def test_serialization_and_deserialization_does_not_garble_output():
"""
Ensure that encrypt/decrypt works even after serializing and deserializing
"""
private_key = generate_new_private_key()
public_key = generate_new_public_key(private_key)
input_str = "AABB"
encrypted_str = encrypt_value(input_str, public_key)
built_dict = {"sum_key": Encrypted(encrypted_str)}
dump_output = dump(built_dict)
str_to_load = dump(built_dict)
load_output = load(str_to_load)
dump_output = dump(load_output)
load_output = load(dump_output)
parsed_encrypted = load_output['sum_key']
output_str = decrypt_value(parsed_encrypted, private_key)
assert input_str == output_str
def test_substitution_for_pyyaml():
"""
One thing we wanted to capture in the design of this library is that
It should work as a passthrough to pyyaml.load, verify that
non dictionary inputs have the same output as pyyaml.load, and that they function at all.
It should also work with encrypted values, even if no key is passed
"""
assert load('some str') == 'some str'
with open('fixtures/test_substitution_for_pyyaml.yml') as f:
loaded_dict = load(f)
assert isinstance(loaded_dict['PASSWORD'], Encrypted)
def test_add_nested_secret_to_yaml_file():
private_key_output_filename = "test_output/test_add_nested_secret_to_yaml_file.private"
public_key_output_filename = "test_output/test_add_nested_secret_to_yaml_file.public"
private_key = generate_private_key_to_file(private_key_output_filename)
public_key = generate_public_key_to_file(private_key_output_filename,
public_key_output_filename)
nested_value = "test"
nested_key = "TEST_PARENT_KEY:TEST_CHILD_KEY"
yaml_file_fixture = "fixtures/test_add_nested_secret_to_yaml_file.yml"
yaml_file_to_append_to = "test_output/test_add_nested_secret_to_yaml_file.yml"
copyfile(yaml_file_fixture, yaml_file_to_append_to)
before_dict = None
with open(yaml_file_to_append_to) as f:
before_dict = load(f)
# Check for expected test data
assert before_dict["Y"] == "B"
assert before_dict["X"] == "B"
add_secret_to_yaml_file(nested_key, nested_value,
public_key_output_filename, yaml_file_to_append_to)
with open(yaml_file_to_append_to) as f:
after_dict = load(f)
# Test the value is encrypted.
assert isinstance(
reduce(lambda x, y: x[y], nested_key.split(":"), after_dict),
Encrypted)
# Test the value was actually encrypted
assert reduce(lambda x, y: x[y], nested_key.split(":"),
after_dict) != nested_value
# Test the expected test data was not modified, and is still present.
assert after_dict["Y"] == "B"
assert after_dict["X"] == "B"
before_keys = list(before_dict.keys())
after_keys = list(after_dict.keys())
# Zip stops when the shorter of the two stops
# so these should always be equal as the new key should
# have been added to the end, this checks
# that order was preserved.
for before_key, after_key in zip(before_keys, after_keys):
assert before_key == after_key
def test_add_secret_to_yaml_file():
private_key_output_filename = "test_output/test_add_secret_to_yaml_file.private"
public_key_output_filename = "test_output/test_add_secret_to_yaml_file.public"
private_key = generate_private_key_to_file(private_key_output_filename)
public_key = generate_public_key_to_file(private_key_output_filename,
public_key_output_filename)
test_key_value = "TEST_KEY"
yaml_file_fixture = "fixtures/test_add_secret_to_yaml_file.yml"
yaml_file_to_append_to = "test_output/test_add_secret_to_yaml_file.yml"
copyfile(yaml_file_fixture, yaml_file_to_append_to)
before_dict = None
with open(yaml_file_to_append_to) as f:
before_dict = load(f)
# Check for expected test data
assert before_dict["Y"] == "B"
assert before_dict["X"] == "B"
# Check the value we are adding is not already there
assert test_key_value not in before_dict
add_secret_to_yaml_file(test_key_value, test_key_value,
public_key_output_filename, yaml_file_to_append_to)
with open(yaml_file_to_append_to) as f:
after_dict = load(f)
# Test the value was added
assert test_key_value in after_dict
# Test the value is encrypted.
assert isinstance(after_dict[test_key_value], Encrypted)
# Test the value was actually encrypted
assert after_dict[test_key_value] != test_key_value
# Test the expected test data was not modified, and is still present.
assert after_dict["Y"] == "B"
assert after_dict["X"] == "B"
before_keys = list(before_dict.keys())
after_keys = list(after_dict.keys())
