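 def testNonStringValue(self):
     """extractEnvelopes must reject non-string input with a descriptive ValueError.

     The message is pinned so callers are told both the accepted types and
     the offending value.
     """
     # assertRaises as a context manager replaces the try/except/else dance
     # and still fails when no exception is raised at all
     with self.assertRaises(ValueError) as ctx:
         secretary.extractEnvelopes({1: 2})
     # assertEqual (not the deprecated assertEquals alias), matching the
     # other tests in this suite
     self.assertEqual("Input must be str or unicode, was dict({1: 2})",
                      str(ctx.exception))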
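def process_env(filename, verifySecrets, env):
    """Normalise an ``env`` mapping to string values and flag plaintext secrets.

    Args:
        filename: name of the file ``env`` came from; used only in messages.
        verifySecrets: when true, a secret-looking key whose value carries no
            ENC[...] envelope raises instead of being logged.
        env: mapping of environment variable names to values.

    Returns:
        A shallow copy of ``env`` in which every non-string value has been
        coerced to a string: bools become 'true'/'false', ints and floats go
        through str(), anything else through json.dumps().

    Raises:
        ValueError: if a key is not a string.
        RuntimeError: if ``verifySecrets`` is set and a secret-looking key
            holds a value with no ENC[...] envelope.
    """
    result = copy(env)
    for key, value in env.iteritems():
        # Non-string keys cannot be rendered consistently downstream, so refuse them
        if not isinstance(key, (str, unicode)):
            raise ValueError(
                "Only string dict keys are supported, please use quotes around the key '%s' in %s"
                % (key, filename))

        # Coerce scalars to their string form and serialize everything else as
        # JSON. bool is tested before int because bool is an int subclass.
        if not isinstance(value, (str, unicode)):
            if isinstance(value, bool):
                value = 'true' if value else 'false'
            elif isinstance(value, (int, float)):
                value = str(value)
            else:
                value = json.dumps(value)

            result[key] = value

        # Heuristic secret detection on the key name: credential-looking names
        # must carry at least one ENC[...] envelope in their value.
        # NOTE(review): the exclusions are plain substring tests, so a key such
        # as PROVIDER_PASSWORD (contains "id") is never checked at all; confirm
        # that is acceptable before relying on this for enforcement.
        lowered = key.lower()
        looks_secret = any(marker in lowered
                           for marker in ('password', 'pwd', 'key', 'token'))
        excluded = any(marker in lowered
                       for marker in ('public', 'id', 'routing'))
        if looks_secret and not excluded and not secretary.extractEnvelopes(value):
            if verifySecrets:
                raise RuntimeError('Found unencrypted secret in %s: %s' %
                                   (filename, key))
            # logging.warn is a deprecated alias of warning; lazy %-args defer
            # formatting until the record is actually emitted
            logging.warning('Found unencrypted secret in %s: %s', filename, key)

    return result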
    def testExtractEnvelopes(self):
        """extractEnvelopes returns every well-formed ENC[...] envelope, in order.

        Malformed candidates (empty payload, unterminated bracket, clipped
        'ENC' prefix) are skipped while later well-formed envelopes are still
        found.
        """
        cases = [
            ("amqp://ENC[NACL,uSr123+/=]:ENC[NACL,pWd123+/=]@rabbit:5672/",
             ["ENC[NACL,uSr123+/=]", "ENC[NACL,pWd123+/=]"]),
            ("amqp://ENC[NACL,uSr123+/=]:ENC[NACL,pWd123+/=]@rabbit:5672/ENC[KMS,123abc+/=]",
             ["ENC[NACL,uSr123+/=]", "ENC[NACL,pWd123+/=]", "ENC[KMS,123abc+/=]"]),
            # empty payload is not an envelope
            ("amqp://ENC[NACL,]:ENC[NACL,pWd123+/=]@rabbit:5672/",
             ["ENC[NACL,pWd123+/=]"]),
            # unterminated first envelope
            ("amqp://ENC[NACL,:ENC[NACL,pWd123+/=]@rabbit:5672/",
             ["ENC[NACL,pWd123+/=]"]),
            # clipped prefix ('NC[' instead of 'ENC[')
            ("amqp://NC[NACL,]:ENC[NACL,pWd123+/=]@rabbit:5672/",
             ["ENC[NACL,pWd123+/=]"]),
            # payload without a closing bracket
            ("amqp://ENC[NACL,abc:ENC[NACL,pWd123+/=]@rabbit:5672/",
             ["ENC[NACL,pWd123+/=]"]),
        ]
        for text, expected in cases:
            found = secretary.extractEnvelopes(text)
            self.assertEqual(len(expected), len(found))
            self.assertEqual(expected, found)
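def verify_secrets(services, enforce):
    """Scan each service's ``env`` config for credential-like keys stored in plaintext.

    Args:
        services: iterable of service objects exposing ``config`` (a mapping
            with an optional 'env' mapping) and ``filename``.
        enforce: when true, raise on the first unencrypted secret; otherwise
            log a warning for each one and keep scanning.

    Raises:
        RuntimeError: if ``enforce`` is set and a secret-looking key holds a
            value with no ENC[...] envelope.
    """
    for service in services:
        for key, value in service.config.get('env', {}).iteritems():
            # Values secretary already represents as KeyValue are skipped
            if isinstance(value, secretary.KeyValue):
                continue

            # Heuristic secret detection on the key name: credential-looking
            # names must carry at least one ENC[...] envelope in their value.
            # NOTE(review): the exclusions are plain substring tests, so a key
            # such as PROVIDER_PASSWORD (contains "id") is never checked at
            # all. Also, values are not coerced to str here, so a non-string
            # value under a secret-looking key will make extractEnvelopes
            # raise ValueError rather than be reported; confirm callers have
            # run process_env first.
            lowered = key.lower()
            looks_secret = any(marker in lowered
                               for marker in ('password', 'pwd', 'key', 'token'))
            excluded = any(marker in lowered
                           for marker in ('public', 'id', 'routing'))
            if looks_secret and not excluded and not secretary.extractEnvelopes(value):
                if enforce:
                    raise RuntimeError('Found unencrypted secret in %s: %s' %
                                       (service.filename, key))
                # logging.warn is a deprecated alias of warning; lazy %-args
                # defer formatting until the record is actually emitted
                logging.warning('Found unencrypted secret in %s: %s',
                                service.filename, key)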
    def testExtractEnvelopes(self):
        """extractEnvelopes returns every well-formed ENC[...] envelope, in order.

        Malformed candidates (empty payload, unterminated bracket, clipped
        'ENC' prefix) are skipped while later well-formed envelopes are still
        found.
        """
        well_formed_two = ["ENC[NACL,uSr123+/=]", "ENC[NACL,pWd123+/=]"]
        only_password = ["ENC[NACL,pWd123+/=]"]
        cases = [
            ("amqp://ENC[NACL,uSr123+/=]:ENC[NACL,pWd123+/=]@rabbit:5672/",
             well_formed_two),
            ("amqp://ENC[NACL,uSr123+/=]:ENC[NACL,pWd123+/=]@rabbit:5672/ENC[KMS,123abc+/=]",
             well_formed_two + ["ENC[KMS,123abc+/=]"]),
            # empty payload is not an envelope
            ("amqp://ENC[NACL,]:ENC[NACL,pWd123+/=]@rabbit:5672/", only_password),
            # unterminated first envelope
            ("amqp://ENC[NACL,:ENC[NACL,pWd123+/=]@rabbit:5672/", only_password),
            # clipped prefix ('NC[' instead of 'ENC[')
            ("amqp://NC[NACL,]:ENC[NACL,pWd123+/=]@rabbit:5672/", only_password),
            # payload without a closing bracket
            ("amqp://ENC[NACL,abc:ENC[NACL,pWd123+/=]@rabbit:5672/", only_password),
        ]
        for text, expected in cases:
            found = secretary.extractEnvelopes(text)
            self.assertEqual(len(expected), len(found))
            self.assertEqual(expected, found)
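def process_env(filename, verifySecrets, env):
    """Normalise an ``env`` mapping to string values and flag plaintext secrets.

    Args:
        filename: name of the file ``env`` came from; used only in messages.
        verifySecrets: when true, a secret-looking key whose value carries no
            ENC[...] envelope raises instead of being logged.
        env: mapping of environment variable names to values.

    Returns:
        A shallow copy of ``env`` in which every non-string value has been
        coerced to a string: bools become 'true'/'false', ints and floats go
        through str(), anything else through json.dumps().

    Raises:
        ValueError: if a key is not a string.
        RuntimeError: if ``verifySecrets`` is set and a secret-looking key
            holds a value with no ENC[...] envelope.
    """
    secret_markers = ('password', 'pwd', 'key', 'token')
    benign_markers = ('public', 'id', 'routing')

    result = copy(env)
    for key, value in env.iteritems():
        # Non-string keys cannot be rendered consistently downstream, so refuse them
        if not isinstance(key, (str, unicode)):
            raise ValueError("Only string dict keys are supported, please use quotes around the key '%s' in %s" % (key, filename))

        # Coerce scalars to their string form and serialize everything else as
        # JSON. bool is tested before int because bool is an int subclass.
        if not isinstance(value, (str, unicode)):
            if isinstance(value, bool):
                value = 'true' if value else 'false'
            elif isinstance(value, (int, float)):
                value = str(value)
            else:
                value = json.dumps(value)

            result[key] = value

        # Heuristic secret detection on the key name: credential-looking names
        # must carry at least one ENC[...] envelope in their value.
        # NOTE(review): the exclusions are plain substring tests, so a key such
        # as PROVIDER_PASSWORD (contains "id") is never checked at all; confirm
        # that is acceptable before relying on this for enforcement.
        lowered = key.lower()
        looks_secret = any(m in lowered for m in secret_markers)
        excluded = any(m in lowered for m in benign_markers)
        if looks_secret and not excluded and not secretary.extractEnvelopes(value):
            if verifySecrets:
                raise RuntimeError('Found unencrypted secret in %s: %s' % (filename, key))
            # logging.warn is a deprecated alias of warning; lazy %-args defer
            # formatting until the record is actually emitted
            logging.warning('Found unencrypted secret in %s: %s', filename, key)

    return result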