java source code of DecryptAetIdentifiersTest

gcp-ingestion-master
- .circleci
  - config.yml
- custom_docs_theme
  - main.html
- ingestion-beam
  - src
    - main
      - resources
        keystore-metadata.schema.json
        account-ecosystem
        structured.schema.json
        telemetry.schema.json
        telemetry.pioneer-study.4.schema.json
        metadata-local.json
      - java
        com
        mozilla
        telemetry
        avro
        PubsubMessageRecordFormatter.java
        GuidedJsonDecoder.java
        GenericRecordBinaryEncoder.java
        BinaryRecordFormatter.java
        options
        InputFileFormat.java
        ErrorOutputType.java
        InputType.java
        SinkOptions.java
        BigQueryWriteMethod.java
        BigQueryReadMethod.java
        OutputFileFormat.java
        OutputType.java
        aet
        DecryptAetIdentifiers.java
        IpPrivacyDecoder.java
        decoder
        ParsePayload.java
        ParseUri.java
        ParseProxy.java
        GeoIspLookup.java
        GeoCityLookup.java
        MessageScrubber.java
        Deduplicate.java
        AddMetadata.java
        ipprivacy
        ParseIp.java
        ExtractClientIdAndDropPayload.java
        HashClientInfo.java
        RemoveAttributes.java
        IpPrivacyDecoderOptions.java
        ParseUserAgent.java
        DecoderOptions.java
        DecryptPioneerPayloads.java
        PioneerBenchmarkGenerator.java
        util
        Json.java
        KeyStore.java
        GzipUtil.java
        JsonValidator.java
        BeamFileInputStream.java
        Time.java
        NoColonFileNaming.java
        DynamicPathTemplate.java
        Decoder.java
        Sink.java
        Republisher.java
        io
        Read.java
        Write.java
        metrics
        PerDocTypeCounter.java
        republisher
        RepublishPerDocType.java
        RepublisherOptions.java
        RepublishPerChannel.java
        RepublishPerNamespace.java
        RandomSampler.java
        transforms
        DecodePubsubMessages.java
        Println.java
        NormalizeAttributes.java
        PubsubConstraints.java
        FailureMessage.java
        PubsubMessageToTableRow.java
        CompressPayload.java
        LimitPayloadSize.java
        DecompressPayload.java
        KeyByBigQueryTableDestination.java
    - test
      - resources
        cityDB
        GeoIP2-City-Test.mmdb
        README.md
        pioneer
        telemetry.pioneer-study.4.sample.pass.json
        study-foo.public.json
        study-foo.ciphertext.json
        study-foo.private.json
        study-bar.private.json
        study-bar.ciphertext.json
        metadata-decoder.json
        sample.plaintext.json
        metadata-integration.json
        metadata-local.json
        metadata-invalid.json
        study-bar.public.json
        testdata
        basic-messages-invalid.ndjson
        json-payload.ndjson
        avro-message-invalid-doctype.ndjson
        avro-message-multiple-doctype.ndjson
        basic-messages-valid-with-timestamp.ndjson
        heka
        test_snappy.heka.json
        test_telemetry_snappy.heka
        crashping.heka.json
        test_snappy.heka
        crashping.heka
        avro-message-single-doctype.ndjson
        decode-pubsub-messages
        input-valid-json.ndjson
        output-normalized-json.ndjson
        input-invalid-json.txt
        json-payload-wrapped.ndjson
        basic-messages-valid-null-attributes.ndjson
        basic-messages-nonempty.ndjson
        single-message-input.json
        json-payload-attributes.ndjson
        pubsub-integration
        error-output.ndjson
        error-input.ndjson
        truncated.ndjson
        input.ndjson
        gzipped.ndjson
        republisher-integration
        per-doctype-event.ndjson
        per-channel-nightly.ndjson
        per-channel-beta.ndjson
        per-channel-release.ndjson
        per-namespace-mynamespace.ndjson
        per-doctype-foo.ndjson
        debug-messages.ndjson
        basic-messages-valid.ndjson
        basic-messages-payloads.txt
        attribute-placeholders
        hostA-cityA.ndjson
        hostA-cityB.ndjson
