fixes rewrap tests

opentdf · Jan 7, 2025 · 7efe9b6 · 7efe9b6
1 parent 056b339
commit 7efe9b6
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 16 deletions.
diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go
@@ -223,20 +223,6 @@ func extractSRTBody(ctx context.Context, headers http.Header, in *kaspb.RewrapRe
 	}
 }
 
-func extractPolicyBinding(policyBinding interface{}) (string, error) {
-	switch v := policyBinding.(type) {
-	case string:
-		return v, nil
-	case map[string]interface{}:
-		if hash, ok := v["hash"].(string); ok {
-			return hash, nil
-		}
-		return "", fmt.Errorf("invalid policy binding object, missing 'hash' field")
-	default:
-		return "", fmt.Errorf("unsupported policy binding type")
-	}
-}
-
 func verifyAndParsePolicy(ctx context.Context, req *request.RewrapRequests, logger logger.Logger) (*request.Policy, error) {
 	failed := false
 	sDecPolicy, err := base64.StdEncoding.DecodeString(req.Policy.Body)
@@ -264,8 +250,8 @@ func verifyAndParsePolicy(ctx context.Context, req *request.RewrapRequests, logg
 			failedKAORewrap(req.Results, kao, err400("bad request"))
 			continue
 		}
-		policyBinding, ok := kao.PolicyBinding.(string)
-		if !ok {
+		policyBinding, err := extractPolicyBinding(kao.PolicyBinding)
+		if err != nil {
 			logger.WarnContext(ctx, "bad policy binding")
 			failedKAORewrap(req.Results, kao, err400("bad request"))
 			continue
@@ -295,6 +281,20 @@ func verifyAndParsePolicy(ctx context.Context, req *request.RewrapRequests, logg
 	return &policy, nil
 }
 
+func extractPolicyBinding(policyBinding interface{}) (string, error) {
+	switch v := policyBinding.(type) {
+	case string:
+		return v, nil
+	case map[string]interface{}:
+		if hash, ok := v["hash"].(string); ok {
+			return hash, nil
+		}
+		return "", fmt.Errorf("invalid policy binding object, missing 'hash' field")
+	default:
+		return "", fmt.Errorf("unsupported policy binding type")
+	}
+}
+
 func getEntityInfo(ctx context.Context, logger *logger.Logger) (*entityInfo, error) {
 	info := new(entityInfo)
 

diff --git a/service/kas/access/rewrap_test.go b/service/kas/access/rewrap_test.go
@@ -8,6 +8,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"encoding/pem"
+	"errors"
 	"log/slog"
 	"net/http"
 	"testing"
@@ -365,7 +366,12 @@ func TestParseAndVerifyRequest(t *testing.T) {
 				require.NotNil(t, verified, "unable to load request body")
 				require.NotNil(t, verified.ClientPublicKey, "unable to load public key")
 
+				verified.Requests[0].Results = &kaspb.RewrapResult{}
+
+				verified.Requests[0].KeyAccessObjectRequests[0].SymmetricKey = []byte(plainKey)
+
 				policy, err := verifyAndParsePolicy(context.Background(), verified.Requests[0], *logger)
+				err = errors.Join(err, verified.Requests[0].KeyAccessObjectRequests[0].Err)
 				if !tt.shouldError {
 					require.NoError(t, err, "failed to verify policy body=[%v]", tt.body)
 					assert.Len(t, policy.Body.DataAttributes, 2, "incorrect policy body=[%v]", policy.Body)