def test_loading_keys_from_keyczar_formatted_key_files(self):
key_path = os.path.join(KEY_FIXTURES_PATH, 'one.json')
aes_key = read_crypto_key(key_path=key_path)
self.assertEqual(aes_key.hmac_key_string, 'lgI9YdOKlIOtPQFdgB0B6zr0AZ6L2QJuFQg4gTu2dxc')
self.assertEqual(aes_key.hmac_key_size, 256)
self.assertEqual(aes_key.aes_key_string, 'vKmBE2YeQ9ATyovel7NDjdnbvOMcoU5uPtUVxWxWm58')
self.assertEqual(aes_key.mode, 'CBC')
self.assertEqual(aes_key.size, 256)
key_path = os.path.join(KEY_FIXTURES_PATH, 'two.json')
aes_key = read_crypto_key(key_path=key_path)
self.assertEqual(aes_key.hmac_key_string, '92ok9S5extxphADmUhObPSD5wugey8eTffoJ2CEg_2s')
self.assertEqual(aes_key.hmac_key_size, 256)
self.assertEqual(aes_key.aes_key_string, 'fU9hT9pm-b9hu3VyQACLXe2Z7xnaJMZrXiTltyLUzgs')
self.assertEqual(aes_key.mode, 'CBC')
self.assertEqual(aes_key.size, 256)
key_path = os.path.join(KEY_FIXTURES_PATH, 'five.json')
aes_key = read_crypto_key(key_path=key_path)
self.assertEqual(aes_key.hmac_key_string, 'GCX2uMfOzp1JXYgqH8piEE4_mJOPXydH_fRHPDw9bkM')
self.assertEqual(aes_key.hmac_key_size, 256)
self.assertEqual(aes_key.aes_key_string, 'EeBcUcbH14tL0w_fF5siEw')
self.assertEqual(aes_key.mode, 'CBC')
self.assertEqual(aes_key.size, 128)
def test_loading_keys_from_keyczar_formatted_key_files(self):
key_path = os.path.join(KEY_FIXTURES_PATH, 'one.json')
aes_key = read_crypto_key(key_path=key_path)
self.assertEqual(aes_key.hmac_key_string,
'lgI9YdOKlIOtPQFdgB0B6zr0AZ6L2QJuFQg4gTu2dxc')
self.assertEqual(aes_key.hmac_key_size, 256)
self.assertEqual(aes_key.aes_key_string,
'vKmBE2YeQ9ATyovel7NDjdnbvOMcoU5uPtUVxWxWm58')
self.assertEqual(aes_key.mode, 'CBC')
self.assertEqual(aes_key.size, 256)
key_path = os.path.join(KEY_FIXTURES_PATH, 'two.json')
aes_key = read_crypto_key(key_path=key_path)
self.assertEqual(aes_key.hmac_key_string,
'92ok9S5extxphADmUhObPSD5wugey8eTffoJ2CEg_2s')
self.assertEqual(aes_key.hmac_key_size, 256)
self.assertEqual(aes_key.aes_key_string,
'fU9hT9pm-b9hu3VyQACLXe2Z7xnaJMZrXiTltyLUzgs')
self.assertEqual(aes_key.mode, 'CBC')
self.assertEqual(aes_key.size, 256)
key_path = os.path.join(KEY_FIXTURES_PATH, 'five.json')
aes_key = read_crypto_key(key_path=key_path)
self.assertEqual(aes_key.hmac_key_string,
'GCX2uMfOzp1JXYgqH8piEE4_mJOPXydH_fRHPDw9bkM')
self.assertEqual(aes_key.hmac_key_size, 256)
self.assertEqual(aes_key.aes_key_string, 'EeBcUcbH14tL0w_fF5siEw')
self.assertEqual(aes_key.mode, 'CBC')
self.assertEqual(aes_key.size, 128)
def _setup_crypto():
if KeyValuePairAPI.crypto_setup:
# Crypto already set up
return
LOG.info("Checking if encryption is enabled for key-value store.")
