def test_decrypt_payload_with_multiple_decryption_paths(self): self._config._paths["$"]._to_decrypt = { "encryptedData1": "data1", "encryptedData2": "data2" } self._config._data_encoding = Encoding.HEX encrypted_payload = { "encryptedData2": { "iv": "c1ffb457798714b679e5b59e5b8fb62c", "encryptedKey": "f16425f1550c28515bc83e25f7f63ca8102a2cbbadd6452c610f03d920563856f1a7318d98bc0939a3a6a84922caebc3691b34aa96ed4d2d016727a30d3622966dec3cb13f9da9d149106afc2b81846e624aa6134551bca169fa539df4034b48e47923cb4f2636b993c805b851cc046a7e98a70ff1c6b43207ac8dcbfbf6132a070860040093d4399af70b0d45cf44854390df9c24f2eb17aa6e745da1a2b7a765f8b4970f6764731d6a7d51af85be669e35ad433ff0942710764265253c956797cd1e3c8ba705ee8578373a14bbab368426d3797bd68076f6ec9c4ef8d43c2959f4fd4c17897a9d6d0622ffc662d5f5c304fb6d5ca84de63f7cf9b9dfe700d2", "encryptedValue": "a49dff0a6f9ca58bdd3e991f13eb8e53" }, "encryptedData1": { "iv": "4c278e7b0c0890973077960f682181b6", "encryptedKey": "c2c4a40433e91d1175ba933ddb7eb014e9839e3bf639c6c4e2ea532373f146ee6a88515103cb7aeb9df328c67b747c231bfdf4a6b3d366792b6e9ec0f106447f28518a864cc9dd59ed6e1a9ed017229166f23389b4c141b4492981e51ad6863ed48e8c93394378a8e8ab922b8c96dfdf6c683c334eef4c668d9f059b6ac6c26a7d623032ef0bac0e3d4fde5a735d4c09879364efb723c2f2bd3288f8619f9f1a63ed1e283ae7cb40726632fe271fea08252991a158bce3aeca90a4ce7b6895f7b94516ada042de80942ddbc3462baeee49c4169c18c0024fec48743610281cec0333906953da783b3bcd246226efccff4cdefa62c26753db228e0120feff2bdc", "encryptedValue": "1ea73031bc0cf9c67b61bc1684d78f2b" } } payload = to_test.decrypt_payload(encrypted_payload, self._config) self.assertNotIn("encryptedData1", payload) self.assertNotIn("encryptedData2", payload) self.assertIn("data1", payload) self.assertIn("data1", payload)
def test_DecryptPayload_ShouldOverwriteInputObject_WhenOutPathSameAsInPath_PrimitiveTypeData( self): self._config._paths["$"]._to_decrypt = {"data": "data"} self._config._data_encoding = Encoding.HEX encrypted_payload = { "data": { "encryptedValue": "741a932b1ed546072384eef82f42c781", "encryptedKey": "0069fd96179b119cda77ec56be29b184d25c639af27c1f59b6b5e4de4e9bcba883d7933dda5cb6bb8888ea402cbd0f2cddf572b2baee2dd57c94081e4db318a0ded28ae96a80eff1ed421ca7bae6418fae3a1ce9744c02d4aa4dc53efa69b483a2e030919df30a87f95bb18595b4beb15b65eff3c1332c2d54100bd39ccb3ab7eeea648e0ccc473586002063a380dddd940aaa075b998047bd75a5cdb79142c150fa87e9ec2706569a5f7f06bc36c959f144cd22fbf5e690388902eca06d3cc4492d50b72ed5e96f66e6f03087931d3147401720fb512c0c3d5b89fa029fba157fbb1571a4712377b68bac4344dbf75535a1b40197a293eadc563ea035b62591", "iv": "f84e565520f5b75cbb6a13c97fdaea2b", "oaepHashingAlgo": "SHA256", "certFingerprint": "80810fc13a8319fcf0e2ec322c82a4c304b782cc3ce671176343cfe8160c2279", "keyFingerprint": "761b003c1eade3a5490e5000d37887baa5e6ec0e226c07706e599451fc032a79" } } payload = to_test.decrypt_payload(encrypted_payload, self._config) self.assertEqual("string", payload['data'])
