}" "${GITHUB_RELEASE_UTIL_OPTS[@]}" create_tag \ "${RELEASE_VERSION}" tink-go-awskms popd tink-go-awskms-2.1.0/kokoro/gcp_ubuntu/000077500000000000000000000000001461624660000200515ustar00rootroot00000000000000tink-go-awskms-2.1.0/kokoro/gcp_ubuntu/bazel/000077500000000000000000000000001461624660000211465ustar00rootroot00000000000000tink-go-awskms-2.1.0/kokoro/gcp_ubuntu/bazel/run_tests.sh000066400000000000000000000050351461624660000235330ustar00rootroot00000000000000#!/bin/bash # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ # Builds and tests tink-go-awskms using Bazel. # # The behavior of this script can be modified using the following optional env # variables: # # - CONTAINER_IMAGE (unset by default): By default when run locally this script # executes tests directly on the host. The CONTAINER_IMAGE variable can be set # to execute tests in a custom container image for local testing. E.g.: # # CONTAINER_IMAGE="us-docker.pkg.dev/tink-test-infrastructure/tink-ci-images/linux-tink-go-base:latest" \ # sh ./kokoro/gcp_ubuntu/bazel/run_tests.sh set -euo pipefail RUN_COMMAND_ARGS=() if [[ -n "${KOKORO_ARTIFACTS_DIR:-}" ]]; then readonly TINK_BASE_DIR="$(echo "${KOKORO_ARTIFACTS_DIR}"/git*)" cd "${TINK_BASE_DIR}/tink_go_awskms" source "./kokoro/testutils/go_test_container_images.sh" CONTAINER_IMAGE="${TINK_GO_BASE_IMAGE}" RUN_COMMAND_ARGS+=( -k "${TINK_GCR_SERVICE_KEY}" ) fi readonly CONTAINER_IMAGE if [[ -n "${CONTAINER_IMAGE:-}" ]]; then RUN_COMMAND_ARGS+=( -c "${CONTAINER_IMAGE}" ) fi ./kokoro/testutils/copy_credentials.sh "testdata" "aws" cat <<'EOF' > _do_run_test.sh #!/bin/bash set -euo pipefail ./kokoro/testutils/check_go_generated_files_up_to_date.sh "$(pwd)" MANUAL_TARGETS=() # Run manual tests that rely on test data only available via Bazel. if [[ -n "${KOKORO_ROOT:-}" ]]; then MANUAL_TARGETS+=( "//integration/awskms:awskms_test" ) fi readonly MANUAL_TARGETS ./kokoro/testutils/run_bazel_tests.sh -t --test_arg=--test.v . \ "${MANUAL_TARGETS[@]}" ./kokoro/testutils/run_bazel_tests.sh -b --enable_bzlmod \ -t --enable_bzlmod,--test_arg=--test.v . "${MANUAL_TARGETS[@]}" EOF chmod +x _do_run_test.sh cat < _env_variables.txt KOKORO_ROOT EOF RUN_COMMAND_ARGS+=( -e _env_variables.txt ) # Run cleanup on EXIT. trap cleanup EXIT cleanup() { rm -rf _do_run_test.sh rm -rf _env_variables.txt } ./kokoro/testutils/run_command.sh "${RUN_COMMAND_ARGS[@]}" ./_do_run_test.sh tink-go-awskms-2.1.0/kokoro/gcp_ubuntu/gomod/000077500000000000000000000000001461624660000211565ustar00rootroot00000000000000tink-go-awskms-2.1.0/kokoro/gcp_ubuntu/gomod/run_tests.sh000066400000000000000000000036551461624660000235510ustar00rootroot00000000000000#!/bin/bash # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ # Builds and tests tink-go-awskms using Go tooling. # # The behavior of this script can be modified using the following optional env # variables: # # - CONTAINER_IMAGE (unset by default): By default when run locally this script # executes tests directly on the host. The CONTAINER_IMAGE variable can be set # to execute tests in a custom container image for local testing. E.g.: # # CONTAINER_IMAGE="us-docker.pkg.dev/tink-test-infrastructure/tink-ci-images/linux-tink-go-base:latest" \ # sh ./kokoro/gcp_ubuntu/gomod/run_tests.sh set -eEuo pipefail RUN_COMMAND_ARGS=() if [[ -n "${KOKORO_ARTIFACTS_DIR:-}" ]]; then readonly TINK_BASE_DIR="$(echo "${KOKORO_ARTIFACTS_DIR}"/git*)" cd "${TINK_BASE_DIR}/tink_go_awskms" source "./kokoro/testutils/go_test_container_images.sh" CONTAINER_IMAGE="${TINK_GO_BASE_IMAGE}" RUN_COMMAND_ARGS+=( -k "${TINK_GCR_SERVICE_KEY}" ) fi readonly CONTAINER_IMAGE if [[ -n "${CONTAINER_IMAGE:-}" ]]; then RUN_COMMAND_ARGS+=( -c "${CONTAINER_IMAGE}" ) fi readonly MODULE_URL="github.com/tink-crypto/tink-go-awskms" readonly MODULE_VERSION="$(cat version.bzl | grep ^TINK | cut -f 2 -d \")" ./kokoro/testutils/run_command.sh "${RUN_COMMAND_ARGS[@]}" \ ./kokoro/testutils/run_go_mod_tests.sh "${MODULE_URL}" . \ "${MODULE_VERSION}" "main" tink-go-awskms-2.1.0/kokoro/macos_external/000077500000000000000000000000001461624660000207025ustar00rootroot00000000000000tink-go-awskms-2.1.0/kokoro/macos_external/bazel/000077500000000000000000000000001461624660000217775ustar00rootroot00000000000000tink-go-awskms-2.1.0/kokoro/macos_external/bazel/run_tests.sh000066400000000000000000000026751461624660000243730ustar00rootroot00000000000000#!/bin/bash # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ set -euo pipefail if [[ -n "${KOKORO_ROOT:-}" ]]; then readonly TINK_BASE_DIR="$(echo "${KOKORO_ARTIFACTS_DIR}"/git*)" cd "${TINK_BASE_DIR}/tink_go_awskms" fi # Sourcing required to update callers environment. source ./kokoro/testutils/install_go.sh echo "Using go binary from $(which go): $(go version)" # TODO(b/238389921): Run check_go_generated_files_up_to_date.sh after a # refactoring that takes into account extensions to tink-go. ./kokoro/testutils/copy_credentials.sh "testdata" "aws" MANUAL_TARGETS=() # Run manual tests that rely on test data only available via Bazel. if [[ -n "${KOKORO_ROOT:-}" ]]; then MANUAL_TARGETS+=( "//integration/awskms:awskms_test" ) fi readonly MANUAL_TARGETS ./kokoro/testutils/run_bazel_tests.sh -t --test_arg=--test.v . \ "${MANUAL_TARGETS[@]}" tink-go-awskms-2.1.0/kokoro/macos_external/gomod/000077500000000000000000000000001461624660000220075ustar00rootroot00000000000000tink-go-awskms-2.1.0/kokoro/macos_external/gomod/run_tests.sh000066400000000000000000000022741461624660000243760ustar00rootroot00000000000000#!