def test_new_secret_is_created_from_dict(self): date_time = datetime.datetime.now().isoformat() self.parsed_secret['expiration'] = date_time secret = models.Secret(self.parsed_secret) self.assertEqual(self.parsed_secret['name'], secret.name) self.assertEqual(self.parsed_secret['secret_type'], secret.secret_type) self.assertEqual(self.parsed_secret['algorithm'], secret.algorithm) self.assertEqual(self.parsed_secret['bit_length'], secret.bit_length) self.assertEqual(self.parsed_secret['mode'], secret.mode) self.assertIsInstance(secret.expiration, datetime.datetime) self.assertEqual(self.parsed_secret['creator_id'], secret.creator_id) self.assertEqual(secret.created_at, secret.updated_at) fields = secret.to_dict_fields() self.assertEqual(self.parsed_secret['secret_type'], fields['secret_type']) self.assertEqual(self.parsed_secret['algorithm'], fields['algorithm']) self.assertEqual(self.parsed_secret['creator_id'], fields['creator_id'])
def test_generate_128_bit_key(self): secret = models.Secret() secret.bit_length = 128 secret.algorithm = "AES" kek_meta_dto = self._get_mocked_kek_meta_dto() generate_dto = plugin.GenerateDTO( secret.algorithm, secret.bit_length, None, None) response_dto = self.plugin.generate_symmetric( generate_dto, kek_meta_dto, mock.MagicMock() ) decrypt_dto = plugin.DecryptDTO(response_dto.cypher_text) key = self.plugin.decrypt(decrypt_dto, kek_meta_dto, response_dto.kek_meta_extended, mock.MagicMock()) self.assertEqual(16, len(key))
def _create_base_secret(self, project_id=None): # Setup the secret and needed base relationship secret_repo = repositories.get_secret_repository() session = secret_repo.get_session() if project_id is None: # don't re-create project if it created earlier project = models.Project() project.external_id = "keystone_project_id" project.save(session=session) project_id = project.id secret_model = models.Secret() secret_model.project_id = project_id secret = secret_repo.create_from(secret_model, session=session) secret.save(session=session) session.commit() return secret
def test_store_secret_dto(self): spec = { 'algorithm': 'AES', 'bit_length': 256, 'secret_type': 'symmetric' } secret = base64.b64encode(b'ABCDEFABCDEFABCDEFABCDEF') self.plugin_resource.store_secret(unencrypted_raw=secret, content_type_raw=self.content_type, content_encoding='base64', secret_model=models.Secret(spec), project_model=self.project_model) dto = self.moc_plugin.store_secret.call_args_list[0][0][0] self.assertEqual("symmetric", dto.type) self.assertEqual(secret, dto.secret) self.assertEqual(spec['algorithm'], dto.key_spec.alg) self.assertEqual(spec['bit_length'], dto.key_spec.bit_length) self.assertEqual(self.content_type, dto.content_type)
def create_secret(mime_type, id="id", name="name", algorithm=None, bit_length=None, cypher_type=None, encrypted_datum=None): """Generate a Secret entity instance.""" info = { 'id': id, 'name': name, 'mime_type': mime_type, 'algorithm': algorithm, 'bit_length': bit_length, 'cypher_type': cypher_type } secret = models.Secret(info) if encrypted_datum: secret.encrypted_data = [encrypted_datum] return secret
def on_post(self, external_project_id, **kwargs): LOG.debug('Start on_post for project-ID %s:...', external_project_id) data = api.load_body(pecan.request, validator=self.validator) project = res.get_or_create_project(external_project_id) self.quota_enforcer.enforce(project) transport_key_needed = data.get('transport_key_needed', 'false').lower() == 'true' ctxt = controllers._get_barbican_context(pecan.request) if ctxt: # in authenticated pipleline case, always use auth token user data['creator_id'] = ctxt.user secret_model = models.Secret(data) new_secret, transport_key_model = plugin.store_secret( unencrypted_raw=data.get('payload'), content_type_raw=data.get('payload_content_type', 'application/octet-stream'), content_encoding=data.get('payload_content_encoding'), secret_model=secret_model, project_model=project, transport_key_needed=transport_key_needed, transport_key_id=data.get('transport_key_id')) url = hrefs.convert_secret_to_href(new_secret.id) LOG.debug('URI to secret is %s', url) pecan.response.status = 201 pecan.response.headers['Location'] = url LOG.info('Created a secret for project: %s', external_project_id) if transport_key_model is not None: tkey_url = hrefs.convert_transport_key_to_href( transport_key_model.id) return {'secret_ref': url, 'transport_key_ref': tkey_url} else: return {'secret_ref': url}
