def test_cryptostring_has_symbol():
s_util = CryptoString()
crypto_string = 'Th1sP@sswordH4sSymbols!'
assert s_util.has_symbol(crypto_string) is True
crypto_string = r'!@#$%^&*()[]\}{|<>?,./~`'
assert s_util.has_symbol(crypto_string) is True
crypto_string = 'ThisPasswordH4sNoSymbols'
assert s_util.has_symbol(crypto_string) is False
def test_cryptostring_has_lower():
s_util = CryptoString()
crypto_string = 'Th1sP@sswordH4sLowers!'
assert s_util.has_lower(crypto_string) is True
crypto_string = 'thispasswordhasonlylowers'
assert s_util.has_lower(crypto_string) is True
crypto_string = 'TH1SP@SSWORDH4SNOLOWERS!'
assert s_util.has_lower(crypto_string) is False
def test_cryptostring_has_number():
s_util = CryptoString()
crypto_string = 'Th1sP@sswordH4sNumbers!'
assert s_util.has_number(crypto_string) is True
crypto_string = '123456789012345678901234567890'
assert s_util.has_number(crypto_string) is True
crypto_string = 'ThisP@sswordHasNoNumbers!'
assert s_util.has_number(crypto_string) is False
def test_cryptostring_short_len():
s_util = CryptoString()
s = s_util.get_crypto_string(0)
assert len(s) == 24
s = s_util.get_crypto_string(23)
assert len(s) == 24
s = s_util.get_crypto_string(-1)
assert len(s) == 24
def test_cryptostring_has_upper():
s_util = CryptoString()
crypto_string = 'Th1sP@sswordH4sUppers!'
assert s_util.has_upper(crypto_string) is True
crypto_string = 'THISPASSWORDHASONLYUPPERS'
assert s_util.has_upper(crypto_string) is True
crypto_string = 'th1sp@sswordh4snouppers!'
assert s_util.has_upper(crypto_string) is False
def test_cryptostring_has_all():
s_util = CryptoString()
crypto_string = s_util.get_crypto_string()
assert s_util.validate_crypto_str(crypto_string) is True
crypto_string = 'Th1sP@sswordH4sItAll!'
assert s_util.validate_crypto_str(crypto_string) is True
crypto_string = 'th1sp@sswordh4snouppers!'
assert s_util.validate_crypto_str(crypto_string) is False
crypto_string = 'TH1SP@SSWORDH4SNOLOWERS!'
assert s_util.validate_crypto_str(crypto_string) is False
crypto_string = 'ThisP@sswordHasNoNumbers!'
assert s_util.validate_crypto_str(crypto_string) is False
crypto_string = 'ThisPasswordH4sNoSymbols'
assert s_util.validate_crypto_str(crypto_string) is False
def test_cryptostring_all_profile():
s_util = CryptoString(profile='all')
crypto_string = s_util.get_crypto_string()
assert s_util.has_lower(crypto_string) is True
assert s_util.has_upper(crypto_string) is True
assert s_util.has_number(crypto_string) is True
assert s_util.has_symbol(crypto_string) is True
def generate_crypto_string(length):
"""
Create a cryptographic string.
:param int length: Length of cryptographic string.
:rtype: string
"""
return CryptoString().get_crypto_string(length)
def test_cryptostring_hex_upper_profile():
s_util = CryptoString(profile='hex_upper')
crypto_string = s_util.get_crypto_string()
assert s_util.has_lower(crypto_string) is False
assert s_util.has_upper(crypto_string) is True
assert s_util.has_number(crypto_string) is True
assert s_util.has_symbol(crypto_string) is False
bad_letters = any(char in 'GHIJKLMNOPQRSTUVWXYZ' for char in crypto_string)
assert not bad_letters
def test_cryptostring_hex_lower_profile():
s_util = CryptoString(profile='hex_lower')
crypto_string = s_util.get_crypto_string()
assert s_util.has_lower(crypto_string) is True
assert s_util.has_upper(crypto_string) is False
assert s_util.has_number(crypto_string) is True
assert s_util.has_symbol(crypto_string) is False
bad_letters = any(char in 'ghijklmnopqrstuvwxyz' for char in crypto_string)
assert not bad_letters
def test_cryptostring_default_profile():
s_util = CryptoString(profile='default')
crypto_string = s_util.get_crypto_string()
assert s_util.has_lower(crypto_string) is True
assert s_util.has_upper(crypto_string) is True
assert s_util.has_number(crypto_string) is True
assert s_util.has_symbol(crypto_string) is True
bad_symbols = any(
char in '!"$%()*,./:;<>[]^_`{|}~\'' for char in crypto_string)
assert not bad_symbols
def test_profiles_catalog(*_):
_dir = tempfile.mkdtemp()
os.makedirs(os.path.join(_dir, 'cicd_site_repo'), exist_ok=True)
PassphraseGenerator('cicd', _dir, 'test_author').generate()
s_util = CryptoString()
for passphrase in TEST_PROFILES_CATALOG['data']['passphrases']:
passphrase_file_name = '{}.yaml'.format(passphrase['document_name'])
passphrase_file_path = os.path.join(_dir, 'site', 'cicd', 'secrets',
'passphrases',
passphrase_file_name)
assert os.path.isfile(passphrase_file_path)
with open(passphrase_file_path) as stream:
doc = yaml.safe_load(stream)
decrypted_passphrase = encryption.decrypt(
doc['data']['managedDocument']['data'],
os.environ['PEGLEG_PASSPHRASE'].encode(),
os.environ['PEGLEG_SALT'].encode()).decode()
assert len(decrypted_passphrase) == 24
if passphrase_file_name == "default_passphrase.yaml":
assert s_util.has_lower(decrypted_passphrase) is True
assert s_util.has_upper(decrypted_passphrase) is True
assert s_util.has_number(decrypted_passphrase) is True
assert s_util.has_symbol(decrypted_passphrase) is True
