def test_get_encrypted_key():
passwd = u"passwd"
ekey = cu.encrypt_key(passwd)
assert ekey is not None
assert isinstance(ekey, str)
ekey2 = cu.encrypt_key(passwd)
assert ekey2 == ekey
def test_configure_save_key(set_up):
conf_file = set_up
passwd = u"passwd"
set_configuration(encrypt_key(passwd), None, None, None, conf_file)
data = get_configuration(conf_file)
key = data['key'].encode('latin1')
assert key is not None
assert isinstance(key, bytes)
def test_wrong_salt(set_up):
my_access = 'another'
other_key = cu.encrypt_key('pirillo')
sleep(1)
du.insert_secret(DOMAIN, my_access, 'login', 'password', None, 'memorable', other_key)
#the following shoud produce and InvalidToken error
sys.argv=['secret_wallet','get','-d',DOMAIN, '-a', my_access]
with io.StringIO() as buf, redirect_stdout(buf):
Parser()
assert 'InvalidToken' in buf.getvalue()
def set_up():
c_pwd = u"passwd"
table_name = "test"
key = cu.encrypt_key(c_pwd)
parameters.set_salt_key(key)
parameters.set_table_name(table_name)
du.create_table(table_name)
yield
parameters.clear()
def test_encrypt_decrypt_info():
c_pwd = u"passwd"
m_pwd = u"memorabile"
key = cu.encrypt_key(c_pwd)
info = {'first': 'value_1', 'second': 'value_2'}
ien = du.encrypt_info(info, m_pwd, key)
ide = du.decrypt_info(ien, m_pwd, key)
for key in info:
assert ide[key] == info[key]
def test_encrypt_decrypt_no_config():
c_pwd = u"passwd"
m_pwd = u"memorabile"
secret = u"mamma"
key = cu.encrypt_key(c_pwd)
esecret = cu.encrypt(secret, m_pwd, key)
v1 = cu.decrypt(esecret, m_pwd, key)
esecret2 = cu.encrypt(secret, m_pwd, key)
v2 = cu.decrypt(esecret2, m_pwd, key)
assert v1 == v2
assert v1 == secret
def test_encrypt_decrypt_secret(set_up):
conf_file = set_up
c_pwd = u"passwd"
m_pwd = u"memorabile"
secret = u"mamma"
set_configuration(encrypt_key(c_pwd), None, None, None, conf_file)
parameters.set_data(get_configuration(conf_file))
esecret = cu.encrypt(secret, m_pwd, parameters.get_salt_key())
v1 = cu.decrypt(esecret, m_pwd, parameters.get_salt_key())
esecret2 = cu.encrypt(secret, m_pwd, parameters.get_salt_key())
v2 = cu.decrypt(esecret2, m_pwd, parameters.get_salt_key())
assert v1 == v2
assert v1 == secret
def test_wrong_salt_key(set_up):
c_pwd = 'pirillo'
wrong_key = cu.encrypt_key(c_pwd)
m_pwd = u"memorabile"
domain = u"my_domain"
access = u"my_access"
secret_uid = u"me@home"
secret_pwd = u"ciao mamma"
try:
du.insert_secret(domain, access, secret_uid, secret_pwd, None, m_pwd,
wrong_key)
with pytest.raises(cryptography.fernet.InvalidToken):
du.get_secret(domain, access, m_pwd)
finally:
du.delete_secret(domain, access)
def test_configure_save_many(set_up):
conf_file = set_up
passwd = u"passwd"
profile = 'my profile'
salt = 'my salt'
table = 'my table'
set_configuration(encrypt_key(passwd), profile, table, salt, conf_file)
data = get_configuration(conf_file)
key = data['key'].encode('latin1')
assert key is not None
assert isinstance(key, bytes)
assert profile == data['profile']
assert salt == data['salt']
assert table == data['table_name']
def test_reconf_salt_key(set_up, insert_records):
old_mem = "memorable"
c_pwd = 'carpiato'
new_salt_key = cu.encrypt_key(c_pwd)
secrets = du.list_secrets("d1") + du.list_secrets("d2")
assert 3 == len(secrets)
sec = du.get_secret('d1', 'a1', old_mem)
assert "v1" == sec['info']['k1']
du.reconf_salt_key(secrets, old_mem, c_pwd, False)
secrets = du.list_secrets("d1") + du.list_secrets("d2")
assert 3 == len(secrets)
secrets = du.list_secrets("I") + du.list_secrets("D")
assert 0 == len(secrets)
sec = du.get_secret('d1', 'a1', old_mem, new_salt_key)
assert "v1" == sec['info']['k1']
with pytest.raises(cryptography.fernet.InvalidToken):
du.get_secret('d1', 'a1', old_mem)
def reconf_salt_key(secrets, old_mem, new_device_pwd, backup=False):
"""Reconfigure all secrets changing the memorable password
input:
secrets a list of secrets, as domain, asset pairs
old_mem old memorable password
new_device_pwd the new device password
backup a boolean flag to request a full baclup of the table
output:
the BackupArn of the table
"""
ekey = encrypt_key(new_device_pwd)
ns = len(secrets)
i = 0
arn = None
if backup:
arn =_backup_table("backup")
for s in secrets:
i += 1
domain = s[0]
access = s[1]
try:
message = f"[{i}/{ns}] - Reconfiguring the secret ({domain},{access})"
logger.info(message)
print(message)
secret = get_secret(domain, access, old_mem)
insert_secret("I", f"{domain}{SEPARATOR}{access}", secret['uid'], secret['pwd'], secret['info'], old_mem, ekey)
rename_secret(domain, access, "D", f"{domain}{SEPARATOR}{access}")
rename_secret("I", f"{domain}{SEPARATOR}{access}", domain, access)
delete_secret("D", f"{domain}{SEPARATOR}{access}")
except Exception as e:
logger.error(e)
message = f"Could not reconfigure ({domain},{access})"
print(message)
logger.error(message)
return arn
def reconf(self):
"""
Reconfigures either the memorable or the device password. All secrets will be re-encryted with the changed password.