def test_get_secret_list(self): session = self.repo.get_session() project = models.Project() project.external_id = "my keystone id" project.save(session=session) secret_model = models.Secret() secret_model.project_id = project.id secret = self.repo.create_from(secret_model, session=session) session.commit() secrets, offset, limit, total = self.repo.get_secret_list( "my keystone id", session=session, ) self.assertEqual([secret.id], [s.id for s in secrets]) self.assertEqual(0, offset) self.assertEqual(10, limit) self.assertEqual(1, total)
def test_get_by_create_date(self): session = self.repo.get_session() secret = self.repo.create_from(models.Secret(), session=session) project = models.Project() project.external_id = "my keystone id" project.save(session=session) project_secret = models.ProjectSecret() project_secret.secret_id = secret.id project_secret.project_id = project.id project_secret.save(session=session) session.commit() secrets, offset, limit, total = self.repo.get_by_create_date( "my keystone id", session=session, ) self.assertEqual([s.id for s in secrets], [secret.id]) self.assertEqual(offset, 0) self.assertEqual(limit, 10) self.assertEqual(total, 1)
def create_secret(id_ref="id", name="name", algorithm=None, bit_length=None, mode=None, encrypted_datum=None, content_type=None): """Generate a Secret entity instance.""" info = { 'id': id_ref, 'name': name, 'algorithm': algorithm, 'bit_length': bit_length, 'mode': mode } secret = models.Secret(info) secret.id = id_ref if encrypted_datum: secret.encrypted_data = [encrypted_datum] if content_type: content_meta = models.SecretStoreMetadatum('content_type', content_type) secret.secret_store_metadata['content_type'] = content_meta return secret
def test_can_create_new_secret_with_transport_key(self, mocked_store): # TODO(jvrbanac): Look into removing this patch mocked_store.return_value = models.Secret(), None # Create Transport Key (keeping for session scoping reasons) transport_key_model = models.TransportKey('default_plugin', 'tkey1234') transport_key_id = transport_key_model.id tkey_repo.create_from(transport_key_model) # Create a normal secret with the TransportKey resp, secret_uuid = create_secret(self.app, payload=b'not-encrypted', content_type='text/plain', transport_key_id=transport_key_id) self.assertEqual(201, resp.status_int) # We're interested in the transport key values mocked_store.assert_called_once_with(unencrypted_raw='not-encrypted', content_type_raw='text/plain', content_encoding=None, secret_model=mock.ANY, project_model=mock.ANY, transport_key_id=transport_key_id, transport_key_needed=False)
def setUp(self): self.secret = models.Secret({}) self.secret.secret_id = "secret#1" self.datum = models.EncryptedDatum(self.secret) self.secret.encrypted_data = [self.datum]
def test_new_secret_is_created_from_dict(self): secret = models.Secret(self.parsed_secret) self.assertEqual(secret.name, self.parsed_secret['name']) self.assertEqual(secret.algorithm, self.parsed_secret['algorithm']) self.assertEqual(secret.bit_length, self.parsed_secret['bit_length']) self.assertEqual(secret.mode, self.parsed_secret['mode'])
def create_secret(project=None, session=None): secret = models.Secret() secret.project_id = project.id secret_repo = repositories.get_secret_repository() secret_repo.create_from(secret, session=session) return secret
def setUp(self): super(BaseCertificateRequestsTestCase, self).setUp() self.external_project_id = "56789" self.project = res.get_or_create_project(self.external_project_id) project_repo.save(self.project) self.barbican_meta_dto = mock.MagicMock() self.order_meta = {} self.plugin_meta = {} self.barbican_meta = {} self.result = cert_man.ResultDTO( cert_man.CertificateStatus.WAITING_FOR_CA ) self.result_follow_on = common.FollowOnProcessingStatusDTO() self.cert_plugin = mock.MagicMock() self.cert_plugin.issue_certificate_request.return_value = self.result self.cert_plugin.check_certificate_status.return_value = self.result self.store_plugin = mock.MagicMock() parsed_ca = { 'plugin_name': "cert_plugin", 'plugin_ca_id': "XXXX", 'name': "test ca", 'description': 'Test CA', 'ca_signing_certificate': 'ZZZZZ', 'intermediates': 'YYYYY' } self.ca = models.CertificateAuthority(parsed_ca) ca_repo.create_from(self.ca) self.ca_id = self.ca.id # second ca for testing parsed_ca = { 'plugin_name': "cert_plugin", 'plugin_ca_id': "XXXX2", 'name': "test ca2", 'description': 'Test CA2', 'ca_signing_certificate': 'ZZZZZ2', 'intermediates': 'YYYYY2' } self.ca2 = models.CertificateAuthority(parsed_ca) ca_repo.create_from(self.ca2) self.ca_id2 = self.ca2.id # data for preferred CA and global preferred CA tests # add those to the repo in those tests self.pref_ca = models.PreferredCertificateAuthority( self.project.id, self.ca_id) self.global_pref_ca = models.PreferredCertificateAuthority( self.project.id, self.ca_id) # data for stored key cases self.private_key = models.Secret() self.private_key.secret_type = 'PRIVATE' self.private_key.project_id = self.project.id secret_repo.create_from(self.private_key) self.public_key = models.Secret() self.public_key.secret_type = 'PUBLIC' self.public_key.project_id = self.project.id secret_repo.create_from(self.public_key) self.passphrase = models.Secret() self.passphrase.secret_type = 'PASSPHRASE' self.passphrase.project_id = self.project.id secret_repo.create_from(self.passphrase) self.private_key_value = None self.public_key_value = "public_key" self.passphrase_value = None self.parsed_container_with_passphrase = { 'name': 'container name', 'type': 'rsa', 'secret_refs': [ {'name': 'private_key', 'secret_ref': 'https://localhost/secrets/' + self.private_key.id}, {'name': 'public_key', 'secret_ref': 'https://localhost/secrets/' + self.public_key.id}, {'name': 'private_key_passphrase', 'secret_ref': 'https://localhost/secrets/' + self.passphrase.id} ] } self.parsed_container = { 'name': 'container name', 'type': 'rsa', 'secret_refs': [ {'name': 'private_key', 'secret_ref': 'https://localhost/secrets/' + self.private_key.id}, {'name': 'public_key', 'secret_ref': 'https://localhost/secrets/' + self.public_key.id} ] } self.container_with_passphrase = models.Container( self.parsed_container_with_passphrase) self.container_with_passphrase.project_id = self.project.id container_repo.create_from(self.container_with_passphrase) self.container = models.Container(self.parsed_container) self.container.project_id = self.project.id container_repo.create_from(self.container) repositories.commit() self.stored_key_meta = { cert_man.REQUEST_TYPE: cert_man.CertificateRequestType.STORED_KEY_REQUEST, "container_ref": "https://localhost/containers/" + self.container.id, "subject_dn": "cn=host.example.com,ou=dev,ou=us,o=example.com" } self.order = models.Order() self.order.meta = self.order_meta self.order.project_id = self.project.id self.order.order_barbican_meta = self.barbican_meta self.order.type = 'certificate' order_repo.create_from(self.order) self._config_cert_plugin() self._config_store_plugin() self._config_cert_event_plugin() self._config_save_meta_plugin() self._config_get_meta_plugin() self._config_save_barbican_meta_plugin() self._config_get_barbican_meta_plugin() self._config_barbican_meta_dto()
def _init(self, payload=b'not-encrypted', payload_content_type='text/plain', payload_content_encoding=None): self.name = 'name' self.payload = payload self.payload_content_type = payload_content_type self.payload_content_encoding = payload_content_encoding self.secret_algorithm = 'AES' self.secret_bit_length = 256 self.secret_mode = 'CBC' self.secret_req = { 'name': self.name, 'algorithm': self.secret_algorithm, 'bit_length': self.secret_bit_length, 'creator_id': None, 'mode': self.secret_mode } if payload: self.secret_req['payload'] = payload if payload_content_type: self.secret_req['payload_content_type'] = payload_content_type if payload_content_encoding: self.secret_req['payload_content_encoding'] = ( payload_content_encoding) # Set up mocked project self.external_project_id = 'keystone1234' self.project_entity_id = 'tid1234' self.project = models.Project() self.project.id = self.project_entity_id self.project.external_id = self.external_project_id # Set up mocked project repo self.project_repo = mock.MagicMock() self.project_repo.find_by_external_project_id.return_value = ( self.project) self.setup_project_repository_mock(self.project_repo) # Set up mocked secret self.secret = models.Secret() self.secret.id = utils.generate_test_valid_uuid() # Set up mocked secret repo self.secret_repo = mock.MagicMock() self.secret_repo.create_from.return_value = self.secret self.setup_secret_repository_mock(self.secret_repo) # Set up mocked encrypted datum repo self.datum_repo = mock.MagicMock() self.datum_repo.create_from.return_value = None self.setup_encrypted_datum_repository_mock(self.datum_repo) # Set up mocked kek datum self.kek_datum = models.KEKDatum() self.kek_datum.kek_label = "kek_label" self.kek_datum.bind_completed = False self.kek_datum.algorithm = '' self.kek_datum.bit_length = 0 self.kek_datum.mode = '' self.kek_datum.plugin_meta = '' # Set up mocked kek datum repo self.kek_repo = mock.MagicMock() self.kek_repo.find_or_create_kek_datum.return_value = self.kek_datum self.setup_kek_datum_repository_mock(self.kek_repo) # Set up mocked secret meta repo self.setup_secret_meta_repository_mock() # Set up mocked transport key self.transport_key = models.TransportKey('default_plugin_name', 'XXXABCDEF') self.transport_key_id = 'tkey12345' self.tkey_url = hrefs.convert_transport_key_to_href( self.transport_key.id) # Set up mocked transport key self.setup_transport_key_repository_mock()
