Beispiel #1
0
    def test_publishing_profile(self,
                                mock_validator,
                                mock_vault_profile,
                                mock_signature,
                                Change=Change):

        from cis.libs import encryption
        o = encryption.Operation(boto_session=None)

        test_kms_data = {
            'Plaintext':
            base64.b64decode(self.test_artifacts['Plaintext']),
            'CiphertextBlob':
            base64.b64decode(self.test_artifacts['CiphertextBlob'])
        }

        test_iv = base64.b64decode(self.test_artifacts['IV'])

        # Set attrs on object to test data.  Not patching boto3 now!
        o.data_key = test_kms_data
        o.iv = test_iv

        mock_vault_profile.return_value = None
        mock_validator.return_value = True
        mock_signature.return_value = self.good_signatures

        p = Change(publisher={'id': 'mozilliansorg'},
                   signature={},
                   profile_data=self.test_profile_good)

        p.encryptor = o
        p.boto_session = "I am a real session I swear"
        result = p.send()

        assert result is True
Beispiel #2
0
    def test_decryption(self):

        from cis.libs import encryption

        o = encryption.Operation(
            boto_session=None
        )

        test_kms_data = {
            'Plaintext': base64.b64decode(self.test_artifacts['Plaintext']),
            'CiphertextBlob': base64.b64decode(self.test_artifacts['CiphertextBlob'])
        }

        test_iv = base64.b64decode(self.test_artifacts['IV'])

        # Set attrs on object to test data.  Not patching boto3 now!
        o.data_key = test_kms_data
        o.iv = test_iv
        o.plaintext_key = test_kms_data['Plaintext']

        kwargs = {
            'ciphertext': base64.b64decode(self.test_artifacts['expected_ciphertext']),
            'ciphertext_key': test_kms_data['CiphertextBlob'],
            'iv': test_iv,
            'tag': base64.b64decode(self.test_artifacts['expected_tag'])
        }

        operation_result = o.decrypt(**kwargs)

        self.assertEqual(operation_result, b'foobar')
Beispiel #3
0
    def test_processor_decrypt(self, mock_verification):
        mock_verification.return_value = True
        kc = boto3.client('kinesis')

        self.dummy_stream = kc.create_stream(StreamName='dummy_cis_stream',
                                             ShardCount=1)

        self.dummy_stream = kc.describe_stream(StreamName='dummy_cis_stream', )

        os.environ["CIS_KINESIS_STREAM_ARN"] = self.dummy_stream['StreamDescription']['StreamARN'] + \
            '/dummy_cis_stream'

        from cis.libs import encryption

        o = encryption.Operation(boto_session=None)

        test_kms_data = {
            'Plaintext':
            base64.b64decode(self.test_artifacts['Plaintext']),
            'CiphertextBlob':
            base64.b64decode(self.test_artifacts['CiphertextBlob'])
        }

        test_iv = base64.b64decode(self.test_artifacts['IV'])

        # Set attrs on object to test data.  Not patching boto3 now!
        o.data_key = test_kms_data
        o.iv = test_iv
        o.plaintext_key = base64.b64decode(self.test_artifacts['Plaintext'])

        encrypted_profile = o.encrypt(
            json.dumps(self.test_profile_good).encode())

        base64_payload = dict()
        for key in ['ciphertext', 'ciphertext_key', 'iv', 'tag']:
            base64_payload[key] = base64.b64encode(encrypted_profile[key])

        encrypted_profile = base64_payload

        publisher = {'id': 'mozilliansorg'}

        from cis import processor

        p = processor.Operation(boto_session=None,
                                publisher=publisher,
                                signature=self.good_signatures,
                                encrypted_profile_data=encrypted_profile)

        p.kinesis_client = boto3.client('kinesis')

        p.user = self.test_profile_good

        p.decryptor = o

        p.run()

        dump_a = json.dumps(self.test_profile_good, sort_keys=True, indent=2)
        dump_b = json.dumps(p.decrypted_profile, sort_keys=True, indent=2)

        assert dump_a == dump_b
Beispiel #4
0
    def test_processor_validator_with_bad_sig(self, mock_verification):
        mock_verification.return_value = False
        kc = boto3.client('kinesis')

        self.dummy_stream = kc.create_stream(StreamName='dummy_cis_stream',
                                             ShardCount=1)

        self.dummy_stream = kc.describe_stream(StreamName='dummy_cis_stream', )

        os.environ["CIS_KINESIS_STREAM_NAME"] = 'dummy_cis_stream'

        from cis.libs import encryption

        o = encryption.Operation(boto_session=None)

        test_kms_data = {
            'Plaintext':
            base64.b64decode(self.test_artifacts['Plaintext']),
            'CiphertextBlob':
            base64.b64decode(self.test_artifacts['CiphertextBlob'])
        }

        test_iv = base64.b64decode(self.test_artifacts['IV'])