/bin/bash # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ set -euo pipefail if [[ -n "${KOKORO_ROOT:-}" ]]; then readonly TINK_BASE_DIR="$(echo "${KOKORO_ARTIFACTS_DIR}"/git*)" cd "${TINK_BASE_DIR}/tink_go_awskms" fi # Sourcing required to update callers environment. source ./kokoro/testutils/install_go.sh echo "Using go binary from $(which go): $(go version)" readonly MODULE_URL="github.com/tink-crypto/tink-go-awskms" readonly MODULE_VERSION="$(cat version.bzl | grep ^TINK | cut -f 2 -d \")" ./kokoro/testutils/run_go_mod_tests.sh "${MODULE_URL}" "$(pwd)" \ "${MODULE_VERSION}" "main" tink-go-awskms-2.1.0/kokoro/testutils/000077500000000000000000000000001461624660000177365ustar00rootroot00000000000000tink-go-awskms-2.1.0/kokoro/testutils/BUILD.bazel000066400000000000000000000012531461624660000216150ustar00rootroot00000000000000package(default_visibility = ["//:__subpackages__"]) licenses(["notice"]) sh_binary( name = "test_utils", srcs = ["test_utils.sh"], ) sh_binary( name = "github_release_util", srcs = ["github_release_util.sh"], ) sh_test( name = "github_release_util_test", size = "small", srcs = ["github_release_util_test.sh"], args = [ "$(rlocationpath :github_release_util.sh)", "$(rlocationpath :test_utils)", ], data = [ ":github_release_util.sh", ":test_utils", ], target_compatible_with = select({ "@platforms//os:windows": ["@platforms//:incompatible"], "//conditions:default": [], }), ) tink-go-awskms-2.1.0/kokoro/testutils/check_go_generated_files_up_to_date.sh000077500000000000000000000062111461624660000274420ustar00rootroot00000000000000#!/bin/bash # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ # This scripts checks that a given Go workspace has its generated Bazel files up # to date. BAZEL_CMD="bazel" # Use Bazelisk (https://github.com/bazelbuild/bazelisk) if available. if command -v "bazelisk" &> /dev/null; then BAZEL_CMD="bazelisk" "${BAZEL_CMD}" version fi usage() { echo "Usage: $0 [-h] [-c ] " echo " -c: Value to pass to `-compat`. Default to 1.19." echo " -h: Help. Print this usage information." exit 1 } COMPAT="1.19" GO_PROJECT_DIR= process_args() { # Parse options. while getopts "hc:" opt; do case "${opt}" in c) COMPAT="${OPTARG}" ;; *) usage ;; esac done shift $((OPTIND - 1)) readonly GO_PROJECT_DIR="$1" if [[ -z "${GO_PROJECT_DIR}" ]]; then usage fi } main() { process_args "$@" ( cd "${GO_PROJECT_DIR}" local -r temp_dir_current_generated_files="$(mktemp -dt \ current_tink_go_build_files.XXXXXX)" local -r go_generated_files=( ./go.mod ./go.sum ./deps.bzl ) # Copy all current generated files into temp_dir_current_generated_files. local current_go_generated_files=( "${go_generated_files[@]}" ) while read -r -d $'\0' generated_file; do current_go_generated_files+=("${generated_file}") done < <(find . -name BUILD.bazel -print0) readonly current_go_generated_files for generated_file_path in "${current_go_generated_files[@]}"; do mkdir -p \ "$(dirname \ "${temp_dir_current_generated_files}/${generated_file_path}")" cp "${generated_file_path}" \ "${temp_dir_current_generated_files}/${generated_file_path}" done # Update build files. go mod tidy -compat="${COMPAT}" # Update deps.bzl. "${BAZEL_CMD}" run //:gazelle-update-repos # Update all BUILD.bazel files. "${BAZEL_CMD}" run //:gazelle # Compare current with new build files. local new_go_generated_files=( "${go_generated_files[@]}" ) while read -r -d $'\0' generated_file; do new_go_generated_files+=("${generated_file}") done < <(find . -name BUILD.bazel -print0) readonly new_go_generated_files for generated_file_path in "${new_go_generated_files[@]}"; do if ! cmp -s "${generated_file_path}" \ "${temp_dir_current_generated_files}/${generated_file_path}"; then echo "ERROR: ${generated_file_path} needs to be updated. Please follow \ the instructions on go/tink-workflows#update-go-build." >&2 exit 1 fi done ) } main "$@" tink-go-awskms-2.1.0/kokoro/testutils/copy_credentials.sh000077500000000000000000000066461461624660000236400ustar00rootroot00000000000000#!/bin/bash # Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. #################################################################################### # This script takes credentials injected into the environment via the Kokoro job # configuration and copies them to the expected locations. # # The second argument indicates whether all KMS service credentials should be # copied (all) or only credentials for a specific KMS service (gcp|aws). # # Usage insructions: # # ./kokoro/testutils/copy_credentials.sh # TESTDATA_DIR= KMS_SERVICE= ####################################### # Process command line arguments. # # Globals: # TESTDATA_DIR # KMS_SERVICE ####################################### process_args() { TESTDATA_DIR="$1" readonly TESTDATA_DIR KMS_SERVICE="$2" readonly KMS_SERVICE if [[ -z "${TESTDATA_DIR}" ]]; then echo "Testdata directory must be set" >&2 exit 1 fi if [[ ! -d "${TESTDATA_DIR}" ]]; then echo "Testdata directory \"${TESTDATA_DIR}\" doesn't exist" >&2 exit 1 fi if [[ -z "${KMS_SERVICE}" ]]; then echo "KMS service must be specified" >&2 exit 1 fi } ####################################### # Copy GCP credentials. # # Globals: # TESTDATA_DIR # TINK_TEST_SERVICE_ACCOUNT ####################################### copy_gcp_credentials() { if [[ -z "${TINK_TEST_SERVICE_ACCOUNT}" ]]; then echo "ERROR: TINK_TEST_SERVICE_ACCOUNT is expected to be set" >&2 exit 1 fi cp "${TINK_TEST_SERVICE_ACCOUNT}" "${TESTDATA_DIR}/gcp/credential.json" } ####################################### # Copy AWS credentials. # # Globals: # TESTDATA_DIR # AWS_TINK_TEST_SERVICE_ACCOUNT ####################################### copy_aws_credentials() { if [[ -z "${AWS_TINK_TEST_SERVICE_ACCOUNT}" ]]; then echo "ERROR: AWS_TINK_TEST_SERVICE_ACCOUNT is expected to be set" >&2 exit 1 fi # Create the different format for the AWS credentials local -r aws_key_id="AKIATNYZMJOHVMN7MSYH" local -r aws_key="$(cat ${AWS_TINK_TEST_SERVICE_ACCOUNT})" cat < "${TESTDATA_DIR}/aws/credentials.ini" [default] aws_access_key_id = ${aws_key_id} aws_secret_access_key = ${aws_key} END cat < "${TESTDATA_DIR}/aws/credentials.cred" [default] accessKey = ${aws_key_id} secretKey = ${aws_key} END cat < "${TESTDATA_DIR}/aws/credentials.csv" User name,Password,Access key ID,Secret access key,Console login link tink-user1,,${aws_key_id},${aws_key},https://235739564943.signin.aws.amazon.com/console END } main() { if [[ -z "${KOKORO_ROOT}" ]]; then echo "Not running on Kokoro, skipping copying credentials." exit 0 fi process_args "$@" case "${KMS_SERVICE}" in aws) copy_aws_credentials ;; gcp) copy_gcp_credentials ;; all) copy_aws_credentials copy_gcp_credentials ;; *) echo "Invalid KMS service \"${KMS_SERVICE}\"" >&2 exit 1 esac } main "$@" tink-go-awskms-2.1.0/kokoro/testutils/github_release_util.sh000077500000000000000000000162231461624660000243200ustar00rootroot00000000000000#!