def setUp(self): super(TestSecretStoreBase, self).setUp() self.patchers = [] # List of patchers utilized in this test class. self.project_id = '12345' self.content_type = 'application/octet-stream' self.content_encoding = 'base64' self.secret = base64.b64encode(b'secret') self.decrypted_secret = b'decrypted_secret' self.cypher_text = b'cypher_text' self.kek_meta_extended = 'kek-meta-extended' self.spec_aes = secret_store.KeySpec('AES', 64, 'CBC') self.spec_rsa = secret_store.KeySpec( 'RSA', 1024, passphrase='changeit') self.project_model = mock.MagicMock() self.project_model.id = 'project-model-id' self.project_model.external_id = self.project_id self.secret_dto = secret_store.SecretDTO( secret_store.SecretType.OPAQUE, self.secret, secret_store.KeySpec(), self.content_type ) self.response_dto = crypto.ResponseDTO( self.cypher_text, kek_meta_extended=self.kek_meta_extended) self.private_key_dto = crypto.ResponseDTO(self.cypher_text) self.public_key_dto = crypto.ResponseDTO(self.cypher_text) self.passphrase_dto = crypto.ResponseDTO(self.cypher_text) self.kek_meta_project_model = models.KEKDatum() self.kek_meta_project_model.plugin_name = 'plugin-name' self.kek_meta_project_model.kek_label = 'kek-meta-label' self.kek_meta_project_model.algorithm = 'kek-meta-algo' self.kek_meta_project_model.bit_length = 1024 self.kek_meta_project_model.mode = 'kek=meta-mode' self.kek_meta_project_model.plugin_meta = 'kek-meta-plugin-meta' self.encrypted_datum_model = models.EncryptedDatum() self.encrypted_datum_model.kek_meta_project = ( self.kek_meta_project_model) self.encrypted_datum_model.cypher_text = base64.b64encode( b'cypher_text') self.encrypted_datum_model.content_type = 'content_type' self.encrypted_datum_model.kek_meta_extended = 'extended_meta' self.secret_model = models.Secret( { 'algorithm': 'myalg', 'bit_length': 1024, 'mode': 'mymode' } ) self.secret_model.id = 'secret-model-id' self.secret_model.encrypted_data = [self.encrypted_datum_model] self.context = store_crypto.StoreCryptoContext( secret_model=self.secret_model, project_model=self.project_model, content_type=self.content_type)
def _do_create_instance(self): return models.Secret()
def create_secret(data, tenant, crypto_manager, secret_repo, tenant_secret_repo, datum_repo, kek_repo, ok_to_generate=False): """Common business logic to create a secret.""" time_keeper = utils.TimeKeeper('Create Secret Resource') new_secret = models.Secret(data) time_keeper.mark('after Secret model create') new_datum = None content_type = data.get('payload_content_type', 'application/octet-stream') if 'payload' in data: payload = data.get('payload') content_encoding = data.get('payload_content_encoding') LOG.debug('Encrypting payload...') new_datum = crypto_manager.encrypt(payload, content_type, content_encoding, new_secret, tenant, kek_repo, enforce_text_only=True) time_keeper.mark('after encrypt') elif ok_to_generate: LOG.debug('Generating new secret...') # TODO(atiwari): With new typed Order API proposal # we need to translate new_secret to meta # currently it is working as meta will have same attributes new_datum = crypto_manager. \ generate_symmetric_encryption_key(new_secret, content_type, tenant, kek_repo) time_keeper.mark('after secret generate') else: LOG.debug('Creating metadata only for the new secret. ' 'A subsequent PUT is required') # Create Secret entities in datastore. secret_repo.create_from(new_secret) time_keeper.mark('after Secret datastore create') new_assoc = models.TenantSecret() time_keeper.mark('after TenantSecret model create') new_assoc.tenant_id = tenant.id new_assoc.secret_id = new_secret.id new_assoc.role = "admin" new_assoc.status = models.States.ACTIVE tenant_secret_repo.create_from(new_assoc) time_keeper.mark('after TenantSecret datastore create') if new_datum: new_datum.secret_id = new_secret.id datum_repo.create_from(new_datum) time_keeper.mark('after Datum datastore create') time_keeper.dump() return new_secret