def setup(self):
self._plaintext_payload = 'plaintext credentials'
self._encrypted_payload = encrypt_with_kms(self._plaintext_payload,
REGION, KMS_ALIAS)
self._credentials = Credentials(self._encrypted_payload,
is_encrypted=True,
region=REGION)
class TestCredentialsEmpty(object):
def setup(self):
self._plaintext_payload = ''
self._credentials = Credentials(self._plaintext_payload, is_encrypted=False)
@mock_kms
def test_encrypt(self):
"""Credentials - Empty Credentials - Encrypt - Does nothing when payload is empty"""
self._credentials.encrypt(REGION, KMS_ALIAS)
assert_true(self._credentials.is_encrypted())
assert_equal(self._credentials.data(), '')
def test_save_credentials_into_s3(self):
"""S3Driver - Save Credentials
We test a full cycle of using save_credentials() then subsequently pulling them out with
load_credentials()."""
creds = {'url': 'http://best.website.ever/test'}
input_credentials = Credentials(creds,
is_encrypted=False,
region=REGION)
descriptor = 'test_descriptor'
# Annoyingly, moto needs us to create the bucket first
# We put a random unrelated object into the bucket and this will set up the bucket for us
put_mock_s3_object(self._s3_driver.get_s3_secrets_bucket(), 'aaa',
'bbb', REGION)
result = self._s3_driver.save_credentials_into_s3(
descriptor, input_credentials, KMS_ALIAS)
assert_true(result)
credentials = self._s3_driver.load_credentials(descriptor)
assert_is_not_none(credentials)
assert_true(credentials.is_encrypted())
loaded_creds = json.loads(credentials.get_data_kms_decrypted())
assert_equal(loaded_creds, creds)
def test_save_and_has_credentials(self):
"""LocalFileDriver - Save and Has Credentials"""
assert_false(self._fs_driver.has_credentials('descriptor'))
credentials = Credentials('aaaa', True) # pretend it's encrypted
self._fs_driver.save_credentials('descriptor', credentials)
assert_true(self._fs_driver.has_credentials('descriptor'))
def test_save_and_has_credentials(self):
"""EphemeralUnencryptedDriver - Save and Has Credentials"""
assert_false(self._ep_driver.has_credentials('descriptor'))
credentials = Credentials('aaaa', False)
assert_true(self._ep_driver.save_credentials('descriptor', credentials))
assert_true(self._ep_driver.has_credentials('descriptor'))
def test_save_and_has_credentials(self):
"""SpooledTempfileDriver - Save and Has Credentials"""
assert_false(self._sp_driver.has_credentials('descriptor'))
credentials = Credentials('aaaa', True) # let's pretend they're encrypted
assert_true(self._sp_driver.save_credentials('descriptor', credentials))
assert_true(self._sp_driver.has_credentials('descriptor'))
class TestCredentialsUnencrypted(object):
def setup(self):
self._plaintext_payload = 'plaintext credentials'
self._credentials = Credentials(self._plaintext_payload, is_encrypted=False)
def test_is_encrypted(self):
"""Credentials - Plaintext Credentials - Is Encrypted"""
assert_false(self._credentials.is_encrypted())
def test_is_data(self):
"""Credentials - Plaintext Credentials - Data"""
assert_equal(self._credentials.data(), self._plaintext_payload)
@patch('logging.Logger.error')
def test_get_data_kms_decrypted(self, logging_error):
"""Credentials - Plaintext Credentials - KMS Decrypt"""
assert_is_none(self._credentials.get_data_kms_decrypted())
logging_error.assert_called_with('Cannot decrypt Credentials as they are already decrypted')
@mock_kms
def test_encrypt(self):
"""Credentials - Plaintext Credentials - Encrypt
Doubly-encrypting the credentials should do nothing.