bad_symbols = any(char in '!"$%()*,./:;<>[]^_`{|}~\''
for char in decrypted_passphrase)
assert not bad_symbols
elif passphrase_file_name == "alphanumeric_passphrase.yaml":
assert s_util.has_lower(decrypted_passphrase) is True
assert s_util.has_upper(decrypted_passphrase) is True
assert s_util.has_number(decrypted_passphrase) is True
assert s_util.has_symbol(decrypted_passphrase) is False
elif passphrase_file_name == "alphanumeric_lower_passphrase.yaml":
assert s_util.has_lower(decrypted_passphrase) is True
assert s_util.has_upper(decrypted_passphrase) is False
assert s_util.has_number(decrypted_passphrase) is True
assert s_util.has_symbol(decrypted_passphrase) is False
elif passphrase_file_name == "alphanumeric_upper_passphrase.yaml":
assert s_util.has_lower(decrypted_passphrase) is False
assert s_util.has_upper(decrypted_passphrase) is True
assert s_util.has_number(decrypted_passphrase) is True
assert s_util.has_symbol(decrypted_passphrase) is False
elif passphrase_file_name == "all_passphrase.yaml":
assert s_util.has_lower(decrypted_passphrase) is True
assert s_util.has_upper(decrypted_passphrase) is True
assert s_util.has_number(decrypted_passphrase) is True
assert s_util.has_symbol(decrypted_passphrase) is True
elif passphrase_file_name == "hex_lower_passphrase.yaml":
assert s_util.has_lower(decrypted_passphrase) is True
assert s_util.has_upper(decrypted_passphrase) is False
assert s_util.has_number(decrypted_passphrase) is True
assert s_util.has_symbol(decrypted_passphrase) is False
bad_letters = any(char in 'ghijklmnopqrstuvwxyz'
for char in decrypted_passphrase)
assert not bad_letters
elif passphrase_file_name == "hex_upper_passphrase.yaml":
assert s_util.has_lower(decrypted_passphrase) is False
assert s_util.has_upper(decrypted_passphrase) is True
assert s_util.has_number(decrypted_passphrase) is True
assert s_util.has_symbol(decrypted_passphrase) is False
bad_letters = any(char in 'GHIJKLMNOPQRSTUVWXYZ'
for char in decrypted_passphrase)
assert not bad_letters
def generate(self, interactive=False, force_cleartext=False):
"""
For each passphrase entry in the passphrase catalog, generate a
random passphrase string, based on a passphrase specification in the
catalog. Create a pegleg managed document, wrap the generated
passphrase document in the pegleg managed document, and encrypt the
passphrase. Write the wrapped and encrypted document in a file at
<repo_name>/site/<site_name>/secrets/passphrases/passphrase_name.yaml.
:param bool interactive: If true, allow input
:param bool force_cleartext: If true, don't encrypt
"""
for p_name in self._catalog.get_passphrase_names:
# Check if this secret is present and should not be regenerated
save_path = self.get_save_path(p_name)
regenerable = self._catalog.is_passphrase_regenerable(p_name)
if os.path.exists(save_path) and not regenerable:
continue
# Generate secret as it either does not exist yet or is a
# regenerable secret and does exist but should be rotated.
passphrase = None
passphrase_type = self._catalog.get_passphrase_type(p_name)
prompt = self._catalog.is_passphrase_prompt(p_name)
profile = self._catalog.get_passphrase_profile(p_name)
if interactive and prompt:
auto_allowed = regenerable
if passphrase_type == 'uuid': # nosec
passphrase = self._prompt_user_passphrase_and_validate(
p_name,
'UUID',
self.validate_uuid,
auto_allowed=auto_allowed)
elif passphrase_type == 'base64': # nosec
passphrase = self._prompt_user_passphrase_and_validate(
p_name,
'passphrase (b64)',
self.validate_base64,
auto_allowed=auto_allowed)
elif passphrase_type == 'passphrase':
passphrase = self._prompt_user_passphrase_and_validate(
p_name,
'passphrase',
self.validate_passphrase,
auto_allowed=auto_allowed)
elif not interactive and prompt:
LOG.debug('Skipping interactive input for %s', p_name)
continue
if not passphrase:
if passphrase_type == 'uuid': # nosec
passphrase = uuidutils.generate_uuid()
else:
passphrase = CryptoString(profile).get_crypto_string(
self._catalog.get_length(p_name))
if passphrase_type == 'base64': # nosec
# Take the randomly generated string and convert to a
# random base64 string
passphrase = passphrase.encode()
passphrase = base64.b64encode(passphrase).decode()
docs = list()
if force_cleartext:
storage_policy = passphrase_catalog.P_CLEARTEXT
LOG.warning("Passphrases for {} will be "
"generated in clear text.".format(p_name))
else:
storage_policy = self._catalog.get_storage_policy(p_name)
docs.append(
self.generate_doc(KIND, p_name, storage_policy, passphrase))
if storage_policy == passphrase_catalog.P_ENCRYPTED:
PeglegSecretManagement(
docs=docs,
generated=True,
author=self._author,
catalog=self._catalog).encrypt_secrets(save_path)
else:
files.write(docs, save_path)
def test_cryptostring_long_len():
s_util = CryptoString()
s = s_util.get_crypto_string(25)
assert len(s) == 25
s = s_util.get_crypto_string(128)
assert len(s) == 128
def test_cryptostring_default_len():
s_util = CryptoString()
s = s_util.get_crypto_string()
assert len(s) == 24