class TestCredentialsEncrypted:
def setup(self):
self.kms_mocker = mock_kms()
self.kms_mocker.start()
setup_mock_kms(REGION, KMS_ALIAS)
self._plaintext_payload = 'plaintext credentials'
self._encrypted_payload = encrypt_with_kms(self._plaintext_payload,
REGION, KMS_ALIAS)
self._credentials = Credentials(self._encrypted_payload,
is_encrypted=True,
region=REGION)
def teardown(self):
self.kms_mocker.stop()
def test_is_encrypted(self):
"""Credentials - Encrypted Credentials - Is Encrypted"""
assert_true(self._credentials.is_encrypted())
def test_is_data(self):
"""Credentials - Encrypted Credentials - Data"""
assert_equal(self._credentials.data(), self._encrypted_payload)
def test_get_data_kms_decrypted(self):
"""Credentials - Encrypted Credentials - KMS Decrypt"""
decrypted = self._credentials.get_data_kms_decrypted()
assert_equal(decrypted, self._plaintext_payload.encode())
def test_encrypt(self):
"""Credentials - Encrypted Credentials - Encrypt
Doubly-encrypting the credentials should do nothing.
"""
self._credentials.encrypt(REGION, KMS_ALIAS)
assert_equal(self._credentials.data(), self._encrypted_payload)
@patch('boto3.client')
@patch('logging.Logger.exception')
def test_decrypt_kms_error(self, logging_exception, boto3):
"""Credentials - Encrypted Credentials - KMS Decrypt - Errors if KMS Fails to Respond"""
# We pretend that KMS errors out
boto3_client = MagicMock()
boto3.return_value = boto3_client
response = MagicMock()
boto3_client.decrypt.side_effect = ClientError(response, 'kms_decrypt')
assert_is_none(self._credentials.get_data_kms_decrypted())
logging_exception.assert_called_with(
'an error occurred during credentials decryption')
class TestCredentialsUnencrypted:
def setup(self):
self._plaintext_payload = 'plaintext credentials'
self._credentials = Credentials(self._plaintext_payload,
is_encrypted=False)
def test_is_encrypted(self):
"""Credentials - Plaintext Credentials - Is Encrypted"""
assert_false(self._credentials.is_encrypted())
def test_is_data(self):
"""Credentials - Plaintext Credentials - Data"""
assert_equal(self._credentials.data(), self._plaintext_payload)
@patch('logging.Logger.error')
def test_get_data_kms_decrypted(self, logging_error):
"""Credentials - Plaintext Credentials - KMS Decrypt"""
assert_is_none(self._credentials.get_data_kms_decrypted())
logging_error.assert_called_with(
'Cannot decrypt Credentials as they are already decrypted')
@mock_kms
def test_encrypt(self):
"""Credentials - Plaintext Credentials - Encrypt
Doubly-encrypting the credentials should do nothing.
"""
self._credentials.encrypt(REGION, KMS_ALIAS)
assert_true(self._credentials.is_encrypted())
assert_equal(self._credentials.data(),
'InBsYWludGV4dCBjcmVkZW50aWFscyI='.encode())
class TestCredentialsUnencrypted:
def setup(self):
self.kms_mocker = mock_kms()
self.kms_mocker.start()
setup_mock_kms(REGION, KMS_ALIAS)
self._plaintext_payload = 'plaintext credentials'
self._credentials = Credentials(self._plaintext_payload,
is_encrypted=False)
def teardown(self):
self.kms_mocker.stop()
def test_is_encrypted(self):
"""Credentials - Plaintext Credentials - Is Encrypted"""
assert_false(self._credentials.is_encrypted())
def test_is_data(self):
"""Credentials - Plaintext Credentials - Data"""
assert_equal(self._credentials.data(), self._plaintext_payload)
@patch('logging.Logger.error')
def test_get_data_kms_decrypted(self, logging_error):
"""Credentials - Plaintext Credentials - KMS Decrypt"""
assert_is_none(self._credentials.get_data_kms_decrypted())
logging_error.assert_called_with(
'Cannot decrypt Credentials as they are already decrypted')
def test_encrypt(self):
"""Credentials - Plaintext Credentials - Encrypt
Doubly-encrypting the credentials should do nothing.
"""
self._credentials.encrypt(REGION, KMS_ALIAS)
assert_true(self._credentials.is_encrypted())
# moto changed from simply base64 encoding data to actually
# doing proper encryption/decryption. See here:
# https://github.com/earlrob/moto/commit/98581b9196768ad8d5eaa1e02ca744c0c3b2098e
assert_not_equal(self._credentials.data(), 'plaintext credentials')