def test_read_encrypted_data_bag_item():
"""
Ensures that when the --decrypt flag is not passed the content is not decrypted.
"""
# setup: upload secret
args = parse_args([
'data', 'bag', 'from', 'file', 'aws', test_base.DATA_BAG,
test_base.DATA_BAG_ITEM_FILE_2, '-c', test_base.CFG_FILE,
'--secret-file', test_base.SECRETS_FILE
])
cmd = UploadAWSDataBag(args)
validate_common_props(cmd)
cmd.execute()
# test: read secret
args = parse_args([
'data', 'bag', 'show', 'aws', test_base.DATA_BAG,
test_base.DATA_BAG_ITEM_NAME_2, '-c', test_base.CFG_FILE
])
cmd = ShowAWSDataBag(args)
validate_common_props(cmd)
assert cmd.item == test_base.DATA_BAG_ITEM_NAME_2
data_bag_item = cmd.execute()
assert "encrypted_data" in data_bag_item
assert "username" not in data_bag_item
with open(test_base.DATA_BAG_ITEM_FILE_2) as data_file:
orig_data = json.load(data_file)
with pytest.raises(AssertionError):
compare_json(orig_data, data_bag_item)
def list_databags(cloud, messer_config):
args = messer.parse_args(
['data', 'bag', 'show', cloud, '-c', messer_config.name])
cmd = MesserCommandLoader(cloud,
'messer.databag').load("Show{cloud}DataBag",
args)
return cmd.execute()
def create_data_bag(cloud, bag, messer_config):
args = messer.parse_args(
['data', 'bag', 'create', cloud, bag, '-c', messer_config.name])
cmd = MesserCommandLoader(cloud,
'messer.databag').load("Create{cloud}DataBag",
args)
return cmd.execute()
def teardown_function(function):
"""
Delete both secret files as cleanup step
"""
args = parse_args([
'data', 'bag', 'delete', 'aws', test_base.DATA_BAG,
test_base.DATA_BAG_ITEM_NAME, '-c', test_base.CFG_FILE
])
cmd = DeleteAWSDataBag(args)
cmd.execute()
args = parse_args([
'data', 'bag', 'delete', 'aws', test_base.DATA_BAG,
test_base.DATA_BAG_ITEM_NAME_2, '-c', test_base.CFG_FILE
])
cmd = DeleteAWSDataBag(args)
cmd.execute()
def test_parse_use_default_config():
"""
Ensures that when no config is specified as an argument it attempts to use the file installed via pip
"""
args = parse_args(['data', 'bag', 'create', 'aws', DATA_BAG])
assert isinstance(args.config, types.FileType) is True
assert args.config.name == get_default_config()
def test_parse_use_specified_config():
"""
Ensures that the the -c argument correctly returns a file type
"""
args = parse_args(['data', 'bag', 'create', 'aws', DATA_BAG, '-c', CFG_FILE, ])
assert isinstance(args.config, types.FileType) is True
assert args.config.name == CFG_FILE
def decrypt_databag_item(cloud, bag, item, messer_config):
args = messer.parse_args([
'data', 'bag', 'show', cloud, bag, item, '-c', messer_config.name,
'--decrypt'
])
cmd = MesserCommandLoader(cloud,
'messer.databag').load("Show{cloud}DataBag",
args)
return cmd.execute()
def test_parse_encryption_rotate():
"""
Make sure all the options are present for rotating existing cipher text keys
"""
args = parse_args(['encryption', 'increment', 'aws', 'adobe-messer-unittest'])
assert args.key_name == 'adobe-messer-unittest'
assert inspect.isfunction(args.command) is True
assert args.command.__name__ == 'increment_key_version_aws'
def test_parse_delete_data_bag():
"""
Make sure all the options are present for deleting a data bags
"""
args = parse_args(['data', 'bag', 'delete', 'aws', DATA_BAG])
assert args.name == DATA_BAG
assert inspect.isfunction(args.command) is True
assert args.command.__name__ == 'delete_data_bag_aws'
def test_parse_encryption_create():
"""
Make sure all the options are present for creating new cipher text keys
"""
args = parse_args(['encryption', 'create', 'aws', 'adobe-messer-unittest'])
assert args.key_name == 'adobe-messer-unittest'
assert inspect.isfunction(args.command) is True
assert args.command.__name__ == 'create_key_aws'
def test_parse_create_data_bag():
"""
Make sure that all of the options are available for creating data bags
"""
args = parse_args(['data', 'bag', 'create', 'aws', DATA_BAG])
assert inspect.isfunction(args.command) is True
assert args.command.__name__ == "create_data_bag_aws"
assert args.name == DATA_BAG
def test_parse_show_data_bag_item():
"""
make sure that all of the options are available for viewing encrypted data bag items
"""
args = parse_args(['data', 'bag', 'show', 'aws', DATA_BAG, DATA_BAG_ITEM_NAME])
assert args.item == DATA_BAG_ITEM_NAME
assert args.name == DATA_BAG
assert inspect.isfunction(args.command) is True
assert args.command.__name__ == 'show_data_bag_aws'
def test_get_or_create_key():
"""
Ensures that getting the master key by alias returns the proper id.
