def test_new_secret_is_created_from_dict(self):
date_time = datetime.datetime.now().isoformat()
self.parsed_secret['expiration'] = date_time
secret = models.Secret(self.parsed_secret)
self.assertEqual(self.parsed_secret['name'], secret.name)
self.assertEqual(self.parsed_secret['secret_type'], secret.secret_type)
self.assertEqual(self.parsed_secret['algorithm'], secret.algorithm)
self.assertEqual(self.parsed_secret['bit_length'], secret.bit_length)
self.assertEqual(self.parsed_secret['mode'], secret.mode)
self.assertIsInstance(secret.expiration, datetime.datetime)
self.assertEqual(self.parsed_secret['creator_id'], secret.creator_id)
self.assertEqual(secret.created_at, secret.updated_at)
fields = secret.to_dict_fields()
self.assertEqual(self.parsed_secret['secret_type'],
fields['secret_type'])
self.assertEqual(self.parsed_secret['algorithm'], fields['algorithm'])
self.assertEqual(self.parsed_secret['creator_id'],
fields['creator_id'])
def test_generate_128_bit_key(self):
secret = models.Secret()
secret.bit_length = 128
secret.algorithm = "AES"
kek_meta_dto = self._get_mocked_kek_meta_dto()
generate_dto = plugin.GenerateDTO(
secret.algorithm,
secret.bit_length,
None, None)
response_dto = self.plugin.generate_symmetric(
generate_dto,
kek_meta_dto,
mock.MagicMock()
)
decrypt_dto = plugin.DecryptDTO(response_dto.cypher_text)
key = self.plugin.decrypt(decrypt_dto, kek_meta_dto,
response_dto.kek_meta_extended,
mock.MagicMock())
self.assertEqual(16, len(key))
def _create_base_secret(self, project_id=None):
# Setup the secret and needed base relationship
secret_repo = repositories.get_secret_repository()
session = secret_repo.get_session()
if project_id is None: # don't re-create project if it created earlier
project = models.Project()
project.external_id = "keystone_project_id"
project.save(session=session)
project_id = project.id
secret_model = models.Secret()
secret_model.project_id = project_id
secret = secret_repo.create_from(secret_model, session=session)
secret.save(session=session)
session.commit()
return secret
def test_store_secret_dto(self):
spec = {
'algorithm': 'AES',
'bit_length': 256,
'secret_type': 'symmetric'
}
secret = base64.b64encode(b'ABCDEFABCDEFABCDEFABCDEF')
self.plugin_resource.store_secret(unencrypted_raw=secret,
content_type_raw=self.content_type,
content_encoding='base64',
secret_model=models.Secret(spec),
project_model=self.project_model)
dto = self.moc_plugin.store_secret.call_args_list[0][0][0]
self.assertEqual("symmetric", dto.type)
self.assertEqual(secret, dto.secret)
self.assertEqual(spec['algorithm'], dto.key_spec.alg)
self.assertEqual(spec['bit_length'], dto.key_spec.bit_length)
self.assertEqual(self.content_type, dto.content_type)
def create_secret(mime_type,
id="id",
name="name",
algorithm=None,
bit_length=None,
cypher_type=None,
encrypted_datum=None):
"""Generate a Secret entity instance."""
