ckms 5.23.0

Command Line Interface used to manage the Cosmian KMS server. If any assistance is needed, please either visit the Cosmian technical documentation at https://docs.cosmian.com or contact the Cosmian support team on Discord https://discord.com/invite/7kPMNtHpnz
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98

//! E2E test: verify that KMIP `VendorAttribute` entries use the vendor ID
//! configured on the server, not the hard-coded `"cosmian"` default.

use cosmian_kms_cli_actions::reexport::cosmian_kmip::kmip_2_1::{
    extra::{
        VENDOR_ID_COSMIAN,
        tagging::{SYSTEM_TAG_SYMMETRIC_KEY, VENDOR_ATTR_TAG},
    },
    kmip_operations::GetAttributes,
    kmip_types::{AttributeReference, CryptographicAlgorithm, Tag, UniqueIdentifier},
    requests::symmetric_key_create_request,
};
use test_kms_server::{TestClientOptions, start_test_server_with_patch, test_config_path};

use crate::error::result::CosmianResult;

const TEST_VENDOR_ID: &str = "test_vendor_id";

/// Verify that a KMS server configured with a custom `vendor_identification`
/// stores KMIP `VendorAttribute` entries under that custom vendor ID rather
/// than the default `"cosmian"` one.
#[tokio::test]
pub(crate) async fn test_vendor_id_in_vendor_attributes() -> CosmianResult<()> {
    // 1. Start a test KMS server with a custom vendor_identification patched in.
    let mut ctx = start_test_server_with_patch(
        &test_config_path("auth_plain.toml"),
        |config| {
            config.vendor_identification = TEST_VENDOR_ID.to_owned();
        },
        TestClientOptions::default(),
    )
    .await?;

    // 2. Override the client's vendor_id to match the server's custom value.
    ctx.owner_client_config.vendor_id = TEST_VENDOR_ID.to_owned();
    let client = ctx.get_owner_client();

    // 4. Create a symmetric key.  Tags are persisted server-side as
    //    VendorAttributes using the server's configured vendor_identification.
    let create_request = symmetric_key_create_request(
        TEST_VENDOR_ID,
        None,
        256,
        CryptographicAlgorithm::AES,
        Vec::<String>::new(),
        false,
        None,
    )?;
    let create_response = client.create(create_request).await?;
    let uid = create_response.unique_identifier.to_string();

    // 5. Retrieve all attributes for the created key, explicitly requesting
    //    Tag::Tag so the server serializes the tag vendor attributes in the
    //    response (by default the server omits them to avoid leaking internals).
    let get_attrs_response = client
        .get_attributes(GetAttributes {
            unique_identifier: Some(UniqueIdentifier::TextString(uid)),
            attribute_reference: Some(vec![AttributeReference::Standard(Tag::Tag)]),
        })
        .await?;
    let attributes = &get_attrs_response.attributes;

    // 6. At least one VendorAttribute must carry our custom vendor ID.
    let vendor_attrs = attributes
        .vendor_attributes
        .as_ref()
        .expect("a newly created symmetric key must have VendorAttributes");

    let has_test_vendor = vendor_attrs.iter().any(|va| {
        va.vendor_identification == TEST_VENDOR_ID && va.attribute_name == VENDOR_ATTR_TAG
    });
    assert!(
        has_test_vendor,
        "Expected a VendorAttribute with vendor_identification={TEST_VENDOR_ID} \
         and attribute_name={VENDOR_ATTR_TAG}; got: {vendor_attrs:?}"
    );

    // 7. The system tag `_kk` (symmetric key marker) must be visible when
    //    querying tags under TEST_VENDOR_ID.
    let tags = attributes.get_tags(TEST_VENDOR_ID);
    assert!(
        tags.contains(SYSTEM_TAG_SYMMETRIC_KEY),
        "System tag {SYSTEM_TAG_SYMMETRIC_KEY} must appear under vendor_id \
         {TEST_VENDOR_ID}; got tags: {tags:?}"
    );

    // 8. No tags should appear under the default "cosmian" vendor ID — the
    //    server is not using that vendor ID.
    let cosmian_tags = attributes.get_tags(VENDOR_ID_COSMIAN);
    assert!(
        cosmian_tags.is_empty(),
        "Tags must NOT be stored under the default vendor ID {VENDOR_ID_COSMIAN} \
         when the server uses {TEST_VENDOR_ID}; got: {cosmian_tags:?}"
    );

    ctx.stop_server().await?;
    Ok(())
}