Example #1
0
 def setup(self):
     self.kms_mocker = mock_kms()
     self.kms_mocker.start()
     setup_mock_kms(REGION, KMS_ALIAS)
     self._plaintext_payload = 'plaintext credentials'
     self._credentials = Credentials(self._plaintext_payload,
                                     is_encrypted=False)
Example #2
0
 def setup(self):
     self._plaintext_payload = 'plaintext credentials'
     self._encrypted_payload = encrypt_with_kms(self._plaintext_payload,
                                                REGION, KMS_ALIAS)
     self._credentials = Credentials(self._encrypted_payload,
                                     is_encrypted=True,
                                     region=REGION)
Example #3
0
class TestCredentialsEmpty:
    def setup(self):
        self._plaintext_payload = ''
        self._credentials = Credentials(self._plaintext_payload,
                                        is_encrypted=False)

    def test_encrypt(self):
        """Credentials - Empty Credentials - Encrypt - Does nothing when payload is empty"""
        self._credentials.encrypt(REGION, KMS_ALIAS)

        assert_true(self._credentials.is_encrypted())
        assert_equal(self._credentials.data(), '')
Example #4
0
    def test_save_and_has_credentials(self):
        """LocalFileDriver - Save and Has Credentials"""
        assert_false(self._fs_driver.has_credentials('descriptor'))

        credentials = Credentials('aaaa', True)  # pretend it's encrypted
        self._fs_driver.save_credentials('descriptor', credentials)

        assert_true(self._fs_driver.has_credentials('descriptor'))
Example #5
0
class TestCredentialsUnencrypted:
    def setup(self):
        self._plaintext_payload = 'plaintext credentials'
        self._credentials = Credentials(self._plaintext_payload,
                                        is_encrypted=False)

    def test_is_encrypted(self):
        """Credentials - Plaintext Credentials - Is Encrypted"""
        assert_false(self._credentials.is_encrypted())

    def test_is_data(self):
        """Credentials - Plaintext Credentials - Data"""
        assert_equal(self._credentials.data(), self._plaintext_payload)

    @patch('logging.Logger.error')
    def test_get_data_kms_decrypted(self, logging_error):
        """Credentials - Plaintext Credentials - KMS Decrypt"""
        assert_is_none(self._credentials.get_data_kms_decrypted())
        logging_error.assert_called_with(
            'Cannot decrypt Credentials as they are already decrypted')

    @mock_kms
    def test_encrypt(self):
        """Credentials - Plaintext Credentials - Encrypt

        Doubly-encrypting the credentials should do nothing.
        """
        self._credentials.encrypt(REGION, KMS_ALIAS)

        assert_true(self._credentials.is_encrypted())
        assert_equal(self._credentials.data(),
                     'InBsYWludGV4dCBjcmVkZW50aWFscyI='.encode())
Example #6
0
    def test_save_and_has_credentials(self):
        """EphemeralUnencryptedDriver - Save and Has Credentials"""
        assert_false(self._ep_driver.has_credentials('descriptor'))

        credentials = Credentials('aaaa', False)
        assert_true(self._ep_driver.save_credentials('descriptor',
                                                     credentials))

        assert_true(self._ep_driver.has_credentials('descriptor'))
Example #7
0
    def test_save_errors_on_unencrypted(self):
        """SpooledTempfileDriver - Save Errors on Unencrypted Credentials"""
        raw_credentials = 'aaaa'
        descriptor = 'descriptor5'

        credentials = Credentials(raw_credentials, False)

        assert_false(self._sp_driver.save_credentials(descriptor, credentials))
        assert_false(self._sp_driver.has_credentials(descriptor))
Example #8
0
    def test_clear(self):
        """SpooledTempfileDriver - Clear Credentials"""
        descriptor = 'descriptor'
        credentials = Credentials('aaaa', True)  # pretend it's encrypted

        assert_true(self._sp_driver.save_credentials(descriptor, credentials))

        SpooledTempfileDriver.clear()

        assert_false(self._sp_driver.has_credentials(descriptor))
Example #9
0
    def test_save_and_has_credentials(self):
        """SpooledTempfileDriver - Save and Has Credentials"""
        assert_false(self._sp_driver.has_credentials('descriptor'))

        credentials = Credentials('aaaa',
                                  True)  # let's pretend they're encrypted
        assert_true(self._sp_driver.save_credentials('descriptor',
                                                     credentials))

        assert_true(self._sp_driver.has_credentials('descriptor'))
Example #10
0
    def test_clear(self):
        """EphemeralUnencryptedDriver - Clear Credentials"""
        descriptor = 'descriptor'

        credentials = Credentials('aaaa', False)
        self._ep_driver.save_credentials(descriptor, credentials)

