diff --git a/wrappers/gcpckms/gcpckms.go b/wrappers/gcpckms/gcpckms.go index 359106b1..9dd7b1e8 100644 --- a/wrappers/gcpckms/gcpckms.go +++ b/wrappers/gcpckms/gcpckms.go @@ -130,7 +130,7 @@ func (s *Wrapper) SetConfig(_ context.Context, opt ...wrapping.Option) (*wrappin switch { case os.Getenv(EnvGcpCkmsWrapperKeyRing) != "" && !opts.Options.WithDisallowEnvVars: s.keyRing = os.Getenv(EnvGcpCkmsWrapperKeyRing) - case os.Getenv(EnvVaultGcpCkmsSealKeyRing) != "": + case os.Getenv(EnvVaultGcpCkmsSealKeyRing) != "" && !opts.Options.WithDisallowEnvVars: s.keyRing = os.Getenv(EnvVaultGcpCkmsSealKeyRing) case opts.withKeyRing != "": s.keyRing = opts.withKeyRing @@ -141,7 +141,7 @@ func (s *Wrapper) SetConfig(_ context.Context, opt ...wrapping.Option) (*wrappin switch { case os.Getenv(EnvGcpCkmsWrapperCryptoKey) != "" && !opts.Options.WithDisallowEnvVars: s.cryptoKey = os.Getenv(EnvGcpCkmsWrapperCryptoKey) - case os.Getenv(EnvVaultGcpCkmsSealCryptoKey) != "": + case os.Getenv(EnvVaultGcpCkmsSealCryptoKey) != "" && !opts.Options.WithDisallowEnvVars: s.cryptoKey = os.Getenv(EnvVaultGcpCkmsSealCryptoKey) case opts.withCryptoKey != "": s.cryptoKey = opts.withCryptoKey diff --git a/wrappers/gcpckms/gcpckms_acc_test.go b/wrappers/gcpckms/gcpckms_acc_test.go index 210c890f..be967691 100644 --- a/wrappers/gcpckms/gcpckms_acc_test.go +++ b/wrappers/gcpckms/gcpckms_acc_test.go @@ -23,7 +23,6 @@ const ( // TestGcpKeyIdAfterConfig will test the result of calling the wrapper's KeyId() // after it's configured with various options func TestGcpKeyIdAfterConfig(t *testing.T) { - t.Parallel() // Now test for cases where CKMS values are provided checkAndSetEnvVars(t) ctx := context.Background() @@ -91,10 +90,55 @@ func TestGcpKeyIdAfterConfig(t *testing.T) { } }) } +} + +// TestDisableEnv makes sure that we properly get all our settings from a configuration +// map instead of the environment variables +func TestDisableEnv(t *testing.T) { + // Now test for cases where CKMS values are provided + checkAndSetEnvVars(t) + + configMap := map[string]string{ + "project": os.Getenv(EnvGcpCkmsWrapperProject), + "region": os.Getenv(EnvGcpCkmsWrapperLocation), + "key_ring": os.Getenv(EnvGcpCkmsWrapperKeyRing), + "crypto_key": os.Getenv(EnvGcpCkmsWrapperCryptoKey), + } + + // Reset the env values to validate we are using the config map ones + t.Setenv(EnvGcpCkmsWrapperProject, "bad_project") + t.Setenv(EnvGcpCkmsWrapperLocation, "bad_location") + t.Setenv(EnvGcpCkmsWrapperKeyRing, "bad_key_ring") + t.Setenv(EnvGcpCkmsWrapperCryptoKey, "bad_crypto_key") + t.Setenv(EnvVaultGcpCkmsSealKeyRing, "bad_vault_key_ring") + t.Setenv(EnvVaultGcpCkmsSealCryptoKey, "bad_vault_crypto_key") + + s := NewWrapper() + _, err := s.SetConfig(context.Background(), wrapping.WithConfigMap(configMap), wrapping.WithDisallowEnvVars(true)) + if err != nil { + t.Fatalf("got error from SetConfig %v", err) + } + + // Make sure we can use the key properly. + input := []byte("foo") + swi, err := s.Encrypt(context.Background(), input) + if err != nil { + t.Fatalf("err: %s", err.Error()) + } + pt, err := s.Decrypt(context.Background(), swi) + if err != nil { + t.Fatalf("err: %s", err.Error()) + } + + if !reflect.DeepEqual(input, pt) { + t.Fatalf("expected %s, got %s", input, pt) + } } func TestGcpCkmsSeal(t *testing.T) { + t.Setenv(EnvGcpCkmsWrapperProject, "") // Make sure at least one required value is not set. + // Do an error check before env vars are set s := NewWrapper() _, err := s.SetConfig(context.Background())