def _encrypt_data(context, data):
try:
# TODO(pbourke): move auth construction into common area if it ends up
# been required in other areas
auth = identity.V3Password(
auth_url=settings.KEY_MANAGER['auth_url'],
username=settings.KEY_MANAGER['username'],
user_domain_name=settings.KEY_MANAGER['user_domain_name'],
password=settings.KEY_MANAGER['password'],
project_name=settings.KEY_MANAGER['project_name'],
project_domain_name=settings.KEY_MANAGER['project_domain_name']
)
except (KeyError, AttributeError) as e:
LOG.exception(e)
msg = ('Could not find valid key manager credentials in the '
'murano-dashboard config. encryptData yaql function not '
'available')
raise castellan_exception.KeyManagerError(message_arg=msg)
sess = session.Session(auth=auth)
auth_context = _oslo_context.RequestContext(
auth_token=auth.get_token(sess), tenant=auth.get_project_id(sess))
options.set_defaults(cfg.CONF,
auth_endpoint=settings.KEY_MANAGER['auth_url'])
manager = key_manager.API()
try:
# TODO(pbourke): while we feel opaque data should cover the most common
# use case, we may want to add support for other secret types in the
# future (see https://goo.gl/tZhfqe)
stored_key_id = manager.store(auth_context,
opaque_data.OpaqueData(data))
except castellan_exception.KeyManagerError as e:
LOG.exception(e)
raise
return stored_key_id
def test___eq__(self):
self.assertTrue(self.opaque_data == self.opaque_data)
self.assertTrue(self.opaque_data is self.opaque_data)
self.assertFalse(self.opaque_data is None)
self.assertFalse(None == self.opaque_data)
other_opaque_data = opaque_data.OpaqueData(self.data, self.name)
self.assertTrue(self.opaque_data == other_opaque_data)
self.assertFalse(self.opaque_data is other_opaque_data)
def test_encrypt_data(self, mock_identity, mock_keymanager,
mock_oslo_context, _):
mock_service = mock.Mock(parameters={'#foo_template': 'foo_data'})
context = {'?service': mock_service}
secret_value = 'secret_password'
mock_auth_context = mock.MagicMock()
mock_oslo_context.RequestContext.return_value = mock_auth_context
yaql_functions._encrypt_data(context, secret_value)
mock_keymanager.API().store.assert_called_once_with(
mock_auth_context, opaque_data.OpaqueData(secret_value))
def test_store_secret(self):
payload = 'encrypt me!!'
key_spec = mock.MagicMock()
content_type = mock.MagicMock()
transport_key = None
secret_dto = ss.SecretDTO(ss.SecretType.SYMMETRIC, payload, key_spec,
content_type, transport_key)
response = self.plugin.store_secret(secret_dto)
data = opaque_data.OpaqueData(secret_dto.secret)
self.plugin.key_manager.store.assert_called_once_with(mock.ANY, data)
expected_response = {css.CastellanSecretStore.KEY_ID: key_ref1}
self.assertEqual(response, expected_response)
def store_cert(self, context, certificate, private_key, intermediates=None,
private_key_passphrase=None, expiration=None,
name="PKCS12 Certificate Bundle"):
p12 = crypto.PKCS12()
p12.set_certificate(certificate)
p12.set_privatekey(private_key)
if intermediates:
p12.set_ca_certificates(intermediates)
if private_key_passphrase:
raise exceptions.CertificateStorageException(
"Passphrases protected PKCS12 certificates are not supported.")
