github-mirrors
/
mirror-seaweedfs


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145
							#!/bin/bash

# Setup script for OpenBao KMS integration testing
set -e

OPENBAO_ADDR=${OPENBAO_ADDR:-"http://127.0.0.1:8200"}
OPENBAO_TOKEN=${OPENBAO_TOKEN:-"root-token-for-testing"}
TRANSIT_PATH=${TRANSIT_PATH:-"transit"}

echo "🚀 Setting up OpenBao for KMS integration testing..."
echo "OpenBao Address: $OPENBAO_ADDR"
echo "Transit Path: $TRANSIT_PATH"

# Wait for OpenBao to be ready
echo "⏳ Waiting for OpenBao to be ready..."
for i in {1..30}; do
    if curl -s "$OPENBAO_ADDR/v1/sys/health" >/dev/null 2>&1; then
        echo "✅ OpenBao is ready!"
        break
    fi
    echo "   Attempt $i/30: OpenBao not ready yet, waiting..."
    sleep 2
done

# Check if we can connect
if ! curl -s -H "X-Vault-Token: $OPENBAO_TOKEN" "$OPENBAO_ADDR/v1/sys/health" >/dev/null; then
    echo "❌ Cannot connect to OpenBao at $OPENBAO_ADDR"
    exit 1
fi

echo "🔧 Setting up transit secrets engine..."

# Enable transit secrets engine (ignore if already enabled)
curl -s -X POST \
    -H "X-Vault-Token: $OPENBAO_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"type":"transit","description":"Transit engine for KMS testing"}' \
    "$OPENBAO_ADDR/v1/sys/mounts/$TRANSIT_PATH" || true

echo "🔑 Creating test encryption keys..."

# Define test keys
declare -a TEST_KEYS=(
    "test-key-1:aes256-gcm96:Test key 1 for basic operations"
    "test-key-2:aes256-gcm96:Test key 2 for multi-key scenarios" 
    "seaweedfs-test-key:aes256-gcm96:SeaweedFS integration test key"
    "bucket-default-key:aes256-gcm96:Default key for bucket encryption"
    "high-security-key:aes256-gcm96:High security test key"
    "performance-key:aes256-gcm96:Performance testing key"
    "aws-compat-key:aes256-gcm96:AWS compatibility test key"
    "multipart-key:aes256-gcm96:Multipart upload test key"
)

# Create each test key
for key_spec in "${TEST_KEYS[@]}"; do
    IFS=':' read -r key_name key_type key_desc <<< "$key_spec"
    
    echo "   Creating key: $key_name ($key_type)"
    
    # Create the encryption key
    curl -s -X POST \
        -H "X-Vault-Token: $OPENBAO_TOKEN" \
        -H "Content-Type: application/json" \
        -d "{\"type\":\"$key_type\",\"description\":\"$key_desc\"}" \
        "$OPENBAO_ADDR/v1/$TRANSIT_PATH/keys/$key_name" || {
        echo "   ⚠️  Key $key_name might already exist"
    }
    
    # Verify the key was created
    if curl -s -H "X-Vault-Token: $OPENBAO_TOKEN" "$OPENBAO_ADDR/v1/$TRANSIT_PATH/keys/$key_name" >/dev/null; then
        echo "   ✅ Key $key_name verified"
    else
        echo "   ❌ Failed to create/verify key $key_name"
        exit 1
    fi
done

echo "🧪 Testing basic encryption/decryption..."

# Test basic encrypt/decrypt operation
TEST_PLAINTEXT="Hello, SeaweedFS KMS Integration!"
PLAINTEXT_B64=$(echo -n "$TEST_PLAINTEXT" | base64)

echo "   Testing with key: test-key-1"

# Encrypt
ENCRYPT_RESPONSE=$(curl -s -X POST \
    -H "X-Vault-Token: $OPENBAO_TOKEN" \
    -H "Content-Type: application/json" \
    -d "{\"plaintext\":\"$PLAINTEXT_B64\"}" \
    "$OPENBAO_ADDR/v1/$TRANSIT_PATH/encrypt/test-key-1")

CIPHERTEXT=$(echo "$ENCRYPT_RESPONSE" | jq -r '.data.ciphertext')

if [[ "$CIPHERTEXT" == "null" || -z "$CIPHERTEXT" ]]; then
    echo "   ❌ Encryption test failed"
    echo "   Response: $ENCRYPT_RESPONSE"
    exit 1
fi

echo "   ✅ Encryption successful: ${CIPHERTEXT:0:50}..."

# Decrypt
DECRYPT_RESPONSE=$(curl -s -X POST \
    -H "X-Vault-Token: $OPENBAO_TOKEN" \
    -H "Content-Type: application/json" \
    -d "{\"ciphertext\":\"$CIPHERTEXT\"}" \
    "$OPENBAO_ADDR/v1/$TRANSIT_PATH/decrypt/test-key-1")

DECRYPTED_B64=$(echo "$DECRYPT_RESPONSE" | jq -r '.data.plaintext')
DECRYPTED_TEXT=$(echo "$DECRYPTED_B64" | base64 -d)

if [[ "$DECRYPTED_TEXT" != "$TEST_PLAINTEXT" ]]; then
    echo "   ❌ Decryption test failed"
    echo "   Expected: $TEST_PLAINTEXT"
    echo "   Got: $DECRYPTED_TEXT"
    exit 1
fi

echo "   ✅ Decryption successful: $DECRYPTED_TEXT"

echo "📊 OpenBao KMS setup summary:"
echo "   Address: $OPENBAO_ADDR"
echo "   Transit Path: $TRANSIT_PATH"
echo "   Keys Created: ${#TEST_KEYS[@]}"
echo "   Status: Ready for integration testing"

echo ""
echo "🎯 Ready to run KMS integration tests!"
echo ""
echo "Usage:"
echo "   # Run Go integration tests"
echo "   go test -v ./test/kms/..."
echo ""
echo "   # Run with Docker Compose"
echo "   cd test/kms && docker-compose up -d"
echo "   docker-compose exec openbao bao status"
echo ""
echo "   # Test S3 API with encryption"
echo "   aws s3api put-bucket-encryption \\"
echo "     --endpoint-url http://localhost:8333 \\"
echo "     --bucket test-bucket \\"
echo "     --server-side-encryption-configuration file://bucket-encryption.json"
echo ""
echo "✅ OpenBao KMS setup complete!"