in cmd/conformance/main.go [1427:1493]
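// runConfidentialUnwrapTests runs the ConfidentialUnwrap conformance cases in
// order and prints one result line per case.
//
// A case passes when the presence of an error from
// runConfidentialUnwrapTestCase matches its expectErr field. Only the presence
// of an error is compared, never its kind. A negative case (invalid JWT
// signature, bad audience, closed session, ...) therefore also passes when the
// call fails for an unrelated reason, so a passing negative case is not by
// itself proof that the EKM rejected the request for the intended reason.
func runConfidentialUnwrapTests(ctx context.Context) {
	confidentialUnwrapTestCases := []confidentialWrapUnwrapTest{
		// Positive cases: an unprotected key must unwrap over a secure session.
		{
			testName:  "Establish secure session then valid ConfidentialUnwrap",
			expectErr: false,
			keyInfo:   unprotectedKey,
		},
		{
			testName:   "Establish secure session then valid Confidential Unwrap twice",
			expectErr:  false,
			keyInfo:    unprotectedKey,
			extraCalls: 1,
		},
		// Negative cases: each one is expected to be refused.
		{
			// The name previously said "ConfidentialWrap", which mislabelled
			// this result in the unwrap suite's output.
			testName:  "ConfidentialUnwrap with invalid key path",
			expectErr: true,
			keyInfo: &externalKeyInfo{
				uri: "fake.domain/Surely the EKM would not have a valid key with this path...",
			},
		},
		{
			// presumably emptyFn blanks the TLS records — confirm against its definition
			testName:         "No TLS records in request",
			expectErr:        true,
			mutateTLSRecords: emptyFn,
			keyInfo:          unprotectedKey,
		},
		{
			testName:         "Invalid session key",
			expectErr:        true,
			mutateSessionKey: emptyFn,
			keyInfo:          unprotectedKey,
		},
		{
			testName:     "Close session before unwrap",
			expectErr:    true,
			closeSession: true,
			keyInfo:      unprotectedKey,
		},
		{
			// A protected key must not be usable when the session was set up
			// without confidential-computing attestation.
			testName:  "Unwrap using protected key without CC attestation negotiated",
			expectErr: true,
			keyInfo:   protectedKey,
		},
		{
			testName:  "JWT has invalid signature",
			expectErr: true,
			mutateJWT: invalidateJwtSignature,
			keyInfo:   unprotectedKey,
		},
		{
			testName:  "JWT has a bad audience",
			expectErr: true,
			mutateJWT: badAudience,
			keyInfo:   unprotectedKey,
		},
	}

	for _, testCase := range confidentialUnwrapTestCases {
		err := runConfidentialUnwrapTestCase(ctx, testCase)

		// Pass only when an error came back exactly when one was expected.
		if testCase.expectErr == (err != nil) {
			colour.Printf(" - ^2%v^R\n", testCase.testName)
			continue
		}

		// NOTE(review): when a negative case unexpectedly succeeds, err is nil
		// here, so the report carries no error text. That is the outcome that
		// matters most (the EKM accepted a request it should have refused);
		// confirm printError makes it clearly visible.
		printError(testCase.testName, err, false)
	}
}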