"""
args = parse_args([
'encryption', 'create', 'aws', 'adobe-messer-unittest', '-c',
test_base.CFG_FILE
])
cmd = CreateAWSEncryptionKey(args)
assert cmd.get_master_key('alias/adobe-messer-unittest') == TEST_KEY_ID
def test_cannot_overwrite_existing_secrets():
"""
Attempt to write over secret1, and verifies that it fails.
"""
arglist = [
'data', 'bag', 'from', 'file', 'aws', test_base.DATA_BAG,
test_base.DATA_BAG_ITEM_FILE, '-c', test_base.CFG_FILE,
'--secret-file', test_base.SECRETS_FILE
]
args = parse_args(arglist)
cmd = UploadAWSDataBag(args)
validate_common_props(cmd)
if not data_bag_exists(cmd, test_base.DATA_BAG_ITEM_FILE):
cmd.execute()
cmd = UploadAWSDataBag(parse_args(arglist))
assert isinstance(args.item, types.FileType)
assert cmd.item.name == test_base.DATA_BAG_ITEM_FILE
with pytest.raises(AttributeError):
assert cmd.args.secrets_file is test_base.SECRETS_FILE
with pytest.raises(RuntimeError):
cmd.execute()
def test_delete_data_bag_fails_if_not_empty():
"""
Tests to make sure that messer cannot delete a data bag with items in it.
"""
args = parse_args([
'data', 'bag', 'delete', 'aws', test_base.DATA_BAG, '-c',
test_base.CFG_FILE
])
cmd = DeleteAWSDataBag(args)
assert cmd.name == test_base.DATA_BAG
with pytest.raises(RuntimeError):
cmd.execute()
def create_data_bag_item(cloud, bag, item, key, messer_config):
filename = write_item_to_disk(item)
try:
args = messer.parse_args([
'data', 'bag', 'from', 'file', cloud, bag, filename,
'--secret-file', key, '-c', messer_config.name
])
cmd = MesserCommandLoader(cloud, 'messer.databag').load(
"Upload{cloud}DataBag", args)
return cmd.execute()
finally:
os.remove(filename)
def test_new_key_version():
"""
Ensures that key rotation generates an incremental version
"""
args = parse_args([
'encryption', 'create', 'aws', 'adobe-messer-unittest-rotation', '-c',
test_base.CFG_FILE
])
create_cmd = CreateAWSEncryptionKey(args)
create_cmd.execute()