p12_data = opaque_data.OpaqueData(p12.export(), name=name)
self.manager.store(context, p12_data)
def store_secret(self, secret_dto):
if not self.store_secret_supports(secret_dto.key_spec):
raise ss.SecretAlgorithmNotSupportedException(
secret_dto.key_spec.alg)
try:
secret_ref = self.key_manager.store(
self.context,
opaque_data.OpaqueData(secret_dto.secret)
)
return {CastellanSecretStore.KEY_ID: secret_ref}
except Exception as e:
LOG.exception("Error storing secret: {}".format(
six.text_type(e)))
raise ss.SecretGeneralException(e)
def store_secret(self, secret_dto):
if not self.store_secret_supports(secret_dto.key_spec):
raise ss.SecretAlgorithmNotSupportedException(
secret_dto.key_spec.alg)
plaintext = base64.b64decode(secret_dto.secret)
try:
secret_id = self.key_manager.store(
self.context,
opaque_data.OpaqueData(plaintext)
)
return self._meta_dict(secret_id)
except Exception as e:
LOG.exception("Error storing secret: {}".format(
six.text_type(e)))
raise ss.SecretGeneralException(e)
def setUp(self):
super(WhenTestingVaultSecretStore, self).setUp()
self.key_manager_mock = mock.MagicMock(name="key manager mock")
self.key_manager_mock.create_key_pair.return_value = (key_ref1,
key_ref2)
self.key_manager_mock.create_key.return_value = key_ref1
self.key_manager_mock.store.return_value = key_ref1
secret_object = opaque_data.OpaqueData(secret_passphrase)
self.key_manager_mock.get.return_value = secret_object
self.cfg_mock = mock.MagicMock(name='config mock')
self.cfg_mock.vault_plugin = mock.MagicMock(use_ssl=False,
root_token_id='12345')
self.plugin = vss.VaultSecretStore(self.cfg_mock)
self.plugin.key_manager = self.key_manager_mock
self.plugin_name = "VaultSecretStore"
def test_store_secret(self):
payload = b'encrypt me!!'
key_spec = mock.MagicMock()
content_type = mock.MagicMock()
transport_key = None
secret_dto = ss.SecretDTO(ss.SecretType.SYMMETRIC,
base64.b64encode(payload),
key_spec,
content_type,
transport_key)
response = self.plugin.store_secret(secret_dto)
data = opaque_data.OpaqueData(payload)
self.plugin.key_manager.store.assert_called_once_with(
mock.ANY,
data
)
expected_response = self.plugin._meta_dict(key_ref1)
self.assertEqual(response, expected_response)
def test_fetch_secret(self):
# fake KeyManager populated with secret
km = fake.fake_api()
secret_id = km.store("fake_context",
opaque_data.OpaqueData(b"super_secret!"))
# driver config
config = "[key_manager]\nbackend=vault"
mapping = "[DEFAULT]\nmy_secret=" + secret_id
# creating temp files
with tempfile.NamedTemporaryFile() as config_file:
config_file.write(config.encode("utf-8"))
config_file.flush()
with tempfile.NamedTemporaryFile() as mapping_file:
mapping_file.write(mapping.encode("utf-8"))
mapping_file.flush()
self.conf_fixture.load_raw_values(
group='castellan_source',
driver='castellan',
config_file=config_file.name,
mapping_file=mapping_file.name,
)
source = self.driver.open_source_from_opt_group(
self.conf,
'castellan_source')
# replacing key_manager with fake one
source._mngr = km
# testing if the source is able to retrieve
# the secret value stored in the key_manager
# using the secret_id from the mapping file
self.assertEqual("super_secret!",
source.get("DEFAULT",
"my_secret",
cfg.StrOpt(""))[0])
def _get_test_opaque_data():
data = bytes(b'opaque data')
opaque_object = opaque_data.OpaqueData(data)
return opaque_object
def test___ne___name(self):
other_opaque = opaque_data.OpaqueData(self.data, "other opaque")
self.assertTrue(self.opaque_data != other_opaque)
def test___ne___data(self):
other_opaque = opaque_data.OpaqueData(b'other data', self.name)
self.assertTrue(self.opaque_data != other_opaque)
def _create_data(self):
return opaque_data.OpaqueData(self.data, self.name)
def test_get_created_none(self):
created = None
data = opaque_data.OpaqueData(self.data, self.name, created)
self.assertEqual(created, data.created)
def test_is_only_metadata(self):
d = opaque_data.OpaqueData(None, self.name, self.created)
self.assertTrue(d.is_metadata_only())