/bin/bash # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ # This script performs a source release on GitHub for a given repo, that is: # - Creates a release branch (if it does not yet exist), # - Creates a release tag. set -eo pipefail # Parameters and arguments. These will be populated/modified by args parsing. # Options. # Whether to actually create a release. This is false by default and meant to # prevent accidental releases. DO_RUN_ACTION="false" # Commit at which to make the release. If unspecified, the release is made from # HEAD. COMMIT_HASH= # Optional personal access token. ACCESS_TOKEN= # Arguments. # Action to be performed. ACTION= # This must be of the form `MAJOR.MINOR.PATCH`. VERSION= # Repo name after github.com/tink-crypto/, e.g., tink-cc. REPO_NAME= # Derived variables. GITHUB_REPO_URL= RELEASE_BRANCH= TAG= GITHUB_REFS= BRANCH_EXISTS="false" # Constants. readonly GITHUB_ORG_URL="github.com/tink-crypto" usage() { echo "Usage: $0 [-rh] [-c ] [-t ] \\" echo " " echo " : The action to be performed (crete_branch|create_tag)." echo " : The version identifier in MAJOR.MINOR.PATCH format." echo " : The name of the repository (e.g. \"tink-cc\")." echo " -c: Commit hash to use as HEAD of the release branch (optional)." echo " -t: Access token. Without this, the default is SSH (optional)." echo " -r: Whether to actually create a release; this is false by default." echo " -h: Show this help message." exit 1 } process_params() { while getopts "rhc:t:" opt; do case "${opt}" in r) DO_RUN_ACTION="true" ;; c) COMMIT_HASH="${OPTARG}" ;; t) ACCESS_TOKEN="${OPTARG}" ;; *) usage ;; esac done shift $((OPTIND - 1)) readonly DO_RUN_ACTION readonly COMMIT_HASH readonly ACCESS_TOKEN ACTION="$1" if [[ ! "${ACTION}" =~ create_branch|create_tag ]]; then echo "ERROR: Expected (create_branch|create_tag) got ${ACTION}" >&2 usage fi readonly ACTION VERSION="$2" if [[ ! "${VERSION}" =~ ^[0-9]+.[0-9]+.[0-9]+$ ]]; then echo "ERROR: Invalid version format: expected MAJOR.MINOR.PATCH, got \ ${VERSION}" >&2 usage fi readonly VERSION REPO_NAME="$3" if [[ -z "${REPO_NAME}" ]]; then echo "ERROR: Repo name must be specified." >&2 usage fi readonly REPO_NAME # Use SSH by default. local protocol_and_credentials="ssh://git" if [[ -n "${ACCESS_TOKEN}" ]]; then protocol_and_credentials="https://ise-crypto:${ACCESS_TOKEN}" fi readonly protocol_and_credentials GITHUB_REPO_URL="${protocol_and_credentials}@${GITHUB_ORG_URL}/${REPO_NAME}" readonly GITHUB_REPO_URL # Release branch is only MAJOR.MINOR. readonly RELEASE_BRANCH="$(echo "${VERSION}" | cut -d'.' -f1,2)" # Splitting declaration and assignment guarantees correct propagation of the # exit code of the subshell. local GITHUB_REFS GITHUB_REFS="$(git ls-remote "${GITHUB_REPO_URL}")" readonly GITHUB_REFS local -r expected_release_branch="refs/heads/${RELEASE_BRANCH}" if echo "${GITHUB_REFS}" | grep "${expected_release_branch}" > /dev/null; then BRANCH_EXISTS="true" fi readonly BRANCH_EXISTS if [[ "${ACTION}" == "create_tag" ]]; then if [[ "${BRANCH_EXISTS}" == "false" ]]; then echo "ERROR: The release branch does not exist in \ ${GITHUB_ORG_URL}/${REPO_NAME}." >&2 return 1 fi local -r release_tag="v${VERSION}" local -r expected_release_tag="refs/tags/${release_tag}" if echo "${GITHUB_REFS}" | grep "${expected_release_tag}" > /dev/null; then echo "ERROR The tag \"${release_tag}\" already exists in \ ${GITHUB_ORG_URL}/${REPO_NAME}." >&2 return 1 fi fi } ####################################### # Prints a command # # Args: # Command to execute. # ####################################### print_command() { printf '%q ' '+' "$@" echo } ####################################### # Runs a command if DO_RUN_ACTION is true. # # Args: # Command to execute. # Globals: # DO_RUN_ACTION # ####################################### run_command() { if [[ "${DO_RUN_ACTION}" == "false" ]]; then echo " *** Dry run, command not executed. ***" return 0 fi # Actually run the command. "$@" return $? } ####################################### # Prints and runs a command. # # Args: # Command to execute. # ####################################### print_and_run_command() { print_command "$@" run_command "$@" } ####################################### # Creates and checks out to the release branch. # # If COMMIT_HASH is specified, use COMMIT_HASH as HEAD for the branch. # # Globals: # RELEASE_BRANCH # COMMIT_HASH # ####################################### git_create_release_branch() { if [[ "${BRANCH_EXISTS}" == "true" ]]; then echo "WARNING: The release branch already exists. Nothing to do." return 0 fi # Target branch does not exist so we create the release branch. if [[ -n "${COMMIT_HASH:-}" ]]; then # Use COMMIT_HASH as HEAD for this branch. print_and_run_command git branch "${RELEASE_BRANCH}" "${COMMIT_HASH}" else print_and_run_command git branch "${RELEASE_BRANCH}" fi print_and_run_command git push origin "${RELEASE_BRANCH}" } ####################################### # Creates a release tag. # # Globals: # RELEASE_BRANCH # REPO_NAME # VERSION # ####################################### git_create_release_tag() { if [[ "${BRANCH_EXISTS}" == "false" ]]; then echo "ERROR: The release branch does not exist in \ ${GITHUB_ORG_URL}/${REPO_NAME}." >&2 return 1 fi local -r release_tag="v${VERSION}" local -r expected_release_tag="refs/tags/${release_tag}" if echo "${GITHUB_REFS}" | grep "${expected_release_tag}" > /dev/null; then echo "ERROR The tag \"${release_tag}\" already exists in \ ${GITHUB_ORG_URL}/${REPO_NAME}." >&2 return 1 fi print_and_run_command git checkout "${RELEASE_BRANCH}" print_and_run_command git tag -a "${release_tag}" \ -m "${REPO_NAME} version ${VERSION}" print_and_run_command git push origin "${release_tag}" } main() { process_params "$@" # Avoid logging the full URL; replace GIT_URL with a version that omits user # and access token. local -r protocol="$(echo "${GITHUB_REPO_URL}" | cut -d':' -f1)" local -r github_repo="$(echo "${GITHUB_REPO_URL}" | cut -d'@' -f2)" print_command git clone "${protocol}://...