ckms 5.20.1

Command Line Interface used to manage the Cosmian KMS server. If any assistance is needed, please either visit the Cosmian technical documentation at https://docs.cosmian.com or contact the Cosmian support team on Discord https://discord.com/invite/7kPMNtHpnz
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122

//! E2E test: verify that KMIP `VendorAttribute` entries use the vendor ID
//! configured on the server, not the hard-coded `"cosmian"` default.

use cosmian_kms_cli_actions::reexport::cosmian_kmip::kmip_2_1::{
    extra::{
        VENDOR_ID_COSMIAN,
        tagging::{SYSTEM_TAG_SYMMETRIC_KEY, VENDOR_ATTR_TAG},
    },
    kmip_operations::GetAttributes,
    kmip_types::{AttributeReference, CryptographicAlgorithm, Tag, UniqueIdentifier},
    requests::symmetric_key_create_request,
};
use test_kms_server::{
    AuthenticationOptions, BuildServerParamsOptions, MainDBConfig, build_server_params_full,
    start_test_server_with_options,
};

use crate::error::result::CosmianResult;

const TEST_VENDOR_ID: &str = "test_vendor_id";
/// Port offset +7 from `DEFAULT_KMS_SERVER_PORT` (9998).
/// Offsets 0-6 and 20 are already reserved by `test_kms_server` singleton servers.
const TEST_PORT: u16 = 9998 + 7;

/// Verify that a KMS server configured with a custom `vendor_identification`
/// stores KMIP `VendorAttribute` entries under that custom vendor ID rather
/// than the default `"cosmian"` one.
#[tokio::test]
pub(crate) async fn test_vendor_id_in_vendor_attributes() -> CosmianResult<()> {
    // 1. Build server params with a custom vendor_identification.
    //    `BuildServerParamsOptions` has no `vendor_identification` field, so we
    //    mutate the returned `ServerParams` directly.
    let mut server_params = build_server_params_full(BuildServerParamsOptions {
        db_config: MainDBConfig {
            database_type: Some("sqlite".to_owned()),
            clear_database: true,
            ..MainDBConfig::default()
        },
        port: TEST_PORT,
        ..Default::default()
    })?;
    server_params.vendor_identification = TEST_VENDOR_ID.to_owned();

    // 2. Start the test KMS server.  The `db_config` first argument is ignored
    //    when `AuthenticationOptions.server_params` is `Some`.
    let mut ctx = start_test_server_with_options(
        MainDBConfig::default(),
        TEST_PORT,
        AuthenticationOptions {
            server_params: Some(server_params),
            ..Default::default()
        },
        None,
        None,
    )
    .await?;

    // 3. Override the client's vendor_id to match the server's custom value.
    ctx.owner_client_config.vendor_id = TEST_VENDOR_ID.to_owned();
    let client = ctx.get_owner_client();

    // 4. Create a symmetric key.  Tags are persisted server-side as
    //    VendorAttributes using the server's configured vendor_identification.
    let create_request = symmetric_key_create_request(
        TEST_VENDOR_ID,
        None,
        256,
        CryptographicAlgorithm::AES,
        Vec::<String>::new(),
        false,
        None,
    )?;
    let create_response = client.create(create_request).await?;
    let uid = create_response.unique_identifier.to_string();

    // 5. Retrieve all attributes for the created key, explicitly requesting
    //    Tag::Tag so the server serializes the tag vendor attributes in the
    //    response (by default the server omits them to avoid leaking internals).
    let get_attrs_response = client
        .get_attributes(GetAttributes {
            unique_identifier: Some(UniqueIdentifier::TextString(uid)),
            attribute_reference: Some(vec![AttributeReference::Standard(Tag::Tag)]),
        })
        .await?;
    let attributes = &get_attrs_response.attributes;

    // 6. At least one VendorAttribute must carry our custom vendor ID.
    let vendor_attrs = attributes
        .vendor_attributes
        .as_ref()
        .expect("a newly created symmetric key must have VendorAttributes");

    let has_test_vendor = vendor_attrs.iter().any(|va| {
        va.vendor_identification == TEST_VENDOR_ID && va.attribute_name == VENDOR_ATTR_TAG
    });
    assert!(
        has_test_vendor,
        "Expected a VendorAttribute with vendor_identification={TEST_VENDOR_ID} \
         and attribute_name={VENDOR_ATTR_TAG}; got: {vendor_attrs:?}"
    );

    // 7. The system tag `_kk` (symmetric key marker) must be visible when
    //    querying tags under TEST_VENDOR_ID.
    let tags = attributes.get_tags(TEST_VENDOR_ID);
    assert!(
        tags.contains(SYSTEM_TAG_SYMMETRIC_KEY),
        "System tag {SYSTEM_TAG_SYMMETRIC_KEY} must appear under vendor_id \
         {TEST_VENDOR_ID}; got tags: {tags:?}"
    );

    // 8. No tags should appear under the default "cosmian" vendor ID — the
    //    server is not using that vendor ID.
    let cosmian_tags = attributes.get_tags(VENDOR_ID_COSMIAN);
    assert!(
        cosmian_tags.is_empty(),
        "Tags must NOT be stored under the default vendor ID {VENDOR_ID_COSMIAN} \
         when the server uses {TEST_VENDOR_ID}; got: {cosmian_tags:?}"
    );

    ctx.stop_server().await?;
    Ok(())
}