        null-cityA.ndjson
        decoder-integration
        error-output.ndjson
        output.ndjson
        pioneer.ndjson
        error-input.ndjson
        valid-input.ndjson
        gzipped.ndjson
        bigquery-integration
        input-raw-format.ndjson
        input-decoded-format.ndjson
        input-varied-doctypes.ndjson
        input.ndjson
        input-with-attributes.ndjson
        logging.properties
        account-ecosystem
        testkey1.private.json
        testkey1.public.json
        metadata-local.json
        cityFilters
        milton.txt
        invalid.txt
        sacramento.txt
        ispDB
        README.md
        GeoIP2-ISP-Test.mmdb
        ipPrivacy
        client_ip.key
        client_id.key
        pioneer.py
      - java
        com
        mozilla
        telemetry
        avro
        PubsubMessageRecordFormatterTest.java
        matchers
        Lines.java
        options
        ErrorOutputTypeTest.java
        OutputFileFormatTest.java
        aet
        DecryptAetIdentifiersTest.java
        DecoderMainTest.java
        decoder
        DecoderOptionsTest.java
        ParsePayloadTest.java
        DecryptPioneerPayloadsTest.java
        AddMetadataTest.java
        ParseUriTest.java
        MessageScrubberTest.java
        ParseUserAgentTest.java
        DeduplicateTest.java
        GeoIspLookupTest.java
        ipprivacy
        HashClientInfoTest.java
        TestRemoveAttributes.java
        ParseIpTest.java
        ParseProxyTest.java
        GeoCityLookupTest.java
        integration
        PubsubIntegrationTest.java
        StorageIntegrationTest.java
        KeyStoreIntegrationTest.java
        BigQueryIntegrationTest.java
        util
        DynamicPathTemplateTest.java
        NormalizeAttributesTest.java
        TestWithDeterministicJson.java
        TimeTest.java
        JsonTest.java
        KeyStoreTest.java
        SinkAvroTest.java
        RepublisherMainTest.java
        FileWindowingTest.java
        SinkMainTest.java
        rules
        RedisServer.java
        metrics
        PerDocTypeCounterTest.java
        republisher
        RandomSamplerTest.java
        transforms
        CompressPayloadTest.java
        DecompressPayloadTest.java
        PubsubConstraintsTest.java
        DecodePubsubMessagesTest.java
        LimitPayloadSizeTest.java
  - pom.xml
  - checkstyle
    - checks.xml
    - suppressions.xml
  - bin
    - download-cities15000
    - generate-avro-schemas
    - download-geolite2
    - build-template
    - copy-bq-schemas
    - update-bq-table
    - run-pioneer-benchmark
    - mvn
    - generate-avro-test-resources
    - download-schemas
    - download-document-sample
    - generate-jwk-pair
    - generate-bq-schemas
  - .gitignore
- pom.xml
- ingestion-edge
  - pubsub_emulator.py
  - docker-compose.override.yml
  - LICENSE
  - docker-compose.circleci.yml
  - .flake8
  - requirements.in
  - ingestion_edge
    - util.py
    - create_app.py
    - wsgi.py
    - config.py
    - dockerflow.py
    - publish.py
    - flush.py
    - __init__.py
  - tests
    - integration
      - __init__.py
      - test_dockerflow.py
      - publish
        test_healthy.py
        test_misconfigured.py
        test_pubsub_failure.py
        __init__.py
        helpers.py
        conftest.py
      - test_pubsub_emulator.py
      - conftest.py
    - __init__.py
    - load
      - kube
        server.svc.yml
        emulator.svc.yml
        server.secret.yml
        server.deploy.yml
        generator.deploy.yml
        emulator.deploy.yml
        server.ingress.yml
      - wrk
        telemetry.lua
      - conftest.py
      - test_throughput.py
    - unit
      - flush
        test_init_app.py
        test_flush.py
      - test_util.py
      - test_wsgi.py
      - __init__.py
      - dockerflow
        test_init_app.py
        test_check_disk_bytes_free.py
        test_check_queue_size.py
        __init__.py
      - publish
        test_submit.py
        test_init_app.py
        __init__.py
      - conftest.py
  - pytest.ini
  - bin
    - pytest
    - include
      - common.sh
      - clean_relocates.sh
    - build
    - pytest-all
    - lint