@${github_repo}" run_command git clone "${GITHUB_REPO_URL}" print_and_run_command cd "${REPO_NAME}" case "${ACTION}" in create_branch) git_create_release_branch ;; create_tag) git_create_release_tag ;; esac } main "$@" tink-go-awskms-2.1.0/kokoro/testutils/github_release_util_test.sh000077500000000000000000000301511461624660000253530ustar00rootroot00000000000000#!/bin/bash # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ DEFAULT_DIR="$(pwd)" if [[ -n "${TEST_SRCDIR}" ]]; then DEFAULT_DIR="${TEST_SRCDIR}" fi readonly DEFAULT_DIR readonly CLI="${DEFAULT_DIR}/${1:-"github_release_util.sh"}" readonly TEST_UTILS="${DEFAULT_DIR}/${2:-test_utils.sh}" # Load the test library. source "${TEST_UTILS}" test_GitHubReleaseUtil_CreateBranchMinorSucceeds() { cd "${TEST_CASE_TMPDIR}" local -r expected_git_cmds_file="${TEST_CASE_TMPDIR}/expected_cmds.txt" cat << EOF > ${expected_git_cmds_file} git ls-remote ssh://git@github.com/tink-crypto/some-repo git clone ssh://git@github.com/tink-crypto/some-repo git branch 1.6 git push origin 1.6 EOF local -r actual_git_cmds_file="${TEST_CASE_TMPDIR}/actual_git_cmds_file.txt" # Mock git command. git() { local -r command="$1" shift 1 cmd_and_args="git ${command} $@" echo "${cmd_and_args}" >> "${actual_git_cmds_file}" case "${command}" in "ls-remote") cat << EOF 6c68b48c884e0aeb983b8864f35187d9584d0d74 HEAD 6c68b48c884e0aeb983b8864f35187d9584d0d74 refs/heads/main EOF ;; "clone") local -r repo_name="${1##*/}" mkdir "${repo_name}" ;; *) ;; # Do nothing esac } # Run this in the caller's environment. ( source "${CLI}" -r create_branch 1.6.0 some-repo &> /dev/null ) ASSERT_CMD_SUCCEEDED ASSERT_FILE_EQUALS "${actual_git_cmds_file}" "${expected_git_cmds_file}" } test_GitHubReleaseUtil_CreateBranchMinorWithCommitSucceeds() { cd "${TEST_CASE_TMPDIR}" local -r expected_git_cmds_file="${TEST_CASE_TMPDIR}/expected_cmds.txt" cat << EOF > ${expected_git_cmds_file} git ls-remote ssh://git@github.com/tink-crypto/some-repo git clone ssh://git@github.com/tink-crypto/some-repo git branch 1.6 6c68b48c884e0aeb983b8864f35187d9584d0d74 git push origin 1.6 EOF local -r actual_git_cmds_file="${TEST_CASE_TMPDIR}/actual_git_cmds_file.txt" # Mock git command. git() { local -r command="$1" shift 1 cmd_and_args="git ${command} $@" echo "${cmd_and_args}" >> "${actual_git_cmds_file}" case "${command}" in "ls-remote") cat << EOF 6c68b48c884e0aeb983b8864f35187d9584d0d74 HEAD 6c68b48c884e0aeb983b8864f35187d9584d0d74 refs/heads/main EOF ;; "clone") local -r repo_name="${1##*/}" mkdir "${repo_name}" ;; *) ;; # Do nothing esac } # Run this in the caller's environment. ( source "${CLI}" -r -c 6c68b48c884e0aeb983b8864f35187d9584d0d74 \ create_branch 1.6.0 some-repo &> /dev/null ) ASSERT_CMD_SUCCEEDED ASSERT_FILE_EQUALS "${actual_git_cmds_file}" "${expected_git_cmds_file}" } test_GitHubReleaseUtil_CreateTagPatchSucceeds() { cd "${TEST_CASE_TMPDIR}" local -r expected_git_cmds_file="${TEST_CASE_TMPDIR}/expected_cmds.txt" cat << EOF > ${expected_git_cmds_file} git ls-remote ssh://git@github.com/tink-crypto/some-repo git clone ssh://git@github.com/tink-crypto/some-repo git checkout 1.6 git tag -a v1.6.2 -m some-repo version 1.6.2 git push origin v1.6.2 EOF local -r actual_git_cmds_file="${TEST_CASE_TMPDIR}/actual_git_cmds_file.txt" # Mock git command. git() { local -r command="$1" shift 1 cmd_and_args="git ${command} $@" echo "${cmd_and_args}" >> "${actual_git_cmds_file}" case "${command}" in "ls-remote") cat << EOF 6c68b48c884e0aeb983b8864f35187d9584d0d74 HEAD 6c68b48c884e0aeb983b8864f35187d9584d0d74 refs/heads/main 9940095f3081a116fa7a1337ad5ba27a3ccc59fe refs/heads/1.6 EOF ;; "clone") local -r repo_name="${1##*/}" mkdir "${repo_name}" ;; *) ;; # Do nothing. esac } # Run this in the caller's environment. ( source "${CLI}" -r -c 6c68b48c884e0aeb983b8864f35187d9584d0d74 \ create_tag 1.6.2 some-repo &> /dev/null ) ASSERT_CMD_SUCCEEDED ASSERT_FILE_EQUALS "${actual_git_cmds_file}" "${expected_git_cmds_file}" } test_GitHubReleaseUtil_CreateBranchFailsWhenLsRemoteFails() { cd "${TEST_CASE_TMPDIR}" local -r expected_git_cmds_file="${TEST_CASE_TMPDIR}/expected_cmds.txt" cat << EOF > ${expected_git_cmds_file} git ls-remote ssh://git@github.com/tink-crypto/some-repo EOF local actual_git_cmds_file="${TEST_CASE_TMPDIR}/actual_cmds.txt" # Mock git command. git() { local -r command="$1" shift 1 cmd_and_args="git ${command} $@" echo "${cmd_and_args}" >> "${actual_git_cmds_file}" case "${command}" in "ls-remote") return 1 ;; *) ;; # Do nothing. esac } # Run this in a subshell to prevent exiting on failure. ( source "${CLI}" -r create_branch 1.6.2 some-repo &> /dev/null ) ASSERT_CMD_FAILED ASSERT_FILE_EQUALS "${actual_git_cmds_file}" "${expected_git_cmds_file}" echo "" > "${actual_git_cmds_file}" } test_GitHubReleaseUtil_CreateBranchFailsWhenCloneFails() { cd "${TEST_CASE_TMPDIR}" local -r expected_git_cmds_file="${TEST_CASE_TMPDIR}/expected_cmds.txt" cat << EOF > ${expected_git_cmds_file} git ls-remote ssh://git@github.com/tink-crypto/some-repo git clone ssh://git@github.com/tink-crypto/some-repo EOF local actual_git_cmds_file="${TEST_CASE_TMPDIR}/actual_cmds.txt" # Mock git command. git() { local -r command="$1" shift 1 cmd_and_args="git ${command} $@" echo "${cmd_and_args}" >> "${actual_git_cmds_file}" case "${command}" in "ls-remote") cat << EOF 6c68b48c884e0aeb983b8864f35187d9584d0d74 HEAD 6c68b48c884e0aeb983b8864f35187d9584d0d74 refs/heads/main EOF ;; "clone") return 1 ;; *) ;; # Do nothing. esac } # Run this in a subshell to prevent exiting on failure. ( source "${CLI}" -r create_branch 1.6.2 some-repo &> /dev/null ) ASSERT_CMD_FAILED ASSERT_FILE_EQUALS "${actual_git_cmds_file}" "${expected_git_cmds_file}" } test_GitHubReleaseUtil_CreateTagFailsIfBranchDoesNotExist() { cd "${TEST_CASE_TMPDIR}" local -r expected_git_cmds_file="${TEST_CASE_TMPDIR}/expected_cmds.txt" cat << EOF > ${expected_git_cmds_file} git ls-remote ssh://git@github.com/tink-crypto/some-repo EOF local actual_git_cmds_file="${TEST_CASE_TMPDIR}/actual_cmds.txt" # Mock git command. git() { local -r command="$1" shift 1 cmd_and_args="git ${command} $@" echo "${cmd_and_args}" >> "${actual_git_cmds_file}" case "${command}" in "ls-remote") cat << EOF 6c68b48c884e0aeb983b8864f35187d9584d0d74 HEAD 6c68b48c884e0aeb983b8864f35187d9584d0d74 refs/heads/main EOF ;; *) ;; # Do nothing. esac } # Run this in a subshell to prevent exiting on failure. ( source "${CLI}" -r create_tag 1.6.2 some-repo &> /dev/null ) ASSERT_CMD_FAILED ASSERT_FILE_EQUALS "${actual_git_cmds_file}" "${expected_git_cmds_file}" } test_GitHubReleaseUtil_CreateTagFailsIfReleaseTagAlreadyExists() { cd "${TEST_CASE_TMPDIR}" local -r expected_git_cmds_file="${TEST_CASE_TMPDIR}/expected_cmds.txt" cat << EOF > ${expected_git_cmds_file} git ls-remote ssh://git@github.com/tink-crypto/some-repo EOF local actual_git_cmds_file="${TEST_CASE_TMPDIR}/actual_cmds.txt" # Mock git command. git() { local -r command="$1" shift 1 cmd_and_args="git ${command} $@" echo "${cmd_and_args}" >> "${actual_git_cmds_file}" case "${command}" in "ls-remote") cat << EOF 6c68b48c884e0aeb983b8864f35187d9584d0d74 HEAD 6c68b48c884e0aeb983b8864f35187d9584d0d74 refs/heads/main 112a7d3a0453a1d926448519f94fe5a91c69be45 refs/heads/1.6 8c266441044c4dfaf7560e21663a8037043b750b refs/tags/v1.6.2 195ec3c1edeee8877ab5dc287f95c4402e3fb510 refs/tags/v1.6.1 c6f48771296bca0bd22724b208abafeae7d7b764 refs/tags/v1.6.0 EOF ;; *) ;; # Do nothing. esac } # Run this in a subshell to prevent exiting on failure. ( source "${CLI}" -r create_tag 1.6.2 some-repo &> /dev/null ) ASSERT_CMD_FAILED ASSERT_FILE_EQUALS "${actual_git_cmds_file}" "${expected_git_cmds_file}" } test_GitHubReleaseUtil_FailsWhenInvalidVersion() { cd "${TEST_CASE_TMPDIR}" for action in create_branch create_tag; do ( source "${CLI}" -r "${action}" 1 some-repo &> /dev/null ) ASSERT_CMD_FAILED ( source "${CLI}" -r "${action}" 1.2 some-repo &> /dev/null ) ASSERT_CMD_FAILED ( source "${CLI}" -r "${action}" 1.2.a some-repo &> /dev/null ) ASSERT_CMD_FAILED ( source "${CLI}" -r "${action}" a.b.c some-repo &> /dev/null ) ASSERT_CMD_FAILED ( source "${CLI}" -r "${action}" 1.2.3.4 some-repo &> /dev/null ) ASSERT_CMD_FAILED ( source "${CLI}" -r "${action}" invalid some-repo &> /dev/null ) ASSERT_CMD_FAILED done } test_GitHubReleaseUtil_FailsWhenNoRepoNameIsGiven() { cd "${TEST_CASE_TMPDIR}" for action in create_branch create_tag; do # Run this in a subshell to prevent exiting on failure. ( source "${CLI}" -r "${action}" 1.6.0 &> /dev/null ) ASSERT_CMD_FAILED done } test_GitHubReleaseUtil_CreateBranchUsesCorrectGithubToken() { cd "${TEST_CASE_TMPDIR}" local -r access_token="a227da63673c236090a067c3f96b62e74dbd5857" local -r expected_url="https://ise-crypto:${access_token}@github.com/tink-crypto/some-repo" local -r expected_git_cmds_file="${TEST_CASE_TMPDIR}/expected_cmds.txt" cat << EOF > ${expected_git_cmds_file} git ls-remote ${expected_url} git clone ${expected_url} git branch 1.6 git push origin 1.6 EOF local -r actual_git_cmds_file="${TEST_CASE_TMPDIR}/actual_git_cmds_file.txt" # Mock git command. git() { local -r command="$1" shift 1 cmd_and_args="git ${command} $@" echo "${cmd_and_args}" >> "${actual_git_cmds_file}" case "${command}" in "ls-remote") cat << EOF 6c68b48c884e0aeb983b8864f35187d9584d0d74 HEAD 6c68b48c884e0aeb983b8864f35187d9584d0d74 refs/heads/main EOF ;; "clone") local -r repo_name="${1##*/}" mkdir "${repo_name}" ;; *) ;; # Do nothing esac } # Run this in the caller's environment. ( source "${CLI}" -r -t "${access_token}" create_branch 1.6.0 some-repo \ &> /dev/null ) ASSERT_CMD_SUCCEEDED ASSERT_FILE_EQUALS "${actual_git_cmds_file}" "${expected_git_cmds_file}" } test_GitHubReleaseUtil_CreateTagUsesCorrectGithubToken() { cd "${TEST_CASE_TMPDIR}" local -r access_token="a227da63673c236090a067c3f96b62e74dbd5857" local -r expected_url="https://ise-crypto:${access_token}@github.com/tink-crypto/some-repo" local -r expected_git_cmds_file="${TEST_CASE_TMPDIR}/expected_cmds.txt" cat << EOF > ${expected_git_cmds_file} git ls-remote ${expected_url} git clone ${expected_url} git checkout 1.6 git tag -a v1.6.2 -m some-repo version 1.6.2 git push origin v1.6.2 EOF local -r actual_git_cmds_file="${TEST_CASE_TMPDIR}/actual_git_cmds_file.txt" # Mock git command. git() { local -r command="$1" shift 1 cmd_and_args="git ${command} $@" echo "${cmd_and_args}" >> "${actual_git_cmds_file}" case "${command}" in "ls-remote") cat << EOF 6c68b48c884e0aeb983b8864f35187d9584d0d74 HEAD 6c68b48c884e0aeb983b8864f35187d9584d0d74 refs/heads/main 112a7d3a0453a1d926448519f94fe5a91c69be45 refs/heads/1.6 EOF ;; "clone") local -r repo_name="${1##*/}" mkdir "${repo_name}" ;; *) ;; # Do nothing esac } # Run this in the caller's environment. ( source "${CLI}" -r -t "${access_token}" create_tag 1.6.2 some-repo \ &> /dev/null ) ASSERT_CMD_SUCCEEDED ASSERT_FILE_EQUALS "${actual_git_cmds_file}" "${expected_git_cmds_file}" } main() { run_all_tests "$@" } main "$@" tink-go-awskms-2.1.0/kokoro/testutils/go_test_container_images.sh000066400000000000000000000024001461624660000253210ustar00rootroot00000000000000#!/bin/bash # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ _image_prefix() { local -r artifact_registry_url="us-docker.pkg.dev" local -r test_project="tink-test-infrastructure" local -r artifact_registry_repo="tink-ci-images" echo "${artifact_registry_url}/${test_project}/${artifact_registry_repo}" } # Linux container images for Tink Go libraries. readonly TINK_GO_BASE_IMAGE_NAME="linux-tink-go-base" # Image from 2024-03-19. readonly TINK_GO_BASE_IMAGE_HASH="309617d28992a6b381ef3cbb229375d1a0907a5423be5856f43fa87da3490401" readonly TINK_GO_BASE_IMAGE="$(_image_prefix)/${TINK_GO_BASE_IMAGE_NAME}@sha256:${TINK_GO_BASE_IMAGE_HASH}" unset -f _image_prefix tink-go-awskms-2.1.0/kokoro/testutils/install_go.sh000077500000000000000000000033371461624660000224360ustar00rootroot00000000000000#!/bin/bash # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ # This script installs a recent version of Go into a temporary directory. The Go # bin directory is then added to the PATH environment variable. # # NOTE: This script MUST be sourced to update the environment of the calling # script. # # Usage instructions: # # source ./kokoro/testutils/install_go.sh install_temp_go() { local -r go_version="1.20.10" local -r platform="$(uname | tr '[:upper:]' '[:lower:]')" local go_platform case "${platform}" in 'linux') go_platform='linux-amd64' ;; 'darwin') go_platform='darwin-amd64' ;; *) echo "Unsupported platform, unable to install Go." exit 1 ;; esac readonly go_platform local -r go_archive="go${go_version}.