def test_decrypt_payload_when_certificate_and_key_fingerprint_field_name_not_set( self): self._config._encryption_certificate_fingerprint_field_name = None self._config._encryption_key_fingerprint_field_name = None encrypted_payload = { "encryptedData": { "iv": "uldLBySPY3VrznePihFYGQ==", "encryptedKey": "Jmh/bQPScUVFHSC9qinMGZ4lM7uetzUXcuMdEpC5g4C0Pb9HuaM3zC7K/509n7RTBZUPEzgsWtgi7m33nhpXsUo8WMcQkBIZlKn3ce+WRyZpZxcYtVoPqNn3benhcv7cq7yH1ktamUiZ5Dq7Ga+oQCaQEsOXtbGNS6vA5Bwa1pjbmMiRIbvlstInz8XTw8h/T0yLBLUJ0yYZmzmt+9i8qL8KFQ/PPDe5cXOCr1Aq2NTSixe5F2K/EI00q6D7QMpBDC7K6zDWgAOvINzifZ0DTkxVe4EE6F+FneDrcJsj+ZeIabrlRcfxtiFziH6unnXktta0sB1xcszIxXdMDbUcJA==", "encryptedValue": "KGfmdUWy89BwhQChzqZJ4w==", "encryptionCertificateFingerprint": "gIEPwTqDGfzw4uwyLIKkwwS3gsw85nEXY0PP6BYMInk=", "encryptionKeyFingerprint": "dhsAPB6t46VJDlAA03iHuqXm7A4ibAdwblmUUfwDKnk=", "oaepHashingAlgo": "SHA256" } } payload = to_test.decrypt_payload(encrypted_payload, self._config) self.assertIn("encryptedData", payload) self.assertNotIn("iv", payload["encryptedData"]) self.assertNotIn("encryptedKey", payload["encryptedData"]) self.assertNotIn("encryptedValue", payload["encryptedData"]) self.assertNotIn("oaepHashingAlgo", payload["encryptedData"]) self.assertIn("encryptionCertificateFingerprint", payload["encryptedData"]) self.assertIn("encryptionKeyFingerprint", payload["encryptedData"])
def test_decrypt_payload_when_out_path_already_contains_data(self): self._config._data_encoding = Encoding.HEX encrypted_payload = { "encryptedData": { "iv": "17492f69d92d2008ee9289cf3e07bd36", "encryptedKey": "22b3df5e70777cef394c39ac74bacfcdbfc8cef4a4da771f1d07611f18b4dc9eacde7297870acb421abe77b8b974f53b2e5b834a68e11a4ddab53ece2d37ae7dee5646dc3f4c5c17166906258615b9c7c52f7242a1afa6edf24815c3dbec4b2092a027de11bcdab4c47de0159ce76d2449394f962a07196a5a5b41678a085d77730baee0d3d0e486eb4719aae8f1f1c0fd7026aea7b0872c049e8df1e7eed088fa84fc613602e989fa4e7a7b77ac40da212a462ae5d3df5078be96fcf3d0fe612e0ec401d27a243c0df1feb8241d49248697db5ec79571b9d52386064ee3db11d200156bfd3af03a289ea37ec2c8f315840e7804669a855bf9e34190e3b14d28", "encryptedValue": "9cad34c0d7b2443f07bb7b7e19817ade132ba3f312b1176c09a312e5b5f908198e1e0cfac0fd8c9f66c70a9b05b1a701", "oaepHashingAlgo": "SHA256" }, "data": { "field1": "previousField1Value", "field3": "field3Value" } } payload = to_test.decrypt_payload(encrypted_payload, self._config) self.assertNotIn("encryptedData", payload) self.assertIn("data", payload) self.assertIn("field1", payload["data"]) self.assertIn("field2", payload["data"]) self.assertIn("field3", payload["data"]) self.assertEqual("field1Value", payload["data"]["field1"]) self.assertEqual("field2Value", payload["data"]["field2"]) self.assertEqual("field3Value", payload["data"]["field3"])
