Esempio n. 1
0
 def test_ref_update_compile(self):
     "check ref update and compile() output is valid"
     tag = '?{ref:my/ref1}'
     REF_CONTROLLER[tag] = Ref(b'ref 1 more data')
     ref_obj = REF_CONTROLLER[tag]
     compiled = ref_obj.compile()
     self.assertEqual(compiled, '?{ref:my/ref1:ed438a62}')
Esempio n. 2
0
 def test_ref_reveal(self):
     "check ref reveal() output is valid"
     tag = '?{ref:my/ref2}'
     REF_CONTROLLER[tag] = Ref(b'ref 2 data')
     ref_obj = REF_CONTROLLER[tag]
     revealed = ref_obj.reveal()
     self.assertEqual(revealed, 'ref 2 data')
Esempio n. 3
0
 def test_ref_compile(self):
     "check ref compile() output is valid"
     tag = '?{ref:my/ref1}'
     REF_CONTROLLER[tag] = Ref(b'ref 1 data')
     ref_obj = REF_CONTROLLER[tag]
     compiled = ref_obj.compile()
     self.assertEqual(compiled, '?{ref:my/ref1:3342a45c}')
Esempio n. 4
0
    def test_reveal_subvars(self):
        "write yaml secret, and access sub-variables in secrets"
        tag_to_save = '?{ref:ref/subvars}'
        yaml_secret = b"""
        var1:
          var2: hello
        var3:
          var4: world
        """
        REF_CONTROLLER[tag_to_save] = Ref(yaml_secret)
        self.assertTrue(os.path.isfile(os.path.join(REFS_HOME, 'ref/subvars')))

        tag_subvar = '?{ref:ref/[email protected]}'
        data = "message here: {}".format(tag_subvar)
        revealed_data = REVEALER.reveal_raw(data)
        self.assertEqual("message here: hello", revealed_data)

        tag_subvar = '?{ref:ref/[email protected]}'
        data = "message here: {}".format(tag_subvar)
        revealed_data = REVEALER.reveal_raw(data)
        self.assertEqual("message here: world", revealed_data)

        with self.assertRaises(KeyError):
            tag_subvar = '?{ref:ref/[email protected]}'
            data = "message here: {}".format(tag_subvar)
            revealed_data = REVEALER.reveal_raw(data)
Esempio n. 5
0
 def test_ref_path(self):
     "check ref tag path is correct"
     tag = '?{ref:my/ref6}'
     tag, token, func_str = REF_CONTROLLER.tag_params(tag)
     self.assertEqual(tag, '?{ref:my/ref6}')
     self.assertEqual(token, 'ref:my/ref6')
     self.assertEqual(func_str, None)
     REF_CONTROLLER[tag] = Ref(b'ref 6 data')
     ref_obj = REF_CONTROLLER[tag]
     self.assertEqual(ref_obj.path, 'my/ref6')
Esempio n. 6
0
 def test_compile_subvars(self):
     """
     test that refs with sub-variables compile properly,
     and refs with different sub-variables stored in the same file has the same hash
     """
     subvar_tag1 = '?{ref:ref/subvars@var1}'
     subvar_tag2 = '?{ref:ref/subvars@var2}'
     REF_CONTROLLER['?{ref:ref/subvars}'] = Ref(b'ref 1 data')
     ref_obj1 = REF_CONTROLLER[subvar_tag1]
     ref_obj2 = REF_CONTROLLER[subvar_tag2]
     self.assertEqual(ref_obj1.compile(),
                      '?{ref:ref/subvars@var1:4357a29b}')
     self.assertEqual(ref_obj2.compile(),
                      '?{ref:ref/subvars@var2:4357a29b}')
Esempio n. 7
0
    def test_reveal_subvars_raise_RefError(self):
        """
        test that reveal with sub-variable fails should the secret not
        be in valid yaml format
        """
        tag_to_save = '?{ref:ref/subvars_error}'
        yaml_secret = b"this is not yaml"
        REF_CONTROLLER[tag_to_save] = Ref(yaml_secret)
        self.assertTrue(
            os.path.isfile(os.path.join(REFS_HOME, 'ref/subvars_error')))