  - requirements.txt
  - Dockerfile
  - .gitignore
  - .dockerignore
  - version.json
  - docker-compose.yml
  - .pydocstyle.ini
- mkdocs.yml
- LICENSE
- .mermaid
- checkstyle
  - checks.xml
  - suppressions.xml
- .spelling
- ingestion-sink
  - src
    - main
      - resources
        log4j2.yaml
      - java
        com
        mozilla
        telemetry
        ingestion
        sink
        util
        Env.java
        BatchException.java
        TimedFuture.java
        BatchWrite.java
        config
        SinkConfig.java
        Sink.java
        io
        BigQuery.java
        Pubsub.java
        Gcs.java
        transform
        BlobIdToPubsubMessage.java
        DocumentTypePredicate.java
        BlobIdToString.java
        CompressPayload.java
        PubsubMessageToTemplatedString.java
        DecompressPayload.java
    - test
      - resources
        log4j2-list.yaml
      - java
        com
        mozilla
        telemetry
        ingestion
        sink
        SinkBigQueryIntegrationTest.java
        SinkGcsIntegrationTest.java
        SinkTest.java
        SinkPubsubIntegrationTest.java
        util
        SinglePubsubTopic.java
        BatchWriteTest.java
        BigQueryDataset.java
        GcsBucket.java
        PubsubTopics.java
        BoundedSink.java
        LoggingTest.java
        io
        BigQueryLoadTest.java
        BigQueryWriteTest.java
        PubsubWriteIntegrationTest.java
        GcsWriteTest.java
        PubsubReadIntegrationTest.java
        transform
        CompressPayloadTest.java
        DecompressPayloadTest.java
        PubsubMessageToTemplatedStringTest.java
  - pom.xml
  - docker-compose.override.yml
  - docker-compose.circleci.yml
  - checkstyle
    - checks.xml
    - suppressions.xml
  - bin
    - mvn
  - Dockerfile
  - version.json
  - docker-compose.yml
- ingestion-core
  - src
    - main
      - java
        com
        mozilla
        telemetry
        ingestion
        core
        Constant.java
        util
        Json.java
        IOFunction.java
        Time.java
        SnakeCase.java
        DerivedAttributesMap.java
        schema
        JSONSchemaStore.java
        BigQuerySchemaStore.java
        SchemaStore.java
        AvroSchemaStore.java
        SchemaNotFoundException.java
        transform
        PubsubMessageToObjectNode.java
        AddMetadata.java
    - test
      - resources
        avro
        test-schema.tar.gz
        testdata
        payload-format-input.ndjson
        payload-format-expected.ndjson
        casing
        word_4.csv
        alphanum_3.csv
        mps-diff-integration.csv
        schema
        test-schemas
        schemas
        namespace_0
        bar
        bar.1.avro.json
        bar.1.bq
        bar.1.schema.json
        foo
        foo.1.avro.json
        foo.1.schema.json
        foo.1.bq
        live_sink
        test
        test.1.bq
        namespace_1
        baz
        baz.1.schema.json
        baz.1.avro.json
        assembly.xml
      - java
        com
        mozilla
        telemetry
        ingestion
        core
        util
        SnakeCaseTest.java
        DerivedAttributesMapTest.java
        IOFunctionTest.java
        schema
        AvroSchemaStoreTest.java
        JSONSchemaStoreTest.java
        TestConstant.java
        transform
        PubsubMessageToObjectNodeSinkTest.java
        PubsubMessageToObjectNodeBeamTest.java
  - pom.xml
  - checkstyle
    - checks.xml
    - suppressions.xml
- README.md
- CODE_OF_CONDUCT.md
- bin
  - format-python
  - mvn
  - update-diagrams
- GRAVEYARD.md
- .gitignore
- docs
  - ingestion-beam
    - decoder-job.md
    - ingestion_testing_workflow.md
    - index.md
    - sink-job.md
    - republisher-job.md
  - diagrams
    - workflow.svg
    - workflow.mmd
  - ingestion-edge
    - index.md
  - index.md
  - architecture
    - pain_points.md
    - test_requirements.md
    - differences_from_aws.md
    - landfill_service_specification.md
    - overview.md
    - edge_migration_plan.md
    - reliability.md
    - decoder_service_specification.md
    - diagram.svg
    - diagram.mmd
    - bigquery_sink_specification.md
    - edge_service_specification.md