def _decrypt_payload(self, headers, body): """Encryption enforcement based on configuration - decrypt using session key params from header or body""" conf = self._encryption_conf params = None if conf.use_http_headers: if conf.iv_field_name in headers and conf.encrypted_key_field_name in headers: iv = headers.pop(conf.iv_field_name) encrypted_key = headers.pop(conf.encrypted_key_field_name) oaep_digest_algo = headers.pop(conf.oaep_padding_digest_algorithm_field_name) \ if _contains_param(conf.oaep_padding_digest_algorithm_field_name, headers) else None if _contains_param(conf.encryption_certificate_fingerprint_field_name, headers): del headers[conf.encryption_certificate_fingerprint_field_name] if _contains_param(conf.encryption_key_fingerprint_field_name, headers): del headers[conf.encryption_key_fingerprint_field_name] params = SessionKeyParams(conf, encrypted_key, iv, oaep_digest_algo) else: # skip decryption and return original body if not iv nor key is in headers return body decrypted_body = decrypt_payload(body, conf, params) payload = json.dumps(decrypted_body).encode('utf-8') return payload
def request(self, method, url, query_params=None, headers=None, post_params=None, body=None, _preload_content=True, _request_timeout=None): check = -1 if body: if url == "testservice/headers": iv = headers["x-iv"] encrypted_key = headers["x-key"] oaep_digest_algo = headers[ "x-oaep-digest"] if "x-oaep-digest" in headers else None params = SessionKeyParams(self._config, encrypted_key, iv, oaep_digest_algo) else: params = None plain = encryption.decrypt_payload(body, self._config, params) check = plain["data"]["secret2"] - plain["data"]["secret1"] res = {"data": {"secret": check}} else: res = {"data": {"secret": [53, 84, 75]}} if url == "testservice/headers" and method in ["GET", "POST", "PUT"]: params = SessionKeyParams.generate(self._config) json_resp = encryption.encrypt_payload(res, self._config, params) response_headers = { "Content-Type": "application/json", "x-iv": params.iv_value, "x-key": params.encrypted_key_value, "x-oaep-digest": self._config.oaep_padding_digest_algorithm } mock_headers = Mock(return_value=response_headers) else: json_resp = encryption.encrypt_payload(res, self._config) mock_headers = Mock( return_value={"Content-Type": "application/json"}) response = Mock() response.status = 200 response.getheaders = mock_headers if method in ["GET", "POST", "PUT"]: response.data = json_resp else: response.data = "OK" if check == 0 else "KO" return response
def test_decrypt_payload_when_oaep_padding_digest_algorithm_field_not_returned(self): encrypted_payload = { "encryptedData": { "iv": "uldLBySPY3VrznePihFYGQ==", "encryptedKey": "Jmh/bQPScUVFHSC9qinMGZ4lM7uetzUXcuMdEpC5g4C0Pb9HuaM3zC7K/509n7RTBZUPEzgsWtgi7m33nhpXsUo8WMcQkBIZlKn3ce+WRyZpZxcYtVoPqNn3benhcv7cq7yH1ktamUiZ5Dq7Ga+oQCaQEsOXtbGNS6vA5Bwa1pjbmMiRIbvlstInz8XTw8h/T0yLBLUJ0yYZmzmt+9i8qL8KFQ/PPDe5cXOCr1Aq2NTSixe5F2K/EI00q6D7QMpBDC7K6zDWgAOvINzifZ0DTkxVe4EE6F+FneDrcJsj+ZeIabrlRcfxtiFziH6unnXktta0sB1xcszIxXdMDbUcJA==", "encryptedValue": "KGfmdUWy89BwhQChzqZJ4w==" } } payload = to_test.decrypt_payload(encrypted_payload, self._config) self.assertDictEqual({"data": {}}, payload)