info = {
'id': id,
'name': name,
'mime_type': mime_type,
'algorithm': algorithm,
'bit_length': bit_length,
'cypher_type': cypher_type
}
secret = models.Secret(info)
if encrypted_datum:
secret.encrypted_data = [encrypted_datum]
return secret
def on_post(self, external_project_id, **kwargs):
LOG.debug('Start on_post for project-ID %s:...',
external_project_id)
data = api.load_body(pecan.request, validator=self.validator)
project = res.get_or_create_project(external_project_id)
self.quota_enforcer.enforce(project)
transport_key_needed = data.get('transport_key_needed',
'false').lower() == 'true'
ctxt = controllers._get_barbican_context(pecan.request)
if ctxt: # in authenticated pipleline case, always use auth token user
data['creator_id'] = ctxt.user
secret_model = models.Secret(data)
new_secret, transport_key_model = plugin.store_secret(
unencrypted_raw=data.get('payload'),
content_type_raw=data.get('payload_content_type',
'application/octet-stream'),
content_encoding=data.get('payload_content_encoding'),
secret_model=secret_model,
project_model=project,
transport_key_needed=transport_key_needed,
transport_key_id=data.get('transport_key_id'))
url = hrefs.convert_secret_to_href(new_secret.id)
LOG.debug('URI to secret is %s', url)
pecan.response.status = 201
pecan.response.headers['Location'] = url
LOG.info('Created a secret for project: %s',
external_project_id)
if transport_key_model is not None:
tkey_url = hrefs.convert_transport_key_to_href(
transport_key_model.id)
return {'secret_ref': url, 'transport_key_ref': tkey_url}
else:
return {'secret_ref': url}
def test_get_secret_list(self):
session = self.repo.get_session()
project = models.Project()
project.external_id = "my keystone id"
project.save(session=session)
secret_model = models.Secret()
secret_model.project_id = project.id
secret = self.repo.create_from(secret_model, session=session)
session.commit()
secrets, offset, limit, total = self.repo.get_secret_list(
"my keystone id",
session=session,
)
self.assertEqual([secret.id], [s.id for s in secrets])
self.assertEqual(0, offset)
self.assertEqual(10, limit)
self.assertEqual(1, total)
def test_get_by_create_date(self):
session = self.repo.get_session()
secret = self.repo.create_from(models.Secret(), session=session)
project = models.Project()
project.external_id = "my keystone id"
project.save(session=session)
project_secret = models.ProjectSecret()
project_secret.secret_id = secret.id
project_secret.project_id = project.id
project_secret.save(session=session)
session.commit()
secrets, offset, limit, total = self.repo.get_by_create_date(
"my keystone id",
session=session,
)
self.assertEqual([s.id for s in secrets], [secret.id])
self.assertEqual(offset, 0)
self.assertEqual(limit, 10)
self.assertEqual(total, 1)
def create_secret(id_ref="id",
name="name",
algorithm=None,
bit_length=None,
mode=None,
encrypted_datum=None,
content_type=None):
"""Generate a Secret entity instance."""
info = {
'id': id_ref,
'name': name,
'algorithm': algorithm,
'bit_length': bit_length,
'mode': mode
}
secret = models.Secret(info)
secret.id = id_ref
if encrypted_datum:
secret.encrypted_data = [encrypted_datum]
if content_type:
content_meta = models.SecretStoreMetadatum('content_type',
content_type)
secret.secret_store_metadata['content_type'] = content_meta
return secret
def test_can_create_new_secret_with_transport_key(self, mocked_store):
# TODO(jvrbanac): Look into removing this patch
mocked_store.return_value = models.Secret(), None
# Create Transport Key (keeping for session scoping reasons)
transport_key_model = models.TransportKey('default_plugin', 'tkey1234')
transport_key_id = transport_key_model.id
tkey_repo.create_from(transport_key_model)
# Create a normal secret with the TransportKey
resp, secret_uuid = create_secret(self.app,
