def test_secret_substitution_missing_encryption_sources_raises_exc(self):
    """Check that a secret reference with no matching source raises.

    The encrypted certificate's data is a random Barbican reference, while
    the ``encryption_sources`` passed to ``SecretsSubstitution`` holds only
    the placeholder entry ``{'foo': 'bar'}``. Advancing ``substitute_all``
    is therefore expected to raise ``EncryptionSourceNotFound``.
    """
    barbican_ref = test_utils.rand_barbican_ref()
    cert_doc = self.secrets_factory.gen_test(
        'Certificate', 'encrypted', data=barbican_ref)
    cert_doc['metadata']['name'] = 'example-cert'

    substitution = {
        "dest": {
            "path": ".chart.values.tls.certificate",
        },
        "src": {
            "schema": "deckhand/Certificate/v1",
            "name": "example-cert",
            "path": ".path-to-nowhere",
        },
    }
    mapping = {"_GLOBAL_SUBSTITUTIONS_1_": [substitution]}
    generated = self.document_factory.gen_test(
        mapping, global_abstract=False)

    bucket = test_utils.rand_name('bucket')
    # Only the last generated document is stored next to the certificate.
    documents = self.create_documents(bucket, [cert_doc, generated[-1]])

    # Deliberately lacks an entry for the certificate's reference.
    placeholder_sources = {'foo': 'bar'}
    substitutor = secrets_manager.SecretsSubstitution(
        documents, encryption_sources=placeholder_sources)

    # The result is advanced with next(), so the error has to surface by
    # the time the first item is requested.
    with testtools.ExpectedException(errors.EncryptionSourceNotFound):
        next(substitutor.substitute_all(documents))
def test_delete_revisions_also_deletes_barbican_secrets(self):
    """Check that deleting all revisions also deletes the stored secret.

    An encrypted document is PUT while ``SecretsManager`` is mocked to
    return a known reference from ``create``. The revisions are then
    deleted with ``barbican_driver`` mocked, and the driver must have been
    asked exactly once to delete that same reference.
    """
    # NOTE(review): '@' is presumably the always-allow policy check, so
    # authorization itself is not exercised by this test -- confirm.
    policy_rules = {
        'deckhand:create_cleartext_documents': '@',
        'deckhand:create_encrypted_documents': '@',
        'deckhand:delete_revisions': '@',
    }
    self.policy.set_rules(policy_rules)

    # Resolved against the current working directory, so the test depends
    # on where the runner is started.
    passphrase_path = os.path.join(
        os.getcwd(), 'deckhand', 'tests', 'unit', 'resources',
        'sample_passphrase.yaml')
    with open(passphrase_path) as handle:
        passphrase_yaml = handle.read()

    expected_ref = test_utils.rand_barbican_ref()

    # Creation: the mocked manager hands back the known reference.
    with mock.patch.object(secrets_manager, 'SecretsManager',
                           autospec=True) as secrets_mgr_cls:
        secrets_mgr_cls.create.return_value = expected_ref
        resp = self.app.simulate_put(
            '/api/v1.0/buckets/mop/documents',
            headers={'Content-Type': 'application/x-yaml'},
            body=passphrase_yaml)
    self.assertEqual(200, resp.status_code)

    # Deletion: only the driver is mocked, so the call can be inspected.
    with mock.patch.object(secrets_manager.SecretsManager,
                           'barbican_driver',
                           autospec=True) as driver_mock:
        resp = self.app.simulate_delete(
            '/api/v1.0/revisions',
            headers={'Content-Type': 'application/x-yaml'})
    self.assertEqual(204, resp.status_code)

    # Exactly one delete, for the reference handed out at creation.
    driver_mock.delete_secret.assert_called_once_with(expected_ref)
def _test_secrets_substitution(self, secret_type, expected_exception):
    """Assert that substituting from a certificate raises the given error.

    Builds a ``Certificate`` document of ``secret_type`` whose data is a
    random Barbican reference, plus a document that substitutes from it.
    ``SecretsSubstitution`` is created without ``encryption_sources``.

    :param secret_type: Second argument passed to
        ``secrets_factory.gen_test`` for the certificate.
    :param expected_exception: Exception class that advancing
        ``substitute_all`` must raise.
    """
    barbican_ref = test_utils.rand_barbican_ref()
    cert_doc = self.secrets_factory.gen_test(
        'Certificate', secret_type, data=barbican_ref)
    cert_doc['metadata']['name'] = 'example-cert'

    substitution = {
        "dest": {
            "path": ".chart.values.tls.certificate",
        },
        "src": {
            "schema": "deckhand/Certificate/v1",
            "name": "example-cert",
            "path": ".",
        },
    }
    mapping = {"_GLOBAL_SUBSTITUTIONS_1_": [substitution]}
    generated = self.document_factory.gen_test(
        mapping, global_abstract=False)

    bucket = test_utils.rand_name('bucket')
    # Only the last generated document is stored next to the certificate.
    documents = self.create_documents(bucket, [cert_doc, generated[-1]])

    substitutor = secrets_manager.SecretsSubstitution(documents)
    # The result is advanced with next(), so the error has to surface by
    # the time the first item is requested.
    with testtools.ExpectedException(expected_exception):
        next(substitutor.substitute_all(documents))
def setUp(self):
    """Set up a secret reference/payload pair and invalidate the cache."""
    super(BarbicanCacheTest, self).setUp()
    self.secret_payload = 'very-secret-payload'
    self.secret_ref = test_utils.rand_barbican_ref()
    # Invalidate the cache for every test, so that an entry left by an
    # earlier test cannot answer a lookup made in this one.
    cache.invalidate()