${go_platform}.tar.gz" local -r go_url="https://go.dev/dl/${go_archive}" local -r go_tmpdir=$(mktemp -dt tink-go.XXXXXX) ( cd "${go_tmpdir}" curl -OLsS "${go_url}" tar -xzf "${go_archive}" ) export GOROOT="${go_tmpdir}/go" export PATH="${go_tmpdir}/go/bin:${PATH}" } if [[ -n "${KOKORO_ARTIFACTS_DIR:-}" ]] ; then install_temp_go fi tink-go-awskms-2.1.0/kokoro/testutils/run_bazel_tests.sh000077500000000000000000000100011461624660000234700ustar00rootroot00000000000000#!/bin/bash # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ # This script runs all the Bazel tests within a given workspace directory. # # Users must spcify the WORKSPACE directory. Optionally, the user can specify # a set of additional manual targets to run. # # Note: -E extends the trap to shell functions, command substitutions, and # commands executed in a subshell environment. set -eEo pipefail # Print some debug output on error before exiting. trap print_debug_output ERR usage() { echo "Usage: $0 [-mh] [-b ...] [-t ...] \\" echo " [ ...]" echo " -m: Runs only the manual targets. If set, manual targets must be" echo " provided." echo " -b: Comma separated list of flags to pass to `bazel build`." echo " -t: Comma separated list of flags to pass to `bazel test`." echo " -h: Help. Print this usage information." exit 1 } readonly PLATFORM="$(uname | tr '[:upper:]' '[:lower:]')" MANUAL_ONLY="false" WORKSPACE_DIR= MANUAL_TARGETS= BAZEL_CMD="bazel" BUILD_FLAGS=() TEST_FLAGS=() ####################################### # Process command line arguments. # # Globals: # WORKSPACE_DIR # MANUAL_TARGETS ####################################### process_args() { # Parse options. while getopts "mhb:t:" opt; do case "${opt}" in m) MANUAL_ONLY="true" ;; b) BUILD_FLAGS=($(echo "${OPTARG}" | tr ',' '\n')) ;; t) TEST_FLAGS=($(echo "${OPTARG}" | tr ',' '\n')) ;; *) usage ;; esac done shift $((OPTIND - 1)) WORKSPACE_DIR="$1" readonly WORKSPACE_DIR if [[ -z "${WORKSPACE_DIR}" ]]; then usage fi shift 1 MANUAL_TARGETS=("$@") readonly MANUAL_TARGETS if [[ "${MANUAL_ONLY}" == "true" ]] && (( ${#MANUAL_TARGETS[@]} == 0 )); then usage fi # Use Bazelisk (https://github.com/bazelbuild/bazelisk) if available. if command -v "bazelisk" &> /dev/null; then BAZEL_CMD="bazelisk" fi readonly BAZEL_CMD echo "Using: $(which ${BAZEL_CMD})" } ####################################### # Print some debugging output. ####################################### print_debug_output() { ls -l df -h } main() { process_args "$@" TEST_FLAGS+=( --strategy=TestRunner=standalone --test_output=all ) local -r workspace_dir="$(cd ${WORKSPACE_DIR} && pwd)" if [[ "${PLATFORM}" == 'darwin' ]]; then TEST_FLAGS+=( --jvmopt="-Djava.net.preferIPv6Addresses=true" ) if [[ "${workspace_dir}" =~ javascript ]]; then BUILD_FLAGS+=( --experimental_inprocess_symlink_creation ) TEST_FLAGS+=( --experimental_inprocess_symlink_creation ) fi fi readonly BUILD_FLAGS readonly TEST_FLAGS ( set -x cd "${workspace_dir}" if [[ "${MANUAL_ONLY}" == "false" ]]; then time "${BAZEL_CMD}" build "${BUILD_FLAGS[@]}" -- ... # Exit code 4 means targets build correctly but no tests were found. See # https://bazel.build/docs/scripts#exit-codes. bazel_test_return=0 time "${BAZEL_CMD}" test "${TEST_FLAGS[@]}" -- ... || bazel_test_return="$?" if (( $bazel_test_return != 0 && $bazel_test_return != 4 )); then return "${bazel_test_return}" fi fi # Run specific manual targets. if (( ${#MANUAL_TARGETS[@]} > 0 )); then time "${BAZEL_CMD}" build "${BUILD_FLAGS[@]}" -- "${MANUAL_TARGETS[@]}" time "${BAZEL_CMD}" test "${TEST_FLAGS[@]}" -- "${MANUAL_TARGETS[@]}" fi ) } main "$@" tink-go-awskms-2.1.0/kokoro/testutils/run_command.sh000077500000000000000000000065551461624660000226120ustar00rootroot00000000000000#!/bin/bash # Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ # Utility script to optionally run a command optionally in a new container. # # This script must be run from inside the Tink library to run the command for. # # NOTE: When running in a new container, this sctips mounts the parent folder of # `pwd`. Other dependencies, if any, are assumed to be located there. For # example, if running tink-py tests, this script assumes: # - pwd => /path/to/parent/tink-py # - mount path => /path/to/parent # - ls /path/to/parent => tink_cc tink_py. set -eo pipefail usage() { cat <] [-k ] -c: [Optional] Container image to run the command on. -k: [Optional] Service key file path for pulling the image from the Google Artifact Registry (https://cloud.google.com/artifact-registry). -e: [Optional] File containing a list of environment variables to pass to Docker using --env-file (see https://docs.docker.com/engine/reference/commandline/run/#env). -h: Help. Print this usage information. EOF exit 1 } # Args. COMMAND= # Options. CONTAINER_IMAGE_NAME= GCR_SERVICE_KEY_PATH= DOCKER_ENV_FILE= ####################################### # Process command line arguments. ####################################### process_args() { # Parse options. while getopts "hc:k:e:" opt; do case "${opt}" in c) CONTAINER_IMAGE_NAME="${OPTARG}" ;; k) GCR_SERVICE_KEY_PATH="${OPTARG}" ;; e) DOCKER_ENV_FILE="${OPTARG}" ;; *) usage ;; esac done shift $((OPTIND - 1)) readonly CONTAINER_IMAGE_NAME readonly GCR_SERVICE_KEY_PATH readonly DOCKER_ENV_FILE readonly COMMAND=("$@") } main() { process_args "$@" if [[ -z "${CONTAINER_IMAGE_NAME:-}" ]]; then echo "Running command on the host" time "${COMMAND[@]}" else echo "Running command on a new container from image ${CONTAINER_IMAGE_NAME}" if [[ ! -z "${GCR_SERVICE_KEY_PATH:-}" ]]; then # Activate service account to read from a private artifact registry repo. gcloud auth activate-service-account --key-file="${GCR_SERVICE_KEY_PATH}" gcloud config set project tink-test-infrastructure gcloud auth configure-docker us-docker.pkg.dev --quiet fi local -r path_to_mount="$(dirname "$(pwd)")" local -r library_to_test="$(basename "$(pwd)")" time docker pull "${CONTAINER_IMAGE_NAME}" local docker_opts=( --network="host" --mount type=bind,src="${path_to_mount}",dst=/deps --workdir=/deps/"${library_to_test}" --rm ) if [[ -n "${DOCKER_ENV_FILE}" ]]; then docker_opts+=( --env-file="${DOCKER_ENV_FILE}" ) fi readonly docker_opts time docker run "${docker_opts[@]}" "${CONTAINER_IMAGE_NAME}" \ bash -c "$(echo "${COMMAND[@]}")" fi } main "$@" tink-go-awskms-2.1.0/kokoro/testutils/run_go_mod_tests.sh000077500000000000000000000124471461624660000236570ustar00rootroot00000000000000#!