payload=b'not-encrypted',
content_type='text/plain',
transport_key_id=transport_key_id)
self.assertEqual(201, resp.status_int)
# We're interested in the transport key values
mocked_store.assert_called_once_with(unencrypted_raw='not-encrypted',
content_type_raw='text/plain',
content_encoding=None,
secret_model=mock.ANY,
project_model=mock.ANY,
transport_key_id=transport_key_id,
transport_key_needed=False)
def setUp(self):
self.secret = models.Secret({})
self.secret.secret_id = "secret#1"
self.datum = models.EncryptedDatum(self.secret)
self.secret.encrypted_data = [self.datum]
def test_new_secret_is_created_from_dict(self):
secret = models.Secret(self.parsed_secret)
self.assertEqual(secret.name, self.parsed_secret['name'])
self.assertEqual(secret.algorithm, self.parsed_secret['algorithm'])
self.assertEqual(secret.bit_length, self.parsed_secret['bit_length'])
self.assertEqual(secret.mode, self.parsed_secret['mode'])
def create_secret(project=None, session=None):
secret = models.Secret()
secret.project_id = project.id
secret_repo = repositories.get_secret_repository()
secret_repo.create_from(secret, session=session)
return secret
def setUp(self):
super(BaseCertificateRequestsTestCase, self).setUp()
self.external_project_id = "56789"
self.project = res.get_or_create_project(self.external_project_id)
project_repo.save(self.project)
self.barbican_meta_dto = mock.MagicMock()
self.order_meta = {}
self.plugin_meta = {}
self.barbican_meta = {}
self.result = cert_man.ResultDTO(
cert_man.CertificateStatus.WAITING_FOR_CA
)
self.result_follow_on = common.FollowOnProcessingStatusDTO()
self.cert_plugin = mock.MagicMock()
self.cert_plugin.issue_certificate_request.return_value = self.result
self.cert_plugin.check_certificate_status.return_value = self.result
self.store_plugin = mock.MagicMock()
parsed_ca = {
'plugin_name': "cert_plugin",
'plugin_ca_id': "XXXX",
'name': "test ca",
'description': 'Test CA',
'ca_signing_certificate': 'ZZZZZ',
'intermediates': 'YYYYY'
}
self.ca = models.CertificateAuthority(parsed_ca)
ca_repo.create_from(self.ca)
self.ca_id = self.ca.id
# second ca for testing
parsed_ca = {
'plugin_name': "cert_plugin",
'plugin_ca_id': "XXXX2",
'name': "test ca2",
'description': 'Test CA2',
'ca_signing_certificate': 'ZZZZZ2',
'intermediates': 'YYYYY2'
}
self.ca2 = models.CertificateAuthority(parsed_ca)
ca_repo.create_from(self.ca2)
self.ca_id2 = self.ca2.id
# data for preferred CA and global preferred CA tests
# add those to the repo in those tests
self.pref_ca = models.PreferredCertificateAuthority(
self.project.id,
self.ca_id)
self.global_pref_ca = models.PreferredCertificateAuthority(
self.project.id,
self.ca_id)
# data for stored key cases
self.private_key = models.Secret()
self.private_key.secret_type = 'PRIVATE'
self.private_key.project_id = self.project.id
secret_repo.create_from(self.private_key)
self.public_key = models.Secret()
self.public_key.secret_type = 'PUBLIC'
self.public_key.project_id = self.project.id
secret_repo.create_from(self.public_key)
self.passphrase = models.Secret()
self.passphrase.secret_type = 'PASSPHRASE'
self.passphrase.project_id = self.project.id
secret_repo.create_from(self.passphrase)
self.private_key_value = None
self.public_key_value = "public_key"
self.passphrase_value = None
self.parsed_container_with_passphrase = {
'name': 'container name',
'type': 'rsa',
'secret_refs': [
{'name': 'private_key',
'secret_ref': 'https://localhost/secrets/' +
self.private_key.id},
{'name': 'public_key',
'secret_ref': 'https://localhost/secrets/' +
self.public_key.id},
{'name': 'private_key_passphrase',
'secret_ref': 'https://localhost/secrets/' +
self.passphrase.id}
]
}
self.parsed_container = {
'name': 'container name',
'type': 'rsa',
'secret_refs': [
{'name': 'private_key',