"""
self._credentials.encrypt(REGION, KMS_ALIAS)
assert_true(self._credentials.is_encrypted())
assert_equal(self._credentials.data(), 'InBsYWludGV4dCBjcmVkZW50aWFscyI=')
def test_save_credentials_into_s3_blank_credentials(self):
"""S3Driver - Save Credentials does nothing when Credentials are Blank"""
input_credentials = Credentials('', is_encrypted=False, region=REGION)
descriptor = 'test_descriptor22'
result = self._s3_driver.save_credentials_into_s3(descriptor, input_credentials, KMS_ALIAS)
assert_true(result)
assert_is_none(self._s3_driver.load_credentials(descriptor))
def test_save_errors_on_unencrypted(self):
"""SpooledTempfileDriver - Save Errors on Unencrypted Credentials"""
raw_credentials = 'aaaa'
descriptor = 'descriptor5'
credentials = Credentials(raw_credentials, False)
assert_false(self._sp_driver.save_credentials(descriptor, credentials))
assert_false(self._sp_driver.has_credentials(descriptor))
def test_clear(self):
"""EphemeralUnencryptedDriver - Clear Credentials"""
descriptor = 'descriptor'
credentials = Credentials('aaaa', False)
self._ep_driver.save_credentials(descriptor, credentials)
EphemeralUnencryptedDriver.clear()
assert_false(self._ep_driver.has_credentials(descriptor))
def test_clear(self):
"""LocalFileDriver - Clear Credentials"""
descriptor = 'descriptor'
credentials = Credentials('aaaa', True, REGION) # pretend it's encrypted
self._fs_driver.save_credentials(descriptor, credentials)
LocalFileDriver.clear()
assert_false(self._fs_driver.has_credentials(descriptor))
def test_clear(self):
"""SpooledTempfileDriver - Clear Credentials"""
descriptor = 'descriptor'
credentials = Credentials('aaaa', True) # pretend it's encrypted
assert_true(self._sp_driver.save_credentials(descriptor, credentials))
SpooledTempfileDriver.clear()
assert_false(self._sp_driver.has_credentials(descriptor))
def test_save_and_load_credentials(self):
"""EphemeralUnencryptedDriver - Save and Load Credentials"""
descriptor = 'descriptor'
credentials = Credentials('aaaa', False)
assert_true(self._ep_driver.save_credentials(descriptor, credentials))
loaded_credentials = self._ep_driver.load_credentials(descriptor)
assert_is_not_none(loaded_credentials)
assert_false(loaded_credentials.is_encrypted())
assert_equal(loaded_credentials.data(), 'aaaa')
def test_save_and_load_credentials_persists_statically(self):
"""EphemeralUnencryptedDriver - Save and Load Credentials"""
descriptor = 'descriptor'
credentials = Credentials('aaaa', False)
assert_true(self._ep_driver.save_credentials(descriptor, credentials))
driver2 = EphemeralUnencryptedDriver('service') # Create a separate, identical driver
loaded_credentials = driver2.load_credentials(descriptor)
assert_is_not_none(loaded_credentials)
assert_false(loaded_credentials.is_encrypted())
assert_equal(loaded_credentials.data(), 'aaaa')
def test_save_errors_on_unencrypted(self):
"""LocalFileDriver - Save Errors on Unencrypted Credentials"""
raw_credentials_dict = {
'python': 'is very difficult',
'someone': 'save meeeee',
}
descriptor = 'descriptor5'
raw_credentials = json.dumps(raw_credentials_dict)
credentials = Credentials(raw_credentials, False, REGION)
assert_false(self._fs_driver.save_credentials(descriptor, credentials))
assert_false(self._fs_driver.has_credentials(descriptor))
def test_save_and_load_credentials(self):
"""SpooledTempfileDriver - Save and Load Credentials"""
raw_credentials = 'aaaa'
descriptor = 'descriptor'
encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION, KMS_ALIAS)
credentials = Credentials(encrypted_raw_credentials, True, REGION)
assert_true(self._sp_driver.save_credentials(descriptor, credentials))
loaded_credentials = self._sp_driver.load_credentials(descriptor)
assert_is_not_none(loaded_credentials)
assert_true(loaded_credentials.is_encrypted())
assert_equal(loaded_credentials.get_data_kms_decrypted(), raw_credentials)
def test_save_and_load_credentials_persists_statically(self):
"""LocalFileDriver - Save and Load Credentials"""
raw_credentials = 'aaaa'
descriptor = 'descriptor'
encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION, KMS_ALIAS)
credentials = Credentials(encrypted_raw_credentials, True, REGION)
assert_true(self._fs_driver.save_credentials(descriptor, credentials))
driver2 = LocalFileDriver(REGION, 'service') # Create a separate, identical driver
loaded_credentials = driver2.load_credentials(descriptor)
assert_is_not_none(loaded_credentials)
assert_true(loaded_credentials.is_encrypted())
assert_equal(loaded_credentials.get_data_kms_decrypted(), raw_credentials)
class TestCredentialsEncrypted(object):
@mock_kms
def setup(self):
self._plaintext_payload = 'plaintext credentials'
self._encrypted_payload = encrypt_with_kms(self._plaintext_payload,
REGION, KMS_ALIAS)
self._credentials = Credentials(self._encrypted_payload,
is_encrypted=True,
region=REGION)
def test_is_encrypted(self):
"""Credentials - Encrypted Credentials - Is Encrypted"""
assert_true(self._credentials.is_encrypted())
def test_is_data(self):
"""Credentials - Encrypted Credentials - Data"""
assert_equal(self._credentials.data(), self._encrypted_payload)
@mock_kms
def test_get_data_kms_decrypted(self):
"""Credentials - Encrypted Credentials - KMS Decrypt"""
decrypted = self._credentials.get_data_kms_decrypted()
assert_equal(decrypted, self._plaintext_payload)
def test_encrypt(self):
"""Credentials - Encrypted Credentials - Encrypt
Doubly-encrypting the credentials should do nothing.