def test_decrypt_payload_skip_when_encrypted_value_does_not_exist(self): encrypted_payload = { "encryptedData": { "iv": "ba574b07248f63756bce778f8a115819", "encryptedKey": "26687f6d03d27145451d20bdaa29cc199e2533bb9eb7351772e31d1290b98380b43dbf47b9a337cc2ecaff9d3d9fb45305950f13382c5ad822ee6df79e1a57b14a3c58c71090121994a9f771ef96472669671718b55a0fa8d9f76de9e172fedcabbc87d64b5a994899e43abb19afa840269012c397b5b18d4babc0e41c1ad698db98c89121bbe5b2d227cfc5d3c3c87f4f4c8b04b509d326199b39adfbd8bca8bf0a150fcf3c37b9717382af502ad8d4d28b17b91762bf108d34aba0fb40ca410c2ecaeb30d68003af20dce27d9d034e4c557b8104e85f859de0eb709b23f9978869bae545c7f1b62173887eae9e75e4b6d6b4b01d7172ccc8c5774c0db51c24", "oaepHashingAlgorithm": "SHA256" } } payload = to_test.decrypt_payload(encrypted_payload, self._config) self.assertDictEqual(encrypted_payload, payload)
def test_decrypt_payload_with_type_string(self): encrypted_payload = { "encryptedData": { "iv": "O3Q2ImjdBmKxWRUk7mQVFg==", "encryptedKey": "kibOZUXsipx2qZxEJ3+Aociuvg8h3mFSm+7DM/AkLKvxPpqzm2l7IyERhGRVf/amEuIeCkoNvDE+LgxDPPFWPTEXg7warFtZCnEPlzuD/uES67QYMp9HUAtK240VwM8hJ+KFS8C4Scc3Eb1GZkIRXbgziyTD3HClQA/iMUNlwiVsMrLAiSucyteR17fKEbJqKOtn2kAZFz6jFVQKvxZdsqF+Xwcz+uNpzRCsLMZqqnqAXqqOjK0sfOTjn47JfUW/46O4stsHL392Nt4N1X3YDuab2ikve1wdk+NRV6QLjcaS2bsFC31T0vWMJdsjnAn5Pnbu0AdYaOrJxvRyBjCFxg==", "encryptedValue": "SG7XYn5kKlsbSXhpDW/kUQ==", "oaepHashingAlgo": "SHA256" } } payload = to_test.decrypt_payload(encrypted_payload, self._config) self.assertNotIn("encryptedData", payload) self.assertDictEqual({"data": "string"}, payload)
def __assert_payload_encrypted(self, payload, encrypted, config): self.assertNotIn("data", encrypted) self.assertIn("encryptedData", encrypted) enc_data = encrypted["encryptedData"] self.assertEqual(6, len(enc_data.keys())) self.assertIsNotNone(enc_data["iv"]) self.assertIsNotNone(enc_data["encryptedKey"]) self.assertIsNotNone(enc_data["encryptedValue"]) self.assertEqual("SHA256", enc_data["oaepHashingAlgo"]) self.assertEqual("761b003c1eade3a5490e5000d37887baa5e6ec0e226c07706e599451fc032a79", enc_data["keyFingerprint"]) self.assertEqual("80810fc13a8319fcf0e2ec322c82a4c304b782cc3ce671176343cfe8160c2279", enc_data["certFingerprint"]) del payload["encryptedData"] self.assertEqual(payload, to_test.decrypt_payload(encrypted, config))
def test_decrypt_payload_with_type_list(self): encrypted_payload = { "encryptedData": { "iv": "unaCJ1/6/wH2X4WgNAjGsQ==", "encryptedKey": "Y85zA4Ss/c9DGs3FvT9kv4XXdWSWfcvKeYOOuD9S61XuUhpN9ICu6KXuRVACgApo2E2Y0hLC1YQf9KwXTVm1X3dLY0zxSOB8n1TpDl4TgB2wtMsiuSotUE4YqsinLZI6F+utJ1ufnQx6LFjwdPgZYb6JOjHxoitBQbQif9LhooEN0Zbbc8GQH17Dpf2dsmUvA9NnoSmYji1HUzkrajgJWM1Fn47jpSmaKZ85/F1gBXcZ0D5KGfT83D5VywU+MTbNEudu2cQcEHFe1l9TIjrqB5M7d+VklpFlLZ+UZVAUK4xb8lz9Q0ohZte3ohws94XbaQyMsvQFkEPH7JdofcGtAQ==", "encryptedValue": "kyGB3cPNP+tUdEqOYbJcmFjwMxD/DK9kubzjonsDdEU=", "oaepHashingAlgo": "SHA256" } } payload = to_test.decrypt_payload(encrypted_payload, self._config) self.assertNotIn("encryptedData", payload) self.assertDictEqual({"data": ["item1", "item2", "item3"]}, payload)