package com.mozilla.telemetry.aet;

import static org.junit.Assert.assertEquals;

import com.fasterxml.jackson.databind.node.ObjectNode;
import com.fasterxml.jackson.databind.node.TextNode;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.io.Resources;
import com.mozilla.telemetry.ingestion.core.Constant.Attribute;
import com.mozilla.telemetry.ingestion.core.schema.JSONSchemaStore;
import com.mozilla.telemetry.options.InputFileFormat;
import com.mozilla.telemetry.options.OutputFileFormat;
import com.mozilla.telemetry.util.Json;
import com.mozilla.telemetry.util.JsonValidator;
import com.mozilla.telemetry.util.KeyStore;
import com.mozilla.telemetry.util.TestWithDeterministicJson;
import java.util.List;
import java.util.stream.Collectors;
import org.apache.beam.sdk.io.gcp.pubsub.PubsubMessage;
import org.apache.beam.sdk.options.ValueProvider;
import org.apache.beam.sdk.testing.PAssert;
import org.apache.beam.sdk.testing.TestPipeline;
import org.apache.beam.sdk.transforms.Create;
import org.apache.beam.sdk.transforms.MapElements;
import org.apache.beam.sdk.transforms.WithFailures.Result;
import org.apache.beam.sdk.values.PCollection;
import org.apache.beam.sdk.values.TypeDescriptor;
import org.everit.json.schema.Schema;
import org.everit.json.schema.ValidationException;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jwk.PublicJsonWebKey;
import org.junit.Rule;
import org.junit.Test;

public class DecryptAetIdentifiersTest extends TestWithDeterministicJson {

  @Rule
  public final transient TestPipeline pipeline = TestPipeline.create();

  /** Load a public key from a JWK. See the KeyStore for more details. */
  private static PublicJsonWebKey loadPublicKey(String resourceLocation) throws Exception {
    byte[] data = Resources.toByteArray(Resources.getResource(resourceLocation));
    return PublicJsonWebKey.Factory.newPublicJwk(new String(data));
  }

  private static String encryptWithTestPublicKey(String payload) throws Exception {
    PublicJsonWebKey key = loadPublicKey("account-ecosystem/testkey1.public.json");
    JsonWebEncryption jwe = new JsonWebEncryption();
    jwe.setKey(key.getKey());
    jwe.setKeyIdHeaderValue(key.getKeyId());
    jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.ECDH_ES_A256KW);
    jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_256_GCM);
    jwe.setPayload(payload);
    return jwe.getCompactSerialization();
  }

  @Test
  public void testDecrypt() throws Exception {
    String expected = "abc123";
    KeyStore keyStore = KeyStore.of("src/test/resources/account-ecosystem/metadata-local.json",
        false);
    String encrypted = encryptWithTestPublicKey(expected);
    String actual = DecryptAetIdentifiers.decrypt(keyStore, TextNode.valueOf(encrypted))
        .textValue();
    assertEquals(expected, actual);
  }

  @Test
  public void testSanitizeJsonNode() throws Exception {
    String userId = "2ef67665ec7369ba0fab7f802a5e1e04";
    String anonId = encryptWithTestPublicKey(userId);
    ObjectNode json = Json.asObjectNode(
        ImmutableMap.of("payload", ImmutableMap.of("myList", ImmutableList.of("foo", anonId))));
    ObjectNode expected = Json.asObjectNode(ImmutableMap.of("payload",
        ImmutableMap.of("myList", ImmutableList.of("foo", "eyJr<435 characters redacted>"))));
    DecryptAetIdentifiers.sanitizeJsonNode(json);
    assertEquals(Json.asString(expected), Json.asString(json));
  }