assert get_latest_key_version(create_cmd.keys_bucket,
create_cmd.args.key_name) == VERSION_0
# increment the key version of the newly created key and get the latest version which should be 1.
args = parse_args([
'encryption', 'increment', 'aws', 'adobe-messer-unittest-rotation',
'-c', test_base.CFG_FILE
])
cmd = IncrementAWSKeyVersion(args)
cmd.execute()
assert get_latest_key_version(cmd.keys_bucket,
cmd.args.key_name) == VERSION_1
# delete version 1 of this key
del_cmd = DeleteAWSEncryptionKey(
parse_args([
'encryption', 'delete', 'aws', 'adobe-messer-unittest-rotation',
'1', '--no-prompt', '-c', test_base.CFG_FILE
]))
del_cmd.execute()
assert get_latest_key_version(cmd.keys_bucket,
cmd.args.key_name) == VERSION_0
# delete base key to have a fresh version of the key and then create the said key
del_cmd = DeleteAWSEncryptionKey(
parse_args([
'encryption', 'delete', 'aws', 'adobe-messer-unittest-rotation',
'--no-prompt', '-c', test_base.CFG_FILE
]))
del_cmd.execute()
def test_parse_create_data_bag_item():
"""
make sure that all of the options are available for creating encrypted data bag items
"""
args = parse_args(['data', 'bag', 'from', 'file', 'aws', DATA_BAG, DATA_BAG_ITEM_FILE,
'--secret-file', SECRETS_FILE])
assert isinstance(args.item, types.FileType)
assert args.item.name == DATA_BAG_ITEM_FILE
assert args.name == DATA_BAG
assert inspect.isfunction(args.command) is True
assert args.command.__name__ == 'upload_data_bag_aws'
assert args.secret_file == SECRETS_FILE
def test_create_data_bag():
"""
Ensures that messer can create data bags with folder names that match it's policy
"""
args = parse_args([
'data', 'bag', 'create', 'aws', test_base.DATA_BAG, '-c',
test_base.CFG_FILE
])
cmd = CreateAWSDataBag(args)
validate_common_props(cmd)
cmd.execute()
assert cmd.secrets_bucket.get_key(cmd.name +
"/").name == test_base.DATA_BAG + "/"
def test_read_non_existing_folder():
"""
Listing the contents of 'some-none-existing-folder' on the secrets bucket returns no results (no exception)
"""
args = parse_args([
'data', 'bag', 'show', 'aws', "some-none-existing-folder", '-c',
test_base.CFG_FILE, '--decrypt'
])
cmd = ShowAWSDataBag(args)
assert not cmd.name == test_base.DATA_BAG
cmd.execute()
assert cmd.exists(cmd.path) is False
def test_create_envelope_key_fails_on_duplicate():
"""
Ensures that we can create only one key with the same name and version.
"""
args = parse_args([
'encryption', 'create', 'aws', 'adobe-messer-unittest', '-c',
test_base.CFG_FILE
])
cmd = CreateAWSEncryptionKey(args)
exception_thrown = False
try:
cmd.execute()
except RuntimeError, e:
exception_thrown = True
def test_delete_data_bag_item():
"""
Tests to make sure that messer can delete a secret
"""
# setup: upload secret
args = parse_args([
'data', 'bag', 'from', 'file', 'aws', test_base.DATA_BAG,
test_base.DATA_BAG_ITEM_FILE, '-c', test_base.CFG_FILE,
'--secret-file', test_base.SECRETS_FILE
])
cmd = UploadAWSDataBag(args)
validate_common_props(cmd)
cmd.execute()
# test to delete the data bag item
args = parse_args([
'data', 'bag', 'delete', 'aws', test_base.DATA_BAG,
test_base.DATA_BAG_ITEM_NAME, '-c', test_base.CFG_FILE
])
cmd = DeleteAWSDataBag(args)
assert cmd.name == test_base.DATA_BAG
assert cmd.item == 'secret1'
assert cmd.execute() == 1
def setup_encryptor():