        EphemeralUnencryptedDriver.clear()

        assert_false(self._ep_driver.has_credentials(descriptor))
Example #11
0
    def test_clear(self):
        """LocalFileDriver - Clear Credentials"""
        descriptor = 'descriptor'

        credentials = Credentials('aaaa', True,
                                  REGION)  # pretend it's encrypted
        self._fs_driver.save_credentials(descriptor, credentials)

        LocalFileDriver.clear()

        assert_false(self._fs_driver.has_credentials(descriptor))
Example #12
0
    def test_save_and_load_credentials(self):
        """EphemeralUnencryptedDriver - Save and Load Credentials"""
        descriptor = 'descriptor'
        credentials = Credentials('aaaa', False)
        assert_true(self._ep_driver.save_credentials(descriptor, credentials))

        loaded_credentials = self._ep_driver.load_credentials(descriptor)

        assert_is_not_none(loaded_credentials)
        assert_false(loaded_credentials.is_encrypted())
        assert_equal(loaded_credentials.data(), 'aaaa')
Example #13
0
    def test_save_errors_on_unencrypted(self):
        """LocalFileDriver - Save Errors on Unencrypted Credentials"""
        raw_credentials_dict = {
            'python': 'is very difficult',
            'someone': 'save meeeee',
        }
        descriptor = 'descriptor5'
        raw_credentials = json.dumps(raw_credentials_dict)

        credentials = Credentials(raw_credentials, False, REGION)

        assert_false(self._fs_driver.save_credentials(descriptor, credentials))
        assert_false(self._fs_driver.has_credentials(descriptor))
Example #14
0
    def test_save_and_has_credentials(self):
        """SSMDriver - Save and Has Credentials"""
        descriptor = 'unit-test'

        # Verify Credentials don't already exist
        assert_is_none(self._ssm_driver.load_credentials(descriptor))

        credentials = Credentials('CREDS', is_encrypted=False)
        self._ssm_driver.save_credentials(descriptor, credentials, KMS_ALIAS)

        # Verify they saved correctly
        result = self._ssm_driver.load_credentials(descriptor)
        assert_is_not_none(result)
Example #15
0
    def test_save_and_load_credentials_persists_statically(self):
        """EphemeralUnencryptedDriver - Save and Load Credentials"""
        descriptor = 'descriptor'
        credentials = Credentials('aaaa', False)

        assert_true(self._ep_driver.save_credentials(descriptor, credentials))

        driver2 = EphemeralUnencryptedDriver(
            'service')  # Create a separate, identical driver
        loaded_credentials = driver2.load_credentials(descriptor)

        assert_is_not_none(loaded_credentials)
        assert_false(loaded_credentials.is_encrypted())
        assert_equal(loaded_credentials.data(), 'aaaa')
Example #16
0
class TestCredentialsEncrypted:
    def setup(self):
        self.kms_mocker = mock_kms()
        self.kms_mocker.start()
        setup_mock_kms(REGION, KMS_ALIAS)
        self._plaintext_payload = 'plaintext credentials'
        self._encrypted_payload = encrypt_with_kms(self._plaintext_payload,
                                                   REGION, KMS_ALIAS)
        self._credentials = Credentials(self._encrypted_payload,
                                        is_encrypted=True,
                                        region=REGION)

    def teardown(self):
        self.kms_mocker.stop()

    def test_is_encrypted(self):
        """Credentials - Encrypted Credentials - Is Encrypted"""
        assert_true(self._credentials.is_encrypted())

    def test_is_data(self):
        """Credentials - Encrypted Credentials - Data"""
        assert_equal(self._credentials.data(), self._encrypted_payload)

    def test_get_data_kms_decrypted(self):
        """Credentials - Encrypted Credentials - KMS Decrypt"""
        decrypted = self._credentials.get_data_kms_decrypted()
        assert_equal(decrypted, self._plaintext_payload.encode())

    def test_encrypt(self):
        """Credentials - Encrypted Credentials - Encrypt

        Doubly-encrypting the credentials should do nothing.
        """
        self._credentials.encrypt(REGION, KMS_ALIAS)
        assert_equal(self._credentials.data(), self._encrypted_payload)

    @patch('boto3.client')
    @patch('logging.Logger.exception')
    def test_decrypt_kms_error(self, logging_exception, boto3):
        """Credentials - Encrypted Credentials - KMS Decrypt - Errors if KMS Fails to Respond"""