KeyValuePairAPI.is_encryption_enabled = cfg.CONF.keyvalue.enable_encryption
LOG.debug("Encryption enabled? : %s",
KeyValuePairAPI.is_encryption_enabled)
if KeyValuePairAPI.is_encryption_enabled:
KeyValuePairAPI.crypto_key_path = cfg.CONF.keyvalue.encryption_key_path
LOG.info(
"Encryption enabled. Looking for key in path %s",
KeyValuePairAPI.crypto_key_path,
)
if not os.path.exists(KeyValuePairAPI.crypto_key_path):
msg = ("Encryption key file does not exist in path %s." %
KeyValuePairAPI.crypto_key_path)
LOG.exception(msg)
LOG.info("All API requests will now send out BAD_REQUEST " +
"if you ask to store secrets in key value store.")
KeyValuePairAPI.crypto_key = None
else:
KeyValuePairAPI.crypto_key = read_crypto_key(
key_path=KeyValuePairAPI.crypto_key_path)
KeyValuePairAPI.crypto_setup = True
def decrypt_kv(value):
original_value = value
if isinstance(value, KeyValueLookup) or isinstance(value,
UserKeyValueLookup):
# Since this is a filter the incoming value is still a KeyValueLookup
# object as the jinja rendering is not yet complete. So we cast
# the KeyValueLookup object to a simple string before decrypting.
is_kv_item = True
value = str(value)
else:
is_kv_item = False
# NOTE: If value is None this indicate key value item doesn't exist and we hrow a more
# user-friendly error
if is_kv_item and value == '':
# Build original key name
key_name = original_value.get_key_name()
raise ValueError(
'Referenced datastore item "%s" doesn\'t exist or it contains an empty '
'string' % (key_name))
crypto_key_path = cfg.CONF.keyvalue.encryption_key_path
crypto_key = read_crypto_key(key_path=crypto_key_path)
return symmetric_decrypt(decrypt_key=crypto_key, ciphertext=value)
def decrypt_kv(value):
if isinstance(value, KeyValueLookup):
# Since this is a filter the incoming value is still a KeyValueLookup
# object as the jinja rendering is not yet complete. So we cast
# the KeyValueLookup object to a simple string before decrypting.
value = str(value)
crypto_key_path = cfg.CONF.keyvalue.encryption_key_path
crypto_key = read_crypto_key(key_path=crypto_key_path)
return symmetric_decrypt(decrypt_key=crypto_key, ciphertext=value)
def setUp(self):
super(JinjaUtilsDecryptTestCase, self).setUp()
crypto_key_path = cfg.CONF.keyvalue.encryption_key_path
crypto_key = read_crypto_key(key_path=crypto_key_path)
self.secret = 'Build a wall'
self.secret_value = symmetric_encrypt(encrypt_key=crypto_key, plaintext=self.secret)
self.env = jinja_utils.get_jinja_environment()
def decrypt_kv(value):
if isinstance(value, KeyValueLookup):