def test_decrypt_payload_with_type_boolean(self): encrypted_payload = { "encryptedData": { "iv": "F1A4qvOslYRmvzWfwcKbTw==", "encryptedKey": "Hdg0V/zckF54UHGmOz3ETQYg9RKqvdc0P2dK3ftIf1sMgQO4TpPGUwghHFVN9t/UMdovcqPexSrLMo3r1GrL1lMDGXKGOhS+lCkU571JdPHgNGP372ZuaeBvGkk0LEnM79jS4lQG3NIC0mlQ5NDwMXqRDwV2xVG6knSGq6WqRMyWfMY7GzrAbtUxyfci1JGideFyBDGqXkCFPh1P2Sn2VJO3ZVdSVHj2C2Xxi5p9/LD2UfAZCckZSw/H6GR+WzOdITbwhYNnsGBZbl+Ft0hnYBmLcqHfFEKocPdDDHXkaoEENzWppIME1yRqUptigv+D2/o74+w4uZiqVl3LH10qJg==", "encryptedValue": "1vyqJ7nIbb0amo4wV8OdKQ==", "oaepHashingAlgo": "SHA256" } } payload = to_test.decrypt_payload(encrypted_payload, self._config) self.assertNotIn("encryptedData", payload) self.assertDictEqual({"data": False}, payload)
def test_decrypt_payload_with_type_integer(self): encrypted_payload = { "encryptedData": { "iv": "EmYzzlZKAVbaSF/Y4syvJA==", "encryptedKey": "gDQtozERUlMJddjoX5oW7dYzS0DYt1+HG3wtniMfeoG+5jQfT8zUC6jN/2/itO8oX3EeoU8/a77NGy8OUSjfFUibuy4rvP6ojbtakBn3BnYNi8KEVK25Yk5uJqfBj2g7T+zWDcOwJE9vFBwf8Sj2D5hjoxxGlRXhFNJoF0sOzE6qqUIzjnIHk6xigk3zfhUOiCyFa7OdsuLRAfAXETRTk/qnI/0MYd7E3fyT0fDqbwijNw1L8nosfiSuK3bbTwU6cLKDbZW5gp3AGgZAdlBRPrH/iLi+ctDyYw8ebktcPpXk/4OmV/ZQv4C6/dR20RuK4Cp1INRVS2nrS8Xbin0flg==", "encryptedValue": "wReq0oQGo5QjRYGUPlIVHg==", "oaepHashingAlgo": "SHA256" } } payload = to_test.decrypt_payload(encrypted_payload, self._config) self.assertNotIn("encryptedData", payload) self.assertDictEqual({"data": 12345}, payload)
def test_encrypt_payload_when_session_key_params_is_provided(self): payload = {"data": {}, "encryptedData": {}} params = SessionKeyParams.generate(self._config) encrypted_payload = to_test.encrypt_payload(payload, self._config, params) self.assertNotIn("data", encrypted_payload) self.assertIn("encryptedData", encrypted_payload) self.assertIn("encryptedValue", encrypted_payload["encryptedData"]) self.assertEqual(1, len(encrypted_payload["encryptedData"].keys())) del payload["encryptedData"] self.assertEqual( payload, to_test.decrypt_payload(encrypted_payload, self._config, params))
def test_decrypt_payload_when_root_as_in_and_out_path(self): self._config._paths["$"]._to_decrypt = {"$": "$"} self._config._data_encoding = Encoding.HEX encrypted_payload = { "iv": "6fef040c8fe8ad9ec56b74efa194b5f7", "encryptedKey": "b04c69e1ca944fd7641ea79f03e5cd540144759212fa50d07c8a97ab30ca8bded324e2d4b8cd2613b25cd6bceac35b76c2fa1b521ff205b5f33eafaf4102efbefd35cae6707f985953d6dac366cca36295b29d8af3d94d5d5d1532158066b9fecfc2cc000f10e4757967e84c043d7db164d7488f5bef28f59c989c4cd316c870da7b7c1d10cfd73b6d285cd43447e9e96702e3e818011b45b0ecda21b02286db04b7c77ab193dcc4a9036beff065a404689b7cea40b6a348554900ae3eb819af9cb53ab800e158051aac8d8075045a06808e3730cd8cbc1b5334dcdc922d0227f6da1518442914ac5f3abf6751dfb5721074459d0626b62e934f6a6e6fd96020", "encryptedValue": "386cdb354a33a5b5ae44fa73622297d0372857d1f7634b45010f691964958e2afca0f7391742dc1243768ccf0b4fce8b", "certFingerprint": "80810fc13a8319fcf0e2ec322c82a4c304b782cc3ce671176343cfe8160c2279", "keyFingerprint": "761b003c1eade3a5490e5000d37887baa5e6ec0e226c07706e599451fc032a79", "oaepHashingAlgo": "SHA256" } payload = to_test.decrypt_payload(encrypted_payload, self._config) self.assertDictEqual({"field1": "value1", "field2": "value2"}, payload)