'secret_ref': 'https://localhost/secrets/' +
self.private_key.id},
{'name': 'public_key',
'secret_ref': 'https://localhost/secrets/' +
self.public_key.id}
]
}
self.container_with_passphrase = models.Container(
self.parsed_container_with_passphrase)
self.container_with_passphrase.project_id = self.project.id
container_repo.create_from(self.container_with_passphrase)
self.container = models.Container(self.parsed_container)
self.container.project_id = self.project.id
container_repo.create_from(self.container)
repositories.commit()
self.stored_key_meta = {
cert_man.REQUEST_TYPE:
cert_man.CertificateRequestType.STORED_KEY_REQUEST,
"container_ref":
"https://localhost/containers/" + self.container.id,
"subject_dn": "cn=host.example.com,ou=dev,ou=us,o=example.com"
}
self.order = models.Order()
self.order.meta = self.order_meta
self.order.project_id = self.project.id
self.order.order_barbican_meta = self.barbican_meta
self.order.type = 'certificate'
order_repo.create_from(self.order)
self._config_cert_plugin()
self._config_store_plugin()
self._config_cert_event_plugin()
self._config_save_meta_plugin()
self._config_get_meta_plugin()
self._config_save_barbican_meta_plugin()
self._config_get_barbican_meta_plugin()
self._config_barbican_meta_dto()
def _init(self,
payload=b'not-encrypted',
payload_content_type='text/plain',
payload_content_encoding=None):
self.name = 'name'
self.payload = payload
self.payload_content_type = payload_content_type
self.payload_content_encoding = payload_content_encoding
self.secret_algorithm = 'AES'
self.secret_bit_length = 256
self.secret_mode = 'CBC'
self.secret_req = {
'name': self.name,
'algorithm': self.secret_algorithm,
'bit_length': self.secret_bit_length,
'creator_id': None,
'mode': self.secret_mode
}
if payload:
self.secret_req['payload'] = payload
if payload_content_type:
self.secret_req['payload_content_type'] = payload_content_type
if payload_content_encoding:
self.secret_req['payload_content_encoding'] = (
payload_content_encoding)
# Set up mocked project
self.external_project_id = 'keystone1234'
self.project_entity_id = 'tid1234'
self.project = models.Project()
self.project.id = self.project_entity_id
self.project.external_id = self.external_project_id
# Set up mocked project repo
self.project_repo = mock.MagicMock()
self.project_repo.find_by_external_project_id.return_value = (
self.project)
self.setup_project_repository_mock(self.project_repo)
# Set up mocked secret
self.secret = models.Secret()
self.secret.id = utils.generate_test_valid_uuid()
# Set up mocked secret repo
self.secret_repo = mock.MagicMock()
self.secret_repo.create_from.return_value = self.secret
self.setup_secret_repository_mock(self.secret_repo)
# Set up mocked encrypted datum repo
self.datum_repo = mock.MagicMock()
self.datum_repo.create_from.return_value = None
self.setup_encrypted_datum_repository_mock(self.datum_repo)
# Set up mocked kek datum
self.kek_datum = models.KEKDatum()
self.kek_datum.kek_label = "kek_label"
self.kek_datum.bind_completed = False
self.kek_datum.algorithm = ''
self.kek_datum.bit_length = 0
self.kek_datum.mode = ''
self.kek_datum.plugin_meta = ''
# Set up mocked kek datum repo
self.kek_repo = mock.MagicMock()
self.kek_repo.find_or_create_kek_datum.return_value = self.kek_datum
self.setup_kek_datum_repository_mock(self.kek_repo)
# Set up mocked secret meta repo
self.setup_secret_meta_repository_mock()
# Set up mocked transport key
self.transport_key = models.TransportKey('default_plugin_name',
'XXXABCDEF')
self.transport_key_id = 'tkey12345'
self.tkey_url = hrefs.convert_transport_key_to_href(
self.transport_key.id)
# Set up mocked transport key
self.setup_transport_key_repository_mock()
def setUp(self):
super(TestSecretStoreBase, self).setUp()
self.patchers = [] # List of patchers utilized in this test class.