# Since this is a filter the incoming value is still a KeyValueLookup
# object as the jinja rendering is not yet complete. So we cast
# the KeyValueLookup object to a simple string before decrypting.
value = str(value)
crypto_key_path = cfg.CONF.keyvalue.encryption_key_path
crypto_key = read_crypto_key(key_path=crypto_key_path)
return symmetric_decrypt(decrypt_key=crypto_key, ciphertext=value)
def setUp(self):
super(JinjaUtilsDecryptTestCase, self).setUp()
crypto_key_path = cfg.CONF.keyvalue.encryption_key_path
crypto_key = read_crypto_key(key_path=crypto_key_path)
self.secret = 'Build a wall'
self.secret_value = symmetric_encrypt(encrypt_key=crypto_key, plaintext=self.secret)
self.env = jinja_utils.get_jinja_environment()
def test_filter_decrypt_kv(self):
secret = 'Build a wall'
crypto_key_path = cfg.CONF.keyvalue.encryption_key_path
crypto_key = read_crypto_key(key_path=crypto_key_path)
secret_value = symmetric_encrypt(encrypt_key=crypto_key, plaintext=secret)
KeyValuePair.add_or_update(KeyValuePairDB(name='k8', value=secret_value,
scope=FULL_SYSTEM_SCOPE,
secret=True))
env = jinja_utils.get_jinja_environment()
context = {}
context.update({SYSTEM_SCOPE: KeyValueLookup(scope=SYSTEM_SCOPE)})
context.update({
DATASTORE_PARENT_SCOPE: {
SYSTEM_SCOPE: KeyValueLookup(scope=FULL_SYSTEM_SCOPE)
}
})
template = '{{st2kv.system.k8 | decrypt_kv}}'
actual = env.from_string(template).render(context)
self.assertEqual(actual, secret)
def decrypt_kv(value):
original_value = value
if isinstance(value, KeyValueLookup) or isinstance(value, UserKeyValueLookup):
# Since this is a filter the incoming value is still a KeyValueLookup
# object as the jinja rendering is not yet complete. So we cast
# the KeyValueLookup object to a simple string before decrypting.
is_kv_item = True
value = str(value)
else:
is_kv_item = False
# NOTE: If value is None this indicate key value item doesn't exist and we hrow a more
# user-friendly error
if is_kv_item and value == '':
# Build original key name
key_name = original_value.get_key_name()
raise ValueError('Referenced datastore item "%s" doesn\'t exist or it contains an empty '
'string' % (key_name))
crypto_key_path = cfg.CONF.keyvalue.encryption_key_path
crypto_key = read_crypto_key(key_path=crypto_key_path)
return symmetric_decrypt(decrypt_key=crypto_key, ciphertext=value)
def _setup_crypto():
if KeyValuePairAPI.crypto_setup:
# Crypto already set up
return
LOG.info('Checking if encryption is enabled for key-value store.')
KeyValuePairAPI.is_encryption_enabled = cfg.CONF.keyvalue.enable_encryption
LOG.debug('Encryption enabled? : %s', KeyValuePairAPI.is_encryption_enabled)
if KeyValuePairAPI.is_encryption_enabled:
KeyValuePairAPI.crypto_key_path = cfg.CONF.keyvalue.encryption_key_path
LOG.info('Encryption enabled. Looking for key in path %s',
KeyValuePairAPI.crypto_key_path)
if not os.path.exists(KeyValuePairAPI.crypto_key_path):
msg = ('Encryption key file does not exist in path %s.' %
KeyValuePairAPI.crypto_key_path)
LOG.exception(msg)
LOG.info('All API requests will now send out BAD_REQUEST ' +
'if you ask to store secrets in key value store.')
KeyValuePairAPI.crypto_key = None
else:
KeyValuePairAPI.crypto_key = read_crypto_key(
key_path=KeyValuePairAPI.crypto_key_path
)
KeyValuePairAPI.crypto_setup = True
def test_filter_decrypt_kv(self):
secret = 'Build a wall'
crypto_key_path = cfg.CONF.keyvalue.encryption_key_path
crypto_key = read_crypto_key(key_path=crypto_key_path)
secret_value = symmetric_encrypt(encrypt_key=crypto_key,
plaintext=secret)
KeyValuePair.add_or_update(
KeyValuePairDB(name='k8',
value=secret_value,
scope=FULL_SYSTEM_SCOPE,
secret=True))
env = jinja_utils.get_jinja_environment()
context = {}
context.update({SYSTEM_SCOPE: KeyValueLookup(scope=SYSTEM_SCOPE)})
context.update({
DATASTORE_PARENT_SCOPE: {
SYSTEM_SCOPE: KeyValueLookup(scope=FULL_SYSTEM_SCOPE)
}
})
template = '{{st2kv.system.k8 | decrypt_kv}}'
actual = env.from_string(template).render(context)
self.assertEqual(actual, secret)