  @Test(expected = ValidationException.class)
  public void testForbiddenFieldsStructured() throws Exception {
    JsonValidator validator = new JsonValidator();
    byte[] data = Resources
        .toByteArray(Resources.getResource("account-ecosystem/structured.schema.json"));
    Schema fxaSchema = JSONSchemaStore.readSchema(data);
    ObjectNode json = Json.asObjectNode(ImmutableMap.<String, Object>builder()
        .put("ecosystem_client_id", "3ed15efab7e94757bf9e9ef5e844ada2")
        .put("ecosystem_device_id", "7ab4e373ce434b848a9d0946e388fee9")
        .put("ecosystem_user_id", "aab4e373ce434b848a9d0946e388fdd3").build());
    validator.validate(fxaSchema, json);
  }

  @Test
  public void testOutputStructured() throws Exception {
    // minimal test for throughput of a single document
    ValueProvider<String> metadataLocation = pipeline
        .newProvider(Resources.getResource("account-ecosystem/metadata-local.json").getPath());
    ValueProvider<Boolean> kmsEnabled = pipeline.newProvider(false);

    String userId = "2ef67665ec7369ba0fab7f802a5e1e04";
    String anonId = encryptWithTestPublicKey(userId);
    List<String> prevUserIds = ImmutableList.of("3ef67665ec7369ba0fab7f802a5e1e04",
        "4ef67665ec7369ba0fab7f802a5e1e04");
    List<String> prevAnonIds = prevUserIds.stream().map(x -> {
      try {
        return encryptWithTestPublicKey(x);
      } catch (Exception e) {
        throw new RuntimeException(e);
      }
    }).collect(Collectors.toList());
    String input = Json.asString(ImmutableMap.builder().put("ecosystem_anon_id", anonId)
        .put("ecosystem_client_id", "3ed15efab7e94757bf9e9ef5e844ada2")
        .put("ecosystem_device_id", "7ab4e373ce434b848a9d0946e388fee9")
        .put("previous_ecosystem_anon_ids", prevAnonIds).build());
    String expected = Json.asString(ImmutableMap.builder().put("ecosystem_user_id", userId)
        .put("ecosystem_client_id", "3ed15efab7e94757bf9e9ef5e844ada2")
        .put("ecosystem_device_id", "7ab4e373ce434b848a9d0946e388fee9")
        .put("previous_ecosystem_user_ids", prevUserIds).build());
    Result<PCollection<PubsubMessage>, PubsubMessage> result = pipeline.apply(Create.of(input))
        .apply(InputFileFormat.text.decode())
        .apply("AddAttributes",
            MapElements.into(TypeDescriptor.of(PubsubMessage.class))
                .via(element -> new PubsubMessage(element.getPayload(),
                    ImmutableMap.of(Attribute.URI,
                        "/submit/firefox-accounts/account-ecosystem/1/"
                            + "8299c050-6be8-4197-8a0b-fd1062a11da4"))))
        .apply(DecryptAetIdentifiers.of(metadataLocation, kmsEnabled));
    PAssert.that(result.failures()).empty();
    PAssert.that(result.output().apply(OutputFileFormat.text.encode()))
        .containsInAnyOrder(ImmutableList.of(expected));
    pipeline.run();
  }

  @Test
  public void testOutputTelemetry() throws Exception {
    // minimal test for throughput of a single document
    ValueProvider<String> metadataLocation = pipeline
        .newProvider(Resources.getResource("account-ecosystem/metadata-local.json").getPath());
    ValueProvider<Boolean> kmsEnabled = pipeline.newProvider(false);

