test: add example of KMS edit policy rename and add

Cosmian · Mar 1, 2024 · c299cce · c299cce
1 parent c325a32
commit c299cce
Show file tree

Hide file tree

Showing 2 changed files with 85 additions and 21 deletions.
diff --git a/tests/KMS.test.ts b/tests/KMS.test.ts
@@ -492,7 +492,7 @@ test(
 )
 
 test(
-  "Key rotation security when importing with tempered access policy",
+  "Key rekey security when importing with tempered access policy",
   async () => {
     const { Policy, PolicyAxis } = await CoverCrypt()
 
@@ -548,14 +548,10 @@ test(
       return await client?.coverCryptDecrypt(userKeyID, ciphertext)
     }).rejects.toThrow()
 
-    // After rekeying, the temperedUserKey get access to new and old TopSecret key
-    {
-      const { plaintext } = await client.coverCryptDecrypt(
-        temperedUserKeyID,
-        ciphertext,
-      )
-      expect(plaintext).toEqual(plaintext)
-    }
+    // After rekeying, the temperedUserKey gains no access to TopSecret
+    await expect(async () => {
+      return await client.coverCryptDecrypt(temperedUserKeyID, ciphertext)
+    }).rejects.toThrow()
 
     const newCiphertext = await client.coverCryptEncrypt(
       mpkID,
@@ -567,18 +563,18 @@ test(
       return await client?.coverCryptDecrypt(userKeyID, newCiphertext)
     }).rejects.toThrow()
 
-    // TODO fix this bug, this should fail (cannot decrypt with the tempered user key)
-    // await expect(async () => {
-    //   return await client.coverCryptDecrypt(temperedUserKeyID, newCiphertext);
-    // }).rejects.toThrow()
+    // Cannot decrypt with the tempered user key)
+    await expect(async () => {
+      return await client.coverCryptDecrypt(temperedUserKeyID, newCiphertext)
+    }).rejects.toThrow()
   },
   {
     timeout: 30 * 1000,
   },
 )
 
 test(
-  "Decrypt old ciphertext after rotation",
+  "Decrypt old ciphertext after rekeying",
   async () => {
     const {
       CoverCryptHybridEncryption,

diff --git a/tests/cover_crypt.test.ts b/tests/cover_crypt.test.ts
@@ -158,7 +158,6 @@ test("Demo using KMS", async () => {
     new PolicyAxis(
       "Department", // this axis name
       [
-        { name: "R&D", isHybridized: false },
         { name: "HR", isHybridized: false },
         { name: "MKG", isHybridized: false },
         { name: "FIN", isHybridized: false },
@@ -376,7 +375,7 @@ test("Demo using KMS", async () => {
     "Department::MKG",
   )
 
-  // Decrypting old messages will fail even with the rekeyed key
+  // decrypting old messages will fail even with the rekeyed key
   try {
     // will throw
     await client.coverCryptDecrypt(
@@ -387,12 +386,81 @@ test("Demo using KMS", async () => {
     // ==> the non rekeyed key cannot decrypt the new message after rotation
   }
 
-  // Decrypting the new message will still work
-  const newConfidentialMkgCleartext_ = await client.coverCryptDecrypt(
-    confidentialMkgUserKeyUid,
-    newConfidentialMkgCiphertext,
+  // decrypting the new message will still work
+  {
+    const newConfidentialMkgCleartext = await client.coverCryptDecrypt(
+      confidentialMkgUserKeyUid,
+      newConfidentialMkgCiphertext,
+    )
+    expect(confidentialMkgData).toEqual(newConfidentialMkgCleartext.plaintext)
+  }
+
+  //
+  // Edit Policy
+  //
+
+  // Rename attribute "Department::MKG" to "Department::Marketing"
+  await client.renameCoverCryptAttribute(
+    masterSecretKeyUID,
+    "Department::MKG",
+    "Marketing",
   )
-  expect(confidentialMkgData).toEqual(newConfidentialMkgCleartext_.plaintext)
+
+  // decryption rights have not been modified even for previously generated keys and ciphers
+  {
+    const newConfidentialMkgCleartext = await client.coverCryptDecrypt(
+      confidentialMkgUserKeyUid,
+      newConfidentialMkgCiphertext,
+    )
+    expect(confidentialMkgData).toEqual(newConfidentialMkgCleartext.plaintext)
+  }
+
+  // new encryption or user key generation must use the new attribute name
+  {
+    const topSecretMkgCiphertext = await client.coverCryptEncrypt(
+      masterPublicKeyUID,
+      "Department::Marketing && Security Level::Top Secret",
+      topSecretMkgData,
+    )
+
+    // new "Marketing" message can still be decrypted with "MKG" keys
+    const topSecretMkgCleartext = await client.coverCryptDecrypt(
+      topSecretMkgFinUserKeyUid,
+      topSecretMkgCiphertext,
+    )
+    expect(topSecretMkgData).toEqual(topSecretMkgCleartext.plaintext)
+  }
+
+  // Add new attributes
+  await client.addCoverCryptAttribute(
+    masterSecretKeyUID,
+    "Department::R&D",
+    false,
+  )
+
+  // encrypt a message for the newly created `R&D` attribute
+  const protectedRdData = new TextEncoder().encode("protected_rd_message")
+  const protectedRdCiphertext = await client.coverCryptEncrypt(
+    masterPublicKeyUID,
+    "Department::R&D && Security Level::Protected",
+    protectedRdData,
+  )
+
+  // and generate a user key with access rights for this attribute
+  const confidentialRdFinUserKeyUid =
+    await client.createCoverCryptUserDecryptionKey(
+      "(Department::R&D || Department::FIN) && Security Level::Confidential",
+      masterSecretKeyUID,
+    )
+
+  // decrypt the R&D message with the new user key
+  {
+    const protectedRdCleartext = await client.coverCryptDecrypt(
+      confidentialRdFinUserKeyUid,
+      protectedRdCiphertext,
+    )
+    expect(protectedRdData).toEqual(protectedRdCleartext.plaintext)
+  }
 })
 
 test("Generate non-regression tests vector", async () => {