//! Forward proxy integration test for the `ckms` CLI.
//!
//! This test is skipped by default (`#[ignore]`) and only runs in CI environments
//! where a Squid proxy is pre-configured on `localhost:8888` with basic auth.
//!
//! Proxy credentials match `.github/scripts/squid/squid.conf`:
//!   user: `myuser`, password: `mypwd`
//!
//! To run locally, set up squid as described in `.github/scripts/squid/squid.conf`
//! and run:
//!
//! ```bash
//! KMS_URL=http://<your-local-ip> \
//!   cargo test --lib --features non-fips -- --nocapture --ignored test_server_version_using_forward_proxy
//! ```

#![allow(deprecated)]

use std::process::Command;

use assert_cmd::prelude::*;
use test_kms_server::{TestClientOptions, start_test_server, test_config_path};

// Address of the Squid forward proxy that is pre-configured in CI.
const PROXY_URL: &str = "http://localhost:8888";
// Fixture credentials for that CI proxy. They mirror
// `.github/scripts/squid/squid.conf` and are test-only values, not secrets;
// they are plain HTTP basic-auth credentials sent to a plain-HTTP proxy URL,
// so this setup is only suitable for a throwaway local/CI proxy.
const PROXY_USER: &str = "myuser";
const PROXY_PASSWORD: &str = "mypwd";

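/// Verify that `ckms server version` succeeds when the connection to the KMS
/// server is routed through an authenticated forward HTTP proxy.
///
/// Steps:
/// 1. Start a plain-HTTP KMS server from `auth_plain.toml` (no auth, `SQLite`
///    backend). The listening port is read back from `ctx.server_port`; it is
///    not hard-coded in this test.
/// 2. Read `KMS_URL` from the environment to determine the target host.
///    In CI this is set to the machine's non-loopback address so the proxy
///    actually forwards the request — Squid does not proxy connections to
///    `127.0.0.1`. Only the host part of `KMS_URL` is used; any port or path
///    in it is ignored.
/// 3. Run `ckms server version` with the proxy env vars configured.
/// 4. Assert the command exits successfully.
///
/// # Panics
///
/// Panics if the test server cannot be started, if the `ckms` binary cannot be
/// located, or if the command does not exit successfully.
#[ignore = "requires a Squid proxy on localhost:8888 (myuser/mypwd) and KMS_URL set to a non-loopback address"]
#[tokio::test]
pub(crate) async fn test_server_version_using_forward_proxy() {
    let ctx = start_test_server(
        &test_config_path("auth_plain.toml"),
        TestClientOptions::default(),
    )
    .await
    .expect("Failed to start test KMS server");

    // In CI, KMS_URL is set to the machine's non-loopback IP so that Squid
    // forwards the connection (Squid skips proxying 127.0.0.1).
    // The port always comes from ctx.server_port, so only the host is taken
    // from KMS_URL.
    //
    // NOTE(review): when KMS_URL is unset (or has an empty host) the target is
    // the loopback address, which per the note above Squid does not proxy. In
    // that configuration a passing run says nothing about the proxy path.
    let kms_url = match std::env::var("KMS_URL") {
        Ok(url) => format!("http://{}:{}", host_from_kms_url(&url), ctx.server_port),
        Err(_) => format!("http://127.0.0.1:{}", ctx.server_port),
    };

    // NOTE(review): the only assertion is the exit status. Nothing here checks
    // that the request was seen by the proxy or that the basic-auth
    // credentials were required; a CLI that silently ignored the proxy
    // settings and connected directly would also pass. Confirming the proxy
    // was used (e.g. from the proxy's access log in CI) would close that gap.
    Command::cargo_bin("ckms")
        .expect("ckms binary not found")
        .env("KMS_DEFAULT_URL", &kms_url)
        .env("CLI_PROXY_URL", PROXY_URL)
        .env("CLI_PROXY_BASIC_AUTH_USERNAME", PROXY_USER)
        .env("CLI_PROXY_BASIC_AUTH_PASSWORD", PROXY_PASSWORD)
        .arg("server")
        .arg("version")
        .assert()
        .success();
}

/// Return the host part of a `KMS_URL` value such as `http://1.2.3.4`,
/// `http://1.2.3.4:9998` or `http://1.2.3.4/`.
///
/// The scheme, port and any path are dropped. An empty host falls back to
/// `127.0.0.1` so the caller never builds a URL of the form `http://:PORT`.
/// Bracketed IPv6 literals are not supported.
fn host_from_kms_url(url: &str) -> &str {
    let without_scheme = url
        .strip_prefix("http://")
        .or_else(|| url.strip_prefix("https://"))
        .unwrap_or(url);

    // Stop at the first ':' (port) or '/' (path); a trailing slash would
    // otherwise end up inside the host and corrupt the rebuilt URL.
    let host = without_scheme
        .split(|c: char| c == ':' || c == '/')
        .next()
        .unwrap_or_default();

    if host.is_empty() { "127.0.0.1" } else { host }
}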