def test_secret_too_big_is_true_for_big_secrets(self):
data = b'\x01' * validators.CONF.max_allowed_secret_in_bytes
data += b'\x01'
is_too_big = validators.secret_too_big(data)
self.assertTrue(is_too_big)
def on_put(self, external_project_id, **kwargs):
if (not pecan.request.content_type or
pecan.request.content_type == 'application/json'):
pecan.abort(
415,
u._("Content-Type of '{content_type}' is not supported for "
"PUT.").format(content_type=pecan.request.content_type)
)
transport_key_id = kwargs.get('transport_key_id')
payload = pecan.request.body
if not payload:
raise exception.NoDataToProcess()
if validators.secret_too_big(payload):
raise exception.LimitExceeded()
if self.secret.encrypted_data or self.secret.secret_store_metadata:
_secret_already_has_data()
project_model = res.get_or_create_project(external_project_id)
content_type = pecan.request.content_type
content_encoding = pecan.request.headers.get('Content-Encoding')
plugin.store_secret(
unencrypted_raw=payload,
content_type_raw=content_type,
content_encoding=content_encoding,
secret_model=self.secret,
project_model=project_model,
transport_key_id=transport_key_id)
LOG.info(u._LI('Updated secret for project: %s'), external_project_id)
def on_put(self, external_project_id, **kwargs):
if (not pecan.request.content_type
or pecan.request.content_type == 'application/json'):
pecan.abort(
415,
u._("Content-Type of '{content_type}' is not supported for "
"PUT.").format(content_type=pecan.request.content_type))
transport_key_id = kwargs.get('transport_key_id')
payload = pecan.request.body
if not payload:
raise exception.NoDataToProcess()
if validators.secret_too_big(payload):
raise exception.LimitExceeded()
if self.secret.encrypted_data or self.secret.secret_store_metadata:
_secret_already_has_data()
project_model = res.get_or_create_project(external_project_id)
content_type = pecan.request.content_type
content_encoding = pecan.request.headers.get('Content-Encoding')
plugin.store_secret(unencrypted_raw=payload,
content_type_raw=content_type,
content_encoding=content_encoding,
secret_model=self.secret,
project_model=project_model,
transport_key_id=transport_key_id)
LOG.info('Updated secret for project: %s', external_project_id)
def test_secret_too_big_is_true_for_big_secrets(self):
data = b'\x01' * validators.CONF.max_allowed_secret_in_bytes
data += b'\x01'
is_too_big = validators.secret_too_big(data)
self.assertTrue(is_too_big)
def create_encrypted_datum(secret, payload,
content_type, content_encoding,
tenant, crypto_manager, datum_repo, kek_repo):
"""Modifies the secret to add the plain_text secret information.
:param secret: the secret entity to associate the secret data to
:param payload: secret data to store
:param content_type: payload content mime type
:param content_encoding: payload content encoding
:param tenant: the tenant (entity) who owns the secret
:param crypto_manager: the crypto plugin manager
:param datum_repo: the encrypted datum repository
:param kek_repo: the KEK metadata repository
:retval The response body, None if N/A
"""
if not payload:
raise exception.NoDataToProcess()
if validators.secret_too_big(payload):
raise exception.LimitExceeded()
if secret.encrypted_data:
raise ValueError('Secret already has encrypted data stored for it.')
# Encrypt payload
LOG.debug('Encrypting secret payload...')
new_datum = crypto_manager.encrypt(payload,
content_type,
content_encoding,
secret,
tenant,
kek_repo)
datum_repo.create_from(new_datum)
return new_datum
def create_encrypted_datum(secret, payload, content_type, content_encoding,
tenant, crypto_manager, datum_repo, kek_repo):
"""Modifies the secret to add the plain_text secret information.
:param secret: the secret entity to associate the secret data to
:param payload: secret data to store
:param content_type: payload content mime type
:param content_encoding: payload content encoding
:param tenant: the tenant (entity) who owns the secret
:param crypto_manager: the crypto plugin manager
:param datum_repo: the encrypted datum repository
:param kek_repo: the KEK metadata repository
:retval The response body, None if N/A
"""
if not payload:
raise exception.NoDataToProcess()
if validators.secret_too_big(payload):
raise exception.LimitExceeded()
if secret.encrypted_data:
raise ValueError('Secret already has encrypted data stored for it.')
# Encrypt payload
LOG.debug('Encrypting secret payload...')
