@@ -20,6 +20,9 @@ import (
2020 "github.com/coder/coder/v2/pty/ptytest"
2121)
2222
23+ // TestServerDBCrypt tests end-to-end encryption, decryption, and deletion
24+ // of encrypted user data.
25+ //
2326// nolint: paralleltest // use of t.Setenv
2427func TestServerDBCrypt (t * testing.T ) {
2528 if ! dbtestutil .WillUsePostgres () {
@@ -49,6 +52,7 @@ func TestServerDBCrypt(t *testing.T) {
4952 })
5053
5154 // Populate the database with some unencrypted data.
55+ t .Logf ("Generating unencrypted data" )
5256 users := genData (t , db )
5357
5458 // Setup an initial cipher A
@@ -61,6 +65,7 @@ func TestServerDBCrypt(t *testing.T) {
6165 require .NoError (t , err )
6266
6367 // Populate the database with some encrypted data using cipher A.
68+ t .Logf ("Generating data encrypted with cipher A" )
6469 newUsers := genData (t , cryptdb )
6570
6671 // Validate that newly created users were encrypted with cipher A
@@ -70,6 +75,7 @@ func TestServerDBCrypt(t *testing.T) {
7075 users = append (users , newUsers ... )
7176
7277 // Encrypt all the data with the initial cipher.
78+ t .Logf ("Encrypting all data with cipher A" )
7379 inv , _ := newCLI (t , "server" , "dbcrypt" , "rotate" ,
7480 "--postgres-url" , connectionURL ,
7581 "--new-key" , base64 .StdEncoding .EncodeToString ([]byte (keyA )),
@@ -90,9 +96,7 @@ func TestServerDBCrypt(t *testing.T) {
9096 cipherBA , err := dbcrypt .NewCiphers ([]byte (keyB ), []byte (keyA ))
9197 require .NoError (t , err )
9298
93- // Generate some more encrypted data using the new cipher
94- users = append (users , genData (t , db )... )
95-
99+ t .Logf ("Enrypting all data with cipher B" )
96100 inv , _ = newCLI (t , "server" , "dbcrypt" , "rotate" ,
97101 "--postgres-url" , connectionURL ,
98102 "--new-key" , base64 .StdEncoding .EncodeToString ([]byte (keyB )),
@@ -110,6 +114,7 @@ func TestServerDBCrypt(t *testing.T) {
110114 }
111115
112116 // Assert that we can revoke the old key.
117+ t .Logf ("Revoking cipher A" )
113118 err = db .RevokeDBCryptKey (ctx , cipherA [0 ].HexDigest ())
114119 require .NoError (t , err , "failed to revoke old key" )
115120
@@ -125,13 +130,15 @@ func TestServerDBCrypt(t *testing.T) {
125130 require .Empty (t , oldKey .ActiveKeyDigest .String , "expected the old key to not be active" )
126131
127132 // Revoking the new key should fail.
133+ t .Logf ("Attempting to revoke cipher B should fail as it is still in use" )
128134 err = db .RevokeDBCryptKey (ctx , cipherBA [0 ].HexDigest ())
129135 require .Error (t , err , "expected to fail to revoke the new key" )
130136 var pgErr * pq.Error
131137 require .True (t , xerrors .As (err , & pgErr ), "expected a pg error" )
132138 require .EqualValues (t , "23503" , pgErr .Code , "expected a foreign key constraint violation error" )
133139
134140 // Decrypt the data using only cipher B. This should result in the key being revoked.
141+ t .Logf ("Decrypting with cipher B" )
135142 inv , _ = newCLI (t , "server" , "dbcrypt" , "decrypt" ,
136143 "--postgres-url" , connectionURL ,
137144 "--keys" , base64 .StdEncoding .EncodeToString ([]byte (keyB )),
@@ -160,6 +167,7 @@ func TestServerDBCrypt(t *testing.T) {
160167 cipherC , err := dbcrypt .NewCiphers ([]byte (keyC ))
161168 require .NoError (t , err )
162169
170+ t .Logf ("Re-encrypting with cipher C" )
163171 inv , _ = newCLI (t , "server" , "dbcrypt" , "rotate" ,
164172 "--postgres-url" , connectionURL ,
165173 "--new-key" , base64 .StdEncoding .EncodeToString ([]byte (keyC )),
@@ -177,6 +185,7 @@ func TestServerDBCrypt(t *testing.T) {
177185 }
178186
179187 // Now delete all the encrypted data.
188+ t .Logf ("Deleting all encrypted data" )
180189 inv , _ = newCLI (t , "server" , "dbcrypt" , "delete" ,
181190 "--postgres-url" , connectionURL ,
182191 "--external-token-encryption-keys" , base64 .StdEncoding .EncodeToString ([]byte (keyC )),
0 commit comments