        # We pretend that KMS errors out
        boto3_client = MagicMock()
        boto3.return_value = boto3_client

        response = MagicMock()
        boto3_client.decrypt.side_effect = ClientError(response, 'kms_decrypt')

        assert_is_none(self._credentials.get_data_kms_decrypted())
        logging_exception.assert_called_with(
            'an error occurred during credentials decryption')
Example #17
0
    def test_save_and_load_credentials(self):
        """SpooledTempfileDriver - Save and Load Credentials"""
        raw_credentials = 'aaaa'
        descriptor = 'descriptor'
        encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION,
                                                     KMS_ALIAS)

        credentials = Credentials(encrypted_raw_credentials, True, REGION)
        assert_true(self._sp_driver.save_credentials(descriptor, credentials))

        loaded_credentials = self._sp_driver.load_credentials(descriptor)

        assert_is_not_none(loaded_credentials)
        assert_true(loaded_credentials.is_encrypted())
        assert_equal(loaded_credentials.get_data_kms_decrypted(),
                     raw_credentials.encode())
Example #18
0
    def test_save_and_load_credentials_persists_statically(self):
        """LocalFileDriver - Save and Load Credentials"""
        raw_credentials = 'aaaa'
        descriptor = 'descriptor'

        encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION,
                                                     KMS_ALIAS)

        credentials = Credentials(encrypted_raw_credentials, True, REGION)
        assert_true(self._fs_driver.save_credentials(descriptor, credentials))

        driver2 = LocalFileDriver(
            REGION, 'service')  # Create a separate, identical driver
        loaded_credentials = driver2.load_credentials(descriptor)

        assert_is_not_none(loaded_credentials)
        assert_true(loaded_credentials.is_encrypted())
        assert_equal(loaded_credentials.get_data_kms_decrypted(),
                     raw_credentials.encode())
Example #19
0
    def test_save_automatically_decrypts(self):
        """EphemeralUnencryptedDriver - Save Automatically Decrypts"""
        raw_credentials_dict = {
            'python': 'is very difficult',
            'someone': 'save meeeee',
        }
        descriptor = 'descriptor5'

        raw_credentials = json.dumps(raw_credentials_dict)
        encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION,
                                                     KMS_ALIAS)

        credentials = Credentials(encrypted_raw_credentials, True, REGION)

        assert_true(self._ep_driver.save_credentials(descriptor, credentials))

        loaded_credentials = self._ep_driver.load_credentials(descriptor)

        assert_is_not_none(loaded_credentials)
        assert_false(loaded_credentials.is_encrypted())
        assert_equal(json.loads(loaded_credentials.data()),
                     raw_credentials_dict)
Example #20
0
    def test_save_and_load_credentials_persists_statically(self):
        """SpooledTempfileDriver - Save and Load Credentials"""
        raw_credentials_dict = {
            'python': 'is very difficult',
            'someone': 'save meeeee',
        }
        descriptor = 'descriptor'

        raw_credentials = json.dumps(raw_credentials_dict)
        encrypted_raw_credentials = encrypt_with_kms(raw_credentials, REGION,
                                                     KMS_ALIAS)

        credentials = Credentials(encrypted_raw_credentials, True)
        assert_true(self._sp_driver.save_credentials(descriptor, credentials))

        driver2 = SpooledTempfileDriver(
            'service', REGION)  # Create a separate, identical driver
        loaded_credentials = driver2.load_credentials(descriptor)

        assert_is_not_none(loaded_credentials)
        assert_true(loaded_credentials.is_encrypted())
        assert_equal(loaded_credentials.get_data_kms_decrypted(),
                     raw_credentials.encode())
Example #21
0
class TestCredentialsUnencrypted:
    def setup(self):
        self.kms_mocker = mock_kms()
        self.kms_mocker.start()
        setup_mock_kms(REGION, KMS_ALIAS)
        self._plaintext_payload = 'plaintext credentials'
        self._credentials = Credentials(self._plaintext_payload,
                                        is_encrypted=False)

    def teardown(self):
        self.kms_mocker.stop()

    def test_is_encrypted(self):
        """Credentials - Plaintext Credentials - Is Encrypted"""
        assert_false(self._credentials.is_encrypted())

    def test_is_data(self):
        """Credentials - Plaintext Credentials - Data"""
        assert_equal(self._credentials.data(), self._plaintext_payload)

    @patch('logging.Logger.error')
    def test_get_data_kms_decrypted(self, logging_error):
        """Credentials - Plaintext Credentials - KMS Decrypt"""
        assert_is_none(self._credentials.get_data_kms_decrypted())
        logging_error.assert_called_with(
            'Cannot decrypt Credentials as they are already decrypted')

    def test_encrypt(self):
        """Credentials - Plaintext Credentials - Encrypt

        Doubly-encrypting the credentials should do nothing.
        """
        self._credentials.encrypt(REGION, KMS_ALIAS)

        assert_true(self._credentials.is_encrypted())

        # moto changed from simply base64 encoding data to actually
        # doing proper encryption/decryption. See here:
        # https://github.com/earlrob/moto/commit/98581b9196768ad8d5eaa1e02ca744c0c3b2098e
        assert_not_equal(self._credentials.data(), 'plaintext credentials')
Example #22
0
 def setup(self):
     self._plaintext_payload = 'plaintext credentials'
     self._credentials = Credentials(self._plaintext_payload,
                                     is_encrypted=False)