    String userId = "2ef67665ec7369ba0fab7f802a5e1e04";
    String anonId = encryptWithTestPublicKey(userId);
    List<String> prevUserIds = ImmutableList.of("3ef67665ec7369ba0fab7f802a5e1e04",
        "4ef67665ec7369ba0fab7f802a5e1e04");
    List<String> prevAnonIds = prevUserIds.stream().map(x -> {
      try {
        return encryptWithTestPublicKey(x);
      } catch (Exception e) {
        throw new RuntimeException(e);
      }
    }).collect(Collectors.toList());
    String input = Json.asString(ImmutableMap.of("payload",
        ImmutableMap.builder().put("ecosystemAnonId", anonId)
            .put("ecosystemClientId", "3ed15efab7e94757bf9e9ef5e844ada2")
            .put("ecosystemDeviceId", "7ab4e373ce434b848a9d0946e388fee9")
            .put("previousEcosystemAnonIds", prevAnonIds).build()));
    String expected = Json.asString(ImmutableMap.of("payload",
        ImmutableMap.builder().put("ecosystemUserId", userId)
            .put("ecosystemClientId", "3ed15efab7e94757bf9e9ef5e844ada2")
            .put("ecosystemDeviceId", "7ab4e373ce434b848a9d0946e388fee9")
            .put("previousEcosystemUserIds", prevUserIds).build()));
    Result<PCollection<PubsubMessage>, PubsubMessage> result = pipeline.apply(Create.of(input))
        .apply(InputFileFormat.text.decode())
        .apply("AddAttributes",
            MapElements.into(TypeDescriptor.of(PubsubMessage.class))
                .via(element -> new PubsubMessage(element.getPayload(),
                    ImmutableMap.of(Attribute.URI,
                        "/submit/telemetry/ce39b608-f595-4c69-b6a6-f7a436604648"
                            + "/account-ecosystem/Firefox/61.0a1/nightly/20180328030202"))))
        .apply(DecryptAetIdentifiers.of(metadataLocation, kmsEnabled));
    PAssert.that(result.failures()).empty();
    PAssert.that(result.output().apply(OutputFileFormat.text.encode()))
        .containsInAnyOrder(ImmutableList.of(expected));
    pipeline.run();
  }

  @Test
  public void testErrorOutput() throws Exception {
    // minimal test for throughput of a single document
    ValueProvider<String> metadataLocation = pipeline
        .newProvider(Resources.getResource("account-ecosystem/metadata-local.json").getPath());
    ValueProvider<Boolean> kmsEnabled = pipeline.newProvider(false);

    String userId = "2ef67665ec7369ba0fab7f802a5e1e04";
    String anonId = encryptWithTestPublicKey(userId);
    List<String> prevUserIds = ImmutableList.of("3ef67665ec7369ba0fab7f802a5e1e04",
        "4ef67665ec7369ba0fab7f802a5e1e04");
    List<String> prevAnonIds = prevUserIds.stream().map(x -> {
      try {
        return encryptWithTestPublicKey(x);
      } catch (Exception e) {
        throw new RuntimeException(e);
      }
    }).collect(Collectors.toList());
    String input = Json.asString(ImmutableMap.builder()
        // We incorrectly name the anonId field like telemetry to cause a failure.
        .put("ecosystemAnonId", anonId)
        .put("ecosystem_client_id", "3ed15efab7e94757bf9e9ef5e844ada2")
        .put("ecosystem_device_id", "7ab4e373ce434b848a9d0946e388fee9")
        .put("previous_ecosystem_anon_ids", prevAnonIds).build());
    String expected = "{\"ecosystemAnonId\":\"eyJr<435 characters redacted>\""
        + ",\"ecosystem_client_id\":\"3ed15efab7e94757bf9e9ef5e844ada2\""
        + ",\"ecosystem_device_id\":\"7ab4e373ce434b848a9d0946e388fee9\""
        + ",\"previous_ecosystem_anon_ids\":[\"eyJr<435 characters redacted>\""
        + ",\"eyJr<435 characters redacted>\"]}";
    Result<PCollection<PubsubMessage>, PubsubMessage> result = pipeline.apply(Create.of(input))
        .apply(InputFileFormat.text.decode())
        .apply("AddAttributes",
            MapElements.into(TypeDescriptor.of(PubsubMessage.class))
                .via(element -> new PubsubMessage(element.getPayload(),
                    ImmutableMap.of(Attribute.URI,
                        "/submit/firefox-accounts/account-ecosystem/1/"
                            + "8299c050-6be8-4197-8a0b-fd1062a11da4"))))
        .apply(DecryptAetIdentifiers.of(metadataLocation, kmsEnabled));
    PAssert.that(result.output()).empty();
    PAssert.that(result.failures().apply(OutputFileFormat.text.encode()))
        .containsInAnyOrder(ImmutableList.of(expected));
    pipeline.run();
  }