self.project_id = '12345'
self.content_type = 'application/octet-stream'
self.content_encoding = 'base64'
self.secret = base64.b64encode(b'secret')
self.decrypted_secret = b'decrypted_secret'
self.cypher_text = b'cypher_text'
self.kek_meta_extended = 'kek-meta-extended'
self.spec_aes = secret_store.KeySpec('AES', 64, 'CBC')
self.spec_rsa = secret_store.KeySpec(
'RSA', 1024, passphrase='changeit')
self.project_model = mock.MagicMock()
self.project_model.id = 'project-model-id'
self.project_model.external_id = self.project_id
self.secret_dto = secret_store.SecretDTO(
secret_store.SecretType.OPAQUE,
self.secret,
secret_store.KeySpec(),
self.content_type
)
self.response_dto = crypto.ResponseDTO(
self.cypher_text, kek_meta_extended=self.kek_meta_extended)
self.private_key_dto = crypto.ResponseDTO(self.cypher_text)
self.public_key_dto = crypto.ResponseDTO(self.cypher_text)
self.passphrase_dto = crypto.ResponseDTO(self.cypher_text)
self.kek_meta_project_model = models.KEKDatum()
self.kek_meta_project_model.plugin_name = 'plugin-name'
self.kek_meta_project_model.kek_label = 'kek-meta-label'
self.kek_meta_project_model.algorithm = 'kek-meta-algo'
self.kek_meta_project_model.bit_length = 1024
self.kek_meta_project_model.mode = 'kek=meta-mode'
self.kek_meta_project_model.plugin_meta = 'kek-meta-plugin-meta'
self.encrypted_datum_model = models.EncryptedDatum()
self.encrypted_datum_model.kek_meta_project = (
self.kek_meta_project_model)
self.encrypted_datum_model.cypher_text = base64.b64encode(
b'cypher_text')
self.encrypted_datum_model.content_type = 'content_type'
self.encrypted_datum_model.kek_meta_extended = 'extended_meta'
self.secret_model = models.Secret(
{
'algorithm': 'myalg',
'bit_length': 1024,
'mode': 'mymode'
}
)
self.secret_model.id = 'secret-model-id'
self.secret_model.encrypted_data = [self.encrypted_datum_model]
self.context = store_crypto.StoreCryptoContext(
secret_model=self.secret_model,
project_model=self.project_model,
content_type=self.content_type)
def _do_create_instance(self):
return models.Secret()
def create_secret(data,
tenant,
crypto_manager,
secret_repo,
tenant_secret_repo,
datum_repo,
kek_repo,
ok_to_generate=False):
"""Common business logic to create a secret."""
time_keeper = utils.TimeKeeper('Create Secret Resource')
new_secret = models.Secret(data)
time_keeper.mark('after Secret model create')
new_datum = None
content_type = data.get('payload_content_type', 'application/octet-stream')
if 'payload' in data:
payload = data.get('payload')
content_encoding = data.get('payload_content_encoding')
LOG.debug('Encrypting payload...')
new_datum = crypto_manager.encrypt(payload,
content_type,
content_encoding,
new_secret,
tenant,
kek_repo,
enforce_text_only=True)
time_keeper.mark('after encrypt')
elif ok_to_generate:
LOG.debug('Generating new secret...')
# TODO(atiwari): With new typed Order API proposal
# we need to translate new_secret to meta
# currently it is working as meta will have same attributes
new_datum = crypto_manager. \
generate_symmetric_encryption_key(new_secret,
content_type,
tenant,
kek_repo)
time_keeper.mark('after secret generate')
else:
LOG.debug('Creating metadata only for the new secret. '
'A subsequent PUT is required')
# Create Secret entities in datastore.
secret_repo.create_from(new_secret)
time_keeper.mark('after Secret datastore create')
new_assoc = models.TenantSecret()
time_keeper.mark('after TenantSecret model create')
new_assoc.tenant_id = tenant.id
new_assoc.secret_id = new_secret.id
new_assoc.role = "admin"
new_assoc.status = models.States.ACTIVE
tenant_secret_repo.create_from(new_assoc)
time_keeper.mark('after TenantSecret datastore create')
if new_datum:
new_datum.secret_id = new_secret.id
datum_repo.create_from(new_datum)
time_keeper.mark('after Datum datastore create')
time_keeper.dump()
return new_secret