It is not possible to change both passwords at the same time. Depending on the size of the wallet, this operation
might take some time. A backup of the old table is also performed.
"""
parser = argparse.ArgumentParser(description=self.reconf.__doc__,
prog='secret_wallet reconf')
#optional arguments
parser.add_argument(
'-m',
'--memorable',
action='store_true',
default=False,
help='Reconfigure secrets because of a change of memorable password'
)
parser.add_argument(
'-d',
'--device',
action='store_true',
default=False,
help='Reconfigure secrets because of a change of device password')
args = iou.my_parse(parser, sys.argv[2:])
if args is None:
return
try:
if args.memorable and args.device:
print(
"You can't reconfigure both memorable and device password at the same time"
)
elif args.memorable:
iou.my_output("You are reconfiguring the memorable password")
if is_connected():
stop_service()
iou.display_reconfiguration_warning()
iou.my_output('***Enter the existing memorable password***')
old_memorable, _ = pm.get_memorable_password(False)
iou.my_output('***Set the new memorable password***')
new_memorable, _ = pm.get_memorable_password(True)
reconf_memorable(list_secrets(None), old_memorable,
new_memorable, True)
elif args.device:
iou.my_output("You are reconfiguring the device password")
if is_connected():
stop_service()
iou.display_reconfiguration_warning()
iou.my_output('***Enter the existing memorable password***')
old_memorable, _ = pm.get_memorable_password(False)
iou.my_output('***Set the new device password***')
new_device, _ = pm.get_memorable_password(True)
reconf_salt_key(list_secrets(None), old_memorable, new_device,
True)
#now pass it to the configuration file
ekey = encrypt_key(new_device)
cdata = get_configuration()
cdata['key'] = ekey
set_configuration_data(cdata)
except Exception as e:
iou.my_output(repr(e))
def make_configurations():
"Main configuration script"
print("\nMain configuration script for your secret wallet.")
print(
"Please press return to accept the pre-set values in square brackets, or type a new value:\n"
)
answ = input("\nDo you want to configure the AWS credentials? (yes|skip) ")
if answ.lower().startswith('y'):
profile = input('{0:30}[{1:>30}] = '.format(
'AWS profile name', parameters.get_profile_name()))
if len(profile) == 0:
profile = parameters.get_profile_name()
if has_credentials() and profile in get_credentials_sections():
print(
'The AWS profile {0} is already in use. Choose another or reconfigure'
.format(profile))
exit(1)
parameters.set_profile_name(profile)
access_key = input('{0:30}[{1:>30}] = '.format('AWS access key id',
''))
secret_access_key = input('{0:30}[{1:>30}] = '.format(
'AWS secret access key', ''))
region = input('{0:30}[{1:>30}] = '.format('AWS region', ''))
cred = {
'aws access key id': access_key,
'aws seceret access key': secret_access_key,
'aws region': region
}
display_configuration(CREDENTIALS_FILE, 'AWS credentials are located',
cred)
answ = input("\nDo you want to set the credentials? (yes|skip|exit) ")
if answ.lower().startswith('y'):
set_credentials(CREDENTIALS_FILE, access_key, secret_access_key,
region)
elif answ.lower().startswith('s'):
pass
else:
exit(1)
answ = input(
"\nDo you want to configure the the secret-wallet parameters? (yes|skip) "
)
if answ.lower().startswith('y'):
profile = input('{0:30}[{1:>30}] = '.format(
'AWS profile name', parameters.get_profile_name()))
if len(profile) == 0:
profile = parameters.get_profile_name()
table = input('{0:30}[{1:>30}] = '.format('DynameDB table name',
parameters.get_table_name()))
if len(table) == 0:
table = parameters.get_table_name()
if has_configuration() and has_table(table):
print(
'The secret-wallet has been configured previously for the same table.\nTo protect secrets, you need to call a reconfigure procedure'
)
exit(1)
conf_pwd = get_password('Configuration password', 6)
conf_key = encrypt_key(conf_pwd)
conf = {
'configuration key': conf_key,
'profile': profile,
'table': table
}
parameters.set_profile_name(profile)
parameters.set_table_name(table)
display_configuration(CONFIG_FILE,
'secret wallet configuration is located', conf)
answ = input(
"\nDo you want to set the configuration parameters? (yes|exit) ")
if answ.lower().startswith('y'):
try:
set_configuration(conf_key, profile, table, None, CONFIG_FILE)
create_table(table)
except Exception as e:
print(e)
print(
"Could not write the configuration file. Make sure you have AWS connection and try again"
)
else:
exit(1)