  @Test
  public void testTelemetryErrorOutput() throws Exception {
    // minimal test for throughput of a single document
    ValueProvider<String> metadataLocation = pipeline
        .newProvider(Resources.getResource("account-ecosystem/metadata-local.json").getPath());
    ValueProvider<Boolean> kmsEnabled = pipeline.newProvider(false);

    String userId = "2ef67665ec7369ba0fab7f802a5e1e04";
    String anonId = encryptWithTestPublicKey(userId);
    List<String> prevUserIds = ImmutableList.of("3ef67665ec7369ba0fab7f802a5e1e04",
        "4ef67665ec7369ba0fab7f802a5e1e04");
    List<String> prevAnonIds = prevUserIds.stream().map(x -> {
      try {
        return encryptWithTestPublicKey(x);
      } catch (Exception e) {
        throw new RuntimeException(e);
      }
    }).collect(Collectors.toList());
    List<String> input = ImmutableList.of("{}", "{\"payload\":{}}",
        "{\"payload\":{\"ecosystemClientId\":\"foo\",\"ecosystemDeviceId\":\"bar\"}}",
        Json.asString(ImmutableMap.of("payload",
            ImmutableMap.builder().put("ecosystemAnonId", anonId)
                .put("ecosystemClientId", "3ed15efab7e94757bf9e9ef5e844ada2")
                .put("ecosystemDeviceId", "7ab4e373ce434b848a9d0946e388fee9")
                // We incorrectly name the anonId field like structured to cause a failure.
                .put("previous_ecosystem_anon_ids", prevAnonIds).build())));
    List<String> expectedOutput = ImmutableList
        .of("{\"payload\":{\"ecosystemClientId\":\"foo\",\"ecosystemDeviceId\":\"bar\"}}");
    List<String> expectedError = ImmutableList.of("{}", "{\"payload\":{}}",
        "{\"payload\":{\"ecosystemAnonId\":\"eyJr<435 characters redacted>\""
            + ",\"ecosystemClientId\":\"3ed15efab7e94757bf9e9ef5e844ada2\""
            + ",\"ecosystemDeviceId\":\"7ab4e373ce434b848a9d0946e388fee9\""
            + ",\"previous_ecosystem_anon_ids\":[\"eyJr<435 characters redacted>\""
            + ",\"eyJr<435 characters redacted>\"]}}");
    Result<PCollection<PubsubMessage>, PubsubMessage> result = pipeline.apply(Create.of(input))
        .apply(InputFileFormat.text.decode())
        .apply("AddAttributes",
            MapElements.into(TypeDescriptor.of(PubsubMessage.class))
                .via(element -> new PubsubMessage(element.getPayload(),
                    ImmutableMap.of(Attribute.URI,
                        "/submit/telemetry/ce39b608-f595-4c69-b6a6-f7a436604648"
                            + "/account-ecosystem/Firefox/61.0a1/nightly/20180328030202"))))
        .apply(DecryptAetIdentifiers.of(metadataLocation, kmsEnabled));
    PAssert.that(result.output().apply("EncodeOutput", OutputFileFormat.text.encode()))
        .containsInAnyOrder(expectedOutput);
    PAssert.that(result.failures().apply("EncodeErrors", OutputFileFormat.text.encode()))
        .containsInAnyOrder(expectedError);
    pipeline.run();
  }

}