package main
import (
"fmt"
"time"
"github.com/ovh/kmip-go"
"github.com/ovh/kmip-go/kmipclient"
)
// test_state_transitions1 covers the rule that, if the operation that creates
// or registers the object contains an Activation Date that has already
// occurred, the state immediately transitions from Pre-Active to Active.
//
// The key is revoked and destroyed only after the assertion has passed:
// assertState panics on a mismatch, so a failing run leaves the "test-state"
// key on the server and it has to be cleaned up by hand.
func test_state_transitions1(client *kmipclient.Client) {
	// Activation Date one day in the past.
	yesterday := time.Now().AddDate(0, 0, -1)

	created := client.Create().
		AES(256, kmip.CryptographicUsageEncrypt|kmip.CryptographicUsageDecrypt).
		WithName("test-state").
		WithAttribute(kmip.AttributeNameActivationDate, yesterday).
		MustExec()
	id := created.UniqueIdentifier

	assertState(client, id, kmip.StateActive)

	// Cleanup: this Revoke carries no explicit revocation reason code.
	client.Revoke(id).MustExec()
	client.Destroy(id).MustExec()
}
// test_state_transitions3 covers the transition from Pre-Active to
// Compromised, which is caused by a client issuing a Revoke operation with a
// Revocation Reason of Compromised.
//
// It also checks that destroying the compromised key is reported as
// Destroyed Compromised. Every step goes through MustExec or assertState, so
// the first failure panics and the remaining steps (including Destroy) are
// skipped.
func test_state_transitions3(client *kmipclient.Client) {
	// No Activation Date is supplied, so the key is expected to start Pre-Active.
	created := client.Create().
		AES(256, kmip.CryptographicUsageEncrypt|kmip.CryptographicUsageDecrypt).
		WithName("test-state").
		MustExec()
	id := created.UniqueIdentifier
	assertState(client, id, kmip.StatePreActive)

	client.Revoke(id).
		WithRevocationReasonCode(kmip.RevocationReasonCodeKeyCompromise).
		MustExec()
	assertState(client, id, kmip.StateCompromised)

	client.Destroy(id).MustExec()
	assertState(client, id, kmip.StateDestroyedCompromised)
}
// test_state_transitions4_1 covers the first of the three ways in which the
// transition from Pre-Active to Active SHALL occur:
// 1. The Activation Date is reached.
//
// The key is created with an Activation Date 15 seconds ahead of the client
// clock and re-checked after a 16 second sleep.
// NOTE(review): the one-second margin presumably assumes client and server
// clocks are closely synchronised; skew larger than that would make this
// check flaky. Confirm against the test environment.
func test_state_transitions4_1(client *kmipclient.Client) {
	const activationDelay = 15 * time.Second

	created := client.Create().
		AES(256, kmip.CryptographicUsageEncrypt|kmip.CryptographicUsageDecrypt).
		WithName("test-state").
		WithAttribute(kmip.AttributeNameActivationDate, time.Now().Add(activationDelay)).
		MustExec()
	id := created.UniqueIdentifier
	assertState(client, id, kmip.StatePreActive)

	// Wait one second past the Activation Date before checking again.
	time.Sleep(activationDelay + time.Second)
	assertState(client, id, kmip.StateActive)

	// Cleanup, reached only when both assertions passed.
	client.Revoke(id).
		WithRevocationReasonCode(kmip.RevocationReasonCodeKeyCompromise).
		MustExec()
	client.Destroy(id).MustExec()
}
// test_state_transitions4_2 covers the second of the three ways in which the
// transition from Pre-Active to Active SHALL occur:
// 2. A client successfully issues a Modify Attribute operation, modifying the
// Activation Date to a date in the past, or the current date.
//
// The key starts with an Activation Date one year ahead, which is then moved
// to one day in the past.
func test_state_transitions4_2(client *kmipclient.Client) {
	nextYear := time.Now().AddDate(1, 0, 0)

	created := client.Create().
		AES(256, kmip.CryptographicUsageEncrypt|kmip.CryptographicUsageDecrypt).
		WithName("test-state").
		WithAttribute(kmip.AttributeNameActivationDate, nextYear).
		MustExec()
	id := created.UniqueIdentifier
	assertState(client, id, kmip.StatePreActive)

	// Moving the Activation Date into the past is what should activate the key.
	yesterday := time.Now().AddDate(0, 0, -1)
	client.ModifyAttribute(id, kmip.AttributeNameActivationDate, yesterday).MustExec()
	assertState(client, id, kmip.StateActive)

	// Cleanup, reached only when both assertions passed.
	client.Revoke(id).
		WithRevocationReasonCode(kmip.RevocationReasonCodeKeyCompromise).
		MustExec()
	client.Destroy(id).MustExec()
}
// test_state_transitions6_1 covers the first of the three ways in which the
// transition from Active to Deactivated SHALL occur:
// 1. The object's Deactivation Date is reached.
//
// The key is created Active (Activation Date = now) with a Deactivation Date
// 15 seconds ahead of the client clock, and re-checked after a 16 second
// sleep.
// NOTE(review): as with the activation-date scenario, the one-second margin
// presumably relies on client and server clocks agreeing; confirm.
func test_state_transitions6_1(client *kmipclient.Client) {
	const deactivationDelay = 15 * time.Second

	created := client.Create().
		AES(256, kmip.CryptographicUsageEncrypt|kmip.CryptographicUsageDecrypt).
		WithName("test-state").
		WithAttribute(kmip.AttributeNameActivationDate, time.Now()).
		WithAttribute(kmip.AttributeNameDeactivationDate, time.Now().Add(deactivationDelay)).
		MustExec()
	id := created.UniqueIdentifier
	assertState(client, id, kmip.StateActive)

	// Wait one second past the Deactivation Date before checking again.
	time.Sleep(deactivationDelay + time.Second)
	assertState(client, id, kmip.StateDeactivated)

	// Cleanup, reached only when both assertions passed.
	client.Revoke(id).
		WithRevocationReasonCode(kmip.RevocationReasonCodeKeyCompromise).
		MustExec()
	client.Destroy(id).MustExec()
}
// test_state_transitions6_3 covers the third of the three ways in which the
// transition from Active to Deactivated SHALL occur:
// 3. The client successfully issues a Modify Attribute operation, modifying
// the Deactivation Date to a date in the past, or the current date.
//
// The key starts Active with a Deactivation Date one year ahead, which is
// then moved to one day in the past.
func test_state_transitions6_3(client *kmipclient.Client) {
	created := client.Create().
		AES(256, kmip.CryptographicUsageEncrypt|kmip.CryptographicUsageDecrypt).
		WithName("test-state").
		WithAttribute(kmip.AttributeNameActivationDate, time.Now()).
		WithAttribute(kmip.AttributeNameDeactivationDate, time.Now().AddDate(1, 0, 0)).
		MustExec()
	id := created.UniqueIdentifier
	assertState(client, id, kmip.StateActive)

	// Moving the Deactivation Date into the past is what should deactivate the key.
	yesterday := time.Now().AddDate(0, 0, -1)
	client.ModifyAttribute(id, kmip.AttributeNameDeactivationDate, yesterday).MustExec()
	assertState(client, id, kmip.StateDeactivated)

	// Cleanup, reached only when both assertions passed.
	client.Revoke(id).
		WithRevocationReasonCode(kmip.RevocationReasonCodeKeyCompromise).
		MustExec()
	client.Destroy(id).MustExec()
}
// test_state_transitions8 covers the transition from Deactivated to
// Compromised, which is caused by a client issuing a Revoke operation with a
// Revocation Reason of Compromised.
//
// The key is created with a Deactivation Date eleven years in the past and is
// expected to be reported as Deactivated straight after Create. The scenario
// then revokes it as compromised and checks that Destroy yields Destroyed
// Compromised.
// NOTE(review): the Deactivation Date precedes the Activation Date (now);
// this relies on the server accepting that combination. Confirm it is
// intended.
func test_state_transitions8(client *kmipclient.Client) {
	created := client.Create().
		AES(256, kmip.CryptographicUsageEncrypt|kmip.CryptographicUsageDecrypt).
		WithName("test-state").
		WithAttribute(kmip.AttributeNameActivationDate, time.Now()).
		WithAttribute(kmip.AttributeNameDeactivationDate, time.Now().AddDate(-11, 0, 0)).
		MustExec()
	id := created.UniqueIdentifier
	assertState(client, id, kmip.StateDeactivated)

	client.Revoke(id).
		WithRevocationReasonCode(kmip.RevocationReasonCodeKeyCompromise).
		MustExec()
	assertState(client, id, kmip.StateCompromised)

	client.Destroy(id).MustExec()
	assertState(client, id, kmip.StateDestroyedCompromised)
}
// test_state_transitions10 covers the transition from Destroyed to Destroyed
// Compromised, which is caused by a client issuing a Revoke operation with a
// Revocation Reason of Compromised.
//
// The key is destroyed directly after Create, without an Activation Date, and
// is then revoked as compromised.
// NOTE(review): the usage mask is passed to AES and again as an explicit
// Cryptographic Usage Mask attribute; this looks redundant. Confirm it is
// deliberate.
func test_state_transitions10(client *kmipclient.Client) {
	created := client.Create().
		AES(256, kmip.CryptographicUsageEncrypt|kmip.CryptographicUsageDecrypt).
		WithName("test-state").
		WithAttribute(
			kmip.AttributeNameCryptographicUsageMask,
			kmip.CryptographicUsageEncrypt|kmip.CryptographicUsageDecrypt,
		).
		MustExec()
	id := created.UniqueIdentifier

	client.Destroy(id).MustExec()
	assertState(client, id, kmip.StateDestroyed)

	// Revoking an already destroyed key as compromised must still be recorded.
	client.Revoke(id).
		WithRevocationReasonCode(kmip.RevocationReasonCodeKeyCompromise).
		MustExec()
	assertState(client, id, kmip.StateDestroyedCompromised)
}
// test_state_transitions runs, in order, the state-transition scenarios
// defined in this file against the given client. They exercise some of the
// state transitions defined in the KMIP spec.
//
// Coverage is partial: going by the scenario numbering, there are no
// scenarios numbered 2, 5, 6_2, 7 or 9 here. Each scenario panics on its
// first failure, so a failing scenario stops the remaining ones from running.
func test_state_transitions(client *kmipclient.Client) {
	scenarios := []func(*kmipclient.Client){
		test_state_transitions1,
		test_state_transitions3,
		test_state_transitions4_1,
		test_state_transitions4_2,
		test_state_transitions6_1,
		test_state_transitions6_3,
		test_state_transitions8,
		test_state_transitions10,
	}
	for _, run := range scenarios {
		run(client)
	}
}
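// assertState fetches the State attribute of the object identified by id and
// panics unless it equals expected.
//
// It also panics with an explicit message when the response contains no
// attribute, or when the first returned attribute value is not a kmip.State.
// Without these checks a malformed or empty server response would surface as
// a bare index-out-of-range or interface-conversion runtime error that does
// not name the object being checked.
func assertState(client *kmipclient.Client, id string, expected kmip.State) {
	res := client.GetAttributes(id).WithAttributes(kmip.AttributeNameState).MustExec()

	// Only the State attribute was requested; an empty list means the server
	// did not report it at all.
	if len(res.Attribute) == 0 {
		panic(fmt.Sprintf("No State attribute returned for kmip object %q", id))
	}

	value := res.Attribute[0].AttributeValue
	current, ok := value.(kmip.State)
	if !ok {
		panic(fmt.Sprintf("Unexpected value type %T for State attribute of kmip object %q", value, id))
	}

	if current != expected {
		panic(fmt.Sprintf("Unexpected kmip object state. Expected %d, got %d", expected, current))
	}
}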