        with self.assertRaises(RefError):
            tag_subvar = '?{ref:ref/[email protected]}'
            data = "message here: {}".format(tag_subvar)
            REVEALER.reveal_raw(data)
Esempio n. 8
0
def secret_write(args, ref_controller):
    "Write secret to ref_controller based on cli args"
    token_name = args.write
    file_name = args.file
    data = None

    if file_name is None:
        fatal_error('--file is required with --write')
    if file_name == '-':
        data = ''
        for line in sys.stdin:
            data += line
    else:
        with open(file_name) as fp:
            data = fp.read()

    if token_name.startswith("gpg:"):
        type_name, token_path = token_name.split(":")
        recipients = [dict((("name", name), )) for name in args.recipients]
        if args.target_name:
            inv = inventory_reclass(args.inventory_path)
            kap_inv_params = inv['nodes'][
                args.target_name]['parameters']['kapitan']
            if 'secrets' not in kap_inv_params:
                raise KapitanError(
                    "parameters.kapitan.secrets not defined in {}".format(
                        args.target_name))

            recipients = kap_inv_params['secrets']['gpg']['recipients']
        if not recipients:
            raise KapitanError(
                "No GPG recipients specified. Use --recipients or specify them in "
                + "parameters.kapitan.secrets.gpg.recipients and use --target")
        secret_obj = GPGSecret(data, recipients, encode_base64=args.base64)
        tag = '?{{gpg:{}}}'.format(token_path)
        ref_controller[tag] = secret_obj

    elif token_name.startswith("gkms:"):
        type_name, token_path = token_name.split(":")
        key = args.key
        if args.target_name:
            inv = inventory_reclass(args.inventory_path)
            kap_inv_params = inv['nodes'][
                args.target_name]['parameters']['kapitan']
            if 'secrets' not in kap_inv_params:
                raise KapitanError(
                    "parameters.kapitan.secrets not defined in {}".format(
                        args.target_name))

            key = kap_inv_params['secrets']['gkms']['key']
        if not key:
            raise KapitanError(
                "No KMS key specified. Use --key or specify it in parameters.kapitan.secrets.gkms.key and use --target"
            )
        secret_obj = GoogleKMSSecret(data, key, encode_base64=args.base64)
        tag = '?{{gkms:{}}}'.format(token_path)
        ref_controller[tag] = secret_obj

    elif token_name.startswith("awskms:"):
        type_name, token_path = token_name.split(":")
        key = args.key
        if args.target_name:
            inv = inventory_reclass(args.inventory_path)
            kap_inv_params = inv['nodes'][
                args.target_name]['parameters']['kapitan']
            if 'secrets' not in kap_inv_params:
                raise KapitanError(
                    "parameters.kapitan.secrets not defined in {}".format(
                        args.target_name))

            key = kap_inv_params['secrets']['awskms']['key']
        if not key:
            raise KapitanError(
                "No KMS key specified. Use --key or specify it in parameters.kapitan.secrets.awskms.key and use --target"
            )
        secret_obj = AWSKMSSecret(data, key, encode_base64=args.base64)
        tag = '?{{awskms:{}}}'.format(token_path)
        ref_controller[tag] = secret_obj

    elif token_name.startswith("ref:"):
        type_name, token_path = token_name.split(":")
        _data = data.encode()
        encoding = 'original'
        if args.base64:
            _data = base64.b64encode(_data).decode()
            _data = _data.encode()
            encoding = 'base64'
        ref_obj = Ref(_data, encoding=encoding)
        tag = '?{{ref:{}}}'.format(token_path)
        ref_controller[tag] = ref_obj

    else:
        fatal_error(
            "Invalid token: {name}. Try using gpg/gkms/awskms/ref:{name}".
            format(name=token_name))