# use this key to fetch the encryption object.
args = parse_args([
'encryption', 'create', 'aws', 'adobe-messer-unittest', '-c',
test_base.CFG_FILE
])
cmd = CreateAWSEncryptionKey(args)
encrypter = AWSEncryptionKeyLoader.load(cmd.args.key_name, cmd.keys_bucket,
cmd.kms, VERSION_0)
return dict(encryptor=encrypter,
name=cmd.args.key_name,
key_version=get_latest_key_version(cmd.keys_bucket,
cmd.args.key_name))
def test_role_s3_policy_restricts_read_existing_folder():
"""
Ensures that the unit test role cannot list the contents of the 'dev' folder on the secrets bucket
"""
args = parse_args(
['data', 'bag', 'create', 'aws', "dev", '-c', test_base.CFG_FILE])
cmd = CreateAWSDataBag(args)
exception_thrown = None
assert not cmd.name == test_base.DATA_BAG
try:
cmd.execute()
except S3ResponseError, e:
exception_thrown = True
assert e.status == 403
assert e.reason == "Forbidden"
def test_role_restricts_kms_key_creation_s3():
"""
Access to the cipher text key 'adobe-common' in S3 is NOT allowed by the unit test policy
"""
args = parse_args([
'encryption', 'create', 'aws', 'adobe-common', '-c', test_base.CFG_FILE
])
cmd = CreateAWSEncryptionKey(args)
exception_thrown = False
try:
cmd.execute()
except S3ResponseError, e:
exception_thrown = True
assert e.status == 403
assert e.reason == "Forbidden"
def test_s3_policy_restricts_write():
"""
Ensures that the unit test role does not have permission to write to folders which are not specifically defined.
"""
args = parse_args([
'data', 'bag', 'create', 'aws', "some-other-data-bag", '-c',
test_base.CFG_FILE
])
cmd = CreateAWSDataBag(args)
assert not cmd.name == test_base.DATA_BAG
try:
cmd.execute()
except S3ResponseError, e:
assert e.status == 403
assert e.reason == "Forbidden"
assert e.error_code == "AccessDenied"
def test_can_overwrite_existing_secrets_with_force_flag():
"""
Attempt to write over secret1 using the --force flag, and verifies that it succeeds.
"""
args = parse_args([
'data', 'bag', 'from', 'file', 'aws', test_base.DATA_BAG,
test_base.DATA_BAG_ITEM_FILE, '-c', test_base.CFG_FILE, '--force',
'--secret-file', test_base.SECRETS_FILE
])
cmd = UploadAWSDataBag(args)
assert not cmd.exists('secret2') is None
validate_common_props(cmd)
assert isinstance(args.item, types.FileType)
assert cmd.item.name == test_base.DATA_BAG_ITEM_FILE
with pytest.raises(AttributeError):
assert cmd.args.secrets_file is test_base.SECRETS_FILE
assert cmd.execute() > 0
def test_create_aws_config():
"""
Ensures that specifying a new config file creates the file.
:return:
"""
args = parse_args(['configure', 'aws', '-c' 'new.ini', '-m' 'adobe-test', '-e' 'Dev', '-r' 'us-east-2', '-b' 'test-bucket'])
cmd = AWSConfigure(args)
cmd.execute()
config = MesserAWSConfig(args.config)
assert config.master_key == 'adobe-test'
assert config.region == 'us-east-2'
# make sure dev gets converted to lower case
assert config.tier == 'dev'
assert config.secrets_bucket == 'test-bucket'
os.remove(config.filename)
def test_create_encrypted_item_from_file():
"""
Ensures that secrets can be created from json files using the encryption keys provided to the role.
"""
args = parse_args([
'data', 'bag', 'from', 'file', 'aws', test_base.DATA_BAG,
test_base.DATA_BAG_ITEM_FILE_2, '-c', test_base.CFG_FILE,
'--secret-file', test_base.SECRETS_FILE
])
cmd = UploadAWSDataBag(args)
validate_common_props(cmd)
assert isinstance(args.item, types.FileType)
assert cmd.item.name == test_base.DATA_BAG_ITEM_FILE_2
assert cmd.args.secret_file is test_base.SECRETS_FILE
bytes_written = cmd.execute()
assert bytes_written > 0
# check that files exist in both buckets
assert cmd.secrets_bucket.get_key(cmd.path +
"/secret2").name == 'unittest/secret2'
def increment_envelope_key(cloud, key_name, messer_config):
args = messer.parse_args(
['encryption', 'increment', cloud, key_name, '-c', messer_config.name])
cmd = MesserCommandLoader(cloud, 'messer.encryption').load(
"Increment{cloud}KeyVersion", args)
return cmd.execute()