new_datum = crypto_manager.encrypt(payload, content_type, content_encoding,
secret, tenant, kek_repo)
datum_repo.create_from(new_datum)
return new_datum
def on_put(self, keystone_id, **kwargs):
if not pecan.request.content_type or \
pecan.request.content_type == 'application/json':
pecan.abort(
415,
u._("Content-Type of '{0}' is not supported for PUT.").format(
pecan.request.content_type
)
)
payload = pecan.request.body
if not payload:
raise exception.NoDataToProcess()
if validators.secret_too_big(payload):
raise exception.LimitExceeded()
secret_model = self.repos.secret_repo.get(entity_id=self.secret_id,
keystone_id=keystone_id,
suppress_exception=True)
if not secret_model:
_secret_not_found()
if secret_model.encrypted_data:
_secret_already_has_data()
tenant_model = res.get_or_create_tenant(keystone_id,
self.repos.tenant_repo)
content_type = pecan.request.content_type
content_encoding = pecan.request.headers.get('Content-Encoding')
plugin.store_secret(payload, content_type,
content_encoding, secret_model.to_dict_fields,
secret_model, tenant_model, self.repos)
def test_secret_too_big_is_true_for_big_unicode_secrets(self):
beer = u'\U0001F37A'
data = beer * (validators.CONF.max_allowed_secret_in_bytes / 4)
data += u'1'
is_too_big = validators.secret_too_big(data)
self.assertTrue(is_too_big)
def test_secret_too_big_is_true_for_big_unicode_secrets(self):
beer = u'\U0001F37A'
data = beer * (validators.CONF.max_allowed_secret_in_bytes / 4)
data += u'1'
is_too_big = validators.secret_too_big(data)
self.assertTrue(is_too_big)
def create_encrypted_datum(secret, plain_text, tenant, crypto_manager,
tenant_secret_repo, datum_repo):
"""
Modifies the secret to add the plain_text secret information.
:param secret: the secret entity to associate the secret data to
:param plain_text: plain-text of the secret data to store
:param tenant: the tenant (entity) who owns the secret
:param crypto_manager: the crypto plugin manager
:param tenant_secret_repo: the tenant/secret association repository
:param datum_repo: the encrypted datum repository
:retval The response body, None if N/A
"""
if not plain_text:
raise exception.NoDataToProcess()
if validators.secret_too_big(plain_text):
raise exception.LimitExceeded()
if secret.encrypted_data:
raise ValueError('Secret already has encrypted data stored for it.')
fields = secret.to_dict_fields()
fields['plain_text'] = plain_text
# Encrypt plain_text
LOG.debug('Encrypting plain_text secret')
new_datum = crypto_manager.encrypt(plain_text,
secret,
tenant)
datum_repo.create_from(new_datum)
# Create Tenant/Secret entity.
new_assoc = models.TenantSecret()
new_assoc.tenant_id = tenant.id
new_assoc.secret_id = secret.id
new_assoc.role = "admin"
new_assoc.status = models.States.ACTIVE
tenant_secret_repo.create_from(new_assoc)
return new_datum
def on_put(self, external_project_id, **kwargs):
if (not pecan.request.content_type
or pecan.request.content_type == 'application/json'):
pecan.abort(
415,
u._("Content-Type of '{content_type}' is not supported for "
"PUT.").format(content_type=pecan.request.content_type))
transport_key_id = kwargs.get('transport_key_id')
payload = pecan.request.body
if not payload:
raise exception.NoDataToProcess()
if validators.secret_too_big(payload):
raise exception.LimitExceeded()
secret_model = self.repos.secret_repo.get(
entity_id=self.secret_id,
external_project_id=external_project_id,
suppress_exception=True)
if not secret_model:
_secret_not_found()
if secret_model.encrypted_data:
_secret_already_has_data()
project_model = res.get_or_create_project(external_project_id,
self.repos.project_repo)
content_type = pecan.request.content_type
content_encoding = pecan.request.headers.get('Content-Encoding')
plugin.store_secret(payload,
content_type,
content_encoding,
secret_model.to_dict_fields(),
secret_model,
project_model,
self.repos,
transport_key_id=transport_key_id)
def create_encrypted_datum(secret, plain_text, tenant, crypto_manager,
tenant_secret_repo, datum_repo):
"""
Modifies the secret to add the plain_text secret information.
:param secret: the secret entity to associate the secret data to
:param plain_text: plain-text of the secret data to store
:param tenant: the tenant (entity) who owns the secret
:param crypto_manager: the crypto plugin manager
:param tenant_secret_repo: the tenant/secret association repository
:param datum_repo: the encrypted datum repository
:retval The response body, None if N/A
"""
if not plain_text:
raise exception.NoDataToProcess()
if validators.secret_too_big(plain_text):
raise exception.LimitExceeded()
if secret.encrypted_data:
raise ValueError('Secret already has encrypted data stored for it.')
fields = secret.to_dict_fields()
fields['plain_text'] = plain_text
# Encrypt plain_text
LOG.debug('Encrypting plain_text secret')
new_datum = crypto_manager.encrypt(plain_text, secret, tenant)
datum_repo.create_from(new_datum)
# Create Tenant/Secret entity.
new_assoc = models.TenantSecret()
new_assoc.tenant_id = tenant.id
new_assoc.secret_id = secret.id
new_assoc.role = "admin"
new_assoc.status = models.States.ACTIVE
tenant_secret_repo.create_from(new_assoc)
return new_datum
def test_secret_too_big_is_false_for_small_secrets(self):
data = b'\xb0'
is_too_big = validators.secret_too_big(data)
self.assertFalse(is_too_big)
def test_secret_too_big_is_false_for_small_secrets(self):
data = b'\xb0'
is_too_big = validators.secret_too_big(data)
self.assertFalse(is_too_big)