/bin/bash # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ # This script runs tests on a given Go module. # # Usage: # ./kokoro/testutils/run_gomod_tests.sh \ # \ # \ # \ # set -eo pipefail FULL_GITHUB_MODULE_NAME= GO_MODULE_LOCAL_PATH= GO_MODULE_VERSION= GO_MODULE_GITHUB_HEAD_BRANCH= usage() { echo "Usage: $0 \\" echo " " exit 1 } ####################################### # Process command line arguments. # # Globals: # FULL_GITHUB_MODULE_NAME # GO_MODULE_LOCAL_PATH # GO_MODULE_VERSION # GO_MODULE_GITHUB_HEAD_BRANCH ####################################### process_args() { FULL_GITHUB_MODULE_NAME="$1" readonly FULL_GITHUB_MODULE_NAME GO_MODULE_LOCAL_PATH="$2" readonly GO_MODULE_LOCAL_PATH GO_MODULE_VERSION="$3" readonly GO_MODULE_VERSION GO_MODULE_GITHUB_HEAD_BRANCH="$4" readonly GO_MODULE_GITHUB_HEAD_BRANCH if [[ -z "${FULL_GITHUB_MODULE_NAME}" ]]; then usage fi if [[ -z "${GO_MODULE_LOCAL_PATH}" ]]; then usage fi if [[ -z "${GO_MODULE_VERSION}" ]]; then usage fi if [[ -z "${GO_MODULE_GITHUB_HEAD_BRANCH}" ]]; then usage fi } ####################################### # Add a require statement for a module and a replace statement to point it # to the local copy. # Arguments: # full_github_module_name: The full module name. # module_local_path: The root directory of the local Go module. # tink_version: Tink version. ####################################### function overlay_module() { local full_github_module_name="$1" local module_local_path="$2" local tink_version="$3" go mod edit "-require=${full_github_module_name}@v${tink_version}" go mod edit "-replace=${full_github_module_name}=${module_local_path}" } ####################################### # Search the go.mod being tested for internal dependencies and overlay them with # the local copies. # # Globals: # FULL_GITHUB_MODULE_NAME # GO_MODULE_LOCAL_PATH # GO_MODULE_VERSION ####################################### overlay_internal_deps() { declare -a internal_deps while read internal_dep; do internal_deps+=("${internal_dep}") done < <(grep "${FULL_GITHUB_MODULE_NAME}" "${GO_MODULE_LOCAL_PATH}/go.mod" \ | grep -v ^module \ | awk '{print $1}') # If internal_deps are found... if [[ ! -z "${internal_deps+x}" ]]; then for full_dep_name in "${internal_deps[@]}"; do local dep_name="$(echo "${full_dep_name}" \ | sed "s#${FULL_GITHUB_MODULE_NAME}/##")" overlay_module \ "${full_dep_name}" \ "${dep_name}" \ "${GO_MODULE_VERSION}" done fi } ####################################### # Builds and tests a given local module. # # Globals: # GO_MODULE_LOCAL_PATH # Outputs: # Prints progress to STDOUT. ####################################### build_and_test_local_go_mod() { echo "### Testing local Go module at ${GO_MODULE_LOCAL_PATH}" ( set -x cd "${GO_MODULE_LOCAL_PATH}" go build -v ./... go test -v ./... ) } ####################################### # Builds and tests a given local module. # # Globals: # FULL_GITHUB_MODULE_NAME # GO_MODULE_LOCAL_PATH # GO_MODULE_VERSION # GO_MODULE_GITHUB_HEAD_BRANCH # Outputs: # Prints progress to STDOUT. ####################################### test_go_module_depending_on_local_one() { # Create a temporary directory for performing module tests. local -r test_tmp_dir="$(mktemp -dt tink-gomod-test.XXXXXX)" local -r go_module_tmp_directory="${test_tmp_dir}/go-mod-test" mkdir "${go_module_tmp_directory}" ( cd "${go_module_tmp_directory}" echo "Using go binary from $(which go): $(go version)" set -x # Initialize a test Go module. go mod init tink-go-mod-test overlay_module \ "${FULL_GITHUB_MODULE_NAME}" \ "${GO_MODULE_LOCAL_PATH}" \ "${GO_MODULE_VERSION}" overlay_internal_deps # Print the prepared go.mod. cat go.mod # Get the module at the latest commit and print graph output depicting # direct dependencies. go get -v "${FULL_GITHUB_MODULE_NAME}@${GO_MODULE_GITHUB_HEAD_BRANCH}" # Pint contextual information concerning dependencies. go mod graph | grep tink go list -m all | grep tink ) # Leave a clean environment for subsequent tests. go clean -modcache rm -rf "${test_tmp_dir}" } main() { process_args "$@" build_and_test_local_go_mod # Skip this test for modules that are not on github.com/google/tink. if [[ "${FULL_GITHUB_MODULE_NAME}" =~ github.com/google/tink[a-z./]+ ]]; then test_go_module_depending_on_local_one fi } main "$@" tink-go-awskms-2.1.0/kokoro/testutils/test_utils.sh000077500000000000000000000103161461624660000224750ustar00rootroot00000000000000#!/bin/bash # Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ # Set of utilities to run unit tests for bash scripts. # # Example usage: # From your test script: # source some/path/to/test_utils.sh # # # Test functions must be defined as follows: # test__() { # # Do some ground work. # # Run the test script. # ./path/to/script_to_test ... # ASSERT_CMD_SUCCEEDED # ASSERT_FILE_EQUALS # } # # # Finds all the functions starting with `test_`, extracts test name and # # test case, and run them. # run_all_tests "$@" # # This is either set by Bazel or generated. : "${TEST_TMPDIR:="$(mktemp -td test.XXXXX)"}" readonly TEST_TMPDIR # Temporary directory for the testcase to use. TEST_CASE_TMPDIR= # Current test name. _CURRENT_TEST_SCOPE= # Current test case. _CURRENT_TEST_CASE= # True if at least one of the test cases terminated with an error. _HAS_ERROR="false" _print_testcase_failed_and_exit() { echo "[ FAILED ] ${_CURRENT_TEST_SCOPE}.${_CURRENT_TEST_CASE}" exit 1 } ####################################### # Starts a new test case. # # Globals: # _CURRENT_TEST_SCOPE # _CURRENT_TEST_CASE ####################################### _start_test_case() { echo "[ RUN ] ${_CURRENT_TEST_SCOPE}.