"""
self._credentials.encrypt(REGION, KMS_ALIAS)
assert_equal(self._credentials.data(), self._encrypted_payload)
@patch('boto3.client')
@patch('logging.Logger.exception')
def test_decrypt_kms_error(self, logging_exception, boto3):
"""Credentials - Encrypted Credentials - KMS Decrypt - Errors if KMS Fails to Respond"""
# We pretend that KMS errors out
boto3_client = MagicMock()
boto3.return_value = boto3_client
response = MagicMock()
boto3_client.decrypt.side_effect = ClientError(response, 'kms_decrypt')
assert_is_none(self._credentials.get_data_kms_decrypted())
logging_exception.assert_called_with(
'an error occurred during credentials decryption')
def test_load_credentials(self):
"""S3Driver - With File Driver - Load Credentials - Pulls into LocalFileStore
Here we use the S3Driver's caching ability to yank stuff into a local driver."""
remove_temp_secrets()
creds = {'my_secret': 'i ate two portions of biscuits and gravy'}
input_credentials = Credentials(creds,
is_encrypted=False,
region=REGION)
descriptor = 'test_descriptor'
# Annoyingly, moto needs us to create the bucket first
# We put a random unrelated object into the bucket and this will set up the bucket for us
put_mock_s3_object(self._s3_driver.get_s3_secrets_bucket(), 'aaa',
'bbb', REGION)
# First, check if the Local driver can find the credentials (we don't expect it to)
assert_false(self._fs_driver.has_credentials(descriptor))
# Save the credentials using S3 driver
result = self._s3_driver.save_credentials_into_s3(
descriptor, input_credentials, KMS_ALIAS)
assert_true(result)
# We still don't expect the Local driver to find the credentials
assert_false(self._fs_driver.has_credentials(descriptor))
# Use S3Driver to warm up the Local driver
self._s3_driver.load_credentials(descriptor)
# Now we should be able to get the credentials from the local fs
assert_true(self._fs_driver.has_credentials(descriptor))
credentials = self._fs_driver.load_credentials(descriptor)
assert_is_not_none(credentials)
assert_true(credentials.is_encrypted())
loaded_creds = json.loads(credentials.get_data_kms_decrypted())
assert_equal(loaded_creds, creds)
remove_temp_secrets()
def test_save_automatically_decrypts(self):
"""EphemeralUnencryptedDriver - Save Automatically Decrypts"""
raw_credentials_dict = {
'python': 'is very difficult',
'someone': 'save meeeee',
}
descriptor = 'descriptor5'
raw_credentials = json.dumps(raw_credentials_dict)
encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION, KMS_ALIAS)
credentials = Credentials(encrypted_raw_credentials, True, REGION)
assert_true(self._ep_driver.save_credentials(descriptor, credentials))
loaded_credentials = self._ep_driver.load_credentials(descriptor)
assert_is_not_none(loaded_credentials)
assert_false(loaded_credentials.is_encrypted())
assert_equal(json.loads(loaded_credentials.data()), raw_credentials_dict)
def test_save_and_load_credentials_persists_statically(self):
"""SpooledTempfileDriver - Save and Load Credentials"""
raw_credentials_dict = {
'python': 'is very difficult',
'someone': 'save meeeee',
}
descriptor = 'descriptor'
raw_credentials = json.dumps(raw_credentials_dict)
encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION, KMS_ALIAS)
credentials = Credentials(encrypted_raw_credentials, True)
assert_true(self._sp_driver.save_credentials(descriptor, credentials))
driver2 = SpooledTempfileDriver('service', REGION) # Create a separate, identical driver
loaded_credentials = driver2.load_credentials(descriptor)
assert_is_not_none(loaded_credentials)
assert_true(loaded_credentials.is_encrypted())
assert_equal(loaded_credentials.get_data_kms_decrypted(), raw_credentials)
def setup(self):
self._plaintext_payload = ''
self._credentials = Credentials(self._plaintext_payload, is_encrypted=False)
