def _encrypt_data(context, data): try: # TODO(pbourke): move auth construction into common area if it ends up # been required in other areas auth = identity.V3Password( auth_url=settings.KEY_MANAGER['auth_url'], username=settings.KEY_MANAGER['username'], user_domain_name=settings.KEY_MANAGER['user_domain_name'], password=settings.KEY_MANAGER['password'], project_name=settings.KEY_MANAGER['project_name'], project_domain_name=settings.KEY_MANAGER['project_domain_name'] ) except (KeyError, AttributeError) as e: LOG.exception(e) msg = ('Could not find valid key manager credentials in the ' 'murano-dashboard config. encryptData yaql function not ' 'available') raise castellan_exception.KeyManagerError(message_arg=msg) sess = session.Session(auth=auth) auth_context = _oslo_context.RequestContext( auth_token=auth.get_token(sess), tenant=auth.get_project_id(sess)) options.set_defaults(cfg.CONF, auth_endpoint=settings.KEY_MANAGER['auth_url']) manager = key_manager.API() try: # TODO(pbourke): while we feel opaque data should cover the most common # use case, we may want to add support for other secret types in the # future (see https://goo.gl/tZhfqe) stored_key_id = manager.store(auth_context, opaque_data.OpaqueData(data)) except castellan_exception.KeyManagerError as e: LOG.exception(e) raise return stored_key_id
def test___eq__(self): self.assertTrue(self.opaque_data == self.opaque_data) self.assertTrue(self.opaque_data is self.opaque_data) self.assertFalse(self.opaque_data is None) self.assertFalse(None == self.opaque_data) other_opaque_data = opaque_data.OpaqueData(self.data, self.name) self.assertTrue(self.opaque_data == other_opaque_data) self.assertFalse(self.opaque_data is other_opaque_data)
def test_encrypt_data(self, mock_identity, mock_keymanager, mock_oslo_context, _): mock_service = mock.Mock(parameters={'#foo_template': 'foo_data'}) context = {'?service': mock_service} secret_value = 'secret_password' mock_auth_context = mock.MagicMock() mock_oslo_context.RequestContext.return_value = mock_auth_context yaql_functions._encrypt_data(context, secret_value) mock_keymanager.API().store.assert_called_once_with( mock_auth_context, opaque_data.OpaqueData(secret_value))
def test_store_secret(self): payload = 'encrypt me!!' key_spec = mock.MagicMock() content_type = mock.MagicMock() transport_key = None secret_dto = ss.SecretDTO(ss.SecretType.SYMMETRIC, payload, key_spec, content_type, transport_key) response = self.plugin.store_secret(secret_dto) data = opaque_data.OpaqueData(secret_dto.secret) self.plugin.key_manager.store.assert_called_once_with(mock.ANY, data) expected_response = {css.CastellanSecretStore.KEY_ID: key_ref1} self.assertEqual(response, expected_response)
def store_cert(self, context, certificate, private_key, intermediates=None, private_key_passphrase=None, expiration=None, name="PKCS12 Certificate Bundle"): p12 = crypto.PKCS12() p12.set_certificate(certificate) p12.set_privatekey(private_key) if intermediates: p12.set_ca_certificates(intermediates) if private_key_passphrase: raise exceptions.CertificateStorageException( "Passphrases protected PKCS12 certificates are not supported.") p12_data = opaque_data.OpaqueData(p12.export(), name=name) self.manager.store(context, p12_data)
def store_secret(self, secret_dto): if not self.store_secret_supports(secret_dto.key_spec): raise ss.SecretAlgorithmNotSupportedException( secret_dto.key_spec.alg) try: secret_ref = self.key_manager.store( self.context, opaque_data.OpaqueData(secret_dto.secret) ) return {CastellanSecretStore.KEY_ID: secret_ref} except Exception as e: LOG.exception("Error storing secret: {}".format( six.text_type(e))) raise ss.SecretGeneralException(e)
def store_secret(self, secret_dto): if not self.store_secret_supports(secret_dto.key_spec): raise ss.SecretAlgorithmNotSupportedException( secret_dto.key_spec.alg) plaintext = base64.b64decode(secret_dto.secret) try: secret_id = self.key_manager.store( self.context, opaque_data.OpaqueData(plaintext) ) return self._meta_dict(secret_id) except Exception as e: LOG.exception("Error storing secret: {}".format( six.text_type(e))) raise ss.SecretGeneralException(e)
def setUp(self): super(WhenTestingVaultSecretStore, self).setUp() self.key_manager_mock = mock.MagicMock(name="key manager mock") self.key_manager_mock.create_key_pair.return_value = (key_ref1, key_ref2) self.key_manager_mock.create_key.return_value = key_ref1 self.key_manager_mock.store.return_value = key_ref1 secret_object = opaque_data.OpaqueData(secret_passphrase) self.key_manager_mock.get.return_value = secret_object self.cfg_mock = mock.MagicMock(name='config mock') self.cfg_mock.vault_plugin = mock.MagicMock(use_ssl=False, root_token_id='12345') self.plugin = vss.VaultSecretStore(self.cfg_mock) self.plugin.key_manager = self.key_manager_mock self.plugin_name = "VaultSecretStore"
def test_store_secret(self): payload = b'encrypt me!!' key_spec = mock.MagicMock() content_type = mock.MagicMock() transport_key = None secret_dto = ss.SecretDTO(ss.SecretType.SYMMETRIC, base64.b64encode(payload), key_spec, content_type, transport_key) response = self.plugin.store_secret(secret_dto) data = opaque_data.OpaqueData(payload) self.plugin.key_manager.store.assert_called_once_with( mock.ANY, data ) expected_response = self.plugin._meta_dict(key_ref1) self.assertEqual(response, expected_response)
def test_fetch_secret(self): # fake KeyManager populated with secret km = fake.fake_api() secret_id = km.store("fake_context", opaque_data.OpaqueData(b"super_secret!")) # driver config config = "[key_manager]\nbackend=vault" mapping = "[DEFAULT]\nmy_secret=" + secret_id # creating temp files with tempfile.NamedTemporaryFile() as config_file: config_file.write(config.encode("utf-8")) config_file.flush() with tempfile.NamedTemporaryFile() as mapping_file: mapping_file.write(mapping.encode("utf-8")) mapping_file.flush() self.conf_fixture.load_raw_values( group='castellan_source', driver='castellan', config_file=config_file.name, mapping_file=mapping_file.name, ) source = self.driver.open_source_from_opt_group( self.conf, 'castellan_source') # replacing key_manager with fake one source._mngr = km # testing if the source is able to retrieve # the secret value stored in the key_manager # using the secret_id from the mapping file self.assertEqual("super_secret!", source.get("DEFAULT", "my_secret", cfg.StrOpt(""))[0])
def _get_test_opaque_data(): data = bytes(b'opaque data') opaque_object = opaque_data.OpaqueData(data) return opaque_object
def test___ne___name(self): other_opaque = opaque_data.OpaqueData(self.data, "other opaque") self.assertTrue(self.opaque_data != other_opaque)
def test___ne___data(self): other_opaque = opaque_data.OpaqueData(b'other data', self.name) self.assertTrue(self.opaque_data != other_opaque)
def _create_data(self): return opaque_data.OpaqueData(self.data, self.name)
def test_get_created_none(self): created = None data = opaque_data.OpaqueData(self.data, self.name, created) self.assertEqual(created, data.created)
def test_is_only_metadata(self): d = opaque_data.OpaqueData(None, self.name, self.created) self.assertTrue(d.is_metadata_only())