def test_decrypt_payload_when_session_key_params_is_provided(self): self._config._data_encoding = Encoding.HEX encrypted_payload = { "encryptedData": { "encryptedValue": "2867e67545b2f3d0708500a1cea649e3" } } iv_value = "ba574b07248f63756bce778f8a115819" encrypted_key = "26687f6d03d27145451d20bdaa29cc199e2533bb9eb7351772e31d1290b98380b43dbf47b9a337cc2ecaff9d3d9fb45305950f13382c5ad822ee6df79e1a57b14a3c58c71090121994a9f771ef96472669671718b55a0fa8d9f76de9e172fedcabbc87d64b5a994899e43abb19afa840269012c397b5b18d4babc0e41c1ad698db98c89121bbe5b2d227cfc5d3c3c87f4f4c8b04b509d326199b39adfbd8bca8bf0a150fcf3c37b9717382af502ad8d4d28b17b91762bf108d34aba0fb40ca410c2ecaeb30d68003af20dce27d9d034e4c557b8104e85f859de0eb709b23f9978869bae545c7f1b62173887eae9e75e4b6d6b4b01d7172ccc8c5774c0db51c24" oaep_hashing_algo = "SHA256" params = SessionKeyParams(self._config, encrypted_key, iv_value, oaep_hashing_algo) payload = to_test.decrypt_payload(encrypted_payload, self._config, params) self.assertNotIn("encryptedData", payload) self.assertDictEqual({"data": {}}, payload)
def test_decrypt_payload_hex_field_encoding(self): self._config._data_encoding = Encoding.HEX self._config._encryption_certificate_fingerprint_field_name = "encryptionCertificateFingerprint" self._config._encryption_key_fingerprint_field_name = "encryptionKeyFingerprint" self._config._oaep_padding_digest_algorithm_field_name = "oaepHashingAlgorithm" encrypted_payload = { "encryptedData": { "iv": "ba574b07248f63756bce778f8a115819", "encryptedKey": "26687f6d03d27145451d20bdaa29cc199e2533bb9eb7351772e31d1290b98380b43dbf47b9a337cc2ecaff9d3d9fb45305950f13382c5ad822ee6df79e1a57b14a3c58c71090121994a9f771ef96472669671718b55a0fa8d9f76de9e172fedcabbc87d64b5a994899e43abb19afa840269012c397b5b18d4babc0e41c1ad698db98c89121bbe5b2d227cfc5d3c3c87f4f4c8b04b509d326199b39adfbd8bca8bf0a150fcf3c37b9717382af502ad8d4d28b17b91762bf108d34aba0fb40ca410c2ecaeb30d68003af20dce27d9d034e4c557b8104e85f859de0eb709b23f9978869bae545c7f1b62173887eae9e75e4b6d6b4b01d7172ccc8c5774c0db51c24", "encryptedValue": "2867e67545b2f3d0708500a1cea649e3", "encryptionCertificateFingerprint": "80810fc13a8319fcf0e2ec322c82a4c304b782cc3ce671176343cfe8160c2279", "encryptionKeyFingerprint": "761b003c1eade3a5490e5000d37887baa5e6ec0e226c07706e599451fc032a79", "oaepHashingAlgorithm": "SHA256" } } payload = to_test.decrypt_payload(encrypted_payload, self._config) self.assertNotIn("encryptedData", payload) self.assertDictEqual({"data": {}}, payload)
def test_decrypt_payload_skip_when_in_path_does_not_exist(self): encrypted_payload = {"data": {}} payload = to_test.decrypt_payload(encrypted_payload, self._config) self.assertDictEqual({"data": {}}, payload)