        # Set attrs on object to test data.  Not patching boto3 now!
        o.data_key = test_kms_data
        o.iv = test_iv
        o.plaintext_key = base64.b64decode(self.test_artifacts['Plaintext'])

        encrypted_profile = o.encrypt(
            json.dumps(self.test_profile_good).encode())

        base64_payload = dict()
        for key in ['ciphertext', 'ciphertext_key', 'iv', 'tag']:
            base64_payload[key] = base64.b64encode(encrypted_profile[key])

        encrypted_profile = base64_payload

        publisher = {'id': 'mozillians.org'}

        from cis import processor

        p = processor.ValidatorOperation(
            boto_session=None,
            publisher=publisher,
            signature=self.good_signatures,
            encrypted_profile_data=encrypted_profile)

        p.kinesis_client = boto3.client('kinesis')

        # Fake like the user returned from dynamo by returning same profile.
        p.user = self.test_profile_good

        # Decrypt with fake key material.
        p.decryptor = o

        res = p.run()

        assert res is False
Beispiel #5
0
    def test_object_init(self):

        from cis.libs import encryption

        o = encryption.Operation(
            boto_session=None
        )

        assert o is not None
Beispiel #6
0
    def test_vault_storage(self, mock_table):
        mock_table.dynamodb_table.get_item.return_value = {
            'ResponseMetadata': {
                'HTTPStatusCode': 200,
            }
        }

        from cis.libs import encryption

        o = encryption.Operation(boto_session=None)

        test_kms_data = {
            'Plaintext':
            base64.b64decode(self.test_artifacts['Plaintext']),
            'CiphertextBlob':
            base64.b64decode(self.test_artifacts['CiphertextBlob'])
        }

        test_iv = base64.b64decode(self.test_artifacts['IV'])

        # Set attrs on object to test data.  Not patching boto3 now!
        o.data_key = test_kms_data
        o.iv = test_iv
        o.plaintext_key = base64.b64decode(self.test_artifacts['Plaintext'])

        encrypted_profile = o.encrypt(
            json.dumps(self.test_profile_good).encode())

        base64_payload = dict()
        for key in ['ciphertext', 'ciphertext_key', 'iv', 'tag']:
            base64_payload[key] = base64.b64encode(encrypted_profile[key])

        encrypted_profile = base64_payload

        publisher = {'id': 'mozilliansorg'}

        from cis import processor

        p = processor.StreamtoVaultOperation(
            boto_session=None,
            publisher=publisher,
            signature=self.good_signatures,
            encrypted_profile_data=encrypted_profile)

        p.kinesis_client = boto3.client('kinesis')
        p.decryptor = o

        from cis import user

        u = user.Profile(boto_session=None,
                         profile_data=self.test_profile_good)

        p.user = u

        p.run()
Beispiel #7
0
 def __init__(self,
              boto_session=None,
              publisher=None,
              signature=None,
              encrypted_profile_data=None):
     self.boto_session = boto_session
     self.dry_run = True
     self.decryptor = encryption.Operation(boto_session=boto_session)
     self.encrypted_profile_data = encrypted_profile_data
     self.kinesis_client = None
     self.publisher = publisher
     self.signature = signature
     self.stage = self._get_stage()
     self.user = None
Beispiel #8
0
    def _prepare_profile_data(self):
        # Performing encryption and encoding on the user data and set on the object
        # Encode to base64 all payload fields
        if not self.encryptor:
            logger.info(
                'Encryptor not present on object.  Intializing encryptor for change for user: {}'
                .format(self.profile_data.get('user_id')))
            self.encryptor = encryption.Operation(
                boto_session=self.boto_session)

        logger.info(
            'Preparing profile data and encrypting profile for user_id: {}.'.
            format(self.profile_data.get('user_id')))

        # Reintegrate groups this publisher is not authoritative for.
        self._reintegrate_profile_with_api()

        # DynamoDB workaround
        self.profile_data = self._nullify_empty_values(self.profile_data)

        # Actually encrypt the profile
        encrypted_profile = self.encryptor.encrypt(
            json.dumps(self.profile_data).encode('utf-8'))

        base64_payload = dict()
        # Build up our encryption envelope
        for key in ['ciphertext', 'ciphertext_key', 'iv', 'tag']:
            base64_payload[key] = base64.b64encode(
                encrypted_profile[key]).decode('utf-8')

        # Dump that out to a string
        encrypted_profile = json.dumps(base64_payload)
        logger.info(
            'Encryption process complete for change for user_id: {}.'.format(
                self.profile_data.get('user_id')))
        return encrypted_profile