${_CURRENT_TEST_CASE}" # Create a tmp dir for the test case. TEST_CASE_TMPDIR="${TEST_TMPDIR}/${_CURRENT_TEST_SCOPE}/${_CURRENT_TEST_CASE}" mkdir -p "${TEST_CASE_TMPDIR}" } ####################################### # Ends a test case printing a success message. # # Globals: # _CURRENT_TEST_SCOPE # _CURRENT_TEST_CASE ####################################### _end_test_case_with_success() { test_case="$1" echo "[ OK ] ${_CURRENT_TEST_SCOPE}.${_CURRENT_TEST_CASE}" } ####################################### # Returns the list of tests defined in the test script. # # A test case is a function of the form: # test__ # # This function returns all the functions starting with `test_`. # # Globals: # None # Arguments: # None ####################################### _get_all_tests() { declare -F | while read line; do case "${line}" in "declare -f test_"*) echo "${line#declare -f }" ;; esac done } ####################################### # Runs a given test function. # # A test case is a function of the form: # test__ # # This script extracts test name and test case from the name. # # Globals: # _CURRENT_TEST_SCOPE # Arguments: # None ####################################### _do_run_test() { test_function="$1" IFS=_ read _CURRENT_TEST_SCOPE _CURRENT_TEST_CASE <<< "${test_function#test_}" _start_test_case ( # Make sure we exit only when assertions fail. set +e "${test_function}" ) local -r result=$? if (( $result == 0 )); then _end_test_case_with_success else _HAS_ERROR="true" fi } ####################################### # Runs all the test cases defined in the test script file. # Globals: # None # Arguments: # None # ####################################### run_all_tests() { for test in $(_get_all_tests); do _do_run_test "${test}" done # Make sure we return an error code for the failing test if [[ "${_HAS_ERROR}" == "true" ]]; then exit 1 fi } ASSERT_CMD_SUCCEEDED() { if (( $? != 0 )); then _print_testcase_failed_and_exit fi } ASSERT_CMD_FAILED() { if (( $? == 0 )); then _print_testcase_failed_and_exit fi } ASSERT_FILE_EQUALS() { input_file="$1" expected_file="$2" if ! diff "${input_file}" "${expected_file}"; then _print_testcase_failed_and_exit fi } tink-go-awskms-2.1.0/testdata/000077500000000000000000000000001461624660000162035ustar00rootroot00000000000000tink-go-awskms-2.1.0/testdata/aws/000077500000000000000000000000001461624660000167755ustar00rootroot00000000000000tink-go-awskms-2.1.0/testdata/aws/BUILD.bazel000066400000000000000000000007151461624660000206560ustar00rootroot00000000000000package(default_visibility = ["//visibility:public"]) licenses(["notice"]) filegroup( name = "credentials", testonly = 1, srcs = [ "credentials.cred", "credentials.csv", "credentials.ini", "key_arn.txt", ], ) filegroup( name = "bad_credentials", testonly = 1, srcs = [ "access_keys_bad.csv", "credentials_bad.csv", "credentials_bad.ini", "key_arn_bad.txt", ], ) tink-go-awskms-2.1.0/testdata/aws/README.md000066400000000000000000000016471461624660000202640ustar00rootroot00000000000000This folder contains AWS credentials that are used for testing Tink. For security reasons, all credentials in this folder are invalid. If you want to run tests that depend on them, please create your own [AWS access keys][aws-access-keys]. The credentials are required in several formats expected by different APIs. For example, Java expects the credentials as a [properties file][properties-file]. In order to cover all tests across all languages you have to replace `aws/credentials.cred`, `aws/credentials.csv` and `aws/credentials.ini`. These can be generated in a similar way to this [credential copying script][copy-credentials-script]. [aws-access-keys]: https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html [properties-file]: https://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingAcctOrUserCredentials.html [copy-credentials-script]: https://github.com/google/tink/blob/master/kokoro/copy_credentials.sh tink-go-awskms-2.1.0/testdata/aws/access_keys_bad.csv000066400000000000000000000001361461624660000226140ustar00rootroot00000000000000Access key ID,Secret access key AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY tink-go-awskms-2.1.0/testdata/aws/credentials.cred000066400000000000000000000001401461624660000221240ustar00rootroot00000000000000[default] accessKey = AKIAIIK5X7P3NAHNSNUQ secretKey = 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 tink-go-awskms-2.1.0/testdata/aws/credentials.csv000066400000000000000000000003041461624660000220040ustar00rootroot00000000000000User name,Password,Access key ID,Secret access key,Console login link tink-user1,,AKIAIIK5X7P3NAHNSNUQ,c7k55Gw83QlN1gYBhVPEEn1pKV909sxbll8JOvHF,https://235739564943.signin.aws.amazon.com/console tink-go-awskms-2.1.0/testdata/aws/credentials.ini000066400000000000000000000001641461624660000217740ustar00rootroot00000000000000[default] aws_access_key_id = AKIAIIK5X7P3NAHNSNUQ aws_secret_access_key = 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 tink-go-awskms-2.1.0/testdata/aws/credentials_bad.csv000066400000000000000000000001631461624660000226150ustar00rootroot00000000000000User name,Password,Access key ID,Secret access key ,,AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY tink-go-awskms-2.1.0/testdata/aws/credentials_bad.ini000066400000000000000000000001641461624660000226020ustar00rootroot00000000000000[default] aws_access_key_id = AKIAIOSFODNN7EXAMPLE aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY tink-go-awskms-2.1.0/testdata/aws/key_arn.txt000066400000000000000000000001141461624660000211620ustar00rootroot00000000000000arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f tink-go-awskms-2.1.0/testdata/aws/key_arn_bad.txt000066400000000000000000000001141461624660000217700ustar00rootroot00000000000000arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012 tink-go-awskms-2.1.0/version.bzl000066400000000000000000000001511461624660000165650ustar00rootroot00000000000000"""Version of the current release of the Tink Go AWS KMS Extension""" TINK_GO_AWSKMS_EXTENSION = "2.1.0"