# Zip stops when the shorter of the two stops
# so these should always be equal as the new key should
# have been added to the end, this checks
# that order was preserved.
for before_key, after_key in zip(before_keys, after_keys):
assert before_key == after_key
def test_reencrypt_secrets_and_write_to_yaml_file():
private_key_file = "fixtures/test.private"
private_key = load_private_key_from_file(private_key_file)
yaml_file_fixture = "fixtures/test_reencrypt_secrets_and_write_to_yaml_file.yml"
input_yaml_file = "test_output/test_reencrypt_secrets_and_write_to_yaml_file.yml"
test_encrypted_key = "C"
copyfile(yaml_file_fixture, input_yaml_file)
private_key_output_filename_new = "test_output/test_new_reencrypt_secrets_and_write_to_yaml_file.private"
public_key_output_filename_new = "test_output/test_new_reencrypt_secrets_and_write_to_yaml_file.public"
private_key_new = generate_private_key_to_file(
private_key_output_filename_new)
public_key_new = generate_public_key_to_file(
private_key_output_filename_new, public_key_output_filename_new)
reencrypt_secrets_and_write_to_yaml_file(input_yaml_file, private_key_file,
public_key_output_filename_new)
before_dict = None
with open(yaml_file_fixture) as f:
before_dict = load(f)
# Check for expected test data
assert before_dict["A"] == "A"
assert before_dict["B"] == "B"
# Check for expected encrypted test data
test_encrypted_key_value = decrypt_value(before_dict[test_encrypted_key],
private_key)
assert test_encrypted_key_value == "C"
after_dict = None
with open(input_yaml_file) as f:
after_dict = load(f)
# Test the expected test data was not modified, and is still present
assert after_dict["A"] == "A"
assert after_dict["B"] == "B"
# Test the value is re-encrypted
test_encrypted_key_value = decrypt_value(after_dict[test_encrypted_key],
private_key_new)
assert test_encrypted_key_value == "C"
def decrypt_and_write_to_file(encrypted_filename, decrypted_output_filename,
secret_key_files):
decrypted_dict = None
with open(encrypted_filename, "r") as f:
if secret_key_files:
secret_keys = secret_key_files.split(',')
for secret_key in secret_keys:
try:
decrypted_dict = asym_crypto_yaml.load(f, secret_key)
break
except Exception as err:
logging.warning('Secret key is invalid %s: %s\n' %
(str(secret_key), str(err)))
f.seek(0)
else:
logging.error('ERROR decrypting File %s:' %
(str(encrypted_filename)))
decrypted_dict = asym_crypto_yaml.load(f, None)
else:
decrypted_dict = asym_crypto_yaml.load(f, secret_key_files)
asym_crypto_yaml.write_dict_to_yaml(decrypted_dict,
decrypted_output_filename)
def test_add_secret_to_yaml_file():
private_key_output_filename = "test_output/test_add_secret_to_yaml_file.private"
public_key_output_filename = "test_output/test_add_secret_to_yaml_file.public"
private_key = generate_private_key_to_file(private_key_output_filename)
public_key = generate_public_key_to_file(private_key_output_filename,
public_key_output_filename)
test_key_value = "C"
yaml_file_fixture = "fixtures/simple_test_dict.yml"
yaml_file_to_append_to = "test_output/test_add_secret_to_yaml_file.yml"
copyfile(yaml_file_fixture, yaml_file_to_append_to)
before_dict = None
with open(yaml_file_to_append_to, "r") as f:
before_dict = load(f)
# Check for expected test data
assert before_dict["A"] == "A"
assert before_dict["B"] == "B"
# Check the value we are adding is not already there
assert test_key_value not in before_dict
add_secret_to_yaml_file(test_key_value, test_key_value,
public_key_output_filename, yaml_file_to_append_to)
with open(yaml_file_to_append_to, "r") as f:
after_dict = load(f)
# Test the value was added
assert test_key_value in after_dict
# Test the value is encrypted.
assert isinstance(after_dict[test_key_value], Encrypted)
# Test the value was actually encrypted
assert after_dict[test_key_value] != test_key_value
# Test the expected test data was not modified, and is still present.
assert after_dict["A"] == "A"
assert after_dict["B"] == "B"
def test_decrypt_yaml_file_and_write_encrypted_file_to_disk():
private_key_output_filename = "test_output/test_decrypt_yaml_file_and_write_encrypted_file_to_disk.private"
public_key_output_filename = "test_output/test_decrypt_yaml_file_and_write_encrypted_file_to_disk.public"
private_key = generate_private_key_to_file(private_key_output_filename)
public_key = generate_public_key_to_file(private_key_output_filename,
public_key_output_filename)
test_key_value = "C"
yaml_file_fixture = "fixtures/test_decrypt_yaml_file_and_write_encrypted_file_to_disk.yml"
yaml_file_to_append_to = "test_output/test_decrypt_yaml_file_and_write_encrypted_file_to_disk.yml"
copyfile(yaml_file_fixture, yaml_file_to_append_to)
add_secret_to_yaml_file(test_key_value, test_key_value,
public_key_output_filename, yaml_file_to_append_to)
after_dict = None
with open(yaml_file_to_append_to) as f:
after_dict = load(f, private_key_output_filename)
after_dict["A"] = "A"
after_dict["B"] = "B"
after_dict["C"] = "C"